
Unable to access \\domain\SYSVOL but able to access \\server\SYSVO


Witt@discussions.microsoft.com Jared Witt

Sep 12, 2006, 7:31:01 PM
I have a group policy/sysvol problem that I would really appreciate help on.

\\domain and \\domain.local both access one of the DCs registered in DNS.
All shares, other than SYSVOL and NETLOGON are available. We use domain
based DFS and it is not experiencing any problems. If I directly access a DC
via \\server\SYSVOL, I can move/change files according to the proper
permissions. None of the DCs are clustered. I’ve worked through quite a few
KB articles (specifically http://support.microsoft.com/?id=842804
). The permissions are correct on the GPOs. DNS and DFS are working. If I
manually change a file in SYSVOL, it appears seconds later on the other DCs.
We have recently changed to fiber optic NICs and disabled our CAT5 in BIOS.
The system worked just fine for 4+ weeks after the NIC change. We have
expanded from 1 site to 3 sites in the past year. Everything worked just
fine until 2-3 weeks ago when two new admins started work at the other two
sites.

The two other sites have “politically” appointed system admins that have
little training or experience. One of them did create a child domain and
then delete all of the DCs while leaving the empty shell of a domain intact.
This was his second time doing something similar. The other added in
several changes relating to PKIs. One of them also added a redirection for
directories in the default user’s profile to the Default Domain Policy.
Existing users are fine but I can no longer create new users as their profile
is unusable when it’s initially created. Plug-ins for MS Office now crash
Office and ODBC connections fail every time. MS Word attempts to change
settings in the default template. Outlook will not work at all. Both deny
changing anything even though the logs show otherwise.

If anyone could help me I would really appreciate it. Below are the error
messages and logs I get when I attempt to get around the problem. /sigh I'm
just glad the existing users are fine and the GPOs are fairly set.

When I attempt to edit any GPO, including the Default Domain Policy, I get a
pop up error with the following text: (this happens via Users and computers
and GPMC)

Group Policy Error
Failed to open the Group Policy Object. You may not have appropriate rights.
Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied.


Accessing the share via the “Run” line produces the following:
\\server\SYSVOL connects to the server and all files are available with
proper permissions

\\domain\SYSVOL fails with the following error

\\domain.local
\\domain.local\SYSVOL is not accessible. You might not have permission to
use this network resource. Contact the administrator of the server to find
out if you have access permissions.
Configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied.


Event Logs

User: DOMAIN\Administrator
Event ID: 1058
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=thisdomain,DC=local.
The file must be present at the location
<\\thisdomain.local\sysvol\thisdomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from
the domain controller, either because the machine is unavailable, or access
has been denied. ). Group Policy processing aborted

User: DOMAIN\Administrator
Event ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.


I have tried to reset the GPOs with DCGPOFIX. It reset the DC policy but
the default domain policy still gives an access denied message:

C:\dcgpofix /target:domain

Unable to read EFS cerfiticates from Registry.pol file of Default Domain
Policy. The error was Configuration information could not be read from the
domain controller, either because the machine is unavailable, or access has
been denied.

(I’ve never seen an error in the command tool in red. This one was.)

Al Mulnick

Sep 12, 2006, 8:09:11 PM
Long before you fix this issue, you'll need to fix the other issue. The
other issue I'm talking about is the layer-8 issue. If you don't fix that,
there's no point in going any further. I would highly suggest talking to
those other business units and letting them know that you cannot, not won't,
create any new users until you get the AD fixed. You don't have to point
out any names etc, but let them know that it was due to their admins.

Regardless of winning or losing that battle, implement a proper change
management process with senior company official buy-off that anyone that
circumvents it is fired on the spot. Including yourself. No further
questions asked.

Once that's done, I highly suggest you call Microsoft Support. The PKI and
the other issues/configuration changes you describe are likely causing you
issues you won't want to let go much longer unless you enjoy rebuilding the
entire Active Directory forest. I'd guess based on your timeline you have
about 30 more days before you're to a point of no return. Tough to say for
sure without seeing your environment first hand.

Until you solve the problem of being able to access the \\domain\sysvol
share, there's no point in trying to fix the rest in my honest opinion.

You may want to check the event logs of the domain controllers to see if
there are any entries listed after the last restart related to problems
becoming a domain controller, or allowing shares, etc. But I suspect you'll
have to just call support and really go over it with a fine-tooth comb to
undo it.

Feel free to drop a note off-line if I can be of any help.

Al
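
The comparison this thread turns on (the domain-based path fails while a direct server path works), as an added example that is not part of either post: it pulls the gpt.ini path out of the Event ID 1058 text and tries the same file through the domain name and through each DC by name. The function names are hypothetical, the event text is a constructed sample copied from the post, and the DC lookup assumes a domain-joined machine.

```powershell
# Constructed sample: the Event ID 1058 text quoted in the post (wrapped path rejoined).
$sample1058 = 'Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=thisdomain,DC=local. The file must be present at the location <\\thisdomain.local\sysvol\thisdomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.'

function Get-GptIniPath {
    # Hypothetical helper: the UNC path sits between angle brackets in the 1058 message.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match '<(\\\\[^>]+\\gpt\.ini)>') { return $Matches[1] }
    throw 'No gpt.ini UNC path found in the event text.'
}

function Test-UncRead {
    # Hypothetical helper: read one line so that an access or referral failure
    # surfaces as an error message instead of a bare $false.
    param([string]$Via, [string]$Path)
    try {
        Get-Content -LiteralPath $Path -TotalCount 1 -ErrorAction Stop | Out-Null
        [pscustomobject]@{ Via = $Via; Path = $Path; Readable = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Via = $Via; Path = $Path; Readable = $false; Error = $_.Exception.Message }
    }
}

function Compare-GptIniAccess {
    param(
        [Parameter(Mandatory)][string]$DomainPath,
        [string[]]$DomainController   # optional; looked up from AD when omitted
    )
    # \\<domain>\sysvol\... -> namespace host, then the remainder of the path
    $hostName, $rest = $DomainPath.TrimStart('\') -split '\\', 2
    if (-not $DomainController) {
        $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object { $_.Name }
    }
    # First through the domain-based name, as Group Policy processing does ...
    Test-UncRead -Via "domain ($hostName)" -Path $DomainPath
    # ... then through each DC directly, which bypasses the domain referral.
    foreach ($dc in $DomainController) {
        Test-UncRead -Via $dc -Path "\\$dc\$rest"
    }
}

Compare-GptIniAccess -DomainPath (Get-GptIniPath $sample1058) | Format-Table -AutoSize
```

A result where every per-DC row is readable and only the domain row fails matches the symptom described in the first post; a single failing DC row points at that server instead.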

