
Error accessing Group Policies

Status
Not open for further replies.

Chopsy (IS-IT--Management), joined May 29, 2002, 111 messages, location AU
I have a problem accessing Group Policies on a 2003 server. When I try to access them, I get the error :-

'The domain controller for Group Policy operations is not available. You may cancel this operation or...'

This is despite the fact that the machine I am trying to access it on, is the actual domain controller.

I've looked through the forums, and came across an identical problem which was resolved by checking that file sharing is enabled on the main controller. I've checked that, and it already is.

I'm wondering if there is a DNS problem of some description. This machine was initially built on one network before being installed on another, so it has changed IP addresses since. I've checked the DNS entries and they look OK, but I'm not 100% sure of what I'm doing.

There is an error in the DNS event log, but it doesn't tell me much :-

'The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.'

Any help would be appreciated.
 
Could be a couple of things. Run a dcdiag /v and post the output.

Check the default domain controllers group policy. Under computer configuration, windows settings, security settings, local policies, click on user rights assignment.

Check "access this computer from the network". Make sure at least administrators, authenticated users, and everyone are listed. Check to make sure you have at least the same three groups listed for "bypass traverse checking".

You should also check to make sure your distributed file system service is started and set to auto.
 
I ran into a similar situation with a customer recently. They had messed around with file permissions and had messed up the settings on the Sysvol. See if you can traverse inside the Sysvol in Windows Explorer. If you can't then you know where the problem is. For my customer I had to Take Ownership of the Sysvol and then reset all of the permissions to normal.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
OK, thanks for the tips.

The dcdiag output is at the end.

I can't check the user rights settings on the group policy because I can't get in to it to amend anything.

Distributed File System services is started and is set to auto.

Logged in as domain administrator, I can explore \\servername\SYSVOL quite happily, and see the files and directories below.

dcdiag output :-

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine por-lzr, is a DC.
* Connecting to directory service on server por-lzr.
* Collecting site info.
* Identifying all servers.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\POR-LZR
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... POR-LZR passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\POR-LZR
Starting test: Replications
* Replications Check
......................... POR-LZR passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
* Security Permissions Check for
CN=Configuration,DC=por-lzr,DC=lizard,DC=local
* Security Permissions Check for
DC=por-lzr,DC=lizard,DC=local
......................... POR-LZR passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... POR-LZR passed test NetLogons
Starting test: Advertising
The DC POR-LZR is advertising itself as a DC and having a DS.
The DC POR-LZR is advertising as an LDAP server
The DC POR-LZR is advertising as having a writeable directory
The DC POR-LZR is advertising as a Key Distribution Center
The DC POR-LZR is advertising as a time server
The DS POR-LZR is advertising as a GC.
......................... POR-LZR passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
Role Domain Owner = CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
Role PDC Owner = CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
Role Rid Owner = CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local
......................... POR-LZR passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 1610 to 1073741823
* por-lzr.lizard.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1110 to 1609
* rIDPreviousAllocationPool is 1110 to 1609
* rIDNextRID: 1148
......................... POR-LZR passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/por-lzr.lizard.local
* SPN found :LDAP/por-lzr.lizard.local
* SPN found :LDAP/POR-LZR
* SPN found :LDAP/por-lzr.lizard.local/LIZARD
* SPN found :LDAP/839a58cf-0aa9-40bc-a063-0dda28d67263._msdcs.por-lzr.lizard.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/839a58cf-0aa9-40bc-a063-0dda28d67263/por-lzr.lizard.local
* SPN found :HOST/por-lzr.lizard.local
* SPN found :HOST/por-lzr.lizard.local
* SPN found :HOST/POR-LZR
* SPN found :HOST/por-lzr.lizard.local/LIZARD
* SPN found :GC/por-lzr.lizard.local
......................... POR-LZR passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
RPCLOCATOR Service is stopped on [POR-LZR]
* Checking Service: w32time
* Checking Service: TrkWks
TrkWks Service is stopped on [POR-LZR]
* Checking Service: TrkSvr
TrkSvr Service is stopped on [POR-LZR]
* Checking Service: NETLOGON
......................... POR-LZR failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
POR-LZR is in domain DC=por-lzr,DC=lizard,DC=local
Checking for CN=POR-LZR,OU=Domain Controllers,DC=por-lzr,DC=lizard,DC=local in domain DC=por-lzr,DC=lizard,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=POR-LZR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=por-lzr,DC=lizard,DC=local in domain CN=Configuration,DC=por-lzr,DC=lizard,DC=local on 1 servers
Object is up-to-date on all servers.
......................... POR-LZR passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... POR-LZR passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... POR-LZR passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 05/10/2004 11:38:27
Event String: Driver Acrobat PDFWriter required for printer
Acrobat PDFWriter is unknown. Contact the
administrator to install the driver before you
log in again.
......................... POR-LZR failed test systemlog

Running enterprise tests on : por-lzr.lizard.local
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... por-lzr.lizard.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\por-lzr.lizard.local
Locator Flags: 0xe00003fd
PDC Name: \\por-lzr.lizard.local
Locator Flags: 0xe00003fd
Time Server Name: \\por-lzr.lizard.local
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\por-lzr.lizard.local
Locator Flags: 0xe00003fd
KDC Name: \\por-lzr.lizard.local
Locator Flags: 0xe00003fd
......................... por-lzr.lizard.local passed test FsmoCheck
 
You should be able to check user rights by running rsop.msc from the run box.

That said, there isn't anything glaring in this report. Try and see if you can get to \\lizard.local\sysvol\lizard.local\policies\{6AC.....}

 
When I run rsop.msc from run, I get the RSOP window open (with red crosses against administrator, computer configuration & user configuration), then a popup telling me -

Administrative Templates. The latest versions of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of these ADM files will be used.

If I explore down to the two options, as suggested, Administrators, Everyone & Authenticated Users are all members.

I've tried, and I can browse to the \\lizard.local....etc..\{6AC1786.. quite happily. If it's relevant, there is also a {31B2f...} directory in the same place as the {6AC1786..} and it is the one that is referred to in the above error message about ADM files not being available...

 
Hmmm...

Make sure the TCP/IP Netbios helper server is started and set to auto.
 
Yup, it's started and on auto..
 
Can you run a netdiag and post that output?

Also, I wasn't clear if you can actually get into the 6AC and 31B policy folders.
 
Yes, I seem to be able to browse both those folders quite happily.

When I run netdiag I immediately get the error :-

'netdiag.exe - Entry point not found. The procedure entry point DnsGetMaxNumberOfAddressesToRegister could not be located in the dynamic link library DNSAPI.dll'

What the?
 
Sounds like you may be using the wrong version of netdiag. If you haven't already, install the 2003 support tools from the 2003 CD (support\tools\suptools.msi).

Then run the netdiag in program files\support tools
 
Oops!

This is better ...


........................................

Computer Name: POR-LZR
DNS Host Name: por-lzr.lizard.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB819696
KB823182
KB823559
KB824105
KB824141
KB824146
KB825119
KB828028
KB828035
KB828741
KB828750
KB830352
KB832894
KB835732
KB837001
KB837009
Q147222
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Intel Pro 1000 MT Gigabit Ethernet Adapter - onboard

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : por-lzr
IP Address . . . . . . . . : 172.19.26.13
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.19.26.1
Primary WINS Server. . . . : 172.19.26.13
Dns Servers. . . . . . . . : 172.19.26.13
172.19.221.1
10.61.254.21


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{052EEE07-831A-4E27-B71D-916153E5BAF9}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.19.26.13' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '172.19.221.1'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server 10.61.254.21, ERROR_TIMEOUT.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{052EEE07-831A-4E27-B71D-916153E5BAF9}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{052EEE07-831A-4E27-B71D-916153E5BAF9}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
 
Try taking out the 172.19.221.1 and 10.61.254.21 IPs for DNS.

Then do ipconfig /flushdns and ipconfig /registerdns, then 'net stop netlogon & net start netlogon'

Then see if you can get to the policies.
 
I presume you meant remove them as DNS servers in the network card configuration, rather than within the DNS Server configuration?

If so, I've done that, and still no luck...

What about the warning below, is that significant?

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
 
Just tested something, which may throw some light on it..

When I use explorer and browse to

\\POR-LZR\SYSVOL

I can see it fine, but if I browse to

\\por-lzr.lizard.local\SYSVOL
(which is the path listed in the error message I get from rsop.msc)

I get an error saying it is not accessible and 'no network provider accepted the given network path'
 
I've gone through the DNS configuration and compared this problem server and an identical working server in another domain. There seem to be some differences..

Under Forward Lookup Zones, the subfolder lists
_msdcs.por-lzr.lizard.local

whereas on the working server it shows as
_msdcs.domain.local

i.e. without the machine name

This difference crops up in several places...
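The last two posts separate a name-resolution failure (NetBIOS path to SYSVOL works, FQDN path fails) from a share-permission failure. The following script, added here as an example and not part of the thread, runs those checks in one go on a modern Windows host (it needs the DnsClient module, Server 2012 or later, so it would not run on the 2003 box itself); the function and parameter names are hypothetical, and the values in the example call are taken from the dcdiag and netdiag output above.

```powershell
# Added example, not from the thread. Distinguishes a DNS / name-resolution problem
# from a SYSVOL permission problem when Group Policy tools report that the domain
# controller is unavailable. Function and parameter names are hypothetical.
function Test-GpoPathReachability {
    param(
        [Parameter(Mandatory)] [string] $DcName,         # NetBIOS name, e.g. POR-LZR
        [Parameter(Mandatory)] [string] $DnsSuffix,      # DNS suffix of the DC, e.g. lizard.local
        [Parameter(Mandatory)] [string] $DomainDnsName   # AD domain DNS name (the DC= parts in dcdiag)
    )
    $fqdn = "$DcName.$DnsSuffix"

    # 1. Does the DC's fully qualified name resolve at all? A NetBIOS path that works
    #    while the FQDN path fails points at DNS, not at share permissions.
    $aRecord = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue

    # 2. The DC locator record that Group Policy and RSoP rely on lives in the _msdcs
    #    subdomain of the domain's DNS name, so a mis-named zone shows up here.
    $locator = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV `
                               -ErrorAction SilentlyContinue

    # 3. Reach SYSVOL by both names, then the Policies folder by the domain name
    #    (the path form that the rsop.msc error message quotes).
    $results = [ordered]@{
        Fqdn             = $fqdn
        FqdnResolves     = [bool]$aRecord
        LocatorSrvFound  = [bool]($locator | Where-Object { $_.Type -eq 'SRV' })
        SysvolByNetbios  = Test-Path -LiteralPath "\\$DcName\SYSVOL"
        SysvolByFqdn     = Test-Path -LiteralPath "\\$fqdn\SYSVOL"
        PoliciesByDomain = Test-Path -LiteralPath "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies"
    }

    # Summarise the pattern the thread describes rather than leaving the reader to compare flags.
    $results.Diagnosis = if ($results.SysvolByNetbios -and -not $results.SysvolByFqdn) {
        'SYSVOL is shared and readable; resolution of the FQDN is failing (check DNS records and zone names).'
    } elseif (-not $results.SysvolByNetbios) {
        'SYSVOL is not reachable even by NetBIOS name: check the share and its permissions.'
    } else {
        'Both paths work; the cause lies outside name resolution and SYSVOL access.'
    }
    [pscustomobject]$results
}

# Example call with the names reported by dcdiag and netdiag in the thread.
Test-GpoPathReachability -DcName 'POR-LZR' -DnsSuffix 'lizard.local' -DomainDnsName 'por-lzr.lizard.local'
```

On a 2003-era server the same checks are done by hand with nslookup against the FQDN and the _ldap._tcp.dc._msdcs SRV name, followed by dir against each UNC path.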
 