Event Log error messages

[sharyn]

Hi everyone,

I am getting these error messages in the event application log approx. every 5 mins. I have been on the MS KB all morning, and while I have found many articles concerning the event codes that I am getting, none of them have the error message that I am receiving...

The Group Policy client-side extension Security was passed flags (49) and returned a failure status code of (997). Event 1000

and

Security policies are propogated with warning 0x3e5: Overlapped i/o operation in progress. Please look for more details in Troubleshooting Section in Security Help. Event 1202

and, in the Userenv.log...

ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x3e5.

Like I said before, there are quite a few articles in the KB that have errors concerning events 1000 and 1202, but none of them have these error messages.

Anyone seen anything like this? This is on a dc, upgraded from an nt 4.0 bdc. This is the 3rd win2k dc in my domain, but only the second one I actually upgraded (first nt4.0 bdc that was upgraded). The other 2 win2k dcs are my upgraded nt 4.0 pdc, and a win2k dc that had a fresh install of the o/s on it.

As an added FYI, after poking around a bit, I discovered that the sysvol directory had been installed UNshared. I went ahead and shared it, using the permissions/security settings that were on the other 2 DCs.

Thanks in advance!
Sharyn

 

[brontosaurus]

Adm is a subfolder under each of your policies in Sysvol and GPT.INI is the file that holds the version number. So, this may be a good start. You can always pipe the output to MORE to stop the scrolling....

 

[sharyn]

Ok..it's worse than that. When I run this, only 2 of my servers show up. The problem child doesnt even show up in the readout, even when running it ON THAT SERVER.

Hmmmmmm

What does this mean? It shows up as a DC everywhere else in AD.

 

[brontosaurus]

Argh. Would you be averse to a demotion, clean AD of any traces of this box, and then a fresh promotion? I'd hate to see you spending too much more time on this...

 

[GlenJohnson]

Brontosauarus is right. When I was setting up a new server, I had all kinds of problems. Since it wasn't a production server, I demoted it, promoted it and things went a lot smoother. Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"To be ignorant of what occurred before you were born is to remain always a child."
Cicero (106-43 B.C.); Roman orator, philosopher.

 

[sharyn]

I was thinking about that but you know what? After playing with the sites and services snap in, and creating a separate subnet and site link for the problem child (it does have its own subnet), I am now getting the following messages in the event viewer on that particular box..

In the application log..
Security policy in the Group policy objects are applied successfully.

This is the first time I have seen this message on this box!

In the file replication log..

The File Replication Service has enabled replication from LASERVER to WPBSERVER for c:\winnt\sysvol\domain after repeated retries.

and finally some kcc messages in the directory services log telling me that it is only replicating with my DC that was the PDC, which is what it's supposed to be doing.

How strange. Does this mean it just magically fixed itself?

Unfortunately, the problem child is not close to me and demoting and reinstalling AD will mean another road trip, which doesnt bother me any but might upset my boss

I think I'm going to let this whole thing ride for now until I see whether there is any real damage. Throughout this whole thing, dhcp, wins, authentication, and all the other things I really need the DC for (knock on wood) have been working.

I am pretty sure this is a result of an nt4.0 upgrade instead of a fresh install, one of the reasons I'm not calling MS as I havent done anything the way they recommended

Thanks for all your help! I"m sure I'll be back with another issue. As an FYI, the only subnet that is browsing correctly and has a full browse list all the time is the subnet that is controlled by the problem child DC. Ironic huh?

Gee, I only wasted 2 days on this.

Sharyn

 

[Niavlys]

That's Windows 2000, go out for a cig' and come back... everything will be ok
it's magic !

 

[sharyn]

I dont smoke, but, this upgrade/migration could make me start again!

 

[brontosaurus]

Awesome. I'm glad you didn't have to go that far. Nice work!

 

[JBruyet]

This lurker has a question: This &quot;problem child&quot; was an upgrade to Win2k from an NT BDC, correct? And your other successful upgrade was an NT PDC? I have a couple of NT boxes that I'm going to be upgrading soon and I hope to avoid ALL problems! <rolling eyes>

Thanks,

Joe Brouillette

 

[sharyn]

Good morning fellow Techies,

I am a happy camper this morning!

Info messages in my application log, event viewer on the problem child read as follows:

Security policy in the Group policy objects are applied successfully.

Still..this worked all night too. Im officially considering it fixed for now

To answer your question, JBruyet..

Good luck avoiding all problems, my suggestion is to be prepared to totally reinstall everything from scratch if necessary and have a synced, nt4.0 BDC available to promote to the PDC if everything gets hosed!

I also maxed out the amt of RAM these boxes had before I started the upgrade.

Yes, the problem child is a nt4.0 BDC. I managed to upgrade my nt4.0 PDC without too many issues. I did not follow MS's directions as my company can't afford to have &quot;extra&quot; servers offline, in the closet. Before upgrading the PDC, I took every extra piece of software off and cleaned it up the best I could. I did not do a fresh install of anything (which is recommended). The upgrade on the PDC was fairly smooth, there were a few points where it took a LONG time for things to come back up, but I never got any errors.

The problem child was a different story. The O/S installation upgrade was fine, but when I ran dcpromo I encountered all kinds of errors, which is probably why I was having all these AD problems. When I ran dcpromo, which did not launch by itself, like it did on my PDC, AD couldnt find my PDC and told me that it couldnt find the domain I was trying to make this box a dc for. After much clicking through screens and tearing my hair out, all of a sudden it just worked. After I got DC promo to run, I checked the FSMO roles, etc, and looked in AD and everything seemed to be there. I didnt discover that the sysvol directory wasn't shared (should be shared as its being set up) until I got these error messages with the group policies and started digging. Basically, looking back, not only was the sysvol directory not shared but it was missing 1/2 its file structure which I had to manually recreate. Then, of course the versions were wrong.

What I also discovered here was, if your box is on a different subnet, it really likes it when you go to AD sites and services and add a site and corresponding subnet, and put the appropriate DC in the correct site. Ultimately, between doing this yesterday and manually triggering the KCC to verify site connections, I think this is what fixed things.

Obviously I will keep a continued eye on it but my event viewer looks normal today, the first day since the upgrade took place.

Thanks again, Bront, and everyone for your help!!!!

Sharyn