
Event Log error messages

Status
Not open for further replies.

sharyn

IS-IT--Management
Mar 6, 2001
161
US
Hi everyone,

I am getting these error messages in the event application log approx. every 5 mins. I have been on the MS KB all morning, and while I have found many articles concerning the event codes that I am getting, none of them have the error message that I am receiving...

The Group Policy client-side extension Security was passed flags (49) and returned a failure status code of (997). Event 1000

and

Security policies are propogated with warning 0x3e5: Overlapped i/o operation in progress. Please look for more details in Troubleshooting Section in Security Help. Event 1202

and, in the Userenv.log...

ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0x3e5.

Like I said before, there are quite a few articles in the KB that have errors concerning events 1000 and 1202, but none of them have these error messages.

Anyone seen anything like this? This is on a dc, upgraded from an nt 4.0 bdc. This is the 3rd win2k dc in my domain, but only the second one I actually upgraded (first nt4.0 bdc that was upgraded). The other 2 win2k dcs are my upgraded nt 4.0 pdc, and a win2k dc that had a fresh install of the o/s on it.

As an added FYI, after poking around a bit, I discovered that the sysvol directory had been installed UNshared. I went ahead and shared it, using the permissions/security settings that were on the other 2 DCs.

Thanks in advance!
Sharyn
 
Try a search for the event IDs on
Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"For last year's words belong to last year's language".
T. S. Eliot (1888-1965), Anglo-American poet.
 
I did! All the event IDs have error messages that don't say what mine says. I haven't seen one anywhere that actually refers to this passed flags(49), they all return a different number, and the failure status code of (997). Again, all the searches I've done return a different number.

Same thing when I search for the text "security policies are propogated with warning 0x3e5". It all comes back with a different warning code, not the one I'm experiencing.

Sharyn
 
Yes! Just this one. All the other dcs are giving me group policy applied successfully messages in event viewer.

Sharyn
 
OK. Run a GPOTOOL query. It should give you a bit more specific detail about which policy is causing the problem. Also, REPLMON may provide some clues. Sounds to me like you've got a version mismatch on this affected DC, and for some reason (maybe corrupt policy template, maybe bad communications), it's unable to update. After you run these, check the Directory Service part of the event viewer for more detail...
 
This box is at a remote site, approx 200 miles away from me. Can I run these tools from here?

Also, an update. After poking around yesterday at the sysvol share, I noticed it was missing quite a few directories that the other dcs had. I copied the missing directories, mainly the sysvol\policies\domainname and all its subdirectories. Today, I am still getting error messages, but different ones. :0) Is that progress? Here is what I'm getting today, way less than yesterday too..not happening every 5 mins like before..

Policy change from LSA/SAM can't be saved in the policy storage. Error 4312 to save policy change in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root. Event ID 1003, Source scesrv
(this is a new one)

Windows cannot determine the user or computer name. Return value (1722). Event ID 1000 Source userenv (another new one)

Plus I'm still getting the old ones about 49 flags returned and the i/o overlap, but only a few of those, not every 5 mins. The good news is, my log isn't filling up to overflowing like it was.

Guess I need to see if I can run any of these suggested tools remotely.

Thanks everyone..will keep plugging away :)

Sharyn



 
Hi, I really think it's a replication problem, I already had that problem. Try to force a replication from a known good DC on that problematic one. On my side it didn't fix the problem but that's the first thing to do. I had to disable the KCC for all of my sites, I disabled both (intra-site and inter-site) and created some manual connections between "corrupted" DC and others. Then I let it run a couple of days and re-enabled the KCC and the errors never came back. Can you also take a look in the event viewer, Directory Services log to see if there would be a lot of Warnings with KCC.

Niavlys

 
Hi,

There are no warnings at all in the directory services log, just the info statement

"NTDS (256) Online defragmentation has completed a full pass on database 'C:\WINNT\NTDS\ntds.dit'. "

which is normal.

There is absolutely NOTHING in the file replication service log, on the dc that isn't working right, which is probably NOT a good sign, so I believe you are correct, replication is not working.

On both the other DC's that are working fine, I am getting this error message concerning the DC that isn't working right: (the wpbserver is the one giving me fits, the laserver is my x nt4.0 pdc, now a win2k dc, the first one to be upgraded)

The File Replication Service is having trouble enabling replication from WPBSERVER to LASERVER for d:\winnt\sysvol\domain using the DNS name wpbserver.fdc.com. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name wpbserver.fdc.com from this computer.
[2] FRS is not running on wpbserver.fdc.com.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

Event ID 13508
Source NTFRS

I am 100% sure this is NOT a DNS issue as I can ping everyone from everyone using the fqdn and resolve with no problems.

I am getting this exact same message on the other dc up here that is working. It also can't replicate to the wpbserver. I have checked and rechecked the network connections. I have also run the KCC in AD sites and services and it seems to be fine.

How do you disable it? My next set was going to be to set up a manual link with the laserver up here and the wpbserver down there.

Sharyn
 
If you want to run through this, you can first take a look at those Microsoft Qs.
- Q281485
- Q245610
- Q242780

Q245610 explains how to disable inter-site KCC but you can do both at one time (if you have more than one site) with the procedure in Q242780 at step 14, write 17 in the value box and you will be done. To re-enable it, just put 0 instead of 17.

It helped me a lot when I was in trouble.
 
I have run replmon on the affected dc but am still getting no event messages in the directory service log in event viewer other than the standard one I have been getting. I don't know what the gpotool is or where to find it, I don't see it in the addon tools on the cd that are loaded on the machine.

The messages I'm getting from replmon itself is:

"the last replication attempt was successful" I am getting these messages from all servers, on all objects, which are currently all set to replicate with each other. This means that when I trigger the replication manually, it's working. Right? Which leads me to go back to suspecting the KCC and the automatic replications.

What is the gpo tool and where do I find it? I can't stick a CD in the affected server as my arms aren't quite that long :)

Sharyn
 
Sharyn, GPOTOOLS is in W2K resource kit. But I think you have to be a bar code reader to understand that bunch of GUID this tool reports.

Brontosaurus: if you can help me with that tool, I'll be happy too!
 
Actually, I found a ms kb article that identifies all the different client side extensions and what they mean..Q216357. ( not sure if this is what you mean)

The problem is, if the resource kit is on the win2k cd, and the cd and server is 200 miles away, I am going to have a problem running it unless I can run it from up here on a different dc, then connect to the problem child.
 
GPOTOOL (when run without any switches) queries all your DC's for effective policies and whether or not they're in synch. Those GUID's you see represent the actual raw name of the policies found and correspond to a directory of the same name in the Sysvol share.
Sharyn, in addition to checking the right pane in REPLMON, you can right-click on a server in the left pane and do some manual tasks, like re-generate the replication topology, and directory synchronization. Also, since you have the resource kit :), I can email you the GPOTOOL if you want.
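
A simplified, file-side version of the comparison described in the post above, as an added example (not part of the thread and not GPOTOOL's own code): it walks each DC's Policies folder, reads the version from every GUID directory's GPT.INI, and reports GUIDs that are missing or out of step between DCs. The DC names, GUIDs and directory trees are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample GUIDs and DC names; not taken from the thread.
GUID_A = "{11111111-1111-1111-1111-111111111111}"
GUID_B = "{22222222-2222-2222-2222-222222222222}"
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
VERSION = re.compile(r"^\s*Version\s*=\s*(\d+)\s*$", re.I | re.M)

def read_policies(policies_root):
    """Map GPO GUID -> GPT.INI version (None when GPT.INI is absent or has no Version)."""
    found = {}
    for entry in Path(policies_root).iterdir():
        if entry.is_dir() and GUID_DIR.match(entry.name):
            ini = entry / "GPT.INI"
            m = VERSION.search(ini.read_text(errors="replace")) if ini.is_file() else None
            found[entry.name.upper()] = int(m.group(1)) if m else None
    return found

def compare_replicas(roots):
    """roots: {dc_name: path to that DC's Policies folder}. Returns GUIDs that differ."""
    seen = {dc: read_policies(path) for dc, path in roots.items()}
    findings = []
    for guid in sorted(set().union(*seen.values())):
        versions = {dc: pols.get(guid, "missing") for dc, pols in seen.items()}
        if len(set(versions.values())) > 1:
            findings.append((guid, versions))
    return findings

def split_version(version):
    """GPT.INI packs the user version in the high 16 bits, computer version in the low."""
    return version >> 16, version & 0xFFFF

def build_sample(base):
    """Constructed data: two fake Policies trees standing in for two DCs' SYSVOL."""
    layout = {"DC-GOOD": {GUID_A: 65539, GUID_B: 7}, "DC-SUSPECT": {GUID_A: 65538}}
    roots = {}
    for dc, pols in layout.items():
        roots[dc] = Path(base) / dc / "Policies"
        for guid, ver in pols.items():
            (roots[dc] / guid).mkdir(parents=True)
            (roots[dc] / guid / "GPT.INI").write_text(f"[General]\nVersion={ver}\n")
    return roots

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for guid, versions in compare_replicas(build_sample(tmp)):
            print(guid, versions)
```

Against real DCs, `roots` would point at each server's Policies folder under its SYSVOL share instead of the temporary sample trees; a GUID reported as "missing" on one DC matches the symptom of policy directories absent from that DC's sysvol.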
 
I've done all of that, regenerated the topology, triggered a manual replication, etc.

I don't know what the error about the FRS means as my DNS is working fine, nslookup works, ping works. FRS IS running on the server in question, at least the service is.

I am back to thinking there is a problem with the sysvol share that is not allowing the Group policy updates to take place and is causing all these error messages.

I have to laugh, this makes my network neighborhood problems look easy :)

Yes, please email me the GPO tool as I can't find it on the resource kit. Or, tell me where I can download it. Rename the file (or zip it) if it's an .exe as my firewall will block it.

I also looked at the scelog and am getting the following error. Unfortunately, I don't really know what exactly this means, but a path is a path and it's apparently not finding what it's looking for.

Error=4312 SAM Domain Error get file path

Here is my email address if you want to mail me the tool..

sschmidt@todhunter.com

Thanks!
 
Thanks..got it..now if I can just figure out how to use it :)
 
Is there a switch to keep it from running so fast? I can't see what it's doing. All the log says is :

gpotool: e ERROR: Err: Name different between Adm, GPT.INI


What in the heck does that mean?
 