Active Directory Group Policy DOES NOT work ANY MORE !

Guest

Hello, my name is Paul.
For some reason my Group Policy stopped working!
It started 2 days ago. I did not do anything with AD and a PDC. When I came
to look at what happened, there were no logs =( till the moment I restarted the PDC,
and now when I try to edit my policy in AD (when I logged on to my PDC and
opened MMC) I cannot open or edit it! It says MMC cannot open the selected
file!
But when I open it remotely, MMC opens it and I can see the settings of my
Group Policies. When my domain users log on, GPs are not applied =( In the SYSVOL
folder I can see this GP with its UN.
I tried to create a new GP. It was created, but when I finished it I tried
to click EDIT on the newly created GP and - MMC CANNOT OPEN THE SELECTED FILE
!!!
Still no serious warnings in my log.
Has anyone had this kind of problem?
What should I do?
Thank you in advance
 
Ace Fekay [MVP]

Right off the bat, this sounds almost like a DNS issue. Can you verify that
you are only using your internal DNS servers in IP properties (no ISP's)?
Is your domain name a single label name by chance? And there are no Event
log errors in any of your logs?



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace Fekay [MVP]

kajama said:
By the way, I forgot to mention that I cannot launch dcdiag. It says
that there is some kind of error in a DLL and it cannot execute.
And I found in AD management, under System/MicrosoftDNS/, some kind of
duplicate record of my domain name but with some symbols like squares
and etc. I deleted it.
Did I do the right thing?
Thank you in advance

That can be part of the issue. That may have been a CNF record (conflicting
record). Yes, delete it!

What DLL did the message reference? Did you look it up at www.technet.com or
www.google.com to see what it's about?

I would also change the IP from the loopback to the actual IP address of
this server.

And you say there are no errors in the Event viewer?

Ace
 
Guest

Sorry for the duplicate.
More errors in the application log: EVENT ID 1000
but I can see such a file in my SYSVOL folder!

Here is what I have in my SYSVOL after a restore:

15.09.2004 21:46 <DIR> ..
15.09.2004 22:15 <DIR> NtFrs_PreExisting___See_EventLog
15.09.2004 21:54 <DIR> Policies
15.09.2004 21:45 <DIR> Policies_NTFRS_3789ca55

Maybe the problem discussed with a GC applies to me?
My ipconfig /all:

Host Name . . . . . . . . . . . . : addc1
Primary DNS Suffix . . . . . . . : coscom.gsm
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : coscom.gsm

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100+ Management Adapter
Physical Address. . . . . . . . . : 00-02-B3-23-C2-3C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.13.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.13.32
DNS Servers . . . . . . . . . . . : 127.0.0.1

127.0.0.1, as I mentioned, was working 100% for almost 3 years!

Thank you in advance
 
Ace Fekay [MVP]

Hi Kajama,

Thanks for the updates. Not really sure if you needed to restore the
machine, just to find out what that error was. I looked it up and came up
with something saying your dcdiag tool is older or not the same service pack
level.
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20585683.html


As for the other errors:
http://www.eventid.net/display.asp?eventid=16650&eventno=896&source=SAM&phase=1

The 1000's are usually based on a DNS lookup issue. Under your coscom.gsm
zone in DNS, do the SRV records exist for this AD domain (folder names are
_msdcs, _sites, _udp, _tcp)?

In ADUC, Advanced View, do you see an NTFRS subscription folder? Are there
any entries with CNF still in them? How about under the Microsoft DNS
services folder?


--
Regards,
Ace

 
Guest

Hello Ace, thank you for your support,
but I'm still having problems =)
http://www.coscom.uz/kajama/ad
Here I posted some pics from the DNS server and ADUC.
I hope that they can help, because today I have 1 more problem =) My Exchange
server says that it cannot find a GC server and does not start =( So ...
a lot of problems came at 1 time,
but I hope that everything is going to be all right =)
About DCDIAG.EXE, they say that the SP should fix this problem. So what do you
think? Should I reinstall SP4 on my PDC?
And today I could not access my SYSVOL folder! I looked at the permissions and
there was nothing! So I made it inherit from the parent,
but still these messages:
And 1 more: I tried to join a new computer to my domain. Joined, but NO
COMPUTER account in ADUC and an error message:
.......... still going =)
Thank you in advance. I mean it
 
Guest

Hmm, I edited my Default Domain Controllers Policy and it is applied to my
domain, but I still cannot open it on my PDC. I edited it remotely from ADUC.
Maybe I should try to create a new policy for a restricted group and see
what will happen.
 
Guest

That's IT !!!! Done. I found and fixed the problem.
Thank you for your assistance.
That's what I did: cleaned the AD scheme using the ADSI utility, deleted CNF
entries, then I downloaded Group Policy Management from Microsoft and using
it I found my CNF policy records and deleted them. And after this I created
2 new policies for a domain controller, default and restricted, and it is
working now.
Thanks a lot guys
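
Added example, not part of the original posts: a read-only check that lists the conflict (CNF) objects the thread talks about from an LDIF directory export, so they can be reviewed before anything is deleted. It assumes an ldifde-style export; the function names, the GUID and the sample entries are constructed for illustration, and only the coscom.gsm domain name comes from the thread. LDIF base64-encodes any DN that contains a line feed, which conflict names do, so the `dn::` form has to be decoded before the marker is visible.

```python
import base64
import re

# A replication conflict renames the losing object to
# "<name><LF>CNF:<objectGUID>". The LF appears as "\0A" in escaped DN strings.
CNF_RE = re.compile(r"(?:\n|\\0A)CNF:([0-9a-fA-F-]{36})")

def iter_dns(ldif_text):
    """Yield every entry DN, unfolding lines and decoding base64 'dn::'."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("dn:: "):        # base64: DN holds LF or non-ASCII
            yield base64.b64decode(line[5:]).decode("utf-8", "replace")
        elif line.startswith("dn: "):
            yield line[4:]

def find_conflicts(ldif_text):
    """Return (original_name, conflict_guid, printable_dn) per CNF object."""
    hits = []
    for dn in iter_dns(ldif_text):
        m = CNF_RE.search(dn)
        if m:
            # RDN that carries the marker (escaped commas are not handled)
            rdn = dn[:m.start()].rsplit(",", 1)[-1]
            hits.append((rdn.split("=", 1)[1], m.group(1).lower(),
                         dn.replace("\n", "\\0A")))
    return hits

def sample_ldif():
    """Constructed export: one healthy DNS zone object and one CNF duplicate."""
    base = "CN=MicrosoftDNS,CN=System,DC=coscom,DC=gsm"
    bad = "DC=coscom.gsm\nCNF:11111111-2222-3333-4444-555555555555," + base
    b64 = base64.b64encode(bad.encode()).decode()
    return ("dn: DC=coscom.gsm," + base + "\nobjectClass: dnsZone\n\n"
            "dn:: " + b64[:60] + "\n " + b64[60:] + "\nobjectClass: dnsZone\n")

if __name__ == "__main__":
    for name, guid, dn in find_conflicts(sample_ldif()):
        print(f"conflict copy of {name!r} (GUID {guid}): {dn}")
```

The embedded line feed is also why such a duplicate can show up with unprintable symbols in a management console.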
 
Guest

BTW, I forgot to say what the problem was with the policies conflicting. When I
installed GPM from MS it said that the permissions on my policy are not the same
as in AD, and it fixed it <--- that was the problem, I think. But why, I don't
know. Maybe a bug? And MMC on my DC still does not open policy files.
Thank all of you
 
Ace Fekay [MVP]

kajama said:
Hello Ace, thank you for your support,
but I'm still having problems =)
http://www.coscom.uz/kajama/ad
Here I posted some pics from the DNS server and ADUC.
I hope that they can help, because today I have 1 more problem =) My
Exchange server says that it cannot find a GC server and does not
start =( So ... a lot of problems came at 1 time,
but I hope that everything is going to be all right =)
About DCDIAG.EXE, they say that the SP should fix this problem. So what do
you think? Should I reinstall SP4 on my PDC?
And today I could not access my SYSVOL folder! I looked at the permissions
and there was nothing! So I made it inherit from the parent,
but still these messages:
And 1 more: I tried to join a new computer to my domain. Joined, but
NO COMPUTER account in ADUC and an error message:
......... still going =)
Thank you in advance. I mean it

GC not accessible? Those pics look fine, the SRV records exist. Look under
the _msdcs folder for the _gc folder and see if all the GCs are entered.
Since you have multiple sites, I would of course suggest that you have a GC
created in each Site.

As for DCDIAG, just expand the service pack file (w2ksp4.exe /x) and grab it
out of there. If you already installed it, then it would have updated the
adminpak.msi file in system32. Look at the date on the file. If newer around
June, 2004, that would be the latest. Just reinstall it.

Ace
 
Ace Fekay [MVP]

kajama said:
BTW, I forgot to say what the problem was with the policies conflicting.
When I installed GPM from MS it said that the permissions on my policy
are not the same as in AD, and it fixed it <--- that was the problem, I
think. But why, I don't know. Maybe a bug? And MMC on my DC still does not
open policy files.
Thank all of you

I'm glad that you fixed it. As for the permissions, maybe something you
changed on the Default Domain policy could have caused that? Not sure. I
don't think that thing is a bug, but then you never know!

Ace
 
