Cannot find global policies Red X in place of it.

  • Thread starter Thread starter Sylvain Moreau
  • Start date Start date
S

Sylvain Moreau

Good day,

In an effort to resolve a problem with NTFRS ID:Event
ID:13555 I have aplied this solution; [4] For other
Windows 2000 servers:

(4-a) If any of the DFS alternates or other replica sets
hosted by this server do not have any other replication
partners then copy the data under its share or replica
tree root to a safe location.
(4-b) net stop ntfrs
(4-c) rd /s /q c:\winnt\ntfrs\jet
(4-d) net start ntfrs
(4-e) Copy the data from step (4-a) above to the
original location after the service has initialized (5
minutes is a safe waiting time).

Good news I no longer have the error message in m NtFrs
log.
Bad news I no longer have global domain policies it says
it cannot find the path. In my mmc console in place of
domain policies I have a big re XXX.

Help if you can...

Thanks Sylvain
 
Hi Sylvain-

Two possibilities immediately come to mind. The first is that the machine
you are trying to edit the policies from cannot reach the PDC Emulator, or
the DC that cannot. A DCDIAG /test:Knowsofroleholders would tell the tale
on that.

The other possibility is that the file portion of the group policy or
policies is missing from the SYSVOL.

Please reply if you have additional questions or concerns.
 
Tim,

Thank you for your awnser you are the firts to give feed
back, I have posted this issue in other newsgroup without
success.

(1)I ran DCDIAG /test:Knowsofroleholders = All test passed

with DCDIAG All passed except:
Starting test: MachineAccount
* MachineName is not trusted for account
delegation
......................... MachineName failed
test MachineAccount

(2)

Like previously mentionned I had replace the SYSVOL and
its content with a older version from my tape back-up. I
am thinking about booting my main DC in Directory repair
mode and replace the system state from tape back-up.
What is your opinion about this.

Thanks a lot Tim

Sylvain
Hi Sylvain-

Two possibilities immediately come to mind. The first is that the machine
you are trying to edit the policies from cannot reach the PDC Emulator, or
the DC that cannot. A DCDIAG /test:Knowsofroleholders would tell the tale
on that.

The other possibility is that the file portion of the group policy or
policies is missing from the SYSVOL.

Please reply if you have additional questions or concerns.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Sylvain Moreau said:
Good day,

In an effort to resolve a problem with NTFRS ID:Event
ID:13555 I have aplied this solution; [4] For other
Windows 2000 servers:

(4-a) If any of the DFS alternates or other replica sets
hosted by this server do not have any other replication
partners then copy the data under its share or replica
tree root to a safe location.
(4-b) net stop ntfrs
(4-c) rd /s /q c:\winnt\ntfrs\jet
(4-d) net start ntfrs
(4-e) Copy the data from step (4-a) above to the
original location after the service has initialized (5
minutes is a safe waiting time).

Good news I no longer have the error message in m NtFrs
log.
Bad news I no longer have global domain policies it says
it cannot find the path. In my mmc console in place of
domain policies I have a big re XXX.

Help if you can...

Thanks Sylvain


.
 
Hi Sylvain-

If the domain controller is not trusted for delegation that is a problem.
It amy not be THE problem at hand, but you can fix it and see. Trusted for
delegation is a setting available in two places. Please check them and see
if this helps:

1) In AD Users and Computers (DSA.MSC) go to the Domain Controllers OU, and
select the properties of the domain controller. There should be a check box
there called "Trusted for delegation". Make sure it is checked.

AND/OR

2) Edit the Default Domain Controllers Policy and go to Computer
Configuration->Local Settings->Windows Settings->Security Settings->User
Rights Assignment and make sure that the "Enterprise Domain Controllers"
security group is added to the "Enable to be trusted for delegation"
(paraphrased) user right.

Then reboot the server and see if that helps. Please repost to let us know
how that goes.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Sylvain said:
Tim,

Thank you for your awnser you are the firts to give feed
back, I have posted this issue in other newsgroup without
success.

(1)I ran DCDIAG /test:Knowsofroleholders = All test passed

with DCDIAG All passed except:
Starting test: MachineAccount
* MachineName is not trusted for account
delegation
......................... MachineName failed
test MachineAccount

(2)

Like previously mentionned I had replace the SYSVOL and
its content with a older version from my tape back-up. I
am thinking about booting my main DC in Directory repair
mode and replace the system state from tape back-up.
What is your opinion about this.

Thanks a lot Tim

Sylvain
Hi Sylvain-

Two possibilities immediately come to mind. The first is that the machine
you are trying to edit the policies from cannot reach the PDC Emulator, or
the DC that cannot. A DCDIAG /test:Knowsofroleholders would tell the tale
on that.

The other possibility is that the file portion of the group policy or
policies is missing from the SYSVOL.

Please reply if you have additional questions or concerns.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Sylvain Moreau said:
Good day,

In an effort to resolve a problem with NTFRS ID:Event
ID:13555 I have aplied this solution; [4] For other
Windows 2000 servers:

(4-a) If any of the DFS alternates or other replica sets
hosted by this server do not have any other replication
partners then copy the data under its share or replica
tree root to a safe location.
(4-b) net stop ntfrs
(4-c) rd /s /q c:\winnt\ntfrs\jet
(4-d) net start ntfrs
(4-e) Copy the data from step (4-a) above to the
original location after the service has initialized (5
minutes is a safe waiting time).

Good news I no longer have the error message in m NtFrs
log.
Bad news I no longer have global domain policies it says
it cannot find the path. In my mmc console in place of
domain policies I have a big re XXX.

Help if you can...

Thanks Sylvain


.
 
Tim; here are some results;

Response:

(1)
When trying to enable Trusted for delegation, here is
what I get: Your security settings do not allow you to
specify whether or not this account is to be trusted.
(It looks like it cannot modify actual policies)

(2)
I have done this and it does not change anything. When I
try to open Group Policy Object here is my error
message:Failed to open the Group Policy Object. You may
not have appropriate rights.

QUESTION:

I think that you are right in what you said that the
sysvol containS no policies or the wrong version of
policies. I had replace the SYSVOL and
its content with a older version from my tape back-up. I
am thinking about booting my main DC in Directory repair
mode and replace the system state from tape back-up.
What is your opinion about this?

Thanks
nb going avay for 3 to 4 days, hope to read you when I
get back.



-----Original Message-----
Hi Sylvain-

If the domain controller is not trusted for delegation that is a problem.
It amy not be THE problem at hand, but you can fix it and see. Trusted for
delegation is a setting available in two places. Please check them and see
if this helps:


1) In AD Users and Computers (DSA.MSC) go to the Domain Controllers OU, and
select the properties of the domain controller. There should be a check box
there called "Trusted for delegation". Make sure it is checked.

AND/OR

2) Edit the Default Domain Controllers Policy and go to Computer
Configuration->Local Settings->Windows Settings-
Security Settings->User
Rights Assignment and make sure that the "Enterprise Domain Controllers"
security group is added to the "Enable to be trusted for delegation"
(paraphrased) user right.

Then reboot the server and see if that helps. Please repost to let us know
how that goes.

--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

Sylvain said:
Tim,

Thank you for your awnser you are the firts to give feed
back, I have posted this issue in other newsgroup without
success.

(1)I ran DCDIAG /test:Knowsofroleholders = All test passed

with DCDIAG All passed except:
Starting test: MachineAccount
* MachineName is not trusted for account
delegation
......................... MachineName failed
test MachineAccount

(2)

Like previously mentionned I had replace the SYSVOL and
its content with a older version from my tape back- up. I
am thinking about booting my main DC in Directory repair
mode and replace the system state from tape back-up.
What is your opinion about this.

Thanks a lot Tim

Sylvain
Hi Sylvain-

Two possibilities immediately come to mind. The first
is
that the machine
you are trying to edit the policies from cannot reach the PDC Emulator, or
the DC that cannot. A DCDIAG /test:Knowsofroleholders would tell the tale
on that.

The other possibility is that the file portion of the group policy or
policies is missing from the SYSVOL.

Please reply if you have additional questions or concerns.
and
confers no rights.
Good day,

In an effort to resolve a problem with NTFRS ID:Event
ID:13555 I have aplied this solution; [4] For other
Windows 2000 servers:

(4-a) If any of the DFS alternates or other
replica
sets
hosted by this server do not have any other replication
partners then copy the data under its share or replica
tree root to a safe location.
(4-b) net stop ntfrs
(4-c) rd /s /q c:\winnt\ntfrs\jet
(4-d) net start ntfrs
(4-e) Copy the data from step (4-a) above to the
original location after the service has initialized (5
minutes is a safe waiting time).

Good news I no longer have the error message in m NtFrs
log.
Bad news I no longer have global domain policies it says
it cannot find the path. In my mmc console in place of
domain policies I have a big re XXX.

Help if you can...

Thanks Sylvain



.


.
 
Back
Top