Event ID 1030 and 1058. Access denied to gpt.ini

Paul D

Environment:
Domain with 2 Windows 2003 Server Standard servers.
Terminal Services servers all Windows 2003 Server Standard servers
Other member servers all Windows 2000 Server



Dear all

On our Domain servers we constantly receive the following Event IDs 1030 and 1058 in the Application Event Log:

Event ID 1030

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 1058

Windows cannot access the file gpt.ini for GPO CN={B4D56E53-91FC-4208-9A4E-5B452CD94821},CN=Policies,CN=System,DC=louverttbw1,DC=co,DC=uk. The file must be present at the location <\\louverttbw1.co.uk\SysVol\louverttbw1.co.uk\Policies\{B4D56E53-91FC-4208-9A4E-5B452CD94821}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



The information below *claims* to resolve the issue, but I am concerned about whether it would have any adverse side-effects. Does anyone know if Microsoft recommends this course of action?


I'd very much appreciate your views

Thanks
Paul

Message 5 in thread
From: Eric ([email protected])
Subject: Error 1030 1058


Newsgroups: microsoft.public.windows.group_policy
Date: 2003-12-01 12:15:38 PST


The fix is here -- the fix is here (err, workaround)!!!

Here is what you do (got this from the windows.mag
Internet forum on this issue). This worked for me (and
EVERYONE else who has tried this), and NOTHING has worked
for over 6 months until this. No question this workaround
stops the 1030/1058 errors.

Here's what you do.

Edit the hosts file on EACH domain controller. Put in the
IP address for your domain controller (the local IP
address should be first in the list) -- and then next to
the IP address do NOT put the host name, but put the name
of the domain. Then list the IP address for EACH domain
controller in your domain on that same hosts file (with
the domain name next to it). In other words, your hosts
file should look like this (if you have just two domain
controllers):

121.121.121.121 yourdomainname.com

121.121.121.122 yourdomainname.com

Where 121.121.121.121 = the ip address of the local domain
controller for THIS hosts file.

Where 121.121.121.122 = the ip address of your OTHER
domain controller

yourdomainname.com = the name of your domain

The list would be reversed (as far as IP address) on the
hosts file on the other domain controller. Yes, you need
a hosts file on EACH domain controller.

Try it -- it works.

Let me know if you don't know how to find the hosts file.
 
Ace Fekay [MVP]

Paul D said:
Environment:
Domain with 2 Windows 2003 Server Standard servers.
Terminal Services servers all Windows 2003 Server Standard servers
Other member servers all Windows 2000 Server



Dear all

On our Domain servers we constantly receive the following Event IDs
1030 and 1058 in the Application Event Log:

Event ID 1030

Windows cannot query for the list of Group Policy objects. Check the
event log for possible messages previously logged by the policy
engine that describes the reason for this.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event ID 1058

Windows cannot access the file gpt.ini for GPO
CN={B4D56E53-91FC-4208-9A4E-5B452CD94821},CN=Policies,CN=System,DC=louverttbw1,DC=co,DC=uk.
The file must be present at the location
<\\louverttbw1.co.uk\SysVol\louverttbw1.co.uk\Policies\{B4D56E53-91FC-4208-9A4E-5B452CD94821}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
<snip>


Here's some info on it:
http://www.eventid.net/display.asp?eventid=1030&eventno=1542&source=Userenv&phase=1

Also, can you give us some configuration to better assist? The list below
will greatly help us to diagnose this:

1. Unedited ipconfig /all from the DCs
2. Name of your AD DNS Domain name (as it shows up in ADUC)
3. Please specify if the DC is multihomed.
4. Any other services running on the DC, such as RRAS, DNS, etc.
5. Was this DC upgraded from NT4?
6. Any alterations to the security policies (IpSec, SMB signing behavior,
etc).
7. Any services that have been disabled (NetBios Helper, DHCP Client
service, any at all).
8. Are any of these services disabled: MS Client, F&P Services, NetBIOS?
9. Is DFS running?

Thanks!





--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
James Raines

Hello Paul,

Thank you for choosing Microsoft and for using our Newsgroups. I have
reviewed the information you have provided this far. My understanding of
the issue is the following:

You have 2 Win2k3 DC's and are getting the Userenv 1058 and Scecli 1030
errors and would like to know how to resolve this issue.

RESOLUTION:
============

There are many things that could cause this issue. However, I found this
article that applies to Win2k3:

830676 Group Policy processing fails with Events 1058 and 1030 in Windows
http://support.microsoft.com/?id=830676

Each Group Policy has a GUID associated with it. In your case the one
that's failing is: {B4D56E53-91FC-4208-9A4E-5B452CD94821} which isn't a
default policy. This tells me you have created additional Group Policies.
Have you recently created a new policy and started receiving these errors?
When did this start happening?

A few other things to check:

Make sure you aren't getting any errors in the File Replication event logs
Make sure the Distributed File System service is running on all DC's.
Make sure the Sysvol and Netlogon folders are shared on the DC's, if they
aren't DO NOT MANUALLY SHARE THEM OUT!. When the DC is working properly
this will be shared automatically.


Do not use HOST files. If DNS is working properly there is no need to use
them.


Best Regards,

James Raines
Microsoft Corporation
 
Paul D

Hi James - thank you for your very professional email!
I had tried running dfsutil /PurgeMupCache on both servers before, but the
problem was not resolved. I will try this again and let you know.

I will also relay the other information as soon as I get back to the office
on Monday.
Make sure you aren't getting any errors in the File Replication event logs
Make sure the Distributed File System service is running on all DC's.
Make sure the Sysvol and Netlogon folders are shared on the DC's, if they
aren't DO NOT MANUALLY SHARE THEM OUT!. When the DC is working properly
this will be shared automatically.

Thanks again
Paul
 
Paul D

Thanks, Ace
That is a much more informative page than I had found on the EventID
website.
I will go through these on Monday when I return to the office.


Regarding the questions:
1. Unedited ipconfig /all from the DCs I can do this on Monday.
2. Name of your AD DNS Domain name (as it shows up in ADUC)
I'd prefer not to post this for security reasons.
3. Please specify if the DC is multihomed.
Definitely not - clients, Protocols and Services have been unbound from
other adapters, and the adapters are disabled in hardware manager
4. Any other services running on the DC, such as RRAS, DNS, etc. Only DNS
5. Was this DC upgraded from NT4?
No from Windows 2000 Server to Windows 2003 Server Standard
6. Any alterations to the security policies (IpSec, SMB signing behavior,
etc). Maybe...
7. Any services that have been disabled (NetBios Helper, DHCP Client
service, any at all). Will check
8. Are any of these services disabled: MS Client, F&P Services, NetBIOS? Will check
9. Is DFS running?
Yes, on both DCs


Thank you very much for your valued input!

Paul
 
Ace Fekay [MVP]

Paul D said:
Thanks, Ace
That is a much more informative page than I had found on the EventID
website.
I will go through these on Monday when I return to the office.


Regarding the questions:

I'd prefer not to post this for security reasons.
Definitely not - clients, Protocols and Services have been unbound
from other adapters, and the adapters are disabled in hardware manager
No from Windows 2000 Server to Windows 2003 Server Standard
Yes, on both DCs


Thank you very much for your valued input!

Paul

Hi Paul,

I can understand not posting your domain name. If it's a private name, it
won't really matter much. I will assume from your original post with the
error message that
"louverttbw1.co.uk" is your domain name. I am looking for correlation with
this name that it matches the Primary DNS Suffix (from the ipconfig /all)
and with the zone in DNS, as long as updates are enabled and the SRV records
exist. Also, wanted to make sure that you are not using your ISP's DNS
servers in your IP properties (also looking at the ipconfig /all).

As for DFS, I believe that article that James posted for you should help,
and may be the main issue going on here. Looking forward to confirm services
and other things running on your machine.

:)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Glenn L

Paul,

The event you included is for a custom GPO
CN={B4D56E53-91FC-4208-9A4E-5B452CD94821
Is this the only GPO that is failing?

Nowhere in your post did you indicate whether you checked the permissions on
the gpt.ini file the error is complaining about.
Have you checked the parms on the file for authenticated users read access?

The Host file workaround will not work in this case. You are getting access
denied error codes, not name resolution errors.
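
The distinction drawn in the post above can be read straight out of the event text. The following is an added example, not part of the original thread: it parses a Userenv 1058 message, extracts the GPO GUID and SYSVOL path, and classifies the reason in parentheses. The class labels and hints are hypothetical; the two sample messages are the ones quoted by posters in this thread.

```python
import re

# Well-known GUIDs of the two default GPOs (the same in every AD domain).
DEFAULT_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
# (reason substring, failure class, where to look first); labels are hypothetical.
REASONS = [
    ("access is denied", "access_denied",
     "ACLs on the GPO folder and gpt.ini; the share was reached, so not DNS"),
    ("network location cannot be reached", "unreachable",
     "DNS, DFS client and SMB connectivity to the SYSVOL share"),
]
EVENT_RE = re.compile(
    r"GPO\s+CN=\{(?P<guid>[0-9A-Fa-f-]{36})\}.*?"       # GPO object in AD
    r"<(?P<unc>\\\\[^>]+)>\.\s*\((?P<reason>[^)]*)\)")   # SYSVOL path, reason

# Event 1058 texts as quoted in this thread.
SAMPLES = [
    r"Windows cannot access the file gpt.ini for GPO CN={B4D56E53-91FC-4208-9A4E-5B452CD94821},CN=Policies,CN=System,DC=louverttbw1,DC=co,DC=uk. The file must be present at the location <\\louverttbw1.co.uk\SysVol\louverttbw1.co.uk\Policies\{B4D56E53-91FC-4208-9A4E-5B452CD94821}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.",
    r"Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=anderson,DC=local. The file must be present at the location <\\anderson.local\sysvol\anderson.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network location cannot be reached. For information about network troubleshooting, see Windows Help. ). Group Policy processing aborted.",
]

def triage_1058(message):
    """Return GUID, GPO kind, UNC path and failure class for one 1058 message."""
    text = " ".join(message.split())          # undo hard line wraps
    m = EVENT_RE.search(text)
    if m is None:
        return None                           # not a recognisable 1058 message
    guid = m.group("guid").upper()
    reason = m.group("reason").strip().lower()
    for needle, cls, hint in REASONS:
        if needle in reason:
            break
    else:
        cls, hint = "other", "read the reason text; enable userenv logging"
    return {"guid": guid, "gpo": DEFAULT_GPOS.get(guid, "custom GPO"),
            "unc": m.group("unc"), "class": cls, "hint": hint}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_1058(sample))
```
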
 
Paul D

Glenn

Thanks for your contribution. Yes, I did check that the policy existed in
the sysvol directory structure, and that permissions were the same as all
others.
You beat me to it, as I was going to post the omission from my previous post
that, yes, we have other custom policies, but this is the only one where the
access is denied errors are occurring for the gpt.ini. I feel this is a
significant observation - could it mean that the GPO is corrupt? I wouldn't
like to have to recreate the GPO from scratch, as it contains many
configuration settings. **If it is corrupt**, why can I browse it in the
GPO configuration MMC?

It didn't seem logical that the hosts file workaround would work, but some
postings indicated that it would. Thanks for clearing that up!

Kind regards
Paul
 
Glenn L

Check the parms on {B4D56E53-91FC-4208-9A4E-5B452CD94821} folder as well.
Authenticated users needs read access.

If you add a test workstation to the OU that contains this policy, does it
also get an access denied?

You can enable userenv diagnostic logging to possibly get more detail on
the access denied problem.
http://support.microsoft.com/default.aspx?scid=kb;en-us;221833

Recreating the policy does not have to be very difficult.
You can use GPMC to back up a policy.
You can then create a new policy and import the settings from the backup.
I don't recall whether the security settings come with the import, but I
don't think so.
 
the yeti

<----Snip>

I am having the same problem here.

I have a Win2K3 Server. Configured for routing and Remote Access,
DHCP and DNS. Everything appears to work properly.

My group policy works perfectly on a Win2k Client. It works fine on
the 2k3 server itself. But my XP client will not work. I get 2
copies of the 1058 and 1030 error in the event log of the XP client
every time I run gpupdate.

I can ping anderson.local and it resolves to 192.168.1.1
\\anderson.local won't work on the XP client, but it does on the
2k3Server.

I have changed the XP and 2k3 registry keys for disable DFS to 0.

Do I need to run that Dfsutil on the XP client?

Thank You for your help.



Extra Details:

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=anderson,DC=local.
The file must be present at the location
<\\anderson.local\sysvol\anderson.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(The network location cannot be reached. For information about network
troubleshooting, see Windows Help. ). Group Policy processing aborted.


C:\>ping anderson.local

Pinging anderson.local [192.168.1.1] with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=128


C:\>ping server-s1

Pinging server-s1.anderson.local [192.168.1.1] with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
 
Kevin D. Goodknecht Sr. [MVP]

the yeti said:
<----Snip>

I am having the same problem here.

I have a Win2K3 Server. Configured for routing and Remote Access,
DHCP and DNS. Everything appears to work properly.

My group policy works perfectly on a Win2k Client. It works fine on
the 2k3 server itself. But my XP client will not work. I get 2
copies of the 1058 and 1030 error in the event log of the XP client
every time I run gpupdate.

I can ping anderson.local and it resolves to 192.168.1.1
\\anderson.local won't work on the XP client, but it does on the
2k3Server.

I have changed the XP and 2k3 registry keys for disable DFS to 0.

Do I need to run that Dfsutil on the XP client?

Thank You for your help.



Extra Details:

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=anderson,DC=local.
The file must be present at the location
<\\anderson.local\sysvol\anderson.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(The network location cannot be reached. For information about network
troubleshooting, see Windows Help. ). Group Policy processing aborted.


C:\>ping anderson.local

Pinging anderson.local [192.168.1.1] with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=128


C:\>ping server-s1

Pinging server-s1.anderson.local [192.168.1.1] with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

RRAS causes connection issues when running on a DC. Do the modifications in
the KB on the DC. That said, these two events can be caused by several
issues. All you can do is trial and error your way through them.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

830063 - Name resolution and connectivity issues occur on Windows 2000
domain controllers that have the Routing and Remote Acce:
http://support.microsoft.com/default.aspx?scid=kb;en-us;830063
292822 - Name resolution and connectivity issues on a Routing and Remote
Access Server that also runs DNS or WINS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822
 
Jerry J.F. Wu

The fix is here -- the fix is here (err, workaround)!!!

Here is what you do (got this from the windows.mag
Internet forum on this issue). This worked for me (and
EVERYONE else who has tried this), and NOTHING has worked
for over 6 months until this. No question this workaround
stops the 1030/1058 errors.

Here's what you do.

Edit the hosts file on EACH domain controller. Put in the
IP address for your domain controller (the local IP
address should be first in the list) -- and then next to
the IP address do NOT put the host name, but put the name
of the domain. Then list the IP address for EACH domain
controller in your domain on that same hosts file (with
the domain name next to it). In other words, your hosts
file should look like this (if you have just two domain
controllers):

121.121.121.121 yourdomainname.com

121.121.121.122 yourdomainname.com

Where 121.121.121.121 = the ip address of the local domain
controller for THIS hosts file.

Where 121.121.121.122 = the ip address of your OTHER
domain controller

yourdomainname.com = the name of your domain

The list would be reversed (as far as IP address) on the
hosts file on the other domain controller. Yes, you need
a hosts file on EACH domain controller.

Try it -- it works.

Let me know if you don't know how to find the hosts file.

Thanks, it really works. Could you let me know why?
 