GPO Error on Default Domain Policy

[Guest]

I am getting an error with the Default Domain Policy in my domain. First of
all, I am in the middle of a 2003 transition, so I have one 2003 server
operating, AD is upgraded and my 2000 domain controllers have not been taken
offline yet.

I am getting the following error :

Event Log Message from AM-DC0 at 2:49:19 PM
Error Event 1058 in the Application log
From Userenv (User NT AUTHORITY\SYSTEM)
------------------------------
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=amthinking,DC=net.
The file must be present at the location <
\\amthinking.net\sysvol\amthinking.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

So far I have checked the security settings for the default domain policy
and it looks fine. Any other suggestions?

 

[Steven L Umbach]

See the link below from www.eventid.net which may help as it shows how other
users have corrected the problem on their network.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

From a domain computer see if you can access the sysvol [it should show in
My Network Places or you can use UNC as in \\dcname\sysvol ] and drill down
to and find and read that gpt.ini file even logged on as a regular user or
not. I would also run the support tool netiag on the domain computer that is
showing the error and netdiag, dcdiag, and gpotool on the domain controller
looking for any pertinent error or warnings and check it's logs via Event
Viewer. See if you can open and configure that Group Policy as an
administrator. --- Steve

 

[Guest]

dcdiag gives me:

Performing initial setup:
[am-dc0] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please
ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AM-DC0
Starting test: Connectivity
[AM-DC0] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.
Please
ensure that you can contact the server that authenticated you..
......................... AM-DC0 failed test Connectivity

With an event log error of:

The Security System detected an authentication error for the server
LDAP/2ad178a8-16dd-4abb-ad95-73b47224743d._msdcs.amthinking.net. The failure
code from authentication protocol Kerberos was "The handle specified is
invalid
(0x80090301)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

See the link below from www.eventid.net which may help as it shows how other
users have corrected the problem on their network.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

From a domain computer see if you can access the sysvol [it should show in
My Network Places or you can use UNC as in \\dcname\sysvol ] and drill down
to and find and read that gpt.ini file even logged on as a regular user or
not. I would also run the support tool netiag on the domain computer that is
showing the error and netdiag, dcdiag, and gpotool on the domain controller
looking for any pertinent error or warnings and check it's logs via Event
Viewer. See if you can open and configure that Group Policy as an
administrator. --- Steve

I am getting an error with the Default Domain Policy in my domain. First of
all, I am in the middle of a 2003 transition, so I have one 2003 server
operating, AD is upgraded and my 2000 domain controllers have not been
taken
offline yet.

I am getting the following error :

Event Log Message from AM-DC0 at 2:49:19 PM
Error Event 1058 in the Application log
From Userenv (User NT AUTHORITY\SYSTEM)
------------------------------
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=amthinking,DC=net.
The file must be present at the location <
\\amthinking.net\sysvol\amthinking.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

So far I have checked the security settings for the default domain policy
and it looks fine. Any other suggestions?

 

[Steven L Umbach]

Interesting I have never seen that before on a dcdiag. I did a Google search
and came up with the discussion below which may be helpful as someone else
that got the same results. --- Steve

http://www.tek-tips.com/viewthread.cfm?qid=1080824&page=7
http://support.microsoft.com/?id=898060

dcdiag gives me:

Performing initial setup:
[am-dc0] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please
ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AM-DC0
Starting test: Connectivity
[AM-DC0] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.
Please
ensure that you can contact the server that authenticated you..
......................... AM-DC0 failed test Connectivity

With an event log error of:

The Security System detected an authentication error for the server
LDAP/2ad178a8-16dd-4abb-ad95-73b47224743d._msdcs.amthinking.net. The
failure
code from authentication protocol Kerberos was "The handle specified is
invalid
(0x80090301)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

See the link below from www.eventid.net which may help as it shows how
other
users have corrected the problem on their network.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

From a domain computer see if you can access the sysvol [it should show
in
My Network Places or you can use UNC as in \\dcname\sysvol ] and drill
down
to and find and read that gpt.ini file even logged on as a regular user
or
not. I would also run the support tool netiag on the domain computer that
is
showing the error and netdiag, dcdiag, and gpotool on the domain
controller
looking for any pertinent error or warnings and check it's logs via Event
Viewer. See if you can open and configure that Group Policy as an
administrator. --- Steve

I am getting an error with the Default Domain Policy in my domain. First
of
all, I am in the middle of a 2003 transition, so I have one 2003 server
operating, AD is upgraded and my 2000 domain controllers have not been
taken
offline yet.

I am getting the following error :

Event Log Message from AM-DC0 at 2:49:19 PM
Error Event 1058 in the Application log
From Userenv (User NT AUTHORITY\SYSTEM)
------------------------------
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=amthinking,DC=net.
The file must be present at the location <
\\amthinking.net\sysvol\amthinking.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

So far I have checked the security settings for the default domain
policy
and it looks fine. Any other suggestions?

 

[Guest]

I tried to install the patch. After restart I got the following error and I
am still getting the same results with dcdiag.

The Security Account Manager failed a KDC request in an unexpected way. The
error is in the data field. The account name was host/[email protected]
and lookup type 0x20.

Interesting I have never seen that before on a dcdiag. I did a Google search
and came up with the discussion below which may be helpful as someone else
that got the same results. --- Steve

http://www.tek-tips.com/viewthread.cfm?qid=1080824&page=7
http://support.microsoft.com/?id=898060

dcdiag gives me:

Performing initial setup:
[am-dc0] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security. Please
ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AM-DC0
Starting test: Connectivity
[AM-DC0] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.
Please
ensure that you can contact the server that authenticated you..
......................... AM-DC0 failed test Connectivity

With an event log error of:

The Security System detected an authentication error for the server
LDAP/2ad178a8-16dd-4abb-ad95-73b47224743d._msdcs.amthinking.net. The
failure
code from authentication protocol Kerberos was "The handle specified is
invalid
(0x80090301)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

See the link below from www.eventid.net which may help as it shows how
other
users have corrected the problem on their network.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

From a domain computer see if you can access the sysvol [it should show
in
My Network Places or you can use UNC as in \\dcname\sysvol ] and drill
down
to and find and read that gpt.ini file even logged on as a regular user
or
not. I would also run the support tool netiag on the domain computer that
is
showing the error and netdiag, dcdiag, and gpotool on the domain
controller
looking for any pertinent error or warnings and check it's logs via Event
Viewer. See if you can open and configure that Group Policy as an
administrator. --- Steve

I am getting an error with the Default Domain Policy in my domain. First
of
all, I am in the middle of a 2003 transition, so I have one 2003 server
operating, AD is upgraded and my 2000 domain controllers have not been
taken
offline yet.

I am getting the following error :

Event Log Message from AM-DC0 at 2:49:19 PM
Error Event 1058 in the Application log
From Userenv (User NT AUTHORITY\SYSTEM)
------------------------------
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=amthinking,DC=net.
The file must be present at the location <
\\amthinking.net\sysvol\amthinking.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

So far I have checked the security settings for the default domain
policy
and it looks fine. Any other suggestions?

 

[Steven L Umbach]

Is that the only error you get with dcdiag and does the rest of the tests
pass or does it fail to run?? What about netdiag, how are the results for
that one? Were you able to access the sysvol from another domain computer
and drill down to the gti.ini file?? Can you open/edit Domain Security
Policy? If not can you open Domain Controller Security Policy or any other
Group Policy? --- Steve

I tried to install the patch. After restart I got the following error and I
am still getting the same results with dcdiag.

The Security Account Manager failed a KDC request in an unexpected way.
The
error is in the data field. The account name was
host/[email protected]
and lookup type 0x20.

Interesting I have never seen that before on a dcdiag. I did a Google
search
and came up with the discussion below which may be helpful as someone
else
that got the same results. --- Steve

http://www.tek-tips.com/viewthread.cfm?qid=1080824&page=7
http://support.microsoft.com/?id=898060

dcdiag gives me:

Performing initial setup:
[am-dc0] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security.
Please
ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\AM-DC0
Starting test: Connectivity
[AM-DC0] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.
Please
ensure that you can contact the server that authenticated you..
......................... AM-DC0 failed test Connectivity

With an event log error of:

The Security System detected an authentication error for the server
LDAP/2ad178a8-16dd-4abb-ad95-73b47224743d._msdcs.amthinking.net. The
failure
code from authentication protocol Kerberos was "The handle specified is
invalid
(0x80090301)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



:

See the link below from www.eventid.net which may help as it shows how
other
users have corrected the problem on their network.

http://www.eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1

From a domain computer see if you can access the sysvol [it should
show
in
My Network Places or you can use UNC as in \\dcname\sysvol ] and drill
down
to and find and read that gpt.ini file even logged on as a regular
user
or
not. I would also run the support tool netiag on the domain computer
that
is
showing the error and netdiag, dcdiag, and gpotool on the domain
controller
looking for any pertinent error or warnings and check it's logs via
Event
Viewer. See if you can open and configure that Group Policy as an
administrator. --- Steve

I am getting an error with the Default Domain Policy in my domain.
First
of
all, I am in the middle of a 2003 transition, so I have one 2003
server
operating, AD is upgraded and my 2000 domain controllers have not
been
taken
offline yet.

I am getting the following error :

Event Log Message from AM-DC0 at 2:49:19 PM
Error Event 1058 in the Application log
From Userenv (User NT AUTHORITY\SYSTEM)
------------------------------
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=amthinking,DC=net.
The file must be present at the location <
\\amthinking.net\sysvol\amthinking.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

So far I have checked the security settings for the default domain
policy
and it looks fine. Any other suggestions?