DC Security Policy..

Sushil

When I try to open DOMAIN CONTROLLER SECURITY POLICY or
try to edit the DEFAULT DOMAIN CONTROLLER GROUP POLICY, I
get the following error: "Failed to open the Group Policy
Object. You may not have appropriate rights. Details: The
system can not find the path specified". Due to this I am
not able to edit the domain controller's group
policy. I have the following information about my DC, which
is running W2K Server.

1. My network adapter binding order is upmost, i.e. first
order.
2. The SYSVOL share doesn't contain the NETLOGON share and
there is no SCRIPTS folder within the SYSVOL and NETLOGON
share. I am getting event id 2511 with a server error
regarding "no C:\WINNT\SYSVOL\sysvol\mydomain.com\SCRIPTS"
and event id 5706 with a netlogon error with "The Netlogon
service could not create server share
C:\WINNT\SYSVOL\sysvol\pmc.db\SCRIPTS" in the system event
log. I have tried to solve this problem and checked the SYSVOL
contents as mentioned in the Microsoft KB but couldn't solve
this problem.
3. I didn't find the GUID of the Domain Controller OU within
SYSVOL\sysvol\mydomain.com\policies. What may be the
reason for this?

Please help me.
 
Buz [MSFT]

For the 2511 error you need to reshare out the scripts directory as
Netlogon. If the Scripts directory no longer exists recreate it manually.

Go through this article to recreate and/or verify correct sysvol
permissions.

290647 Event ID 1000, 1001 Is Logged Every Five Minutes in the Application
http://support.microsoft.com/?id=290647

Look for the recreatedefpol attachment in another post here to get the Default
Domain Controller policy back.

Think about disregarding the above and DCPROMoing down and then back up on
this DC. (Only if you have another healthy DC available)

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Guest

Thanks for your information. I have recreated the script
directory as the netlogon share within
C:\WINNT\SYSVOL\sysvol\mydomain.com\ and I am not getting
the netlogon and server errors now, but the problem is that
I am still unable to open Domain Controller Security
Policy when I point and click this from Administrative
Tools, which gives the same error: "Failed to open the
Group Policy
Object. You may not have appropriate rights. Details: The
system can not find the path specified". I still also
couldn't edit the Default Domain Controller Group Policy
of the Domain Controllers OU from the Active Directory Users and
Computers MMC, which gives the same error as above. I have
the replicated DC but it also has the same error as the main
DC. What could be the solution to edit the default domain
controller group policy? Hope to get a solution soon. Thanks.
 
Buz [MSFT]

Verify the structure of sysvol is intact:

253268 Group Policy Error Message When Appropriate Sysvol Contents Are
Missing
http://support.microsoft.com/?id=253268

Fix the DC if it is multihomed:

258296 Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001
http://support.microsoft.com/?id=258296

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Guest

Thanks for your information. I have already checked the
contents of the sysvol folder. For your reference, I have
all the structure as mentioned in KB253268 but the sysvol
folder is not complete either, as my DC has no SCRIPTS
folder within C:\winnt\sysvol, within
C:\winnt\sysvol\domain\ and within C:\winnt\sysvol\sysvol
share\MyDomain.com, but I have created it manually within
C:\winnt\sysvol\sysvol(sysvol share)\MyDomain.com and it
was automatically shared as the netlogon share, and I am not
getting the 2511 and 5706 errors since the manual creation of
scripts (netlogon share), but I am not able to edit the
default domain controller group policy and cannot open
domain controller security policy yet. I have also removed
and regranted the DOMAIN ADMINS group with the DSACLS
command but it didn't work either. The binding order and file
and printer sharing binding are in first order as per
KB258296. Isn't there any proper solution now? Thanks for
your help. Hope to get a reply soon with a solution.
 
Buz [MSFT]

There are many possible solutions; the solution that works for you depends
on how it broke. You may want to call MS Support if you need immediate
assistance.

1. DNS
2. Permissions messed up somewhere (lots and lots of possibilities here)
3. DFS Server Service disabled on the server.
4. Multihomed DC.
5. %SystemRoot%\Sysvol\Sysvol\DomainName\Policies\6AC....(default domain
controller policy) missing or access denied to root or subfolders
6. %SystemRoot%\Sysvol\Sysvol\DomainName\Policies\31B.....(Default domain
policy) missing or access denied to root or subfolders
7. %SystemRoot%\Sysvol\Sysvol\DomainName\Policies\6AC folder structure not
complete. (missing the .adm files for example)
8. Can't find the PDC Emulator for your domain.
9. Removed a DC from AD without DCPROMOing it down first
10. Sysvol folder isn't linked correctly (Linkd)
11. Time synchronization issue (Kerberos failures)
13. TCP/IP NetBIOS Helper Service stopped on the server.
14. MS File and Printer Sharing not bound to NIC
15. GPO is not linked to the OU.
16. Virus, trojan, unauthorized software on the server.
16. DNS

Based on the information I have been given so far I would look into option 7
first. If you have a way of getting a MPSREPORTS.cab to me I will look at
it. Remove "online" from my address to send to me.

Link to MPSREPORTS, download and run on the DC. Send me the .cab file.
http://www.microsoft.com/downloads/...7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

The MPSREPORT should assist for many of the causes I outlined above but it
is possible that it may not. I will do what I can to help you.

The sooner you get this done the more likely I will look at it today.


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
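
As an added illustration of items 5 to 7 in the list above (not part of the original posts and not a Microsoft tool), this Python sketch walks a `Sysvol\Sysvol\DomainName` folder and reports which pieces are missing or unreadable. The folder prefixes are the ones quoted in the thread; the expected contents (gpt.ini, MACHINE, USER, Adm) are an assumption about the usual Windows 2000 GPO layout and should be checked against KB253268.

```python
import os

# Prefixes exactly as quoted in the thread; the full GUIDs are not given there.
GPO_PREFIXES = {"6AC": "Default Domain Controllers Policy",
                "31B": "Default Domain Policy"}

def _entries(path):
    """Map lower-cased name -> real name; None if missing or access denied."""
    try:
        return {n.lower(): n for n in os.listdir(path)}
    except OSError:
        return None

def check_sysvol(domain_root):
    """Return findings for <SystemRoot>\\Sysvol\\Sysvol\\<DomainName>."""
    top = _entries(domain_root)
    if top is None:
        return [f"cannot read {domain_root}"]
    findings = []
    if "scripts" not in top:
        findings.append("scripts folder (NETLOGON share target) missing")
    if "policies" not in top:
        return findings + ["Policies folder missing"]
    pol_dir = os.path.join(domain_root, top["policies"])
    gpos = _entries(pol_dir) or {}
    for prefix, label in GPO_PREFIXES.items():
        match = [real for low, real in gpos.items()
                 if low.startswith("{" + prefix.lower())]
        if not match:
            findings.append(f"{label}: no folder starting with {{{prefix}")
            continue
        gpo = os.path.join(pol_dir, match[0])
        inside = _entries(gpo)
        if inside is None:
            findings.append(f"{label}: folder unreadable (access denied?)")
            continue
        # Assumed layout: gpt.ini plus MACHINE, USER and Adm subfolders.
        for need in ("gpt.ini", "machine", "user", "adm"):
            if need not in inside:
                findings.append(f"{label}: {need} missing")
        adm = _entries(os.path.join(gpo, inside["adm"])) if "adm" in inside else None
        if adm is not None and not any(n.endswith(".adm") for n in adm):
            findings.append(f"{label}: Adm folder has no .adm files")
    return findings

if __name__ == "__main__":
    import sys
    for line in check_sysvol(sys.argv[1]) or ["no structural problems found"]:
        print(line)
```

Run it on the DC with the domain folder as the only argument; an empty result rules out only the structural causes, not DNS, permissions on individual files, or the other items in the list.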
 
