GPOs not syncing plus other issues

derek pearson

The horrid story thus far.
Last Monday I DCPROMO'd a DC in a child domain down to a
member server in the parent domain. DCPROMO ran with
no errors.
I then reformatted said server and rebuilt it as a 2000
advanced server in the parent domain while retaining the
same name and IP address.
By Thursday there were the following errors coming from
the newly rebuilt server plus the other member servers in
the parent domain:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/8/2003
Time: 1:32:44 PM
User: NT AUTHORITY\SYSTEM
Computer: STAPH
Description:
Windows cannot access the registry information at
\\soe.cse.ucsc.edu\sysvol\soe.cse.ucsc.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
with (1240).

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/8/2003
Time: 12:54:32 PM
User: NT AUTHORITY\SYSTEM
Computer: CABFRANC
Description:
The Group Policy client-side extension Security was passed
flags (17) and returned a failure status code of (3).

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1001
Date: 7/8/2003
Time: 12:54:32 PM
User: N/A
Computer: CABFRANC
Description:
Security policy cannot be propagated. Cannot access the
template. Error code = 3.
\\soe.cse.ucsc.edu\sysvol\soe.cse.ucsc.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

These are repeating.
So I did some digging and checked the permissions on the
SYSVOL and its contents on both the parent domain DCs.
Everything looked fine. I then ran replmon and found that
one of the DCs (infrastructure master) was having version
mismatches between the DS and SYSVOL in regards to the
Default Domain GPO and Default Domain Controllers GPO. The
other DC is running fine. The gpotool output shows the
following:

Domain: soe.cse.ucsc.edu
Validating DCs...
pinot.soe.cse.ucsc.edu: OK
cabernet.soe.cse.ucsc.edu: OK
Available DCs:
pinot.soe.cse.ucsc.edu
cabernet.soe.cse.ucsc.edu
Searching for policies...
Found 7 policies
============================================================
Policy {0D735E8F-9026-4050-9A44-DEC41BC68D06}
Policy OK
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: Baseline Policy
Created: 8/23/2002 11:19:23 PM
Changed: 8/23/2002 11:25:51 PM
DS version: 0(user) 1(machine)
Sysvol version: 0(user) 1(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: Baseline Policy
Created: 8/23/2002 11:19:23 PM
Changed: 8/23/2002 11:22:34 PM
DS version: 0(user) 1(machine)
Sysvol version: 0(user) 1(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {1FD1B818-F395-43F5-AF38-950501493595}
Policy OK
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: IIS Server Incremental
Created: 8/23/2002 11:37:42 PM
Changed: 8/23/2002 11:42:50 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: IIS Server Incremental
Created: 8/23/2002 11:37:42 PM
Changed: 8/23/2002 11:38:34 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {2FF2867B-F7FA-4B16-A811-858BBF649DC5}
Error: Cannot access
\\pinot.soe.cse.ucsc.edu\sysvol\soe.cse.ucsc.edu\policies\{2FF2867B-F7FA-4B16-A811-858BBF649DC5},
error 2
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: New Group Policy Object
Created: 4/24/2003 5:07:37 PM
Changed: 4/24/2003 5:12:01 PM
DS version: 0(user) 0(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: New Group Policy Object
Created: 4/24/2003 5:07:37 PM
Changed: 4/24/2003 5:07:37 PM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pinot.soe.cse.ucsc.edu,
DS=65597, sysvol=65586
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: Default Domain Policy
Created: 8/13/2002 12:24:43 AM
Changed: 7/7/2003 9:42:03 PM
DS version: 1(user) 61(machine)
Sysvol version: 1(user) 50(machine)
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: Default Domain Policy
Created: 8/13/2002 12:24:43 AM
Changed: 7/7/2003 9:37:47 PM
DS version: 1(user) 61(machine)
Sysvol version: 1(user) 61(machine)
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {34BE395C-27CE-401B-A07A-71492E9477B2}
Policy OK
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: File & Print Incremental
Created: 8/23/2002 11:35:44 PM
Changed: 8/23/2002 11:37:31 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: File & Print Incremental
Created: 8/23/2002 11:35:44 PM
Changed: 8/23/2002 11:37:01 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Version mismatch on pinot.soe.cse.ucsc.edu, DS=1231,
sysvol=26
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: Default Domain Controllers Policy
Created: 8/13/2002 12:24:43 AM
Changed: 7/3/2003 12:05:02 AM
DS version: 0(user) 1231(machine)
Sysvol version: 0(user) 26(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: Default Domain Controllers Policy
Created: 8/13/2002 12:24:43 AM
Changed: 7/3/2003 12:02:43 AM
DS version: 0(user) 1231(machine)
Sysvol version: 0(user) 1231(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {BD710317-7C6E-41EB-BA49-30F4BB3C2ADD}
Policy OK
Details:
------------------------------------------------------------
DC: pinot.soe.cse.ucsc.edu
Friendly name: Infrastructure Incremental
Created: 8/23/2002 11:38:43 PM
Changed: 8/23/2002 11:42:50 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: cabernet.soe.cse.ucsc.edu
Friendly name: Infrastructure Incremental
Created: 8/23/2002 11:38:43 PM
Changed: 8/23/2002 11:39:46 PM
DS version: 0(user) 2(machine)
Sysvol version: 0(user) 2(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found


In addition to this I am seeing unknown user profiles on
both DCs.

I think it is a permissions thing somewhere but I'm not
sure. I did clean up DNS after I dcpromo'd the one server
down to a member server and there is apparent metadata
floating about. Don't know if there are still DNS issues or what.
Things still replicate in AD and the end user has not been
affected so far.
Please, if anyone could shed some light on this issue and
maybe point me in the right direction, I would be very
grateful.
Regards,
Derek Pearson
Sysadmin for School of Engineering UCSC
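
An added example, not part of the original post: a small Python parser that reads gpotool text output in the layout shown above and lists every DC whose SYSVOL copy of a GPO is missing or behind the directory copy. It also splits the combined numbers from the "Version mismatch" lines (user version in the high 16 bits, machine version in the low 16 bits). The sample input is abridged from the post's output, and the function names are illustrative.

```python
import re

# Abridged from the gpotool output in the post (two of the seven policies).
SAMPLE = """\
Policy {2FF2867B-F7FA-4B16-A811-858BBF649DC5}
DC: pinot.soe.cse.ucsc.edu
DS version: 0(user) 0(machine)
Sysvol version: not found
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Version mismatch on pinot.soe.cse.ucsc.edu,
DS=65597, sysvol=65586
DC: pinot.soe.cse.ucsc.edu
DS version: 1(user) 61(machine)
Sysvol version: 1(user) 50(machine)
DC: cabernet.soe.cse.ucsc.edu
DS version: 1(user) 61(machine)
Sysvol version: 1(user) 61(machine)
"""

VER = re.compile(r"^(DS|Sysvol) version:\s*(?:(\d+)\(user\)\s+(\d+)\(machine\)|not found)", re.I)

def split_version(combined):
    """Split a combined GPO version number into (user, machine)."""
    return combined >> 16, combined & 0xFFFF

def find_mismatches(text):
    """Return (policy GUID, DC, DS version, Sysvol version) for each out-of-sync DC."""
    out, policy, dc, ds = [], None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Policy {"):
            policy = line.split()[1]
        elif line.startswith("DC:"):
            dc, ds = line.split(":", 1)[1].strip(), None
        else:
            m = VER.match(line)
            if not m:
                continue
            # None means gpotool printed "not found" for this copy
            ver = (int(m.group(2)), int(m.group(3))) if m.group(2) else None
            if m.group(1).lower() == "ds":
                ds = ver
            elif ver != ds:  # Sysvol line: compare with the DS line just seen
                out.append((policy, dc, ds, ver))
    return out

if __name__ == "__main__":
    for row in find_mismatches(SAMPLE):
        print(row)
    print(split_version(65597), split_version(65586))
```

Run against the full output, this isolates pinot as the only DC with stale or missing SYSVOL content, which is where file replication of SYSVOL should be examined.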
 
