"Windows cannot access the file gpt.ini for GPO" - Events 1058 and 1030 on XP client only.

Chris Simmons

Hello:

I see this is a somewhat common problem, however I've seen nothing
specific to my problem that works. I'm getting the following event
(along with a subsequent event 1030 referencing the 1058) on the XP
client:

*** START EVENT TEXT ***
Windows cannot access the file gpt.ini for GPO
CN={GUID},CN=Policies,CN=System,DC=Domain,DC=com. The file must be
present at the location
<\\Domain.com\sysvol\Domain.com\Policies\{GUID}\gpt.ini>. (The network
path was not found. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
*** END EVENT TEXT ***

This is a small network with a DC (W2K server), a mail server (W2K
server), and one laptop client (XP). The error occurs only on the XP
client.

I have seen messages suggesting a problem with DNS, however nothing
specific as to what problem to look for. The base host (A) records
for domain.com point to the IPs of the DC's internal (192.168.1.2) and
external NICs. When I ping domain.com from any machine, I get what I
expect: 192.168.1.2. However, at the client, I try this:
dir \\domain.com\SYSVOL
and I get "The network path was not found". On the mail server and
DC, I get what is expected:

Volume in drive \\Domain.com\SYSVOL has no label.
Volume Serial Number is XXXX-XXXX

Directory of \\Domain.com\SYSVOL

06/27/2002 05:20p <DIR> .
06/27/2002 05:20p <DIR> ..
06/27/2002 05:20p <JUNCTION> Domain.com
0 File(s) 0 bytes
3 Dir(s) 20,294,721,536 bytes free


I have re-installed the OS on the laptop client and the same issue
remains, so I'm guessing this is something I need to fix on the domain
side.

Can someone please help?

--
Thanks,
Chris Simmons
(e-mail address removed)

*** IMPORTANT - DO NOT REPLY TO ABOVE E-MAIL ADDRESS ***
It exists solely as bait for spam. If you wish to e-mail
me (and have me actually READ your e-mail), use the address
listed in the From: header.
 
Christian Schindler

Are you able to resolve any host records on the client? Seems as if the
client can't contact the DNS Server...

--

Christian Schindler
MCSA / MCSE / MCT / CCEA

Senior Consultant

NTx BackOffice Consulting Group Austria
mailto:[email protected]
 
Chris Simmons

: Are you able to resolve any host records on the client? Seems as if the
: client can't contact the DNS Server...
:
: Christian Schindler
: MCSA / MCSE / MCT / CCEA
:
: Senior Consultant
:
: NTx BackOffice Consulting Group Austria
: mailto:[email protected]

Christian:

(Thanks so much for your quick response.)

Well, I don't know what the formal test is for this, but I would imagine a
ping of each of the machines (after ipconfig /flushdns) would test it,
and all resolve to their proper IPs. I also went into nslookup and
the same success occurred. I don't think this is DNS connectivity,
however improper setup is not out of the question.

--
Thanks,
Chris Simmons
(e-mail address removed)

 
Kevin D. Goodknecht [MVP]

In Chris Simmons <[email protected]> posted a question
Then Kevin replied below:
Follow up set to microsoft.public.win2000.dns
: Hello:
:
: I see this is a somewhat common problem, however I've seen nothing
: specific to my problem that works. I'm getting the following event
: (along with a subsequent event 1030 referencing the 1058) on the XP
: client:
:
: *** START EVENT TEXT ***
: Windows cannot access the file gpt.ini for GPO
: CN={GUID},CN=Policies,CN=System,DC=Domain,DC=com. The file must be
: present at the location
: <\\Domain.com\sysvol\Domain.com\Policies\{GUID}\gpt.ini>. (The network
: path was not found. ). Group Policy processing aborted.
:
: For more information, see Help and Support Center at
: http://go.microsoft.com/fwlink/events.asp.
: *** END EVENT TEXT ***
:
: This is a small network with a DC (W2K server), a mail server (W2K
: server), and one laptop client (XP). The error occurs only on the XP
: client.
:
: I have seen messages suggesting a problem with DNS, however nothing
: specific as to what problem to look for. The base host (A) records
: for domain.com point to the IPs of the DC's internal (192.168.1.2) and
: external NICs. When I ping domain.com from any machine, I get what I
: expect: 192.168.1.2. However, at the client, I try this:
: dir \\domain.com\SYSVOL
: and I get "The network path was not found". On the mail server and
: DC, I get what is expected:
:
: Volume in drive \\Domain.com\SYSVOL has no label.
: Volume Serial Number is XXXX-XXXX
:
: Directory of \\Domain.com\SYSVOL
:
: 06/27/2002 05:20p <DIR> .
: 06/27/2002 05:20p <DIR> ..
: 06/27/2002 05:20p <JUNCTION> Domain.com
: 0 File(s) 0 bytes
: 3 Dir(s) 20,294,721,536 bytes free
:
:
: I have re-installed the OS on the laptop client and the same issue
: remains, so I'm guessing this is something I need to fix on the domain
: side.
:
: Can someone please help?

This is one problem with Multihomed DCs. In order to cure this you need to do
a couple of things.

1. Set the binding order, by going into network properties Control panel, in
the Advanced menu select Advanced Settings. Make sure the internal NIC is at
the top of the connections list and the Client for MS networks and File
sharing are only bound on the internal interface.

2. You will need to make registry entries to stop the creation of the blank
records for the external interface for both the domain name and the global
catalog record. You will then have to manually create these two blank
records. There is a KB describing this but I'm unable to find it but here is
the reg entry, you must use regedt32 to make this entry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

3. On the Interfaces tab of the DNS server properties set the DNS listener
address to the internal IP.

4. On an XP Client you need to upgrade the GPO by following this KB article
Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/?id=307900

What happens is DNS returns the IP of the external interface and file
sharing is not enabled on the interface and LDAP won't pass NAT.
 
Ace Fekay [MVP]

In
Chris Simmons said:
: Christian:
:
: (Thanks so much for your quick response.)
:
: Well, I don't know what the formal test is for this, but I would imagine a
: ping of each of the machines (after ipconfig /flushdns) would test it,
: and all resolve to their proper IPs. I also went into nslookup and
: the same success occurred. I don't think this is DNS connectivity,
: however improper setup is not out of the question.

One question, what DNS address is being used on the client?
Hope you're not using your ISP's DNS ....

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Chris Simmons

: One question, what DNS address is being used on the client?
: Hope you're not using your ISP's DNS ....
:
: --
: Regards,
: Ace
:
: Please direct all replies to the newsgroup so all can benefit.
: This posting is provided "AS IS" with no warranties.
:
: Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
: Microsoft Windows MVP - Active Directory

No, it's set up through DHCP. And it uses my own: 192.168.1.2.

--
Thanks,
Chris Simmons
(e-mail address removed)

 
Chris Simmons

Thanks so much for this response, however no luck. For the KB
article, I couldn't find one, but I did find this which seemed to
correspond: http://tinyurl.com/3ymd5


I think the key problem here is that I cannot "see" the
\\domain.com\SYSVOL share. I can open up Windows Explorer and type
\\domain.com <enter> in the address bar and the share appears in the
file list. However, when I try to double-click the share, I get
"\\domain.com\SYSVOL is not accessible. You may not have permission
to use this network resource ... The network path was not found.". I
checked the permissions on the share and Everyone has read, the
Authenticated Users and Administrators groups have full access. On
the path where the share points (C:\WINNT\SYSVOL\sysvol), Everyone
does not have any access, however Authenticated Users has read. I can
see other shares on the DC fine, using the \\domain.com\sharename
convention; it's only the \SYSVOL share that's giving the problem.

(By the way, I couldn't complete step 4 because of this very problem:
"The network path was not found" was returned when I tried to update a
domain GPO.)


--
Thanks,
Chris Simmons
(e-mail address removed)

 
Kevin D. Goodknecht [MVP]

In Chris Simmons <[email protected]> posted a question
Then Kevin replied below:
: On Sun, 15 Feb 2004 14:11:32 -0600, "Kevin D. Goodknecht [MVP]"
:
:: <SNIP>
::
:: This is one problem with Multihomed DCs in order to cure this you
:: need to do a couple of things.
::
:: 1. Set the binding order, by going into network properties Control
:: panel, in the Advanced menu select Advanced Settings. Make sure the
:: internal NIC is at the top of the connections list and the Client
:: for MS networks and File sharing are only bound on the internal
:: interface.
::
:: 2. You will need to make registry entries to stop the creation of
:: the blank records for the external interface for both the domain
:: name and the global catalog record. You will then have to manually
:: create these two blank records. There is a KB describing this but
:: I'm unable to find it but here is the reg entry, you must use
:: regedt32 to make this entry.
:: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
::
:: Registry value: DnsAvoidRegisterRecords
:: Data type: REG_MULTI_SZ
::
:: LdapIpAddress
:: GcIpAddress
::
:: 3. On the Interfaces tab of the DNS server properties set the DNS
:: listener address to the internal IP.
::
:: 4. On an XP Client you need to upgrade the GPO by following this KB
:: article Upgrading Windows 2000 Group Policy for Windows XP
:: http://support.microsoft.com/?id=307900
::
:: What happens is DNS returns the IP of the external interface and file
:: sharing is not enabled on the interface and LDAP won't pass NAT.
::
:: --
:: Best regards,
:: Kevin D4 Dad Goodknecht Sr. [MVP]
:: Hope This Helps
:: ============================
:
: Thanks so much for this response, however no luck. For the KB
: article, I couldn't find one, but I did find this which seemed to
: correspond: http://tinyurl.com/3ymd5
:
:
: I think the key problem here is that I cannot "see" the
: \\domain.com\SYSVOL share. I can open up Windows Explorer and type
: \\domain.com <enter> in the address bar and the share appears in the
: file list. However, when I try to double-click the share, I get
: "\\domain.com\SYSVOL is not accessible. You may not have permission
: to use this network resource ... The network path was not found.". I
: checked the permissions on the share and Everyone has read, the
: Authenticated Users and Administrators groups have full access. On
: the path where the share points (C:\WINNT\SYSVOL\sysvol), Everyone
: does not have any access, however Authenticated Users has read. I can
: see other shares on the DC fine, using the \\domain.com\sharename
: convention; it's only the \SYSVOL share that's giving the problem.
The NTFS permissions on the SYSVOL share are:

Administrators   Full             Folder, subfolder, files
Authenticated    RX, List, Read   Folder, subfolder, files
System           Full             Folder, subfolder, files
Owner            Full             Subfolder and files


:
: (By the way, I couldn't complete step 4 because of this very problem:
: "The network path was not found" was returned when I tried to update a
: domain GPO.)

What steps did you complete?
Did you set the bindings?
Did you make the registry entry?
Did you create the Blank Host for the private IP of the NIC that has file
sharing bound?
Did you create the Blank host with the Private IP in the
gc._msdcs.domainname sub folder?
You must only have blank records for the private IP; if you have records with
the public IPs, they need to be deleted. After you complete these steps, run
ipconfig /flushdns.
To verify use nslookup to resolve your domain name and make sure that only
the private IP is returned.
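
The nslookup verification described in the reply above can be scripted. This is an added example, not part of the original thread: it parses saved nslookup output and reports any answer for the domain name or for gc._msdcs.<domain> that lies outside the internal network. The 192.168.1.0/24 range is an assumption built around the thread's 192.168.1.2, and the sample transcript with the external address 203.0.113.10 is constructed.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed transcript (not output from the thread): a multihomed DC whose
# external NIC is still registered as a blank (same as parent folder) record.
SAMPLE_NSLOOKUP = """\
Server:  dc.domain.com
Address:  192.168.1.2

Name:    domain.com
Addresses:  192.168.1.2, 203.0.113.10

Server:  dc.domain.com
Address:  192.168.1.2

Name:    gc._msdcs.domain.com
Address:  192.168.1.2
"""


def parse_nslookup(text):
    """Return {queried name: [answer addresses]} from nslookup output.

    The Address: line that follows a Server: line is the DNS server itself,
    so addresses are collected only after a Name: line.
    """
    answers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"(?i)(default\s+)?server:", line):
            current = None  # the next Address: belongs to the DNS server
        elif re.match(r"(?i)name:", line):
            current = line.split(":", 1)[1].strip().lower()
            answers.setdefault(current, [])
        elif current is not None:
            answers[current].extend(IPV4.findall(line))
    return answers


def audit(text, domain="domain.com", internal_net="192.168.1.0/24"):
    """List (name, finding) pairs for the two blank records the thread names.

    internal_net is an assumption; set it to the subnet of the NIC that has
    file sharing bound.
    """
    net = ipaddress.ip_network(internal_net)
    answers = parse_nslookup(text)
    findings = []
    for name in (domain, "gc._msdcs." + domain):
        addrs = [ipaddress.ip_address(a) for a in answers.get(name, [])]
        if not any(a in net for a in addrs):
            findings.append((name, "no answer on the internal network"))
        findings += [(name, "delete record for %s" % a)
                     for a in addrs if a not in net]
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_NSLOOKUP):
        print(name + ": " + finding)
```

An empty result means both names resolve only to the internal address; run it on the client after ipconfig /flushdns so cached answers do not mask a stale record.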
 
Chris Simmons

My apologies. I should have been more thorough in my reply. I
completed all steps, except for #4 (because of the network not found
issue).

1. Set the bindings.
2. Made the registry entry.
3. Created a (same as parent folder) entry at domain root for the
internal IP. Also, while there was not a _gc folder, I manually
created the folders (domains?):
_gc
_gc._msdcs
_gc._msdcs.com
_gc._msdcs.com.domain
_gc._msdcs.domain

and made (same as parent folder) entries at the com.domain and domain
levels, all pointing to the internal IP.

As for nslookup, is it bad that there are two entries for domain.com,
one pointing to the DC, the other to the domain? Here's the output:

C:\Documents and Settings\Chris>nslookup
Default Server: dc.domain.com
Address: 192.168.1.2
domain.com
Server: dc.domain.com
Address: 192.168.1.2

Name: domain.com
Address: 192.168.1.2


--
Thanks,
Chris Simmons
(e-mail address removed)

 
Kevin D. Goodknecht [MVP]

In Chris Simmons <[email protected]> posted a question
Then Kevin replied below:
:
: My apologies. I should have been more thorough in my reply. I
: completed all steps, except for #4 (because of the network not found
: issue).
:
: 1. Set the bindings.
: 2. Made the registry entry.
: 3. Created a (same as parent folder) entry at domain root for the
: internal IP. Also, while there was not a _gc folder, I manually
: created the folders (domains?):
: _gc
: _gc._msdcs
: _gc._msdcs.com
: _gc._msdcs.com.domain
: _gc._msdcs.domain

You did not need to add any folders, there is a mistake in the article that
I brought to their attention but apparently it has not been corrected. There
is no underscore in the gc subdomain.

You have an _msdcs subdomain in the domain zone, in the _msdcs sub domain
there is a subdomain named gc. It is in that subdomain that you create the
blank host. This resolves by gc._msdcs.dnsdomainname.


:
: and made (same as parent folder) entries at the com.domain and domain
: levels, all pointing to the internal IP.
:
This is very confusing "com.domain"?
Can you email me a screen shot of your open forward lookup zone?
Please expand all subdomains, but have the domain zone selected so I can see
the records in your zone. I think you may have this over complicated.
Remove the nospam from my email address.

You are the second poster this week with the same behavior. It seems to be
resolving correctly.
 
sharad

Hello Chris,
If you set the binding order correct (the NIC for LAN is
at the top in the binding order) and still facing same problem,
Then just a basic question.. Is file and printer sharing enabled on that
NIC? If not enable it.

Sharad
 
Chris Simmons

: Hello Chris,
: If you set the binding order correct (the NIC for LAN is
: at the top in the binding order) and still facing same problem,
: Then just a basic question.. Is file and printer sharing enabled on that
: NIC? If not enable it.
:
: Sharad


<SNIP>

I got that (good advice from Kevin G previous) and F/P sharing is
enabled. Here's the bottom line:
dc.domain.com is the machine name
domain.com is the domain name
192.168.1.2 is the IP for dc.domain.com
ping domain.com returns 192.168.1.2
(everything cool so far)
dir \\dc.domain.com\SYSVOL returns a directory
dir \\192.168.1.2\SYSVOL returns a directory
dir \\domain.com\SYSVOL returns "The network path was not found."

I'm stumped. Kevin is being a true sport and helping me out via
e-mail. I'll post the final verdict.


--
Thanks,
Chris Simmons
(e-mail address removed)

 
Gary Mudgett [MSFT]

I haven't read all of the posts in this thread, but this is what comes to
mind regarding this issue.

Are the following services running on the server?
- Distributed File System
- TCP/IP Netbios Helper

On the client?
- TCP/IP netbios helper

297177 "Network Path Not Found" Error Message If More Than 15 Domain
http://support.microsoft.com/?id=297177

--
Gary Mudgett, MCSE, MCSA
Windows 2000/2003 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
tim0

Chris

I am having a similar issue with 2000 servers and connecting XP
clients, I would love to hear a solution to this issue as I have been
scouring for weeks now to find a resolution
 
Chris Simmons

: I haven't read all of the posts in this thread, but this is what comes to
: mind regarding this issue.
:
: Are the following services running on the server?
: - Distributed File System
: - TCP/IP Netbios Helper
:
: On the client?
: - TCP/IP netbios helper
:
: 297177 "Network Path Not Found" Error Message If More Than 15 Domain
: http://support.microsoft.com/?id=297177

All checked. However, from what I've read, DFS is apparently required
on the *client* as well. No DFS here. Not even installed. Is there
any way to manually install?
--
Thanks,
Chris Simmons
(e-mail address removed)

 
Chris Simmons

: Chris
:
: I am having a similar issue with 2000 servers and connecting XP
: clients, I would love to hear a solution to this issue as I have been
: scouring for weeks now to find a resolution

Where is the event occurring? On the servers or just the client (my
issue)?


Either way, I'll definitely post the final solution. I'm thinking
it's going to come down to getting DFS on the client.

--
Thanks,
Chris Simmons
(e-mail address removed)

 
Gary Mudgett [MSFT]

XP and 2000 Pro have the functionality built in. There is not a client to
install.

A network trace might yield something.
 
sharad

: dir \\dc.domain.com\SYSVOL returns a directory
: dir \\192.168.1.2\SYSVOL returns a directory
: dir \\domain.com\SYSVOL returns "The network path was not found."

I have win XP home and win 98 clients. (And of course on win 2003 standard
edition, AD)
DID NOT install DFS client on win 98
(and I think on XP it is already there.)
But still all including win98 clients return directory with dir
\\domain.com\SYSVOL
Moreover I stopped DFS service on the server and still it returns directory
from all clients.

So I think DFS is not the issue for the behaviour you described.
I guess on the laptop you have Win XP Pro (and not Home),
correct?
On the server in AD U&C add the laptop in the Computers,
reboot the laptop, and then try 'dir \\ ' commands

Sharad
 
