Dear all, I have an error on my domain controller affecting all servers, in that Group Policy cannot update. The error is as below:
The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.
Any idea on how to resolve this error? I am on a Windows Server 2008 platform.
How are things coming along with this issue?
Hi Felix,
I did face the same problem at our customer’s site. The DC was a Windows 2008 server and the Group Policy processing used to fail on the Windows 2008 member servers. In a forum it was mentioned to enable the Remote Registry service on the DC. By default it is disabled in Windows 2008. You have to set it to Automatic and start the service. Run gpupdate /force on the member servers; it should work fine.
It worked for me; hope this works for you.
regards
vinod.s
With regard to netdiag.exe, it only supports Windows 2000 Server. I am on Server 2008. I have already posted the results in my earlier email.
Thank you dacree. Your info is very useful. On running dcdiag.exe the results came with the following warnings and errors:
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
… EXCHANGE passed test FrsEvent
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\EXCHANGE\netlogon)
[EXCHANGE] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found…
… EXCHANGE failed test NetLogons
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 01/08/2011 09:07:06
Event String:
The processing of Group Policy failed. Windows attempted to read the
file Domainsysvol%Domain%lPolicies{31B2F340-016D-11D2-945F-00C04FB984F9}gpt.ini from a domain controller and was not
successful. Group Policy settings may not be applied until this event is resolved.
This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/08/2011 09:12:06
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate
to use for smart card logons, or the KDC certificate could not be verified. Smart
card logon may not function correctly if this problem is not resolved. To correct
this problem, either verify the existing KDC certificate using certutil.exe
or enroll for a new KDC certificate.
An error event occurred. EventID: 0x00000422
Time Generated: 01/08/2011 09:57:12
Event String:
I will share the result of netdiag.exe in my next email.
Believe it or not, some of the posts from others are kind of what you have to do. The one from William is excellent. The problem (in my opinion) is that what they advised does not take into account how many DNS servers you have and what type of zone they may be hosting…
So, your structure is important, because if you have more than one DNS server with a “primary zone” copy and they are replicating, then flushing the DNS on a server and re-registering won’t do much good unless you are doing it on the DNS server with the SOA (Start Of Authority).
Since I doubt you want (I know I would not) to hand out any info on what I have to presume is a production network, I can only give you a guide based on what I would do. Please take your time when doing this and if you are unsure of any consequences, then ask first! It can only get worse if you take steps you are unsure of.
If you have more than two DNS servers running, then take one server and ensure all records are current and accurate. Then shut down the service on this server so that it cannot receive any updates after the next steps below. This ensures you have a fallback in case of fubar…
Now try this:
- Simply edit the record in question by hand. The record in AD Sites & Services is the correct one. So get the one in DNS to match the one in AD. Then test and see if all is well.
- If option #1 doesn’t do the job, then on the server that is your DNS with the SOA, go into your NIC’s TCP/IP settings and on the DNS tab set the “DNS suffix for this connection:” to match your domain. Then re-register your DNS by stopping and starting the Net Logon service. While this is the same as what someone else advised, you need to do this on the server with the SOA, and my assumption is that the server also happens to be a DC… then test and see if all is well.
- If neither #1 nor #2 can do anything for you, then read up on the info from the first link that William Acree posted. I am providing it again for ease of reference…
http://support.microsoft.com/kb/824449
The info there is what you need to apply, but with some adaptation to match your situation.
- To end my long post and ease your tired eyes from all this reading, I just want to mention a couple of things. A situation such as this most likely occurred either because there were unplanned changes to your DNS (or its settings) or a rapid series of changes to your DCs… usually your DNS is reliable and you won’t encounter issues like this every day/month/year. So once you have sorted out this issue, you will need to take note of your correct settings and document them so that in the future when troubleshooting, you will know what is supposed to be there and what is not.
If nothing helps, then please remember that you should have a DNS server with correct records that you can turn back on and replicate back out so that you do not end up in an even more unpleasant situation.
Let me know how it goes…
Start with dcdiag.exe and netdiag.exe to verify exactly what type of DNS issue you have.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
Next, read this. I know it’s not the same error but the DNS troubleshooting info is good.
http://support.microsoft.com/kb/824449
dnslint is another great tool to help you get your DNS back in order.
http://support.microsoft.com/kb/321046
Finally, here are a few more articles I like on the subject of Windows Server AD DNS:
Good luck Felix and let us know if you need more help with anything.
Thanks for the post. The problem is indeed here. The values do not match. Now, how to fix this? What do we need to know about the DNS and AD structure I have here?
Sifisowattah,
I did flush DNS and AD services as well on the particular server and reinstalled them, but the problem still persists. The IP settings are also correct.
Thanks for your response Cornel. I have confirmed that the DHCP Client service is running on the server in question. I have restarted the service just to be sure. I can also ping the servers using either IP or FQDN.
I can ping the server using FQDN from client computers as well as from the servers.
Thank you for your email. I have followed the procedure you outlined and found that the values in the DNS MMC and AD Sites and Services are different. Clearly there is a problem. Now how do I go about fixing this, cbleeyin? I await your response.
Thanks, hope this issue gets solved soon though. Seems like it’s been going on for a while.
Spot on Charles. Excellent post.
A quick way to check for this issue is to ping your server by FQDN.
Cornel5854
Might be a DNS problem. Keep in mind that your computers must have the “DHCP Client” service started; if not, they’re not going to be able to register in your DNS using the “ipconfig /registerdns” command. You’ll have to register them by hand, but there’s no guarantee that the DNS record will stay there forever.
Also keep in mind that if a computer cannot ping your domain controller(s) (ICMP is restricted/disabled by a router/switch or your ADs’ firewall), your group policies will not apply on that computer.
You can also read
Please try the following and let me know the results. You will go into your DNS Management and double-check if the server is correctly registered:
- Open up the DNS MMC.
- Navigate to the “Forward Lookup Zones\[DNS Name]\_msdcs” folder, [DNS Name] being whatever the name of your domain is…
- When you click on _msdcs and it is highlighted, you should see on the right-hand side a long alphanumeric value which is a CNAME record. This is the value I am talking about, and this is the internal reference that all machines in your domain use to find a DC…
- To verify if this is the correct value, you can leave this window open and then also open up the Active Directory Sites and Services MMC.
- Navigate to the “Default-First-Site-Name\Servers” location by clicking on the [+] sign…
- You will eventually reach a listing of all the servers for your domain. Please note that if you implemented sites in your domain, then there will be more than one site and you will have to do this for all of your sites.
- For each server there is a sub-option called “NTDS Settings”.
- Right-click on this and select the Properties option.
- After doing this a new window will pop up… You will see a field called “DNS Alias”; this is what you need to verify.
- If the DNS Alias value is the same as what you see when looking at the DNS records (in step 3), then your DNS is good; if not, then you need to fix your DNS.
- Fixing your DNS will depend on what your DNS and AD structure is like.
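The manual comparison in the post above (the “DNS Alias” on each NTDS Settings object against the GUID CNAME under _msdcs) can be scripted so it covers every site at once. The following is an added example, not code from anyone in this thread; it assumes it runs on a domain-joined Windows machine whose account can read the Configuration partition (any authenticated user can by default), and it uses only ADSI and .NET so that it does not need the ActiveDirectory module, which Windows Server 2008 does not ship. The function name Get-DcDnsAliasStatus is my own.

```powershell
# Added example (not from the thread): for every DC in the forest, compare the
# NTDS Settings objectGUID-based alias with what DNS actually returns for it.
function Get-DcDnsAliasStatus {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext.Value   # CN=Configuration,DC=...
    $forestDN = $rootDse.rootDomainNamingContext.Value      # DC=corp,DC=example

    # The <GUID>._msdcs CNAMEs live in the forest root's _msdcs zone; derive its
    # DNS name from the distinguished name (DC=corp,DC=example -> corp.example).
    $forestDns = (($forestDN -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    # One nTDSDSA (NTDS Settings) object exists per DC, under CN=Sites in every site.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('objectGUID')

    foreach ($hit in $searcher.FindAll()) {
        $ntds   = $hit.GetDirectoryEntry()
        $server = $ntds.Parent                 # CN=<server>,CN=Servers,CN=<site>,...
        $site   = $server.Parent.Parent        # CN=<site>
        $guid   = New-Object Guid (,[byte[]]$hit.Properties['objectguid'][0])

        # This is exactly the value shown in the "DNS Alias" field of NTDS Settings.
        $alias    = "$guid._msdcs.$forestDns"
        $expected = [string]$server.Properties['dNSHostName'].Value

        # GetHostEntry follows the CNAME; HostName comes back as the canonical
        # (target) name, which should be the DC's own FQDN.
        $resolved = $null
        try {
            $resolved = ([System.Net.Dns]::GetHostEntry($alias)).HostName
        } catch {
            $resolved = $null
        }

        if (-not $resolved) {
            $status = 'MISSING'     # no CNAME (or no A record behind it) in DNS
        } elseif ($resolved -ieq $expected) {
            $status = 'OK'
        } else {
            $status = 'MISMATCH'    # CNAME exists but points at the wrong host
        }

        New-Object PSObject -Property @{
            Site        = ($site.Name -replace '^CN=', '')
            Server      = ($server.Name -replace '^CN=', '')
            DnsAlias    = $alias
            ExpectedFqdn = $expected
            ResolvedTo  = $resolved
            Status      = $status
        }
    }
}

# Usage: list every DC; anything not 'OK' is the record to fix by hand or re-register.
Get-DcDnsAliasStatus | Sort-Object Site, Server |
    Format-Table Site, Server, Status, ExpectedFqdn, ResolvedTo -AutoSize
```

The lookup goes through the resolver of the machine the script runs on, so to test a particular DNS server's copy of the zone (for instance the one holding the SOA, as Charles advises), run it on that server or point its NIC at that server first. A MISSING or MISMATCH row identifies the same discrepancy the manual MMC comparison in step 3 reveals, but across all sites in one pass.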
I will also try and revert with feedback. Thanks a bunch.