1030 & 1058 on DC, 1030 and 40691 on client

[jmorr34]

I dont know where to start.

dcdiag results:
Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: LocalNetwork\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: LocalNetwork\DC1
Starting test: Replications
......................... DC1 passed test Replications
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: Services
......................... DC1 passed test Services
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC1 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC1 failed test frsevent
Starting test: kccevent
......................... DC1 passed test kccevent
Starting test: systemlog
......................... DC1 passed test systemlog
Starting test: VerifyReferences
Some objects relating to the DC DC1 have problems:
[1] Problem: Conflict Mangled Value
Base Object: CN=DC1,OU=Domain Controllers,DC=buquet-leblanc,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Mangled Value:
CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Se
rvice,CN=System,DC=buquet-leblanc,DC=com
Recommended Action: Check that there is not more than one SYSVOL
FRS Member Object for this DC, and if so clean up the older
duplicates.

......................... DC1 failed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : buquet-leblanc
Starting test: CrossRefValidation
......................... buquet-leblanc passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... buquet-leblanc passed test CheckSDRefDom

Running enterprise tests on : buquet-leblanc.com
Starting test: Intersite
......................... buquet-leblanc.com passed test Intersite
Starting test: FsmoCheck
......................... buquet-leblanc.com passed test FsmoCheck

 

[jmorr34]

40961, not 40691.

Thanks in advance for any help!!

 

[sutors]

Looks like FRS is broken, hence policies are not replicating between DCs, hence they don't apply to your workstations. Based on that report you pasted, the computer reference backlink for sysvol replica set is invalid.

Use adsiedit and have a look at it and see if it looks normal. Look for any CNF objects or anything unusual.

The structure that you should be looking for should look similar as explained here:

http://technet2.microsoft.com/windo...a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

There's not enough information posted yet to help you out further, however here are some good resources to start:

http://technet2.microsoft.com/windo...9f14-4ff9-8c0d-ec0e555522f01033.mspx?mfr=true

http://support.microsoft.com/kb/315457

Good luck.

Lukasz
SMEFS/FRS/DFSN/DFSR

 

[jmorr34]

when I restart FRS, I get an event 3019 MRxSmb under System at the same time. Is that related?

 

[jmorr34]

the 1030 and 1058 not logged on the primary controller, but they are logged on the backup being replicated to. I dont know if that helps any. 1030 and 1058 are not logged on the master.

 

[sutors]

ok, start with comparing SYSVOL folders on both DCs.
Try accessing SYSVOL share by using DC name \\DC\SYSVOL and see what happens.

 

[jmorr34]

works for both dc1 and dc2. I tried to put a text file in a policies folder also and it replicated between the two.

 

[sutors]

can you provide more detailed info about this 1030 and 1058?

 

[jmorr34]

1030 and 1058 are logged every 5 minutes on dc2. DC2 is a backup domain controller and dc1, the master, does not have the errors.

1058:
Windows cannot access the file gpt.ini for GPO CN={5204D8A8-65C7-46AE-BBAE-7ACDC687B013},CN=Policies,CN=System,DC=oursite,DC=com. The file must be present at the location <\\oursite.com\SysVol\oursite.com\Policies\{5204D8A8-65C7-46AE-BBAE-7ACDC687B013}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

I get 1030 on some clients but not all:
1030: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

 

[sutors]

For some reason your machines cannot access the path for {5204D8A8-65C7-46AE-BBAE-7ACDC687B013} policy.

Go to the machine with the problem and try to open this file:
\\DC1\SysVol\oursite.com\Policies\{5204D8A8-65C7-46AE-BBAE-7ACDC687B013}\gpt.ini
and
\\DC2\SysVol\oursite.com\Policies\{5204D8A8-65C7-46AE-BBAE-7ACDC687B013}\gpt.ini

Check if the file exists, if yes, then check permissions.

 

[jmorr34]

file exists, permissions are correct. DC1 has same permissions as DC2 and DC1 does not get the error. What the heck?

Where can I find out exactly what policy that is?

 

[MikeKhod]

Why not just demote DC2 then promote it again.
I found it much easier to do that than waist hours on trying to fix a certain errors when it comes to DCs.
This all depends on your kick, if you like the challange then enjoy, if you just want to get it fixed then demote/ promote.

 

[jmorr34]

I found the process on how to demote and promote a domain controller because I have never done it before. Is it as simple as it sounds?

 

[theravager]

do a search on burflags and d2 & d4.

That should resync your dc if dns is fine.

Some a/v products can screwup replication as well, especially if you are using code in group policies for logon scripts etc.