trent1980
IS-IT--Management
- Dec 18, 2002
- 36
i have a windows 2003 domain with 2 dc's (dc00 and dc01). dc00 contains all the fsmo roles and dc01 is a global catalogue as well as dc00.
every 5 minutes on dc00 i get a 1030 and 1058 Userenv error as stated in microsoft's article ( - windows cannot query for the list of group policy objects
I followed microsoft's fix with the default domain policy and registry, unfortunately i didn't have to make any changes as my settings already match microsoft's article. when i run gpupdate /force, it will log the 1030 and 1058 events as well as every 5 minutes ... but only on dc00, not dc01.
when i run rsop.msc and it queries, i get a red x through the user settings, but not the computer settings.
now for the questions / puzzling part --
just for kicks, i changed a setting in the default domain policy mmc on dc00 and then changed it right back ... ran the gpupdate /force and i got the success event 1704 as well as rsop.msc doesn't have any errors. 5 minutes later, it logs both 1030 and 1058 again and any gpupdate /force after that will log them again.
obviously, something is overwriting and i have an issue of synchronizing, but i can't figure out where / how -- all articles i find on microsoft seem to have some good ideas for changes that i can make, services to restart, reboots ... but all the suggestions are already the default config on my dc00. dc01 looks identical to dc00 from my perspective, yet it logs no errors in the event log.
let me know what other info you want me to post -- thanks in advance
------------- update ------------------------
if i edit the default domain controller policy ... just make a change and set it right back ... then run gpupdate /force -- i get the blue 1704 success event .. followed by some random time, then 5 minute increment of failures again.
conclusion: something is overwriting those settings ("those settings" being the ones listed in KB there is nothing to change because mine matches the kb article .. so all i do is change one of them to a "wrong" setting and then right back ... gpupdate and success
they list these two as needing to be "enabled" ...
Microsoft Network Server: Digitally Sign Communications (always)
Microsoft Network Server: Digitally Sign Communications (if client agrees)
these ARE enabled on my "default domain controller policy" but ARE NOT on my "default domain policy" --
is there any reason why the default domain policy settings would overwrite my default domain controller .. if so, is there any reason to not set my default domain and default domain controller policy the same in regards to those 2 objects ENABLED above?
what's your take on that?
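Added example, not part of the original post: one way to compare the two SMB server signing settings named above as they are stored in each GPO's security template (GptTmpl.inf) instead of reading them off the editor. The function names and both template contents are constructed for illustration, and the sample assumes "ARE NOT" enabled means not defined in the Default Domain Policy.

```python
import re

# Registry-value lines in a GPO security template (GptTmpl.inf) look like
#   MACHINE\<key path>\<value name>=<type>,<data>   (type 4 = REG_DWORD)
SIGNING = {
    "requiresecuritysignature": "Digitally sign communications (always)",
    "enablesecuritysignature": "Digitally sign communications (if client agrees)",
}
SERVER_KEY = r"machine\system\currentcontrolset\services\lanmanserver\parameters"

def signing_settings(inf_text):
    """Return {policy name: 'Enabled'|'Disabled'|'Not defined'} for one template."""
    result = {name: "Not defined" for name in SIGNING.values()}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, value = line.partition("=")
        key, _, name = path.strip().lower().rpartition("\\")
        if key == SERVER_KEY and name in SIGNING:
            data = value.split(",", 1)[1].strip() if "," in value else ""
            result[SIGNING[name]] = "Enabled" if data == "1" else "Disabled"
    return result

def compare(domain_inf, dc_inf):
    """List settings whose state differs between the two templates."""
    a, b = signing_settings(domain_inf), signing_settings(dc_inf)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Constructed samples mirroring the post: enabled in the Default Domain
# Controllers Policy, not defined in the Default Domain Policy.
DOMAIN_POLICY = "[System Access]\nMinimumPasswordLength = 7\n"
DC_POLICY = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""

if __name__ == "__main__":
    for name, (dom, dc) in compare(DOMAIN_POLICY, DC_POLICY).items():
        print(f"{name}: domain policy={dom}, domain controller policy={dc}")
```

Real GptTmpl.inf files are normally saved as UTF-16, so read them with `encoding="utf-16"` before passing the text in.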