
DC errors and high CPU usage


Daveyd123

MIS
Aug 25, 2004
413
US
We are a 2003/SP1, XP/SP2 environment. 2 DCs which are both DNS/GC servers.

I am having a problem with one of our DCs. This DC holds all FSMO roles. It seems out of nowhere, the DFS service is using 99% of the CPU, which in turn is slowing everything down. We currently do not use DFS. Stopping the DFS service takes care of the problem. Any ideas why the service is hogging the CPU?

Also, while troubleshooting the DFS service I rebooted the DC a couple of times. Now I am slammed with Events 1058 and 1030 (shown below) in the App Logs.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 3/21/2006
Time: 8:26:35 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain,DC=lcl. The file must be present at the location <\\domain.lcl\sysvol\domain.lcl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.



Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 3/21/2006
Time: 8:26:35 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.


I have verified that the SYSVOL directory is accessible and everything has the correct permissions.

Another odd thing...I can access GPMC from my MMC on my workstation and Edit a GPO. However, if I open GPMC on the affected DC and try to edit a GPO, I get Denied.

A couple of more errors I have which are in the System Log...

Event Type: Warning
Event Source: Server
Event Category: None
Event ID: 2510
Date: 3/20/2006
Time: 7:15:59 PM
User: N/A
Computer: DC1
Description:
The server service was unable to map error code 998.



Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 3/21/2006
Time: 8:11:55 AM
User: N/A
Computer: DC1
Description:
The redirector failed to determine the connection type.

For more information, see Help and Support Center at Data:
0000: 00 00 00 00 04 00 4e 00 ......N.
0008: 00 00 00 00 cb 0b 00 80 ....Ë..€
0010: 00 00 00 00 84 01 00 c0 ....„..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........




Any ideas??
 
This can happen if you modified the "secure channel signing" and related policies in the domain controllers or domain policies. You can actually lock the domain controller out from being able to read the policy settings. Try setting all of these to the default setting.

I am certain that this is your problem.

A+, N+, MCSA:Messaging, MCSE
 
I was gone for a week on vacation so who knows what happened...

Where exactly is the GPO setting? Currently in my Domain Controllers GPO, under Computer Config/Security Settings/Local Policies/Security Options/Domain Member/Policy, "Domain member: Digitally encrypt or sign secure channel data (always)" is set to Enabled.
 
Yup. That's the problem.

Set all of these types of options to the "(when possible)" and disable the "(required)" options and you should be all right. If you require this type of security, you need to ensure that the DC can access itself. Remember that for most AD and Policy related functions, DCs access themselves "over the network" rather than locally (if that makes sense). As you can see, it is possible to require the DC (itself) to use signing options that the DC (itself) will be unable to negotiate.

A+, N+, MCSA:Messaging, MCSE
 
I just looked on my Test DC, which still has all the default settings, and "Domain member: Digitally encrypt or sign secure channel data (always)" is set to Enabled by default.
 
You are correct about this being a default setting. Try to change all the secure channel and signing/encryption settings to the less restrictive (when possible) and (if agrees) and see if it clears up your problems. I suspect it will. If it doesn't, change them back.

I ran into the same exact problem you are having about a month ago. I had adjusted these policies in an attempt to increase security when I had some downtime one day. The result was that all network clients, after a reboot, had perfect connectivity to the server. The server had no connectivity to itself. I could not edit GPOs from the local DC, getting constant permission errors. My log errors were the same as your own. I could, however, edit GPOs remotely from my desktop. I did this and changed the policies to the less restrictive settings and the problem was solved. Somehow, with these policies, I configured my DC so that it couldn't negotiate its own security.

You can read about the settings here:

A+, N+, MCSA:Messaging, MCSE
 
OK...here are my current Domain Controller GPO settings:

Local Policies/Security
Domain Controller

Domain controller: LDAP server signing requirements None

Domain Member
Domain member: Digitally encrypt secure channel data (when possible) Enabled

Domain member: Digitally sign secure channel data (when possible) Enabled

Microsoft Network Server
Microsoft network server: Digitally sign communications (if client agrees) Enabled

Network Security
Network security: LAN Manager authentication level Send NTLM response only



I ran gpupdate /force on the affected DC and am still getting the 1030 and 1050 Events

Any idea?
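The replies above say the "(always)"/"(required)" forms of these policies can leave a DC unable to negotiate with itself, and the poster then lists the Security Options in the Domain Controllers GPO. The script below is an added example, not from the thread or any Tek-Tips member: it reads the registry values those Security Options write on the local DC, so the effective state after `gpupdate /force` can be checked rather than trusting the GPO editor, and it flags the hard-requirement variants. Registry paths and value names are the standard ones for these policies; the LanmanWorkstation (client-side) rows go beyond the poster's list and are included because a DC reads its own SYSVOL as an SMB client. Run it in an elevated Windows PowerShell session on the DC.

```powershell
# Added example (not from the thread). Map each Security Option to the registry
# value it controls and flag the ones that are hard requirements on this DC.

$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$SmbSrv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SmbCli   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RestrictiveAt: the value at or above which the setting stops being negotiable
# ('always' / 'required'); $null for the 'when possible' / 'if agrees' forms.
# LDAPServerIntegrity: 1 = None, 2 = Require signing.
# LmCompatibilityLevel: 0-2 send LM/NTLM, 3 send NTLMv2 only, 4 refuse LM,
#                       5 refuse LM and NTLM (the level most likely to break old clients).
$checks = @(
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Key = $Netlogon; Name = 'RequireSignOrSeal';        RestrictiveAt = 1 },
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)'
       Key = $Netlogon; Name = 'SealSecureChannel';        RestrictiveAt = $null },
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)'
       Key = $Netlogon; Name = 'SignSecureChannel';        RestrictiveAt = $null },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key = $SmbSrv;   Name = 'RequireSecuritySignature'; RestrictiveAt = 1 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = $SmbSrv;   Name = 'EnableSecuritySignature';  RestrictiveAt = $null },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key = $SmbCli;   Name = 'RequireSecuritySignature'; RestrictiveAt = 1 },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key = $SmbCli;   Name = 'EnableSecuritySignature';  RestrictiveAt = $null },
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Key = $Ntds;     Name = 'LDAPServerIntegrity';      RestrictiveAt = 2 },
    @{ Policy = 'Network security: LAN Manager authentication level'
       Key = $Lsa;      Name = 'LmCompatibilityLevel';     RestrictiveAt = 5 }
)

function Get-SigningPolicyState {
    foreach ($c in $checks) {
        # A missing value means the policy is not configured and the OS default applies.
        $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $flag  = if ($null -ne $c.RestrictiveAt -and $null -ne $value -and $value -ge $c.RestrictiveAt) {
                     'REQUIRED: the DC must be able to satisfy this against itself'
                 } else { '' }
        [pscustomobject]@{
            Policy  = $c.Policy
            Value   = $(if ($null -eq $value) { 'not set (OS default)' } else { $value })
            Concern = $flag
        }
    }
}

Get-SigningPolicyState | Format-Table -AutoSize -Wrap
```

Compare the `Value` column with the settings shown in GPMC: if the two disagree, the policy has not actually been applied on this DC, which points back at the SYSVOL/DNS access problem rather than at the policy values themselves.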
 
and to make things more interesting, on my 2nd Domain Controller I can open GPMC and edit a GPO without getting denied
 
Well I found the issue. As I suspected it was DNS. I stopped and restarted DNS on the affected DC and no more errors!!

I have had issues with DNS on this server in the past. Do you think there would be any issues with uninstalling/reinstalling DNS on this Domain Controller?

I have another DC that runs AD integrated DNS, so I don't foresee any issues... I could be wrong though.
 
I thought I was free... but I guess not. I can now access GPMC on the DC but still get the error messages.
 
Well, here's the issue again...DFS service is running and CPU jumps to 99% usage.

Stop DFS service and I have Events 1030 and 1050 every 5 minutes in the app log and have some user authentication problems.

Catch 22...
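The thread's own diagnosis went through three things: whether the DC can resolve its domain in DNS (restarting DNS cleared the errors once), whether the gpt.ini path named in Event 1058 is reachable over the UNC path the policy engine uses, and whether the DFS service is pegging the CPU. The script below is an added example, not from the thread or any Tek-Tips member, that runs those checks from the affected DC and counts the recurring Userenv 1030/1058 events. The domain name and GPO GUID are taken from the Event 1058 text on this page; `Resolve-DnsName` and `Get-EventLog` are assumed available (Windows PowerShell on Windows 8 / Server 2012 or later; on older systems `nslookup -type=SRV` is the equivalent DNS check).

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell
# session on the DC that logs the Userenv 1058/1030 errors.

$DomainName = 'domain.lcl'                               # as shown in the Event 1058 text
$GpoGuid    = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # GPO GUID from the same event
$GptIniPath = "\\$DomainName\sysvol\$DomainName\Policies\$GpoGuid\gpt.ini"

function Test-DcLocatorDns {
    # A DC must resolve its own domain name and the DC-locator SRV record; if the
    # local DNS service is unhealthy, Group Policy processing fails with exactly
    # the "machine is unavailable" wording seen in Event 1058.
    $queries = @(
        @{ Name = $DomainName;                        Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$DomainName"; Type = 'SRV' }
    )
    foreach ($q in $queries) {
        $answer = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq $q.Type }
        $summary = if ($answer) {
            ($answer | ForEach-Object { if ($_.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }) -join ', '
        } else { 'NO ANSWER: check the DNS service on this DC' }
        [pscustomobject]@{ Query = "$($q.Name) ($($q.Type))"; Result = $summary }
    }
}

function Test-SysvolGptIni {
    # Event 1058 names this exact path. Test it via the UNC route, not the local
    # C:\Windows\SYSVOL folder, because that is how the policy engine (as SYSTEM)
    # reads it and the network path is what the signing/DNS problems affect.
    $ok = Test-Path -LiteralPath $GptIniPath
    [pscustomobject]@{
        Path       = $GptIniPath
        Accessible = $ok
        Version    = $(if ($ok) { (Select-String -LiteralPath $GptIniPath -Pattern '^Version=').Line } else { $null })
    }
}

function Get-RecentPolicyErrors([int]$Minutes = 30) {
    # Userenv 1030/1058 are logged in the Application log. The thread sees them
    # every 5 minutes, which is the Group Policy refresh interval on a DC, so a
    # 30-minute window shows roughly six pairs while the problem persists.
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-EventLog -LogName Application -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'Userenv' -and ($_.EventID -in 1030, 1058) } |
        Group-Object EventID |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count
}

function Get-DfsServiceCpu {
    # dfssvc.exe hosts the DFS service, the process the poster had to stop.
    Get-Process -Name dfssvc -ErrorAction SilentlyContinue |
        Select-Object Name, Id, @{ n = 'CpuSeconds'; e = { [math]::Round($_.CPU, 1) } }
}

Test-DcLocatorDns        | Format-Table -AutoSize -Wrap
Test-SysvolGptIni        | Format-List
Get-RecentPolicyErrors   | Format-Table -AutoSize
Get-DfsServiceCpu        | Format-Table -AutoSize
```

If the DNS query returns no answer while the SYSVOL path tests fine from another machine, the DNS service on this DC is the dependency to fix before touching the signing policies; if DNS answers but the UNC path is refused only from the DC itself, the signing policy check earlier in the thread is the one to revisit.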
 