
Domain Controller issues

Status
Not open for further replies.

dcobbs (Technical User), Oct 11, 2010
This problem has been going on for several months with a work-around in place. I would finally like to get this issue resolved. I am not a Windows admin but was placed in the role to get the job done (we all know how that goes). The end goal was to replace the original domain controller with a fully patched and hardened machine.

Things were running fine (nuance issues on the workstations disregarded) for a few days and over the course of a weekend in July, the event logs filled up causing the machine to hang. The event logs were wiped out and the domain controller rebooted. The DC was then functional but the majority of the domain users could not see their shares or the files in “My Documents” after logging in. Some of the users were able to login and see everything they expected because, as determined later, they were part of one of the default administrative groups (Enterprise Admin, Domain Admin, etc.). What we discovered was that if the user was NOT part of any administrative group they could NOT see their shares and folder redirection would not work. If they were put in one of the administrative groups, they could. As a fix, we put all the users in the Domain Admin group to allow all the users to continue to work (Huge security issue here).

Here is a summary of how the group policies are currently laid out:
There are 4 group policies: Default Domain Controller Policy, Default Domain Policy, Hardened Workstation Policy, and Hardened Domain Controller Policy. The GPO settings for each type of server are scattered between the respective default and hardened policies. We were not aware of the possibility of creating additional group policies beforehand. In GPMC, they are layered as such

- Forest: my.domain.com
  - Domains
    - my.domain.com
      - Default Domain Policy
      - Hardened Workstation Policy
      + Site Laptops <empty in AD>
      + Site Servers <empty in AD>
      + Site Workstations <empty in AD>
      + MySite <users in AD>
      - Domain Controllers
        - Default Domain Controller Policy
        - Hardened Domain Controller Policy
      + Group Policy Objects
      + WMI Filters

All the computers in the network are listed under Computers in the AD Users and Computers window. We performed a limited test of moving computers from the "Computers" Organizational Unit (in the Active Directory Users and Computers Add-in) to the DCMS Workstations Organizational Unit. We were able to successfully log in but the problems persisted. We rolled back the changes.

For the rest of this document we will use the following:
domain = my.domain.com
original domain controller = DC01
new domain controller = DC251
testuser = user without admin
gooduser = user with admin

Problems we fixed:
Fixed issues in DNS:
* Removed invalid IP address (new DC before becoming “production”) and server name (original “production” DC)
* Removed conflicting forward and reverse lookup information

FSMO fix:
* The DC roles were out of sync as two of the roles were still assigned to DC01. They were seized removing the warning event messages we were receiving concerning not being able to contact DC01.

Group Policies Missing:
* After the DC251 reboot, the Hardened policies were missing. We recovered them from DC01 and successfully imported them on DC251.


Issues/Problems:
Here are the alerts we see when we type the following in IE while logged in as testuser:

In URL bar type: \\my.domain.com

===========================================================
\\my.domain.com is not accessible. You might not have permission to use the network resource. Contact the administrator of the server to find out if you have access permissions.

The user is not allowed to log on from this workstation.
===========================================================

In URL bar type: \\dc1

===========================================================
\\dc1 is not accessible. You might not have permission to use the network resource. Contact the administrator of the server to find out if you have access permissions.

Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
===========================================================

Here are the alerts we see when we type the following in IE while logged in as gooduser:

In URL bar type: \\my.domain.com, we can see all the shares on DC251

In URL bar type: \\dc1, we can see all the shares on DC251

In URL bar type: \\dc1\sysvol, we can see a directory with the domain name


Error Messages:
In the application event log (as can be seen as gooduser):
===========================================================
Source: Userenv
Event ID: 1053
Type: Error
User: NT AUTHORITY\SYSTEM

Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
===========================================================

===========================================================
Source: AutoEnrollment
Event ID: 15
Type: Error
User: N/A

Automatic certificate enrollment for local system failed to contact the active directory (0x8007052b). Unable to update the password. The value provided as the current password is incorrect.
Enrollment will not be performed.
===========================================================

In the system event log, a couple of minutes after logging in:
===========================================================
Source: DnsApi
Event ID: 11163
Type: Warning

The system failed to register host (A) resource records (RRs) for network adapter
with settings:

Adapter Name : {<adapter key>}
Host Name : <correct hostname>
Primary Domain Suffix : <correct domain suffix>
DNS server list :
<correct DNS server IP address>
Sent update to server : 192.1.1.1
IP Address(es) :
<correct host IP address>

The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.

You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
===========================================================

Logged in as gooduser, we use the RSoP snap-in and we get a little red X over the computer configuration. Here is the error information:
===========================================================
Group Policy Infrastucture Failed

Group Policy Infrastructure failed due to the error listed below.
Access is denied.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
===========================================================


When RSoP is open, another window pops up with:
===========================================================
The latest versions of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of these ADM files will be used.

Error – The network path was not found.
===========================================================

We also ran netdiag and dcdiag as gooduser from a workstation:

Dcdiag:
All tests passed except:
===========================================================
Starting test: Services
NtFrs Service is stopped on [DC251]
===========================================================

Netdiag:
We received warnings on NetBT and fatals on gateways (we do not use gateways in this environment). The only other fatal c

===========================================================
Modem Diagnostic Test . . . . . . . . . FAILED
[FATAL] Cannot initialize TAPI. Failed with error(0x80000048).
===========================================================

Any help would be greatly appreciated with any of the issues above.
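Two things a practitioner would want in hand before touching this setup are an exact list of who currently sits in the privileged groups (since every user was added to Domain Admins as a work-around) and the effective logon rights on the domain controller, because both error strings above ("not allowed to log on from this workstation", "user account restriction") are logon-right or account-restriction failures. The PowerShell below is an added audit helper, not code from the original post or from Tek-Tips. It assumes it runs from a domain-joined machine as an account that can read Active Directory, and that secedit is run in an elevated prompt on the machine whose rights you want to see (run it on DC251 for the "Access this computer from the network" right that governs share and SYSVOL access). The group list and the export path are assumptions; it uses ADSI rather than the ActiveDirectory module so it works on the 2003/2008-era systems the post describes.

```powershell
# Added audit helper (assumption: domain-joined host, AD-readable account).
# Groups to enumerate; adjust to match the domain's own privileged groups.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Enumerate direct members of each privileged group via ADSI/LDAP.
# Returns one object per (Group, Member DN) pair so it can be sorted or exported.
function Get-PrivilegedMembers {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDN = $rootDse.defaultNamingContext
    foreach ($groupName in $PrivilegedGroups) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
        $searcher.Filter = "(&(objectCategory=group)(cn=$groupName))"
        [void]$searcher.PropertiesToLoad.Add('member')
        $result = $searcher.FindOne()
        if ($result -ne $null) {
            foreach ($memberDN in $result.Properties['member']) {
                New-Object PSObject -Property @{ Group = $groupName; Member = $memberDN }
            }
        }
    }
}

# Export the effective local security policy (user rights only) with secedit
# and return the logon-related rights with their SIDs translated to names.
# The [Privilege Rights] section of the export looks like:
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
function Get-LogonRights {
    param([string]$ExportPath = "$env:TEMP\secpol-export.inf")   # assumed path

    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null

    $wanted = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight',
              'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'

    Get-Content $ExportPath |
        Where-Object { $_ -match '^Se\w+Right\s*=' } |
        ForEach-Object {
            $name, $value = $_ -split '\s*=\s*', 2
            if ($wanted -contains $name) {
                $principals = $value -split ',' | ForEach-Object {
                    $token = $_.Trim()
                    if ($token -like '*S-1-*') {
                        # secedit prefixes SIDs with '*'; strip it and resolve the SID
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
                        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $token }   # unresolvable SID: keep the raw value
                    } else {
                        $token
                    }
                }
                New-Object PSObject -Property @{ Right = $name; Principals = ($principals -join ', ') }
            }
        }
}

# Usage: list privileged-group membership, then the logon rights on this host.
Get-PrivilegedMembers | Sort-Object Group, Member | Format-Table Group, Member -AutoSize
Get-LogonRights | Format-Table Right, Principals -AutoSize
```

Reading the two outputs together is the point: the first tells you which accounts must come out of Domain Admins, and the second shows whether the hardened policy on the DC lists only administrative groups under SeNetworkLogonRight (or lists ordinary users under a Deny right), which is what to compare against the share and SYSVOL failures seen for testuser. A Deny right always wins over the corresponding allow right, so check both before moving users back out of the admin groups.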
 
Have you managed to resolve this issue? I've got the EXACT same problem.
 