Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Resultant Set of Policy: GP Core Failure 1

Status
Not open for further replies.
tpittman

tpittman

IS-IT--Management
Jan 10, 2003
43
US
Good Morning!
We have a strange problem, and I can't seem to find any reference to it. We noticed applications weren't being deployed through Group Policy so ran Resultant Set of Policy and received this error:

---------
Tuesday, March 01, 2005 8:09:08 AM

Group Policy Infrastructure failed due to the error listed below.
The system cannot find the path specified.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
----------

This is being generated on all of the WinXPsp2 workstations we've checked. We have a Windows 2000sp4 Native Mode AD Domain. I checked the permissions on Sysvol and Policies folders:
Sysvol - Administrators and SYSTEM have Full Control, Authenticated Users and Server Operators have Read and Execute
Policies - Administrators and SYSTEM have Full Control, Group Policy Creator Owners have Modify, Server Operators and Authenticated Users have Read and Execute.

There is also a Policies_NTFRS_xxxxxx (where x appears to be hexadecimal) folder in the \sysvol\%domainname%\ folder. It inherits permissions from the parent folder, giving it the same permissions as Sysvol.

Can anyone shed some light on why we might be getting this error message? I cannot find anything in the event logs on the DCs that refers to this. Everything appears to me to be replicating, DNS is working, people are authenticating and accessing network resources. I'm able to browse to the sysvol and policies folders from this same workstation, by going to \\%domainname%.net\sysvol. GPOs just don't appear to be applying.

I'll appreciate any help we can get.
 
Sort by date Sort by votes
Are there any subfolders in the policies directory? They would be GUIDs, and you should have at least two. One starts with 31B, and the other starts with 6AC.

The Policies_NTFRS_xxxx folder is a morphed directory, which usually happens when there is a problem with FRS. You will probably find your policies (the folders I talked about above) in there. But I wouldn't move them back yet.

How many domain controllers do you have? If you have more than one, do they all have morphed directories in sysvol?
 
Upvote 0 Downvote
Thank you for taking the time to look at this!

There are 61 folders in the policies folder and also 61 in the morphed policies folder. We have 10 domain controllers because we're distributed over nine locations using 256k WAN links, and they all have the same number of folders in both directories.

The first Windows 2000 domain controller we brought online was giving errors in FRS:
-------
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13559
Date: 2/27/2005
Time: 4:33:34 PM
User: N/A
Computer: %DomainControllername%
Description:
The File Replication Service has detected that the replica root path has changed from "c:\winnt\sysvol\domain" to "c:\winnt\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path.
This was detected for the following replica set:
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.

[1] At the first poll which will occur in 60 minutes this computer will be deleted from the replica set.
[2] At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.
--------

I actually thought this error was tied to the problem with GP so I did a search on EventID.net and at the recommendation of a few posters there I created the NTFRS_CMD_FILE_MOVE_ROOT file in the c:\winnt\sysvol\domain directory and the error has ceased. That may or may not account for the morphed policy folder. (The policy folder I've been looking at isn't at c:\winnt\sysvol\domain, it's at c:\winnt\sysvol\sysvol<shared>\%domainname%.net)

 
Upvote 0 Downvote
Hmmm. It sounds like FRS is ok now, since you have all your policies in the correct location in sysvol and all the DCs have them.

What kind of errors (if any) are you seeing on the clients. Aside from the RSoP errors that is. Any userenv or netlogon errors?
 
Upvote 0 Downvote
Yes, I'm getting several of these:
---------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 3/1/2005
Time: 6:43:20 PM
User: NT AUTHORITY\SYSTEM
Computer: %wksname%
Description:
Windows cannot access the file gpt.ini for GPO CN={AE4Dxxxxx-xxxx-xxxxx-xxxx},CN=Policies,CN=System,DC=%domain%,DC=net. The file must be present at the location <\\%domain%.net\SysVol\%domain%.net\Policies\{AE4Dxxxxx-xxxx-xxx-xxxxx-xxxx)\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

For more information, see Help and Support Center at --------

I browsded to the policies folder and don't have a folder that starts with AE4D so this looks like the problem. Do you have any idea what policy that might be, or any way I can find out?
 
Upvote 0 Downvote
I think we might have it figured out. It appeared to be domain wide, so I opened MMC and started adding Group Policy Editor snap ins with each of the GPO's linked to the domain since there were only about 10. The last one I tried to open wouldn't, so I deleted the link and tried to re-add it and it's not listed for me to add. We then restarted a workstation here and RSoP is showing no errors. We're fortunate in that the policy only did one thing, so we'll recreate that.

We also discovered that we couldn't browse the contents of the Sysvol item in Veritas Backup Exec when trying to restore it. We're backing it up through the System State item of one of the domain controllers right now, so I'm going to do some research and get the details on the best way to back it up. I would have like to browse the contents of the Policies folder to see if we had a backup of that missing gp folder. Right now, when I go into Restore in Backup Exec I can browse down to the Sysvol item but it appears I'd have to restore the entire folder to a redirected location and then see if the folder there, again and again until i find the most recent backup that contains the folder I need.
 
Upvote 0 Downvote
We checked the computers at the remote sites now that the DCs have replicated, and that fixed it!

Thanks for helping us work this out!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
1K
gbaughma
gbaughma
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
750
DrB0b
DrB0b
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
319
RRankin355
RRankin355
ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
399
technome
technome
James281
  • Locked
  • Question
Enrolment agent (enrol on behalf of) stopped working
Replies
1
Views
310
mikehook
mikehook

Part and Inventory Search

Sponsor

Back
Top