Failed to open the Group Policy Object/DCDiag errors

Discussion in 'Active Directory' started by Johan Strange, Jan 22, 2006.

  1. Hi, I am having some issues with a Windows Server 2003 Small Business Server.
    It all started around a week ago when users reported that they could not log
    onto their Exchange Mailboxes. The Event logs showed a bunch of errors:

    Event ID: 8026. LDAP Bind was unsuccessful on directory Server1.server.local
    for distinguished name ''. Directory returned error:[0x52] Local Error.
    DC=server,DC=local

    Event ID 2114. Process INETINFO.EXE (PID=496). Topology Discovery failed,
    error 0x80040931.

    Event ID 40960. The Security System detected an authentication error for the
    server LDAP/SERVER1.server.local/. The failure code
    from authentication protocol Kerberos was "The attempted logon is invalid.
    This is either due to a bad username or authentication information.
    (0xc000006d)".

    Event ID: 4. The kerberos client received a KRB_AP_ERR_MODIFIED error from
    the server host/server1.server.local. The target name used was
    ldap/SERVER1.server.local/. This indicates that the
    password used to encrypt the kerberos service ticket is different than that
    on the target server. Commonly, this is due to identically named machine
    accounts in the target realm (SERVER.LOCAL), and the client realm. Please
    contact your system administrator.

    Event ID 7: The Security Account Manager failed a KDC request in an
    unexpected way. The error is in the data field. The account name was server1$
    and lookup type 0x0.

    I could not view the AD Integrated DNS zone or browse GPOs.

    I ran the netdom resetpwd command and reset the machine password. This
    stopped the above errors and users could once more log onto their mailboxes.
    Since this, I have had a recurring event error:

    Event ID 1058: Windows cannot access the file gpt.ini for GPO
    CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=server,DC=local.
    The file must be present at the location
    <\\server.local\sysvol\server.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
    (Configuration information could not be read from the domain controller,
    either because the machine is unavailable, or access has been denied. ).
    Group Policy processing aborted.

    This happens every few minutes. I cannot open the Domain Security Policy
    snap-in or edit GPOs under GPMC. I get the error “Failed to open the Group
    Policy Object. You may not have appropriate rights”.

    I have looked at a stack of articles: KB842804, KB839499, KB314494,
    KB887303, KB326152, KB315457. None of these have worked. I cannot see any
    permission issues and all seems OK when I look at the Policies container
    using ADSIEdit. I ran DCDIAG and got a Machine account error, surprise
    surprise!! Could this be because of the Netdom command? The output follows:

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\SERVER1
    Starting test: Connectivity
    ......................... SERVER1 passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\SERVER1
    Starting test: Replications
    ......................... SERVER1 passed test Replications
    Starting test: NCSecDesc
    ......................... SERVER1 passed test NCSecDesc
    Starting test: NetLogons
    ......................... SERVER1 passed test NetLogons
    Starting test: Advertising
    ......................... SERVER1 passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... SERVER1 passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... SERVER1 passed test RidManager
    Starting test: MachineAccount
    The account SERVER1 is not a DC account. It cannot replicate.
    Warning: Attribute userAccountControl of SERVER1 is: 0x81000 = (
    UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
    Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
    UF_TRUSTED_FOR_DELEGATION )
    This may be affecting replication?
    ......................... SERVER1 failed test MachineAccount
    Starting test: Services
    IsmServ Service is stopped on [SERVER1]
    ......................... SERVER1 failed test Services
    Starting test: ObjectsReplicated
    ......................... SERVER1 passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... SERVER1 passed test frssysvol
    Starting test: frsevent
    ......................... SERVER1 passed test frsevent
    Starting test: kccevent
    ......................... SERVER1 passed test kccevent
    Starting test: systemlog
    ......................... SERVER1 passed test systemlog
    Starting test: VerifyReferences
    ......................... SERVER1 passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : server
    Starting test: CrossRefValidation
    ......................... server passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... server passed test CheckSDRefDom

    Running enterprise tests on : server.local
    Starting test: Intersite
    ......................... server.local passed test Intersite
    Starting test: FsmoCheck
    ......................... server.local passed test FsmoCheck

    I have tried the /fix switch to netdiag and dcdiag. I have also deleted and
    recreated the AD Integrated DNS zone and ran ipconfig /registerdns.

    Any ideas?
     
    Johan Strange, Jan 22, 2006
    #1
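The MachineAccount failure above reports userAccountControl 0x81000 where a DC normally carries 0x82000. The following is an added example, not part of the thread: a small Python parser that reads dcdiag text, lists the failed tests and decodes the flag value so the missing UF_SERVER_TRUST_ACCOUNT bit stands out. The dcdiag excerpt embedded in it is constructed from the output posted above, and the flag table is a subset of the documented userAccountControl bits.

```python
import re

# Subset of the documented userAccountControl bits relevant to a DC account
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_dcdiag(text):
    """Pull failed tests and any userAccountControl warning out of dcdiag output."""
    report = {"failed": [], "uac": None}
    for line in text.splitlines():
        m = re.search(r"(\S+) failed test (\w+)", line)
        if m:
            report["failed"].append((m.group(1), m.group(2)))
        m = re.search(r"userAccountControl of (\S+) is: 0x([0-9A-Fa-f]+)", line)
        if m:
            report["uac"] = (m.group(1), int(m.group(2), 16))
    return report

def diagnose_dc_account(uac):
    """Findings for a DC machine account whose flags differ from the usual 0x82000."""
    findings = []
    if not uac & 0x2000:
        findings.append("UF_SERVER_TRUST_ACCOUNT missing: not a DC account, cannot replicate")
    if uac & 0x1000:
        findings.append("UF_WORKSTATION_TRUST_ACCOUNT set: account is typed as a workstation")
    if uac & 0x0002:
        findings.append("UF_ACCOUNTDISABLE set: DC account is disabled")
    return findings

# Constructed excerpt modelled on the dcdiag output in the post above
SAMPLE = """Starting test: MachineAccount
The account SERVER1 is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of SERVER1 is: 0x81000 = (
UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
......................... SERVER1 failed test MachineAccount
Starting test: Services
IsmServ Service is stopped on [SERVER1]
......................... SERVER1 failed test Services
"""
```

Run `parse_dcdiag` over a saved `dcdiag > c:\dcdiag.txt` file and pass the decoded value to `diagnose_dc_account` to see which bits differ from the expected DC setting.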

  2. In
    <snip>

    Is the domain a single label name?
    DOMAIN versus the required format of domain.com, domain.net, domain.johan,
    etc?
    If a single label name, this can cause major issues.

    Do the SRV records in DNS exist?
    Are all machines only pointing to the internal DNS server and not the ISP's
    DNS? If so, this can cause major issues too.

    40960's can be eliminated by creating a reverse zone and making sure all DCs
    have a PTR entry. If pointing to your ISP's, this can be an additional issue
    causing this.

    If you like, please post an unedited ipconfig /all of this machine for a
    starting point in diagnosis. That will help to determine if your basic
    config is correct.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    If you are having difficulty in reading or finding responses to your post,
    instead of the website you are using, if I may suggest to use OEx (Outlook
    Express or any other newsreader of your choosing), and configure a newsgroup
    account, pointing to news.microsoft.com. This is a direct link into the
    Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
    account with your ISP. With OEx, you can easily find your post, track
    threads, cross-post, and sort by date, poster's name, watched threads or
    subject.

    Not sure how? It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile.
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Jan 22, 2006
    #2

  3. Hi Ace, Thanks for the reply. IPconfig/all follows:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : EMICO1
    Primary Dns Suffix . . . . . . . : emico.local
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : Yes
    DNS Suffix Search List. . . . . . : emico.local

    Ethernet adapter Server Local Area Connection:

    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Broadcom NetXtreme 5751 Gigabit
    Controller

    Physical Address. . . . . . . . . : 00-11-11-69-92-65

    DHCP Enabled. . . . . . . . . . . : No

    IP Address. . . . . . . . . . . . : 192.168.0.2

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 192.168.0.1

    DNS Servers . . . . . . . . . . . : 192.168.0.2

    Primary WINS Server . . . . . . . : 192.168.0.2

    All users are pointing to the internal DNS, as is the server. A single DC,
    SBS. I have recreated the DNS zones as I did think this may be the cause. I
    also ran ipconfig /registerdns to recreate the SRV records.

    BRGDS

    Johan

     
    Johan Strange, Jan 23, 2006
    #3
  4. In
    Thanks for posting that. It actually looks good. :)

    The 8026 errors point to an Exchange issue. I don't know if you had the ADC
    installed (source would be ADC) or not, or if the Source is=MSExchangeAL
    (Address List). If an AL issue, I would make sure the GC is available and
    that the Recipient Update service is running. Please take a look at these
    two links for more info on that one:
    http://www.eventid.net/display.asp?eventid=8026&eventno=1236&source=MSADC&phase=1
    http://www.eventid.net/display.asp?eventid=8026&eventno=3492&source=MSExchangeAL&phase=1

    The 40960 is based on a missing reverse zone.

    If you recreated the zone called "emico.local", it would also have
    benefitted to do this:
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    That will repopulate the SRV records. As I asked before, do they exist?

    Ace
     
    Ace Fekay [MVP], Jan 24, 2006
    #4
  5. Hi Ace, The SRV records are present, I have also recreated the reverse
    lookup zone. The errors that you refer to, being 8026 and 40960, are not
    causing issues anymore. It is more the case of Event 1058 and being unable
    to access GPOs. The strange thing is that users claim that email is not
    being received by the server. I have run the message tracking centre and
    the email is without trace. Neither are there event errors to explain a
    missing mail nor NDRs. Could be connected.

    BRGDS

    Johan
     
    Johan Strange, Jan 24, 2006
    #5
  6. In
    Missing emails or not being sent? Are the Exchange services running? What do
    you see in the Event App log?

    Is this server enabled as a GC and Exchange is using this as a GC? In ESM,
    look at the server's properties, Dir Access tab, what's it using for a DC
    and GC?

    Looking back at your original post:
    "Event ID: 4....Commonly, this is due to identically named machine accounts
    in the target realm (SERVER.LOCAL), and the client realm."

    Do you have another domain or a trust to something? Is another machine
    identically named? Is there a user or group account, or another machine
    account with the same name in AD as this DC?

    Kerb errors can also be attributed to skewed clocks. All machines in a
    forest must be within 5 minutes of each other, no more, or numerous issues
    can occur.

    Is SP1 on this DC?

    The ipconfig doesn't show it has two NICs, but Routing is Enabled based on
    the ipconfig. Is there more than one NIC and one of them is disabled?

    Is there more than one IP for this machine name (multiple entries)? This
    includes the resource record and the LdapIpAddress, [the "(same as parent)"
    record].

    How long has this been going on? What was the most significant change that
    occurred (installed, deleted or changed something) right before it first
    started?

    Did you ever change a setting or service, or disable a service?

    Is this machine a replacement for another machine that had the same name?
    Did you reinstall it after a failure with the same name and promote it with
    the same original domain name?

    Is the firewall turned on? Was Zone Alarm ever installed on it?

    DHCP Client service enabled?

    Run a netdiag /v /fix > c:\netdiag.txt and post any errors (failures) that
    show up.

    Obviously the problem is deeper than I originally thought. I'll need to know
    the complete history about this bad boy.

    Ace
     
    Ace Fekay [MVP], Jan 25, 2006
    #6