Events 673 (kerberos) + 1030 + 1058 on DC
Al Blake
Guest
Posted: Sat Jan 08, 2005 1:45 am    Post subject: Events 673 (kerberos) + 1030 + 1058 on DC

I have just reinstalled a W2k3 DC into a domain. It is the ONLY DC and ONLY
machine in this domain. It all looked fine until a few hours after the
installation when I noticed event log errors indicating that it could not
read the policies from AD. I have checked the FRS and there are no errors.
The SYSVOL is shared out and I can get to the policy files - the
permissions seem to be correct.
I then noticed that there were lots of Kerberos errors in the security log
indicating that the machine could not issue a certificate to itself! I am
assuming that the two problems are related?
Can anyone tell me why a DC (newly installed) would not be able to issue
Kerberos tickets to itself and how I can fix this?

Here are the errors:
From security log:
===================================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 8/01/2005
Time: 6:35:46 AM
User: NT AUTHORITY\SYSTEM
Computer: FLUFFY
Description:
Service Ticket Request:
User Name:
User Domain: HADES.LOCAL
Service Name: host/fluffy.hades.local
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 127.0.0.1
Failure Code: 0xD
Logon GUID: -
Transited Services: -
=====================================================================
From application log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 8/01/2005
Time: 6:36:35 AM
User: HADES\bilbo
Computer: FLUFFY
Description:
Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

AND

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 8/01/2005
Time: 6:36:35 AM
User: HADES\bilbo
Computer: FLUFFY
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hades,DC=local.
The file must be present at the location
<\\hades.local\sysvol\hades.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain
controller, either because the machine is unavailable, or access has been
denied. ). Group Policy processing aborted.

Please remember that this is ON the DC itself.
Regards
Al Blake, Canberra
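
An added example, not part of the original post: a small Python decoder for the Event 673 description quoted above. It maps the Failure Code to its RFC 4120 error name and the Ticket Options bitmask to KDCOptions flag names. The function and constant names are made up for this illustration, and bits that RFC 4120 does not name are reported by number.

```python
import re

# Constructed sample: the Event 673 description fields quoted in the post above.
SAMPLE_673 = """\
Service Ticket Request:
User Name:
User Domain: HADES.LOCAL
Service Name: host/fluffy.hades.local
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 127.0.0.1
Failure Code: 0xD
Logon GUID: -
Transited Services: -
"""

# KDCOptions bit names per RFC 4120 section 5.4.1 (bit 0 is the most significant
# bit); bit 15 is reserved there for canonicalize, which RFC 6806 defines.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               11: "opt-hardware-auth", 15: "canonicalize",
               26: "disable-transited-check", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

# Subset of the Kerberos error codes from RFC 4120 section 7.5.9.
KRB_ERRORS = {0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              0xD: "KDC_ERR_BADOPTION", 0xE: "KDC_ERR_ETYPE_NOSUPP",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}

def parse_fields(text):
    """Split 'Name: value' lines into a dict; '-' and empty values become None."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            value = m.group(2).strip()
            fields[m.group(1).strip()] = None if value in ("", "-") else value
    return fields

def decode_options(value):
    """Names of the set bits, most significant first; unnamed bits shown as bitN."""
    return [KDC_OPTIONS.get(b, f"bit{b}") for b in range(32) if value & (0x80000000 >> b)]

def decode_673(text):
    """Summarise one Event 673 description for triage."""
    f = parse_fields(text)
    code = int(f["Failure Code"], 16)
    return {"service": f["Service Name"], "client": f["Client Address"],
            "user": f["User Name"],
            "failure": KRB_ERRORS.get(code, f"unknown (0x{code:X})"),
            "options": decode_options(int(f["Ticket Options"], 16))}

if __name__ == "__main__":
    print(decode_673(SAMPLE_673))
```

For the event in the post, the failure code decodes to KDC_ERR_BADOPTION, which RFC 4120 describes as "KDC cannot accommodate requested option".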

Al Blake
Guest
Posted: Sat Jan 08, 2005 6:50 am    Post subject: Re: Events 673 (kerberos) + 1030 + 1058 on DC

Update:
I just booted a virtual machine into the same domain and ran dcpromo to
produce a second DC in the same domain.
The dcpromo went perfectly - AND I can manage the GPOs on the DC2 without
any problems - no errors in the application log related to access to the
GPOs......so the issue seems to be exclusively related to the DC1, rather
than the actual AD domain.....


.....so then I looked back in the app log and discovered that the machine DC1
was reporting the SAME error BEFORE it became DC1 (ie when it was just a
member server).
So it seems as though this machine has a real problem with GPOs, regardless of
whether it is a DC or a member server...the question is why?

Obviously the GPOs themselves are ok or DC2 would not be able to read
them.....and the Sysvol on DC1 is fine....has anyone got any suggestions as
to how I can troubleshoot this as I am running out of options.
Al.


Al Blake
Guest
Posted: Sat Jan 08, 2005 9:16 am    Post subject: Re: Events 673 (kerberos) + 1030 + 1058 on DC (fixed)

I'll post this just in case it helps someone else.......
After 18 hours of trying EVERYTHING and looking at every newsgroup,
fiddling with the registry etc I found the answer.......

this box has 2 NICs (because it is an ISA server).....now ONLY the internal
NIC has DNS entries pointing at our internal DNS. ALL DNS works PERFECTLY
except trying to find the 'PDC' for certain operations like...you guessed
it...reading the GPOs......
....seems that because the external NIC has no DNS those API calls can't cope
and fall over before they try the internal NIC (bloody stupid if you ask
me).
the solution....

change the bind order of the NICs so that the Internal NIC is always used
first.......now everything works perfectly!

-of course the reason I didn't find it straight up is that MOST network
functions work...eg nslookup, ping, traceroute etc etc...it's only stuff that
has a short timeout that fails before it can try the other NIC.

Hope this helps someone else.
regards
Al Blake

