Event 1058 gpt.ini file access denied

  • Thread starter Adrian Marsh (NNTP)

Adrian Marsh (NNTP)

Hi,

Looking at the event logs of some of my DCs, I'm seeing a complaint:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 23/07/2009
Time: 16:32:59
User: NT AUTHORITY\SYSTEM
Computer: UBIQ-SERV9
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ubiquisys,DC=local.
The file must be present at the location
.
(Access is denied. ). Group Policy processing aborted.


but the gpt.ini file is there (GPT.INI)

It has access perms:

Authenticated Users: Read & Execute
Server Operators R & E
Administrators Full Control
SYSTEM Full Control

seems ok to me !?!
 

Adrian Marsh (NNTP)

Just to add: As I've seen some posts about multi-homed DCs.

This is from one of the DCs itself. It has a single NIC, but it does
provide RRAS (PPTP VPN) services to Internet clients. Not sure if that
classifies it as multi-homed or not.

DNS is configured for the internal DNS server (and as far as I can tell
all the SRV records are good).

There are some other issues on the DC I'm checking into about
Autoenrollment and DC certificate failures (0x80070005), but clients
seem to be ok using this server as a DC.



Meinolf Weber [MVP-DS]

Hello Adrian,

Please post an unedited ipconfig /all from the server. And to answer your
question, using RRAS on a DC is a kind of multihoming.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



Adrian Marsh (NNTP)

Hi Meinolf,

serv9 (DC + RRAS + DNS/WINS secondary) config below. Static assigned IPs.

serv1 (192.168.50.3) is the main DNS/WINS server (an old SBS 2003 server)

Looking at it, I'm not sure why there are two .28 IPs defined on the LAN
interface... I'll try removing one.


C:\Documents and Settings\adm1n>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ubiq-serv9
Primary Dns Suffix . . . . . . . : mynetwork.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : mynetwork.local

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.50.154
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1A-A0-5E-6F-E3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.52.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.50.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.1
DNS Servers . . . . . . . . . . . : 192.168.50.28
Primary WINS Server . . . . . . . : 192.168.50.28
Secondary WINS Server . . . . . . : 192.168.50.3




Meinolf Weber [MVP-DS]

Hello Adrian,

As said before, remove the RRAS from the DC and use a dedicated member server
instead. Additionally, the DC has 2 fixed IP addresses (192.168.52.28 and 192.168.50.28),
so remove 192.168.52.28 (different subnet), check the advanced NIC settings.

Serv1 is a bit strange, for you wrote an old SBS server, is it still used
and configured as DC? Which DC has the 5 FSMO roles?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
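
Added example, not part of either poster's message: a Python check that reads `ipconfig /all` text and flags the conditions raised in this reply (a PPP/RAS adapter on the DC, one NIC with addresses in different subnets) plus IP routing and more than one addressed adapter. The names `parse_ipconfig` and `audit` and the finding codes are made up for this example; the sample is the output posted above, trimmed to the relevant fields.

```python
import ipaddress
import re

# Sample input: the ipconfig /all output posted in this thread, trimmed.
SAMPLE = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : ubiq-serv9
IP Routing Enabled. . . . . . . . : Yes

PPP adapter RAS Server (Dial In) Interface:

Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
IP Address. . . . . . . . . . . . : 192.168.50.154
Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Local Area Connection:

Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
Controller
IP Address. . . . . . . . . . . . : 192.168.52.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.50.28
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.1
DNS Servers . . . . . . . . . . . : 192.168.50.28
"""

# "Ethernet adapter Local Area Connection:" style section headers.
ADAPTER = re.compile(r"^(?P<kind>.+?) adapter (?P<name>.+):\s*$")
# "Key . . . . : value" lines; the dot leader is not part of the key.
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Return (host_fields, adapters) parsed from ipconfig /all text."""
    host, adapters = {}, []
    current, pending_ip = None, None
    for line in text.splitlines():
        m = ADAPTER.match(line.strip())
        if m:
            current = {"kind": m["kind"], "name": m["name"], "interfaces": []}
            adapters.append(current)
            pending_ip = None
            continue
        m = FIELD.match(line)
        if not m:
            continue  # blank line, banner, or a wrapped value such as "Controller"
        key, value = m["key"].strip(), m["value"].strip()
        if current is None:
            host[key] = value
        elif key in ("IP Address", "IPv4 Address"):
            # Newer Windows prints "IPv4 Address" and appends "(Preferred)".
            pending_ip = value.split("(")[0]
        elif key == "Subnet Mask" and pending_ip:
            current["interfaces"].append(
                ipaddress.ip_interface(f"{pending_ip}/{value}"))
            pending_ip = None
    return host, adapters


def audit(text):
    """Return a list of (code, detail) findings for a DC's ipconfig output."""
    host, adapters = parse_ipconfig(text)
    findings = []
    if host.get("IP Routing Enabled", "").lower() == "yes":
        findings.append(("ROUTING", "IP routing is enabled"))
    for a in adapters:
        addrs = ", ".join(str(i.ip) for i in a["interfaces"]) or "no address"
        if a["kind"] == "PPP":
            findings.append(("RAS_ADAPTER", f"PPP adapter '{a['name']}': {addrs}"))
        subnets = sorted({i.network for i in a["interfaces"]})
        if len(subnets) > 1:
            nets = ", ".join(str(n) for n in subnets)
            findings.append(("MULTI_SUBNET", f"'{a['name']}' spans {nets}"))
    addressed = [a["name"] for a in adapters if a["interfaces"]]
    if len(addressed) > 1:
        findings.append(("MULTIHOMED", f"{len(addressed)} adapters hold addresses"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:13} {detail}")
```
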



Adrian Marsh (NNTP)

Hi Meinolf,

I've been diagnosing this a little further. I can't separate out the DC
and RRAS just yet.

Maybe the multi-homed setup is all the same cause here, but:

I started to see the same error start to happen on serv1 too.
serv1 was an SBS 2003, but has had the transition pack applied.

When I queried DNS on serv1, for mynetwork.local, it returned the IP of
ubiq-serv9, meaning that the A record for mynetwork.local as a domain
was not serv1, but serv9.

serv1 holds all 5 Operations masters still.

For some reason, I guess serv9 is updating DNS to point to itself.

When I tried to browse in explorer to \\mynetwork.local\SYSVOL from
serv1 (so serv1 -> serv9), I get "... is not accessible. You might not
have permission to use this network resource"

So, on serv1, I edited the local hosts file temporarily, to put the A
record for DNS to 192.168.50.3 (itself), did an "ipconfig /flushdns" and
re-browsed to SYSVOL, and everything was fine. So perms on serv1 are OK,
but SYSVOL on serv9 is, in some way blocked.

I undid the hosts entry, and I've compared both Share permissions for
SYSVOL on serv9 to serv1, and also file-level security. Both are the same.

Would the multi-home setup screw up sysvol sharing on serv9 in some way ?

Adrian


Meinolf Weber [MVP-DS]

Hello Adrian,

Check that the sysvol and netlogon folder exist on srv9 and you can access
them locally. Check your DCs with dcdiag /v, netdiag /v and repadmin /showrepl
for errors.

Also make sure they are all having SP2 installed and the latest patches.
If that is the case check also these articles:
http://support.microsoft.com/kb/887303

http://support.microsoft.com/kb/314494/en-us

http://support.microsoft.com/kb/842804/en-us

http://support.microsoft.com/kb/883271/en-us

http://support.microsoft.com/kb/290647



Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



Adrian Marsh (NNTP)

Hi Meinolf,

I'll run those tests, thank you. I'm also wondering if FRS is working
properly, as when I look in SYSVOL, I can see some files in serv9's,
that I can't see in the PDC, serv1. So I'm thinking of demoting serv9
(so we're back temporarily to single DC), then promoting serv8 (currently
has a very lightly used SQL server on it, single NIC).

Basically, bring the network back to one known-working DC and re-expand
again from there.

Adrian


Meinolf Weber [MVP-DS]

Hello Adrian,

You mentioned that you moved from SBS with transition pack, maybe something
is going wrong there.

So I suggest, before removing the DC, to use the SBS newsgroup:
microsoft.public.windows.server.sbs

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi Meinolf,
>
> I'll run those tests, thank you. I'm also wondering if FRS is working
> properly, as when I look in SYSVOL, I can see some files in serv9's,
> that I can't see in the PDC, serv1. So I'm thinking of demoting serv9
> (so we're back temporarily to single DC), then promoting serv8
> (currently has a very lightly used SQL server on it, single NIC).
>
> Basically, bring the network back to one known-working DC and re-expand
> again from there.
>
> Adrian
>
> Meinolf Weber [MVP-DS] wrote:
>
>> Hello Adrian,
>>
>> Check that the sysvol and netlogon folder exist on srv9 and you can
>> access them locally. Check your DCs with dcdiag /v, netdiag /v and
>> repadmin /showrepl for errors.
>>
>> Also make sure they are all having SP2 installed and the latest
>> patches. If that is the case check also these articles:
>> http://support.microsoft.com/kb/887303
>>
>> http://support.microsoft.com/kb/314494/en-us
>>
>> http://support.microsoft.com/kb/842804/en-us
>>
>> http://support.microsoft.com/kb/883271/en-us
>>
>> http://support.microsoft.com/kb/290647
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi Meinolf,
>>>
>>> I've been diagnosing this a little further. I can't separate out the
>>> DC and RRAS just yet.
>>>
>>> Maybe the multi-homed setup is all the same cause here, but:
>>>
>>> I started to see the same error start to happen on serv1 too. serv1
>>> was an SBS 2003, but has had the transition pack applied.
>>>
>>> When I queried DNS on serv1, for mynetwork.local, it returned the IP
>>> of ubiq-serv9, meaning that the A record for mynetwork.local as a
>>> domain was not serv1, but serv9.
>>>
>>> serv1 holds all 5 Operations masters still.
>>>
>>> For some reason, I guess serv9 is updating DNS to point to itself.
>>>
>>> When I tried to browse in explorer to \\mynetwork.local\SYSVOL
>>> from serv1 (so serv1 -> serv9), I get "... is not accessible. You
>>> might not have permission to use this network resource"
>>>
>>> So, on serv1, I edited the local hosts file temporarily, to put the
>>> A record for DNS to 192.168.50.3 (itself), did an "ipconfig
>>> /flushdns" and re-browsed to SYSVOL, and everything was fine. So
>>> perms on serv1 are OK, but SYSVOL on serv9 is, in some way blocked.
>>>
>>> I undid the hosts entry, and I've compared both Share permissions
>>> for SYSVOL on serv9 to serv1, and also file-level security. Both are
>>> the same.
>>>
>>> Would the multi-home setup screw up sysvol sharing on serv9 in some
>>> way ?
>>>
>>> Adrian
>>>
>>> Meinolf Weber [MVP-DS] wrote:
>>>
>>>> Hello Adrian,
>>>>
>>>> As said before remove the RRAS from the DC and use a dedicated
>>>> member server instead. Additionally the DC has 2 fixed ip addresses
>>>> (192.168.52.28 and 192.168.50.28), so remove
>>>> 192.168.52.28 (different subnet), check the advanced NIC settings.
>>>>
>>>> Serv1 is a bit strange for you wrote an old SBS server, is it still
>>>> used and configured as DC? Which DC has the 5 FSMO roles?
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> Hi Meinolf,
>>>>>
>>>>> serv9 (DC + RRAS + DNS/WINS secondary) config below. Static
>>>>> assigned IPs.
>>>>>
>>>>> serv1 (192.168.50.3) is the main DNS/WINS server (an old SBS 2003
>>>>> server)
>>>>>
>>>>> Looking at it, I'm not sure why there are two .28 IPs defined on
>>>>> the LAN interface... I'll try removing one.
>>>>>
>>>>> C:\Documents and Settings\adm1n>ipconfig /all
>>>>>
>>>>> Windows IP Configuration
>>>>>
>>>>> Host Name . . . . . . . . . . . . : ubiq-serv9
>>>>> Primary Dns Suffix . . . . . . . : mynetwork.local
>>>>> Node Type . . . . . . . . . . . . : Unknown
>>>>> IP Routing Enabled. . . . . . . . : Yes
>>>>> WINS Proxy Enabled. . . . . . . . : Yes
>>>>> DNS Suffix Search List. . . . . . : mynetwork.local
>>>>> PPP adapter RAS Server (Dial In) Interface:
>>>>> Connection-specific DNS Suffix . :
>>>>> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
>>>>> Physical Address. . . . . . . . . : 00-53-45-00-00-00
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> IP Address. . . . . . . . . . . . : 192.168.50.154
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.255
>>>>> Default Gateway . . . . . . . . . :
>>>>> Ethernet adapter Local Area Connection:
>>>>> Connection-specific DNS Suffix . :
>>>>> Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
>>>>> Physical Address. . . . . . . . . : 00-1A-A0-5E-6F-E3
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> IP Address. . . . . . . . . . . . : 192.168.52.28
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> IP Address. . . . . . . . . . . . : 192.168.50.28
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>> Default Gateway . . . . . . . . . : 192.168.50.1
>>>>> DNS Servers . . . . . . . . . . . : 192.168.50.28
>>>>> Primary WINS Server . . . . . . . : 192.168.50.28
>>>>> Secondary WINS Server . . . . . . : 192.168.50.3
>>>>> Meinolf Weber [MVP-DS] wrote:
>>>>>> Hello Adrian,
>>>>>>
>>>>>> Please post an unedited ipconfig /all from the server. And to
>>>>>> answer your question, using RRAS on a DC is a kind of
>>>>>> multihoming.
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> Meinolf Weber
>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>> and
>>>>>> confers no rights.
>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>> ** HELP us help YOU!!!
>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>> Just to add: As I've seen some posts about multi-homed DCs.
>>>>>>>
>>>>>>> This is from one of the DCs itself. It has a single NIC, but it
>>>>>>> does provide RRAS (PPTP VPN) services to Internet clients. Not
>>>>>>> sure if that classifies it as multi-homed or not.
>>>>>>>
>>>>>>> DNS is configured for the internal DNS server (and as far as I
>>>>>>> can tell all the SRV records are good).
>>>>>>>
>>>>>>> There are some other issues on the DC I'm checking into about
>>>>>>> Autoenrollment and DC certificate failures (0x80070005), but
>>>>>>> clients seem to be ok using this server as a DC.
>>>>>>>
>>>>>>> Adrian Marsh (NNTP) wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Looking at the event logs of some of my DCs, I've seeing a
>>>>>>>> complaint:
>>>>>>>>
>>>>>>>> Event Type: Error
>>>>>>>> Event Source: Userenv
>>>>>>>> Event Category: None
>>>>>>>> Event ID: 1058
>>>>>>>> Date: 23/07/2009
>>>>>>>> Time: 16:32:59
>>>>>>>> User: NT AUTHORITY\SYSTEM
>>>>>>>> Computer: UBIQ-SERV9
>>>>>>>> Description:
>>>>>>>> Windows cannot access the file gpt.ini for GPO
>>>>>>>> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ubiquisys,DC=local.
>>>>>>>> The file must be present at the location
>>>>>>>> 6D-11D2-945F-00C04FB984F9}\gpt.ini>.
>>>>>>>> (Access is denied. ). Group Policy processing aborted.
>>>>>>>> but the gpt.ini file is there (GPT.INI)
>>>>>>>> It has access perms:
>>>>>>>> Authenticated Users: Read & Execute
>>>>>>>> Server Operators R & E
>>>>>>>> Administrators Full Control
>>>>>>>> SYSTEM Full Control
>>>>>>>> seems ok to me !?!
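
The multihoming points raised in the quoted exchange above (RRAS on the DC, two fixed addresses in different subnets on one NIC), as an added example that is not part of any post: a Python check over saved `ipconfig /all` text. The function names and finding labels are assumptions of this example, and the sample input is constructed from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample, shaped like the ipconfig /all output quoted in the thread.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ubiq-serv9
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes

PPP adapter RAS Server (Dial In) Interface:

   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   IP Address. . . . . . . . . . . . : 192.168.50.154
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   IP Address. . . . . . . . . . . . : 192.168.52.28
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.50.28
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.1
   DNS Servers . . . . . . . . . . . : 192.168.50.28
"""

# "Ethernet adapter Local Area Connection:" style section headers.
HEADER = re.compile(r"^(.+ adapter .+):$")
# "Label . . . . : value" lines; the dotted leader is discarded.
KEYVAL = re.compile(r"^([A-Za-z][\w \-/()]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return (global_settings, adapters); adapters maps name -> [IPv4Interface]."""
    settings, adapters = {}, {}
    current, pending_ip = None, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is often lost in pasted output
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            adapters[current] = []
            pending_ip = None
            continue
        keyval = KEYVAL.match(line)
        if not keyval:
            continue  # wrapped continuation lines, banner text
        key, value = keyval.group(1), keyval.group(2).strip()
        if current is None:
            settings[key] = value
        elif key in ("IP Address", "IPv4 Address"):
            # Newer Windows versions append "(Preferred)" to the address.
            pending_ip = value.split("(")[0].strip()
        elif key == "Subnet Mask" and pending_ip:
            try:
                iface = ipaddress.ip_interface(f"{pending_ip}/{value}")
                adapters[current].append(iface)
            except ValueError:
                pass  # not an IPv4 address/mask pair
            pending_ip = None
    return settings, adapters


def audit(text):
    """List the multihoming indicators found in ipconfig /all text."""
    settings, adapters = parse_ipconfig(text)
    findings = []
    if settings.get("IP Routing Enabled", "").lower() == "yes":
        findings.append("ip-routing-enabled")
    addressed = {name: ifs for name, ifs in adapters.items() if ifs}
    if len(addressed) > 1:
        findings.append("multiple-addressed-adapters: " + ", ".join(sorted(addressed)))
    for name, ifaces in addressed.items():
        networks = sorted({str(i.network) for i in ifaces})
        if len(networks) > 1:
            findings.append(f"multiple-subnets on {name}: " + ", ".join(networks))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
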
 

Adrian Marsh (NNTP)

Hi Meinolf,

As far as I can see, the transitioned machine (serv1) is all working fine.

I've set up another 2 DCs, in preparation for shutting down ubiq-serv9.
(In two sites). I'm now seeing some FRS-type propagation issues in
Sysvol I need to look at too. But only inter-site...

Meinolf Weber [MVP-DS] wrote:
> Hello Adrian,
>
> You mentioned that you moved from SBS with transition pack, maybe
> something is going wrong there.
>
> So I suggest, before removing the DC to use the SBS newsgroup:
> microsoft.public.windows.server.sbs
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Adrian Marsh (NNTP)

Just to tie this off...

I've not seen the error in a while now.
I had another problem, with autoenrollment, where I found a fix for
that, and maybe that's cured this too. Basically 2003 SP1 at some point
had removed the Domain Controllers group membership of the DCOM group. I
added that, autoenrollment cleared up and so now it seems this has too.

Replication between sites also seems to work (although it does take a
long time, and I'm still not sure why)


Adrian Marsh (NNTP) wrote:
> Hi Meinolf,
>
> As far as I can see, the transitioned machine (serv1) is all working fine.
>
> I've set up another 2 DCs, in preparation for shutting down ubiq-serv9.
> (In two sites). I'm now seeing some FRS-type propagation issues in
> Sysvol I need to look at too. But only inter-site...

Meinolf Weber [MVP-DS]

Hello Adrian,

As mentioned before you should use SP2 and all latest patches.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Just to tie this off...
>
> I've not seen the error in a while now.
> I had another problem, with autoenrollment, where I found a fix for
> that, and maybe that's cured this too. Basically 2003 SP1 at some point
> had removed the Domain Controllers group membership of the DCOM group. I
> added that, autoenrollment cleared up and so now it seems this has too.
>
> Replication between sites also seems to work (although it does take a
> long time, and I'm still not sure why)
>
> Adrian Marsh (NNTP) wrote:
>
>> Hi Mehinolf,
>>
>> As far as I can see, the transitioned machine (serv1) is all working
>> fine.
>>
>> I've setup another 2 DCs, in preperation for shutting down
>> ubiq-serv9. (In two sites). I'm now seeing some FRS-type propgation
>> issues in Sysvol I need to look at too. But only inter-site...
>>
>> Meinolf Weber [MVP-DS] wrote:
>>
>>> Hello Adrian,
>>>
>>> You mentioned that you moved from SBS with transition pack, maybe
>>> something is going wrong there.
>>>
>>> So i suggest, before removing the DC to use the SBS newsgroup:
>>> microsoft.public.windows.server.sbs
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Hi Meinholf,
>>>>
>>>> I'll run those tests, thankyou. I'm also wondering if FRS is
>>>> working properly, as when I look in SYSVOL, I can see some files in
>>>> serv9's, that I cant see in the PDC, serv1. So I'm thinking of
>>>> demoting serv9 (so were back temporarily to single DC), then
>>>> promoting serv8 (currently has a very lightly used SQL server on
>>>> it, single NIC).
>>>>
>>>> Basicaly, bring the network back to one known-working DC and
>>>> re-expand again from there.
>>>>
>>>> Adrian
>>>>
>>>> Meinolf Weber [MVP-DS] wrote:
>>>>
>>>>> Hello Adrian,
>>>>>
>>>>> Check that the sysvol and netlogon folder exist on srv9 and you
>>>>> can access them locally. Check your DCs with dcdidag /v, netdiag
>>>>> /v and repadmin /showrepl for errors.
>>>>>
>>>>> Also make sure they are all having SP2 installed and the latest
>>>>> patches. If that is the case check also this articles:
>>>>> http://support.microsoft.com/kb/887303
>>>>>
>>>>> http://support.microsoft.com/kb/314494/en-us
>>>>>
>>>>> http://support.microsoft.com/kb/842804/en-us
>>>>>
>>>>> http://support.microsoft.com/kb/883271/en-us
>>>>>
>>>>> http://support.microsoft.com/kb/290647
>>>>>
>>>>> Best regards
>>>>>
>>>>> Meinolf Weber
>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>> and
>>>>> confers no rights.
>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>> Hi Meinolf,
>>>>>>
>>>>>> I've been diagnosing this a little further. I cant seperate out
>>>>>> the DC and RRAS just yet.
>>>>>>
>>>>>> Maybe the multi-homed setup is all the same cause here, but:
>>>>>>
>>>>>> I started to see the same error start to happen on serv1 too.
>>>>>> serv1 was an SBS 2003, but has had the transition pack applied.
>>>>>>
>>>>>> When I queried DNS on serv1, for mynetwork.local, it returned the
>>>>>> IP of ubiq-serv9, meaning that the A record for mynetwork.local
>>>>>> as a domain was not serv1, but serv9.
>>>>>>
>>>>>> serv1 holds all 5 Operations masters still.
>>>>>>
>>>>>> For some reason, I guess serv9 is updating DNS to point to
>>>>>> itself.
>>>>>>
>>>>>> When I tried to browse in explorer to mynetwork.localSYSVOL
>>>>>> from serv1 (so serv1 -> serv9), I get "... is not accessible. You
>>>>>> might not have permission to use this network resource"
>>>>>>
>>>>>> So, on serv1, I edited the local hosts file temporarily, to put
>>>>>> the A record for DNS to 192.168.50.3 (itself), did an "ipconfig
>>>>>> /flushdns" and re-browsed to SYSVOL, and everything was fine. So
>>>>>> perms on serv1 are OK, but SYSVOL on serv9 is, in some way
>>>>>> blocked.
>>>>>>
>>>>>> I undid the hosts entry, and I've compared both Share permissions
>>>>>> for SYSVOL on serv9 to serv1, and also file-level security. Both
>>>>>> are the same.
>>>>>>
>>>>>> Would the multi-home setup screw up sysvol sharing on serv9 in
>>>>>> some way ?
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> Meinolf Weber [MVP-DS] wrote:
>>>>>>
>>>>>>> Hello Adrian,
>>>>>>>
>>>>>>> As said before remove the RRAS form the DC and use a dedicated
>>>>>>> member server instead. Additional the DC has 2 fixed ip
>>>>>>> addresses (192.168.52.28 and 192.168.50.28), so remove
>>>>>>> 192.168.52.28(different subnet), check the advanced NIC
>>>>>>> settings.
>>>>>>>
>>>>>>> Serv1 is a bot strange for you wrote an old SBS server, is it
>>>>>>> still used and configured as DC? Wich DC has the 5 FSMO roles?
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> Meinolf Weber
>>>>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>>>>> and
>>>>>>> confers no rights.
>>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>>> ** HELP us help YOU!!!
>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>>> Hi Meinolf,
>>>>>>>>
>>>>>>>> serv9 (DC + RRAS + DNS/WINS secondary) config below. Static
>>>>>>>> assigned IPs.
>>>>>>>>
>>>>>>>> serv1 (192.168.50.3) is the main DNS/WINS server (an old SBS
>>>>>>>> 2003 server)
>>>>>>>>
>>>>>>>> Looking at it, I'm not sure why there are two .28 IPs defined
>>>>>>>> on the LAN interface... I'll try removing one.
>>>>>>>>
>>>>>>>> C:\Documents and Settings\adm1n>ipconfig /all
>>>>>>>>
>>>>>>>> Windows IP Configuration
>>>>>>>>
>>>>>>>> Host Name . . . . . . . . . . . . : ubiq-serv9
>>>>>>>> Primary Dns Suffix . . . . . . . : mynetwork.local
>>>>>>>> Node Type . . . . . . . . . . . . : Unknown
>>>>>>>> IP Routing Enabled. . . . . . . . : Yes
>>>>>>>> WINS Proxy Enabled. . . . . . . . : Yes
>>>>>>>> DNS Suffix Search List. . . . . . : mynetwork.local
>>>>>>>>
>>>>>>>> PPP adapter RAS Server (Dial In) Interface:
>>>>>>>>
>>>>>>>> Connection-specific DNS Suffix . :
>>>>>>>> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
>>>>>>>> Physical Address. . . . . . . . . : 00-53-45-00-00-00
>>>>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>>>>> IP Address. . . . . . . . . . . . : 192.168.50.154
>>>>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.255
>>>>>>>> Default Gateway . . . . . . . . . :
>>>>>>>>
>>>>>>>> Ethernet adapter Local Area Connection:
>>>>>>>>
>>>>>>>> Connection-specific DNS Suffix . :
>>>>>>>> Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
>>>>>>>> Physical Address. . . . . . . . . : 00-1A-A0-5E-6F-E3
>>>>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>>>>> IP Address. . . . . . . . . . . . : 192.168.52.28
>>>>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>>>>> IP Address. . . . . . . . . . . . : 192.168.50.28
>>>>>>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>>>>> Default Gateway . . . . . . . . . : 192.168.50.1
>>>>>>>> DNS Servers . . . . . . . . . . . : 192.168.50.28
>>>>>>>> Primary WINS Server . . . . . . . : 192.168.50.28
>>>>>>>> Secondary WINS Server . . . . . . : 192.168.50.3
>>>>>>>> Meinolf Weber [MVP-DS] wrote:
>>>>>>>>> Hello Adrian,
>>>>>>>>>
>>>>>>>>> Please post an unedited ipconfig /all from the server. And to
>>>>>>>>> answer your question, using RRAS on a DC is a kind of
>>>>>>>>> multihoming.
>>>>>>>>>
>>>>>>>>> Best regards
>>>>>>>>>
>>>>>>>>> Meinolf Weber
>>>>>>>>> Disclaimer: This posting is provided "AS IS" with no
>>>>>>>>> warranties, and confers no rights.
>>>>>>>>> ** Please do NOT email, only reply to Newsgroups
>>>>>>>>> ** HELP us help YOU!!!
>>>>>>>>> http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>>>>>>> Just to add: As I've seen some posts about multi-homed DCs.
>>>>>>>>>>
>>>>>>>>>> This is from one of the DCs itself. It has a single NIC, but
>>>>>>>>>> it does provide RRAS (PPTP VPN) services to Internet clients.
>>>>>>>>>> Not sure if that classifies it as multi-homed or not.
>>>>>>>>>>
>>>>>>>>>> DNS is configured for the internal DNS server (and as far as
>>>>>>>>>> I can tell all the SRV records are good).
>>>>>>>>>>
>>>>>>>>>> There are some other issues on the DC I'm checking into about
>>>>>>>>>> Autoenrollment and DC certificate failures (0x80070005), but
>>>>>>>>>> clients seem to be ok using this server as a DC.
>>>>>>>>>>
>>>>>>>>>> Adrian Marsh (NNTP) wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Looking at the event logs of some of my DCs, I'm seeing a
>>>>>>>>>>> complaint:
>>>>>>>>>>>
>>>>>>>>>>> Event Type: Error
>>>>>>>>>>> Event Source: Userenv
>>>>>>>>>>> Event Category: None
>>>>>>>>>>> Event ID: 1058
>>>>>>>>>>> Date: 23/07/2009
>>>>>>>>>>> Time: 16:32:59
>>>>>>>>>>> User: NT AUTHORITY\SYSTEM
>>>>>>>>>>> Computer: UBIQ-SERV9
>>>>>>>>>>> Description:
>>>>>>>>>>> Windows cannot access the file gpt.ini for GPO
>>>>>>>>>>> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ubiquisys,DC=local.
>>>>>>>>>>> The file must be present at the location
>>>>>>>>>>> <...-016D-11D2-945F-00C04FB984F9}gpt.ini>.
>>>>>>>>>>> (Access is denied. ). Group Policy processing aborted.
>>>>>>>>>>> but the gpt.ini file is there (GPT.INI)
>>>>>>>>>>> It has access perms:
>>>>>>>>>>> Authenticated Users: Read & Execute
>>>>>>>>>>> Server Operators R & E
>>>>>>>>>>> Administrators Full Control
>>>>>>>>>>> SYSTEM Full Control
>>>>>>>>>>> seems ok to me !?!
 