Processing group policy failed windows


Event ID: 1058 — Processing of Group Policy failed. Windows attempted to read file \\domain.com\SysVol\ domain.com \Policies\\gpt.ini from domain controller and was not successful.

Background of the issue: We promoted a 2016 AD from 2008. After it was promoted to domain controller, we demoted the 2008 using DCpromo. However, after a few days, we noticed that some SYSVOL replication was not synchronized on DC01 Site A and DC02 Site B.

What we did was perform the forced authoritative synchronization of DFSR SYSVOL replication, and it is working successfully. The DFSR SYSVOL is now replicated on each site, DC01 Site A and DC02 Site B. Unfortunately, upon pushing "GPUPDATE /force" we encountered an error, which is: Processing of Group Policy failed. Windows attempted to read file \\domain.com\SysVol\ domain.com \Policies\gpt.ini from domain controller and was not successful.

Event ID: 1058 shows the processing of Group Policy failed. Windows attempted to read file \\domain.com\sysvol\domain.com\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:51:56
Event String:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2016 Microsoft Corporation. All rights reserved.

Created on 28/07/2020 at 6:41:49 PM

RSOP data for DomainName\Administrator on DC02 Site B : Logging Mode

OS Configuration: Primary Domain Controller
OS Version: 10.0.14393
Site Name: MANILA
Roaming Profile: N/A
Local Profile: C:\Users\Administrator.DomainName
Connected over a slow link?: No

COMPUTER SETTINGS

USER SETTINGS

Directory Server Diagnosis

Performing initial setup:
Trying to find home server.
Home Server = DC01
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: MANILA\DC01
Starting test: Connectivity
. DC01 passed test Connectivity

Doing primary tests

Testing server: MANILA\DC01
Starting test: Advertising
. DC01 passed test Advertising
Starting test: FrsEvent
. DC01passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. DC01 passed test DFSREvent
Starting test: SysVolCheck
. DC01 passed test SysVolCheck
Starting test: KccEvent
. DC010 passed test KccEvent
Starting test: KnowsOfRoleHolders
. DC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
. DC01 passed test MachineAccount
Starting test: NCSecDesc
. DC01 passed test NCSecDesc
Starting test: NetLogons
. DC01 passed test NetLogons
Starting test: ObjectsReplicated
. DC01 passed test ObjectsReplicated
Starting test: Replications
. DC01 passed test Replications
Starting test: RidManager
. DC01 passed test RidManager
Starting test: Services
. DC010 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:47:04
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\petcad1100\SysVol\petcad1100\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:51:56
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\Domain.com\SysVol\Domain.com\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:52:05
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\Domain.com\SysVol\Domain.com\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:54:08
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\Domain.com\SysVol\Domain.com\Policies\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:57:05
Event String:

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
. DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
. DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
. Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
. Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
. Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
. Configuration passed test CrossRefValidation
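
A triage parser for dcdiag output like the log posted above, as an added example that is not part of the original post. It converts the hexadecimal event IDs to the decimal IDs shown in Event Viewer (0x422 is 1058), collects the UNC paths the events complain about, and flags tests that print a warning yet still report "passed", as DFSREvent does here. The sample text is constructed.

```python
import re
from collections import Counter

# Constructed sample shaped like the dcdiag log above; names are placeholders
# and the final "failed test SystemLog" line is assumed (the post is cut off).
SAMPLE = r"""Testing server: MANILA\DC01
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared.
. DC01 passed test DFSREvent
Starting test: SysVolCheck
. DC01passed test SysVolCheck
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 07/28/2020 17:51:56
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\Domain.com\SysVol\Domain.com\Policies\gpt.ini from a domain controller and was not successful.
An error event occurred. EventID: 0x00000422
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\domain.com\sysvol\domain.com\Policies\gpt.ini from a domain controller and was not successful.
. DC01 failed test SystemLog
"""

START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.\s*(\S+?)\s*(passed|failed) test (\S+)")
EVENT = re.compile(r"(?:error|warning) event occurred\.\s*EventID:\s*0x([0-9A-Fa-f]+)", re.I)
NOTED = re.compile(r"warning or error events", re.I)
UNC = re.compile(r"\\\\[^\s\\]+(?:\\[^\s\\]+)+")

def parse_dcdiag(text):
    """Return one record per test run, in the order dcdiag printed them."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := START.match(line):
            cur = {"test": m.group(1), "target": None, "result": None,
                   "events": Counter(), "paths": set(), "noted": False}
            records.append(cur)
        elif cur is None:
            continue                      # text outside any test block
        elif m := RESULT.search(line):
            cur["target"], cur["result"] = m.group(1), m.group(2)
            cur = None                    # test block is closed
        else:
            if m := EVENT.search(line):
                cur["events"][int(m.group(1), 16)] += 1   # 0x422 -> 1058
            cur["noted"] |= bool(NOTED.search(line))
            # Windows paths are case-insensitive, so fold case to deduplicate.
            cur["paths"].update(p.lower() for p in UNC.findall(line))
    return records

def needs_attention(records):
    """Tests that failed, logged events, or 'passed' while printing a warning."""
    return [r for r in records
            if r["result"] != "passed" or r["events"] or r["noted"]]

if __name__ == "__main__":
    for r in needs_attention(parse_dcdiag(SAMPLE)):
        print(r["test"], r["result"], dict(r["events"]), sorted(r["paths"]))
```
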

Processing group policy failed windows


I’m having some serious issues with replication of Group Policies. The event that is filling the system log is as follows:

Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid]
EventID 1006
Version 0
Level 2
Task 0
Opcode 1
Keywords 0x8000000000000000
TimeCreated
[ SystemTime] 2010-11-10T13:04:08.863Z
EventRecordID 231473
Correlation
Execution
[ ProcessID] 1016
[ ThreadID] 2612
Channel System
Computer server.domain.local
Security
EventData
SupportInfo1 4
SupportInfo2 2667
ProcessingMode 0
ProcessingTimeInMilliseconds 2141
ErrorCode 82
ErrorDescription Local Error
DCName \\server.domain.local

Group Policy Infrastructure failed due to the error listed below.

A directory service error has occurred.

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.


All replies

I couldn’t find anything on Error Code 82, either. I guess you’ve already found this link?

It could be something as simple as a DNS lookup, multihomed DC, wrong DNS address, etc. Let’s take a look at some additional information to help diagnose it. Please post the following:

  • How many DCs in the infrastructure?
  • What operating system and service pack level are the DCs?
  • A complete ipconfig /all from your DCs
  • Any additional Event log errors
  • If you have more than one DC, run a repadmin /showrepl
  • To see if anything is in the queue waiting for replication, run repadmin /queue *
  • This switch shows partitions if replicated or not — repadmin /showreps

Also run a dcdiag and netdiag:

  • dcdiag /V /C /D /E /s:DC’sName > c:\dcdiag.log (The /E switch runs diagnostics on all DCs)
  • netdiag /v > c:\netdiag.log (Run this on each DC)

You can also use Paul Bergson’s script to run the above utilities, which may be easier: http://www.pbbergs.com/windows/downloads.htm.

Was the KRBTGT account ever restored with an Authoritative Restore? Run a repadmin /showmeta. Look at the unicodePwd attribute PVN (the Ver column). If it’s 100002, then it means it was restored at one point. If this is the case and it’s a Windows 2003 DC, take a look at this KB article:

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: "No authority could be contacted for authentication" when you use Remote Desktop Connection
http://support.microsoft.com//kb/939820

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Thanks for posting here.

Are you using CNAME records to point to records in your DNS server? If yes, please change the CNAME (Alias) entries to HOST (A) records in DNS.

Meanwhile, please check the entries in the host file and make sure there is no incorrect entry for the DC name.

Please post back the result.

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, and thanks for responding:-)

I’ve tried to include answers to most of your questions, however I do not want to disclose too much about my customer :

•How many DCs in the infrastructure?

I’ve got 2 Root DCs in the root domain, and 2 std DC’s in logon domain (sub). In addition to that, I have 3 RODC’s at branch offices.

•What operating system and service pack level are the DCs?

Windows 2008 X64 up to date – patch

•A complete ipconfig /all from your DCs

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-9A-10-22
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.50.20.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.50.20.1
DNS Servers . . . . . . . . . . . : 10.50.20.21
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-83-3E-1A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.50.20.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.50.20.1
DNS Servers . . . . . . . . . . . : 10.50.20.22
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP Network Team #1
Physical Address. . . . . . . . . : 00-26-55-86-94-F6
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.170.10.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.170.10.1
DNS Servers . . . . . . . . . . . : 10.50.20.21
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

The other RODCs are the same, but on their own subnets.

•Any additional Event log errors

Actually I also have some netlogon errors as well :

There are currently no logon servers available to service the logon request.

This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

•If you have more than one DC, run a repadmin /showrepl

•To see if anything is in the queue waiting for replication, run repadmin /queue *

Queue has 0 items

•This switch shows partitions if replicated or not — repadmin /showreps

Also run a dcdiag and netdiag:

•dcdiag /V /C /D /E /s:DC’sName > c:\dcdiag.log (The /E switch runs diagnostics on all DCs)

Contains a lot of these :

An Error Event occurred. EventID: 0x000003EE

Time Generated: 11/11/2010 11:57:55

EvtFormatMessage failed, error 15100 Win32 Error 15100.

(Event String (event log = System) could not be retrieved, error

•netdiag /v > c:\netdiag.log (Run this on each DC)

You can also use Paul Bergson’s script to run the above utilities, which may be easier: http://www.pbbergs.com/windows/downloads.htm.

Not with 2008, it seems :-)

Was the KRBTGT account ever restored with an Authoritative Restore? Run a repadmin /showmeta. Look at the unicodePwd attribute PVN (the Ver column). If it’s 100002, then it means it was restored at one point. If this is the case and it’s a Windows 2003 DC, take a look at this KB article:

Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or error message: "No authority could be contacted for authentication" when you use Remote Desktop Connection

Not when using remote desktop, however I have some event regarding this.

Hope this clarifies a bit more 🙂

Well, if you are referring to the records under _MSDCS. .xx, the answer is YES! Are these the records that I need to change to A records?

Name Type Data Timestamp
dc
domains
gc
pdc

Currently it looks like below :

05b9cb72-bcbe-4f84-a2c2-ab4af900ed9d Alias (CNAME) DomRDC10002.rootdomain.xx. 08.11.2010 08:00:00
29c51fbe-913e-4326-b579-ea3d2df5bdd9 Alias (CNAME) domDC10002.logon.rootdomain.xx. 08.11.2010 15:00:00
5030193f-b054-4b45-bdcf-2c6d8706e984 Alias (CNAME) domDC22001.logon.rootdomain.xx. 10.11.2010 03:00:00
55c362ce-753d-4a35-a125-16aa60513945 Alias (CNAME) domDC21001.logon.rootdomain.xx. 09.11.2010 22:00:00
77069a4a-da69-4b7a-84f4-3b2c6f54918e Alias (CNAME) DomRDC10001.rootdomain.xx. 08.11.2010 07:00:00
abc7b2dc-eb73-417b-8fa5-35afe1515626 Alias (CNAME) domDC20001.logon.rootdomain.xx. 04.11.2010 16:00:00
b89faab2-038a-4859-8ef5-240bdeceed49 Alias (CNAME) domDC10001.logon.rootdomain.xx. 08.11.2010 08:00:00
(same as parent folder) Name Server (NS) domDC10001.logon.rootdomain.xx. 08.11.2010 13:00:00
(same as parent folder) Name Server (NS) domDC10002.logon.rootdomain.xx. 08.11.2010 09:00:00
(same as parent folder) Name Server (NS) DomRDC10002.rootdomain.xx. 14.10.2010 03:00:00
(same as parent folder) Name Server (NS) DomRDC10001.rootdomain.xx. 13.10.2010 03:00:00
(same as parent folder) Start of Authority (SOA) [136], domDC10002.logon.rootdomain.xx., hostmaster.rootdomain.xx. static

Thanks for your reply.

Btw, I also get this error:

Repadmin can’t connect to a "home server", because of the following error. Try specifying a different home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:

LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:


Those CNAMES are normal and get registered by Netlogon. What Tiger was referring to is if you had manually created any CNAMES for any unknown purpose or reasons.

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Thanks for responding.

The Remote Desktop in the title can be ignored because it states that’s just one of the symptoms. Please re-read the article.

Netdiag doesn’t work on 2008, hence what you’re seeing. Originally you didn’t post what OS it was, so I didn’t know you had 2008.

Do you have AD Sites configured?

Dcdiags:

Please retry dcdiag with: dcdiag /v > c:\dcdiag.txt on each DC and upload them to Windows Live SkyDrive. It would be helpful to see each one, if possible. You can hide the DC and domain names using notepad’s Replace function.

DNS Design in a multi-domain forest:

I also didn’t realize you have multiple domains in the forest. This introduces another factor with DNS design. Since this is a multi-domain forest, we’ll need to know what replication scope the domains rootdomain.com, logon.rootdomain.com, and _msdcs.rootdomain.com are set to in order to understand the relationship with the DNS addresses the DCs are using.

When configuring DNS addresses in a multi-domain forest, it must be carefully designed. Do you have a parent-child DNS delegation with a forwarder from the child DNS set to the parent DNS, and parent DNS forwarder to the ISP, or are all the zones in the ForestDnsZones partition and each have a forwarder to the ISP?

The important thing is that whatever DNS servers are chosen for a DC, that DNS server must host the zone, and the zone must be in the appropriate Replication Scope based on your DNS resolution design in the forest. Read more to understand what I’m talking about:

Ipconfigs:

You pulled out the top part of the ipconfigs. They tell us the Primary DNS Suffix, IP routing, WINS proxy settings, etc. It helps in troubleshooting understanding the whole config.

So far, what I see with the ipconfigs is that you have 3 DNS addresses set on each one. Actually, more than 2 becomes superfluous because the client-side resolver service may time out when it queries DNS and never get to the 3rd entry. So 2 DNS addresses are sufficient. Rule of thumb for DNS entries: point to itself as the first entry, and choose a nearby replica DC or one across the WAN if one is not in the same location/AD Site as the second entry.

Possible duplicate zone issue?

This is always a possible cause of concern and will create issues. To understand what a dupe zone is, how it may have occurred, and how to fix it, please read my blog on this condition. Just to eliminate this concern, please follow the instructions on how to use ADSI Edit to just "see" if there are any dupes in any of the partitions.

Summary:

One way to see if there are any issues with DNS is to point all DCs to only one DNS server, run an ipconfig /registerdns, and restart the netlogon service. However, this all depends on your DNS design. If there is a delegation configured, then this won’t work.

Apparently it appears there may be a DNS lookup issue going on if GPO are not processing. Responses to the info above will be helpful.

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
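
The DNS rule of thumb from the reply above (the DC lists itself first, and no more than two DNS servers), applied to `ipconfig /all` text; this is an added example, not part of the original thread. The sample output and the finding names are constructed, and treating 127.0.0.1 as "itself" is an assumption.

```python
import re

# Constructed `ipconfig /all` fragment; adapter names and addresses are
# illustrative, not the poster's configuration.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : HP Network Team #1
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.170.10.22(Preferred)
   DNS Servers . . . . . . . . . . . : 10.50.20.21
                                       10.50.20.22
                                       10.170.10.22
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
"""

HEADER = re.compile(r"^(\S.*adapter .*):\s*$")
# "Label . . . . : value"; the dot leader before the colon separates real
# fields from continuation lines (extra DNS servers, IPv6 addresses).
FIELD = re.compile(r"^\s*(\S[^:]*?)\s*(?:\. ?)+:\s*(.*)$")


def parse_adapters(text):
    """Return [{'name', 'ipv4', 'dns'}] with DNS servers in configured order."""
    adapters, cur, last = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur, last = {"name": m.group(1), "ipv4": [], "dns": []}, None
            adapters.append(cur)
        elif cur is None or not line.strip():
            continue
        elif m := FIELD.match(line):
            last, value = m.group(1), m.group(2).strip()
            if last == "IPv4 Address":
                cur["ipv4"].append(value.split("(")[0])  # drop "(Preferred)"
            elif last == "DNS Servers" and value:
                cur["dns"].append(value)
        elif last == "DNS Servers":
            cur["dns"].append(line.strip())              # continuation line
    return adapters


def check_dc_dns(adapter, max_servers=2):
    """Apply the reply's rule of thumb to one adapter of a DC."""
    findings = []
    if not adapter["ipv4"]:
        return findings                       # disconnected or tunnel adapter
    own = set(adapter["ipv4"]) | {"127.0.0.1"}   # assumption: loopback = itself
    if not adapter["dns"]:
        findings.append("no-dns")
    elif adapter["dns"][0] not in own:
        findings.append("first-not-self")
    if len(adapter["dns"]) > max_servers:
        findings.append("too-many")
    return findings


if __name__ == "__main__":
    for a in parse_adapters(SAMPLE):
        print(a["name"], a["dns"], check_dc_dns(a))
```
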
