Multi-homed Domain controller logs Event ID 1030 and 1058

10. September 2009

I recently had an issue where a hosting environment was registering a lot of Netlogon Event 1030/1058 errors, being unable to find the Group Policy objects or download them. In this example, the server named DC is the domain controller for DOMAIN.LCL.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  10/09/2009
Time:  06:24:29
User:  NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL. The file must be present at the location <\\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the affected machines, navigating to \\DOMAIN.LCL showed no shares at all, whereas navigating to \\DC showed the NETLOGON and SYSVOL shares. Pinging DOMAIN.LCL and then DC showed that the two names did not resolve to the same address as they should have: DOMAIN.LCL was resolving to the backup network address, whereas DC was resolving to the server's LAN IP.

I checked the DNS records for the server, which were correct. Investigating the adaptor binding settings under Control Panel > Network Connections > Advanced > Advanced Settings showed that the backup network's adaptor was first in the list. I moved the LAN adaptor to the top of the list and OK'd my way out. I restarted the NETLOGON service and the issue was solved.

Windows servers have never been particularly good at being multi-homed, especially domain controllers. My advice comes from some bitter experience...

  • If you have multiple network adaptors for extra bandwidth/redundancy/resilience, then I would strongly recommend using teamed adaptors; most of the major manufacturers' drivers and management software support it. This eliminates any issues with multi-homing because, as far as the server is concerned, it has one adaptor.
  • If you have multiple network adaptors for different network segments and you're using RRAS to route between them, I would strongly suggest not using a Domain Controller at all for this purpose. Better yet, buy a hardware router.
  • If you have multiple network adaptors for different purpose networks (e.g. a LAN, a backup network and an iSCSI network) then make sure you do the following:
    • Disable "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on all but the LAN adaptor.
    • Ensure that your LAN adaptor is the FIRST adaptor in the bindings in the advanced network settings.
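As an added diagnostic (not from the original post) for the three symptoms above, this PowerShell checks whether the domain name and the DC name resolve to the same addresses, lists the interface order, and reports any non-LAN adaptor that still has Client for Microsoft Networks or File and Printer Sharing bound. It assumes Server 2012 or later (DnsClient and NetTCPIP modules) and that the LAN adaptor's alias is "LAN"; DOMAIN.LCL and DC are the names from the post.

```powershell
# Added diagnostic for a multi-homed DC; not from the original post.
# Assumes PowerShell on Server 2012 or later. On 2003 the equivalent checks are
# nslookup, ipconfig /all and the Advanced Settings bindings dialog.
$Domain     = 'DOMAIN.LCL'   # domain name from the post
$DcName     = 'DC'           # DC hostname from the post
$LanAdapter = 'LAN'          # assumed alias of the LAN adaptor; change to match yours

# 1. On a single-DC domain the domain name and the DC name should resolve to the same
#    addresses. The fault in the post was DOMAIN.LCL resolving to the backup network.
$domainIps = @((Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop).IPAddress | Sort-Object)
$dcIps     = @((Resolve-DnsName -Name $DcName -Type A -ErrorAction Stop).IPAddress | Sort-Object)
if (Compare-Object -ReferenceObject $domainIps -DifferenceObject $dcIps) {
    Write-Warning "$Domain -> $($domainIps -join ', ') but $DcName -> $($dcIps -join ', ')"
}

# 2. Interface order. On current Windows versions the old binding-order dialog is
#    superseded by the interface metric (lowest is tried first), so the LAN adaptor
#    should appear at the top of this list.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, InterfaceIndex

# 3. Client for Microsoft Networks (ms_msclient) and File and Printer Sharing (ms_server)
#    belong on the LAN adaptor only; anything else is reported together with the fix.
Get-NetAdapterBinding -ComponentID ms_msclient, ms_server |
    Where-Object { $_.Enabled -and $_.Name -ne $LanAdapter } |
    ForEach-Object {
        Write-Warning ("{0}: '{1}' is enabled. Fix: Disable-NetAdapterBinding -Name '{0}' -ComponentID {2}" -f
            $_.Name, $_.DisplayName, $_.ComponentID)
    }
```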

Hope that helps!

Active Directory, Networking, Windows Server 2000, Windows Server 2003, Windows Server 2008

How to force the removal of Folder Redirection from specific user accounts

3. April 2009

We have a folder redirection policy in place for all of our users, in combination with a roaming profile policy; this policy is applied to the OU that contains our users. Unfortunately this policy was accidentally linked to the root of our domain too, causing our Domain Admin users to be redirected as well, something we do not want. When the mistake was discovered, the policy was unlinked, but the redirection remained (despite being set to revert when users fall out of scope). I tried re-applying the policy, modifying the out-of-scope policy and then moving the Domain Admin user out of scope, but it failed to remove the folder redirection.

In the end, the solution was straightforward enough:

Create a new OU (I used "Temp") and move the affected user(s) there:

Create and link a new Group Policy Object to the new OU. Name it something descriptive so you know what it is in future, e.g. Folder Redirection Removal.

Edit the group policy, drill down to User Configuration > Windows Settings > Folder Redirection and right-click > Properties on each folder you want to reset. Set the setting to “Basic – Redirect everyone’s folder to the same location” and set the target folder location to “Redirect to the local userprofile location”.

Select the settings tab and make sure the Policy Removal setting is set to “Redirect the folder back to the local userprofile location when the policy is removed.”

Set that for each folder you want to reset. Close the Group Policy Object Editor and GPMC. Log on to the user's account on each computer you want to remove the redirection from (in my case, several servers). Check the location of the redirected folders to make sure the redirection has been removed. Once you’re sure, you can move your user back to the correct OU.

Active Directory, User Profiles, Windows Server 2003, Windows Vista, Windows XP

I've achieved my MCSE

10. September 2008

Well, I've been away with my friends at Firebrand again and guess what... MCSE Windows Server 2003!

  • 70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
  • 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  • 70-298 Designing Security for a Microsoft Windows Server 2003 Network

Active Directory, Microsoft, Windows Server 2003

Adding a Windows 2003 domain controller to your existing Windows 2000 domain

8. April 2008

I was adding a shiny new domain controller to my server farm earlier today. We have just two Windows 2000 SP4 domain controllers on old kit, and they are due to retire. With the hardware selected, purchased and a fresh copy of Windows Server 2003 R2 installed, I set to installing Active Directory. DCPromo.exe fires up and I go through the configuration steps until...

"The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help.

The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer."

A quick rootle around TechNet shows a simple solution in KB917385: on your Schema Master (normally your first DC in the domain, unless you've changed it) pop in the second CD of your R2 install and run:

[CD]:\CMPNENTS\R2\ADPREP\Adprep.exe /forestprep

That's as far as the knowledgebase article takes you. It does resolve that specific error, but not the next one you're likely to encounter, especially if you've got more than one DC and/or more than one domain. For each DC in your domain you will also need to run:

[CD]:\CMPNENTS\R2\ADPREP\Adprep.exe /domainprep /gpprep

Now, back on your new R2 server, you can fire up DCPromo.exe and install Active Directory as normal. Daniel Petri has an excellent article on how to install and test your new domain controller that you can follow; I've installed countless domain controllers and I still refer back to that article.

Active Directory, Windows Server 2003

Using NTDSUtil to transfer FSMO Roles by command line

7. January 2008

I’ve just removed a domain controller (DC) from my root domain: the very first server not only in the domain, but in the forest. The roles were migrating to a newer server, far more up to the job, but it isn’t a job to be taken lightly. If you mess up the root domain, you’ve potentially got problems all the way down your domain hierarchy.


Let me explain: the primary domain controller in a domain (normally the first domain controller) hosts all the FSMO roles. By default it is also the only copy of the Global Catalog (GC). So even if you have other domain controllers in the forest, you could potentially end up with a seriously crippled domain.

So, you want to transfer them safely off your old domain controller (from now on DC1) to your new one (from now on DC2). You must ensure that the following are transferred:

  • Schema Master - The only server in the FOREST that can edit the Schema; all other DCs receive a read-only copy.
  • Domain Naming Master - The only server in the FOREST that can add/remove domains in the Directory.
  • Infrastructure Master - Updates an object's Security ID (SID) and Distinguished Name (DN). One per DOMAIN.
  • Relative ID (RID) Master - Processes RID pool requests from all DCs in the Domain. One per DOMAIN.
  • Primary Domain Controller (PDC) Emulator - Windows Time Server (amongst other things) for Kerberos; it’s authoritative for its domain. If it’s the root domain, it’s authoritative for the Enterprise.

This can potentially cause irreparable damage to your Active Directory, so I strongly advise you check that your domain is in good working order and has been fully backed up before you attempt to transfer any roles.

  1. On any domain controller open a command prompt and run “ntdsutil”. (Note: you need to be an ENTERPRISE admin to modify the Schema, Domain Naming and Infrastructure masters and a DOMAIN admin for the rest.)
  2. Type “roles” to enter FSMO Maintenance mode.
  3. Type “connections” to enter the server connections mode, and “server <server name>” to select the server you are transferring roles to. E.g.: “server DC2”.
  4. Type “q” to drop back into FSMO Maintenance mode.
  5. Type “transfer <role>” to transfer the role you want to transfer. You will get a pop-up warning asking if you are sure; if you are, click “Yes”. <role> can be:
    • domain naming master
    • infrastructure master
    • RID master
    • PDC
    • schema master
  6. I transferred the roles in that order; it shouldn’t make much difference which order you do it in. Once all the roles are transferred, type “q” again to drop out, and “q” again to quit NTDSUtil.
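As an added example (not from the original post), here is the same transfer done with the ActiveDirectory PowerShell module instead of ntdsutil, with the "check before you start" and a verification afterwards. It assumes Server 2008 R2 or later with RSAT, that the target DC is named DC2 as in the post, and that you hold the Schema Admins, Enterprise Admins and Domain Admins memberships the roles require.

```powershell
# Added example, not from the original post: graceful FSMO transfer with the
# ActiveDirectory module. Assumes the target DC is DC2 (the name used in the post).
Import-Module ActiveDirectory
$Target = 'DC2'

function Get-FsmoHolders {
    # Forest-wide roles are read from the forest object, domain roles from the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
    }
}

'Current holders:'
Get-FsmoHolders

# Refuse to continue unless the target is a known, reachable DC (the post's
# "good working order" check; take your backup before running this).
$dc = Get-ADDomainController -Identity $Target -ErrorAction Stop
if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
    throw "$($dc.HostName) is not responding; not transferring any roles"
}

# Graceful transfer: without -Force the current holder must be online and hand the
# role over. -Force is a seizure and is not what this post describes.
Move-ADDirectoryServerOperationMasterRole -Identity $dc `
    -OperationMasterRole DomainNamingMaster, InfrastructureMaster, RIDMaster, PDCEmulator, SchemaMaster `
    -Confirm:$false

# Verify: every role should now report the target's FQDN.
$left = (Get-FsmoHolders).GetEnumerator() | Where-Object { $_.Value -ne $dc.HostName }
if ($left) {
    Write-Warning "Still not on $($dc.HostName): $(($left | ForEach-Object Key) -join ', ')"
} else {
    "All five roles are now on $($dc.HostName)"
}
```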

Active Directory, Windows Server 2003