Got this message from Ganesh Kumar:

I am tried to edit the Default Domain Policy in the group policy management console.

When I tried to change the logon Success/Failure event, it shows the error message states that “Access Denied Failed to Save”. The Screen Shot is attached to you.

I check the details in the Event Viewer. It Shows as Follows


The processing of Group Policy failed. Windows attempted to read the file \\pacrdc1.com\SysVol\pacrdc1.com\Policies\{6650E4B E-18BB-494A-9CE5-4C3F784717BC}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I tried to clear the logs in the event viewer, but it shows the error message as "Event View could not clear the log. The following error occurred: The process cannot access the file because it is being used by another process."

Any help on this would be great. The attached image is the screen shot mentioned.

Hi,

It sounds like you are getting event id: 1058.

If you google search that event you will find many articles about it. I would point you to some, but each one has its own set of circumstances.

You might also want to try eventid.net. They have good solutions sometimes.

Ed

Off hand it is tough to tell but from the screen shot and the error I would make sure that the Distributed File System (DFS) has not been turned off.

You can check this by going into the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Mup

If the key is not there add Dword "DisableDFS” with an entry of 0 to enable it.

The other thing you might want to check is in the sysvol folder and make sure that the everyone group has not been removed from the system file permissions.

This is all I can think of at the moment. You could try running dcpromo and demote AD and then reboot and then premote it again. Backup any DNS or DCHP settings if you set any thus far.

demoting ADS using dcpromo is impossible, because it almost contains around 50 Users and 30 of them having folder redirection option in group policy.

I'm trying to interpret what you mean by demoting ADS using dcpromo is impossible:

Are you saying that demoting ADS using dcpromo is physically impossible? Are you getting an error when trying to demote? If so, what is the error?

or

Are you saying that demoting is not practical because of the 50 users already in place?

You could backup AD by doing a Non-authoritative and then a authoritative backup/restore this way all your user accts are safe. Also Backup your Group policy settigns so nothing gets lost.

In Server 2008 R2 there is a new recycle bin feature that makes sure all your users and OUs will be intact. I have not used it yet but heard it is really cool and worth it.

Coach or Ed may want to take it from here as they are the experts and I am out of ideas. Ed or coach if I am sort of on the right track pls let me know.

Yes, I do believe that you have the right idea if his issue he doesn't want to demote because of the users. If the issue is that the system physically won't let him do a dcpromo demotion and is receiving an error then we need to look into that error.

I'm trying to interpret what you mean by demoting ADS using dcpromo is impossible:

Are you saying that demoting ADS using dcpromo is physically impossible? Are you getting an error when trying to demote? If so, what is the error?

or

Are you saying that demoting is not practical because of the 50 users already in place?

Yes demoting is not practical, because 50 users already placed and reconnecting 170 Vista/XP Clients in server is one of the tedious problem. Because 140 Clients are located in 3 different halls and 40 more systems are located different Heads of Department Rooms which are seperated by 100 to 400 meters All our system in our campus are connected with structured cable network with OFC backbone.

Can I upgrade this Server with Server 2008 R2 RC1.

Till now I am not trying that, because R2 is commercialy released.

If i install Windows Server 2008 r2 (RC1), i have to reconfigure the things once again after the final version of server 2008 R2 released.

Dear Mr. Flipper,

Demoting is not practical, because 50 users already placed and reconnecting 170 Vista/XP Clients in server is one of the tedious problem.

Because 140 Clients are located in 3 different halls and 40 more systems are located different Heads of Department Rooms which are seperated by 100 to 400 meters.

All our system in our campus are connected with structured cable network with OFC backbone.

Did you have any other Specific idea to backup the Active Directory without disturbign Client Systems.

Well again I am not an expert so I would def rely more on Ed or Coach, but if you backup the system state that should backup:

- SYSVOL Folder - I beleive this holds your GP templates and logon scripts.
- Registry
- Startup Files
-COM+ database

You'll still want to do a non-authoritative and authoritative Backup anyhow.

Me personally this is what I would do. Don't do anything on the system that is live. Build another box. Then from the problem machine perform a backup of Active Directory and the system state. Go to the new box and restore the info. If everything looks good then transfer the FSMO roles accordingly.

Again Ed or Coach is best to answer this as they are the true experts and I am a guy who can be dangerous enough but know not to touch certain things. I should be in System Admins but I do mostly deskside work. Ed or Coach are the guys I would take the advice from unless they say I am correct.

Dear All,

Details of the proble posted earlier.

When I am tried to edit the default domain policy, It gives the following error message.

Access Denied.
Failed to save

\\pacrdc1.com\sysvol\pacrdc1.com\Policies\{31B2F34 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Make sure that you have the right permission to this object.

I create new policy and try to edit the computer policy settings, same error replicates. Existing policies are also not alloing the change the settings.

Then I posted this question to Train Signal Mr. Benjamin “Coach” Culbertson and Coach put this issue in train signal forums. Thanks to Coach, Ed,& Eric Munn.

Due to this problem, I formated the Server and reinstalled all the services and roles. It works fine for 20 more days. But after 20 days, the same error replicates.


The same Group Policy error 1058 eveint id is replicated in the server. I didnt understand what is route cause of this problem and where it is started.

I have a doubt, this error occours after the installization DFS in the file server.

The server details are listed below.

Main Server : PACR-DC1-2K9 (dedicated SunFire x2100 Server - Entry Model)
Back Server : PACR-DC2-2K9 (dedicated IBM x226 Server - Entry Model)
File Server : PACR-MEM1-2K9 (desktop system configured as server )

All are Windows Server 2008 Enterprise OS execpt File Server (Windows Server 2008 Standard)

I use the gpresult commmand in different clients and that are attached to you as zip file. Here the default domain policies are empty.

Hope this problem is rectified soon.

Well again I am not an expert so I would def rely more on Ed or Coach, but if you backup the system state that should backup:

- SYSVOL Folder - I beleive this holds your GP templates and logon scripts.
- Registry
- Startup Files
-COM+ database

You'll still want to do a non-authoritative and authoritative Backup anyhow.

Me personally this is what I would do. Don't do anything on the system that is live. Build another box. Then from the problem machine perform a backup of Active Directory and the system state. Go to the new box and restore the info. If everything looks good then transfer the FSMO roles accordingly.

Again Ed or Coach is best to answer this as they are the true experts and I am a guy who can be dangerous enough but know not to touch certain things. I should be in System Admins but I do mostly deskside work. Ed or Coach are the guys I would take the advice from unless they say I am correct.
problem found in the sysvol folder, if i backup sysvol folder, the error is rectified or reoccur.

It sounds like you probably have a DFS issue which is leading to the failure to appropriately replicate and access certain components of AD and Group Policy. I have read through many articles on the Internet and many of them point to the possibility of DNS not being configured properly for the DFS shares.

Also, is your domain/forest set to Windows Server 2008 functional level? If you only have 2008 then you can do that and may get good results. The reason I say this is because it seems that the problem you are having is one that happened very often in Windows Server 2003 and if you are still in a mixed mode then you might be getting hit with the old 2003 problem and would go away once you allow 2008 to use its full functionality.

Sorry I don't have a more specific answer for you, but it is very difficult to troubleshoot issues like this without actually being at the network.

Ed

Thanks Ed. I already set my domain forest to Windows 2008 Functional Level. And I will try to identify the problem with the dns and reconfigure it as per the instruction given in Training Video Windows Server 2008 Active Directory (70-640) Video3 (The First Two Domain Controller). This Video is already Configured as per the instruction given.

Mr. Ed,


I have trouble shooted with Microsoft Technical Assistance to solve above said issue.

After 3 1/2 hours they found that the problem is with McAfee 8.7i

All the Services of McAfee were disabled and stopped and reboot the server. It is working fine. When i enable and start the service, it wont works.

Then I contacted McAfee Support Team, and we trouble shooted the problem in McAfee 8.7i, They tried lots of Exclusion in ePO server and in Work Station and it won't work.

Finally we uninstall McAfee 8.7i and install McAfee 8.5i with patch 8.

Now it is prefectly working without any exclusion.

And a big headache problem is rectified and all are working fine.

Thanks to Ed, Coach & Eric for giving the wonderful oppertunity to share this problem in Trainsignal Forums.

Thanks a lot. Bye.:)

McAfee 8.7i patch 1 resolved this issue.