Windows cannot query for the list of Group Policy objects.

paintb4707 Member Posts: 420
Event 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event 1058
Windows cannot access the file gpt.ini for GPO cn={9E447732-A6FA-461A-971F-C293B61D1EE2},cn=policies,cn=system,DC=domain,DC=domain,DC=com. The file must be present at the location <\\domain.domain.com\SysVol\domain.domain.com\Policies\{9E447732-A6FA-461A-971F-C293B61D1EE2}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

Both are being logged every 5 minutes or so. I have two domain controllers, one being an Exchange 2003 server and the other a standard server with DNS/DHCP. Only being logged on the standard server however. Ironically this is a new DC in the environment, it's only several weeks old but had no problems prior. This started happening about 2 days ago, I'm almost positive it was after I teamed up the Broadcom NICs for offloading but could this really be the probable cause?

I'd prefer not to change any NIC drivers yet as these Broadcom adapters tend to be very picky. I found that if I used the drivers included on the TCP/IP offload CD from Dell, the virtual adapter was able to ping out but could not be connected to. Instead I used the drivers that came on the Dell driver CD and it seems to work fine.

Anyways I have confirmed that the gpt.ini file is there with proper permissions so that it can be modified by domain controllers. Also ensured that the SYSVOL folder is being excluded from SAV scans and the DFS service is running.

I've searched all over and each seem to be unique situations in their own so any help would be appreciated.

Thanks

Comments

  • blargoe Member Posts: 4,174
    I think you sort of know what caused this - probably the last thing that changed on the server, the nic teaming. I don't know that much about the NIC teaming. Only thing I can think of offhand - the IP address of the teamed adapter, is it the same as what you were using before as the IP address?

    Is DNS still running? Does the teamed adapter have DNS addresses set up?

    What do you see in the Active Directory event logs?

    You need to run some diagnostics on the server that is having these failures. Look into dcdiag and netdiag.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • paintb4707 Member Posts: 420
    blargoe wrote:
    I think you sort of know what caused this - probably the last thing that changed on the server, the nic teaming. I don't know that much about the NIC teaming. Only thing I can think of offhand - the IP address of the teamed adapter, is it the same as what you were using before as the IP address?

    Is DNS still running? Does the teamed adapter have DNS addresses set up?

    What do you see in the Active Directory event logs?

    You need to run some diagnostics on the server that is having these failures. Look into dcdiag and netdiag.

    DNS still running and pointing to localhost as a DNS server should. Everything works fine really, it's just that this is flooding the event viewer and I'd like to stop it. Nothing wrong with GPOs either, they're applying fine as they always have been.

    Nothing unusual in the Directory logs, at least nothing different from before this started happening.

    I saw this from eventid.net which led me to my assumption:
    Anonymous (Last update 2/19/2006):
    We started to receive this error in the event logs of a new DC for a new domain after rebooting. The server in question has a dual port ethernet card, Intel 1000MT. We created a "Team", two ethernet ports functioning as one, using the Intel PROSet software and Intel drivers. We were also getting the Userenv 1058 error in our event logs. We found that the Intel drivers being used were from the year 2004. We went to the server manufacturer web site looking for updated drivers, but found that the drivers on the website were the same as the ones we had loaded on the server. Went to the Intel web site and downloaded the most recent drivers for the 1000MT. After installing the updated drivers and rebooting, the errors in the event log have ceased to occur.

    But I'd just like to be sure that there aren't any other causes for this before I start screwing with these finicky adapters.
  • hypnotoad Banned Posts: 915
    I get this sometimes, and it apparently relates to DNS but the symptoms are difficult to pinpoint. Sometimes when it is happening, systems take a long time to log on to the domain. I also get messages about a DC not being found for kerberos, and sometimes file shares take a long time to open up.

    For several months I have been rebooting both DCs when the problems come up and the error goes away for a few weeks or months.

    I'm also using Broadcom cards with TCP/IP Offloading. I wonder if that has something to do with it.

    If you reboot your DCs, does it go away for a while?
  • cisco_trooper Member Posts: 1,441
    Make sure your permissions are correct on your GPO Objects inside this folder. Break out the GPO Administration Tool and check them that way if you prefer the user friendly names.

    \\domain.domain.com\SysVol\domain.domain.com\Policies\

    I had this issue a while back and I don't remember what the hell it was, but the permissions on all the GPOs got FUBAR and had to be manually reset on every one of them. That error is sticking out as awful familiar so I bet that is the same one I had.
  • paintb4707 Member Posts: 420
    Make sure your permissions are correct on your GPO Objects inside this folder. Break out the GPO Administration Tool and check them that way if you prefer the user friendly names.

    \\domain.domain.com\SysVol\domain.domain.com\Policies\

    I had this issue a while back and I don't remember what the hell it was, but the permissions on all the GPOs got FUBAR and had to be manually reset on every one of them. That error is sticking out as awful familiar so I bet that is the same one I had.

    Permissions seem fine and Enterprise Domain Controllers have full control as they should.
    nl wrote:
    I get this sometimes, and it apparently relates to DNS but the symptoms are difficult to pinpoint. Sometimes when it is happening, systems take a long time to log on to the domain. I also get messages about a DC not being found for kerberos, and sometimes file shares take a long time to open up.

    For several months I have been rebooting both DCs when the problems come up and the error goes away for a few weeks or months.

    I'm also using Broadcom cards with TCP/IP Offloading. I wonder if that has something to do with it.

    If you reboot your DCs, does it go away for a while?
    I haven't had the chance to reboot yet but I'll let you know.
  • cisco_trooper Member Posts: 1,441
    Are these errors in the event logs of the domain controller, or the end workstation?
  • helms20 Member Posts: 60
    I remember having the same problem, but do not have teamed NICs. What happened on our network is we replaced one of the domain controllers, because it was freezing. The problem was that when I inherited the network the domain controllers were not set up correctly and they were not synchronizing back and forth. After running netdiag and dcdiag to diagnose the problem I found that there was a setting that was incorrect. Sorry I don't remember the exact thing that it was but I would start with that and see if it gives you an idea as to what is going on.
    "Our arrows will blot out the sun."
    "Then we will fight in the shade."
  • paintb4707 Member Posts: 420
    Are these errors in the event logs of the domain controller, or the end workstation?

    The Standard 2k3 Server DC. Funny thing is it's not being logged on our Exchange server which is also a DC. So it's something specific to this new machine.
  • cisco_trooper Member Posts: 1,441
    paintb4707 wrote:
    Are these errors in the event logs of the domain controller, or the end workstation?

    The Standard 2k3 Server DC. Funny thing is it's not being logged on our Exchange server which is also a DC. So it's something specific to this new machine.


    make sure the ntfrs service is running.....

    on that local machine see if there is anything even in the policies folder. do not browse to it via the domain name. compare the policies folder on both your DCs looking for discrepancies in the contents.
  • paintb4707 Member Posts: 420
    paintb4707 wrote:
    Are these errors in the event logs of the domain controller, or the end workstation?

    The Standard 2k3 Server DC. Funny thing is it's not being logged on our Exchange server which is also a DC. So it's something specific to this new machine.


    make sure the ntfrs service is running.....

    on that local machine see if there is anything even in the policies folder. do not browse to it via the domain name. compare the policies folder on both your DCs looking for discrepancies in the contents.

    It's running. Permissions seem fine on the local machine and contents are the same.
  • cisco_trooper Member Posts: 1,441
    DFS Client Service running?
  • paintb4707 Member Posts: 420
    DFS Client Service running?

    Yes
  • cisco_trooper Member Posts: 1,441
    I'm officially stumped. I've had this problem in the past. I wish I could remember what it ended up being. I'd swear it was one of the services or permissions...

    File Replication Service must run to keep the policies synchronized between the DCs
    dfs client must run to access the sysvol share (it is sort of a distributed file system)
    permissions must be set correctly on SYSVOL share, Policies folder, and individual GPOs.

    Past that I'd have to do more research than I care to since I don't touch MS stuff anymore....
  • Ahriakin Member Posts: 1,799
    Check that the Sysvol folder is correct on your problematic DC, and is Netlogon shared correctly? If the Netlogon share is not set up FRS will fail, which will stop the server operating as a DC and replicating. The simplest check is to go to \\(servername)\netlogon. Get hold of GPOTool (I think it's part of the resource kit tools) and use it to check the consistency of all policies across your DCs (it takes a while to run if you have remote DCs but it will tell you if the version number for each policy is current or not).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • cisco_trooper Member Posts: 1,441
    Ahriakin wrote:
    Check that the Sysvol folder is correct on your problematic DC, and is Netlogon shared correctly? If the Netlogon share is not set up FRS will fail, which will stop the server operating as a DC and replicating. The simplest check is to go to \\(servername)\netlogon. Get hold of GPOTool (I think it's part of the resource kit tools) and use it to check the consistency of all policies across your DCs (it takes a while to run if you have remote DCs but it will tell you if the version number for each policy is current or not).


    Ahhh. Don't forget to check the NETLOGON service.... :)
  • blargoe Member Posts: 4,174
    Did you run DCDIAG?
  • paintb4707 Member Posts: 420
    blargoe wrote:
    Did you run DCDIAG?

    Just did it now. Seems like it really is a permissions issue but I just can't see it. I've compared permissions side by side and they seem identical. There's an orphaned DC in there but I don't think that has anything to do with it considering this only started 2 days ago.
    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site\NVDC
    Starting test: Connectivity
    ......................... NVDC passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site\NVDC
    Starting test: Replications
    REPLICATION-RECEIVED LATENCY WARNING
    NVDC: Current time is 2008-02-26 14:24:49.
    CN=Schema,CN=Configuration,DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 16:48:12.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    CN=Configuration,DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 17:05:43.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 17:01:52.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    ......................... NVDC passed test Replications
    Starting test: NCSecDesc
    ......................... NVDC passed test NCSecDesc
    Starting test: NetLogons
    ......................... NVDC passed test NetLogons
    Starting test: Advertising
    ......................... NVDC passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... NVDC passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... NVDC passed test RidManager
    Starting test: MachineAccount
    ......................... NVDC passed test MachineAccount
    Starting test: Services
    ......................... NVDC passed test Services
    Starting test: ObjectsReplicated
    ......................... NVDC passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... NVDC passed test frssysvol
    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... NVDC failed test frsevent
    Starting test: kccevent
    ......................... NVDC passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/26/2008 14:18:09
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/26/2008 14:18:09
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/26/2008 14:18:09
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/26/2008 14:18:10
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/26/2008 14:18:10
    (Event String could not be retrieved)
    ......................... NVDC failed test systemlog
    Starting test: VerifyReferences
    ......................... NVDC passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : Nature
    Starting test: CrossRefValidation
    ......................... Nature passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Nature passed test CheckSDRefDom

    Running enterprise tests on : Nature.Naturesvalue.com
    Starting test: Intersite
    ......................... Nature.Naturesvalue.com passed test Intersite

    Starting test: FsmoCheck
    ......................... Nature.Naturesvalue.com passed test FsmoCheck
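
A dcdiag report like the one above is easier to triage when reduced to its failed tests, stale replication partners and repeated event IDs. The following is an added example, not part of any participant's post; the sample text is constructed in the same layout, and `DC01`, `OLDDC` and `example.com` are placeholder names.

```python
import re
from datetime import datetime

# Constructed sample in the dcdiag layout shown in the post (placeholder names).
SAMPLE = """\
Testing server: Default-First-Site\\DC01
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
DC01: Current time is 2008-02-26 14:24:49.
CN=Configuration,DC=example,DC=com
Last replication recieved from OLDDC at 2006-07-07 17:05:43.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=example,DC=com
Last replication recieved from OLDDC at 2006-07-07 17:01:52.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... DC01 passed test Replications
Starting test: frssysvol
......................... DC01 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC01 failed test frsevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 02/26/2008 14:18:09
......................... DC01 failed test systemlog
"""

FMT = "%Y-%m-%d %H:%M:%S"
STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
RESULT = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)\s*$")
NOW = re.compile(r"Current time is " + STAMP)
# dcdiag prints "recieved"; \w+ accepts that spelling and the correct one.
LAST = re.compile(r"Last replication rec\w+ from (\S+) at " + STAMP)
EVENT = re.compile(r"EventID: (0x[0-9A-Fa-f]+)")


def triage(text):
    """Return failed tests, stale replication partners and event ID counts."""
    failed, stale, events = [], [], {}
    now = context = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESULT.match(line):
            if m.group(2) == "failed":
                failed.append((m.group(1), m.group(3)))
        elif m := NOW.search(line):
            now = datetime.strptime(m.group(1), FMT)
        elif line.startswith(("CN=", "DC=")):
            # Naming context that the next "Last replication" line refers to.
            context = line
        elif m := LAST.search(line):
            when = datetime.strptime(m.group(2), FMT)
            age = (now - when).days if now else None
            stale.append({"partner": m.group(1), "context": context,
                          "age_days": age})
        elif m := EVENT.search(line):
            events[m.group(1)] = events.get(m.group(1), 0) + 1
    return {"failed": failed, "stale": stale, "events": events}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for server, test in report["failed"]:
        print(f"FAILED  {server}: {test}")
    for item in report["stale"]:
        print(f"STALE   {item['partner']} {item['context']} "
              f"({item['age_days']} days)")
    for event_id, count in report["events"].items():
        print(f"EVENT   {event_id} x{count}")
```
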
  • cisco_trooper Member Posts: 1,441
    I think you can use ntdsutil to blow that tombstoned DC away....

    Won't fix your problem but at least you get to KILL something, as I'm sure you want to right about now.... :)
  • cisco_trooper Member Posts: 1,441
    Just rambling here, but try assigning "everyone" permissions to the root of the drive that contains NTDS. See if the problem then goes away. If so you will have to really start digging into the permissions. I know it's not apparent, but I'm pretty convinced that permissions are the problem here....
  • paintb4707 Member Posts: 420
    Here are the results from gpotool.
    Domain: Nature.Naturesvalue.com
    Validating DCs...
    Available DCs:
    exchange.Nature.Naturesvalue.com
    nvdc.Nature.Naturesvalue.com
    Searching for policies...
    Found 6 policies
    ============================================================
    Policy {2FC04055-BEEB-4E64-90AB-4F40923D99A0}
    Friendly name: Microbiology
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: Microbiology
    Created: 12/5/2007 10:38:46 PM
    Changed: 2/25/2008 5:33:29 PM
    DS version: 0(user) 12(machine)
    Sysvol version: 0(user) 12(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A
    7CC-0000F87571E3}]
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: Microbiology
    Created: 12/5/2007 10:38:46 PM
    Changed: 2/25/2008 5:33:13 PM
    DS version: 0(user) 12(machine)
    Sysvol version: 0(user) 12(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A
    7CC-0000F87571E3}]
    Functionality version: 2
    ============================================================
    Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
    Friendly name: Default Domain Policy
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: Default Domain Policy
    Created: 4/7/2000 5:49:19 PM
    Changed: 2/25/2008 7:37:56 PM
    DS version: 1(user) 23(machine)
    Sysvol version: 1(user) 23(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D
    -00C04FA372D4}]
    Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A
    28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D
    0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-
    00C04FB94F17}]
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: Default Domain Policy
    Created: 4/7/2000 5:49:19 PM
    Changed: 2/25/2008 7:37:41 PM
    DS version: 1(user) 23(machine)
    Sysvol version: 1(user) 23(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D
    -00C04FA372D4}]
    Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A
    28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D
    0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-
    00C04FB94F17}]
    Functionality version: 2
    ============================================================
    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Friendly name: Default Domain Controllers Policy
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: Default Domain Controllers Policy
    Created: 4/7/2000 5:49:22 PM
    Changed: 12/13/2007 8:11:14 PM
    DS version: 0(user) 12(machine)
    Sysvol version: 0(user) 12(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
    0D0-00A0C90F574B}]
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: Default Domain Controllers Policy
    Created: 4/7/2000 5:49:22 PM
    Changed: 2/9/2008 9:12:26 PM
    DS version: 0(user) 12(machine)
    Sysvol version: 0(user) 12(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
    0D0-00A0C90F574B}]
    Functionality version: 2
    ============================================================
    Policy {9E447732-A6FA-461A-971F-C293B61D1EE2}
    Friendly name: NV Policy
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: NV Policy
    Created: 11/26/2007 4:26:09 PM
    Changed: 2/25/2008 5:33:08 PM
    DS version: 22(user) 1(machine)
    Sysvol version: 22(user) 1(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC
    -0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-D7DE-11D2-BBDE-0
    0C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
    Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
    0D0-00A0C90F574B}]
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: NV Policy
    Created: 11/26/2007 4:26:09 PM
    Changed: 2/25/2008 5:33:06 PM
    DS version: 22(user) 1(machine)
    Sysvol version: 22(user) 1(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC
    -0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{A2E30F80-D7DE-11D2-BBDE-0
    0C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
    Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
    0D0-00A0C90F574B}]
    Functionality version: 2
    ============================================================
    Policy {A7E29865-106D-4D0B-A1C4-A11374AA7BCB}
    Friendly name: Folder Redirection
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: Folder Redirection
    Created: 6/17/2006 2:49:40 PM
    Changed: 7/8/2006 3:23:55 PM
    DS version: 2(user) 0(machine)
    Sysvol version: 2(user) 0(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A
    -00C04FB9603F}]
    Machine extensions: not found
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: Folder Redirection
    Created: 6/17/2006 2:49:40 PM
    Changed: 2/9/2008 9:13:32 PM
    DS version: 2(user) 0(machine)
    Sysvol version: 2(user) 0(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A
    -00C04FB9603F}]
    Machine extensions: not found
    Functionality version: 2
    ============================================================
    Policy {A8CBF702-51DC-48A8-AD2B-29AFD06DB95B}
    Friendly name: Response Update
    Policy OK
    Details:
    DC: exchange.Nature.Naturesvalue.com
    Friendly name: Response Update
    Created: 2/24/2008 8:58:59 PM
    Changed: 2/25/2008 5:33:08 PM
    DS version: 2(user) 3(machine)
    Sysvol version: 2(user) 3(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC
    -0000F87571E3}]
    Machine extensions:
    Functionality version: 2

    DC: nvdc.Nature.Naturesvalue.com
    Friendly name: Response Update
    Created: 2/24/2008 8:58:59 PM
    Changed: 2/25/2008 5:33:01 PM
    DS version: 2(user) 3(machine)
    Sysvol version: 2(user) 3(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC
    -0000F87571E3}]
    Machine extensions:
    Functionality version: 2
    ============================================================

    Policies OK

    C:\Program Files\Windows Resource Kits\Tools>
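
The version comparison that gpotool output supports (DS version against Sysvol version on each DC, and the same policy across DCs) can be automated over a saved report. The following is an added example, not part of any participant's post; the sample is constructed in the same layout, and the policy GUIDs, names and `example.com` hosts are placeholders.

```python
import re

# Constructed sample in the gpotool layout shown in the post (placeholder values).
SAMPLE = """\
Policy {11111111-1111-1111-1111-111111111111}
Friendly name: Example Policy A
Policy OK
Details:
DC: dc1.example.com
Friendly name: Example Policy A
DS version: 22(user) 1(machine)
Sysvol version: 22(user) 1(machine)

DC: dc2.example.com
Friendly name: Example Policy A
DS version: 22(user) 1(machine)
Sysvol version: 21(user) 1(machine)
============================================================
Policy {22222222-2222-2222-2222-222222222222}
Friendly name: Example Policy B
Policy OK
Details:
DC: dc1.example.com
Friendly name: Example Policy B
DS version: 0(user) 12(machine)
Sysvol version: 0(user) 12(machine)

DC: dc2.example.com
Friendly name: Example Policy B
DS version: 0(user) 12(machine)
Sysvol version: 0(user) 12(machine)
============================================================
"""

POLICY = re.compile(r"^Policy (\{[0-9A-Fa-f-]{36}\})$")
NAME = re.compile(r"^Friendly name: (.+)$")
DC = re.compile(r"^DC: (\S+)$")
VERSION = re.compile(r"^(DS|Sysvol) version: (\d+)\(user\) (\d+)\(machine\)$")


def parse_gpotool(text):
    """Map policy GUID -> {"name": str, "dcs": {host: {"DS": (u, m), "Sysvol": (u, m)}}}."""
    policies = {}
    guid = dc = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY.match(line):
            guid, dc = m.group(1), None
            policies[guid] = {"name": None, "dcs": {}}
        elif guid is None:
            continue  # header lines before the first policy
        elif m := NAME.match(line):
            policies[guid]["name"] = m.group(1)
        elif m := DC.match(line):
            dc = m.group(1)
            policies[guid]["dcs"][dc] = {}
        elif (m := VERSION.match(line)) and dc:
            policies[guid]["dcs"][dc][m.group(1)] = (int(m.group(2)),
                                                     int(m.group(3)))
    return policies


def find_drift(policies):
    """List (guid, dc, reason) where versions disagree on a DC or between DCs."""
    findings = []
    for guid, pol in policies.items():
        for dc, versions in pol["dcs"].items():
            if versions.get("DS") != versions.get("Sysvol"):
                findings.append((guid, dc, "DS and Sysvol versions differ"))
        distinct = {tuple(sorted(v.items())) for v in pol["dcs"].values()}
        if len(distinct) > 1:
            findings.append((guid, "*", "versions differ between DCs"))
    return findings


if __name__ == "__main__":
    parsed = parse_gpotool(SAMPLE)
    for guid, dc, reason in find_drift(parsed):
        print(f"{parsed[guid]['name']} {guid} on {dc}: {reason}")
```
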
  • paintb4707 Member Posts: 420
    Welp, I changed the filtering on the gpo in question from authenticated users to domain users. Now the 1058 errors have changed and are concerned with 31B, the Default Domain Policy. I noticed that the Default is being applied to authenticated users as well. I'll change that too and see what happens. Not sure if this is at all relevant but I thought it was kind of strange.

    edit:

    Now it has moved on to the Default Domain Controller policy.
  • paintb4707 Member Posts: 420
    I did a dcdiag on our Exchange server and it seems to have the same problem with SYSVOL and also some additional things which are pretty interesting. However the 1030 and 1058 errors are not being logged on it.
    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site\EXCHANGE
    Starting test: Connectivity
    ......................... EXCHANGE passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site\EXCHANGE
    Starting test: Replications
    [Replications Check,EXCHANGE] A recent replication attempt failed:
    From NTSERVER to EXCHANGE
    Naming Context: CN=Schema,CN=Configuration,DC=Nature,DC=Naturesvalue
    ,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup failu
    re.
    The failure occurred at 2008-02-27 11:50:52.
    The last success occurred at 2006-07-07 16:48:12.
    14420 failures have occurred since the last success.
    The guid-based DNS name 35dedcd1-0326-454f-9bff-1dfce640e741._msdcs.
    Nature.Naturesvalue.com
    is not registered on one or more DNS servers.
    [NTSERVER] DsBindWithSpnEx() failed with error 1722,
    The RPC server is unavailable..
    [Replications Check,EXCHANGE] A recent replication attempt failed:
    From NTSERVER to EXCHANGE
    Naming Context: CN=Configuration,DC=Nature,DC=Naturesvalue,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup failu
    re.
    The failure occurred at 2008-02-27 11:50:50.
    The last success occurred at 2006-07-07 17:05:43.
    14421 failures have occurred since the last success.
    The guid-based DNS name 35dedcd1-0326-454f-9bff-1dfce640e741._msdcs.
    Nature.Naturesvalue.com
    is not registered on one or more DNS servers.
    [Replications Check,EXCHANGE] A recent replication attempt failed:
    From NTSERVER to EXCHANGE
    Naming Context: DC=Nature,DC=Naturesvalue,DC=com
    The replication generated an error (8524):
    The DSA operation is unable to proceed because of a DNS lookup failu
    re.
    The failure occurred at 2008-02-27 11:50:47.
    The last success occurred at 2006-07-07 17:01:52.
    14421 failures have occurred since the last success.
    The guid-based DNS name 35dedcd1-0326-454f-9bff-1dfce640e741._msdcs.
    Nature.Naturesvalue.com
    is not registered on one or more DNS servers.
    REPLICATION-RECEIVED LATENCY WARNING
    EXCHANGE: Current time is 2008-02-27 12:18:51.
    CN=Schema,CN=Configuration,DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 16:48:12.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    CN=Configuration,DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 17:05:43.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    DC=Nature,DC=Naturesvalue,DC=com
    Last replication recieved from NTSERVER at 2006-07-07 17:01:52.
    WARNING: This latency is over the Tombstone Lifetime of 60 days!

    ......................... EXCHANGE passed test Replications
    Starting test: NCSecDesc
    ......................... EXCHANGE passed test NCSecDesc
    Starting test: NetLogons
    ......................... EXCHANGE passed test NetLogons
    Starting test: Advertising
    ......................... EXCHANGE passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... EXCHANGE passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... EXCHANGE passed test RidManager
    Starting test: MachineAccount
    ......................... EXCHANGE passed test MachineAccount
    Starting test: Services
    ......................... EXCHANGE passed test Services
    Starting test: ObjectsReplicated
    ......................... EXCHANGE passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... EXCHANGE passed test frssysvol
    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... EXCHANGE failed test frsevent
    Starting test: kccevent
    ......................... EXCHANGE passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0x40000004
    Time Generated: 02/27/2008 12:06:53
    Event String: The kerberos client received a
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/27/2008 12:14:39
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/27/2008 12:15:01
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000457
    Time Generated: 02/27/2008 12:15:02
    (Event String could not be retrieved)
    ......................... EXCHANGE failed test systemlog
    Starting test: VerifyReferences
    ......................... EXCHANGE passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : Nature
    Starting test: CrossRefValidation
    ......................... Nature passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Nature passed test CheckSDRefDom

    Running enterprise tests on : Nature.Naturesvalue.com
    Starting test: Intersite
    ......................... Nature.Naturesvalue.com passed test Intersite

    Starting test: FsmoCheck
    ......................... Nature.Naturesvalue.com passed test FsmoCheck


    C:\Program Files\Support Tools>
  • blargoe Member Posts: 4,174
    Could you tell us more about your DNS configuration? Are both servers running DNS Servers, is it AD integrated, what IP address is the Exchange server's network adapter configured to use for DNS?
  • paintb4707 Member Posts: 420
    blargoe wrote:
    Could you tell us more about your DNS configuration? Are both servers running DNS Servers, is it AD integrated, what IP address is the Exchange server's network adapter configured to use for DNS?

    Both the Exchange server and Standard server are DNS servers. HOWEVER, I disabled the DNS Server service on the Exchange server since I no longer want it to handle it. It's still there merely for redundancy in case I ever need to take down the other DC. There's really no reason to leave DNS enabled on the Exchange server since I will be doing a swing migration to a new box anyways, so that our Exchange won't be a DC at all.

    The Exchange server is set to use the Standard server for DNS. DNS is AD integrated as well.

    Also note that I wiped out that old NTSERVER today with ntdsutil but it didn't have an impact on these errors being logged.

    edit: Finally got around to updating the NIC drivers and rebooting. Still no fix.
  • paintb4707 Member Posts: 420
    Welp, it looks like I got the issue resolved. I removed the team and uninstalled the drivers/Broadcom control suite and the errors haven't been logged since yesterday. Guess I'll never team up Broadcom adapters on a DC ever again.
  • blargoe Member Posts: 4,174
    Glad you got it resolved.

    I have heard so much bad stuff about teaming broadcoms that I'll never attempt it myself. If you really need to do teaming, buy an Intel dual port card.