Error accessing GPO

Thread: Error accessing GPO

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    19

    Error accessing GPO

    Access Denied to policy editor
    I have Windows 2003 ENT. server installed with AD running on it.
    When I try to open the "Domain Controller Security policy" link or the "Domain Security policy" link, from Administrative Tools or even from the system32 folder, I get the error "Failed to open the Group Policy Object. You may not have appropriate rights." And under details: "The network path was not found"

    Here is the screenshot of the error



    I even tried a step stated on Microsoft's website
    http://support.microsoft.com/?id=294257

    After this step this is the error that's coming


    But no resolution.

    What should be done ?

  2. #2
    First off, there is a bug in all versions of Windows Server 2003 SP1 (except Web Edition) that doesn't allow you to complete the domain controller promotion process. Check your event log and see if you are getting this message:

    "MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
    will continue to function and will use the existing security settings."
    The solution to the problem is in the second post here:
    CLICK HERE


    Make sure the primary network adapter is using the IP address of the server as its primary DNS server, i.e. you set a static IP address for the server and the primary DNS of that server is also its IP address. The author seemed to have a similar problem to yours. If the MSDTC fix doesn't work, then demote the server and repromote it using dcpromo.

    For future reference, you should install the DNS server service before running DC promo. No configuration of DNS is needed, it just needs to be there and running. DCpromo will fill in what it needs. Then, on the LAN network adapter (if you have two), you need to use the IP address of the server as the primary DNS server in the TCP-IP properties of the network adapter. You can also use localhost: 127.0.0.1, but I recommend the actual IP address.

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    19
    Some problem occurred with the machine, so I just reinstalled the OS and everything else.
    Now these things are running on the machine:
    Windows 2003 ENT Ed.
    ADS, DNS server, DHCP Server, RIS, File Server, & ISA 2004

    After reinstallation and installing AD, DNS & DHCP I was able to edit the policies.
    But just after installing ISA I did not check for it.
    Now I am getting the same error, "network path not found".

    This is the first error entry in the Logs regarding this :

    Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=TestLab,DC=local. The file must be present at the location <\\TestLab.local\sysvol\TestLab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.

    I am manually trying to access the sysvol folder directly from the drive and it is accessible, but if I try to access it as a share, by first going to \\TestLab.Local, where it shows sysvol as a shared folder, clicking on it gives the error:
    "\\TestLab.Local\SYSVOL is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions."

    What could be the problem with accessing the share?
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.

  4. #4
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206

    This looks like quite a common problem. I know XP machines get affected,
    and it is normally a problem when clients require SMB signing and SP1; the link to it is here:

    http://support.microsoft.com/default...b;EN-US;810907

    As for 2003 server try this:

    http://www.jsiinc.com/SUBL/tip5800/rh5874.htm
    http://support.microsoft.com/?kbid=314494
    http://www-level3.experts-exchange.c..._20738632.html
    and this
    http://64.233.187.104/search?q=cache...ient=firefox-a

    Good luck with that
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  5. #5
    Junior Member
    Join Date
    Nov 2005
    Posts
    19
    I have tried the above links also, but none of the resolutions given is working for me.
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.

  6. #6
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    Can you verify that netlogon service is running?
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
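
The checks suggested in the replies above (DNS on the adapter, SMB signing, Netlogon), together with the share access test from post #3, can be collected in one read-only pass. This is an added example, not part of any post in the thread; it assumes PowerShell 2.0 or later is installed on the domain controller and takes the domain name and GPO GUID from the log entry quoted in post #3.

```powershell
# Added diagnostic sketch (read-only). Run on the domain controller itself.
# $Domain and $GpoGuid come from the log entry quoted in post #3.
$Domain  = 'TestLab.local'
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$results = @()
function Add-Check($name, $ok, $detail) {
    $script:results += New-Object PSObject -Property @{ Check = $name; OK = $ok; Detail = $detail }
}

# Post #6: is the Netlogon service running?
$svc = Get-Service -Name Netlogon
Add-Check 'Netlogon service' ($svc.Status -eq 'Running') $svc.Status

# Post #2: the LAN adapter's primary DNS server should be the server's own address.
$nics  = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$ownIp = @($nics | ForEach-Object { $_.IPAddress }) + '127.0.0.1'
foreach ($nic in $nics) {
    $primary = @($nic.DNSServerSearchOrder)[0]
    Add-Check "Primary DNS on '$($nic.Description)'" ($ownIp -contains $primary) $primary
}

# The GPO path is addressed by domain name, so that name must resolve to this server.
try   { $addrs = @([System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }) }
catch { $addrs = @() }
$hit = @($addrs | Where-Object { $ownIp -contains $_ }).Count -gt 0
Add-Check "DNS lookup of $Domain" $hit ($addrs -join ', ')

# Are the SYSVOL and NETLOGON shares defined, and which folders do they point to?
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $s = Get-WmiObject Win32_Share -Filter "Name = '$share'"
    Add-Check "Share $share defined" ($s -ne $null) $(if ($s) { $s.Path })
}

# Post #3: compare reaching gpt.ini by domain name and by computer name.
foreach ($hostName in $Domain, $env:COMPUTERNAME) {
    $path = "\\$hostName\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"
    Add-Check "gpt.ini via \\$hostName" (Test-Path -LiteralPath $path) $path
}

# Post #4: SMB signing values for the server and workstation services (reported, not judged).
foreach ($side in 'LanmanServer', 'LanmanWorkstation') {
    $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters"
    Add-Check "$side signing" 'info' ("Require={0} Enable={1}" -f $p.RequireSecuritySignature, $p.EnableSecuritySignature)
}

$results | Format-Table Check, OK, Detail -AutoSize
```

If gpt.ini is reachable by computer name but not by domain name, the problem lies in name resolution or in which interface the domain name maps to, not in the share or NTFS permissions.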

  7. #7
    Hi MrPacket,

    Do you have 2 network cards or more in this server? If not, then get rid of ISA 2004.

    ISA 2004 is not recommended on a Domain Controller, and it definitely will not work on a Domain Controller with only 1 network card unless you get creative. The only time ISA 2004 runs well on a Domain Controller with 2 network cards is in Windows Small Business Server 2003 SP1, which is a package of software integrated together and designed to run on 1 server.

  8. #8
    Junior Member
    Join Date
    Nov 2005
    Posts
    19
    The NetLogon service is running

    I have 2 LAN cards. And why could this be related to ISA?
    Why will ISA block only a specific folder and not others?
    The SYSVOL folder is under Windows\sysvol\
    And another folder "\WINDOWS\SYSVOL\sysvol\TestLab.local\scripts" which is shared by name of NETLOGON is also not accessible and it is empty also.

    The share permissions for SYSVOL share are:
    Administrators : Full Control
    Anonymous Logon : Read
    Everyone : Read
    Authenticated Users : Full Control

    The Security permissions for SYSVOL folder are:
    Administrators : Full Control
    Authenticated Users : Read, Read & Execute, List Folder Contents
    Creator Owner : None is checked
    Server Operators : Read, Read & Execute, List Folder Contents
    System : Full Control


    I shared another folder which is "\windows\sysvol\staging areas"
    And it is easily accessible.

    I will try removing ISA and seeing if things get to work.
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.

  9. #9
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    OK, you should not really have issues with ISA running on a DC. I have checked with Microsoft and it's quite a common scenario. I found this that might help you with that install:

    http://www.microsoft.com/technet/pro..._on_a_Domain_C

    To install the Configuration Storage server, or both the Configuration Storage server and ISA Server services on a domain controller, follow these steps:

    Important: If you install the Configuration Storage server and ISA Server services simultaneously, the setup process will restart the Routing and Remote Access service. If your initial VPN connection was established using Routing and Remote Access, this will prevent completion of the Configuration Storage server installation. For this reason, we recommend that you first install the Configuration Storage server as described in this procedure, and then install ISA Server services as described in Modifying an ISA Server Installation.

    1. On the target computer, log on to the domain as an enterprise administrator.

    2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

    3. In Microsoft ISA Server Setup, click Install ISA Server.

    4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

    5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

    6. Type your customer details, and then click Next.

    7. On the Setup Scenarios page, do one of the following:

       • If you want to install ISA Server services and the Configuration Storage server, select Install both ISA Server services and Configuration Storage server, and then click Next.

       • If you want to install only the Configuration Storage server, select Install Configuration Storage Server, and then click Next.

    8. On the Component Selection page, you can review the settings, and then click Next.

    9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Do one of the following:

       1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.

       2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.

    10. If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

    11. On the Enterprise Deployment Environment page, you have the option of installing a digital certificate to enable encrypted communication between the Configuration Storage server and the ISA Server firewall computers. All communication between firewall computers and Configuration Storage servers in a single domain is encrypted. We recommend that you use this option when your ISA Server firewall computers are not in the same domain as your Configuration Storage server, or if the firewall computers are in a workgroup. Click Next.

    12. If you are installing ISA Server services, the next page will be the Internal Network page. Specify the IP address range that will constitute the Internal network for this array. Select Add, and then click Add Adapter to define the Internal network with the IP addresses associated with the internal network adapter. Click Next.

    13. If you are installing ISA Server services, the next page will be the Firewall Client Connection Settings page. On this page you can select which Firewall clients will be allowed to connect. Click Next.

    14. If you are installing ISA Server services, the next page will be the Services Warning page. Read the warning, and then click Next.

    15. Because you are installing on a domain controller, you will see the Configuration Storage Server Service Account page. Provide the credentials of the user who is not a domain administrator.

    16. On the Ready to Install the Program page, click Install to begin the installation.

    17. After the installation is complete, select Invoke ISA Server Management when the wizard closes, and then click Finish.

    18. You will be prompted to restart the computer. Click Yes to restart the computer.

    19. After installation, log on to the Configuration Storage server as a domain administrator.

    20. Open a command prompt, click Start, click Run, and type cmd.

    21. In the Program Files\Microsoft ISA Server\ADAMData folder, locate the dnsdomain.bat file. dnsdomain is the DNS domain name of the computer on which ADAM is running.

    22. Type dnsdomain to run the file.

    23. Note: The dnsdomain.bat file appears in the directory approximately one minute after ADAM installation is complete.

    I hope this will give you some ideas.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  10. #10
    Junior Member
    Join Date
    Nov 2005
    Posts
    19
    The ISA firewall and Configuration Storage server are both installed on the same machine.

    And for the Configuration Storage server I provided the credentials of the Domain administrator. I had not seen this document earlier.
    Could this cause some issue?

    And I am not able to find the DnsDomain.bat file. It is not in the adamdata directory.
    I also searched the whole drive for it, but it was not found.
    You can close your eyes to what you do not want to see,
    But you cannot close your heart to what you do not want to feel.
