| Author |
 Topic  |
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
 Posted - 10/15/2005 : 09:00:43 AM
|
Hi all --
I believe I've already ranted a bit about the x64 version of Server so I won't recapitulate it, but I ran into and solved a problem that may be of value to others.
Problem: Windows Server 2003, x64 standard edition gets a constant stream of Userenv errors, event IDs 1030 and 1058. The error text refers to not being able to read a gpt.ini file in Sysvol.
So it looks like a permission problem. I try to DIR the file via sysvol, and all's well. I check the NTFS, share and GPO permissions on the particular GPO, and they all look good.
There are a number of pages on the Internet about this -- the eventid.net writeup on 1058 is very good -- but none of it worked for me. So I figured, "configuration error on the permissions." I went to each GPO, brought up its Security settings, checked a box, un-checked the box, clicked Apply and moved on to the next one. In other words, I just forced the Security tab to re-write the ACL on the GPO.
Problem went away.
Hope it helps someone.
|
Mark
tweetin' at mminasi |
|
|
angel
Old Timer
USA
525 Posts
Status: offline |
Posted - 11/02/2005 : 11:47:42 AM
|
Hi Mark,
I wish you would've written this few months back as I had nightmares with it. Of course you figured it out quick; but for me, it took me a long time :(
The list of things I tried is big, but towards the end, the fix you just mentioned is the one did the trick... and 1030 & 1058s went away.
Thank you for putting it so simple. Even though I had fixed it, it was still foggy for me but the re-writing of the ACL makes sense.
Thanks |
 |
|
|
zeno
Welcome Newcomer
Hong Kong
1 Posts
Status: offline |
Posted - 11/26/2005 : 04:32:38 AM
|
So your saying that a source for the 1030 and 1058 errors is the permissions on the \sysvol........
Because I've recently setup and Win2k3 Enterprise AD Domain as well with a Root Domain, then a Child domain with the DNS being hosted on the root....
The thing is 'm getting these 1030 and 1058's on my workstations frequently.... the strange thing is the GPOs are getting applied execept for the startup scripts....
I get this error " cannot access \\sysvol\domain\policies\scripts\scriptname.vbs DC unavailable ot access is denied..."
I tried searching for the fix all over the place but can't seem to fix it...
From the workstations I can browse the \sysvol dirs via network neighborhood and I can see \sysvol execept the only strange thing is that when I click on \sysvol it seems to take awhile before I can see the contents inside it (hourglass icon appears) which seems odd....
Do you have any tips that can help me ..........
Thanks........
 |
|
|
|
bbuhac
Welcome Newcomer
Yugoslavia
1 Posts
Status: offline |
Posted - 12/06/2005 : 05:55:02 AM
|
Hi
I had a same problem on a brand new SBS2003 with SP1. And found out tha from very beginning server and users frequently had this error.
Since comapany uses Sophos antivirus protection, I had to add local exclusion for on-access scanning for server, and network exclusion for \\servername\sysvol. This solved my problem in a second.
Browsing for solution ihave stumbled on couple off other solutions but if your network and other server services are workin' fine, check your antivirus settings first, and than go minning for other solutions.
Bojan Buhac |
|
|
|
joe_elway
Honorable But Hopeless Addict
Ireland
7396 Posts
Status: offline |
Posted - 12/06/2005 : 06:34:35 AM
|
quote:
Originally posted by bbuhac
Since comapany uses Sophos antivirus protection, I had to add local exclusion for on-access scanning for server, and network exclusion for \\servername\sysvol. This solved my problem in a second.
We had a DC stop replicating SYSVOL a year or so ago. During our investigations, we found that MS recommend that you never AV scan your SYSVOL. I think their particular expample fingered McAfee (as usual) but they did say it was possible others would cause the problem. The problem was the AV would change the file that was scanned (a flag of some sort) and FRS would then have to replicate it unecessarily... this could lead to a circular log overrun with larger SYSVOL's. |
|
|
|
yooperjeb
Seasoned But Casual Onlooker
USA
36 Posts
Status: offline |
Posted - 12/28/2005 : 2:20:08 PM
|
Hi All,
I have a question about these errors. I am currently running SBS 2003 and I created a policy for folder redirection, no big deal. However, I started getting a ton of these errors on my server but not on my workstations. I had two nics on the box and as soon as I disabled the WAN nic the errors stopped. I have no idea why this would be does anyone else? |
|
|
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
Posted - 12/28/2005 : 2:48:32 PM
|
Just a guess, but SBS may disable file sharing on the WAN NIC and that'd hack Sysvol off.
(I don't know SBS, it was again just a guess.) |
Mark
tweetin' at mminasi |
|
|
|
clarinathan
Moderator
United Kingdom
4893 Posts
Status: offline |
Posted - 12/28/2005 : 4:58:36 PM
|
Hi,
I believe Mark is right, I think the Microsoft client for windows networks and the file and printer sharing protocol is not ticked on the WAN NIC in SBS.
Cheers
Nathan |
Nathan Winters - [MSFT] - Exchange Technical Specialist
Checkout my blog:
http://www.nathanwinters.co.uk |
|
|
|
smeogul
Major Contributor
Canada
1009 Posts
Status: offline |
Posted - 12/28/2005 : 6:35:18 PM
|
there are a number of files and folders that shouldn't be scanned
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
this is common on a multi-homed DC as well, disable IP registration on all but one of the nic's
now we need to find someone to write a script to re-acl everything ;)
arrrrrrrgh
cheers
|
Ron |
|
|
|
Mort
Old Timer
USA
305 Posts
Status: offline |
Posted - 01/30/2006 : 09:03:29 AM
|
Mark,
Can you break down what you did a bit more. I am getting this error and can not seem to get rid of them. |
|
|
|
ArikGr
Welcome Newcomer
1 Posts
Status: offline |
Posted - 05/01/2006 : 02:50:27 AM
|
Mark,
Can you break down what you did a bit more. I am getting this error and can not seem to get rid of them.
Please... |
|
|
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
Posted - 05/01/2006 : 2:22:21 PM
|
First try this:
dfsutil /PurgeMupCache
Do it on the DC. See if that helps. (Dfsutil is either a Support Tool or a Resource Kit tool, I forget which.) |
Mark
tweetin' at mminasi |
|
|
|
mitachu
Honorable But Hopeless Addict
United Kingdom
1947 Posts
Status: offline |
Posted - 11/27/2006 : 12:19:53 PM
|
dfsutil.exe is part of the Windows Support Tools. There's a new version available for download with SP1, by the way.
|
Tim |
|
|
|
syscon
Welcome Newcomer
1 Posts
Status: offline |
Posted - 12/07/2006 : 12:54:43 PM
|
I used Mark's method of rewriting the ACL on the default domain GPO & default domain controllers GPO, but that by itself did not correct the problem. Once I rewrote the ACL directly on the GPT.INI file, poof ... problem fixed. |
|
|
|
takeos
Welcome Newcomer
3 Posts
Status: offline |
Posted - 01/19/2007 : 1:34:03 PM
|
> I went to each GPO...
> Problem went away.
> Hope it helps someone.
Sounds like magic, but can you maybe explain "went" and "each GPO"?
I mean, what administration tool did you use, and what objects did you modify?
Thank you!
|
|
|
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
Posted - 01/19/2007 : 4:49:26 PM
|
| Use any administration tool. Right-click in ADUC, use GPMC, whatever. Make a new setting, then delete it. Net effect is that while you didn't really change anything, the admin tool must re-write the GPO, and thereby its permissions list. |
Mark
tweetin' at mminasi |
|
|
|
takeos
Welcome Newcomer
3 Posts
Status: offline |
Posted - 01/19/2007 : 6:29:16 PM
|
> Use any administration tool
Please be patient with me, as I've been reading and learning from you since the BYTE days, but Sysvol issues are a bit over my head, I just found this page searching for 1030 1058 after other things I tried didn't work. I have a Start menu with several Administrative Tools, and an MMC, also with dozens of tools. Now, you are telling me to use "any" tool. This doesn't really help me. Could you perhaps just tell me what tool to use, out of the dozens? |
|
|
|
jmrllc
Here To Stay
USA
110 Posts
Status: offline |
Posted - 01/19/2007 : 11:56:03 PM
|
I think Mark is saying go where you would typically administer your GPO (Group Policy Object). If the object is set up on a particular Group or OU, then for example go to Admin Tools then click on Active Directory Users and Computers and drill down to the group or OU in question. Right click on the Group or OU and select properties then proceed to the Group Policy tab. There you will find the individual GPOs (Group Policy Objects) linked to that particular object.
(How did I do Mark?) |
MCSA 2000
Net+,A+
|
|
|
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
Posted - 01/20/2007 : 2:15:20 PM
|
Sounded good to me, Joe.
Some more background...
There is a piece of every group policy object called the group policy template or GPT. It's just a set of ASCII text files sitting on every domain controller in a share called Sysvol. (Try NET USEing to \\anydomaincontroller\sysvol and you'll see that you can connect.) As with any shared resource, it has two kinds of permissions: the share permissions on the Sysvol share, and the NTFS permissions on the particular set of files that comprise the GPT.
Every time your computer goes to read group policies, it must essentially do a NET USE to its local DC's Sysvol and copy down those GPTs. But sometimes -- I have no idea why -- it seems that your computer gets the equivalent of an "access denied" message from the DC when it tries to read the GPTs. THAT causes the 1030s.
Now, that doesn't make any sense at all, so I figured that there was something a bit "off" about the NTFS permissions laid onto the GPTs when the group policy objects get created or modified. So I reasoned that anything that forced the system to re-write the GPOs (and therefore the GPT) might reset the NTFS permissions to their correct state.
Does that make sense? Thanks. |
Mark
tweetin' at mminasi |
|
|
|
takeos
Welcome Newcomer
3 Posts
Status: offline |
Posted - 01/23/2007 : 02:59:23 AM
|
| You have been very kind and helpful, thank you. I am afraid I still get the 1030 every now and then, and the occasional 1058+1030. This is on all machines (both clients and servers). On the other hand some of the same machines where I see the 1030s also show event ID 1704 ("Security policy in the Group policy objects has been applied successfully.") in the logs every now and then, but then even if I do a gpupdate adter a 1030, I get another 1030, so I am not sure whether the presence of both 1030 and 1704 contains some useful hint. I can access sysvol fine, and I tried both what you suggested, and before that all the steps mentioned in the Help and Support link for 1030, and some more. Considering that this is a really simple domain with just one Default Domain Controllers Policy, and one Default Domain Policy, would you advise a way to reset everything to default values? Would that make sense? Although simple, these policies are now almost 10 years old, and I wouldn't mind starting fresh and re-entering the few custom settings we need. At this point I like the idea of a clean sysvol, but I am not sure if this is recommended or feasible. This is now Windows Server 2003 R2 with the new Group Policy snap-in. |
|
|
|
Michael Burch
Welcome Newcomer
1 Posts
Status: offline |
Posted - 02/26/2007 : 1:18:56 PM
|
| I just tried all of this but it didn't work. What appeared to work is turning on DFS (Distributed File System). It was turned off but not sure why clients need this to communicate to the sysvol directory. As soon as I turned it back on (was set to manual and not started) the errors stopped. Just to note that I have tried all of the above solutions so i may have been a combination of security being re-applied to the gps. |
|
|
|
Mark Minasi
Chief cook and bottle washer
USA
10658 Posts
Status: offline |
Posted - 02/26/2007 : 2:55:18 PM
|
DFS handles the replication amongst DCs of the Sysvol directory. Turning off DFS, or having it disabled for some reason, will DEFINITELY affect group policies.
I'm very glad you fixed it, thanks for sharing your story, Michael! |
Mark
tweetin' at mminasi |
|
|
|
CCassino
Welcome Newcomer
USA
2 Posts
Status: offline |
Posted - 03/20/2007 : 11:38:26 AM
|
Hi, My first post here. I found the site while troubleshooting this problem. Nice topics here, great site.
The problem appeared on my FSMO DC after an upgrading to W2K3 from Win 2000.
The dfsutil /PurgeMupCache works until you reboot and the events appear again. This is mentioned at http://support.microsoft.com/kb/842804
A hotfix is available through PSS.
The server also is having some DNS issues which are requiring me to remove and reinstall DNS on this server. I will be calling PSS if the errors continue after reinstalling DNS.
Thanks for the help, I am sure I'll be spending plenty of time here.
|
|
|
|
eltecnico
Welcome Newcomer
USA
10 Posts
Status: offline |
Posted - 04/26/2007 : 12:45:36 PM
|
| Hi, I've been getting this errors since a Server restart (win sbs 2003) do to clients could not login. After that clients with Windows XP Pro could get in normally but we have one xp home and one xp media center that access the Server via shared folders. After that those two in particular cannot access either the Peachtree 2007 Server Service and cannot acces the exchange server, but they can browse all folders of the Server without no problem. WEIRD!!!!!!!!!!!!!!!!!!!!!!!!, need help, have tried everything that has been stated here and from eventid.net as well still cannot access the Peachtree or Exchange Server. Even installed Win Server 2003 SP2 to very this helped Event Log in Server state errors 1030, 1058, and 8063. Please help |
ricardo_robles_robles@hotmail.com |
|
|
|
RaymondR
Welcome Newcomer
9 Posts
Status: offline |
Posted - 05/11/2007 : 2:58:49 PM
|
Found this thread on google.
New DC with Windows Server 2003 R2. It is being added to an existing domain.
I have an error on startup that is causing a 10 minute delay: 1058 Userenv
I have checked to see if the file is there, and it is.
Accessing the share from the explorer window by typing \\servername\sysvol works.
net use k \\servername\sysvol returns an error 67 The network name cannot be found.
This error only occurs on startup. do you have any ideas of where I might start? |
|
|
|
dmarelia
Moderator
USA
2922 Posts
Status: offline |
|
|
RaymondR
Welcome Newcomer
9 Posts
Status: offline |
Posted - 05/16/2007 : 12:14:14 PM
|
Here is the userenv.log file (normal logging):
USERENV(1294.1298) 09:44:50:468 UnloadUserProfile: Entering, hProfile = <0x2f0>
USERENV(1294.1298) 09:44:50:468 UnloadUserProfile: no thread token found, impersonating self.
USERENV(1294.1298) 09:44:50:468 GetInterface: Returning rpc binding handle
USERENV(15c.2c0) 09:44:50:468 IProfileSecurityCallBack: client authenticated.
USERENV(1294.1298) 09:44:50:468 UnLoadUserProfile: Calling DropClientToken (as self) succeeded
USERENV(1294.1298) 09:44:50:671 UnloadUserProfile: Calling UnloadUserProfileI succeeded
USERENV(1294.1298) 09:44:50:671 ReleaseInterface: Releasing rpc binding handle
USERENV(1294.1298) 09:44:50:671 UnloadUserProfile: returning 1
USERENV(18c.954) 09:45:15:156 UnloadUserProfile: Entering, hProfile = <0x5ec>
USERENV(18c.328) 09:45:15:203 UnloadUserProfile: Entering, hProfile = <0x650>
USERENV(18c.ee0) 09:45:15:218 UnloadUserProfile: Entering, hProfile = <0x4b4>
USERENV(18c.954) 09:45:15:234 UnloadUserProfile: no thread token found, impersonating self.
USERENV(18c.328) 09:45:15:234 UnloadUserProfile: no thread token found, impersonating self.
USERENV(18c.ee0) 09:45:15:234 UnloadUserProfile: no thread token found, impersonating self.
USERENV(18c.954) 09:45:15:234 GetInterface: Returning rpc binding handle
USERENV(18c.328) 09:45:15:234 GetInterface: Returning rpc binding handle
USERENV(15c.1334) 09:45:15:234 IProfileSecurityCallBack: RpcBindingInqAuthClient failed with 534
USERENV(15c.2c0) 09:45:15:234 IProfileSecurityCallBack: RpcBindingInqAuthClient failed with 534
USERENV(15c.1328) 09:45:15:234 IProfileSecurityCallBack: RpcBindingInqAuthClient failed with 534
USERENV(18c.954) 09:45:15:249 UnLoadUserProfile: Calling DropClientToken took exception. error 5
USERENV(18c.328) 09:45:15:249 UnLoadUserProfile: Calling DropClientToken took exception. error 5
USERENV(18c.954) 09:45:15:265 UnLoadUserProfile: Calling DropClientContext failed. err = 5
USERENV(18c.ee0) 09:45:15:265 UnLoadUserProfile: Calling DropClientToken took exception. error 5
USERENV(18c.328) 09:45:15:265 UnLoadUserProfile: Calling DropClientContext failed. err = 5
USERENV(18c.954) 09:45:15:281 ReleaseInterface: Releasing rpc binding handle
USERENV(18c.ee0) 09:45:15:281 UnLoadUserProfile: Calling DropClientContext failed. err = 5
USERENV(18c.328) 09:45:15:281 ReleaseInterface: Releasing rpc binding handle
USERENV(18c.954) 09:45:15:281 UnloadUserProfile: returning 0
USERENV(18c.ee0) 09:45:15:281 ReleaseInterface: Releasing rpc binding handle
USERENV(18c.328) 09:45:15:281 UnloadUserProfile: returning 0
USERENV(18c.ee0) 09:45:15:296 UnloadUserProfile: returning 0
USERENV(18c.1674) 09:45:15:718 UnloadUserProfile: Entering, hProfile = <0x570>
USERENV(18c.1674) 09:45:15:718 UnloadUserProfile: no thread token found, impersonating self.
USERENV(18c.1674) 09:45:15:718 GetInterface: Returning rpc binding handle
USERENV(15c.c70) 09:45:15:718 IProfileSecurityCallBack: RpcBindingInqAuthClient failed with 534
USERENV(18c.1674) 09:45:15:734 UnLoadUserProfile: Calling DropClientToken took exception. error 5
USERENV(18c.1674) 09:45:15:734 UnLoadUserProfile: Calling DropClientContext failed. err = 5
USERENV(18c.1674) 09:45:15:734 ReleaseInterface: Releasing rpc binding handle
USERENV(18c.1674) 09:45:15:734 UnloadUserProfile: returning 0
USERENV(18c.274) 09:45:19:999 UnloadUserProfile: Entering, hProfile = <0x44c>
USERENV(18c.274) 09:45:19:999 UnloadUserProfile: no thread token found, impersonating self.
USERENV(18c.274) 09:45:19:999 GetInterface: Returning rpc binding handle
USERENV(15c.1334) 09:45:19:999 IProfileSecurityCallBack: RpcBindingInqAuthClient failed with 534
USERENV(18c.274) 09:45:19:999 UnLoadUserProfile: Calling DropClientToken took exception. error 5
USERENV(18c.274) 09:45:19:999 UnLoadUserProfile: Calling DropClientContext failed. err = 5
USERENV(18c.274) 09:45:19:999 ReleaseInterface: Releasing rpc binding handle
USERENV(18c.274) 09:45:19:999 UnloadUserProfile: returning 0
USERENV(15c.160) 09:47:30:546 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(15c.160) 09:47:30:562 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(15c.160) 09:47:30:562 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(15c.160) 09:47:30:562 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(15c.10f8) 09:57:36:750 MyGetUserName: GetUserNameEx failed with -2146892976.
USERENV(15c.10f8) 09:57:39:578 ProcessGPO: Couldn't find the group policy template file <\\DOMAINNAME\sysvol\DOMAINNAME\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x35.
USERENV(15c.10f8) 09:57:39:593 EvalList: ProcessGPO failed
USERENV(15c.10f8) 09:57:39:593 GetGPOInfo: EvaluateDeferredGPOs failed. Exiting
USERENV(15c.10f8) 09:57:39:609 ProcessGPOs: GetGPOInfo failed.
One thing that stands out, but may be correct, is the bolded type above. It is looking for \\DOMAINNAME\path instead of \\COMPUTERNAME\path for the gpt.ini file.
I didn't think you could specify a domain name in a UNC path?
Either way, the path doesn't work. If it should, do I need an entry in DNS or something?
And any advice on the other errors would be great!
Help! |
|
|
|
aacc11
Welcome Newcomer
3 Posts
Status: offline |
Posted - 07/15/2007 : 1:23:38 PM
|
RaymondR
try this out
You have to redirect the path of the policy in the DC
download the support tool
form windows server 2003 cd - suptools.msi
then
start -->all programs -->windows support tools --> command
type Adsiedit.msc
1- Expand the first folder (domain)
2- And the next one go to CN=SYSTEM expand it
3- Go to CN=Policies expand it
4- Right click each folder of the policies click properties and search for gPCFileSysPath press edit and add the server name before the domain name do it for the remain policies folders.
I found this sulotion in microsoft support site but i can't remember where. Any way i also find some recommandation form microsoft to apply the sp2 will fix the proplem. For me I tried this and it's working just fine.
Good Lock
|
|
|
|
eltecnico
Welcome Newcomer
USA
10 Posts
Status: offline |
Posted - 07/16/2007 : 07:04:52 AM
|
| In my case I had to reinstall the OS again. To my luck this was a samll office with 5 computers + Server. I tried everything I found in this forum, and in other well known forums on the web. What I believe is that some Windows files got corrupted, although this had never happened to us except for another client the the hard disk started failing, which in this case was not the problem. |
ricardo_robles_robles@hotmail.com |
|
|
|
RaymondR
Welcome Newcomer
9 Posts
Status: offline |
Posted - 07/16/2007 : 10:13:55 AM
|
Thanks for the suggestions. I will try them if I have time today and report back the results.
Cheers! |
|
|
|
aacc11
Welcome Newcomer
3 Posts
Status: offline |
Posted - 07/19/2007 : 1:55:28 PM
|
Hi back
after one week of seach and jump from site to site I found this.
use kiss rule = keep it simle stupid
http://www.chicagotech.net/Security/domaingp1.htm
for first while I thought this will not help.
Recommand : 1- set one server for test always if you are using business one.
2- Backup your system state before change made,will not cost you a lot.
|
Edited by - aacc11 on 07/19/2007 1:58:59 PM |
|
|
|
Topic |
|
Solving event ID 1058 and 1030 userenv errors
