Group Policy Error: Failed to open the Group Policy Object
 




Forum: microsoft.public.windows.server.active_directory
Author: BP (Guest)
Posted: Tue May 16, 2006 11:24 am
Post subject: Group Policy Error: Failed to open the Group Policy Object

Hi Everyone,

I am having an issue with accessing the Domain Controller Security Policy
and Domain Security Policy consoles on all of the 3 DCs in our domain. The
error is:

Group Policy Error
Failed to open the Group Policy Object. You may not have appropriate rights.
Details:
The specified domain either does not exist or could not be contacted.

The shortcut to Domain Controller Security Policy is:
C:\WINDOWS\system32\dcpol.msc /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=australia,DC=office"

The shortcut to Domain Security Policy is:
C:\WINDOWS\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=australia,DC=office"

I have done netdiag, dcdiag, looked at a hundred KB articles and forum posts,
but nothing fits/fixes the issue.

A little background. There is one DC in Australia (ERNIE) and there are two
DCs in Seattle (DC03 and DATA03.) The Seattle DCs used to be on a different
domain but were renamed to the Australian domain. I think it is this domain
renaming that is the root of the issues. There are still entries in the DNS
(all 3 DCs are DNS servers) that point to the old domain. I've paused the
zones relating to the old domain in all 3 DNS servers. All of the replication
is working well. No Event Log errors to really speak of. The only issue I
have other than the error mentioned is that on both of the Seattle DCs (DC03
and DATA03) the netlogon.dns file in C:\WINDOWS\SYSTEM32\CONFIG has double
entries for almost everything. One line entry for the new domain and a
duplicate line for the old domain. I've gone through and removed the lines
referring to the old domain, but when I restart the Netlogon service the
entries reappear.

The only issue in dcdiag and netdiag log was this:

Running enterprise tests on : australia.office
Starting test: Intersite
Doing intersite inbound replication test on site Seattle:
Locating & Contacting Intersite Topology Generator (ISTG) ...
*Warning: ISTG time stamp is 26660 minutes old on DC03.
Looking for a new ISTG.
*Warning: The next ISTG could not be authoratively determined for site Seattle. A DC should make an ISTG failover attempt in 25 minutes.
* Warning: Current ISTG failed, ISTG role should be taken by DATA03 in 25 minutes.
Checking for down bridgeheads ...
Bridghead Brisbane\ERNIE is up and replicating fine.
Bridghead Seattle\DC03 is up and replicating fine.
Doing in depth site analysis ...
All expected sites and bridgeheads are replicating into site Seattle.
Doing intersite inbound replication test on site Brisbane:
Locating & Contacting Intersite Topology Generator (ISTG) ...
*Warning: ISTG time stamp is 27878 minutes old on ERNIE.
Looking for a new ISTG.
***Error: The current ISTG is down in site Brisbane and further dcdiag could not contact any other servers in the site that could take the ISTG role. Ensure there is at least one up DC.
Must abandon inbound intersite replication test for this site.
*Warning: Could not locate the next ISTG or site Brisbane.
Using the last known ISTG ERNIE as the ISTG.
The ISTG for site Brisbane is: ERNIE.
Checking for down bridgeheads ...
Bridghead Seattle\DC03 is up and replicating fine.
Bridghead Brisbane\ERNIE is up and replicating fine.
Doing in depth site analysis ...
All expected sites and bridgeheads are replicating into site Brisbane.
......................... australia.office passed test Intersite

One other thing that some KB articles make reference to is the DNS settings
on the NICs in the servers. At this stage, ERNIE has itself as the primary
DNS and DC03 as the secondary. Vice versa for DC03 (itself as primary, ERNIE
as secondary.) DATA03 has DC03 as primary and itself as secondary. None of
them have any external DNS servers entered in their NIC settings.

The FSMO roles are as follows:

Schema owner DC03.australia.office
Domain role owner DC03.australia.office
PDC role ernie.australia.office
RID pool manager DC03.australia.office
Infrastructure owner DC03.australia.office

DC03 and ERNIE are Global Catalog servers.

The replication is set up to happen between DC03 and ERNIE and DC03 and
DATA03.

All of the servers are Windows 2003.

I am sure I've forgotten something, but if you need any more info, please
let me know. I am hoping someone can point me in the right direction, because
I've been fighting with this for a day and a half now.

Thanks
B.
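
A check for the duplicate netlogon.dns registrations described in the post, as an added example that is not part of the original post: it parses a copy of the file and groups every record whose owner name falls outside australia.office by DNS suffix. The sample records, the addresses and the name olddomain.example are constructed placeholders (the post never names the old domain), and the owner/TTL/IN/type/data line layout is assumed.

```python
from collections import defaultdict

# Constructed sample in netlogon.dns layout: owner TTL IN TYPE data.
# "olddomain.example" is a placeholder; the post never names the old domain.
SAMPLE = """\
australia.office. 600 IN A 192.0.2.10
_ldap._tcp.australia.office. 600 IN SRV 0 100 389 dc03.australia.office.
_ldap._tcp.Seattle._sites.australia.office. 600 IN SRV 0 100 389 dc03.australia.office.
_kerberos._tcp.dc._msdcs.australia.office. 600 IN SRV 0 100 88 dc03.australia.office.
olddomain.example. 600 IN A 192.0.2.10
_ldap._tcp.olddomain.example. 600 IN SRV 0 100 389 dc03.australia.office.
_kerberos._tcp.dc._msdcs.olddomain.example. 600 IN SRV 0 100 88 dc03.australia.office.
"""


def parse_records(text):
    """Yield (owner, type, data) for each record line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        # Expected layout: owner TTL IN TYPE data...
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        yield fields[0].rstrip(".").lower(), fields[3].upper(), " ".join(fields[4:])


def in_domain(owner, domain):
    """True if owner is the domain itself or a name beneath it."""
    domain = domain.rstrip(".").lower()
    return owner == domain or owner.endswith("." + domain)


def dns_suffix(owner):
    """Drop everything up to the last service label (_tcp, _sites, _msdcs...)."""
    labels = owner.split(".")
    marks = [i for i, label in enumerate(labels) if label.startswith("_")]
    return ".".join(labels[marks[-1] + 1:] if marks else labels)


def stray_records(text, expected_domain):
    """Group records registered outside expected_domain by their DNS suffix."""
    groups = defaultdict(list)
    for owner, rtype, data in parse_records(text):
        if not in_domain(owner, expected_domain):
            groups[dns_suffix(owner)].append((owner, rtype, data))
    return dict(groups)


if __name__ == "__main__":
    for suffix, recs in stray_records(SAMPLE, "australia.office").items():
        print(f"{suffix}: {len(recs)} record(s) outside australia.office")
        for owner, rtype, data in recs:
            print(f"  {owner} {rtype} {data}")
```

Running it against the file from each DC after a Netlogon restart shows which DNS suffixes the service is still registering.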
All times are GMT.

 
