FantasticTA

New Member
Hello there,

I'm asking for some help with a problem that we have been facing for ages.

The problem :

PCs on the domain sometimes can't do a gpupdate /force and get the following error in the terminal:

The processing of Group Policy failed. Windows attempted to read the file "\\our.domain.fr\sysvol\our.domain.fr\Policies\{GPO-UID}\gpt.ini" from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Sometimes it's the gpt.ini that cannot be read, sometimes it's the \Machine\registry.pol file. It is always the same error.

When I get this error in the terminal, I then go to the Event Viewer and see these two events:

  • 1058 (with the same message found in the terminal)
Event data:
ErrorCode 5
ErrorDescription access denied
DCName DC2.ourdomain.fr
GPOCNName cn={GPO-UID},cn=policies,cn=system,DC=ourdomain,DC=fr
FilePath \\ourdomain.fr\SysVol\ourdomain.fr\Policies\{GPO-UID}\gpt.ini
  • 1096
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=User,cn={GPO-UID},cn=policies,cn=system,DC=ourdomain,DC=fr. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
Event data:
ErrorCode 5
ErrorDescription access denied
DCName \\DC2.ourdomain.fr
GPOCNName LDAP://CN=User,cn={GPO-UID},cn=policies,cn=system,DC=ourdomain,DC=fr
FilePath \\ourdomain.fr\SysVol\ourdomain.fr\Policies\{GPO-UID}\User\registry.pol

What's important :

- This error doesn't happen all the time, but when it happens, it's for the next few gpupdate /force (for example, it will not work for 5 or 10 minutes, or until after 1, 2 or even 3 reboots). It's really annoying because I cannot test new GPOs or edit existing GPOs, as I don't have a consistent way to test them, because I cannot tell for sure if the GPO will be applied to all computers on the domain.

- This error can happen on all computers in the domain, but not on all of them at the same time. For example, I can have the error on my computer while the other IT technician can do a gpupdate just fine, or the reverse.

- We have 2 DCs, DC1 and DC2. ourdomain.fr points to both of them (as it should), and the error mostly happens when the computers ask DC2 to do the gpupdate, but I have also sometimes seen this error with DC1.

- When the error occurs, I've checked that the computer can access the file marked as "access denied": it can access and open it manually, but gpupdate can't for some reason.

- I've only been working for this company for 4 months, but I can tell this problem is far older than 2023.

- At one time, I know that the previous technician replaced the old DC2 (Windows Server 2012) and installed a new Windows Server 2016 with the same name (DC2).


I'm really struggling with this. I need to rework the entire domain policy, but it's a pain for me as I can no longer trust the gpupdate process.


Thanks to comments on other forums, I know that my 2 DCs and my domain are in good health, and I don't have permission problems on the GPOs (Authenticated Users has read access to all GPOs).
I also know that replication between the two DCs is fine.
Any other suggestions?

Thank you for your reading time and for your help !
 
Based on the information you've provided, it seems like the issue could be related to the network connectivity or replication latency. Here are some troubleshooting steps you can try:

1. Check the DNS settings on the affected machines: Make sure that the DNS server entries are pointing to the correct IP addresses of your domain controllers. You can also try flushing the DNS cache using the command "ipconfig /flushdns" on the affected machines.

2. Check the file replication service (FRS) logs: Use the command "repadmin /showrepl" to check the FRS logs and make sure that there are no replication errors. If there are any errors, you'll need to troubleshoot the FRS service.

3. Check the DFS client settings: Make sure that the DFS client service is enabled and running on the affected machines. You can check this through the Services console.

4. Check the permissions on the SYSVOL folder: Make sure that the Authenticated Users group has read access to the SYSVOL folder and that the GPOs are stored in the correct location.

5. Check the time synchronization: Make sure that the time on the domain controllers and the affected machines is synced. You can check this by running the command "w32tm /query /source" on the affected machines.

6. Check the firewall settings: Make sure that the firewall settings on the affected machines are not blocking any necessary ports for the domain controllers.

If none of these steps resolve the issue, you can try creating a new GPO from scratch with a different name and see if it's applied without any issues. If it is, then the issue may be related to the current GPOs.
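The six checks above as one client-side triage script, run on an affected PC rather than on a DC. This is an added example, not code from the thread or from any of the posters; it assumes an elevated PowerShell on Windows 10 / Server 2016 or later, and `$Domain` and `$GpoGuid` are placeholders to be replaced with the values from the 1058 event data. It reads gpt.ini through each DC by name (not only through the domain DFS path), so a DC that answers "access denied" while the other serves the file, or a Version= line that differs between DCs, shows up directly:

```powershell
# Added example (not code from the thread): client-side triage for Group Policy events 1058/1096
# ("access denied" reading gpt.ini / registry.pol from SYSVOL). Run in an elevated PowerShell
# on an affected PC. $Domain and $GpoGuid are placeholders; take them from the 1058 event data.
param(
    [string]$Domain  = 'ourdomain.fr',
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'
)

# --- 1. Name resolution: the domain's A records and the DC SRV records should point to the same DCs ---
$aRecords = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
$srv      = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
$dcs      = @($srv.NameTarget | Sort-Object -Unique)
"Domain A records : $($aRecords.IPAddress -join ', ')"
"DC SRV targets   : $($dcs -join ', ')"
nltest /dsgetdc:$Domain | Select-String 'DC:', 'Address:'     # the DC this client actually picked

# --- 2. DFS client: \\domain\SysVol is a DFS namespace, so a disabled DFS client is cause (c) ---
$mup = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue
if ($mup -and $mup.DisableDfs -eq 1) { 'WARNING: DFS client disabled via Mup\DisableDfs = 1' }
Get-CimInstance Win32_SystemDriver -Filter "Name='Dfsc'" | Select-Object Name, State, StartMode
Get-Service -Name gpsvc, Netlogon, LanmanWorkstation | Select-Object Name, Status

# --- 3. Read gpt.ini through each DC by name, then through the domain DFS path ---
# This runs as the logged-on user. gpupdate reads machine policy as the computer account, so a
# success here does not prove that identity can read it; repeat under 'psexec -s' to test SYSTEM.
$versions = @{}
foreach ($target in ($dcs + $Domain)) {
    $path = "\\$target\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
    try {
        $ver = $null
        foreach ($line in (Get-Content -LiteralPath $path -ErrorAction Stop)) {
            if ($line -match '^Version=(\d+)') { $ver = [int]$Matches[1] }
        }
        $versions[$target] = $ver
        "OK      $path  Version=$ver"
    } catch {
        "FAILED  $path  -> $($_.Exception.Message)"
    }
}
if (($versions.Values | Sort-Object -Unique).Count -gt 1) {
    'WARNING: gpt.ini Version differs between targets -> SYSVOL replication lag, cause (b) in the event text'
}

# --- 4. Time: Kerberos tolerates only a small clock skew (5 minutes by default) ---
w32tm /query /source
foreach ($dc in $dcs) { w32tm /stripchart /computer:$dc /samples:1 /dataonly }

# --- 5. The last 1058/1096 events from the System log, with the DC and error code pulled out ---
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058, 1096 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; DC = $d['DCName']; Error = $d['ErrorCode']; File = $d['FilePath'] }
    } | Format-Table -AutoSize
```

Save it as, for instance, Test-GpoSysvol.ps1 and run `.\Test-GpoSysvol.ps1 -Domain ourdomain.fr -GpoGuid '{...}'` while the error is occurring; the useful signal is a per-DC difference (one DC FAILED while the other is OK, or two different Version values), not a blanket failure. Firewall (step 6) is covered implicitly: a blocked SMB/RPC port shows up as a connection error rather than error 5 in step 3.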
 
The only problem I could find is that repadmin /showrepl today gives me 2 errors for each DC (yesterday it didn't).
Here is the result of the command repadmin /showrepl:

"Repadmin: running command /showrepl against full DC localhost
Premier-Site-par-defaut\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxxxx
DSA invocationID: xxxxxxxxxxxxxxxxxxxxxxxx

==== INBOUND NEIGHBORS ======================================

DC=ourdomain,DC=fr
Premier-Site-par-defaut\DC2 via RPC
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Last attempt @ 2023-04-28 14:15:14 was successful.

CN=Configuration,DC=ourdomain,DC=fr
Premier-Site-par-defaut\DC2 via RPC
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Last attempt @ 2023-04-28 13:46:55 was successful.

CN=Schema,CN=Configuration,DC=ourdomain,DC=fr
Premier-Site-par-defaut\DC2 via RPC
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Last attempt @ 2023-04-28 13:46:55 was successful.

DC=DomainDnsZones,DC=ourdomain,DC=fr
Premier-Site-par-defaut\DC2 via RPC
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxx
Last attempt @ 2023-04-28 13:46:55 was successful.

DC=ForestDnsZones,DC=ourdomain,DC=fr
Premier-Site-par-defaut\DC2 via RPC
DSA object GUID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Last attempt @ 2023-04-28 13:46:55 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied."
 
Never mind ... It was my bad, I ran repadmin /showrepl without opening cmd with admin privileges ... So the errors I gave in my reply are not there when run as admin.
So the problem is still unsolved :(
 
I would start with some dcdiag tests; make sure the domain, and specifically DNS, is working correctly.
You can read more about dcdiag's usage here: dcdiag
 
Well, access denied can only really be one thing, but in two different locations [the GPO SYSVOL, or the endpoint].

Some questions,
  • Is it always the same GPO policy that has the issue?
  • is it always the same devices that have the issue?
  • Is it always the same users that have the issue?

If the first is true, determine the second two points and validate permissions on the GPO files (should only need 'Authenticated Users' to have read access).

If the GPO contains registry or file changes, track down the registry entries or files in question and make sure SYSTEM has R/W access; in some cases SYSTEM will only have read access, which will result in access denied.
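The permission check in the reply above, done against each DC's own copy of the GPO folder rather than once in GPMC, because the original post reports the failures mostly when DC2 is the DC serving the update and DC2 was rebuilt under the same name. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, an account that can read the SYSVOL folder ACLs and SMB share ACLs on every DC, and a placeholder GPO GUID:

```powershell
# Added example (not code from the thread): compare the SYSVOL copy of one GPO across all DCs.
# Requires the RSAT ActiveDirectory module and rights to read SYSVOL ACLs on each DC.
# $GpoGuid is a placeholder; use the GPO-UID from the 1058/1096 event data.
param(
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# --- 1. The AD side of the GPO: where it says its files live, and its version counter ---
$gpo = Get-ADObject -Identity "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)" `
                    -Properties displayName, gPCFileSysPath, versionNumber
"GPO            : $($gpo.displayName)"
"gPCFileSysPath : $($gpo.gPCFileSysPath)"
"AD version     : $($gpo.versionNumber)"

# --- 2. On every DC: does the folder exist, what does its gpt.ini say, and who may read it? ---
$results = foreach ($dc in $dcs) {
    $folder = "\\$dc\SysVol\$($domain.DNSRoot)\Policies\$GpoGuid"
    $row = [ordered]@{ DC = $dc; Exists = (Test-Path -LiteralPath $folder); GptVersion = $null; Sddl = $null; AuthUsersRead = $false }
    if ($row.Exists) {
        foreach ($line in (Get-Content -LiteralPath "$folder\gpt.ini" -ErrorAction SilentlyContinue)) {
            if ($line -match '^Version=(\d+)') { $row.GptVersion = [int]$Matches[1] }
        }
        $acl = Get-Acl -LiteralPath $folder
        $row.Sddl = $acl.Sddl
        # Authenticated Users (S-1-5-11) needs at least ReadData (bit 1); compare by SID so the
        # check does not depend on the localized group name on a French server.
        $row.AuthUsersRead = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11' -and
            (([int]$_.FileSystemRights -band 1) -ne 0)
        })
    }
    [pscustomobject]$row
}
$results | Select-Object DC, Exists, GptVersion, AuthUsersRead | Format-Table -AutoSize

# --- 3. Differences between DCs are what matter: version lag, or an ACL that diverged on one DC ---
$present = @($results | Where-Object Exists)
if (($present.GptVersion | Sort-Object -Unique).Count -gt 1) { 'WARNING: gpt.ini Version differs between DCs (SYSVOL replication lag)' }
if (($present.Sddl       | Sort-Object -Unique).Count -gt 1) { 'WARNING: NTFS ACL on the GPO folder differs between DCs' }
if ($present | Where-Object { $_.GptVersion -ne $gpo.versionNumber }) { 'WARNING: gpt.ini Version does not match AD versionNumber on at least one DC' }
if ($results | Where-Object { -not $_.Exists }) { 'WARNING: GPO folder missing on at least one DC' }

# --- 4. Share-level permissions on SysVol per DC, and which engine replicates SYSVOL ---
foreach ($dc in $dcs) {
    "== $dc =="
    Get-SmbShareAccess -Name SysVol -CimSession $dc | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}
dfsrmig /getglobalstate   # reports whether SYSVOL replication is still on FRS or migrated to DFSR
```

Run it from an admin workstation or a DC as `.\Compare-GpoSysvol.ps1 -GpoGuid '{...}'`. Because NTFS and share ACLs on SYSVOL are replicated with the content, both DCs should print identical SDDL strings and the same Version; a warning in step 3 pinpoints which DC's copy to fix, and the gpt.ini-versus-AD versionNumber comparison tells the FRS/DFSR latency case (cause b in the event text) apart from a genuine permission problem (error 5).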
 