Sunday, March 20, 2011

Group Policy (Event ID 1030 and 1058) and The account is not a DC account error

Symptoms
There is one domain controller in my production environment. It runs Windows Server 2003 with Service Pack 2 and has the Group Policy Management Console installed. When I try to edit a group policy, the following error is displayed.

Figure 1: “Failed to open the Group Policy Object. You may not have appropriate rights”

Click “Close”.

Figure 2: Group Policy Object Editor

The Group Policy can’t be modified.
In Event Viewer, open the “Application” log. The server logs errors from the Userenv source.

Figure 3: Event ID 1058


Figure 4: Event ID 1030
Then I launched a Command Prompt and ran “dcgpofix”.

Figure 5: The result of dcgpofix

dcgpofix does not fix the Group Policy either.

At the command prompt I ran “dcdiag”. It reports the following error for my domain controller:

Figure 6: The result of dcdiag

Solution
I followed the methods of KB837513 to fix my domain controller:
a) Method 1: Fix Domain Name System (DNS) errors.
b) Method 2: Synchronize the time between computers.
c) Method 3: Check the Access this computer from the network user right.
d) Method 4: Verify that the domain controller's userAccountControl attribute is 532480.
e) Method 5: Fix the Kerberos realm (confirm that the PolAcDmN registry key and the PolPrDmN registry key match) (Windows 2000 domain controller only, so it is skipped below).
f) Method 6: Reset the machine account password, and then obtain a new Kerberos ticket.
 
Prerequisites
· You have to install the Windows Server 2003 Support Tools (they provide netdiag, dcdiag and netdom).

Method 1: Fix Domain Name System (DNS) errors

1. On the domain controller, log in as a Domain Administrator.
2. Verify the IP settings of the domain controller and make sure its DNS server setting points at a DNS server that hosts the Active Directory zone (in a single-DC environment, the domain controller itself).


Figure 7: IP configuration of the domain controller


3. Run “netdiag /v” and review the DNS test results for failures.


Method 2: Synchronize the time between computers

4. Verify that the time is correctly synchronized between domain controllers. Additionally, verify that the time is correctly synchronized between client computers and domain controllers: Kerberos rejects tickets when the clock skew exceeds the default tolerance of 5 minutes.

Method 3: Check the Access this computer from the network user rights

5. On the domain controller that holds the PDC emulator role, log in as a Domain Administrator.
6. Launch Windows Explorer and navigate to
C:\WINDOWS\Sysvol\Sysvol\<Domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\
(this GUID is the Default Domain Controllers Policy).
7. Open “GptTmpl.inf” in Notepad.
8. Navigate to “SeNetworkLogonRight” under [Privilege Rights] and make sure it contains the security identifiers for Administrators, Authenticated Users, Enterprise Domain Controllers and Everyone:
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-32-544,*S-1-5-11,*S-1-1-0

Figure 8: SeNetworkLogonRight entry

Remark: Administrators (S-1-5-32-544), Authenticated Users (S-1-5-11), Everyone (S-1-1-0) and Enterprise Domain Controllers (S-1-5-9) are well-known security identifiers that are the same in every domain; S-1-5-32-554 is the built-in Pre-Windows 2000 Compatible Access group. The value shown in Figure 8 omits *S-1-5-11, so add it if step 8 is to be followed literally.

9. Navigate to “SeDenyNetworkLogonRight” and remove every entry to the right of the “=” sign. A deny right overrides the allow right, so any SID left here that covers the domain controller (for example Everyone or Enterprise Domain Controllers) blocks access to SYSVOL even though it is also listed under SeNetworkLogonRight.

Figure 9: SeDenyNetworkLogonRight entry
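The checks in steps 8 and 9 can be run offline against a copy of GptTmpl.inf instead of eyeballing the file in Notepad. The following Python script is an added example and is not part of the original post or of KB837513. The two embedded templates are constructed samples (one with the defects the steps above fix, one after the fix), and the load_gpttmpl helper assumes the on-disk file is UTF-16 encoded, which is how the security template editor writes it.

```python
"""Offline sanity check of the Default Domain Controllers Policy security template.

Parses the [Privilege Rights] section of a GptTmpl.inf and reports whether the
SIDs that KB837513 expects in SeNetworkLogonRight are present and whether
SeDenyNetworkLogonRight is empty.  Deny rights override allow rights, so any
entry in the deny list that matches the domain controller blocks SYSVOL access.
"""
import configparser

# Well-known SIDs that must be allowed to log on from the network on a DC.
REQUIRED_NETWORK_LOGON_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
}

# Constructed sample (not taken from any real system): the allow list lacks
# Authenticated Users and the deny list contains Enterprise Domain Controllers.
BROKEN_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-32-544,*S-1-1-0
SeDenyNetworkLogonRight = *S-1-5-9
SeInteractiveLogonRight = *S-1-5-32-544
"""

# Constructed sample after applying steps 8 and 9.
FIXED_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeDenyNetworkLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544
"""


def parse_privilege_rights(text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of SeNetworkLogonRight etc.
    parser.read_string(text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for name, value in parser.items("Privilege Rights"):
            # Entries look like *S-1-5-9; the leading * marks a SID rather than a name.
            rights[name] = {part.strip().lstrip("*") for part in value.split(",") if part.strip()}
    return rights


def load_gpttmpl(path):
    """Read a GptTmpl.inf from disk (assumed UTF-16 with BOM, as secedit writes it)."""
    with open(path, encoding="utf-16") as handle:
        return parse_privilege_rights(handle.read())


def check_network_logon_rights(rights):
    """Return (required SIDs missing from the allow right, SIDs present in the deny right)."""
    allow = rights.get("SeNetworkLogonRight", set())
    deny = rights.get("SeDenyNetworkLogonRight", set())
    missing = sorted(sid for sid in REQUIRED_NETWORK_LOGON_SIDS if sid not in allow)
    return missing, sorted(deny)


def report(text):
    """Human-readable findings for one template."""
    missing, denied = check_network_logon_rights(parse_privilege_rights(text))
    lines = []
    for sid in missing:
        lines.append(f"missing from SeNetworkLogonRight: *{sid} ({REQUIRED_NETWORK_LOGON_SIDS[sid]})")
    for sid in denied:
        lines.append(f"remove from SeDenyNetworkLogonRight: *{sid}")
    return lines or ["SeNetworkLogonRight/SeDenyNetworkLogonRight look correct"]


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_GPTTMPL), ("fixed", FIXED_GPTTMPL)):
        print(label)
        for line in report(sample):
            print("  " + line)
```

Point load_gpttmpl at the path from step 6 to check the live file; the report lists exactly the edits steps 8 and 9 ask for, and an empty deny list is treated as the only correct state, as in KB837513.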

Method 4: Verify that the domain controller's userAccountControl attribute is 532480

10. Still on the domain controller, launch “ADSI Edit”.
11.     Expand “Domain > DC=contoso,DC=com > OU=Domain Controllers”.
12.     Right-click “CN=<DC Name>”, select “Properties”.
13.     Check “Show mandatory attributes”.
14.     Select “userAccountControl”, click “Edit”.
15. If the value is not 532480, type “532480” under “Value”.
16.     Click “OK”.

Figure 10: userAccountControl entry

Remark: 532480 (0x82000) is the default for a domain controller computer account: SERVER_TRUST_ACCOUNT (0x2000) combined with TRUSTED_FOR_DELEGATION (0x80000). A member server or workstation carries WORKSTATION_TRUST_ACCOUNT (0x1000) instead, and dcdiag's machine account test uses this attribute to decide whether the account is a DC account.

Reference:        http://support.microsoft.com/kb/305144
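Rather than blindly typing 532480, it helps to decode the value ADSI Edit shows and see which bit is wrong. The following Python script is an added example, not part of the original post; the flag names and values are the ones documented in KB305144 (referenced above), and the corrected_dc_uac approach of setting the required bits and clearing the conflicting ones, instead of overwriting the whole value, is this example's own suggestion.

```python
"""Decode and check a domain controller's userAccountControl value.

Bit names and values follow KB305144.  A DC's computer account should carry
SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION (0x2000 + 0x80000 = 532480);
a member server carries WORKSTATION_TRUST_ACCOUNT instead.
"""

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

DC_REQUIRED_BITS = (0x2000, 0x80000)          # SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
DC_FORBIDDEN_BITS = (0x0002, 0x0200, 0x1000)  # disabled, NORMAL_ACCOUNT, WORKSTATION_TRUST_ACCOUNT
DC_DEFAULT = 532480                           # 0x82000, the value KB837513 expects


def decode_uac(value):
    """Return the names of the flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def check_dc_uac(value):
    """Return a list of problems for a DC computer account (empty if it looks right)."""
    problems = []
    for bit in DC_REQUIRED_BITS:
        if not value & bit:
            problems.append(f"missing {UAC_FLAGS[bit]} (0x{bit:x})")
    for bit in DC_FORBIDDEN_BITS:
        if value & bit:
            problems.append(f"unexpected {UAC_FLAGS[bit]} (0x{bit:x})")
    return problems


def corrected_dc_uac(value):
    """Set the required DC bits and clear the conflicting ones, keeping any other bits."""
    required = 0
    for bit in DC_REQUIRED_BITS:
        required |= bit
    forbidden = 0
    for bit in DC_FORBIDDEN_BITS:
        forbidden |= bit
    return (value | required) & ~forbidden


if __name__ == "__main__":
    # Constructed sample values: the default DC, a DC whose account has been
    # turned into a workstation account, and a disabled DC account.
    for sample in (532480, 4096, 532482):
        print(sample, decode_uac(sample), check_dc_uac(sample), "->", corrected_dc_uac(sample))
```

A value of 4096 (WORKSTATION_TRUST_ACCOUNT only) is the typical shape of the "not a DC account" situation; corrected_dc_uac turns it back into 532480, while a DC that legitimately carries an extra bit such as DONT_EXPIRE_PASSWORD keeps it.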


Method 6: Reset the machine account password, and then obtain a new Kerberos ticket


17. Still on the domain controller, open the Services console (services.msc).

18. Navigate to “Kerberos Key Distribution Center” and stop the service.

Figure 11: Kerberos Key Distribution Center service

19. Launch a Command Prompt and enter the following command (the “*” after /passwordd: makes netdom prompt for the password instead of leaving it in the command history):
netdom resetpwd /server:<DC Name> /userd:domain\administrator /passwordd:*

Remark: If your domain has more than one domain controller, follow method 6 of KB837513 instead, which runs the command against another domain controller.

Reference: Using Netdom to reset a machine account password

20. Restart the domain controller.

As a result, the GPO error is gone and the computer account is fixed.

This posting is provided “AS IS” with no warranties, and confers no rights!

2 comments:

  1. Thanks for this wonderful post.
    I have also been having a similar problem (Event ID 1030 and 1058 on the DC and clients) for quite some time, after resetting the secure channel between DNS and AD through nltest /sc_change_pwd:domain

    Now my problem has been solved by this procedure.

  2. The same issue as the previous Anonymous.
    My problem has been solved too.
    Thanks!
