JSI Tip 3354. Event log errors are generated each time the Default Domain Controllers policy is applied?


After you import the Basicdc.inf file in to the Default Domain Controllers Group Policy object ( GPO), errors are generated each time the policy is applied.

Application log:

        Event Type: Error
        Event Source: Userenv
        Event Category: None
        Event ID: 1000
        Date: 3/1/2000
        Time: 6:16:43 PM
        User: NT AUTHORITY\SYSTEM
        Computer: COMPUTERNAME
        Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure
        status code of (13). 

        Event Type: Warning
        Event Source: SceCli
        Event Category: None
        Event ID: 1202
        Date: 3/1/2000
        Time: 6:16:43 PM
        User: N/A
        Computer: COMPUTERNAME
        Description: Security policies are propagated with warning. 0xd : The data is invalid. Please look for
        more details in TroubleShooting section in Security Help. 

Winlogon.log:

        Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES.
        Error 13: The data is invalid. Error converting section File Security. 

Userenv.log:

        ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0xd.
Basicdc.inf references three environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%), that are only defined during the Dcpromo process.

To fix the problem:

1. Open a CMD prompt on the domain controller and type net share sysvol. Record the path that is returned.

2. Right-click My Computer and press Properties.

3. Select the Advanced tab.

4. Press Environment Variables.

5. In the System variables section, press New.

6. Type SYSVOL in the Variable Name box.

7. In the Variable Value box, type the path from step 1, without the last \sysvol.

8. Repeat this process to create the DSDIT and DSLOG variables, whose values can be obtained at:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

       Database log files path    REG_SZ    C:\WINNT\NTDS (Set DSLOG to C:\WINNT\NTDS) 
       DSA Working Directory      REG_SZ    C:\WINNT\NTDS (Set DSDIT to C:\WINNT\NTDS)
9. At a CMD prompt, type secedit /refreshpolicy machine_policy /enforce


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish