Tuesday, January 03, 2006

Windows 2003 Group Policy

3 days after installing a brand new DC, I have heaps of event errors on my DC:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=X,DC=local. The file must be present at the location <\\X.local\sysvol\X.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.


This is very annoying for me. However, I found a solution via Google:


This is one problem with multihomed DCs. In order to cure this you need to do
a couple of things.

1. Set the binding order, by going into network properties Control panel, in
the Advanced menu select Advanced Settings. Make sure the internal NIC is at
the top of the connections list and the Client for MS networks and File
sharing are only bound on the internal interface.

2. You will need to make registry entries to stop the creation of the blank
records for the external interface for both the domain name and the global
catalog record. You will then have to manually create these two blank
records. There is a KB describing this but I'm unable to find it, but here is
the reg entry; you must use regedt32 to make this entry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

3. On the Interfaces tab of the DNS server properties set the DNS listener
address to the internal IP.

4. On an XP Client you need to upgrade the GPO by following this KB article
Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/?id=307900

What happens is DNS returns the IP of the external interface and file
sharing is not enabled on the interface and LDAP won't pass NAT.

Full Article: http://www.mcse.ms/message395201.html
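As an added example (not from the post or the quoted forum reply), a PowerShell script that checks the two symptoms described above on the DC: which address the domain name and the gc._msdcs record resolve to, and whether Netlogon has the DnsAvoidRegisterRecords entry for LdapIpAddress and GcIpAddress. It assumes PowerShell 3+ with the DnsClient module; the domain name and internal NIC address are placeholders.

```powershell
# Added check for the multihomed-DC symptom described in the post (not the
# post's or the forum reply's own code). Assumes PowerShell 3+ on the DC with
# the DnsClient module. $Domain and $InternalIp are placeholders to change.
param(
    [string]$Domain     = 'X.local',     # placeholder domain name as used in the post
    [string]$InternalIp = '192.0.2.10',  # constructed placeholder: the internal LAN NIC address
    [switch]$Apply                       # without -Apply the script only reports
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$wanted  = @('LdapIpAddress', 'GcIpAddress')   # the two values from the quoted fix

# 1. Which IPs do the domain name and the GC record currently resolve to?
#    Any address other than the internal NIC is the external/DMZ registration
#    that sends clients to SYSVOL and LDAP over an interface without file sharing.
foreach ($name in @($Domain, "gc._msdcs.$Domain")) {
    $ips = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } |
           Select-Object -ExpandProperty IPAddress
    if (-not $ips) { Write-Warning "$name has no A record"; continue }
    foreach ($ip in $ips) {
        if ($ip -eq $InternalIp) { Write-Output "$name -> $ip (internal, OK)" }
        else { Write-Warning "$name -> $ip is not the internal address; this is the record to suppress" }
    }
}

# 2. Is Netlogon told to stop registering those two records?
$current = (Get-ItemProperty -Path $regPath -Name DnsAvoidRegisterRecords `
            -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
$missing = $wanted | Where-Object { $_ -notin @($current) }
if (-not $missing) {
    Write-Output "DnsAvoidRegisterRecords already contains $($wanted -join ', ')"
}
elseif ($Apply) {
    # REG_MULTI_SZ: merge so any record types already suppressed are kept
    $newValue = @($current) + $missing | Where-Object { $_ } | Select-Object -Unique
    New-ItemProperty -Path $regPath -Name DnsAvoidRegisterRecords `
        -PropertyType MultiString -Value $newValue -Force | Out-Null
    Write-Output "Set DnsAvoidRegisterRecords = $($newValue -join ', ')"
    Write-Output "Now create the $Domain and gc._msdcs.$Domain A records for $InternalIp by hand"
}
else {
    Write-Warning "DnsAvoidRegisterRecords is missing: $($missing -join ', ') (re-run with -Apply to add)"
}
```

Run it once without -Apply to see which record points at the DMZ address, then with -Apply to add the registry values; the two internal A records still have to be created manually, as the quoted reply says.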

My DC has dual NICs, by the way: one for the internal LAN, the other one for the DMZ (only for virtual machines).
