Win 2008 servers can't access sysvol or netlogon partition on Windows 2012 domain controllers

I have a small Windows 2012 domain that includes 3 Win 2008 servers and 8 Windows 2012 servers. None of the 2012 servers have an issue connecting with AD or viewing \\<domain controller>\netlogon or \\<domain controller>\sysvol in Windows Explorer.

If I try to do the same thing from the Win 2008 servers though, I get prompted for a username/password and even with a valid password supplied I get an "Access Denied" error.

I can otherwise ping the domain controllers, access the C: drive via the admin share (c$), users authenticate with no issue. If I manually drill down from the admin share (C$) I can get into the sysvol folders and browse them.

Running gpupdate from a 2008 server generates this message:

"The processing of group policy failed. Windows attempted to read the file \\xxx\sysvol\xxx\Policies\{long string}\gpt.ini from a domain controller and was not successful. Group policy settings may not be applied until this event is resolved."

Using Windows Explorer and \\domain controller\c$, though, from the 2008 server, I can drill down and find that gpt.ini file and open it and edit it if I want.

Running rsop.msc generates the message "Unable to generate RSoP Data. In logging mode, likely causes are group policy has never successfully processed for the computer or user, RSoP logging was never enabled, or data is corrupt. In planning mode, verify that the selected domain controllers supports RSoP"

Running rsop.msc from any 2012 server runs without problem however, so it appears the domain controllers support it.

I'm stumped - any suggestions?

Paul


  • Edited by PaulGreene Thursday, September 03, 2015 3:17 AM
September 3rd, 2015 2:07am

Hi,

First, check the firewall settings across the sites for the domain controllers. Second, check the TCP/IP settings on each DC, like the DNS settings etc. Do an nslookup and see if it resolves to your domain name. Once everything is checked from the network side, provide the output of the following commands.

Upload the output of the commands to a common location like OneDrive.

Repadmin /SHOWREPL

Repadmin /replsum /errorsonly

DCDIAG /v /c /d /e /s:contoso.com (FQDN of domain)

September 3rd, 2015 10:10am
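The checks in the reply above (name resolution, share access, repadmin and dcdiag output saved rather than pasted) collected into one script, as an added example that is not part of the thread. It is written for PowerShell 2.0 so it runs on the affected Windows 2008 servers (no Resolve-DnsName or Test-NetConnection). The domain name, the DC names and the output folder are assumed values to replace.

```powershell
# Added example, not code from the thread: a PowerShell 2.0-compatible triage script
# to run on one of the affected Windows 2008 member servers. It resolves the domain
# and each DC, reproduces the share-access symptom against C$, SYSVOL and NETLOGON,
# and writes repadmin/dcdiag output to files for sharing instead of pasting it here.
# Domain name, DC names and output folder are assumed values; replace them.
param(
    [string]   $Domain = "contoso.com",                            # assumed
    [string[]] $DCs    = @("dc1.contoso.com", "dc2.contoso.com"),  # assumed
    [string]   $OutDir = "C:\Temp\dc-triage"                       # assumed
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# 1. Name resolution. The domain name itself must resolve to DC addresses, and the
#    _ldap._tcp.dc._msdcs SRV record is what clients use to locate a DC. nslookup is
#    used because Resolve-DnsName does not exist on Windows 2008 / PowerShell 2.0.
"== DNS =="
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
    "$Domain -> $($addrs -join ', ')"
} catch {
    "FAIL: $Domain does not resolve: $($_.Exception.Message)"
}
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-File (Join-Path $OutDir "srv.txt")
"SRV lookup saved to $(Join-Path $OutDir 'srv.txt')"

# 2. Share access. The pattern in the question is C$ OK but SYSVOL/NETLOGON denied;
#    if C$ fails too, the problem is SMB or the firewall rather than the shares.
foreach ($dc in $DCs) {
    "== $dc =="
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
        "  resolves to $($ip -join ', ')"
    } catch {
        "  FAIL: $dc does not resolve: $($_.Exception.Message)"
        continue
    }
    foreach ($share in @('C$', 'SYSVOL', 'NETLOGON', "SYSVOL\$Domain\Policies")) {
        $path = "\\$dc\$share"
        try {
            $n = @(Get-ChildItem -Path $path -ErrorAction Stop).Count
            "  OK   $path ($n entries)"
        } catch {
            "  FAIL $path : $($_.Exception.Message)"
        }
    }
}

# 3. Replication and DC health, saved to files. dcdiag /v output contains names,
#    SIDs and addresses that should not go on a public forum. repadmin and dcdiag
#    ship with the AD DS role / RSAT, so this step is skipped where they are absent.
$tools = @(
    @{ Name = "showrepl"; Cmd = "repadmin"; Args = @("/showrepl") },
    @{ Name = "replsum";  Cmd = "repadmin"; Args = @("/replsum", "/errorsonly") },
    @{ Name = "dcdiag";   Cmd = "dcdiag";   Args = @("/v", "/c", "/d", "/e", "/s:$($DCs[0])") }  # /s: names a DC to start from
)
foreach ($t in $tools) {
    if (Get-Command $t.Cmd -ErrorAction SilentlyContinue) {
        $out = Join-Path $OutDir ($t.Name + ".txt")
        & $t.Cmd $t.Args 2>&1 | Out-File $out
        "wrote $out"
    } else {
        "skipped $($t.Cmd): not installed on this host"
    }
}
```

Run it as `.\dc-triage.ps1 -Domain yourdomain.tld -DCs dc1,dc2` from an elevated prompt on a 2008 server that shows the symptom, then compare the share section against the same run from a 2012 server: the two hosts resolving the DCs to different addresses, or C$ opening while SYSVOL fails on only one host, narrows the fault to that host's path to the DC rather than to the DCs.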

There are no errors in the first two.

The output from dcdiag was extensive, so I don't want to post it here (that output includes a lot of sensitive information anyway; it would be foolish to post it all on a public forum where anybody can read it).

I'll just post stuff about the failed tests:

Starting test: DFSREvent. The event log DFS replication on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test DFSREvent

Starting test: KCCEvent. The event log directory server on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test KccEvent

Starting test: Systemlog. The event log system on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test Systemlog

A bunch of tests failed with Record registration where it queried the list of root-servers.net, which is probably as it should be because those root servers shouldn't be directly accessible inside this network and private IP addresses are used anyway.

The DNS tests failed under the forw column (passed on auth, basic, del, dyn, rreg).


(edit - The RPC server IS actually running on domain.controller2)
  • Edited by PaulGreene Thursday, September 03, 2015 7:34 PM
September 3rd, 2015 7:26pm

Hi,

Have you checked that the RPC port is listening for both TCP & UDP? Also provide the output of the following command:

REPADMIN /REPLSUM /Errorsonly

September 4th, 2015 8:41am

The repadmin command didn't generate any errors, both the "fail" column and the "errors" column were 0.

One domain controller, the primary, is listening on RPC ports 80, 135, 443, 445, and 593.

The other domain controller is listening on RPC ports 135, 445, 593, but not on 80 and 443.

September 4th, 2015 5:47pm

Ports 80 & 443 are for HTTP & HTTPS requests, so that's fine. Have you tried checking with the port query command, for both TCP & UDP, for the RPC error?

portqry -n IpaddressofDC -e 135 -p both

September 7th, 2015 12:27am
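A stand-in for the `portqry -n <dc> -e 135 -p both` check suggested above, plus the two reads that tell you whether RPC works past the endpoint mapper, as an added example that is not part of the thread. portqry is a separate download; this uses only .NET sockets and cmdlets present in PowerShell 2.0 on Windows 2008. The DC names are assumed values. It also goes a step beyond the reply: port 135 answering only proves the endpoint mapper is reachable, so the script additionally performs a remote event-log read (the kind of operation the failing dcdiag *Event tests do) and a WMI query over DCOM, which is redirected from 135 to a dynamic high port and therefore fails when only 135 is open on a firewall.

```powershell
# Added example, not code from the thread: a PowerShell 2.0-compatible stand-in for
# "portqry -n <dc> -e 135 -p both", plus two checks that show whether RPC works
# past the endpoint mapper. DC names are assumed values; replace them.

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "FILTERED (no SYN/ACK or RST within $TimeoutMs ms; something is dropping it)"
        }
        $client.EndConnect($ar)     # throws if the host answered with RST (refused)
        return "LISTENING"
    } catch {
        return "NOT LISTENING ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Test-UdpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    # UDP has no handshake, so only three states are distinguishable, the same ones
    # portqry reports: a reply = LISTENING; an ICMP port-unreachable (surfaces as
    # ConnectionReset on Windows) = NOT LISTENING; silence = LISTENING or FILTERED.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Computer, $Port)
        $probe = [System.Text.Encoding]::ASCII.GetBytes("probe")
        [void]$udp.Send($probe, $probe.Length)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        [void]$udp.Receive([ref]$from)
        return "LISTENING (got a reply)"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            switch ("$($ex.SocketErrorCode)") {
                "TimedOut"        { return "LISTENING or FILTERED (no reply, no ICMP unreachable)" }
                "ConnectionReset" { return "NOT LISTENING (ICMP port unreachable received)" }
            }
        }
        return "ERROR ($($ex.Message))"
    } finally {
        $udp.Close()
    }
}

function Test-RpcPastEndpointMapper {
    param([string]$Computer)
    # Remote event-log read over RPC: reproduces "0x6ba The RPC server is unavailable"
    # outside dcdiag. WMI over DCOM contacts the endpoint mapper on 135 and is then
    # redirected to a dynamic port (49152-65535 by default on 2008/2012), so it
    # fails when a firewall between the hosts allows 135 but not that range.
    $r = @{}
    try {
        $null = Get-EventLog -ComputerName $Computer -LogName System -Newest 1 -ErrorAction Stop
        $r["eventlog"] = "OK"
    } catch { $r["eventlog"] = "FAIL ($($_.Exception.Message))" }
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $r["wmi"] = "OK ($($os.Caption))"
    } catch { $r["wmi"] = "FAIL ($($_.Exception.Message))" }
    return $r
}

$DCs = @("dc1.contoso.com", "dc2.contoso.com")   # assumed names
foreach ($dc in $DCs) {
    "== $dc =="
    foreach ($p in 135, 445, 389, 88, 53) {
        "  tcp/$p : " + (Test-TcpPort -Computer $dc -Port $p)
    }
    "  udp/135 : " + (Test-UdpPort -Computer $dc -Port 135)
    $rpc = Test-RpcPastEndpointMapper -Computer $dc
    "  remote event log over RPC : " + $rpc["eventlog"]
    "  WMI over DCOM (135 + dynamic port) : " + $rpc["wmi"]
}
```

Run it from the 2008 server that shows the symptom and again from a 2012 server that does not. A DC that reports tcp/135 LISTENING but WMI FAIL from one host only is the signature of a firewall or filter between that host and the DC that passes the endpoint mapper but not the dynamic RPC range, which is consistent with dcdiag's event-log tests failing while the RPC service itself is running on the DC.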
