Win 2008 servers can't access sysvol or netlogon partition on Windows 2012 domain controllers

I have a small Windows 2012 domain that includes 3 Win 2008 servers and 8 Windows 2012 servers. None of the 2012 servers have an issue connecting with AD or viewing \\<domain controller>\netlogon or \\<domain controller>\sysvol in Windows Explorer.

If I try to do the same thing from the Win 2008 servers though, I get prompted for a username/password and even with a valid password supplied I get an "Access Denied" error.

I can otherwise ping the domain controllers, access the C: drive via the admin share (c$), users authenticate with no issue. If I manually drill down from the admin share (C$) I can get into the sysvol folders and browse them.

Running gpupdate from a 2008 server generates these messages:

"The processing of group policy failed. Windows attempted to read the file  \\xxx\sysvol\xxx\Policies\{long string}\gpt.ini from a domain controller and was not successful. Group policy settings may not be applied until this event is resolved."

Using Windows Explorer and \\domain controller\c$, though, from the 2008 server, I can drill down and find that gpt.ini file and open it and edit it if I want.

Running rsop.msc generates the message "Unable to generate RSoP Data. In logging mode, likely causes are group policy has never successfully processed for the computer or user, RSoP logging was never enabled, or data is corrupt. In planning mode, verify that the selected domain controllers supports RSoP"

Running rsop.msc from any 2012 server runs without problem however, so it appears the domain controllers support it.

I'm stumped - any suggestions?

Paul


  • Edited by PaulGreene Thursday, September 03, 2015 3:17 AM
September 3rd, 2015 2:07am

There are no errors in the first two.

The output from dcdiag was extensive, so I don't want to post it here (that output includes a lot of sensitive information anyway; it would be foolish to post it all on a public forum where anybody can read it).

I'll just post stuff about the failed tests:

Starting test: DFSREvent. The event log DFS replication on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test DFSREvent

Starting test: KCCEvent. The event log directory server on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test KccEvent

Starting test: Systemlog. The event log system on server domain.controller2.info could not be queried, error 0x6ba "The RPC server is unavailable" - failed test Systemlog

A bunch of tests failed with Record registration where it queried the list of root-servers.net, which is probably as it should be because those root servers shouldn't be directly accessible inside this network and private IP addresses are used anyway.

The DNS tests failed under the forw column (passed on auth, basic, del, dyn, rreg).


(edit - The RPC server IS actually running on domain.controller2)
  • Edited by PaulGreene Thursday, September 03, 2015 7:34 PM
September 3rd, 2015 7:26pm

If anyone is still following this thread, the issue turned out to be a GPO that was configured to harden UNC pathnames in response to MS15-011 and MS15-014.

(I still can't copy and paste to this forum - google search on the string "issues caused by UNC hardening" and it's the first link in the search results)

I disabled the GPO, had to unjoin and then rejoin the servers to the domain to get them speaking with Active Directory again. Still don't know why only the 2008 servers had issues and not the 2012 servers though.

  • Marked as answer by PaulGreene 3 hours 57 minutes ago
September 14th, 2015 11:06pm
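To match the "Access Denied" on SYSVOL/NETLOGON against the UNC hardening policy named in the answer above, here is an added PowerShell check (not from the thread or from Microsoft). It reads the HardenedPaths policy values that the MS15-011/MS15-014 GPO writes on a client and tests reachability of the logon DC's SYSVOL and NETLOGON shares; it assumes it is run on the affected member server with local administrator rights.

```powershell
# Added example: report the UNC hardening policy applied to this machine and
# test the domain shares it protects. Assumes local admin rights on the member
# server and that the logon server (from $env:LOGONSERVER) is a domain controller.
$hardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedUncPath {
    # Each value name is a UNC pattern such as \\*\SYSVOL; its data is a
    # comma-separated flag list such as "RequireMutualAuthentication=1, RequireIntegrity=1".
    if (-not (Test-Path -LiteralPath $hardenedPathsKey)) {
        Write-Warning 'No HardenedPaths policy present: UNC hardening is not configured by GPO here.'
        return
    }
    $item = Get-Item -LiteralPath $hardenedPathsKey
    foreach ($name in $item.GetValueNames()) {
        $raw   = [string]$item.GetValue($name)
        $flags = @{}
        foreach ($pair in ($raw -split ',')) {
            $k, $v = ($pair.Trim() -split '=', 2)
            if ($k) { $flags[$k] = $v }
        }
        [pscustomobject]@{
            Path                        = $name
            RequireMutualAuthentication = $flags['RequireMutualAuthentication']
            RequireIntegrity            = $flags['RequireIntegrity']
            RequirePrivacy              = $flags['RequirePrivacy']
            Raw                         = $raw
        }
    }
}

function Test-DomainShare {
    # Probe SYSVOL and NETLOGON on the DC that authenticated this session.
    param([string]$Dc = $env:LOGONSERVER.TrimStart('\'))
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $unc = "\\$Dc\$share"
        [pscustomobject]@{
            Path      = $unc
            Reachable = (Test-Path -LiteralPath $unc)
        }
    }
}

Get-HardenedUncPath | Format-Table -AutoSize
Test-DomainShare    | Format-Table -AutoSize
```

A server that lists hardened \\*\SYSVOL and \\*\NETLOGON entries but reports Reachable=False for both is consistent with the symptom in this thread, while a 2012 server with the same entries and Reachable=True shows the policy itself is not the only variable.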

Hi,

Thanks for sharing the article; it will be useful to everyone.

September 14th, 2015 11:38pm
