Multi-homed Domain controller logs Event ID 1030 and 1058
Sam McGeownI recently had an issue where a hosting environment was registering a lot of Netlogon Event 1030/1058 issues, being unable to find the Group Policy objects or download them. In this example, the server DC is the domain controller for DOMAIN.LCL.
_Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 10/09/2009
Time: 06:24:29
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. For more information, see Help and Support Center at_ http://go.microsoft.com/fwlink/events.asp.
_Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 10/09/2009
Time: 06:24:29
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DOMAIN,DC=LCL. The file must be present at the location <\DOMAIN.LCL\sysvol\DOMAIN.LCL\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator. ). Group Policy processing aborted. For more information, see Help and Support Center at_ http://go.microsoft.com/fwlink/events.asp.
On the affected machines, when navigating to \DOMAIN.LCL there were no shares available, however navigating to \DC shows the NETLOGON and SYSVOL shares. Pinging DOMAIN.LCL and then the DC showed that the IP addresses were not the same as expected, DOMAIN.LCL was resolving to the backup network, whereas DC was resolving to the servers LAN IP.
I checked the DNS records for the server, which were correct. Investigating the adaptor binding settings under Control Panel > Network Connections > Advanced > Advanced Settings showed that the backup network’s adaptor was first in the list. I moved the adaptor for the LAN to the top of the list and OK’d my way out. I restarted the NETLOGON service and the issue was solved.
Windows servers have never been particularly good at being multi-homed, especially domain controllers. My advice comes from some bitter experience…
- If you have multiple network adaptors for extra bandwidth/redundancy/resiliance, then I would strongly recommend using Teamed adaptors, most of the major manufacturers' drivers and management software support it. This will eliminate any issues with multi-homing because as far as the server is concerned, it has one adaptor.
- If you have multiple network adaptors for different network segments and you're using RRAS to route between them, I would strongly suggest not using a Domain Controller at all for this purpose. Better yet, buy a hardware router.
- If you have multiple network adaptors for different purpose networks (e.g. a LAN, a backup network and an iSCSI network) then make sure you do the following:
- Disable "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on all but the LAN adaptor.
- Ensure that your LAN adaptor is the FIRST adaptor in the bindings in the advanced network settings.
Hope that helps!