No announcement yet.

Constant 1030 / 1058 errors - W2003 (Solved)

  • Filter
  • Time
  • Show
Clear All
new posts

  • Constant 1030 / 1058 errors - W2003 (Solved)

    Good Day,

    I have spent the last three weeks in a nightmarish fight with my network. The main cause was an inability for servers and workstations to access the Default Domain Policy in SYSVOL. I made notes throughout the ordeal and wanted to share them in case someone else experiences the same issues. is the first place I check when I encounter issues and I hope this can help someone else.

    We have three W2000, two W2003, and two W2008 servers. Fully patched and with latest SP. We have 15 users in our office running WinXP and Win7. Server6 was our Primary DC and the one we had the issues with.

    It started with users reporting painfully slow boot times (35 - 45 minutes sitting at the "Loading Computer Settings" screen) and sporadic inability to access some network resources. Our satellite office connecting over our VPN reported huge wait times for file transfers and remote file folder access. If I unplugged the workstation from the network before booting, it came up in a few minutes. I found a series of paired 1030 / 1058 errors in Server6 Event Viewer like this:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1030
    Date: 8/28/2011
    Time: 8:19:45 PM
    Computer: SERVER6
    Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1058
    Date: 8/28/2011
    Time: 8:19:45 PM
    Computer: SERVER6
    Windows cannot access the file gpt.ini for GPO CN={31B2F340-0000-11D2-945F-00D04FB984FC},CN=Policies,CN=System,DC=DOMAIN,DC=l ocal. The file must be present at the location <\\DOMAIN.local\sysvol\DOMAIN.local\Policies\{31B2 F340-0000-11D2-945F-00D04FB984FC}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

    If I ran GPUpdate /force on a server or workstation I would see more paired errors. I was able to access the SYSVOL share from the servers and workstations in WIndows Explorer without issue.

    I found a series of articles on and found that 75% of the time if I ran the following script:

    Dfsutil /purgemupcache
    Dfsutil /pktflush
    Dfsutil /spcflush
    IPCONFIG /RegisterDNS
    GPUpdate /force

    The GPUpdate /force would work, the errors vanished and the policies would update. If the above script did not work, I would go into SYSVOL shared permissions and delselect any of the permissions, apply, then reselect whatever I changed and apply again. Then I would run GPUpdate /force and it would usually work. (Note: I had already checked that proper SYSVOL permissions were being applied as seen here:

    However, 4 - 12 hours later I would see the errors return in Event Viewer.

    I ran SFC /scannow on all DC's.

    Based on articles I found. I added an exception in Symantec EndPoint Security to not scan the SYSVOL or any sub-folders. Still had the same issue with the errors returning.

    I brought in a consultant to review our network and he checked DNS, AD and DFS / FRS Replication. All was fine. He created a new DC and promoted it looking for errors and found none. He suggested deleting and rebuilding the Default Domain Policy and this was done. We were still getting the errors so he suggested opening up a case with Microsoft.

    Case opened and the MS tech ran a series of diagnostics to locate the issue. Again the DNS, AD, DFS / FRS was checked successfully. I was sent this KB article which we followed line by line for fault finding.

    Took a while with several server reboots and monitoring in-between, but we eventually worked our way through the entire article without any improvement. We still had the 1030 / 1058 errors.

    Microsoft tech suggested we set SMB signing on the local security policy and finally this made a difference. The 1030 / 1058 errors disappeared and the network and boot times really sped up. Then I discovered the W2000 servers could not access the file shares on the W2003 and W2008 servers. The Microsoft tech recommended I upgrade those servers to the latest OS, but as our software will not run on W2008 I simply amended the W2000 server registries to use SMB signing and that problem disappeared after 15 min of so.

    I left the network for 24 hours to monitor and found the errors had returned the next morning. The MS tech (quite frustrated by the lack of progress by this time) could only think of transferring the DC powers listed in a NETDOM QUERY over to another DC. This was done, all servers were rebooted and for the last 48 hours we have not had a single 1030 / 1058 error.

    I have no idea what started the issue in the first place. Again, I hope documenting this helps someone.

  • #2
    Re: Constant 1030 / 1058 errors - W2003 (Solved)

    Thanks for an excellent, and very comprehensive, report.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **