userenv 1000 code 5 errors

Red Squirrel

No Lifer
May 24, 2003
69,860
13,425
126
www.anyf.ca
On a DC I get this error every 5 minutes:


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 9/26/2007
Time: 11:05:24 AM
User: NT AUTHORITY\SYSTEM
Computer: dc2
Description:
Windows cannot access the registry information at \\domain.loc\sysvol\domain.loc\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).


I've checked the sysvol permissions; I even tried temporarily adding "everyone" to NTFS and share permissions, simply to rule out permissions. I still got the errors; I removed that setting now. The permissions are mirrored with a working domain controller on a different domain using the same OS. The OS is Windows 2000 Terminal. There are 3 DCs; the other two do not get this error. I can access that file fine, and it matches the ones in the other sysvol folders of the other DCs.

On two of the DCs Exchange is also installed and we get tons of virtual memory fragmentation errors, but don't think that's related. The server is pooched, but reformatting is not yet an option, even though that would be the best solution at this point. I've done tons of research and will continue to do so, but thought I'd post so I can get more insight on this.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Wow, don't change permissions on sysvol.

Is the DFS service started on the DCs?
 

Red Squirrel

Yep, it's started. I also found that the value of IRPStackSize is set to 8 and the minimum for win2k is 8. I can't see how this would affect anything, but is that something that should be switched to 8?
 

Red Squirrel

Yep that works. DNS is fine as well. I can browse right up to that file and even open it with notepad, or copy it. I can also write to that folder. Did not want to touch that file so I did not try to write directly to it. When I go to that path, I actually see the other DC. I can tell by the disk space. There is only like 1GB left on the drive, can this cause issues like this? This is not a very healthy disk space to have, I know.
 

stash

Have you disabled any default services on the DCs? TCP/IP NetBios Helper?

Are there any errors in the file replication event log on the DCs?
 

Red Squirrel

Nope, there WERE file replication issues way back but those were rectified as far as I know. No default services were stopped/disabled that I know of. I know the Exchange MTA service had failed at one point and I had to go start it back up again.

But to double check, what are some vital services that should be running? When I go to work tomorrow I can double check that all of them are. But I'm pretty sure they should be on if they're supposed to.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Critical services on a DC include: dhcp client, distributed file system, dns client, dns server, file replication service, kerberos key distribution center, netlogon, RPC, TCP/IP NetBIOS helper, server, and windows time.
 

Red Squirrel

Yep, those are started and set to auto. DHCP is actually set to manual but it is started, so I'm guessing another service starts it.


More info. In FRS event viewer:


Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 8/21/2007
Time: 11:43:55 AM
User: N/A
Computer: dc2
Description:
The File Replication Service is having trouble enabling replication from dc3 to dc2 for c:\winnt\sysvol\domain using the DNS name dc3.domain.loc. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name dc3.domain.loc from this computer.
[2] FRS is not running on dc3.domain.loc.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Data:
0000: ba 06 00 00 º...



Also on this server in the userenv.log:

USERENV(158.d80) 08:47:21:737 ParseRegistryFile: CreateFile failed with 5
USERENV(158.d80) 08:47:21:752 ProcessGPORegistryPolicy: ParseRegistryFile failed.
USERENV(158.d80) 08:47:21:752 ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(158.d80) 08:47:21:752 ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.

This error matches the times of the userenv ones in the event viewer.


The userenv log on dc3 is as follows (not sure how recent this is though, as there are no dates, only times):



USERENV(178.17d0) 07:54:11:567 UnloadUserProfile: Failed to flush the current user key, error = 1016
USERENV(178.174) 09:07:42:578 UnloadUserProfile: received a NULL hProfile.
USERENV(11ac.1330) 09:10:10:117 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1470.1350) 15:17:15:323 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1808.1750) 23:14:11:466 LoadUserProfile: Failed to impersonate user with 5.
USERENV(178.174) 11:51:21:250 UnloadUserProfile: received a NULL hProfile.
USERENV(1210.12b0) 11:53:42:968 LoadUserProfile: Failed to impersonate user with 5.
USERENV(df4.d94) 15:40:58:244 LoadUserProfile: Failed to impersonate user with 5.
USERENV(162c.1640) 23:17:28:905 LoadUserProfile: Failed to impersonate user with 5.
USERENV(c54.c00) 13:50:47:911 LoadUserProfile: Failed to impersonate user with 5.
USERENV(178.174) 09:59:19:921 UnloadUserProfile: received a NULL hProfile.
USERENV(1038.1108) 10:00:47:711 LoadUserProfile: Failed to impersonate user with 5.
USERENV(117c.1050) 16:27:21:465 LoadUserProfile: Failed to impersonate user with 5.
USERENV(254.142c) 23:19:10:389 LoadUserProfile: Failed to impersonate user with 5.



There's little to no info online about this log, it seems.
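
The userenv.log lines quoted in the post above, run through a small parser (an added example, not part of the original thread). It assumes the prefix in parentheses is the process ID and thread ID in hex; `parse_line`, `summarize` and `first_failure_per_thread` are names chosen for this example.

```python
import re
from collections import Counter
# Status codes seen in the log lines quoted in this thread (standard Win32/HRESULT names).
CODES = {5: "ERROR_ACCESS_DENIED", 1016: "ERROR_REGISTRY_IO_FAILED",
         0x80004005: "E_FAIL"}

# Assumed layout: USERENV(<pid hex>.<tid hex>) HH:MM:SS:mmm <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d\d:\d\d:\d\d:\d{3})\s+(?P<func>\w+):\s+(?P<msg>.*)$", re.I)
# Trailing status forms on the page: "with 5", "error = 1016", "status 0x80004005."
CODE_RE = re.compile(r"(?:with|error =|status)\s+(0x[0-9a-f]+|\d+)\.?\s*$", re.I)

def parse_line(line):
    """Return a dict for one userenv.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"], 16), int(rec["tid"], 16)
    c = CODE_RE.search(rec["msg"])
    text = c.group(1) if c else None
    rec["code"] = int(text, 16 if text.lower().startswith("0x") else 10) if text else None
    rec["code_name"] = CODES.get(rec["code"])
    return rec

def summarize(lines):
    """Count (function, status name) pairs for lines that carry a status code."""
    recs = [r for r in map(parse_line, lines) if r and r["code"] is not None]
    return Counter((r["func"], r["code_name"] or hex(r["code"])) for r in recs)

def first_failure_per_thread(lines):
    """Map (pid, tid) to the first coded failure on that thread: the root of the chain."""
    roots = {}
    for r in filter(None, map(parse_line, lines)):
        if r["code"] is not None:
            roots.setdefault((r["pid"], r["tid"]), r)
    return roots

# Lines copied from the dc2 and dc3 logs quoted in the thread above.
SAMPLE = """\
USERENV(158.d80) 08:47:21:737 ParseRegistryFile: CreateFile failed with 5
USERENV(158.d80) 08:47:21:752 ProcessGPORegistryPolicy: ParseRegistryFile failed.
USERENV(158.d80) 08:47:21:752 ProcessGPOList: ProcessGPORegistryPolicy failed.
USERENV(158.d80) 08:47:21:752 ProcessGPOs: Extension Registry ProcessGroupPolicy failed, status 0x80004005.
USERENV(178.17d0) 07:54:11:567 UnloadUserProfile: Failed to flush the current user key, error = 1016
USERENV(11ac.1330) 09:10:10:117 LoadUserProfile: Failed to impersonate user with 5.
USERENV(1470.1350) 15:17:15:323 LoadUserProfile: Failed to impersonate user with 5.
""".splitlines()
```

On the dc2 lines, the first coded failure on thread 158.d80 is ParseRegistryFile with status 5 (access denied), matching the "(5)" in the Event ID 1000 description; the later lines on that thread are the same failure propagating up to the generic 0x80004005.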

 

Red Squirrel

Those settings were fine, I also tried changing the policy as noted, and no go.

I also tested replication of policies and that is working fine. I also tried file replication in the sysvol and it's fine as well (considering AD uses that to replicate in first place). I created a file, it replicated, I created another on the other machine, then the other, and they all replicate properly from/to either machine. So that part is working fine. We did have an issue with it in the past though.
 

stash

"I also tried file replication in the sysvol and it's fine as well (considering AD uses that to replicate in first place)"
No it doesn't. FRS uses AD to replicate though.

For the problem, have you checked the user rights on the DCs? Bypass Traverse Checking is an important one:

To verify that the Bypass traverse checking right has been granted on a Windows Server 2003-based domain controller, follow these steps:
1. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
2. Expand Local Policies, and then click User Rights Assignment.
3. Double-click Bypass traverse checking.
4. Click to select the Define these policy settings check box.
5. Verify that the Administrators, Authenticated Users, Everyone, and Pre-Windows 2000 Compatible Access groups are listed for this policy setting. If any of these groups are missing, follow these steps:
a. Click Add User or Group.
b. In the User and group names box, type the name of the missing group, and then click OK.

6. Click OK to close the policy setting.
7. Start a command prompt. To do this, click Start, click Run, type cmd in the Open box, and then click OK.
8. Type gpupdate /force, and then press ENTER.
 

Red Squirrel

Yeah, bypass traverse checking is set fine. I'm trying to find a way to actually run an app as nt authority so I can try to access \\domain\sysvol. There's a trick with the "at /interactive" command but it does not seem to work over an RDP connection. The app is probably popping up right at the logon screen on the server. Thankfully I was able to terminate it.