SceCli Event ID 1001 and UserEnv Event ID 1000 When Dfs Client Is Disabled (259398)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q259398 IMPORTANT: This article contains information about modifying the registry. Before you
modify the registry, make sure to back it up and make sure that you understand how to restore
the registry if a problem occurs. For information about how to back up, restore, and edit the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
Group Policies may not be applied and error messages similar to the following messages may be recorded in the Application log in Event Viewer:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 4/7/2000
Time: 4:25:40 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description:
Windows cannot access the registry information at \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (51).
Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1001
Date: 4/7/2000
Time: 4:30:46 AM
User: N/A
Computer: MYCOMPUTER
Description:
Security policy cannot be propagated. Cannot access the template. Error code = 3.
\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 4/7/2000
Time: 4:30:46 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description:
The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).
CAUSE
The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (DFS) client to make a connection, and a valid Domain name record in DNS. If the DFS client is disabled, the domain records are missing, or the DNS records are not being registered properly, the error messages are generated.
RESOLUTIONWARNING: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own
risk.
Check the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
DisableDFS: REG_DWORD: range: 0 or 1
0 = enabled; 1 = disabled
Default: 0
Make sure that the value is set to 0, enabling the Dfs client.
Also, File and Printer Sharing for Microsoft Networks must be enabled on the interface.
Verify the DNS Forward Lookup Zone has the correct A records for the domain name and domain controllers. For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
258213 Registration of gc._msdcs.DnsForestName Records Is Required
To ensure the DNS Records are being registered, verify the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RegisterDnsARecords
Data type: REG_DWORD
Default value: 1 (1=Enabled, 0=Disabled)
| Modification Type: | Major | Last Reviewed: | 11/20/2003 |
|---|
| Keywords: | kbDFS kberrmsg kbprb KB259398 |
|---|
|