SceCli Event ID 1001 and UserEnv Event ID 1000 when DFS client is disabled

Article translations Article translations
Article ID: 259398 - View products that this article applies to.
This article was previously published under Q259398
Expand all | Collapse all

SYMPTOMS

Group Policies may not be applied and error messages similar to the following messages may be recorded in the Application log in Event Viewer:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 4/7/2000
Time: 4:25:40 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description: Windows cannot access the registry information at \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (51).

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1001
Date: 4/7/2000
Time: 4:30:46 AM
User: N/A
Computer: MYCOMPUTER
Description: Security policy cannot be propagated. Cannot access the template. Error code = 3. \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 4/7/2000
Time: 4:30:46 AM
User: NT AUTHORITY\SYSTEM
Computer: MYCOMPUTER
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).

CAUSE

The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (DFS) client to make a connection, and a valid Domain name record in DNS. If the DFS client is disabled, the domain records are missing, or the DNS records are not being registered properly, the error messages are generated.

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Check the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
DisableDFS: REG_DWORD: range: 0 or 1
0 = enabled; 1 = disabled
Default: 0
Make sure that the value is set to 0, enabling the Dfs client. Also, File and Printer Sharing for Microsoft Networks must be enabled on the interface.

Verify the DNS Forward Lookup Zone has the correct A records for the domain name and domain controllers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
258213 Registration of gc._msdcs.<DnsForestName> records in DNS Is required
To ensure the DNS Records are being registered, verify the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value: RegisterDnsARecords
Data type: REG_DWORD
Default value: 1 (1=Enabled, 0=Disabled)

Properties

Article ID: 259398 - Last Review: February 28, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbdfs kberrmsg kbprb KB259398

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com