Error message when you try to apply a policy setting to Windows Server 2003-based domain controllers and to other domain clients: "Configuration information could not be read from the domain controller"

Symptoms

In a domain environment, when you try to apply a Group Policy setting to Microsoft Windows Server 2003-based domain controllers and to other domain clients, the policy setting is not applied. When you try to access the Sysvol folder on a domain controller by using its fully qualified domain name (FQDN) in the form \\contoso.com\Sysvol, you may receive the following error message:
"Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied."
Note you can access the Sysvol folder by using the domain controller's IP address or the domain controller's NetBIOS name.

When this issue occurs, the following event messages may be logged every five minutes in the domain controllers' Application logs.
Event 1058
Event 1030
When you type the dfsutil /pktinfo command at a command prompt on the domain controller, you may see output that resembles the following.
Microsoft(R) Windows(TM) Dfs Utility Version 4.0
Copyright (C) Microsoft Corporation 1991-2001. All Rights Reserved.

--mup.sys--
1 entries...
Entry: \ contoso.com \sysvol
ShortEntry: \ contoso.com \sysvol
Expires in 300 seconds
UseCount: 0 Type:0x11 ( OUTSIDE_MY_DOM DFS )
0:[\ dc1.contoso.com\sysvol ] State:0x21 ( )
1:[\ dc2.contoso.com\sysvol ] State:0x21 ( )

DfsUtil command completed successfully.

Cause

This issue may occur if you have used the FQDNs of the domain controllers of the domain forest to create trust relationships between domain controllers in Active Directory Domains and Trusts.

Resolution

To resolve this issue, remove the domain controller entries from Active Directory Domains and Trusts. To do this, follow these steps:
  1. Click Start, type domain.msc, and then click OK to open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain that contains the trust entries that you want to remove, and then click Properties.
  3. Click the Trusts tab, click the trust entry for a domain controller that you want to remove, and then click Remove.
  4. Follow the instructions on the screen to remove the trust entry for the domain.
  5. Repeat steps 3 and 4 for other domain controller trust entries.
  6. Click OK to close the domain properties dialog box.
  7. Exit Active Directory Domains and Trusts.
  8. Restart all the domain controllers for which you removed the trust entries.

More Information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

888943 Event 1030 and event 1058 may be logged, and you may not be able to start the Group Policy snap-in on your Windows Small Business Server 2003 computer

Properties

Article ID: 935918 - Last Review: Jan 4, 2008 - Revision: 1

Feedback