I ran across an interesting bug with Windows Server 2019 today. I was running a routine new GPO creation task across multiple client server environments when I hit a nasty snag. When I tried to simply add a new Group Policy Object via the Group Policy Management Console, I was greeted with the following error:

The specified server cannot perform the requested operation.

I’ll admit this particular error threw me for a loop. I am particularly good at troubleshooting Windows Server issues and yet I spent almost three hours figuring this one out.

I started off by running my favorite AD health diagnostics tool and resolving any and all issues it found, but the issue persisted.

The most promising lead I had found in all my research was a Reddit article detailing the exact same issues I was having:

r/msp – Server 2019 Group Policy stops working after FSRM passive file screen on C: drive
5 votes and 12 comments so far on Reddit

When I checked the File Server Resource Manager on the server in question, though, there was no File Screen setup for the C:\ drive. There were a couple of screens for Shares ON the C:\ drive, but nothing covering the entire drive. Still though, I created an exemption for the SYSVOL folder and rebooted, but the issue persisted.

It wasn’t until much later that I ran across another article detailing some key factors that the Reddit article left out:

Can’t create or modify files inside a Junction on a Windows file share
This is caused by FSRM on 2019 and is definitely a bug…

If you read the only answer on that page, they detail the following key elements to resolving the GPO issue:

  1. Fixing the bug does NOT require uninstalling FSRM.
  2. You must make sure that there are NO screens setup for any file or folder on your system volume (Usually C:\)
  3. It does not matter if the screen is set to Passive
  4. It does not matter if you manually add exclusions at any level (to the junction, the share, etc.)
  5. It does not matter what the content of the file screens are
  6. Nothing is ever logged/alerted in FSRM

Sure enough, my issue was the fact that FSRM is installed by default on Server 2019 and by default, file screens are setup for any shares created on the DC. Since we had file shares that existed on the C:\ drive, it created screens for those. I simply had to remove any screens for anything on the C:\ drive and reboot and the issue was resolved.

Hope this helps someone else out there that may struggle with this before Microsoft finally gets it patched.

, , ,
Show Comments