I made a similar mistake to "dcgpofix not working -getting ldap error" at
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22040225.html?sfQueryTermInfo=1+dcgpofix+ldap.
==========================
==========
==========
==========
==========
==========
=========
His Post
==========================
==========
==========
==========
==========
==========
=========
Title:dcgpofix not working -getting ldap error
Bookmark:
Question: today i denieid the apply group policy and the read permissions to the enterprise admins group for the default domain policy gpo with the hope of blocking certain settings from that group, what happened after was the gpo immediately went to "inaccessible", and the policies set to be applied across the domain were not applied tot the whole network. i deleted the link from the gpmc console then i went to the sysvol folder found the corresponding policy sid folder and gave the enterprise admin full control. i then ran the dcgpofix command and i am getting this error "could not open active directory object ldap:// etc" the specified sid id folder here have all the appropriate permissions. i need to know where else do i need to go to make changes so the command will follow through.
the default policy had some very important settings like the firewall on it so i recreated anothe rgpo linked it to the domain and put the settings on it, this works across the domain but if i go to the control panel/admin tools /domain security policy....................
......i get an error because the shorcut still points to the original folder, i changed this on one dc to reflect the new gpo i created. which it then opened the the gpo for modification.
i still need to restore the original default policy please help,,,,,,,,,,,,,,,my solution is only a temporary one.
==========================
==========
==========
==========
==========
==========
=========
My problem and how I got there
==========================
==========
==========
==========
==========
==========
=========
I was learning about group policies and setting them up. I know I made at least 2 big mistakes.
1 - I set the ipsec policy to require for the servers after I enrolled them for IPSec certificates.
I must have needed to fully explore and design an ipsec policy or some additional steps.
2 - I set ldap to require signing, again thinking that the certificates I enrolled for would work with this.
In the process I got locked out of almost everything. I was able to do a DCGPOFIX.exe, but only with the parameter /ignoreschemas. When doing so I saw a message that the policies did not match from the ones installed and the ones in the tool dcgpofix.exe. I decided that it was my best option to do so anyways and restored the emtpy GPO's. After a reboot or two I was back in. Some services such as DHCP server stopped working and some LSA messages showed up saying Unable to verify an Active Directory. From the post I relayed above, I saw a resolution to reapply permissions in ADUC -> Advanced View -> System>Policies. I went ahead and gave administrators, domain admins, and enterprise admins full control to play it safe. My guess is that I need to delegate control of the domain via Active DIrectory Sites and Services, but I'm still seeing Access is Denied.
Where can I go from here? I assume I might be able to dcpromo (to demote) both domain controllers, but I don't want to have to resetup more than perhaps I don't need to.
==========================
==========
==========
==========
==========
==========
=========
Additionally
==========================
==========
==========
==========
==========
==========
=========
Unfortunately, I did not make a backup after installing the Group Policy Management Tool of the schema I had prior to dcgpofix. If I create an empty policy to start rebuilding, will this take the dcgpofix.exe's model or what I assume the appropriate one I had prior?
Thank you
Start Free Trial
