Steve Rose asked:
Domain Controller Security Policy has been deleted from the file system

I am a network admin. I inherited this botched bag of @#$#, as do all admins in the first few months... Anyway.

The Domain Security and Domain Controller Security policies, which are accessed by clicking on [Start > Programs > Administrative Tools], have been deleted at the file system level.
When I try to access them I get an error message that it cannot access the files, and under Details it states that the files cannot be found. When a policy is created or modified via Active Directory for an OU, or one of the ones in question is opened from Administrative Tools, the file is actually stored in the [C:\WINNT\SYSVOL\domain\Policies] directory. These were at one time cleared out at the file system level.

My question is: how do I recreate these policy objects so they can be modified? Do I need to obtain an ADM file, or is there a command or utility that will do this for me?

I need to add a domain controller to the domain, but I am getting a permissions issue when I run DCPROMO, no matter what account I use, when it tries to modify the machine account and add it to the Domain Controllers group. I would love to trash this bag of tricks and set the domain up correctly, but it is not an option. All server upgrades are expected with no downtime and no user issues.

Steve
Scrose32@bellsouth.net
chicagoan:

Tried secedit, using the templates in <windoze dir>\security\templates?

secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log /verbose

Not sure if that works without the policy files in place...

Tried an undelete util?

Did they ever back the thing up?

>All server upgrades are expected with no down time and no user issues.
like the BBG upgrade went?
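Before applying any template, it helps to know exactly what is gone. The "Domain Security Policy" and "Domain Controller Security Policy" shortcuts open the Default Domain Policy and Default Domain Controllers Policy GPOs, which on every domain use the fixed GUIDs {31B2F340-016D-11D2-945F-00C04FB984F9} and {6AC1786C-016F-11D2-945F-00C04fB984F9}. Each GPO has two halves: a groupPolicyContainer object in AD (under CN=Policies,CN=System) and a folder of the same GUID under SYSVOL\<domain>\Policies holding gpt.ini and, for security settings, Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. The symptom in the question (the GPO is listed but "the files cannot be found") is the AD half present with the SYSVOL half missing. The following script is an added example, not code from the thread or from Microsoft; it assumes it runs from a later, domain-joined Windows box whose LDAP bind to an existing DC works, and checks that DC's SYSVOL share.

```powershell
# Added example (not from the original thread). Reports, for each default GPO,
# whether its AD object exists and which of its SYSVOL files are missing.
# Assumption: run as a domain user on a domain-joined Windows 7/2008 R2 or later
# host; it inspects whichever DC the LDAP RootDSE bind lands on.

$rootDse  = [ADSI]'LDAP://RootDSE'
$dnc      = [string]$rootDse.defaultNamingContext            # DC=corp,DC=example
$domain   = (($dnc -split ',DC=') -replace '^DC=', '') -join '.'  # corp.example
$dcFqdn   = [string]$rootDse.dnsHostName                      # DC we are bound to
$policies = "\\$dcFqdn\SYSVOL\$domain\Policies"

# Well-known GUIDs Windows assigns to the two default GPOs on every domain.
$defaults = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}
# Relative path of the security-settings template inside a GPO folder.
$secEditInf = 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

foreach ($guid in $defaults.Keys) {
    # AD half: the groupPolicyContainer object.
    $adPath   = "LDAP://CN=$guid,CN=Policies,CN=System,$dnc"
    $inAd     = [System.DirectoryServices.DirectoryEntry]::Exists($adPath)

    # SYSVOL half: folder, gpt.ini, and the SecEdit template.
    $dir = Join-Path $policies $guid
    $missing = @()
    if (-not (Test-Path -LiteralPath $dir)) {
        $missing += 'folder'
    } else {
        if (-not (Test-Path -LiteralPath (Join-Path $dir 'gpt.ini')))    { $missing += 'gpt.ini' }
        if (-not (Test-Path -LiteralPath (Join-Path $dir $secEditInf)))  { $missing += 'GptTmpl.inf' }
    }

    [pscustomobject]@{
        Policy        = $defaults[$guid]
        Guid          = $guid
        ObjectInAD    = $inAd
        SysvolMissing = if ($missing) { $missing -join ', ' } else { '(none)' }
    }
}
```

If ObjectInAD is True and SysvolMissing lists the folder, you are in the situation described in the question: the GPO still links and shows up in the AD snap-ins, but nothing can be edited because there is no gpt.ini to read or write. Check the other DCs' SYSVOL shares the same way, since a copy may survive on one that has not replicated the deletion.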
Steve Rose (asker):

No undelete utils in place.
No backups of that directory.
Have not tried the security templates. Will test in the lab this weekend.
I am not running any tests live here at work.
TooKoolKris:

So you can't make any modifications by getting to the GPO properties via the properties of any specific OU where a GPO is linked?

Nope, these policies are outside the scope of the OUs. These are the Domain Controller and Domain security policies. Nothing you do to the OUs in AD affects these policies.

What about the GPOs at the site level? Any there you can change, because they can lay a policy on domains within their sites? If you need to, there might be an option of creating a new site with new policies and then moving your domains into this site and forcing the domains to inherit their policies.
By the way, explain to your manager that if the expectation is to never be down, there should literally be a mirror server in place for every critical server in the infrastructure.
In fact a three-tiered infrastructure is necessary: DEVELOPMENT - TEST - PRODUCTION and PRODUCTION MIRROR, not to mention HSRP, redundant switches, BGP, hot sites, etc., etc.

OK, can someone from the real world of working with accountants and non-technical bean-counter managers please chime in? I am not a novice; I am also not going to spend $150K of my own money on their IT shop. I have worked for large companies such as Microsoft, i2 Technologies and Software Spectrum, among others, on contract. This is a small company with a small budget, no one with any real IT sense in management, and huge expectations. They hired some PhD in computer science for about 6 months, paid him way too much money, and got left with a disaster.

What I have been able to figure out is that the root cause of the actual permissions issues is an LDAP/DNS issue. The SRV records in DNS are not resolving the GUID records for the existing domain controllers, so the new server cannot authenticate the credentials for the domain admin user name and password. I loaded the Windows 2000 Server Resource Kit tools. I ran DSASTAT and all records contained in the AD on all the DCs match. DCDIAG fails on LDAP authentication and points to an error in the GUID records. I set up a lab at the house and was able to confirm these will FUBAR adding a DC. This can be resolved on my own accord.

What I am still left with is the remaining issue of the default "Domain Controller Security" and "Domain Security" links on the Administrative Tools program bar. The GPO in AD passes permissions down to these actual objects in AD, but the links to these in the Administrative Tools program bar bring up different ADM templates. There is probably little consequence to using the GPO objects, but I would like to get these reset to working as engineered. This is one of those odd things I do not know how to do, because it is one of those bone-headed things that probably isn't done or addressed often. I have co-workers, and the expectation is for these objects to work as designed. I know this sounds trivial, but they will not notice the hours of my own time spent getting this botched LDAP setup to work so I can add the domain controller. All they will see is what does not work.
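The DNS side of the DCPROMO failure described above comes down to two kinds of records that a new DC must be able to resolve for each existing DC: the locator SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that point at a DC by host name, and the DSA GUID CNAME record (<NTDS Settings objectGUID>._msdcs.<forest root>) that replication partners use to find a DC by its directory identity. The script below is an added example, not code from the thread or from DCDIAG; it assumes a domain-joined Windows 8/2012 or later host (for Resolve-DnsName) that can bind LDAP to an existing DC, and it checks the records for whichever DC that bind lands on. It also queries the DC's authoritative DNS directly rather than the local cache, so a stale client cache cannot mask a missing record.

```powershell
# Added example (not from the original thread). Resolves the DC locator SRV
# records and the DSA GUID CNAME for the DC we are bound to, and reports
# whether each answer actually names that DC.
# Assumption: run on a domain-joined Windows 8/2012+ host as a domain user.

$rootDse = [ADSI]'LDAP://RootDSE'
$dnToDns = { param([string]$dn) (($dn -split ',DC=') -replace '^DC=', '') -join '.' }
$domain  = & $dnToDns ([string]$rootDse.defaultNamingContext)     # corp.example
$forest  = & $dnToDns ([string]$rootDse.rootDomainNamingContext)  # forest root
$dcFqdn  = [string]$rootDse.dnsHostName                           # DC we bound to

# objectGUID of this DC's "NTDS Settings" object: the name of its GUID CNAME.
$ntds    = [ADSI]"LDAP://$([string]$rootDse.dsServiceName)"
$dsaGuid = $ntds.psbase.Guid

# Ask the DC's own DNS server first so client-side caching does not hide gaps.
$dnsServer = (Resolve-DnsName -Name $dcFqdn -Type A -DnsOnly -ErrorAction Stop |
              Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress

$checks = @(
    @{ Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_kerberos._tcp.dc._msdcs.$domain" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.pdc._msdcs.$domain" },
    @{ Type = 'CNAME'; Name = "$dsaGuid._msdcs.$forest" }
)

foreach ($c in $checks) {
    try {
        $answer  = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $dnsServer -DnsOnly -ErrorAction Stop
        # SRV answers carry NameTarget; CNAME answers carry NameHost. Resolve-DnsName
        # also returns glue A records, which have neither and are skipped.
        $targets = @($answer | ForEach-Object {
            if ($c.Type -eq 'SRV') { $_.NameTarget } else { $_.NameHost }
        } | Where-Object { $_ })
        [pscustomobject]@{
            Type    = $c.Type
            Record  = $c.Name
            NamesDC = ($targets -contains $dcFqdn)   # case-insensitive
            Targets = ($targets -join ', ')
        }
    } catch {
        [pscustomobject]@{
            Type    = $c.Type
            Record  = $c.Name
            NamesDC = $false
            Targets = "lookup failed: $($_.Exception.Message)"
        }
    }
}
```

A NamesDC of False on the CNAME row, with the SRV rows fine, is the pattern of a DC whose host records exist but whose GUID record was never registered or was scrubbed; the PDC-emulator SRV row matters because DCPROMO and the machine-account changes it makes go through that role holder. Because the records are dynamically registered by the Netlogon service, restarting Netlogon on the affected DC (or "nltest /dsregdns" on systems that have it) re-registers them, which is a good deal simpler than editing the zone by hand; confirm the result by re-running the script rather than trusting a cached answer.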
We're just lamenting the unrealistic expectations we all run into while we mull this over.
Dcgpofix.exe chokes too?
Sorry for the delay; it's that wife and kids and that 70-hour work week. I have been reading about DCGPOFIX.EXE and you may be onto something. I am testing it this morning. I have set up my own test 2000 domain at home. Of course I run Linux on all critical systems. I can get Red Hat 9 to work with AD but not another 2000 server. Isn't that a kick in the pants?
No go; this tool is for Windows 2003 DCs only. No mention of its use on a Windows 2000 domain.
I was able to get the EXE file from the 2003 Server CD. It will not run; I get a kernel error, as in it will not run on 2000 Server. It is installed on 2003 as part of the OS install, so there is not an add-on pack I can install to get this tool on the system.
Nope, that KB is how to reset, as in one already exists.
ASKER CERTIFIED SOLUTION: chicagoan (members-only content not reproduced on this page)