unisolutions asked:
Default Domain Policy

Gee what a mess...

Got this "new" client who's been looked after by clowns.
Where should I start...

- DCDiag full of errors
- AD replication ok between 2003 and 2008 but fails between 2008 and 2008
- AD Site and Services still refers to old accounts
- DNS not configured
- GPO not applying to some machines
- GPO can be edited from 2008 DC but can't from 2003 DC
- "Default Domain Policy" is blank, and replaced by another "Company Default Policy" which has weird settings, etc.

I'll start with rebuilding the GPO and cleaning up the AD Schema. As the Default Domain Policy is blank, I need to recreate it from scratch... (and of course there was no backup until now).

My question: is there a "default" Default Domain Policy I can download and apply? Or should I just build a lab environment, write down all the settings and create these in the live environment? Or is there a procedure from Msoft to recreate this GPO from a template somewhere?
ASKER CERTIFIED SOLUTION
Mike Kline
[solution text not shown on this page]
If there's no reason not to configure your DNS as Active Directory-Integrated zones, configure DNS as ADIZ zones on all your DCs (Win2k3 and Win2k8). This may solve some of your problems, such as replication.
GPO can be edited by Win2k8 but not Win2k3: there are some GPO settings that cannot be viewed or edited from Win2k3 but only from Vista or Win2k8, such as wired auto-authentication. GPOs configured with Group Policy Preferences can also only be managed from Vista and Win2k8, not Win2k3. So you should be managing your GPOs with the later version of the OS.
GPO not applying to some machines: if the GPO is configured in the Computer Configuration settings, just make sure the GPO is linked to the OU the computer is in and is not being blocked by blocked inheritance.
unisolutions (ASKER):
Thanks MKLine, does Dcgpofix.exe rebuild based on a backup (I have none) or will it recreate based on "Msoft Recommended" kind of thing ?

As for Xchg, that's about the only thing that works really well (Xch07 on Win2008).

@Americom, DNS reconfig will be my next step, ADIZ is already done...  No blocking of inheritance or anything, and no Vista computers on the park, the GPO that cannot be edited are for instance folder redirection for mydocs.
"dcgpofix" does not need any backup. It will set the default GPOs back to the state they were in when your domain was created. It will not touch any custom-made GPOs, only the two mkline mentioned.

DNS is the first thing you should fix. Start > run > dcdiag /test:dns /v /e /f:dnslog.txt

This will test all your DNS servers. When DNS is ok, you should run a "dcdiag /v /e /c" to check for other errors in your domain.


SG
Forgot to mention that "dcgpofix" cannot set the security on the "Default Domain Controllers Policy".

http://support.microsoft.com/kb/833783

SG
****Hold off on the DCGPOFIX, I need to look up the activedir archives. If memory serves me it may cause you to run the Exchange adprep again.
I'll follow up in the morning.
Thanks
Mike
Ok here is the thread I was thinking of
http://74.125.47.132/search?q=cache:JU9Z14MuQSoJ:www.activedir.org/ListArchives/tabid/55/forumid/1/postid/31224/view/topic/Default.aspx+Resetting+Default+Domain+and+Default+Domain+Controller+Policies+site:activedir.org&cd=2&hl=en&ct=clnk&gl=us
Sorry I had to use the cached site. Tony just moved activedir to a new host and it looks like the current archives need to be activated.
See the comment from Michael Smith (exchange MVP)
 
Thanks
Mike
Right, thanks.

So, the network has three DCs, one 2003 (all five FSMO roles) and two 2008 (both global catalogs as well). Exch07 is on one of the two 2008.

So run "setup.com /prepareAD" and "/prepareSchema" after I run the DcGpoFix on the 2003 box?

What am I risking here? Either of the two commands plays with the root of the schema... not too excited about reinstalling Exchange... Can we estimate the risks?
(I meant 3 DCs in total = 1 x 2003 and 2 x 2008)
Seems to be an issue with Exchange and dcgpofix.

https://www.experts-exchange.com/questions/21825433/Ran-dcgpofix-exe-and-now-exchange-will-not-work.html

http://www.eventid.net/display.asp?eventid=2114&eventno=2458&source=MSExchangeDSAccess&phase=1 (search for "dcgpofix")

One says "Default Domain Policy" while the other says "Default Domain Controllers Policy". I can verify where the Exchange Enterprise Servers group needs to be set.


SG
typo: I can't verify where the Exchange Enterprise Servers group needs to be set.
I guess some other expert can tell you that
 
Right-o, thanks guys for pointing that out, makes sense, since the tool "reverts" to right after DcPromo was run, and Exchange was set up even after...

Reading this : https://www.experts-exchange.com/questions/21626630/Exchange-2003-default-GPO-and-dcgpofix-exe-What-mods-does-exchange-2003-setup-do-to-the-Default-GPO-Of-course-I-ran-it-and-now-exchange-front-ends-are-broken.html

DcGpoFix removes some Exchange entries or at least some security settings...but that post was for 2003, what about Exch2007 ?

Experts needed :P
I won't blow smoke... this is new to me too, as I've never tried dcgpofix with E2K7.
Yeah, seems like few people have :)

From what I read, running setup /PrepareAD after dcgpofix is enough...

I'll build a lab and test, and let you guys know.
Response from Microsoft :
Please understand that the DcGPOFix.exe tool will reset the Default Domain Policy and Default Domain Controller Policy to default status. However, if you have set any security policies in the Default Domain Policy and Default Domain Controller Policy, the domain controller may stop working after running the DcGPOFix.exe tool.
 
For more information, please refer to the following article: 
 
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
http://support.microsoft.com/default.aspx/kb/833783
 
As to /PrepareAD and /PrepareDomain, they are used to reset permissions for the Exchange 2007 server and create some AD objects in the domain, while /PrepareSchema is for extending the schema for Exchange 2007. For more information, please refer to the following article:
 
How to Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx
 
They are not related to Group Policy. 
 
Also, the DcGPOFix.exe tool will only reset the Default Domain Policy and Default Domain Controller Policy and it will not touch other AD objects, such as users, computers object or other member servers. 
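Before resetting the default GPOs as the Microsoft response above describes, a practitioner would want a recoverable record of what dcgpofix cannot restore (KB 833783). The following PowerShell pre-flight script is an added example, not from the thread, Microsoft or any poster; it assumes the GroupPolicy module (RSAT / Windows Server 2008 R2 or later), a Domain Admin session on a DC, and a writable backup folder, and it only prints the dcgpofix command rather than running it.

```powershell
# Added example: capture everything dcgpofix will discard before running it.
# Assumes the GroupPolicy module and that this runs on a DC as a Domain Admin.
Import-Module GroupPolicy

$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$backupDir = "C:\GPOBackup\$stamp"            # assumed location, adjust as needed
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Full backup of every GPO (the client in the thread had none). Restore-GPO can
#    bring any of them back, including the two that dcgpofix overwrites.
Backup-GPO -All -Path $backupDir -Comment "Pre-dcgpofix backup $stamp" | Out-Null

# 2. Readable reports of the two GPOs dcgpofix resets, so the current
#    User Rights Assignment and Audit Policy can be compared afterwards.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    $file = Join-Path $backupDir ("{0}.html" -f ($name -replace ' ', '_'))
    Get-GPOReport -Name $name -ReportType Html -Path $file
}

# 3. Effective user rights on this DC, exported with secedit. These are exactly
#    the settings KB 833783 says dcgpofix does not put back.
$rightsInf = Join-Path $backupDir 'dc-user-rights.inf'
secedit.exe /export /cfg $rightsInf /areas USER_RIGHTS | Out-Null

# List who currently holds each right (secedit writes a UTF-16 .inf). Any Exchange
# group shown here must be re-granted after the reset, e.g. via setup /PrepareAD
# as suggested in the thread, or by restoring the GPO backed up in step 1.
Get-Content -Path $rightsInf -Encoding Unicode |
    Where-Object { $_ -match '^Se\w+Privilege' }

# 4. Only after reviewing the above, run the reset by hand (deliberately not
#    executed here): dcgpofix /target:Both   or   dcgpofix /target:Domain
Write-Host "Backups written to $backupDir. Review them, then run dcgpofix manually."
```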
SOLUTION
[solution text not shown on this page]
Yeah thanks SG, leave the poor bastard at peace, I'll run it in my own lab, then you can ruin his :)

I spoke to the Msoft engineer and he says :

"By security policy, I mean the Audit Policy and User Rights Assignment. They can be found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
For detailed information, I suggest check the "MORE INFORMATION" part of the following KB article:
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state http://support.microsoft.com/default.aspx/kb/833783 "

That sounds pretty safe to me.
I'll keep you posted.

Thank you both, I'll close this for now. Just FYI, the client has agreed that we try this; he knows the risk. I'll keep posting the results here for our education :)