Solved

Domain controller Security Policy has been deleted from the file system

Posted on 2003-11-26
15
Medium Priority
444 Views
Last Modified: 2012-05-04
I am a network admin. I inherited this botched bag of @#$#, as do all admins for the first few months..... Anyway,

The domain security and domain controller security policies, which are accessed by clicking on [Start>Programs>Administrative Tools>], have been deleted at the file system level.
When I try to access them I get an error message that it cannot access the files, and under Details it states the files cannot be found. When a policy is created or modified via Active Directory for an OU, or for the ones in question from Administrative Tools, the file is actually stored in the [C:\WINNT\SYSVOL\domain\Policies] directory. These were at one time cleared out at the file system level.

My question is how do I recreate this policy object so they can be modified? Do I need to obtain an ADM file, or is there a command or utility that will do this for me?

 I need to add a domain controller to the domain but the domain. I am getting a permissions issue when I run DCPROMO no matter what account I use when it tries to modify the machine account and add it to the domain controllers group; I would love to trash this bag of tricks and set the domain up correctly but it is not an option. All server upgrades are expected with no down time and no user issues.

Steve
Scrose32@bellsouth.net
0
Comment
Question by:srose6
15 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9827241
tried secedit to use the templates in cd <windoze dir>\security\templates ?

secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log /verbose

not sure if that works without the policy files in place ...

tried an undelete util?

did they ever back the thing up?

>All server upgrades are expected with no down time and no user issues.
like the BBG upgrade went?
0
 
LVL 4

Author Comment

by:srose6
ID: 9828106
no undelete utils in place.
No backups of that directory
Have not tried the Security templates. Will test in lab this weekend.
I am not running any tests live here at work.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9829245
So you can't make any modifications by getting to the GPO properties via the properties of any specific OU where a GPO is linked?
0
 
LVL 4

Author Comment

by:srose6
ID: 9829403
Nope, these policies are outside the scope of the OUs. These are the Domain Controller and Domain security policies. Nothing you do to the OUs in AD affects these policies.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9832662
What about the GPO's at the Site Level ? Any there you can change, because they can lay a policy on domains within their sites. If you need to there might be an option of creating a new site with new policies and then moving your domains into this site and forcing the domains to inherit their policies.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9832676
By the way, explain to your manager that if the expectation is to never be down there should literally be a mirror server in place for every critical server in the infrastructure.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9839988
in fact a three tiered infrastructure is necessary, DEVELOPMENT - TEST -  PRODUCTION and PRODUCTION MIRROR, not to mention HSRP, redundant switches, BGP, hot sites, etc.etc....
0
 
LVL 4

Author Comment

by:srose6
ID: 9841396
Ok, can someone from the real world of working with Accountants and non-technical bean counter managers please chime in? I am not a novice. I am also not going to spend $150K of my own money on their IT shop. I have worked for large companies such as Microsoft, i2 Technologies, Software Spectrum, among others on contract. This is a small company with a small budget, no one with any real IT sense in management, and huge expectations. They hired some PhD in computer science for about 6 months, paid him way too much money and got left with a disaster.

What I have been able to figure out is the root cause of the actual permissions issues is an LDAP/DNS issue. The SRV records in DNS are not resolving the GUID records for the existing domain controllers, so the new server cannot authenticate the credentials for the domain admin user name and password. I loaded the Windows 2000 Server Resource Kit tools. I ran DSASTAT and all records contained in the AD on all the DCs match. DCDIAG fails on LDAP authentication and points to an error in the GUID records. I set up a lab at the house and was able to confirm these will FUBAR adding a DC. This can be resolved on my own accord.

What I am still left with is the remaining issue of the default "Domain Controller Security" and "Domain Security" links on the "Administrative Tools" program bar. The GPO in AD passes permissions down to these actual objects in AD, but the links to these in the Administrative Tools program bar bring up different ADM templates. There probably is little consequence to using the GPO objects, but I would like to get these reset to working as engineered. This is one of those odd things I do not know how to do because this is one of those bone-headed things that probably isn't done or addressed often. I have co-workers and the expectation is for these objects to work as designed. I know this sounds trivial, but they will not notice the hours of my own time spent getting this botched LDAP setup to work so I can add the domain controller. All they will see is what does not work.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9841519
We're just lamenting the unrealistic expectations we all run into while we mull this over.
Dcgpofix.exe chokes too?
0
 
LVL 4

Author Comment

by:srose6
ID: 9867219
Sorry for the delay, it's that wife and kids and that 70 hour work week. I have been reading about DCGPOFIX.EXE and you may be onto something. I am testing it this morning. I have set up my own test 2000 domain at home. Of course I run Linux on all critical systems. I can get Red Hat 9 to work with AD but not another 2000 server. Isn't that a kick in the pants?
0
 
LVL 4

Author Comment

by:srose6
ID: 9867305
No go, this tool is for Windows 2003 DCs only. No mention of its use on a Windows 2000 domain.
0
 
LVL 4

Author Comment

by:srose6
ID: 9867445
I was able to get the EXE file from the 2003 server CD. It will not run; I get a kernel error, as in it will not run on 2000 server. It is installed on 2003 as part of the OS install, so there is not an add-on pack I can install to get this tool on the system.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9867777
0
 
LVL 4

Author Comment

by:srose6
ID: 9869210
Nope that KB is how to reset, as in one already exists.
0
 
LVL 18

Accepted Solution

by:chicagoan (earned 1600 total points)
ID: 9869275
it refers to http://support.microsoft.com/default.aspx?scid=kb;EN-US;253268
which seems to be the case in your situation
0
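The thread's underlying problem is a GPO whose directory half (the Group Policy Container in AD) still exists while its file-system half (the Group Policy Template folder under SYSVOL\domain\Policies) was deleted, which is exactly why the editor reports that it cannot find the files. As an added example, not code from the thread or from Microsoft, the following Python check compares a list of GPC entries (assumed to carry the standard displayName and gPCFileSysPath attributes) against the Policies folder on disk and reports GPOs whose template folder or GPT.INI is missing, plus stale folders no GPC references. The two default-GPO GUIDs are the well-known fixed values; the SYSVOL contents and the other GUIDs are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Well-known, fixed GUIDs of the two default GPOs every domain is created with.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
GUID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def check_gpo_consistency(gpc_entries, policies_dir):
    """gpc_entries: dicts with 'displayName' and 'gPCFileSysPath' as read from
    CN=Policies,CN=System in AD (constructed here). policies_dir: local path of
    SYSVOL\\domain\\Policies. Returns lists of missing/broken/orphaned templates."""
    on_disk = {p.name.upper(): p for p in Path(policies_dir).iterdir()
               if p.is_dir() and GUID_RE.fullmatch(p.name)}
    report = {"missing_gpt": [], "bad_gpt_ini": [], "orphan_gpt": []}
    referenced = set()
    for entry in gpc_entries:
        # The template folder name is the last component of the UNC gPCFileSysPath.
        guid = entry["gPCFileSysPath"].rstrip("\\").split("\\")[-1].upper()
        referenced.add(guid)
        folder = on_disk.get(guid)
        if folder is None:
            report["missing_gpt"].append(entry["displayName"])  # the question's symptom
        elif not (folder / "GPT.INI").is_file():
            report["bad_gpt_ini"].append(entry["displayName"])  # folder kept, GPT.INI gone
    # Folders under Policies that no GPC points at: leftovers, safe to review separately.
    report["orphan_gpt"] = sorted(on_disk.keys() - referenced)
    return report


def demo():
    """Constructed SYSVOL: both default GPO folders deleted, one OU GPO intact, one stale folder."""
    root = Path(tempfile.mkdtemp()) / "Policies"
    custom = "{A1B2C3D4-0000-4000-8000-000000000001}"  # constructed GUID (linked OU GPO)
    stale = "{A1B2C3D4-0000-4000-8000-000000000002}"   # constructed GUID (no GPC in AD)
    for guid in (custom, stale):
        (root / guid).mkdir(parents=True)
        (root / guid / "GPT.INI").write_text("[General]\r\nVersion=65537\r\n")
    unc = "\\\\example.local\\sysvol\\example.local\\Policies\\"  # constructed UNC prefix
    gpc = [{"displayName": "Default Domain Policy", "gPCFileSysPath": unc + DEFAULT_DOMAIN_POLICY},
           {"displayName": "Default Domain Controllers Policy", "gPCFileSysPath": unc + DEFAULT_DC_POLICY},
           {"displayName": "Sales OU Policy", "gPCFileSysPath": unc + custom}]
    return check_gpo_consistency(gpc, root)


if __name__ == "__main__":
    print(demo())
```

Run against a real DC, the GPC list would come from an LDAP query of CN=Policies,CN=System under the domain and policies_dir would be the local SYSVOL path; a non-empty missing_gpt list for either default GUID is the state the accepted KB article addresses.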
