Solved

Domain controller Security Policy has been deleted from the file system

Posted on 2003-11-26
436 Views
Last Modified: 2012-05-04
I am a network admin. I inherited this botched bag of @#$#, as do all admins for the first few months... Anyway.

The domain security and domain controller security policies which are accessed by clicking on [Start > Programs > Administrative Tools] have been deleted at the file system level.
When I try to access them I get an error message that it cannot access the files, and under Details it states the files cannot be found. When a policy is created or modified via Active Directory for an OU, or one of the ones in question is opened from Administrative Tools, the file is actually stored in the [C:\WINNT\SYSVOL\domain\Policies] directory. These were at one time cleared out at the file system level.

My question is how do I recreate these policy objects so they can be modified? Do I need to obtain an ADM file, or is there a command or utility that will do this for me?

I need to add a domain controller to the domain, but I am getting a permissions issue when I run DCPROMO, no matter what account I use, when it tries to modify the machine account and add it to the Domain Controllers group. I would love to trash this bag of tricks and set the domain up correctly, but it is not an option. All server upgrades are expected with no downtime and no user issues.

Steve
Scrose32@bellsouth.net
0
Question by:srose6
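The failure described above (a Group Policy object still exists in Active Directory but its file-system half, the Group Policy Template under SYSVOL\domain\Policies\{GUID}, is gone) can be detected before you open the MMC. The following check is an added example and is not code from the thread or from Microsoft: it walks a Policies directory and reports, for each GPO GUID that AD knows about, whether the GPT folder, its gpt.ini and the Machine/User subfolders are present. The two GUIDs below are the well-known, fixed names of the Default Domain Policy and Default Domain Controllers Policy folders in every AD domain; the list of GUIDs would normally come from the groupPolicyContainer objects under CN=Policies,CN=System, and the third GUID and the sample directory tree are constructed here so the script runs offline. Python is used so the check runs anywhere the SYSVOL share can be mounted.

```python
"""Audit the file-system half (GPT) of each GPO that Active Directory lists.

Added example, not part of the original thread. The SYSVOL tree below is
constructed in a temporary directory so the script runs offline.
"""
import configparser
import os
import tempfile

# Well-known folder names of the two default GPOs (identical in every AD domain).
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
# Hypothetical GUID of a third, constructed GPO used only for the sample tree.
SAMPLE_OU_POLICY = "{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}"

REQUIRED_SUBDIRS = ("Machine", "User")


def version_parts(version):
    """Split a gpt.ini Version value into (user_version, computer_version).

    The 32-bit Version packs the user-side version in the high 16 bits and
    the computer-side version in the low 16 bits. AD's versionNumber
    attribute on the groupPolicyContainer should carry the same value.
    """
    return version >> 16, version & 0xFFFF


def parse_gpt_ini(path):
    """Read [General] Version from gpt.ini and return (user, computer) versions."""
    cp = configparser.ConfigParser()
    cp.read(path, encoding="utf-8")
    return version_parts(int(cp["General"]["Version"]))


def check_gpt(policies_root, gpo_guid):
    """Return a list of problems for one GPO; an empty list means the GPT looks intact."""
    gpt_dir = os.path.join(policies_root, gpo_guid)
    if not os.path.isdir(gpt_dir):
        # This is the situation in the question: AD object present, SYSVOL folder gone.
        return [f"{gpo_guid}: GPT folder missing from SYSVOL (AD object orphaned)"]
    problems = []
    ini = os.path.join(gpt_dir, "gpt.ini")
    if not os.path.isfile(ini):
        problems.append(f"{gpo_guid}: gpt.ini missing")
    else:
        try:
            parse_gpt_ini(ini)
        except (KeyError, ValueError, configparser.Error) as exc:
            problems.append(f"{gpo_guid}: gpt.ini unreadable ({exc})")
    for sub in REQUIRED_SUBDIRS:
        if not os.path.isdir(os.path.join(gpt_dir, sub)):
            problems.append(f"{gpo_guid}: {sub} subfolder missing")
    return problems


def audit(policies_root, ad_gpo_guids):
    """Map every GPO GUID listed in AD to the problems found for its GPT."""
    return {guid: check_gpt(policies_root, guid) for guid in ad_gpo_guids}


def build_sample_sysvol(root):
    """Constructed sample tree: one healthy GPT, one half-deleted, one fully deleted."""
    healthy = os.path.join(root, DEFAULT_DOMAIN_POLICY)
    for sub in REQUIRED_SUBDIRS:
        os.makedirs(os.path.join(healthy, sub))
    with open(os.path.join(healthy, "gpt.ini"), "w", encoding="utf-8") as fh:
        # 65539 = 0x00010003: user version 1, computer version 3.
        fh.write("[General]\r\nVersion=65539\r\ndisplayName=New Group Policy Object\r\n")
    # Half-deleted: folder and Machine exist, but gpt.ini and User were removed.
    os.makedirs(os.path.join(root, SAMPLE_OU_POLICY, "Machine"))
    # DEFAULT_DC_POLICY is deliberately not created: the deleted case from the question.


def run_sample():
    """Build the constructed tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysvol(root)
        return audit(root, [DEFAULT_DOMAIN_POLICY, DEFAULT_DC_POLICY, SAMPLE_OU_POLICY])


if __name__ == "__main__":
    for guid, issues in run_sample().items():
        print(guid, "OK" if not issues else "; ".join(issues))
```

Against a real domain, point audit() at \\<dc>\SYSVOL\<domain>\Policies and feed it the GUIDs from AD; any GPO reported as "GPT folder missing" is one the Group Policy editor will refuse to open with the "file cannot be found" error described above.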
15 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9827241
tried secedit to use the templates in <windoze dir>\security\templates?

secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log /verbose

not sure if that works without the policy files in place ...

tried an undelete util?

did they ever back the thing up?

>All server upgrades are expected with no down time and no user issues.
like the BBG upgrade went?
0
 
LVL 4

Author Comment

by:srose6
ID: 9828106
no undelete utils in place.
No backups of that directory
Have not tried the security templates. Will test in the lab this weekend.
I am not running any tests live here at work.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9829245
So you can't make any modifications by getting to the GPO properties via the properties of any specific OU where a GPO is linked?
0
 
LVL 4

Author Comment

by:srose6
ID: 9829403
Nope, these policies are outside the scope of the OUs. These are the Domain Controller and Domain security policies. Nothing you do to the OUs in AD affects these policies.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9832662
What about the GPOs at the Site level? Are there any you can change, because they can lay a policy on domains within their sites? If you need to, there might be an option of creating a new site with new policies, then moving your domains into this site and forcing the domains to inherit their policies.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9832676
By the way, explain to your manager that if the expectation is to never be down, there should literally be a mirror server in place for every critical server in the infrastructure.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9839988
in fact a three-tiered infrastructure is necessary, DEVELOPMENT - TEST - PRODUCTION and PRODUCTION MIRROR, not to mention HSRP, redundant switches, BGP, hot sites, etc. etc....
0
 
LVL 4

Author Comment

by:srose6
ID: 9841396
Ok, can someone from the real world of working with accountants and non-technical bean-counter managers please chime in? I am not a novice; I am also not going to spend $150K of my own money on their IT shop. I have worked for large companies such as Microsoft, i2 Technologies, Software Spectrum, among others, on contract. This is a small company with a small budget, no one with any real IT sense in management, and huge expectations. They hired some PhD in computer science for about 6 months, paid him way too much money, and got left with a disaster.

What I have been able to figure out is that the root cause of the actual permissions issues is an LDAP/DNS issue. The SRV records in DNS are not resolving the GUID records for the existing domain controllers, so the new server cannot authenticate the credentials for the domain admin user name and password. I loaded the Windows 2000 Server Resource Kit tools. I ran DSASTAT and all records contained in the AD on all the DCs match. DCDIAG fails on LDAP authentication and points to an error in the GUID records. I set up a lab at the house and was able to confirm these will FUBAR adding a DC. This can be resolved on my own accord.

What I am still left with is the remaining issue of the default "Domain Controller Security" and "Domain Security" links on the Administrative Tools program bar. The GPO in AD passes permissions down to these actual objects in AD, but the links to these in the Administrative Tools program bar bring up different ADM templates. There is probably little consequence to using the GPO objects, but I would like to get these reset to working as engineered. This is one of those odd things I do not know how to do, because this is one of those bone-headed things that probably isn't done or addressed often. I have co-workers, and the expectation is for these objects to work as designed. I know this sounds trivial, but they will not notice the hours of my own time spent getting this botched LDAP setup to work so I can add the domain controller. All they will see is what does not work.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9841519
We're just lamenting the unrealistic expectations we all run into while we mull this over.
Dcgpofix.exe chokes too?
0
 
LVL 4

Author Comment

by:srose6
ID: 9867219
Sorry for the delay, it's that wife and kids and that 70-hour work week. I have been reading about DCGPOFIX.EXE and you may be onto something. I am testing it this morning. I have set up my own test 2000 domain at home. Of course I run Linux on all critical systems. I can get Red Hat 9 to work with AD but not another 2000 server. Isn't that a kick in the pants?
0
 
LVL 4

Author Comment

by:srose6
ID: 9867305
No go, this tool is for Windows 2003 DCs only. No mention of its use on a Windows 2000 domain.
0
 
LVL 4

Author Comment

by:srose6
ID: 9867445
I was able to get the EXE file from the 2003 Server CD. It will not run; I get a kernel error, as in it will not run on 2000 Server. It is installed on 2003 as part of the OS install, so there is not an add-on pack I can install to get this tool on the system.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9867777
0
 
LVL 4

Author Comment

by:srose6
ID: 9869210
Nope, that KB is how to reset, as in one already exists.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 400 total points
ID: 9869275
it refers to http://support.microsoft.com/default.aspx?scid=kb;EN-US;253268
which seems to be the case in your situation.
0
