Domain controller Security Policy has been deleted from the file system

I am a network admin. I inherited this botched bag of @#$#, as do all admins in the first few months... Anyway

The domain security and domain controller security policies, which are accessed by clicking on [Start>programs>administrative tools>], have been deleted at the file system level.
When I try to access them I get an error message that it can not access files, and under details it states the files can not be found. When a policy is created or modified via Active Directory for an OU, or from the ones in question from the administrative tools, the file is actually stored in the [C:\WINNT\SYSVOL\domain\Policies] directory. These were at one time cleared out at the file system level.

My question is how do I recreate these policy objects so they can be modified? Do I need to obtain an ADM file, or is there a command or utility that will do this for me?

I need to add a domain controller to the domain but the domain. I am getting a permissions issue when I run DCPROMO no matter what account I use when it tries to modify the machine account and add it to the domain controllers group; I would love to trash this bag of tricks and set the domain up correctly but it is not an option. All server upgrades are expected with no down time and no user issues.

Steve
Scrose32@bellsouth.net
Steve Rose Asked:
chicagoan Commented:
tried secedit to use the templates in cd <windoze dir>\security\templates ?

secedit /configure /cfg basicsv.inf /db basicsv.sdb /log basicsv.log /verbose

not sure if that works without the policy files in place ...

tried an undelete util?

did they ever back the thing up?

>All server upgrades are expected with no down time and no user issues.
like the BBG upgrade went?
0
Steve Rose Author Commented:
No undelete utils in place.
No backups of that directory.
Have not tried the Security templates. Will test in lab this weekend.
I am not running any tests live here at work.
0
TooKoolKris Commented:
So you can't make any modifications by getting to the GPO properties via the properties of any specific OU where a GPO is linked?
0
Steve Rose Author Commented:
Nope, these policies are outside the scope of the OUs. These are the Domain controller and Domain security policies. Nothing you do to the OUs in AD affects these policies.
0
TooKoolKris Commented:
What about the GPOs at the Site Level? Any there you can change, because they can lay a policy on domains within their sites. If you need to, there might be an option of creating a new site with new policies and then moving your domains into this site and forcing the domains to inherit their policies.
0
TooKoolKris Commented:
By the way, explain to your manager that if the expectation is to never be down there should literally be a mirror server in place for every critical server in the infrastructure.
0
chicagoan Commented:
in fact a three tiered infrastructure is necessary, DEVELOPMENT - TEST -  PRODUCTION and PRODUCTION MIRROR, not to mention HSRP, redundant switches, BGP, hot sites, etc.etc....
0
Steve Rose Author Commented:
Ok can someone from the real world of working with Accountants and non technical bean counter managers please chime in? I am not a novice I am also not going to spend $150K of my own money on their IT shop. I have worked for large companies such as Microsoft, i2 technologies, Software Spectrum, among others on contract. This is a small company with a small budget, no one with any real IT sense in management, and huge expectations. They hired some PHD in computer science for about 6 months paid him way too much money and got left with a disaster.

What I have been able to figure out is the root cause of the actual permissions issues is an LDAP, DNS issue. The SRV records in DNS are not resolving the GUID records for the existing domain controllers so the new server can not authenticate the credentials for the domain admin user name and password. I loaded the Windows 2000 Server Resource Kit tools. I ran DSASTAT and all records contained in the AD on all the DCs match. DCDIAG fails on LDAP authentication and points to an error in the GUID records. I set up a lab at the house and was able to confirm these will FUBAR adding a DC. This can be resolved on my own accord.

What I am still left with is the remaining issue of the default "domain controller security" and "domain security" links on the "Administrative Tools" program bar. The GPO in AD passes permissions down to these actual objects in AD but the links to these in the Administrative tools program bar bring up different ADM templates. There probably is little consequence to using the GPO objects but I would like to get these reset to working as engineered. This is one of those odd things I do not know how to do because this is one of those bone headed things that probably isn't done or addressed often. I have co-workers and the expectation is for these objects to work as designed. I know this sounds trivial but they will not notice the hours of my own time spent getting this botched LDAP setup to work so I can add the domain controller. All they will see is what does not work.
0
chicagoan Commented:
We're just lamenting the unrealistic expectations we all run into while we mull this over.
Dcgpofix.exe chokes too?
0
Steve Rose Author Commented:
Sorry for the delay, it's that wife and kids and that 70 hour work week. I have been reading about DCGPOFIX.EXE and you may be onto something. I am testing it this morning. I have set up my own test 2000 domain at home. Of course I run Linux on all critical systems. I can get Red Hat 9 to work with AD but not another 2000 server. Isn’t that a kick in the pants?
0
Steve Rose Author Commented:
No go, this tool is for Windows 2003 DC only. No mention of its use on Windows 2000 domain.
0
Steve Rose Author Commented:
I was able to get the EXE file from 2003 server CD. Will not run, I get a kernel error as in it will not run on 2000 server. It is installed on 2003 as part of the OS install so there is not an add-on pack I can install to get this tool on the system.
0
chicagoan Commented:
0
Steve Rose Author Commented:
Nope, that KB is how to reset, as in one already exists.
0
chicagoan Commented:
it refers to http://support.microsoft.com/default.aspx?scid=kb;EN-US;253268
which seems to be the case in your situation
0
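
Added example (not part of the original thread or any participant's code): a read-only audit of the Policies directory named in the question, reporting which parts of the two default GPO templates are missing. The GUIDs are the well-known fixed identifiers of the Default Domain Policy and Default Domain Controllers Policy; the list of required files is this example's assumption about the standard template layout.

```python
import os

# Well-known GUIDs of the two default GPOs (the same in every AD domain).
DEFAULT_GPOS = {
    "Default Domain Policy": "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "Default Domain Controllers Policy": "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
}
# Items each GPO template is assumed to need, relative to its GUID folder.
REQUIRED = [
    ("GPT.INI",),
    ("MACHINE",),
    ("USER",),
    ("MACHINE", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf"),
]

def find_ci(parent, name):
    """Return the entry of `parent` matching `name` case-insensitively, or None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:  # parent missing, unreadable, or not a directory
        pass
    return None

def resolve_ci(base, parts):
    """Walk `parts` below `base` case-insensitively; None if any part is absent."""
    path = base
    for part in parts:
        path = find_ci(path, part)
        if path is None:
            return None
    return path

def audit_policies(policies_dir):
    """Map each default GPO name to the list of items missing from SYSVOL."""
    report = {}
    for name, guid in DEFAULT_GPOS.items():
        gpo_dir = find_ci(policies_dir, guid)
        if gpo_dir is None:
            report[name] = ["<entire GPO folder %s>" % guid]
            continue
        report[name] = ["\\".join(p) for p in REQUIRED
                        if resolve_ci(gpo_dir, p) is None]
    return report

if __name__ == "__main__":
    for gpo, missing in audit_policies(r"C:\WINNT\SYSVOL\domain\Policies").items():
        print(gpo, "OK" if not missing else "MISSING: " + ", ".join(missing))
```

The script only lists directories, so it can be pointed at a copy of the SYSVOL tree or a UNC path without touching the domain controller's policy files.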

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.