Failed to open group policy object

I have been given the task of fixing this issue and I don't know the events that led up to this.  The problem is that I am getting the following error when I try to open up the Group Policy Object:

Failed to open the group policy object.  You may not have appropriate rights.
Details: The system cannot find the path specified.

This domain is running two Win2k domain controllers; from what I gather, one was recently added and one was recently removed to replace an older server.  I have checked all the FSMO roles and they are fine.  However, when I browse to WINNT/SYSVOL/SYSVOL/DOMAINNAME, the only folder in there is "DO_NOT_REMOVE_NtFrs_PreInstall_Directory" and nothing else.  So I am pretty sure that this is the problem.  How do I go about rebuilding the default domain controller policy with the minimal amount of impact on the domain?

Kini pradeep (Principal Cloud and security consultant) Commented:
Probably you do not have the support tools on the second DC.
Do you have a healthy sysvol with all the folders and policies on the other DC?
So the policies and script folders are missing under the domain folder.
It's actually the scripts which is shared as netlogon by the system.
Can you stop and start the FRS on this machine and check for errors in the eventvwr?
If the other DC has the folder intact then we can have them replicated from the other; else there is a tool for Windows 2000 called recreatedefpol to create the default domain and domain controllers policy, which can be downloaded from MS. The policies can be recreated to the default, as long as no EFS is used in the domain because there would be NP with the recovery agent. Also, do you use any certificate services?
Kini pradeep (Principal Cloud and security consultant) Commented:
That would depend now on how many DCs you have in the domain.
Was the DC removed gracefully?
And the DC which was added, had it replicated with the other DCs?

1. How many DCs are currently in the domain? If more than one, do any of the others have sysvol intact with all the folders?

2. On the DC under c:\winnt\sysvol do you see the following:

staging area and sysvol.
Under domain there would be policies and script, and under policies are there the 31b and 6AC?
What do you see under the DO_NOT_REMOVE_NtFrs_PreInstall_Directory?

3. Type net share on cmd; does it show netlogon and sysvol?
Can you also run a Dcdiag /v on that DC and paste the errors?

And if you need to recreate the policies, then do you use certificate services or file encryption in the domain?
brennon (Author) Commented:
There are currently 2 DCs in the domain.  Yes, the controller was gracefully removed.  I have checked both controllers and they are both showing the same thing: I do not see any folders/files under the c:\winnt\sysvol\domain and there is nothing under DO_NOT_REMOVE_NtFrs_PreInstall_Directory.

When I run net share I see the sysvol folder being shared but not netlogon.

DC Diagnosis

Performing initial setup:
   * Verifing that the local machine server11, is a DC.
   * Connecting to directory service on server server11.
   * Collecting site info.
   * Identifying all servers.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: MyDomain\Server11
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... Server 11 passed test Connectivity

Doing primary tests

   Testing server: MyDomain\Server11
      Starting test: Replications
         * Replications Check
         ......................... Server11 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
         * Security Permissions Check for
         * Security Permissions Check for
         ......................... Server11 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... Server11 passed test NetLogons
      Starting test: Advertising
         The DC Server11 is advertising itself as a DC and having a DS.
         The DC Server11 is advertising as an LDAP server
         The DC Server11 is advertising as having a writeable directory
         The DC Server11 is advertising as a Key Distribution Center
         The DC Server11 is advertising as a time server
         The DS Server11 is advertising as a GC.
         ......................... Server11 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
         Role Domain Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
         Role PDC Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
         Role Rid Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server33,CN=
         ......................... Server11 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 10904 to 1073741823
         * is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 8392 to 8891
         * rIDNextRID: 8527
         * rIDPreviousAllocationPool is 8392 to 8891
         ......................... Server11 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/Server11.MyDomain/MyDomain
         * SPN found :LDAP/Server11.MyDomain
         * SPN found :LDAP/Server11
         * SPN found :LDAP/Server11.MyDomain/MyDomain
         * SPN found :LDAP/fa4335b1-89b5-4087-b518-093cb0034635._msdcs.MyDomain
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fa4335b1-89b5-4087-
         * SPN found :HOST/Server11.MyDomain/MyDomain
         * SPN found :HOST/Server11.MyDomain
         * SPN found :HOST/Server11
         * SPN found :HOST/Server11.MyDomain/MyDomain
         * SPN found :GC/Server11.MyDomain/MyDomain
         ......................... Server11 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         ......................... Server11 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         Server11 is in domain DC=MyDomain,DC=com
         Checking for CN=Server11,OU=Domain Controllers,DC=MyDomain,
=com in domain DC=MyDomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=Server11,CN=Servers,CN=MyDomain,CN=
tes,CN=Configuration,DC=MyDomain,DC=com in domain CN=Configuration,DC=
MyDomain,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... Server11 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... Server11 passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 min
         ......................... Server11 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... Server11 passed test systemlog

   Running enterprise tests on : MyDomain
      Starting test: Intersite
         Skipping site MyDomain, this site is outside the scope provided by the
         command line arguments provided.
         ......................... MyDomain passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         PDC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         Time Server Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         KDC Name: \\Server11.MyDomain
         Locator Flags: 0xe00001fd
         ......................... MyDomain passed test FsmoCheck

brennon (Author) Commented:
One more thing, when I try to run DCdiag /v on the second DC I get the following error:
C:\>DCdiag /v
'DCdiag' is not recognized as an
operable program or batch file.
brennon (Author) Commented:
Neither server has the sysvol folder intact.  I started and stopped the FRS service on both machines and came up with no errors.  I have run the recreatedefpol.exe and it has replaced the folders.  Everything seems to be working OK now.  I will give it a couple of days and then close out this question.

Thanks for the help
Kini pradeep (Principal Cloud and security consultant) Commented:
Seems like you have got things under control.

Question has a verified solution.
