dcgpofix preparations

Posted on 2007-11-28
Last Modified: 2008-05-31
Our old IT staff made some major changes to the default domain policy and default domain controller policies.  Over the past few months we've broken most of the necessary settings into individual GPOs and applied them to the appropriate OUs.  

There are still some settings that I can't seem to undo in the Default policies; for example, we have an "extra registry settings" section in User Configuration\Administrative Templates\Extra Registry Settings\ on both the default domain policy and the default DC policy.

To remedy these problems and start from scratch with default domain and default DC policies, I'd like to use dcgpofix to reset those two policies to an out of the box state.  
http://technet2.microsoft.com/windowsserver/en/library/48872034-1907-4149-b6aa-9788d38209d21033.mspx?mfr=true
The reason I'm doing this is because we're having some strange issues with policies not replicating to the clients. Even when running gpupdate /force, we still see a lot of computers that don't get the correct policies and that have problems with published applications.  Many of the errors logged on the clients are generic: "Check to make sure that you have access to the installation folder, etc..." I know the access rights are configured correctly because not all clients are affected by these widespread issues.  I'm not sure if this will fix or help to fix our problems, but I think it will be a good place to start.

I have a few questions that I haven't been able to find answers to so far:
I've never worked anywhere where the default domain policies have been so heavily modified; I'm just looking for someone who's done this before and the problems that they encountered as a result of this utility.
Will this utility reset the policies back to when we upgraded our DCs to 2003, or just to the default out-of-the-box configuration for 2003 Server?
We're using RIS, will we need to reconfigure all of our RIS settings and start from scratch with RIS?
Will there be any negative impact on Exchange 2003 sp2?

Thanks in advance for your help.
Question by:hh_techservices
4 Comments
LVL 51

Expert Comment

by:Netman66
Yes, there are negative effects on Exchange when you do this.

You can use GPMC and backup the policies, then restore them to the fixed policies, but I think that will simply return all the bad entries too.

You'll have to see where the registry adm is located and figure out what keys were touched.  Create a script to revert those registry settings then put it in a Startup script for the workstations.  This will fix the clients.
At the same time, rename the ADM so it can't be picked up again.  Track down the gpt.ini for that policy and scrub it of these entries from the registry adm and you should be all set.

Registry-based ADMs will tattoo the registry on whatever machines they touch.
LVL 3

Expert Comment

by:l84work
Assigning and publishing applications from a GPO has never been very reliable.  It does work given enough time.

DCgpofix tool :
http://support.microsoft.com/kb/833783

RIS -

"If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won’t be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication. Upgrading the RIS server to Windows Server 2003 gives it the ability to communicate with the remaining Windows 2000 domain controllers, as well as with Windows Server 2003 domain controllers." (download.microsoft.com/download/9/9/6/996f17f2-e008-4581-a26f-9098f87690e2/Upgwin2k.doc)
LVL 1

Author Comment

by:hh_techservices
Netman66- There's only one "registry" based .adm that I'm worried about... it's Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92809.mspx?mfr=true
This policy was probably set before we upgraded to 2003?? but it's now an option in xp/2003.  In a group policy you can configure Computer Configuration\Administrative Templates\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.  Whether or not this option is configured on the clients doesn't really matter to me... And after checking a handful of our workstations that should have the registry entry... none of them did.  So it would appear that the .adm portion of this policy isn't working anymore, which is fine by me.

You said that we will have negative effects on Exchange. Specifically, what kind of problems will we experience with Exchange, and what can I do to prevent or remedy these problems?

Thanks
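As an added example (not code from anyone in this thread), the startup-script approach Netman66 describes above, applied to the one tattooed value the author names: it checks whether NC_ShowSharedAccessUI is present under Software\Policies\Microsoft\Windows\Network Connections, removes it, and logs what it found on each machine, which also gives a record of the "do the workstations actually have this entry?" check. The key and value name come from the thread; the log path, the choice of PowerShell, and checking both hives are my assumptions.

```powershell
# Added example, not from the thread. Reverts a policy value that a
# registry-based ADM has tattooed into the registry and logs the outcome.
# Assumed: PowerShell is available on the workstations and the log path is writable.
$logPath   = 'C:\Windows\Temp\policy-revert.log'   # assumed location
$valueName = 'NC_ShowSharedAccessUI'               # value named in the thread

# The ADM in the thread lives under User Configuration (HKCU), but the same
# setting exists as a Computer policy (HKLM) on XP/2003, so both are checked.
$targets = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
)

function Remove-TattooedValue {
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return "$KeyPath : key absent"
    }
    # Get-ItemProperty with -Name returns $null (non-terminating error) when
    # the value does not exist, so this doubles as the presence check.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return "$KeyPath\$Name : value absent"
    }
    $old = $item.$Name
    Remove-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction Stop
    return "$KeyPath\$Name : removed (was $old)"
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($key in $targets) {
    try {
        $result = Remove-TattooedValue -KeyPath $key -Name $valueName
    } catch {
        $result = "$key\$valueName : failed ($($_.Exception.Message))"
    }
    Add-Content -LiteralPath $logPath -Value "$stamp $env:COMPUTERNAME $env:USERNAME $result"
}
```

A Computer Configuration startup script runs as SYSTEM, so its HKCU is the SYSTEM account's hive; to clean a per-user tattoo, run the same script as a User Configuration logon script as well.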
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Exchange adds some things to the Default Domain and Default Domain Controller policies - specifically, accounts to certain policy elements.

Simon would likely know just what, as I'm not perfectly certain.

All I know is that Exchange will stop working properly - for example sending mail, and maybe even the service startup on reboot.  I've run into this with a few people already and restoring the old policies returned it to service.

I'm sure if I spent an hour or two I could figure out what changes, but I don't have the cycles to look at this in that detail.

I just wanted to warn you to tread carefully if that was what you were going to ultimately do.