Solved

Microsoft Server 2003 R2 Default Domain Controller Policy Blank

Posted on 2009-03-31
Last Modified: 2012-05-06
Hi all,

I have a very interesting problem that may require a very creative solution.
In short, I have inherited a school site running a Microsoft 2003 R2 server. I want to add a second server (as a DC) to this site for redundancy and am working through the errors in the current domain before bringing in the second DC.

Currently I am receiving multiple errors in the application event log, for example:
Source: SceCli
Category: None
Type: Error
EventID: 1001
User: N/A
Computer: Cardiniasvr1
Description
Security policy cannot be propagated. Cannot access the template.
Error code = -536870656.
\\Cardinia.chairo.vic.edu.au\sysvol\Cardinia.chairo.vic.edu.au\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

I have traced this file to the Default Domain Controller Policy and checked the file and this file is empty.

Two things to note...
1. There is no other DC in this domain (I would like to kill the original installer)
2. The current backups for this server only hold about 2 weeks of data and this error seems to have occurred well outside this time frame.

So here is the hard part....
Is there a way to repopulate the Default Domain Controller Policy without the aid of a second DC or a good backup?
Question by: oratek
6 Comments
Accepted Solution

by: dstewartjr (earned 500 total points)
Expert Comment

by: cool_apj
Check for the SYSVOL. Do you see any SYSVOL errors?
If you are running an Exchange mail environment then kindly do not use dcgpofix. If you do the same, then you will have to run the Domain Prep again.
Expert Comment

by: dstewartjr
Author Comment

by: oratek
Thanks guys for your responses so far.
To clarify the issue, there is nothing complex about the installation, and by that I mean there are no Exchange servers or SQL services running on the server.

Further, the gpttmpl.inf file referenced in the error is 5 KB in size but blank when opened with Notepad.
As far as I can tell the biggest issue for the error is that the information here is missing; it is therefore not a security access issue, but a missing content issue.

In the directory where the gpttmpl.inf file lives for this policy, there is also a 5 KB gpttmpl.tmp file which is also empty. So from this point of view, I am leaning toward dcgpofix.

cool_apj, when you say check for the SYSVOL, what do you mean exactly?
Expert Comment

by: dstewartjr

http://windowsitpro.com/article/articleid/26441/domain-security-policy-problem.html

The Microsoft article "HOW TO: Reset User Rights in the Default Domain Group Policy"(http://support.microsoft.com/default.aspx?scid=kb;en-us;q226243) explains that you need to reset user rights under Domain Policy. I knew that my problem wasn't a matter of not having permission to view the Domain Policy, because I had already checked the permissions on each folder. Section 2b in the article explains how to increase the Domain Policy's version number so that the Domain Policy's version will replicate as the newest version. I knew I had a version mismatch. The article says to make a backup copy of gpttmpl.inf (i.e., the Group Policy Template file). But first, I decided to compare my gpttmpl.inf file's contents with the default settings that the article gives as an example. I opened gpttmpl.inf in WordPad, and the file was empty. So, I copied the default contents into my gpttmpl.inf file, then saved and closed the file. Next, I increased the version of the gpttmpl.inf file in gpt.ini so that the version number was the highest on the network. Finally, I ran the following command:

secedit /refreshpolicy machine_policy

Author Closing Comment

by: oratek
Hi guys,
Thanks for all your input. Given the circumstances I went with the first option of dcgpofix after I had backed up the GPOs with GPMC.
The command dcgpofix /target:DC caused the Default DC Group Policy to be reinstated, similar to what would be present after a DCPromo, and worked for me as there have never been any real changes to the security part of this policy.

I have updated a couple of settings to bring the GP into line with other servers around the place, but thankfully all else is ok.

Thanks.
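An added read-only check, not code from this thread or from Microsoft, that a practitioner would run on the DC before choosing between the two fixes discussed above: it classifies the GptTmpl.inf named in the SceCli 1001 error (an all-NUL file is what shows up as "5 KB but blank in Notepad") and compares the gpt.ini Version with the versionNumber attribute on the GPO's AD object, the mismatch the manual fix resolves by raising gpt.ini. It assumes PowerShell on the DC run as a domain admin; $Domain and $GpoGuid are parameter names I chose, with the GUID defaulting to the Default Domain Controllers Policy quoted in the error.

```powershell
# Read-only check: run on the DC as a domain admin. Assumed parameters;
# the GUID default is the Default Domain Controllers Policy from the error.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    [string]$GpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
)

# Classify the security template. A file that has a size but opens blank in
# Notepad is typically all NUL bytes; a real template has a [Version] section.
function Test-GptTmpl {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'MISSING' }
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $nonNul = @($bytes | Where-Object { $_ -ne 0 }).Count
    if ($nonNul -eq 0) { return 'BLANK' }
    $text = [System.IO.File]::ReadAllText($Path)
    if ($text -notmatch '\[Version\]') { return 'NO-VERSION-SECTION' }
    return 'OK'
}

# SYSVOL side of the GPO version: the Version= line in gpt.ini.
function Get-GptIniVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$gpoRoot   = "\\$Domain\sysvol\$Domain\Policies\$GpoGuid"
$tmpl      = Join-Path $gpoRoot 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$state     = Test-GptTmpl $tmpl
$sysvolVer = Get-GptIniVersion (Join-Path $gpoRoot 'gpt.ini')

# AD side of the GPO version: versionNumber on the groupPolicyContainer object.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$adVer    = [int](([ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$domainDn").versionNumber)

"Template : $tmpl"
"State    : $state"
"Version  : gpt.ini=$sysvolVer  AD=$adVer"
if ($state -ne 'OK') {
    'Template unusable: back up the GPOs with GPMC first, then either restore the default'
    'contents and raise the gpt.ini Version, or run dcgpofix /target:DC as done in this thread.'
} elseif ($sysvolVer -ne $adVer) {
    'Version mismatch between SYSVOL and AD: raise the gpt.ini Version so it replicates as newest.'
}
```

The script changes nothing; it only reports, so it is safe to run before and after whichever repair you choose to confirm the template is populated and the versions agree.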
