Solved

Microsoft Server 2003r2 Default Domain Controller Policy Blank

Posted on 2009-03-31
Last Modified: 2012-05-06
Hi all,

I have a very interesting problem that may require a very creative solution.
In short, I have inherited a school site running a Microsoft 2003R2 server. I am wanting to add a second server (as a DC) to this site to add redundancy and am working through the errors in the current domain before bringing in the second DC.

Currently I am receiving multiple errors in the application event log, for example:
Source: SceCli
Category: None
Type: Error
EventID: 1001
User: N/A
Computer: Cardiniasvr1
Description
Security policy cannot be propagated. Cannot access the template.
Error code = -536870656.
\\Cardinia.chairo.vic.edu.au\sysvol\Cardinia.chairo.vic.edu.au\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

I have traced this file to the Default Domain Controller Policy and checked the file and this file is empty.

Two things to note...
1. There is no other DC in this domain (I would like to kill the original installer)
2. The current backups for this server only hold about 2 weeks' data and this error seems to have occurred well outside this time frame.

So here is the hard part....
Is there a way to repopulate the Default Domain Controller Policy without the aid of a 2nd DC or a good backup?
Question by:oratek
6 Comments

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 24035172

Expert Comment

by:cool_apj
ID: 24035302
Check for the SYSVOL. Do you see any SYSVOL errors?
If you are running an Exchange mailing environment then kindly do not use the dcgpofix. If you do, then you will have to run the Domain Prep again.

Expert Comment

by:Donald Stewart
ID: 24035369

Author Comment

by:oratek
ID: 24035556
Thanks guys for your responses so far.
To clarify the issue, there is nothing complex about the installation and by that I mean there are no Exchange servers or SQL services running on the server.

Further, the gpttmpl.inf file referenced in the error is 5kb in size but blank when opened with notepad.
As far as I can tell the biggest issue for the error is that the information here is missing and is therefore not a security access issue, but a missing content issue.

In the directory where the gpttmpl.inf file lives for this policy, there is also a 5kb gpttmpl.tmp file which is also empty. So from this point of view, I am leaning toward the dcgpofix.

Cool_apj, when you say check for the SYSVOL, what do you mean exactly?

Expert Comment

by:Donald Stewart
ID: 24035594

http://windowsitpro.com/article/articleid/26441/domain-security-policy-problem.html

The Microsoft article "HOW TO: Reset User Rights in the Default Domain Group Policy" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q226243) explains that you need to reset user rights under Domain Policy. I knew that my problem wasn't a matter of not having permission to view the Domain Policy, because I had already checked the permissions on each folder. Section 2b in the article explains how to increase the Domain Policy's version number so that the Domain Policy's version will replicate as the newest version. I knew I had a version mismatch. The article says to make a backup copy of gpttmpl.inf (i.e., the Group Policy Template file). But first, I decided to compare my gpttmpl.inf file's contents with the default settings that the article gives as an example. I opened gpttmpl.inf in WordPad, and the file was empty. So, I copied the default contents into my gpttmpl.inf file, then saved and closed the file. Next, I increased the version of the gpttmpl.inf file in gpt.ini so that the version number was the highest on the network. Finally, I ran the following command:

 secedit /refreshpolicy machine_policy
0
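
The two things the comments above keep returning to, a GptTmpl.inf that has a size on disk but no content and the version number in gpt.ini, can be checked across every GPO folder in one pass. The sketch below is an added example, not code from any poster or from Microsoft. Its function names, the sample Version value and the treatment of "blank" as a file holding only NULs or whitespace are assumptions; the split of Version into a user half (high 16 bits) and a computer half (low 16 bits) is standard GPO behaviour.

```python
import os
import tempfile

# Security template path inside each GPO folder, as named in the event above.
TEMPLATE_REL = os.path.join("Machine", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")

def read_text(path):
    """Read a SYSVOL file; dropping NULs also flattens UTF-16 text to plain ASCII."""
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1").replace("\x00", "")

def template_state(path):
    """Return 'missing', 'blank' (size on disk, no content), 'malformed' or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    text = read_text(path)
    if not text.strip():
        return "blank"
    return "ok" if "[version]" in text.lower() else "malformed"

def gpo_version(gpo_dir):
    """Split gpt.ini Version into user (high 16 bits) and computer (low 16 bits)."""
    ini = os.path.join(gpo_dir, "gpt.ini")
    if not os.path.isfile(ini):
        return None
    for line in read_text(ini).splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "version" and value.strip().isdigit():
            return {"user": int(value) >> 16, "computer": int(value) & 0xFFFF}
    return None

def audit_policies(policies_dir):
    """Map each GPO GUID folder to (template state, gpt.ini version)."""
    gpos = sorted(n for n in os.listdir(policies_dir) if n.startswith("{"))
    return {n: (template_state(os.path.join(policies_dir, n, TEMPLATE_REL)),
                gpo_version(os.path.join(policies_dir, n))) for n in gpos}

def build_sample(root):
    """Constructed sample: the GPO from the event with a 5 KB NUL-filled template."""
    gpo_dir = os.path.join(root, "{6AC1786C-016F-11D2-945F-00C04fB984F9}")
    tmpl = os.path.join(gpo_dir, TEMPLATE_REL)
    os.makedirs(os.path.dirname(tmpl))
    with open(tmpl, "wb") as t, open(os.path.join(gpo_dir, "gpt.ini"), "w") as g:
        t.write(b"\x00" * 5120)                # assumed cause of a sized-but-empty file
        g.write("[General]\nVersion=65539\n")  # constructed value: user 1, computer 3
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_policies(build_sample(tmp)))
```

Against a live domain, `audit_policies` takes the Policies folder under SYSVOL (the parent of the GUID folder in the event path) and only reads files, so it is safe to run before deciding between dcgpofix and a manual restore.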
 

Author Closing Comment

by:oratek
ID: 31565128
Hi guys,
Thanks for all your input. Given the circumstances I went with the first option of dcgpofix after I had backed up the GP's with GPMC.
The command dcgpofix /target:DC caused the Default DC Group Policy to be reinstated similar to what would be preset after a DCPromo and worked for me as there has never been any real changes to the security part of this policy.

I have updated a couple of settings to bring the GP into line with other servers around the place, but thankfully all else is ok.

Thanks.