  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 890

Microsoft Server 2003r2 Default Domain Controller Policy Blank

Hi all,

I have a very interesting problem that may require a very creative solution.
In short, I have inherited a school site running a Microsoft 2003R2 server. I am wanting to add a second server (as a DC) to this site to add redundancy and am working through the errors in the current domain before bringing in the second DC.

Currently I am receiving multiple errors in the application event log; for example:
Source: SceCli
Category: None
Type: Error
EventID: 1001
User: N/A
Computer: Cardiniasvr1
Description
Security policy cannot be propagated. Cannot access the template.
Error code = -536870656.
\\Cardinia.chairo.vic.edu.au\sysvol\Cardinia.chairo.vic.edu.au\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

I have traced this file to the Default Domain Controller Policy and checked the file and this file is empty.

Two things to note...
1. There is no other DC in this domain (I would like to kill the original installer)
2. The current backups for this server only hold about 2 weeks of data and this error seems to have occurred well outside this time frame.

So here is the hard part....
Is there a way to repopulate the Default Domain Controller Policy without the aid of a second DC or a good backup?
Asked by: oratek

1 Solution
cool_apj commented:
Check for the SYSVOL. Do you see any SYSVOL errors?
If you are running an Exchange mailing environment then kindly do not use the dcgpofix. If you do the same, then you will have to run the Domain Prep again.
oratek (Author) commented:
Thanks guys for your responses so far.
To clarify the issue, there is nothing complex about the installation and by that I mean there are no Exchange servers or SQL services running on the server.

Further, the gpttmpl.inf file referenced in the error is 5 KB in size but blank when opened with Notepad.
As far as I can tell the biggest issue for the error is that the information here is missing and it is therefore not a security access issue, but a missing content issue.

In the directory where the gpttmpl.inf file lives for this policy, there is also a 5 KB gpttmpl.tmp file which is also empty. So from this point of view, I am leaning toward the dcgpofix.

cool_apj, when you say check for the SYSVOL, what do you mean exactly?
 
Donald Stewart (Network Administrator) commented:
http://windowsitpro.com/article/articleid/26441/domain-security-policy-problem.html

The Microsoft article "HOW TO: Reset User Rights in the Default Domain Group Policy" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q226243) explains that you need to reset user rights under Domain Policy. I knew that my problem wasn't a matter of not having permission to view the Domain Policy, because I had already checked the permissions on each folder. Section 2b in the article explains how to increase the Domain Policy's version number so that the Domain Policy's version will replicate as the newest version. I knew I had a version mismatch. The article says to make a backup copy of gpttmpl.inf (i.e., the Group Policy Template file). But first, I decided to compare my gpttmpl.inf file's contents with the default settings that the article gives as an example. I opened gpttmpl.inf in WordPad, and the file was empty. So, I copied the default contents into my gpttmpl.inf file, then saved and closed the file. Next, I increased the version of the gpttmpl.inf file in gpt.ini so that the version number was the highest on the network. Finally, I ran the following command:

 secedit /refreshpolicy machine_policy
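The procedure quoted above has two checks an administrator wants to make before touching SYSVOL by hand: confirm that the template really carries no settings (a 5 KB file that looks blank in Notepad, as reported in this thread, can be all NUL bytes), and read the current gpt.ini version so the repaired template can be given a higher machine-side version. The script below is an added example for this thread, not code from the thread, from the quoted article or from Microsoft. It assumes it is run from a host that can read the policy folder; the policy GUID, the gpt.ini and the all-NUL GptTmpl.inf built in demo() are constructed to mirror the symptom.

```python
"""Check a Group Policy Template folder in SYSVOL for an empty GptTmpl.inf.

Added example for this thread, not code from the thread or from Microsoft.
It reports whether the security template carries any settings, decodes the
gpt.ini version into its user and machine halves, and computes the next
machine version to write when the template is repaired by hand.
The policy GUID and the sample files in demo() are constructed.
"""
import configparser
import os
import shutil
import tempfile

# Sections of a SecEdit template that carry no settings of their own.
HEADER_SECTIONS = {"unicode", "version"}
TEMPLATE_RELPATH = os.path.join(
    "Machine", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")


def decode_inf(data: bytes) -> str:
    """Decode an .inf/.ini body; SecEdit templates are usually UTF-16 with a BOM."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def count_settings(data: bytes) -> int:
    """Count key=value lines outside the [Unicode]/[Version] headers.

    A file made only of NUL bytes looks blank in Notepad and yields 0 here,
    which is the 'missing content' case described in the thread.
    """
    section = None
    count = 0
    for raw in decode_inf(data).replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section not in HEADER_SECTIONS and "=" in line:
            count += 1
    return count


def parse_gpt_version(gpt_ini_text: str) -> tuple:
    """Return (combined, user_version, machine_version) from gpt.ini.

    The Version value is one 32-bit number: the high 16 bits are the user
    configuration version, the low 16 bits the computer configuration version.
    """
    cp = configparser.ConfigParser()
    cp.read_string(gpt_ini_text)
    version = int(cp["General"]["Version"])
    return version, (version >> 16) & 0xFFFF, version & 0xFFFF


def next_machine_version(version: int) -> int:
    """Bump only the machine half, leaving the user half untouched."""
    user = (version >> 16) & 0xFFFF
    machine = (version & 0xFFFF) + 1
    return (user << 16) | (machine & 0xFFFF)


def error_code_hex(signed: int) -> str:
    """Render the signed DWORD from the SceCli event in the usual hex form."""
    return "0x%08X" % (signed & 0xFFFFFFFF)


def check_policy_folder(folder: str) -> dict:
    """Inspect one {GUID} policy folder and summarise what an admin needs."""
    with open(os.path.join(folder, "gpt.ini"), "rb") as fh:
        version, user_ver, machine_ver = parse_gpt_version(decode_inf(fh.read()))
    with open(os.path.join(folder, TEMPLATE_RELPATH), "rb") as fh:
        data = fh.read()
    settings = count_settings(data)
    return {
        "template_bytes": len(data),
        "settings": settings,
        "template_empty": settings == 0,
        "user_version": user_ver,
        "machine_version": machine_ver,
        "next_version": next_machine_version(version),
    }


def demo() -> dict:
    """Build a constructed policy folder mirroring the symptom and check it."""
    root = tempfile.mkdtemp()
    try:
        # Constructed GUID; the real policy GUID appears in the event text above.
        folder = os.path.join(root, "{00000000-0000-0000-0000-000000000000}")
        os.makedirs(os.path.join(folder, os.path.dirname(TEMPLATE_RELPATH)))
        with open(os.path.join(folder, "gpt.ini"), "w") as fh:
            fh.write("[General]\r\nVersion=65539\r\n")  # user 1, machine 3 (constructed)
        with open(os.path.join(folder, TEMPLATE_RELPATH), "wb") as fh:
            fh.write(b"\x00" * 5120)  # 5 KB of NULs: shows as blank in Notepad
        return check_policy_folder(folder)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("event error code:", error_code_hex(-536870656))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real folder by calling check_policy_folder() with the UNC path from the event. If template_empty is True the problem is missing content rather than permissions, which is the distinction the thread arrives at, and next_version is the value to place in gpt.ini after restoring the template's contents; note that the GPO's versionNumber attribute in Active Directory must agree with the SYSVOL version, so a hand edit to gpt.ini should be checked against it afterwards. error_code_hex() only converts the event's signed value (-536870656) into the hex form used in SCE references; it does not look the code up.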
 
oratek (Author) commented:
Hi guys,
Thanks for all your input. Given the circumstances I went with the first option of dcgpofix after I had backed up the GPOs with GPMC.
The command dcgpofix /target:DC caused the Default DC Group Policy to be reinstated, similar to what would be present after a DCPromo, and worked for me as there have never been any real changes to the security part of this policy.

I have updated a couple of settings to bring the GP into line with other servers around the place, but thankfully all else is ok.

Thanks.