Solved

Microsoft Server 2003r2  Default Domain Controller Policy Blank

Posted on 2009-03-31
Last Modified: 2012-05-06
Hi all,

I have a very interesting problem that may require a very creative solution.
In short, I have inherited a school site running a Microsoft 2003R2 server. I am wanting to add a second server (as a DC) to this site to add redundancy and am working through the errors in the current domain before bringing in the second DC.

Currently I am receiving multiple errors in the application event log, for example:
Source: SceCli
Category: None
Type: Error
EventID: 1001
User: N/A
Computer: Cardiniasvr1
Description
Security policy cannot be propagated. Cannot access the template.
Error code = -536870656.
\\Cardinia.chairo.vic.edu.au\sysvol\Cardinia.chairo.vic.edu.au\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

I have traced this file to the Default Domain Controller Policy and checked the file and this file is empty.

Two things to note...
1. There is no other DC in this domain (I would like to kill the original installer)
2. The current backups for this server only hold about 2 weeks' data and this error seems to have occurred well outside this time frame.

So here is the hard part....
Is there a way to repopulate the Default Domain Controller Policy without the aid of a 2nd DC or a good backup ?
0
Question by:oratek
6 Comments
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 24035172
0
 
LVL 1

Expert Comment

by:cool_apj
ID: 24035302
Check for the SYSVOL. Do you see any SYSVOL errors?
If you are running an Exchange mailing environment then kindly do not use the dcgpofix. If you do the same then you will have to run the Domain Prep again.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035369
0
 

Author Comment

by:oratek
ID: 24035556
Thanks guys for your responses so far.
To clarify the issue, there is nothing complex about the installation and by that I mean there are no Exchange servers or SQL services running on the server.

Further, the gpttmpl.inf file referenced in the error is 5kb in size but blank when opened with notepad.
As far as I can tell the biggest issue for the error is that the information here is missing and is therefore not a security access issue, but a missing content issue.

In the directory where the gpttmpl.inf file lives for this policy, there is also a 5kb gpttmpl.tmp file which is also empty. So from this point of view, I am leaning toward the dcgpofix.

Cool_apj, when you say check for the SYSVOL, what do you mean exactly ?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035594

http://windowsitpro.com/article/articleid/26441/domain-security-policy-problem.html

The Microsoft article "HOW TO: Reset User Rights in the Default Domain Group Policy" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q226243) explains that you need to reset user rights under Domain Policy. I knew that my problem wasn't a matter of not having permission to view the Domain Policy, because I had already checked the permissions on each folder. Section 2b in the article explains how to increase the Domain Policy's version number so that the Domain Policy's version will replicate as the newest version. I knew I had a version mismatch. The article says to make a backup copy of gpttmpl.inf (i.e., the Group Policy Template file). But first, I decided to compare my gpttmpl.inf file's contents with the default settings that the article gives as an example. I opened gpttmpl.inf in WordPad, and the file was empty. So, I copied the default contents into my gpttmpl.inf file, then saved and closed the file. Next, I increased the version of the gpttmpl.inf file in gpt.ini so that the version number was the highest on the network. Finally, I ran the following command:

 secedit /refreshpolicy machine_policy
0
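
Added example, not part of the original thread or of any Microsoft tooling: a small check that classifies a GptTmpl.inf as zero-length, NUL-filled, missing its header sections, or healthy, and that reads the Version value in gpt.ini the quoted article says to increase. It assumes the "5 KB but blank" file described above is filled with NUL bytes, which the thread does not confirm; the sample contents and function names are constructed for illustration.

```python
import re

# Constructed samples (not taken from the thread's server).
HEALTHY_INF = b"\xff\xfe" + (
    '[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature="$CHICAGO$"\r\n'
    "Revision=1\r\n[Privilege Rights]\r\nSeBackupPrivilege = *S-1-5-32-544\r\n"
).encode("utf-16-le")
BLANK_INF = b"\x00" * 5120            # 5 KB on disk, nothing visible in an editor
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\n"


def check_gpttmpl(raw: bytes) -> str:
    """Return 'zero-length', 'nul-filled', 'missing-sections' or 'ok'."""
    if not raw:
        return "zero-length"
    if not raw.strip(b"\x00\r\n\t "):
        return "nul-filled"
    # Security templates are normally UTF-16LE with a BOM; fall back to ANSI.
    if raw.startswith(b"\xff\xfe"):
        text = raw[2:].decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("cp1252", errors="replace")
    sections = {m.lower() for m in re.findall(r"(?m)^\s*\[([^\]\r\n]+)\]\s*$", text)}
    return "ok" if {"unicode", "version"} <= sections else "missing-sections"


def read_gpt_version(ini_text: str) -> int:
    """Extract the Version= value from the text of a gpt.ini file."""
    m = re.search(r"(?im)^\s*Version\s*=\s*(\d+)\s*$", ini_text)
    if m is None:
        raise ValueError("gpt.ini has no Version= line")
    return int(m.group(1))


def split_version(version: int) -> tuple:
    """Upper 16 bits count user-side edits, lower 16 bits machine-side edits."""
    return version >> 16, version & 0xFFFF


def bump_machine_version(version: int) -> int:
    """Increase only the machine half, since GptTmpl.inf is a machine setting."""
    user, machine = split_version(version)
    if machine == 0xFFFF:
        raise ValueError("machine version would overflow into the user half")
    return (user << 16) | (machine + 1)


if __name__ == "__main__":
    for name, raw in (("healthy", HEALTHY_INF), ("blank", BLANK_INF)):
        print(name, check_gpttmpl(raw))
    v = read_gpt_version(SAMPLE_GPT_INI)
    print(v, split_version(v), bump_machine_version(v))
```

To run it against a real policy, read the file in binary mode and pass the bytes to `check_gpttmpl`; take the backup the article mentions before editing gpt.ini.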
 

Author Closing Comment

by:oratek
ID: 31565128
Hi guys,
Thanks for all your input. Given the circumstances I went with the first option of dcgpofix after I had backed up the GP's with GPMC.
The command dcgpofix /target:DC caused the Default DC Group Policy to be reinstated similar to what would be present after a DCPromo and worked for me as there has never been any real changes to the security part of this policy.

I have updated a couple of settings to bring the GP into line with other servers around the place, but thankfully all else is ok.

Thanks.
0
