Solved

Microsoft Server 2003r2  Default Domain Controller Policy Blank

Posted on 2009-03-31
Last Modified: 2012-05-06
Hi all,

I have a very interesting problem that may require a very creative solution.
In short, I have inherited a school site running a Microsoft 2003R2 server. I am wanting to add a second server (as a DC) to this site to add redundancy and am working through the errors in the current domain before bringing in the second DC.

At present I am receiving multiple errors in the application event log, for example:
Source: SceCli
Category: None
Type: Error
EventID: 1001
User: N/A
Computer: Cardiniasvr1
Description
Security policy cannot be propagated. Cannot access the template.
Error code = -536870656.
\\Cardinia.chairo.vic.edu.au\sysvol\Cardinia.chairo.vic.edu.au\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

I have traced this file to the Default Domain Controller Policy and checked the file and this file is empty.

Two things to note...
1. There is no other DC in this domain (I would like to kill the original installer)
2. The current backups for this server only hold about 2 weeks of data and this error seems to have occurred well outside this time frame.

So here is the hard part....
Is there a way to repopulate the Default Domain Controller Policy without the aid of a 2nd DC or a good backup?
Question by:oratek
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 24035172
0
 
LVL 1

Expert Comment

by:cool_apj
ID: 24035302
Check for the SYSVOL. Do you see any SYSVOL errors?
If you are running an Exchange mailing environment then kindly do not use the dcgpofix. If you do the same then you will have to run the Domain Prep again.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035369
0
 

Author Comment

by:oratek
ID: 24035556
Thanks guys for your responses so far.
To clarify the issue, there is nothing complex about the installation and by that I mean there are no Exchange servers or SQL services running on the server.

Further, the gpttmpl.inf file referenced in the error is 5kb in size but blank when opened with notepad.
As far as I can tell the biggest issue for the error is that the information here is missing and is therefore not a security access issue, but a missing content issue.

In the directory where the gpttmpl.inf file lives for this policy, there is also a 5kb gpttmpl.tmp file which is also empty. So from this point of view, I am leaning toward the dcgpofix.

Cool_apj, when you say check for the SYSVOL, what do you mean exactly?
0
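A check for the condition described in this thread (a GptTmpl.inf that has a size but shows nothing in Notepad), as an added example that is not part of the original posts. The function name `Test-GptTmpl`, the demo GUIDs and the temp path are constructed, and treating "blank" as a file of only NUL or whitespace bytes is an assumption, since the thread does not say what the bytes were.

```powershell
# Added example: classify each GptTmpl.inf under a Policies folder.
function Test-GptTmpl {
    param([Parameter(Mandatory = $true)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter 'GptTmpl.inf' | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        # Security templates are usually UTF-16LE with a BOM; fall back to ANSI.
        if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
            $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        } else {
            $text = [System.Text.Encoding]::Default.GetString($bytes)
        }
        $text = $text.TrimStart([char]0xFEFF)

        # Order matters: empty file, then size-but-no-content, then no INF sections.
        if ($bytes.Length -eq 0) { $status = 'ZeroLength' }
        elseif (($text -replace '[\x00\s]', '').Length -eq 0) { $status = 'BlankWithSize' }
        elseif ($text -notmatch '(?m)^\s*\[[^\]]+\]') { $status = 'NoSections' }
        else { $status = 'HasSections' }

        New-Object PSObject -Property @{
            Status = $status; Bytes = $bytes.Length; Path = $_.FullName
        }
    }
}

# Constructed demo tree (GUIDs and paths are made up, not from the thread).
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'sysvol-demo\Policies'
$rel  = 'Machine\Microsoft\Windows NT\SecEdit'
$bad  = Join-Path $root "{11111111-1111-1111-1111-111111111111}\$rel"
$good = Join-Path $root "{22222222-2222-2222-2222-222222222222}\$rel"
New-Item -ItemType Directory -Path $bad, $good -Force | Out-Null

# 5 KB of NUL bytes: has a size, shows nothing in Notepad.
[System.IO.File]::WriteAllBytes((Join-Path $bad 'GptTmpl.inf'), (New-Object byte[] 5120))
Set-Content -Path (Join-Path $good 'GptTmpl.inf') -Encoding Unicode -Value @(
    '[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')

Test-GptTmpl -PoliciesPath $root | Format-Table Status, Bytes, Path -AutoSize
```

On a domain controller, pass the Policies folder under SYSVOL as `-PoliciesPath`; any row other than `HasSections` marks a template that SceCli will not be able to apply.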
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24035594

http://windowsitpro.com/article/articleid/26441/domain-security-policy-problem.html

The Microsoft article "HOW TO: Reset User Rights in the Default Domain Group Policy" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q226243) explains that you need to reset user rights under Domain Policy. I knew that my problem wasn't a matter of not having permission to view the Domain Policy, because I had already checked the permissions on each folder. Section 2b in the article explains how to increase the Domain Policy's version number so that the Domain Policy's version will replicate as the newest version. I knew I had a version mismatch. The article says to make a backup copy of gpttmpl.inf (i.e., the Group Policy Template file). But first, I decided to compare my gpttmpl.inf file's contents with the default settings that the article gives as an example. I opened gpttmpl.inf in WordPad, and the file was empty. So, I copied the default contents into my gpttmpl.inf file, then saved and closed the file. Next, I increased the version of the gpttmpl.inf file in gpt.ini so that the version number was the highest on the network. Finally, I ran the following command:

 secedit /refreshpolicy machine_policy
0
 

Author Closing Comment

by:oratek
ID: 31565128
Hi guys,
Thanks for all your input. Given the circumstances I went with the first option of dcgpofix after I had backed up the GP's with GPMC.
The command dcgpofix /target:DC caused the Default DC Group Policy to be reinstated similar to what would be preset after a DCPromo and worked for me as there has never been any real changes to the security part of this policy.

I have updated a couple of settings to bring the GP into line with other servers around the place, but thankfully all else is ok.

Thanks.
0


Question has a verified solution.
