Solved

Default Domain Policy

Posted on 2009-05-12
Last Modified: 2012-08-13
Gee what a mess...

Got this "new" client who's been looked after by clowns.
Where should I start...

- DCDiag full of errors
- AD replication ok between 2003 and 2008 but fails between 2008 and 2008
- AD Site and Services still refers to old accounts
- DNS not configured
- GPO not applying to some machines
- GPO can be edited from 2008 DC but can't from 2003 DC
- "Default Domain Policy" is blank, and replaced by another "Company Default Policy" which has weird settings, etc.

I'll start with rebuilding the GPO and cleaning up the AD Schema. As the Default Domain Policy is blank, I need to recreate it from scratch (and of course there was no backup until now).

My question: is there a default "Default Domain Policy" I can download and apply? Or should I just build a lab environment, write down all the settings and create these in the live environment? Or is there a procedure from Msoft to recreate this GPO from a template somewhere?
Question by:unisolutions
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
Dcgpofix tool recreates the two default Group Policy objects (default domain and default domain controller policy)
http://technet.microsoft.com/en-us/library/cc739095.aspx
How is Exchange set up there?
Thanks
Mike
LVL 18

Expert Comment

by:Americom
If there's no reason not to configure your DNS as Active Directory-Integrated zones, configure DNS as ADIZ zones on all your DCs (Win2k3 and Win2k8). This may solve some of your problems such as replication etc.
GPOs can be edited from Win2k8 but not Win2k3: there are some GPO settings that cannot be viewed or edited from Win2k3, only from Vista or Win2k8, such as wired auto authentication etc. GPOs configured with Group Policy Preferences can also only be managed from Vista and Win2k8, not Win2k3. So you should be managing your GPOs with the later version of the OS.
GPO not applying to some machines: if the GPO is configured in the Computer Configuration settings, just make sure the GPO is linked to the OU the computer is in and is not being blocked by blocked inheritance.

Author Comment

by:unisolutions
Thanks MKLine, does Dcgpofix.exe rebuild based on a backup (I have none) or will it recreate based on a "Msoft Recommended" kind of thing?

As for Xchg, that's about the only thing that works really well (Xch07 on Win2008).

@Americom, DNS reconfig will be my next step, ADIZ is already done... No blocking of inheritance or anything, and no Vista computers in the park; the GPOs that cannot be edited are for instance folder redirection for My Documents.
LVL 21

Expert Comment

by:snusgubben
"dcgpofix" does not need any backup. It will set the default GPOs back to the state they were in when your domain was created. It will not touch any custom-made GPOs, only the two mkline mentioned.

DNS is the first thing you should fix. Start > run > dcdiag /test:dns /v /e /f:dnslog.txt

This will test all your DNS servers. When DNS is ok, you should run a "dcdiag /v /e /c" to check for other errors in your domain.


SG
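Added example, not part of snusgubben's answer or the original thread: a PowerShell wrapper around the dcdiag commands above. It writes the log with /f: as suggested, then parses the "......... SERVER passed/failed test NAME" summary lines so the failing server/test pairs can be read off instead of searched for in a long verbose log. It assumes dcdiag.exe is on the PATH (Support Tools on 2003, built in on 2008) and PowerShell 3 or later; the function names, the regular expression and the sample text are mine, and the sample is a constructed imitation of the summary-line format, not a real capture.

```powershell
# Parse dcdiag output into one object per "passed/failed test" summary line.
function ConvertFrom-DcdiagOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Matches lines such as "   ......................... DC1 failed test DNS"
    $pattern = '^\s*\.{3,}\s+(?<Dc>\S+)\s+(?<Result>passed|failed) test (?<Test>\S+)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Dc     = $Matches.Dc
                Test   = $Matches.Test
                Passed = ($Matches.Result -eq 'passed')
            }
        }
    }
}

# Run dcdiag against every DC (/e) verbosely (/v), log to a file, and return
# only the failures. -Test 'dns' is the DNS pass from the thread; -Test '*'
# is the full comprehensive run ("dcdiag /v /e /c").
function Invoke-DcdiagCheck {
    param(
        [string]$Test    = 'dns',
        [string]$LogPath = "$env:TEMP\dcdiag-$($Test -replace '\*','all').txt"
    )
    $dcdiagArgs = @('/e', '/v', "/f:$LogPath")
    if ($Test -eq '*') { $dcdiagArgs = @('/c') + $dcdiagArgs }
    else               { $dcdiagArgs = @("/test:$Test") + $dcdiagArgs }
    & dcdiag.exe @dcdiagArgs | Out-Null
    ConvertFrom-DcdiagOutput -Lines (Get-Content -Path $LogPath) |
        Where-Object { -not $_.Passed } |
        Sort-Object Dc, Test
}

# Constructed sample in the dcdiag summary-line format (not a real capture),
# so the parser can be exercised without touching a domain.
$sample = @'
   Testing server: Default-First-Site-Name\DC2003
      Starting test: Connectivity
         ......................... DC2003 passed test Connectivity
      Starting test: DNS
         ......................... DC2003 failed test DNS
   Testing server: Default-First-Site-Name\DC2008A
         ......................... DC2008A passed test DNS
'@ -split "`r?`n"

ConvertFrom-DcdiagOutput -Lines $sample | Where-Object { -not $_.Passed }

# Against the live domain, as in the thread: DNS first, then everything.
# Invoke-DcdiagCheck -Test 'dns'
# Invoke-DcdiagCheck -Test '*'
```

The parser only reads the per-test summary lines; the detailed warnings above each failure are still in the log file, which is why the log is kept rather than discarded.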
LVL 21

Expert Comment

by:snusgubben
Forgot to mention that "dcgpofix" cannot set the security on the "Default Domain Controller Policy".

http://support.microsoft.com/kb/833783

SG
LVL 57

Expert Comment

by:Mike Kline
****Hold off on the DCGPOFIX,  I need to look up the activedir archives.  If memory serves me it may cause you to run the exchange adprep again.
I'll follow up in the morning.
Thanks
Mike
LVL 57

Expert Comment

by:Mike Kline
Ok here is the thread I was thinking of
http://74.125.47.132/search?q=cache:JU9Z14MuQSoJ:www.activedir.org/ListArchives/tabid/55/forumid/1/postid/31224/view/topic/Default.aspx+Resetting+Default+Domain+and+Default+Domain+Controller+Policies+site:activedir.org&cd=2&hl=en&ct=clnk&gl=us
Sorry I had to use the cached site.  Tony just moved activedir to a new host and it looks like the current archives need to be activated.
See the comment from Michael Smith (exchange MVP)
 
Thanks
Mike

Author Comment

by:unisolutions
Right, thanks.  

So, the network has three DCs, one 2003 (all five FSMO roles) and two 2008 (both catalogs as well). Exch07 is on one of the two 2008.

So run "setup.com /PrepareAD" and "/PrepareSchema" after I run DcGpoFix on the 2003 box?

What am I risking here? Either of the two commands plays with the root of the schema... not too excited about reinstalling Exchange... Can we estimate the risks?

Author Comment

by:unisolutions
(I meant 3DC in total = 1 x 2003 and 2 x 2008)
LVL 21

Expert Comment

by:snusgubben
Seems to be an issue with Exchange and dcgpofix.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21825433.html

http://www.eventid.net/display.asp?eventid=2114&eventno=2458&source=MSExchangeDSAccess&phase=1 (search for "dcgpofix")

One says "Default Domain Policy" while the other says the "Default Domain Controller Policy". I can verify where the Exchange Enterprise Servers group needs to be set.


SG
LVL 21

Expert Comment

by:snusgubben
typo: I can't verify where the Exchange Enterprise Servers group needs to be set.
I guess some other expert can tell you that

Author Comment

by:unisolutions
Right-o, thanks guys for pointing that out, makes sense, since the tool "reverts" to right after DcPromo was run, and Exchange was set up even after...

Reading this : http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21626630.html

DcGpoFix removes some Exchange entries or at least some security settings...but that post was for 2003, what about Exch2007 ?

Experts needed :P
LVL 57

Expert Comment

by:Mike Kline
i won't blow smoke...this is new to me too as I've never tried dcgpofix with E2K7

Author Comment

by:unisolutions
yeah seems like few people have :)

From what I read, running setup /PrepareAD after dcgpofix is enough...

I'll build a lab and test, and let you guys know.

Author Comment

by:unisolutions
Response from Microsoft :
Please understand that the DcGPOFix.exe tool will reset the Default Domain Policy and Default Domain Controller Policy to default status. However, if you have set any security policies in the Default Domain Policy and Default Domain Controller Policy, the domain controller may stop working after running the DcGPOFix.exe tool.
 

For more information, please refer to the following article: 
 

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

http://support.microsoft.com/default.aspx/kb/833783
 

As to /PrepareAD and /PrepareDomain, they are used to reset permissions for the Exchange 2007 server and create some AD objects in the domain, while /PrepareSchema is for extending the schema for Exchange 2007. For more information, please refer to the following article:
 

How to Prepare Active Directory and Domains

http://technet.microsoft.com/en-us/library/bb125224.aspx
 

They are not related to Group Policy. 
 

Also, the DcGPOFix.exe tool will only reset the Default Domain Policy and Default Domain Controller Policy and it will not touch other AD objects, such as users, computers object or other member servers. 

LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 250 total points
http://support.microsoft.com/kb/833783 does not say anything about Exchange 2007.

I looked in the "Default Domain Controller Policy" in a coworker's Exchange lab (2003 DCs and Exchange 2007) and the only thing I found was:

Computer Configuration\Windows settings\local policy\user rights assignment\Manage auditing and security log -> "Exchange Enterprise Servers" and "Exchange servers" (and administrator)

I found nothing in the Default domain policy.

With dcgpofix you can set a parameter to only reset the Default domain policy and not touch the Default domain controller policy.

I dare not run a dcgpofix in my coworker's lab as he will kill me if I ruin it :(


SG

Author Comment

by:unisolutions
Yeah thanks SG, leave the poor bastard at peace, I'll run it in my own lab, then you can ruin his :)

I spoke to the Msoft engineer and he says :

"By security policy, I mean the Audit Policy and User Rights Assignment. They can be found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
For detailed information, I suggest check the "MORE INFORMATION" part of the following KB article:
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state http://support.microsoft.com/default.aspx/kb/833783 "

That sounds pretty safe to me.
I'll keep you posted.

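Added example, not from the thread or from any of its participants: a PowerShell script for the checks snusgubben's lab inspection and the Microsoft engineer's answer above point at. Before touching anything it backs up both default GPOs (the question notes there is no backup), dumps the User Rights Assignment of the Default Domain Controllers Policy to a CSV, and reports whether the Exchange groups sit on "Manage auditing and security log" (SeSecurityPrivilege), the only Exchange entry snusgubben found. The reset itself is then limited to the blank Default Domain Policy with dcgpofix /target:Domain, the switch snusgubben mentions, so the DC policy's security settings that KB 833783 warns about are not touched at all. It assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later, so not the 2003 box in the thread), PowerShell 3 or later, and Domain Admin rights; the function names, the backup path and the CSV file name are mine.

```powershell
Import-Module GroupPolicy

# Read a GPO's XML report and return its user-rights assignments. PowerShell's
# XML adapter matches child elements by local name, so the namespace prefix
# the report uses for the security extension does not get in the way.
function Get-GpoUserRights {
    param([Parameter(Mandatory)][string]$GpoName)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # A blank GPO (like the question's Default Domain Policy) has no
    # ExtensionData at all, so this loop simply returns nothing for it.
    foreach ($ext in $report.GPO.Computer.ExtensionData) {
        foreach ($right in @($ext.Extension.UserRightsAssignment)) {
            if ($null -eq $right) { continue }
            $members = foreach ($m in @($right.Member)) {
                if ($m.Name -is [string]) { $m.Name } else { $m.Name.'#text' }
            }
            [pscustomobject]@{ Right = $right.Name; Members = @($members) }
        }
    }
}

# Does the DC policy still grant "Manage auditing and security log" to the
# Exchange groups? This is what to compare before and after any reset.
function Test-ExchangeGroupsInDcPolicy {
    $rights = Get-GpoUserRights -GpoName 'Default Domain Controllers Policy'
    $sec    = $rights | Where-Object { $_.Right -eq 'SeSecurityPrivilege' }
    $exch   = @($sec.Members | Where-Object { $_ -like '*Exchange*' })
    [pscustomobject]@{
        Right           = 'SeSecurityPrivilege'
        AllMembers      = $sec.Members
        ExchangeMembers = $exch
        ExchangePresent = ($exch.Count -gt 0)
    }
}

# Back up both default GPOs and keep a plain CSV of the DC policy's user
# rights next to them, so the Exchange groups can be re-added by hand if
# anything ever resets that policy.
function Backup-DefaultGpos {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical backup folder
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
        Backup-GPO -Name $name -Path $Path -Comment "Before dcgpofix $(Get-Date -Format s)"
    }
    Get-GpoUserRights -GpoName 'Default Domain Controllers Policy' |
        Select-Object Right, @{ n = 'Members'; e = { $_.Members -join ';' } } |
        Export-Csv -Path (Join-Path $Path 'dc-policy-user-rights.csv') -NoTypeInformation
}

# Order of operations: backup and record, check, then reset only the domain
# policy and check again.
Backup-DefaultGpos -Path 'C:\GPO-Backups\before-dcgpofix'
Test-ExchangeGroupsInDcPolicy
# dcgpofix /target:Domain          (resets the Default Domain Policy only)
# Test-ExchangeGroupsInDcPolicy    (should be unchanged afterwards)
```

Restore-GPO from the same backup folder is the way back if the reset produces a policy that does not match what the domain needs; the CSV is there for the case where a full restore is not wanted and only the user-rights entries have to be put back.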

Author Closing Comment

by:unisolutions
Thank you both, I'll close this for now. Just FYI, the client has agreed that we try this; he knows the risk. I'll keep posting the results here for our education :)