Solved

Default Domain Policy

Posted on 2009-05-12
19
1,056 Views
Last Modified: 2012-08-13
Gee what a mess...

Got this "new" client who's been looked after by clowns.
Where should I start...

- DCDiag full of errors
- AD replication ok between 2003 and 2008 but fails between 2008 and 2008
- AD Site and Services still refers to old accounts
- DNS not configured
- GPO not applying to some machines
- GPO can be edited from 2008 DC but can't from 2003 DC
- "Default Domain Policy" is blank, and replaced by another "Company Default Policy" which has weird settings, etc.

I'll start with rebuilding the GPO and cleaning up the AD Schema. As the Default Domain Policy is blank, I need to recreate it from scratch... (and of course there was no backup until now).

My question: is there a default "Default Domain Policy" I can download and apply? Or should I just build a lab environment, write down all the settings and create them in the live environment? Or is there a procedure from Msoft to recreate this GPO from a template somewhere?
Question by: unisolutions
19 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24370747
The Dcgpofix tool recreates the two default Group Policy objects (Default Domain Policy and Default Domain Controllers Policy):
http://technet.microsoft.com/en-us/library/cc739095.aspx
How is Exchange set up there?
Thanks
Mike
 
LVL 18

Expert Comment

by:Americom
ID: 24370791
If there's no reason not to configure your DNS as an Active Directory-Integrated zone, configure DNS as ADIZ zones on all your DCs (Win2k3 and Win2k8). This may solve some of your problems, such as replication etc.

GPO can be edited by Win2k8 but not Win2k3: there are some GPOs that cannot be viewed and edited by Win2k3 but only with Vista or Win2k8, such as wired auto authentication etc. GPOs configured with Group Policy Preferences also can only be managed by Vista and Win2k8 and not Win2k3. So, you should be managing your GPOs with the later version of OS.

GPO not applying to some machines: if the GPO is configured in the Computer Configuration settings, just make sure the GPO is linked to the OU where the computer is, and that inheritance is not being blocked.
 

Author Comment

by:unisolutions
ID: 24370944
Thanks MKLine, does Dcgpofix.exe rebuild based on a backup (I have none) or will it recreate based on a "Msoft Recommended" kind of thing?

As for Xchg, that's about the only thing that works really well (Xch07 on Win2008).

@Americom, DNS reconfig will be my next step, ADIZ is already done... No blocking of inheritance or anything, and no Vista computers in the park; the GPOs that cannot be edited are for instance folder redirection for My Docs.
 
LVL 21

Expert Comment

by:snusgubben
ID: 24371921
"dcgpofix" does not need any backup. It will set the default GPOs back to the state they were in when your domain was created. It will not touch any custom-made GPOs, only the two mkline mentioned.

DNS is the first thing you should fix. Start > Run > dcdiag /test:dns /v /e /f:dnslog.txt

This will test all your DNS servers. When DNS is OK, you should run "dcdiag /v /e /c" to check for other errors in your domain.

SG
 
LVL 21

Expert Comment

by:snusgubben
ID: 24371941
Forgot to mention that "dcgpofix" cannot set the security on the "Default Domain Controllers Policy".

http://support.microsoft.com/kb/833783

SG
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24371963
****Hold off on the DCGPOFIX, I need to look up the activedir archives. If memory serves me, it may cause you to run the Exchange adprep again.
I'll follow up in the morning.
Thanks
Mike
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24375698
Ok, here is the thread I was thinking of:
http://74.125.47.132/search?q=cache:JU9Z14MuQSoJ:www.activedir.org/ListArchives/tabid/55/forumid/1/postid/31224/view/topic/Default.aspx+Resetting+Default+Domain+and+Default+Domain+Controller+Policies+site:activedir.org&cd=2&hl=en&ct=clnk&gl=us
Sorry, I had to use the cached site. Tony just moved activedir to a new host and it looks like the current archives need to be activated.
See the comment from Michael Smith (Exchange MVP).
 
Thanks
Mike
 

Author Comment

by:unisolutions
ID: 24381774
Right, thanks.

So, the network has three DCs, one 2003 (all five FSMO roles) and two 2008 (both global catalogs as well). Exch07 is on one of the two 2008.

So run "setup.com /prepareAD" and "/prepareSchema" after I run DcGpoFix on the 2003 box?

What am I risking here? Either of the two commands plays with the root of the schema... not too excited about reinstalling Exchange... Can we estimate the risks?
 

Author Comment

by:unisolutions
ID: 24381825
(I meant 3 DCs in total = 1 x 2003 and 2 x 2008)
 
LVL 21

Expert Comment

by:snusgubben
ID: 24382237
Seems to be an issue with Exchange and dcgpofix.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21825433.html

http://www.eventid.net/display.asp?eventid=2114&eventno=2458&source=MSExchangeDSAccess&phase=1 (search for "dcgpofix")

One says "Default Domain Policy" while the other says "Default Domain Controllers Policy". I can verify where the Exchange Enterprise Servers group needs to be set.

SG
 
LVL 21

Expert Comment

by:snusgubben
ID: 24382242
Typo: I can't verify where the Exchange Enterprise Servers group needs to be set.
I guess some other expert can tell you that.
 

Author Comment

by:unisolutions
ID: 24390633
Right-o, thanks guys for pointing that out, makes sense, since the tool "reverts" to right after DcPromo was run, and Exchange was set up even after...

Reading this: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21626630.html

DcGpoFix removes some Exchange entries, or at least some security settings... but that post was for 2003, what about Exch2007?

Experts needed :P
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24391380
I won't blow smoke... this is new to me too, as I've never tried dcgpofix with E2K7.
 

Author Comment

by:unisolutions
ID: 24391766
Yeah, seems like few people have :)

From what I read, running setup /prepareAD after dcgpofix is enough...

I'll build a lab and test, and let you guys know.
 

Author Comment

by:unisolutions
ID: 24392875
Response from Microsoft:
Please understand that the DcGPOFix.exe tool will reset the Default Domain Policy and Default Domain Controller Policy to default status. However, if you have set any security policies in the Default Domain Policy and Default Domain Controller Policy, the domain controller may stop working after running the DcGPOFix.exe tool.

For more information, please refer to the following article:

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
http://support.microsoft.com/default.aspx/kb/833783

As to /PrepareAD and /PrepareDomain, they are used to reset permissions for the Exchange 2007 server and create some AD objects in the domain, while /PrepareSchema is for extending the schema for Exchange 2007. For more information, please refer to the following article:

How to Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx

They are not related to Group Policy.

Also, the DcGPOFix.exe tool will only reset the Default Domain Policy and Default Domain Controller Policy and it will not touch other AD objects, such as users, computer objects or other member servers.
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 250 total points
ID: 24393472
http://support.microsoft.com/kb/833783 does not say anything about Exchange 2007.

I looked in the "Default Domain Controllers Policy" in a coworker's Exchange lab (2003 DCs and Exchange 2007) and the only thing I found was:

Computer Configuration\Windows Settings\Local Policy\User Rights Assignment\Manage auditing and security log -> "Exchange Enterprise Servers" and "Exchange Servers" (and Administrator)

I found nothing in the Default Domain Policy.

With dcgpofix you can set a parameter to only reset the Default Domain Policy and not touch the Default Domain Controllers Policy.

I dare not run dcgpofix in my coworker's lab as he will kill me if I ruin it :(

SG
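The two points above (the Exchange groups living in the DDCP's User Rights Assignment, and the dcgpofix switch that resets only the Default Domain Policy) suggest a pre-flight snapshot before anyone runs the tool. The script below is an added example, not from the thread or from Microsoft; it assumes the RSAT GroupPolicy module (Windows Server 2008 R2 / Windows 7 or later, so not the 2003 DC), a domain-admin session, and a backup path of your choosing.

```powershell
# Added example: snapshot what dcgpofix will wipe before resetting the default GPOs.
# Assumes the GroupPolicy module (RSAT, 2008 R2+) and domain-admin rights.
Import-Module GroupPolicy

$backupRoot = 'C:\GPOBackup'                      # assumed path, change to suit
$ddcp = 'Default Domain Controllers Policy'
$ddp  = 'Default Domain Policy'

# 1. Back up every GPO first so a bad reset can be undone with Restore-GPO.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Backup-GPO -All -Path $backupRoot | Select-Object DisplayName, Id

# 2. Record the User Rights Assignment of a GPO. KB 833783 says dcgpofix does
#    not restore these in the DDCP, and that is where the Exchange groups sit.
function Get-GpoUserRights {
    param([string]$GpoName)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # local-name() XPath sidesteps the q1: namespace prefix of the security extension
    foreach ($n in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $priv    = $n.SelectSingleNode("*[local-name()='Name']").InnerText
        $members = $n.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                   ForEach-Object { $_.InnerText }
        [pscustomobject]@{ Privilege = $priv; Members = ($members -join '; ') }
    }
}

$rights = Get-GpoUserRights -GpoName $ddcp
$rights | Export-Csv -Path "$backupRoot\ddcp-user-rights.csv" -NoTypeInformation

# SeSecurityPrivilege is "Manage auditing and security log", the entry found above.
Write-Host "Current holders of Manage auditing and security log in the DDCP:"
$rights | Where-Object { $_.Privilege -eq 'SeSecurityPrivilege' } | Format-List

# 3. Only now reset, and only the Default Domain Policy. /target:Domain leaves the
#    DDCP (and its Exchange entries) untouched; /target:Both would reset both.
$answer = Read-Host "Type RESET to run 'dcgpofix /target:Domain' against '$ddp'"
if ($answer -eq 'RESET') {
    dcgpofix /target:Domain
    # Re-read the DDCP afterwards and diff against the CSV to confirm nothing moved.
    Compare-Object -ReferenceObject $rights `
                   -DifferenceObject (Get-GpoUserRights -GpoName $ddcp) `
                   -Property Privilege, Members
}
```

If Compare-Object prints nothing, the DDCP rights are unchanged; any line it does print names a privilege whose members must be re-added by hand from the CSV.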
 

Author Comment

by:unisolutions
ID: 24394970
Yeah thanks SG, leave the poor bastard in peace, I'll run it in my own lab, then you can ruin his :)

I spoke to the Msoft engineer and he says:

"By security policy, I mean the Audit Policy, User Rights Assignment. They can be found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
For detailed information, I suggest checking the "MORE INFORMATION" part of the following KB article:
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state http://support.microsoft.com/default.aspx/kb/833783"

That sounds pretty safe to me.
I'll keep you posted.
 

Author Comment

by:unisolutions
ID: 24427653
 

Author Closing Comment

by:unisolutions
ID: 31580806
Thank you both, I'll close this for now; just FYI the client has agreed we try this, he knows the risk. I'll keep posting the results here for our education :)
