Default Domain Policy

Gee what a mess...

Got this "new" client who's been looked after by clowns.
Where should I start...

- DCDiag full of errors
- AD replication ok between 2003 and 2008 but fails between 2008 and 2008
- AD Site and Services still refers to old accounts
- DNS not configured
- GPO not applying to some machines
- GPO can be edited from 2008 DC but can't from 2003 DC
- "Default Domain Policy" is blank, and replaced by another "Company Default Policy" which has weird settings, etc.

I'll start with rebuilding the GPO and cleaning up the AD Schema. As the Default Domain Policy is blank, I need to recreate it from scratch (and of course there was no backup until now).

My question: is there a "default Default Domain Policy" I can download and apply? Or should I just build a lab environment, write down all the settings and create these in the live environment? Or is there a procedure from Msoft to recreate this GPO from a template somewhere?
unisolutions
Asked:
2 Solutions
 
Mike KlineCommented:
Dcgpofix tool recreates the two default Group Policy objects (default domain and default domain controller policy)
http://technet.microsoft.com/en-us/library/cc739095.aspx
How is exchange setup there?
Thanks
Mike
 
AmericomCommented:
If there's no reason not to configure your DNS as Active Directory-Integrated zones, configure DNS as ADIZ zones on all your DCs (win2k3 and win2k8). This may solve some of your problems such as replication etc.
GPO can be edited by win2k8 but not win2k3: there are some GPO settings that cannot be viewed or edited by win2k3 but only with Vista or Win2k8, such as wired auto-configuration authentication etc. GPOs configured with Group Policy Preferences can also only be managed by Vista and Win2k8 and not Win2k3. So, you should be managing your GPOs with the later version OS.
GPO not applying to some machines: if the GPO is configured in the Computer Configuration settings, just make sure the GPO is linked to the OU where the computer is in and that inheritance is not being blocked.
 
unisolutionsAuthor Commented:
Thanks MKLine, does Dcgpofix.exe rebuild based on a backup (I have none) or will it recreate based on a "Msoft Recommended" kind of thing?

As for Xchg, that's about the only thing that works really well (Xch07 on Win2008).

@Americom, DNS reconfig will be my next step, ADIZ is already done... No blocking of inheritance or anything, and no Vista computers on the park; the GPOs that cannot be edited are for instance folder redirection for mydocs.
 
snusgubbenCommented:
"dcgpofix" does not need any backup. It will set the default GPOs back to the state they were in when your domain was created. It will not touch any custom made GPOs, only those two mkline mentioned.

DNS is the first thing you should fix. Start > Run > dcdiag /test:dns /v /e /f:dnslog.txt

This will test all your DNS servers. When DNS is ok, you should run a "dcdiag /v /e /c" to check for other errors in your domain.

SG
 
snusgubbenCommented:
Forgot to mention that "dcgpofix" cannot set the security on the "Default Domain Controller Policy".

http://support.microsoft.com/kb/833783

SG
 
Mike KlineCommented:
****Hold off on the DCGPOFIX, I need to look up the activedir archives. If memory serves me it may cause you to run the Exchange adprep again.
I'll follow up in the morning.
Thanks
Mike
 
Mike KlineCommented:
Ok here is the thread I was thinking of
http://74.125.47.132/search?q=cache:JU9Z14MuQSoJ:www.activedir.org/ListArchives/tabid/55/forumid/1/postid/31224/view/topic/Default.aspx+Resetting+Default+Domain+and+Default+Domain+Controller+Policies+site:activedir.org&cd=2&hl=en&ct=clnk&gl=us
Sorry I had to use the cached site. Tony just moved activedir to a new host and it looks like the current archives need to be activated.
See the comment from Michael Smith (Exchange MVP).

Thanks
Mike
 
unisolutionsAuthor Commented:
Right, thanks.

So, the network has three DCs, one 2003 (all five FSMO roles) and two 2008 (both global catalogs as well). Exch07 is on one of the two 2008.

So run "setup.com /prepareAD" and "/prepareSchema" after I run the DcGpoFix on the 2003 box?

What am I risking here? Both commands play with the root of the schema... not too excited about reinstalling Exchange... Can we estimate the risks?
 
unisolutionsAuthor Commented:
(I meant 3 DCs in total = 1 x 2003 and 2 x 2008)
 
snusgubbenCommented:
Seems to be an issue with Exchange and dcgpofix.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21825433.html

http://www.eventid.net/display.asp?eventid=2114&eventno=2458&source=MSExchangeDSAccess&phase=1 (search for "dcgpofix")

One says "Default domain policy" while the other says the "default domain controller policy". I can verify where the Exchange Enterprise Servers group needs to be set.

SG
 
snusgubbenCommented:
Typo: I can't verify where the Exchange Enterprise Servers group needs to be set.
I guess some other expert can tell you that.
 
unisolutionsAuthor Commented:
Right-o, thanks guys for pointing that out, makes sense, since the tool "reverts" to right after DcPromo was run, and Exchange was set up even after...

Reading this: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_21626630.html

DcGpoFix removes some Exchange entries or at least some security settings... but that post was for 2003, what about Exch2007?

Experts needed :P
 
Mike KlineCommented:
I won't blow smoke... this is new to me too as I've never tried dcgpofix with E2K7.
 
unisolutionsAuthor Commented:
Yeah, seems like few people have :)

From what I read, running setup /preparead after dcgpofix is enough...

I'll build a lab and test, and let you guys know.
 
unisolutionsAuthor Commented:
Response from Microsoft:
Please understand that the DcGPOFix.exe tool will reset the Default Domain Policy and Default Domain Controller Policy to default status. However, if you have set any security policies in the Default Domain Policy and Default Domain Controller Policy, the domain controller may stop working after running the DcGPOFix.exe tool.

For more information, please refer to the following article:

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
http://support.microsoft.com/default.aspx/kb/833783

As to /PrepareAD and /PrepareDomain, they are used to reset permissions for the Exchange 2007 server and create some AD objects in the domain, while /PrepareSchema is for extending the schema for Exchange 2007. For more information, please refer to the following article:

How to Prepare Active Directory and Domains
http://technet.microsoft.com/en-us/library/bb125224.aspx

They are not related to Group Policy.

Also, the DcGPOFix.exe tool will only reset the Default Domain Policy and Default Domain Controller Policy and it will not touch other AD objects, such as users, computer objects or other member servers.
 
snusgubbenCommented:
http://support.microsoft.com/kb/833783 does not say anything about Exchange 2007.

I looked in the "Default Domain Controller Policy" in a coworker's Exchange lab (2003 DCs and Exchange 2007) and the only thing I found was:

Computer Configuration\Windows Settings\Local Policy\User Rights Assignment\Manage auditing and security log -> "Exchange Enterprise Servers" and "Exchange Servers" (and Administrators)

I found nothing in the Default Domain Policy.

With dcgpofix you can set a parameter to only reset the Default Domain Policy and not touch the Default Domain Controller Policy.

I dare not run a dcgpofix in my coworker's lab as he will kill me if I ruin it :(

SG
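As an added example (not posted by anyone in this thread), a PowerShell pre-flight script for the situation above: it backs up every GPO and records which principals hold the "Manage auditing and security log" right (SeSecurityPrivilege) in the Default Domain Controllers Policy, so the Exchange entries can be compared and re-added after dcgpofix. It assumes the GroupPolicy RSAT module is installed and uses C:\GPOBackup as an assumed backup folder.

```powershell
# Added example, not from the thread. Capture what dcgpofix may wipe before running it.
# Assumes: GroupPolicy module (RSAT/GPMC) available, domain admin rights, writable $BackupPath.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackup'                      # assumed location, change as needed
$DcPolicy   = 'Default Domain Controllers Policy'
$Right      = 'SeSecurityPrivilege'               # "Manage auditing and security log"

# 1. Back up every GPO so there is something to restore from (the poster had none).
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Path $BackupPath -Comment "Before dcgpofix $(Get-Date -Format s)" | Out-Null

# 2. Read the DC policy as XML and list who holds the given user right.
function Get-UserRightMembers {
    param([string]$GpoName, [string]$Privilege)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # The report is namespaced; matching on local-name() keeps this independent of prefixes.
    $xpath = "//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='$Privilege']" +
             "/*[local-name()='Member']/*[local-name()='Name']"
    $report.SelectNodes($xpath) | ForEach-Object { $_.InnerText }
}

$members = @(Get-UserRightMembers -GpoName $DcPolicy -Privilege $Right)
$members | Out-File (Join-Path $BackupPath "$Right-before.txt")   # keep a record to diff later
$members

# 3. Flag the Exchange groups the thread is worried about. KB 833783 says dcgpofix does not
#    restore these security settings, so anything listed here must be re-added by hand.
#    Running "dcgpofix /target:Domain" resets only the Default Domain Policy and avoids this.
$exchange = @($members | Where-Object { $_ -match 'Exchange' })
if ($exchange.Count -gt 0) {
    Write-Warning "These Exchange principals hold $Right in '$DcPolicy' and will need re-adding after dcgpofix /target:DC:"
    $exchange | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "No Exchange principals hold $Right in '$DcPolicy'."
}
```

Run it again after dcgpofix and diff the two text files to confirm exactly which rights were lost.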
 
unisolutionsAuthor Commented:
Yeah thanks SG, leave the poor bastard in peace, I'll run it in my own lab, then you can ruin his :)

I spoke to the Msoft engineer and he says:

"By security policy, I mean the Audit Policy, User Rights Assignment. They can be found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies.
For detailed information, I suggest checking the "MORE INFORMATION" part of the following KB article:
The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state http://support.microsoft.com/default.aspx/kb/833783"

That sounds pretty safe to me.
I'll keep you posted.
 
unisolutionsAuthor Commented:
Thank you both, I'll close this for now. Just FYI, the client has agreed we try this; he knows the risk. I'll keep posting the results here for our education :)