Default Domain Policy missing

I am having an issue at a site I support and need some advice.

Site:
1 * Win 2K SP4 Server Standard DC running dhcp/dns/File & print
1 * Server 2003 Standard running Exchange 2003 Standard
6 * Member Servers running Win 2000 server or Win 2003 standard.
30 XP clients

Last week I went to install a new Server 2003 R2 SP2 server to become the new
DC running dhcp/dns/File & print.

On the existing Win 2K Standard DC I ran from the Win 2003 R2 cd2
adprep /forestprep
adprep /domainprep

On the new 2003 R2 server
I added it as a member server to the domain and then I ran a Dcpromo on it and all seems to run fine.
On the new dc the Sysvol and the Netlogon folders were automatically created and shared and I can see the login scripts are in them.

I am getting an issue on the new 2003 Dc in the event log every 5 minutes.
Event ID: 1058
“Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Athlone,DC=local. The file must be present at the location <\\Athlone.local\sysvol\Athlone.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.”

Looking from both servers at the Sysvol\sysvol\athlone.local\policies folder I do not see a folder called 31B2F340-016D-11D2-945F-00C04FB984F9, I do see another folder called A0CA9A6E-1944-46E7-4124178B1C9F.
When I go onto Active Directory on either DC I can access the GPO I have on the Users OU, but when I try to access the Domain Controllers – Default Domain Controllers Policy to edit it I get an error “Failed to open the group policy object. You may not have the appropriate rights, the system cannot find the path specified.”

Also when I try to access the Default Domain Policy I get the same errors.

I ran DCDIAG on the 2K DC and it comes back all fine.

Looking online for fixes I have come across:
1) Using DCGPOFIX for Server 2003 to recreate the Default Domain Controllers Policy
2) Dcgpofix for Server 2000 to recreate the Default Domain Controllers Policy
I have read there can be issues after the 2 above where “The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state”
OR
3) http://support.microsoft.com/kb/315457, this instructs me on “How to rebuild the SYSVOL tree and its content in a domain”
I have not moved over the 5 FSMO roles to the new DC as yet as I intend to retire the 2000 DC as it's an old server.

So I may have 2 other options:
a) Move over the 5 roles onto the new DC and set up dhcp/dns and then try the DCGPOFIX
b) Demote the new DC and then run the DCGPOFIX on the 2K Server.

I have read http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html
By ChiefIT

Any advice?
Thanks
James
MidComp asked:
Awinish commented:
adprep /domainprep /gpprep is run on the infrastructure master & it adds the inheritable access control entries (ACEs) on GPOs in the Sysvol shared resource. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSoP) functionality for site-based policy.

http://support.microsoft.com/kb/324392

If you don't have a backup & policies are missing from all the DCs,
run dcgpofix /ignoreschema on the PDC.

Note: Don't modify any settings in the default GPOs; they contain a few predefined settings required for DCs to function properly.

0
 
Mike Kline commented:
Have you seen this article also:

http://support.microsoft.com/kb/887303

I'd try step 8, dfsutil /purgemupcache, and then go through the others if that doesn't help.

DCGPOFIX would be the last resort; I think you would have to run the exchange /domainprep again if you do that (I'll have to look that up to make sure my memory is not failing me)

Thanks

Mike
0
 
MidComp (Author) commented:
Which Server should I try running dfsutil /purgemupcache on?
0
 
MidComp (Author) commented:
Does this solution look like a likely fix?
http://support.microsoft.com/kb/315457/
0
 
Awinish commented:
This is the Default Domain Policy (31B2F340-016D-11D2-945F-00C04FB984F9) & it looks to be corrupted either by an antivirus scan or virus infection, or by modifying.
Copy the same from a healthy DC to the problem DC.
Run gpotool.exe on the problem server & see if it reports an error.
If you don't have any healthy server containing the default policy, you can run dcgpofix, but as it's said by blunttony it's a last option.
You should always exclude sysvol & ntds from scanning & never modify the Default Domain & Domain Controllers policies; if you want, create a new policy & link it.
You can also use Group policy best practice analyser.
http://blogs.technet.com/askds/archive/2008/04/11/group-policy-best-practice-analyzer.aspx 
0
 
Hi8uS commented:
A simple fix. Did you run adprep /domainprep /gpprep? If not, the Enterprise Domain Controllers ACE has not been added to your GPOs. This is required for 2003 DCs to read GPOs created in W2K.
0
 
MidComp (Author) commented:
I have no good DC, just the 2K DC and the 2003 DC; both are missing the 2 policies in their sysvol.
I will run gpotool.exe this evening on the site.

I have not run adprep /domainprep /gpprep, I just ran
On the existing Win 2K Standard DC I ran from the Win 2003 R2 cd2
adprep /forestprep
adprep /domainprep

Do I run adprep /domainprep /gpprep on the 2003 DC? What will it do? Will it recreate the missing policies?

Note: No client PCs in this site are having any issues other than the errors in their event logs - they can all log in to the domain and access shares as normal.
0
 
Hi8uS commented:
You should have run the GPprep as part of the domain upgrade. You will need to do this in any case and it can be run from any server that has the adprep files on it. The gpotool will not help if you have lost the GPO.

You can recreate the default policies using the dcgpofix tool, but it will overwrite the files. You will also have to recreate any settings you had within them.
0
 
MidComp (Author) commented:
OK I will run adprep /domainprep /gpprep on the 2K DC first as this machine is the infrastructure master.

Am I right in saying that dcgpofix /ignoreschema has to be run on the 2003 DC and not the 2K DC as this tool only works on the 2003 server family?
So on the 2003 DC from a command prompt I go to the C:\Windows\Repair folder
and just run dcgpofix /ignoreschema  and accept when asked:
"  You are about to restore Default Domain policy and Default Domain
  Controller policy for the following domain
 
  MyDomain.local
 
  Do you want to continue: ? Y"

Will this have any effect or issues on the 2K DC as it still has all the 5 roles running on it and is currently the only global catalog server in the domain? Also will it affect the 2003 Exchange member server?


I had made no settings or changes to the 2 GPO's.
0
 
Awinish commented:
There will be no impact running dcgpofix on the DC.

I think dcgpofix is installed with the support tools of Windows 2003.

For Win2000 there is a tool called Recreatedefpol.exe

http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Running dcgpofix will create the GPOs with default settings.
0
 
MidComp (Author) commented:
Thanks guys - I will run
1) adprep /domainprep /gpprep on the 2K DC
2) dcgpofix /ignoreschema on the 2003 DC

It will be Monday when I run these as I am not back at the site until then.
0
 
MidComp (Author) commented:
I ran the above today. All seems fine with the policies now, but I ran into an issue on the Exchange 2003 server after the GPO security settings were reset:
Only Administrators had the Manage auditing and security log right under Computer Configuration > Security Settings > Local Policy > User Rights Assignment > Manage Auditing and Security Log. Which resulted in the Exchange Server not functioning (STORE.EXE does not have audit security privilege on the Domain Controller. This Domain Controller will not be used by DSAccess).
Here is the fix:
1. Open the Default Domain Controllers Security Settings snap-in on the domain controller specified in the event description.

2. In the console tree, under Security Settings, expand Local Policies, and then click User Rights Assignments.

3. In the results pane, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.

Make sure that the Exchange server is still a member of the Exchange Domain Servers group. Also, make sure that the Exchange Domain Servers group is a member of Exchange Enterprise Servers group.

I could not see any other issues - I will be onsite tomorrow and once everything is ok there, I will update and award points.
0
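The two checks this thread turns on, the missing gpt.ini behind Event 1058 and the Exchange groups dropped from "Manage auditing and security log" after dcgpofix, can be verified from one place. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 3 or later on a domain-joined machine run as a domain admin, that $Domain is the DNS domain name, and that the Exchange group names are those quoted in the fix above. The Default Domain Controllers Policy GUID is the well-known value, which the thread itself does not quote.

```powershell
# Added example (not from the thread). Walks every DC's SYSVOL, confirms both
# default GPOs have a gpt.ini, then checks SeSecurityPrivilege in the DDCP template.
# Assumes: domain-joined machine, run as a domain admin, Windows PowerShell 3+.
param([string]$Domain = $env:USERDNSDOMAIN)

# Well-known GUIDs of the two default GPOs (the first is the one in the 1058 event).
$DefaultGpos = [ordered]@{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}
# Groups the fix in the thread says must hold "Manage auditing and security log".
$ExchangeGroups = 'Exchange Enterprise Servers', 'Exchange Domain Servers'

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
foreach ($dc in $dcs) {
    $policies = "\\$($dc.Name)\SYSVOL\$Domain\Policies"
    foreach ($name in $DefaultGpos.Keys) {
        $gptIni = Join-Path $policies "$($DefaultGpos[$name])\gpt.ini"
        if (-not (Test-Path $gptIni)) {
            Write-Warning "$($dc.Name): $name has no gpt.ini at $gptIni (cause of Event 1058)"
            continue
        }
        # gpt.ini's Version packs the user version in the high 16 bits and the
        # computer version in the low 16 bits; both halves should agree across DCs.
        $line = (Get-Content $gptIni) -match '^Version=' | Select-Object -First 1
        $ver  = [int]($line -split '=')[1]
        '{0}: {1} computer version {2}, user version {3}' -f $dc.Name, $name, ($ver -band 0xFFFF), ($ver -shr 16)
    }

    # Security template of the DDCP; SeSecurityPrivilege lists SIDs prefixed with '*'.
    $tmpl = Join-Path $policies ($DefaultGpos['Default Domain Controllers Policy'] +
            '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
    if (-not (Test-Path $tmpl)) { Write-Warning "$($dc.Name): DDCP GptTmpl.inf missing"; continue }
    $priv = (Get-Content $tmpl) -match '^SeSecurityPrivilege'
    foreach ($group in $ExchangeGroups) {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "cannot resolve '$group' (Exchange not installed?)"; continue }
        # Anchor on ',' or end of line so a SID is never a prefix match of a longer RID.
        if (-not ($priv -match ([regex]::Escape($sid) + '(,|\s*$)'))) {
            Write-Warning "$($dc.Name): '$group' missing from SeSecurityPrivilege in the DDCP"
        }
    }
}
```

A warning on the last check is the SYSVOL-side view of the STORE.EXE/DSAccess error quoted above; the fix remains the User Rights Assignment edit described in the post.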
 
Awinish commented:
The reason the default Exchange groups were not there is because when you ran dcgpofix, it reset the default policies & the Exchange groups are added when you run Exchange setup.

So, it's normal.
0
 
MidComp (Author) commented:
The Exchange server is not sending/receiving mail since:

LDAP Bind was unsuccessful on directory HODBAYFS.Athlone.local for distinguished name ''. Directory returned error:[0x51] Server Down.  DC=Athlone,DC=local
Could not open LDAP session to directory 'HODBAYFS.Athlone.local' using local service credentials. Cannot access Address List configuration information.  Make sure the server 'HODBAYFS.Athlone.local' is running.  DC=Athlone,DC=local
Permanent failure reported by policy group provider for 'CN=System Policies,CN=HBH,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Athlone,DC=local':'MAD.EXE', error=80040103.  Taking provider offline.  
The Win32 API call 'DsGetDCNameW' returned error code [0x54b] The specified domain either does not exist or could not be contacted.  The service could not be initialized.  Make sure that the operating system was installed properly.
Process MAD.EXE (PID=2416). All Global Catalog Servers in use are not responding:
HODBAYFS.Athlone.local
The MAPI call 'OpenMsgStore' failed with the following error:
The information store could not be opened.
The logon to the Microsoft Exchange Server computer failed.
MAPI 1.0
ID no: 80040111-0286-00000000
Where HODBAYFS is the Win2K DC
0
 
MidComp (Author) commented:
Did a restart of the Exchange System Attendant service and it now seems OK. I will monitor, but mail is going in/out.
0
 
MidComp (Author) commented:
All working now - the Exchange threw me off, but I got it resolved easily enough.

Thanks
0