Default Domain Policy missing

I am having an issue at a site I support and need some advice.

1 * Win 2K SP4 Server Standard DC running dhcp/dns/File & print
1 * Server 2003 Standard running Exchange 2003 Standard
6 * Member Servers running Win 2000 server or Win 2003 standard.
30 XP clients

Last week I went to install a new Server 2003 R2 SP2 server to become the new
DC running dhcp/dns/File & print.

On the existing Win 2K Standard DC I ran from the Win 2003 R2 cd2
adprep /forestprep
adprep /domainprep

On the new 2003 R2 server
I added it as a member server to the domain and then I ran a Dcpromo on it and all seems to run fine.
On the new dc the Sysvol and the Netlogon folders were automatically created and shared and I can see the login scripts are in them.

I am getting an issue on the new 2003 Dc in the event log every 5 minutes.
Event ID: 1058
“Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Athlone,DC=local. The file must be present at the location <\\Athlone.local\sysvol\Athlone.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.”

Looking from both servers at the Sysvol\sysvol\athlone.local\policies folder I do not see a folder called 31B2F340-016D-11D2-945F-00C04FB984F9, I do see another folder called A0CA9A6E-1944-46E7-4124178B1C9F.
When I go onto Active Directory on either DC I can access the GPO I have on the Users OU, but when I try to access Domain Controllers – Default Domain Controllers Policy to edit it I get an error: “Failed to open the group policy object. You may not have the appropriate rights, the system cannot find the path specified.”

Also when I try to access the Default Domain Policy I get the same errors.

I ran DCDIAG on the 2K DC and it comes back all fine.

Looking online for fixes I have come across:
1) Using DCGPOFIX for Server 2003 to recreate the Default Domain Controllers Policy
2) Dcgpofix for Server 2000 to recreate the Default Domain Controllers Policy
I have read there can be issues after the two above, where “The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state”.
3) , this instructs me on “How to rebuild the SYSVOL tree and its content in a domain”
I have not moved over the 5 FSMO roles to the new DC as yet, as I intend to retire the 2000 DC as it's an old server.

So I may have 2 other options:
a) Move over the 5 roles onto the new DC and set up dhcp/dns and then try the DCGPOFIX
b) Demote the new DC and then run the DCGPOFIX on the 2K Server.

I have read
By ChiefIT

Any advice?
MidCompCompany OwnerAsked:
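The symptoms above (Event ID 1058, a GUID folder missing under Policies, an unexpected extra GUID folder) come down to whether AD's GPO container and its SYSVOL folder agree. The following PowerShell script is an added example, not code from the thread or from any of the posters: it reads both default GPOs from AD by their well-known GUIDs (the Default Domain Policy GUID is quoted in the event above; the Default Domain Controllers Policy GUID {6AC1786C-016F-11D2-945F-00C04fB984F9} is the other fixed one), follows gPCFileSysPath to SYSVOL, confirms gpt.ini is there, compares the version numbers the way gpotool.exe does, and lists any Policies folders that have no container in AD. It assumes a domain-joined machine with PowerShell 3.0 or later and an account that can read SYSVOL; it uses only [ADSI], so no AD module is needed.

```powershell
# Added example (not from the thread): check that the two default GPOs exist in AD
# and in SYSVOL, and that the two copies carry the same version number.
# Assumes a domain-joined machine, PowerShell 3.0+, and read access to SYSVOL.

# Well-known GUIDs, identical in every Active Directory domain.
$DefaultGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}' = 'Default Domain Controllers Policy'
}

$domainDn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$domainFqdn = ($domainDn -replace '^DC=', '') -replace ',DC=', '.'

function Test-DefaultGpo {
    param([string]$Guid, [string]$Name)

    $report = [ordered]@{
        Name = $Name; Guid = $Guid; InAD = $false; SysvolPath = $null
        GptIniPresent = $false; AdVersion = $null; SysvolVersion = $null; Status = 'Unknown'
    }

    # 1. The GPO container (GPC) in AD.
    $ldapPath = "LDAP://CN=$Guid,CN=Policies,CN=System,$domainDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($ldapPath)) {
        $report.Status = 'GPC missing in AD'
        return [pscustomobject]$report
    }
    $gpc = [ADSI]$ldapPath
    $report.InAD       = $true
    $report.AdVersion  = [int]$gpc.versionNumber.Value
    $report.SysvolPath = [string]$gpc.gPCFileSysPath.Value

    # 2. The SYSVOL side: the folder gPCFileSysPath points at must hold gpt.ini.
    $gptIni = Join-Path $report.SysvolPath 'gpt.ini'
    if (-not (Test-Path -LiteralPath $gptIni)) {
        $report.Status = 'gpt.ini missing in SYSVOL (the condition behind Event ID 1058)'
        return [pscustomobject]$report
    }
    $report.GptIniPresent = $true

    # 3. gpt.ini is a tiny INI file; Version= must match versionNumber in AD.
    $m = [regex]::Match(((Get-Content -LiteralPath $gptIni) -join "`n"), '(?m)^Version=(\d+)')
    if ($m.Success) { $report.SysvolVersion = [int]$m.Groups[1].Value }

    if ($report.SysvolVersion -eq $report.AdVersion) { $report.Status = 'OK' }
    else { $report.Status = 'Version mismatch between AD and SYSVOL' }
    [pscustomobject]$report
}

$DefaultGpos.GetEnumerator() |
    ForEach-Object { Test-DefaultGpo -Guid $_.Key -Name $_.Value } |
    Format-List

# 4. Policies folders in SYSVOL with no GPC in AD (orphans left behind by a
#    deleted or never-replicated GPO) show up here.
$policiesRoot = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies"
Get-ChildItem -LiteralPath $policiesRoot -Directory |
    Where-Object { -not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$($_.Name),CN=Policies,CN=System,$domainDn") } |
    ForEach-Object { Write-Warning "SYSVOL folder with no GPO container in AD: $($_.FullName)" }
```

Run it once against each DC's own SYSVOL share (replace the UNC root with \\DCNAME\SYSVOL\... if you want to compare the two copies directly) before deciding between repairing SYSVOL and running dcgpofix: a GPC that still exists in AD with only the SYSVOL folder missing is a replication or file-system problem, whereas a missing GPC is what dcgpofix recreates.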

Mike KlineCommented:
Have you seen this article also:

I'd try step 8 (dfsutil /purgemupcache) and then go through the others if that doesn't help.

DCGPOFIX would be the last resort; I think you would have to run the exchange /domainprep again if you do that (I'll have to look that up to make sure my memory is not failing me)



MidCompCompany OwnerAuthor Commented:
Which Server should I try running dfsutil /purgemupcache on?
MidCompCompany OwnerAuthor Commented:
Does this solution look like a likely fix?

This is the Default Domain Policy (31B2F340-016D-11D2-945F-00C04FB984F9) and it looks to be corrupted, either by an antivirus scan, a virus infection, or by modifying it.
Copy the same from a healthy DC to the problem DC.
Run gpotool.exe on the problem server and see if it reports an error.
If you don't have any healthy server containing the default policy, you can run dcgpofix, but as blunttony said, it's a last option.
You should always exclude sysvol & ntds from scanning, and never modify the Default Domain & Domain Controllers policies; if you want, create a new policy & link it.
You can also use the Group Policy Best Practice Analyser.
A simple fix. Did you run adprep /domainprep /gpprep? If not, the Enterprise Domain Controllers ACE has not been added to your GPOs. This is required for 2003 DCs to read GPOs created in W2K.
MidCompCompany OwnerAuthor Commented:
I have no good DC, just the 2K DC and the 2003 DC, and both are missing the 2 policies in their sysvol.
I will run gpotool.exe this evening on the site.

I have not run adprep /domainprep /gpprep; I just ran the following.
On the existing Win 2K Standard DC I ran from the Win 2003 R2 cd2:
adprep /forestprep
adprep /domainprep

Do I run adprep /domainprep /gpprep on the 2003 DC? What will it do? Will it recreate the missing policies?

Note: No client PCs in this site are having any issues other than the errors in their event logs - they can all log in to the domain and access shares as normal.
You should have run the GPprep as part of the domain upgrade. You will need to do this in any case, and it can be run from any server that has the adprep files on it. The gpotool will not help if you have lost the GPO.

You can recreate the default policies using the dcgpofix tool, but it will overwrite the files. You will also have to recreate any settings you had within them.
adprep /domainprep /gpprep is run on the infrastructure master & it adds the inheritable access control entries (ACEs) on GPOs in the Sysvol shared resource. The additional ACEs give enterprise domain controllers read access permissions on GPOs. These permissions are required to support Resultant Set of Policy (RSoP) functionality for site-based policy.

If you don't have a backup & the policies are missing from all the DCs:
Run dcgpofix /ignoreschema on the PDC.

Note: Don't modify any settings in the default GPOs; they contain a few predefined settings required for the DC to function properly.


MidCompCompany OwnerAuthor Commented:
Ok, I will run adprep /domainprep /gpprep on the 2K DC first, as this machine is the infrastructure master.

Am I right in saying that dcgpofix /ignoreschema has to be run on the 2003 DC and not the 2K DC, as this tool only works on the 2003 server family?
So on the 2003 DC from a command prompt I go to the C:\Windows\Repair folder
and just run dcgpofix /ignoreschema and accept when asked:
"  You are about to restore Default Domain policy and Default Domain
  Controller policy for the following domain
  Do you want to continue: ? Y"

Will this have any effect or issues on the 2K DC, as it still has all the 5 roles running on it and is currently the only global catalog server in the domain? Also, will it affect the 2003 Exchange member server?

I had made no settings or changes to the 2 GPOs.
There will be no impact running dcgpofix on a DC.

I think dcgpofix is installed with the support tools of Windows 2003.

For win2000 there is tool called Recreatedefpol.exe

Running dcgpofix will create the GPOs with default settings.
MidCompCompany OwnerAuthor Commented:
Thanks guys - I will run
1) adprep /domainprep /gpprep on the 2K DC
2) dcgpofix /ignoreschema on the 2003 DC

It will be Monday when I run these as I am not back at the site until then.
MidCompCompany OwnerAuthor Commented:
I ran the above today. All seems fine with the policies now, but I ran into an issue on the Exchange 2003 server after the GPO security settings were reset:
Only Administrators had the Manage auditing and security log right under Computer Configuration > Security Settings > Local Policy > User Rights Assignment > Manage Auditing and Security Log. This resulted in the Exchange Server not functioning (STORE.EXE does not have audit security privilege on the Domain Controller. This Domain Controller will not be used by DSAccess).
Here is the fix:
1. Open the Default Domain Controllers Security Settings snap-in on the domain controller specified in the event description.

2. In the console tree, under Security Settings, expand Local Policies, and then click User Rights Assignments.

3. In the results pane, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.

Make sure that the Exchange server is still a member of the Exchange Domain Servers group. Also, make sure that the Exchange Domain Servers group is a member of the Exchange Enterprise Servers group.

I could not see any other issues - I will be onsite tomorrow and once everything is ok there, I will update and award points.
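The snap-in steps above edit one setting, SeSecurityPrivilege in the Default Domain Controllers Policy, and dcgpofix resets it to the built-in default, which is why the Exchange groups disappeared. The following PowerShell script is an added example, not code from the thread or from any poster: it reads that right straight from the policy's security template in SYSVOL (GptTmpl.inf), translates the SIDs to account names, and reports which of the expected groups are missing, so the check can be repeated after any future dcgpofix run without opening the console. The Default Domain Controllers Policy GUID is the well-known fixed one; the two expected group names are taken from the post above and are an assumption to adjust to the domain. It assumes a domain-joined machine with PowerShell 3.0 or later whose account can read SYSVOL and resolve domain SIDs.

```powershell
# Added example (not from the thread): list who holds "Manage auditing and security log"
# (SeSecurityPrivilege) in the Default Domain Controllers Policy and flag missing groups.
# Assumes a domain-joined machine, PowerShell 3.0+, and read access to SYSVOL.

# Groups expected to hold the right (names from the post above; adjust to the domain).
$ExpectedGroups = @('Exchange Enterprise Servers', 'Exchange Servers')
# Well-known GUID of the Default Domain Controllers Policy, the same in every domain.
$DdcpGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$gpc      = [ADSI]"LDAP://CN=$DdcpGuid,CN=Policies,CN=System,$domainDn"
$template = Join-Path ([string]$gpc.gPCFileSysPath.Value) 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
if (-not (Test-Path -LiteralPath $template)) { throw "Security template not found: $template" }

# Find the SeSecurityPrivilege line inside the [Privilege Rights] section of the template.
$inSection = $false
$sidList   = $null
foreach ($line in Get-Content -LiteralPath $template) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^SeSecurityPrivilege\s*=\s*(.*)$') { $sidList = $Matches[1]; break }
}
if ($null -eq $sidList) { throw "SeSecurityPrivilege is not defined in $template" }

# Entries look like *S-1-5-32-544 (a SID with a leading *) or a bare account name.
# Translate SIDs to DOMAIN\Name; keep the raw SID if it no longer resolves.
$holders = foreach ($entry in ($sidList -split ',')) {
    $entry = $entry.Trim()
    if ($entry -eq '') { continue }
    if (-not $entry.StartsWith('*')) { $entry; continue }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# Compare on the account name only, ignoring the DOMAIN\ prefix.
$missing = $ExpectedGroups | Where-Object {
    $group = $_
    -not ($holders | Where-Object { ($_ -split '\\')[-1] -eq $group })
}

[pscustomobject]@{
    Template              = $template
    Holders               = @($holders)
    MissingExpectedGroups = @($missing)
}
if ($missing) {
    Write-Warning ("Missing from SeSecurityPrivilege: " + ($missing -join ', ') +
                   ". STORE.EXE needs this right on the DC, otherwise DSAccess stops using it.")
}
```

Because GptTmpl.inf is the file the Group Policy editor writes, the result reflects what is actually replicated to the DCs rather than what a console session shows; reading the same template with the Default Domain Policy GUID works for that policy too, but the right in question is set in the Domain Controllers policy.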
The reason the default Exchange groups were not there is that when you ran dcgpofix it reset the default policies, and the Exchange groups are added when you run Exchange setup.

So, it's normal.
MidCompCompany OwnerAuthor Commented:
The Exchange server is not sending/receiving mail since:

LDAP Bind was unsuccessful on directory HODBAYFS.Athlone.local for distinguished name ''. Directory returned error:[0x51] Server Down.  DC=Athlone,DC=local
Could not open LDAP session to directory 'HODBAYFS.Athlone.local' using local service credentials. Cannot access Address List configuration information.  Make sure the server 'HODBAYFS.Athlone.local' is running.  DC=Athlone,DC=local
Permanent failure reported by policy group provider for 'CN=System Policies,CN=HBH,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Athlone,DC=local':'MAD.EXE', error=80040103.  Taking provider offline.  
The Win32 API call 'DsGetDCNameW' returned error code [0x54b] The specified domain either does not exist or could not be contacted.  The service could not be initialized.  Make sure that the operating system was installed properly.
Process MAD.EXE (PID=2416). All Global Catalog Servers in use are not responding:
The MAPI call 'OpenMsgStore' failed with the following error:
The information store could not be opened.
The logon to the Microsoft Exchange Server computer failed.
MAPI 1.0
ID no: 80040111-0286-00000000
Where HODBAYFS is the Win2K DC
MidCompCompany OwnerAuthor Commented:
Did a restart of the Exchange System Attendant service and it now seems ok. I will monitor, but mail is going in/out.
MidCompCompany OwnerAuthor Commented:
All working now - the Exchange threw me off, but I got it resolved easily enough.
