Solved

default domain policy failed warning

Posted on 2010-08-31
13
678 Views
Last Modified: 2012-06-27
our outsourced monitoring service sent us an alert stating that it has "discovered problems with the Default Domain Policy. This policy contain Password Policy, Account Lockout Policy and Kerberos Policy settings.Users will not get home folders and logon scripts will not work properly.And they may face permissions issue while accessing domain resources."

Earlier today we changed the password policy through GPO on our PDC to enforce changes every 60 days, with 7 days between changes, and 4 passwords remembered. 30 minutes later, we received this alert. I see nothing in the event viewer on that PDC. Some users have already been prompted to change their password. Some have not. No one has reported not being able to logon or access shares. I am able to get to and open the netlogon and sysvol shares from my desktop. Ran set logonserver and it showed the PDC in question. What else should I check top ensure the GPO is OK?

Any ideas to the meaning of this, and more specifically - do I need to worry about it, are greatly appreciated.
0
Comment
Question by:rpliner
  • 5
  • 4
  • 4
13 Comments
 
LVL 2

Expert Comment

by:merkage
ID: 33570950
Very common problem you have here. Default domain policy should NEVER be touched. NOTHING should be configured in this policy. It is the top level policy that defines your organization, and if it becomes corrupt you can lose your entire AD database, so I suggest removing all configured policies and then making a new one with the settings you have applied in the default.

I can tell you from past experience it is an absolute nightmare when a DDGPO gets corrupt.

0
 
LVL 7

Author Comment

by:rpliner
ID: 33571075
merkage - I printed out an html report from group policy just so I had it in case anything went awry. The company that managed the network before I was brought on has a lot of things configured in the default policy. I need to figure out how to back it up and then create a new one without disrupting business or worse. Is there any way to "roll it back" so-to-speak? Thanks.


0
 
LVL 12

Accepted Solution

by:
Rant32 earned 400 total points
ID: 33571119
merkage: that is not correct. Password policies should always be defined in the Default Domain Policy.

Source: http://support.microsoft.com/kb/269236
Source: http://technet.microsoft.com/en-us/library/dd378987%28WS.10%29.aspx

For all other computer and user settings, yes, you should create a new policy.

rpliner, I can't tell from here if this warning/error is going to give more problems.

If you want to be sure, I'd first inventory the settings in the Default Domain Policy. Any settings other than Security settings (Administrative Templates and such) must be transferred to a new GPO. If there are only security settings, then:
1) record the settings in the Default Domain Policy and Default DC Policy
2) restore the default domain policy with the help of DcGpoFix:
 http://www.windowsitpro.com/article/tips/jsi-tip-6493-window-server-2003-default-group-policy-restore-utility-v5-1-.aspx
3) re-create the security settings in the Default Domain Policy.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 2

Expert Comment

by:merkage
ID: 33571125
Well, a roll back would only be possible if you had a backup system in place. The easiest thing you can do is use Microsoft GPO editor, take a screen shot or 3 of the configuration within the policy, then start making your new policies but keep them disable for now. When you are ready to go live, you'll want to go into your default policy, change everything back to not configured, and then enable the new policies you created. In general, you'll want to have a 'security' policy that defines Password Policy, Account Lockout Policy and Kerberos Policy settings. you'll then want to create other policies for any other configurations made within your existing default domain policy.
0
 
LVL 7

Author Comment

by:rpliner
ID: 33571168
rant32 - I will check that tool out. Can't hurt to run it. Worst case is I still get a warning. Thanks.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33571254
Do you have an Event ID, source and error codes of the relevant messages in your Event Viewer?
0
 
LVL 7

Author Comment

by:rpliner
ID: 33571269
rant32 - nothing shows up in the event viewer.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33571369
Then that makes you wonder what generated the ticket? Do that monitoring service check for specific options in the password policy, so they generate a warning if the policy changes?

Modifying the default domain GPO is not wise in case you have to restore it to defaults, and in case someone badly screws up the settings, but changing the password policy is normally not "omg-epic outage" bad like the alert pretends it is.
0
 
LVL 2

Assisted Solution

by:merkage
merkage earned 100 total points
ID: 33571404
Rant32 - I still keep all mine separate. I had a default domain GPO become corrupt once, and it was hell getting it back. Microsoft was involved and actually had me configure it in that way to avoid ever having to worry about corruption again (ie, we would never touch/modify the default again). you always run the risk of corruption when your modifying, so the less you can do to the policy, the better off you are. this was done by a Microsoft engineer that assist us with the 2 day long recovery process.


0
 
LVL 12

Expert Comment

by:Rant32
ID: 33571543
Yes, it can work for you if the Link order is set correctly and if you have no downlevel clients.

From http://technet.microsoft.com/en-us/library/cc772803%28WS.10%29.aspx:

You can make changes to Group Policy by modifying the default GPO or by creating a new GPO. The recommendation for making changes to domain security policy is to always modify the default GPO. The primary reason for this recommendation is that APIs that were developed for earlier versions of the operating system update policy settings in the Default Domain Policy GPO. For this reason, make all changes to domain security policy settings by editing this GPO.

Note that it says 'primary reason'. That suggests that there are others involved, I don't know which.
I'm trying to educate on the factors involved, not prove your methods wrong. However, the statement to never touch the Default Domain policy is just not true as generic advice.
0
 
LVL 2

Expert Comment

by:merkage
ID: 33571564
Thank you for that explanation, I won't argue with that coming directly from Microsoft. I did want to offer my experience up though :)

0
 
LVL 12

Expert Comment

by:Rant32
ID: 33571628
Yes, I saw that. Welcome to EE :)
0
 
LVL 7

Author Comment

by:rpliner
ID: 33571912
rant32 -the alert has gone away. I will still investigate the DCGPOfix tool though. Thanks for your assistance.

merkage - thanks for sharing your experience.




0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question