default domain policy failed warning

Posted on 2010-08-31
Last Modified: 2012-06-27
Our outsourced monitoring service sent us an alert stating that it has "discovered problems with the Default Domain Policy. This policy contains Password Policy, Account Lockout Policy and Kerberos Policy settings. Users will not get home folders and logon scripts will not work properly. And they may face permissions issues while accessing domain resources."

Earlier today we changed the password policy through GPO on our PDC to enforce changes every 60 days, with 7 days between changes, and 4 passwords remembered. 30 minutes later, we received this alert. I see nothing in the event viewer on that PDC. Some users have already been prompted to change their password. Some have not. No one has reported not being able to log on or access shares. I am able to get to and open the netlogon and sysvol shares from my desktop. Ran `set logonserver` and it showed the PDC in question. What else should I check to ensure the GPO is OK?

Any ideas as to the meaning of this, and more specifically whether I need to worry about it, are greatly appreciated.
Question by: rpliner
13 Comments
 
LVL 2

Expert Comment

by:merkage
ID: 33570950
Very common problem you have here. The Default Domain Policy should NEVER be touched. NOTHING should be configured in this policy. It is the top-level policy that defines your organization, and if it becomes corrupt you can lose your entire AD database, so I suggest removing all configured policies and then making a new one with the settings you have applied in the default.

I can tell you from past experience that it is an absolute nightmare when a DDGPO gets corrupt.

 
LVL 7

Author Comment

by:rpliner
ID: 33571075
merkage - I printed out an html report from group policy just so I had it in case anything went awry. The company that managed the network before I was brought on has a lot of things configured in the default policy. I need to figure out how to back it up and then create a new one without disrupting business or worse. Is there any way to "roll it back" so-to-speak? Thanks.


 
LVL 12

Accepted Solution

by: Rant32 (earned 1600 total points)
ID: 33571119
merkage: that is not correct. Password policies should always be defined in the Default Domain Policy.

Source: http://support.microsoft.com/kb/269236
Source: http://technet.microsoft.com/en-us/library/dd378987%28WS.10%29.aspx

For all other computer and user settings, yes, you should create a new policy.

rpliner, I can't tell from here if this warning/error is going to give more problems.

If you want to be sure, I'd first inventory the settings in the Default Domain Policy. Any settings other than Security settings (Administrative Templates and such) must be transferred to a new GPO. If there are only security settings, then:
1) record the settings in the Default Domain Policy and Default Domain Controllers Policy
2) restore the Default Domain Policy with the help of DcGpoFix:
   http://www.windowsitpro.com/article/tips/jsi-tip-6493-window-server-2003-default-group-policy-restore-utility-v5-1-.aspx
3) re-create the security settings in the Default Domain Policy.
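The inventory-and-backup steps from the accepted answer, and the "what else should I check" part of the question, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules (RSAT or a domain controller), Domain Admin rights, and a backup folder under C:\GPOBackup; the folder path, the 60/7/4 values and the step comments are assumptions taken from this thread, not anything Microsoft or the monitoring vendor ships.

```powershell
# Added example, not from the thread: back up and inventory the Default Domain
# Policy before touching it, confirm the effective domain password policy, and
# show the dcgpofix step left commented out. Paths are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$backupRoot = 'C:\GPOBackup\{0}' -f (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed path
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Step 1: record the current settings. Backup-GPO captures the GPO so it can be
# re-imported with Import-GPO later; Get-GPOReport gives a human-readable copy.
foreach ($gpoName in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Backup-GPO -Name $gpoName -Path $backupRoot -Comment 'Before dcgpofix' | Out-Null
    $reportFile = Join-Path $backupRoot ($gpoName -replace ' ', '_')
    Get-GPOReport -Name $gpoName -ReportType Html -Path "$reportFile.html"
    Get-GPOReport -Name $gpoName -ReportType Xml  -Path "$reportFile.xml"
}

# Step 2: find out whether anything other than Security Settings lives in the
# Default Domain Policy. The XML report lists one ExtensionData block per
# client-side extension; anything besides 'Security' (Registry = Administrative
# Templates, Scripts, Folder Redirection, ...) must move to a new GPO first.
[xml]$ddp = Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml
$extensions  = @($ddp.GPO.Computer.ExtensionData.Name) + @($ddp.GPO.User.ExtensionData.Name)
$nonSecurity = $extensions | Where-Object { $_ -and $_ -ne 'Security' } | Sort-Object -Unique
if ($nonSecurity) {
    Write-Warning ('Default Domain Policy also carries: {0}. Move these to a new GPO before resetting it.' -f ($nonSecurity -join ', '))
}

# Step 3: confirm what the domain actually enforces. The domain head object is
# what the Default Domain Policy writes to, so this is a better check than the
# report alone. The values are the ones from the question (60 days / 7 days / 4).
$effective = Get-ADDefaultDomainPasswordPolicy
$expected  = @{
    MaxPasswordAge       = New-TimeSpan -Days 60
    MinPasswordAge       = New-TimeSpan -Days 7
    PasswordHistoryCount = 4
}
foreach ($k in $expected.Keys) {
    $status = if ($effective.$k -eq $expected[$k]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} {1,-12} expected {2,-12} {3}' -f $k, $effective.$k, $expected[$k], $status
}
# Fine-grained password policies (Server 2008 and later) override the domain
# policy for the groups they target; list them so a mismatch is not a surprise.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo

# Step 4, only after steps 1-3 and outside business hours, on a domain controller:
# reset the Default Domain Policy to its out-of-box state, then re-create the
# security settings from the report. dcgpofix refuses to run if the schema
# version is not the one it expects; /ignoreschema bypasses that check.
# dcgpofix /target:Domain
```

The backup from step 1 is also the "roll back" the author asks about: `Import-GPO -BackupGpoName 'Default Domain Policy' -Path $backupRoot -TargetName 'Default Domain Policy'` puts the captured settings back into the GPO.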
 
LVL 2

Expert Comment

by:merkage
ID: 33571125
Well, a roll back would only be possible if you had a backup system in place. The easiest thing you can do is use the Microsoft GPO editor, take a screenshot or three of the configuration within the policy, then start making your new policies but keep them disabled for now. When you are ready to go live, you'll want to go into your default policy, change everything back to Not Configured, and then enable the new policies you created. In general, you'll want to have a 'security' policy that defines Password Policy, Account Lockout Policy and Kerberos Policy settings. You'll then want to create other policies for any other configurations made within your existing Default Domain Policy.
 
LVL 7

Author Comment

by:rpliner
ID: 33571168
rant32 - I will check that tool out. Can't hurt to run it. Worst case is I still get a warning. Thanks.
 
LVL 12

Expert Comment

by:Rant32
ID: 33571254
Do you have an Event ID, source and error codes of the relevant messages in your Event Viewer?
 
LVL 7

Author Comment

by:rpliner
ID: 33571269
rant32 - nothing shows up in the event viewer.
 
LVL 12

Expert Comment

by:Rant32
ID: 33571369
Then that makes you wonder what generated the ticket. Does that monitoring service check for specific options in the password policy, so that it generates a warning if the policy changes?

Modifying the default domain GPO is not wise in case you have to restore it to defaults, and in case someone badly screws up the settings, but changing the password policy is normally not "omg-epic outage" bad like the alert pretends it is.
 
LVL 2

Assisted Solution

by: merkage (earned 400 total points)
ID: 33571404
Rant32 - I still keep all mine separate. I had a default domain GPO become corrupt once, and it was hell getting it back. Microsoft was involved and actually had me configure it in that way to avoid ever having to worry about corruption again (i.e., we would never touch/modify the default again). You always run the risk of corruption when you're modifying, so the less you can do to the policy, the better off you are. This was done by a Microsoft engineer who assisted us with the 2-day-long recovery process.
 
LVL 12

Expert Comment

by:Rant32
ID: 33571543
Yes, it can work for you if the link order is set correctly and if you have no downlevel clients.

From http://technet.microsoft.com/en-us/library/cc772803%28WS.10%29.aspx:

> You can make changes to Group Policy by modifying the default GPO or by creating a new GPO. The recommendation for making changes to domain security policy is to always modify the default GPO. The primary reason for this recommendation is that APIs that were developed for earlier versions of the operating system update policy settings in the Default Domain Policy GPO. For this reason, make all changes to domain security policy settings by editing this GPO.

Note that it says 'primary reason'. That suggests that there are others involved; I don't know which.
I'm trying to educate on the factors involved, not prove your methods wrong. However, the statement to never touch the Default Domain Policy is just not true as generic advice.
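The separate "security" GPO layout merkage describes, together with the link-order check Rant32 says it depends on, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules, Domain Admin rights, and a GPO name of "Domain Security Policy"; that name and the check function are assumptions for illustration. The account-policy values themselves are still set in the GPMC editor (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies); the script only creates, links and verifies the GPO.

```powershell
# Added example, not from the thread: create a dedicated security GPO, link it
# disabled at the domain root with the highest precedence, and verify the link
# order before cut-over. GPO name and function name are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$secGpo   = 'Domain Security Policy'        # assumed name for the new GPO

# 1) Create the GPO and link it at the domain root, disabled, at link order 1.
#    Link order 1 is applied last, so it wins a conflict with the Default
#    Domain Policy once the link is enabled. Account policies for domain
#    accounts only take effect from GPOs linked at the domain level.
if (-not (Get-GPO -Name $secGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $secGpo -Comment 'Password, lockout and Kerberos policy' | Out-Null
    New-GPLink -Name $secGpo -Target $domainDn -LinkEnabled No -Order 1 | Out-Null
}

# 2) Show every link at the domain root in precedence order.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks
$links | Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# Assumed helper: reports whether the security GPO will actually override the
# account-policy values still defined in the Default Domain Policy.
function Test-DomainSecurityLinkOrder {
    param([string]$GpoName, [object[]]$Links)
    $link = $Links | Where-Object DisplayName -eq $GpoName
    if (-not $link) { return "$GpoName is not linked at the domain root" }
    $ddp = $Links | Where-Object DisplayName -eq 'Default Domain Policy'
    # An Enforced link is applied after non-enforced links at the same level.
    if ($ddp.Enforced -and -not $link.Enforced) {
        return "Default Domain Policy is Enforced; it will override $GpoName"
    }
    if ($link.Order -gt $ddp.Order) {
        return "$GpoName (order $($link.Order)) is below Default Domain Policy (order $($ddp.Order)); move it to order 1"
    }
    if (-not $link.Enabled) { return "$GpoName is linked at order $($link.Order) but disabled (expected before cut-over)" }
    return "OK: $GpoName takes precedence over Default Domain Policy"
}
Test-DomainSecurityLinkOrder -GpoName $secGpo -Links $links

# 3) Cut-over, when ready: enable the link, set the account-policy values in
#    the Default Domain Policy back to Not Defined in the editor, then confirm
#    the domain head still carries the intended values.
# Set-GPLink -Name $secGpo -Target $domainDn -LinkEnabled Yes | Out-Null
# Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount

# 4) Rant32's other caveat: tools built on older APIs write domain security
#    settings into the Default Domain Policy regardless of this layout. A fresh
#    ModificationTime or a rising computer-side version on it is the tell-tale
#    that something is still editing it behind your back.
Get-GPO -Name 'Default Domain Policy' |
    Select-Object DisplayName, ModificationTime, @{ n = 'ComputerDSVersion'; e = { $_.Computer.DSVersion } }
```

Run the step 2 listing again after enabling the link; if the security GPO is not at order 1, `Set-GPLink -Name $secGpo -Target $domainDn -Order 1` moves it there.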
 
LVL 2

Expert Comment

by:merkage
ID: 33571564
Thank you for that explanation; I won't argue with that coming directly from Microsoft. I did want to offer my experience up though :)
 
LVL 12

Expert Comment

by:Rant32
ID: 33571628
Yes, I saw that. Welcome to EE :)
 
LVL 7

Author Comment

by:rpliner
ID: 33571912
rant32 - the alert has gone away. I will still investigate the DCGPOfix tool though. Thanks for your assistance.

merkage - thanks for sharing your experience.
