Solved

Deleted Default Domain Policy on W2003K

Posted on 2010-09-10
Last Modified: 2012-05-10
I deleted the Default Domain policy. I am in a single domain environment also running Exchange Server 2007. I have seen a few options as to how to proceed. What are the recommendations?
Question by:guitarcolossus
 
LVL 57

Expert Comment

by:Mike Kline
Are you sure it was deleted? The reason I ask is because http://support.microsoft.com/kb/910201

Check for those GUIDs mentioned. Do you need to just relink it?

Thanks

Mike

Author Comment

by:guitarcolossus
Yeah, I checked for the GUID and could not find it. I'd be happy to re-check, but I'm pretty sure I deleted instead of just disassociating it.

Author Comment

by:guitarcolossus
Nope. Not there. She's definitely deleted.

LVL 38

Expert Comment

by:Adam Brown
Run DCGPOFIX /target:domain from the command prompt and it should regenerate the Default Domain Policy. More info here: http://technet.microsoft.com/en-us/library/cc772811%28WS.10%29.aspx

Author Comment

by:guitarcolossus
ACBrown: I have seen a few links that talk about using this tool and then having to modify some settings to get Exchange to operate correctly. Is this the case?

LVL 38

Expert Comment

by:Adam Brown
I don't see why that would be the case. Exchange doesn't make any changes to the default domain policy and it doesn't require changes to work.

Author Comment

by:guitarcolossus

LVL 57

Expert Comment

by:Mike Kline
I haven't tested but from what I've seen on different boards is when you run the dcgpofix you may have to run the exchange prep again http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/31224/view/topic/Default.aspx

Michael1 is Michael Smith (an exchange MVP)

Thanks

Mike

LVL 38

Expert Comment

by:Adam Brown
The changes mentioned in some of what you're looking at may be tied to restores of the Default Domain Controller policy. If that one is still around, running the /target:domain switch will make sure the DDC policy is left alone.

Author Comment

by:guitarcolossus
So, would you all collectively agree that DCGPOFIX is a better way to go over restoring System State?

Author Comment

by:guitarcolossus
...sorry: Would you all agree that DCGPOFIX is better than restoring from System State?

LVL 38

Expert Comment

by:Adam Brown
Might also depend on the version of Exchange. I have 2010 on my test network, so...

LVL 38

Expert Comment

by:Adam Brown
Oh goodness yes. DCGPOFIX is both easier and less likely to explode on you.

LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
and you still have the system state as another option

Author Comment

by:guitarcolossus
I REALLY appreciate both of you helping. I am going to get on this right now and get back to this board. I am prepared to accept multiple solutions as I

Author Comment

by:guitarcolossus
...am grateful to you both. Sorry. I'm nervous as Hell right now.

LVL 57

Expert Comment

by:Mike Kline
when we are talking about Exchange and users....everyone gets nervous....normal

LVL 3

Expert Comment

by:Willy Van den Houten

LVL 57

Expert Comment

by:Mike Kline
burflags restore doesn't really help in this situation.

LVL 3

Expert Comment

by:Willy Van den Houten

Author Comment

by:guitarcolossus
All:

DCGPOFIX reports a successful restoration of the GrpPolcy, but the policy is not showing up as restored. Will I have to re-link it?

Author Comment

by:guitarcolossus
Nothing to re-link. Windows still looking for original GUID, which did not populate in Sysvol/Policies

Author Comment

by:guitarcolossus
wvdhoute:...thanks for the utility but it did nothing. DCGPOFIX has done nothing, unless I am missing something...quite possible.

LVL 38

Expert Comment

by:Adam Brown
I ran a couple tests on my test network and found that the correct syntax is dcgpofix /Ignoreschema /Target:Domain (Case sensitive, and ignoreschema has to go before target:domain.) This restored a purposefully deleted default domain policy on my test network...Not sure why it didn't work for you. Do you have anything showing up in your event log that might explain what is not happening?

Author Comment

by:guitarcolossus
acbrown2010:

I ran dcgpofix with those switches you mentioned above. The operation comes back successful without any errors, but no policy is populated in the properties of my domain or through Group Policy Management snap-in.

Event Viewer/Application continues to generate Event ID 1030:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Followed by Event ID 1058
Windows cannot access the file gpt.ini for GPO CN={7C3EABE3-AAA4-4382-B484-1582F68234CA},CN=Policies,CN=System,DC=MTESNJ,DC=local. The file must be present at the location <\\MTESNJ.local\SysVol\MTESNJ.local\Policies\{7C3EABE3-AAA4-4382-B484-1582F68234CA}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.
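
Added example, not part of the original thread: a small Python check that pulls the GPO GUID and the expected gpt.ini path out of an Event ID 1058 message and compares the GUID with the two well-known default-GPO GUIDs, the objects DcGPOFix recreates. The GUID table is supplied for the example and the SYSVOL folder listing is constructed; the event text is the one posted above.

```python
import re

# Well-known GUIDs of the two default GPOs (identical in every AD domain).
# Supplied for this example; they are not quoted in the thread itself.
DEFAULT_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016D-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}

EVENT_1058 = re.compile(
    r"gpt\.ini for GPO CN=\{(?P<guid>[0-9A-Fa-f-]{36})\}"
    r".*?location <(?P<path>[^>]+)>",
    re.S,
)

def parse_event_1058(message):
    """Return (GUID, expected gpt.ini path) from an Event ID 1058 message."""
    m = EVENT_1058.search(message)
    if m is None:
        return None
    return m.group("guid").upper(), m.group("path")

def diagnose(message, sysvol_folders):
    """Classify the GPO the event names; sysvol_folders lists the Policies folder."""
    parsed = parse_event_1058(message)
    if parsed is None:
        raise ValueError("not an Event ID 1058 gpt.ini message")
    guid, path = parsed
    present = {f.strip("{}").upper() for f in sysvol_folders}
    return {
        "guid": guid,
        "gpt_ini": path,
        "name": DEFAULT_GPOS.get(guid, "custom GPO"),
        "is_default_gpo": guid in DEFAULT_GPOS,
        "folder_in_sysvol": guid in present,
    }

# Event text as posted in the thread.
EVENT = (r"Windows cannot access the file gpt.ini for GPO "
         r"CN={7C3EABE3-AAA4-4382-B484-1582F68234CA},CN=Policies,CN=System,"
         r"DC=MTESNJ,DC=local. The file must be present at the location "
         r"<\\MTESNJ.local\SysVol\MTESNJ.local\Policies"
         r"\{7C3EABE3-AAA4-4382-B484-1582F68234CA}\gpt.ini>.")

# Constructed SYSVOL listing: only the two default GPO folders exist.
SYSVOL = ["{31B2F340-016D-11D2-945F-00C04FB984F9}",
          "{6AC1786C-016D-11D2-945F-00C04FB984F9}"]

print(diagnose(EVENT, SYSVOL))
```

A result with `is_default_gpo` false and `folder_in_sysvol` false points at a GPO whose directory object or link still exists while its SYSVOL folder is gone, which is outside what a default-GPO restore touches.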

Author Comment

by:guitarcolossus
Here is my DCGPOFIX output

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\tyoung>dcgpofix /ignoreschema /target:both

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5.1

Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain policy  and Default domain Controller policy for the following domain
MTESNJ.local
Do you want to continue: <Y/N>? y
WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
The Default Domain Policy was restored successfully
Note: Only the contents of the Default Domain Policy was restored. Group Policy links to this Group Policy Object were not altered.
By default, The Default Domain Policy is linked to the Domain.

The Default Domain Controller Policy was restored successfully
Note: Only the contents of the Default Domain Controller Policy was restored. Group Policy links to this Group Policy Object were not altered.
By default, The Default Domain Controller Policy is linked to the Domain Controllers OU.


C:\Documents and Settings\tyoung>

Author Closing Comment

by:guitarcolossus
I would have preferred to use DCGPOFIX, but it went nowhere. In any case, thanks for chiming in.

LVL 57

Expert Comment

by:Mike Kline
Thanks a lot, just a heads up, you can also split points (ac helped a lot too)

Thanks

Mike

Author Comment

by:guitarcolossus
Mike:

Just (I think) awarded some points to AC, too. Definitely grateful for the support you guys provided.
Today I restored Active Directory from a backup. It was messy for too many reasons to enumerate, but all of the loose ends are cleaned up and I have an AD that's not generating any errors.

This board and its members continue to be a valued resource...

Thane (that's me!)