SBS2011 Recreate Default Domain GPO
Hi,
I recently migrated a SBS2003 to SBS 2011 standard.
I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist. It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.
Any help would be greatly appreciated.
Thanks,
Col
Log Name: System
Source: Microsoft-Windows-GroupPol
Date: 03/01/2014 09:40:18
Event ID: 1058
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: [server].[domain].com.loca
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvo
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Gr
<EventID>1058</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2014-01-03T09:
<EventRecordID>67009</Even
<Correlation ActivityID="{C25A1011-5A50
<Execution ProcessID="944" ThreadID="8108" />
<Channel>System</Channel>
<Computer>[server]1.[domai
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">4</Dat
<Data Name="SupportInfo2">816</D
<Data Name="ProcessingMode">0</D
<Data Name="ProcessingTimeInMill
<Data Name="ErrorCode">2</Data>
<Data Name="ErrorDescription">Th
<Data Name="DCName">[server].[do
<Data Name="GPOCNName">CN={31B2F
<Data Name="FilePath">\\[domain]
</EventData>
</Event>
I recently migrated a SBS2003 to SBS 2011 standard.
I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist. It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.
Any help would be greatly appreciated.
Thanks,
Col
Log Name: System
Source: Microsoft-Windows-GroupPol
Date: 03/01/2014 09:40:18
Event ID: 1058
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: [server].[domain].com.loca
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvo
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Gr
<EventID>1058</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x80000000000000
<TimeCreated SystemTime="2014-01-03T09:
<EventRecordID>67009</Even
<Correlation ActivityID="{C25A1011-5A50
<Execution ProcessID="944" ThreadID="8108" />
<Channel>System</Channel>
<Computer>[server]1.[domai
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">4</Dat
<Data Name="SupportInfo2">816</D
<Data Name="ProcessingMode">0</D
<Data Name="ProcessingTimeInMill
<Data Name="ErrorCode">2</Data>
<Data Name="ErrorDescription">Th
<Data Name="DCName">[server].[do
<Data Name="GPOCNName">CN={31B2F
<Data Name="FilePath">\\[domain]
</EventData>
</Event>
If there is more than 1 DC then find and fix the replication issue before trying the above.
The SBS2011 is the only DC. Is the dcgpofix safe to use? will it affect the exchange element of the sbs server?
Which policies will this change? Is it only the default domain policy?
sorry, I didn't read it correctly. I now realise the flags determine what is changed.
I have been researching dcgpofix and have read it will affect Exchange 2010. Is this correct?And what can I do after the running dcgpofix to ensure exchange is ok? I have read the domainprep will need to be ran again. Can anyone help me put my mind at rest before I attempt the dcgpofix.
Also is there any other gotchas I need to be aware of?
Also is there any other gotchas I need to be aware of?
You only need to run domainprep from the Exchange media to fix it.
It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
Make you restart the Exchange services or the server entirely after the fix.
Should be make SURE ... damn phone! LOL
Hi Netman66,
Sorry about this, I think I being very thick and very paranoid.
This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?
Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.
Thank you so much for your help.
Kind regards,
Col
Sorry about this, I think I being very thick and very paranoid.
This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?
Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.
Thank you so much for your help.
Kind regards,
Col
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You may be okay as you shouldn't need to touch the Default Domain Controllers policy.
Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
Hi Netman66,
Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.
So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.
The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?
Thanks and kind regards,
Col
Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.
So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.
The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?
Thanks and kind regards,
Col
It should, yes.
Hi Netman66,
I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.
However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.
I now backup the policies using gpmc.msc just in case.
Thanks you are all your help.
Kind regards,
Col
I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.
However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.
I now backup the policies using gpmc.msc just in case.
Thanks you are all your help.
Kind regards,
Col
Sorry should have mentioned. I added the Enterprise Exchange Servers group to the user rights on the Default Domain Controller policy manually.
This should help with those. It is the same for 2011.
http://blogs.technet.com/b/sbs/archive/2009/09/03/how-to-manually-create-the-sbs-2008-and-wsus-group-policies-objects.aspx
http://blogs.technet.com/b/sbs/archive/2009/09/03/how-to-manually-create-the-sbs-2008-and-wsus-group-policies-objects.aspx
Dcgpofix
http://technet.microsoft.com/en-us/library/hh875588.aspx
Note this though:
http://support.microsoft.com/kb/833783