Solved

SBS2011 Recreate Default Domain GPO

Posted on 2014-01-03
17
743 Views
Last Modified: 2014-01-21
Hi,

I recently migrated a SBS2003 to SBS 2011 standard.

I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist.  It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.

Any help would be greatly appreciated.

Thanks,
Col

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          03/01/2014 09:40:18
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [server].[domain].com.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-03T09:40:18.489594100Z" />
    <EventRecordID>67009</EventRecordID>
    <Correlation ActivityID="{C25A1011-5A50-4353-B547-9A15C04C5B2F}" />
    <Execution ProcessID="944" ThreadID="8108" />
    <Channel>System</Channel>
    <Computer>[server]1.[domain].com.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">562</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">[server].[domain].com.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=[domain],DC=COM,DC=LOCAL</Data>
    <Data Name="FilePath">\\[domain].local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
0
Comment
Question by:VitalNetworkSolutions
  • 9
  • 8
17 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 39753494
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39753496
If there is more than 1 DC then find and fix the replication issue before trying the above.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753500
The SBS2011 is the only DC. Is the dcgpofix safe to use? will it affect the exchange element of the sbs server?
0
Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

 

Author Comment

by:VitalNetworkSolutions
ID: 39753539
Which policies will this change? Is it only the default domain policy?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753541
sorry, I didn't read it correctly. I now realise the flags determine what is changed.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39783926
I have been researching dcgpofix and have read it will affect Exchange 2010. Is this correct?And what can I do after the running dcgpofix to ensure exchange is ok? I have read the domainprep will need to be ran again. Can anyone help me put my mind at rest before I attempt the dcgpofix.

Also is there any other gotchas I need to be aware of?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783969
You only need to run domainprep from the Exchange media to fix it.

It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783993
Make you restart the Exchange services or the server entirely after the fix.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783998
Should be make SURE ... damn phone!  LOL
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784028
Hi Netman66,
Sorry about this, I think I being very thick and very paranoid.

This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?

Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.

Thank you so much for your help.

Kind regards,
Col
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 39784365
I'm not sure I would be doing this remotely, but that's me.

There should be an installation folder on the SBS Dvd called "CMPNENTS\EXCHANGE14_SP1".   Running setup /domainprep will likely do what you want.

I would (personally) just add the Enterprise Exchange Servers group to the user rights for Manage Auditing and Security logs on the Default Domain Controller policy manually then test out Exchange rather than running domainprep as domainprep does other things in AD that are already completed and won't change with DCGPOFIX.  I'm somewhat cautious though.

Make sure you only target the Domain Policy using the /target:Domain switch.

You may want to read the following before you do this:


http://support.microsoft.com/kb/833783
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784370
You may be okay as you shouldn't need to touch the Default Domain Controllers policy.

Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784694
Hi Netman66,

Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.

So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.

The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?

Thanks and kind regards,
Col
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784989
It should, yes.
0
 

Author Closing Comment

by:VitalNetworkSolutions
ID: 39796884
Hi Netman66,

I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.

However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.

I now backup the policies using gpmc.msc just in case.

Thanks you are all your help.

Kind regards,
Col
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39796902
Sorry should have mentioned. I added the Enterprise Exchange Servers group to the user rights on the Default Domain Controller policy manually.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39796945
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

774 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question