Solved

SBS2011 Recreate Default Domain GPO

Posted on 2014-01-03
17
782 Views
Last Modified: 2014-01-21
Hi,

I recently migrated a SBS2003 to SBS 2011 standard.

I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist.  It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.

Any help would be greatly appreciated.

Thanks,
Col

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          03/01/2014 09:40:18
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [server].[domain].com.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-03T09:40:18.489594100Z" />
    <EventRecordID>67009</EventRecordID>
    <Correlation ActivityID="{C25A1011-5A50-4353-B547-9A15C04C5B2F}" />
    <Execution ProcessID="944" ThreadID="8108" />
    <Channel>System</Channel>
    <Computer>[server]1.[domain].com.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">562</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">[server].[domain].com.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=[domain],DC=COM,DC=LOCAL</Data>
    <Data Name="FilePath">\\[domain].local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
0
Comment
Question by:VitalNetworkSolutions
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 8
17 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 39753494
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39753496
If there is more than 1 DC then find and fix the replication issue before trying the above.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753500
The SBS2011 is the only DC. Is the dcgpofix safe to use? will it affect the exchange element of the sbs server?
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 

Author Comment

by:VitalNetworkSolutions
ID: 39753539
Which policies will this change? Is it only the default domain policy?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753541
sorry, I didn't read it correctly. I now realise the flags determine what is changed.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39783926
I have been researching dcgpofix and have read it will affect Exchange 2010. Is this correct?And what can I do after the running dcgpofix to ensure exchange is ok? I have read the domainprep will need to be ran again. Can anyone help me put my mind at rest before I attempt the dcgpofix.

Also is there any other gotchas I need to be aware of?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783969
You only need to run domainprep from the Exchange media to fix it.

It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783993
Make you restart the Exchange services or the server entirely after the fix.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783998
Should be make SURE ... damn phone!  LOL
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784028
Hi Netman66,
Sorry about this, I think I being very thick and very paranoid.

This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?

Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.

Thank you so much for your help.

Kind regards,
Col
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 39784365
I'm not sure I would be doing this remotely, but that's me.

There should be an installation folder on the SBS Dvd called "CMPNENTS\EXCHANGE14_SP1".   Running setup /domainprep will likely do what you want.

I would (personally) just add the Enterprise Exchange Servers group to the user rights for Manage Auditing and Security logs on the Default Domain Controller policy manually then test out Exchange rather than running domainprep as domainprep does other things in AD that are already completed and won't change with DCGPOFIX.  I'm somewhat cautious though.

Make sure you only target the Domain Policy using the /target:Domain switch.

You may want to read the following before you do this:


http://support.microsoft.com/kb/833783
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784370
You may be okay as you shouldn't need to touch the Default Domain Controllers policy.

Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784694
Hi Netman66,

Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.

So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.

The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?

Thanks and kind regards,
Col
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784989
It should, yes.
0
 

Author Closing Comment

by:VitalNetworkSolutions
ID: 39796884
Hi Netman66,

I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.

However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.

I now backup the policies using gpmc.msc just in case.

Thanks you are all your help.

Kind regards,
Col
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39796902
Sorry should have mentioned. I added the Enterprise Exchange Servers group to the user rights on the Default Domain Controller policy manually.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39796945
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question