[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 874
  • Last Modified:

SBS2011 Recreate Default Domain GPO

Hi,

I recently migrated a SBS2003 to SBS 2011 standard.

I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist.  It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.

Any help would be greatly appreciated.

Thanks,
Col

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          03/01/2014 09:40:18
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [server].[domain].com.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-03T09:40:18.489594100Z" />
    <EventRecordID>67009</EventRecordID>
    <Correlation ActivityID="{C25A1011-5A50-4353-B547-9A15C04C5B2F}" />
    <Execution ProcessID="944" ThreadID="8108" />
    <Channel>System</Channel>
    <Computer>[server]1.[domain].com.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">562</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">[server].[domain].com.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=[domain],DC=COM,DC=LOCAL</Data>
    <Data Name="FilePath">\\[domain].local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
0
VitalNetworkSolutions
Asked:
VitalNetworkSolutions
  • 9
  • 8
1 Solution
 
Netman66Commented:
0
 
Netman66Commented:
If there is more than 1 DC then find and fix the replication issue before trying the above.
0
 
VitalNetworkSolutionsAuthor Commented:
The SBS2011 is the only DC. Is the dcgpofix safe to use? will it affect the exchange element of the sbs server?
0
Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

 
VitalNetworkSolutionsAuthor Commented:
Which policies will this change? Is it only the default domain policy?
0
 
VitalNetworkSolutionsAuthor Commented:
sorry, I didn't read it correctly. I now realise the flags determine what is changed.
0
 
VitalNetworkSolutionsAuthor Commented:
I have been researching dcgpofix and have read it will affect Exchange 2010. Is this correct?And what can I do after the running dcgpofix to ensure exchange is ok? I have read the domainprep will need to be ran again. Can anyone help me put my mind at rest before I attempt the dcgpofix.

Also is there any other gotchas I need to be aware of?
0
 
Netman66Commented:
You only need to run domainprep from the Exchange media to fix it.

It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
0
 
Netman66Commented:
Make you restart the Exchange services or the server entirely after the fix.
0
 
Netman66Commented:
Should be make SURE ... damn phone!  LOL
0
 
VitalNetworkSolutionsAuthor Commented:
Hi Netman66,
Sorry about this, I think I being very thick and very paranoid.

This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?

Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.

Thank you so much for your help.

Kind regards,
Col
0
 
Netman66Commented:
I'm not sure I would be doing this remotely, but that's me.

There should be an installation folder on the SBS Dvd called "CMPNENTS\EXCHANGE14_SP1".   Running setup /domainprep will likely do what you want.

I would (personally) just add the Enterprise Exchange Servers group to the user rights for Manage Auditing and Security logs on the Default Domain Controller policy manually then test out Exchange rather than running domainprep as domainprep does other things in AD that are already completed and won't change with DCGPOFIX.  I'm somewhat cautious though.

Make sure you only target the Domain Policy using the /target:Domain switch.

You may want to read the following before you do this:


http://support.microsoft.com/kb/833783
0
 
Netman66Commented:
You may be okay as you shouldn't need to touch the Default Domain Controllers policy.

Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
0
 
VitalNetworkSolutionsAuthor Commented:
Hi Netman66,

Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.

So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.

The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?

Thanks and kind regards,
Col
0
 
Netman66Commented:
It should, yes.
0
 
VitalNetworkSolutionsAuthor Commented:
Hi Netman66,

I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.

However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.

I now backup the policies using gpmc.msc just in case.

Thanks you are all your help.

Kind regards,
Col
0
 
VitalNetworkSolutionsAuthor Commented:
Sorry should have mentioned. I added the Enterprise Exchange Servers group to the user rights on the Default Domain Controller policy manually.
0
 
Netman66Commented:
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 9
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now