Solved

SBS2011 Recreate Default Domain GPO

Posted on 2014-01-03
17
724 Views
Last Modified: 2014-01-21
Hi,

I recently migrated a SBS2003 to SBS 2011 standard.

I have now noticed there is an error in the system event log. I have put the error at the end of this post. This was not there initially and I can only presume this has happened after an update. The folder it is looking for does not exist.  It looks like I need to recreate the default domain GPO. I have found this from Microsoft but not sure if this is the correct thing to do and also I'm not sure about step 7.

Any help would be greatly appreciated.

Thanks,
Col

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          03/01/2014 09:40:18
Event ID:      1058
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [server].[domain].com.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\[domain].com.local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-03T09:40:18.489594100Z" />
    <EventRecordID>67009</EventRecordID>
    <Correlation ActivityID="{C25A1011-5A50-4353-B547-9A15C04C5B2F}" />
    <Execution ProcessID="944" ThreadID="8108" />
    <Channel>System</Channel>
    <Computer>[server]1.[domain].com.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">816</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">562</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">[server].[domain].com.local</Data>
    <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=[domain],DC=COM,DC=LOCAL</Data>
    <Data Name="FilePath">\\[domain].local\sysvol\[domain].com.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
0
Comment
Question by:VitalNetworkSolutions
  • 9
  • 8
17 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 39753494
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39753496
If there is more than 1 DC then find and fix the replication issue before trying the above.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753500
The SBS2011 is the only DC. Is the dcgpofix safe to use? will it affect the exchange element of the sbs server?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753539
Which policies will this change? Is it only the default domain policy?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39753541
sorry, I didn't read it correctly. I now realise the flags determine what is changed.
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39783926
I have been researching dcgpofix and have read it will affect Exchange 2010. Is this correct?And what can I do after the running dcgpofix to ensure exchange is ok? I have read the domainprep will need to be ran again. Can anyone help me put my mind at rest before I attempt the dcgpofix.

Also is there any other gotchas I need to be aware of?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783969
You only need to run domainprep from the Exchange media to fix it.

It adds the Domain\Enterprise Exchange Servers group to the Default Domain Controllers policy to allow the user right to manage auditing and security logs.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39783993
Make you restart the Exchange services or the server entirely after the fix.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 51

Expert Comment

by:Netman66
ID: 39783998
Should be make SURE ... damn phone!  LOL
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784028
Hi Netman66,
Sorry about this, I think I being very thick and very paranoid.

This is SBS 2011 standard, so I don't have exchange 2010 media, only sbs2011.
I don't have the sbs0211media in front of me at the moment as I'm working on the server remotely. Is the domainprep on the sbs media?

Also, can you give me a step procedure how to run domainprep? sorry about but I have just 'googled' how to run domainprep in sbs2011 and didn't find anything relevant.

Thank you so much for your help.

Kind regards,
Col
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 39784365
I'm not sure I would be doing this remotely, but that's me.

There should be an installation folder on the SBS Dvd called "CMPNENTS\EXCHANGE14_SP1".   Running setup /domainprep will likely do what you want.

I would (personally) just add the Enterprise Exchange Servers group to the user rights for Manage Auditing and Security logs on the Default Domain Controller policy manually then test out Exchange rather than running domainprep as domainprep does other things in AD that are already completed and won't change with DCGPOFIX.  I'm somewhat cautious though.

Make sure you only target the Domain Policy using the /target:Domain switch.

You may want to read the following before you do this:


http://support.microsoft.com/kb/833783
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784370
You may be okay as you shouldn't need to touch the Default Domain Controllers policy.

Did you have any backup of the original Sysvol that you may be able to restore to a different location and retrieve the missing folders?
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39784694
Hi Netman66,

Unfortunately not. by the time this was noticed the backups with the original sysvol had been overwritten.
I don't really have any other option but to try the dcgpofix.

So I should only run it as 'DCGPOFix /ignoreschema /target:domain' ? Then hopefully Exchange will operate normally.

The only security policy that has been changed is the password policy. So it should restore security policiies to near the original state. Is this correct?

Thanks and kind regards,
Col
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39784989
It should, yes.
0
 

Author Closing Comment

by:VitalNetworkSolutions
ID: 39796884
Hi Netman66,

I ended up running the target as 'Both' as both policiies were missing. Then followed your instructions and everything worked fine. The servers performance has improved.

However I have now noticed all the Small Business Server policies are missing also. I will investigate how to re-create these and if I get stuck or paranoid again I will post in a different question.

I now backup the policies using gpmc.msc just in case.

Thanks you are all your help.

Kind regards,
Col
0
 

Author Comment

by:VitalNetworkSolutions
ID: 39796902
Sorry should have mentioned. I added the Enterprise Exchange Servers group to the user rights on the Default Domain Controller policy manually.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39796945
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now