Solved

What is the best way to recreate the Default Domain Policy on a production system?

Posted on 2014-11-11
Last Modified: 2014-11-13
I have corruption on my default domain policy and I need to recreate it. What is the best way to remake this policy while causing little or no downtime on the domain?

Below is a screenshot of what the policy looks like.

Corrupt Group Policy
Question by:JerryPotter
7 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40436237
Say, you don't do backups of your DCs? The GPOs are just files and files can be restored from backups.
If you prefer an empty, default def.dom.pol, read https://support.microsoft.com/kb/556025?wa=wsignin1.0 for options.
0
 

Author Comment

by:JerryPotter
ID: 40436251
Thanks for the quick response, we have backups, but the problem is I am not sure when the GPO became corrupt. I also found those options before. Does anyone know which option is the easiest? Does Dcgpofix.exe work well?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40436271
"I am not sure when the GPO became corrupt" - I'd restore it from backup, it's just a folder. Do you have file level backups of your DC?
0

 

Author Comment

by:JerryPotter
ID: 40436303
I do have file level backups, unfortunately I believe that this became corrupt before I started working here and that was almost 3 years ago. I know we have changed how our backup works and I believe, got rid of the old things. I think I am stuck with remaking it. I do have a printed copy of the GPO with the settings that were in it.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 40436315
The default domain policy has been corrupt for 3 years? How would you know that?
Well, use dcgpofix and recreate your settings. http://technet.microsoft.com/en-us/library/hh875588.aspx explains the syntax, you should restore only the defdompol, not both.
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 40436445
A lot of companies set a PKI policy in their default domain policy. I would investigate first if you are patched for this:

https://support.microsoft.com/kb/2028605

It would suggest to me that something like this is the cause if the problem has been around for potentially 3 years because the problem only affects GPO reports and GPMC's settings view. The settings themselves are fine and still apply. Worth investigating before you try restoring or fixing any GPO files for potential corruption.
0
 

Author Comment

by:JerryPotter
ID: 40441469
Thanks for the answers, I found out I did have some corrupt files and also the Certificate Services Client was messed up. After fixing that issue I ran the dcgpofix and reconfigured everything. Everything seems to be working. Thanks for the help.
0
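
The sequence this thread settles on (keep a copy of the existing policy, then run dcgpofix against the domain policy only), as an added example that is not code from any poster. The save directory `C:\GPO-Rescue` is an assumed path, and the GUID is the well-known Default Domain Policy GUID; run it elevated on a domain controller as a Domain Admin.

```powershell
# Added example: preserve the current Default Domain Policy, then reset it.
# Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

# Well-known GUID of the Default Domain Policy (the same in every domain).
$ddpGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'
$domain  = $env:USERDNSDOMAIN
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$saveDir = "C:\GPO-Rescue\$stamp"          # assumed location, change as needed
New-Item -ItemType Directory -Path $saveDir | Out-Null

# 1. Raw copy of the policy folder from SYSVOL. This succeeds even when the
#    GPO is too damaged for the GPMC cmdlets to read it.
$sysvolGpo = "\\$domain\SYSVOL\$domain\Policies\{$ddpGuid}"
Copy-Item -LiteralPath $sysvolGpo -Destination "$saveDir\sysvol-copy" -Recurse

# 2. GPMC-level backup and HTML report. Either may fail on a corrupt GPO,
#    so a failure is logged and the script carries on with the raw copy.
try {
    Backup-GPO -Guid $ddpGuid -Path $saveDir -Comment "Before dcgpofix $stamp" | Out-Null
    Get-GPOReport -Guid $ddpGuid -ReportType Html -Path "$saveDir\ddp-before.html"
} catch {
    Write-Warning "GPMC backup/report failed: $($_.Exception.Message)"
}

# 3. Reset only the Default Domain Policy. /target:Domain leaves the Default
#    Domain Controllers Policy untouched. dcgpofix prompts for confirmation.
& dcgpofix.exe /target:Domain

# 4. Confirm the rebuilt GPO is readable again and keep a report to compare
#    against the saved settings while re-entering them.
Get-GPOReport -Guid $ddpGuid -ReportType Html -Path "$saveDir\ddp-after.html"
Get-GPO -Guid $ddpGuid | Select-Object DisplayName, GpoStatus, ModificationTime
```

After the reset, password, lockout and Kerberos settings are back at their defaults until they are re-entered, so compare `ddp-after.html` with the saved record before closing the change.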
