What is the best way to recreate the Default Domain Policy on an a production system.

I have corruption on my default domain policy and  I need to recreate it. What is the best way to remake this policy without causing little or no down time on the domain?

Below is a screenshot of what the policy looks like.

Corrupt Group Policy
JerryPotterAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

McKnifeCommented:
Say, you don't do backups of your DCs? The GPOs are just files and files can be restored from backups.
If you prefer an empty, default def.dom.pol, read https://support.microsoft.com/kb/556025?wa=wsignin1.0 for options.
0
JerryPotterAuthor Commented:
Thanks for the quick response, we have backups, but the problem is I am not sure when the GPO became corrupt. I also found those options before. Does anyone know which option is the easiest? Does Dcgpofix.exe work well?
0
McKnifeCommented:
"I am not sure when the GPO became corrupt" - I'd restore it from backup, it's just a folder. Do you have file level backups of your DC?
0
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

JerryPotterAuthor Commented:
I do have file level backups, unfortunately I believe that this became corrupt before I started working here and that was almost 3 years ago. I know we have changed how our backup works and I believe, got rid of the old things. I think I am stuck with remaking it. I do have a printed copy of the GPO with the settings that were in it.
0
McKnifeCommented:
Since 3 years the default domain policy is corrupt? How would you know that?
Well, use dcgpofix and recreate your settings. http://technet.microsoft.com/en-us/library/hh875588.aspx explains the syntax, you should restore only the defdompol, not both.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LearnctxEngineerCommented:
A lot of companies set a PKI policy in their default domain policy. I would investigate first if you are patched for this:

https://support.microsoft.com/kb/2028605

It would suggest to me that something like this is the cause if the problem has been around for potentially 3 years because the problem only affects GPO reports and GPMC's settings view. The settings themselves are fine and still apply. With investigating before you try restoring or fixing any GPO files for potential corruption.
0
JerryPotterAuthor Commented:
Thanks for the answers, I found out I did have some corrupt files and also the Certificate Services Client was messed up. After fixing that issue I ran the dcgpofix and reconfigured everything. Everything seems to be working. Thanks for the help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.