Solved

What is the best way to recreate the Default Domain Policy on a production system?

Posted on 2014-11-11
Last Modified: 2014-11-13
I have corruption on my default domain policy and I need to recreate it. What is the best way to remake this policy while causing little or no downtime on the domain?

Below is a screenshot of what the policy looks like.

Corrupt Group Policy
Question by:JerryPotter
 
LVL 53

Expert Comment

by:McKnife
ID: 40436237
Say, you don't do backups of your DCs? The GPOs are just files and files can be restored from backups.
If you prefer an empty, default def.dom.pol, read https://support.microsoft.com/kb/556025?wa=wsignin1.0 for options.
0
 

Author Comment

by:JerryPotter
ID: 40436251
Thanks for the quick response, we have backups, but the problem is I am not sure when the GPO became corrupt. I also found those options before. Does anyone know which option is the easiest? Does Dcgpofix.exe work well?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40436271
"I am not sure when the GPO became corrupt" - I'd restore it from backup, it's just a folder. Do you have file level backups of your DC?
0

 

Author Comment

by:JerryPotter
ID: 40436303
I do have file level backups; unfortunately, I believe that this became corrupt before I started working here and that was almost 3 years ago. I know we have changed how our backup works and, I believe, got rid of the old things. I think I am stuck with remaking it. I do have a printed copy of the GPO with the settings that were in it.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 40436315
The default domain policy has been corrupt for 3 years? How would you know that?
Well, use dcgpofix and recreate your settings. http://technet.microsoft.com/en-us/library/hh875588.aspx explains the syntax; you should restore only the defdompol, not both.
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 40436445
A lot of companies set a PKI policy in their default domain policy. I would investigate first if you are patched for this:

https://support.microsoft.com/kb/2028605

It would suggest to me that something like this is the cause if the problem has been around for potentially 3 years, because the problem only affects GPO reports and GPMC's settings view. The settings themselves are fine and still apply. Worth investigating before you try restoring or fixing any GPO files for potential corruption.
0
 

Author Comment

by:JerryPotter
ID: 40441469
Thanks for the answers, I found out I did have some corrupt files and also the Certificate Services Client was messed up. After fixing that issue I ran the dcgpofix and reconfigured everything. Everything seems to be working. Thanks for the help.
0
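The sequence discussed in this thread (preserve the current state, reset only the Default Domain Policy with dcgpofix, then re-enter the settings), written out as an added example that is not part of the original posts. The backup location `C:\GPO-Backup` is an assumed path; the GUID is the well-known identifier of the Default Domain Policy.

```powershell
# Added example. Run on a domain controller as a Domain Admin.
Import-Module GroupPolicy

$gpoName   = 'Default Domain Policy'
$gpoGuid   = '{31B2F340-016D-11D2-945F-00C04FB984F9}'  # well-known GUID of this GPO
$domain    = $env:USERDNSDOMAIN
# Assumed backup location; one timestamped folder per run.
$backupDir = Join-Path 'C:\GPO-Backup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Raw copy of the GPO folder from SYSVOL. This works even when GPMC
#    cannot render the policy, so the damaged state is kept for comparison.
$sysvolPath = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid"
Copy-Item -LiteralPath $sysvolPath -Destination (Join-Path $backupDir 'sysvol-copy') -Recurse

# 2. GPMC backup and settings report. Either can fail on a damaged GPO,
#    so a failure is reported but does not stop the run.
try {
    Backup-GPO -Name $gpoName -Path $backupDir -Comment 'Before dcgpofix' -ErrorAction Stop | Out-Null
    Get-GPOReport -Name $gpoName -ReportType Html `
        -Path (Join-Path $backupDir 'before.html') -ErrorAction Stop
} catch {
    Write-Warning "GPMC backup/report failed: $($_.Exception.Message)"
}

# 3. Reset only the Default Domain Policy (not the Default Domain
#    Controllers Policy). dcgpofix asks for confirmation before it acts.
dcgpofix /target:Domain

# 4. The GPO is now back at installation defaults: password, account lockout
#    and Kerberos settings must be re-entered from your record of the old GPO.
#    Capture the reset state, then refresh policy on this DC.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir 'after.html')
gpupdate /force
```

Until the old settings are re-entered, the domain runs with the default password and lockout policy, so keep the printed or exported settings at hand before running step 3.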
