?
Solved

What is the best way to recreate the Default Domain Policy on an a production system.

Posted on 2014-11-11
7
Medium Priority
?
164 Views
Last Modified: 2014-11-13
I have corruption on my default domain policy and  I need to recreate it. What is the best way to remake this policy without causing little or no down time on the domain?

Below is a screenshot of what the policy looks like.

Corrupt Group Policy
0
Comment
Question by:JerryPotter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 40436237
Say, you don't do backups of your DCs? The GPOs are just files and files can be restored from backups.
If you prefer an empty, default def.dom.pol, read https://support.microsoft.com/kb/556025?wa=wsignin1.0 for options.
0
 

Author Comment

by:JerryPotter
ID: 40436251
Thanks for the quick response, we have backups, but the problem is I am not sure when the GPO became corrupt. I also found those options before. Does anyone know which option is the easiest? Does Dcgpofix.exe work well?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40436271
"I am not sure when the GPO became corrupt" - I'd restore it from backup, it's just a folder. Do you have file level backups of your DC?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:JerryPotter
ID: 40436303
I do have file level backups, unfortunately I believe that this became corrupt before I started working here and that was almost 3 years ago. I know we have changed how our backup works and I believe, got rid of the old things. I think I am stuck with remaking it. I do have a printed copy of the GPO with the settings that were in it.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1000 total points
ID: 40436315
Since 3 years the default domain policy is corrupt? How would you know that?
Well, use dcgpofix and recreate your settings. http://technet.microsoft.com/en-us/library/hh875588.aspx explains the syntax, you should restore only the defdompol, not both.
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 1000 total points
ID: 40436445
A lot of companies set a PKI policy in their default domain policy. I would investigate first if you are patched for this:

https://support.microsoft.com/kb/2028605

It would suggest to me that something like this is the cause if the problem has been around for potentially 3 years because the problem only affects GPO reports and GPMC's settings view. The settings themselves are fine and still apply. With investigating before you try restoring or fixing any GPO files for potential corruption.
0
 

Author Comment

by:JerryPotter
ID: 40441469
Thanks for the answers, I found out I did have some corrupt files and also the Certificate Services Client was messed up. After fixing that issue I ran the dcgpofix and reconfigured everything. Everything seems to be working. Thanks for the help.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question