GPO - Should the Domain Controllers OU be set to block inheritance of other GPOs?
My Exchange 2010 servers suddenly lost connectivity to the Domain Controllers and when checking things out, I found the Domain Controller policy somehow dropped the "Domain\Exchange Servers" from an Audit/Manage permission. Tracking that down, I looked at GPOs and discovered that my Domain Controllers were inheriting all sorts of policies.
So, is it best practice for the OU for the Domain Controllers to block GPO inheritance (and use only the "Default Domain Controller policy")?
Is it best practice to set the "Default Domain policy" to enforced?
Environment: 2012 R2 DCs, Exchange 2010 (and legacy 2003), Functional level at 2008