Default Domain Controller policy

Helgi B.

I seem to have a corrupt Default DC Policy. Event IDs 1000 and 1202 are logged
in the Application Logs on the DCs every 5 minutes. I have found KB article
279432 that describes a similar problem but the solution suggested, to make
sure the Default DC policy is linked to the DCs OU, is not applicable (i.e.
this is already linked).

When I open the policy I have nodes for "Public Key Policies" and "IP
Security Policies on Active Directory" but I don't have "Account Policies",
"Local Policies", "Event Log", "Restricted Groups", "System Services",
"Registry" or "File System".

I have a crummy suspicion this may be caused by the DCs having been moved
from the DC OU a few months ago and then quickly moved back due to
unexpected problems. Anyway, I reckon I could probably get away with
deleting the "Default Domain Controllers" policy (or at least removing the
link from the DCs OU) and creating a new policy with the settings needed.
But I don't want to reckon, I want to be sure! I've got 8 E2K servers, the
company's Intranet plus a few other services relying on AD, so I don't want
to take any unnecessary risks.

So, Ladies and Gents, how should I progress?

Thanks,
Helgi
 
Hi Helgi-

We do not recommend that you remove your default policies (default domain
controllers or default domain policies). They have settings that are needed
for your domain to function properly. The most notable is that the Default
Domain Controllers policy contains user rights settings that are necessary
for domain controllers to communicate (and hence replicate) successfully.

I would start by verifying that the GUID for the Default Domain Controllers
Policy matches that of the default:

{6AC1786C-016F-11D2-945F-00C04fB98F9}

This GUID should be found in 2 basic places (actually more but that's not
really relevant at this point):

In the Properties of that policy. To reach it, go to the Domain Controllers
OU Properties in AD Users and Computers, then click on the Group Policy
folder tab. Select the Default Domain Controllers Policy then click the
Properties button; the GUID should be displayed.

The second place on a DC is in this directory:

%systemroot%\SYSVOL\SYSVOL\<domainname>\Policies\{6AC1786C-016F-11D2-945F-00C04fB98F9}

Please repost on what you find.
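The checks in the reply above, as an added example that is not part of the original thread. It is written for a current Windows domain (the Windows 2000 DCs in the thread predate PowerShell), but the two locations it inspects, the GPO object under CN=Policies,CN=System in AD and the policy folder in SYSVOL, are the same today. It uses plain ADSI rather than the GroupPolicy module, and also reads the gPLink on the Domain Controllers OU to confirm the link exists and is enabled. It assumes it runs as a domain admin on a DC or a domain-joined host that can reach the SYSVOL share; the GUID is the well-known one that the thread confirms later.

```powershell
# Added example, not from the original thread. Checks the Default Domain
# Controllers Policy in AD and in SYSVOL and inspects the gPLink on the
# Domain Controllers OU. Assumes a domain admin on a DC or a domain-joined
# host with the SYSVOL share reachable.

$DefaultDcGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known GUID

function Test-DefaultDcPolicy {
    param([string]$Guid = $DefaultDcGuid)

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $domainDn  = [string]$rootDse.defaultNamingContext          # DC=corp,DC=example,DC=com
    $dnsDomain = ($domainDn -replace 'DC=', '') -replace ',', '.' # corp.example.com

    $result = [ordered]@{ Guid = $Guid; Domain = $dnsDomain }

    # 1. The GPO container object: CN=<GUID>,CN=Policies,CN=System,<domain DN>
    $gpoPath = "LDAP://CN=$Guid,CN=Policies,CN=System,$domainDn"
    $result.AdObjectExists = [ADSI]::Exists($gpoPath)
    if ($result.AdObjectExists) {
        $gpo = [ADSI]$gpoPath
        $result.DisplayName = [string]$gpo.displayName
        $result.AdVersion   = [int][string]$gpo.versionNumber
        $result.FileSysPath = [string]$gpo.gPCFileSysPath
    }

    # 2. Is the GPO linked to the Domain Controllers OU, and is the link enabled?
    #    gPLink looks like: [LDAP://CN={guid},CN=Policies,CN=System,DC=...;0]
    #    Link option bit 1 = link disabled, bit 2 = enforced (No Override).
    $dcOu   = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $gpLink = [string]$dcOu.gPLink
    $link   = [regex]::Matches($gpLink, '\[LDAP://(?<dn>[^;]+);(?<opt>\d+)\]') |
              Where-Object { $_.Groups['dn'].Value -match [regex]::Escape($Guid) } |
              Select-Object -First 1
    $result.LinkedToDcOu = [bool]$link
    if ($link) {
        $result.LinkEnabled = -not ([int]$link.Groups['opt'].Value -band 1)
    }

    # 3. The SYSVOL side. GPT.INI carries the version counter; GptTmpl.inf is
    #    where the Security Settings extension stores Account Policies, Local
    #    Policies, Event Log, Restricted Groups, System Services, Registry and
    #    File System, i.e. exactly the nodes the original poster cannot see.
    $sysvolGpo = "\\$dnsDomain\SYSVOL\$dnsDomain\Policies\$Guid"
    $gptIni    = Join-Path $sysvolGpo 'GPT.INI'
    $gptTmpl   = Join-Path $sysvolGpo 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $result.SysvolFolderExists = Test-Path $sysvolGpo
    $result.GptTmplExists      = Test-Path $gptTmpl
    if (Test-Path $gptIni) {
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) { $result.SysvolVersion = [int]$m.Matches[0].Groups[1].Value }
    }

    # AD and SYSVOL version numbers should agree once replication has caught up;
    # a persistent mismatch means the two halves of the GPO are out of step.
    if ($result.Contains('AdVersion') -and $result.Contains('SysvolVersion')) {
        $result.VersionsMatch = ($result.AdVersion -eq $result.SysvolVersion)
    }

    [pscustomobject]$result
}

Test-DefaultDcPolicy | Format-List
```

If AdObjectExists and SysvolFolderExists are both true but GptTmplExists is false, the GPO shell is intact and it is the security template that has gone missing, which is a different repair from re-linking the policy. Run the function on more than one DC; a result that differs between DCs points at SYSVOL (FRS) replication rather than at the policy itself.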
 
Hi Tim,

The GUID on my policy is 6AC1786C-016F-11D2-945F-00C04fB984F9, almost the
same as the one you mentioned, guess you just missed a digit?

Helgi
 
Probably, copy and paste can be tricky at times.

This may be a situation where using a tool called recreatedefpol.exe (for
Windows 2000) can be used to put the default settings in place (replacing
what is currently there for the default policies). You can call in to
Microsoft PSS (contact info is at http://support.microsoft.com) for a copy
of this tool. It's a good idea to talk to someone before using it if
possible.

You should not be charged for the incident if all you need is that tool. If
you have any difficulty just let me know or repost to the newsgroup.

Incidentally, Windows Server 2003 comes with a similar tool called
DCGPOFIX.EXE. It is present on a default install of 2003, but it will not
work with 2000.
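Because both tools above rewrite the default policies to their out-of-the-box contents, anything added to them since (extra user-rights assignments, audit settings, service ACLs) is lost. The following is an added example, not part of the thread, of the safety net a practitioner would put in place before running DCGPOFIX on a Windows Server 2003 or later DC: copy the SYSVOL half of both default GPOs, export the security settings currently in effect on the DC with secedit for later comparison, and only then run the reset. It assumes a domain admin session on the DC, that the SYSVOL share is reachable via the domain name, and a hypothetical local backup path; the GUIDs are the well-known ones for the two default policies.

```powershell
# Added example, not from the original thread. Back up the default GPOs'
# SYSVOL folders and the DC's effective security settings, then reset the
# Default Domain Controllers Policy with DCGPOFIX (Windows Server 2003+).
# Assumes a domain admin on the DC; C:\GPOBackup is a hypothetical path.

$guids = @{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}
$dnsDomain  = $env:USERDNSDOMAIN
$backupRoot = "C:\GPOBackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"

foreach ($name in $guids.Keys) {
    # GPT.INI, GptTmpl.inf, registry.pol and friends live under this folder.
    $src = "\\$dnsDomain\SYSVOL\$dnsDomain\Policies\$($guids[$name])"
    $dst = Join-Path $backupRoot ($name -replace ' ', '_')
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    Copy-Item -Path "$src\*" -Destination $dst -Recurse -Force
}

# Security settings currently applied on this DC (user rights, audit policy,
# security options), so customisations can be identified and re-applied.
$inf = Join-Path $backupRoot 'dc-effective-security.inf'
secedit /export /cfg $inf | Out-Null

# Reset only the Default Domain Controllers Policy. /target:Both would reset
# the Default Domain Policy as well; add /ignoreschema only if dcgpofix
# refuses to run because the schema version does not match what it expects.
dcgpofix /target:DC
```

After the reset, diff the exported .inf against MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf in the freshly written policy folder to see which settings the reset dropped, and re-add them through the Group Policy editor rather than by editing the template file by hand.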
 