Windows Server - GUI folders missing in \\sysvol\domain\policies

Asked By Andrei
11-Jun-08 04:30 PM
Long story short.
One domain  -  1 DC
1 month ago created the 2nd DC -> 1 domain 2 DCs
One of the DCs became hw unstable (the 1st dc in the domain - old machine)
and I had to demote it using /forcedemote switch. Cleaned up AD using
ntdsutil.
status: 1 domain - 1 DC
1 week ago promoted another DC -> 1 domain - 2 DCs
Immediately after I found out that sysvol folder was missing. I've recreated
the sysvol folder and subfolders using the D2 and D4 reg values.
Yesterday after I checked the sysvol folder and I noticed that under
\\sysvol\domain\policies there were no folders (GUI with brackets). I checked
the advanced tab in AD\users and computers\system\default domain policy also
nothing there but tons of event id: 1030, source: Userenv.
log for possible messages previously logged by the policy engine that
describes the reason for this."
GPMC cannot find path in group policy objects for DC policy, domain policy
and  sp users logon deny.
At this point I do have only a copy of the sysvol folder that was taken 1
month ago from the 1st DC that has been forcedemoted. The GUI folders all
three of them are there. They seem to be intact.
1. Is there any possibility to restore those policies having those folders
from backup?
2. If not what would be the consequences if I use dcgpofix?
Thank you very much in advance.

Andrei
  Florian Frommherz [MVP] replied...
12-Jun-08 02:39 AM
Howdie!

Andrei G wrote:

If there is an accurate backup of the very first DC that you demoted (as
I believe the replication between the first and the one you added a
month ago didn't work correctly), you can restore it. Use the backup and
restore the folders to a separate location and then copy them manually
into the "Policies" folder.


I'd first try to circumvent dcgpofix and use the backup. It doesn't
re-create all GPOs you have but the two default policies and might, if
you have Exchange running, mess its security settings up (there's a KB
for this, I think).

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
  Andrei replied...
12-Jun-08 08:45 AM
Thank you very much Florian.
There is no exchange server in the domain and I realized that if there is no
policy in place then dcgpofix won't do that much harm.
Anyways I'm going to take your advice 1st and put back the old policies back
to their original place and I'll report back. Question is if the AD finding
the policies is going to recreate back the necessary links and then replicate
to the other DC?
  Florian Frommherz [MVP] replied...
12-Jun-08 01:10 PM
Howdie!

Andrei G wrote:

If the policies are still there (in Active Directory, in the CN=Policies
container), there shouldn't be any further steps to take than just
re-create the GUID-folders in SYSVOL.

I'd go for the re-creation. If there's anything left, feel free to post
back. Make sure replication is healthy now so that both DCs are
up-to-date right now.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
  Andrei replied...
12-Jun-08 05:00 PM
Hey Florian,

I copied over the GUIDs to the policies folder. They have been replicated to
the other DC. The GPMC sees them and it corrected some permission/security
issues. I don't see them in AD though (users and computers\advanced\default
domain policy).
By the way the Userenv event id 1030 disappeared and I'm happy with that.
What else should I do? It seems to be ok.

Andrei
  Florian Frommherz [MVP] replied...
13-Jun-08 01:28 AM
Howdie!

Andrei G wrote:

What do you mean by "I don't see them in AD though"?
Can you successfully open and edit the policy? Do clients apply them?

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
  Andrei replied...
13-Jun-08 08:41 AM
Hey Florian,

I don't know how to check that. I can open them with GPMC and if I go in
setting tab and hit show I can see them with success or no audit etc.
Yesterday at 5 pm the Userenv 1030 event id stopped.
At this point I don't know what to do more.
In administrative tools\users and computers advance view there is a tab
there called system and in system another one called default domain policy. I
don't see the GUIDs there but I see them in sysvol.
Any idea?
Thank you.
  Andrei replied...
13-Jun-08 08:58 AM
Right now I ran a gpupdate on one of the clients and did not see any error in
the event viewer. Is it good? How else should I check that the global
policies are working fine?
Thank you.

Andrei
  Florian Frommherz [MVP] replied...
13-Jun-08 09:50 AM
Howdie!

Andrei G wrote:

Check with rsop.msc on a client if all policies are applied as expected.
When turning on advanced mode, you should see the policy under System -
Policies. There should be a folder for every single policy named with
the policy's GUID. If it isn't there, you will have to restore them with
an authoritative restore from the backup of your old server. I hoped those
were replicated at least.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
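
Added example, not part of any post in this thread: a PowerShell check that compares the GPO objects under CN=Policies,CN=System in Active Directory with the GUID-named folders in SYSVOL, which is the consistency the replies above are verifying by hand. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, and a domain-joined machine with read access to both locations.

```powershell
# Added example: report GPOs that exist on only one side (AD vs. SYSVOL).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvol     = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# AD side: one groupPolicyContainer object per GPO, named with the braced GUID.
$gpcs = @(Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName)

# SYSVOL side: one folder per GPO, named with the same braced GUID.
$folders = @(Get-ChildItem -LiteralPath $sysvol -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })

$adNames = @($gpcs | ForEach-Object { $_.Name })

# GPOs known to AD: does the SYSVOL folder exist, and does it hold gpt.ini?
$report = @(foreach ($gpc in $gpcs) {
    $dir = Join-Path $sysvol $gpc.Name
    [pscustomobject]@{
        Guid         = $gpc.Name
        DisplayName  = $gpc.displayName
        InAD         = $true
        SysvolFolder = Test-Path -LiteralPath $dir
        GptIni       = Test-Path -LiteralPath (Join-Path $dir 'gpt.ini')
    }
})

# Folders in SYSVOL with no matching AD object (the state after a manual copy
# from an old SYSVOL when the AD objects are missing).
$report += @(foreach ($f in $folders) {
    if ($adNames -notcontains $f.Name) {   # -notcontains is case-insensitive
        [pscustomobject]@{
            Guid         = $f.Name
            DisplayName  = $null
            InAD         = $false
            SysvolFolder = $true
            GptIni       = Test-Path -LiteralPath (Join-Path $f.FullName 'gpt.ini')
        }
    }
})

$report | Sort-Object Guid | Format-Table -AutoSize
# Any row with InAD, SysvolFolder or GptIni set to False is a half-present GPO.
```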
  Andrei replied...
13-Jun-08 10:06 AM
Florian,

Using rsop.msc is a success. I see for example password domain policy
successfully applied and audited.
I'm checking now how to use that authoritative restore of the GUIDs. I
haven't done it before.
Do you have a link to a KB how to do it or any other source?
Thank you.
  Andrei replied...
13-Jun-08 10:10 AM
Hey Florian,

I repeat. The backup I have is only a copy of the sysvol folder and not a
backup of the policy. Hope that helps to evaluate better the situation.

Andrei
  Andrei replied...
13-Jun-08 10:26 AM
Florian,

I think I've got it. In GPMC I did 1st a backup of all policies and then an
authoritative restore of the same backup. Very simple solution :).  I see now
the policies in system\policies but the folders machine and user are empty.
Maybe they should be like this.
I would say the problem is solved now. Thank you very much.

Cheers,

Andrei