Default Domain Controller Policy and Default Domain Policy


Paul D

I'm sure this has been asked a hundred times, but I cannot find the answer.
My apologies for this.

Does anyone know of an article which describes how the "Default Domain
Controller" and "Default Domain" Policies relate to custom GPOs configured at
the Domain Controllers OU, and also where they can be accessed by
right-clicking an object and choosing Properties rather than using the
Default Domain Controller Policy and Default Domain Policy MMCs?

Any help would be great!

Thank you in advance
Paul
 
Mark Renoden [MSFT]

Hi Paul

These policies can be accessed via AD Users and Computers. The Default
Domain Policy is linked to the domain (properties of the domain -> GP tab)
and the Default Domain Controllers Policy is linked to the Domain
Controllers OU.

I'm not sure what you're asking with respect to the relationship between
these policies and custom GPO's linked at the Domain Controllers OU. Please
clarify.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul D

Hi Mark

That's very strange, then. You describe exactly the location where I would
expect to find the GPO Links, but in our environment they are not there.
However, I am certain that both default GPOs are being applied, as changes
to them affect our domain.

Accessing object properties, viewing the GP tab, and pressing the Add (Add a
GPO Link) button allows us to view/link to any of our custom GPOs, but not
the Default GPOs.

Hence, it is not clear when the Default GPO is applied in the Site/Domain/OU
order of processing. Obviously the name "Default" implies that it gets
applied first, but it would be good to know how to access it just like the
custom GPOs.

Thanks for your input so far
Best regards
Paul
 
Mark Renoden [MSFT]

Hi Paul

This is strange indeed. If you click Add when you're at the Group Policy
tab, do you have the option of adding these default policies? What's
represented here is just the link between the GPO and the OU. Wondering if
just the link is missing (which doesn't explain why they'd still apply to
the environment).

I assume this is a Windows 2000 environment?

Can you absolutely confirm that these are applying by running gpresult /v on
a DC and checking to see which GPO's are processed?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul D

Mark

I'd forgotten about that command - thank you!

You are right - gpresults /v shows that only our custom GPOs are being
applied. This doesn't really make sense, because we were having major
problems with users logging on after I applied a securedc template on our
domain controllers. When I relaxed digital signing and authentication
options at the Default GPOs, the problems ceased.

One thing I noticed from the gpresults output is that, although both DCs are
Windows 2003 Server Standard, the "Domain Type" shows as Windows 2000. Is
this normal?

Do you know of an article which will explain how to re-establish links to
GPOs if you think this is the problem? Any other advice would be greatly
appreciated.

Thanks for your help so far
Paul
 
Mark Renoden [MSFT]

Hi Paul

If the GPOs still exist in SYSVOL, you should be able to re-establish the
links easily. The folders that should exist in SYSVOL are:

{31B2F340-016D-11D2-945F-00C04FB984F9}

and

{6AC1786C-016F-11D2-945F-00C04fB984F9}

under C:\WINDOWS\SYSVOL\sysvol\<domain name>\Policies

If these don't exist, you'll have to resolve the issue by running
dcgpofix.exe. The dcgpofix.exe program is included on Windows Server 2003.
For help on using this program, run the command "dcgpofix /?" in a command
prompt window. You may also want to refer to:

833783 The Dcgpofix tool does not restore security settings in the
Default
http://support.microsoft.com/?id=833783

If the policy folders do exist, you just need to re-establish the links.
You can do this by:

1. Opening AD Users and Computers

2. For the Default Domain Policy, right-click the domain name and select
Properties.

3. Navigate to the Group Policy tab and click Add.

4. Selecting the All tab and choosing the Default Domain Policy.

5. Repeat steps 2 - 4 but select the properties for the Domain Controllers
OU instead of the domain name in step 2 and select the Default Domain
Controllers Policy in step 4.

Lastly, to answer your question, it is normal for your domain type to be set
to Windows 2000. You can raise the forest and domain functional levels to
Windows 2003 when you have no Windows 2000 domain controllers left in the
environment:

322692 How to raise domain and forest functional levels in Windows
Server 2003
http://support.microsoft.com/?id=322692

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
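
The check described in the post above, as an added example that is not part of the original thread or Microsoft's tooling: it compares the folder names under Policies with the gPLink attribute of the domain or the Domain Controllers OU to tell a missing GPO apart from a missing link. The folder listing, the gPLink strings, the custom GUID and DC=example,DC=com are constructed sample values; the GUID-to-name mapping and the gPLink option bits (1 = link disabled, 2 = enforced) are the standard Active Directory ones.

```python
import re

# Well-known GUIDs of the two default GPOs (the SYSVOL folder names in the post).
DEFAULT_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# One gPLink entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;options]
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9A-F-]{36}\}),[^;\]]*;(\d+)\]", re.I)


def parse_gplink(value):
    """Return [(GUID, disabled, enforced)] for every link in a gPLink value."""
    links = []
    for guid, opts in LINK_RE.findall(value or ""):
        flags = int(opts)
        links.append((guid.upper(), bool(flags & 1), bool(flags & 2)))
    return links


def audit_default_gpo(guid, policy_folders, gplink_value):
    """Classify one default GPO by SYSVOL presence and link state."""
    guid = guid.upper()  # GUID case differs between SYSVOL and the directory
    if guid not in {name.upper() for name in policy_folders}:
        return "missing from SYSVOL"          # the dcgpofix.exe case
    link = next((l for l in parse_gplink(gplink_value) if l[0] == guid), None)
    if link is None:
        return "present but not linked"       # the re-add-the-link case
    return "linked but link disabled" if link[1] else "linked and enabled"


# Constructed sample data (not taken from a real domain).
CUSTOM = "{11111111-2222-3333-4444-555555555555}"
FOLDERS = [CUSTOM, "{31b2f340-016d-11d2-945f-00c04fb984f9}"]
DOMAIN_GPLINK = "[LDAP://cn=%s,cn=policies,cn=system,DC=example,DC=com;0]" % CUSTOM
DC_OU_GPLINK = DOMAIN_GPLINK + (
    "[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "CN=Policies,CN=System,DC=example,DC=com;1]"
)

if __name__ == "__main__":
    for guid, name in DEFAULT_GPOS.items():
        gplink = DOMAIN_GPLINK if name == "Default Domain Policy" else DC_OU_GPLINK
        print(name, "->", audit_default_gpo(guid, FOLDERS, gplink))
```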
 
Paul D

Thank you very much Mark - I'll carry out all you suggest, and report back.
I'm not sure if the policies appear as
{31B2F340-016D-11D2-945F-00C04FB984F9} and
{6AC1786C-016F-11D2-945F-00C04fB984F9} in SYSVOL, but I'm afraid there are
no Default policies in the "All" tab of GP properties. Only our custom GPOs
appear. If anything springs to mind, I'd be interested.

Many thanks again
Paul
 
Mark Renoden [MSFT]

Hi Paul

It sounds like a dcgpofix.exe is in order. Make sure you have a backup of
everything before you embark on this.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
