
GUI folders missing in \\sysvol\domain\policies - Andrei

Wednesday, June 11, 2008 4:30 PM

Long short story.
One domain  -  1 DC
1 month ago created the 2nd DC -> 1 domain 2 DCs
One of the DCs became hw unstable (the 1st dc in the domain - old machine)
and I had to demote it using /forcedemote switch. Cleaned up AD using
ntdsutil.
status: 1 domain - 1 DC
1 week ago promoted another DC -> 1 domain - 2 DCs
Immediately after I found out that sysvol folder was missing. I've recreated
the sysvol folder and subfolders using the D2 and D4 reg values.
Yesterday after I checked the sysvol folder and I noticed that under
\\sysvol\domain\policies there were no folders (GUI with brackets). I checked
the advanced tab in AD\users and computers\system\default domain policy also
nothing there but tons of event id: 1030 source: Userenv.
log for possible messages previously logged by the policy engine that
describes the reason for this."
GPMC cannot find path in group policy objects for DC policy, domain policy
and  sp users logon deny.
At this point I do have only a copy of the sysvol folder that was taken 1
month ago from the 1st DC that has been forcedemoted. The GUI folders all
three of them are there. They seem to be intact.
1. Is there any possibility to restore those policies having those folders
from backup?
2. If not what would be the consequences if I use dcgpofix?
Thank you very much in advance.

Andrei

Howdie! - Florian Frommherz [MVP]

Thursday, June 12, 2008 2:39 AM

Howdie!

Andrei G wrote:

If there is an accurate backup of the very first DC that you demoted (as
I believe the replication between the first and the one you added a
month ago didn't work correctly), you can restore it. Use the backup and
restore the folders to a separate location and then copy them manually
into the "Policies" folder.


I'd first try to circumvent dcgpofix and use the backup. It doesn't
re-create all GPOs you have but the two default policies and might, if
you have Exchange running, mess its security settings up (there's a KB
for this, I think).

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Thank you very much Florian. - Andrei

Thursday, June 12, 2008 8:45 AM

Thank you very much Florian.
There is no exchange server in the domain and I realized that if there is no
policy in place then dcgpofix won't do that much harm.
Anyways I'm going to take your advice 1st and put back the old policies back
to their original place and I'll report back. Question is if the AD finding
the policies is going to recreate back the necessary links and then replicate
to the other DC?

Howdie! - Florian Frommherz [MVP]

Thursday, June 12, 2008 1:10 PM

Howdie!

Andrei G wrote:

If the policies are still there (in Active Directory, in the CN=Policies
container), there shouldn't be any further steps to take than just
re-create the GUID-folders in SYSVOL.

I'd go for the re-creation. If there's anything left, feel free to post
back. Make sure replication is healthy now so that both DCs are
up-to-date right now.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Hey Florian,I copied over the GUIDs to the policies folder. - Andrei

Thursday, June 12, 2008 5:00 PM

Hey Florian,

I copied over the GUIDs to the policies folder. They have been replicated to
the other DC. The GPMC sees them and it corrected some permission/security
issues. I don't see them in AD though (users and computers\advanced\default
domain policy).
By the way the Userenv event id 1030 disappeared and I'm happy with that.
What else should I do? It seems to be ok.

Andrei

GUI folders missing in \\sysvol\domain\policies - Florian Frommherz [MVP]

Friday, June 13, 2008 1:28 AM

Howdie!

Andrei G wrote:

What do you mean by "I don't see them in AD though"?
Can you successfully open and edit the policy? Do clients apply them?

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Hey Florian,I don't know how to check that. - Andrei

Friday, June 13, 2008 8:41 AM

Hey Florian,

I don't know how to check that. I can open them with GPMC and if I go in
setting tab and hit show I can see them with success or no audit etc.
Yesterday at 5 pm the Userenv 1030 event id stopped.
At this point I don't know what to do more.
In administrative tools\users and computers advanced view there is a tab
there called system and in system another one called default domain policy. I
don't see the GUIDs there but I see them in sysvol.
Any idea?
Thank you.

Right now I ran a gpupdate on one of the clients and did not see any error in - Andrei

Friday, June 13, 2008 8:58 AM

Right now I ran a gpupdate on one of the clients and did not see any error in
the event viewer. Is it good? How else should I check that the global
policies are working fine?
Thank you.

Andrei

Howdie! - Florian Frommherz [MVP]

Friday, June 13, 2008 9:50 AM

Howdie!

Andrei G wrote:

Check with rsop.msc on a client if all policies are applied as expected.
When turning on advanced mode, you should see the policy under System -
Policies. There should be a folder for every single policy named with
the policy's GUID. If it isn't there, you will have to restore them with
an authoritative restore from the backup of your old server. I hoped those
were replicated at least.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
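
The check described in the replies above (every GPO object in the CN=Policies container should have a matching GUID folder under SYSVOL\domain\Policies, and vice versa), written as a read-only PowerShell script. This is an added example, not something posted by the thread's participants; it assumes a domain-joined machine with PowerShell 3.0 or later, the helper names `Get-First` and `Get-GptVersion` are illustrative, and the comparison of the AD `versionNumber` with the `Version=` line in GPT.INI goes beyond what the thread discusses.

```powershell
# Added example: cross-check GPO objects in AD against GUID folders in SYSVOL.
# Read-only; run as a domain user on a DC or domain-joined machine (PowerShell 3.0+).
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = [string]$domain.GetDirectoryEntry().distinguishedName
$sysvol   = "\\$($domain.Name)\SYSVOL\$($domain.Name)\Policies"

# AD side: one groupPolicyContainer object per GPO under CN=Policies,CN=System.
$searcher = [adsisearcher]'(objectClass=groupPolicyContainer)'
$searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domainDN"
$searcher.PageSize   = 500
'cn', 'displayname', 'versionnumber' | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

# Return the first value of an attribute from a search result, or nothing if absent.
function Get-First($result, [string]$attr) {
    $values = $result.Properties[$attr]
    if ($null -ne $values -and $values.Count -gt 0) { $values[0] }
}

$inAd = @{}
foreach ($r in $searcher.FindAll()) { $inAd[[string](Get-First $r 'cn')] = $r }

# SYSVOL side: one {GUID} folder per GPO, each with a GPT.INI holding Version=<n>.
$inSysvol = @{}
Get-ChildItem -LiteralPath $sysvol -Directory |
    Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object { $inSysvol[$_.Name] = $_.FullName }

function Get-GptVersion([string]$folder) {
    $ini = Join-Path $folder 'GPT.INI'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
    if ($hit) { [int64]$hit.Matches[0].Groups[1].Value }
}

# Report every GUID seen on either side and how the two sides compare.
foreach ($guid in (@($inAd.Keys) + @($inSysvol.Keys) | Sort-Object -Unique)) {
    $adVer  = if ($inAd.ContainsKey($guid)) { Get-First $inAd[$guid] 'versionnumber' }
    $gptVer = if ($inSysvol.ContainsKey($guid)) { Get-GptVersion $inSysvol[$guid] }
    $status = if (-not $inSysvol.ContainsKey($guid)) { 'AD object without SYSVOL folder' }
              elseif (-not $inAd.ContainsKey($guid)) { 'SYSVOL folder without AD object' }
              elseif ($null -eq $gptVer)             { 'GPT.INI missing or unreadable' }
              elseif ([int64]$adVer -ne $gptVer)     { 'version mismatch' }
              else                                   { 'consistent' }
    [pscustomobject]@{
        Guid = $guid
        Name = if ($inAd.ContainsKey($guid)) { Get-First $inAd[$guid] 'displayname' }
        AdVersion = $adVer; SysvolVersion = $gptVer; Status = $status
    }
}
```

Running it against each DC's own SYSVOL share instead of the domain path shows whether the folders have replicated to both DCs.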

Florian,Using rsop.msc is a success. - Andrei

Friday, June 13, 2008 10:06 AM

Florian,

Using rsop.msc is a success. I see for example password domain policy
successfully applied and audited.
I'm checking now how to use that authoritative restore of the GUIDs. I
haven't done it before.
Do you have a link to a KB how to do it or any other source?
Thank you.

Hey Florian,I repeat. - Andrei

Friday, June 13, 2008 10:10 AM

Hey Florian,

I repeat. The backup I have is only a copy of the sysvol folder and not a
backup of the policy. Hope that helps to evaluate better the situation.

Andrei

Florian,I think I've got it. - Andrei

Friday, June 13, 2008 10:26 AM

Florian,

I think I've got it. In GPMC I did 1st a backup of all policies and then an
authoritative restore of the same backup. Very simple solution :).  I see now
the policies in system\policies but the folders machine and user are empty.
Maybe they should be like this.
I would say the problem is solved now. Thank you very much.

Cheers,

Andrei