Rick - Thanks for the detailed info! I do have a backup of the environment, but since this is a test environment, I'll be more comfortable building it from scratch (4 servers - 2 in 2 different sites).

The only thing I can see that caused this was installing Doubletake software being used for DR. When the AD was originally loaded in the remote site, the database files were not on the same drive as on the server it was being replicated with in the original site. This was required for Doubletake, so the files were moved successfully as per http://support.microsoft.com/?kbid=257420 . I say successfully as the database integrity was verified. About a day later, this issue came to light.

As for the GUID, I didn't realize it was a standard string - hence my lame attempt to recreate it. I'm still puzzled as to why I can't delete the existing one from the Properties page if the GUID does not exist.

Thanks again for the details!

Regards,
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, April 05, 2003 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can't access Default Domain Controller Security policy

Jeffrey,

This is not exactly easy to resolve - but it can be done. Firstly, some background as to why your valiant efforts met with no success. The Default Domain Controllers Policy has a unique GUID that is the same on all systems. In fact, everything is coded to look for this GUID. So, if it's not in SYSVOL, simply creating another GPO and naming it the same won't work - because it has a different GUID. The GUID for the Default DC Pol will be: {6AC1786C-016F-11D2-945F-00C04fB984F9}.

Now, knowing this - you have a problem. You can't just 'make' a new one. At least in Windows 2000 you can't. Knowing that you are a good Administrator who backs up frequently (right?? ;-) ), you CAN restore this object from one of your backup tapes. Doing the procedure of an Authoritative Restore on the DC that holds the PDC Emulator role in the domain from which the Default DC Policy has gone missing would be best.

You will need:
1. Ability to get into DS Restore Mode (F8 during the Starting Windows status bar)
2. Backup tape WITH SYSTEM STATE (less than the tombstone time - typically 60 days)
3. NTDSUTIL
4. Knowledge of the Distinguished Name of the Default DC Policy

Number 4 can be answered by a trip to ADSIEdit. Turns out that the Default DC Policy lives in the Policies CN under System CN under the DC. So, the full path to be stipulated to NTDSUTIL might be:
CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Corp,DC=Com

To get the other pieces in place, I suggest reviewing this Q article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;248132

Using method 2:
1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. At a command prompt, type ntdsutil, and then press ENTER.
4. Restore the System State from a backup set that was created prior to the computer account deletion.
5. Type authoritative restore, and then press ENTER.
6. Type restore subtree "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Corp,DC=Com", and then press ENTER, where Corp is the domain name the domain controller resides in, and Com is the top level domain name of the domain controller, such as com, org, or net.
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.

One other method that I have used in tests is to use the 'not quite yet released' Group Policy Management Console. To do it with GPMC, you can connect to a foreign forest and back up an existing GP - in this case the Default DC Policy. GPMC has a restore function which will allow you to restore to another DC - in this case, your DC with the PDC-E role missing the GP. See the GPMC help, if you can get your hands on the tool. It should be available at the same time that Win2k3 is released, but works just fine on Windows 2000.

Hope this all helps.....

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Dubyn
Sent: Saturday, April 05, 2003 4:51 PM
To: [EMAIL PROTECTED]

Problem started with a new DC in a new site not being able to access the Windows Update site, giving the "Administrators Only" error. That was odd as we were logged in with the administrator username. We can access the Windows Update site on the DC in the original site with the same user name.

The exact problem is described in this Q article "Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001 Logged" http://support.microsoft.com/?kbid=258296 . Unfortunately, the fix was already in place so was not relevant. Looking at the GUID of the GPO in the Event Log, I cannot see it in the SYSVOL folder - it's just not there.

After some troubleshooting, I found that on both DCs, I cannot open the Default Domain Controllers Policy object with an error of: "Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified."

To attempt to rectify this, I renamed the Default Domain Controllers Policy object and then created a new Default Domain Controller Policy and disabled the renamed one. After using secedit /refreshpolicy for both machine and user, I forced replication and could see the new policy and the old, renamed disabled policy in the other DC in the new site. I logged out and back in as the administrator but unfortunately, this did not fix the problem - I could not access the Default Domain Controller Policy with the same error, and received the same issue with Windows Update.

I tried deleting the renamed object, yet I could not. The system did not give any errors, but when I confirmed YES to delete it, it was still there.

Any suggestions on how to proceed?
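The thread's diagnosis rests on two halves of one GPO having to agree: the groupPolicyContainer object under CN=Policies,CN=System in AD, and the folder of the same well-known GUID in SYSVOL on every DC. The following script is an added check, not code from the thread or from Microsoft; it reports which half is missing so an admin can decide between an authoritative restore and a GPMC restore before touching anything. It assumes it runs as a domain user on a domain-joined host with LDAP and SMB reachable, and uses only .NET/ADSI so no AD module is required.

```powershell
# Added example (not from the thread): verify the Default Domain Controllers Policy
# exists as an AD object and as a SYSVOL folder on each DC, reporting each half separately.
$DefaultDcGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # well-known GUID quoted in the thread

function Test-DefaultDcPolicy {
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domainDn = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $policyDn = "CN=$DefaultDcGuid,CN=Policies,CN=System,$domainDn"

    # 1. AD side: the groupPolicyContainer object. ADSI binding is lazy, so force a read
    #    of gPCFileSysPath; a missing object surfaces here as an exception.
    $adOk = $true; $gpcPath = $null
    try {
        $gpc     = [ADSI]"LDAP://$policyDn"
        $gpcPath = $gpc.Get('gPCFileSysPath')   # usually \\<domain>\SysVol\<domain>\Policies\{GUID}
    } catch { $adOk = $false }
    [pscustomobject]@{ Check = 'AD object'; Target = $policyDn; Present = $adOk }

    # 2. SYSVOL side, checked per DC rather than via the DFS root, because the thread's
    #    symptom was the folder being absent on both DCs while the AD object still existed.
    foreach ($dc in $domain.DomainControllers) {
        $folder = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$DefaultDcGuid"
        [pscustomobject]@{ Check = 'SYSVOL folder'; Target = $folder; Present = (Test-Path -LiteralPath $folder) }
    }

    # 3. The path the AD object itself advertises; a mismatch with step 2 means the GPC
    #    points somewhere the GPT no longer is, which is the "cannot find the path" error.
    if ($adOk -and $gpcPath) {
        [pscustomobject]@{ Check = 'gPCFileSysPath'; Target = $gpcPath; Present = (Test-Path -LiteralPath $gpcPath) }
    }
}

Test-DefaultDcPolicy | Format-Table -AutoSize
```

A row showing the AD object present but every SYSVOL folder absent matches the situation in the thread, where only the template half needs to come back from backup; an absent AD object is the case Rick's authoritative restore of the CN=Policies subtree addresses.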
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
