DC and Domain access denied 2003 Std by GP

Status
Not open for further replies.

nocum

Technical User
May 23, 2002
21
US
Somehow Group Policy activated on a W2k3 Server and is now denying access to DC and Domain Security settings. I do not want to use Group Policies for the small domain. This is my first encounter with GP, so I need some help guys.

Single server domain, all critical updates, 1GB RAM, 2 2.8GHz Xeon, 136GB Array ..., unit is PDC.

Desired solution is to get rid of GP. The alternative is what to modify in GP to resolve access issue. This is a 10 user network without a resident techie so we need to keep it simple.

I found a similar post from October but the fellow never provided the requested server config.

"Whether you believe you can or you believe you cannot, either way you are right." Henry Ford
 
What were you doing and what error did you get?

Television will make radio obsolete.
 
Thank you for posting. The issue is now dead. I spent over 8 hours researching and trying workarounds - no joy. I decided at 7am to reload the W2k3 server and restore data files from tape. So far no issues, but I have not installed the DC as of yet. Will post results.

As to what happened. Server fully configured as PDC for 5 days without issue. Just before packing for delivery, I ran a WindowsUpdate and found a critical security patch I had missed. Don't know the number. After required reboot I could no longer access dc or domain security policies msc. I received a group policy error to the effect that I did not have rights to edit them. Compounding that were 1058 and 1030 errors that Group Policy could not start because of a missing g..ini file. I never instituted GP intentionally - it just showed up. There is only the default OU and a single server in the domain and forest. Very frustrating and annoying.

If there is a way to avoid the activation of GP on the domain, I would appreciate knowing how. This is my 5th W2k3 server and it didn't happen on any of the others.

"Whether you believe you can or you believe you cannot, either way you are right." Henry Ford
 
There are always a minimum of two GPOs on every domain: the default domain and default domain controllers policies. These are required.

A critical update would not change any settings in these two policies.

You could've saved yourself a format by posting the 1058 and 1030 errors in your first message; they are relatively straightforward to resolve.
 
Attempted to resolve following many different KBs and postings - no joy. Could not gain access to DC or domain default policies.

I have just imaged my system partition with ASR prior to installing. All software and tools other than AD, DNS, WINS and MacFiles have been installed. Will post results once all are in place again.


"Whether you believe you can or you believe you cannot, either way you are right." Henry Ford
 
AD, DNS, DHCP & WINS are installed. Server is fully functional with access to GP default domain policies and access to dcpol.msc and dompol.msc. Hypothesis: the domain controller and domain policies were trashed leaving only local GP. Whether the timing of the last critical update coincided with the corruption of the policies, or the CU was at fault, I do not know.

Now, with this bloody-nose experience somewhat out of the way what can be done to avoid it in the future? I have no other server to replicate to, so is there a reliable way of backing up these policies and/or repairing them? Are they a part of backing up AD?

"Whether you believe you can or you believe you cannot, either way you are right." Henry Ford
 
Thank you for your posts. I will make sure that our backups include the system state. I will use MSbackup to back up the system volume to a file on the NTFS data volume on a daily basis.

I will leave this thread open for the next few days as I monitor the status of the server in the lab on its second burn-in. I will be setting up the user accounts today and configuring folders in a separate partition for the Apple users. I will post exceptions or a final summary.


"Whether you believe you can or you believe you cannot, either way you are right." Henry Ford
 