Default Domain Policy and Default Domain Controller Policy - Default Settings?

    Question

  • I have done lots of searching and can't find my answer.

    We have upgraded from Server 2003 to 2008.

    I am now tweaking settings but have some strange activity.

    After looking at the Default Domain Policy I think it's pulled in settings from 2003; however, when I edit the Default Domain Policy I can't see them where they are meant to be.

    What I would like to do is create a new Default Domain Policy based on the default settings set by Microsoft. I would like to cross reference the settings between the default 2008 settings (from new) and my current settings.

    I know you can reset the current Default Domain Policy but it isn't advised, so rather than resetting I can create a new one to replace it; that way I can switch back easily if I ever needed to and it would allow me to easily cross reference settings.

    The same applies for the Default Domain Controllers policy.

    So to summarise, can someone link me to all the settings set by default in a new Default Domain Policy and Default Domain Controller Policy as if they were set up as new and unchanged? Server 2008 R2.


    Thanks.
    • Edited by Jaffaz32 Thursday, May 03, 2012 2:49 PM
    Thursday, May 03, 2012 2:49 PM

Answers

  • Hi,

    As you mentioned, the Dcgpofix tool is intended for use only as a last-resort disaster-recovery tool, since the Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state.

    The Dcgpofix tool cannot know what state the security settings were in before you run Dcpromo. Therefore, the Dcgpofix tool cannot return the security settings to precisely the original state. Instead, the Dcgpofix tool recreates the two default Group Policy objects (GPOs) and creates the settings based on the operations that are performed only during Dcpromo.
    If you have a new installation of Microsoft Windows Server 2003 and no security changes are made to the operating system before you run Dcpromo, the recreated Default Domain Controller Policy that is created by Dcgpofix will be almost the same as the Default Domain Controller Policy just after you run Dcpromo. However, there will be some differences in the settings in the Default Domain Controller Policy in this case.

    But if you don’t have GPO backups for the Default Domain Policy GPO and Default Domain Controller Policy GPO, we recommend you use DCgpofix tool to reset these two default policies.

    > I can simply link the new and unlink the old. any problems unlink the old and link the new.

    It's not the correct method in my opinion, since the Default Domain Policy and Default Domain Controller Policy each have their own fixed GUID. Although your new GPOs have the same settings and the same names as these two default policies, they are not identified as the Default Domain Policy and Default Domain Controller Policy.

    > Couple of articles mention that it may cause problems with our exchange server. Some mention resetting
    > may cause permission problems.

    I think you can first use GPMC to back up these two old policies, then use the Dcgpofix tool to restore the default policies. If everything is OK, that's best. If you meet issues, back up the two new default GPOs and restore the two old GPOs. Refer to the default GPO settings to modify your two old GPOs.

    For more information please refer to the following MS articles:

    Default Group Policy objects become corrupted: disaster recovery
    http://technet.microsoft.com/en-us/library/cc739095(v=WS.10).aspx
    The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
    http://support.microsoft.com/kb/833783/en-us
    Backing up, Restoring, Migrating, and Copying GPOs
    http://technet.microsoft.com/en-us/library/cc781458(v=WS.10).aspx

    Lawrence

    TechNet Community Support


    Monday, May 07, 2012 6:32 AM

All replies

  • Also to add to this, is this guide correct?

    http://bittangents.com/2010/02/03/default-domain-policies-windows-server-2003-sp2-windows-server-2008-r2/

    Because I can't find... any of these settings

    - Allow users to select new root certification authorities (CAs) to trust = Enable

    - Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

    - To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only

    Apparently they should be under...

    + Computer Configuration > Policy > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

    But I don't see any of them. I have these settings and other settings in my Default Domain Policy and wonder if they should be there on 2008 because it was an upgrade from 2003.

    Thursday, May 03, 2012 3:21 PM
  • Hello,

    If you think they are messed up somehow then use the reset tool to be sure everything is OK. That is the way to handle it. You cannot delete the Default Domain and Default Domain Controllers GPOs, only unlink or disable them: http://support.microsoft.com/kb/910201

    Here is the way to reset them http://technet.microsoft.com/en-us/library/cc739095(WS.10).aspx Also see:

    Usage of dcgpofix:

    Default Domain GPO reset:
    dcgpofix /target:Domain

    Default Domain Controller GPO reset:
    dcgpofix /target:DC

    Both together:
    dcgpofix /target:both

    You have to pay attention to:
    http://support.microsoft.com/kb/947053

    http://support.microsoft.com/kb/946395/en-us

    http://support.microsoft.com/kb/833783

    http://support.microsoft.com/kb/932445


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, May 03, 2012 5:15 PM
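    An added example (not from any poster in this thread) of the backup-first approach that Lawrence and Meinolf describe: before running the dcgpofix commands above, back up both default GPOs by their fixed GUIDs with the Windows Server 2008 R2 GroupPolicy PowerShell module and export their settings as XML reports, so that the pre-reset and post-reset settings can be cross-referenced and the old GPOs restored if the reset causes problems. The backup folder path is an assumption.

```powershell
# Added example, not code from any poster: back up the two default GPOs by
# their fixed GUIDs and export their settings before a dcgpofix reset.
Import-Module GroupPolicy

# Well-known GUIDs of the two default GPOs; they are the same in every AD domain,
# which is why a new GPO with the same name is not treated as the default one.
$DefaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}

# Assumed backup location; use a path that is not affected by the reset
$BackupRoot = 'C:\GPOBackups\pre-dcgpofix'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

foreach ($name in $DefaultGpos.Keys) {
    $guid = $DefaultGpos[$name]

    # Confirm the object behind the fixed GUID carries the expected name
    $gpo = Get-GPO -Guid $guid
    if ($gpo.DisplayName -ne $name) {
        Write-Warning "GUID $guid is named '$($gpo.DisplayName)', expected '$name'"
    }

    # Full backup (the GPMC equivalent), restorable later with Restore-GPO
    $backup = Backup-GPO -Guid $guid -Path $BackupRoot -Comment 'Before dcgpofix'
    Write-Host "Backed up '$name' as backup id $($backup.Id)"

    # XML settings report for side-by-side comparison after the reset
    $report = Join-Path $BackupRoot (('{0}-before.xml' -f $name) -replace ' ', '_')
    Get-GPOReport -Guid $guid -ReportType Xml -Path $report
}

# After dcgpofix, export the reset GPOs the same way (e.g. *-after.xml) and
# compare the two reports. If the reset breaks something, roll back with:
#   Restore-GPO -BackupId <backup id printed above> -Path $BackupRoot
```

    The XML reports contain timestamps, so compare them with a diff tool that can ignore those lines rather than expecting identical files.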
  • Thanks for your reply.

    I was trying to think of an alternative way of doing a reset; I have been reading up on the above command prior to posting my question.

    There are mixed reviews, mainly seen as a last resort.

    Couple of articles mention that it may cause problems with our exchange server. Some mention resetting may cause permission problems.

    I was hoping I could find the default settings for the main domain policy on Server 2008 and create it from scratch as a duplicate policy with the default settings myself; this way I still have the original policy to resort back to if anything goes terribly wrong. I can simply link the new and unlink the old; any problems, unlink the new and link the old.

    I could back up the current one, which I have already done, reset, and if it causes any problems restore the old, but I would really like to keep both old and new; it would be a lot easier for cross referencing settings.

    Thanks

    Friday, May 04, 2012 9:45 AM
  • > I was hoping I could find the default settings for the main domain policy on Server 2008 and create it from scratch as a duplicate policy with the default settings myself; this way I still have the original policy to resort back to if anything goes terribly wrong. I can simply link the new and unlink the old; any problems, unlink the new and link the old.
    >
    > Thanks

    Why don't you go the other way around? Meaning, you create a copy of the Default Domain Policy, rename it, and then you do a Default Domain Policy reset. This way you accomplish exactly what you wanted, but in a much more "doable" manner.

    " Never panic before reboot ! "

    Friday, May 04, 2012 5:37 PM