none
AD-Default domain policy

    Question

  • Dear All,

    recently there was a disaster and our AD and Exchange went down.

    We recovered AD and Exchnage from backup

    Mail flow everything is working fine

    Now I am stuck with two issues

    1.netlog on folder is not shared

    2. When i am expanding the default domain GPO i get access is denied error

    anything we can check 

    Tuesday, December 27, 2016 8:42 AM

All replies

  • Once you restore the AD in non-authoritatively and SYSVOL in authoritatively you should see the SYSVOL shared.

    Please find the proper steps for restoring the root forest properly.

    3 Decide the DC for recovery
    4 Update DSRM password for the DC's
    5 Configure Selected DC's boot in DSRM mode
    6 Disconnect the network cable from root domain dc / Shutdown all the DC's except the selected Root DC
    7 Reboot selected forest DC in DSRM mode
    8 On the first Root DC : Perform nonauthoritative of AD DS & Authoritative SYSVOL restore
                    a. Login to DC using DSRM pwd
                    b. get the version number of the backups which you have created
                    c. identify the backup you want to restore
                    d. restore AD in nonauthoritativly & SYSVOL in authoritativly 
    9 Reboot the DC in normal mode 
    10 Verify that the DC has all the datas (Objects, GPO, SYSVOL conetent & it is shared)
    11 Create DWORD "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations" with value 0
    12 Seize all Domain-wide and Forest-wide operation master roles
    13 Metadata cleanup of other DC's in the root domain that we are not restoring from backup
    14 Check DNS service
                    a. Check if DNS service is available.
                    b. Make sure the restored DC's primary DNS is pointing to its own IP
                    c. In the _msdcs and domain DNS zones, delete NS records of DCs that no longer exist after metadata cleanup
                    d. Check if the SRV records of the cleaned up DCs have been removed
    15 Remove Global Catalog
    16 Raise the value of the available RID pool by 100,000
    17 Invalidate the current RID pool
    18 Reset the computer account password of this DC twice
    19 Reset the krbtgt password twice
    20 Reset the trust password
    21 Configure Time Source

     

    Regards, Nidhin.CK

    Tuesday, December 27, 2016 9:14 AM
  • have you tried to open or edit any other GPO , also try to create a new GPO and edit it,if for the other it works fine then there is probable chance of s some sort of corruption. I would be sure to run gpotool to see if anything 
    unusual is reported with version numbers or replication. If you have a copy of the System State from a domain controller at a time before this all started happening, you might try an authoritative restore of it. There is a tool called recreatedefpol.exe that can be used to repair create new default GPO for domain or domain controller.

    Also as a percaution you Check the security on the GPO that you get Access Denied on:

    1. in GPMC, select the GPO
    2. select the Delegation tab in the right pane
    3. click the Advanced button
    4. click the Advanced button (on the Security tab) - check if you are a 
    member of any of the groups that have Write
    5. click Owner

    if any access is missing for the account, you can find that.

    Tuesday, December 27, 2016 11:42 AM
  • If you have only  specific access issue on one GPO, then open ADSI edit and select Domain partition. There you have an option to select select the specific GPO and grant the required access. My assumption is that after the restoration, the access might be removed for the specific GPO.


    Regards Sajin P S

    Tuesday, December 27, 2016 1:22 PM
  • Hello,

    As the NetLogon is not shared I would first check if Sysvol is shared. If Sysvol is not shared, your AD recovery went wrong and you need to either redo or finalize it.

    Please check the  following links, just to make sure your AD recovery strategy includes all the necessary steps: https://technet.microsoft.com/en-us/library/cc961934.aspx?f=255&MSPPError=-2147217396

    /Regards

    Tuesday, December 27, 2016 4:42 PM
  • Hi,
    Agree with others that please firstly check the following aspects:
    1. If Sysvol folder is working and its share is gone or not?
    2. Except for Default domain policy GPO, check if the other GPOs are working and could be edited.
    3. Run dcdiag command to check if the DC is healthy after restoring.
    4. Check if any related events are logged in the event viewer.
    Here is an article discussing a similar issue, you could refer to and have a try following it:
    Directory Service: NETLOGON missing after a restore
    https://social.technet.microsoft.com/wiki/contents/articles/17478.directory-service-netlogon-missing-after-a-restore.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 28, 2016 2:38 AM
    Moderator
  • Dear All,

    I did the following steps:

    1. Performed d4 on PDC and D2 on ADC

    2. Got sysvol and netlog on shared

    3. REpadmin /syncall command now completes without any error

    4. for Default domain policy i ran dcgpofix and now even they are present

    5. I have issues while contacting new VM to domain. It says active directory cannot be contacted

    6. I checked one of the old machines removed from domain joined it back and its working fine without any issues

    I am getting request timed out for DNS


    • Edited by vgahod Thursday, December 29, 2016 11:08 AM
    Thursday, December 29, 2016 11:08 AM
  • Your current situation looks like a pure DNS problem. You need to enable new servers to resolve DNS names using your new DC. 

    • Please ensure that your servers are pointed to the correct DNS server.
    • Please make sure that firewall ports are opened to allow them contacting this DNS server for name resolution.

    Until you can resolve domain DNS names, you won't get it to work.

    /Rregards

    Thursday, December 29, 2016 1:14 PM