Group Policy Objects Container Empty

    Question

  • Hi, I have two 2008 R2 domain controllers. Recently had an issue with replication but was resolved. Some time later, noticed not able to create new GPOs or edit existing ones. All existing GPOs are still at the OUs but missing from the Group Policy Objects container. In ADSIedit, the System --> Policies container is empty. If I try to create a new group policy container with the same GUID, it tells me it already exists. I can navigate to SYSVOL\domain\Policies and all the GUIDs with subfolders/files are there. I have no GPO backups and both DCs are reporting the same. Any ideas on how to fix this? Thanks.

    Saturday, September 19, 2015 8:30 PM

Answers

  • This is now resolved. All my attempts to replenish the missing GPOs with system state restores did not correct the problem. Although I managed to get my two domain controllers to replicate successfully (basically bringing it to a stable state) nonetheless, there was still another underlying issue that pointed me in the right direction.

    We use Centrify for Mac OS X. When joining Mac computers to Active Directory, you are able to specify what OU to place the Mac computer in. Normally, the AD folders would appear for your selection. However, I began noticing that the application (sporadically) was unable to browse the AD folders. I figured it was a DNS related issue. Long story short, I realized that although replication between domain controllers was reporting successful with repadmin, "Zone Transfers" however were not happening. I also determined that the original corruption problem with AD was only with the database on the FSMO DC and not with the additional DC.

    RESOLUTION: I decided to transfer the FSMO roles and DHCP server to the "good" DC, then demote and shut down the "bad" DC. Obviously this corrected the "Zone Transfer" issue, but I was extremely pleased to discover that the missing GPOs reappeared!

    Technically, I don't know the connection between GPOs and Zone Transfers but the fact that the Zones would not transfer because of a discrepancy detected in the database, worked as a "fail safe" in my case.

    Needless to say, I deleted the demoted VM and recreated a new one. The new VM was then promoted to an additional domain controller for redundancy. This time, I made sure to do a backup of all GPOs... just in case. Since both my DCs are virtual machines, I have scheduled System State backups. However, I am still moving forward with migrating to a clean Windows Server 2012 R2 domain.


    Andre1048

    • Marked as answer by Andre1048 Sunday, December 13, 2015 8:48 AM
    Sunday, December 13, 2015 8:48 AM

All replies

  • Hi,

    It seems that you lost the AD object of the GPO(s), and you're saying there is no GPO backup. Do you have any valid system state or full backup of any of the DCs? If you do, you can try an authoritative restore from there. Otherwise I am not sure how you can restore them, unless you want to go through each GUID in SYSVOL and sort out the settings and re-create new GPOs. You can't specify the GUID when you are creating the GPO, only if you have a Starter GPO base.

    You can try to recover using dcgpofix, the default ones (domain and domain controllers GPOs), but not the rest.

    Hope it helps.

    Regards,

    Calin

    Monday, September 21, 2015 10:14 AM
  • Hi Calin,

    Thanks for responding. I have been doing system state backups, but this problem may have been around for at least 2-3 weeks... I have made some changes since then. Not sure at what point the problem began. For some reason, I can't create any new GPOs. I thought of dcgpofix but the syntax refers to old/new domain... not so in my case. So far, I've been doing AD database fixes, semantic database analysis fixes, etc.

    Monday, September 21, 2015 6:51 PM
  • Yes, I'm aware that group policy is separate from ADDS. 
    Monday, September 21, 2015 6:53 PM
  • I think I understand your point about having base GPOs in order to create new ones... I'll see what I can do with dcgpofix.
    Monday, September 21, 2015 6:54 PM
  • Bummer... the dcgpofix didn't do anything. What I don't understand is what could have done this. The system doesn't allow you to delete the default domain and domain controllers GPOs. When I had the problem with replication, an offline defrag resolved it. Don't see how that could have wiped out the GPOs in the group policy container only.
    Monday, September 21, 2015 7:39 PM
  • Seems some corruption in the AD database. I think the only way to get it back is to restore from a system state backup. Choose an earlier backup copy if you want to get these GPOs back; of course you will lose recent updates, but that's the only choice at this stage.

    Monday, September 28, 2015 9:33 AM
  • Thanks for responding. I restored a test GPO from an earlier backup onto one domain controller. Although I can now see "all" the policies in the ADSIedit --> System --> Policies container (of the one domain controller), the GPMC Group Policy Objects container is still empty and still has the same problem. Just to be clear, the GPOs do exist in SYSVOL and do exist in AD at the assigned OUs respectively. The GPOs are working and can be edited as is at the assigned OU. It just seems the links to the GPO container are severed and I don't know how to restore them. What I don't understand is how this even happened. You can't just manually delete the default domain and domain controllers policies... but they disappeared too from the GPO container. As for restoring the system state, I would have to go back too far in time, which would cause more problems. I think it is time for me to establish a clean domain based on Server 2012 R2... establish a trust between the new and old domains and migrate user and computer accounts. I have a small environment so I can easily create new GPOs in the new domain.
    Friday, October 2, 2015 3:45 PM
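The state described in the post above (policy folders still in SYSVOL, gPLink attributes still on the OUs, but the groupPolicyContainer objects gone from CN=Policies,CN=System) can be measured per domain controller rather than guessed at from GPMC. The following read-only audit is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read SYSVOL on each DC.

```powershell
# Added example (not from this thread): compare, per DC, the GPO objects in the
# AD Policies container against the SYSVOL policy folders and the GPO GUIDs
# referenced by gPLink. A replica with a damaged database shows up as a mismatch.
Import-Module ActiveDirectory

function Get-GpoConsistencyReport {
    param([string]$Server = (Get-ADDomain).PDCEmulator)   # DC to query

    $domain   = Get-ADDomain -Server $Server
    $policyDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    # 1. groupPolicyContainer objects: what GPMC lists under "Group Policy Objects"
    $adGuids = @(Get-ADObject -Server $Server -SearchBase $policyDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=groupPolicyContainer)' |
        ForEach-Object { $_.Name.ToLower() })

    # 2. Policy folders in this DC's SYSVOL replica
    $sysvolPath = "\\$Server\SYSVOL\$($domain.DNSRoot)\Policies"
    $fsGuids = @(Get-ChildItem -LiteralPath $sysvolPath -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
        ForEach-Object { $_.Name.ToLower() })

    # 3. Every GUID referenced by a gPLink attribute (domain root and OUs)
    $linked = @(Get-ADObject -Server $Server -SearchBase $domain.DistinguishedName `
        -LDAPFilter '(gPLink=*)' -Properties gPLink |
        ForEach-Object {
            [regex]::Matches($_.gPLink, '(?i)cn=(\{[0-9a-f-]{36}\})') |
                ForEach-Object { $_.Groups[1].Value.ToLower() }
        } | Sort-Object -Unique)

    [pscustomobject]@{
        Server                = $Server
        AdContainerCount      = $adGuids.Count
        SysvolFolderCount     = $fsGuids.Count
        # SYSVOL folder present but AD object gone: the symptom in this thread
        SysvolWithoutAdObject = @($fsGuids | Where-Object { $adGuids -notcontains $_ })
        # AD object present but no SYSVOL folder: the opposite (FRS/DFSR) failure
        AdObjectWithoutSysvol = @($adGuids | Where-Object { $fsGuids -notcontains $_ })
        # OU or domain links pointing at a GPO the container no longer holds
        LinksToMissingGpo     = @($linked  | Where-Object { $adGuids -notcontains $_ })
    }
}

# Query every DC individually so a single bad replica stands out
Get-ADDomainController -Filter * |
    ForEach-Object { Get-GpoConsistencyReport -Server $_.HostName } |
    Format-List
```

A DC whose AdContainerCount is lower than its peers while SysvolFolderCount and LinksToMissingGpo are unchanged is the replica to suspect, which is the situation the accepted answer resolved by moving the FSMO roles and demoting that DC.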