The Case of the Broken Default Domain Policy

So over the last couple of days, I decided as part of my server virtualization project at home with my new hard disks, I would rename the domain to something more suitable.

I found a tool on the Microsoft site called rendom.exe along with a few other tools for renaming a domain. I read all of the instructions and had a plan set out for doing it, and the process was fairly painless due to only having one Domain Controller, so there was no need to wait for forest and domain replication to take place.

However, after running the gpfixup.exe application, which adjusts the path for all of the GPO objects in the domain to reflect the new domain name, I had issues as the tool didn’t run properly and all of my GPO objects were broken.

With this, I decided I would rename the domain back to its original name. Great – This fixed all of the GPO objects except for the Default Domain Policy and the Default Domain Controllers policy, which were still reporting as unavailable in the GPMC (Group Policy Management Console).

Being that it’s now getting quite drastic, I decided to run the dcgpofix.exe tool with the /target:both switch to reset the two GPOs back to factory settings and get things going again; however, I got a warning about the schema version. A quick Live Search revealed that this was because during this whole process I had upgraded the DC to Windows Server 2008, so I used the switch described in the Microsoft KB, /ignoreschema. Sounds scary, and it still didn’t work.

At this point, I’m getting scared I’ve really totalled the GPO links for the domain because even the tool which is supposed to reset the GPOs to OOBE settings didn’t work, so it’s time for extreme action: ADSI Edit.

I popped open ADSI Edit, which in Server 2008 is automatically installed with Active Directory unlike Server 2003 where you need to install the Server 2003 Administration Tools Pack to get it.

When browsing through the GPO objects in the CN=System,CN=Policies part of Active Directory, I noticed that the path specified in some of the GPO’s properties was wrong, and that the gpfixup.exe tool hadn’t put them back to the correct name so the link was \\wrongname.com\sysvol\wrongname.com instead of \\rightname.com\sysvol\rightname.com.

After changing the paths and reloading the schema, I was able to access all of the Group Policy Objects again – Cured!
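
The path check described above can be done for every GPO at once instead of by hand in ADSI Edit. The following read-only audit is an added example, not part of the original post: `Test-GpoSysvolPath` is a hypothetical helper name, the sample objects and `rightname.com`/`wrongname.com` values are constructed, and it assumes the property in question is the `gPCFileSysPath` attribute on each `groupPolicyContainer` object.

```powershell
# Added example: read-only audit of GPO SYSVOL paths after a domain rename.
# Test-GpoSysvolPath is a hypothetical helper, not a built-in cmdlet.
function Test-GpoSysvolPath {
    param(
        [Parameter(Mandatory)] [object[]] $Gpo,      # needs Name, DisplayName, gPCFileSysPath
        [Parameter(Mandatory)] [string]   $DnsRoot   # DNS name the domain should have now
    )
    foreach ($g in $Gpo) {
        # Expected form: \\<domain>\sysvol\<domain>\Policies\{GUID}
        $expected = '\\{0}\sysvol\{0}\Policies\{1}' -f $DnsRoot, $g.Name
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Guid        = $g.Name
            Actual      = $g.gPCFileSysPath
            Expected    = $expected
            Ok          = ($g.gPCFileSysPath -ieq $expected)   # case-insensitive compare
        }
    }
}

# Constructed sample: one GPO still pointing at the abandoned domain name.
$sample = @(
    [pscustomobject]@{
        Name           = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
        DisplayName    = 'Default Domain Policy'
        gPCFileSysPath = '\\wrongname.com\sysvol\wrongname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}'
    },
    [pscustomobject]@{
        Name           = '{6AC1786C-016D-11D2-945F-00C04fB984F9}'
        DisplayName    = 'Default Domain Controllers Policy'
        gPCFileSysPath = '\\rightname.com\SysVol\rightname.com\Policies\{6AC1786C-016D-11D2-945F-00C04fB984F9}'
    }
)
Test-GpoSysvolPath -Gpo $sample -DnsRoot 'rightname.com' |
    Where-Object { -not $_.Ok } | Format-List DisplayName, Actual, Expected

# Live check on a domain-joined machine with the ActiveDirectory module (RSAT).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $base   = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $live   = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=groupPolicyContainer)' `
                  -Properties displayName, gPCFileSysPath
    Test-GpoSysvolPath -Gpo $live -DnsRoot $domain.DNSRoot | Where-Object { -not $_.Ok }
}
```

The script only reads and reports; any GPO it lists is one whose stored SYSVOL path does not match the current domain name and is a candidate for the manual correction described in the post.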