4

We merged with a company and I'm taking over the IT duties there.

They had a 2000 domain that was upgraded to 2003.

The problem is that someone applied the W2k security policy templates to "harden" the DCs, and after the upgrade it doesn't seem to work right at all.

This means that the DEFAULT DOMAIN CONTROLLER POLICY is jacked up and has tons of security settings that are messing up the upgraded domain controllers.

I am going to build up 2 new domain controllers and replicate AD/DNS/DHCP between them and then demote the existing DCs.

MY PROBLEM:

  • I think in order to do what I want I'll need to blow away and recreate the true default Default Domain Controller Policy. Then add the new DCs to the domain and replicate AD/DNS and then demote the old domain controllers and remove them.

Does that sound logical? Anyone else have to deal with such a mess?

TheCleaner

2 Answers

5

This is exactly the reason why I strongly recommend against making any modifications to the "Default Domain Policy" and "Default Domain Controllers Policy" GPOs. That doesn't sound like too bad of a mess, though.

You don't want to (and, I believe, can't using the stock GUI tools) delete the "Default Domain Controllers Policy" GPO. Rather, you need to clean it up "by hand".

(Yes, there is a utility, DCGPOFIX.EXE, that will restore this GPO. Microsoft doesn't recommend using the DCGPOFIX.EXE utility except in disaster recovery scenarios. Nonetheless, it's fine to use the documentation for the tool to get an idea of what the defaults should look like.)

It should be a pretty straightforward operation to back off the silly changes that were made to the "Default Domain Controllers Policy" GPO using the Group Policy Editor. After you've done that, promote your new domain controllers, transfer FSMO roles, etc., and decommission the old machines.

Evan Anderson
  • I agree, more often than not by the time someone that knows what they are doing gets there, the defaults are all blown away. This situation is far too commonplace. – Jim B Feb 03 '10 at 21:11
  • Well, it appears that the biggest changes by the secpol were to the file permissions and registry permissions. I'm going to change the default back to normal by removing these permissions completely. Just so I'm clear, though: I'm pretty screwed on the existing servers, right? I mean even if I clean up the settings, the damage is already done to the existing DCs. – TheCleaner Feb 04 '10 at 15:55
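As an added illustration of the "back it up, then review what was bolted on" approach in the answer above (this is not code from the thread or from any of its posters), the script below backs up the Default Domain Controllers Policy and lists the file-system and registry ACL entries it carries, which the asker identified as the hardening template's biggest changes. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later; the thread's 2003 DCs lack it, where the same review is done in the Group Policy Editor), a backup folder of `C:\GPOBackups`, and the element names typical of `Get-GPOReport` XML output under the Security namespace.

```powershell
# Added example: snapshot and inventory the Default Domain Controllers Policy
# before cleaning it up by hand. Not from the original thread.
Import-Module GroupPolicy

# Well-known GUID of the Default Domain Controllers Policy in every AD forest.
$ddcpGuid  = '6AC1786C-016F-11D2-945F-00C04FB984F9'
$backupDir = 'C:\GPOBackups'   # assumed path; change to suit

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Restorable backup first: Restore-GPO can undo a bad manual edit,
#    without resorting to DCGPOFIX.
$backup = Backup-GPO -Guid $ddcpGuid -Path $backupDir -Comment 'Before manual cleanup'
"Backup id: $($backup.Id)"

# 2. Pull the settings report as XML and inspect the Security Settings extension.
#    (Namespace URIs and element names assumed from typical GPO report output.)
[xml]$report = Get-GPOReport -Guid $ddcpGuid -ReportType Xml
$ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
$ns.AddNamespace('sec', 'http://www.microsoft.com/GroupPolicy/Settings/Security')

# File-system and registry ACL entries are not part of the stock DDCP that
# DCGPOFIX would lay down; any present here came from the hardening template
# and are the candidates for removal in the Group Policy Editor.
$fileEntries = $report.SelectNodes('//sec:File', $ns)
$regEntries  = $report.SelectNodes('//sec:Registry', $ns)

"File-system ACL entries in DDCP: $($fileEntries.Count)"
foreach ($f in $fileEntries) { "  FILE  " + $f.Path }
"Registry ACL entries in DDCP:    $($regEntries.Count)"
foreach ($r in $regEntries)  { "  REG   " + $r.Path }

# 3. The stock DDCP does carry user rights assignments and audit policy;
#    list them so they can be compared against the DCGPOFIX documentation
#    rather than removed wholesale.
$rights = $report.SelectNodes('//sec:UserRightsAssignment', $ns)
"User rights assignments present: $($rights.Count)"
foreach ($u in $rights) { "  RIGHT " + $u.Name }
```

Note that editing the GPO only stops the settings from being re-applied; ACLs the template already stamped onto the existing DCs' files and registry stay as they are, which is the point the asker raises in the comment above.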
0

Why don't you try applying a looser SECPOL template to the existing DCs first?

Take a good backup before you do anything at all, and do it off-hours.

mfinni