AD DS: The Default Domain Controllers Policy in this domain should be applied to this OU

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

The Default Domain Controllers Policy is not currently applied to this organizational unit (OU).

Impact

If Group Policy settings that are defined in the Default Domain Controllers Policy are not applied to domain controllers, Active Directory operations may fail.

Specifically, the following may happen:

  • Replication between domain controllers may fail.

  • Promotion of additional domain controllers in the domain may fail.

  • Members of the Administrators security group may not be delegated necessary user rights, such as Enable computer and user accounts to be trusted for delegation.

Resolution

Link the Default Domain Controllers Policy to this OU.

Microsoft strongly recommends against moving any domain controller accounts out of the Domain Controllers OU (OU=domain controllers,DC=<domain name>). Moving these accounts can disrupt the consistent application of domain controller policies. For more information, see Securing Active Directory Administrative Groups and Accounts (https://go.microsoft.com/fwlink/?LinkId=168899).

If domain controllers are in different OUs, link the Default Domain Controllers Policy to those OUs. If you have defined additional Group Policy objects (GPOs) for your domain controllers, ensure that these GPOs are also linked to all OUs that contain domain controllers, including the OU listed in the non-compliance message for this BPA rule. You should also ensure that the link order of the GPOs is the same for each OU. The link order determines which GPOs have precedence when multiple GPOs are applied to an OU. GPOs that are higher in the link order have higher precedence.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

  1. Click Start, click Administrative Tools, and then click Group Policy Management.

  2. Expand Forest: <forest name>, Domains, and <domain name>.

  3. Right-click the OU to which you want to link the Default Domain Controllers Policy, and then click Link an Existing GPO.

  4. Click Default Domain Controllers Policy, and then click OK.

If you have defined additional GPOs for domain controllers that are moved, use the following procedure to verify that the link order for the GPOs is consistent for all OUs that contain domain controllers.

  1. Click Start, click Administrative Tools, and then click Group Policy Management.

  2. Expand Forest: <forest name>, Domains, and <domain name>.

  3. Click the Domain Controllers OU, and then click the Up or Down arrows to change the link order of the GPOs that are linked to it.

  4. Click other OUs that have domain controllers, and make sure that they follow the same GPO link order.

After you complete these procedures, run gpupdate /force on the affected domain controller to ensure the Group Policy setting updates are applied.
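As an added example (not from this page or from Microsoft's own tooling), the following PowerShell audits the conditions this rule checks: it finds every OU that holds a domain controller, verifies that the Default Domain Controllers Policy is linked (and enabled) there, and compares each OU's GPO link order with the Domain Controllers OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it runs as a member of Domain Admins or equivalent; the remediation call is left commented out so the script only reports.

```powershell
# Added example, not from the original page: audit GPO links on every OU
# that contains a domain controller. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; run as Domain Admins (or equivalent).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$defaultDcPolicy = 'Default Domain Controllers Policy'
$referenceOu     = (Get-ADDomain).DomainControllersContainer  # OU=Domain Controllers,DC=...

# Parent OU of each DC computer object: strip the leading "CN=<name>," RDN.
$dcOus = Get-ADDomainController -Filter * |
    ForEach-Object { $_.ComputerObjectDN -replace '^CN=[^,]+,', '' } |
    Sort-Object -Unique

# Names of the *enabled* GPO links on an OU, in link order
# (Order 1 = highest precedence). A disabled link is not applied.
function Get-LinkOrder ([string]$Ou) {
    (Get-GPInheritance -Target $Ou).GpoLinks |
        Where-Object { $_.Enabled } |
        Sort-Object Order |
        ForEach-Object { $_.DisplayName }
}
$referenceOrder = @(Get-LinkOrder $referenceOu)

foreach ($ou in $dcOus) {
    $links = @(Get-LinkOrder $ou)

    if ($ou -ne $referenceOu) {
        # Microsoft recommends against this; report it so it can be reviewed.
        Write-Warning "Domain controller(s) found outside the Domain Controllers OU: $ou"
    }

    if ($links -notcontains $defaultDcPolicy) {
        Write-Warning "$defaultDcPolicy is not linked (or is disabled) on $ou"
        # Remediation (steps 3-4 of the procedure above); uncomment to apply:
        # New-GPLink -Name $defaultDcPolicy -Target $ou -LinkEnabled Yes
    }

    # -SyncWindow 0 makes the comparison position-sensitive, so a different
    # link order (not just a different set of GPOs) is reported.
    $diff = Compare-Object -ReferenceObject $referenceOrder -DifferenceObject $links -SyncWindow 0
    if ($diff) {
        Write-Warning "GPO link order on $ou differs from $referenceOu"
        $diff | Format-Table -AutoSize
    }
}
```

If the order differs, correct it with Set-GPLink -Name <GPO> -Target <OU DN> -Order <n> (a real cmdlet, used here as a hypothetical call), then run gpupdate /force on the affected domain controller as the page describes.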

Additional references

For more information, see the following references: