Default Group Policy objects become corrupted: disaster recovery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The default domain GPOs become corrupted and there are no GPO backups for the Default Domain Policy GPO and Default Domain Controller Policy GPO.

Cause

The default domain GPOs are corrupted (for example, because of misconfiguration) and you do not have backed up versions of the Default Domain Policy GPO or the Default Domain Controller Policy GPO.

Solution

If you are in a disaster recovery scenario, consider using the Dcgpofix tool. If you run Dcgpofix, it is strongly recommended that you immediately review the security settings in the recreated GPOs and manually adjust them to suit your requirements, because the tool discards every customization.

Dcgpofix restores the default Group Policy objects to the state they had immediately after the initial installation of a domain controller. The tool recreates the two default Group Policy objects and populates them only with the settings that Dcpromo itself writes. It is important to understand that Dcgpofix does not restore security settings that were added or changed after promotion, whether by administrators or by other products (see the Note below); those must be re-applied by hand.

Important

The Dcgpofix tool is intended for use only as a last-resort disaster-recovery tool. To create regular backups of the default domain and all other GPOs, you must use Group Policy Management Console (GPMC). It is also recommended that you backup the Sysvol directory with a regularly scheduled backup procedure.

To run Dcgpofix

  • Type the following at the command prompt: dcgpofix [/ignoreschema][/target: {domain | dc | both}]

Where:

/ignoreschema is an optional parameter. If you set this parameter, the Active Directory schema version number is ignored.

/target: {domain | dc | both} is an optional parameter that specifies the target domain, domain controller, or both. If you do not specify /target, dcgpofix uses both by default.

Note

Dcgpofix.exe is located in the C:\Windows\Repair folder. You must be a domain or enterprise Administrator to use this tool. Dcgpofix.exe checks the Active Directory schema version number to ensure compatibility between the version of Dcgpofix you are using and the Active Directory schema configuration. If the versions are not compatible, Dcgpofix.exe does not run.

The following extension settings are maintained in a default Group Policy object: Remote Installation Services (RIS), security settings, and Encrypting File System (EFS). The following extension settings are not maintained or restored in a default Group Policy object: Software Installation, Internet Explorer maintenance, scripts, folder redirection, and administrative templates.

The following changes are not maintained or restored in a default Group Policy object: security settings made by Exchange 2000 Setup, security settings migrated to default Group Policy during an upgrade from Windows NT to Windows 2000, and policy object changes made through Systems Management Server (SMS).

You can run this tool only on servers running the Windows Server 2003 family.
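The advice above is to review the recreated security settings as soon as Dcgpofix has run and re-apply your own. The script below is an added example, not part of this article or of the Dcgpofix tool, that makes that review concrete: it parses the Security Settings extension file (GptTmpl.inf) of a default GPO as it stood in a Sysvol backup and as Dcgpofix recreated it, and lists every setting that differs, treating the account lists under [Privilege Rights] as order-insensitive sets. The two inline templates are constructed for illustration; the two GPO GUIDs and the SecEdit path inside a GPO folder are real, but the Sysvol root passed to gpttmpl_path is an assumption about your domain.

```python
"""Diff a default GPO's GptTmpl.inf from a Sysvol backup against the one Dcgpofix recreated.

Added example, not part of the original article or of Dcgpofix itself.
"""
import configparser

# Well-known GUIDs of the two default GPOs and the path of the Security
# Settings template inside each GPO's Sysvol folder (facts, not assumptions).
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
SECEDIT_TEMPLATE = r"MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Sections whose values are comma-separated account lists; order is not significant.
LIST_SECTIONS = {"Privilege Rights"}


def gpttmpl_path(sysvol_root, gpo_guid):
    """Build the template path; sysvol_root such as r'\\contoso.com\SYSVOL\contoso.com' is assumed."""
    return "\\".join([sysvol_root, "Policies", gpo_guid, SECEDIT_TEMPLATE])


def load_gpttmpl(path):
    """Read a template from disk. Security templates are normally UTF-16 with a BOM."""
    for encoding in ("utf-16", "cp1252"):
        try:
            with open(path, encoding=encoding) as f:
                return parse_gpttmpl(f.read())
        except UnicodeError:
            continue
    raise ValueError(f"cannot decode {path}")


def parse_gpttmpl(text):
    """Parse INI-style template text into {section: {setting: value}}."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                          interpolation=None, empty_lines_in_values=False)
    parser.optionxform = str  # keep key case, e.g. SeBackupPrivilege
    parser.read_string(text)
    settings = {}
    for section in parser.sections():
        entries = {}
        for key, value in parser.items(section):
            value = value.strip()
            if section in LIST_SECTIONS:
                entries[key] = frozenset(v.strip() for v in value.split(",") if v.strip())
            else:
                entries[key] = value
        settings[section] = entries
    return settings


def diff_settings(before, after):
    """Return [(section, key, before_value, after_value)]; None marks a setting absent on one side."""
    changes = []
    for section in sorted(set(before) | set(after)):
        b, a = before.get(section, {}), after.get(section, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append((section, key, b.get(key), a.get(key)))
    return changes


def _show(value):
    if value is None:
        return "<absent>"
    if isinstance(value, frozenset):
        return ",".join(sorted(value))
    return value


def report(changes):
    """One line per changed setting, ready to print or file with the change record."""
    return [f"[{s}] {k}: {_show(b)} -> {_show(a)}" for s, k, b, a in changes]


# Constructed samples: a hardened Default Domain Policy as found in a Sysvol
# backup, and the same GPO as Dcgpofix recreates it with installation defaults.
BEFORE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1123
SeDenyNetworkLogonRight = *S-1-5-7
[Version]
signature="$CHICAGO$"
Revision=1
"""

AFTER = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for line in report(diff_settings(parse_gpttmpl(BEFORE), parse_gpttmpl(AFTER))):
        print(line)
```

In production, replace the two inline strings with load_gpttmpl(gpttmpl_path(...)) calls against the backup copy and the live Sysvol copy; every line the report prints is a setting that Dcgpofix reset and that you must decide whether to re-apply through GPMC.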

For more information about using GPMC to back up and restore GPOs, see the Administering Group Policy with the GPMC white paper on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=17528).

For more information about restoring system state data by using the Backup utility in Windows Server 2003, see Backing Up and Recovering Data on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=22347).

For more information about managing the Sysvol directory, see Best Practices for Sysvol Maintenance on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=39986).

For more information about use of Dcgpofix, see The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=35269).