Default Domain Policy unable to access

hendri yu 66 Reputation points
2020-10-20T08:17:53.05+00:00

Hi Guys,

I have question to ask regarding the "Default Domain Policy".

We have 2 domain controllers, AD1 and AD2, both running Windows Server 2012 Datacenter. These were on the old servers and we planned to migrate to new servers one by one. However, we have to maintain the old AD static IP addresses. We have set up a new Hyper-V VM on a new server running Windows Server 2019 Standard, hostname: AD3. Now, we have promoted AD3 as a DC and demoted "AD1".

Now, I have one funny issue. Suddenly the GPO is not working, even for the "Default Domain Policy". When I try to click and edit the "Default Domain Policy", it gives the error message attached below: "The network name cannot be found".


May I know whether you guys have encountered a similar issue?

I appreciate your advice on this.

Thanks
H


4 answers

  1. Anonymous
    2020-10-20T09:23:35.31+00:00

    Hello,

    Thank you so much for posting here.

    To further troubleshoot, we can check whether our AD environment is healthy as below:

    1. Check if all DCs work fine by running Dcdiag /v on every DC.
    2. Check if AD replication is working properly by running repadmin /showrepl and repadmin /replsum on every DC.
    3. Check the whole AD replication status by running Repadmin /showrepl * /csv >showrepl.csv on one of the DCs.
    4. Check if gpupdate /force runs successfully on every DC.
    5. Check if SYSVOL and Netlogon are shared by running net share on every DC.

    We could run the above commands to check the AD environment and see if there are any error messages.

    According to your description, it should be a SYSVOL share issue. Please check the following registry key on the domain controller.

    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Please check if the SysvolReady value under this key is 1. If it is 0, please change it to 1.

    And please check if there are Policies and Scripts folders under the SYSVOL folder. If they are all there, please check whether the SYSVOL and Netlogon folders are shared. If not, please run the commands net stop netlogon and net start netlogon to restart Netlogon.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong



  2. hendri yu 66 Reputation points
    2020-10-20T10:14:09.17+00:00

    Dear Hannah,

    Good Day

    Thanks for the advice. Below is the result of repadmin /replsum on one of the DCs. From the result, does it mean that the replication works as normal?


    You mentioned a SYSVOL share issue. I don't know where the SYSVOL folder is located. However, on one of the DCs, "AD2", which is the one that still resides on the old server, when I browse "\\ad2.int\", I am able to see the "Sysvol" and "Netlogon" shared folders. Inside Sysvol, there is one subfolder called "domainname.int", and below this subfolder there are two sub-subfolders: Policies and Scripts. The Policies folder has a lot of files, but the Scripts folder is empty. The Netlogon folder is empty as well. To be clear, below is how the Sysvol shared folder looks:

        SYSVOL (shared folder)
            Domain.int (folder)
                Policies folder + Scripts folder

    On the newly set up DC (AD1), when I try to browse "\\AD1.int", there are no SYSVOL and Netlogon shared folders found. Is this normal, or are they supposed to reside on only one of the DCs? I am not sure why they are not in sync.

    For your information, the FSMO roles are currently on "AD1", which is the new DC.

    Please help advise what I should do in order to get all of my GPOs working again.

    Many thanks for your help


  3. Anonymous
    2020-10-21T06:34:31.87+00:00

    Hello,

    You are welcome. Thank you so much for your kindly reply.

    1, As for the result of repadmin /replsum on one of the DCs, the replication works normally. But to check the AD replication, this result is not effective. We could run the below command to get the result of AD replication:

    Repadmin /showrepl /csv >showrepl.csv

    Please note: Before we make any changes to our environment, please make sure DCs and AD replication all work fine.

    2, SYSVOL is an important component of Active Directory. The SYSVOL folder is shared on an NTFS volume on all the domain controllers within a particular domain. SYSVOL is used to deliver the policy and logon scripts to domain members.

    By default, SYSVOL includes 2 folders:

    Policies
    Default location: %SystemRoot%\SYSVOL\SYSVOL\<domain_name>\Policies

    Under the Policies folder all the Group policies which are defined in a particular domain exist.

    Scripts
    Default location: %SystemRoot%\SYSVOL\SYSVOL\<domain_name>\scripts

    3, As mentioned, there are no SYSVOL and Netlogon shared folders on the newly set up DC. The shared folders should reside on all the DCs. When you add a new domain controller to your domain and there is no SYSVOL or NETLOGON folder available on that domain controller, this mainly occurs because the SYSVOL replication is broken.

    We can check if the SYSVOL folder replication type is DFSR by viewing the following registry subkey on the existing DC:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols\LocalState

    If this registry subkey exists and its value is set to 3 (ELIMINATED), DFSR is being used.

    If the subkey does not exist, or if it has a different value, FRS is being used.


    As for how to resolve this issue, we could refer to:

    https://social.technet.microsoft.com/wiki/contents/articles/8548.active-directory-sysvol-and-netlogon.aspx

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

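    The checks from both of Hannah's answers (SYSVOL/NETLOGON shares, the SysvolReady value, and the DFSR "Migrating Sysvols" LocalState) can be run against every DC at once. The script below is an added example, not from the thread or from Microsoft documentation; it assumes the ActiveDirectory RSAT module and WinRM access to each DC, and the domain, DC names and key paths in the comments are taken from the thread.

```powershell
# Added example: per-DC SYSVOL health report for the checks discussed in the thread.
# Assumes RSAT ActiveDirectory module and WinRM (Invoke-Command) access to each DC.
Import-Module ActiveDirectory

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dfsrKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating Sysvols'

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName
    try {
        $state = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            param($netlogonKey, $dfsrKey)
            # Shares: both must be published on every DC (answer 1, step 5).
            $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Name
            # SysvolReady = 1 means Netlogon considers SYSVOL ready to share (answer 1).
            $ready = (Get-ItemProperty $netlogonKey -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
            # LocalState = 3 (ELIMINATED) means DFSR; missing or other value means FRS (answer 3).
            $local = (Get-ItemProperty $dfsrKey -Name LocalState -ErrorAction SilentlyContinue).LocalState
            # Policies and Scripts folders should exist under SYSVOL\<domain> (answer 3).
            $domain   = (Get-ADDomain).DNSRoot
            $sysvol   = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain"
            [pscustomobject]@{
                Shares      = $shares
                SysvolReady = $ready
                LocalState  = $local
                HasPolicies = Test-Path (Join-Path $sysvol 'Policies')
                HasScripts  = Test-Path (Join-Path $sysvol 'scripts')
            }
        } -ArgumentList $netlogonKey, $dfsrKey
    } catch {
        Write-Warning "$name unreachable: $($_.Exception.Message)"; continue
    }
    [pscustomobject]@{
        DC          = $name
        SYSVOL      = $state.Shares -contains 'SYSVOL'
        NETLOGON    = $state.Shares -contains 'NETLOGON'
        SysvolReady = $state.SysvolReady
        ReplType    = if ($state.LocalState -eq 3) { 'DFSR' } else { 'FRS / not migrated' }
        HasPolicies = $state.HasPolicies
        HasScripts  = $state.HasScripts
    }
}

$report | Format-Table -AutoSize
# DCs that fail any check are the ones to fix before touching GPOs.
$report | Where-Object { -not $_.SYSVOL -or -not $_.NETLOGON -or $_.SysvolReady -ne 1 -or -not $_.HasPolicies }
```

    A DC that reports ReplType "FRS / not migrated" while another reports "DFSR" points at an inconsistent SYSVOL replication state, which matches the symptom in the thread of shares present on one DC and missing on the new one.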


  4. hendri yu 66 Reputation points
    2020-12-07T11:53:56.613+00:00

    Dear Hannah,

    My apologies for the super late response. Currently, the issue still persists when I am trying to edit my Default Domain Policy in Group Policy Management. Below is the error message:


    I do remember that when I did DCPROMO on the new Windows Server 2019 DC (AD3), it was still working fine, until the FSMO roles were transferred from AD2 to AD3. Currently the FSMO roles are on AD3. I am not sure whether this is what is causing the issue, though.

    As previously mentioned, the SYSVOL folder is still there on AD2. Inside the SYSVOL folder there are 2 subfolders, Policies and Scripts. When I tried to check the unique ID of my Default Domain Policy, I was still able to find this unique ID in the Policies folder.


    Here is the location of the file:


    Please help advise what I could do next in order to resolve the issue.

    Many thanks

    H
