Missing domain controller policies? Help!

The default domain controller policy dictates the standard behaviors for a domain controller, and can be edited if needed. Unfortunately, it can also be damaged or erased due to carelessness. If this happens, the usual fix is to reinstall Windows, but there may be a more elegant solution.

If you believe that a missing domain controller policy is causing problems, the first thing to do is determine if the policy is in fact missing. Open the folder %SystemRoot%\SYSVOL\DOMAIN\POLICIES on the domain controller in question and look for a directory with a name formatted like a GUID (a series of numbers between curly braces). If there is a directory that starts with "{31B2", then the default domain policy is present; if it is missing or the folder is empty, then it is damaged.

(A second policy in the same folder, whose directory name begins with "{6AC1", is the default domain controller security policy. It is also important, and can be damaged or deleted just as carelessly.)

To replace the missing policy or policies, you will need either another existing standalone Windows domain controller with intact default policies, or another Windows server in the same domain that can be promoted to the status of a domain controller. If you're going to use the second option, use DCPROMO to bring the server up to the level of a standalone domain controller, since that will reduce the chances of it interfering with other domain controllers in the same

Once you have a new domain controller to work with, look in the %SystemRoot%\SYSVOL\DOMAIN\POLICIES folder of the new domain controller and copy out the GUID-like directories. Paste them into the same directory on your original (troubled) domain controller, demote or shut down the newly-created one, and reboot. This will provide you with a set of functional but unedited policies, so if you had configured them before on that server, take the time to re-configure them once the system comes back up.
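The folder check described above can be scripted so it is run the same way before the copy and again after the reboot. This is an added example, not part of the original tip; the function name `Test-DefaultPolicyFolder` and its parameter are hypothetical, and it assumes PowerShell 3.0 or later on the domain controller.

```powershell
# Added example: report whether the two default policy folders named in the
# article exist and contain anything. Function and parameter names are hypothetical.
function Test-DefaultPolicyFolder {
    [CmdletBinding()]
    param(
        # Folder from the article; pass another path to check a copy of the
        # folder or the same folder on a different server.
        [string]$PoliciesPath = (Join-Path $env:SystemRoot 'SYSVOL\DOMAIN\POLICIES')
    )

    # GUID prefixes and policy names exactly as the article gives them.
    $expected = [ordered]@{
        '{31B2' = 'Default domain policy'
        '{6AC1' = 'Default domain controller security policy'
    }

    if (-not (Test-Path -LiteralPath $PoliciesPath -PathType Container)) {
        throw "Policies folder not found: $PoliciesPath"
    }

    foreach ($prefix in $expected.Keys) {
        # First directory whose name starts with the expected prefix.
        $dir = Get-ChildItem -LiteralPath $PoliciesPath -Directory |
            Where-Object { $_.Name -like "$prefix*" } |
            Select-Object -First 1

        if (-not $dir) {
            $state = 'Missing'
        }
        elseif (-not (Get-ChildItem -LiteralPath $dir.FullName -Force | Select-Object -First 1)) {
            # The directory exists but holds nothing: the article treats this as damaged.
            $state = 'Empty'
        }
        else {
            $state = 'Present'
        }

        [pscustomobject]@{
            Policy = $expected[$prefix]
            Prefix = $prefix
            Folder = if ($dir) { $dir.Name } else { $null }
            State  = $state
        }
    }
}

Test-DefaultPolicyFolder | Format-Table -AutoSize
```

Any row with a state other than `Present` identifies a policy that needs to be restored from the second domain controller.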

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!

This was first published in August 2003
