
Missing domain controller policies? Help!

How to replace them without reinstalling Windows.

The default domain controller policy dictates the standard behaviors for a domain controller, and can be edited if needed. Unfortunately, it can also be damaged or erased due to carelessness. If this happens, the usual fix is to reinstall Windows, but there may be a more elegant solution.

If you believe that a missing domain controller policy is causing problems, the first thing to do is determine if the policy is in fact missing. Open the folder %SystemRoot%\SYSVOL\DOMAIN\POLICIES on the domain controller in question and look for a directory with a name formatted like a GUID (a series of numbers between curly braces). If there is a directory that starts with "{31B2", then the default domain policy is present; if it is missing or the folder is empty, then it is damaged.

(Another policy present in the same area, which can also be damaged or deleted carelessly, begins with "{6AC1" and is the default domain controller security policy, which is also important.)
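The following PowerShell script is an added example, not part of the original article. It runs the check described above on the domain controller itself and reports whether each of the two default policy folders is present, empty or missing. The function name `Test-DefaultPolicyFolder` and the status labels are assumptions made for illustration, and the script needs PowerShell 3.0 or later.

```powershell
# Added example: report whether the two default policy folders named in the
# article are present and non-empty. Run locally on the domain controller.
param(
    # Path as given in the article; override if SYSVOL lives elsewhere.
    [string]$PoliciesPath = (Join-Path $env:SystemRoot 'SYSVOL\DOMAIN\POLICIES')
)

# GUID prefixes quoted in the article, with the names the article gives them.
$expected = [ordered]@{
    '{31B2' = 'default domain policy'
    '{6AC1' = 'default domain controller security policy'
}

# Hypothetical helper name, chosen for this example.
function Test-DefaultPolicyFolder {
    param([string]$Root, [string]$Prefix, [string]$Label)

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        return [pscustomobject]@{ Policy = $Label; Folder = $null; Status = 'PoliciesFolderNotFound' }
    }

    # Match only directories whose name looks like a GUID in curly braces.
    $dirs = @(Get-ChildItem -LiteralPath $Root -Directory -Force |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' -and
                       $_.Name.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase) })

    if ($dirs.Count -eq 0) {
        return [pscustomobject]@{ Policy = $Label; Folder = $null; Status = 'Missing' }
    }

    foreach ($d in $dirs) {
        # The article treats an empty policy folder as damaged.
        $hasContent = @(Get-ChildItem -LiteralPath $d.FullName -Force).Count -gt 0
        [pscustomobject]@{
            Policy = $Label
            Folder = $d.Name
            Status = if ($hasContent) { 'Present' } else { 'Empty' }
        }
    }
}

$results = foreach ($prefix in $expected.Keys) {
    Test-DefaultPolicyFolder -Root $PoliciesPath -Prefix $prefix -Label $expected[$prefix]
}
$results | Format-Table -AutoSize
```

Running the same script on the donor domain controller before copying confirms that its policy folders are intact.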

To replace the missing policy or policies, you will need either another existing standalone Windows domain controller with intact default policies, or another Windows server in the same domain that can be promoted to the status of a domain controller. If you're going to use the second option, use DCPROMO to bring the server up to the level of a standalone domain controller, since that will reduce the chances of it interfering with other domain controllers in the same domain.

Once you have a new domain controller to work with, look in the %SystemRoot%\SYSVOL\DOMAIN\POLICIES folder of the new domain controller and copy out the GUID-like directories. Paste them into the same directory on your original (troubled) domain controller, demote or shut down the newly-created one, and reboot. This will provide you with a set of functional but unedited policies, so if you had configured them before on that server, take the time to re-configure them once the system comes back up.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
