Re: Time Sync Problem on AD 2003 domain

 
 
Ace Fekay [MCT]
      12-04-2009
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a0119a272d259@uwe...
> I restored the group policy settings to the settings that worked last
> night - following the procedure I outlined above, and I'm back to eventID 12.
>
> The server once again insists on trying to synchronize with itself. It seems
> insistent on ignoring commands and reg settings instructing it to sync to an
> outside source.
>
> ka
>


Honestly there are changes in the Default Domain GPO that are apparently
causing it, based on what you've described. I believe you need to find a way
to reverse all the time settings. I don't know what else is in the default
policy other than time settings that were changed that would cause a company
wide issue, but I would truly consider trying to get that Default Domain GPO
back to stock (default). Since there were Time service reg changes made
too, it may complicate things. I don't think time settings would cause
profiles to go ballistic. Is there a redirect setting? If you run an RSOP,
what else is in it?

Also, have you considered contacting Microsoft?

Ace


 
Ace Fekay [MCT]
12-04-2009

"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a017017d1f6a8@uwe...
> Also, when I look at the time-providers on the RSOP, they are set to
> "enabled - Enabled - Disabled" and when I look at the "configure windows ntp
> client properties" it shows the settings that the other guy had in there
> rather than the default settings that I had tried to restore (eg NtpServer
> was still set to 10.4.34.48 - the PDCE - rather than time.microsoft.com)
>
> ka
>


Back up the Default Domain and Default Domain Controller GPOs.

Back up a Group Policy object using GPMC: Group Policy
Jan 21, 2005 ... To backup a single GPO, right-click the GPO, and then click
Back Up. To backup all GPOs in the domain, right-click Group Policy Objects
and ...
http://technet.microsoft.com/en-us/l...89(WS.10).aspx

Create another GPO with all those settings you see in the RSOP.

Then run the dcgpofix tool to reset the two GPOs to default.

Download details: Windows 2000 Default Policy Restore Tool
May 21, 2004 ... Recreatedefpol.exe is a tool developed to restore the
Default ... where either the Default Domain Policy, the Default Domain ...
Others who downloaded Windows 2000 Default Group Policy Restore Tool also
downloaded: ....
http://www.microsoft.com/downloads/d...displaylang=en

Then start playing with the GPO you created instead of the Default Domain GPO.
Make sure the settings apply. When done, then change it, and make sure those
settings apply. If they do, then you can disable it in your GPO, reapply,
then change it to default.

Ace
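
Added example (not part of the original posts): the RSOP observation quoted above, where NtpServer still showed the PDCE's own address, can be confirmed from saved `reg query` output of the two W32Time `Parameters` keys. It assumes Group Policy writes its copy under `HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters` and that a value there overrides the same value under `HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters`; the dumps are constructed from the addresses in the thread and the function names are hypothetical.

```python
import re

# Constructed `reg query` output; the addresses are the ones quoted in the thread.
# Assumption: POLICY_DUMP is the Group Policy copy, SERVICE_DUMP the service key
# that w32tm and manual registry edits change.
POLICY_DUMP = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32Time\\Parameters
    NtpServer    REG_SZ    10.4.34.48
    Type    REG_SZ    NTP
"""
SERVICE_DUMP = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters
    NtpServer    REG_SZ    time.microsoft.com
    Type    REG_SZ    NTP
"""

# A value line is indented: <name> <REG_type> <data>; key header lines are not.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Return {value_name_lower: data} from `reg query <key>` text output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3)
    return values

def effective_time_source(policy_text, service_text, own_addresses):
    """Merge both keys (policy wins per value) and flag a peer list that
    points back at this machine's own names or addresses."""
    policy = parse_reg_query(policy_text)
    service = parse_reg_query(service_text)
    result = {}
    for name in ("ntpserver", "type"):
        if name in policy:
            result[name], result[name + "_from"] = policy[name], "policy"
        else:
            result[name], result[name + "_from"] = service.get(name), "service"
    # Peers are space-separated, each optionally followed by ",0x<flags>".
    peers = [p.split(",")[0].lower() for p in (result["ntpserver"] or "").split()]
    own = {a.lower() for a in own_addresses}
    # NtpServer is only used when Type is NTP or AllSync (not NT5DS or NoSync).
    uses_peers = result["type"] in ("NTP", "AllSync")
    result["self_sync"] = uses_peers and any(p in own for p in peers)
    return result

if __name__ == "__main__":
    print(effective_time_source(POLICY_DUMP, SERVICE_DUMP, ["10.4.34.48"]))
```

With the constructed dumps, the result reports `ntpserver_from` as `policy`, which is why edits to the service key appear to be ignored until the GPO setting is changed or removed.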





 
Ace Fekay [MCT]
12-05-2009
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a01918f783d97@uwe...
> Thanks Ace!
>
> I started another thread for restoring the default domain policy (since the
> timesync title doesn't fit that issue) and was looking at just this approach!
>
> Once I have the default back to default, I can return to the time issue if
> it's still an issue.
>
> Thanks!
> Keith
>


Keith, that sounds like a plan! Let us know if it worked.

Ace


 
Ace Fekay [MCT]
12-09-2009
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a04caed9e41db@uwe...
> OK Ace,
>
> Obviously I'm missing something here.
>
> I created another domain-level policy (called Standard Policy) and modified
> it to our normal domain settings - things like 5 passwords remembered instead
> of 24, and clicked enforce.
>
> Then I ran dcgpofix and returned default domain, and default domain
> controller policies to default.
>
> Then I created a domain controller level policy (called standard dc) with
> the domain controller policy changes.
>
> But when I look at a GPResults, I can see that the only place the 'Standard'
> policy has an effect, is where the Default Domain policy is "not configured"
>
> This suggests that in order to avoid modifying the true Default Domain Policy
> (and DC policy I presume), you must create a 'Standard' policy that is
> identical to the Default policy, then make changes as desired, then set the
> true default to 'unenforced'.
>
> Is this true, or is there a way to tell it that the 'Standard' policy has
> precedence over the 'default domain' policy.
>
> thx,
> Keith



No, not exactly. I think you are looking at an elephant through a
microscope. Just leave the password and other account settings to the
Default Domain Policy. That's what it's for. If you try to mirror it with
another policy, you will have duplicates resulting in two account policies.
If you want to add additional settings at the domain level, create a GPO and
adjust that for your custom stuff that is not in the Default Domain Policy
by default. Leave the Default settings in the Default policies, and that
goes for both the Default Domain and Default Domain Controller policies.
Hence why they call it "default." I mean you can mess with which one applies
first, but I don't suggest, recommend or even like to mess with the default
policies. It's something all the courses teach, what is recommended by
Microsoft engineers, and it just works. Besides, I constantly hear of issues
when messing with them, such as your posts.

Ace


 
Ace Fekay [MCT]
12-09-2009

"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a04d22f71111e@uwe...
> Ok, I found the spot where you promote the policies. As long as it takes the
> defaults, and overlays the modifieds (now at the top of the list) I think I'm
> ok.
>
> The process resolved the time issues, and resolved the SceCLI errors (or at
> least it appears that way thus far)
>
> When I did a GPR with a test user I had established, some things disappeared
> from the report that I had thought were default.
>
> local policies/audit policy - audit account management - success/failure ---
> is this not default?
>
> System services - Windows Firewall/Internet Connection Sharing --- pretty
> sure this is not part of the default set
>
> Software Restriction Policies (several associated sections with this one) ---
> Not part of the default policy?
>
> Administrative Templates - System - Display Shutdown Event Tracker --- Not
> part of default policy?
>
> Actually there are several sections in Administrative Templates, and User
> Configuration that dropped off. ---- I assume nothing in either of these two
> templates are part of the default policy?
>
> My goal was to add as little as possible initially. I will go back and add
> changes for the non-default settings after things have run a few days and
> (hopefully) I am not seeing further issues.
>
> Thx,
> ka
>



Instead of going through them one by one for you, what I would do to answer
your questions, is use the GPMC to run a report on the Default Domain GPO,
that is if your Default Domain Policy is truly default (you've run
dcgpofix). Read and compare what is in the report to the list of settings
you posted above.

Ace


 
Ace Fekay [MCT]
12-15-2009

"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a09505cd192fb@uwe...
> Hi Ace,
>
> I did exactly that. I defaulted the default policy and left it default. Then
> created a new policy with just bare-bones settings (for right now) - stuff
> like password age, etc, and put that policy at the top of the tree and it
> seems to work great.
>
> However.... I am having people getting profile issues and 1508 errors. At
> first I thought it was just damaged profiles from the errors in the default
> GPO and that once we clean those up, we'll be ok. But this morning we had a
> user who had not previously had issues - no event log errors and no profile
> corrupt messages - get his profile trashed. Some people just had to reboot
> and they were fine but others - like him - lost their profile and had to have
> settings copied over from the old profile.
>
> Doing a rebuild of the damaged profiles on those who have been having to
> reboot to come up to their profile seems to fix the problem (using uphclean
> in the 1 case we tried it also seems to solve the problem) but we didn't see
> any of these problems until I tried to make changes to resolve the time
> issue. With the default GPO back to default, it looks like we might still be
> losing profiles.
>
> When I ran the dcgpofix, I had to run it with /ignoreschema because of the
> whole v30 - v31 thing brought about by R2. Could it have missed something
> because of that? If so, where can I find a copy of the default settings for
> default domain and default domain controller policies so I can manually
> compare them?
>
> Do you have any other ideas of which way to go?
>
> I sure appreciate all of your help.
> Keith


Hi Keith,

Looks like it's snowballed. It seems that UPHClean should be installed on
all machines. It helps with what you are seeing.

The dcgpofix tool should have put them back to default. So you are ok. As
far as comparing GPOs, you can use the Security & Configuration Analysis
snap-in to compare the security and account settings to the default DC
template. Don't apply anything, just run a comparison. Read the following
for more info.

Step-by-Step Guide to Using the Security Configuration Tool Set
http://technet.microsoft.com/en-us/l.../bb742512.aspx

Ace


 
Ace Fekay [MCT]
12-15-2009
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a095c59e1b331@uwe...
> Also, Can we use CopyProfile in the process of creating the new profiles or
> will this possibly copy the corrupt garbage over?
>
> Thanks Ace,
> ka
>


I haven't used CopyProfile yet, but from reading up on it, it appears it
will copy a profile, not clean it up. So IMHO, I am leaning towards that it
will copy over any corrupted files. My only suggestion is to test it.

Ace


 
Ace Fekay [MCT]
12-18-2009
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message
news:a0be0ac474f2c@uwe...
> Hi Ace,
>
> Which INF template should I be using for checking that my Default Domain GPO
> policies and controller policies are back to default?
>
> I tried DC security.inf and there were a lot of differences that I didn't add
> to the policy I created.
> The ones I see listed are:
> compatws
> dc security
> hisecdc
> hisecws
> iesacls
> rootsec
> securedc
> securews
> setup security
>
> Thx,
> ka



Sorry, I was thinking Windows 2000, which had a basicdc.inf template, which
Windows 2003 does not. For Windows 2003, you'll have to use the dcgpofix
tool.

Ace


 