AWG Blogs

Saturday, September 25, 2010

Missing GPOs After DC Decommission

I followed the standard Microsoft method for decommissioning a domain controller. After retiring the server from the lab, to my consternation, I started getting errors such as the following, for instance when running gpupdate /force from a member workstation:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain\sysvol\my.domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I found out that all the GPOs were missing from \\my.domain\sysvol\my.domain\policies. In fact, even the policies folder was missing until I created a couple of new GPOs in gpmc.msc.
The only way to fix things now is to delete the dangling referenced GPOs from Group Policy Management (for which there is no corresponding ID file in the policies folder), and recreate them. I should have either backed up the DC or the GPOs individually so that I could restore them.
I followed the decommission procedure to a tee. However, I did encounter errors, which I assumed were cleared up after fixing them... but apparently not.

Other symptoms of this problem: when you right-click the policy in Group Policy Management and click Edit, this error message appears: "Failed to open the group policy object. You may not have appropriate rights." "Details: the system cannot find the path specified."

Besides the missing GPOs, the NetLogon share was missing as well. This was solved by creating a folder called "Scripts" in \\my.domain\sysvol\my.domain and rebooting the computer.
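
The check described above (GPOs still listed in Group Policy Management but with no matching folder or gpt.ini under the Policies share) can be scripted. The following is an added example, not part of the original post: the function name Find-OrphanedGpo, the demo folder and the second sample GUID are constructed for illustration, and the sample data stands in for a real domain so the script runs offline.

```powershell
# Added example (not from the original post): flag GPOs whose SYSVOL folder
# or gpt.ini is missing. Find-OrphanedGpo is a hypothetical helper name.
function Find-OrphanedGpo {
    param(
        [Parameter(Mandatory)] [object[]] $Gpo,          # objects with Id and DisplayName
        [Parameter(Mandatory)] [string]   $PoliciesRoot  # e.g. \\my.domain\sysvol\my.domain\Policies
    )
    foreach ($g in $Gpo) {
        # SYSVOL policy folders are named after the GPO GUID in braces.
        $name   = ([guid]$g.Id).ToString('B').ToUpper()
        $folder = Join-Path $PoliciesRoot $name
        $status = if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            'MissingFolder'
        } elseif (-not (Test-Path -LiteralPath (Join-Path $folder 'gpt.ini') -PathType Leaf)) {
            'MissingGptIni'
        } else {
            'OK'
        }
        [pscustomobject]@{ DisplayName = $g.DisplayName; Id = $name; Status = $status }
    }
}

# --- Constructed demo data: a temporary folder stands in for the Policies share ---
$root = Join-Path ([IO.Path]::GetTempPath()) 'Policies-demo'
$good = '{11111111-2222-3333-4444-555555555555}'   # constructed GUID
New-Item -ItemType Directory -Force -Path (Join-Path $root $good) | Out-Null
Set-Content -LiteralPath (Join-Path (Join-Path $root $good) 'gpt.ini') -Value "[General]`r`nVersion=1"

$sample = @(
    [pscustomobject]@{ DisplayName = 'GPO named in the error above'; Id = '31B2F340-016D-11D2-945F-00C04FB984F9' }
    [pscustomobject]@{ DisplayName = 'Constructed healthy GPO';      Id = '11111111-2222-3333-4444-555555555555' }
)

Find-OrphanedGpo -Gpo $sample -PoliciesRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force

# On a domain-joined machine with the GroupPolicy module, feed it real data:
#   Find-OrphanedGpo -Gpo (Get-GPO -All) `
#       -PoliciesRoot "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
# Before demoting a DC, Backup-GPO -All -Path <backup folder> saves every GPO
# so it can be restored instead of recreated.
```

Running the same check before and after a demotion shows whether the remaining domain controllers actually hold a complete copy of the Policies folder.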