Re: SBS 2003 Lost all the Security Policies.



Hi,

First thank you for your help.

Regarding the policies creation, I didn't use dcgpofix; I used another SBS 2003 Premium as an example and created the policies manually.
But in the meantime, after reading this, I've run dcgpofix.
I've also checked the sysvol sharing permissions and everything is OK.
I also noticed that I can't browse the server by name (\\servername), as it always gives the "Logon Failure: The target account name is incorrect" error, but if I use the IP address it works (\\xxx.xxx.xxx.xxx).
Moreover, the DNS was empty too; it was saying it could not contact AD. What I've done was to restore it manually too, making it use a file as its database instead of AD. WINS was also stopped and damaged, and I've reinstalled it.

The requested report result file will be sent as requested.

Best regards,
Fernando Morais


Robert Li [MSFT] wrote:
Hello,

Thank you for posting in our newsgroup.

From your description, I know that your Default Domain Controller Security Policy or Domain Security Policy is empty. Also, your Exchange server is stopped. If I am off-base, please don't hesitate to let me know.

First, please understand that our newsgroup is an issue-based service, meaning we usually respond to one question/issue per post. This will lessen the confusion for both of us, as well as ensure that our results are accurate and not a result of a test for a different question. Since we're not sure whether these issues are related, I suggest we focus on the Security policy question in this post. I suggest you open a new post on the Exchange problem in our newsgroup. Also, since the Exchange server is down and your business is affected by this, a suggestion is to call CSS, which will provide speedier support. Thanks for your understanding.

Please take the following steps to see if the problem can be resolved:

Step 1: You said you created the policies. Did you use dcgpofix to repair the default domain policy?

DCGPOFIX.EXE will restore the Default Domain Policy and the Default Domain Controller Policy to original default settings. It does not affect other GPOs on SBS server. Note: This tool can restore default domain policy and default domain controllers policy. When you run dcgpofix, you will lose any changes made to these Group Policy objects. So please perform a complete backup first.

To restore Domain only, Domain Controller only, or both at the same time, the commands are as follows:

dcgpofix /target:domain
or
dcgpofix /target:dc
or
dcgpofix /target:both

For more information, please refer to:

Restore Default Group Policy Objects
http://www.microsoft.com/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/dcgpofix.asp

Step 2: Please check the security setting for sysvol.

1. On the SBS server, open C:\WINDOWS\SYSVOL
2. There should be another sysvol subfolder in the above directory and it should have been shared. Please right click the sysvol subfolder and click Properties.
3. On the Sharing tab, click the Permissions button.
4. Ensure that the Administrators and Authenticated Users group have Full Control permissions and Everyone has Read permission. Also, there should be NO Deny items.
5. Browse to the Security tab and click Advanced button.
6. Ensure the following:

1) Administrators and SYSTEM should have Full Control permissions which apply to "This folder, subfolders and files".
2) Authenticated Users and Server Operators should have Read & Execute permissions which apply to "This folder, subfolders and files".
3) CREATOR OWNER should have Full Control permissions which apply to "Subfolders and files only".
4) There should be NO Deny items.
5) All the permissions are inherited from the parent folder (C:\WINDOWS\SYSVOL).

Please also help me collect the following information for further research:

MPS Report on both SBS server and one problematic client.

1. Download the MPSRPT_NETWORK.EXE from the following link and then run this tool to gather some information from the problematic computer:
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE
2. Double-click on the MPSRPT_NETWORK.EXE file.
[Note] This process may take some time; however, it will not have a negative effect on the performance.
3. A CAB file will be generated in the %systemroot%\MPSReports\Network\Reports\Cab directory called %COMPUTERNAME%_MPSReports.CAB. The CAB file will contain the reports generated by the MPS Reporting Tool.
4. Please send the CAB to SBSCDATA@xxxxxxxxxxxxx with subject: Windowsserver.sbs: Active Directory Errors (37452027).

I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<Date: Wed, 13 Jun 2007 20:54:37 +0100
<From: Fernando Morais <nandox7@xxxxxxxxx>
<Subject: SBS 2003 Lost all the Security Policies.
<Newsgroups: microsoft.public.windows.server.sbs
<
<Hi,
<
<I have an SBS 2003 Premium that had a strange (for me) and severe problem.
<For no reason that I can understand, it lost all the security policies.
<For example, if I go to Default Domain Controller Security Policy or Domain Security Policy, it is clean.
<
<My main problem is Exchange; it stopped working too, as the Exchange System Attendant can't start, always giving event ID 1005 with the message:
<
<"Unexpected error Logon failure: unknown user name or bad password. Facility: Win32 ID no: 8007052e Microsoft Exchange System Attendant occurred. "
<
<I've tried to recreate all the Default Domain Controller Security Policies and re-run /forestprep and /domainprep to try to re-apply all the needed settings for it to run. But it's not working.
<
<One other thing is that no other machine or server can list or browse this machine's shares (sysvol, Clientapps). Every time I try, I get the error "Target logon account is invalid". But locally it works.
<
<I tend to suspect that I still need to fix some security settings on the server, but how can I do that? Any help on this?
<
<Thank you.
<
<Nando
<
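
The NTFS checks in Step 2 (items 5 and 6) of the quoted reply can also be scripted. The PowerShell below is an added example, not part of the original thread or of any Microsoft tool; it assumes PowerShell is installed on the server and that SYSVOL is at the default path, and the function names Test-SysvolAcl and Convert-Rights are illustrative. It does not cover the share permissions from items 3 and 4.

```powershell
# Added example, not from the thread. Audits the NTFS ACL on the shared SYSVOL
# folder against Step 2, items 5-6. Assumption: default path on the SBS server.
$Path = 'C:\WINDOWS\SYSVOL\sysvol'
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExecute = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Keyed by well-known SID (works on localized systems). ChildrenOnly = "Subfolders and files only".
$Expected = @(
    @{ Name = 'Administrators';      Sid = 'S-1-5-32-544'; Rights = $FullControl; ChildrenOnly = $false },
    @{ Name = 'SYSTEM';              Sid = 'S-1-5-18';     Rights = $FullControl; ChildrenOnly = $false },
    @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11';     Rights = $ReadExecute; ChildrenOnly = $false },
    @{ Name = 'Server Operators';    Sid = 'S-1-5-32-549'; Rights = $ReadExecute; ChildrenOnly = $false },
    @{ Name = 'CREATOR OWNER';       Sid = 'S-1-3-0';      Rights = $FullControl; ChildrenOnly = $true }
)

# Inherit-only entries may be stored as GENERIC_ALL (0x10000000); treat as Full Control.
function Convert-Rights([int]$Mask) {
    if ($Mask -band 0x10000000) { return ($Mask -bor $FullControl) }
    return $Mask
}

# Returns a list of findings; an empty list means the ACL matches the checklist.
function Test-SysvolAcl([string]$Folder) {
    $rules = (Get-Acl -Path $Folder).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $findings = @()
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny') {
            $findings += "Deny entry present for $($r.IdentityReference.Value)" }
        if (-not $r.IsInherited) {
            $findings += "Entry for $($r.IdentityReference.Value) is explicit, not inherited" }
    }
    foreach ($e in $Expected) {
        $ok = $false
        foreach ($r in $rules) {
            $childOnly = ([int]$r.PropagationFlags -band $InheritOnly) -ne 0
            $rights = Convert-Rights ([int]$r.FileSystemRights)
            if ($r.IdentityReference.Value -eq $e.Sid -and $r.AccessControlType -eq 'Allow' -and
                $childOnly -eq $e.ChildrenOnly -and ($rights -band $e.Rights) -eq $e.Rights) {
                $ok = $true }
        }
        if (-not $ok) { $findings += "No sufficient Allow entry for $($e.Name)" }
    }
    return $findings
}

$result = @(Test-SysvolAcl $Path)
if ($result.Count -eq 0) { 'NTFS ACL matches the Step 2 checklist.' } else { $result }
```

Run it as an administrator on the server; each output line is one deviation from the list in Step 2, reported by SID.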
