rebuild or fix

is it better to fix a 2012 active directory n group policy with best practices analyzer or to build one from fresh. i've been task at a new company there AD is screwy its a small shop less than 30 user on pc the rest is on mac computer. not sure which will be faster or better. how long does it take to build up a windows server 2012 server Active directory group policy and DNS. once active directory is stable and working properly want to start to add the mac pc to the domain. they might get a software called casper to manage the mac pc which integrate with active directory. first thing is to fix directory. one problem they have is adding new user n computer to domain it take but won't let you login gives you a error you need to un join n re join another problem it doesn't fail over to the second DC.

Find more posts tagged with

Comments

BornToBeMild

Rebuilding an AD from scratch, even a small one, is usually seen as a last resort, high risk procedure. IMO the two problems you've mentioned wouldn't justify the risk.

The first step should be to understand the problem better. Both problems could be caused by client issues. I've seen problem 1 where a company didn't sysprep the client image properly before deploying it.

If it was a client problem and you rebuilt AD, the problem would still be there!

slee335

i don't think its a client issue most likely a Group policy issue i noticed looking through the Group Policy forest it is missing the file Default Group Policy Domain. i ran best pratice analyzer and it says its missing that file. i wonder if that could ccause the problem. this is the message i get
[h=2]you cannot log on because the logon method you are using is not allowed on this computer. [/h]only seems to happend when i add a new computer to the domain. is possible computer policy and not user policy

sthomas

As BornToBeMild said it is usually better to try and repair a screwed up Active Directory structure than to start from scratch. If you can't get it working correctly and you can't find a good consultant to help you out your last resort is to call Microsoft for support. Their support can be expensive but worth it in certain situations, I have seen it before.

In this case however in that small of an environment it may be better to start from scratch as a last resort it just depends on a lot of factors.

BornToBeMild

There is a command to restore missing default GPOs in a domain, which coincidentally I first heard of studying for my MCSA. You could back up the existing GPOs and then run DCGPOFix. Google for options. Just goes to show that this studying does have real world applications

The error message you listed relates to the "Allow logon locally" permission, which is not changed by the default GPO, so this might not fix your issue.

1) The first time you add the computer to the domain, and then login with a domain account, you get the error.

2) The second time you add the computer to the domain and then login with a domain account it works fine, and continues to work.

Is that correct? Are you using a different method to join the domain? Does the computer account join to the same OU both times?

slee335

BornToBeMild wrote: »

There is a command to restore missing default GPOs in a domain, which coincidentally I first heard of studying for my MCSA. You could back up the existing GPOs and then run DCGPOFix. Google for options. Just goes to show that this studying does have real world applications

The error message you listed relates to the "Allow logon locally" permission, which is not changed by the default GPO, so this might not fix your issue.

1) The first time you add the computer to the domain, and then login with a domain account, you get the error.

2) The second time you add the computer to the domain and then login with a domain account it works fine, and continues to work.

Is that correct? Are you using a different method to join the domain? Does the computer account join to the same OU both times?

that is not correct i tried removing and adding and still getting the same issue. but if i add the user to IT dept group policy it works. i came in to this mess they also told me it was working fine till they got a virus maybe it screwed it up.

i'm also not a fan of his ad naming he named it .local i read it should be ad.corp.com instead

i'm thinking of working on the backup DC2 and rebuild the active directory and group policy since they got a lot of un nesscary policy. i got the green light to do it if they think i can. since its a small like 20 user on it. they also said its not replicating properly last time DC1 failed it didn't failover to DC2. its my chance to build it correctly. my plan is to rebuild DC2 properly and have it replicate to DC1 or make DC2 primary and make DC1 backup.

i told them it might a week to do because the small user group and they don't need a lot of GPO just some simple one the last guy made it too complicated. what do you think? i think i might be able do it faster but i don't want to rush it.