Re: [ActiveDir] Default Domain Policy Issues
Hi Steve,

I ended up calling MS, time restraints for deadlines just not worth the sweat. Anyway, the engineer I got told me of a hotfix for this particular issue KB890338. We deployed this on the PDC Emulator but that did not fix anything, the article does state installing the hotfix on all DCs in the domain. I'm hoping this will work, already put in a change for bouncing all DCs tonight. Then put up a case for recovering the cost for the call. Will keep you posted.

Thanks,
Devan.

Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 12:37:33 -0700

Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator. There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies.

The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this

scenario:
DC1 is your PDCE and you change password policy from A to B
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show original value of A

The hard way but I don't know any others since I never have really used frsdiag\sonar\ultrasound

On DC10 run ntfrsutl idtable
Find the file name - in your case gpttmpl.inf and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9
Note the OriginatorGuid value
To match the OriginatorGUID to a machine you have to gather the ntfrsutl configtable data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or -- wait someone just told me you can also do this (mapping the GUIDS to server) via frsdiag here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBFdisplaylang=en

Good luck!
steve
Re: [ActiveDir] Default Domain Policy Issues
Thanks! Ahh yes - it looks like a regression on MS04-011

The reason I asked the original question of OS and Service Pack was due to the original fix (pre SP4) but I was not aware of the regression. If this is indeed the real problem you will need to apply it to all DCs - it basically stops what is called PFP\PPP process on all DCs except for the PDCE so loops are not introduced.

steve

----- Original Message -----
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 29, 2005 7:30 AM
Subject: Re: [ActiveDir] Default Domain Policy Issues

Hi Steve,

I ended up calling MS, time restraints for deadlines just not worth the sweat. Anyway, the engineer I got told me of a hotfix for this particular issue KB890338. We deployed this on the PDC Emulator but that did not fix anything, the article does state installing the hotfix on all DCs in the domain. I'm hoping this will work, already put in a change for bouncing all DCs tonight. Then put up a case for recovering the cost for the call. Will keep you posted.

Thanks,
Devan.
RE: [ActiveDir] Default Domain Policy Issues
Well I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually, how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,

Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to all DCs. It is possible you have a little policy battle going on where one or more machines have the old policy and the rest have the newer policy and they keep changing it back and forth. I have seen this more times than I can count. It is due to the fact that domain level account policy replicates both through FRS and through AD.

joe

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Default Domain Policy Issues
How many DCs do you have and what OS version? First thing you can do is go to the PDC role holder DC, look at the file at

\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf

Note its size, and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in synch, then you could be getting the differences you are experiencing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, June 28, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues

Well I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually, how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,
RE: [ActiveDir] Default Domain Policy Issues
Hi Darren,

22 Domain Controllers at Windows 2000/SP4. Just about 15 mins ago I restarted the NTfrs service on DCs then I made the change on the PDC Emulator on the password policy. I noted down the file size and time stamp of that gpttmpl.inf file. It's set to 11:58 (CST) today when I changed the policy. While looking at some of the other DCs it's set to last year (perhaps the last time I made a change to the security policies). Now I will wait for it to replicate then see what happens. What if this file reverts back to what it was (with last year's time stamp), any thoughts at that point...

Your help is very much appreciated.

Thanks,
Firefox - Rediscover the web

Original Message Follows
From: Darren Mar-Elia [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 09:45:48 -0700

How many DCs do you have and what OS version? First thing you can do is go to the PDC role holder DC, look at the file at

\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf

Note its size, and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in synch, then you could be getting the differences you are experiencing.
Re: [ActiveDir] Default Domain Policy Issues
Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator. There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies.

The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this

scenario:
DC1 is your PDCE and you change password policy from A to B
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show original value of A

The hard way but I don't know any others since I never have really used frsdiag\sonar\ultrasound

On DC10 run ntfrsutl idtable
Find the file name - in your case gpttmpl.inf and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9
Note the OriginatorGuid value
To match the OriginatorGUID to a machine you have to gather the ntfrsutl configtable data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or -- wait someone just told me you can also do this (mapping the GUIDS to server) via frsdiag here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBFdisplaylang=en

Good luck!
steve

----- Original Message -----
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 10:19 AM
Subject: RE: [ActiveDir] Default Domain Policy Issues

Hi Darren,

22 Domain Controllers at Windows 2000/SP4. Just about 15 mins ago I restarted the NTfrs service on DCs then I made the change on the PDC Emulator on the password policy. I noted down the file size and time stamp of that gpttmpl.inf file. It's set to 11:58 (CST) today when I changed the policy. While looking at some of the other DCs it's set to last year (perhaps the last time I made a change to the security policies). Now I will wait for it to replicate then see what happens. What if this file reverts back to what it was (with last year's time stamp), any thoughts at that point...

Your help is very much appreciated.

Thanks,
Firefox - Rediscover the web
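The GUID lookup described in the message above, as an added example that is not part of any post in the thread: Python that reads saved `ntfrsutl idtable` and `ntfrsutl configtable` output, picks the gpttmpl.inf whose ParentGuid chain leads to the Default Domain Policy folder, and matches its OriginatorGuid to a DC's ReplicaVersionGuid. The "Name : Value" dump layout, the FileGuid and FileName field names, the reading of ParentGuid as the parent directory's FileGuid, and every sample GUID and DC name are assumptions or constructed values.

```python
import re

# Folder name of the Default Domain Policy, as given in the thread.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_records(dump_text):
    """Split saved ntfrsutl output into {field: value} records."""
    # Assumption: records are runs of "Name : Value" lines; a repeated field
    # name starts the next record. Lines of any other shape are skipped.
    records, current = [], {}
    for line in dump_text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def _norm(guid):
    return guid.strip().strip("{}").lower()


def find_policy_file(idtable, file_name="gpttmpl.inf"):
    """Return the record for file_name that sits under the policy folder."""
    # Assumption: ParentGuid is the FileGuid of the parent directory's record,
    # so walking it upwards reaches the folder named after the GPO GUID.
    by_guid = {_norm(r["FileGuid"]): r for r in idtable if "FileGuid" in r}
    for rec in idtable:
        if rec.get("FileName", "").lower() != file_name:
            continue
        seen = set()  # guards against a looping parent chain
        parent = by_guid.get(_norm(rec.get("ParentGuid", "")))
        while parent is not None and id(parent) not in seen:
            if _norm(parent.get("FileName", "")) == _norm(DEFAULT_DOMAIN_POLICY):
                return rec
            seen.add(id(parent))
            parent = by_guid.get(_norm(parent.get("ParentGuid", "")))
    return None


def originator_dc(idtable_dump, configtables):
    """Return (DC whose ReplicaVersionGuid equals the OriginatorGuid, record)."""
    rec = find_policy_file(parse_records(idtable_dump))
    if rec is None:
        return None, None
    wanted = _norm(rec.get("OriginatorGuid", ""))
    for dc, dump in configtables.items():  # dc name -> configtable text
        for cfg in parse_records(dump):
            if wanted and _norm(cfg.get("ReplicaVersionGuid", "")) == wanted:
                return dc, rec
    return None, rec


# Constructed sample, not real ntfrsutl output. The first gpttmpl.inf belongs
# to another GPO folder (Default Domain Controllers Policy) and must be skipped.
SAMPLE_IDTABLE = """
FileGuid       : 00000000-0000-0000-0000-0000000000b1
ParentGuid     : 00000000-0000-0000-0000-000000000001
FileName       : {6AC1786C-016F-11D2-945F-00C04FB984F9}
FileGuid       : 00000000-0000-0000-0000-0000000000b3
ParentGuid     : 00000000-0000-0000-0000-0000000000b1
OriginatorGuid : aaaaaaaa-2222-3333-4444-55555555dc01
FileName       : gpttmpl.inf
FileGuid       : 00000000-0000-0000-0000-0000000000a1
ParentGuid     : 00000000-0000-0000-0000-000000000001
FileName       : {31B2F340-016D-11D2-945F-00C04FB984F9}
FileGuid       : 00000000-0000-0000-0000-0000000000a2
ParentGuid     : 00000000-0000-0000-0000-0000000000a1
FileName       : SecEdit
FileGuid       : 00000000-0000-0000-0000-0000000000a3
ParentGuid     : 00000000-0000-0000-0000-0000000000a2
OriginatorGuid : 11111111-2222-3333-4444-55555555dc07
FileName       : gpttmpl.inf
"""
SAMPLE_CONFIGTABLES = {
    "DC01": "ReplicaVersionGuid : aaaaaaaa-2222-3333-4444-55555555dc01",
    "DC07": "ReplicaVersionGuid : 11111111-2222-3333-4444-55555555dc07",
}

if __name__ == "__main__":
    print(originator_dc(SAMPLE_IDTABLE, SAMPLE_CONFIGTABLES)[0])
```

A result of `None` for the DC means no collected configtable carried the originator's GUID, so the collection missed a DC.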
Re: [ActiveDir] Default Domain Policy Issues
One more thing - since you are on Win2k you might as well make sure you are on the latest Win2k FRS version - which is 896712 (you'll need to call into PSS to get this one)

steve

----- Original Message -----
From: Steve Patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 12:37 PM
Subject: Re: [ActiveDir] Default Domain Policy Issues

Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator. There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies.

The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this

scenario:
DC1 is your PDCE and you change password policy from A to B
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show original value of A

The hard way but I don't know any others since I never have really used frsdiag\sonar\ultrasound

On DC10 run ntfrsutl idtable
Find the file name - in your case gpttmpl.inf and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9
Note the OriginatorGuid value
To match the OriginatorGUID to a machine you have to gather the ntfrsutl configtable data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or -- wait someone just told me you can also do this (mapping the GUIDS to server) via frsdiag here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBFdisplaylang=en

Good luck!
steve
Re: [ActiveDir] Default Domain Policy Issues
What OS and what Service pack are all DCs at?

steve

----- Original Message -----
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, June 27, 2005 3:01 PM
Subject: [ActiveDir] Default Domain Policy Issues

Hi all,

After making changes to the Password Policy (Enforcing password History) for a child domain's Default Domain Policy it reverts back to the previous setting right after the replication cycle has completed with other DCs. I don't see any out of the ordinary NTFRS log events. Any leads would be appreciated?

Thanks,
Re: [ActiveDir] Default Domain Policy Issues
Oh I'm sorry, Windows 2000, SP4, Native Mode Domains. The other child domain is similar but there the settings have changed.

Thanks,

Original Message Follows
From: Steve Patrick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 15:17:51 -0700

What OS and what Service pack are all DCs at?

steve