Re: [ActiveDir] Default Domain Policy Issues

2005-06-29 Thread Devan Pala

Hi Steve,

I ended up calling MS, time restraints for deadlines just not worth the 
sweat. Anyway, the engineer I got told me of a hotfix for this particular 
issue KB890338. We deployed this on the PDC Emulator but that did not fix 
anything, the article does state installing the hotfix on all DC's in the 
domain.


I'm hoping this will work, already put in a change for bouncing all DC's 
tonight. Then put up a case for recovering the cost for the call.


Will keep you posted.

Thanks,
Devan.





Re: [ActiveDir] Default Domain Policy Issues

2005-06-29 Thread Steve Patrick
Thanks!

Ahh yes - it looks like a regression on MS04-011.
The reason I asked the original question of OS and Service Pack was due to
the original fix (pre-SP4), but I was not aware of the regression.
If this is indeed the real problem you will need to apply it to all DC's -
it basically stops what is called the PFP\PPP process on all DC's except for the
PDCE so loops are not introduced.


steve


RE: [ActiveDir] Default Domain Policy Issues

2005-06-28 Thread Devan Pala

Well I've just downloaded Sonar and Ultrasound.

Sonar tells me everything is OK!

Not sure what I'm looking for actually, how can I pinpoint which DC is
causing the reversion back to the old setting (being authoritative)?


Thanks,


Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to
all DCs. It is possible you have a little policy battle going on where one
or more machines have the old policy and the rest have the newer policy and
they keep changing it back and forth. I have seen this more times than I can
count. It is due to the fact that domain level account policy replicates
both through FRS and through AD.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, June 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain Policy Issues

Hi all,

After making changes to the Password Policy (Enforcing password History) for
a child domain's Default Domain Policy it reverts back to the previous
setting right after the replication cycle has completed with other DC's.

I don't see any out of the ordinary NTFRS log events.

Any leads would be appreciated?

Thanks,


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Default Domain Policy Issues

2005-06-28 Thread Darren Mar-Elia
How many DCs do you have and what OS version? First thing you can do is
go to the PDC role holder DC, look at the file at
\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf.
Note its size and date/timestamp. Then check the same file on all other DCs.
They should be the same. This is the file that delivers the security policy
within the Default Domain Policy. If it's not in sync, then you could be
getting the differences you are experiencing.





RE: [ActiveDir] Default Domain Policy Issues

2005-06-28 Thread Devan Pala

Hi Darren,

22 Domain Controllers at Windows 2000/ SP4.

Just about 15 mins ago I restarted the NTfrs service on DC's then I made the
change on the PDC Emulator on the password policy.

I noted down the file size and time stamp of that gpttmpl.inf file. It's set
to 11:58 (CST) today when I changed the policy. While looking at some of the
other DC's it's set to last year (perhaps the last time I made a change to
the security policies).

Now I will wait for it to replicate then see what happens.

What if this file reverts back to what it was (with last year's time stamp),
any thoughts at that point...


Your help is very much appreciated.

Thanks,





Re: [ActiveDir] Default Domain Policy Issues

2005-06-28 Thread Steve Patrick
Sonar and Ultrasound may indeed tell you everything is OK - since FRS is
actually doing its job (replicating the data back in properly).
However you could have enough latency in site replication where something
(like the AD in some cases) is causing the file to be replicated back out
towards the original change due to changes. Maybe the changes are not fast
enough to be caught via the FRS churn warning indicator.

There is a process where, as Joe noted, the AD and FRS are kept in sync for
domain password policies. The real trick here is to find the originating
change and determine why that server caused the original FRS change order
(IMHO).

First of all you need to make sure that replication is actually working end
to end - it sounds like you have done this.

Scenario:
DC1 is your PDCE and you change password policy from A to B.
DC10 is another DC which receives the value B but then reverts back to A -
this eventually gets replicated back to DC1 and now all DC's show original
value of A.

The hard way, but I don't know any others since I never have really used
frsdiag\sonar\ultrasound:

On DC10 run ntfrsutl idtable.
Find the file name - in your case gpttmpl.inf - and make sure it is the
correct one by mapping the ParentGuid back to
31B2F340-016D-11D2-945F-00C04FB984F9
Note the OriginatorGuid value.

To match the OriginatorGUID to a machine you have to gather the ntfrsutl
configtable data from the DCs and match the
ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or --
wait, someone just told me you can also do this (mapping the GUIDs to server)
via frsdiag here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en


Good luck!

steve
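
Added example (not part of the original thread and not any poster's script): one way to script the lookup described above, run offline over saved "ntfrsutl idtable" and "ntfrsutl configtable" output. It assumes the dumps are "Name : value" lines and that each idtable record starts at a FileGuid field; the sample data, the DC names in it and every helper name are constructed for illustration.

```python
import re

# Default Domain Policy folder and template file, both named in the thread.
GPO_DIR = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
TARGET = "gpttmpl.inf"

# Assumed dump layout: one "Name : value" pair per line.
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_idtable(text):
    """Split an idtable dump into dicts; assumes a record starts at FileGuid."""
    records, cur = [], None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "FileGuid":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records


def find_policy_file(idtable_text):
    """Return the gpttmpl.inf record whose ParentGuid chain reaches GPO_DIR."""
    recs = parse_idtable(idtable_text)
    by_guid = {r["FileGuid"].lower(): r for r in recs}
    for rec in recs:
        if rec.get("FileName", "").lower() != TARGET:
            continue
        # Every GPO can carry its own gpttmpl.inf, so walk up the parents
        # until the Default Domain Policy folder is found (or the chain ends).
        seen, parent = set(), rec.get("ParentGuid", "").lower()
        while parent in by_guid and parent not in seen:  # guard against cycles
            seen.add(parent)
            ancestor = by_guid[parent]
            if ancestor.get("FileName", "").upper() == GPO_DIR.upper():
                return rec
            parent = ancestor.get("ParentGuid", "").lower()
    return None


def map_originator(idtable_text, configtables):
    """Match the file's OriginatorGuid to a DC's ReplicaVersionGuid.

    configtables maps a DC name to the configtable dump gathered from it.
    Returns (originator_guid, dc_name); dc_name is None if nothing matches.
    """
    rec = find_policy_file(idtable_text)
    if rec is None or "OriginatorGuid" not in rec:
        raise LookupError("no gpttmpl.inf record under " + GPO_DIR)
    origin = rec["OriginatorGuid"].lower()
    for dc, text in configtables.items():
        for line in text.splitlines():
            m = _FIELD.match(line)
            if (m and m.group(1) == "ReplicaVersionGuid"
                    and m.group(2).lower() == origin):
                return origin, dc
    return origin, None


# ---- Constructed sample data (not real ntfrsutl output) ----
ORIGIN_DC1 = "a1a1a1a1-0000-0000-0000-000000000001"
ORIGIN_DC10 = "a1a1a1a1-0000-0000-0000-000000000010"
OTHER_GPO = "{AAAAAAAA-0000-0000-0000-000000000000}"  # placeholder GPO folder


def _sample_idtable():
    out, n = ["Table Type: ID Table (constructed)"], 0
    for gpo, origin in ((OTHER_GPO, ORIGIN_DC1), (GPO_DIR, ORIGIN_DC10)):
        parent = "00000000-0000-0000-0000-ffffffffffff"  # replica root
        for name in (gpo, "MACHINE", "Microsoft", "Windows NT", "SecEdit", TARGET):
            n += 1
            guid = "00000000-0000-0000-0000-%012x" % n
            out += ["FileGuid       : " + guid,
                    "ParentGuid     : " + parent,
                    "OriginatorGuid : " + origin,
                    "FileName       : " + name]
            parent = guid
    return "\n".join(out)


SAMPLE_IDTABLE = _sample_idtable()
SAMPLE_CONFIGTABLES = {
    "DC1": "ReplicaVersionGuid : " + ORIGIN_DC1.upper(),
    "DC10": "ReplicaVersionGuid : " + ORIGIN_DC10.upper(),
}

if __name__ == "__main__":
    guid, dc = map_originator(SAMPLE_IDTABLE, SAMPLE_CONFIGTABLES)
    print("gpttmpl.inf originator %s -> %s" % (guid, dc or "unknown"))
```

A result of "unknown" means no gathered configtable carried that ReplicaVersionGuid, so the configtable data from the remaining DCs still has to be collected.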





Re: [ActiveDir] Default Domain Policy Issues

2005-06-28 Thread Steve Patrick
One more thing - since you are on Win2k you might as well make sure you are
on the latest Win2k FRS version - which is 896712 (you'll need to call into
PSS to get this one)

steve




Re: [ActiveDir] Default Domain Policy Issues

2005-06-27 Thread Steve Patrick
What OS and what Service pack are all DC's at?

steve


Re: [ActiveDir] Default Domain Policy Issues

2005-06-27 Thread Devan Pala

Oh I'm sorry,

Windows 2000, SP4, Native Mode Domains. The other child domain is similar 
but there the settings have changed.


Thanks,
