Sign in with
Sign up | Sign in
Your question

Weirdness when disable EFS via Group Policy

Last response: in Windows 2000/NT
Share
Anonymous
July 27, 2004 2:38:56 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

I have two domain controllers, A & B...

A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active Directory
integrated mode)
B = Windows Server 2003; DNS ('primary' designation; AD integrated mode)
domain functional level = "Native 2000"

I wanted to disable EFS (Encrypting File System) across the entire domain.
Of course, none of the Microsoft knowledgebase articles EXPLICITLY discuss a
MIXED environment of '2000 Server' and 'Server 2003'...

I have never messed with Group Policy before, so only the domain's default
Group Policy Object (GPO) existed. On server 'A', I created a brand new
GPO, moved it up in priority (above the default GPO), and followed Microsoft
article 222022 (for 2000 Server.) I then let that new GPO replicate, and
subsequently followed Microsoft article 324897 (for Server 2003) on server
'B'. I made no other changes to the new GPO, so theoretically, all other
policies within this new GPO were "not defined", and thus should not have
overrided anything crazy in the default GPO (so I would think...)

After this, everything got squirrelly, and I traced it down to something
related to DNS. On server 'A', the following was logged in the Application
Event Log:

Source = Userenv
EventID = 1000
Description = Windows cannot obtain the domain controller name for your
computer network. Return value (2146).

After I disabled the new GPO, the domain cleared itself up. ...Now, when I
make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my domain
behaves properly, and EFS is truly disabled on a domain-wide basis.

Can any gurus out there shed light on why my seemingly simple,
higher-priority GPO failed and caused the AD-DNS to fizzle out?
Anonymous
July 27, 2004 9:22:35 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Your error points to possibly a dns misconfiguration which is the number one reason
for AD problems. When you configure AD the first domain controller in the domain must
point to itself as it's preferred dns server in tcp/ip properties and additional
domain controllers need to point to the first domain controller [first in the list]
and themselves as their preferred dns servers. Then domain computers must point ONLY
to a W2K domain controller with the AD dns zone for the domain [they all do by
default]. Never list an ISP dns server in the tcp/ip properties of any domain
computer. The support tools netdiag and dcdiag can be used to check for proper domain
configuration with dcdiag reserved for domain controllers. If you change dns config
on a domain controller run netdiag /fix and then restart netlogon service on it and
view Event Viewer for problems.

What may have happened is that there was a replication problem with the new policy
due to a dns lookup failure. You can also check on GPO replication using the gpotool
and the replmon resource kit tool. Gpotool is quick and easy and will report
mismatches in policy between active domain controllers. The links below may
help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
http://www.microsoft.com/windows2000/techinfo/reskit/to...

"Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in message
news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> I have two domain controllers, A & B...
>
> A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active Directory
> integrated mode)
> B = Windows Server 2003; DNS ('primary' designation; AD integrated mode)
> domain functional level = "Native 2000"
>
> I wanted to disable EFS (Encrypting File System) across the entire domain.
> Of course, none of the Microsoft knowledgebase articles EXPLICITLY discuss a
> MIXED environment of '2000 Server' and 'Server 2003'...
>
> I have never messed with Group Policy before, so only the domain's default
> Group Policy Object (GPO) existed. On server 'A', I created a brand new
> GPO, moved it up in priority (above the default GPO), and followed Microsoft
> article 222022 (for 2000 Server.) I then let that new GPO replicate, and
> subsequently followed Microsoft article 324897 (for Server 2003) on server
> 'B'. I made no other changes to the new GPO, so theoretically, all other
> policies within this new GPO were "not defined", and thus should not have
> overrided anything crazy in the default GPO (so I would think...)
>
> After this, everything got squirrelly, and I traced it down to something
> related to DNS. On server 'A', the following was logged in the Application
> Event Log:
>
> Source = Userenv
> EventID = 1000
> Description = Windows cannot obtain the domain controller name for your
> computer network. Return value (2146).
>
> After I disabled the new GPO, the domain cleared itself up. ...Now, when I
> make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my domain
> behaves properly, and EFS is truly disabled on a domain-wide basis.
>
> Can any gurus out there shed light on why my seemingly simple,
> higher-priority GPO failed and caused the AD-DNS to fizzle out?
>
>
Anonymous
July 28, 2004 12:48:12 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Steve, I think you hit the nail on the head. I think you may be correct
that my "EFS/Group Policy" issue was just a symptom of the problem, and the
actual problem was my DNS infrastructure configuration.

In my case, both server A and server B pointed at themselves as the
"primary" DNS server. I also had the FSMO roles assigned to these two
domain controllers in a haphazard way (but I think the core problem was the
"primary" DNS misconfiguration.)

So based on your prompting, and based on a few Microsoft knowledgebase
articles, I performed the following reconfiguration:

0) I didn't have to do anything with respect to my ISP's DNS servers. They
were already configured as just "forwarders".

1) I reconfigured my FSMO role placement. (An insignificant step, but I
did it anyway.)

(see article 223346)
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000

2) I reconfigured my two domain controllers to point at only server A as
"primary". Furthermore, on server A, I removed server B as a secondary.
Restated, server A now has NO secondary DNS configured.

(see article 825036)
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000

3) On server B, I removed itself as secondary. Restated, server B now has
NO secondary DNS configured. I'm sure this is a debatable step, but not
being an expert, I'm following the Microsoft knowledgebase article. Anybody
feel free to chime in.

(see article 275278)
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000

4) I updated my DHCP server configuration so that it hands out server A as
'primary' and server B as 'secondary'.

I won't have time to test this updated configuration with my "Disable EFS"
GPO for a few days, but I'll attempt and post the outcome!

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:vbwNc.169700$%_6.46028@attbi_s01...
> Your error points to possibly a dns misconfiguration which is the number
one reason
> for AD problems. When you configure AD the first domain controller in the
domain must
> point to itself as it's preferred dns server in tcp/ip properties and
additional
> domain controllers need to point to the first domain controller [first in
the list]
> and themselves as their preferred dns servers. Then domain computers must
point ONLY
> to a W2K domain controller with the AD dns zone for the domain [they all
do by
> default]. Never list an ISP dns server in the tcp/ip properties of any
domain
> computer. The support tools netdiag and dcdiag can be used to check for
proper domain
> configuration with dcdiag reserved for domain controllers. If you change
dns config
> on a domain controller run netdiag /fix and then restart netlogon service
on it and
> view Event Viewer for problems.
>
> What may have happened is that there was a replication problem with the
new policy
> due to a dns lookup failure. You can also check on GPO replication using
the gpotool
> and the replmon resource kit tool. Gpotool is quick and easy and will
report
> mismatches in policy between active domain controllers. The links below
may
> help. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>
http://www.microsoft.com/windows2000/techinfo/reskit/to...
>
> "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
in message
> news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > I have two domain controllers, A & B...
> >
> > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
Directory
> > integrated mode)
> > B = Windows Server 2003; DNS ('primary' designation; AD integrated mode)
> > domain functional level = "Native 2000"
> >
> > I wanted to disable EFS (Encrypting File System) across the entire
domain.
> > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
discuss a
> > MIXED environment of '2000 Server' and 'Server 2003'...
> >
> > I have never messed with Group Policy before, so only the domain's
default
> > Group Policy Object (GPO) existed. On server 'A', I created a brand new
> > GPO, moved it up in priority (above the default GPO), and followed
Microsoft
> > article 222022 (for 2000 Server.) I then let that new GPO replicate,
and
> > subsequently followed Microsoft article 324897 (for Server 2003) on
server
> > 'B'. I made no other changes to the new GPO, so theoretically, all
other
> > policies within this new GPO were "not defined", and thus should not
have
> > overrided anything crazy in the default GPO (so I would think...)
> >
> > After this, everything got squirrelly, and I traced it down to something
> > related to DNS. On server 'A', the following was logged in the
Application
> > Event Log:
> >
> > Source = Userenv
> > EventID = 1000
> > Description = Windows cannot obtain the domain controller name for your
> > computer network. Return value (2146).
> >
> > After I disabled the new GPO, the domain cleared itself up. ...Now,
when I
> > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
domain
> > behaves properly, and EFS is truly disabled on a domain-wide basis.
> >
> > Can any gurus out there shed light on why my seemingly simple,
> > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> >
> >
>
>
Related resources
Anonymous
July 28, 2004 8:46:02 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

There is more than one way to configure dns on domain controllers and the important
thing is that they point to only AD domain controllers running dns for the domain and
that they are registering correctly in dns. What you have done should work, just
remember that if you ever retire the "chief" domain controller you want the remaining
domain controllers to point to an existing/functioning dc. Netdiag and dcdiag are two
great tools in determining if your AD configuration is firing on all eight cylinders
or not. I assume you also have static IP address for the domain controllers. Good
luck. --- Steve


"Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in message
news:XfSdnThyBulJIZrcRVn-hA@giganews.com...
> Steve, I think you hit the nail on the head. I think you may be correct
> that my "EFS/Group Policy" issue was just a symptom of the problem, and the
> actual problem was my DNS infrastructure configuration.
>
> In my case, both server A and server B pointed at themselves as the
> "primary" DNS server. I also had the FSMO roles assigned to these two
> domain controllers in a haphazard way (but I think the core problem was the
> "primary" DNS misconfiguration.)
>
> So based on your prompting, and based on a few Microsoft knowledgebase
> articles, I performed the following reconfiguration:
>
> 0) I didn't have to do anything with respect to my ISP's DNS servers. They
> were already configured as just "forwarders".
>
> 1) I reconfigured my FSMO role placement. (An insignificant step, but I
> did it anyway.)
>
> (see article 223346)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000
>
> 2) I reconfigured my two domain controllers to point at only server A as
> "primary". Furthermore, on server A, I removed server B as a secondary.
> Restated, server A now has NO secondary DNS configured.
>
> (see article 825036)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000
>
> 3) On server B, I removed itself as secondary. Restated, server B now has
> NO secondary DNS configured. I'm sure this is a debatable step, but not
> being an expert, I'm following the Microsoft knowledgebase article. Anybody
> feel free to chime in.
>
> (see article 275278)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000
>
> 4) I updated my DHCP server configuration so that it hands out server A as
> 'primary' and server B as 'secondary'.
>
> I won't have time to test this updated configuration with my "Disable EFS"
> GPO for a few days, but I'll attempt and post the outcome!
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:vbwNc.169700$%_6.46028@attbi_s01...
> > Your error points to possibly a dns misconfiguration which is the number
> one reason
> > for AD problems. When you configure AD the first domain controller in the
> domain must
> > point to itself as it's preferred dns server in tcp/ip properties and
> additional
> > domain controllers need to point to the first domain controller [first in
> the list]
> > and themselves as their preferred dns servers. Then domain computers must
> point ONLY
> > to a W2K domain controller with the AD dns zone for the domain [they all
> do by
> > default]. Never list an ISP dns server in the tcp/ip properties of any
> domain
> > computer. The support tools netdiag and dcdiag can be used to check for
> proper domain
> > configuration with dcdiag reserved for domain controllers. If you change
> dns config
> > on a domain controller run netdiag /fix and then restart netlogon service
> on it and
> > view Event Viewer for problems.
> >
> > What may have happened is that there was a replication problem with the
> new policy
> > due to a dns lookup failure. You can also check on GPO replication using
> the gpotool
> > and the replmon resource kit tool. Gpotool is quick and easy and will
> report
> > mismatches in policy between active domain controllers. The links below
> may
> > help. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> >
> http://www.microsoft.com/windows2000/techinfo/reskit/to...
> >
> > "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
> in message
> > news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > > I have two domain controllers, A & B...
> > >
> > > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
> Directory
> > > integrated mode)
> > > B = Windows Server 2003; DNS ('primary' designation; AD integrated mode)
> > > domain functional level = "Native 2000"
> > >
> > > I wanted to disable EFS (Encrypting File System) across the entire
> domain.
> > > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
> discuss a
> > > MIXED environment of '2000 Server' and 'Server 2003'...
> > >
> > > I have never messed with Group Policy before, so only the domain's
> default
> > > Group Policy Object (GPO) existed. On server 'A', I created a brand new
> > > GPO, moved it up in priority (above the default GPO), and followed
> Microsoft
> > > article 222022 (for 2000 Server.) I then let that new GPO replicate,
> and
> > > subsequently followed Microsoft article 324897 (for Server 2003) on
> server
> > > 'B'. I made no other changes to the new GPO, so theoretically, all
> other
> > > policies within this new GPO were "not defined", and thus should not
> have
> > > overrided anything crazy in the default GPO (so I would think...)
> > >
> > > After this, everything got squirrelly, and I traced it down to something
> > > related to DNS. On server 'A', the following was logged in the
> Application
> > > Event Log:
> > >
> > > Source = Userenv
> > > EventID = 1000
> > > Description = Windows cannot obtain the domain controller name for your
> > > computer network. Return value (2146).
> > >
> > > After I disabled the new GPO, the domain cleared itself up. ...Now,
> when I
> > > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
> domain
> > > behaves properly, and EFS is truly disabled on a domain-wide basis.
> > >
> > > Can any gurus out there shed light on why my seemingly simple,
> > > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> > >
> > >
> >
> >
>
>
Anonymous
July 28, 2004 8:46:03 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Yes, definitely static IPs on both domain controllers (and even on a few of
our member servers.)

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:eLQNc.172994$a24.103916@attbi_s03...
> There is more than one way to configure dns on domain controllers and the
important
> thing is that they point to only AD domain controllers running dns for the
domain and
> that they are registering correctly in dns. What you have done should
work, just
> remember that if you ever retire the "chief" domain controller you want
the remaining
> domain controllers to point to an existing/functioning dc. Netdiag and
dcdiag are two
> great tools in determining if your AD configuration is firing on all eight
cylinders
> or not. I assume you also have static IP address for the domain
controllers. Good
> luck. --- Steve
>
>
> "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
in message
> news:XfSdnThyBulJIZrcRVn-hA@giganews.com...
> > Steve, I think you hit the nail on the head. I think you may be correct
> > that my "EFS/Group Policy" issue was just a symptom of the problem, and
the
> > actual problem was my DNS infrastructure configuration.
> >
> > In my case, both server A and server B pointed at themselves as the
> > "primary" DNS server. I also had the FSMO roles assigned to these two
> > domain controllers in a haphazard way (but I think the core problem was
the
> > "primary" DNS misconfiguration.)
> >
> > So based on your prompting, and based on a few Microsoft knowledgebase
> > articles, I performed the following reconfiguration:
> >
> > 0) I didn't have to do anything with respect to my ISP's DNS servers.
They
> > were already configured as just "forwarders".
> >
> > 1) I reconfigured my FSMO role placement. (An insignificant step, but
I
> > did it anyway.)
> >
> > (see article 223346)
> >
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000
> >
> > 2) I reconfigured my two domain controllers to point at only server A
as
> > "primary". Furthermore, on server A, I removed server B as a secondary.
> > Restated, server A now has NO secondary DNS configured.
> >
> > (see article 825036)
> >
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000
> >
> > 3) On server B, I removed itself as secondary. Restated, server B now
has
> > NO secondary DNS configured. I'm sure this is a debatable step, but not
> > being an expert, I'm following the Microsoft knowledgebase article.
Anybody
> > feel free to chime in.
> >
> > (see article 275278)
> >
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000
> >
> > 4) I updated my DHCP server configuration so that it hands out server A
as
> > 'primary' and server B as 'secondary'.
> >
> > I won't have time to test this updated configuration with my "Disable
EFS"
> > GPO for a few days, but I'll attempt and post the outcome!
> >
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:vbwNc.169700$%_6.46028@attbi_s01...
> > > Your error points to possibly a dns misconfiguration which is the
number
> > one reason
> > > for AD problems. When you configure AD the first domain controller in
the
> > domain must
> > > point to itself as it's preferred dns server in tcp/ip properties and
> > additional
> > > domain controllers need to point to the first domain controller [first
in
> > the list]
> > > and themselves as their preferred dns servers. Then domain computers
must
> > point ONLY
> > > to a W2K domain controller with the AD dns zone for the domain [they
all
> > do by
> > > default]. Never list an ISP dns server in the tcp/ip properties of any
> > domain
> > > computer. The support tools netdiag and dcdiag can be used to check
for
> > proper domain
> > > configuration with dcdiag reserved for domain controllers. If you
change
> > dns config
> > > on a domain controller run netdiag /fix and then restart netlogon
service
> > on it and
> > > view Event Viewer for problems.
> > >
> > > What may have happened is that there was a replication problem with
the
> > new policy
> > > due to a dns lookup failure. You can also check on GPO replication
using
> > the gpotool
> > > and the replmon resource kit tool. Gpotool is quick and easy and will
> > report
> > > mismatches in policy between active domain controllers. The links
below
> > may
> > > help. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> > >
> >
http://www.microsoft.com/windows2000/techinfo/reskit/to...
> > >
> > > "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com>
wrote
> > in message
> > > news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > > > I have two domain controllers, A & B...
> > > >
> > > > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
> > Directory
> > > > integrated mode)
> > > > B = Windows Server 2003; DNS ('primary' designation; AD integrated
mode)
> > > > domain functional level = "Native 2000"
> > > >
> > > > I wanted to disable EFS (Encrypting File System) across the entire
> > domain.
> > > > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
> > discuss a
> > > > MIXED environment of '2000 Server' and 'Server 2003'...
> > > >
> > > > I have never messed with Group Policy before, so only the domain's
> > default
> > > > Group Policy Object (GPO) existed. On server 'A', I created a brand
new
> > > > GPO, moved it up in priority (above the default GPO), and followed
> > Microsoft
> > > > article 222022 (for 2000 Server.) I then let that new GPO
replicate,
> > and
> > > > subsequently followed Microsoft article 324897 (for Server 2003) on
> > server
> > > > 'B'. I made no other changes to the new GPO, so theoretically, all
> > other
> > > > policies within this new GPO were "not defined", and thus should not
> > have
> > > > overrided anything crazy in the default GPO (so I would think...)
> > > >
> > > > After this, everything got squirrelly, and I traced it down to
something
> > > > related to DNS. On server 'A', the following was logged in the
> > Application
> > > > Event Log:
> > > >
> > > > Source = Userenv
> > > > EventID = 1000
> > > > Description = Windows cannot obtain the domain controller name for
your
> > > > computer network. Return value (2146).
> > > >
> > > > After I disabled the new GPO, the domain cleared itself up. ...Now,
> > when I
> > > > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
> > domain
> > > > behaves properly, and EFS is truly disabled on a domain-wide basis.
> > > >
> > > > Can any gurus out there shed light on why my seemingly simple,
> > > > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Anonymous
August 1, 2004 9:02:52 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Yep, this was the fundamental problem (i.e, incorrect Domain Controller DNS
configuration.) Subsequent to my posted corrections, my "Disable EFS"
custom GPO is now working perfectly.

Thanks again Steve!

"Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in
message news:XfSdnThyBulJIZrcRVn-hA@giganews.com...
> Steve, I think you hit the nail on the head. I think you may be correct
> that my "EFS/Group Policy" issue was just a symptom of the problem, and
the
> actual problem was my DNS infrastructure configuration.
>
> In my case, both server A and server B pointed at themselves as the
> "primary" DNS server. I also had the FSMO roles assigned to these two
> domain controllers in a haphazard way (but I think the core problem was
the
> "primary" DNS misconfiguration.)
>
> So based on your prompting, and based on a few Microsoft knowledgebase
> articles, I performed the following reconfiguration:
>
> 0) I didn't have to do anything with respect to my ISP's DNS servers.
They
> were already configured as just "forwarders".
>
> 1) I reconfigured my FSMO role placement. (An insignificant step, but I
> did it anyway.)
>
> (see article 223346)
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000
>
> 2) I reconfigured my two domain controllers to point at only server A as
> "primary". Furthermore, on server A, I removed server B as a secondary.
> Restated, server A now has NO secondary DNS configured.
>
> (see article 825036)
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000
>
> 3) On server B, I removed itself as secondary. Restated, server B now
has
> NO secondary DNS configured. I'm sure this is a debatable step, but not
> being an expert, I'm following the Microsoft knowledgebase article.
Anybody
> feel free to chime in.
>
> (see article 275278)
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000
>
> 4) I updated my DHCP server configuration so that it hands out server A
as
> 'primary' and server B as 'secondary'.
>
> I won't have time to test this updated configuration with my "Disable EFS"
> GPO for a few days, but I'll attempt and post the outcome!
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:vbwNc.169700$%_6.46028@attbi_s01...
> > Your error points to possibly a dns misconfiguration which is the number
> one reason
> > for AD problems. When you configure AD the first domain controller in
the
> domain must
> > point to itself as it's preferred dns server in tcp/ip properties and
> additional
> > domain controllers need to point to the first domain controller [first
in
> the list]
> > and themselves as their preferred dns servers. Then domain computers
must
> point ONLY
> > to a W2K domain controller with the AD dns zone for the domain [they all
> do by
> > default]. Never list an ISP dns server in the tcp/ip properties of any
> domain
> > computer. The support tools netdiag and dcdiag can be used to check for
> proper domain
> > configuration with dcdiag reserved for domain controllers. If you change
> dns config
> > on a domain controller run netdiag /fix and then restart netlogon
service
> on it and
> > view Event Viewer for problems.
> >
> > What may have happened is that there was a replication problem with the
> new policy
> > due to a dns lookup failure. You can also check on GPO replication using
> the gpotool
> > and the replmon resource kit tool. Gpotool is quick and easy and will
> report
> > mismatches in policy between active domain controllers. The links below
> may
> > help. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/to...
> >
> > "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
> in message
> > news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > > I have two domain controllers, A & B...
> > >
> > > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
> Directory
> > > integrated mode)
> > > B = Windows Server 2003; DNS ('primary' designation; AD integrated
mode)
> > > domain functional level = "Native 2000"
> > >
> > > I wanted to disable EFS (Encrypting File System) across the entire
> domain.
> > > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
> discuss a
> > > MIXED environment of '2000 Server' and 'Server 2003'...
> > >
> > > I have never messed with Group Policy before, so only the domain's
> default
> > > Group Policy Object (GPO) existed. On server 'A', I created a brand
new
> > > GPO, moved it up in priority (above the default GPO), and followed
> Microsoft
> > > article 222022 (for 2000 Server.) I then let that new GPO replicate,
> and
> > > subsequently followed Microsoft article 324897 (for Server 2003) on
> server
> > > 'B'. I made no other changes to the new GPO, so theoretically, all
> other
> > > policies within this new GPO were "not defined", and thus should not
> have
> > > overrided anything crazy in the default GPO (so I would think...)
> > >
> > > After this, everything got squirrelly, and I traced it down to
something
> > > related to DNS. On server 'A', the following was logged in the
> Application
> > > Event Log:
> > >
> > > Source = Userenv
> > > EventID = 1000
> > > Description = Windows cannot obtain the domain controller name for
your
> > > computer network. Return value (2146).
> > >
> > > After I disabled the new GPO, the domain cleared itself up. ...Now,
> when I
> > > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
> domain
> > > behaves properly, and EFS is truly disabled on a domain-wide basis.
> > >
> > > Can any gurus out there shed light on why my seemingly simple,
> > > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> > >
> > >
> >
> >
>
>
Anonymous
August 2, 2004 4:50:24 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Great Chris. Thanks for posting back your results. --- Steve


"Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in
message news:LNqdnat4MNwB65DcRVn-iw@giganews.com...
> Yep, this was the fundamental problem (i.e, incorrect Domain Controller DNS
> configuration.) Subsequent to my posted corrections, my "Disable EFS"
> custom GPO is now working perfectly.
>
> Thanks again Steve!
>
> "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in
> message news:XfSdnThyBulJIZrcRVn-hA@giganews.com...
> > Steve, I think you hit the nail on the head. I think you may be correct
> > that my "EFS/Group Policy" issue was just a symptom of the problem, and
> the
> > actual problem was my DNS infrastructure configuration.
> >
> > In my case, both server A and server B pointed at themselves as the
> > "primary" DNS server. I also had the FSMO roles assigned to these two
> > domain controllers in a haphazard way (but I think the core problem was
> the
> > "primary" DNS misconfiguration.)
> >
> > So based on your prompting, and based on a few Microsoft knowledgebase
> > articles, I performed the following reconfiguration:
> >
> > 0) I didn't have to do anything with respect to my ISP's DNS servers.
> They
> > were already configured as just "forwarders".
> >
> > 1) I reconfigured my FSMO role placement. (An insignificant step, but I
> > did it anyway.)
> >
> > (see article 223346)
> >
> http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000
> >
> > 2) I reconfigured my two domain controllers to point at only server A as
> > "primary". Furthermore, on server A, I removed server B as a secondary.
> > Restated, server A now has NO secondary DNS configured.
> >
> > (see article 825036)
> >
> http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000
> >
> > 3) On server B, I removed itself as secondary. Restated, server B now
> has
> > NO secondary DNS configured. I'm sure this is a debatable step, but not
> > being an expert, I'm following the Microsoft knowledgebase article.
> Anybody
> > feel free to chime in.
> >
> > (see article 275278)
> >
> http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000
> >
> > 4) I updated my DHCP server configuration so that it hands out server A
> as
> > 'primary' and server B as 'secondary'.
> >
> > I won't have time to test this updated configuration with my "Disable EFS"
> > GPO for a few days, but I'll attempt and post the outcome!
> >
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:vbwNc.169700$%_6.46028@attbi_s01...
> > > Your error points to possibly a dns misconfiguration which is the number
> > one reason
> > > for AD problems. When you configure AD the first domain controller in
> the
> > domain must
> > > point to itself as it's preferred dns server in tcp/ip properties and
> > additional
> > > domain controllers need to point to the first domain controller [first
> in
> > the list]
> > > and themselves as their preferred dns servers. Then domain computers
> must
> > point ONLY
> > > to a W2K domain controller with the AD dns zone for the domain [they all
> > do by
> > > default]. Never list an ISP dns server in the tcp/ip properties of any
> > domain
> > > computer. The support tools netdiag and dcdiag can be used to check for
> > proper domain
> > > configuration with dcdiag reserved for domain controllers. If you change
> > dns config
> > > on a domain controller run netdiag /fix and then restart netlogon
> service
> > on it and
> > > view Event Viewer for problems.
> > >
> > > What may have happened is that there was a replication problem with the
> > new policy
> > > due to a dns lookup failure. You can also check on GPO replication using
> > the gpotool
> > > and the replmon resource kit tool. Gpotool is quick and easy and will
> > report
> > > mismatches in policy between active domain controllers. The links below
> > may
> > > help. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> > >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/to...
> > >
> > > "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
> > in message
> > > news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > > > I have two domain controllers, A & B...
> > > >
> > > > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
> > Directory
> > > > integrated mode)
> > > > B = Windows Server 2003; DNS ('primary' designation; AD integrated
> mode)
> > > > domain functional level = "Native 2000"
> > > >
> > > > I wanted to disable EFS (Encrypting File System) across the entire
> > domain.
> > > > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
> > discuss a
> > > > MIXED environment of '2000 Server' and 'Server 2003'...
> > > >
> > > > I have never messed with Group Policy before, so only the domain's
> > default
> > > > Group Policy Object (GPO) existed. On server 'A', I created a brand
> new
> > > > GPO, moved it up in priority (above the default GPO), and followed
> > Microsoft
> > > > article 222022 (for 2000 Server.) I then let that new GPO replicate,
> > and
> > > > subsequently followed Microsoft article 324897 (for Server 2003) on
> > server
> > > > 'B'. I made no other changes to the new GPO, so theoretically, all
> > other
> > > > policies within this new GPO were "not defined", and thus should not
> > have
> > > > overrided anything crazy in the default GPO (so I would think...)
> > > >
> > > > After this, everything got squirrelly, and I traced it down to
> something
> > > > related to DNS. On server 'A', the following was logged in the
> > Application
> > > > Event Log:
> > > >
> > > > Source = Userenv
> > > > EventID = 1000
> > > > Description = Windows cannot obtain the domain controller name for
> your
> > > > computer network. Return value (2146).
> > > >
> > > > After I disabled the new GPO, the domain cleared itself up. ...Now,
> > when I
> > > > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
> > domain
> > > > behaves properly, and EFS is truly disabled on a domain-wide basis.
> > > >
> > > > Can any gurus out there shed light on why my seemingly simple,
> > > > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Anonymous
August 4, 2004 12:36:59 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.win2000.security (More info?)

Ummm...errr...uh oh... I posted my results too soon. :-(

So to be clear for any future readers of this thread, my DNS configuration
wasn't actually the problem after all. Nevertheless, I'm still happy with
my new "clean" DNS infrastructure! :-)

It turns out that my particular GPO/EFS-related problem doesn't appear until
a domain user actually ATTEMPTS to encrypt a file on one of my Windows 2000
Server shares. (Note that I wrote 2000 Server...not to be confused with
Server 2003.)

When a Windows XP user attempts to use EFS on their local workstation,
everything works fine, and Windows XP properly honors the Windows Server
2003 setting and disallows the user from encrypting local files. (Note that
this time I wrote Server 2003.) However, when the same user attempts to
utilize EFS on one of our Windows 2000 Server shares, the user's XP Explorer
session locks up, and the Windows 2000 Server practically grinds to a halt.
When I subsequently try to log into the 2000 Server, it takes several
minutes before the login dialog is presented, and the server no longer
thinks that it belongs to a domain. Even when the login dialog is finally
displayed, I can't log into the server because the server doesn't have a
Local Administrator account (remember that it's a domain controller.)

To get out of this predicament, I had to delete my higher-priority "Disable
EFS" GPO on the domain controller that I could still access (Windows Server
2003), and then remotely reboot the Windows 2000 Server by using Computer
Management on the Server 2003 server. Once rebooted--and with the 'Disable
EFS' GPO gone--the 2000 Server is stable again. Yes, the same DNS-related
error is seen in the log (i.e., it was logged once the server went haywire
after the encryption attempt.)

So I've gone back to disabling EFS via the "Default Domain Policy" GPO.
This works and I'm not going to worry about it anymore. My gut tells me
that this is a mixed 2000-2003 domain controller issue, SPECIFICALLY related
to EFS.

Points to remember:
- Infrastructure works 100% until a user actually attempts to encrypt a file
(only on the Windows 2000 Server.)
- The problem only occurs when using a higher-priority GPO to disable EFS.
Using the default domain GPO to accomplish this end causes no problems
whatsoever.

"Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote in
message news:LNqdnat4MNwB65DcRVn-iw@giganews.com...
> Yep, this was the fundamental problem (i.e, incorrect Domain Controller
DNS
> configuration.) Subsequent to my posted corrections, my "Disable EFS"
> custom GPO is now working perfectly.
>
> Thanks again Steve!
>
> "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com> wrote
in
> message news:XfSdnThyBulJIZrcRVn-hA@giganews.com...
> > Steve, I think you hit the nail on the head. I think you may be correct
> > that my "EFS/Group Policy" issue was just a symptom of the problem, and
> the
> > actual problem was my DNS infrastructure configuration.
> >
> > In my case, both server A and server B pointed at themselves as the
> > "primary" DNS server. I also had the FSMO roles assigned to these two
> > domain controllers in a haphazard way (but I think the core problem was
> the
> > "primary" DNS misconfiguration.)
> >
> > So based on your prompting, and based on a few Microsoft knowledgebase
> > articles, I performed the following reconfiguration:
> >
> > 0) I didn't have to do anything with respect to my ISP's DNS servers.
> They
> > were already configured as just "forwarders".
> >
> > 1) I reconfigured my FSMO role placement. (An insignificant step, but
I
> > did it anyway.)
> >
> > (see article 223346)
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;223346&Product=win2000
> >
> > 2) I reconfigured my two domain controllers to point at only server A
as
> > "primary". Furthermore, on server A, I removed server B as a secondary.
> > Restated, server A now has NO secondary DNS configured.
> >
> > (see article 825036)
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&Product=win2000
> >
> > 3) On server B, I removed itself as secondary. Restated, server B now
> has
> > NO secondary DNS configured. I'm sure this is a debatable step, but not
> > being an expert, I'm following the Microsoft knowledgebase article.
> Anybody
> > feel free to chime in.
> >
> > (see article 275278)
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&Product=win2000
> >
> > 4) I updated my DHCP server configuration so that it hands out server A
> as
> > 'primary' and server B as 'secondary'.
> >
> > I won't have time to test this updated configuration with my "Disable
EFS"
> > GPO for a few days, but I'll attempt and post the outcome!
> >
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:vbwNc.169700$%_6.46028@attbi_s01...
> > > Your error points to possibly a dns misconfiguration which is the
number
> > one reason
> > > for AD problems. When you configure AD the first domain controller in
> the
> > domain must
> > > point to itself as it's preferred dns server in tcp/ip properties and
> > additional
> > > domain controllers need to point to the first domain controller [first
> in
> > the list]
> > > and themselves as their preferred dns servers. Then domain computers
> must
> > point ONLY
> > > to a W2K domain controller with the AD dns zone for the domain [they
all
> > do by
> > > default]. Never list an ISP dns server in the tcp/ip properties of any
> > domain
> > > computer. The support tools netdiag and dcdiag can be used to check
for
> > proper domain
> > > configuration with dcdiag reserved for domain controllers. If you
change
> > dns config
> > > on a domain controller run netdiag /fix and then restart netlogon
> service
> > on it and
> > > view Event Viewer for problems.
> > >
> > > What may have happened is that there was a replication problem with
the
> > new policy
> > > due to a dns lookup failure. You can also check on GPO replication
using
> > the gpotool
> > > and the replmon resource kit tool. Gpotool is quick and easy and will
> > report
> > > mismatches in policy between active domain controllers. The links
below
> > may
> > > help. --- Steve
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
> > >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/to...
> > >
> > > "Chris Largent" <chris.largent@spamisnotprofessionalpro-group.com>
wrote
> > in message
> > > news:4ZmdnYFakM39QZjcRVn-jw@giganews.com...
> > > > I have two domain controllers, A & B...
> > > >
> > > > A = Windows 2000 Server; PDC; DNS ('secondary' designation; Active
> > Directory
> > > > integrated mode)
> > > > B = Windows Server 2003; DNS ('primary' designation; AD integrated
> mode)
> > > > domain functional level = "Native 2000"
> > > >
> > > > I wanted to disable EFS (Encrypting File System) across the entire
> > domain.
> > > > Of course, none of the Microsoft knowledgebase articles EXPLICITLY
> > discuss a
> > > > MIXED environment of '2000 Server' and 'Server 2003'...
> > > >
> > > > I have never messed with Group Policy before, so only the domain's
> > default
> > > > Group Policy Object (GPO) existed. On server 'A', I created a brand
> new
> > > > GPO, moved it up in priority (above the default GPO), and followed
> > Microsoft
> > > > article 222022 (for 2000 Server.) I then let that new GPO
replicate,
> > and
> > > > subsequently followed Microsoft article 324897 (for Server 2003) on
> > server
> > > > 'B'. I made no other changes to the new GPO, so theoretically, all
> > other
> > > > policies within this new GPO were "not defined", and thus should not
> > have
> > > > overrided anything crazy in the default GPO (so I would think...)
> > > >
> > > > After this, everything got squirrelly, and I traced it down to
> something
> > > > related to DNS. On server 'A', the following was logged in the
> > Application
> > > > Event Log:
> > > >
> > > > Source = Userenv
> > > > EventID = 1000
> > > > Description = Windows cannot obtain the domain controller name for
> your
> > > > computer network. Return value (2146).
> > > >
> > > > After I disabled the new GPO, the domain cleared itself up. ...Now,
> > when I
> > > > make the 'disable EFS' modifications DIRECTLY to the DEFAULT GPO, my
> > domain
> > > > behaves properly, and EFS is truly disabled on a domain-wide basis.
> > > >
> > > > Can any gurus out there shed light on why my seemingly simple,
> > > > higher-priority GPO failed and caused the AD-DNS to fizzle out?
> > > >
> > > >
> > >
> > >
> >
> >
>
>
!