Microsoft KB Archive/828692

= Kerberos policy changes are not updated on your Windows 2000-based domain controllers =

Article ID: 828692

Article Last Modified on 10/26/2006


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 4






SYMPTOMS
When you try to change the password and Kerberos policies in Domain Security Policy on a domain controller in your Microsoft Windows 2000-based network, Kerberos policy changes are updated on the primary domain controller (PDC) emulator operations master, but Kerberos policy changes are not updated on the other domain controllers on your network.



CAUSE
This problem occurs if all the following conditions are true:
 * You have installed Microsoft Windows 2000 Service Pack 4 on the domain controllers.
 * You have a mixed network environment that includes Microsoft Windows NT-based computers.
 * The domain controller that you used to change the Kerberos policies is not the PDC operations master.

Starting with Windows 2000 Service Pack 4, domain-wide account and Kerberos policies are processed only by the PDC emulator operations master. This change prevents unnecessary Active Directory replication of directory-based account policies.

Because Kerberos policies are registry-based, these policies are not replicated to the domain controllers that are not PDCs. Kerberos policy changes are not processed or updated on the other domain controllers.



Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites
Microsoft Windows 2000 Service Pack 4

Restart requirement
You must restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version             Size     File name
  ---------------------------------------------------------------
  11-Sep-2003  18:10  5.0.2195.6748         124,688  Adsldp.dll
  11-Sep-2003  18:10  5.0.2195.6748         132,368  Adsldpc.dll
  11-Sep-2003  18:10  5.0.2195.6748          63,760  Adsmsext.dll
  11-Sep-2003  18:10  5.0.2195.6815         381,712  Advapi32.dll
  11-Sep-2003  18:10  5.0.2195.6816          69,904  Browser.dll
  11-Sep-2003  18:10  5.0.2195.6815         136,464  Dnsapi.dll
  11-Sep-2003  18:10  5.0.2195.6780          96,528  Dnsrslvr.dll
  11-Sep-2003  18:10  5.0.2195.6810          47,376  Eventlog.dll
  11-Sep-2003  18:10  5.0.2195.6815         148,240  Kdcsvc.dll
  18-Jun-2003  17:43  5.0.2195.6758         205,072  Kerberos.dll
  26-Mar-2003  21:37  5.0.2195.6695          71,888  Ksecdd.sys
  01-Aug-2003  17:40  5.0.2195.6797         509,712  Lsasrv.dll
  01-Aug-2003  17:40  5.0.2195.6797          33,552  Lsass.exe
  17-Jul-2003  23:13  5.0.2195.6786         109,840  Msv1_0.dll
  11-Sep-2003  18:10  5.0.2195.6601         311,568  Netapi32.dll
  11-Sep-2003  18:10  5.0.2195.6791         361,232  Netlogon.dll
  11-Sep-2003  18:10  5.0.2195.6817         931,600  Ntdsa.dll
  11-Sep-2003  18:10  5.0.2195.6815         392,464  Samsrv.dll
  11-Sep-2003  18:10  5.0.2195.6817         113,936  Scecli.dll
  11-Sep-2003  18:10  5.0.2195.6817         259,856  Scesrv.dll
  04-Sep-2003  17:06  5.0.2195.6801       5,232,128  Sp3res.dll
  11-Sep-2003  18:10  5.0.2195.6601          51,472  W32time.dll
  16-Aug-2002  13:32  5.0.2195.6601          57,104  W32tm.exe
  11-Sep-2003  18:10  5.0.2195.6741         126,224  Wldap32.dll



WORKAROUND
To work around this problem, create a new security database, import the security policy that you want to use, and then apply that policy specifically to each affected domain controller. This procedure updates the local registry and changes the settings in the tickets that have been issued by the Key Distribution Center (KDC).

The following is a sample .inf file that describes the default Kerberos policy. Make whatever changes are appropriate to your environment.

 ; (c) Microsoft Corporation 1997-2000
 ; Security Configuration Template for Security Configuration Editor
 ; Template Name:   KerbPol.INF
 ; Contains Default Policy Settings for Windows NT 5.0 Domain Controller.
 ; This template is NOT used by SCE during setup
 ; This template is applied via GP during Winlogon for the first DC in a Tree
 ; This template should NOT be used on Workstations or Servers.

 [version]
 signature="$CHICAGO$"
 revision=1
 DriverVer=11/14/1999,5.00.2183.1
 ; Please DO NOT EDIT version section.

 [Kerberos Policy]
 MaxTicketAge=10          ; in hours
 MaxRenewAge=7            ; in days
 MaxServiceAge=600        ; in minutes
 MaxClockSkew=5           ; in minutes
 TicketValidateClient=1   ; enforce user logon restrictions = yes

To use this template, follow these steps:

 1. Save the sample template to a file. Name the file KerbPol.inf.
 2. Start the Microsoft Management Console (MMC). To do this, click Start, click Run, type MMC, and then click OK.
 3. Add the Security Configuration and Analysis snap-in. To do this, follow these steps:
    a. Click Console, and then click Add/Remove Snap-in.
    b. On the Standalone tab, click Add.
    c. In the Available Standalone Snap-ins list, click Security Configuration and Analysis, click Add, and then click Close.
    d. In the Add/Remove Snap-in dialog box, click OK.
 4. In the tree-view pane, right-click Security Configuration and Analysis, and then click Open Database.
 5. In the File Name box, type KerbPol.sdb, and then click Open.
 6. In the Import Template dialog box, locate the .inf file that you saved in step 1.
 7. Click to select the Clear this database before importing check box, and then click Open.
 8. In the tree-view pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
 9. In the Perform Analysis dialog box, click OK.
 10. When the Analysis is complete, expand Security Configuration and Analysis, expand Account Policies, and then click Kerberos Policy. Make sure that the settings in the Database Settings column are correct.
 11. In the tree-view pane, right-click Security Configuration and Analysis, and then click Configure Computer Now.
 12. In the Configure System dialog box, click OK.
 13. Restart the server.
The domain controller is now configured with the new policy. You can rerun the analysis by using the database that you created in step 4. When you complete the analysis, make sure that the Effective Settings column matches the Database Settings column in Security Configuration and Analysis.
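The comparison described above (effective settings against the template) can also be run over text for several domain controllers at once. The following Python is an added example, not part of the original article or of any Microsoft tool; it assumes each DC's settings have already been obtained as INF text (for example, exported with secedit), and the DC names and drifted values are constructed.

```python
# Added example: flag domain controllers whose [Kerberos Policy] values
# differ from the baseline template. DC names and drifted values are constructed.
BASELINE = """\
[version]
signature="$CHICAGO$"
revision=1
[Kerberos Policy]
MaxTicketAge=10          ; in hours
MaxRenewAge=7            ; in days
MaxServiceAge=600        ; in minutes
MaxClockSkew=5           ; in minutes
TicketValidateClient=1   ; enforce user logon restrictions = yes
"""

def kerberos_policy(inf_text):
    """Return the [Kerberos Policy] section as {setting: int}."""
    policy, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop INF ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "kerberos policy" and "=" in line:
            key, value = line.split("=", 1)
            policy[key.strip()] = int(value)
    return policy

def drift(baseline_text, dc_texts):
    """Map each DC to {setting: (expected, actual)}; actual is None if absent."""
    expected = kerberos_policy(baseline_text)
    report = {}
    for dc, text in dc_texts.items():
        actual = kerberos_policy(text)
        diffs = {k: (v, actual.get(k)) for k, v in expected.items()
                 if actual.get(k) != v}
        if diffs:
            report[dc] = diffs
    return report

# Constructed per-DC text: one matching DC, one stale value, one partial section.
DC_EXPORTS = {
    "DC-PDC": BASELINE,
    "DC-02": BASELINE.replace("MaxTicketAge=10", "MaxTicketAge=8"),
    "DC-03": "[Kerberos Policy]\nMaxTicketAge=10\nMaxRenewAge=7\nMaxServiceAge=600\n",
}

if __name__ == "__main__":
    for dc, diffs in drift(BASELINE, DC_EXPORTS).items():
        print(dc, diffs)
```

A DC that appears in the report still holds values that differ from the template and is a candidate for the workaround steps above.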


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816915 New file naming schema for Microsoft Windows software update packages

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe kbwin2000presp5fix KB828692


© Microsoft Corporation. All rights reserved.