Microsoft KB Archive/277682

{|
 * width="100%"|

Group Policies Do Not Work If Many Domain Controllers Have Long Domain Names

 * }

Q277682

-

The information in this article applies to:


 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-

SYMPTOMS
When you are running Windows 2000 Professional as a member in a domain with many domain controllers, you may see the following error in the Application event log:

Event ID 1001

Source: SceCli

Security policy cannot be propagated. The system cannot find the path specified. Error code = 3.

\\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Note that &quot;{31B2F340-016D-11D2-945F-00C04FB984F9}&quot; is a sample policy globally unique identifier (GUID). The actual number you see may be different depending on the policy requested.

You may also see other error messages that state that applying group policies did not work. In a network trace, you can see that the client sends &quot;DFS Get Referral&quot; server message blocks (SMBs) to the server with buffer sizes of 4,096; 8,192; 16,384; 32,768; and 57,344. None of these work and they have a status of STATUS_BUFFER_OVERFLOW.

CAUSE
When a client attempts to connect to the Sysvol share, the client treats the share like any other Distributed File System (DFS) volume. The client tries to get a list of servers that host this volume. To do this, the client sends a &quot;transact2&quot; SMB to the server with the &quot;DFS Get Referral&quot; command. Because the Sysvol share has as many replicas as there are domain controllers in the domain, the list of servers that host the volume can become quite long.

All the Unicode fully qualified domain names (FQDNs) of the domain controllers need to fit in the transact SMB. The formula is:

"MaxNumOfDCsInASingleDomain ~= 57344 / ((length_of_DC_FQDN + 1) * 2)" Therefore, depending on the length of the domain controllers' FQDNs and the number of domain controllers, you may experience this limitation.

RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

  Date        Time    Version        Size    File name -  10/24/2000  09:38p  5.0.2195.2560  74,448  Dfs.sys 10/24/2000 09:38p  5.0.2195.2560  90,384  Dfssvc.exe

NOTE: Install this fix on your DFS servers and domain controllers to solve the problem.

STATUS
Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

"Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes" Additional query words:

Keywords : kbWin2000PreSP2Fix

Issue type : kbbug

Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro kbWinAdvServSearch