Knowledge Base

Kerberos policy changes are not updated on your Windows 2000-based domain controllers

Article ID: 828692

Article Last Modified on 10/26/2006

APPLIES TO

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Service Pack 4

SYMPTOMS

When you try to change the password and Kerberos policies in Domain Security Policy on a domain controller in your Microsoft Windows 2000-based network, Kerberos policy changes are updated on the primary domain controller (PDC) emulator operations master, but Kerberos policy changes are not updated on the other domain controllers on your network.

CAUSE

This problem occurs if all the following conditions are true:

You have installed Microsoft Windows 2000 Service Pack 4 on the domain controllers.
You have a mixed network environment that includes Microsoft Windows NT-based computers.
The domain controller that you used to change the Kerberos policies is not the PDC operations master.

Starting with Windows 2000 Service Pack 4, domain-wide account and Kerberos policies are processed only by the PDC emulator operations master. This change prevents unnecessary Active Directory replication of directory-based account policies.

Because Kerberos policies are registry-based, these policies are not replicated to the domain controllers that are not PDCs. Kerberos policy changes are not processed or updated on the other domain controllers.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

Microsoft Windows 2000 Service Pack 4

Restart requirement

You must restart your computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   11-Sep-2003  18:10  5.0.2195.6748     124,688  Adsldp.dll       
   11-Sep-2003  18:10  5.0.2195.6748     132,368  Adsldpc.dll      
   11-Sep-2003  18:10  5.0.2195.6748      63,760  Adsmsext.dll     
   11-Sep-2003  18:10  5.0.2195.6815     381,712  Advapi32.dll     
   11-Sep-2003  18:10  5.0.2195.6816      69,904  Browser.dll      
   11-Sep-2003  18:10  5.0.2195.6815     136,464  Dnsapi.dll       
   11-Sep-2003  18:10  5.0.2195.6780      96,528  Dnsrslvr.dll     
   11-Sep-2003  18:10  5.0.2195.6810      47,376  Eventlog.dll     
   11-Sep-2003  18:10  5.0.2195.6815     148,240  Kdcsvc.dll       
   18-Jun-2003  17:43  5.0.2195.6758     205,072  Kerberos.dll     
   26-Mar-2003  21:37  5.0.2195.6695      71,888  Ksecdd.sys
   01-Aug-2003  17:40  5.0.2195.6797     509,712  Lsasrv.dll       
   01-Aug-2003  17:40  5.0.2195.6797      33,552  Lsass.exe        
   17-Jul-2003  23:13  5.0.2195.6786     109,840  Msv1_0.dll       
   11-Sep-2003  18:10  5.0.2195.6601     311,568  Netapi32.dll     
   11-Sep-2003  18:10  5.0.2195.6791     361,232  Netlogon.dll     
   11-Sep-2003  18:10  5.0.2195.6817     931,600  Ntdsa.dll        
   11-Sep-2003  18:10  5.0.2195.6815     392,464  Samsrv.dll       
   11-Sep-2003  18:10  5.0.2195.6817     113,936  Scecli.dll       
   11-Sep-2003  18:10  5.0.2195.6817     259,856  Scesrv.dll       
   04-Sep-2003  17:06  5.0.2195.6801   5,232,128  Sp3res.dll       
   11-Sep-2003  18:10  5.0.2195.6601      51,472  W32time.dll      
   16-Aug-2002  13:32  5.0.2195.6601      57,104  W32tm.exe        
   11-Sep-2003  18:10  5.0.2195.6741     126,224  Wldap32.dll

WORKAROUND

To work around this problem, create a new security database, import the security policy that you want to use, and then apply that policy specifically to each affected domain controller. This procedure updates the local registry and changes the settings in the tickets that have been issued by the Key Distribution Center (KDC).

The following is a sample .inf file that describes the default Kerberos policy. Make whatever changes are appropriate to your environment.

; (c) Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name:    KerbPol.INF
;
; Contains Default Policy Settings for Windows NT 5.0 Domain Controller.
; This template is NOT used by SCE during setup
; This template is applied via GP during Winlogon for the first DC in a Tree
; This template should NOT be used on Workstations or Servers.

; Please DO NOT EDIT version section.
;
[version]
signature="$CHICAGO$"
revision=1
DriverVer=11/14/1999,5.00.2183.1

[Kerberos Policy]
; in hours
MaxTicketAge=10
; in days
MaxRenewAge=7
; in minutes
MaxServiceAge=600
; in minutes
MaxClockSkew=5
; enforce user logon restrictions = yes
TicketValidateClient=1

To use this template, follow these steps:

Save the sample template to a file. Name the file KerbPol.inf.
Start the Microsoft Management Console (MMC). To do this, click Start, click Run, type MMC, and then click OK.
Add the Security Configuration and Analysis snap-in. To do this, follow these steps:
1. Click Console, and then click Add/Remove Snap-in.
2. On the Standalone tab, click Add.
3. In the Available Standalone Snap-ins list, click Security Configuration and Analysis, click Add, and then click Close.
4. In the Add/Remove Snap-in dialog box, click OK.
In the tree-view pane, right-click Security Configuration and Analysis, and then click Open Database.
In the File Name box, type KerbPol.sdb, and then click Open.
In the Import Template dialog box, locate the .inf file that you saved in step 1.
Click to select the Clear this database before importing check box, and then click Open.
In the tree-view pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
In the Perform Analysis dialog box, click OK.
When the Analysis is complete, expand Security Configuration and Analysis, expand Account Policies, and then click Kerberos Policy. Make sure that the settings in the Database Settings column are correct.
In the tree-view pane, right-click Security Configuration and Analysis, and then click Configure Computer Now.
In the Configure System dialog box, click OK.
Restart the server.

The domain controller is now configured with the new policy. You can rerun the analysis by using the database that you created in step 4. When you complete the analysis, make sure that the Effective Settings column matches the Database Settings column in Security Configuration and Analysis.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816915 New file naming schema for Microsoft Windows software update packages

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe kbwin2000presp5fix KB828692

Microsoft KB Archive/828692

Contents