Microsoft KB Archive/256000

Knowledge Base


Error Messages After Importing Basicdc.inf into Group Policy

Article ID: 256000

Article Last Modified on 2/28/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



This article was previously published under Q256000

SYMPTOMS

After you import the Basicdc.inf file into the default domain controllers Group Policy object (GPO), the following error messages may be generated.

Application log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 3/1/2000
Time: 6:16:43 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (13).

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 3/1/2000
Time: 6:16:43 PM
User: N/A
Computer: COMPUTERNAME
Description: Security policies are propagated with warning. 0xd : The data is invalid. Please look for more details in TroubleShooting section in Security Help.

Winlogon.log:

Error 13: The data is invalid. Error convert %SYSVOL%\DOMAIN\POLICIES.
Error 13: The data is invalid. Error converting section File Security.

Userenv.log:

ProcessGPOs: Extension Security ProcessGroupPolicy failed, status 0xd.

CAUSE

This behavior occurs because three system environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%) are referenced in the Basicdc.inf file, but exist only during the Dcpromo process. These error messages are generated each time the Default Domain Controllers policy is applied.
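An added example (not part of the original article and not Microsoft's code): a pre-import check that lists the environment variables a security template references but a given environment does not define, which is the condition described above. The template text is a constructed sample in the style of a security template, not the real Basicdc.inf, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a security template; NOT the real Basicdc.inf.
SAMPLE_TEMPLATE = r'''
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
; constructed entries for illustration only
"%SystemRoot%\repair",2,"D:P(A;CIOI;GA;;;BA)"
"%DSDIT%",2,"D:P(A;CIOI;GA;;;BA)"
"%DSLOG%",2,"D:P(A;CIOI;GA;;;BA)"
"%SYSVOL%",2,"D:P(A;CIOI;GA;;;BA)"
"%SYSVOL%\domain\policies",2,"D:P(A;CIOI;GA;;;BA)"
[Registry Keys]
"MACHINE\SOFTWARE",2,"D:P(A;CI;GA;;;BA)"
'''

SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)%')


def unresolved_variables(template_text, env):
    """Return {section: [VAR, ...]} for variables referenced but absent from env."""
    defined = {name.upper() for name in env}  # Windows variable names are case-insensitive
    missing = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):  # skip blanks and INF comments
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group('name')
            continue
        for var in VAR_RE.findall(line):
            if var.upper() not in defined:
                missing.setdefault(section, set()).add(var.upper())
    return {sec: sorted(names) for sec, names in missing.items()}


def safe_for_gpo_import(template_text, env):
    """True only if every %VAR% in the template resolves in env."""
    return not unresolved_variables(template_text, env)


if __name__ == '__main__':
    import os
    print(unresolved_variables(SAMPLE_TEMPLATE, os.environ))
```

Templates saved by the Security Templates snap-in are usually Unicode files, so decode the file accordingly (for example as UTF-16) before passing its text to the function.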

RESOLUTION

To resolve this issue, do not import the Basicdc.inf file into the default domain controllers Group Policy object (GPO). This security template modifies ACLs on files and folders in SYSVOL. The File Replication service may try to replicate these changes to other domain controllers, depending on what version of NTFRS your domain controllers use.

Windows 2000-based domain controllers apply the policy when they are restarted, during policy updates, and then at regular intervals. The policy is updated every five minutes. If no change is pending, the policy is not applied. The policy is enforced every 16 hours regardless of whether there has been a change to the policy or not. For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

279156 Effects of Setting File System Policy on a Disk Drive or Folder


321557 Improvements in the Post-SP2 Release of Ntfrs.exe


If you want to apply this policy periodically, a better solution is to apply it with the secedit command:

secedit /configure /cfg "%SYSTEMROOT%\security\templates\basicdc.inf" /db "%SYSTEMROOT%\security\database\basicdc.sdb" /log "%SYSTEMROOT%\security\database\basicdc.log" /verbose


First, you must create the following three system environment variables:

  1. At a command prompt, type net share sysvol, and then press ENTER. Note the path that is returned.
  2. Right-click My Computer, and then click Properties.
  3. On the Advanced tab, click Environment Variables.
  4. In the System Variables section, click New.
  5. In the Variable Name box, type SYSVOL.
  6. In the Variable Value box, type the path that you noted in step 1, minus the last "\sysvol" item.
  7. Repeat these steps to create the %DSDIT% and %DSLOG% variables.

    You can view the path for these variables by examining these variables in the registry under the following key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

    For example, the default locations for Database log files path and DSA Working Directory are listed below:

    Database log files path:REG_SZ:C:\WINNT\NTDS (%DSLOG% equals C:\WINNT\NTDS)

    DSA Working Directory:REG_SZ:C:\WINNT\NTDS (%DSDIT% equals C:\WINNT\NTDS)

  8. At a command prompt, type the following command, and then press ENTER:

    secedit /configure /cfg "%SYSTEMROOT%\security\templates\basicdc.inf" /db "%SYSTEMROOT%\security\database\basicdc.sdb" /log "%SYSTEMROOT%\security\database\basicdc.log" /verbose

  9. Examine the Userenv.log file, Winlogon.log file, and Application event log. The error messages should no longer occur.
  10. If the error messages persist, restart the computer and confirm that the error messages no longer occur.

Important: Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or Default Domain Policy. The applied template may overwrite permissions on new files, registry keys, and system services that are created by other programs. You may have to restore these policies after you apply a security template. Before you follow these steps on a domain controller, create a backup of the SYSVOL share.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbdcpromo kbenv kberrmsg kbgpo kbprb KB256000