Title: Message
Here's a guess on the mechanism behind your 'Extremely Weird Problem':
As you know, GPOs consist of two parts - the part stored in the SYSVOL, and the part stored as an object in the domain naming context of AD.  When a GPO affects settings that are themselves attributes of objects in AD, you can run into issues like this if the part that's stored in the SYSVOL of one of the DCs is out of synch with the other DCs.
 
I have firsthand experience with this example: the 'maxPasswordAge' attribute of the domain NC is configured in the default domain controllers policy.  This value was changed.  Because of an earlier misconfiguration, the AD replication was much faster to converge worldwide than the FRS replication.  In other words, the change in the domain NC appeared on all DCs in minutes, but the corresponding change to the DDCP in SYSVOL took hours to propagate.
 
When these remote DCs next applied the DDCP, they changed the value back to what they still thought was the correct value, triggering replication of that old value in AD.  Needless to say, with a large number of DCs across the world, this caused the value to bounce back and forth between old and new on any given DC, as various DCs set it one way and others set it the other way.
 
From your description, I'm wondering if yours is something similar. Perhaps the SYSVOL portion of the policy isn't consistent across the DCs for some reason?  AuditingPolicy is one of the attributes of the domain NC that is set in one of those policies, if I'm not mistaken.  If "repadmin /showmeta your.domain.com" on a DC shows the version of one or more attributes incrementing, often with a different 'Originating DSA', you may have such an issue.
 
Good luck!
Dave
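
Added example (not part of Dave's message or of the thread): a PowerShell check for the SYSVOL/AD skew described above. On every DC it compares the GPO's `versionNumber` in AD with the `Version=` line of its SYSVOL `GPT.ini`, and reports the last originating DSA for `versionNumber`. It assumes the ActiveDirectory RSAT module, read access to each DC's SYSVOL share, and that the GPO in question is the Default Domain Controllers Policy (well-known GUID in the script).

```powershell
# Added example: per-DC comparison of the AD half and the SYSVOL half of one GPO.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Controllers Policy (assumed target GPO).
$gpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
$domain  = Get-ADDomain
$gpoDn   = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = @(foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; ADVersion = $null; SysvolVersion = $null
                       OriginatingDSA = $null; LastChange = $null; InfHash = $null; Error = $null }
    try {
        # AD half: versionNumber of the groupPolicyContainer as this DC currently holds it.
        $gpc = Get-ADObject -Identity $gpoDn -Server $dc.HostName -Properties versionNumber -ErrorAction Stop
        $row.ADVersion = [int]$gpc.versionNumber

        # Who last originated that value (the data repadmin /showmeta displays).
        $meta = Get-ADReplicationAttributeMetadata -Object $gpoDn -Server $dc.HostName `
                    -Properties versionNumber -ErrorAction Stop
        $row.OriginatingDSA = $meta.LastOriginatingChangeDirectoryServerIdentity
        $row.LastChange     = $meta.LastOriginatingChangeTime

        # SYSVOL half: Version= line of GPT.ini on this DC's own share.
        $gpoPath = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid"
        $verLine = Get-Content -Path (Join-Path $gpoPath 'GPT.ini') -ErrorAction Stop |
                       Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } | Select-Object -First 1
        if ($verLine -match '=\s*(\d+)') { $row.SysvolVersion = [int]$Matches[1] }

        # Audit policy is stored in GptTmpl.inf; hash it so content can be compared across DCs.
        $inf = Join-Path $gpoPath 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (Test-Path -LiteralPath $inf) { $row.InfHash = (Get-FileHash -LiteralPath $inf -Algorithm SHA256).Hash }
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
})

$report | Format-Table DC, ADVersion, SysvolVersion, OriginatingDSA, LastChange, Error -AutoSize

# Skew: a DC whose two halves disagree, or DCs that disagree with each other.
$mismatch = @($report | Where-Object { $_.Error -or $_.ADVersion -ne $_.SysvolVersion })
$versions = @($report | ForEach-Object { $_.ADVersion; $_.SysvolVersion } |
                  Where-Object { $_ -ne $null } | Sort-Object -Unique)
$hashes   = @($report | ForEach-Object { $_.InfHash } | Where-Object { $_ } | Sort-Object -Unique)
if ($mismatch.Count -or $versions.Count -gt 1 -or $hashes.Count -gt 1) {
    Write-Warning "GPO $gpoGuid is not consistent across DCs (mismatching: $($mismatch.DC -join ', '))"
}
```

Run it several times a few minutes apart: an `ADVersion` that keeps climbing while `OriginatingDSA` changes between runs is the bounce pattern described in the message above.
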
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, April 07, 2005 10:22 AM
To: [email protected]
Subject: RE: [ActiveDir] Extremely Weird Problem

How about setting up auditing on the PDC emulator DC for the GroupPolicyContainer object that represents that GPO? Then at least you might be able to see who is making the change.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:56 AM
To: [email protected]
Subject: RE: [ActiveDir] Extremely Weird Problem

First of all we are seeing this in the lab AND in production.  In the lab, we have 2 DCs in the root domain and 1 DC in the child domain.  There were 2 in the child, but we removed it to test if that kept the policies from changing.  This, so far, has fixed it, but that isn’t a real resolution for the production environment.  In the Lab root domain, when I make a change, then version/time are incremented properly.  Then I force replication and check to make sure each DC has the proper version. That works fine.  Then 3 minutes later the version on the policy is incremented again by 1 and the policies have reverted back!  Unbelievable, isn’t it?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:25 AM
To: [email protected]
Subject: RE: [ActiveDir] Extremely Weird Problem

 

That is an extremely weird problem.  You did not explain that you were working on the default domain controller policy in your highest (only?) domain.  I was presuming that you were working on an OU group policy for the member servers.  If that was the case, the domain policy could override the OU policy if the 'No override' box was checked.

 

How many domain controllers do you have in operation within the domain?  My next thought is one of the DCs is not synchronizing properly and is resetting the audit values and increasing the policy version #.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:09 AM
To: [email protected]
Subject: RE: [ActiveDir] Extremely Weird Problem

This isn’t the case in either situation.  The settings are all set to not defined, but the Default domain controllers policy changes back to a bunch of different settings 5 minutes after I change it.  Also, how could a higher level group policy change a lower level group policy settings?  There are only two policies in the domain: Default Domain and Default Domain Controllers. Only 3 people are domain admins in the domain and I’m the only one at work.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, April 07, 2005 9:02 AM
To: [email protected]
Subject: RE: [ActiveDir] Extremely Weird Problem

 

Have you checked for a higher level GPO that may have these settings configured the way they are changing back to?  My only other thought would be another person with permission to change the policy is changing it back.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 8:44 AM
To: [email protected]
Subject: [ActiveDir] Extremely Weird Problem

Has anyone ever seen this?  Our Audit settings in both our lab and production environments are changing themselves automatically.  When we set them to the settings we would like, the settings actually switch back and increment the version # on the policy!  I’ve been on the phone with Microsoft for hours and hours at this point and they have never heard/seen this before.  The audit settings are the only settings that seem to change.  All others stay the way we set them.  I can give more info if needed.  I just want to know if anyone ever heard of this….

 

Thanks,

 

Marc Schmieder
