Re: Account Lockout threshold by Roger
Roger
Wed Jun 15 01:38:28 CDT 2005
Not meaning to be a pita here but there simply is no such thing
as PDC and BDCs running W2k and later, although there is some
minor, necessary functionality identified under name PDC emulator
FSMO. The use of the names may hold meaning for you but for
many of us it is just confusing and distracting. W2k and later DCs
are peers and essentially equal save things like FSMO roles etc.
There are very many changes in W2k Sp4 including adjustments to
the FRS code, which may actually be a factor in your issues.
Have you tried technet searches on resolutions for the FRS journal
wrapping? As IIRC you need to look at specifics as to what plugged
up your FRS replication out of the possible causes. Think in a
hand-waving way of FRS having database-like properties, where items to
be replicated are transacted (journaled) and the transaction log (journal)
gets cleared back as all is confirmed completed. That you have this
showing in the event log for FRS likely indicates your Sysvol replication
may be toasted, and hence GP support is sick.
After FRS is healthy then addressing why GP is (was) being applied
differently at different machines would make sense. Until then, as GP
in part depends on FRS, you are taking things out of order by not getting
AD replication support healthy first.
--
Roger Abell
Microsoft MVP (Windows Server: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"ikbea" <ikbea@discussions.microsoft.com> wrote in message
news:88C31553-E50E-4733-B3BD-6C6DC970A13A@microsoft.com...
> The domain has three domain controllers:
> - i.e. one is the primary domain controller (PDC) and the other two are
> backup domain controllers (BDC1 & BDC2).
> - All are Windows 2000 Advanced Servers with Service Pack 3; as they are
> used in a production environment, it takes time to plan for upgrading to
> Service Pack 4.
>
> There are several member servers:
> - Windows 2000 Advanced Servers with Service Pack 3.
> - Two of these member servers are called MServer1 and MServer2
>
> Domain Security Policy - Account lockout threshold
> ================================
>           effective
> PDC       Not defined
> BDC1      Not defined
> BDC2      Not defined
>
> Domain Controller Security Policy - Account lockout threshold
> ======================================
>           effective
> PDC       Not defined
> BDC1      Not defined
> BDC2      Not defined
>
> Local Security Policy - Account lockout threshold
> ================================
>           local                      effective
> PDC       0 invalid logon attempts   Not defined               (WHY is it not the same as local ??)
> BDC1      0 invalid logon attempts   0 invalid logon attempts
> BDC2      0 invalid logon attempts   0 invalid logon attempts
> MServer1  5 invalid logon attempts   5 invalid logon attempts
> MServer2  5 invalid logon attempts   0 invalid logon attempts  (WHY is it not the same as local ??)
>
> As the domain level policy is not defined, I assumed the "effective
> settings" should be the same as the "local settings" in "Local security
> policy" (i.e. the domain level policy will not override the local policy).
> However, this is not true for the server PDC and MServer2; why, and how
> can it be corrected?
>
> Moreover, the event log showed some strange entries; I don't know whether
> they are related or not.
> 1. In the security log - MServer2 and PDC
> the following entry is logged when new local security settings are applied
> (e.g. run secedit to refresh)
> Category: Account Management
> Event ID: 643
> Domain Policy Changed: Password Policy modified
>
> However, no "Domain policy changed: Lockout policy modified" is shown in
> the security log
>
> 2. In the PDC's file replication log,
> Source: NTFrs
> Type: Error
> Event ID: 13568
> The File Replication Service has detected that the replica set "DOMAIN
> SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR
>
> Thanks again !
>
>
>
> "Roger Abell [MVP]" wrote:
>
>> I thought you indicated W2k at Sp3 (you really, really, really need to
>> get Sp4 on those machines !!) so I have no idea what you are saying
>> about PDC and 2 BDCs ?
>>
>> That effective is showing as 0 on MServer2 and local as 5 indicates
>> that there is a GPO with this setting in use that is being applied to
>> MServer2. I would look at the OU level for a GPO that has MServer2
>> in its scope of management.
>>
>> The way to do this, if you intend to make the setting as you are stating
>> for member server login with member server local accounts (not domain
>> accounts), is to set the policy values in a GPO that is linked at the OU
>> level to a containing OU of the members.
>>
>> If you are after affecting these behaviors for domain accounts when used
>> on the members, this can only be done in a manner that affects all machines
>> in the entire domain when a domain account logs in to them.
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server: Security)
>> MCDBA, MCSE W2k3+W2k+Nt4
>> "ikbea" <ikbea@discussions.microsoft.com> wrote in message
>> news:3129AE99-0262-4772-A4D3-650857D06E74@microsoft.com...
>> > For further information
>> > In all DCs, the
>> > "Domain Controller Security Policy", "Domain Security Policy"
>> > local setting = not defined
>> > effective setting = not defined
>> >
>> > In PDC, "local policy" --> account lockout threshold
>> > local setting = 0 invalid logon attempts
>> > effective setting = not defined (WHY ??)
>> >
>> > In the two BDCs, local policy --> account lockout threshold
>> > local setting = 0 invalid logon attempts
>> > effective setting = 0 invalid logon attempts
>> >
>> > Thanks
>> >
>> >
>> > "ikbea" wrote:
>> >
>> >>
>> >> Three domain controllers: one primary and two backup
>> >> Member servers (joined to the same DC): MServer1, MServer2
>> >> All are Windows 2000 SP3 servers
>> >>
>> >> I want to set account policy in MServer1 and MServer2:
>> >> Account Lockout duration: Not defined (original) --> 30 minutes (new)
>> >> Account Lockout threshold: 0 (original) --> 5 (new) invalid logon attempts
>> >> Reset account lockout counter after: Not defined (original) --> 30 minutes (new)
>> >>
>> >> In MServer, all settings were changed as I expected.
>> >> However, for MServer2, in "local policy settings --> account lockout
>> >> threshold", the local setting = 5, the effective setting = 0.
>> >>
>> >> In DC, the
>> >> "Domain Controller Security Policy", "Domain Security Policy" and "Local
>> >> Security Policy", the effective setting = not defined
>> >>
>> >> I tried to change MServer2 account lockout threshold to 5 in "Local
>> >> Security Policy", "MMC-->Group policy" and "MMC-->Security Configuration
>> >> and Analysis", but the effective setting is still = 0
>> >>
>> >> How to set account lockout threshold to 5 in MServer2?
>>
>>
>>
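To make the precedence Roger describes concrete, the following Python model (an added illustration, not code from the thread or from Microsoft) applies the Local, Site, Domain, OU processing order to the account lockout threshold and reports which policy produced the "effective" value. The "Servers OU" GPO is a hypothetical one of the kind he suggests looking for; domain accounts, whose account policy comes only from the domain level, are not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Link levels in the order Group Policy applies them: Local first, then
# Site, Domain, OU (parent OU before child OU); whatever applies last wins.
LSDOU_ORDER = {"site": 1, "domain": 2, "ou": 3}

@dataclass
class Gpo:
    name: str
    link: str                                # "site", "domain" or "ou"
    lockout_threshold: Optional[int] = None  # None == "Not defined" in the GPO

def resolve(local_value: Optional[int], gpos_in_scope: list[Gpo]) -> tuple[Optional[int], str]:
    """Return (effective value, where it came from) for one machine.

    local_value   -- the 'local setting' column of Local Security Policy
    gpos_in_scope -- every GPO whose scope of management includes the machine,
                     listed parent OU before child OU for equal link levels
    Block Inheritance / No Override (Enforced) are not modelled.
    """
    effective, source = local_value, "local"
    # sorted() is stable, so GPOs at the same level keep the caller's order
    for gpo in sorted(gpos_in_scope, key=lambda g: LSDOU_ORDER[g.link]):
        if gpo.lockout_threshold is not None:   # "Not defined" never overrides
            effective, source = gpo.lockout_threshold, gpo.name
    return effective, source

# Constructed sample: the domain policy leaves the setting "Not defined" (as in
# the thread); the OU-linked GPO is hypothetical, the kind of thing Roger
# suggests looking for when effective (0) differs from local (5).
DOMAIN_POLICY = Gpo("Default Domain Policy", "domain")            # Not defined
SERVER_OU_GPO = Gpo("Hypothetical Servers OU lockout", "ou", 0)

def mserver1() -> tuple[Optional[int], str]:
    return resolve(5, [DOMAIN_POLICY])                 # (5, "local")

def mserver2() -> tuple[Optional[int], str]:
    return resolve(5, [DOMAIN_POLICY, SERVER_OU_GPO])  # (0, "Hypothetical Servers OU lockout")

if __name__ == "__main__":
    for name, fn in (("MServer1", mserver1), ("MServer2", mserver2)):
        value, source = fn()
        print(f"{name}: local 5, effective {value} (set by {source})")
```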