All RODCs do not apply 'User Rights Assignment' part of Default Domain Controllers Policy, 'Policy server is not ready'
Hi, I noticed that all of our RODCs (all on Windows Server 2012 R2) do not apply the 'User Rights Assignment' part of the Default Domain Controllers Policy. They keep the state that was valid during promotion. If I promote a new RODC, it gets the current user rights assignment, but it does not apply changes made after promotion.
Writable DCs apply the policy without issues.
I enabled debug logging, and it seems the following happens:
- user rights are added
- "Policy server is not ready"
- user rights are removed again (the changes from step 1 are undone)
- start again at step 1.
I uploaded the complete winlogon.log here:
The relevant portions seem to be these:
----Configure User Rights...
...
Configure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
add SeAuditPrivilege.
add SeServiceLogonRight.
...
User Rights configuration was completed successfully.
...
----Un-initialize configuration engine...
Policy server is not ready, retry count #1.
...
----Configure User Rights...
SeImpersonatePrivilege must be assigned to administrators. This setting is adjusted.
SeImpersonatePrivilege must be assigned to SERVICE. This setting is adjusted.
SeNetworkLogonRight must be assigned to Enterprise Domain Controllers account for policy propagation and replication to succeed.
....
Configure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
remove SeAuditPrivilege.
remove SeServiceLogonRight.
...
User Rights configuration was completed successfully.
As said before, this happens on read-only domain controllers, not on writable domain controllers.
Our domain functional level is 2008 R2. Does anyone have an idea about the reason, or how to continue investigating?
Oh, I forgot to post the solution here :(
In our case, the reason was a GPO linked at the domain root that added users to the local "Administrators" group. Since a DC does not have a local Administrators group, this fails, and for whatever reason the RODCs then fail to apply security policies.
The solution was to exclude the DCs from that GPO.
http://theitcrownd.blogspot.bg/2014/05/security-policy-1001.html
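The settings in question (User Rights Assignment and Restricted Groups) are stored for each GPO in SYSVOL under `Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, as `[Privilege Rights]` and `[Group Membership]` sections. The following script is an added example, not code from the thread: it parses such a template and flags a Restricted Groups entry for BUILTIN\Administrators (S-1-5-32-544) when the GPO's scope includes domain controllers, which is exactly the condition the poster hit. The sample template, its SIDs and the function names are constructed for illustration; the `Unicode`/`Version`/`Group Membership`/`Privilege Rights` section and key formats are the real ones secedit writes.

```python
"""Parse a GPO security template (GptTmpl.inf) and flag settings that
cannot apply on a domain controller. Added example; sample data is constructed."""

# Constructed sample template; the domain SIDs are placeholders, not from any real domain.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-84077
SeAuditPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-84077
"""

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators


def parse_gpttmpl(text):
    """Return {section: {key: [values]}}; SID references lose their leading '*'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = [v.strip().lstrip("*") for v in value.split(",")]
        # An empty value (e.g. "__Memberof =") becomes an empty list.
        sections[current][key.strip()] = [v for v in values if v]
    return sections


def restricted_group_members(template):
    """Groups whose membership the template enforces: {group SID: [member SIDs]}."""
    result = {}
    for key, members in template.get("Group Membership", {}).items():
        if key.endswith("__Members"):
            group = key[: -len("__Members")].lstrip("*")
            result[group] = members
    return result


def privilege_rights(template):
    """User Rights Assignment: {privilege name: [SIDs holding it]}."""
    return dict(template.get("Privilege Rights", {}))


def find_dc_conflicts(template, applies_to_dcs):
    """Findings for a GPO whose scope includes domain controllers.

    Domain controllers have no local SAM, so a Restricted Groups entry for
    BUILTIN\\Administrators cannot be enforced there; in the thread above this
    caused the RODCs to fail the whole security-policy extension.
    """
    findings = []
    if not applies_to_dcs:
        return findings
    members = restricted_group_members(template).get(LOCAL_ADMINISTRATORS_SID, [])
    if members:
        findings.append(
            f"Restricted Groups forces members {members} into {LOCAL_ADMINISTRATORS_SID}; "
            "DCs have no local Administrators group, so exclude DCs from this GPO"
        )
    return findings


if __name__ == "__main__":
    tmpl = parse_gpttmpl(SAMPLE_GPTTMPL)
    print("Privilege rights:", privilege_rights(tmpl))
    for finding in find_dc_conflicts(tmpl, applies_to_dcs=True):
        print("FINDING:", finding)
```

To run this against a real policy, read the `GptTmpl.inf` from SYSVOL (it is UTF-16 encoded, so open it with `encoding="utf-16"`) and pass `applies_to_dcs=True` for any GPO linked at the domain root or at the Domain Controllers OU without being filtered away from the DCs.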