Help and Support

Article ID: 276516 - Last Review: February 19, 2007 - Revision: 3.3

Group Policy Not Applied with Many Domain Controllers in Domain

View products that this article applies to.
This article was previously published under Q276516
Expand all | Collapse all

SYMPTOMS

When you run Windows 2000 Professional as a member of a Windows 2000-based domain with many domain controllers, the application of Group Policy may not work. The most notable error is event 1001 by SceCli in the Application event log:
Security policy cannot be propagated. The system cannot find the path specified. Error code = 3.

\\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
In a network trace, you see that the client sends "DFS Get Referral" SMBs to the server with buffer sizes of 4,096; 8,192; 16,384; 32,768; and 57,344. Each request does not work and generates STATUS_BUFFER_OVERFLOW.
Back to the top

CAUSE

When a Windows 2000-based client attempts connect to the Sysvol share, it treats the share like any other Distributed File System (DFS) volume. It attempts to obtain a list of servers that host this volume. To do this, it sends a transact2 SMB to the server with the "DFS Get Referral" command. Because Sysvol has as many replicas as there are domain controllers in the domain, the list of servers that host the volume can become very long.

The resultant UNICODE FQDNs of the domain controllers that are able to host Sysvol need to fit into the response to the transact2 SMB. The limit is demonstrated by:
MaxNumOfDCsInASingleDomain ~= 57344 / ((<length of DC FQDN> + 1) * 2)
Therefore, the length of the domain controller FQDNs and the number of domain controllers in the domain determine the threshold at which this limitation will occur.
Back to the top

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910  (http://support.microsoft.com/kb/260910/EN-US/ ) How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later: 
   Date        Time    Version        Size    File name
   -----------------------------------------------------
   10/24/2000  09:38p  5.0.2195.2560  74,448  Dfs.sys
   10/24/2000  09:38p  5.0.2195.2560  90,384  Dfssvc.exe



This is a server side fix. To prevent this issue, install this update on all Domain Controllers. Also install this fix on member servers that host Domain DFS replicas, because this issue affects them as well.
Back to the top

WORKAROUND

The only temporary workaround that may work is to reduce the number of domain controllers in the domain below the threshold at which the problem is experienced.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
Back to the top

MORE INFORMATION

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149  (http://support.microsoft.com/kb/249149/EN-US/ ) Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Back to the top
Keywords: 
kbhotfixserver kbqfe kbbug kbdfs kbfix kbgpo kbqfe kbwin2000presp2fix KB276516
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers