Article ID: 828692 - View products that this article applies to.
When you try to change the password and Kerberos policies in Domain Security Policy on a domain controller in your Microsoft Windows 2000-based network, Kerberos policy changes are updated on the primary domain controller (PDC) emulator operations master, but Kerberos policy changes are not updated on the other domain controllers on your network.
This problem occurs if all the following conditions are true:
Because Kerberos policies are registry-based, these policies are not replicated to the domain controllers that are not PDCs. Kerberos policy changes are not processed or updated on the other domain controllers.
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
PrerequisitesMicrosoft Windows 2000 Service Pack 4
Restart requirementYou must restart your computer after you apply this hotfix.
Hotfix replacement informationThis hotfix does not replace any other hotfixes.
File informationThe English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name -------------------------------------------------------------- 11-Sep-2003 18:10 5.0.2195.6748 124,688 Adsldp.dll 11-Sep-2003 18:10 5.0.2195.6748 132,368 Adsldpc.dll 11-Sep-2003 18:10 5.0.2195.6748 63,760 Adsmsext.dll 11-Sep-2003 18:10 5.0.2195.6815 381,712 Advapi32.dll 11-Sep-2003 18:10 5.0.2195.6816 69,904 Browser.dll 11-Sep-2003 18:10 5.0.2195.6815 136,464 Dnsapi.dll 11-Sep-2003 18:10 5.0.2195.6780 96,528 Dnsrslvr.dll 11-Sep-2003 18:10 5.0.2195.6810 47,376 Eventlog.dll 11-Sep-2003 18:10 5.0.2195.6815 148,240 Kdcsvc.dll 18-Jun-2003 17:43 5.0.2195.6758 205,072 Kerberos.dll 26-Mar-2003 21:37 5.0.2195.6695 71,888 Ksecdd.sys 01-Aug-2003 17:40 5.0.2195.6797 509,712 Lsasrv.dll 01-Aug-2003 17:40 5.0.2195.6797 33,552 Lsass.exe 17-Jul-2003 23:13 5.0.2195.6786 109,840 Msv1_0.dll 11-Sep-2003 18:10 5.0.2195.6601 311,568 Netapi32.dll 11-Sep-2003 18:10 5.0.2195.6791 361,232 Netlogon.dll 11-Sep-2003 18:10 5.0.2195.6817 931,600 Ntdsa.dll 11-Sep-2003 18:10 5.0.2195.6815 392,464 Samsrv.dll 11-Sep-2003 18:10 5.0.2195.6817 113,936 Scecli.dll 11-Sep-2003 18:10 5.0.2195.6817 259,856 Scesrv.dll 04-Sep-2003 17:06 5.0.2195.6801 5,232,128 Sp3res.dll 11-Sep-2003 18:10 5.0.2195.6601 51,472 W32time.dll 16-Aug-2002 13:32 5.0.2195.6601 57,104 W32tm.exe 11-Sep-2003 18:10 5.0.2195.6741 126,224 Wldap32.dll
To work around this problem, create a new security database, import the security policy that you want to use, and then apply that policy specifically to each affected domain controller. This procedure updates the local registry and changes the settings in the tickets that have been issued by the Key Distribution Center (KDC).
The following is a sample .inf file that describes the default Kerberos policy. Make whatever changes are appropriate to your environment.
To use this template, follow these steps:
; (c) Microsoft Corporation 1997-2000 ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: KerbPol.INF ; ; Contains Default Policy Settings for Windows NT 5.0 Domain Controller. ; This template is NOT used by SCE during setup ; This template is applied via GP during Winlogon for the first DC in a Tree ; This template should NOT be used on Workstations or Servers. ; Please DO NOT EDIT version section. ; [version] signature="$CHICAGO$" revision=1 DriverVer=11/14/1999,5.00.2183.1 [Kerberos Policy] ; in hours MaxTicketAge=10 ; in days MaxRenewAge=7 ; in minutes MaxServiceAge=600 ; in minutes MaxClockSkew=5 ; enforce user logon restrictions = yes TicketValidateClient=1
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/816915/ )New file naming schema for Microsoft Windows software update packages
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates