Consider the following scenario. You create an organizational unit (OU) in the Active Directory directory service on a Microsoft Windows Server 2003-based computer. Then, you try to assign an Internet Protocol security (IPsec) policy to the Group Policy object (GPO) of the new OU before this OU is fully replicated. In this scenario, you receive the following error message:
A constraint violation occurred.This symptom occurs when you are working on a domain controller that is not in the same domain as the primary domain controller (PDC) emulator. Therefore, replication is not immediate.
By default, the Group Policy Object Editor snap-in connects to the PDC emulator when the Active Directory Users and Computers snap-in connects to the closest domain controller. In this case, the closest domain controller is the local computer.
To work around this problem, make sure that the Active Directory Users and Computers snap-in and the Group Policy Object Editor snap-in connect to the same domain controller.
Steps to reproduce the problem
- Set up a Windows Server 2003-based domain controller. Name this domain controller " DC1."
- Set up a second Windows Server 2003-based domain controller. Name this domain controller "DC2." Make sure that DC2 is in the same domain as DC1.
- Log on to DC2, and then start the Active Directory Users and Computers snap-in.
- Create a custom OU.
- Select the properties of this OU to change the Group Policy settings.
- Modify the GPO.
- Create a new IPsec policy, and then try to assign this policy. You receive the error message that is mentioned in the "Symptoms" section.