This article was previously published under Q276516
This article has been archived. It is offered "as is" and will no longer be updated.
When you run Windows 2000 Professional as a member of a Windows 2000-based domain with many domain controllers, the application of Group Policy may not work. The most notable error is event 1001 by SceCli in the Application event log:
Security policy cannot be propagated. The system cannot find the path specified. Error code = 3.
In a network trace, you see that the client sends "DFS Get Referral" SMBs to the server with buffer sizes of 4,096; 8,192; 16,384; 32,768; and 57,344. Each request does not work and generates STATUS_BUFFER_OVERFLOW.
When a Windows 2000-based client attempts connect to the Sysvol share, it treats the share like any other Distributed File System (DFS) volume. It attempts to obtain a list of servers that host this volume. To do this, it sends a transact2 SMB to the server with the "DFS Get Referral" command. Because Sysvol has as many replicas as there are domain controllers in the domain, the list of servers that host the volume can become very long.
The resultant UNICODE FQDNs of the domain controllers that are able to host Sysvol need to fit into the response to the transact2 SMB. The limit is demonstrated by:
MaxNumOfDCsInASingleDomain ~= 57344 / ((<length of DC FQDN> + 1) * 2)
Therefore, the length of the domain controller FQDNs and the number of domain controllers in the domain determine the threshold at which this limitation will occur.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name ----------------------------------------------------- 10/24/2000 09:38p 5.0.2195.2560 74,448 Dfs.sys 10/24/2000 09:38p 5.0.2195.2560 90,384 Dfssvc.exe
This is a server side fix. To prevent this issue, install this update on all Domain Controllers. Also install this fix on member servers that host Domain DFS replicas, because this issue affects them as well.
The only temporary workaround that may work is to reduce the number of domain controllers in the domain below the threshold at which the problem is experienced.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes