This article has been archived. It is offered "as is" and will no longer be updated.
When you try to change the password and Kerberos policies in Domain Security Policy on a domain controller in your Microsoft Windows 2000-based network, Kerberos policy changes are updated on the primary domain controller (PDC) emulator operations master, but Kerberos policy changes are not updated on the other domain controllers on your network.
This problem occurs if all the following conditions are true:
You have installed Microsoft Windows 2000 Service Pack 4 on the domain controllers.
You have a mixed network environment that includes Microsoft Windows NT-based computers.
The domain controller that you used to change the Kerberos policies is not the PDC operations master.
Starting with Windows 2000 Service Pack 4, domain-wide account and Kerberos policies are processed only by the PDC emulator operations master. This change prevents unnecessary Active Directory replication of directory-based account policies.
Because Kerberos policies are registry-based, these policies are not replicated to the domain controllers that are not PDCs. Kerberos policy changes are not processed or updated on the other domain controllers.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Microsoft Windows 2000 Service Pack 4
You must restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
To work around this problem, create a new security database, import the security policy that you want to use, and then apply that policy specifically to each affected domain controller. This procedure updates the local registry and changes the settings in the tickets that have been issued by the Key Distribution Center (KDC).
The following is a sample .inf file that describes the default Kerberos policy. Make whatever changes are appropriate to your environment.
; (c) Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: KerbPol.INF
;
; Contains Default Policy Settings for Windows NT 5.0 Domain Controller.
; This template is NOT used by SCE during setup
; This template is applied via GP during Winlogon for the first DC in a Tree
; This template should NOT be used on Workstations or Servers.
; Please DO NOT EDIT version section.
;
[version]
signature="$CHICAGO$"
revision=1
DriverVer=11/14/1999,5.00.2183.1

[Kerberos Policy]
; in hours
MaxTicketAge=10
; in days
MaxRenewAge=7
; in minutes
MaxServiceAge=600
; in minutes
MaxClockSkew=5
; enforce user logon restrictions = yes
TicketValidateClient=1
To use this template, follow these steps:
1. Save the sample template to a file. Name the file KerbPol.inf.
2. Start the Microsoft Management Console (MMC). To do this, click Start, click Run, type MMC, and then click OK.
3. Add the Security Configuration and Analysis snap-in. To do this, follow these steps:
   a. Click Console, and then click Add/Remove Snap-in.
   b. On the Standalone tab, click Add.
   c. In the Available Standalone Snap-ins list, click Security Configuration and Analysis, click Add, and then click Close.
   d. In the Add/Remove Snap-in dialog box, click OK.
4. In the tree-view pane, right-click Security Configuration and Analysis, and then click Open Database.
5. In the File Name box, type KerbPol.sdb, and then click Open.
6. In the Import Template dialog box, locate the .inf file that you saved in step 1.
7. Click to select the Clear this database before importing check box, and then click Open.
8. In the tree-view pane, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
9. In the Perform Analysis dialog box, click OK.
10. When the Analysis is complete, expand Security Configuration and Analysis, expand Account Policies, and then click Kerberos Policy. Make sure that the settings in the Database Settings column are correct.
11. In the tree-view pane, right-click Security Configuration and Analysis, and then click Configure Computer Now.
12. In the Configure System dialog box, click OK.
13. Restart the server.
The domain controller is now configured with the new policy. You can rerun the analysis by using the database that you created in step 4. When you complete the analysis, make sure that the Effective Settings column matches the Database Settings column in Security Configuration and Analysis.
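Added example (not part of the original Microsoft article): a Python check that compares the [Kerberos Policy] section of the intended template against policy templates taken from each domain controller, so that controllers still running stale Kerberos settings stand out. It assumes each controller's effective policy is available as text in the same .inf format as KerbPol.inf; the function names, the controller names, and the sample values are constructed for illustration.

```python
import configparser

# Setting names as they appear in the sample KerbPol.inf on this page.
KERBEROS_KEYS = ("MaxTicketAge", "MaxRenewAge", "MaxServiceAge",
                 "MaxClockSkew", "TicketValidateClient")

def kerberos_policy(inf_text):
    """Return the [Kerberos Policy] section of a template as {name: int}."""
    parser = configparser.ConfigParser(
        comment_prefixes=(";",), interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(inf_text)
    if not parser.has_section("Kerberos Policy"):
        return {}  # a missing section is reported as drift on every key
    return {k: int(v) for k, v in parser.items("Kerberos Policy")}

def policy_drift(reference_inf, exports):
    """Map each DC name to {setting: (expected, actual)} where they differ."""
    expected = kerberos_policy(reference_inf)
    drift = {}
    for dc, inf_text in exports.items():
        actual = kerberos_policy(inf_text)
        diffs = {k: (expected.get(k), actual.get(k))
                 for k in KERBEROS_KEYS if expected.get(k) != actual.get(k)}
        if diffs:
            drift[dc] = diffs
    return drift

# Constructed sample data: the intended policy, and templates from two
# hypothetical domain controllers. DC-02 still has the default values.
REFERENCE = """[version]
signature="$CHICAGO$"
revision=1
[Kerberos Policy]
; in hours
MaxTicketAge=8
MaxRenewAge=7
MaxServiceAge=480
MaxClockSkew=5
TicketValidateClient=1
"""
EXPORTS = {
    "DC-PDC": REFERENCE,
    "DC-02": REFERENCE.replace("MaxTicketAge=8", "MaxTicketAge=10")
                      .replace("MaxServiceAge=480", "MaxServiceAge=600"),
}

if __name__ == "__main__":
    for dc, diffs in policy_drift(REFERENCE, EXPORTS).items():
        print(dc, diffs)
```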
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816915 New file naming schema for Microsoft Windows software update packages
824684 Description of the standard terminology that is used to describe Microsoft software updates