Article ID: 839499
You cannot open file shares or the Group Policy snap-ins on a Windows Server 2003 domain controller or on a Windows 2000 Server domain controller. When you log on to the domain controller locally and then try to open shares on the domain controller, you receive repeated password prompts, and you cannot open the shares. You can resolve this problem by changing the registry.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Scenario 1 - Server Message Block (SMB) signing is disabled for the Workstation service on a domain controller, but SMB signing is required for the Server service on the same domain controller
Scenario 2 - SMB signing is disabled for the Server service on a domain controller, but SMB signing is required for the Workstation service on the same domain controller
To resolve this behavior, follow these steps:
IMPORTANT This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows XP.
Step 1 - Change the registry
Step 2 - Restart the Server service and the Workstation service
Step 3 - Update the Sysvol share
Step 4 - Set up the SMB policy settings
Step 5 - Run the Group Policy Update utility
Step 6 - Check the application event log
Step 7 - Check the registry values
Step 8 - Check the SMB signing policy settings by using the Resultant Set of Policy (RSoP) snap-in
This behavior occurs if the SMB signing settings for the Workstation service and for the Server service contradict each other. When you configure the domain controller in this way, the Workstation service on the domain controller cannot connect to the domain controller's Sysvol share. Therefore, you cannot start Group Policy snap-ins. Also, if SMB signing policies are set by the default domain controller security policy, the problem affects all the domain controllers on the network. Therefore, Group Policy replication in the Active Directory directory service will fail, and you will not be able to edit Group Policy to undo these settings.
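The following read-only check is an added example, not part of the original article. It compares the SMB signing values of the Server and Workstation services on the local computer and reports whether they match Scenario 1 or Scenario 2. The registry paths and value names are the standard Windows locations and are assumptions here, because this page does not list them; the function names are hypothetical.

```powershell
# Added example: detect contradictory SMB signing settings on the local computer.
# Assumption: registry paths and value names below are the standard Windows
# locations for SMB signing; they are not listed on this page.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$paths = @{
    Server      = "$base\LanmanServer\Parameters"
    Workstation = "$base\LanmanWorkstation\Parameters"
}

# Read both signing values for one service. A value that is not present
# comes back as $null and is reported as "(not set)".
function Get-SigningState {
    param([string]$Name, [string]$Path)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        Service  = $Name
        Enabled  = $p.EnableSecuritySignature
        Required = $p.RequireSecuritySignature
    }
}

# "Disabled" here means: explicitly not enabled, and not required.
function Test-SigningDisabled {
    param($State)
    ($State.Enabled -eq 0) -and ($State.Required -ne 1)
}

$server = Get-SigningState -Name 'Server'      -Path $paths.Server
$client = Get-SigningState -Name 'Workstation' -Path $paths.Workstation

# Show the raw values so they can be compared with Group Policy results.
foreach ($s in @($server, $client)) {
    $e = if ($null -eq $s.Enabled)  { '(not set)' } else { $s.Enabled }
    $r = if ($null -eq $s.Required) { '(not set)' } else { $s.Required }
    Write-Output ("{0,-12} EnableSecuritySignature={1} RequireSecuritySignature={2}" -f $s.Service, $e, $r)
}

if ((Test-SigningDisabled $client) -and ($server.Required -eq 1)) {
    Write-Warning 'Scenario 1: signing is disabled for Workstation but required for Server.'
} elseif ((Test-SigningDisabled $server) -and ($client.Required -eq 1)) {
    Write-Warning 'Scenario 2: signing is disabled for Server but required for Workstation.'
} else {
    Write-Output 'No contradiction between Server and Workstation signing settings.'
}
```

The script only reads values. If Group Policy sets the signing policy, the values can be overwritten at the next policy refresh, so compare the output with the policy settings as well.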
Scenario 1 - If you run the domain controller diagnostic tool (DcDiag.exe), you receive errors that are similar to the following for Windows 2000 Server and for Windows Server 2003:
Scenario 2 - If you run the domain controller diagnostic tool, you receive errors that are similar to the following for Windows 2000 Server and for Windows Server 2003:
Article ID: 839499 - Last Review: July 12, 2013 - Revision: 10.1