MMC.EXE hangs editing GPO

Thread starter: Guest

We recently upgraded our legacy NT domain to Win2003 Active Directory. All
appears to be successful but we are having a problem editing the default GPOs.

An attempt to browse Computer Configuration --> Windows Settings -->
Security Settings results in a hung GPO editor. Attempting to browse User
Configuration --> Windows Settings --> Security Settings also hangs the GPO
editor. All other settings can be browsed without incident.

This turns out not to be an ADM file version problem. We've figured out that
when the "Security Settings" of a GPO is expanded on a Win2003 server,
MMC.EXE attempts LDAP connections to several servers. The problem in our
situation is that it is attempting an LDAP connection to an Exchange 5.5
Server (on a Win2000 member server). Because MMC.EXE successfully makes a
non-AD LDAP connection, it hangs and does not time out.

How it probably happened:
Shortly before our AD upgrade we took an NT4 BDC off the wire in case of an
upgrade failure. The DNS equivalent of its NetBIOS name had been assigned to
the Exchange server several months earlier for other purposes. Our guess is
that, after the upgrade, a DC went looking for (B)DCs and accidentally found
the Exchange server via DNS. Presumably it has cached (or stored somewhere in
AD) either the IP address of the Exchange server or the DNS name of the
missing NT4 BDC.

We have removed the computer account for the NT4 BDC with no effect on this
problem.
Windows 2003 DCs and members both exhibit this behavior.
Windows XP does not exhibit this behavior.
AD replication looks good, and neither the NT4 BDC nor the Exchange server
is found in AD service records in DNS.

We can work around this problem with IPSec filters on the Win2003 servers
that keep them from connecting to TCP 389 on the Exchange server. We would
rather fix this by convincing the servers (or AD) that they should not be
contacting the Exchange server at all.


Thanks,
Marcus
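The diagnosis above (a DC-like name resolving to a non-AD LDAP listener, which MMC then connects to and never times out on) can be checked directly rather than inferred. The following PowerShell is an added example, not code from this thread or from Microsoft; it assumes a domain-joined Windows host with .NET's System.DirectoryServices.Protocols available, that anonymous RootDSE reads are permitted (the AD default), and that the candidate host names at the bottom ('OLDBDC', 'DC1', 'DC2') are placeholders for the names your environment might resolve. Unlike MMC it sets a hard LDAP timeout, and it tells an AD DC apart from any other LDAP server (such as Exchange 5.5) by the RootDSE attributes only AD advertises.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell on a domain-joined
# Windows host; System.DirectoryServices.Protocols available; anonymous RootDSE reads
# allowed; the candidate names passed at the bottom are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices

# LDAP_CAP_ACTIVE_DIRECTORY_OID: every AD DC lists it in RootDSE supportedCapabilities.
$AdCapabilityOid = '1.2.840.113556.1.4.800'

function Test-AdLdapEndpoint {
    # Query RootDSE with a hard timeout and report whether the responder is an AD DC.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 389,
        [int]$TimeoutSeconds = 5
    )
    $r = [ordered]@{
        Host = $HostName; Port = $Port; Reachable = $false
        IsActiveDirectory = $false; DnsHostName = $null; Error = $null
    }
    $conn = $null
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.SessionOptions.ProtocolVersion = 3
        # The timeout is the point: MMC had none, so a foreign LDAP listener hung it.
        $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

        # RootDSE: empty base DN, base scope, objectClass=* filter.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('dnsHostName', 'defaultNamingContext', 'supportedCapabilities'))
        $resp = $conn.SendRequest($req)
        $r.Reachable = $true

        if ($resp.Entries.Count -gt 0) {
            $attrs = $resp.Entries[0].Attributes
            $caps = @()
            if ($attrs.Contains('supportedCapabilities')) {
                $caps = $attrs['supportedCapabilities'].GetValues([string])
            }
            # A non-AD LDAP server (e.g. Exchange 5.5) answers, but lacks both markers.
            $r.IsActiveDirectory = $attrs.Contains('defaultNamingContext') -and ($caps -contains $AdCapabilityOid)
            if ($attrs.Contains('dnsHostName')) {
                $r.DnsHostName = $attrs['dnsHostName'].GetValues([string])[0]
            }
        }
    } catch {
        # Timeouts, refused connections and protocol errors all land here.
        $r.Error = $_.Exception.Message
    } finally {
        if ($conn) { $conn.Dispose() }
    }
    [pscustomobject]$r
}

function Find-StrayLdapResponders {
    # For each candidate name, resolve it via DNS and flag any LDAP responder that is not a real DC.
    param([Parameter(Mandatory)][string[]]$CandidateNames)

    # Authoritative DC list straight from the domain, not from DNS guesses.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcIps  = @($domain.DomainControllers | ForEach-Object { $_.IPAddress })

    foreach ($name in $CandidateNames) {
        try {
            $ips = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
        } catch {
            Write-Output "$name : does not resolve (nothing will be contacted)"
            continue
        }
        foreach ($ip in $ips) {
            $probe = Test-AdLdapEndpoint -HostName $ip
            if ($probe.Reachable -and -not $probe.IsActiveDirectory) {
                Write-Warning "$name -> $ip answers LDAP but is NOT an AD DC (dnsHostName=$($probe.DnsHostName)); stale DNS record?"
            } elseif ($probe.Reachable -and ($dcIps -notcontains $ip)) {
                Write-Warning "$name -> $ip is an AD DC but is not in this domain's DC list"
            } else {
                Write-Output "$name -> $ip : reachable=$($probe.Reachable) AD=$($probe.IsActiveDirectory) error=$($probe.Error)"
            }
        }
    }
}

# Placeholder names: the retired NT4 BDC's NetBIOS/DNS name and the current DCs.
Find-StrayLdapResponders -CandidateNames @('OLDBDC', 'DC1', 'DC2')
```

A name that resolves to a host which answers LDAP without `defaultNamingContext` or the AD capability OID is exactly the situation described in the post: the record should be corrected or removed in DNS, which removes the reason for the IPSec workaround.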
 
No problem!

Instead of posting the same question individually to several newsgroups, you
should post the same question to multiple newsgroups by using the ";" to
separate the NGs. For example, microsoft.public.activedirectory;
microsoft.public.exchange;microsoft.public.termserv. That way, were I to
respond to the post in the Active Directory newsgroup, that reply would
appear in all three!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 