Win2003: Different DefaultDomainPolicy between root and sub domain

Guest

Server: all Windows Server 2003 Enterprise Edition
Environment: all newly installed as one DC in a root domain and one DC in its subdomain in one forest.
AD mode is AD-integrated and also 2003 forest and domain level.
DCs are also Windows DNS servers.
================================================================
Problem:
I deployed system above.
However I have one big problem right now.
Default Group Policy was different between a parent and a child domains even though I didn't change them at all.
Although I haven't checked all differences, at least password policy in a child domain is downgraded to
member server-like policy level
(e.g. password complexity is invalid in child domain, etc.)
This symptom occurs not always.
No error or warning in event logs so that replication between domains seems working fine.

Please give me some advice. I'd really appreciate it.

Thank you for your time.
Rie
 
Tim Springston [MSFT]

Hi Rie-

It's not clear to me what the error is, but if you are looking to replace
the current default policies in your Windows 2003 domain with the default
settings, the command below should do that:

DCGPOFIX /TARGET:BOTH

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

Hi Tim,

Thank you for your advice.

What the problem is:

My understanding is:
Contents of Default Group Policy is the same regardless of domain layer
if GPO is not changed at all manually.

If it's true, do you have any idea why the policy settings become different
between a root and a child domains as mentioned earlier in my test environment?

I will try to use the command for fixing current environment though
need a long-term solution.

I'd appreciate more advice..

Thanks,

Best,
Rie


Guest

Is this problem related to MS03-048 problem?

Thanks
rie


Tim Springston [MSFT]

Hi Rieh-

The settings within the default domain policies start out as the same, but
those policies can be edited. Each domain's default policies are entirely
separate from each other; in other words, editing the Default Domain Policy
in the root domain will have no effect on the Default Domain Policy in a
child domain.

If you are seeing a difference between these policies it suggests that the
policy settings may have been changed by someone at some point. No
hotfixes change the settings that the policies provide.

If I have misunderstood or if you have additional concerns please repost.
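
Editor's added example, not part of the thread or any poster's code: one way to see exactly which account-policy settings differ between the two domains is to diff the `[System Access]` and `[Kerberos Policy]` sections of each domain's Default Domain Policy security template (`GptTmpl.inf` under the well-known Default Domain Policy GUID in SYSVOL). The function names and the two sample templates are constructed for illustration.

```python
import configparser

# Well-known GUID of the Default Domain Policy GPO; it is the same in every domain.
DDP_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# Sections of GptTmpl.inf that carry password, lockout and Kerberos policy.
ACCOUNT_SECTIONS = ("System Access", "Kerberos Policy")

def gpttmpl_path(domain_fqdn):
    """UNC path of a domain's Default Domain Policy security template."""
    return "\\".join(["", "", domain_fqdn, "SYSVOL", domain_fqdn, "Policies",
                      DDP_GUID, "MACHINE", "Microsoft", "Windows NT",
                      "SecEdit", "GptTmpl.inf"])

def load_inf(path):
    """Read a template from disk; GptTmpl.inf is normally UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as handle:
        return handle.read()

def account_policy(inf_text):
    """Return {"Section/Key": value} for the account-policy sections only."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                       strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text)
    settings = {}
    for section in ACCOUNT_SECTIONS:
        if parser.has_section(section):
            for key, value in parser.items(section):
                settings[f"{section}/{key}"] = (value or "").strip()
    return settings

def diff_policies(root_text, child_text):
    """Map each differing setting to (root value, child value); None = absent."""
    root, child = account_policy(root_text), account_policy(child_text)
    return {key: (root.get(key), child.get(key))
            for key in sorted(root.keys() | child.keys())
            if root.get(key) != child.get(key)}

# Constructed sample templates (not taken from the thread's environment).
ROOT_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
"""
CHILD_INF = """[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 1
"""

if __name__ == "__main__":
    for key, (root_val, child_val) in diff_policies(ROOT_INF, CHILD_INF).items():
        print(f"{key}: root={root_val} child={child_val}")
```

Against real domains, feed `load_inf(gpttmpl_path(...))` for the root and the child into `diff_policies`. A setting reported as `None` is simply not defined in that GPO, which is different from being defined with a weak value.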
 
Guest

Hello Tim,

Thank you again.

Well, nobody changes the policy settings since I manage these machines alone.
I could recreate this environment several times so that I checked the settings
as soon as a new child domain was created.

I started worrying about Default Group Policy itself might not be reflected on the
child domain somehow.

I haven't compared between policy of a child domain and original one yet
since the volume is huge.

The reason I brought up MS03-048, the hotfix seems to have a bit of a policy-related
problem. That is all.

I really appreciate for your time and patience.
Rie


Tim Springston [MSFT]

Hi Rieh-

If you are concerned that the settings are not default for your GPOs, and
you want them to be, you can still replace the current ones with the
defaults for that domain with the command we mentioned earlier:

DCGPOFIX /TARGET:BOTH

--
Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest

Hi Tim,

I understand what you mean but we don't want to use that command
whenever we add a new domain for actual environment.
We have to create lots of new domains soon.

Also, if we can't solve this problem, there is possibility to change the settings
again for some reason during operation even executing that command at
creating a domain.

I am really sorry to bother you but we truly need to resolve this.

If you know more than that, please help me more.

Thanks a lot.
rieh



Buz [MSFT]

Ok so the exact issue you are dealing with here is the default domain
policies? Password section is different between the parent and child domain.
The child domain is not seeming to get the password policies from the parent
domain and there are no errors anywhere. Is this a correct synopsis of the
issue? If not please add details.

Something I have seen that will cause behaviour such as this is if the
default domain controller OU has the block from above privilege in the child
or if the domain controllers OU has somehow been denied access to the
Default Domain Policy.

When changes to a domain account password are made they are made on a
Domain Controller. Since password settings must be consistent Domain wide
these settings must be configured at the domain. In order for these domain
settings to be effective they must also be applied to the Domain
controllers. When a Domain password is changed the DC will adhere to the
last applied domain policy and any password settings therein. If Block
Policy is checked on the Domain Controllers OU and No Override is not set on
the Domain Policy with the desired password settings the DC's will not
receive the password settings from the domain and the desired settings will
not be effective on Domain accounts.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

Guest

Thank you, Buz.

"Ok so the exact issue you are dealing with here is the default domain
policies? Password section is different between the parent and child domain."

This is correct though,
Default Domain Policy is not inherited by child domain so that I don't think

"The child domain is not seeming to get the password policies from the parent
domain and there are no errors anywhere."

this statement is not necessary.
Even MS provides default setting of Default Domain Policy though, my child domain
didn't get those settings. That is the problem. It really doesn't matter whether
same as parent domain's one or not.
Just always seems root domain get right policy settings. That is why...

"If Block Policy is checked on the Domain Controllers OU and No Override is not
set on the Domain Policy ..."

Well, I discovered this problem when making new accounts after completed AD
installation right away. Although I didn't do any other operation, will try to check
whether that check is done or not.

I am looking forward to hearing from you soon.

rieh
