RE: Logon problems after running dcgpofix.exe to reset domain policies

Hi Gane,

Thank you for posting in SBS newsgroup.

You said: "I am using the following setup: Windows 2003 Server standard
edition with clients running Windows 2000 pro and Windows XP pro", to
narrow down the problem, would you please help me confirm if you are using
Windows server 2003 Standard Edition or Windows Small Business Server 2003
Standard Edition?

As I know, DCgpofix itself won't cause severe issue like this. May you tell
me why you want to use this command and what's previous issue and does the
issue persist before you do so? Do you have backup before you running the
command?

Current, we may try to disable SMB signing in the whole server domain:

1. Make sure the following policies are all ''Disable'' (instead of ''Not
defined'') in BOTH ''Default Domain Policy'' and ''Default Domain
Controller Policy'':

1) Microsoft network client: Digitally sign communications (always):
Disabled
2) Microsoft network client: Digitally sign communications (if server
agrees): Disabled
3) Microsoft network server: Digitally sign communications (always):
Disabled
4) Microsoft network server: Digitally sign communications (if client
agrees): Disabled
5) LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
session security if negotiated

You can find the policy as following:

1) Open Server Management, and then expand Advanced Management | Group
Policy Management | Forest | Domains | Server name.
2) Right click Default Domain Policy and select Edit.
3) In Group Policy Object Editor, expand Computer Configuration | Windows
Settings | Security Settings | Local Policies.
4) Click Security Options.
5) Open Server Management, and then expand Advanced Management | Group
Policy Management | Forest | Domains | Server name | Domain Controllers.
6) Right click Default Domain Controllers Policy and select Edit.
7) In Group Policy Object Editor, expand Computer Configuration | Windows
Settings | Security Settings | Local Policies.
8) Click Security Options.

2. Still on the DC, issue ''gpupdate /force'' in a command console.
3. Restart the DC and client computer to take effect.
4. Disable Oplock, please refer to the following KB article:

296264 Configuring opportunistic locking in Windows
http://support.microsoft.com/?id=296264

Does it work now?

If it does not work, please help me collect the following information:

1) Please check if the Server service and RPC service are running and are
set to Automatic on SBS.
2) Please check if the Server service and Workstation service are running
and are set to Automatic on client computer.
3) Is ISA installed on the SBS server? If so, is it ISA 2000 or ISA 2004?

More information:

833783 The Dcgpofix tool does not restore security settings in the Default
Domain Controller Policy to their original state
http://support.microsoft.com/?id=833783

324800 How To Reset User Rights in the Default Domain Group Policy in
Windows Server 2003
http://support.microsoft.com/?id=324800

Thanks for your time and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: ganeshokade@xxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Logon problems after running dcgpofix.exe to reset domain
policies
| Date: 1 Dec 2005 12:59:20 -0800
| Organization: http://groups.google.com
||
| Dear Experts,
| I am using the following setup: Windows 2003 Server standard
| edition with clients running Windows 2000 pro and Windows XP pro. I was
| having some minor issues with group policies and so I ran dcgpofix.exe
| to reset the Default Domain Policies and Default Domain Controller
| policies. After doing this I am facing series problems on the clients:
| a) When trying to logon into the domain, the login process takes up a
| long time (around 3 minutes or so)
| b) I am unable to login into the domain. Event viewer has errors:
| Under "Application": Windows cannot determine the user or computer
| name. (The RPC server is unavailable. ). Group Policy processing
| aborted.
|
| Under "System": No Domain Controller is available for domain SUNLUX
| due to the following:
| There are currently no logon servers available to service the logon
| request. .
| c) Accesses to the domain controllers "shares" are very slow (though
| successful)
|
| After running dcgpofix.exe, I notice that most of the policies
| in the Default Domain Policy GPO have been set to "Not Defined". I am
| sure this was not how it was before I reset the GPO - there were
| several policies that were defined. I feel that this is the reason for
| my problems now.
|
| I would like to know if there is a source for a list of
| default settings for the various policies in the Default Domain Polic.
| I can use this as a reference to reset my policies manually one by one.
|
| Thanks for the help.
|
|

.

Relevant Pages

  • Re: The Web site cannot be found - errors
    ... What is the server OS version? ... SBS 2003 or Windows 2003? ... setup and deployment newsgroup. ... this issue may occur if the web site is using ...
    (microsoft.public.windows.server.sbs)
  • RE: DFS & GPO Problems
    ... Thank you for posting in SBS newsgroup. ... DNS Server address is not configured correctly on the affected ... We can also try to disable the Windows Firewall on the problematic ...
    (microsoft.public.windows.server.sbs)
  • RE: Windows Messenger - Auto Log Off
    ... 827182 Group Policy settings are not applied when you log on to a server by ... 239924 How to disable Media Sensing for TCP/IP in Windows ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: Server Hanging on Applying personal settings
    ... clients shows disconnected to server. ... How to troubleshoot a problem by performing a clean boot in Windows Vista ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • RE: trying to recover files on SBS2K3 disk using XP Pro
    ... the IMAPI CD-Burning COM Service is installed with Windows ... Server 2003 and it is by default disabled. ... This newsgroup only focuses on SBS technical issues. ... | files but can't open the important "Users Shared Folders" folders ("Not ...
    (microsoft.public.windows.server.sbs)