Group Policy Not Applied with Many Domain Controllers in Domain (276516)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q276516

SYMPTOMS

When you run Windows 2000 Professional as a member of a Windows 2000-based domain with many domain controllers, Group Policy may not be applied. The most notable error is event 1001 from SceCli in the Application event log:
Security policy cannot be propagated. The system cannot find the path specified. Error code = 3.

\\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
In a network trace, you see that the client sends "DFS Get Referral" SMBs to the server with buffer sizes of 4,096; 8,192; 16,384; 32,768; and 57,344. Each request fails with STATUS_BUFFER_OVERFLOW.

CAUSE

When a Windows 2000-based client attempts to connect to the Sysvol share, it treats the share like any other Distributed File System (DFS) volume. It attempts to obtain a list of servers that host this volume. To do this, it sends a transact2 SMB to the server with the "DFS Get Referral" command. Because Sysvol has as many replicas as there are domain controllers in the domain, the list of servers that host the volume can become very long.

The resulting Unicode FQDNs of the domain controllers that are able to host Sysvol need to fit into the response to the transact2 SMB. The limit is approximately:

MaxNumOfDCsInASingleDomain ~= 57344 / ((<length of DC FQDN> + 1) * 2)

Therefore, the length of the domain controller FQDNs and the number of domain controllers in the domain determine the threshold at which this limitation will occur.
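The threshold formula above, worked through as an added example that is not part of the original article. The FQDNs are constructed sample data, the function names are hypothetical, and the size estimate counts only the names, as the article's formula does, not any other bytes in the referral response.

```python
# Added example: estimates from the article's formula only; any header or
# per-entry overhead in a real referral response is not modelled here.

# Buffer sizes the client tries for "DFS Get Referral", per the article.
CLIENT_BUFFER_SIZES = [4096, 8192, 16384, 32768, 57344]
MAX_RESPONSE = CLIENT_BUFFER_SIZES[-1]


def referral_bytes(fqdns):
    """Bytes for the names: (length + 1) characters, 2 bytes each (Unicode)."""
    return sum((len(name) + 1) * 2 for name in fqdns)


def max_dcs(fqdn_length):
    """Article's approximation: 57344 / ((FQDN length + 1) * 2)."""
    return MAX_RESPONSE // ((fqdn_length + 1) * 2)


def first_fitting_buffer(fqdns):
    """Return the first client buffer size that holds the list, or None
    if every attempt would end in STATUS_BUFFER_OVERFLOW."""
    needed = referral_bytes(fqdns)
    for size in CLIENT_BUFFER_SIZES:
        if needed <= size:
            return size
    return None


def sample_domain(count, domain="corp.example.com"):
    """Constructed sample data: dc0001.corp.example.com, dc0002..., etc."""
    return [f"dc{i:04d}.{domain}" for i in range(1, count + 1)]


if __name__ == "__main__":
    for count in (50, 500, 1194, 1195):
        dcs = sample_domain(count)
        fit = first_fitting_buffer(dcs)
        status = (f"fits in {fit}-byte buffer" if fit
                  else "STATUS_BUFFER_OVERFLOW on every attempt")
        print(f"{count:5d} DCs, {referral_bytes(dcs):6d} bytes: {status}")
    print("Limit for 23-character FQDNs:", max_dcs(23))
```

With 23-character FQDNs the estimate crosses the 57,344-byte ceiling between 1,194 and 1,195 domain controllers; longer names lower that count proportionally.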

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:
   Date        Time    Version        Size    File name
   -----------------------------------------------------
   10/24/2000  09:38p  5.0.2195.2560  74,448  Dfs.sys
   10/24/2000  09:38p  5.0.2195.2560  90,384  Dfssvc.exe

This is a server-side fix. To prevent this issue, install this update on all domain controllers. Also install this fix on member servers that host domain DFS replicas, because this issue affects them as well.

WORKAROUND

The only temporary workaround that may work is to reduce the number of domain controllers in the domain below the threshold at which the problem is experienced.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbDFS kbfix kbGPO kbQFE kbWin2000PreSP2Fix KB276516