You may experience problems when you configure the Primary DNS Suffix Group Policy setting on a domain controller or a CA server that is running Windows Server 2003 (920717)

SYMPTOMS

On a computer that is running Microsoft Windows Server 2003, you may experience problems when you configure the Primary DNS Suffix Group Policy setting. For example, if you apply this policy setting to a domain controller, you may experience problems when you log on to the domain controller. Also, if you apply this policy setting to a certification authority (CA) server, you may experience the following problems:

The certificates that the server issued no longer work.
The CA server cannot issue new certificates.
Subordinate CA servers can no longer connect to the CA server.

Note The path of the Primary DNS Suffix Group Policy setting is Computer Configuration/Administrative Templates/Network/DNS Client.

CAUSE

This problem occurs because the DNS client policy engine does not check the computer's role before the engine applies policy settings to the local TCP/IP stack.

RESOLUTION

To resolve this problem, follow these steps on the domain controller or on the CA server:

Delete the Primary DNS Suffix Group Policy setting.
Refresh all Group Policy settings. To do this, type GPUpdate /Force at a command prompt, and then press ENTER.
Restart the computer.

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

258503 Event ID 5788 and event ID 5789 occur when the DNS domain name and the Active Directory domain name differ on a Windows Server 2003-based, Windows XP-based, or Windows 2000-based computer