none
GPRESULT return different domain type for COMPUTER & USER

    Question

  • The challenge remains to me to be inherited. I do not know the causes of the problem.

    1) Value "domainReplica" (in ADSI) is "PHOBOS" in "DC=ads,DC=DOMAIN,DC=kz". I can't clean this attibute in ADSI - error return "ERROR_DS_ATTRIBUTE_OWNED_BY_SAM,8346,0x209A,Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)."

    2) GPRESULT RETURN:

    Microsoft (R) Windows (R) Operating System Group Policy Copyright (C) Microsoft Corp. 1981-2001

    Created On 24.02.2009 at 10:00:30

    RSOP data for DOMAIN\Administrator on DC1 :
    -------------------------------------------------------------------
    OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
    OS Configuration:            Primary Domain Controller
    OS Version:                  5.2.3790
    Terminal Server Mode:        Remote Administration
    Site Name:                   GO
    Roaming Profile:
    Local Profile:               C:\Documents and Settings\Administrator
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=DC1,OU=Domain Controllers,DC=ads,DC=DOMAIN,DC=kz
        Last time Group Policy was applied: 24.02.2009 at 9:57:17
        Group Policy was applied from:      DC1.ads.domain.kz
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        ads
        Domain Type:                        WindowsNT 4

        Applied Group Policy Objects
        -----------------------------
            Default Domain Controllers Policy
            WSUS
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
        <deleted>


    USER SETTINGS
    --------------
        CN=Administrator,OU=GO,DC=ads,DC=DOMAIN,DC=kz
        Last time Group Policy was applied: 24.02.2009 at 9:53:55
        Group Policy was applied from:      DC1.ads.domain.kz
        Group Policy slow link threshold:   0 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            IT policy
            Global Users Settings
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Admins Computers Group Settings
                Filtering:  Denied (Security)

            Connect Network Disk
                Filtering:  Disabled (GPO)

            WSUS
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
         <deleted>

    3) Domain and Forest - Windows 2003 Native mode, Windows 2003 have Service Pack 2.


    PROBLEM:
    1) GPO applied only on computer restart and not applied on 5 minutes interval.
    2) GPRESULT domain type different for COMPUTER and USER

    Somebody knows a solution to the problem ?

    Tuesday, February 24, 2009 5:24 AM

Answers

  • Hi,

    Regarding the "different domain type" issue, it occurs not in older version of gpresult. It affects the gpresult version delivered with Windows Server 2003 SP2 (version number 5.2.3790.3959) and maybe later versions.

    There was a change in the behavior gpresult reads the “Domain Name” data: In the new version delivered with Windows Server 2003 SP2 gpresult does a lookup for the domain name in the registry of the client under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters --> REG_SZ “Domain”.

    This “Domain” parameter is a copy of the key “NV Domain” which is written from “NV Domain” to “Domain” at the boot of the machine. The “NV Domain” itself is the primary DNS suffix for the machine.

    If the primary DNS suffix of the machine is wrong or if there is a disjoined DNS namespace and the machine’s primary DNS domain is another one than the DNS domain name the server is joined, gpresult will try to connect to the NetBIOS name of the domain which is set in primary DNS suffix. That’s why there is a wrong NetBIOS domain name shown in gpresult “Domain Name”.Because this domain does not exist and could not be reached, gpresult will fall back to a default value for “Domain Type” which is “WindowsNT 4”.

    You can run an older version of gpresult (e.g. gpresult from a SP1 box) and you will get the correct information without the broadcast delay in the gpresult export while querying the domain name.

    If you change the mentioned “Domain” value in the registry you will get a correct result - but this value will be overwritten by the “NV Domain” value while rebooting the machine. Changing the “NV Domain” would change the primary DNS suffix of the machine and

    Regarding the Value "domainReplica" of "DC=ads,DC=DOMAIN,DC=kz", please try the steps below to check permissions.

    Right-click "DC=ads,DC=DOMAIN,DC=kz" in ADSIEDIT, choose Properties, switch to Security tab, make sure the Enterprise Admins have Full Control permission. You can also give Full Controller permission to Domain Admins to test.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 25, 2009 10:05 AM

All replies

  •  

    dcdiag /s:DC1

    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests

       Testing server: GO\DC1
          Starting test: Connectivity
             ......................... DC1 passed test Connectivity

    Doing primary tests

       Testing server: GO\DC1
          Starting test: Replications
             ......................... DC1 passed test Replications
          Starting test: NCSecDesc
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC1 passed test NetLogons
          Starting test: Advertising
             ......................... DC1 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... DC1 passed test RidManager
          Starting test: MachineAccount
             ......................... DC1 passed test MachineAccount
          Starting test: Services
             ......................... DC1 passed test Services
          Starting test: ObjectsReplicated
             ......................... DC1 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC1 passed test frssysvol
          Starting test: frsevent
             ......................... DC1 passed test frsevent
          Starting test: kccevent
             ......................... DC1 passed test kccevent
          Starting test: systemlog
             ......................... DC1 passed test systemlog
          Starting test: VerifyReferences
             ......................... DC1 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom

       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom

       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom

       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom

       Running partition tests on : ads
          Starting test: CrossRefValidation
             ......................... ads passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ads passed test CheckSDRefDom

       Running enterprise tests on : ads.DOMAIN.kz
          Starting test: Intersite
             ......................... ads.DOMAIN.kz passed test Intersite
          Starting test: FsmoCheck
             ......................... ads.DOMAIN.kz passed test FsmoCheck

     

    Tuesday, February 24, 2009 5:28 AM
  • Hi,

    Regarding the "different domain type" issue, it occurs not in older version of gpresult. It affects the gpresult version delivered with Windows Server 2003 SP2 (version number 5.2.3790.3959) and maybe later versions.

    There was a change in the behavior gpresult reads the “Domain Name” data: In the new version delivered with Windows Server 2003 SP2 gpresult does a lookup for the domain name in the registry of the client under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters --> REG_SZ “Domain”.

    This “Domain” parameter is a copy of the key “NV Domain” which is written from “NV Domain” to “Domain” at the boot of the machine. The “NV Domain” itself is the primary DNS suffix for the machine.

    If the primary DNS suffix of the machine is wrong or if there is a disjoined DNS namespace and the machine’s primary DNS domain is another one than the DNS domain name the server is joined, gpresult will try to connect to the NetBIOS name of the domain which is set in primary DNS suffix. That’s why there is a wrong NetBIOS domain name shown in gpresult “Domain Name”.Because this domain does not exist and could not be reached, gpresult will fall back to a default value for “Domain Type” which is “WindowsNT 4”.

    You can run an older version of gpresult (e.g. gpresult from a SP1 box) and you will get the correct information without the broadcast delay in the gpresult export while querying the domain name.

    If you change the mentioned “Domain” value in the registry you will get a correct result - but this value will be overwritten by the “NV Domain” value while rebooting the machine. Changing the “NV Domain” would change the primary DNS suffix of the machine and

    Regarding the Value "domainReplica" of "DC=ads,DC=DOMAIN,DC=kz", please try the steps below to check permissions.

    Right-click "DC=ads,DC=DOMAIN,DC=kz" in ADSIEDIT, choose Properties, switch to Security tab, make sure the Enterprise Admins have Full Control permission. You can also give Full Controller permission to Domain Admins to test.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, February 25, 2009 10:05 AM
  • Mervyn,

    I have gone through the registry where your response said and I was wondering where the "Domain Type" came from?  I thought it was the functional level but it is not.  Why would this guys be different (NT 4 really?) and why would mine say Win2k when I only have one Windows 2008 server on my domain.  There never has been a windows 200 or 2003 server here in any capacity.  I installa  brand new server with all the bells and whistles and I am apparently running a windows  2000 domain from somewhere.

    I have posted a question regarding this here (http://social.technet.microsoft.com/Forums/en-ca/windowsserver2008r2general/thread/15c09637-ef13-480f-af25-fea16f24c603) but you seem to know what you are talking about so I thought i might get a quick answer here.

    Thansk,


    Shayne Neal
    Saturday, March 20, 2010 12:33 AM