Policy change kills access to template

[Peter J. Persing]

On a Windows 2003 domain controller, if I go into either Domain Security
Policy or Domain Controller Security Policy, local policies, and make ANY
changes in Audit Policies, User Rights Assignment or Security Options the
changes appear to complete successfully. But if I close the snap-in, and
reopen it I get a message "Windows cannot open the template file". In the
event log I get Event 1001 from SecCli that says "Security policy cannot be
propagated. Cannot access the template. Error code = -536870656". The error
message then gives the path to the relevant GptTmpl.inf file, which I can
access just fine. It does not appear to be corrupt, and in fact before
making any changes, all existing security policies are applied just fine.

When I say ANY changes can cause this, I mean something as minor as removing
or adding an audit policy.

Anyone run into this before?

 

[Steven L Umbach]

Hi Peter. Here is the link to a couple KB articles that may help. I would also run
netdiag dcdiag on that domain controller looking for any failed tests that may help
pinpoint problem. --- Steve

http://support.microsoft.com/?kbid=258296
http://support.microsoft.com/?kbid=271213

 

[Peter J. Persing]

Thanks Steve,

I have checked all those things and they are not the answer. I have run
netdiag, dcdiag, and lots of other tests on the domain controller and they
all show everything is ok. The real interesting thing is that everything
works properly unless I change one of the policies. That rules out a lot of
possible problems. Incidentally, the way I get out of this situation is by
restoring the system from a disk image. Had I not taken an image of the
system prior to making these changes I would be in a lot of trouble. I think
my only hope here is to find out what Error code = -536870656 means. A
search of the Windows and .net magazine forums shows that one other person
has this problem, but they don't know what the code means either. I found
nothing in my Technet CD or on the Microsoft sites. I can just let it run
this way until Microsoft comes out with SP1 and see if somehow it magically
gets fixed, but I would sure like to know what is causing this.

 

[Steven L Umbach]

Hi Peter. Thanks for posting back. Glad you got it working and kudos to you
for having the image to restore from. Kind of scary though. --- Steve

 

[Peter J. Persing]

UPDATE:

First (always) I took an image copy of both domain controllers. Then, using
the Domain Security Policy and Domain Controller Security Policy snap-ins I
exported all the account policies and local policies to text files and
printed them (6 lists for each environment). Then I ran the DCGPOFIX
utility. Then I changed an audit policy. It worked, I didn't get any error
code, and I could close and reopen the snap-in and read the template. Yea!

Using the printed lists I obtained before running the utility, I reviewed
each policy list and made additions and changes where necessary. The utility
does not preserve policy changes made through Exchange 2000 setup and other
changes such as migrated changes from a earlier system upgrade. I was very
surprised at the number of additional settings that were present, and of
course there were a number missing. It only took me about 45 minutes to
retrofit all the changes from the lists and now everything is working ok.

I have no idea why this problem occurred in the first place, but I suspect
it might have happened when I added my first Windows 2003 domain controller
to the Windows 2000 domain. I think that these files were copied from the
Windows 2000 DC without adding any new settings that were required for
Windows 2003. What I did manually should have happened during DomainPrep or
at some other step when the security settings from the existing domain
controller were copied to the new domain controller. I further suspect that
a number of people complaining about 1030/1058 events in new Windows 2003
DC's are suffering from a variation of this same problem.