After much frustration, I think I figured out why we were unable to create GPOs when connected to DC00.
GPOs could successfully be created if GPMC was connected to DC01 or DC03. An "Access is denied" message would appear if you tried to create a GPO while GPMC was connected to DC00.
The AD permissions on the System\Policies container looked correct. The NTFS permissions on DC00's Sysvol\...\Policies directory looked correct.
DC00's security event log would add an entry like the one below whenever someone tried to create a GPO and was denied:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 6/26/2007
Time: 3:54:00 PM
User: NT AUTHORITY\SYSTEM
Computer: DC00
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: itd.arkurth
Source Workstation: SANDBERG-VMWARE
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So, an authentication error occurred. I captured packet traces with Wireshark while trying to create a GPO when connected to DC00 (failed) and DC01 (succeeded). This showed it was failing after being referred to \\DC00.UNITY.AD.NCSU.EDU\SYSVOL. It couldn't connect to the share.
I then examined the share permissions on the DCs. They were not consistent. DC01 and DC03 had Authenticated Users with Full Control. DC00 did not have this entry.
I then found KB812538 - Authenticated Users Group Has Too Many Permissions to the SYSVOL Network Share. This article suggests that Authenticated Users NOT be granted Full Control:
...the default installation of Windows Server 2003 unnecessarily provides too many permissions to the SYSVOL share for the Authenticated Users group
I removed Authenticated Users from the share permissions. This obviously would cause GPO creation to fail when connected to any of the DCs. The article also states:
Delegated users will not be able to create Group Policy if you give Authenticated Users Read permission on the SYSVOL share. You must add the Group Policy Creator Owners group to the SYSVOL share with Full Control.
The Group Policy Creator Owners group is usually used to delegate the ability to create GPOs. We don't use this group. Instead, we use another that follows our groups & permissions design. I added this group to the share permission lists on all of the DCs with Full Control.
GPO creation seems to work correctly now.
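As an added example (not part of the original post), the following PowerShell script audits the SYSVOL share ACL on every domain controller for the two conditions described above: Authenticated Users holding Full Control (KB812538) and the GPO-creator group missing Full Control, and prints a per-DC fingerprint so inconsistent ACLs stand out. It assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 or later / RSAT), and the delegated group name is a placeholder to replace with the site's own group.

```powershell
# Added example, not from the original post: audit the SYSVOL *share* ACL
# (not NTFS) on every DC. Assumes ActiveDirectory + SmbShare modules; the
# default group name below is a placeholder for the site's delegated group.
#Requires -Modules ActiveDirectory, SmbShare
param(
    # Group that must hold Full Control on SYSVOL to create GPOs.
    [string]$GpoCreatorGroup = 'Group Policy Creator Owners'
)

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query the share permissions remotely over WS-Man/CIM.
        $acl = Get-SmbShareAccess -Name 'SYSVOL' -CimSession $dc.HostName -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Finding = "Could not read share ACL: $($_.Exception.Message)" }
        continue
    }

    # KB812538: Authenticated Users should not be granted Full Control.
    $authUsersFull = $acl | Where-Object {
        $_.AccountName -like '*\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
    }
    if ($authUsersFull) {
        [pscustomobject]@{ DC = $dc.HostName; Finding = 'Authenticated Users has Full Control (KB812538)' }
    }

    # Without this entry GPMC reports "Access is denied" when it targets this DC.
    $creatorFull = $acl | Where-Object {
        $_.AccountName -like "*\$GpoCreatorGroup" -and
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
    }
    if (-not $creatorFull) {
        [pscustomobject]@{ DC = $dc.HostName; Finding = "$GpoCreatorGroup lacks Full Control" }
    }

    # Normalised fingerprint of the whole ACL, so DCs can be compared side by side.
    $fingerprint = ($acl | Sort-Object AccountName | ForEach-Object {
        "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)"
    }) -join ';'
    [pscustomobject]@{ DC = $dc.HostName; Finding = "ACL=$fingerprint" }
}

$findings | Format-Table -AutoSize
```

Run it from a management host with RSAT; any DC whose fingerprint line differs from the others is the one to reconcile.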
Weekly defragmentation of the two local partitions for the DC and FS servers has been scheduled for the 4 & 5 AM time frame. WSUS00 runs the process in the 9 PM time frame weekly.
I'll add the script to the other servers in the near future.
-- Joe W.
The server DC00 is now running Windows Server 2003 R2. Service Pack 2 had been applied at an earlier time. The server was restarted after the update to the OS. The update occurred at 4:40 PM.
The Microsoft resource:
http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog3.mspx
Active Directory Product Operations Guide
Chapter 3 - Detailed Maintenance Actions
provides specifics on the desired number of Global Catalogs in single global domain / single-domain forest environments, quite relevant to the Unity AD forest.
To the point: "If your deployment uses a single global domain, configure all domain controllers as global catalog servers. In a single-domain forest, configuring all domain controllers as global catalog servers requires no additional resources".
In the same resource, in the area with the header "Task: Add the Global Catalog to a Domain Controller", there was mention that all global catalog servers require 0.6 GB of storage.
This blog is intended to be used by the staff members of ITD's Microsys group at NC State University. It is an internal project management and collaboration tool to be used throughout the Unity migration project. Project updates, thoughts, suggestions, and anything else related to the migration should be included.