cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Domain policy difference in Primary/Secondary Domain Controller

K-Ang
Copper Contributor

‎Feb 09 2020 07:31 PM

‎Feb 09 2020 07:31 PM

Domain policy difference in Primary/Secondary Domain Controller

Hi guys,

 

I faced this issue whereby i am designing the same domain policy for both primary and secondary domain controller. But what i see is that only primary domain controller is applying the policy that i setup, only partial policies applied in secondary domain controller (password and account policy is not applied to secondary domain controller). I have checked on domain policy management and saw both domain controller status are showing green tick. My understanding is that file replication are working fine. I have also did domain policy modelling on both domain controllers and i can see the result are applied even to secondary DC. However when i issue command for GPupdate/force it shows successful with no password policy/ account policy applied. Any advice to further troubleshooting the issue?

 

Worth to note that both domain controllers are using Windows Server 2016. They are able to ping each other. I also simulate to create a new domain account and it does replicate to secondary domain controller.

Labels:
8,149 Views
0 Likes
6 Replies
Reply
6 Replies
Mark Lewis

‎Feb 10 2020 06:15 AM

‎Feb 10 2020 06:15 AM

Re: Domain policy difference in Primary/Secondary Domain Controller

@K-AngDaft question, your DNS Client settings, on DC1 do you have DC2 as its primary address and on DC2 do you have DC1 as its primary? They should have their own address as secondary. Also ensure that the IPv6 address isn't ::1

 

It sounds like replication issue but you are getting account creation replicated across.

 

Are you editing the default domain policy for the password settings? It's worth noting that only one GPO can do the password policy on a domain

0 Likes
Reply
K-Ang

‎Feb 11 2020 03:18 AM

‎Feb 11 2020 03:18 AM

Re: Domain policy difference in Primary/Secondary Domain Controller

Dear @Mark Lewis ,

 

Yes i have setup DC1 to have DC2 ip address as primary, same goes to DC2 as well. I could have just disable ipv6 but may i know why it cannot be ::1?

 

I have default domain policy for password settings but in that case i can't have kerberos policy setup because default domain policy is assigned to domain computer. May i know if i setup 2 policies with password policies inside and assigned separately will it work?

0 Likes
Reply
Mark Lewis

‎Feb 11 2020 05:44 AM

‎Feb 11 2020 05:44 AM

Re: Domain policy difference in Primary/Secondary Domain Controller

@K-AngI've had all sorts of odd issues when the DNS client address has been ::1.

 

I don't believe you can. What you need to be looking at are Fine Grained Password Policies for running multiple policies.

0 Likes
Reply
K-Ang

‎Feb 11 2020 07:04 PM

‎Feb 11 2020 07:04 PM

Re: Domain policy difference in Primary/Secondary Domain Controller

Dear @Mark Lewis,

 

Sorry for providing wrong information. There is only one domain policy that contains password policy, account policy, kerberos policy and security options. They are in default domain policy. However we have additional policies that defines rules other than the mentioned policies above. 

0 Likes
Reply
Mark Lewis

‎Feb 12 2020 01:31 AM

‎Feb 12 2020 01:31 AM

Re: Domain policy difference in Primary/Secondary Domain Controller

@K-AngSo, is the issue with other policies that set options other than password and kerberos not replicating? Things like Only use NTLMv2? Who can log on, drive mapping via preferences?

0 Likes
Reply
K-Ang

‎Feb 12 2020 02:49 AM

‎Feb 12 2020 02:49 AM

Re: Domain policy difference in Primary/Secondary Domain Controller

Those are replicated fine. Only password policy and account lockout policy is not applying.
0 Likes
Reply