Domain policy difference in Primary/Secondary Domain Controller

Hi guys,

I faced this issue whereby I am designing the same domain policy for both the primary and secondary domain controllers. But what I see is that only the primary domain controller is applying the policy that I set up; only partial policies are applied on the secondary domain controller (password and account policy are not applied to the secondary domain controller). I have checked in domain policy management and saw that both domain controllers' statuses are showing a green tick. My understanding is that file replication is working fine. I have also done domain policy modelling on both domain controllers and I can see the results are applied even to the secondary DC. However, when I issue the command gpupdate /force it shows successful with no password policy/account policy applied. Any advice for further troubleshooting the issue?

Worth noting that both domain controllers are running Windows Server 2016. They are able to ping each other. I also simulated creating a new domain account and it does replicate to the secondary domain controller.

6 Replies

@K-Ang Daft question, your DNS Client settings, on DC1 do you have DC2 as its primary address and on DC2 do you have DC1 as its primary? They should have their own address as secondary. Also ensure that the IPv6 address isn't ::1.

It sounds like a replication issue, but you are getting account creation replicated across.

Are you editing the default domain policy for the password settings? It's worth noting that only one GPO can do the password policy on a domain.


Dear @Mark Lewis,

Yes, I have set up DC1 to have DC2's IP address as primary, and the same goes for DC2 as well. I could have just disabled IPv6, but may I know why it cannot be ::1?

I have the default domain policy for password settings, but in that case I can't have a Kerberos policy set up because the default domain policy is assigned to domain computer. May I know, if I set up 2 policies with password policies inside and assign them separately, will it work?


@K-Ang I've had all sorts of odd issues when the DNS client address has been ::1.

I don't believe you can. What you need to be looking at are Fine Grained Password Policies for running multiple policies.


Dear @Mark Lewis,

Sorry for providing wrong information. There is only one domain policy that contains the password policy, account policy, Kerberos policy and security options. They are in the default domain policy. However, we have additional policies that define rules other than the policies mentioned above.


@K-Ang So, is the issue with other policies that set options other than password and Kerberos not replicating? Things like Only use NTLMv2? Who can log on, drive mapping via preferences?

Those are replicated fine. Only the password policy and account lockout policy are not applying.
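
The checks raised in the replies above (DNS client order on each DC, the domain password and lockout policy, Fine Grained Password Policies), gathered into one read-only script. This is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory RSAT module and WinRM access to each domain controller, and it discovers the DC names rather than using any from the thread.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and WinRM access to each DC; DC names are discovered, not hard-coded.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# 1. DNS client order on each DC: list the configured servers and flag
#    interfaces where a loopback address (::1 / 127.0.0.1) is listed first.
$dns = foreach ($dc in $dcs) {
    Get-DnsClientServerAddress -CimSession $dc |
        Where-Object { $_.ServerAddresses } |
        Select-Object PSComputerName, InterfaceAlias,
            @{ n = 'Servers';       e = { $_.ServerAddresses -join ', ' } },
            @{ n = 'LoopbackFirst'; e = { $_.ServerAddresses[0] -in '::1', '127.0.0.1' } }
}
$dns | Format-Table -AutoSize

# 2. Domain password / lockout policy as read from each DC's own replica.
$fields = 'MinPasswordLength', 'PasswordHistoryCount', 'ComplexityEnabled',
          'MinPasswordAge', 'MaxPasswordAge', 'LockoutThreshold',
          'LockoutDuration', 'LockoutObservationWindow'
$policy = foreach ($dc in $dcs) {
    Get-ADDefaultDomainPasswordPolicy -Server $dc |
        Select-Object (@(@{ n = 'DC'; e = { $dc } }) + $fields)
}
$policy | Format-Table -AutoSize

# Warn on any setting whose value is not identical on every DC.
foreach ($f in $fields) {
    $values = @($policy | ForEach-Object { "$($_.$f)" } | Sort-Object -Unique)
    if ($values.Count -gt 1) {
        Write-Warning "$f differs between DCs: $($values -join ' | ')"
    }
}

# 3. Fine Grained Password Policies, if any, and who they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize
```

If section 2 prints identical values for every DC, the stored domain policy is consistent across replicas and any difference lies in how it is being observed on the second DC rather than in replication.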