No Authentication between PDC and BDC after Domain GPO edit.
Posted on 2004-09-28
PDC = Windows Server 2003 Enterprise
BDC = Windows Advanced Server 2000
After reviewing an EE posting I performed an edit on my domain GPO ( to solve some Event Log errors) and changed the following settings.
Computer Configurations\Windows Security\Security Settings\Local Policies\Security Options
Digitally sign client communication (always)
Digitally sign client communication (when possible)
Digitally sign server communication (always)
Digitally sign server communication (when possible)
I changed all of them from "not defined" to "disabled"
I performed the edit from the BDC. After a secedit refresh and a reboot, I no longer have communications between the PDC and the BDC.
I then went to the PDC and edited the domain GPO and set those same settings from "disabled" to "not defined" and rebooted.
That not only failed to help, but I found I was no longer able to edit the domain GPO from either DC.
When I click on the Group Policy tab under the domain properties I get the following error...
"The domain controller for Group Policy operations is not available. You may cancel this operation for this session or retry one of the following domain controller choices:"
"The one with the Operations Master token for this PDC emulator"
"The one used by the Active Directory Snap-ins"
"Use any available domain controller"
Any of the above options will get me an access denied error.
I have confirmed my PDC is listed under Operations Master.
I have checked relevant permissions under Adsiedit and all is in order there.
I should add that I can ping the DCs from each other. I also have all access on the LAN except between the two DCs.
I have run out of ideas and this is a critical week for these two servers.
I will have to leave the office about 5p EST 10/28 but will monitor answers and try to implement solutions remotely, so if I don't seem to answer, please be patient. I will be posting by morning. Thanks for all your help.
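Added example, not part of the original post or any reply to it. The four "Digitally sign ... communication" policies listed above end up as the EnableSecuritySignature / RequireSecuritySignature values under the LanmanWorkstation (client side) and LanmanServer (server side) Parameters keys, and those are the values that actually decide whether an SMB session between two machines is negotiated. The script below reads them on a DC and then tests a client/server pair for the one combination that blocks a session: one side set to "always" while the other side has signing "disabled". The function names, the constructed sample objects at the bottom, and the use of WinRM (Invoke-Command) for the remote read are my own assumptions; the registry paths are the standard ones.

```powershell
# Added example (not from the original post): read the registry values behind the
# four SMB signing policies and flag client/server combinations that cannot
# negotiate a session. Helper names and sample values are assumptions.

function Get-SmbSigningSettings {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $block = {
        $ws = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        $sv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        # An absent value means nothing (GPO or local policy) has written it, so the
        # OS default applies; that default differs between Windows 2000 and 2003.
        function Read-Value($Path, $Name) {
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            ClientEnable  = Read-Value $ws 'EnableSecuritySignature'   # client (when possible)
            ClientRequire = Read-Value $ws 'RequireSecuritySignature'  # client (always)
            ServerEnable  = Read-Value $sv 'EnableSecuritySignature'   # server (when possible)
            ServerRequire = Read-Value $sv 'RequireSecuritySignature'  # server (always)
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $block }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $block }  # assumes WinRM is reachable
}

function Test-SmbSigningCompatible {
    param(
        [Parameter(Mandatory)] $Client,   # settings of the DC that opens the session
        [Parameter(Mandatory)] $Server    # settings of the DC that receives it
    )
    # Signing is negotiated per session. It fails when one side demands signing
    # ("always" = 1) while the other side has signing switched off ("when possible" = 0).
    $problems = @()
    if ($Server.ServerRequire -eq 1 -and $Client.ClientEnable -eq 0) {
        $problems += "$($Server.Computer) requires server signing but $($Client.Computer) has client signing disabled"
    }
    if ($Client.ClientRequire -eq 1 -and $Server.ServerEnable -eq 0) {
        $problems += "$($Client.Computer) requires client signing but $($Server.Computer) has server signing disabled"
    }
    [pscustomobject]@{
        From       = $Client.Computer
        To         = $Server.Computer
        Compatible = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample objects (not captured from real servers). They model the situation
# in the post: the 2003 DC still requires server-side signing, while the domain GPO edit
# left client-side signing disabled on both DCs.
$pdc = [pscustomobject]@{ Computer='PDC2003'; ClientEnable=0; ClientRequire=0; ServerEnable=1; ServerRequire=1 }
$bdc = [pscustomobject]@{ Computer='BDC2000'; ClientEnable=0; ClientRequire=0; ServerEnable=0; ServerRequire=0 }

Test-SmbSigningCompatible -Client $bdc -Server $pdc   # BDC -> PDC: blocked by the PDC's "always"
Test-SmbSigningCompatible -Client $pdc -Server $bdc   # PDC -> BDC: nothing requires signing

# Live check, run from a machine that can reach both DCs (hostnames are placeholders):
# Test-SmbSigningCompatible -Client (Get-SmbSigningSettings 'BDC') -Server (Get-SmbSigningSettings 'PDC')
```

Two things worth checking with this before touching the GPO again. First, the domain-level GPO is not the only policy that reaches a DC: domain controllers sit in the Domain Controllers OU, and the Default Domain Controllers Policy (which on Windows Server 2003 requires server-side signing by default) wins over the domain GPO for any setting it defines, so the server side of the 2003 DC can stay at "always" even after the domain GPO edit. Second, Security Options are registry-backed settings that stay in the registry once written; putting the policy back to "not defined" does not clear the value, so reading the keys directly shows what each DC is really negotiating with rather than what the GPO editor currently displays.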