Domain password policies don't get enforced: what's the misconfiguration?

Hi,
I don't see where I made a mistake. I am used to creating GPOs for domain password requirements on AD 2003, but not on 2016.
I created one and applied it to my domain, but it is not getting enforced.
Can you look at it and tell me what I did wrong?
[attachment: gpo-password.png]
philjansAsked:

MaheshArchitectCommented:
Where are you looking for enforcement?

How did you identify that the policy is not working?
McKnifeCommented:
See if this GPO is applied to the DCs - this is what matters.
Since the policy was last changed a while back, it would have been applied by now, unless you explicitly set the permissions on that GPO so that DCs don't get it (or you set "no inheritance" on the DC OU).
philjansAuthor Commented:
@Mahesh:
For starters: the password policy requires 16 characters and complexity. All users I asked were able to enter fewer than 16 characters. And some of them confirmed that they don't even use numbers, or that their password matches their username, which is not allowed under the "complexity requirements".

@McKnife:
Yes, it applies.
[attachment: gpo-password2.png]
McKnifeCommented:
On all DCs, open an elevated command prompt and run
gpresult /h %temp%\result.html && %temp%\result.html

Go through the result and tell us what you see in the pw policies section.
philjansAuthor Commented:
@McKnife:
I do see the password settings applied.
[attachment: gpo-password3.png]
McKnifeCommented:
And you did that on all DCs, not just on one?
philjansAuthor Commented:
@McKnife: good call. I see that on my 2nd DC the GPO "Default Domain Policy" was not fully applied... just parts of it.
[attachment: gpo-password4.png]
McKnifeCommented:
Parts? Nothing of it is seen.
So please run gpupdate on an elevated command line on that DC and then retry with
gpresult /h %temp%\result.html /f && %temp%\result.html

philjansAuthor Commented:
It was run elevated.
Yes, you can see the difference between my 2 screenshots.
On one DC you see that:
- "Account Policies/Password Policy"
- "Account Lockout Policy"
- "Kerberos Policy"
are applied, and on the other screenshot we see only
- "Kerberos Policy"
was applied.
Here's the rest:
[attachment: gpo-password5.png]
And there is this:
[attachment: gpo-password6.png]
McKnifeCommented:
I asked you to run gpupdate on that DC and then run that last command I gave you.
MaheshArchitectCommented:
Can you run dcdiag /v and repadmin /replsum * from an elevated prompt and post the results here?
philjansAuthor Commented:
C:\Windows\system32>repadmin /replsum *
Replication Summary Start Time: 2019-02-07 14:16:37

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 PPDC16                    20m:28s    0 /   5    0
 PPDC16B                   28m:57s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 PPDC16                    28m:57s    0 /   5    0
 PPDC16B                   20m:28s    0 /   5    0


C:\Windows\system32>dcdiag /v

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine PPDC16, is a Directory Server.
   Home Server = PPDC16
   * Connecting to directory service on server PPDC16.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=pp,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=pp,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=PPDC16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\PPDC16
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... PPDC16 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\PPDC16
      Starting test: Advertising
         The DC PPDC16 is advertising itself as a DC and having a DS.
         The DC PPDC16 is advertising as an LDAP server
         The DC PPDC16 is advertising as having a writeable directory
         The DC PPDC16 is advertising as a Key Distribution Center
         Warning: PPDC16 is not advertising as a time server.
         The DS PPDC16 is advertising as a GC.
         ......................... PPDC16 failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... PPDC16 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... PPDC16 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... PPDC16 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... PPDC16 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=PPDC16B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local
         ......................... PPDC16 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC PPDC16 on DC PPDC16.
         * SPN found :LDAP/PPDC16.pp.local/pp.local
         * SPN found :LDAP/PPDC16.pp.local
         * SPN found :LDAP/PPDC16
         * SPN found :LDAP/PPDC16.pp.local/PP
         * SPN found :LDAP/9307443b-2549-4cb6-8def-7a90ecdc14bb._msdcs.pp.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9307443b-2549-4cb6-8def-7a90ecdc14bb/pp.local
         * SPN found :HOST/PPDC16.pp.local/pp.local
         * SPN found :HOST/PPDC16.pp.local
         * SPN found :HOST/PPDC16
         * SPN found :HOST/PPDC16.pp.local/PP
         * SPN found :GC/PPDC16.pp.local/pp.local
         ......................... PPDC16 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC PPDC16.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=pp,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=pp,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=pp,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=pp,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=pp,DC=local
            (Domain,Version 3)
         ......................... PPDC16 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\PPDC16\netlogon
         Verified share \\PPDC16\sysvol
         ......................... PPDC16 passed test NetLogons
      Starting test: ObjectsReplicated
         PPDC16 is in domain DC=pp,DC=local
         Checking for CN=PPDC16,OU=Domain Controllers,DC=pp,DC=local in domain DC=pp,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=PPDC16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local in domain CN=Configuration,DC=pp,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... PPDC16 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         ......................... PPDC16 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 2100 to 1073741823
         * PPDC16b.pp.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1100 to 1599
         * rIDPreviousAllocationPool is 1100 to 1599
         * rIDNextRID: 1127
         ......................... PPDC16 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
            Invalid service startup type: w32time on PPDC16, current value DISABLED, expected value DEMAND_START
         * Checking Service: NETLOGON
         ......................... PPDC16 failed test Services
      Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:27:27
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:27:27
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:32:28
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:32:28
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:32:40
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:32:40
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:37:41
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:37:41
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:42:41
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:42:41
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:47:42
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:47:42
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:52:44
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:52:44
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/07/2019   13:52:49
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
            {D63B10C5-BB46-4990-A94F-E40B9D520160}
             and APPID
            {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
             to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:57:45
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   13:57:45
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   14:02:46
            Event String:
            The IP Helper service depends on the WinHTTP Web Proxy Auto-Discovery Service service which failed to start because of the following error:
            The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
         An error event occurred.  EventID: 0xC0001B59
            Time Generated: 02/07/2019   14:02:46
            Event String: The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error:
            The dependency service or group failed to start.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 02/07/2019   14:07:59
            Event String: The Connected Devices Platform Service service terminated with the following error:
            Unspecified error
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 02/07/2019   14:09:59
            Event String: The server {21F282D1-A881-49E1-9A3A-26E44E39B86C} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 02/07/2019   14:09:59
            Event String: The Connected Devices Platform Service service terminated with the following error:
            Unspecified error
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 02/07/2019   14:11:59
            Event String: The server {21F282D1-A881-49E1-9A3A-26E44E39B86C} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0xC0001B6F
            Time Generated: 02/07/2019   14:11:59
            Event String: The Connected Devices Platform Service service terminated with the following error:
            Unspecified error
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 02/07/2019   14:13:59
            Event String: The server {21F282D1-A881-49E1-9A3A-26E44E39B86C} did not register with DCOM within the required timeout.
         ......................... PPDC16 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=PPDC16,OU=Domain Controllers,DC=pp,DC=local and backlink on CN=PPDC16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local are correct.
         The system object reference (serverReferenceBL) CN=PPDC16,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=pp,DC=local and backlink on
         CN=NTDS Settings,CN=PPDC16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pp,DC=local are correct.
         The system object reference (msDFSR-ComputerReferenceBL) CN=PPDC16,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=pp,DC=local and backlink on CN=PPDC16,OU=Domain Controllers,DC=pp,DC=local are correct.
         ......................... PPDC16 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pp
      Starting test: CheckSDRefDom
         ......................... pp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pp passed test CrossRefValidation

   Running enterprise tests on : pp.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\PPDC16.pp.local
         Locator Flags: 0xe001f1bc
         PDC Name: \\PPDC16b.pp.local
         Locator Flags: 0xe001f1bd
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         KDC Name: \\PPDC16.pp.local
         Locator Flags: 0xe001f1bc
         ......................... pp.local failed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
         ......................... pp.local passed test Intersite

philjansAuthor Commented:
McKnife:
Just did the gpupdate /force and the command, and it's the same result: I now see these 2 keys.

- "Account Policies/Password Policy"
- "Account Lockout Policy"

This DC is the Windows server running Hyper-V that contains a VM which is the main DC.
Maybe I should just demote this DC and remove it from the domain so that it goes back to being a plain Windows Server Hyper-V machine, which is what Microsoft recommends...
That would by itself solve this problem of discrepancies between both DCs.

In that case: what is the complete procedure to demote it while not affecting the virtual DC?
MaheshArchitectCommented:
On PPDC16 the time service is disabled and not started; start it in auto mode. Is this the DC where the policy is showing as updated?

If it is on the other DC as well, check the status of the time service; you can restart it if it's started.

After that, force AD replication across both DCs, run rsop.msc on both DCs and check whether both show the same password policies.

If you still have issues, transfer the FSMO roles to the DC where the password policy is correct and force AD replication.
Ensure the "netdom query fsmo" output is the same on both DCs. If yes, then proceed further: it means your AD replication is working but not SYSVOL replication.
Now attempt a DFSR SYSVOL authoritative restore on the PDC master and a DFSR SYSVOL non-authoritative restore on the other DC:
https://www.experts-exchange.com/articles/17360/Active-Directory-DFSR-Sysvol-Authoritative-and-Non-Authoritative-Restore-Sequence.html

It will resolve your issue.
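The per-DC checks the thread walks through by hand (gpresult on every DC, netdom query fsmo, the w32time finding from dcdiag, and the AD-versus-SYSVOL replication split Mahesh describes) can be gathered in one pass. The PowerShell below is an added example written for this page, not code posted by anyone in the thread. It assumes Windows PowerShell 5.1 on a domain-joined admin host with the RSAT ActiveDirectory and GroupPolicy modules, run elevated as a domain admin with WinRM reachable on both DCs; the DC names, domain and GPO name are the ones from the thread.

```powershell
# Added example (not from the thread): compare the Default Domain Policy as each DC
# sees it in AD, in its own SYSVOL share, and in the domain-head attributes it enforces.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, elevated domain-admin session,
# WinRM/CIM reachable on the DCs. Names below are taken from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = 'pp.local'
$dcs     = 'PPDC16', 'PPDC16B'
$gpoName = 'Default Domain Policy'

function Get-PolicyFromSysvol {
    # Read MinimumPasswordLength / PasswordComplexity from the GPO's GptTmpl.inf as
    # stored in THIS DC's SYSVOL share, plus a hash so divergent copies stand out.
    param([string]$Dc, [string]$Domain, [guid]$GpoId)
    $inf = "\\$Dc\SYSVOL\$Domain\Policies\{$GpoId}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) {
        return [pscustomobject]@{ Dc = $Dc; MinLen = $null; Complexity = $null; Hash = 'MISSING' }
    }
    $text = Get-Content -LiteralPath $inf -Raw
    $min  = if ($text -match 'MinimumPasswordLength\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
    $cplx = if ($text -match 'PasswordComplexity\s*=\s*(\d+)')    { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Dc         = $Dc
        MinLen     = $min
        Complexity = $cplx
        Hash       = (Get-FileHash -LiteralPath $inf -Algorithm SHA256).Hash
    }
}

$gpoId = (Get-GPO -Name $gpoName -Domain $domain).Id

$report = foreach ($dc in $dcs) {
    # AD-side (DSVersion) and SYSVOL-side (SysvolVersion) version of the GPO on this DC.
    # repadmin showed AD replication healthy, so DSVersion should agree everywhere;
    # a lagging SysvolVersion or a missing/different GptTmpl.inf points at SYSVOL (DFSR).
    $gpo  = Get-GPO -Guid $gpoId -Server $dc
    $file = Get-PolicyFromSysvol -Dc $dc -Domain $domain -GpoId $gpoId
    # What this DC actually enforces at password-change time: the domain-head
    # attributes (minPwdLength, pwdProperties) that the PDC emulator writes from the GPO.
    $eff  = Get-ADDefaultDomainPasswordPolicy -Server $dc
    # The service dcdiag flagged, and this DC's view of the PDC role (netdom query fsmo).
    $w32  = Get-CimInstance -ClassName Win32_Service -ComputerName $dc -Filter "Name='w32time'"
    $pdc  = (Get-ADDomain -Server $dc).PDCEmulator

    [pscustomobject]@{
        DC                = $dc
        GPO_DSVersion     = $gpo.Computer.DSVersion
        GPO_SysvolVersion = $gpo.Computer.SysvolVersion
        Inf_MinLen        = $file.MinLen
        Inf_Complexity    = $file.Complexity
        Inf_Hash          = $file.Hash.Substring(0, [Math]::Min(12, $file.Hash.Length))
        Eff_MinLen        = $eff.MinPasswordLength
        Eff_Complexity    = $eff.ComplexityEnabled
        W32Time           = "$($w32.StartMode)/$($w32.State)"
        PDCEmulator       = $pdc
    }
}
$report | Format-Table -AutoSize

# Anything that differs between DCs is a replication problem, not a GPO-design one.
foreach ($col in 'GPO_DSVersion', 'GPO_SysvolVersion', 'Inf_Hash', 'Eff_MinLen', 'PDCEmulator') {
    $distinct = @($report.$col | Sort-Object -Unique)
    if ($distinct.Count -gt 1) { Write-Warning "$col differs across DCs: $($distinct -join ', ')" }
}
foreach ($row in $report) {
    if ($row.GPO_DSVersion -ne $row.GPO_SysvolVersion) {
        Write-Warning "$($row.DC): AD version $($row.GPO_DSVersion) != SYSVOL version $($row.GPO_SysvolVersion) (SYSVOL copy out of date)"
    }
    if ($row.W32Time -match 'Disabled|Stopped') {
        Write-Warning "$($row.DC): w32time is $($row.W32Time); fix with Set-Service w32time -StartupType Automatic; Start-Service w32time"
    }
}
```

Read the table column by column: GPO_DSVersion matching on both DCs while GPO_SysvolVersion or Inf_Hash differ is exactly the "AD replication works but SYSVOL does not" state that calls for the DFSR authoritative/non-authoritative SYSVOL restore; Eff_MinLen differing between DCs would instead mean the domain-head attributes themselves have not replicated, which repadmin should also show. The DC that holds PDCEmulator is the one whose SYSVOL copy you make authoritative.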
philjansAuthor Commented:
On the DC I want to demote, called PPDC16:

C:\Windows\system32>netdom query fsmo
Schema master               PPDC16b.pp.local
Domain naming master        PPDC16b.pp.local
PDC                         PPDC16b.pp.local
RID pool manager            PPDC16b.pp.local
Infrastructure master       PPDC16b.pp.local
The command completed successfully.

On the DC I want to be alone now, PPDC16B:
C:\Windows\system32>netdom query fsmo
Schema master               PPDC16b.pp.local
Domain naming master        PPDC16b.pp.local
PDC                         PPDC16b.pp.local
RID pool manager            PPDC16b.pp.local
Infrastructure master       PPDC16b.pp.local
The command completed successfully.

So I see that the good main DC has all the roles; how can I demote the 2nd one, the one that has the GPO problem?
MaheshArchitectCommented:
Why do you want to demote the DC?

Just read my last post and repair SYSVOL.
philjansAuthor Commented:
@Mahesh:
Like I said: instead of spending time fixing the PPDC16 GPO problem (using your previous post), since I want it gone anyway, I could save time by just demoting it and leaving the main DC (PPDC16B) in place, right?
PPDC16 is a DC and ALSO a Hyper-V host, which it shouldn't have been from the start as per "best practices". So this is why I don't mind demoting it instead of trying to fix its GPO replication problems.
Does it make sense?
MaheshArchitectCommented:
Yes, you can demote it, but then you will never know what the problem was.

If after demoting you still face the same problem on the newer DC you promote, then you need to follow that post again.

McKnifeCommented:
The time service being stopped is really not that good for a DC... how come, @author?