Environment
Open Enterprise Server 11SP1 (OES11SP1)
Domain Services for Windows
DSfW
Situation
gposync runs in a loop
Resolution
Apply November 2012 Maintenance Patch
The fix is done in gpo2nmas tool to take care of updating the GPO or NMAS based on certain decisions taken which depends on the timestamp of the container,
password policy and GPO template file.
The fix is as follows:
1. GPO timestamp (gpo) is greater than container (co) and password policy object (ppo), GPO to NMAS
2. co and ppo both updated using iManager, and their timestamp is greater than GPO, NMAS to GPO
3. only co is greater than GPO, or only ppo is greater than GPO, do NMAS to GPO
4. if all timestamp matches, nothing doing
5. incase of parallel update, that co and/or ppo is updated and also gpo is updated, then it is always GPO to NMAS. GPO takes precedence in case of
parallel updates.
6. if a GPO is updated to a new container, GPO to nmas
Cause
gpo2nmas tool relies on modifiedTimeStamp of the domain root object to make sure that attributes related to login policy
"intruderAttemptResetInterval", "loginIntruderLimit" are in sync with that of GPO template in SYSVOL.
This leads to looping as Domain root object's modified timestamp varies frequently. The below scenario shows the looping
Run 1: If there is difference in time between Domain DN timstamp and GPO template in SYSVOL timstamp, then NMAS->GPO is triggered.
Run 2: There is an another check on password policy object timestamp to see if that is older than GPO template timestamp. Run 1 makes the GPO timestamp to be latest and hence GPO->NMAS is pushed on next run of gposync utility.
Run 3: The Domain DN timestamp gets updated (it get updated for other changes as well) and this difference triggers NMAS->GPO. This leads to the GPO template timestamp to a new value later than NMAS policy timestamp.
Hence the loop.