Channel: Directory Services forum

All RODCs do not apply 'User Rights Assignment' part of Default Domain Controllers Policy, 'Policy server is not ready'


Hi, I noticed that all of our RODCs (all on Windows Server 2012 R2) do not apply the 'User Rights Assignment' part of the Default Domain Controllers Policy. They all have the state that was valid during their promotion. If we promote a new RODC, that one gets the current User Rights Assignment, but also does not apply changes done after its promotion.

Writable DCs apply the policy without issues.

I enabled debug logging, and it seems that the following happens:

  1. User rights are added
  2. "Policy server is not ready"
  3. User rights are removed again (changes from step 1 are undone)
  4. Start over from 1.

I uploaded the complete winlogon.log here:

https://www.amazon.de/clouddrive/share/ea7UsyZo95hKSrIGTE6ZwBmlk5EpBuxswDU2KMm2nxl?ref_=cd_share_link_copy

The relevant portions seem to be these:

----Configure User Rights...
...
	Configure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
		add SeAuditPrivilege.
		add SeServiceLogonRight.
...
	User Rights configuration was completed successfully.
...
----Un-initialize configuration engine...

Policy server is not ready, retry count #1.
...
----Configure User Rights...
		SeImpersonatePrivilege must be assigned to administrators. This setting is adjusted.
		SeImpersonatePrivilege must be assigned to SERVICE. This setting is adjusted.
		SeNetworkLogonRight must be assigned to Enterprise Controllers account for policy propagation and replication to succeed.
....
	Configure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
		remove SeAuditPrivilege.
		remove SeServiceLogonRight.
...
	User Rights configuration was completed successfully.


As I said before, this happens on ALL Read Only Domain Controllers, but not on any writable Domain Controller.

Our Domain Functional Level is 2008 R2. Does anyone have an idea what could be the reason, or where I could continue to investigate?
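
The add / "Policy server is not ready" / remove cycle described in the post can be picked out of a debug log mechanically. The following is an added example, not part of the original post: the function name and the sample text are constructed, and it assumes the log lines have the shape of the excerpt quoted above.

```python
import re

# Constructed sample in the shape of the excerpt quoted in the post
# (the SID is kept masked exactly as the poster masked it).
SAMPLE_LOG = """\
----Configure User Rights...
\tConfigure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
\t\tadd SeAuditPrivilege.
\t\tadd SeServiceLogonRight.
\tUser Rights configuration was completed successfully.
----Un-initialize configuration engine...
Policy server is not ready, retry count #1.
----Configure User Rights...
\tConfigure S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-84077.
\t\tremove SeAuditPrivilege.
\t\tremove SeServiceLogonRight.
\tUser Rights configuration was completed successfully.
"""

PRINCIPAL = re.compile(r"^\s*Configure (.+?)\.\s*$")      # "Configure <SID>."
CHANGE = re.compile(r"^\s*(add|remove) (Se\w+)\.\s*$")    # "add SeXxx."
RETRY = re.compile(r"Policy server is not ready, retry count #(\d+)")


def find_reverted_rights(log_text):
    """Return [(principal, right, retry_count)] for each right that was added
    and then removed again after a 'Policy server is not ready' line."""
    added = {}        # (principal, right) -> retry marker seen when it was added
    reverted = []
    principal = None
    retry = None      # count from the most recent 'not ready' line, if any
    for line in log_text.splitlines():
        if (m := RETRY.search(line)):
            retry = int(m.group(1))
        elif (m := PRINCIPAL.match(line)):
            principal = m.group(1)
        elif (m := CHANGE.match(line)) and principal:
            key = (principal, m.group(2))
            if m.group(1) == "add":
                added[key] = retry
            elif key in added:
                # Only flag removals that follow a retry logged after the add.
                if retry is not None and added.pop(key) != retry:
                    reverted.append((*key, retry))
    return reverted


if __name__ == "__main__":
    for sid, right, n in find_reverted_rights(SAMPLE_LOG):
        print(f"{sid}: {right} added, then removed after retry #{n}")
```
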


