**Please note this only applies to Community Connect 3™ and RM Smart-Tools 3 networks**

Any references to Community Connect 3 in this document apply equally to RM Smart-Tools 3.

Community Connect 3 networks that contain Member Servers may stop performing scheduled server backups after the server has been commissioned and rebooted. The cause of this issue has been identified as a local backup user account on Community Connect 3 Member Servers not having the Default Domain Controller's Policy "Log on as Batch Job" users' permission. The problem occurs because the Member Server is moved in to an Organisational Unit (OU) under the Domain Controllers OU which causes the global Default Domain Controllers policy to apply and overwrite the local policy.

Application of the Default Domain Controller's Editor patch adds Local Member server backup users to the global DDC policy "Log on as Batch Job" permission, which allows scheduled backups to run. However, because domain controllers are unable to resolve local users, the Default Domain Controller's policy no longer propagates and consequently any changes made to the policy will not be applied. Domain Controllers in the same domain will produce the following application errors every five minutes:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
User: N/A
Description: Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.

Member Server Hotfix 2 (HFXCC3022) will make changes to the local Active Directory so that Member Servers no longer inherit the Default Domain Controller's policy; this change will in turn prevent local policies from being overwritten and allow scheduled backups to work without restriction. It will also stop the recurring Application Event log errors caused by the installation of the Default Domain Controllers Editor patch, as detailed in the Problem Statement section above. 

HFXCC3022 will perform the following actions:

1. Create a new OU called "Servers - No Inheritance" in the Domain Controllers\Establishments\<SchoolCode> OU of the local domain.
2. Block policy inheritance on this OU.
3. Set the rmCom2000-StnUsrMgr-Container attribute of this OU to 410.
4. Apply the RM Domain Controllers policy to this OU.
5. Search for all member (non-domain controller) servers under the domain controllers OU.
6. Move these servers in to the Servers - No Inheritance OU.
7. Delete any users granted "Log on as Batch Job" permission in the Default Domain Controller's policy. The user can be of the following format:

MemberServerName\MemberServerName Backup
MemberServerName/MemberServerName Backup

And

MemberServerName\MemberServerName Bac
MemberServerName/MemberServerName Bac

Where "MemberServerName Bac" is concatenated to 20 characters, which is the maximum string length for SAM names.

8. Increment the Default Domain Controller's policy version in the Active Directory and in the SYSVOL share by 1, if versions differ it will set both to max version + 1.
9. Refresh all machine polices for the local domain.

Network administrators who have Member Server products on their Community Connect 3 networks (e.g. Member Servers, DAMMS Servers or MIS Servers) should run HFXCC3022 to ensure that the Active Directory structure is updated and local policies are no longer over-written by global policies.

HFXCC3022 should be run on one Community Connect 3 domain controller.  It does NOT need to be run directly on a Member Server.

1. Select the HFXCC3022.exe file to download.
2. Choose to "Save" the file, browse to the location you wish to save it to and click OK.
3. When it has downloaded follow the installation instructions below to apply the hotfix to your Community Connect 3 network.

(NOTE: If you previously started to install the hotfix but cancelled the operation, follow the installation instructions in the 'Installing after cancelling a previous install' section below)

1.      Download HFXCC3022.

2.      Log on to a Community Connect 3 domain controller as Administrator (not SystemAdmin) and copy the hotfix to a temporary location (e.g. D:\temp).

3.      You are only required to install the hotfix on one Domain Controller server. Run the hotfix by double-clicking the self-extracting executable file (HFXCC3022.exe).  The hotfix will extract files automatically and run the RM Installation Assistant to install the hotfix.

4.      When prompted, click Continue.

5.      The installation will proceed automatically.

6.      When prompted that the RM Installation Assistant has finished, click Finish.

7.       Note: Reboot any Member Servers on the network.

8.      If you are prompted with any failure messages during application of the hotfix, or scheduled backups do not run, please contact RM Support and forward on the Member Server HF2.log file which may be found in D:\RMNetwork\Server\Utilities\Member Server Hot Fix 2\v2.1.0.0.
If a Member Server or DAMMS server has been joined to the local domain but is not connected or switched on, the hotfix may warn that these computers could not be contacted - If this is the case, re-establish a connection with the domain and re-run the hotfix by running D:\RMNetwork\RMManage\RM Hotfixes\HFXCC3022_extracted\RM Installation Assistant.exe.

1.      Browse to D:\RMNetwork\RMManage\RM Hotfixes\HFXCC3022_extracted and double-click the file RM Installation Assistant.exe. (If this folder or its contents does not exist, re-run the HFXCC3022.exe file downloaded from the RM Support website).

2.      The RM Installation Assistant will initialise; click Continue to proceed with the installation.

3.      The installation should proceed automatically.

4.      Follow the procedures in 'How to install the Hotfix' from step 5 above.

HFXCC3022 is not included in RM Community Connect 3 Service Release 1, 2 or 3. (SR1, SR2 or SR3).

HFXCC3022 does not have to be reapplied if any of these Service Releases are installed after installing HFXCC3022. 

HFXCC3022 will be included in Service Release 4.