Windows Server 2008 R2 some services do not start - access denied - BFE, DPS, Windows Firewall, DHCP, Windows Time

    Question

  • I have a server on which we installed Windows Server 2008 R2, joined it to a domain and made it a DC in the domain.  Everything works fine until a few days later, when the server is rebooted and all of a sudden all of these services stop running with an access denied error.  This is the second time we have rebuilt the server with the same results.  I have a feeling it has something to do with our existing group policy for the domain, but I cannot find anything in there that could be causing the problem.  With that being said, I have made a new OU, moved the server to this OU and stopped all group policies from affecting this server.  I have also run gpupdate on the new server several times to make sure it has removed the existing group policy.  This did not solve the problem.  So back to the internet to search for answers.  Came across a couple of posts leading to the same answers.  Followed the instructions in KB 943996, which basically adds permissions to the services in the registry.  After following these instructions, I have gotten DHCP, time, BFE, and several other services back to running.  However, I am still having trouble with the Diagnostic Policy Service and Windows Firewall, both still giving access denied errors when the service tries to start.

    In the registry I have added the following for the firewall

    For the NT Service\MpsSvc account, it needs permissions for the following keys:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch

    Query Value;Set Value



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

    Full Control;Read



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy

    Full Control;Read

    and for DPS I have added the following

    TrustedInstaller


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS\Parameters

    permission needed: Full Control, Read

    But I still cannot get these services started.

    I even tried giving Everyone full control and read on these registry entries, but still could not get the services started.

    Anyone have any other ideas for me to try?

    Thanks,

    Chris

    Sunday, October 18, 2009 4:00 PM

Answers

  • Just a little update: after removing the group policies from this DC, I checked in the local policies - User Rights Assignment that local services had access to impersonate a client after authentication and replace a process level token, as I read in a KB article.  I also found two more errors in the event log in addition to 7023 Diagnostic Policy Service, access denied, and the Windows Firewall failed to start.  I found event ID 8193, Volume Shadow service failed to reg open key - access denied, and event ID 10154, WinRM failed to create the following SPN: wsman/computer name.

    In addition to all of these steps I updated the drivers for the network cards.

    With all of these steps I made some progress in removing the errors and problems, but was not able to remove all of them.  I feel it has to be something else in the user rights assignment for local service and/or network service that I am missing that was in my default group policy.

    Anyway, I have found a solution that has corrected the problem for a couple of hours so far.  With the machine still in its own OU and no group policies being applied, I did an upgrade of the machine with my Windows Server 2008 R2 disk, and it came up with no errors, and I now have access to the machine through Remote Desktop again.

    Monday, October 19, 2009 7:01 PM
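
The checks described in the question and answer above can be collected into one read-only audit. This is an added example, not part of the original thread: it reports the ACL entries on the four registry keys the question lists, the state of the affected services, and whether LOCAL SERVICE and NETWORK SERVICE hold the two user rights the answer mentions. It assumes English account names and uses a hypothetical scratch file under %TEMP%.

```powershell
# Added example: read-only audit of the keys, accounts and user rights named in this thread.
# Run from an elevated prompt. Account names assume an English-language install.
$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch' = 'NT SERVICE\MpsSvc'
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy' = 'NT SERVICE\MpsSvc'
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy' = 'NT SERVICE\MpsSvc'
    'HKLM:\SYSTEM\CurrentControlSet\Services\DPS\Parameters' = 'NT SERVICE\TrustedInstaller'
}
$full = [int][System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $expected.Keys) {
    try { $acl = Get-Acl -Path $key -ErrorAction Stop }
    catch { Write-Output "UNREADABLE  $key : $($_.Exception.Message)"; continue }

    # Allow entries held by the account the thread lists for this key.
    $mine = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $expected[$key] -and $_.AccessControlType -eq 'Allow' })
    if ($mine.Count -eq 0) { Write-Output "MISSING     $key : no allow ACE for $($expected[$key])" }
    foreach ($ace in $mine) { Write-Output "OK          $key : $($ace.IdentityReference) = $($ace.RegistryRights)" }

    # Flag an Everyone / Full Control grant left over from troubleshooting.
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band $full) -eq $full
    } | ForEach-Object { Write-Output "TOO BROAD   $key : Everyone has Full Control" }
}

# Current state of the services named in the thread title.
Get-Service -Name BFE, DPS, MpsSvc, Dhcp, W32Time | Format-Table Name, Status -AutoSize

# User rights the answer checked: "Impersonate a client after authentication" and
# "Replace a process level token", for LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20).
$inf = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
foreach ($right in 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') {
    $line = @(Get-Content $inf | Where-Object { $_ -match "^$right\s*=" })[0]
    foreach ($sid in 'S-1-5-19', 'S-1-5-20') {
        $state = if ($line -match "\*$sid(,|\s|$)") { 'granted' } else { 'NOT granted' }
        Write-Output "$right -> $sid : $state"
    }
}
```

Running it once before and once after a reboot or a gpupdate shows which of these settings changed between the two runs.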