Services on first Windows 2008 R2 Domain Controller not start due to Default Domain Controller Policy security settings

    Question

  • Hi,

    Our domain is at Windows Server 2003 level with 6 Windows 2003 R2 DCs. We want to upgrade to Windows 2008 R2 DCs. After we successfully ran ADprep and a DCPromo on a Windows 2008 R2 member server, we started having issues with services on that 2008 R2 server. The Network Location Awareness, Base Filtering Engine, Diagnostic Policy Service, MS Distributed Transaction Coordinator and Windows Firewall services all failed to start (“Access denied” error).

    After long research we found that the problem is due to the Default Domain Controller Policy (DDCP). The registry permissions for the services had been changed once the new server was automatically added to the DC OU.

    The DDCP is “loaded” with Windows 2000 and Windows 2003 predefined security settings for DCs. In the past our domain was upgraded from Windows 2000 to Windows 2003. The DDCP is full of duplicate registry settings and file system permission items, which cause our Windows 2008 R2 server not to start correctly.

    We set up a test domain, but we cannot load our production DDCP correctly. When we make changes in the DDCP, the test Windows 2003 R2 servers start with errors. So making changes in the DDCP is very dangerous.

    What can we do to get a healthy Windows 2008 R2 DC?

    Do we have to clean up or get rid of the rubbish in the DDCP, and how do we do that? In the future we want to upgrade to Server 8. We do not want to face this problem again.

    Please help!

    Thanks!


    Tuesday, February 28, 2012 12:31 PM

Answers

  • Solution:

    We chose option 2: delete all ‘registry’ keys and all ‘file system’ keys within the security settings of the DDCP.

    (Make backups of the DDCP and system state!!)

    After that all new Windows 2008 R2 domain controllers are healthy, but the Windows 2003 R2 servers had 2 services that did not start:

    1) Performance Logs & Alerts (add the Network Service account with FC to HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries in the registry)

    2) Distributed Transaction Coordinator (cmd ---> msdtc -resetlog). The same as adding the Network Service account with FC to ...\system32\MSDTC

    Thanks all !

    • Marked as answer by wingei Monday, March 26, 2012 3:04 PM
    Monday, March 26, 2012 3:04 PM
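The post-cleanup repair for the two Windows 2003 R2 services, written out as an added example (this is not code from the thread). It assumes the "Log Queries" registry key and the %SystemRoot%\System32\MSDTC folder named in the answer, PowerShell 2.0 on the 2003 R2 DC, and an elevated session; it grants NETWORK SERVICE Full Control on both locations, resets the MSDTC log, verifies the ACEs, and starts the services.

```powershell
# Added example (not from the thread). Run elevated on each Windows 2003 R2 DC
# whose Performance Logs & Alerts and MSDTC services stopped starting after the
# DDCP registry/file-system entries were deleted. Re-grants NETWORK SERVICE
# Full Control on the two locations named in the answer, then resets the MSDTC log.

$logQueriesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries'
$msdtcFolder   = Join-Path $env:SystemRoot 'System32\MSDTC'   # assumed expansion of "...\system32\MSDTC"

# Use the well-known SID rather than the (localizable) display name "NETWORK SERVICE".
$networkService = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)

function Grant-FullControl {
    param(
        [string]$Path,                                        # HKLM:\... key or a folder
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path $Path
    if ($Path -like 'HKLM:*') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)      # adds an explicit Allow ACE; inherited ACEs are left alone
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FullControl {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -ne $Sid -or $ace.AccessControlType -ne 'Allow') { continue }
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            if ($ace.RegistryRights -eq 'FullControl') { return $true }
        } elseif ($ace.FileSystemRights -eq 'FullControl') {
            return $true
        }
    }
    return $false
}

Grant-FullControl -Path $logQueriesKey -Sid $networkService
Grant-FullControl -Path $msdtcFolder   -Sid $networkService

# msdtc -resetlog recreates the MSDTC log file inside the folder just fixed.
& "$env:SystemRoot\System32\msdtc.exe" -resetlog

foreach ($p in $logQueriesKey, $msdtcFolder) {
    "{0}: NETWORK SERVICE Full Control = {1}" -f $p, (Test-FullControl -Path $p -Sid $networkService)
}

# Service names on 2003: SysmonLog = Performance Logs and Alerts, MSDTC = Distributed Transaction Coordinator.
Start-Service -Name SysmonLog
Start-Service -Name MSDTC
```

The script adds an explicit ACE instead of rewriting the whole DACL, so anything the DDCP still pushes to these locations is not disturbed; if the DDCP later re-applies a "replace" entry on the parent key, the explicit ACE is lost again, which is the reason the answer deletes those entries from the policy first.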

All replies

  • What I have always seen (doesn't mean there couldn't be something else) is the services are all set to "Undefined".  This sounds to me like there were previous settings that were migrated across from the dcPromo process.  It isn't going to hurt anything to have you "Enable" the services in question, unless you want these services disabled.  It sounds to me like they already were on your 2003 DCs.

    I did find the following but this appears to relate to 2000 boxes.
    http://support.microsoft.com/kb/815414/e

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, February 28, 2012 12:58 PM
    Moderator
  • I agree with Paul; there might be some predefined settings (carried over from Windows 2000 or 2K3), as I haven't witnessed anything like this in any upgrade I have been part of. You can reset the Default Domain and Default Domain Controller Policy back to the default level using the dcgpofix tool (dcgpofix is to be run as a last resort or in DR), but it will wipe all the custom-defined settings.



    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 28, 2012 1:31 PM
    Moderator
  • Update: In Windows 2008 R2 you have some new accounts like the NT Service\NlaSvc account for the Network Location Awareness service and the NT Service\BFE account for the Base Filtering Engine service…. These accounts will be overwritten by the DDCP security settings - registry

    HKLM\SYSTEM\CurrentControlSet\Services

    “Replace existing permissions on all subkeys” by the accounts Administrators, Authenticated Users, CREATOR OWNER, Server Operators and SYSTEM. So the W2008 services have no rights to run. If you change to “Propagate inheritable permissions to all subkeys” the services will start!

    I have changed this already (it works), but I still have services like the Event Logging service, Diagnostic Policy Service and Distributed Transaction Coordinator that have no access to start on the W2008R2 server. This is possibly caused by the DDCP security settings – file system, on the permissions at %systemdirectory%.

    Does someone know more about the predefined security settings templates from W2000 -> W2003? Please help!

    I cannot use the dcgpofix tool, because it is not a disaster recovery scenario.


    Wednesday, February 29, 2012 8:57 AM
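A check for the symptom described in the update above, as an added example (not code from the thread): on the 2008 R2 DC, list the services whose own key under HKLM\SYSTEM\CurrentControlSet\Services no longer carries an Allow ACE for the service's own SID (NT SERVICE\<name>), which is exactly what a "Replace existing permissions on all subkeys" entry strips. It assumes an elevated session, that services registering a service SID (sc.exe qsidtype other than NONE) are the ones expected to have such an ACE, and that a missing ACE is a signal to inspect rather than proof the service cannot start.

```powershell
# Added example (not from the thread). Run elevated on the Windows 2008 R2 DC.
# Reports services whose registry key lacks an Allow ACE for NT SERVICE\<name>.
# Assumption: only services with a registered service SID (sc.exe qsidtype != NONE)
# are expected to carry such an ACE; others never had one.

function Get-ServiceSid {
    param([string]$ServiceName)
    # "NT SERVICE\<name>" resolves to the S-1-5-80-... service SID on Vista/2008 and later.
    try {
        $account = New-Object System.Security.Principal.NTAccount("NT SERVICE\$ServiceName")
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { return $null }
}

function Get-ServiceSidType {
    param([string]$ServiceName)
    # sc.exe prints "SERVICE_SID_TYPE:  NONE|UNRESTRICTED|RESTRICTED"; join the lines so -match fills $Matches.
    $text = (& sc.exe qsidtype $ServiceName 2>$null) -join "`n"
    if ($text -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Test-ServiceKeyHasOwnSidAce {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path -Path $key)) { return $null }
    $sid = Get-ServiceSid -ServiceName $ServiceName
    if ($sid -eq $null) { return $null }
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unmappable identity in the DACL; skip it
        if ($aceSid -eq $sid -and $ace.AccessControlType -eq 'Allow') { return $true }
    }
    return $false
}

function Find-ServicesMissingOwnSidAce {
    $report = @()
    foreach ($svc in Get-Service) {
        $sidType = Get-ServiceSidType -ServiceName $svc.Name
        if ($sidType -eq 'NONE' -or $sidType -eq 'UNKNOWN') { continue }
        if ((Test-ServiceKeyHasOwnSidAce -ServiceName $svc.Name) -eq $false) {
            $report += New-Object PSObject -Property @{
                Service = $svc.Name
                SidType = $sidType
                Status  = $svc.Status
            }
        }
    }
    return $report
}

# The services named in the thread first (NlaSvc, BFE, DPS = Diagnostic Policy Service,
# MSDTC, MpsSvc = Windows Firewall), then everything else that registers a service SID.
foreach ($name in 'NlaSvc', 'BFE', 'DPS', 'MSDTC', 'MpsSvc') {
    "{0,-8} own-SID ACE present: {1}" -f $name, (Test-ServiceKeyHasOwnSidAce -ServiceName $name)
}
Find-ServicesMissingOwnSidAce | Sort-Object Service | Format-Table Service, SidType, Status -AutoSize
```

Run it before and after a gpupdate /force to see which keys the DDCP rewrites; a service that shows "False" here and fails with "Access denied" at start-up is the pattern the update describes, and restoring the ACE by hand only lasts until the policy is re-applied.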
  • Take a look at below article.

    http://support.microsoft.com/kb/313222


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, February 29, 2012 9:11 AM
    Moderator
  • In our situation there are no backups or rollback points to go back to, so the article gives me no useful information. What we want is to get rid of the security settings from the Win2000/2003 security templates loaded in the DDCP. More suggestions?
    Wednesday, February 29, 2012 10:50 AM
  • The only option I can think of at this stage is running dcgpofix, which will bring the Domain and Domain Controller Policy back to their defaults; this is actually the situation in which we use this fix, when no other options are available. Take a look at the article below, it might give you some way to proceed.

    http://www.microsoft.com/download/en/details.aspx?id=18664


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, February 29, 2012 10:59 AM
    Moderator
  • What is the result of using dcgpofix for our domain and servers?

    I know that Exchange makes 'Exchange server groups' in the Default Domain Controller Policy. Will Exchange work after dcgpofix?

    Link: We are not dealing with .adm files (administrative templates) but .inf files (security settings), like basicdc.inf (W2000), DC security.inf (W2003)..

    Wednesday, February 29, 2012 12:38 PM
  • You need to do that again, because using dcgpofix only brings the Default Domain and Default Domain Controller Policy back to the default level. It is always recommended to maintain a backup. You can use the GPMC tool to back up a GPO.

    http://blogs.technet.com/b/janelewis/archive/2006/09/22/458132.aspx


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Bruce-Liu Monday, March 05, 2012 8:14 AM
    • Unmarked as answer by wingei Monday, March 05, 2012 10:13 AM
    Wednesday, February 29, 2012 1:03 PM
    Moderator
  • Update: After some testing in a clean test domain with 2 x W2003 DCs (I have imported the settings of our production Default Domain Controller Policy), the possible options are:

    1) DCGPOFIX tool and import DC Security.inf. No errors.

    If I use the DCGPOFIX tool without importing DC Security.inf, the first W2003 DC has errors like “cannot open Performance Log and Alert Configuration”, “MS DTC Transaction Manager could not start” and “DHCP Client Service Access Denied”. This has to do with the "Network Service" account?

    2) Delete all ‘registry’ keys and all ‘file system’ keys within the security settings of the DDCP. No errors.

    I think DCGPOFIX will remove too much, for example the network accounts for “log on as a service” in User Rights Assignment, and it is a surprise what kind of problems you get.

    The goal is a W2008R2 DC with no errors and of course no new problems with our current 6 W2003R2 DCs.

    Does someone have experience with option 2?


    Tuesday, March 06, 2012 1:50 PM
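Before taking option 2, a practitioner would want to back up the DDCP and see exactly which ‘registry’ and ‘file system’ entries it carries and which of them are in "replace" mode. The following is an added example (not code from the thread or from Microsoft) that does both on the 2008 R2 DC. It assumes the GroupPolicy PowerShell module (installed with GPMC on 2008 R2), the DDCP's well-known GUID {6AC1786C-016F-11D2-945F-00C04FB984F9}, a backup folder C:\GPOBackup, and that the second field of each [Registry Keys] / [File Security] line in GptTmpl.inf is the inheritance mode, read here as 0 = propagate, 1 = do not replace, 2 = replace existing permissions on all subkeys/subfolders.

```powershell
# Added example (not from the thread). Backs up the Default Domain Controllers
# Policy, then parses its security template (GptTmpl.inf in SYSVOL) and lists the
# [Registry Keys] and [File Security] entries, flagging those in mode 2 (replace),
# which are the ones that wipe per-service ACEs on the DC.
# Assumptions: GroupPolicy module present; well-known DDCP GUID; mode semantics
# 0 = propagate, 1 = do not replace, 2 = replace (as I read the template format).

Import-Module GroupPolicy

$domain    = $env:USERDNSDOMAIN
$ddcpGuid  = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
$backupDir = 'C:\GPOBackup'                                   # assumed backup location
$gptTmpl   = "\\$domain\SYSVOL\$domain\Policies\$ddcpGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-TemplateAclEntries {
    param([string]$Path)
    # INI-style file (UTF-16 with BOM, which Get-Content handles). Entry lines have the shape
    #   "<object path>",<mode>,"<SDDL>"        (illustrative, not copied from a real template)
    $section = ''
    $entries = @()
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Registry Keys' -and $section -ne 'File Security') { continue }
        if ($line -match '^"([^"]+)",(\d+),"(.*)"$') {
            $entries += New-Object PSObject -Property @{
                Section = $section
                Object  = $Matches[1]
                Mode    = [int]$Matches[2]
                Sddl    = $Matches[3]
            }
        }
    }
    return $entries
}

function Get-ModeName {
    param([int]$Mode)
    switch ($Mode) {
        0       { 'propagate' }
        1       { 'do not replace' }
        2       { 'REPLACE' }
        default { "unknown($Mode)" }
    }
}

# 1. Backups: the GPO itself (restorable with Restore-GPO) plus a raw copy of the template.
#    A system state backup of a DC is still required and is not covered here.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name 'Default Domain Controllers Policy' -Path $backupDir -Comment 'Before security-settings cleanup' | Out-Null
Copy-Item -Path $gptTmpl -Destination (Join-Path $backupDir 'GptTmpl.inf.before-cleanup')

# 2. Inventory of what the policy pushes to the registry and file system.
$entries = @(Get-TemplateAclEntries -Path $gptTmpl)
"{0} registry/file-system ACL entries in the DDCP template" -f $entries.Count
$entries |
    Select-Object Section, @{ n = 'Mode'; e = { Get-ModeName $_.Mode } }, Object, Sddl |
    Sort-Object Section, Object |
    Format-Table -AutoSize -Wrap

# 3. The entries that rewrite every subkey/subfolder ACL; these are what option 2 removes.
$replacing = @($entries | Where-Object { $_.Mode -eq 2 })
"{0} entries use mode 2 (replace):" -f $replacing.Count
$replacing | ForEach-Object { "  [{0}] {1}" -f $_.Section, $_.Object }
```

Reading the template rather than the GPMC UI makes the duplicates from the Windows 2000 and 2003 templates visible side by side, and the raw copy lets you diff GptTmpl.inf before and after the cleanup to confirm that only the [Registry Keys] and [File Security] sections changed.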