Upgrading Domain Controllers to SP2

Here’s a catch if you are applying SP2 to your Windows 2003 domain controller. After the post-installation reboot, you may not be able to connect to anything at all. The server itself will work fine, but it will not connect to anything on the network… it took us a while to solve this one, but we finally found it out.

The Issue

Windows Server 2003 SP1 already made some significant changes to security, including the start-up accounts for services, DCOM security, etc. Since Windows Server 2003 SP2 has still stronger defaults and reduces the privileges of services further, it may cause some issues after installation.

Windows 2003 SP2 runs the RPC service under the Network Service account. Prior to SP1 and SP2, the OS ran it as Local System. After installing SP2 for Windows Server 2003, services that use the Network Service or Local Service account will not start.
Have you ever encountered the following problem?

•    The RPC service, or other automatic services that depend on RPC, will not start properly. For example, when trying to start the service you get the error "Error 1068: The dependency service or group failed to start".
•    Network connections fail to open, or network adapter icons do not appear in Network Connections.
•    Incoming and outgoing network communication fails.
•    The COM+, Volume Shadow Copy and Shell Hardware Detection services are stuck in the “starting” state.
•    You receive “Access is denied” when selecting the Dependencies tab of a service that does not start.

Why?

The Remote Procedure Call (RPC) service has been changed from running as the Local System account to running as the Network Service account for better security. When the RPC service runs as Network Service, the “Impersonate a client after authentication” right must include the Administrators group and the SERVICE group.

What can we do if meeting with the issue?

  1. Open the Group Policy configuration window (gpedit.msc or open it in Active Directory Users and Computers).
  2. Locate the policy entry: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication.
  3. Ensure that the “Administrators” group and the “SERVICE” group is granted this privilege.
  4. If the problem remains, correct the Access Control List for HKEY_CLASSES_ROOT\CLSID (and all child keys and values) to ensure NT AUTHORITY\NETWORK SERVICE can read it. This can be accomplished by adding the Authenticated Users or Users group and granting Read permissions.
  5. If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings. 
  6. In the Enter the object names to select box, type Administrators , and then click OK.
  7. Repeat the previous step for the SERVICE group account. 
  8. Click OK to close the Impersonate a client after authentication Properties dialog box. 
  9. On the File menu, click Exit. 
  10. Restart the computer. 
  11. If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer.
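The three conditions described above (which account RpcSs runs as, who holds the “Impersonate a client after authentication” right, and whether NETWORK SERVICE can read HKEY_CLASSES_ROOT\CLSID) can be checked from a script before and after applying the fix. The following PowerShell audit script is an added example and is not part of the original post; it assumes it is run from an elevated PowerShell 2.0 prompt on the affected Windows Server 2003 SP2 machine, that secedit.exe and WMI are available, and it is read-only unless the hypothetical -Fix switch is passed, in which case it applies step 4 (Read for Authenticated Users on HKCR\CLSID, inherited by all child keys).

```powershell
# Added audit script (not from the original post). Assumptions: elevated
# PowerShell 2.0 on the affected Windows Server 2003 SP2 host; secedit.exe
# and WMI available. -Fix is a hypothetical switch that applies step 4 only.
param([switch]$Fix)

# 1. Which account runs the RPC service? SP2 moves RpcSs to Network Service.
$rpc = Get-WmiObject Win32_Service -Filter "Name='RpcSs'"
"RpcSs runs as: $($rpc.StartName)  (state: $($rpc.State))"

# 2. Who holds 'Impersonate a client after authentication' (SeImpersonatePrivilege)?
#    secedit /export writes the local security database to an .inf file in which
#    user rights are listed as SIDs prefixed with '*', e.g.
#    SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege' }
Remove-Item $inf -ErrorAction SilentlyContinue

# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SERVICE
$required = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-6' = 'SERVICE' }
foreach ($sid in $required.Keys) {
    # Anchor on ',' or end of line so S-1-5-6 does not match S-1-5-64-... SIDs
    $pattern = '\*' + [regex]::Escape($sid) + '(,|\s*$)'
    if ($line -and ($line -match $pattern)) {
        "OK      $($required[$sid]) ($sid) holds SeImpersonatePrivilege"
    } else {
        "MISSING $($required[$sid]) ($sid) lacks SeImpersonatePrivilege (step 3 of the post)"
    }
}

# 3. Can NETWORK SERVICE read HKEY_CLASSES_ROOT\CLSID?
#    The machine-wide half of HKCR\CLSID lives at HKLM\SOFTWARE\Classes\CLSID.
$key = 'HKLM:\SOFTWARE\Classes\CLSID'
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$acl = Get-Acl $key
$readers = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($readers -contains $_.IdentityReference.Value) -and
    (($_.RegistryRights -band $readKey) -eq $readKey)
}
if ($hasRead) {
    $who = ($hasRead | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    "OK      $key grants Read to: $who"
} else {
    "MISSING $key grants Read to none of NETWORK SERVICE, Authenticated Users, Users (step 4 of the post)"
    if ($Fix) {
        # Step 4: add Read for Authenticated Users, inherited by every child key.
        $id = 'NT AUTHORITY\Authenticated Users'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($id, $readKey, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
        "FIXED   added Read for $id on $key (inherited by subkeys)"
    }
}
```

Run it once before the policy change to confirm which of the two conditions is broken, and again after the reboot to confirm both report OK. On a domain controller the right is governed by the Domain Controller Security Policy rather than the local policy, so if the secedit export disagrees with what you set in the GPO, re-run gpupdate and check again; on Windows 2003 the secedit /mergedpolicy switch can export the merged domain and local view for comparison.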

I hope this helps; if it does, it’ll at least save you the couple of hours we went through to track down the issue…

This entry was posted in Work. Bookmark the permalink.
