Guido-
You might want to check the Win2K security hardening guide templates as a culprit. Those have a tendency to make a lot of changes to file, registry and service security. If one or more of those were imported into the GPO, that could explain the fun you've had.
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, November 08, 2004 5:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

Hello folks,
 
I've just had a very curious issue at a customer, which took us a while to figure out. You should all be aware of this as it could hurt you as well. After testing everything successfully in the lab (and ADPREPing the production forest + domains), we in-place upgraded the first production DC from Win2000 to Win2003 and it failed with errors such as a crashing LSASS and a DHCP service which couldn't start due to an access violation, etc.
 
It turns out that this was caused by a lengthy list of policy settings on the Def Domain and Def DC Policy, which configured security (ACLs) on over one hundred registry keys and file system folders and files.
 
The resulting permissions were OK for Windows 2000, but incompatible with Windows Server 2003 - e.g. the DHCP Client Service and the TCPIP Service require specific permissions on their respective registry keys for the DHCP service to start via the new Network Service account. I see others on this list have also had issues with the DHCP service, which may be related to the same thing.
Although we have now fixed the issue by cleaning the policies and un-promoting the DC and reinstalling it from scratch (since the 2003 OS's default permissions were effectively overwritten by the policy), I am looking for clues on how these weird settings were introduced to the Def Dom and the Def DC policy in the first place.
 
The settings were definitely not added manually "by accident" - more likely by some whacky setup routine. Does anybody have any ideas or experience with respect to services/apps which could have changed the domain policies in this way?
 
 
Thanks for any feedback,
Guido
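As an added example (not code from the thread), the following Python audits the [Registry Keys] and [File Security] sections of a GPO security template, the GptTmpl.inf that a GPO such as the Default Domain or Default DC Policy stores under SYSVOL, for entries that replace existing ACLs or lock NETWORK SERVICE out of the service keys named above. It assumes the standard `"path",mode,"SDDL"` line format and uses a constructed sample template; the watch list is an assumption.

```python
import re
from typing import NamedTuple

# Constructed excerpt of a GptTmpl.inf (SYSVOL\...\Machine\Microsoft\Windows NT\SecEdit\).
# Entry format: "path",mode,"SDDL"  where mode 0 = propagate inheritable permissions,
# 1 = replace existing ACLs on the object and all children, 2 = do not replace.
SAMPLE_INF = r'''[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",1,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",1,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;NS)"
"MACHINE\SOFTWARE\Classes",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
[File Security]
"%SystemRoot%\system32\dhcp",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
'''
# Service keys the post says need NETWORK SERVICE access on Windows Server 2003
# (constructed watch list; "NS" is the SDDL alias for NT AUTHORITY\NETWORK SERVICE).
WATCH_PREFIXES = (r"MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",
                  r"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip")
ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)",(?P<mode>[012]),"(?P<sddl>[^"]*)"$')
ACE_RE = re.compile(r"\(([^)]*)\)")
AclEntry = NamedTuple("AclEntry", [("section", str), ("path", str), ("mode", int), ("sddl", str)])

def parse_template(text):
    """Return ACL entries from the [Registry Keys] and [File Security] sections only."""
    entries, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section in ("Registry Keys", "File Security") and (m := ENTRY_RE.match(line)):
            entries.append(AclEntry(section, m["path"], int(m["mode"]), m["sddl"]))
    return entries

def allowed_sids(sddl):
    """SIDs/aliases granted by Allow ACEs in the DACL part of an SDDL string."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    return {f[5] for f in (ace.split(";") for ace in ACE_RE.findall(dacl))
            if len(f) == 6 and f[0] == "A"}

def audit(entries):
    """Flag entries that overwrite OS defaults or give NETWORK SERVICE nothing on watched keys."""
    findings = []
    for e in entries:
        if e.mode == 1:
            findings.append(f"{e.section}: {e.path} replaces existing ACLs (mode 1)")
        if e.section == "Registry Keys" and e.path.upper().startswith(
                tuple(p.upper() for p in WATCH_PREFIXES)) and "NS" not in allowed_sids(e.sddl):
            findings.append(f"{e.section}: {e.path} grants nothing to NETWORK SERVICE")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_template(SAMPLE_INF))))
```

Run it against the GptTmpl.inf exported from each of the two default policies to list exactly which keys and folders the policy rewrites before an in-place upgrade.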
 
