RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security

[Salandra, Justin A.]

That also might explain why your test environment did not have these issues and your production environment did.   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, November 08, 2004 11:43 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security   Guido- You might want to check the Win2K security hardening guide templates as a culprit. Those have a tendency to make a lot of changes to file, registry and service security. If one or more of those were imported into the GPO, that could explain the fun you've had.   Darren   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, November 08, 2004 5:57 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security Hello folks,   I've just had a very curious issue at a customer, which took us a while to figure out. You should all be aware of this as it could hurt you as well.  After testing everything successfully in the lab (and ADPREPing the production forest + domains), we've inplace-upgraded the first production DC from Win2000 to Win2003 and it failed with errors such as a crashing LSASS and a DHCP service, which couldn't start due to access violation etc.   It turns out that this was caused due to a lengthy list of policy settings on the Def Domain and Def DC Policy, which configured Security (ACL) over one hundred registry keys and File System folders and files.   The resulting permissions were ok for Windows 2000, but incompatible with Windows Server 2003 - e.g. the DHCP Client Service and the TCPIP Service require specific permissions on their respective registry keys for the DHCP service to start via the new Network Service account. I see other's in this list have also had issues with the DCHP service, which may be related to the same thing.   Although we now fixed the issue by cleaning the policies and un-promoting the DC and reinstalling it from scratch (since the 2003 OS's default permissions were effectively overwritten due to the policy), I am looking for clues on how these weird settings were introduced to the Def Dom and the Def DC policy in the first place?     The settings were definitely not added manually "by accident" -  more likely by some whacky setup routine.  Does anybody have an ideas or experience with respect to services/apps which could have changed the domain policies in this way?     Thanks for any feedback, Guido