Hi, I have a problem here that I can't seem to find any solution for. I ran adprep and installed the first 2003 DC on our Windows 2000 domain and things looked good, no errors and it's authenticating. I moved the FSMOs to it, and plan to leave most of the Windows 2000 DCs in place for a while since we'll be replacing their hardware and installing new instances of Server 2003 to replace them. When I brought the second Server 2003 DC online and promoted it, the DHCP client service, MSDTC service, and SysPerfMon service failed to start with "access denied".
I've found several references to this being caused by the Network Service account not existing or not resolving, but I have the PDC Emulator role on a Server 2003 DC and I can add the Network Service account to the ACL of folders on the DC that's giving me trouble, so the account name is resolving. I installed another instance of Server 2003 and promoted it to rule out a problem with that installation, and it behaves the same way. I have moved the PDC Emulator role back to the Windows 2000 DC, waited longer than the replication period just in case, and moved it back to the Server 2003 DC.
I can go into the registry and change the permissions on the appropriate keys and get the services to start. If I reboot, the services will continue to start, but by the next day the permissions have reverted, removing the NetworkService account from the ACL on the registry keys, so a reboot the next day will result in the services failing to start and sometimes they'll fail out on their own, without the reboot.
I thought this might be due to a security policy on the Default Domain Controller GPO, so I went to the original Server 2003 DC and used Security Configuration and Analysis to implement the DC policy, with no change. Doing an RSOP I don't see anything on the Server 2003 DCs that would be removing this acct from the ACL. There's a reference to the Tcpip reg key but it only adds Read permission to Everyone.
When I add a GPO to make the registry changes and apply it to the Server 2003 DC that's giving me trouble, it adds the NetworkService account to the ACLs on the MSDTC reg key and the SysPerfMon reg key but doesn't add it to the Dhcp reg key.
Here are the events I'm getting:
Application:
Source | Event | Description
SysmonLog | 2003 | Unable to open the Performance Logs and Alerts configuration. This configuration is initialized when you use the Performance Logs and Alerts Management Console snapin to create a Log or Alert session.
MSDTC | 4112 | Could not start the MS DTC Transaction Manager.
MSDTC | 4185 | MS DTC Transaction Manager start failed. LogInit returned error 0x5.
MSDTC | 4163 | MS DTC log file not found. After ensuring that all Resource Managers coordinated by MS DTC have no indoubt transactions, please run msdtc -resetlog to create the log file.
System:
Source | Event | Description
Service Control Manager | 7024 | The Performance Logs and Alerts service terminated with service-specific error 2003 (0x7D3).
Service Control Manager | 7024 | The Distributed Transaction Coordinator service terminated with service-specific error 3221229584 (0xC0001010).
Service Control Manager | 7023 | The DHCP Client service terminated with the following error: Access is denied
Would anyone have any suggestions on what to try next, or what to try again? Thank you for anything that might help me get this figured out.