When you add Windows Server 2003 SP1 domain controllers to an existing domain that has Windows 2000 domain controllers, several issues will pop up. There is an issue with the Windows Time Service and an issue with the MSDTC service. The issues all have to do with changes in the security configuration of Windows 2003 SP1.
Because your new domain controller gets its security settings from the Default Domain Controllers policy, which dates from the Windows 2000 timeframe, those settings do not work with Windows 2003 SP1.
This post provides some details about these issues and how to resolve them.
Windows Time Service Errors
You will see an error from source W32Time with event ID 46 and the following description:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
The reason for this error is that Windows 2003 SP1 runs the time service under the NT AUTHORITY\LocalService account. That account needs the right to change the Windows time. You should grant that right in the Default Domain Controllers Policy or create a separate policy for Windows 2003 domain controllers with that right. In the policy, navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and then set the user right “Change the system time” as shown below.

You will also need to change the configuration of services in the domain controller’s policy in AD. In the policy, go to Computer Configuration, Windows Settings, Security Settings, System Services. On the Net Logon and Windows Time service, set the settings as below:

Click Edit Security and set as below:

The rights for Administrators and SYSTEM are Full Control.
After you have set the user right and configured the Net Logon and Windows Time services, reboot the server. When the server comes back up, check that the Windows Time service is started. To verify that time sync is happening, open a command prompt and type w32tm /monitor. You should see that the Windows 2003 domain controller syncs with its PDC (check the refid). If not, run w32tm /resync and then try w32tm /monitor again. Also check the System log for an event from the W32Time source with event ID 35 (The time service is now synchronizing…).
MSDTC Errors
You might see the following MSDTC errors:
- Event with source MSDTC, ID 53258: MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1
- Event with source MSDTC, ID 4439: Failed to verify MS DTC service account information. Internal Information : msdtc_trace : File: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp, Line: 9390, VerifyAccountInfo: CService::Create failed, hr=0x80070005
To get rid of the first event, do the following:
- From Administrative Tools, start Component Services.
- In the MMC snap-in, go to Component Services, Computers, My Computer.
- Open the properties of My Computer and click the MSDTC tab.
- Click the button Security Configuration.
- Do not change anything, just click OK (silly, I know).
- Click OK again and then close the MMC.
Stop and start MSDTC. The event with ID 53258 should not appear anymore.
To get rid of the 4439 event, do the same as for the Windows Time Service. In the System Services section of the server’s policy in AD, give the account SERVICE read/start/stop rights. Refresh group policy with gpupdate /force and then restart MSDTC. The error should disappear.
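To check that both fixes above (the time service right and the service permissions) have actually taken effect on a domain controller, here is an added PowerShell script that is not part of the original post. It assumes Windows PowerShell is installed on the DC and that it runs as an administrator; it exports the effective user rights with secedit, checks the three services, and counts the event IDs discussed above in the System log.

```powershell
# Added example, not from the original post: verify on a Windows Server 2003 SP1
# domain controller that the fixes described above are in place.
# Assumptions: Windows PowerShell is installed on the DC; run as an administrator.

function Test-LocalServiceTimeRight {
    # Export the effective user rights and check whether LOCAL SERVICE (well-known
    # SID S-1-5-19) holds "Change the system time" (SeSystemtimePrivilege).
    $inf = Join-Path $env:TEMP 'rights-check.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [bool]($line -and $line -match '\*S-1-5-19')
}

function Test-ServicesRunning {
    # The fixes depend on Net Logon, Windows Time and MSDTC all being able to run.
    $result = @{}
    foreach ($name in 'Netlogon', 'W32Time', 'MSDTC') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result[$name] = ($svc -ne $null -and $svc.Status -eq 'Running')
    }
    return $result
}

function Get-RelevantEvents([int]$Hours = 24) {
    # Bad signs: W32Time 46, MSDTC 53258 and 4439. Good sign: W32Time 35 (synchronizing).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue
    $bad  = $events | Where-Object {
        ($_.Source -eq 'W32Time' -and $_.EventID -eq 46) -or
        ($_.Source -eq 'MSDTC' -and ($_.EventID -eq 53258 -or $_.EventID -eq 4439)) }
    $good = $events | Where-Object { $_.Source -eq 'W32Time' -and $_.EventID -eq 35 }
    return @{ Bad = @($bad); Good = @($good) }
}

# Report the results.
if (Test-LocalServiceTimeRight) { 'OK   : LOCAL SERVICE holds "Change the system time"' }
else { 'FAIL : LOCAL SERVICE lacks SeSystemtimePrivilege; fix the DC policy, then gpupdate /force' }

$services = Test-ServicesRunning
foreach ($name in $services.Keys) {
    if ($services[$name]) { "OK   : $name is running" } else { "FAIL : $name is not running" }
}

$ev = Get-RelevantEvents
"Bad events (W32Time 46, MSDTC 53258/4439) in the last 24h : $($ev.Bad.Count)"
"W32Time 35 (time service synchronizing) in the last 24h   : $($ev.Good.Count)"
$ev.Bad | Select-Object TimeGenerated, Source, EventID | Format-Table -AutoSize

# Finally, confirm the DC syncs with the PDC emulator, as described above (check the refid).
w32tm /monitor
```

If the user right check fails right after editing the policy, refresh with gpupdate /force and re-run before assuming the policy is wrong.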
Hope this helps…