Promoting virtualized Windows 2012 R2 OEM German Edition Member Server to Domain Controller in existing domain

Dear all,

I have a problem I can't solve by myself. I have a flawlessly running Windows 2012 R2 Standard OEM Version in German on a VMware ESXi 5.5 host, which I promoted to be an additional Domain Controller in an existing domain. After adding AD Services and rebooting, the server does not work as expected.

- the server is no longer activated and can't be activated again, and some services are not started (Error 5, Access denied)

I found out that most of the problems are related to the stopped SoftwareProtectionService

There are some suggestions to edit (windir) folder and registry permissions for NetworkService etc.

These changes solve the problems for a while, but after a few hours Windows resets the changed permissions to default values and the failures arise again.

What has to be done to get this server stable? How can it be that such an essential function is not running out-of-the-box?

I reinstalled the server three times from scratch, and always after promoting these problems arise.

I hope someone can help me with this issue. I have spent hours and hours on it until now and I don't have new ideas.

Thank you very much in advance.

Best regards,

Rick

March 25th, 2015 8:46am

Tweaking the registry is not a supported practice by Microsoft, so the clean way to proceed is to rebuild your server from scratch.

To do that, you can proceed as follows:

  • Apply your workaround on the faulty VM to bring it back online
  • Create a new VM and promote it as a DC/DNS/GC server
  • Transfer FSMO roles to the new VM
  • Use dcdiag and repadmin commands to make sure that your DCs are in healthy state and that AD replication is okay
  • Demote the faulty VM and remove it

Please also install the available Windows Updates and make sure that it is up-to-date. That will let you be sure that all known bugs are

March 25th, 2015 3:25pm

Thank you very much for your support.

As mentioned I did this three times with a fresh VM and a new install. All three times with the same result.

After additional research I came to the conclusion that it might be related to the "Default Domain Controller Policy", which was managed by another person in the past. Therefore I decided to go the at last successful way and edited this GPO and set the required access rights there.

I know it is not the clean way, but I'm a little afraid to drop the "Default Domain Controller Policy" and to create a new one.

Kind regards,

Rick

March 26th, 2015 8:14am

You can fix these GPOs and revert back to the original configuration using dcgpofix: https://technet.microsoft.com/en-us/library/hh875588.aspx?f=255&MSPPError=-2147217396
March 26th, 2015 9:06pm

Yes that is right.

I copied the VM into a test lab environment and used dcgpofix. Afterwards I compared the policies and found that every additional entry under local policies - access rights was reset. In fact that was what I expected and was afraid of. I will have to do further examination before I decide to revert or stay with today's DDCP.

Best regards,

Rick

March 27th, 2015 10:04am
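
The before/after comparison of user rights described in the post above can be scripted. The following PowerShell is an added example, not code from the thread: the function names `Get-PrivilegeRights` and `Compare-PrivilegeRights` are hypothetical, and the two INF snippets are constructed sample data that do not represent real policy defaults.

```powershell
# Constructed sample data (not from the thread, not real policy defaults):
# the [Privilege Rights] section of a GPO's GptTmpl.inf before and after a reset.
$customized = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeBatchLogonRight = *S-1-5-32-544
'@
$restored = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20
SeBackupPrivilege = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544
'@

# Hypothetical helper: parse the [Privilege Rights] section into right -> SID list.
function Get-PrivilegeRights {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

# Hypothetical helper: report every right whose principal list differs.
function Compare-PrivilegeRights {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($name in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $b = @(if ($Before.ContainsKey($name)) { $Before[$name] })
        $a = @(if ($After.ContainsKey($name)) { $After[$name] })
        $removed = @($b | Where-Object { $a -notcontains $_ })
        $added = @($a | Where-Object { $b -notcontains $_ })
        if ($removed.Count -or $added.Count) {
            [pscustomobject]@{ Right = $name; Removed = $removed -join ', '; Added = $added -join ', ' }
        }
    }
}
# With real files, load each export with: Get-Content -Raw <path to GptTmpl.inf>
Compare-PrivilegeRights (Get-PrivilegeRights $customized) (Get-PrivilegeRights $restored) | Format-Table -AutoSize
```

Rights that are identical in both files are omitted from the output, so only the entries a reset would remove or add need to be reviewed.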

Dear Ahmed,

fixing the screwed up default domain controller policy was the solution. But... fixing it was only one part of it.

After dcgpofix I had to demote the affected server and to promote it again. A pure gpupdate /force on the domain controller was not sufficient at all.

Kind regards,

Rick

April 9th, 2015 2:57am

This topic is archived. No further replies will be accepted.
