RPC service not started on DC
I have a Win2k3 SP2 DC. After some Windows updates the other day the server was bounced. After logging on, the server exhibits strange behaviour such as not displaying pages and not being able to really run anything. There are no shares either.
Anyway, I found this article http://blogs.technet.com/perfguru/archive/2008/07/15/services-not-starting-after-installing-service-pack-on-windows-2003-server.aspx and followed the steps and it has seemed to work; however, when I change the value of Value data back to NT AUTHORITY\NetworkService and restart, the strange behaviour comes back.
Software on this DC is limited to Adobe Acrobat Reader 6.0, Symantec AV and PC Anywhere.
Anyone have any ideas?
November 10th, 2008 1:50pm
Hi Michael,
What kind of update have you implemented on the DC recently? There are some problems reported after installation of SP2 or related updates on Windows Server 2003. I am posting a link to a generic Microsoft article for more visibility.
http://support.microsoft.com/default.aspx?scid=kb;en-us;812519
I am also attaching a possible reason for the problem and a step-by-step procedure below in case you have missed something in the previous diagnosis.
RPC Service starting problem after installing SP2
Windows Server 2003 SP2 is a combination of security updates, functionality updates, and new features. SP2 contains the latest collection of updates to help improve the security, reliability, and performance of the following operating systems. As with Windows Server 2003 SP1, it makes some significant changes to security, including the startup account for services, DCOM security, etc. Since Windows Server SP2 has stronger defaults and privilege reduction on services, it may result in some issues after installing Windows 2003 SP2.
Here are some typical security related issues after installing SP2:
Windows 2003 SP2 uses the Network Service account for the RPC service. Prior to SP2 and SP1, the OS was using the Local System account for the same. After installing SP2 for Windows Server 2003, services that use the Network Service or Local Service account will not start.
Have you ever encountered the following problem?
The RPC service, or other services set to automatic that depend on RPC, will not start properly. For example, when trying to start the service, you get the error "Error 1068: The dependency service or group failed to start".
Network connection fails to open or Network adapter icons do not appear in Network Connections.
Incoming and outgoing network communication fails
COM+, Volume Shadow Copy and Shell Hardware Detection services are in the starting state
You receive "Access is denied" when selecting the Dependencies tab of a service that does not start
Why?
The Remote Procedure Call (RPC) service has been changed from the Local System account to the Network Service account for better security. The Impersonate a client after authentication right is required to include Administrators and the SERVICE group if the RPC service runs as the Network Service account.
What can we do if we meet with the issue?
a. Open the Group Policy configuration window (gpedit.msc or open it in Active Directory Users and Computers).
b. Locate the policy entry: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication.
c. Ensure that the Administrators group and the SERVICE group are granted this privilege.
d. If the problem remains, correct the Access Control List for HKEY_CLASSES_ROOT\CLSID (and all child keys and values) to ensure NT Authority\Network Service can read. This can be accomplished by adding Authenticated Users or Users group and providing Read permissions.
Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.
e. In the Enter the object names to select box, type Administrators, and then click OK.
f. Repeat step d through e for the SERVICE group account.
g. Click OK to close the Impersonate a client after authentication Properties dialog box.
h. On the File menu, click Exit.
i. Restart the computer.
If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer.
Hoping this helps you resolve the issue. Keep us updated.
Regards,
Tilak
IT Consultant
November 11th, 2008 10:13am
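One way to verify steps b through d of the procedure above from a shell, given as an added example that is not part of the original thread or of any Microsoft article. The function names are hypothetical, the sample export is constructed, and the comparison assumes the export lists well-known accounts in `*SID` form.

```powershell
# Added example. Audits the "Impersonate a client after authentication" right
# (SeImpersonatePrivilege) and read access on HKEY_CLASSES_ROOT\CLSID.
$RequiredForImpersonate = @{          # well-known SIDs of the accounts in step c
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-6'      = 'NT AUTHORITY\SERVICE'
}

function Get-UserRightHolder {
    # Returns the holders listed for one right in "secedit /export" INF text.
    param([string[]]$InfLines, [string]$Right)
    $inRights = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inRights -and $t -match ('^' + [regex]::Escape($Right) + '\s*=\s*(.*)$')) {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: no account holds it
}

function Get-MissingImpersonateHolder {
    # Names the required accounts that do NOT hold SeImpersonatePrivilege.
    param([string[]]$InfLines)
    $held = Get-UserRightHolder -InfLines $InfLines -Right 'SeImpersonatePrivilege'
    $RequiredForImpersonate.GetEnumerator() |
        Where-Object { $held -notcontains $_.Key } |
        ForEach-Object { $_.Value }
}

function Test-ClsidReadable {
    # True if Authenticated Users (S-1-5-11) or Users (S-1-5-32-545) has an Allow
    # rule with read rights on the top-level key (child keys are not walked).
    $rules = (Get-Acl -Path 'Registry::HKEY_CLASSES_ROOT\CLSID').GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        @('S-1-5-11', 'S-1-5-32-545') -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $read) -eq $read
    })
}

# Constructed sample export in which the SERVICE group is missing from the right.
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544
'@ -split "`r?`n"
Get-MissingImpersonateHolder -InfLines $sample
```

On the server itself, produce the input with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and pass `(Get-Content rights.inf)` as `-InfLines`; an empty result means both accounts hold the right.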
Hi Tilak,
Firstly, thank you for your reply.
The server was built with a SP2 integrated CD and I don't think there were any issues then. I think the issues started after KB949014 and KB951746 were installed and the server was restarted.
Prior to my post I had checked the following:
The policy entry: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication had the Administrators group and the SERVICE group. I had to make this change using the local group policy editor as I got an error when trying to run the Domain Controller Security Policy.
Added the Users group (Authenticated Users was already there) and provided Read permissions to HKEY_CLASSES_ROOT\CLSID (and all child keys and values).
So it seems somewhat fixed running under the LocalSystem account but I still get errors trying to run some snap-ins like group policy etc.
Any more ideas?
Regards,
Michael
November 13th, 2008 12:48pm
Hi Michael,
As you said, you got some errors when trying to run some snap-ins like the Group Policy snap-in after you applied KB949014 and KB951746. Could you please describe the error message in detail? If possible, please take a screenshot when the error message appears.
Would you please follow these steps to verify that the Administrators group has adequate permission on the computer?
1. Launch Component Services to check the DCOM properties and see if the Administrators group has permission on My Computer
Dcomcnfg -> Right-click "My Computer" -> Properties -> COM Security -> Access Permission -> Edit Default -> check if the "Administrators" group has both Local Access and Remote Access permission
2. If the issue continues, please refer to the following KB article to check if you have disabled SMB signing on the problematic server before, which may possibly cause the issue.
You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server service on a domain controller
http://support.microsoft.com/kb/839499
3. Afterwards, you may consider using the installation disc of Windows Server 2003 SP2 to perform an in-place upgrade of the problematic server.
Please refer to:
How to Perform an In-Place Upgrade of Windows Server 2003
http://support.microsoft.com/kb/816579/en-us
Hope it helps.
David Shen - MSFT
November 21st, 2008 1:45pm


