Windows Server 2008 DHCP Server in SBS 2003 Domain Issue
I installed a Windows Server 2003 R2 box as an additional domain controller in our SBS 2003 domain. As a domain controller, it is all working - replication fine, DNS fine. The issue I'm having and have had since installation is the DHCP Server. After a reboot, the DHCP Server service will not start. The error is "Access Denied".

Checking the DHCP Server service, it runs under the "NETWORK SERVICE" account by default. Checking the C:\Windows\System32\DHCP folder, the NETWORK SERVICE account doesn't have any permissions on this folder. Therefore, I can see why the error exists, but I am having trouble putting a permanent fix in place. If I manually edit the security on the folder, and give the NETWORK SERVICE account full access, I can start the DHCP server and it serves clients on the network. But, 5 mins later you can check the permissions and they have been removed.

I have tracked this down to the "Default Domain Controllers Policy" in group policy. Our domain was first created as a SBS 2003 domain. Should installing a Windows Server 2008 domain controller alter the policy so that the correct folder permissions are locked down or what? The server is a domain controller. It is therefore in a group called "Default domain controllers", which has a GPO applied to it called "Default Domain Controllers Policy". The policy appears to control the security on the domain controllers, setting file and registry based permissions. I would not want to unlink this GPO, or indeed change it without seeing a document from Microsoft recommending it.
December 2nd, 2011 5:19am

There are two possible reasons.

1. You are on the right track. Here is how to finish the task: http://support.microsoft.com/kb/895149
2. The AV program is making the trouble. Exception rules are not set correctly: http://support.microsoft.com/kb/927059

Regards
Milos
December 2nd, 2011 5:53am

Hi Milos,

I have read the first article already. It is talking about an upgrade from Win2k to Win2k3. I'm just putting a Win2k server into a SBS 2003 domain. I think that adding the "network service" account with Full Access permissions from the "Default Domain Controllers Policy" would likely solve the issue, but I want to see an MS KB article saying such.

I understand that in Win2k3, the DHCP Server service runs as "Local System" whereas for security this has changed in Win2k8 to run as "Network Service". Therefore, somewhere along the lines something or somebody must need to change the Default Domain Controllers Policy - but why is this not documented anywhere?
December 2nd, 2011 6:03am

Hi Mark,

In this case I would suggest digging a bit deeper with Process Monitor for ongoing processes and Process Monitor to catch the dependencies. There are a lot of dark spots that are not published or are hidden deeply in the "cloud". Many settings are inherited from previous versions of the operating system. The article in question targets W2K3 and this is why I guessed that it may help. In any case I would rely on the Sysinternals tools that I have mentioned above.

Regards
Milos
December 2nd, 2011 7:19am

Hi,

I don't immediately see any reference to SysInternals tool? Also, I can clearly see the issue - group policy is setting a folder permission, not including the Network Service account. Windows Server 2008 DHCP runs under this context, therefore can't access the folder. The problem is clear cut and plainly evident; what isn't obvious is the MS documentation to say change it!

I've actually made a change to the "Default Domain Controllers Policy" now to give Network Service full access permissions only to C:\windows\system32\dhcp, but I still want to see the official documentation!!

Regards
Mark
December 2nd, 2011 7:23am
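
The cause identified above is a group policy file-permission entry for C:\Windows\System32\dhcp whose ACL has no entry for NETWORK SERVICE. As an added example (not code from this thread or from Microsoft), the PowerShell below parses such an entry in the security-template `[File Security]` form (`"path",mode,"SDDL"`) and reports the ACE, if any, for NETWORK SERVICE (S-1-5-20). The two sample lines and the helper name `Get-TemplateAce` are constructed for illustration.

```powershell
# Constructed [File Security] entries in security-template form: "path",mode,"SDDL".
# Illustrative only; not copied from a real Default Domain Controllers Policy.
$before = '"%SystemRoot%\system32\dhcp",0,"D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"'
$after  = '"%SystemRoot%\system32\dhcp",0,"D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FA;;;NS)"'

function Get-TemplateAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Line,
        [string]$Sid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
    )
    # Split the entry into path, mode and SDDL string.
    if (-not ($Line -match '^"(?<path>[^"]+)",(?<mode>\d+),"(?<sddl>[^"]+)"$')) {
        throw "Not a [File Security] entry: $Line"
    }
    $path = $Matches['path']
    # Parse the SDDL into a security descriptor and walk its DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Matches['sddl']
    $aces = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $Sid })
    if ($aces.Count -eq 0) {
        # Policy refresh will reset the folder to an ACL that omits this account.
        return New-Object psobject -Property @{
            Path = $path; Sid = $Sid; Type = 'none'; Mask = $null; Inherit = $null
        }
    }
    foreach ($ace in $aces) {
        New-Object psobject -Property @{
            Path    = $path
            Sid     = $Sid
            Type    = $ace.AceQualifier              # AccessAllowed or AccessDenied
            Mask    = '0x{0:X}' -f $ace.AccessMask   # 0x1F01FF is full control (FA)
            Inherit = $ace.AceFlags                  # ObjectInherit, ContainerInherit
        }
    }
}

# Compare the entry without and with a NETWORK SERVICE ACE.
$before, $after | ForEach-Object { Get-TemplateAce -Line $_ } |
    Format-Table Path, Sid, Type, Mask, Inherit -AutoSize
```

On a domain controller, the real entries can be read from the policy's GptTmpl.inf under SYSVOL and passed to the function one line at a time.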

Mark,

Is DHCP authorized in the domain? Here is an article that aims at W2K3 DHCP: http://support.microsoft.com/kb/938456/en-us

Regards
Milos
December 2nd, 2011 1:19pm

This topic is archived. No further replies will be accepted.
