Domain Controller Security Policy errors
From: Karen Swanberg (swanberg_at_NOSPAM.umn.edu)
Date: 02/25/04
- Next message: Rob: "GPO Software Installation"
- Previous message: Jerold Schulman: "Re: Windows 2000 Inactive Domain Accounts"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 25 Feb 2004 07:39:23 -0600
Greetings, all
I'm having some problems with my domain. I can't edit the Domain
Security Policy or the Domain Controller Security Policy. Nor can I add
a second DC to the domain.
First, a description of the setup:
Currently, one Domain Controller, running Win2K Server (SP4, build 2195,
fully patched for critical updates) running on an Intel chip. 0.5G RAM.
The DC is also a print and file server. There is only one NIC.
Roughly 20 workstations in the Domain, all WinNT, Win2K or WinXP. All of
this is behind an OpenBSD 3.4 firewall (PF) running NAT (172.16.0.0)
which does allow DNS queries in and out of the LAN to the University's
DNS servers.
A very thorough outline of what I've tried, and details of my setup, are
in the next section.
* Checked out Q290647, "Event ID 1000, 1001 Is Logged Every Five Minutes
in the Application Event Log"
Permissions were all set correctly on the various folders, EXCEPT, on
\sysvol\sysvol\domain\ the Group Policy Creator Owner did NOT have
Modify rights. I fixed that and rebooted.
While following this document, it says:
"2. Expand Active Directory Users and Computers, and then expand the
domain name.
3. Right-click Domain Controllers, and then click Properties.
4. On the Group Policy tab, click Default Domain Controllers Policy, and
then click Edit."
When I do that, I get a dialog that says:
The domain controller for Group Policy operations is not available. You
may cancel this operation for this session or retry using one of the
following domain controller choices:
** The one with the Operations Master token for the PDC emulator.
** The one used by the Active Directory Snap-Ins.
** Use any available Domain Controller.
For EACH one of these, if I choose it, I get a "You do not have
permission to perform this operation. Access is denied" error.
I've double-checked that my server has all of its FSMO roles:
(O'Reilly's Active Directory book, pg. 305)
c:\ ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server SERVER
Binding to SERVER ...
Connected to SERVER using credentials of locally logged on user
Server connections: quit
fsmo maintenance: seize schema master
Attempting safe transfer of schema FSMO before seizure.
FSMO transferred successfully - seizure not required.
Server "SERVER" knows about 5 roles ...
[and SERVER has all 5]
*** Next Section ***
I forwarded the server.FQDN.dns file to the University DNS server
admins, and they added the information to the U DNS servers (which I
think are running BIND).
Microsoft networking is not allowed through the firewall.
DNS is set up on the server, set with forwarding to the U DNS
servers. I have tried it both using the .dns file and using AD to manage
the DNS. I'm perfectly willing to believe that I'm doing something
drastically wrong with the DNS, and that's causing this problem.
The Domain controller crashed about 6 months ago due to a toasted HD,
and it hasn't worked all that well since, after the rebuild.
Specifically the issues are:
1) When I try to edit the Domain Controller Security Policy, or the
Domain Security Policy, I get this error: "You do not have permission to
perform this operation. Access is denied."
-I am logged in as the administrator (built-in) account, and I have
tried giving the account Enterprise Admin permissions. Didn't help.
2) In the Application Event Log, I'm getting this, every 5 minutes:
Type: Error EventID: 1000
Windows cannot access the registry information at:
\\server\sysvol\server\Policies\
{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).
3) When I try to add a second Domain Controller to the domain, I get
this error:
"The domain 'domain' cannot be contacted. Ensure that the DNS domain is
typed correctly. This condition may be caused by a DNS lookup problem.
If this domain was recently created, its name may not yet be registered
with the Domain Naming Service. For more information about
troubleshooting common DNS lookup problems, please see the following
Microsoft website: http://go.microsoft.com/fwlink/?LinkId=5171
or this error (when running DCPromo on the second DC):
"The wizard cannot gain access to the list of domains in the Forest..."
[and continues the error above, with the same link to 5171]
Two other important things:
A) I ran the DC through many of the SANS step-by-step securing tips. I
can enumerate exactly which ones. But particularly, currently the
domain security policy has these set:
USER RIGHTS ASSIGNMENTS
Access this computer from the network:
Local setting: Authenticated Users (AU from now on), Admins
Effective Setting: Admins, AU
[Is the order important?]
Deny access to this computer from:
Local Setting: blank
Effective Setting: blank
Impersonate a client after authenticating:
Local setting: Admin, SERVICE
Effective: Admin, SERVICE
SECURITY OPTIONS
Additional restrictions for anonymous connections:
Local: Do not allow enumeration of SAM accounts...
Effective: NO ACCESS WITHOUT EXPLICIT ANONYMOUS PERMISSIONS
(I think this is the crux of the problem of not being able to add the
second DC, but can't change it because of the Domain Security Permission
denied problem)
Digitally sign client communication (always)
Local: Enabled
Effective: Enabled
Digitally sign client communication (when possible)
Local: Disabled
Effective: Disabled
Digitally sign server communication (always)
Local: Disabled
Effective: ENABLED
Digitally sign server communication (when possible)
Local: Disabled
Effective: Disabled
LAN Manager authentication level:
Local: Send NTLMv2 response only\refuse LM & NTLM
Effective: Send NTLMv2 response only\refuse LM & NTLM
Secure channel: all are enabled for both Local and Effective.
Send unencrypted password to connect to 3rd Party...
Local: Disabled
Effective: Disabled
OK. Here's what I've tried to do to fix this problem.
* Gave admin Enterprise Admin privs.
* Read
http://www.microsoft.com/technet/security/community/security_faq.mspx,
but nothing seems to apply.
* Checked EventID.net for event IDs, and followed some of those
instructions (like uninstalling the IOMEGA backup software) but no luck.
** Searched GoogleGroups, and found and did this:
* http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=063501c1c52e%2442811d90%24a4e62ecf%40tkmsftngxa06&rnum=1&prev=/groups%3Fq%3D%2522domain%2Bcontroller%2Bsecurity%2Bpolicy%2522%2Bpermission%2Bdenied%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D063501c1c52e%252442811d90%2524a4e62ecf%2540tkmsftngxa06%26rnum%3D1
"I figured out what the problem was, I had myself logged in
on the server as the administrator, and on my PC, and that
reset the admin rights on the server. "
Shut down all of the computers besides the DC, to confirm there was only
one admin logged on. No Joy.
* Checked out (on the advice of some other posts in this NG):
http://support.microsoft.com/support/kb/articles/q226/2/43.asp
HOW TO: Reset User Rights in the Default Domain Group Policy (226243)
Did that, didn't work. Set the domain policy back to the malfunctioning
set.
http://support.microsoft.com/support/kb/articles/q267/5/53.asp
How to Reset User Rights in the Default Domain Controllers Group Policy
Object (267553). Same results as last KB article.
On the advice of some other posts in this NG, followed all the
instructions. No Joy.
* Confirmed that the DC has all of the FSMO roles.
It does.
* Logged in with an account with Admin rights, but isn't the built-in
Admin account. It experiences all of the same problems.
* Downloaded Open Handles, and ran it. Alas, I have no idea what the
output means. I would be happy to forward the file to anyone who asks.
* Virus protection is not CURRENTLY installed. Before the RAID crash,
this server was also a Symantec Corp. Ed. 7.6 server. That has not been
re-installed since the rebuild.
* Tried to remove the share from SYSVOL and re-create it. It was
re-created automatically on reboot.
My resources, and apparently my ability on Google to find new ideas, are
tapped out. Does anyone have any ideas about this Domain Security issue?
I would really rather not have to rebuild the domain...
Sincerely,
--
- Karen Swanberg | Sys Admin | Dept. of Geology and Geophysics -
206 Pillsbury Hall | 310 Pillsbury Dr. SE | University of Minnesota
Minneapolis, MN 55455 (612) 624-6541 (612) 625-3819 (f)
The day I see a Soil Microbe Beanie Baby,
I'll know we're getting somewhere.
- Barbara Kingsolver -
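The checks the post walks through by hand (FSMO ownership, DNS registration of the DC, permissions on the default GPOs' registry.pol in SYSVOL, and the anonymous-access, LM-authentication and SMB-signing settings the poster suspects) can be run as one script on a current Windows domain. The script below is an added example written for this page, not code from the original post, and it does not diagnose the poster's domain. It assumes a domain-joined admin console with the RSAT ActiveDirectory, GroupPolicy and DnsClient modules, PowerShell remoting to the PDC emulator, the two well-known GPO GUIDs ({31B2F340-016D-11D2-945F-00C04FB984F9} for the Default Domain Policy, which the poster's event log names, and {6AC1786C-016F-11D2-945F-00C04fB984F9} for the Default Domain Controllers Policy), and the standard Lsa, LanmanServer and Netlogon registry locations. The "REVIEW" thresholds in step 4 are assumptions chosen from the symptoms in the post.

```powershell
# Added example for this page, not code from the original post.
# Assumes: RSAT ActiveDirectory/GroupPolicy/DnsClient modules, a domain-joined
# admin session with read access to SYSVOL, and WinRM to the PDC emulator.
#Requires -Modules ActiveDirectory, GroupPolicy, DnsClient
param([string]$DomainName = (Get-ADDomain).DNSRoot)

$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest -Identity $domain.Forest

# 1. FSMO role holders: every one of the five roles should name a DC that answers.
"== FSMO roles =="
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $up = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
    '{0,-22} {1,-35} reachable={2}' -f $r.Key, $r.Value, $up
}

# 2. DNS: the DC-locator SRV records that dcpromo and domain joins look up must
#    exist in the zone the new machine actually queries (here: this console's resolver).
"== DC locator SRV records =="
foreach ($srv in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
    try {
        $targets = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }
        '{0} -> {1}' -f $srv, ($targets -join ', ')
    } catch {
        'MISSING {0}: {1}' -f $srv, $_.Exception.Message
    }
}

# 3. SYSVOL: Machine\registry.pol of each default GPO must be readable by
#    Authenticated Users and modifiable by the GPO owners. Win32 error (5), the
#    number in the poster's event log, is ERROR_ACCESS_DENIED on this file.
"== Default GPO registry.pol ACLs =="
$gpos = [ordered]@{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}
foreach ($g in $gpos.GetEnumerator()) {
    $pol = "\\$DomainName\SYSVOL\$DomainName\Policies\$($g.Value)\Machine\registry.pol"
    try {
        $acl = Get-Acl -Path $pol -ErrorAction Stop
        $authRead = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like '*Authenticated Users' -and
            $_.FileSystemRights -match 'Read|FullControl' }
        $ownerMod = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'Group Policy Creator Owners|Domain Admins|SYSTEM' -and
            $_.FileSystemRights -match 'Modify|FullControl' }
        '{0}: AuthenticatedUsersRead={1} OwnerModify={2}' -f $g.Key, [bool]$authRead, [bool]$ownerMod
        # The GPO object's own permissions in AD (GPC side) must agree with the SYSVOL (GPT) side.
        $perms = Get-GPPermission -Guid $g.Value -All | ForEach-Object { '{0}={1}' -f $_.Trustee.Name, $_.Permission }
        '    GPO object permissions: ' + ($perms -join ', ')
    } catch {
        '{0}: cannot read {1}: {2}' -f $g.Key, $pol, $_.Exception.Message
    }
}

# 4. Registry values behind the security options the poster lists, read on the
#    PDC emulator. Thresholds are this example's assumptions: RestrictAnonymous 2
#    is "No access without explicit anonymous permissions", LmCompatibilityLevel 5
#    is "Send NTLMv2 response only\refuse LM & NTLM", RequireSecuritySignature 1
#    on LanmanServer is "Digitally sign server communication (always)".
"== LSA / SMB settings on $($domain.PDCEmulator) =="
$regChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';        WarnAtOrAbove = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel';     WarnAtOrAbove = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'; WarnAtOrAbove = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name = 'RequireSignOrSeal';        WarnAtOrAbove = $null }
)
$values = Invoke-Command -ComputerName $domain.PDCEmulator -ArgumentList (,$regChecks) -ScriptBlock {
    param($checks)
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Name = $c.Name; Value = $v }
    }
}
foreach ($c in $regChecks) {
    $v = ($values | Where-Object Name -eq $c.Name).Value
    $flag = if ($null -ne $c.WarnAtOrAbove -and $null -ne $v -and $v -ge $c.WarnAtOrAbove) { 'REVIEW' } else { 'ok' }
    $shown = if ($null -eq $v) { 'not set' } else { $v }
    '{0,-26} = {1,-8} {2}' -f $c.Name, $shown, $flag
}
```

Run it from an elevated, domain-joined console as a member of Domain Admins; the user-rights assignments the post also lists (Access this computer from the network, Impersonate a client after authenticating) are not in the registry and can be dumped on the DC with `secedit /export /cfg <file>` and read from the [Privilege Rights] section of that file. A "REVIEW" flag only means the value matches one the poster reported as effective; whether it should be lowered depends on which down-level clients the domain still has to serve.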