Re: Group Policy broke my DCs

---

• From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx>
• Date: Thu, 13 Oct 2005 13:29:19 -0500

---

Keep in mind that services have dependencies and if a service that another
service depends on is not started the service will eventually stop. You need
to be very careful with tweaking services on domain controllers. Verify
that services set to automatic are indeed started. Run the support tools
netdiag, dcdiag, and gpotool on your domain controllers to see if they
report anything that may be of help and view the logs of the domain
controllers using Event Viewer to see what is reported. My guess is you will
see a lot of problems recorded with Event IDs that may help give you a
handle on the situation. You can also apply services configurations via
Group Policy - security policy at the OU level which makes it much easier to
undo changes by unlinking the GPO when problems arise. The list below is
complied from the Windows 2003 Server Security guide for baseline core
services which you may want to review for startup configuration. Windows
2000 may not have all these services possibly but it still can be used as a
guide. --- Steve

Windows 2003 services.


Baseline server ---------------------------

Automatic Updates - automatic
Background Intelligent Transfer Service - manual
Com+ Event System - manual
Computer Browser - automatic
Cryptographic Services - automatic
DHCP Client - automatic
DNS Client - automatic
Event Log - automatic
Ipsec Policy Agent - automatic
MS Software Shadow Copy - manual
Netlogon - automatic
Network Connections - manual
Network Location Awareness - manual
NTLM Security Support Provider - automatic
Performance Logs - manual
Plug and Play - automatic
Protected Storage - automatic
Remote Administration Service - manual
Remote Procedure Call RPC - automatic
Remote Registry Service - automatic
Security Accounts Manager - automatic
Server - automatic
System Event Notification - automatic
TCP/IP Netbios Helper Service - automatic
Terminal Services - automatic
Volume Shadow Copy - manual
Windows Installer - automatic
Windows Management Instrumentation - automatic
Windows Management Instrumentation Driver Ext - automatic
Windows Time - automatic
WMI Performance Adapter - manual
Workstation - automatic

**********************************************
Added critical services for Domain Controllers
**********************************************

Distributed File System - automatic
DNS Server - automatic
File Replication - automatic
Intersite Messaging - automatic
Kerberos Key Distribution Center - automatic
Remote Procedure Call RPC Locator - automatic




"Anand" <Anand@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D385104B-DA38-424E-BDFA-9412D3C7FDE2@xxxxxxxxxxxxxxxx
> Hello,
>
> We have an empty root domain and a child domain.
> We have 3 DCs (in the root domain) and we tweaked the GPOs a little (we
> made
> changes to the system services portion of our Default Domain Controller
> Policy).
>
> We changed the startup type and also the security permissions on few of
> the
> services. We made these changes based on the settings that we saw in the
> Default domain controller policy of the child domain.
>
> The first thing that happened after we made the GPO changes, was that our
> Live Communication Server broke. The service wouldn't start. The LCS
> server
> is installed in our child domain and no GPO changes were made here in the
> child domain. Dont know why the root domian chnages broke the LCS server.
>
> then we made few changes to security permissions on few services inorder
> to
> bring the LCS server back up. After this one of our DCs went down and
> wouldn't come up.
> The after an hour the second DC went down.
>
> Any suggestions to fix this will be greatly appreciated!
>
> thanks
>


.

---

• Follow-Ups:
  • Re: Group Policy broke my DCs
    • From: Anand Nair

• Prev by Date: Re: Restricted Groups - Local Users Group
• Next by Date: Re: Hang @ Applying Computer Settings/Applying Your Personal Setti
• Previous by thread: Re: Access to Server 2003 Event Viewer
• Next by thread: Re: Group Policy broke my DCs
• Index(es):
  • Date
  • Thread

---

Relevant Pages SecurityFocus Microsoft Newsletter #164 ... Got Storage Security Risks? ... MICROSOFT VULNERABILITY SUMMARY ... Chat Client FTP Server Default Username Credential Weak... ... NetServe Web Server is a compact web server for Microsoft Windows ... (Focus-Microsoft) Re: im being held in memory ... How can I harden my computer or server to secure it from hackers? ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ... Install all service packs and security fixes from Microsoft and otherwise ... (microsoft.public.security) MS and security: good effort but no cigar ... build upon the progress it's already made in security. ... The low-hanging fruit of millions of insecure Windows machines ... Then there's the issue of poorly secured server applications. ... and execute external virus and filtering ... (microsoft.public.windowsxp.general) SecurityFocus Microsoft Newsletter #167 ... MICROSOFT VULNERABILITY SUMMARY ... Multiple Vendor XML Parser SOAP Server Denial Of Service Vul... ... Proactive Windows Security Explorer ... (Focus-Microsoft) Re: Group Policy broke my DCs ... > need to be very careful with tweaking services on domain controllers. ... > Group Policy - security policy at the OU level which makes it much easier ... > is complied from the Windows 2003 Server Security guide for baseline core ... (microsoft.public.windows.group_policy)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.group_policy  > 2005-10