Re: adding 2003 domain controller to 2000 domain




see if the following helps:

taken from: http://support.microsoft.com/kb/889101

----
Certificate Services: Effects of security enhancements to the DCOM protocol
Windows Server 2003 SP1 introduces enhanced default security settings for
the DCOM protocol. Specifically, SP1 introduces more precise rights that
give an administrator independent control over local and remote permissions
for launching, activating, and accessing COM servers. For more information
about the DCOM security enhancements that are introduced by Windows Server
2003 SP1, see Changes to Functionality in Microsoft Windows Server 2003
Service Pack 1. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en
Windows Server 2003 Certificate Services provides enrollment and
administration services by using the DCOM protocol. Certificate Services
provides several DCOM interfaces to make these services available. For
correct access and usage of these services, Certificate Services assumes
that its DCOM interfaces are set to permit remote activation and access
permissions. However, because of the enhanced default security settings for
DCOM that are introduced by SP1, you may have to update these security
settings to make sure of the continued availability of these services after
you install SP1. The following information explains how to do this.

By default, all DCOM interfaces in Windows Server 2003 SP1 are configured to
grant remote access permissions, remote launch permissions, and remote
activation permissions only to administrators. However, when you upgrade to
Windows Server 2003 SP1, security configuration changes are made to the
global DCOM interface and to the CertSrv Request DCOM interface. These
changes are made to enable Certificate Services to work correctly.

Note that any changes that have been made to the CertSrv Request DCOM
interface security settings before the installation of SP1 will be lost. The
SP1 installation procedure resets all previous security settings in the
CertSrv Request DCOM interface to their default settings.

During the SP1 installation process, Certificate Services automatically
updates the DCOM security settings as follows:

• CertSrv Request DCOM interface:
  • The Everyone security group is granted local and remote access
    permissions.
  • The Everyone security group is granted local and remote activation
    permissions.
  • The Everyone security group is not granted local or remote launch
    permissions.

• DCOM Computer Restriction Settings:
  • A new security group, CERTSVC_DCOM_ACCESS, is automatically created.

    If the certification authority is installed on a member server,
    CERTSVC_DCOM_ACCESS is a computer local group, and the Everyone security
    group is added to it.

    If the certification authority is installed on a domain controller,
    CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users security
    group and the Domain Computers security group from the certification
    authority's domain are added to it.
  • The CERTSVC_DCOM_ACCESS security group is granted local and remote access
    permissions.
  • The CERTSVC_DCOM_ACCESS security group is granted local and remote
    activation permissions.
  • The CERTSVC_DCOM_ACCESS security group is not granted local or remote
    launch permissions.
Note that if the certification authority is installed on a domain
controller, and the enterprise is made up of more than one domain,
Certificate Services cannot automatically update the DCOM security settings
for enrollees from outside the certification authority’s domain. Therefore,
these enrollees will be denied enroll access to the certification authority.

To resolve this issue, you must manually add the users to the
CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security
group is a domain local group, you can add only domain groups to it. For
example, if users and computers from another domain, a domain named Contoso,
have to enroll with the certification authority, you must manually add the
Contoso\Domain Users group and the Contoso\Domain Computers group to the
CERTSVC_DCOM_ACCESS security group.

If any enrollees that should be authorized by the certification authority
are denied authorization after the installation of SP1, you can have
Certificate Services update the DCOM security settings again. To do this,
run the following commands at the command prompt in the following order.
Press ENTER after each command.

1. certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
2. net stop certsvc
3. net start certsvc

The DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry
flag that indicates that the DCOM security settings were updated completely
and successfully. Certificate Services checks this flag every time that it
is started. The commands in the previous list reset the flag and then stop
and start Certificate Services, causing it to update the DCOM security
settings again.

----

also see:
http://www.eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1



--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"ace95hockey" <ace95hockey@xxxxxxxxxxxxxx> wrote in message news:74D9B4C6-8EEE-48D1-8102-4DEB684674FC@xxxxxxxxxxxxxxxx
Over the holidays I went through the process of adding a Windows 2003 SP2
server as a Domain Controller. I am hoping to add a second, move the FSMO
roles and then demote the Windows 2000 servers.

To do this I first ran adprep /forestprep and /domainprep on the Windows
2000 server (SP4 and all updates) that holds the Schema Master. It ran
without any errors.

I then ran through the dcpromo wizard on the Windows 2003 server and again
everything went ok. I then added DNS and set the server to be a DNS server
on both Windows 2000 servers.

From what I can tell, though, the Windows 2003 server will not finish its
promotion. I am getting a couple of errors that I cannot determine a
solution for.

On the Windows 2003 Server I am getting the following error in the
Application log
Event ID 13 Source AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x800706ba). The RPC server is unavailable.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

On the Windows 2000 domain controllers I am getting the following error in
the File Replication Service log
Event Id 1265 Source NTDS KCC
The attempt to establish a replication link with parameters

Partition: CN=Schema,CN=Configuration,DC=csu,DC=mcmaster,DC=ca
Source DSA DN: CN=NTDS Settings,CN=FHSDC2,CN=Servers,CN=fhsadmin,CN=Sites,CN=Configuration,DC=csu,DC=mcmaster,DC=ca
Source DSA Address: 266db451-6596-44bf-ae6f-643f653fc9b0._msdcs.csu.mcmaster.ca
Inter-site Transport (if any):

failed with the following status:

The DSA operation is unable to proceed because of a DNS lookup failure.

The record data is the status code. This operation will be retried.

Any ideas what went wrong and how to fix it would be great. I want to get
rid of the two Windows 2000 domain controllers soon.




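The two manual fixes quoted from KB 889101 above (adding another domain's Domain Users and Domain Computers to CERTSVC_DCOM_ACCESS, then clearing SETUP_DCOM_SECURITY_UPDATED_FLAG and restarting certsvc so the CA rewrites its DCOM permissions) combined into one script. This is an added example, not part of the KB article or of either post. It assumes an elevated PowerShell session on the certification authority itself, that net.exe and certutil.exe are on the PATH, and uses CONTOSO as a placeholder NetBIOS name for the domain whose enrollees are being denied access.

```powershell
# Added example, not from KB 889101 or the posts above. Assumptions: this runs
# elevated on the certification authority, net.exe and certutil.exe are on the
# PATH, and CONTOSO is a placeholder for the NetBIOS name of the domain whose
# users and computers must enroll with this CA.

$GroupName     = 'CERTSVC_DCOM_ACCESS'
$ForeignDomain = 'CONTOSO'   # assumed placeholder; replace with the real NetBIOS name
$Required      = @("$ForeignDomain\Domain Users", "$ForeignDomain\Domain Computers")

function Get-CertSvcDcomMembers {
    # net localgroup covers both CA placements the KB describes: it manages a
    # computer local group on a member server and a domain local group on a
    # domain controller.
    $out = net localgroup $GroupName 2>&1 | ForEach-Object { "$_".Trim() }
    if ($LASTEXITCODE -ne 0) { throw "Cannot read $GroupName`: $($out -join ' ')" }

    # Members are listed between the dashed separator line and the trailing
    # "The command completed successfully." line.
    $members = @()
    $inList  = $false
    foreach ($line in $out) {
        if ($line -match '^-{5,}$')                { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line)                    { $members += $line }
    }
    return $members
}

function Add-MissingDcomMembers {
    # Because CERTSVC_DCOM_ACCESS is a local group, only groups (not the other
    # domain's individual users) are added, as the KB requires.
    $present = Get-CertSvcDcomMembers
    foreach ($m in $Required) {
        if ($present -contains $m) {
            Write-Host "OK   $m is already a member of $GroupName"
            continue
        }
        Write-Host "ADD  $m -> $GroupName"
        net localgroup $GroupName $m /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to add $m to $GroupName" }
    }
}

function Reset-CertSvcDcomSecurity {
    # A leading '-' on the flag name tells certutil -setreg to clear that bit.
    # With SETUP_DCOM_SECURITY_UPDATED_FLAG clear, certsvc re-applies the DCOM
    # permissions on its next start, which is what the KB's three commands do.
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed; run this elevated on the CA' }

    net stop certsvc  | Out-Null
    net start certsvc | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certsvc did not restart' }

    # After the restart the flag should be set again; print SetupStatus so the
    # result is on record.
    certutil -getreg SetupStatus
}

Add-MissingDcomMembers
Reset-CertSvcDcomSecurity
Write-Host "Current $GroupName members:"
Get-CertSvcDcomMembers | ForEach-Object { Write-Host "  $_" }
```

Run it once per foreign domain, then confirm from a machine in that domain that the CA's DCOM interface answers again, for example with `certutil -config "CAHOST\CAName" -ping` (replace the placeholder config string with the real CA host and name). If the ping still fails with RPC errors, the remaining problem is name resolution or firewalling between the two domains rather than the CERTSVC_DCOM_ACCESS membership.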