Microsoft KB Archive/911801

= Computers lose functionality after you upgrade the domain controllers to Windows Server 2003 with Service Pack 1 =

Article ID: 911801

Article Last Modified on 10/11/2007

-

APPLIES TO

 Microsoft Windows Server 2003 Service Pack 1, when used with:  Microsoft Windows Server 2003, Standard Edition (32-bit x86)

 Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

 Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

 Microsoft Windows Server 2003, Web Edition</li></ul>

 Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems</li></ul>

 Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems</li></ul> </li> Microsoft Windows Server 2003, Standard x64 Edition</li> Microsoft Windows Server 2003, Enterprise x64 Edition</li> Microsoft Windows Server 2003, Datacenter x64 Edition</li></ul>

-

<div class="notice_section">

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista

<div class="symptoms_section">

SYMPTOMS
After you upgrade a domain's domain controllers to Windows Server 2003 with Service Pack 1, computers that are running Microsoft Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1 may encounter one or more of the following symptoms. The following symptoms may appear after the computers restart or after the computers rejoin the domain:
 * Network adapter icons do not appear in Network Connections.
 * The following services indefinitely maintain the Starting status:
 * COM+
 * Shell Hardware Detection
 * Volume Shadow Copy
 * The RPC service does not start.
 * You cannot search.
 * You cannot use Windows Update.
 * You cannot install or remove programs.
 * You have trouble opening Microsoft Office documents.
 * You cannot access the Computers item in Component Services. A red arrow appears next to the item.
 * When you click the Dependencies tab in the properties dialog box of a service that does not start, you receive a &quot;Win32: Access is denied&quot; error message.
 * When you try to start Disk Management, you receive an &quot;Access denied&quot; error message.
 * On a computer that is running Windows XP with Service Pack 2, Windows Firewall reports that the network setting is corrupted.

<div class="cause_section">

CAUSE
These problems occur when a Group Policy setting that defines the Impersonate a client after authentication user right is linked to the domain.

Note This user right should be linked only to a site or to an organizational unit (OU).

<div class="resolution_section">

RESOLUTION
To resolve this problem, use one of the following methods.

Method 1: Modify Group Policy settings
On any domain controller in the domain, follow these steps to modify the Group Policy settings: <ol> Click Start, click Run, type gpedit.msc, and then click OK.

Note If you receive the following error message, use Method 2 instead of this method:

There are no more endpoints available from the endpoint mapper.

</li> In the console tree, expand Windows Settings under Computer Configuration.</li> Expand Security Settings, expand Local Policies, expand User Rights Assignment, and then examine the groups that are defined in the Impersonate a client after authentication setting.

Note On a domain controller that is running Windows Server 2003 with Service Pack 1, you expect the following groups to be defined in this setting:  ADMINISTRATORS</li> SERVICE</li> IIS_WPG</li></ul> </li> Run the Directory Services version of Microsoft Product Support Reporting Tool, and then examine the _GPRESULT.txt file.</li> Search the _GPRESULT.txt file for the word &quot;Impersonate.&quot; Then, examine the Group Policy objects (GPOs) that are indicated by the search results.</li> <li>Remove the Impersonate a client after authentication setting from the Default Domain Policy GPO or from the Default Domain Controllers Security Policy GPO if the setting is present. Also, remove the Impersonate a client after authentication setting from any GPO that is linked at the domain level. Make sure that the policy settings that have this setting are only linked at the site level or at the OU level.</li> <li>Restart the computer.</li></ol>

Method 2: Modify the registry
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

On any domain controller in the domain, follow these steps to modify the registry: <ol> <li>Click Start, click Run, type services.msc, and then click OK.</li> <li>Right-click Remote Procedure Call (RPC), and then click Properties.</li> <li>Click the Log On tab, and then click Local System account in the Log on as area.</li> <li>Restart the computer.</li> <li>Click Start, click Run, type gpedit.msc, and then click OK.</li> <li>In the console tree, expand Windows Settings under Computer Configuration.</li> <li>Expand Security Settings, expand Local Policies, expand User Rights Assignment, and then examine the groups that are defined in the Impersonate a client after authentication setting.

Note On a domain controller that is running Windows Server 2003 with Service Pack 1, you expect the following groups to be defined in this setting: <ul> <li>ADMINISTRATORS</li> <li>SERVICE</li> <li>IIS_WPG</li></ul> </li> <li>Run the Directory Services version of Microsoft Product Support Reporting Tool, and then examine the _GPRESULT.txt file.</li> <li>Search the _GPRESULT.txt file for the word &quot;Impersonate.&quot; Then, examine the Group Policy objects (GPOs) that are indicated by the search results.</li> <li>Remove the Impersonate a client after authentication setting from the Default Domain Policy GPO or from the Default Domain Controllers Security Policy GPO if the setting is present. Also, remove the Impersonate a client after authentication setting from any GPO that is linked at the domain level. Make sure that the policy settings that have this setting are only linked at the site level or at the OU level.</li> <li>Restart the computer.</li> <li>Click Start, click Run, type cmd, and then click OK.</li> <li>At the command prompt, type gpupdate \force, and then press ENTER.</li> <li>Close the Command Prompt window.</li> <li>Click Start, click Run, type regedit, and then click OK.</li> <li>In Registry Editor, locate the following registry key:

Note As a precaution, export a copy of this registry key before you continue.</li> <li>Right-click ObjectName, and then click Modify.</li> <li>Type NT Authority\NetworkService in the Value data box, and then click OK.</li> <li>Restart the computer.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbmgmtservices kbwinservperf kbpermissions kbbug kbtshoot kbprb KB911801

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.