Microsoft KB Archive/895149

= The DHCP Client service does not start after you upgrade a Windows 2000 Server-based domain controller to Windows Server 2003 =

Article ID: 895149

Article Last Modified on 1/7/2008

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
After you upgrade a Microsoft Windows 2000 Server-based domain controller to Microsoft Windows Server 2003, you may experience the following symptoms:  The upgraded server does not obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.  The following event appears in the System log in Event Viewer:

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Date:

Time:

User: N/A

Computer:

Description: The DHCP Client service terminated with the following error: Access is denied.  When you click Start, point to Administrative Tools, and then click Services, you notice that the DHCP Client service does not start. If you try to start the DHCP Client service, you receive the following error message:

Could not start the DCHP Client service on Local Computer.

Error 5: Access is denied.





CAUSE
This problem occurs because the Network Service account does not have sufficient permissions to access the following registry subkeys when you upgrade to Windows Server 2003:

This problem may also occur when you modify the Windows 2000 Group Policy security settings, and the following conditions are true:
 * You modify the security settings by applying the domain controller default security template (DC Security.inf) to the Windows 2000 Server-based domain controller.
 * You apply the template before you upgrade the domain controller to Windows Server 2003.



RESOLUTION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem, assign the Network Service account Full Control access to the following registry subkeys:

To do this, use one of the following methods:

Method 1: Use Registry Editor
To use Registry editor to resolve this problem, follow these steps:  On the upgraded Windows Server 2003-based domain controller, click Start, click Run, type regedit in the Open box, and then click OK. Locate and then right-click the following registry subkey:

</li> Click Permissions, click Add, type network service, and then click OK.</li> Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.</li> Locate and then right-click the following registry subkey:

</li> Click Permissions, click Add, type network service, and then click OK.</li> Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.</li></ol>

Method 2: Use Group Policy
To use Group Policy to resolve this problem, follow these steps:
 * 1) On the upgraded Windows Server 2003-based domain controller, open Active Directory Users and Computers.
 * 2) Expand your domain, right-click the Domain Controllers organizational unit, and then click Properties.
 * 3) Click the Group Policy tab, click New, type a descriptive name for this new policy, and then press ENTER.
 * 4) Click Properties, and then click the Security tab.
 * 5) In the Group or user names list, click ENTERPRISE DOMAIN CONTROLLERS.
 * 6) In the Allow column of the Permissions for ENTERPRISE DOMAIN CONTROLLERS box, click to clear the Read check box.
 * 7) Click Add, type the Windows Server 2003-based domain controller in the Enter the object names to select box, and then click OK.
 * 8) In the Group or user names list, click the Windows Server 2003-based domain controller that you added in step 7.
 * 9) In the Allow column of the Permissions box, click to select the following check boxes:
 * 10) * Read
 * 11) * Apply Group Policy
 * 12) Click Apply, and then click OK.
 * 13) Click Edit.
 * 14) Under Computer Configuration, expand Windows Settings, expand Security Settings, right-click Registry, and then click Add Key.
 * 15) In the Registry list, expand MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, click Dhcp, and then click OK.
 * 16) Click Add, type network service, and then click OK.
 * 17) Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.
 * 18) In the Add Object dialog box, keep the original settings, and then click OK.
 * 19) Under Computer Configuration, expand Windows Settings, expand Security Settings, right-click Registry, and then click Add Key.
 * 20) In the Registry list, expand MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, click Tcpip, and then click OK.
 * 21) Click Add, type network service, and then click OK.
 * 22) Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.
 * 23) In the Add Object dialog box, keep the original settings, and then click OK.

Additional query words: insufficient DNS records fail

Keywords: kbtshoot kbprb KB895149

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.