Microsoft KB Archive/842207

= You cannot use the Fax service on a Windows Server 2003-based domain controller or you receive a &quot;Permissions could not be properly configured for Fax Operators&quot; error message when you run the Windows Small Business Server 2003 Setup program =

Article ID: 842207

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-





SYMPTOMS
You cannot use the Fax service on a Microsoft Windows Server 2003-based domain controller. Additionally, when you run the Microsoft Windows Small Business Server 2003 Setup program on a Microsoft Small Business Server 2000-based computer or on a Windows Server 2003-based domain controller, you receive an error message. The error message says that the permissions for the Fax Operators group are incorrectly configured.

When you try to use the Fax service on a Windows Server 2003-based domain controller, you may experience one or more of the following symptoms:  When you right-click a Fax device in the Printer and Faxes tool in Control Panel and then click Properties, you receive the following error message:

You do not have security permissions to complete this operation. Contact the fax administrator for more information.

 You cannot configure the Fax service in the Computer Management tool. If you expand Services and Applications, right-click Fax, and then click Properties, you receive the following error message:

Access denied

If you expand Services and Applications and then click Fax, you receive the following error message:

Could not open the connection to the fax service.

The fax service might not be started or the computer name might be incorrect.

 You cannot access any fax devices by using the Fax Console. If you click Configure Fax on the Tools menu, you receive the following error message:

Connection to the fax server cannot be made.

If you click Fax Printers Status on the Tools menu, an icon that has a white &quot;X&quot; on a red background is displayed over the local fax printer in the Fax Printers Status dialog box, and the Status is listed as Connection error.

When you run the Windows Small Business Server 2003 Setup program on a Small Business Server 2000-based computer or on a Windows Server 2003-based domain controller, you receive the following error message:

Permissions could not be properly configured for the Fax Operators security group. Run Setup again and choose to reinstall the Administration component.

When you view the Errorlog.txt file, you see entries that are similar to the following:

[, ] Server Configuration: [2] DoFaxPermissions Fax Server object failed to connect. Error was [0x80070005].

[, ] Server Configuration: [2] Unable to set Fax Permissions on the Fax Object for Fax Operators. Error: [0x80070005]

[, ] Fax Services: [2] HrRegisterFaxRtExt - failed to register fax routing extension. hr= [80070005]

Note By default, the Errorlog.txt file is located in the Program Files\Microsoft Integration\Windows Small Business Server 2003\Logs folder.



CAUSE
This issue may occur if the following policy settings are not assigned to the Network Service account and the Local Service account on the domain controller:
 * Adjust memory quotas for a process
 * Generate security audits
 * Log on as a service
 * Replace a process level token
 * Log on as a batch job

The Fax service runs under the Network Service account. To use the Fax service, the Network Service account must be added to the policy settings in the list. This issue may occur if Group Policy settings that were applied at the domain level have modified the policy settings for the Network Service account on the domain controller. This issue may occur after you promote a member server to a domain controller.



RESOLUTION
To resolve this issue, make sure that the Network Service account and the Local Service account is added to the following policy settings on the domain controller:
 * Adjust memory quotas for a process
 * Generate security audits
 * Log on as a service
 * Replace a process level token
 * Log on as a batch job

To configure the policy settings for the Network Service account on the domain controller, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
 * 2) Expand Local Policies, and then click User Rights Assignment.

The policy settings are displayed in the right pane.
 * 1) Double-click the policy setting that you want to add the Network Service account to.
 * 2) If the Network Service account and the Local service account is not in the list of users and groups that are assigned to that policy setting, click Add User or Group.
 * 3) In the Select User or Groups dialog box, type Network Service in the Enter the object names to select box, and then click OK.
 * 4) Verify that NETWORK SERVICE is displayed in the list of users and groups that are assigned to that policy setting, and then click OK.
 * 5) Add Local service the same way.
 * 6) Reboot the server.



MORE INFORMATION
Use the Domain Controller Security Policy tool to view or to modify Group Policy security settings on a domain controller.

For additional information about setting security for system services in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

324802 How to configure Group Policies to set security for system services in Windows Server 2003

For more information about Group Policy in Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

Keywords: kbwinservnetwork kbfileprintservices kbtshoot kbprb KB842207

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.