Local Service and other well-known security principals do not appear on your Windows Server 2003 domain controller
| Article ID | : | 827016 |
| Last Review | : | October 30, 2006 |
| Revision | : | 2.2 |
SYMPTOMS
After you run the dcpromo.exe command on a Microsoft Windows Server 2003 computer to promote the server to a domain controller, the Local Service and other well-known security principals that are introduced with Windows Server 2003 do not appear. You cannot resolve the well-known security principals when you try to add the well-known accounts by using NTFS file system permissions on a file or a folder. Additionally, you cannot resolve the well-known security principals when you use the ADSI Edit tool, the Group Policy Object Editor snap-in (Gpedit.msc), or Registry Editor. Also, if you use the ADSI Edit tool or the LDP tool (Ldp.exe), the well-known accounts do not appear in the following container:
CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain
Back to the topCAUSE
This behavior occurs when the forest root domain controller that holds the primary domain controller (PDC) emulator operations master role is running Microsoft Windows 2000 Server. If the forest root PDC emulator operations master is running Windows 2000, the CN=WellKnown Security Principals,CN=Configuration,DC=YourDomain container is not updated with the well-known security principals that are introduced in Windows Server 2003. Therefore, the Object Picker cannot find and resolve the corresponding names. The Object Picker queries the WellKnown Security Principals container to find the list of well-known security principals.
RESOLUTION
To resolve this behavior, upgrade the forest root PDC emulator operations master role holder to Windows Server 2003.
WORKAROUND
To work around this behavior, you can script the maintenance of the Windows Server 2003 well-known security principals by using the Subinacl.exe tool. For example, to grant Read permissions to a registry key for the Local Service account, type the following command:
subinacl /keyreg RegKey /grant="local service"=r
Note The Subinacl.exe tool is included in the Windows 2000 Resource Kit.MORE INFORMATION
You may experience the behavior that is described in the "Symptoms" section with one or more of the following well-known security principals that are introduced in Windows Server 2003:
| • | Digest Authentication |
| • | Local Service |
| • | Network Service |
| • | NTLM Authentication |
| • | Other Organization |
| • | Remote Interactive Logon |
| • | SChannel Authentication |
| • | This Organization |
REFERENCES
For additional information about how to determine what domain controller holds the PDC emulator FSMO role, click the following article number to view the article in the Microsoft Knowledge Base:234790 (http://support.microsoft.com/kb/234790/) How to find servers that hold Flexible Single Master Operations roles
For additional information about FSMO roles, click the following article number to view the article in the Microsoft Knowledge Base: 197132 (http://support.microsoft.com/kb/197132/) Windows 2000 Active Directory FSMO roles
For additional information about how to upgrade a Windows 2000 domain controller, click the following article number to view the article in the Microsoft Knowledge Base: 325379 (http://support.microsoft.com/kb/325379/) How to upgrade Windows 2000 domain controllers to Windows Server 2003
No comments:
Post a Comment