Re: MS03 -048 causing problems for our 2003 DCs
From: John G. Chang (jchangMEDATA.COM)
Date: Tue Nov 25 2003 - 14:36:17 CST
Just wanted to let anyone interested know that
the bug appeared again in our DCs this morning. I was
also able to learn more about this unpublished bug.
The fix for it will be in Service Pack 1 for 2003. The bug
itself seems to affect the group policies for the default
domain controller policy and default domain policy, preventing
the DCs from reading their own policies.
Another thing it does is remove the domain controller
policy from %systemroot%\sysvol\domain\ and %systemroot%\
I was given a workaround to get past this bug until they
release a fix.
Turn off the file replication service on all the DCs except the one
you will be "fixing".
Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg
Then you will be allowed back into the Default Domain Controller Policies.
Go in there and disable any digital security setting. You're basically
loosening up every security setting having to do with the DC and the network.
Make sure the other DCs have the same settings in their policies before
re-activating File Replication Service.
That's the workaround I was given and it does work.
At 03:20 PM 11/21/2003 -0500, you wrote:
> I was asked to resubmit this post with the
>CASE_ID_NUM: SRX031118602169 so others
>could reference it if they have similar problems.
>I ended up opening a ticket with Microsoft about this issue.
>They could neither confirm nor deny that the patch in question
>caused this issue. I was informed that a bug was the cause
>of this problem and no fix existed at this time for it. Again, it
>is not known whether MS03 - 048 was the catalyst for the
>bug to appear.
>It made a change that Dean Halter was kind enough to reply
>back to me about.
>Just a thought, but is your security policy set to shut down systems
>when the security log becomes full? If so, check your servers to make
>is set to 1. A value of 0, I believe, means the policy is disabled. If 2,
>will have to reset the entry to 1 and restart the box. dsh
>The setting above was changed to "2". However, it was more
>involved than that as we spent two days on the issue.
>That particular setting was the main culprit.
>Here's what Microsoft said:
>Access is denied ad replication
>Set crashonauditfail equal to 0
>Ran dcgpofix /target:both
>Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg
>We also needed to modify the default domain controller policy so that it
>would not require signing between the client and the server.
>The only thing I know is that I am uneasy about
>loading future patches on our 2003 DCs. At least
>I can always contact Microsoft again about this
>particular issue if it happens again.
>NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
>code "NT1003" when registering to take the TICSA exam at www.2test.com.
>Prove to your employer and peers that you have the knowledge and
>abilities to be an active stakeholder in today's enterprise security.
>Become TICSA certified www.trusecure.com/ticsa. Promotion expires
>12/31/03 and cannot be used in combination with other offers.