Re: MS03-048 causing problems for our 2003 DCs

From: John G. Chang (jchang_at_MEDATA.COM)
Date: 11/21/03

  • Next message: John G. Chang: "Re: MS03-048 causing problems for our 2003 DCs"
    Date:         Fri, 21 Nov 2003 13:43:30 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I ended up opening a ticket with Microsoft about this issue.
    They could neither confirm nor deny that the patch in question
    caused this issue. I was informed that a bug was the cause
    of this problem and no fix existed at this time for it. Again, it
    is not known whether MS03-048 was the catalyst for the
    bug to appear.

    It made a change that Dean Halter was kind enough to reply
    back to me about.

    >>
    Just a thought, but is your security policy set to shut down systems
    when the security log becomes full? If so, check your servers to make
    sure the
    hkey_local_machine\system\currentcontrolset\control\lsa\crashonauditfail
    is set to 1. A value of 0, I believe, means the policy is disabled. If 2,
    you will have to reset the entry to 1 and restart the box. dsh
    >>

    The setting above was changed to "2". However, it was more
    involved than that as we spent two days on the issue.
    That particular setting was the main culprit.

    Here's what Microsoft said:

    >>
    PROBLEM:
    ___________________
    Access is denied: AD replication

    RESOLUTION:
    ___________________

    Set crashonauditfail equal to 0
    and
    Ran dcgpofix /target:both
    and
    Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg "%SYSTEMROOT%\security\templates\securedc.inf"

    We also needed to modify the default domain controller policy so that it
    would not require signing between the client and the server.
    >>

    The only thing I know is that I am uneasy about
    loading future patches on our 2003 DCs. At least
    I can always contact Microsoft again about this
    particular issue if it happens again.

    John

    At 08:37 AM 11/18/2003 -0500, you wrote:
    >Hello,
    >
    > This is my first time posting. Ever since we patched our Windows 2003
    >Server Domain Controllers with MS03-048 we've been having problems. The
    >authentication on the PDC was somehow altered by the cumulative patch such
    >that it will no longer replicate with the BDC because it no longer trusts
    >it. This is causing major problems for us on our network as both out-of-sync
    >DCs are putting out different information, preventing us from adding new
    >users, adding new computers and sharing printers, to name a few. Has anyone
    >else experienced this problem? The event logs on the PDC are failure after
    >failure after failure.
    >
    > What's weird is even after I uninstalled the patch the problem will not go
    >away and the DCs still will not sync. However, I did not remove the patch
    >from the BDC. I guess I can try that out and see if that will resolve it. I
    >didn't try it before because it was actually accepting logon requests and
    >other service requests from everyone successfully. Then when I take the PDC
    >offline, the BDC takes over for real and starts failing as well.
    >
    > Any help or ideas would be appreciated.
    >
    >Thanks,
    >John
    >

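Added here as an example, not part of the thread or of anything Microsoft supplied: a PowerShell check that reads the CrashOnAuditFail value the replies above discuss on one or more domain controllers, reports what each value means (2 being the tripped state the poster found), shows how full the Security log is, and optionally resets a tripped value to 1 as Dean's note suggests. It assumes PowerShell remoting (WinRM) to the listed hosts, so it targets current Windows Server versions rather than the 2003 DCs in the thread; the host names are placeholders.

```powershell
# Example added to this archive page; not from the thread. Assumes PowerShell remoting
# (WinRM) to each host; the Security log size check uses Get-WinEvent (Vista/2008+).
param(
    [string[]]$ComputerName = @('DC1.example.invalid', 'DC2.example.invalid'),  # placeholders
    [switch]$ResetTripped   # if set, change a value of 2 back to 1; a reboot is still required
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'CrashOnAuditFail'

$check = {
    param($path, $name, $reset)
    # Read the DWORD; a missing value is reported separately from an explicit 0.
    $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val) {
        $meaning = 'not set (behaves as 0: no halt when the Security log fills)'
    } else {
        $meaning = switch ($val) {
            0       { 'disabled' }
            1       { 'enabled: the system halts when the Security log fills' }
            2       { 'TRIPPED: an audit failure already halted this system; only Administrators can log on until the value is reset and the box rebooted' }
            default { "unexpected value $val" }
        }
    }
    # How close the Security log is to the condition that trips the setting.
    $secLog  = Get-WinEvent -ListLog Security
    $usedPct = if ($secLog.MaximumSizeInBytes) {
        [math]::Round(100 * $secLog.FileSize / $secLog.MaximumSizeInBytes, 1)
    } else { $null }
    $fixed = $false
    if ($reset -and $val -eq 2) {
        Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        $fixed = $true
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        CrashOnAuditFail   = $val
        Meaning            = $meaning
        SecurityLogUsedPct = $usedPct
        ResetApplied       = $fixed
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
    -ArgumentList $regPath, $valueName, [bool]$ResetTripped |
    Select-Object Computer, CrashOnAuditFail, Meaning, SecurityLogUsedPct, ResetApplied |
    Format-Table -AutoSize -Wrap
```

Use -ResetTripped only after the Security log has been cleared or enlarged, or the box will trip again; as Dean's reply says, the restart is still needed after the value is changed.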
    
