Re: MS03 -048 causing problems for our 2003 DCs
From: John G. Chang (jchang_at_MEDATA.COM)
Date: Fri, 21 Nov 2003 15:20:51 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I was asked to resubmit this post with the
CASE_ID_NUM: SRX031118602169 so others
could reference it if they have similar problems.
I ended up opening a ticket with Microsoft about this issue.
They could neither confirm or deny that the patch in question
caused this issue. I was informed that a bug was the cause
of this problem and no fix existed at this time for it. Again, it
is not known whether MS03 - 048 was the catalyst for the
bug to appear.
It made a change that Dean Halter was kind enough to reply
back to me about.
Just a thought, but is your security policy set to shutdown systems
when the security log becomes full? If so, check your servers to make
is set to 1. A value of 0, I believe, means the policy is disabled. If 2,
will have to reset the entry to 1 and restart the box. dsh
The setting above was changed to "2". However, it was more
involved than that as we spent two days on the issue.
That particular setting was the main culprit.
Here's what Microsoft said:
Access is denied ad replication
Set crashonauditfail equal to 0
Ran dcgpofix /target:both
Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg
We also needed to modify the default domain controller policy so that it
would not require signing between the client and the server.
The only thing I know is that I am uneasy about
loading future patches on our 2003 DCs. At least
I can always contact Microsoft again about this
particular issue if it happens again.
---- NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. Prove to your employer and peers that you have the knowledge and abilities to be an active stakeholder in today's enterprise security. Become TICSA certified www.trusecure.com/ticsa. Promotion expires 12/31/03 and cannot be used in combination with other offers. ----