Re: MS03 -048 causing problems for our 2003 DCs
From: John G. Chang (jchang_at_MEDATA.COM)
Date: 11/21/03
- Previous message: John G. Chang: "Re: MS03 -048 causing problems for our 2003 DCs"
- In reply to: John G. Chang: "Re: MS03 -048 causing problems for our 2003 DCs"
- Next in thread: John G. Chang: "Re: MS03 -048 causing problems for our 2003 DCs"
Date: Fri, 21 Nov 2003 15:20:51 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hello,
I was asked to resubmit this post with the
CASE_ID_NUM: SRX031118602169 so others
could reference it if they have similar problems.
I ended up opening a ticket with Microsoft about this issue.
They could neither confirm nor deny that the patch in question
caused this issue. I was informed that a bug was the cause
of this problem and no fix existed at this time for it. Again, it
is not known whether MS03-048 was the catalyst for the
bug to appear.
It made a change that Dean Halter was kind enough to reply
back to me about.
>>
Just a thought, but is your security policy set to shut down systems
when the security log becomes full? If so, check your servers to make sure the
hkey_local_machine\system\currentcontrolset\control\lsa\crashonauditfail
is set to 1. A value of 0, I believe, means the policy is disabled. If 2, you
will have to reset the entry to 1 and restart the box. dsh
>>
The setting above was changed to "2". However, it was more
involved than that as we spent two days on the issue.
That particular setting was the main culprit.
Here's what Microsoft said:
>>
PROBLEM:
___________________
Access is denied ad replication
RESOLUTION:
___________________
Set crashonauditfail equal to 0
and
Ran dcgpofix /target:both
and
Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg "%SYSTEMROOT%\security\templates\securedc.inf"
We also needed to modify the default domain controller policy so that it
would not require signing between the client and the server.
>>
The only thing I know is that I am uneasy about
loading future patches on our 2003 DCs. At least
I can always contact Microsoft again about this
particular issue if it happens again.
John
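An added example, not part of the original post or of Microsoft's reply: a PowerShell check that reads crashonauditfail and the Security log retention setting from each domain controller, so a tripped (2) or armed (1) state is visible before replication starts failing. The host names are constructed placeholders, and the script assumes the Remote Registry service is reachable with administrative rights.

```powershell
# Added example. Host names below are constructed placeholders, not from the post.
$DomainControllers = 'DC01.example.test', 'DC02.example.test'

# Documented meanings of the crashonauditfail DWORD.
$State = @{
    0 = 'disabled'
    1 = 'enabled (system halts if an audit event cannot be written)'
    2 = 'tripped (system halted on audit failure; value must be reset)'
}

function Get-CrashOnAuditFail {
    param([Parameter(Mandatory)][string]$ComputerName)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $log = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog\Security')
        $coaf      = if ($lsa) { $lsa.GetValue('crashonauditfail', $null) }
        $retention = if ($log) { $log.GetValue('Retention', $null) }

        $text = if ($null -eq $coaf) { 'not set' }
                elseif ($State.ContainsKey($coaf)) { $State[$coaf] }
                else { 'unexpected value' }

        [pscustomobject]@{
            ComputerName     = $ComputerName
            CrashOnAuditFail = $coaf
            State            = $text
            # Retention 0 means "overwrite as needed", so the log never fills.
            LogCanFill       = ($null -ne $retention -and $retention -ne 0)
            NeedsReset       = ($coaf -eq 2)
        }
    }
    finally {
        $hklm.Close()
    }
}

foreach ($dc in $DomainControllers) {
    try {
        Get-CrashOnAuditFail -ComputerName $dc
    }
    catch {
        Write-Warning "Could not read registry on ${dc}: $($_.Exception.Message)"
    }
}
```

A host reporting State "enabled" together with LogCanFill = True is one that will halt when its Security log fills; NeedsReset = True marks a host already in the state described in this thread.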