Service startup fails with "Access Denied" after Win2K3 domain joi

[Guest]

I have a clean install of RC1 Ultimate on a test workstation. Everything was
working fine until I joined it to our Win2K3 domain. Now, several services
fail to start with "Access Denied" errors -- removing Network Access, Windows
Audio, Etc. I experienced a similar problem with Pre-RC1 (Build 5536) which
is why I tried a clean install instead of an upgrade to RC1.

Any thoughts/guidance would be greatly appreciated!

 

[Prashanth Prahalad [MSFT]]

Can you be more specific about what services are not getting started ? Is it
lanmanserver, browser, netlogon etc ? Can you post the output of sc query
<servicename> ?

Also, please check the event-log if there is anything which stands out as
out-of-the-ordinary and post it back.

Thanks ~
Prashanth

 

[Guest]

Thank you for the reply!

:
Can you be more specific about what services are not getting started ? Is it
lanmanserver, browser, netlogon etc?

The following "automatic" services fail at startup:
Base Filtering Engine
DHCP Client
Diagnostic Policy Service
IKE and AuthIP IPsec Keying Modules
IPsec Policy Agent
Network Service List
Network Location Awareness
Thread Ordering Server
Windows Audio
Windows Firewall
Windows Time
Windows Media Center Service Launcher
Windows Media Player Network Sharing Service

Can you post the output of sc query <servicename>?

Is there a particular service (or list of services) you would like the
results posted for? The output of "sc query" only shows the running
services. Please advise.

Also, please check the event-log if there is anything which stands out as
out-of-the-ordinary and post it back.

Following is the list of (unique) errors / warnings in the system log:
DHCP Client terminates with "Access Denied"
Windows Time service terminates with "Access Denied"
Resource Publication Service fails
DCOM netprofm 1068 Error
Group Policy results warning
DNS registration warning
Thread Ordering Server service terminates with "Access Denied"
Windows Audio service fails Thread Ordering Server dependency
Base Filtering Engine service terminates with "Access Denied"
Windows Firewall service fails Base Filtering Engine dependency
IKE and AuthIP IPSec Keying service fails Base Filtering Engine
dependency
Diagnostic Policy Service terminates with "Access Denied"
Network Location Awareness service terminates with error 3221226008
IPsec Policy Agent service fails Base Filtering Engine dependency
Network List Service fails Network Location Awareness dependency
WMPNetworkSvc fails with registry error 0x80070006
BITS Client fails firewall state set with error 2147944153
WinHTTP Web Proxy Auto-Discovery Service fails DHCP Client dependency

The above list is in chronological order. I have filtered and saved the
full system log from a fresh boot and would be happy to provide that to you
if it would help.

 

[Guest]

Hello, McFly?

 

[Guest]

I am having the exact same error when joining a domain. It is the same with a
fresh install or and upgrade on two different machines.

Lee

 

[Guest]

I have having the exact same issue, it happens with a fresh install or a
upgrade on two differnt machines.

 

[Robert L [MVP - Networking]]

Thank you for sharing your experience with us.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

Hello all!
I had the same problem an hour ago But i`ve found how to fix it for
me.
When BFE service starts it also start a group of dependent services
(you can see them on Dependencies tab in service props) with "IPSec
policies agent" service as one of them.
In my case the problem was that "IPSec policies agent" service was set
to auto startup via domain GPO. There also were set default permissions
in GPO for this service - SYSTEM - full control, Administrators - Full
control, INTERACTIVE - read. I`ve had to turn on object auditing to
find out what user account is trying to start BFE. In Security logs
i`ve found records saying that sc (service control) is trying to start
service under LOCAL SERVICE account!!! As I later understood - BFE
could not start itself because it could not start a dependent service
IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS
tab in BFE service we will find out that it is starting under LOCAL
SERVICE account! And in my GPO ipsec service has permissions on it to
be started only by SYSTEM and Administratos.
As you understand, the decision was to modify GPO and to give full
control permission to LOCAL SERVICE account on IPSec Policies agent
service.
Now it works!
Hope This HELPS! And good luck!


From BELARUS