Windows 2003 Security in 2000 Active Directory


Scott LePere - ORI.NET

I have a Win2000 Active Directory; all DCs are at SP4, and I am trying to add
a Win2003 member server into our AD. I have a Domain Security Policy
set up and it has been working fine for a long time. The Policy gets applied
to our 2003 server when we joined the domain, which is good. The problem is
that our Win2003 box is running IIS6 and we can't get the Application Pools
to work with our policy; we get a Service Unavailable error message in the
browser, and also System Event IDs 1002 and 1009 and App Event ID 2269. We can
change the IIS setting to version 5 mode and everything works. I can remove
2003 from the domain and restore the default policy, and IIS6 mode works.

I have found that some of the built-in accounts in Win 2003 are not the same
as 2000's, such as NETWORK vs. NETWORK SERVICE and SYSTEM vs. LOCAL SYSTEM, and
these differences are the cause of my problems. I think I need to add the
local users/groups to the local machine policy, but when I try to add
additional user rights in the Win2003 Local Policy area the add/remove
buttons are grayed out. I think Windows 2000 will allow additional local
policies while using a domain policy; why not Win2003? Any ideas how to
get my IIS6 working with Application Pools?

Scott LePere
(e-mail address removed)
On-Ramp Indiana, Inc.
www.ori.net
 
Roger Abell

Scott LePere - ORI.NET said:
I think Windows 2000 will allow additional local policies while
using a domain policy why not win2003? Any ideas how to
get my IIS6 working with Application pools??

That is an incorrect assumption if you mean local can override domain
policy when there is a conflict.
It sounds to me as if, from the GPO, you are either controlling user rights,
such as log on, run as service, etc., and/or you are using Restricted
Groups, and the settings that work fine for W2k and IIS 5 are not
taking into account the new Local Service and Network Service
principals. You will need to modify the policies in order to have
IIS 6 run natively with success, or weaken IIS 6 security by having
it run as Local System (not advised).
 
Roger Abell said:
That is an incorrect assumption if you mean local can override domain
policy when there is a conflict.
It sounds to me as if, from the GPO, you are either controlling user rights,
such as log on, run as service, etc., and/or you are using Restricted
Groups, and the settings that work fine for W2k and IIS 5 are not
taking into account the new Local Service and Network Service
principals. You will need to modify the policies in order to have
IIS 6 run natively with success, or weaken IIS 6 security by having
it run as Local System (not advised).

You are correct, we are controlling User Rights Assignments with our GPO, and
the GPO does not contain the new security principals for Win2003 since it was
created on a Windows 2000 Domain. When I try to add them, they are not
listed in my AD. My question is: how do I add the new Local Service and
Network Service principals to my Win2K AD Domain?

P.S. I am able to get IIS6 working with a non-privileged domain user, but I
would like to use the Network Service also, which is the default setting in
IIS6.

Thanks in Advance,

Scott LePere
(e-mail address removed)
On-Ramp Indiana, Inc.
www.ori.net
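An added example, not code from the thread or from either poster, to illustrate the check behind Roger's diagnosis and Scott's follow-up question. Two facts it relies on: a User Rights Assignment defined in a domain GPO replaces the local list for that right rather than merging with it (which is why the local add/remove buttons are grayed out), and Local Service and Network Service are well-known SIDs (S-1-5-19 and S-1-5-20) that exist on every Windows 2003 host, so a security template can grant them by SID even when a Windows 2000 DC cannot resolve the names. The script parses the `[Privilege Rights]` section of a secedit-style template (the same format `secedit /export /cfg` writes), reports which rights the template defines without granting them to S-1-5-20, and produces an amended template. The sample template is constructed, and the list of rights Network Service needs reflects the Windows 2003 defaults as I know them; treat that table as an assumption and verify it against the server's own default template before applying anything.

```python
# Well-known SIDs of the two principals Windows 2003 introduced. They exist on
# every 2003 host regardless of domain mode, so a template can name them by SID
# even when a Windows 2000 DC cannot resolve the names.
WELL_KNOWN = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# Rights NETWORK SERVICE holds by default on Windows Server 2003 (assumption in
# this example; confirm against the host's own default security template).
REQUIRED_FOR_NETWORK_SERVICE = [
    "SeServiceLogonRight",            # Log on as a service
    "SeIncreaseQuotaPrivilege",       # Adjust memory quotas for a process
    "SeAssignPrimaryTokenPrivilege",  # Replace a process level token
    "SeAuditPrivilege",               # Generate security audits
]

# Constructed sample resembling a template exported from a Windows 2000 domain
# policy: the rights are defined, but only with 2000-era principals, so on a
# 2003 member they overwrite the local defaults and strip NETWORK SERVICE.
WIN2000_POLICY = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
"""


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section.
    SIDs appear as *S-1-5-20 in this format; account names appear bare."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def missing_rights(rights, sid="S-1-5-20", required=REQUIRED_FOR_NETWORK_SERVICE):
    """Rights the template defines (and therefore overwrites on the member)
    without granting them to the given SID. A right absent from the template
    is left alone by policy, so it is not flagged."""
    return [r for r in required if r in rights and sid not in rights[r]]


def grant_sid(inf_text, sid, rights=REQUIRED_FOR_NETWORK_SERVICE):
    """Return the template text with *<sid> appended to each listed right that
    the template defines but does not already grant to that SID. Existing
    entries are kept exactly as written (names stay bare, SIDs keep their *)."""
    out = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            if name in rights:
                tokens = [p.strip() for p in value.split(",") if p.strip()]
                if sid not in [t.lstrip("*") for t in tokens]:
                    tokens.append("*" + sid)
                    raw = "%s = %s" % (name, ",".join(tokens))
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_privilege_rights(WIN2000_POLICY)
    for right in missing_rights(before):
        print("%s is defined by policy but omits %s" % (right, WELL_KNOWN["S-1-5-20"]))
    fixed = grant_sid(WIN2000_POLICY, "S-1-5-20")
    print("after amendment, still missing: %r" % missing_rights(parse_privilege_rights(fixed)))
```

The amended text is what you would paste into the GPO's template (or import with `secedit`); the point of the report is that only rights the domain policy actually defines need the SID added, because those are the ones that replace the 2003 defaults on the member server.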
 