Wednesday, January 28, 2015

DHCP Server on Windows Server 2012 R2

In this post I'll write about the error and warning events I ran into while replacing a DHCP server running Windows Server 2003 with one running Windows Server 2012 R2.
 
For the DHCP database migration I used the netsh dhcp server export and netsh dhcp server import commands. Running netsh dhcp server import on Windows Server 2012 R2 added the account that ran the command to HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl, which produced warning events in the Application event log from the VSS source with event ID 8230:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8230
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Computer Name
Description:
Volume Shadow Copy Service error: Failed resolving account account name with status 1376. Check connection to domain controller and VssAccessControl registry key. 
Deleting this user account from HKLM\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl resolved the issue; the warning events were no longer logged in the Application event log.
 
Another issue during this DHCP replacement "project" is that installing the DHCP role changes the permissions on the registry key HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag. This key has inheritance blocked, and before the DHCP Server role is installed its SDDL looks like this:
 
Sddl : O:SYG:SYD:PAI(A;CIIO;RC;;;OW)(A;;KA;;;SY)(A;CIIO;GA;;;SY)(A;;CCDCLCSWRPSDRC;;;LS)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS)(A;;KA;;;BA)(A;CIIO;GA;;;BA)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BO)(A;;CCDCLCSWRPSDRC;;;BO)

 
The D: part of the SDDL string, D:PAI, confirms that inheritance is blocked (P = protected), and the following two entries show that Network Service has permissions on this key: (A;CIIO;GA;;;NS)(A;;CCDCLCSWRPSDRC;;;NS).
 
After the DHCP role installation, the permission entries for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag include an entry for the DHCP Server service, represented as (A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191). The other permissions are also no longer the same as before: they are now inherited from the parent key HKLM\SYSTEM\CurrentControlSet\Services\VSS, and the SDDL looks like this:

Sddl : O:SYG:SYD:AI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;AU)(A;CIIOID;GR;;;AU)(A;ID;CCDCLCSWRPSDRC;;;SO)(A;CIIOID;SDGWGR;;;SO)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)
 
The D: part of the SDDL (D:AI) confirms that the permissions are inherited, and Network Service no longer has any permission on the key. This results in an error event with ID 8193 from the VSS source in the Application event log:
Log Name:      Application
Source:        VSS
Date:          Date
Event ID:      8193
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer name
Description:
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
This behavior was also observed on Windows Server 2008 R2 and is documented in the following Microsoft article: http://support.microsoft.com/kb/2298620 .
To resolve this, I granted Network Service the same permissions it had before the DHCP Server role was installed, after which error event 8193 from VSS was no longer logged.
Here is the GUI view of the Network Service permissions for HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag:
 

 
For more info about SDDL, see the MSDN documentation: https://msdn.microsoft.com/en-us/library/aa379567(v=vs.85).aspx .
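As an added example (not part of the original post), the following PowerShell audits the VSS\Diag key for the two Network Service entries shown in the pre-installation SDDL above and can restore them the way the post describes. It assumes an elevated session on the affected server; the NETWORK SERVICE SID S-1-5-20 is the well-known value, and the CCDCLCSWRPSDRC-to-RegistryRights mapping is my own translation of the SDDL rights string.

```powershell
# Added example, not from the original post: audit the VSS\Diag key for the two
# NETWORK SERVICE ACEs from the pre-installation SDDL, and restore them.
# Assumes an elevated PowerShell session on the affected server.
$VssDiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Diag'

function Get-DaclAces {
    # Splits the D: part of an SDDL string into its individual ACEs.
    param([Parameter(Mandatory)][string]$Sddl)
    if (-not ($Sddl -match 'D:(?<flags>[A-Z]*)(?<aces>(\([^)]*\))*)')) {
        throw 'SDDL string contains no DACL'
    }
    $flags = $Matches.flags
    $aces = [regex]::Matches($Matches.aces, '\(([^)]*)\)') | ForEach-Object {
        $f = $_.Groups[1].Value -split ';'
        [pscustomobject]@{ Type = $f[0]; Flags = $f[1]; Rights = $f[2]; Trustee = $f[5] }
    }
    [pscustomobject]@{ DaclFlags = $flags; Aces = $aces }
}

function Test-VssDiagNetworkServiceAccess {
    # Reads the live SDDL unless one is passed in (e.g. the strings from the post).
    param([string]$Sddl = (Get-Acl -Path $VssDiagKey).Sddl)
    $dacl = Get-DaclAces -Sddl $Sddl
    $ns = @($dacl.Aces | Where-Object { $_.Trustee -eq 'NS' })
    [pscustomobject]@{
        InheritanceBlocked = $dacl.DaclFlags.Contains('P')
        # (A;;CCDCLCSWRPSDRC;;;NS): explicit rights on the key itself
        HasKeyAce    = [bool]($ns | Where-Object { $_.Flags -eq '' -and $_.Rights -eq 'CCDCLCSWRPSDRC' })
        # (A;CIIO;GA;;;NS): inherit-only full control that flows to subkeys
        HasSubkeyAce = [bool]($ns | Where-Object { $_.Flags -eq 'CIIO' -and $_.Rights -eq 'GA' })
    }
}

function Restore-VssDiagNetworkServiceAccess {
    # Re-adds the two NETWORK SERVICE ACEs; inherited entries and the DHCP
    # Server service entry are left untouched.
    $acl = Get-Acl -Path $VssDiagKey
    $ns  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'  # NETWORK SERVICE
    # CC DC LC SW RP SD RC = QueryValues, SetValue, CreateSubKey, EnumerateSubKeys,
    # Notify, Delete, ReadPermissions = RegistryRights 0x3001F (assumed mapping)
    $keyRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $ns, [System.Security.AccessControl.RegistryRights]0x3001F, 'None', 'None', 'Allow')
    # GA with CIIO: full control, container-inherit and inherit-only
    $subRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $ns, [System.Security.AccessControl.RegistryRights]::FullControl,
        'ContainerInherit', 'InheritOnly', 'Allow')
    $acl.AddAccessRule($keyRule)
    $acl.AddAccessRule($subRule)
    Set-Acl -Path $VssDiagKey -AclObject $acl
}
```

Run Test-VssDiagNetworkServiceAccess first; on a server showing event 8193 it reports both HasKeyAce and HasSubkeyAce as False, and Restore-VssDiagNetworkServiceAccess puts the two entries back.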
 

1 comment:

  1. Hi, bro! I encountered the event ID 8193 with "Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW". Your post was most useful for getting rid of the error. I'd suggest adding one more screenshot that will explain that you have to add two permission entries for NETWORK SERVICE: https://goo.gl/xcCQp4 (I was confused about this at first sight).
