Solved

DHCP access denied.

Posted on 2004-10-11
Last Modified: 2011-10-03
I recently installed a Win2K3 member server into a Win2K controlled domain. I have a static IP set but am getting an annoying DHCP error similar to a previous thread: DHCP Client service, Access is denied. on the new member server. I disabled the DHCP client service on the new server, and am not getting errors, but may one day want to allow the machine to use DHCP. The previous thread had the following solution.

The solution was as follows:

 My problem was solved by granting the network services account full control to the
     hkey_local_machine\system\currentcontrolset\services\dhcp &
     hkey_local_machine\system\currentcontrolset\services\tcpip registry keys on the updated server.
     ......

Although I realize this is a reg hack and doesn't really explain why the error occurs, I would like to get rid of the pesky errors in the event log when I enable DHCP client.

OK, so my question is -- to accomplish this, do I just need to add a new

string value: Object name
Value data: NT AUTHORITY\Network Service

to the registry under hklm\system\ccs\services\dhcp and tcpip?

I'm not quite sure if this is how to give the network services account full control.

TIA
Question by:blueoakmo
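
Permissions on a registry key live in the key's access control list, not in a value stored under the key. As an added example (not part of the original question or of any reply), this PowerShell sketch reads the ACLs of the two keys named in the question and lists the entries that apply to NT AUTHORITY\NETWORK SERVICE; the function name is hypothetical, and the script assumes PowerShell 2.0 or later in an elevated session on the affected server.

```powershell
# Added example: report the ACL entries for NETWORK SERVICE on the two
# service keys named in the question. Read-only; nothing is modified.
$networkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
)

# Hypothetical helper name, chosen for this example.
function Get-NetworkServiceKeyAccess {
    param([string[]]$Path)

    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Key not found: $key"
            continue
        }

        $acl = Get-Acl -Path $key

        # Request explicit and inherited rules with identities returned as SIDs,
        # so the match does not depend on localized account names.
        $rules = @($acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier]) |
                   Where-Object { $_.IdentityReference.Value -eq $networkServiceSid })

        if ($rules.Count -eq 0) {
            # No direct entry. Access may still be granted through a group,
            # so this is a prompt to review the full ACL, not a verdict.
            New-Object PSObject -Property @{
                Key = $key; Type = 'none'; Rights = '(no direct entry)'; Inherited = $null
            }
            continue
        }

        foreach ($rule in $rules) {
            New-Object PSObject -Property @{
                Key       = $key
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.RegistryRights      # e.g. ReadKey, FullControl
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-NetworkServiceKeyAccess -Path $keys |
    Format-Table Key, Type, Rights, Inherited -AutoSize
```

Comparing the output with the same keys on a member server where the DHCP Client service starts cleanly shows whether the ACL actually differs before any permission is widened.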
14 Comments
 
LVL 18

Expert Comment

by:crissand
ID: 12278634
The member server is joined to the domain?

Also, can you write here the eventid error from logs?
0
 

Author Comment

by:blueoakmo
ID: 12279178
Event ID 7023 in the System Log:

"The DHCP Client service terminated with the following error:
Access is denied."

But don't bother with Microsoft KB, it was no help.  This is a glitch I've discovered has happened to a few others, but no one seems to know exactly what caused the problem.

This is the interesting part -- the new server was initially set up to use DHCP and joined the domain fine the first time.  However, after a restart it can't join in that configuration - access to the DHCP server is denied.  I set up the system to have a static IP and it joins the domain fine and all is functioning well, including using GP on the domain, but throws off the error.

I'm really more interested in the registry info and if that is the best (only?) way to give the network services account control.
0
 
LVL 18

Expert Comment

by:crissand
ID: 12285808
I've seen that error when date and time on dc and the other machine weren't synchronized. But there must be some warnings in error log stating that.
0
 
LVL 21

Expert Comment

by:marc_nivens
ID: 12307722
A little off topic but worth mentioning.... if the DHCP client service is shut off then dynamic DNS registration will fail.   I know it sounds weird, but the DHCP client service is responsible for client side dynamic DNS registration.
0
 

Author Comment

by:blueoakmo
ID: 13028125
Gonna request a cleanup of this question.  Seems this has been encountered by others but no solution has been found.

Thanks all.
0
 
LVL 18

Expert Comment

by:crissand
ID: 13034020
Is a dhcp server on the domain controller? The new dhcp server has been authorized in active directory. The w2k3 server has been joined to the domain? The addresses of the dc and w2k3 server are outside the dhcp pool?
0
 

Author Comment

by:blueoakmo
ID: 13037031
Yes to all.  The thing is, all of the other servers and workstations are working fine and when assigning a static address, connectivity is good.  It's only if I leave the DHCP Client service enabled and started that I get error messages or if I try to dynamically set the IP on this server.  
0
 
LVL 18

Expert Comment

by:crissand
ID: 13043412
You can't have two dhcp servers with the same address pool.
0
 

Author Comment

by:blueoakmo
ID: 13045302
?????

Hmm, not sure how you got the impression that there were 2 dhcp servers?

There is one dhcp server located on the DC.  The member server that is having the issue is having issues with the Dhcp client (acquiring an address dynamically).
0
 
LVL 18

Expert Comment

by:crissand
ID: 13045790
It seems the answer was to another question. :-)

Let's go back to this question... Error 7023 is a service manager error. It must be another error around.

Verify first if you have free addresses in the address pool.
0
 

Author Comment

by:blueoakmo
ID: 13053757
Actually, since I posted the original question, I believe I discovered that the problem may be related to group policy.  When I initially set up the server, it was set to use DHCP to obtain an address.  It would get an address, but after a period of time, access would be denied to the domain controller.  I haven't spent any time specifically on this, but think that maybe when GP refreshes, the security settings are denying the DHCP client service from working correctly.

This is a very oddball problem that I haven't run into before.  I found a few snippets around that indicated a few others ran into the same thing, but no solution was ever posted.  This may be because most people --including myself-- use static addresses for servers anyway and just disable the DHCP client on the nuisance machine.

The client at this location actually found the problem initially when installing Win2K server on the same machine and contacted Microsoft, to no avail.  We did a clean install on Win2K3 and found we had the same issue.

Very strange......
0
 
LVL 18

Accepted Solution

by:
crissand earned 250 total points
ID: 13064520
I use static addresses for member servers, but the DHCP client isn't stopped. The environment is the same: w2k domain controller and w2k3 member server. The DHCP client depends on the Ipsec driver, but Ipsec is configured to permit all. Verify the DNS suffix for this connection in the NIC's TCP/IP advanced properties.

Before that configuration I used to have one fixed address on one nic and one dhcp address on the other with no problems at all.

The authorization problems can be related to date and time of the member server. I guess joining the domain worked flawlessly.

I don't remember any references in Group policy to dhcp in Windows 2000 environment.
0
