Solved

Since making my 2003R2 server an AD Global Catalog I can no longer access the Virtual Server Administration page?

Posted on 2006-06-08
Last Modified: 2013-11-15
Trying to give enough information here to allow for someone to determine the issue... Sorry if there is some unnecessary info...

I had/have a Windows 2000 DC that I'm trying to replace.

I've installed a Windows 2003 R2 server and made it a DC as well.  This server also has 2 virtual machines (another 2003R2 and a 2003 web server) through Virtual Server 2005.  While trying to solve an issue with being unable to RDP to one of the virtual machines I made the 2003 R2 AD server a Global Catalog and since the reboot when I try to access the virtual server administration page I get the error:

You are not authorized to view this page...

As an aside I tried to add the "Remote Desktop Users" group in as well as it didn't exist ( I thought that was a built-in?) to try and solve my issue about RDP'ing to the 2003 Virtual machine.  I mention this only because that was the only other change I made before the reboot and now failure...

Thanks in advance.

Question by:techeez
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16867600
Hi techeez,

Check your IIS settings; make sure your authentication hasn't gone messy.
 
LVL 1

Author Comment

by:techeez
ID: 16867613
Hey JJ,

Thanks for the quick response... Not entirely clear on what settings to check but I did have a look and everything looks ok to me in IIS :(
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16867625
No problem.

I haven't got Virtual Server installed at the moment as I am running VMware now.

Is there a site for it under IIS? If yes, make sure that Windows authentication is ticked under the site properties - Security - Authentication Methods.
 
LVL 1

Author Comment

by:techeez
ID: 16867683
Ok... Checked that... Integrated Windows Authentication is selected.
 
LVL 1

Author Comment

by:techeez
ID: 16872188
Just realized that my last post sort of implied that this was fixed... that is not the case.  The correct auth settings appear to be on the site, and it's NOT working :(
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16879411
Can you check your event log for me, anything relating to VS?
 
LVL 1

Author Comment

by:techeez
ID: 16891714
Hey JJ,

I checked the event log... application/security/system/virtual server... I can't see anything that looks appropriate. However, I discussed this with a friend who admins a Virtual Server as well and he had a similar problem. I now have a suspicion that my problem occurred right after I made the actual Virtual Server an AD controller, not making it the GC. It looks like VS saves its 'admin' credentials separately and I used the administrator/password combo originally when I installed it. Then when I made it a DC by adding it to an existing domain, the original machine's admin username/password is different. I can only think of two things to try... changing the administrator password to match my original on that machine (which I can't do without informing the users), or remove and reinstall VS.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16891718
Hmm, I haven't had a whole load of experience with VS, so if your friend who has gives you those options then I would listen to him!
 
LVL 1

Author Comment

by:techeez
ID: 16906585
Removing and Reinstalling VS did nothing.
 
LVL 12

Expert Comment

by:GinEric
ID: 16913219
     
Comment from GinEric, Date: 06/14/2006 03:42AM PDT

Once you add the Domain Controller role, the default is nobody else is allowed to launch applications.  This is a major problem with current Windows releases.

The extremely paranoid settings of Windows Server utilize all of the Data Execution Prevention [DEP] and other integrated security to default a basic state of disallowing anything outside of critical system components from launching or starting any application.

I don't think Microsoft was quite prepared when this feature was incorporated, and release went on without the benefit of either a study of the consequences or any documentation of switching to this mode.

Currently, the best description is a mishmash of analyzed failures that have not, as yet, identified the basic problem: too much was turned off too fast.  Some pertinent discussion:

http://support.microsoft.com/kb/913119/en-us
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21870899.html#16829874

I haven't quite completed the write up yet, but the basics are that once you make the server a domain controller, it resets all previous base level stuff to Launch Permission Denied.

COM, DCOM, and even permissions in services and users and applications are all affected, since the permissions were not consulted before the server became a domain controller [the feature was not installed], but now are.

The lovely thing about it is that I am still laughing over having been ridiculed and badmouthed for posting the first question that asked about this problem.

Removing and reinstalling is no longer the solution to make this problem go away, as it has been in the past with so many seemingly failing drivers and programs, but actually solving it, usually manually, now is.

Whether it's an access permission for a user, or an access permission for the application or service, it should generate an error in EventViewer; some attempted installations will generate a dump file for analysis, which will generally say something like:

ERROR_CODE: (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.

which means, "The CD executable was not allowed to execute at the basic layer and has been denied launch permission."

We're getting this everywhere, from nVidia drivers and installs [motherboard] to Creative Labs driver installations, video, ethernet, in fact, any card or program, just about.  It means none of the HAL driver developers was given a sequence to enable permission to run.  Nice, huh?

The problem with paranoiaware designed for the mass user is that it becomes neuroses, then psychoses, for the educated administrator and puts his server into a safe plastic bubble, where absolutely nothing else can get in, nothing can get out, and what he has is a self-made prison, made by the paranoid operating system, where it looks like things are working "A OK," but in actuality nothing is actually running, that is, nothing is really doing anything worthwhile.
 
LVL 12

Expert Comment

by:GinEric
ID: 16913339
Still working on this.  Making a Windows Server a domain controller killed off all the previously installed drivers and other applications, upset DCOM tremendously so that thousands of DCOM errors are reported about some stringy key not having permissions, and although I can find the stringy key [one of those curly-brace combos of letters and numbers], I can't fix the permissions to what they were before server changes destroyed them.  This is because the whole security schema changed once the server became a domain controller and the new security features were installed.

Thus far, we've reinstalled the nVidia and other drivers, but that was not the problem, the problem was that some AD oriented administration uses either IIS or apache and all the permissions were altered; we had to actually rewrite some software and reconfigure entirely, often starting the process under a username in order to get it to work [you can set user permissions, but there seems to be no provision for setting the permissions of the stringy key].

Microsoft's security is disjoint; that is, it is contained in too many programs and functions and is not centralised; one hand does not know what the other is doing, up to a six-handed monster, and thus Windows is fighting itself on security.  You have to change the settings on all six hands to get it to work now.  And at that there's no guarantee that there are not even more hands.

It even took out the ATI drivers and an attempt to reinstall led to 100% cputime where you could do nothing, absolutely nothing.  Had to reboot to safe mode and remove the drivers and all ATI programs.  Reinstall of a later set seems to have worked, but some functionality seems to be missing.

Creative Labs was blitzed, especially by Vista, and neither Microsoft nor Creative Labs has a solution.  So, at least one box has no sound now after working perfectly before the Vista install.  Which says, be prepared for the whole thing to happen all over again when Vista comes out.

They missed one important thing:  No process should be allowed to exceed about 70% cputime, and the limit should be closer to 50% cputime, even for the Operating System.  Otherwise, you can't recover or fix it without going into safe mode, if that even works, and you have, basically, a dead and frozen system.

Microsoft and all the other developers overlooked one simple thing:  limit the cputime and detect endless loops!

And, they seem to have missed all the security problems which stop formerly working software from working after an install of nearly anything.
 
LVL 1

Author Comment

by:techeez
ID: 16915666
Hey GinEric,

Thanks for reposting this..

I've tried to resolve your comments to my situation and it doesn't appear to be my actual problem.  At least as near as I can tell.

There are no errors of any significance in the event log that I can find.  The Virtual Server Admin interface does get run through IE though...
 
LVL 1

Author Comment

by:techeez
ID: 16917862
Ok... now I'm really stumped.
I removed the Core server as a domain controller.
removed Virtual Server
Removed Enhanced Security for IE
Rebooted.
Reinstalled DC role.
Reinstalled Virtual Server... and lo and behold it worked.
I then rebooted and it no longer works again.  I'm back to getting the 'You are not authorized...' message when trying to run the VS admin webpage.
 
LVL 1

Author Comment

by:techeez
ID: 16917918
Ok so it looks like I've clearly identified the problem finally:

http://support.microsoft.com/default.aspx?scid=kb;en-us;890893

Haven't had a chance to try it yet... will post the results after.
 
LVL 12

Expert Comment

by:GinEric
ID: 16918197
Permissions: "This issue occurs because the Network Service account that Virtual Server uses does not have permission to write the SPNs to Active Directory"

Same problems we're seeing everywhere.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16918402
I reckon these are popping up everywhere.
 
LVL 1

Author Comment

by:techeez
ID: 16925653
Ok... That KB article was incorrect for my situation.  Excerpt:
"This issue occurs because the Network Service account that Virtual Server uses does not have permission to write the SPNs to Active Directory. Therefore, the SPN for vssrvc/Computer_Name and vssrvc/Fully_Qualified_Domain_Name are not registered in Active Directory."

I tried to follow the instructions... only to find that the SPN did in fact exist... So more digging.

It is in fact a permissions problem (well, duh) but after finding the blog in msdn (after exhaustive searching I might add):
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

It pointed to looking at the IIS logs which I started looking at in greater detail... the error number was specifically 403 19 1314, and a search of that took me to this website:
http://www.beamartyr.net/articles/iisperl.html

Which led me to adding the "domain name\administrator" user id to a couple of policies... which did in fact finally work.

Now what I'm wondering is... Have I broken anything significant in terms of the security model, or can I safely use this?  Should I abandon using the Core Virtual Server as a DC as well?  What are the implications of moving/having one of my 'Virtual Machines' be a DC?  Should I post these questions in another question?
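The diagnosis above turned on reading the IIS log fields that IE never shows: the sc-status, sc-substatus and sc-win32-status columns, where "403 19 1314" was the actual answer. The PowerShell below is an added example, not code from the thread or from Microsoft: it parses IIS 6 W3C extended log lines and decodes those three columns into readable text. The log lines, host names, IPs and the CORP domain are constructed for illustration; the sub-status table is the IIS 6 set for 401 and 403, and the Win32 text comes from the system message table via Win32Exception.

```powershell
# Added example, not from the original thread: decode IIS 6 W3C log entries such
# as "403 19 1314" into readable text. The log below is constructed for
# illustration; real logs are under %SystemRoot%\system32\LogFiles\W3SVC<n>\.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-15 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-15 14:02:11 192.168.1.10 GET /VirtualServer/VSWebApp.exe view=1 1024 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2006-06-15 14:02:12 192.168.1.10 GET /VirtualServer/VSWebApp.exe view=1 1024 CORP\administrator 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 403 19 1314
2006-06-15 14:02:40 192.168.1.10 GET /VirtualServer/VSWebApp.exe view=1 1024 CORP\administrator 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
'@

# IIS 6 sub-status meanings for the two status codes this thread is about.
$subStatusText = @{
    '401.1'  = 'Logon failed'
    '401.2'  = 'Logon failed due to server configuration'
    '401.3'  = 'Unauthorized due to ACL on resource'
    '401.4'  = 'Authorization failed by filter'
    '401.5'  = 'Authorization failed by ISAPI/CGI application'
    '403.1'  = 'Execute access forbidden'
    '403.18' = 'Cannot execute requested URL in the current application pool'
    '403.19' = 'Cannot execute CGIs for the client in this application pool'
}

function Get-Win32ErrorText([uint32]$Code) {
    # Win32Exception pulls the text from the system message table, the same
    # text "net helpmsg <code>" prints. 1314 is ERROR_PRIVILEGE_NOT_HELD.
    if ($Code -eq 0) { return 'The operation completed successfully.' }
    if ($Code -gt [int]::MaxValue) {
        # IIS logs some security-package failures as unsigned HRESULTs
        # (2148074254 = 0x8009030E); they are not Win32 codes, so show hex.
        return ('HRESULT 0x{0:X8}' -f $Code)
    }
    (New-Object System.ComponentModel.Win32Exception([int]$Code)).Message
}

function ConvertFrom-IisW3cLog {
    # Turns W3C extended log lines into objects named after the #Fields header.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split ' '; continue }
        if ($line -match '^#' -or $line -match '^\s*$') { continue }
        $values = $line -split ' '
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $row
    }
}

function Find-IisAuthFailure {
    # Keeps the 401/403 entries and attaches the decoded sub-status and Win32 text.
    param([string[]]$Lines)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'sc-status' -eq '401' -or $_.'sc-status' -eq '403' } |
        ForEach-Object {
            $key = '{0}.{1}' -f $_.'sc-status', $_.'sc-substatus'
            $reason = 'unlisted sub-status'
            if ($subStatusText.ContainsKey($key)) { $reason = $subStatusText[$key] }
            New-Object PSObject -Property @{
                Time     = '{0} {1}' -f $_.date, $_.time
                User     = $_.'cs-username'
                Uri      = $_.'cs-uri-stem'
                Status   = $key
                Reason   = $reason
                Win32    = $_.'sc-win32-status'
                Win32Msg = Get-Win32ErrorText ([uint32]$_.'sc-win32-status')
            }
        }
}

# Usage: on a real server replace $sampleLog with Get-Content on the day's log file.
Find-IisAuthFailure -Lines ($sampleLog -split "`r?`n") |
    Format-Table Time, User, Status, Reason, Win32, Win32Msg -AutoSize
```

The point of decoding rather than searching the raw numbers is that 403.19 says the worker process could not launch the CGI for that client, and 1314 says the process lacked a privilege, which narrows the search to user-rights assignment rather than NTFS ACLs or authentication settings.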
 
LVL 12

Accepted Solution

by:
GinEric earned 500 total points
ID: 16930415
How "we" got around it was by creating a chrooted jail.  That simply means we ran things under a specific username to limit the service's access to what we wanted it to be, on a per directory and/or a per object basis.  If the Network Service account is now running as Administrator, yes, you've broken some rules, but hopefully no one will be able to hijack the service.  iisperl: this is just Perl under IIS control.  It should mean that your CGIs, your Perl scripts, don't have permission to be launched or executed by normal web visitors.  So, in general, if a Network Server doesn't have System Authority, you build a Group and create users that do, by first copying Administrator, and then fine tune down the new user's rights to where they are simply sufficient to do their job, and where they can be constrained, but not overly constrained.

About the use of virtual servers for Windows: on one machine?  What purpose does that serve?  I could see splitting it between a Windows Server and a Linux Server, to have both on the same machine, usually for upgrades, migrations, maintaining some features, but I don't see the use of two or more Windows Servers on the same machine, those beyond the first running as Virtual Servers.

Stated in a few posts:  adding the role of domain controller will, by default, lock down permissions because the strict permissions did not even exist before it was given the role of domain controller.  So yes, it was when you made it a domain controller that the permissions changed.

DCOM [Distributed Component Object Model] is another field entirely and I particularly like this definition of SPN:

SPN : Substitution Permutation Network (cryptography)  http://dict.die.net/spn/

Which just seems to be more permissions, for cryptography.
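Both the accepted answer (trim a dedicated account's rights down to what the service needs) and the author's fix (add domain\administrator to "a couple of policies") are about user-rights assignment, and a promoted server takes those assignments from the Default Domain Controllers Policy rather than its old local policy. The script below is an added example, not code from the thread: it parses the [Privilege Rights] section of a "secedit /export" file and reports which accounts hold a given set of rights, so the before/after state of a DC promotion can be compared. The export text and the domain SID in it are constructed; the list of rights checked is this example's assumption about what an IIS 6 worker-process identity needs, not something the thread or the KB article states, so verify it against the documentation for your release before acting on it.

```powershell
# Added example, not from the original thread. A server promoted to domain
# controller takes its user-rights assignments from the Default Domain
# Controllers Policy, so an account that held a right as a member server can
# lack it afterwards; Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD) in the IIS
# log is consistent with that. This parses the [Privilege Rights] section of a
# "secedit /export" file. The export below is constructed; on a real host run
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# and read that file (it is UTF-16LE) with Get-Content -Encoding Unicode.
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-554
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19
SeServiceLogonRight = *S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1114
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Rights an IIS 6 worker-process identity is assumed to need. This list is the
# example's assumption; check it against the documentation for your release.
$requiredRights = @(
    'SeImpersonatePrivilege',        # Impersonate a client after authentication
    'SeIncreaseQuotaPrivilege',      # Adjust memory quotas for a process
    'SeAssignPrimaryTokenPrivilege', # Replace a process level token
    'SeServiceLogonRight'            # Log on as a service
)

function Get-PrivilegeRights {
    # Returns a hashtable: right name -> array of holder SIDs. secedit writes
    # SIDs with a leading '*'; names it could not resolve appear as plain text.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $holders = @()
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            $holders += $entry.TrimStart('*')
        }
        $rights[$name] = $holders
    }
    return $rights
}

function Resolve-Sid([string]$Sid) {
    # Translate well-known and local SIDs to names for display; anything the
    # host cannot resolve (foreign domain SIDs, plain names) is shown as-is.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Test-AccountRights {
    # For each required right, reports whether $AccountSid holds it and who else does.
    param([hashtable]$Rights, [string[]]$Required, [string]$AccountSid)
    foreach ($right in $Required) {
        $holders = @()
        if ($Rights.ContainsKey($right)) { $holders = $Rights[$right] }
        New-Object PSObject -Property @{
            Right   = $right
            Held    = [bool]($holders -contains $AccountSid)
            Holders = (($holders | ForEach-Object { Resolve-Sid $_ }) -join ', ')
        }
    }
}

# Usage: check NETWORK SERVICE (S-1-5-20), the account the KB article quoted in
# this thread says Virtual Server runs under; substitute the SID of your own
# worker-process account. In the constructed export it is missing
# SeAssignPrimaryTokenPrivilege, which shows as Held = False.
$rights = Get-PrivilegeRights -Lines ($sampleExport -split "`r?`n")
Test-AccountRights -Rights $rights -Required $requiredRights -AccountSid 'S-1-5-20' |
    Format-Table Right, Held, Holders -AutoSize
```

Comparing by SID rather than by display name keeps the check valid on non-English installs and for accounts that rename. Exporting once before promotion and once after, then diffing the two hashtables, shows exactly which rights the Default Domain Controllers Policy removed, which is a far narrower change than granting domain\administrator to the policies or running the site as an administrator.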
 
LVL 1

Author Comment

by:techeez
ID: 16939811
I've got an application running that the users all Term serv into a server for and I didn't want it to be the domain controller as well... I'm also running 2003 web edition in another virtual machine on the same box. My customer didn't want 3 physical servers but wanted everything kept separate.  The really nice thing about the virtual machines is the ease of backup and move to another server for business continuity and disaster recovery purposes...
 
LVL 12

Expert Comment

by:GinEric
ID: 16950753
Okay, I can see that.  We also use Virtual Server, but for a different purpose, to run Linux and Windows on the same machine.

But we do have multiple servers for disaster recovery, redundancy and replication, across multiple domains.  Everything that doesn't work usually goes back to permissions problems on all Windows machines.  So we've figured out a few workarounds and gained some experience with these types of problems, that occur when a server role is upgraded to domain controller.  I'm not sure how the Application Server role affects permissions, but I do know that IIS [Internet Information Server] must be installed for Virtual Server under the Applications Server role.  I would think that the Core Virtual Server would be better secured as a domain controller and therefore would employ that role first.
