I built 3 new 2008 standard domain controllers from scratch. All are virtual machines on VMware. On each server, after adding the DC role, dcpromo, etc., and then running Windows updates, a bunch of services fail to start due to access denied:
Base Filtering Engine (BFE)
IPSec Policy Agent
IKE and AuthIP IPSec Keying Modules
Distributed Transaction Coordinator (DTC)
Network List Service
Network Location Awareness
I had an email ticket with Microsoft on this and wasted 2 weeks of time. They kept focusing on the permissions on the BFE service. The necessary permissions that were NOT in place were for the NETWORK SERVICE and LOCAL SERVICE. I eventually found a link to an article on this very problem: http://techruckus.com/forum/vista-dhcp-base-filtering-service-access-denied-t-t91.html
I followed the instructions and it fixed the problem. Basically, you install SubInACL and run a script which recreates all the permissions, and then the services start.
Now, the problem... this problem has reappeared on each of these 3 DCs. I've had to rerun this script now a second time on each DC. I don't think it is a group policy problem because after a reboot all the services are still OK. It's at some point a few days later that the services fail or stop and can't start because these NETWORK SERVICE and LOCAL SERVICE accounts don't have access. The accounts just aren't even there. So, I have to rerun the script and that fixes it.
I'm very concerned about this as when these services are stopped it causes problems in DC replication and Exchange!
Any thoughts on why these permissions keep being removed?