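Built a new 2012 R2 server and added the following software (labtech, appassure, eset A/V and Teamviewer). It activated and seemed to be working fine. I added the Active Directory Domain Services role and went through the configuration (domain/forest prep and DC promotion). Everything seemed to go well. I rebooted the server, and that is where the weird stuff began. I noticed that the server indicated it needed to be activated again, but it would not accept the key. I confirmed the key was good. It was then that I noticed the Software Protection service (and a number of other core services: Base Filtering Engine, DHCP Client, Firewall, etc.) would not start. The error message for all of these was "Access Denied".
I called MS, and they wanted to troubleshoot at the service level. Their workaround was to use procmon to identify the resource that needed permissions (a registry key, file or folder) and add "everyone" with Full Control. This allowed the services to start, but the problem came back after a reboot.
Thinking there might have been an issue with the antivirus package during the promotion, I rebuilt the DC from scratch and removed the metadata from AD (since I could not demote the machine because of "rpc server unavailable").
I tried promoting the newly built machine again. The only changes on the brand-new machine were the critical updates. The promotion again appeared to go fine, but after a reboot (and waiting a long time to allow for replication), similar problems began to reappear.
I have verified that the schema update is correct (the schema version is 69, for Windows 2012 R2).
I could not find this issue through my own searching, so I thought I would post this and see if anyone else has seen something similar...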
We found that the issue was caused due to a number of file system and registry permissions settings defined in the Default Domain Controllers Policy. While no one can seem to explain why these settings were in that GPO, this does help explain why a 2012 R2 member server would run just fine; but begin to have issues after being promoted. We ended up having to reset this policy to defaults (with the help of MS Support). It took quite a bit of time to get reg key & directory permissions back to the point where all of the services would start. – Cybersylum Jun 23 ’14 at 11:38
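
One way to check a GPO for the kind of settings described in the comment above, as an added example that is not part of the original thread: file system and registry permission entries live in the `[File Security]` and `[Registry Keys]` sections of the GPO's security template (`GptTmpl.inf`). The function name `Get-GpoAclSetting` is hypothetical, the sample template is constructed, and the SYSVOL path in the comment assumes a default layout with `<domain>` as a placeholder.

```powershell
# Lists file-system and registry permission entries defined in a GPO security template.
# Function name is hypothetical; the sample input further down is constructed.
function Get-GpoAclSetting {
    param([string[]]$Line)
    $watch   = 'File Security', 'Registry Keys'
    $section = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }      # blank line or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($watch -notcontains $section) { continue }
        # Entry format: "object path",<mode>,"<SDDL security descriptor>"
        if ($text -match '^"(?<path>[^"]+)"\s*,\s*(?<mode>\d)\s*,\s*"(?<sddl>[^"]*)"$') {
            # Copy the captures first: the -cmatch tests below overwrite $Matches.
            $path = $Matches['path']; $mode = [int]$Matches['mode']; $sddl = $Matches['sddl']
            [pscustomobject]@{
                Section        = $section
                Path           = $path
                Mode           = $mode
                ProtectedDacl  = $sddl -cmatch 'D:[ARI]*P'   # P flag: inheritance blocked
                GrantsEveryone = $sddl -cmatch ';;;WD\)'     # WD is the SDDL alias for Everyone
                Sddl           = $sddl
            }
        }
    }
}

# Constructed sample template. On a DC, read the real file instead, for example:
#   Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
# ({6AC1786C-...} is the well-known GUID of the Default Domain Controllers Policy.)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544
[File Security]
"%SystemRoot%\System32\config",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;WD)"
'@ -split "`r?`n"

Get-GpoAclSetting -Line $sample | Format-Table Section, Path, Mode, ProtectedDacl, GrantsEveryone -AutoSize
```

Any row returned here is an ACL that the policy reapplies at every refresh, which is consistent with manually corrected permissions reverting after a reboot.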