The DHCP Client service does not start after you upgrade a Windows 2000 Server-based domain controller to Windows Server 2003 (895149)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

After you upgrade a Microsoft Windows 2000 Server-based domain controller to Microsoft Windows Server 2003, you may experience the following symptoms:
  • The upgraded server does not obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server.
  • The following event appears in the System log in Event Viewer:
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: Date
    Time: Time
    User: N/A
    Computer: ServerName
    Description: The DHCP Client service terminated with the following error: Access is denied.
  • When you click Start, point to Administrative Tools, and then click Services, you notice that the DHCP Client service does not start. If you try to start the DHCP Client service, you receive the following error message:

    Could not start the DCHP Client service on Local Computer.
    Error 5: Access is denied.

CAUSE

This problem occurs because the Network Service account does not have sufficient permissions to access the following registry subkeys when you upgrade to Windows Server 2003:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

This problem may also occur when you modify the Windows 2000 Group Policy security settings, and the following conditions are true:
  • You modify the security settings by applying the domain controller default security template (DC Security.inf) to the Windows 2000 Server-based domain controller.
  • You apply the template before you upgrade the domain controller to Windows Server 2003.

RESOLUTION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem, assign the Network Service account Full Control access to the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

To do this, use one of the following methods:

Method 1: Use Registry Editor

To use Registry editor to resolve this problem, follow these steps:
  1. On the upgraded Windows Server 2003-based domain controller, click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

  3. Click Permissions, click Add, type network service, and then click OK.
  4. Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.
  5. Locate and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

  6. Click Permissions, click Add, type network service, and then click OK.
  7. Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.

Method 2: Use Group Policy

To use Group Policy to resolve this problem, follow these steps:
  1. On the upgraded Windows Server 2003-based domain controller, open Active Directory Users and Computers.
  2. Expand your domain, right-click the Domain Controllers organizational unit, and then click Properties.
  3. Click the Group Policy tab, click New, type a descriptive name for this new policy, and then press ENTER.
  4. Click Properties, and then click the Security tab.
  5. In the Group or user names list, click ENTERPRISE DOMAIN CONTROLLERS.
  6. In the Allow column of the Permissions for ENTERPRISE DOMAIN CONTROLLERS box, click to clear the Read check box, and then click OK.
  7. Click Add, click your domain in the Look in list, click the Windows Server 2003-based domain controller in the Domains, OUs and linked Group Policy Objects list, and then click OK
  8. In the Domains, OUs and linked Group Policy Objects list, click the new policy that you created in step 3, and then click OK.
  9. Click Properties, and then click the Security tab.
  10. In the Group or user names list, click the Windows Server 2003-based domain controller that you added in step 7.
  11. In the Allow column of the Permissions box, click to select the following check boxes:
    • Read
    • Apply Group Policy
  12. Click Apply, and then click OK.
  13. Click Edit.
  14. Under Computer Configuration, expand Windows Settings, expand Security Settings, right-click Registry, and then click Add Key.
  15. In the Registry list, expand MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, click Dhcp, and then click OK.
  16. Click Add, type network service, and then click OK.
  17. Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.
  18. In the Add Object dialog box, keep the original settings, and then click OK.
  19. Under Computer Configuration, expand Windows Settings, expand Security Settings, right-click Registry, and then click Add Key.
  20. In the Registry list, expand MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, click Tcpip, and then click OK.
  21. Click Add, type network service, and then click OK.
  22. Click to select the Full Control check box in the Allow column of the Permissions for NETWORK SERVICE box, and then click OK.
  23. In the Add Object dialog box, keep the original settings, and then click OK.
Modification Type:MinorLast Reviewed:3/14/2005
Keywords:kbtshoot kbprb KB895149 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.