Corrupted Security Groups Are Created When You Install DHCP or WINS on Multiple Domain Controllers (822048)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

When you install the Dynamic Host Configuration Protocol (DHCP) networking component or the Windows Internet Naming Service (WINS) networking component on multiple domain controllers, corrupted objects may be created in the Microsoft Active Directory directory service for the following security groups:

DHCP Administrators
DHCP Users
WINS Users

If you remove one or more of these objects from a domain controller where you installed the DHCP component or the WINS component, the rights that are associated with that object are also removed. This causes permissions issues for members of the groups that were previously listed.

CAUSE

This issue may occur if all the following conditions are true:
  • You install the DHCP component or the WINS component on a domain controller.

    -and-
  • The domain controller has not successfully replicated the changes throughout Active Directory.

    -and-
  • You install the DHCP component or the WINS component on a second domain controller.

When you install the DHCP component or the WINS component, the corresponding service searches the local Security Accounts Manager (SAM) database for the following security groups (if applicable):

DHCP Administrators
DHCP Users
WINS Users

If these groups do not exist, they are created. When you install these components on a domain controller, the same process occurs. However, if the component is installed on more than one domain controller, and replication has not yet occurred, the security groups are created on each of the domain controllers. After replication completes between the domain controllers, the duplicate groups that are created cause corrupted objects to be created in Active Directory.

RESOLUTION

To resolve this issue, when you install the DHCP component or the WINS component on a domain controller, allow sufficient time for domain controller replication to complete before you install the component on a second domain controller.

WORKAROUND

To work around this issue:
  1. Remove the corrupted security group (or groups) from the domain controller where you installed the DHCP component or the WINS component.

    Note: You can also remove the uncorrupted security group (or groups) and rename the corrupted groups with their correct names.
  2. On the domain controller where you removed the security group (or groups), remove and then reinstall the DHCP networking component or the WINS networking component.

MORE INFORMATION

When the issue described in the "Symptoms" section of this article occurs, the corrupted object that is created in Active Directory represents the Domain Local security group for one of the following groups (depending on the services that are installed):

DHCP Administrators
DHCP Users
WINS Users

Because "duplicate" copies of these security groups are created in the domain, and each group has a unique security identifier (SID), the rights that are assigned to members of the group (or groups) are not consistent throughout the domain. The DHCP service or the WINS service uses the group on the domain controller where it was installed when it determines permissions.

When you remove the corrupted group (or remove the original group and rename the corrupted group), the server no longer has a group from which it can determine permissions for these services. You must remove and reinstall the service (DHCP or WINS, where applicable). Because the security groups are already present in Active Directory when you reinstall the service, they are used by that service and are not re-created.
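
The following script is one way to confirm, before you install the component on a second domain controller, that the groups have replicated everywhere, and to detect the case described above where one group name maps to more than one SID. It is an added example, not part of the original article. It assumes a management host with the ActiveDirectory PowerShell module and domain controllers that answer its queries through Active Directory Web Services; the prefix match on group names is an assumption about how a renamed duplicate appears.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# PowerShell module and read access to every domain controller in the domain.
Import-Module ActiveDirectory

$groupNames = 'DHCP Administrators', 'DHCP Users', 'WINS Users'
$dcs = (Get-ADDomainController -Filter *).HostName

# Ask each domain controller directly, so the answer reflects that DC's own
# replica rather than whichever DC the client happens to locate.
$seen = foreach ($dc in $dcs) {
    foreach ($name in $groupNames) {
        try {
            # Prefix match is an assumption: it also catches a renamed duplicate
            # whose name still begins with the original group name.
            $groups = @(Get-ADGroup -Server $dc -Filter "Name -like '$name*'" -ErrorAction Stop)
        } catch {
            # An unreachable DC is later reported under MissingOn; check the warning.
            Write-Warning "Could not query $dc for '$name': $($_.Exception.Message)"
            continue
        }
        foreach ($g in $groups) {
            [pscustomobject]@{ Group = $name; DC = $dc; Name = $g.Name; SID = $g.SID.Value }
        }
    }
}

# Summarize per group name: how many distinct SIDs exist, and which DCs lack the group.
foreach ($name in $groupNames) {
    $hits    = @($seen | Where-Object { $_.Group -eq $name })
    $sids    = @($hits | Select-Object -ExpandProperty SID -Unique)
    $missing = @($dcs | Where-Object { $_ -notin $hits.DC })

    $state = if ($sids.Count -gt 1) {
        'DUPLICATE: more than one SID exists for this group name'
    } elseif ($sids.Count -eq 1 -and $missing.Count -gt 0) {
        'NOT REPLICATED: wait before installing on another domain controller'
    } elseif ($sids.Count -eq 1) {
        'CONSISTENT: one SID, present on every domain controller'
    } else {
        'ABSENT: group not found on any domain controller'
    }
    [pscustomobject]@{
        Group = $name; State = $state
        SIDs = $sids -join ', '; MissingOn = $missing -join ', '
    }
}
```

Install the component on another domain controller only when every group the first installation created reports CONSISTENT.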

Modification Type: Major
Last Reviewed: 10/9/2003
Keywords: kbprb KB822048 kbAudITPRO