Event 1202 with status 0x534 logged on Windows Server 2008 R2 domain controllers after modifying security policy

When modifying any security setting in the Default Domain Controllers Policy using the Group Policy Management Console (GPMC) from the console of a Windows Server 2008 R2 domain controller, GPMC incorrectly translates the SID for the Wdiservice account in the policy to a user name which is not recognized by the local machines where the policy is enforced.

This issue also occurs when a Windows 7 or Windows Server 2008 R2 member computer modifies any security setting in the Default Domain Controllers Policy on a Windows Server 2008 R2 domain controller.

Edit the %SystemRoot%\Sysvol\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GPTTMPL.INF file:

Replace the value of SeSystemProfilePrivilege with: *S-1-5-32-544,NT Service\WdiServiceHost (initial value: *S-1-5-32-544,WdiServiceHost).

If you use IIS on the server:
Add the “IIS AppPool\” prefix to the ‘DefaultAppPool’ and ‘Classic .NET AppPool’ objects.
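
The same edit can be scripted so that it can be repeated and reviewed. The PowerShell below is an added example, not part of the original post. The function name, the sample lines and the handling of every Se* line (not only SeSystemProfilePrivilege) are assumptions, as is the UTF-16 encoding of the template file.

```powershell
# Added example (not from the original post). Names below are illustrative.
# Maps the unqualified names found in the policy to the qualified forms given above.
$Qualified = @{
    'WdiServiceHost'       = 'NT Service\WdiServiceHost'
    'DefaultAppPool'       = 'IIS AppPool\DefaultAppPool'
    'Classic .NET AppPool' = 'IIS AppPool\Classic .NET AppPool'
}

function Repair-PrivilegeLine {
    param([string]$Line)
    # Only "SeXxx = a,b,c" lines are candidates; all other lines pass through.
    if ($Line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { return $Line }
    $name    = $Matches[1]
    $entries = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
    # Leave the line exactly as it is when nothing needs qualifying.
    if (-not ($entries | Where-Object { $Qualified.ContainsKey($_) })) { return $Line }
    $fixed = $entries | ForEach-Object {
        if ($Qualified.ContainsKey($_)) { $Qualified[$_] } else { $_ }
    }
    return ('{0} = {1}' -f $name, ($fixed -join ','))
}

# Constructed sample lines; the SeAuditPrivilege line is hypothetical.
$sample = @(
    '[Privilege Rights]',
    'SeSystemProfilePrivilege = *S-1-5-32-544,WdiServiceHost',
    'SeAuditPrivilege = *S-1-5-19,DefaultAppPool,Classic .NET AppPool',
    'SeBackupPrivilege = *S-1-5-32-544'
)
$sample | ForEach-Object { Repair-PrivilegeLine $_ }

# Apply to the real template only if it exists; a .bak copy is written first.
$Path = Join-Path $env:SystemRoot ('Sysvol\domain\Policies\' +
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GPTTMPL.INF')
if (Test-Path -LiteralPath $Path) {
    $old = @(Get-Content -LiteralPath $Path -Encoding Unicode)   # assumed UTF-16
    $new = @($old | ForEach-Object { Repair-PrivilegeLine $_ })
    if (($old -join "`n") -ne ($new -join "`n")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        Set-Content -LiteralPath $Path -Value $new -Encoding Unicode
    }
}
```

Entries that are already qualified, and SIDs such as *S-1-5-32-544, do not match the lookup table and are left untouched, so the script is safe to run more than once.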

Upgrading Windows Server 2008 R2 without media

The supported upgrade paths are:

  • Windows Server 2008 R2 Standard -> Windows Server 2008 R2 Enterprise -> Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard Server Core -> Windows Server 2008 R2 Enterprise Server Core -> Windows Server 2008 R2 Datacenter Server Core
  • Windows Server 2008 R2 Foundation -> Windows Server 2008 R2 Standard

To determine the installed edition, run:

DISM /online /Get-CurrentEdition

To check the possible target editions, run:

DISM /online /Get-TargetEditions

Finally, to initiate an upgrade, run:

DISM /online /Set-Edition:EDITION_ID /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

WARNING: The server can’t be a DC at the time of the upgrade. If you demote a DC using dcpromo, you can upgrade it and then re-promote it (you may need to migrate FSMO roles, etc., in order to demote it successfully).
General usage of DISM: http://technet.microsoft.com/en-us/library/dd744380(WS.10).aspx

Update:

KMS Client Setup Keys

Windows Server 2008 R2 Datacenter 74YFP-3QFB3-KQT8W-PMXWJ-7M648
Windows Server 2008 R2 Enterprise 489J6-VHDMP-X63PK-3K798-CPX3Y

 

Operations Manager 2007 R2 : DNS 2008/R2 Forwarder Availability Alert

Either changing it to an NS record for microsoft.com or making it an A record for www.microsoft.com, for instance, would work, provided of course that this DNS server is allowed to run external DNS resolution queries. If you are not interested in this, you can either use an A record that points to an internal resource name, or turn it off.