Hi, all;

Has anyone else had serious trouble after applying Security rollup patch for w2k server sp4? Immediately after applying patch, DNS zones disappeared and all file replication between DCs was terminated. Enforced replication was prevented with "Access denied" message. DCs just stopped talking to each other. Appears to be a Kerberos problem. I guess this puts a new definition to the term "ROLLUP".

ONLY solution thus far is to do an FSMO role seize off all DCs other than one DC running DNS (very difficult because of "Access denied" status). Then each stripped DC, which will only respond to the Dcpromo /forced, is demoted to standalone status (Dcpromo for demotion will not work). Have to use "ADSI edit" and "Metadata cleanup" to purge Active Directory of references to former DCs. Stripped all former DCs and rebuilt, then rejoined the domain and ran Dcpromo on all.

MSFT assisted in the recovery. No one seems to know what happened, but we came damn close to a total network loss due to one patch. They tried regenerating Kerberos tickets and reestablishing the secure channel... no luck... "Access denied" was the only response. The only thing I saw out of the ordinary was after applying the patch and rebooting, about 5 minutes later the DC which was the DNS server spontaneously rebooted. No core dump, just a mystery reboot. When it came back up, the network was hosed.

I have avoided all prior snafus with MSFT service packs and patches since the days of NT3.5 by hanging back a little and watching for warnings on Bugtraq. Got nailed good this time. So this is my turn to sound the warning and give payback to all who have kept me out of trouble in the past by taking the time in the midst of a crisis to post.

Lesson learned: when dealing with MSFT, there is no such thing as a trivial service pack or patch. I guess that's why they pay us the big bucks... to recover from what hackers, users, power surges, or vendors (and even sometimes ourselves ;--) do to our networks.

Ya gotta love this job!

gerald