Dependence of DCPROMO on Remote Registry Service

Just wanted to add a note about DCPROMO (the program that “promotes” a server to become an Active Directory Domain Controller) and the need to have Remote Registry service enabled for it to succeed.  Generally, you wouldn’t expect DCPROMO to be dependent on such a service but the reality is that there is a dependency and the process will fail with a completely irrelevant message if you do try it with the service disabled.

A bit of background: We have an automated and  “hardened” Windows build, that builds servers based on answer files and customises them via scripts that run automatically soon after the install.  Amongst other things, our hardening includes disabling of any services that we think aren’t necessary for general builds and in our case, Remote Registry service is one of the services we disable.  Traditionally, the idea has been to disable any remoting technologies to keep bad people away from servers via remote mechanisms.  That said, one might argue that these services only provide access if you have administrative rights to the machine in question and if one gets hold of those rights, you won’t be able to keep that person off the machine anyway.

Another point is that in recent years, Microsoft processes have become more dependent on remoting technologies, especially since the introduction of PowerShell.  A lot of Microsoft processes now connect to other processes as if they’re remote (even if they’re running local).  Logic being that if you have to provide remote capabilities, having just the remote connectivity option saves on coding by having just one mechanism to deal with.  This, however, increases the dependency of processes on remoting technologies and you cannot assume anymore that these technologies can just be disabled.

So, when writing the processes for creating a new forest for my organisation recently, I hit the problem mentioned above which was solved by enabling the Remote Registry service.  You might still want to disable the service after the install is done but due to the arguments presented above, it might cause you more issues with future installs/administration than it’s worth!

By | 2016-12-11T15:25:08+00:00 June 27th, 2011|Active Directory, Strategy|1 Comment

About the Author:

One Comment

  1. brico depot pdf November 2, 2014 at 4:42 AM - Reply

    brico depot pdf

    Ather Beg’s Useful Thoughts – Dependence of DCPROMO on Remote Registry Service

Leave A Comment

%d bloggers like this: