If you install DHCP or WINS on a domain controller, and you do NOT allow sufficient time for domain controller replication to complete before you install these components on another domain controller, you will experience corruption of one or more of the following security groups:
The problem occurs if the security groups don't exist. The groups are created with their own unque SID, instead of the common SID that replication enables.
To resolve this behavior:
1. Remove the security groups from the domain controllers where you added DHCP and/or WINS.
2. Uninstall the networking component(s) that you added, DHCP and/or WINS.
3. Install the networking components on one domain controller.
4. After replication of the security groups has completed, install the networking component(s) on the additional domain controller(s).