Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)
[Today's post comes to us courtesy of John Bay, Damian Leibaschoff, Justin Crosby and Chris Puckett]
Some customers have reported seeing random problems with services after installing MS08-037. In one case, Exchange Always Up To Date notifications for activesync were failing and in other cases the IPSEC or the IAS services were failing to start.
In the case of the AUTD issue, you will see events similar to the following in the application event log:
Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3015
Date: 7/12/2008
Time: 6:38:34 PM
User: N/A
Computer: SERVER
Description: IP-based AUTD failed to initialize because the processing of notifications could not be setup. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.
Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3024
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description: IP-based AUTD failed to initialize. Error code: [0x80004005].
In the case of the IPSEC Service failing you start, you will see the following events logged in the system event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description: The IPSEC Services Service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.Event Type: Error
Event Source: IPSec
Event Category: None
Event ID: 4292
Date: 7/15/2008
Time: 2:53:14 PM
User: N/A
Computer: SERVER
Description: The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.
If the IPSEC service fails to start, the server will be running in Block mode and it will block all network connectivity to the server.
In the case of the IAS Service failing to start, you will see the following event logged in the system event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description: The Internet Authentication Service Service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.
MS08-037 is a security update designed to prevent DNS spoofing. The update is described by article 953230 MS08-037: Vulnerabilities in DNS could allow spoofing: https://support.microsoft.com/default.aspx?scid=kb;EN-US;953230
The update changes the way the DNS server allocates the UDP source port for DNS queries. On an SBS server by default we set the MaxUserPort value in the registry to 60000 or 65536 depending on the version of SBS. The MaxUserPort value causes the DNS server to pick UDP source ports in the range of 1024 to 60000, or 65536. The MaxUserPort is set on the SBS server by Exchange and ISA server. DNS by default will randomly pick 2500 ports when the service starts up, a port conflict will occur if the DNS server allocates a port that is required by another service and that service will fail once it requests that static UDP port. So far we have seen issues with AUTD, IPSEC, and IAS but there may be other services that will have a conflict.
The ReservedPorts registry key can be used to exclude ports from the pool the DNS server uses. The reservedports registry key is described in 812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
Here is the list of ports that we have seen conflicts with services on the machine.
- 1645-1646 - Used by IAS
- 1701-1701 - Used by L2TP
- 1812-1813 - Used by IAS
- 2883-2883 - Used by AUTD
- 4500-4500 - Used by IPSEC
For now we are suggesting customers be proactive and modify the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts
We suggest you add these port numbers to the current values set in the ReservedPorts registry key. Do not replace the values currently there with these values but simply add these additional values.
When you click OK you may get the following warning message:
This warning is OK and you can click OK on it.
Once you modify the ReservedPorts key you will have to reboot the server to make the change effective.
If you are using any third party applications on your SBS server that might require the use of a static UDP port higher than port 1024, you should also add it to the list of reserved ports.
If you have any other issue after installing 951746 and 951748 that is resolved by uninstalling these updates, try setting the ReservedPorts registry value and rebooting the server. Then reinstall the 951746 and 951748 updates.
Regardless of any other issues you might encounter with these updates (see below), once the updates are installed, you should have the ReservedPorts updated to prevent unexpected failures on server reboot.
Remember that the 951748 and 951746 updates may also cause a loss of Internet Connectivity in conjunction with 3rd party firewall products. For more information on that issue see: https://blogs.technet.com/sbs/archive/2008/07/11/loss-of-internet-connectivity-after-installing-951748-and-951746.aspx
Furthermore, a third type of issue has been seen where the DNS Server service fails to start with the following error:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/15/2008
Time: 5:12:05 PM
User: N/A
Computer: Server
Description:
The DNS Server service terminated with the following error:
Not enough storage is available to complete this operation.
On the servers that we have this problem on we have seen signs of incomplete installations of Windows Server 2003 Service Pack 2. Uninstall both updates (951748 and 951746) and verify that Service Pack 2 is properly installed (You will most likely need to re-install it, check the following link for Best Practices <https://blogs.technet.com/sbs/archive/2007/06/30/new-best-practices-for-sp2-kb.aspx>).
Update:
This issue is further discussed in these two new KB articles:
Comments
Anonymous
January 01, 2003
At this time, please do not remove the MaxUserPort registry key. Before this update, if you did not have the MaxUserPort registry key, the dynamic port range was from 1024 to 5000. With this update, and without the MaxUserPort registry key, the dynamic port range is now from 49152 to 65535. The MaxUserPort is set by Exchange (to 60000) and by ISA (to 65535) and this would set the effective dynamic range from 1024 to MaxUserPort (with or without the update). As you can see, those two products are setting the server up for many more dynamic ports than the ~16000 that you would get when the registry key is not present. Regards, SBSAnonymous
January 01, 2003
Good catch, we fixed the link, it now points to http://support.microsoft.com/default.aspx?scid=kb;EN-US;812873, thanks. SBSAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Hi, The screen shot shows the ReservedPorts value from an SBS server with ISA installed. ISA adds a few values to the key on its own. You should just need to add the 5 ranges to your current ReservedPort values. Again, the values to add are: 1645-1646 - Used by IAS 1701-1701 - Used by L2TP 1812-1813 - Used by IAS 2883-2883 - Used by AUTD 4500-4500 - Used by IPSEC Regards, SBSAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Direct copy from the SBS Blogpost here . One important comment to note is that the MaxUserPort registryAnonymous
January 01, 2003
[Today's post comes to us courtesy of Damian Leibaschoff] On August 12 th , Microsoft will release severalAnonymous
January 01, 2003
Two new KB articles have been released that discuss the issue we first spoke about in our blog post entitledAnonymous
January 01, 2003
PingBack from http://blogs.technet.com/sbs/archive/2008/07/11/loss-of-internet-connectivity-after-installing-951748-and-951746.aspxAnonymous
January 01, 2003
If your SBS server also tuns ISA Server, then DO NOT change the MaxUserPorts registry value. The ISA installer sets this to 65535 to provide the maximum number of ports possible.Anonymous
July 17, 2008
Can you please clearify is we need to add just the 5 ranges you listed in text or the 10 ranges in the screen shot?Anonymous
July 17, 2008
Some are suggesting removing the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersMaxUserPort registry entry as a fix. Is this also recommended?Anonymous
July 18, 2008
Thank you so much for this info! This stopped IAS from starting which in turn stopped RRAS from starting. Applied the registy edit and IAS could start straight away but RRAS required server reboot.Anonymous
July 18, 2008
The link to kb article 812873 seems to be pointing to an internal MS alias.Anonymous
July 23, 2008
Cured my "AUTD failed to initialize" woes. Thanks!Anonymous
July 27, 2008
I believe this issue also occurs on Windows Server 2003 with ISA installed and is not just restricted to SBS.Anonymous
July 28, 2008
Great article. Thank you very much! You saved me from a major headache. Our SBS was randomly unable to connect to the network after our nightly backup (thanks to the IPSec port conflict). Much appreciated!Anonymous
July 29, 2008
I imagine SBS means Small Business Server. Does this blog entry also pertain to non Small Business Servers such as Server 2003 Standard, Enterprise, etc.?Anonymous
August 01, 2008
The comment has been removedAnonymous
August 04, 2008
I think this is the problem that I have. But in my case its a bit worse. I have done what the article suggests, but I can not reinstall SP2 since the "Cryptographic service" also is stopped. Neither can I uninstall SP2, I get a message "File not found". Any advice?