SBS Services failing after MS08-037 – KB951746 and 951748

Direct copy from the SBS blog post here. One important comment to note is that the MaxUserPort registry key should NOT be removed.

From the Official SBS Blog:

[Today’s post comes to us courtesy of John Bay, Damian Leibaschoff, Justin Crosby and Chris Puckett]

Some customers have reported seeing random problems with services after installing MS08-037. In one case, Exchange Always Up To Date (AUTD) notifications for ActiveSync were failing, and in other cases the IPSEC or the IAS services were failing to start.

In the case of the AUTD issue, you will see events similar to the following in the application event log:

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3015
Date: 7/12/2008
Time: 6:38:34 PM
User: N/A
Computer: SERVER
Description:  IP-based AUTD failed to initialize because the processing of notifications could not be setup. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3024
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description:  IP-based AUTD failed to initialize. Error code: [0x80004005].

In the case of the IPSEC Service failing to start, you will see the following events logged in the system event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description:  The IPSEC Services Service terminated with the following error:  Only one usage of each socket address (protocol/network address/port) is normally permitted.

Event Type: Error
Event Source: IPSec
Event Category: None
Event ID: 4292
Date: 7/15/2008
Time: 2:53:14 PM
User: N/A
Computer: SERVER
Description:  The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.  For detailed troubleshooting information, review the events in the Security event log.

If the IPSEC service fails to start, the server will be running in Block mode and it will block all network connectivity to the server. 

In the case of the IAS Service failing to start, you will see the following event logged in the system event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/12/2008
Time: 6:38:37 PM
User: N/A
Computer: SERVER
Description:  The Internet Authentication Service Service terminated with the following error:  Only one usage of each socket address (protocol/network address/port) is normally permitted.

MS08-037 is a security update that addresses DNS spoofing vulnerabilities. The update is described in KB article 953230, "MS08-037: Vulnerabilities in DNS could allow spoofing": http://support.microsoft.com/default.aspx?scid=kb;EN-US;953230

The update changes the way the DNS server allocates the UDP source port for DNS queries. On an SBS server we set the MaxUserPort value in the registry by default to 60000 or 65536, depending on the version of SBS; MaxUserPort is set on the SBS server by Exchange and ISA Server. This MaxUserPort value causes the DNS server to pick UDP source ports in the range of 1024 to 60000 (or 65536). By default, DNS randomly picks 2500 ports when the service starts up. A port conflict occurs if the DNS server allocates a port that another service requires: that service will fail as soon as it requests its static UDP port. So far we have seen issues with AUTD, IPSEC, and IAS, but there may be other services that will have a conflict.

The ReservedPorts registry key can be used to exclude ports from the pool the DNS server uses. The ReservedPorts registry key is described in KB article 812873, "How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server".

Here is the list of ports on which we have seen conflicts with services on the machine.

  • 1645-1646 – Used by IAS
  • 1701-1701 – Used by L2TP
  • 1812-1813 – Used by IAS
  • 2883-2883 – Used by AUTD
  • 4500-4500 – Used by IPSEC

For now we are suggesting customers be proactive and modify the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

We suggest you add these port numbers to the current values set in the ReservedPorts registry key.  Do not replace the values currently there with these values but simply add these additional values. 

[Screenshot: the ReservedPorts value being edited in Registry Editor]

When you click OK you may get the following warning message:

[Screenshot: the Registry Editor warning message]

This warning is OK and you can click OK on it.

Once you modify the ReservedPorts key you will have to reboot the server to make the change effective. 

If you are using any third party applications on your SBS server that might require the use of a static UDP port higher than port 1024, you should also add it to the list of reserved ports.
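The following script is an added example, not part of the SBS blog post or the reposted article. It does what the steps above describe, with the two safeguards the post insists on: it appends to whatever ReservedPorts already contains rather than replacing it, and it reads MaxUserPort only to display it, never to change it. Before writing anything it also reports which of the listed UDP ports dns.exe has already grabbed, which is the conflict the event log entries above reflect. It assumes PowerShell 2.0 or later in an elevated session (PowerShell is not installed on SBS 2003 by default), that `netstat -a -n -o -p UDP` prints lines in the usual Server 2003 shape, and the parameter name `$ExtraRanges` and helper `Parse-Range` are my own choices for carrying third-party static ports, not anything from the page.

```powershell
param(
    [string[]]$ExtraRanges = @(),   # hypothetical: e.g. "5060-5060" for a third-party app
    [switch]$Apply                  # without -Apply the script only reports
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# The five ranges from the post, plus whatever the caller adds for third-party services
$required = @('1645-1646', '1701-1701', '1812-1813', '2883-2883', '4500-4500') + $ExtraRanges

function Parse-Range([string]$r) {
    # ReservedPorts entries are "low-high"; a single port is written "n-n"
    if ($r -notmatch '^(\d{1,5})-(\d{1,5})$') { throw "Bad ReservedPorts entry: '$r'" }
    $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
    if ($lo -gt $hi -or $hi -gt 65535) { throw "Bad ReservedPorts entry: '$r'" }
    return @{ Low = $lo; High = $hi }
}

# --- 1. Read the current values. MaxUserPort is shown but never modified:
#        Exchange and ISA set it deliberately, and the post says not to remove it.
$params  = Get-ItemProperty -Path $regPath
$current = @()
if ($params.ReservedPorts) { $current = @($params.ReservedPorts) }
Write-Host "MaxUserPort   : $($params.MaxUserPort)  (left unchanged)"
Write-Host "ReservedPorts : $($current -join ', ')"

# --- 2. Report required ports that dns.exe has already bound. Assumed line shape:
#        "  UDP    0.0.0.0:2883    *:*    1234"  (local address, foreign address, PID)
$dnsPids = @(Get-Process -Name dns -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$bound   = @{}
netstat -a -n -o -p UDP | ForEach-Object {
    if ($_ -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
        $bound[[int]$Matches[1]] = [int]$Matches[2]
    }
}
foreach ($r in $required) {
    $range = Parse-Range $r
    for ($p = $range.Low; $p -le $range.High; $p++) {
        if ($bound.ContainsKey($p) -and $dnsPids -contains $bound[$p]) {
            Write-Warning "UDP $p is currently held by dns.exe (PID $($bound[$p])); the service that needs it will fail until the reservation is in place and the server is rebooted"
        }
    }
}

# --- 3. Work out which required ranges are not already covered by an existing entry
$covered = $current | ForEach-Object { Parse-Range $_ }
$missing = @()
foreach ($r in $required) {
    $need = Parse-Range $r
    $isCovered = $false
    foreach ($c in $covered) {
        if ($c.Low -le $need.Low -and $c.High -ge $need.High) { $isCovered = $true; break }
    }
    if (-not $isCovered) { $missing += $r }
}

if ($missing.Count -eq 0) {
    Write-Host 'All required ranges are already reserved; nothing to do.'
    return
}
Write-Host "Ranges to add : $($missing -join ', ')"

# --- 4. Append to the existing list (never replace it) and remind about the reboot
if ($Apply) {
    Set-ItemProperty -Path $regPath -Name ReservedPorts -Value ($current + $missing) -Type MultiString
    Write-Host 'ReservedPorts updated. Reboot the server for the reservation to take effect.'
} else {
    Write-Host 'Dry run only; re-run with -Apply to write the value.'
}
```

Run it once without `-Apply` to see the current state and any ports dns.exe is already sitting on, then with `-Apply` (adding `-ExtraRanges "n-n"` for any third-party static UDP port above 1024) and reboot. The coverage check in step 3 treats an existing wider entry such as `1812-1820` as already reserving `1812-1813`, so the value is not cluttered with overlapping ranges.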

If you have any other issue after installing 951746 and 951748 that is resolved by uninstalling these updates, try setting the ReservedPorts registry value and rebooting the server. Then reinstall the 951746 and 951748 updates.

Regardless of any other issues you might encounter with these updates (see below), once the updates are installed, you should have the ReservedPorts updated to prevent unexpected failures on server reboot.

Remember that the 951748 and 951746 updates may also cause a loss of Internet connectivity in conjunction with third-party firewall products. For more information on that issue see: http://blogs.technet.com/sbs/archive/2008/07/11/loss-of-internet-connectivity-after-installing-951748-and-951746.aspx

Furthermore, a third type of issue has been seen where the DNS Server service fails to start with the following error:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 7/15/2008
Time: 5:12:05 PM
User: N/A
Computer: Server
Description:
The DNS Server service terminated with the following error:
Not enough storage is available to complete this operation.

On the servers where we have seen this problem, we have found signs of incomplete installations of Windows Server 2003 Service Pack 2. Uninstall both updates (951748 and 951746) and verify that Service Pack 2 is properly installed (you will most likely need to re-install it; check the following link for best practices: <http://blogs.technet.com/sbs/archive/2007/06/30/new-best-practices-for-sp2-kb.aspx>).

  9 Replies to “SBS Services failing after MS08-037 – KB951746 and 951748”

  1. July 18, 2008 at 11:23 am

    Nick, are you finding this on SBS boxes with just ISA or both with/without ISA?

    Thank you Nick,
    Brian Williams

  2. July 20, 2008 at 9:05 am

    There are no ISA services listed here.
    So far, we have only anecdotal evidence of impact to ISA Servers.
    If you know of any, PLEASE send them to CSS and MSRC immediately.
    We’re trying to understand the scope of impact to any ISA installation.

  3. July 20, 2008 at 11:12 am

    Thanks for answering there Jim.

    I have very few ISA installations on our own client sites as I tend to install hardware firewall at the perimeter.

  4. naeem
    August 8, 2008 at 7:16 am

    The new DNS opens loads of ports on 0.0.0.0 .. local ports range 50000 plus on UDP 53 all listening .. 900 or so of them. Starts with 76 UDP ports listening without DNS on and then when you turn DNS on, 978 UDP ports are listening. This causes my tiny personal firewall to fire an error every 1 second with a dialog box “Unable to get statistics from driver- eror 234” (whatever that means). I mean I have to turn this DNS off and rely on my old NT DNS to serve all the office. This is seriously ridiculous.

  5. Greg
    August 13, 2008 at 5:36 pm

    We have just seen IPSEC conflict and go into blocking mode on our DC/Exchange server off the network. We are NOT an SBS site.

  6. October 25, 2008 at 9:43 pm

    Just ran across this IAS port/socket outage/conflict issue and appreciate that you documented this information. After adding the recommended reserved ports to the registry I have been able to start IAS and it stays running without error. This is an SBS 2003 Premium box with ISA 2004.

  7. Ben
    December 10, 2008 at 1:18 pm

    The only times I’ve had to add these ports is when ISA fails to remain started due to port conflicts.

  8. Janel
    January 16, 2009 at 8:34 am

    The Windows XP security update KB951748 was affecting my Internet Explorer from working. I used Add and Remove Programs to remove this update and when I restarted the computer everything was fine. My problem is, when I shut down the computer the update reinstalls and I have to go through the whole process again each time I get on the computer. It is very annoying. How do I prevent this update from reinstalling after I have removed it? I already turned the “Notify Me First” option on in my security rather than “Automatic” and it does not help.

  9. Lawremce
    September 2, 2009 at 9:04 pm

    This happened to us last year. Since then I have had the same problem happen on machines without these updates in the last 2 weeks. I think MS has rolled this into another update and the glitch is still there. Make sure you put the IPSec ports into the reserved ports, otherwise you will lose all network connectivity.
