Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports
- From: "Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx>
- Date: Mon, 14 Jul 2008 16:37:09 -0600
My SBS2003 has this MaxUserPort=65535 key as well. I haven't installed the
updates yet but thanks for the heads up.
I don't see this issue mentioned in the SBS blog. I wonder if this key is
standard in SBS setups? (I don't remember adding it...)
--
Allan Williams
<SteveM> wrote in message news:xn0fsogaokz4jc000@xxxxxxxxxxxxxxxxxxxxx
rkand@xxxxxxxxxxx wrote:
Since last Tuesday's update, I believe I'm having problems with the
DNS service listening on ports that other services require.
My SBS2003 (non-R2) server has rebooted three times since the update
(including the time to apply the patch). The first time, the IPSEC
service failed to start. I didn't find out what caused the problem -
I ran the CEICW and when that didn't fix it I rebooted the server and
all seemed fine. However yesterday I had to reboot to fix a stuck fax
service, and this time the IAS service failed to start.
Every time I tried to start the IAS service, the Event viewer showed
that event 7023 was logged in "system" by the service control manager -
"Only one usage of each socket address (protocol/network address/port)
is normally permitted." Checking further back, I noticed this is the
same eventid and error message given for the IPSEC service to fail
earlier.
Using sysinternals tcpview, I noticed that port 1812 was taken by
DNS.exe - so I stopped the dns service, started IAS, then started the
DNS service again, everything worked.
However, I'm worried about the next time the server needs to restart.
IPSEC in particular is a bad service to not have running. What should
I do to try and fix this? According to TCPView, DNS is currently
using over 2500 ports most with a remote of *.* and no state, is that
normal?
I also observed this behaviour on our SBS after the July DNS updates,
where IAS failed to start on the following reboot because of the same
port clash.
Looking at MS08-037 (http://support.microsoft.com/kb/953230), the DNS
server will now use ports from the range 49152 - 65535, *unless the
'MaxUserPort' registry value is set* (see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58791.mspx?mfr=true).
In that case, it will use ports in the range 1024 to the value of
MaxUserPort. I saw that our SBS had the registry value set to 65535 -
in which case DNS could use any ports at all over 1024, and cause the
problem we saw. I have now removed the MaxUserPort value and restarted
the DNS server service. Hopefully this will deal with the issue.
There is also a ReservedPorts registry value (see
http://support.microsoft.com/kb/812873/) that can be used to prevent
the DNS server (and others) using allocated ports, but after deleting
the MaxUserPort value there won't normally be a need for this, I
suggest.
All of this said, IMO the MS08-037 update should really have deleted
the MaxUserPort value automatically, avoiding all of this.
--
Steve.
MCP - Small Business.
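
Added example, not part of the original thread: a Python model of the behaviour Steve describes, showing which listener ports fall inside the DNS server's port range for a given MaxUserPort and ReservedPorts setting. The function names and the service list are constructed for illustration; the "low-high" string format for ReservedPorts entries is the one documented in KB812873.

```python
# Added example: models the port ranges described in the thread.
DEFAULT_POOL = (49152, 65535)  # used when MaxUserPort is absent (per the post)
LEGACY_LOW = 1024              # lower bound once MaxUserPort is set (per the post)

# Constructed sample: 1812 is the port from the thread; the others are
# well-known service ports picked for illustration.
SERVICES = {"RADIUS auth (IAS)": 1812, "RADIUS accounting": 1813,
            "IPsec NAT-T": 4500, "RDP": 3389}


def dns_pool_range(max_user_port=None):
    """Return (low, high) of the ports the DNS server may bind."""
    if max_user_port is None:
        return DEFAULT_POOL
    return (LEGACY_LOW, max_user_port)


def parse_reserved_ports(entries):
    """Parse ReservedPorts strings of the form "low-high" into int tuples."""
    ranges = []
    for entry in entries:
        low, sep, high = entry.strip().partition("-")
        if not sep:
            raise ValueError(f"expected low-high, got {entry!r}")
        low, high = int(low), int(high)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"invalid port range {entry!r}")
        ranges.append((low, high))
    return ranges


def exposed_ports(services, max_user_port=None, reserved_entries=()):
    """Service ports inside the DNS pool range and not covered by ReservedPorts."""
    low, high = dns_pool_range(max_user_port)
    reserved = parse_reserved_ports(reserved_entries)
    return {name: port for name, port in services.items()
            if low <= port <= high
            and not any(lo <= port <= hi for lo, hi in reserved)}


if __name__ == "__main__":
    cases = [("MaxUserPort=65535", 65535, []),
             ("MaxUserPort=65535 + ReservedPorts", 65535, ["1812-1813"]),
             ("MaxUserPort deleted", None, [])]
    for label, mup, reserved in cases:
        print(f"{label}: at risk -> {exposed_ports(SERVICES, mup, reserved)}")
```

On a real server the two inputs come from the MaxUserPort and ReservedPorts values under the Tcpip\Parameters service key.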