Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 833
  • Last Modified:

Windows 2008 Server BFE

I have recently set up 4 Hyper-V machines with 2008 Server 32 bit on each.  On V1 I have set it up to accept VPNs through RAS.  

On some frequencey (usually about once a day) the BFE service stops and sets itself to "Disabled".  RAS is dependent on BFE so then my users can't get connected.  I can reset the BFE service to "Auto" and start it, and it will work fine for 6 to 48 hours before it gets disabled again.

I don't see any errors in event log relating to BFE or RAS.  This box is also an AD server if that makes any difference.  I have turned on/off windows firewall because there have been discussions about how it is related to BFE, but that seems to have no effect.  I don't think I need BFE specifically, but I DO need RAS.

Any ideas out there?
0
jdcodding
Asked:
jdcodding
  • 4
  • 3
1 Solution
 
jdcoddingAuthor Commented:
Update.  About 10 minutes ago the service stop / disabled again.  I did receive an event 7040 that the service was changing state with no indication why.  There is nothing (that I know of) that the server was doing at the time and there are no other events that indicate why this is happening.  

As stated before, the sevice and be re "Autoed" and started without a problem and I suspect it will be fine for a number of hours now.
0
 
arnoldCommented:
Prior to configuring the services, did you disable UAC?  OR when configuring specify to run as Administrator.
It may run it for a while until the security policy kicks in and reverts the setup.
0
 
jdcoddingAuthor Commented:
I haven't done anything (that I know of) in the UAC area.  This entire install is a migration from a 2000 AD server (that was origianlly an NT4 PDC) to thw 2008 Hyper-V.  Since this was my first look at Hyper-V, there was a number of configuration setting that were made before I made the jump to having this be my sole AD Domain server.  

The BFE service disabled itself again at 4:03AM this morning.  The next earliest log of any kind is at 3:18am when the box finished it daily update check.

I just turned off UAC to see if that make a difference

The BFE's logon account is NOT "Local System Account" and is forced to "This Account"  'Local Service'.  Should it be a "Local System Account"?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
arnoldCommented:
While the UAC is turned off, reconfigure the service enabling it.  Then you can reactivate the UAC and it should be fine from that point on.
It sounds as though the daily check was reverting "unapproved" changes.
0
 
jdcoddingAuthor Commented:
Arnold,  Thank you.  I have reactivated UAC and I'll let you know.  I was not aware that could "undo" previous settings.
0
 
arnoldCommented:
Not sure what you mean.  I think UAC maintains a "snapshot" of the system.  And enforces that snapshot on some kind of schedule.  I.e. through some means you enabled the service, but the "snapshot" UAC references was not.  UAC maintains the system state based on the "snapshot".
0
 
jdcoddingAuthor Commented:
The service stopped again last night at 8:00 pm.  I did find another related event in the "Applications" portion of event viewer.  Event 1704 "Security policy in the Group policy objects has been applied successfully" processed immediately before BFE went to a Disabled state.  I went to GPM and there are two GPOs  "Default Domain Controllers Policy" and "Default Domain Policy".  Under my domain there is only a single link to Default Domain Policy.

It would seem that GP is my culprit. I Edited the Default Domain Controllers Policy and found
Computer Configuration / Policies / Windows Settings / Security Settings / System Services / Base Filtering Engime was Defined and set to "Disable".   I set that to "Not Defilned"
I guess we wait and see again.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now