We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

Windows 2008 Server BFE

Medium Priority
913 Views
Last Modified: 2012-05-06
I have recently set up 4 Hyper-V machines with 2008 Server 32 bit on each.  On V1 I have set it up to accept VPNs through RAS.  

On some frequencey (usually about once a day) the BFE service stops and sets itself to "Disabled".  RAS is dependent on BFE so then my users can't get connected.  I can reset the BFE service to "Auto" and start it, and it will work fine for 6 to 48 hours before it gets disabled again.

I don't see any errors in event log relating to BFE or RAS.  This box is also an AD server if that makes any difference.  I have turned on/off windows firewall because there have been discussions about how it is related to BFE, but that seems to have no effect.  I don't think I need BFE specifically, but I DO need RAS.

Any ideas out there?
Comment
Watch Question

Author

Commented:
Update.  About 10 minutes ago the service stop / disabled again.  I did receive an event 7040 that the service was changing state with no indication why.  There is nothing (that I know of) that the server was doing at the time and there are no other events that indicate why this is happening.  

As stated before, the sevice and be re "Autoed" and started without a problem and I suspect it will be fine for a number of hours now.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Prior to configuring the services, did you disable UAC?  OR when configuring specify to run as Administrator.
It may run it for a while until the security policy kicks in and reverts the setup.

Author

Commented:
I haven't done anything (that I know of) in the UAC area.  This entire install is a migration from a 2000 AD server (that was origianlly an NT4 PDC) to thw 2008 Hyper-V.  Since this was my first look at Hyper-V, there was a number of configuration setting that were made before I made the jump to having this be my sole AD Domain server.  

The BFE service disabled itself again at 4:03AM this morning.  The next earliest log of any kind is at 3:18am when the box finished it daily update check.

I just turned off UAC to see if that make a difference

The BFE's logon account is NOT "Local System Account" and is forced to "This Account"  'Local Service'.  Should it be a "Local System Account"?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
While the UAC is turned off, reconfigure the service enabling it.  Then you can reactivate the UAC and it should be fine from that point on.
It sounds as though the daily check was reverting "unapproved" changes.

Author

Commented:
Arnold,  Thank you.  I have reactivated UAC and I'll let you know.  I was not aware that could "undo" previous settings.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not sure what you mean.  I think UAC maintains a "snapshot" of the system.  And enforces that snapshot on some kind of schedule.  I.e. through some means you enabled the service, but the "snapshot" UAC references was not.  UAC maintains the system state based on the "snapshot".
The service stopped again last night at 8:00 pm.  I did find another related event in the "Applications" portion of event viewer.  Event 1704 "Security policy in the Group policy objects has been applied successfully" processed immediately before BFE went to a Disabled state.  I went to GPM and there are two GPOs  "Default Domain Controllers Policy" and "Default Domain Policy".  Under my domain there is only a single link to Default Domain Policy.

It would seem that GP is my culprit. I Edited the Default Domain Controllers Policy and found
Computer Configuration / Policies / Windows Settings / Security Settings / System Services / Base Filtering Engime was Defined and set to "Disable".   I set that to "Not Defilned"
I guess we wait and see again.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.