Server 2008 R2 upgrade from Server 2003 won't accept connections

I upgraded a Server 2003 64bit box to Server 2008 R2 standard.  The server is part of a domain and is not the domain controller.  The network works-- I can login at the console and see the internet.  However, XP workstations and other Server 2008 boxes can't access shares on the new server.  MS SQL 2008 (SP2) running on the server is up (works fine from console), but it too is rejecting all external windows authenticated connections.  Pings to the box are also lost.

It looks like the new box came up with a very tight firewall running, but as far as I can see, firewall is disabled.

Further background-- the domain controller is a Server 2003 box (tree has been maximally upgraded) and it has no problems with other 2008 R2 boxes.  
dakota5 Asked:
 
Darius Ghassem Commented:
Disable the firewall for testing by running the command in this link.

http://blogs.techrepublic.com.com/datacenter/?p=480
0
 
DeltaR7 Commented:
Have you checked & disabled the firewall for all 3 zones?
0
 
woolnoir Commented:
Check which policies are being applied. Remember, the DCs will have the domain controller GPO applied; the server you have installed will have the default domain policy. Check, as DeltaR7 suggests, that there are no firewalls enabled - that would have been my first guess too - and check the event logs for any security errors suggesting why connections are being stopped.
0
 
Froggy_chris Commented:
As DeltaR7 mentioned, this is due to the Windows Firewall with Advanced Security.

The firewall is on by default, set to allow outgoing traffic while blocking incoming traffic that is not explicitly allowed.

ICMP, like SQL, is not a protocol "explicitly allowed" by default; you must create (or enable) the needed rules. I would not advise disabling the firewall for any reason other than testing (e.g., if you disable it and it's working, then you know that the firewall is guilty. Create the rule you need).

The config step would be to configure the firewall to log its activity, allowing you to monitor.

The shares not being accessible will be solved by setting up the File Server role (this will set the firewall for you).
0
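The rules and logging described in this answer, written out as `netsh advfirewall` commands for an elevated PowerShell prompt (an added example, not part of the original answer). The rule names, the 4096 KB log size and TCP port 1433 (the default SQL Server instance port) are assumptions; the log path is the Windows default.

```powershell
# Added example. Arguments containing commas or spaces are quoted as a whole
# so PowerShell hands them to netsh as a single argument.

# 1. Show which profiles exist and whether the firewall is on for each.
netsh advfirewall show allprofiles state

# 2. Log dropped packets, so a blocked connection shows up as evidence
#    instead of being guessed at.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096

# 3. Allow inbound ICMPv4 echo requests (ping). Type 8 = echo request.
netsh advfirewall firewall add rule name="Example-Allow-ICMPv4-Echo" `
    'protocol=icmpv4:8,any' dir=in action=allow

# 4. Allow inbound SQL Server on the domain profile only.
#    Assumption: default instance listening on TCP 1433.
netsh advfirewall firewall add rule name="Example-Allow-SQL-1433" `
    dir=in action=allow protocol=TCP localport=1433 profile=domain

# 5. Enable the built-in rule group for SMB shares rather than opening
#    ports by hand.
netsh advfirewall firewall set rule 'group=File and Printer Sharing' new enable=Yes

# 6. After a failed connection attempt from a client, read the newest
#    DROP entries from the default log file.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Select-String -Path $log -Pattern ' DROP ' | Select-Object -Last 20
```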
 
dakota5 (Author) Commented:
I think these answers are correct, but the Windows Firewall service won't load.
error 1608  dependency service or group failed to start.
This prevents me from making changes.  But it does seem like the firewall is blocking inbound traffic.


There are two dependencies for this service:
Base Filtering Engine

Windows Firewall Authentication Driver

These dependencies are not services-- I don't know how to debug them.
Ideas?

There was no issue with the Windows Firewall when the OS was 2003 prior to upgrade.
0
 
Froggy_chris Commented:
Check the event log under the Microsoft folders (I believe you'll find a Firewall folder somewhere).
0
 
dakota5 (Author) Commented:
Yes.  Logs | windows logs | system

Windows Firewall failed to load because the
Base Filtering Engine Service failed to load with an
access is denied

The Base Filtering Engine Service has a dependency on the Remote Procedure Call (but RPC is running)

Thanks for the lead, but this is still beyond my skill set.  Any ideas about how to get Base Filtering Engine Service to load?



0
 
Darius Ghassem Commented:
Go to the properties, add the Local Service username to the service, leave the password blank, then try to start.
0
 
Darius Ghassem Commented:
Remove any AV you have installed as well. You should have removed any AV before the upgrade.
0
 
dakota5 (Author) Commented:
Local Service username is already there.  Looks like this is a known issue.
Extremely complex.

ID:26191452

Relates to Base Filtering Engine not starting because of GPO permissions on IPsec Policies Agent service

0
 
dakota5 (Author) Commented:
Quite Complex.  Microsoft has been working on this for days.  Base filtering engine won't start because of permission issues.  This forces the Firewall to enter a locked-down mode, rejecting all incoming traffic.

A temporary work-around is to disable the  Windows Firewall.  This prevents it from partially starting and going into a lock-down mode. (Might also need to disable  IPSec Policy Agent, and the Base Filtering agent.)

Technet blog describes fixing the Discretionary Access Control List (DACL).  Base Filtering agent fails because it does not have DACL controlled access to query the configuration of one or more services that are running.  This, in turn, prevents the firewall from starting correctly.  

See  http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
0
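To inspect the service DACLs this last comment refers to, the script below decodes `sc.exe sdshow` output and reports, per ACE, whether the trustee is granted the right to query the service configuration (an added example, not taken from the thread or the TechNet post). `BFE`, `PolicyAgent` and `MpsSvc` are the short names of the three services named in the thread and the two sample SDDL strings are constructed; the page does not say which trustee is missing access, so the script only reports what is granted, for comparison with a working 2008 R2 server.

```powershell
# Added example: decode "sc.exe sdshow" output and show, per ACE, whether
# the trustee is granted SERVICE_QUERY_CONFIG on the service.
$rightNames = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'
    SW = 'ENUMERATE_DEPENDENTS'; RP = 'START'; WP = 'STOP'
    DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
}

function Get-ServiceDaclEntry([string]$Name, [string]$Sddl) {
    # Match allow (A) and deny (D) ACEs only; audit ACEs (AU) are skipped.
    $acePattern = '\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)'
    foreach ($m in [regex]::Matches($Sddl, $acePattern)) {
        $rights = $m.Groups[2].Value
        if ($rights -match '^0x') {
            # Hex mask form: SERVICE_QUERY_CONFIG is bit 0x0001.
            $canQuery = ([Convert]::ToInt32($rights, 16) -band 1) -ne 0
            $decoded  = $rights
        } else {
            # String form: rights are concatenated two-letter codes.
            $codes    = @([regex]::Matches($rights, '..') | ForEach-Object { $_.Value })
            $canQuery = @($codes | Where-Object { 'CC','GA','GR' -contains $_ }).Count -gt 0
            $decoded  = ($codes | ForEach-Object {
                if ($rightNames.ContainsKey($_)) { $rightNames[$_] } else { $_ } }) -join ','
        }
        New-Object PSObject -Property @{
            Service = $Name; Type = $m.Groups[1].Value; Trustee = $m.Groups[3].Value
            QueryConfig = $canQuery; Rights = $decoded }
    }
}

# Constructed samples: a DACL in the shape of a common default, and a
# tightened one where SYSTEM (SY) has lost QUERY_CONFIG.
$samples = @{
    'sample-default'    = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    'sample-restricted' = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;SY)'
}
$rows = foreach ($k in $samples.Keys) { Get-ServiceDaclEntry -Name $k -Sddl $samples[$k] }

# Live data from this machine (elevated prompt); errors yield no rows.
foreach ($svc in 'BFE', 'PolicyAgent', 'MpsSvc') {
    $sddl = (sc.exe sdshow $svc | Where-Object { $_ -match '\(' }) -join ''
    if ($sddl) { $rows += @(Get-ServiceDaclEntry -Name $svc -Sddl $sddl) }
}
$rows | Sort-Object Service | Format-Table Service, Type, Trustee, QueryConfig, Rights -AutoSize
```

Running the same script on one of the healthy 2008 R2 servers gives a baseline to diff against.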
Question has a verified solution.