Solved

Server 2008 R2 upgrade from Server 2003 won't accept connections

Posted on 2010-09-14
Last Modified: 2012-05-10
I upgraded a Server 2003 64-bit box to Server 2008 R2 Standard. The server is part of a domain and is not the domain controller. The network works: I can log in at the console and see the internet. However, XP workstations and other Server 2008 boxes can't access shares on the new server. MS SQL 2008 (SP2) running on the server is up (works fine from console), but it too is rejecting all external Windows-authenticated connections. Pings to the box are also lost.

It looks like the new box came up with a very tight firewall running, but as far as I can see, firewall is disabled.

Further background-- the domain controller is a Server 2003 box (tree has been maximally upgraded) and it has no problems with other 2008 R2 boxes.  
Question by:dakota5
11 Comments
 
LVL 3

Expert Comment

by:DeltaR7
ID: 33671750
Have you checked & disabled the firewall for all 3 zones?
0
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 125 total points
ID: 33671837
Check which policies are being applied; remember the DCs will have the domain controller GPO applied, and the server you have installed will have the default domain policy. Check, as DeltaR7 suggests, that there are no firewalls enabled (that would have been my first guess too), and check the event logs for any security errors suggesting why connections are being stopped.
0
 
LVL 6

Assisted Solution

by:Froggy_chris
Froggy_chris earned 125 total points
ID: 33672121
As DeltaR7 mentioned, this is due to the Windows Firewall with Advanced Security.

The firewall is on by default, set to allow outgoing traffic while blocking incoming traffic that is not explicitly allowed.

ICMP and SQL are not protocols "explicitly allowed" by default; you must create (or enable) the needed rules. I would not advise disabling the firewall for any reason other than testing (e.g. if you disable it and it's working, then you know that the firewall is guilty. Create the rule you need).

The config step would be to configure the firewall to log its activity, allowing you to monitor.

The shares not being accessible will be solved by setting up the File Server role (this will set the firewall for you).
0
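The approach in the answer above (scoped allow rules plus drop logging instead of a disabled firewall), as an added example that is not part of the original thread. It assumes a default SQL Server instance on TCP 1433 and uses a constructed client subnet and hypothetical rule names; it only works once the Windows Firewall service itself is running.

```powershell
# Run from an elevated PowerShell prompt on the 2008 R2 server.
# Constructed value: replace with the subnet your clients actually use.
$clients = '192.0.2.0/24'

# Log dropped packets on every profile so blocked connections become visible
# in the firewall log (default: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# Inbound ping (ICMPv4 echo request, type 8), limited to the client subnet.
# The protocol argument is quoted because PowerShell would split on the comma.
netsh advfirewall firewall add rule name="Allow-ICMPv4-Echo-Clients" `
    dir=in action=allow "protocol=icmpv4:8,any" "remoteip=$clients"

# Inbound SQL Server. Assumption: default instance listening on TCP 1433;
# a named instance on a dynamic port needs its own port (or program) rule.
netsh advfirewall firewall add rule name="Allow-SQL-1433-Clients" `
    dir=in action=allow protocol=TCP localport=1433 "remoteip=$clients"

# File shares: enable the built-in rule group rather than opening 445 by hand.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

# Confirm what was created and that the profiles are still on.
netsh advfirewall firewall show rule name="Allow-SQL-1433-Clients"
netsh advfirewall show allprofiles state
```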
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 250 total points
ID: 33672540
Disable the firewall for testing by running the command in this link.

http://blogs.techrepublic.com.com/datacenter/?p=480
0
 

Author Comment

by:dakota5
ID: 33672661
I think these answers are correct, but the Windows Firewall service won't load.
error 1608  dependency service or group failed to start.
This prevents me from making changes.  But it does seem like the firewall is blocking inbound traffic.


There are two dependencies for this service:
Base Filtering Engine

Windows Firewall Authentication Driver

These dependencies are not services-- I don't know how to debug them.
Ideas?

There was no issue with the Windows Firewall when the OS was 2003 prior to upgrade.
0
LVL 6

Expert Comment

by:Froggy_chris
ID: 33672690
Check the event log under Microsoft folders (I believe you'll find a Firewall folder somewhere).
0
 

Author Comment

by:dakota5
ID: 33672821
Yes.  Logs | windows logs | system

Windows Firewall failed to load because the
Base Filtering Engine Service failed to load with an
access is denied

The Base Filtering Engine Service has a dependency on the Remote Procedure Call (but RPC is running)

Thanks for the lead, but this is still beyond my skill set.  Any ideas about how to get Base Filtering Engine Service to load?



0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672869
Go to the properties, add the Local Service username to the service, leave the password blank, then try to start.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672901
Remove any AV you have installed as well. You should have removed any AV before the upgrade.
0
 

Author Comment

by:dakota5
ID: 33673533
Local Service username is already there.  Looks like this is a known issue.
Extremely complex.

ID:26191452

Relates to Base Filtering Engine not starting because of GPO permissions on IPsec Policies Agent service

0
 

Author Comment

by:dakota5
ID: 33721939
Quite Complex.  Microsoft has been working on this for days.  Base filtering engine won't start because of permission issues.  This forces the Firewall to enter a locked-down mode, rejecting all incoming traffic.

A temporary work-around is to disable the  Windows Firewall.  This prevents it from partially starting and going into a lock-down mode. (Might also need to disable  IPSec Policy Agent, and the Base Filtering agent.)

Technet blog describes fixing the Discretionary Access Control List (DACL).  Base Filtering agent fails because it does not have DACL controlled access to query the configuration of one or more services that are running.  This, in turn, prevents the firewall from starting correctly.  

See  http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
0
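A read-only diagnostic pass over the service chain discussed in this thread, as an added example that is not part of the original posts. It uses the standard service short names (BFE for Base Filtering Engine, MpsSvc for Windows Firewall, PolicyAgent for IPsec Policy Agent, mpsdrv for the firewall driver) and changes nothing on the server.

```powershell
# Run from an elevated PowerShell prompt on the affected server.
$services = 'BFE', 'MpsSvc', 'PolicyAgent'

foreach ($name in $services) {
    $svc  = Get-Service -Name $name
    $deps = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '

    # State of each service and what it needs before it can start.
    "{0,-12} {1,-8} depends on: {2}" -f $svc.Name, $svc.Status, $deps

    # Security descriptor (SDDL) of the service object. This is the DACL the
    # thread refers to; save the output so it can be compared with the same
    # command run on a cleanly installed 2008 R2 server.
    sc.exe sdshow $name
}

# The firewall driver is a kernel driver, so query it through sc.exe.
sc.exe query mpsdrv

# Recent Service Control Manager errors that name these services, including
# the "access is denied" start failure quoted above.
Get-EventLog -LogName System -Source 'Service Control Manager' -EntryType Error -Newest 50 |
    Where-Object { $_.Message -match 'Base Filtering Engine|Windows Firewall|IPsec' } |
    Format-List TimeGenerated, EventID, Message

# Profile state as the firewall reports it; this call fails with an error
# while MpsSvc is not running, which is itself a useful data point.
netsh advfirewall show allprofiles state
```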
