Solved

Server 2008 R2 upgrade from Server 2003 won't accept connections

Posted on 2010-09-14
Last Modified: 2012-05-10
I upgraded a Server 2003 64-bit box to Server 2008 R2 Standard. The server is part of a domain and is not the domain controller. The network works: I can log in at the console and see the internet. However, XP workstations and other Server 2008 boxes can't access shares on the new server. MS SQL 2008 (SP2) running on the server is up (works fine from the console), but it too is rejecting all external Windows-authenticated connections. Pings to the box are also lost.

It looks like the new box came up with a very tight firewall running, but as far as I can see, firewall is disabled.

Further background-- the domain controller is a Server 2003 box (tree has been maximally upgraded) and it has no problems with other 2008 R2 boxes.  
Question by:dakota5
11 Comments
 
LVL 3

Expert Comment

by:DeltaR7
ID: 33671750
Have you checked & disabled the firewall for all 3 zones?
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 125 total points
ID: 33671837
Check which policies are being applied; remember the DCs will have the domain controller GPO applied, and the server you have installed will have the default domain policy. Check, as DeltaR7 suggests, that there are no firewalls enabled (that would have been my first guess too), and check the event logs for any security errors suggesting why connections are being stopped.
 
LVL 6

Assisted Solution

by:Froggy_chris
Froggy_chris earned 125 total points
ID: 33672121
As DeltaR7 mentioned, this is due to the Windows Firewall with Advanced Security.

The firewall is on by default, set to allow outgoing traffic while blocking incoming traffic that is not explicitly allowed.

ICMP, like SQL, is not a protocol "explicitly allowed" by default; you must create (or enable) the needed rules. I would not advise disabling the firewall for any reason other than testing (e.g., if you disable it and it works, then you know that the firewall is guilty; create the rule you need).

The config step would be to configure the firewall to log its activity, allowing you to monitor.

The shares not being accessible will be solved by setting up the File Server role (this will set the firewall for you).
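The rule-and-logging setup described in the comment above, as an added example that is not part of the original post. It drives `netsh advfirewall` from an elevated PowerShell session and only works once the Windows Firewall service is running; the rule names, the log path variable and TCP 1433 (the default SQL Server instance port) are assumptions.

```powershell
# Added example: scoped inbound rules plus drop logging instead of
# leaving the firewall disabled. Run elevated on the 2008 R2 server.

# 1. Show each profile (domain, private, public): state and default actions.
netsh advfirewall show allprofiles

# 2. Log dropped packets so blocked connections become visible.
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
netsh advfirewall set allprofiles logging filename $log
netsh advfirewall set allprofiles logging droppedconnections enable

# 3. Allow only what the clients need, and only on the domain profile.
#    The ICMP argument is quoted because PowerShell would otherwise
#    split it at the comma.
netsh advfirewall firewall add rule name=Allow-ICMPv4-Echo-In dir=in action=allow 'protocol=icmpv4:8,any' profile=domain
netsh advfirewall firewall add rule name=Allow-SQL-1433-In dir=in action=allow protocol=TCP localport=1433 profile=domain

# 4. Confirm the rules exist and are enabled.
netsh advfirewall firewall show rule name=Allow-ICMPv4-Echo-In
netsh advfirewall firewall show rule name=Allow-SQL-1433-In

# 5. After a client retries, list the most recent drops.
#    Log line layout: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content $log |
    Where-Object { $_ -match '^\S+ \S+ DROP ' } |
    Select-Object -Last 20
```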
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 250 total points
ID: 33672540
Disable the firewall for testing by running the command in this link.

http://blogs.techrepublic.com.com/datacenter/?p=480
 

Author Comment

by:dakota5
ID: 33672661
I think these answers are correct, but the Windows Firewall service won't load.
error 1608  dependency service or group failed to start.
This prevents me from making changes.  But it does seem like the firewall is blocking inbound traffic.


There are two dependencies for this service:
Base Filtering Engine

Windows Firewall Authentication Driver

These dependencies are not services-- I don't know how to debug them.
Ideas?

There was no issue with the Windows Firewall when the OS was 2003 prior to upgrade.

 
LVL 6

Expert Comment

by:Froggy_chris
ID: 33672690
Check the event log under the Microsoft folders (I believe you'll find a Firewall folder somewhere).
 

Author Comment

by:dakota5
ID: 33672821
Yes.  Logs | windows logs | system

Windows Firewall failed to load because the
Base Filtering Engine Service failed to load with an
access is denied

The Base Filtering Engine Service has a dependency on the Remote Procedure Call service (but RPC is running).

Thanks for the lead, but this is still beyond my skill set.  Any ideas about how to get Base Filtering Engine Service to load?



 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672869
Go to the properties, add the Local Service username to the service, leave the password blank, then try to start it.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672901
Remove any AV you have installed as well. You should have removed any AV before the upgrade.
 

Author Comment

by:dakota5
ID: 33673533
Local Service username is already there.  Looks like this is a known issue.
Extremely complex.

ID:26191452

Relates to Base Filtering Engine not starting because of GPO permissions on IPsec Policies Agent service

 

Author Comment

by:dakota5
ID: 33721939
Quite complex. Microsoft has been working on this for days. Base Filtering Engine won't start because of permission issues. This forces the firewall to enter a locked-down mode, rejecting all incoming traffic.

A temporary workaround is to disable the Windows Firewall. This prevents it from partially starting and going into a lock-down mode. (Might also need to disable IPSec Policy Agent and the Base Filtering agent.)

A TechNet blog describes fixing the Discretionary Access Control List (DACL). Base Filtering agent fails because it does not have DACL-controlled access to query the configuration of one or more services that are running. This, in turn, prevents the firewall from starting correctly.

See  http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
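A read-only way to look for the DACL condition described in the comment above, as an added example that is not from the thread or the linked TechNet post. It lists services whose DACL gives no explicit query-config right to the identities a LocalService process normally carries; the trustee list and the short service names (BFE, MpsSvc, PolicyAgent for Base Filtering Engine, Windows Firewall and IPsec Policy Agent) are not stated on the page and are assumptions here.

```powershell
# Added example, read-only: it only calls "sc.exe sdshow". Run elevated.
# Heuristic: it reads two-letter SDDL rights only (CC = SERVICE_QUERY_CONFIG
# on a service object), so ACEs using GR or a hex mask need a manual look.

# Assumption: SIDs normally present in a LocalService token
# (Everyone, Authenticated Users, SERVICE, Local Service, Users).
$Trustees = 'WD', 'AU', 'SU', 'LS', 'BU'

function Get-ServiceDaclAces([string]$Sddl) {
    # Take the ACE list after "D:"; it ends before an optional "S:" SACL.
    if ($Sddl -notmatch 'D:[^\(]*((\([^\)]*\))+)') { return }
    foreach ($m in [regex]::Matches($Matches[1], '\(([^\)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        New-Object PSObject -Property @{
            Type    = $f[0]
            Rights  = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
            Trustee = $f[5]
        }
    }
}

function Test-QueryConfigAccess([string]$ServiceName) {
    # sc.exe prints the SDDL on one line; an error message has no DACL.
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match 'D:' }) -join ''
    $hits = @(Get-ServiceDaclAces $sddl | Where-Object {
        $_.Rights -contains 'CC' -and $Trustees -contains $_.Trustee })
    New-Object PSObject -Property @{
        Service = $ServiceName
        Allowed = (@($hits | Where-Object { $_.Type -eq 'A' }).Count -gt 0)
        Denied  = (@($hits | Where-Object { $_.Type -eq 'D' }).Count -gt 0)
        Sddl    = $sddl
    }
}

# The three services named in the thread, with their full SDDL.
'BFE', 'MpsSvc', 'PolicyAgent' | ForEach-Object { Test-QueryConfigAccess $_ } |
    Format-List Service, Allowed, Denied, Sddl

# Every service where those trustees have no allow ACE, or hit a deny ACE.
Get-Service | ForEach-Object { Test-QueryConfigAccess $_.Name } |
    Where-Object { -not $_.Allowed -or $_.Denied } |
    Format-Table Service, Allowed, Denied -AutoSize
```

A service flagged here is only a candidate; compare its SDDL with the same service on a cleanly installed 2008 R2 machine before changing anything.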