Solved

Server 2008 R2 upgrade from Server 2003 won't accept connections

Posted on 2010-09-14
Last Modified: 2012-05-10
I upgraded a Server 2003 64-bit box to Server 2008 R2 Standard. The server is part of a domain and is not the domain controller. The network works: I can log in at the console and see the internet. However, XP workstations and other Server 2008 boxes can't access shares on the new server. MS SQL 2008 (SP2) running on the server is up (works fine from console), but it too is rejecting all external Windows-authenticated connections. Pings to the box are also lost.

It looks like the new box came up with a very tight firewall running, but as far as I can see, firewall is disabled.

Further background-- the domain controller is a Server 2003 box (tree has been maximally upgraded) and it has no problems with other 2008 R2 boxes.  
Question by:dakota5
11 Comments
 
LVL 3

Expert Comment

by:DeltaR7
ID: 33671750
Have you checked & disabled the firewall for all 3 zones?
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 125 total points
ID: 33671837
Check which policies are being applied; remember the DCs will have the domain controller GPO applied, and the server you have installed will have the default domain policy. Check, as DeltaR7 suggests, that there are no firewalls enabled (that would have been my first guess too), and check the event logs for any security errors suggesting why connections are being stopped.
 
LVL 6

Assisted Solution

by:Froggy_chris
Froggy_chris earned 125 total points
ID: 33672121
As DeltaR7 mentioned, this is due to the Windows Firewall with Advanced Security.

The firewall is on by default and set to allow outgoing traffic while blocking incoming traffic that is not explicitly allowed.

ICMP and SQL are not protocols "explicitly allowed" by default; you must create (or enable) the needed rules. I would not advise disabling the firewall for any reason other than testing (e.g., if you disable it and everything works, then you know that the firewall is guilty; create the rule you need).

The config step would be to configure the firewall to log its activity, allowing you to monitor.

The shares not being accessible will be solved by setting up the File Server role (this will set the firewall for you).
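
The rule-and-logging approach described in the answer above, as an added example that is not part of the original post. It assumes a working Windows Firewall service, an elevated prompt, a SQL Server default instance on TCP 1433 and the default firewall log path; the rule names and the domain-profile scope are illustrative choices.

```powershell
# Added example. Run from an elevated PowerShell prompt on the server.
# Rule names, the domain-only scope and TCP 1433 are assumptions.

function Add-InboundRuleIfMissing {
    param([string]$Name, [string[]]$Match)
    # "show rule" exits non-zero when no rule with this name exists.
    & netsh advfirewall firewall show rule "name=$Name" | Out-Null
    if ($LASTEXITCODE -eq 0) { return "exists:  $Name" }

    & netsh advfirewall firewall add rule "name=$Name" dir=in action=allow `
        profile=domain $Match | Out-Null
    if ($LASTEXITCODE -eq 0) { "created: $Name" } else { "FAILED:  $Name" }
}

# Inbound ping (ICMPv4 echo request, type 8).
Add-InboundRuleIfMissing 'Allow-ICMPv4-Echo-In' @('protocol=icmpv4:8,any')

# SQL Server default instance. Adjust the port for a named instance.
Add-InboundRuleIfMissing 'Allow-SQL-1433-In' @('protocol=TCP', 'localport=1433')

# Log dropped packets so blocked connections become visible.
& netsh advfirewall set domainprofile logging droppedconnections enable | Out-Null

# After a failed connection attempt, list the most recent drops
# (default log location; a GPO may have moved it).
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path $log) {
    Get-Content $log | Where-Object { $_ -match '\sDROP\s' } |
        Select-Object -Last 20
}
```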
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 250 total points
ID: 33672540
Disable the firewall for testing by running the command in this link.

http://blogs.techrepublic.com.com/datacenter/?p=480
 

Author Comment

by:dakota5
ID: 33672661
I think these answers are correct, but the Windows Firewall service won't load.
error 1608  dependency service or group failed to start.
This prevents me from making changes.  But it does seem like the firewall is blocking inbound traffic.


There are two dependencies for this service:
Base Filtering Engine

Windows Firewall Authentication Driver

These dependencies are not services-- I don't know how to debug them.
Ideas?

There was no issue with the Windows Firewall when the OS was 2003 prior to upgrade.
 
LVL 6

Expert Comment

by:Froggy_chris
ID: 33672690
Check the event log under the Microsoft folders (I believe you'll find a Firewall folder somewhere).
 

Author Comment

by:dakota5
ID: 33672821
Yes.  Logs | windows logs | system

Windows Firewall failed to load because the
Base Filtering Engine Service failed to load with an
access is denied

The Base Filtering Engine Service has a dependency on the Remote Procedure Call service (but RPC is running).

Thanks for the lead, but this is still beyond my skill set.  Any ideas about how to get Base Filtering Engine Service to load?



 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672869
Go to the properties, add the Local Service username to the service, leave the password blank, then try to start.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33672901
Remove any AV you have installed as well. You should have removed any AV before the upgrade.
 

Author Comment

by:dakota5
ID: 33673533
Local Service username is already there.  Looks like this is a known issue.
Extremely complex.

ID:26191452

Relates to Base Filtering Engine not starting because of GPO permissions on IPsec Policies Agent service

 

Author Comment

by:dakota5
ID: 33721939
Quite Complex.  Microsoft has been working on this for days.  Base filtering engine won't start because of permission issues.  This forces the Firewall to enter a locked-down mode, rejecting all incoming traffic.

A temporary work-around is to disable the Windows Firewall. This prevents it from partially starting and going into a lock-down mode. (Might also need to disable IPSec Policy Agent, and the Base Filtering agent.)

Technet blog describes fixing the Discretionary Access Control List (DACL). Base Filtering agent fails because it does not have DACL-controlled access to query the configuration of one or more services that are running. This, in turn, prevents the firewall from starting correctly.

See  http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
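
A read-only way to inspect the service DACLs discussed in this thread, as an added example that is not part of the original posts or the linked TechNet article. It assumes an elevated prompt and the service short names MpsSvc (Windows Firewall), BFE (Base Filtering Engine) and PolicyAgent (IPsec Policy Agent); the page does not say which trustees must be present, so compare the output with a cleanly installed 2008 R2 server.

```powershell
# Added example: read-only audit, changes nothing. Run elevated.
# SERVICE_QUERY_CONFIG is access-mask bit 0x0001 in a service DACL.
$SERVICE_QUERY_CONFIG = 0x0001

function Get-ServiceQueryConfigTrustees {
    param([string]$ServiceName)
    # sc.exe sdshow prints the service security descriptor as one SDDL line.
    $sddl = & sc.exe sdshow $ServiceName |
        Where-Object { $_ -cmatch '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) { return '<could not read DACL>' }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band $SERVICE_QUERY_CONFIG) -eq 0) { continue }
        try {
            $ace.SecurityIdentifier.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $ace.SecurityIdentifier.Value   # unresolved SID: show it raw
        }
    }
}

# State and dependencies of the three services named in the thread.
foreach ($name in 'MpsSvc', 'BFE', 'PolicyAgent') {
    $svc = Get-Service -Name $name
    $deps = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
    "{0,-12} status={1,-8} depends on: {2}" -f $name, $svc.Status, $deps
}

# For every running service, list who is allowed to query its configuration.
Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object {
    $trustees = @(Get-ServiceQueryConfigTrustees $_.Name)
    New-Object PSObject -Property @{
        Service               = $_.Name
        QueryConfigAllowedFor = ($trustees -join '; ')
    }
} | Sort-Object Service |
    Format-Table Service, QueryConfigAllowedFor -AutoSize -Wrap
```

Services whose trustee list differs from the reference server are the ones to review against the Group Policy that set their permissions.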

Question has a verified solution.
