Solved

Base Filtering Engine (and Firewall) fails after upgrade to Server 2008 from 2003

Posted on 2010-09-14
Last Modified: 2012-05-10
After an upgrade of Server 2003 to Server 2008 R2, the server cannot accept connections (but can connect outbound to other servers and the internet) because the Firewall is blocking inbound connections.

I've traced this down to the Base Filtering Engine failing due to "access denied".

There is a thread here in EE (ID:26191452) about permissions to start the BFE service being inadequate after an upgrade from 2003 to 2008. Quite complex, but I've made the registry changes that were recommended.
BFE and Windows Firewall still won't start.

Any super experts who know how to debug this?

Question by:dakota5
Accepted Solution

by:
dakota5 earned 0 total points
ID: 33721963
Quite complex. Microsoft has been working on this for days. Base filtering engine won't start because of permission issues. This forces the Firewall to enter a locked-down mode, rejecting all incoming traffic.

A temporary work-around is to disable the Windows Firewall. This prevents it from partially starting and going into a lock-down mode. (Might also need to disable IPSec Policy Agent, and the Base Filtering agent.)

A TechNet blog describes fixing the Discretionary Access Control List (DACL). Base Filtering agent fails because it does not have DACL-controlled access to query the configuration of one or more services that are running. This, in turn, prevents the firewall from starting correctly.

See  http://blogs.technet.com/b/rspitz/archive/2010/09/19/quot-access-is-denied-quot-when-you-attempt-to-start-the-base-filtering-engine-service-after-upgrading-from-windows-server-2003-to-windows-server-2008-r2.aspx
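The DACL condition described in the answer above can be inspected directly. The following is an added example, not part of the original post or the linked blog: it lists, for every running service, the accounts whose allow ACEs include the SERVICE_QUERY_CONFIG right (bit 0x0001), so a service with an unusually narrow DACL stands out. Which accounts must be present is not stated on this page; the function names are hypothetical, and the intended use is to compare the output against a cleanly installed Server 2008 R2 machine.

```powershell
# Added example (not from the original post): report who may query each running
# service's configuration. Run from an elevated prompt.
$SERVICE_QUERY_CONFIG = 0x0001   # service access right tested below

function Get-QueryConfigGrantee([string]$Sddl) {
    # Return the SIDs that an access-allowed ACE grants SERVICE_QUERY_CONFIG.
    # Deny ACEs are not evaluated here; inspect the raw SDDL if any are present.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            ($ace.AccessMask -band $SERVICE_QUERY_CONFIG)) {
            $ace.SecurityIdentifier
        }
    }
}

function Resolve-SidName($Sid) {
    # Fall back to the raw SID string when the account name cannot be resolved.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object {
    $name = $_.Name
    # sc.exe prints the SDDL on its own line; on failure it prints an [SC] error instead.
    $sddl = & sc.exe sdshow $name 2>$null |
        Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $sddl) {
        $grantees = 'could not read security descriptor'
    } else {
        $names = @(Get-QueryConfigGrantee $sddl.Trim() |
            ForEach-Object { Resolve-SidName $_ })
        $grantees = if ($names.Count) { $names -join '; ' } else { 'NO ALLOW ACE' }
    }
    New-Object PSObject -Property @{ Service = $name; QueryConfigAllowed = $grantees }
} | Sort-Object Service | Format-Table Service, QueryConfigAllowed -AutoSize -Wrap
```

Rows reading `NO ALLOW ACE` or `could not read security descriptor` are the services to examine first.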