Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)

Article ID: 956189

SYMPTOMS

You may experience many network-related problems after you install the Domain Name System (DNS) security update 953230 (MS08-037) on a computer that is running Windows Small Business Server (SBS), and then you restart the computer.

For example, you may experience any of the following problems.

Problem 1

The Internet Authentication Service (IAS) does not start, and an Error event that resembles the following is logged in the System event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: Date
Time: Time
User: N/A
Computer: Server_name
Description: The Internet Authentication Service service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.

Problem 2

Microsoft Exchange Server Always Up To Date (AUTD) notifications for ActiveSync fail, and Error events that resemble the following are logged in the Application event log:
Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3015
Date: Date
Time: Time
User: N/A
Computer: Server_name
Description: IP-based AUTD failed to initialize because the processing of notifications could not be set up. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3024
Date: Date
Time: Time
User: N/A
Computer: Server_name
Description: IP-based AUTD failed to initialize. Error code: [0x80004005].

Problem 3

The IPSEC Services service does not start, and Error events that resemble the following are logged in the System event log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: Date
Time: Time
User: N/A
Computer: Server_name
Description: The IPSEC Services service terminated with the following error: Only one usage of each socket address (protocol/network address/port) is normally permitted.

Event Type: Error
Event Source: IPSec
Event Category: None
Event ID: 4292
Date: Date
Time: Time
User: N/A
Computer: Server_name
Description: The IPSec driver has entered Block mode. IPSec will discard all incoming and outgoing TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.

CAUSE

This problem occurs because the DNS Server service is listening on the UDP port that is required by another service. This problem occurs when the MaxUserPort registry entry is present. This registry entry is located in the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
By default, the MaxUserPort registry entry is installed by the following programs together with the following values:
Program                                                                                   Default value for the MaxUserPort registry entry
Microsoft Exchange Server 2003                                                            60000
Microsoft Internet Security and Acceleration (ISA) Server                                 65535
Windows Small Business Server 2003                                                        60000
Windows Small Business Server 2003 with Exchange Server 2003 or with ISA Server installed 65535

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, add the port that is needed by the service to the ReservedPorts registry value. This prevents the DNS Server service from listening on that port. The following ports are known to cause conflicts:
Ports       Program that uses the ports
1645-1646   IAS
1701-1701   L2TP
1718-1719   H.323 Gatekeeper (ISA 2000 only)
1745-1745   ISA Server 2000 or ISA Server 2004
1812-1813   IAS
2883-2883   AUTD
3500-3619   ISA Server 2000 only
4500-4500   IPSEC
To configure the ReservedPorts registry value, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. Right-click ReservedPorts, and then click Modify.
  4. Type the range of ports that you want to reserve.

    Notes
    • You must type the range of ports in the following format:
      xxxx-yyyy
    • Do not replace the existing values. Instead, add the additional values.
    • To specify a single port, use the same value for x and for y. For example, to specify port 4000, type 4000-4000.
    • If you specify contiguous ports as separate entries and one of the reserved ports is not used, the next port is not reserved correctly, and that port is used.
    • ISA Server settings only apply to Small Business Server 2000 or to Windows Small Business Server 2003 Premium Edition.
  5. Click OK.

    Note If you receive the following warning message, click OK:
    Warning:
    Data of type REG_MULTI_SZ cannot contain empty strings.
    Registry Editor will remove the empty string found.
  6. Exit Registry Editor, and then restart the computer.
Notes
  • You must restart the computer after you make these changes for the changes to take effect.
  • If you are using any third-party applications on the server that might require you to use a static UDP port that is higher than port 1024, you should also add it to the list of reserved ports.
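
The registry steps above as a script, added here as an example and not part of the original Microsoft article: it reports which of the listed ranges are missing from ReservedPorts and, when run with -Apply, appends them without replacing existing entries. It assumes Windows PowerShell is installed on the server and the session has administrative rights; the -Apply switch and the ConvertTo-PortRange helper are this example's own names.

```powershell
# Added example: audit (and optionally update) ReservedPorts against the
# conflict list in this article. A restart is still required afterwards.
param([switch]$Apply)   # without -Apply the script only reports

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# Ranges from the article's table. Trim this list to the services the server
# actually runs (the ISA Server rows apply only where ISA Server is installed).
$required = '1645-1646','1701-1701','1718-1719','1745-1745',
            '1812-1813','2883-2883','3500-3619','4500-4500'

function ConvertTo-PortRange([string]$entry) {
    # Accept only the xxxx-yyyy form with 1 <= xxxx <= yyyy <= 65535.
    if ($entry -notmatch '^(\d{1,5})-(\d{1,5})$') { return $null }
    $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
    if ($lo -lt 1 -or $hi -gt 65535 -or $lo -gt $hi) { return $null }
    return New-Object PSObject -Property @{ Low = $lo; High = $hi }
}

$props    = Get-ItemProperty -Path $keyPath
$existing = @($props.ReservedPorts | Where-Object { $_ })  # drop empty strings
"MaxUserPort   : $($props.MaxUserPort)"
"ReservedPorts : $($existing -join ', ')"

$parsed = @()
foreach ($e in $existing) {
    $r = ConvertTo-PortRange $e
    if ($r) { $parsed += $r } else { Write-Warning "Entry kept as-is, not in xxxx-yyyy form: '$e'" }
}

# A required range counts as reserved only if one existing entry covers all of it.
$missing = @()
foreach ($want in $required) {
    $w = ConvertTo-PortRange $want
    $covered = $false
    foreach ($r in $parsed) {
        if ($r.Low -le $w.Low -and $r.High -ge $w.High) { $covered = $true; break }
    }
    if (-not $covered) { $missing += $want }
}

if ($missing.Count -eq 0) { 'All listed ranges are already reserved.'; return }
"Missing ranges: $($missing -join ', ')"
if ($Apply) {
    # Append to the existing values; never replace them.
    $new = [string[]](@($existing) + $missing)
    New-ItemProperty -Path $keyPath -Name ReservedPorts -PropertyType MultiString -Value $new -Force | Out-Null
    'ReservedPorts updated. Restart the computer for the change to take effect.'
}
```

Back up the registry as described above before running the script with -Apply.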

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information, click the following article numbers to view the article in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing
812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server

Properties

Article ID: 956189 - Last Review: July 25, 2008 - Revision: 1.1
APPLIES TO
  • Microsoft Windows Small Business Server 2003 R2 Premium Edition
  • Microsoft Windows Small Business Server 2003 R2 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Small Business Server 2000 Standard Edition