Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)

You may experience many network-related problems after you install the Domain Name System (DNS) security update 953230 (MS08-037) on a computer that is running Windows Small Business Server (SBS), and then you restart the computer.

For example, you may experience any of the following problems.

Problem 1

The Internet Authentication Service (IAS) does not start, and an Error event that resembles the following is logged in the System event log:

Problem 2

Microsoft Exchange Server Always Up To Date (AUTD) notifications for ActiveSync fail, and Error events that resemble the following are logged in the Application event log:

Problem 3

The IPSEC Services service does not start, and Error events that resemble the following are logged in the System event log:

This problem occurs because the DNS Server service is listening on the UDP port that is required by another service. This problem occurs when the MaxUserPort registry entry is present. This registry entry is located in the following subkey in the registry: By default, the MaxUserPort registry entry is installed by the following programs together with the following values:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: To resolve this problem, add the port that is needed by the service to the ReservedPorts registry value. This prevents the DNS Server service from listening on that port. The following ports are known to cause conflicts: To configure the ReservedPorts registry value, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Right-click ReservedPorts, and then click Modify.
4. Type the range of ports that you want to reserve.
   
   Notes
   • You must type the range of ports in the following format:
     xxxx-yyyy
   • Do not replace the existing values. Instead, add the additional values.
   • To specify a single port, use the same value for x and for y. For example, to specify port 4000, type 4000-4000.
   • If you specify the continuous ports separately and if one port is reserved and is not used, the next port is not reserved correctly, and the port is used.
   • ISA Server settings only apply to Small Business Server 2000 or to Windows Small Business Server 2003 Premium Edition.
5. Click OK.
   
   Note If you receive the following warning message, click OK
   Warning:
   Data of type REG_MULTI_SZ cannot contain empty strings.
   Registry Editor will remove the empty string found.
6. Exit Registry Editor, and then restart the computer.

Notes

• You must restart the computer after you make these changes for the changes to take effect.
• If you are using any third-party applications on the server that might require you to use a static UDP port that is higher than port 1024, you should also add it to the list of reserved ports.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information, click the following article numbers to view the article in the Microsoft Knowledge Base: