POW #9 – Exchange Server 2007 Edge & DNS Server

September 2, 2009 at 6:50 PM, Saso Erdeljanov


I noticed that some users are running Exchange Server 2007 Edge and a public DNS Server on the same machine.

Problem

Some services fail at start-up if all of the following are true:

  • Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2010 (Edge Role).
  • Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
  • DNS Server role is installed.
  • Hotfix KB951746 is installed.

You receive the following error and all Exchange services are stopped.


Log Name:      System
Source:        Service Control Manager
Date:          14.7.2009 10:19:36
Event ID:      7023
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EDGE.exchange.pri
Description:
The Microsoft Exchange ADAM service terminated with the following error:
An attempt was made to access a socket in a way forbidden by its
access permissions.

So let’s start troubleshooting… ;-)

If we take a look with netstat we can see that the DNS Server service (dns.exe) is using port 50636.

[Screenshot: netstat output]

Exchange Server uses Active Directory Lightweight Directory Services (AD LDS), previously known as Active Directory Application Mode (ADAM), to store the Exchange organization configuration. By default, the Edge Transport server uses the non-standard port 50636 for EdgeSync (Secure LDAP). We can check that with dsdbutil.

  • Open cmd.exe, type dsdbutil and press Enter.
  • Type list instances and press Enter.

[Screenshot: dsdbutil "list instances" output]

The issue is with hotfix KB951746 (MS08-037: Description of the security update for DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server (DNS server-side): July 8, 2008).

After security update KB951746 is installed on Windows Server 2008 (RTM/SP2), this issue occurs because the DNS server’s method of port allocation changes, and this change could prevent AD LDS from obtaining the port that it requires to function correctly.

By default, after security update KB951746 is installed, the DNS server randomly allocates 2,500 UDP ports in the ephemeral port range. This is new behavior that is introduced by this update. A conflict may occur if one of these randomly allocated ports is a port that an AD LDS instance has to use.

We can check the size of the socket pool with dnscmd:

[Screenshot: dnscmd socket pool size output]
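The netstat check above and the dnscmd socket-pool check can be combined into one diagnostic script. The following PowerShell is an added example, not part of the original post: it parses netstat -ano to find which process owns the AD LDS ports, then queries the DNS socket pool size and the ephemeral port range. The port list (50389 and 50636) is taken from the post; adjust it if dsdbutil shows different ports for your instance.

```powershell
# Added example (not from the original post): find out whether the DNS socket
# pool has grabbed the ports the Edge Transport AD LDS instance needs.
# Assumed ports from the post: 50389 (LDAP) and 50636 (Secure LDAP / EdgeSync).
$AdLdsPorts = 50389, 50636

# 1. Who currently owns the AD LDS ports?  netstat -ano prints the owning PID
#    as the last column for both TCP and UDP sockets.
$listeners = netstat -ano |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s+\S+:\d+\s+' } |
    ForEach-Object {
        $fields = ($_ -replace '^\s+') -split '\s+'
        $owner  = [int]$fields[-1]
        [pscustomobject]@{
            Proto = $fields[0]
            # local address may be IPv4 (0.0.0.0:50636) or IPv6 ([::]:50636)
            Port  = [int]($fields[1] -replace '^.*:(\d+)$', '$1')
            PID   = $owner
            Proc  = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
        }
    }

foreach ($p in $AdLdsPorts) {
    $hits = $listeners | Where-Object { $_.Port -eq $p }
    if (-not $hits) { Write-Host "Port $p : free"; continue }
    foreach ($h in $hits) {
        # dns.exe holding an AD LDS port is exactly the KB951746 conflict
        $flag = if ($h.Proc -eq 'dns') { '  <== DNS socket pool conflict' } else { '' }
        Write-Host ("Port {0} : {1} PID {2} ({3}){4}" -f $p, $h.Proto, $h.PID, $h.Proc, $flag)
    }
}

# 2. Size of the DNS socket pool (2,500 by default after KB951746)
dnscmd /Info /SocketPoolSize

# 3. Dynamic (ephemeral) UDP port range; Windows Server 2008 defaults to 49152-65535
netsh int ipv4 show dynamicport udp
```

Run it in an elevated prompt on the Edge server. A line such as "Port 50636 : UDP PID 1234 (dns) <== DNS socket pool conflict" confirms the problem described above; if AD LDS already owns the port (process name dsamain) the conflict did not occur on this boot, which is why the failure appears random.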

Background information

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535.

We can check the ephemeral port range in Windows Server 2008 with netsh.

[Screenshot: netsh dynamic port range output]

This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.

In Windows Server 2003 or in Windows 2000 Server, the value of the MaxUserPort registry entry defines the ephemeral port range. The range is from 1024 to the value that is defined by the MaxUserPort registry entry.
After you install security update 953230 on Windows Server 2003 and down-level platforms, the following conditions are true:

  • If the value of the MaxUserPort registry entry is set, the ports are allocated randomly from the [1024, MaxUserPort] range.
  • If the value of the MaxUserPort registry entry is not set, the ports are allocated randomly from the [49152, 65535] range.

In Windows Server 2008:

  • Ephemeral port allocation and the MaxUserPort registry entry:
    In Windows Server 2008 or in Windows Vista, the value of the MaxUserPort registry entry signifies the number of ephemeral ports. The range is [start port, start port + MaxUserPort]. The default start port is port 49152.
  • Effective ephemeral port range:
    Ephemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230.

Solution for Windows Server 2003

We need to keep the ephemeral port allocator away from the ports used by the Exchange Server 2007 Edge AD LDS instance, by specifying them as reserved ports in the registry.

  • Start regedit.exe
  • Locate following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  • Create New Multi-String Value with name ReservedPorts
  • Enter the following values for the EDGE ports that we want to exclude:
    50389-50389
    50636-50636

    [Screenshot: ReservedPorts value in regedit]
  • Reboot the server

Solution for Windows Server 2008

Although we could change the port range in Windows Server 2008, there is a simpler trick that does the job: change the DNS Server service startup type to Automatic (Delayed Start), so AD LDS binds its ports before the DNS socket pool is allocated.

[Screenshot: DNS Server service properties, startup type Automatic (Delayed Start)]

Solution for Windows Server 2008 R2

Windows Server 2008 R2 DNS Server provides a socket pool port exclusion list (the SocketPoolExcludedPortRanges setting) that allows us to exclude certain ports from the DNS Server socket pool:

Dnscmd /Config /SocketPoolExcludedPortRanges 50389-50389 50636-50636
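The three platform-specific fixes above can be applied from one script that branches on the OS version. This PowerShell is an added example, not from the original post: it writes the ReservedPorts multi-string on Windows Server 2003, switches the DNS Server service to delayed start on Windows Server 2008, and sets the socket pool exclusion on Windows Server 2008 R2. The port list is assumed from the post; the service name DNS and the version numbers 5.2 / 6.0 / 6.1 are the standard ones for those releases.

```powershell
# Added example (not from the original post): apply the post's fix for the
# platform the script runs on.  Assumed AD LDS ports from the post.
# Run in an elevated prompt.
$AdLdsPorts = 50389, 50636
$ranges     = $AdLdsPorts | ForEach-Object { "$_-$_" }   # "50389-50389", "50636-50636"
$osVersion  = [Environment]::OSVersion.Version           # 5.2 = 2003, 6.0 = 2008, 6.1 = 2008 R2

switch ("$($osVersion.Major).$($osVersion.Minor)") {
    '5.2' {
        # Windows Server 2003: ReservedPorts (REG_MULTI_SZ) keeps the TCP/IP stack
        # from handing these ports out as ephemeral ports.  Merge with any
        # reservations already present instead of overwriting them.
        $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        $existing = (Get-ItemProperty -Path $key -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts
        $merged   = @($existing) + $ranges | Where-Object { $_ } | Sort-Object -Unique
        Set-ItemProperty -Path $key -Name ReservedPorts -Value ([string[]]$merged) -Type MultiString
        Write-Host "ReservedPorts now: $($merged -join ', ')  (reboot required)"
    }
    '6.0' {
        # Windows Server 2008: delay the DNS Server service so AD LDS binds first.
        # Set-Service cannot set delayed start on this release; sc.exe can
        # (the space after 'start=' is required by sc.exe's parser).
        sc.exe config DNS start= delayed-auto
    }
    '6.1' {
        # Windows Server 2008 R2: exclude the ports from the DNS socket pool.
        # $ranges is an array, so PowerShell passes each range as its own argument.
        dnscmd /Config /SocketPoolExcludedPortRanges $ranges
        Restart-Service -Name DNS    # the pool is re-allocated when the service starts
    }
    default { Write-Warning "Unhandled OS version $osVersion" }
}
```

After the change, rerun the netstat check from the troubleshooting section: port 50636 should be owned by the AD LDS process rather than dns.exe. On Windows Server 2003 the registry change only takes effect after a reboot.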

Exchange Server 2007 & Windows Server 2008 R2?

I was warned that mentioning Windows Server 2008 R2 in a post about Exchange Server 2007 could be misleading (thanks to Miha Pihler!). Some quick facts about Exchange Server 2007 and Windows Server 2008 R2:

  • Exchange Server 2007 is NOT supported on Windows Server 2008 R2
  • You need to deploy Update Rollup 9 for Exchange Server 2007 SP1, or SP2 for Exchange Server 2007, if you intend to run DC/GC servers on Windows Server 2008 R2

Posted in: DNS | Exchange | Microsoft | POW | Windows

Cipher Suite Update for Windows Server 2003

July 17, 2008 at 1:06 PM

This update adds support for the following Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Server 2003:

  • TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

Note: These cipher suites are based on the RC4 algorithm.

Source:

KB948963 - An update is available that adds support for the TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and the TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES cipher suites in Windows Server 2003

Posted in: Windows | Security | Microsoft

Bash vs. Windows PowerShell

July 10, 2008 at 8:57 AM

Is Bash better than Windows PowerShell? Is Windows PowerShell better than Bash? Well... It depends on your needs and on the system you are administering. I just found the first good comparison of the two products.

Marcus Nasarek wrote a great comparison article, Bash vs. Windows PowerShell, for Linux Magazine!

Posted in: Windows | Linux

How to extend the Windows Server 2008 evaluation period

February 13, 2008 at 12:13 PM

You probably already know that you do not need to activate Windows Server 2008 during the 60-day evaluation period. In most cases the default 60-day evaluation period will be just fine. It is possible to reset the 60-day evaluation period up to three times, for a total evaluation period of up to 240 days. Cool, right? ;-)

Article ID: 948472 How to extend the Windows Server 2008 evaluation period

Posted in: Windows | Microsoft | Windows Server 2008

Exchange 2007 SP1 Install Error on Windows Server 2008 RC1

January 20, 2008 at 12:20 PM

This is one "simple" error I came across when installing on Windows Server 2008 RC1.

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1976). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

In my case the solution was really simple. Between the tests I had disabled IPv6 support on the network card. I enabled it again, re-ran setup and everything was fine...

Windows Essential Business Server

November 26, 2007 at 5:57 PM

Microsoft announced Windows Essential Business Server (previously code-named "Centro"), a new integrated multi-server solution designed for midsize businesses with sophisticated IT needs. It offers integrated security, simple administration with a unified management console and, just like the Small Business edition, bundles multiple products that are normally cheaper together than if you buy separate licenses.

In Standard Edition you will get:

  • Windows Server 2008 with Active Directory Domain Services
  • Microsoft System Center Essentials
  • Microsoft Exchange
  • Microsoft Forefront Security for Exchange Server
  • Next version of Microsoft Internet Security and Acceleration Server (ISA Server)

In Premium Edition you will also get Microsoft SQL Server 2008 Standard Edition.

If I'm honest, I never liked the idea of Small Business Server. Why? On one side you have best practices that say you should not put, for example, a Domain Controller and an Exchange Server on one box. On the other side you have a product that has everything together, on one or two servers. So I have the same opinion about Windows Essential Business Server. I sure hope that you will be able to install it on separate servers.

But it also has a good side. It costs less than the separate products, so it's great for small companies with a low IT budget.

Source: Windows Essential Business Server Overview (A New Server Solution for Midsize Businesses)

Windows Server 2008 RC0 Downloads

September 25, 2007 at 1:36 PM

Windows Server 2008 Step-by-Step Guides

September 17, 2007 at 10:29 AM

These step-by-step guides help IT Professionals learn about and evaluate Windows Server 2008.
These documents are downloadable versions of guides found in the Windows Server 2008 Technical Library. (http://go.microsoft.com/fwlink/?LinkId=86808).

Source: Windows Server 2008 Step-by-Step Guides

Posted in: Windows | Microsoft | Windows Server 2008

Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008

September 17, 2007 at 10:27 AM

This document describes new features and technologies, which were not available in Windows Server 2003 with Service Pack 1 (SP1), that will help to increase the security of computers running Windows Server 2008, increase productivity, and reduce administrative overhead.

These topics apply to the next release of Windows Server 2008, based on the functionality expected to be included in the Beta releases in 2007. They do not describe all of the changes that are included in Windows Server 2008. Instead, they highlight changes that will potentially have the greatest impact on your use of Windows Server 2008 and provide references to additional information.

Source: Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008

Posted in: Windows | Microsoft | Windows Server 2008

Windows Vista GDI hotfix

September 4, 2007 at 2:06 PM

After a Windows Vista-based computer has been running for an extended period of time, the desktop screen may stop updating correctly. For example, you may experience any of the following symptoms:

  • Parts of the screen may go black.
  • Parts of the screen may become transparent.
  • The toolbar may disappear.
  • The toolbar may appear at the top of the screen instead of at the bottom of the screen.

KB932406 - The Windows desktop may stop updating correctly after a Windows Vista-based computer has been running for an extended period of time

Now my problems with transparent or black parts of the screen are gone. :)

Posted in: Windows | Vista | Microsoft
