#1
After DNS update: critical services being blocked from listening on standard TCP/IP ports

Since last Tuesday's update, I believe I'm having problems with the DNS service listening on ports that other services require.

My SBS2003 (non-R2) server has rebooted three times since the update (including the time to apply the patch). The first time, the IPSEC service failed to start. I didn't find out what caused the problem - I ran the CEICW and when that didn't fix it I rebooted the server and all seemed fine. However yesterday I had to reboot to fix a stuck fax service, and this time the IAS service failed to start.

Every time I tried to start the IAS service, the Event viewer showed that event 7023 was logged in "system" by the service control manager - "Only one usage of each socket address (protocol/network address/port) is normally permitted." Checking further back, I noticed this is the same eventid and error message given for the IPSEC service to fail earlier.

Using sysinternals tcpview, I noticed that port 1812 was taken by DNS.exe - so I stopped the dns service, started IAS, then started the DNS service again, everything worked.

However, I'm worried about the next time the server needs to restart. IPSEC in particular is a bad service to not have running. What should I do to try and fix this? According to TCPView, DNS is currently using over 2500 ports most with a remote of *.* and no state, is that normal?

#2
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

rkand@hotmail.com wrote:

> Since last Tuesday's update, I believe I'm having problems with the
> DNS service listening on ports that other services require.
>
> My SBS2003 (non-R2) server has rebooted three times since the update
> (including the time to apply the patch). The first time, the IPSEC
> service failed to start. I didn't find out what caused the problem -
> I ran the CEICW and when that didn't fix it I rebooted the server and
> all seemed fine. However yesterday I had to reboot to fix a stuck fax
> service, and this time the IAS service failed to start.
>
> Every time I tried to start the IAS service, the Event viewer showed
> that event 7023 was logged in "system" by the service control manager -
> "Only one usage of each socket address (protocol/network address/port)
> is normally permitted." Checking further back, I noticed this is the
> same eventid and error message given for the IPSEC service to fail
> earlier.
>
> Using sysinternals tcpview, I noticed that port 1812 was taken by
> DNS.exe - so I stopped the dns service, started IAS, then started the
> DNS service again, everything worked.
>
> However, I'm worried about the next time the server needs to restart.
> IPSEC in particular is a bad service to not have running. What should
> I do to try and fix this? According to TCPView, DNS is currently
> using over 2500 ports most with a remote of *.* and no state, is that
> normal?

I also observed this behaviour on our SBS after the July DNS updates, where IAS failed to start on the following reboot because of the same port clash.

Looking at MS08-037 (http://support.microsoft.com/kb/953230), the DNS server will now use ports from the range 49152 - 65535, *unless the 'MaxUserPort' registry value is set* (see: http://www.microsoft.com/technet/pro...mspx?mfr=true).

In that case, it will use ports in the range 1024 to the value of MaxUserPort. I saw that our SBS had the registry value set to 65535 - in which case DNS could use any ports at all over 1024, and cause the problem we saw. I have now removed the MaxUserPort value and restarted the DNS server service. Hopefully this will deal with the issue.

There is also a ReservedPorts registry value (see http://support.microsoft.com/kb/812873/) that can be used to prevent the DNS server (and others) using allocated ports, but after deleting the MaxUserPort value there won't normally be a need for this, I suggest.

All of this said, IMO the MS08-037 update should really have deleted the MaxUserPort value automatically, avoiding all of this.

--
Steve.
MCP - Small Business.
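
The rule described in the post above (DNS socket pool of 49152 - 65535 unless MaxUserPort is set, then 1024 to MaxUserPort, with ReservedPorts excluding ranges) can be evaluated against a list of service ports. This PowerShell sketch is an added example, not code from the thread or from Microsoft; the function names, the extra ports 1813 and 4500, and the sample cases are assumptions, and the registry path is the standard Tcpip\Parameters key where both values live.

```powershell
# Added example: which service ports could the post-MS08-037 DNS server take?
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSocketPoolRange {
    param($MaxUserPort)
    # As described in the thread: 49152-65535 unless MaxUserPort is set,
    # in which case the pool is 1024..MaxUserPort.
    if ($null -eq $MaxUserPort) { return 49152, 65535 }
    return 1024, [int]$MaxUserPort
}

function ConvertFrom-ReservedPorts {
    # ReservedPorts is a multi-string of "low-high" ranges; one port is "n-n".
    param([string[]]$Entries)
    foreach ($entry in $Entries) {
        if ($entry -match '^\s*(\d+)\s*-\s*(\d+)\s*$') {
            New-Object PSObject -Property @{ Low = [int]$Matches[1]; High = [int]$Matches[2] }
        } elseif ($entry) {
            Write-Warning "Ignoring malformed ReservedPorts entry '$entry'"
        }
    }
}

function Test-ServicePortExposure {
    param($MaxUserPort, [string[]]$ReservedPorts, [int[]]$ServicePorts)
    $low, $high = Get-DnsSocketPoolRange $MaxUserPort
    $reserved = @(ConvertFrom-ReservedPorts $ReservedPorts)
    foreach ($port in $ServicePorts) {
        $inPool = ($port -ge $low) -and ($port -le $high)
        $isReserved = @($reserved | Where-Object { $port -ge $_.Low -and $port -le $_.High }).Count -gt 0
        # AtRisk: DNS may bind this port before the owning service starts.
        New-Object PSObject -Property @{
            Port = $port; PoolRange = "$low-$high"
            Reserved = $isReserved; AtRisk = ($inPool -and -not $isReserved)
        }
    }
}

# Constructed inputs. 65535 and 60000 are the MaxUserPort values reported in
# the thread; $null models the value being removed. 1812 is the IAS port from
# post #1; 1813 and 4500 are assumed additional service ports.
$servicePorts = 1812, 1813, 4500
$cases = @(
    @{ Name = 'MaxUserPort=65535';     Max = 65535; Reserved = @() },
    @{ Name = 'MaxUserPort=60000';     Max = 60000; Reserved = @() },
    @{ Name = 'MaxUserPort removed';   Max = $null; Reserved = @() },
    @{ Name = '65535 + ReservedPorts'; Max = 65535; Reserved = @('1812-1813', '4500-4500') }
)
$results = foreach ($case in $cases) {
    Test-ServicePortExposure $case.Max $case.Reserved $servicePorts |
        Select-Object @{ n = 'Case'; e = { $case.Name } }, Port, PoolRange, Reserved, AtRisk
}
$results | Format-Table -AutoSize

# On a live server, pass the real values (an absent value reads as $null):
# $p = Get-ItemProperty -Path $TcpipKey
# Test-ServicePortExposure $p.MaxUserPort $p.ReservedPorts $servicePorts
```

Only the first two cases report the ports as at risk; removing MaxUserPort or reserving the ports both clear the flag, which matches the two remedies debated in this thread.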

#3
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

On Jul 14, 3:04 pm, "SteveM" <> wrote:
> rk...@hotmail.com wrote:
> > Since last Tuesday's update, I believe I'm having problems with the
> > DNS service listening on ports that other services require.
>
> > My SBS2003 (non-R2) server has rebooted three times since the update
> > (including the time to apply the patch). The first time, the IPSEC
> > service failed to start. I didn't find out what caused the problem -
> > I ran the CEICW and when that didn't fix it I rebooted the server and
> > all seemed fine. However yesterday I had to reboot to fix a stuck fax
> > service, and this time the IAS service failed to start.
>
> > Every time I tried to start the IAS service, the Event viewer showed
> > that event 7023 was logged in "system" by the service control manager -
> > "Only one usage of each socket address (protocol/network address/port)
> > is normally permitted." Checking further back, I noticed this is the
> > same eventid and error message given for the IPSEC service to fail
> > earlier.
>
> > Using sysinternals tcpview, I noticed that port 1812 was taken by
> > DNS.exe - so I stopped the dns service, started IAS, then started the
> > DNS service again, everything worked.
>
> > However, I'm worried about the next time the server needs to restart.
> > IPSEC in particular is a bad service to not have running. What should
> > I do to try and fix this? According to TCPView, DNS is currently
> > using over 2500 ports most with a remote of *.* and no state, is that
> > normal?
>
> I also observed this behaviour on our SBS after the July DNS updates,
> where IAS failed to start on the following reboot because of the same
> port clash.
>
> Looking at MS08-037 (http://support.microsoft.com/kb/953230), the DNS
> server will now use ports from the range 49152 - 65535, *unless the
> 'MaxUserPort' registry value is set* (see:
>
> http://www.microsoft.com/technet/pro...v/reskit/r...)..
>
> In that case, it will use ports in the range 1024 to the value of
> MaxUserPort. I saw that our SBS had the registry value set to 65535 -
> in which case DNS could use any ports at all over 1024, and cause the
> problem we saw. I have now removed the MaxUserPort value and restarted
> the DNS server service. Hopefully this will deal with the issue.
>
> There is also a ReservedPorts registry value (see http://support.microsoft.com/kb/812873/) that can be used to prevent
> the DNS server (and others) using allocated ports, but after deleting
> the MaxUserPort value there won't normally be a need for this, I
> suggest.
>
> All of this said, IMO the MS08-037 update should really have deleted
> the MaxUserPort value automatically, avoiding all of this.
>
> --
> Steve.
> MCP - Small Business.

Steve,

Thanks for your help. I'm sure this will solve the problem for me also. All the information was in MS's KB for the update - I guess I should have checked there first.

#4
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

My SBS2003 has this MaxUserPort=65535 key as well. I haven't installed the updates yet but thanks for the heads up.

I don't see this issue mentioned in the SBS blog. I wonder if this key is standard in SBS setups? (I don't remember adding it...)

--
Allan Williams

<SteveM> wrote in message news:xn0fsogaokz4jc000@news.microsoft.com...
> rkand@hotmail.com wrote:
>
>> Since last Tuesday's update, I believe I'm having problems with the
>> DNS service listening on ports that other services require.
>>
>> My SBS2003 (non-R2) server has rebooted three times since the update
>> (including the time to apply the patch). The first time, the IPSEC
>> service failed to start. I didn't find out what caused the problem -
>> I ran the CEICW and when that didn't fix it I rebooted the server and
>> all seemed fine. However yesterday I had to reboot to fix a stuck fax
>> service, and this time the IAS service failed to start.
>>
>> Every time I tried to start the IAS service, the Event viewer showed
>> that event 7023 was logged in "system" by the service control manager -
>> "Only one usage of each socket address (protocol/network address/port)
>> is normally permitted." Checking further back, I noticed this is the
>> same eventid and error message given for the IPSEC service to fail
>> earlier.
>>
>> Using sysinternals tcpview, I noticed that port 1812 was taken by
>> DNS.exe - so I stopped the dns service, started IAS, then started the
>> DNS service again, everything worked.
>>
>> However, I'm worried about the next time the server needs to restart.
>> IPSEC in particular is a bad service to not have running. What should
>> I do to try and fix this? According to TCPView, DNS is currently
>> using over 2500 ports most with a remote of *.* and no state, is that
>> normal?
>
> I also observed this behaviour on our SBS after the July DNS updates,
> where IAS failed to start on the following reboot because of the same
> port clash.
>
> Looking at MS08-037 (http://support.microsoft.com/kb/953230), the DNS
> server will now use ports from the range 49152 - 65535, *unless the
> 'MaxUserPort' registry value is set* (see:
>
> http://www.microsoft.com/technet/pro...mspx?mfr=true).
>
> In that case, it will use ports in the range 1024 to the value of
> MaxUserPort. I saw that our SBS had the registry value set to 65535 -
> in which case DNS could use any ports at all over 1024, and cause the
> problem we saw. I have now removed the MaxUserPort value and restarted
> the DNS server service. Hopefully this will deal with the issue.
>
> There is also a ReservedPorts registry value (see
> http://support.microsoft.com/kb/812873/) that can be used to prevent
> the DNS server (and others) using allocated ports, but after deleting
> the MaxUserPort value there won't normally be a need for this, I
> suggest.
>
> All of this said, IMO the MS08-037 update should really have deleted
> the MaxUserPort value automatically, avoiding all of this.
>
> --
> Steve.
> MCP - Small Business.

#5
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

On Jul 14, 6:37 pm, "Al Williams" <donotreplydir...@usenewsgroup.com> wrote:
> My SBS2003 has this MaxUserPort=65535 key as well. I haven't installed the
> updates yet but thanks for the heads up.
>
> I don't see this issue mentioned in the SBS blog. I wonder if this key is
> standard in SBS setups? (I don't remember adding it...)
>
> --
> Allan Williams

I'm sure I didn't add it. I manage 2 SBS installations, the older one (upgraded from SBS 2000 and before) was set to 65535, the other is a relatively untouched 1-year old SBS 2003 R2 clean install which was set to 60000.

I've noticed that when I deleted the registry key and restarted the DNS service, the low ports were still being used by DNS. I haven't rebooted yet to see if DNS behaves then, I assume (hope) it will.

#6
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

rkand@hotmail.com wrote:

> I've noticed that when I deleted the registry key and restarted the
> DNS service, the low ports were still being used by DNS. I haven't
> rebooted yet to see if DNS behaves then, I assume (hope) it will.

After removing the MaxUserPort key and rebooting here, I see the DNS service is using TCP ports 1041 (for to localhost:ldap) and 1043 (to myserver:0), but otherwise all the ephemeral UDP ports it is using are in the (new) high range as they should be.

--
Steve.
MCP - Small Business.

#7
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

FYI: The proper fix is posted on http://blogs.technet.com/sbs

They don't want us to remove the MaxUserPort key, I asked - check the blog comments.

--
Allan Williams

<SteveM> wrote in message news:xn0fspor313upg000@news.microsoft.com...
> rkand@hotmail.com wrote:
>
>> I've noticed that when I deleted the registry key and restarted the
>> DNS service, the low ports were still being used by DNS. I haven't
>> rebooted yet to see if DNS behaves then, I assume (hope) it will.
>
> After removing the MaxUserPort key and rebooting here, I see the DNS
> service is using TCP ports 1041 (for to localhost:ldap) and 1043 (to
> myserver:0), but otherwise all the ephemeral UDP ports it is using are
> in the (new) high range as they should be.
>
> --
> Steve.
> MCP - Small Business.

#8
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

FYI: The proper fix is posted on http://blogs.technet.com/sbs

They don't want us to remove the MaxUserPort key, I asked - check the blog comments.

--
Allan Williams

<rkand@hotmail.com> wrote in message news:f00fd832-37dd-4199-aee0-c080ed7298ca@w7g2000hsa.googlegroups.com...
On Jul 14, 6:37 pm, "Al Williams" <donotreplydir...@usenewsgroup.com> wrote:
> My SBS2003 has this MaxUserPort=65535 key as well. I haven't installed the
> updates yet but thanks for the heads up.
>
> I don't see this issue mentioned in the SBS blog. I wonder if this key is
> standard in SBS setups? (I don't remember adding it...)
>
> --
> Allan Williams

I'm sure I didn't add it. I manage 2 SBS installations, the older one (upgraded from SBS 2000 and before) was set to 65535, the other is a relatively untouched 1-year old SBS 2003 R2 clean install which was set to 60000.

I've noticed that when I deleted the registry key and restarted the DNS service, the low ports were still being used by DNS. I haven't rebooted yet to see if DNS behaves then, I assume (hope) it will.

#9
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

Al Williams wrote:

> FYI: The proper fix is posted on http://blogs.technet.com/sbs
>
> They don't want us to remove the MaxUserPort key, I asked - check the
> blog comments.

While MS have suggested using ReservedPorts as a workaround, IMO this introduces administrative complexities - you will need to revisit the ReservedPort settings every time you install an internet-facing app on your SBS. Admittedly this shouldn't be very often, but why add the error-prone overhead?

Susan Bradley has picked up on MS's post with her blog article here: http://msmvps.com/blogs/bradley/arch...delete-maxuserport.aspx. I'm with Chris Knight on this one, though (see his comment at the foot of Susan's article).

--
Steve.
MCP - Small Business.

#10
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

On Jul 21, 4:32 am, "SteveM" <> wrote:
> Al Williams wrote:
> > FYI: The proper fix is posted on http://blogs.technet.com/sbs
>
> > They don't want us to remove the MaxUserPort key, I asked - check the
> > blog comments.
>
> While MS have suggested using ReservedPorts as a workaround, IMO this
> introduces administrative complexities - you will need to revisit the
> ReservedPort settings every time you install an internet-facing app on
> your SBS. Admittedly this shouldn't be very often, but why add the
> error-prone overhead?
>
> Susan Bradley has picked up on MS's post with her blog article here: http://msmvps.com/blogs/bradley/arch...delete-maxuser
> port.aspx. I'm with Chris Knight on this one, though (see his comment
> at the foot of Susan's article).
>
> --
> Steve.
> MCP - Small Business.

This situation sucks all around. First the patch should have been tested properly. Secondly they should be working on a patch to map the ports as 2008 does. Finally, in the meantime, they should have real info from the Exchange team on how deleting the maxuserport key will affect us.

"Add any ports used by 3rd party programs to the reserved list" doesn't sound like it came from the same team that decided to make a wizard to add users because it is just too complex a task without for the average SBS administrator.

If I go by the MS recommended route, it will probably require getting in contact with tech support of at least 10 different companies (including microsoft) to find out which ports require reserving. Even if I do all that work, chances are ports will be missed and critical services will be blocked a few times in the months ahead, and I'll be left with trying to figure it out from ludicrous error messages in the event viewer (Yes, I'm looking at you RIM). Just one server I've checked has over 50 UDP ports in use, including some used by my favourite process, svchost.

For now I have the MaxUserPort key back in, and plan on waking up early every time the server needs to restart. Thanks, MS.

#11
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

Prob is that I installed that early on and never saw the issue, it was REAL random. It's hard to "test properly". I know, I do it first myself before I roll it out and never saw this myself. The probability is high during their testing it didn't come to light as well.

rkand@hotmail.com wrote:
> On Jul 21, 4:32 am, "SteveM" <> wrote:
>> Al Williams wrote:
>>> FYI: The proper fix is posted on http://blogs.technet.com/sbs
>>> They don't want us to remove the MaxUserPort key, I asked - check the
>>> blog comments.
>> While MS have suggested using ReservedPorts as a workaround, IMO this
>> introduces administrative complexities - you will need to revisit the
>> ReservedPort settings every time you install an internet-facing app on
>> your SBS. Admittedly this shouldn't be very often, but why add the
>> error-prone overhead?
>>
>> Susan Bradley has picked up on MS's post with her blog article here: http://msmvps.com/blogs/bradley/arch...delete-maxuser
>> port.aspx. I'm with Chris Knight on this one, though (see his comment
>> at the foot of Susan's article).
>>
>> --
>> Steve.
>> MCP - Small Business.
>
> This situation sucks all around. First the patch should have been
> tested properly. Secondly they should be working on a patch to map
> the ports as 2008 does. Finally, in the meantime, they should have
> real info from the Exchange team on how deleting the maxuserport key
> will affect us.
>
> "Add any ports used by 3rd party programs to the reserved list" doesn't
> sound like it came from the same team that decided to make a wizard to
> add users because it is just too complex a task without for the
> average SBS administrator.
>
> If I go by the MS recommended route, it will probably require getting
> in contact with tech support of at least 10 different companies
> (including microsoft) to find out which ports require reserving. Even
> if I do all that work, chances are ports will be missed and critical
> services will be blocked a few times in the months ahead, and I'll be
> left with trying to figure it out from ludicrous error messages in the
> event viewer (Yes, I'm looking at you RIM). Just one server I've
> checked has over 50 UDP ports in use, including some used by my
> favourite process, svchost.
>
> For now I have the MaxUserPort key back in, and plan on waking up
> early every time the server needs to restart. Thanks, MS.

#12
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

Prob is that Exchange and ISA server aren't supported without this setting.

They are setting the support policy here.

SteveM wrote:
> Al Williams wrote:
>
>> FYI: The proper fix is posted on http://blogs.technet.com/sbs
>>
>> They don't want us to remove the MaxUserPort key, I asked - check the
>> blog comments.
>
> While MS have suggested using ReservedPorts as a workaround, IMO this
> introduces administrative complexities - you will need to revisit the
> ReservedPort settings every time you install a internet-facing app on
> your SBS. Admittedly this shouldn't be very often, but why add the
> error-prone overhead?
>
> Susan Bradley has picked up on MS's post with her blog article here:
> http://msmvps.com/blogs/bradley/arch...delete-maxuser
> port.aspx. I'm with Chris Knight on this one, though (see his comment
> at the foot of Susan's article).

#13
Re: After DNS update: critical services being blocked from listening on standard TCP/IP ports

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> Prob is that Exchange and ISA server aren't supported without this
> setting.
>
> They are setting the support policy here.

Really? Where do they say this? According to the MS blog post, the ReservedPorts workaround is 'suggested'.

--
Steve.
MCP - Small Business.