New Windows 2003 R2 DC fails to start IPSEC Service


  • New Windows 2003 R2 DC fails to start IPSEC Service

    Recently had to build a replacement DC as the DC at one of our sites is a bit unstable. Built DC (Windows 2003 R2 fully patched) in our ESX 3.5 environment with DNS and DHCP. Promoted DC and transferred FSMO roles to it and migrated DHCP scopes across. After rebooting the DC the IPSEC Service fails to start with the following:

    "
    The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions.
    "

    Followed instructions as per:

    http://support.microsoft.com/kb/912023/en-us

    Ended up having to delete the VM, seize the FSMO roles back to the original DC, clear up the AD and activate the DHCP service on the original server.

    Strangely enough, I recently tried to install SP2 on two other 2003 DCs a few weeks back and after installing the service pack they both failed with the same error message. To get them up and running I had to uninstall the Service Pack. We currently have two DCs that are running fine with SP2 so I don't know why they suddenly start failing.

    Anyone any ideas?

    I'm going to build a fresh 2003 VM (not imaged) and reboot it after every task to see where it suddenly starts to struggle.

    Thanks

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: New Windows 2003 R2 DC fails to start IPSEC Service

    Anyone had any issues with the following:

    http://support.microsoft.com/kb/930220

    Michael


    • #3
      Re: New Windows 2003 R2 DC fails to start IPSEC Service

      I'm pretty sure this is related to a DNS server update which reserves x amount of ports. What's happened is it's reserved an IPSec port so for security it disables all inbound/outbound traffic.

      On a short fix I've noticed you can restart the IPSec service and it'll then allow connections to flow, but you might want to do some further reading:

      http://support.microsoft.com/default.aspx/kb/956188

      http://blogs.technet.com/sbs/archive...nd-951748.aspx

      http://support.microsoft.com/?id=951748



      • #4
        Re: New Windows 2003 R2 DC fails to start IPSEC Service

        When you attempt to restart the IP SEC service you get the following message:

        "
        error 1899 the endpoint mapper database entry could not be created.
        "

        Thanks, I'll take a look at the links anyway.

        Michael
        Last edited by m80arm; 28th September 2009, 10:00.


        • #5
          Re: New Windows 2003 R2 DC fails to start IPSEC Service

          Might be worth a look:

          http://relatedterms.com/ViewThread.aspx?t=225172

          http://msexchangeteam.com/archive/20...18/446400.aspx



          • #6
            Re: New Windows 2003 R2 DC fails to start IPSEC Service

            I'll take a look at those as well.

            Thanks
            Ethos.

            Michael


            • #7
              Re: New Windows 2003 R2 DC fails to start IPSEC Service

              Issue resolved:

              http://chapmans.spaces.live.com/blog...BC84!885.entry

              Added the account into the Domain Controllers Group Policy but the DC would not pick up the setting before network connectivity was lost. Had to change the RPC service to run as the LocalSystem, reboot the server and allow it to pick up the GP change and then change it back to the Network Service account.

              All DCs should now pick up the policy and should hopefully not cause any issues when upgrading to SP2.

              Michael