The Official SBS Blog

The official blog for Small Business Server (SBS) support and product group communications.

July, 2008

Recent Blog Posts
  • The Official SBS Blog

    Official Launch Date for SBS 2008 - November 12, 2008

    At WPC we announced November 12th 2008 as the official launch date for Windows Small Business Server 2008 and Windows Essential Business Server 2008.  Activities that day will signal general availability of both products in most markets and via most channels, and will kick off launch efforts worldwide. More information about specific launch activities will be communicated in the future.  Code completion of both products and release to manufacturing (RTM)  - hand off to our partners and distributors - will occur prior to the November 12 launch.

  • The Official SBS Blog

    New KB Articles Released Concerning Issues Around DNS Security Update 953230 (MS08-037)

    Two new KB articles have been released that discuss the issue we first spoke about in our blog post entitled Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748).  Please read these KB articles if you would like to know more about this issue:

  • The Official SBS Blog

    SBS 2008 and Vista Event Being Held in Las Colinas Texas Tomorrow

    [Today's post comes to us courtesy Justin Crosby and Peter Gallagher]

    Peter Gallagher, Charles VanHuesen (of Microsoft’s TS2 team and founding members of DFW-SBS), Eriq Neale (resident SBS MVP and owner of EON Consulting, author of SBS 2003 SP1 Unleashed) and Wade DeVore (owner of NetVision Consulting, TAP participant for both SBS 2008 and Server 2008, White Paper King) will all be giving you their take on both Vista and SBS 2008.

    This event occurs on 7/26/2008 from 8:30 AM to 2:30 PM at the Microsoft site in Irving (Las Colinas) Texas.

    Follow this link for more details and to register for the event: https://www.clicktoattend.com/invitation.aspx?code=129929

  • The Official SBS Blog

    Some Services May Fail to Start or May Not Work Properly After Installing MS08-037 (951746 and 951748)

    [Today's post comes to us courtesy of John Bay, Damian Leibaschoff, Justin Crosby and Chris Puckett]

    Some customers have reported seeing random problems with services after installing MS08-037. In one case, Exchange Always Up To Date (AUTD) notifications for ActiveSync were failing, and in other cases the IPSEC or the IAS services were failing to start.

    In the case of the AUTD issue, you will see events similar to the following in the application event log:

    Event Type: Error
    Event Source: Server ActiveSync
    Event Category: None
    Event ID: 3015
    Date: 7/12/2008
    Time: 6:38:34 PM
    User: N/A
    Computer: SERVER
    Description:  IP-based AUTD failed to initialize because the processing of notifications could not be setup. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.

    Event Type: Error
    Event Source: Server ActiveSync
    Event Category: None
    Event ID: 3024
    Date: 7/12/2008
    Time: 6:38:37 PM
    User: N/A
    Computer: SERVER
    Description:  IP-based AUTD failed to initialize. Error code: [0x80004005].

    In the case of the IPSEC service failing to start, you will see the following events logged in the system event log:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/12/2008
    Time: 6:38:37 PM
    User: N/A
    Computer: SERVER
    Description:  The IPSEC Services Service terminated with the following error:  Only one usage of each socket address (protocol/network address/port) is normally permitted.

    Event Type: Error
    Event Source: IPSec
    Event Category: None
    Event ID: 4292
    Date: 7/15/2008
    Time: 2:53:14 PM
    User: N/A
    Computer:    SERVER
    Description:  The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer.  For detailed troubleshooting information, review the events in the Security event log.

    If the IPSEC service fails to start, the server will be running in Block mode and it will block all network connectivity to the server. 

    In the case of the IAS Service failing to start, you will see the following event logged in the system event log:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/12/2008
    Time: 6:38:37 PM
    User: N/A
    Computer: SERVER
    Description:  The Internet Authentication Service Service terminated with the following error:  Only one usage of each socket address (protocol/network address/port) is normally permitted.

    MS08-037 is a security update designed to prevent DNS spoofing. The update is described in article 953230, MS08-037: Vulnerabilities in DNS could allow spoofing: http://support.microsoft.com/default.aspx?scid=kb;EN-US;953230

    The update changes the way the DNS server allocates the UDP source port for DNS queries. On an SBS server, by default, we set the MaxUserPort value in the registry to 60000 or 65536, depending on the version of SBS. The MaxUserPort value causes the DNS server to pick UDP source ports in the range of 1024 to 60000, or 65536. MaxUserPort is set on the SBS server by Exchange and ISA Server. By default, DNS randomly picks 2500 ports when the service starts up. A port conflict occurs if the DNS server allocates a port that is required by another service; that service will then fail once it requests that static UDP port. So far we have seen issues with AUTD, IPSEC, and IAS, but there may be other services that will have a conflict.

    The ReservedPorts registry key can be used to exclude ports from the pool the DNS server uses. The ReservedPorts registry key is described in 812873, How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server.

    Here is the list of ports that we have seen conflicts with services on the machine.

    • 1645-1646 - Used by IAS
    • 1701-1701 - Used by L2TP
    • 1812-1813 - Used by IAS
    • 2883-2883 - Used by AUTD
    • 4500-4500 - Used by IPSEC

    For now we are suggesting customers be proactive and modify the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts

    We suggest you add these port numbers to the current values set in the ReservedPorts registry key.  Do not replace the values currently there with these values but simply add these additional values. 

    When you click OK you may get the following warning message:

    [Screenshot: warning message]

    This warning is OK and you can click OK on it.

    Once you modify the ReservedPorts key you will have to reboot the server to make the change effective. 

    If you are using any third party applications on your SBS server that might require the use of a static UDP port higher than port 1024, you should also add it to the list of reserved ports.

    If you have any other issue after installing 951746 and 951748 that is resolved by uninstalling these updates, try setting the ReservedPorts  registry value and rebooting the server.  Then reinstall the 951746 and 951748 updates. 

    Regardless of any other issues you might encounter with these updates (see below), once the updates are installed, you should have the ReservedPorts updated to prevent unexpected failures on server reboot.
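
One way to script the ReservedPorts change described in this post, as an added example that is not code from the original post. It appends the listed ranges to whatever is already in the value and skips any range that an existing entry already covers. The `$Apply` variable and the function names are assumptions of this example, and it defaults to a dry run.

```powershell
# Added example: merge the ranges from the post into ReservedPorts without
# replacing the entries that are already there.
$Apply  = $false   # assumption: set to $true to write the registry
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$name   = 'ReservedPorts'
$needed = '1645-1646', '1701-1701', '1812-1813', '2883-2883', '4500-4500'

function ConvertTo-PortRange([string]$Entry) {
    # Entries have the form start-end, for example 1701-1701 for a single port.
    if ($Entry.Trim() -notmatch '^(\d{1,5})-(\d{1,5})$') { return $null }
    $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
    if ($lo -lt 1 -or $hi -gt 65535 -or $lo -gt $hi) { return $null }
    return @{ Low = $lo; High = $hi }
}

function Merge-ReservedPorts([string[]]$Existing, [string[]]$Needed) {
    # Keep the existing entries untouched and in their original order.
    $merged = @($Existing | Where-Object { $_ -and $_.Trim() })
    $ranges = @($merged | ForEach-Object { ConvertTo-PortRange $_ } | Where-Object { $_ })
    foreach ($entry in $Needed) {
        $new = ConvertTo-PortRange $entry
        if (-not $new) { throw "Malformed range: '$entry'" }
        # Skip a range that an existing entry already covers.
        $covered = $ranges | Where-Object { $_.Low -le $new.Low -and $_.High -ge $new.High }
        if (-not $covered) { $merged += $entry; $ranges += $new }
    }
    return ,[string[]]$merged
}

# A missing value is treated as an empty list.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$merged  = Merge-ReservedPorts $current $needed
"Current: $($current -join ', ')"
"Merged : $($merged -join ', ')"

if ($Apply) {
    Set-ItemProperty -Path $key -Name $name -Value $merged -Type MultiString
    'ReservedPorts updated. Reboot the server for the change to take effect.'
}
```

Third-party services that need a static UDP port above 1024 can be added to `$needed` in the same start-end form.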

    Remember that the 951748 and 951746 updates may also cause a loss of Internet Connectivity in conjunction with 3rd party firewall products.  For more information on that issue see: http://blogs.technet.com/sbs/archive/2008/07/11/loss-of-internet-connectivity-after-installing-951748-and-951746.aspx

    Furthermore, a third type of issue has been seen where the DNS Server service fails to start with the following error:

     

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 7/15/2008
    Time: 5:12:05 PM
    User: N/A
    Computer: Server
    Description:
    The DNS Server service terminated with the following error:
    Not enough storage is available to complete this operation.

    On the servers where we have seen this problem, there were signs of incomplete installations of Windows Server 2003 Service Pack 2. Uninstall both updates (951748 and 951746) and verify that Service Pack 2 is properly installed. You will most likely need to reinstall it; check the following link for best practices: <http://blogs.technet.com/sbs/archive/2007/06/30/new-best-practices-for-sp2-kb.aspx>.

    Update:

    This issue is further discussed in these two new KB articles:

  • The Official SBS Blog

    Cannot Access CompanyWeb After Installing 948110

    [Today's post comes to us courtesy of Damian Leibaschoff and Justin Crosby]

    SharePoint users who upgraded from SQL Server 2000 Desktop Engine (WMSDE) to any other edition of SQL Server 2000 (for example, SQL Server 2000 Standard Edition) may be incorrectly offered a WMSDE update for 948110. This problem can occur if the SQL Server 2000 edition is not patched correctly with SQL Server 2000 Service Pack 4 after the upgrade from WMSDE. The WMSDE update may cause SharePoint to stop working. The issue we are discussing does not apply to SBS 2003 R2 users that migrated to SQL 2005 Workgroup Edition.

    The symptom you will notice is that the service instance (e.g. mssql$Sharepoint) will start and then immediately stop.

    In the C:\Program Files\Microsoft SQL Server\MSSQL$Sharepoint\Log\errorlog file you will see the following:

    2008-07-09 09:38:33.30 spid2     Skipping startup of clean database id 4
    2008-07-09 09:38:33.30 spid2     Skipping startup of clean database id 6
    2008-07-09 09:38:33.30 spid2     Starting up database 'STS_Config'.
    2008-07-09 09:38:33.38 spid5     Clearing tempdb database.
    2008-07-09 09:38:33.41 spid5     Starting up database 'tempdb'.
    2008-07-09 09:38:33.44 spid2     Recovery complete.
    2008-07-09 09:38:34.35 spid2     Database 'master' has invalid schema.  <==Notice the invalid schema. 

    The Windows Update detection logic is being fixed so that this update is not offered incorrectly to non-qualifying products. This change is still pending and should happen at any time now.

    If you are not sure whether your SharePoint instance was upgraded to SQL 2000, you need to check the ERRORLOG files from before the update was installed and review the versions reported there. The log files are usually found in C:\Program Files\Microsoft SQL Server\MSSQL$SharePoint\Log\. If you cannot find an ERRORLOG.n file that is older than the time the update was installed, try to get an older ERRORLOG from backup or shadow copy.

    The CURRENT ERRORLOG will say:

    2008-07-09 09:38:32.94 server    Microsoft SQL Server  2000 - 8.00.2050 (Intel X86)
    Mar  7 2008 21:29:56
    Copyright (c) 1988-2003 Microsoft Corporation
    Desktop Engine (Windows) on Windows NT 5.2 (Build 3790: Service Pack 2)

    While the older ERRORLOGs should say:

    2008-06-17 09:53:09.12 server    Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
    May  3 2005 23:18:38 
    Copyright (c) 1988-2003 Microsoft Corporation
    Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

    If this is your case, then you must properly update the instance back to SQL 2000 standard to regain functionality:

    1. Perform the upgrade again to SQL Server 2000.
      Note You must use the same media that was previously used to perform the upgrade to SQL Server 2000.
      Please refer to the Premium Installation Step that shipped with your version of SBS 2003.  This can be found in the root of the Premium Technologies CD.
    2. Restart the server instance. The server instance should start as the upgraded version.
    3. Apply SQL Server 2000 Service Pack 4.
      Note Make sure that you apply the SQL Server 2000 Service Pack 4 and not the MSDE SP4 or WMSDE SP4 updates.
      For more information about how to obtain SQL Server 2000 Service Pack 4, visit the following Microsoft Web page: http://www.microsoft.com/downloads/details.aspx?FamilyID=8e2dfc8d-c20e-4446-99a9-b7f0213f8bc5&displaylang=en
    4. Manually apply sp4_serv_uni.sql from the Install folder. To do this, type the following command at a command prompt:

      osql -n -b -d master -Slpc:%computername%\SHAREPOINT -i "%programfiles%\Microsoft SQL Server\MSSQL$SHAREPOINT\Install\sp4_serv_uni.sql" -o "%programfiles%\Microsoft SQL Server\MSSQL$SHAREPOINT\Install\sp4_serv_uni.out" -E

      Note These steps assume that the WMSDE installation folder is in the default location. If you are using a custom installation, you must adjust the path accordingly in the command.  Also note that this is a single command that has been wrapped for readability.

    You do not need to re-apply the security update in this scenario. If you have already rolled back the BINN folder, you will be presented with the option to install the update again. Until the MU detection logic is fixed, make sure you are using Microsoft Update and not Windows Update, and select the SQL update (the bottom one in this screenshot), not the Windows update that references WMSDE.

    [Screenshot: list of offered updates]

    Note: You may also receive the errors described above if your MSDB database is damaged; this will also cause the upgrade failure. The reason is that the setup needs to apply scripts that use MSDB stored procedures. This is an uncommon scenario, and most servers will not experience it. This is not a problem with the security update per se, but rather a latent problem in the instance itself. Any version of SQL can be affected by this behavior. If you are experiencing this scenario please contact support for further options <Link to CSS Support site> .
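
The ERRORLOG comparison described in this post can be scripted. The following is an added example, not code from the original post: it extracts the build and edition from the startup banner of two logs and flags an instance that used to report another edition and now reports Desktop Engine. The function names are assumptions, and the sample lines are constructed from the two banners quoted above.

```powershell
# Added example: compare the startup banners of an older and the current ERRORLOG.
function Get-SqlBanner([string[]]$Lines) {
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Microsoft SQL Server\s+2000 - (\d+\.\d+\.\d+)') {
            $build = $Matches[1]
            # The edition is on one of the banner lines that follow the version line.
            for ($j = $i + 1; $j -lt [Math]::Min($i + 5, $Lines.Count); $j++) {
                if ($Lines[$j] -match '^\s*(.+?)\s+on Windows NT') {
                    return @{ Build = $build; Edition = $Matches[1] }
                }
            }
            return @{ Build = $build; Edition = $null }
        }
    }
    return $null   # no banner found in this log
}

function Test-WmsdeOverwrite($Older, $Current) {
    # Scenario from the post: the instance reported a non-WMSDE edition before
    # the update and reports "Desktop Engine (Windows)" afterwards.
    return [bool]($Older -and $Current -and $Older.Edition -and
                  $Older.Edition -notlike 'Desktop Engine*' -and
                  $Current.Edition -like 'Desktop Engine*')
}

# Constructed sample input, taken from the banners quoted in the post. On a server,
# read the real files instead, for example:
#   Get-SqlBanner (Get-Content 'C:\Program Files\Microsoft SQL Server\MSSQL$SharePoint\Log\ERRORLOG.1')
$olderLog = @(
    '2008-06-17 09:53:09.12 server    Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)',
    '    May  3 2005 23:18:38',
    '    Copyright (c) 1988-2003 Microsoft Corporation',
    '    Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)')
$currentLog = @(
    '2008-07-09 09:38:32.94 server    Microsoft SQL Server  2000 - 8.00.2050 (Intel X86)',
    '    Mar  7 2008 21:29:56',
    '    Copyright (c) 1988-2003 Microsoft Corporation',
    '    Desktop Engine (Windows) on Windows NT 5.2 (Build 3790: Service Pack 2)')

$older   = Get-SqlBanner $olderLog
$current = Get-SqlBanner $currentLog
"Older  : $($older.Build) $($older.Edition)"
"Current: $($current.Build) $($current.Edition)"
"Edition changed to Desktop Engine: $(Test-WmsdeOverwrite $older $current)"
```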

  • The Official SBS Blog

    Loss of Internet Connectivity After Installing 951748 and 951746

    We have received reports of customers losing Internet connectivity after installing MS08-037 (951748 and 951746).  This issue can occur on both the server and the clients.  This issue may occur when customers are running ZoneAlarm or Check Point Endpoint Security (previously named Check Point Integrity).  Our investigation so far has shown that no other customers are affected by this issue.

    If you are encountering this issue please review the following:

    Watch the post for updates as we uncover more information.

    Update: Please see the following post with newly discovered information that could affect your SBS servers

    http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
