Problems with BFE on Windows 2008 Server


Links:

http://social.technet.microsoft.com/forums/en-US/itprovistanetworking/thread/5744a4b6-31a2-4f2e-b27e-e99627be5aba
http://social.technet.microsoft.com/Forums/en/itprovistanetworking/thread/0db5ff78-2ba5-480e-8ee2-9a6c65e927bd

In essence, even paid M$ Support will struggle with this problem. On our call the tech had never seen this issue on Server 2008, though it is a bit more common on Vista and pre-release Windows 7.

What happens is that a number of services, including Windows Firewall, Base Filtering Engine, DHCP Client and/or DHCP Server, may simply stop working. You may also see a notice in the task bar that the system cannot connect to a network (sometimes you will still have Internet connectivity).

On a Windows 2008 Domain Controller there are additional problems: the server cannot send DHCP ACKs, and its own network connectivity may be limited or offline. You may also find that pinging the server fails. If the server is a DNS server (AD DC or not), DNS resolution for clients will fail as well.

You may see services, in particular the Windows Firewall service, fail with Error 5 (Access Denied), which is the classic symptom of this problem. Other Event IDs may include:

  • Event 7023, Service Control Manager Eventlog Provider - The Diagnostic Policy Service service has terminated with the following error: Access Denied
  • Event 1055, GroupPolicy - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
  • Event 7024, Service Control Manager Eventlog Provider - The Network Location Awareness service terminated with service-specific error 3221226008 (0xC0000218).
  • Event 7001, Service Control Manager Eventlog Provider - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The operation completed successfully.
  • Event 7001, Service Control Manager Eventlog Provider - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
  • Event 7023, Service Control Manager Eventlog Provider - The DHCP Client service terminated with the following error: Access is denied.
  • Event 7023, Service Control Manager Eventlog Provider - The Base Filtering Engine service terminated with the following error: Access is denied.
  • Event 7023, Service Control Manager Eventlog Provider - The Diagnostic Policy Service service terminated with the following error: Access is denied.
  • Event 1129, Group Policy - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
The links above provide some more granular ideas, but in the end be SURE that:
  • Each service runs under the Local Service account (type the account name in on the service's Log On tab; don't click the radio button).
  • Local Service has FULL permissions on HKLM\SYSTEM\CurrentControlSet\Services. IF you need to drill down, then be sure that AT LEAST these permissions are set:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip: "Local Service" Full, Read (add this permission). When adding the account, remember to select the LOCAL server as the location (security context), not "Entire Network", or you will have trouble. This applies to the entries below as well.
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE: "NT Service\BFE" Full, Read (add this permission)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS: "NT Service\TrustedInstaller" Full, Read (add this permission)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc: "NT Service\NlaSvc" Full, Read (add this permission)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch: "NT Service\MpsSvc" Query, Set Value (add this permission)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy: "NT Service\MpsSvc" Full, Read (add this permission)
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy: "NT Service\MpsSvc" Full, Read (add this permission)
  • Be sure to reboot the server afterwards. Then try to start the BFE and Windows Firewall services from the Services MMC snap-in (Start, Administrative Tools, Services, or run services.msc).
  • IF this does not work, then add Local Service AND Network Service with FULL permissions on HKLM\SYSTEM\CurrentControlSet\Services (again, be sure the location is the local server when adding the "user").
  • IF this does not work, then add Everyone with Full permissions on HKLM\SYSTEM\CurrentControlSet\Services.
  • IF this still does not work, then add Everyone with Full permissions on HKLM\SYSTEM. This may error and is certainly very permissive, so try all of the above before opening up this section of the registry.
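The symptom list and the per-key permission list above can both be checked in one pass. The script below is an added example, not part of the original post or of any Microsoft KB: it reports the state and logon account of the services named on this page, pulls the System-log events with the IDs listed as symptoms, and audits each registry key for the exact principal and rights the page gives, optionally adding only the missing per-key entries. It assumes an elevated PowerShell on the affected server and that the principal names and key paths are exactly as listed above; the broader "Local Service plus Network Service", "Everyone on Services" and "Everyone on HKLM\SYSTEM" fall-back steps are deliberately left as manual escalations, since each widens the DACL considerably.

```powershell
# Added example (not from the original post). Save as Check-BfePerms.ps1 and run
# in an elevated PowerShell on the affected server. Use -Apply to add the
# missing per-key permissions listed on the page; without it the script only reports.
param([switch]$Apply)

# 1. Services the page names: state, start mode and logon account.
#    Win32_Service exposes StartName (the logon account); Get-Service does not.
$services = 'BFE', 'MpsSvc', 'DPS', 'NlaSvc', 'Dhcp', 'DHCPServer'
$filter   = "Name='" + ($services -join "' OR Name='") + "'"
Get-WmiObject Win32_Service -Filter $filter |
    Select-Object Name, State, StartMode, StartName |
    Format-Table -AutoSize

# 2. Recent System-log events with the IDs the page lists as symptoms
#    (7001/7023/7024 from the Service Control Manager, 1055/1129 from Group Policy).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7001, 7023, 7024, 1055, 1129 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 3. Per-key permissions the page says must be present. "Full, Read" is
#    expressed as FullControl (which includes Read); "Query, Set Value" as
#    QueryValues, SetValue. Principal names are as given on the page.
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip';
       Identity = 'NT AUTHORITY\LOCAL SERVICE'; Rights = 'FullControl' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE';
       Identity = 'NT SERVICE\BFE'; Rights = 'FullControl' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DPS';
       Identity = 'NT SERVICE\TrustedInstaller'; Rights = 'FullControl' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc';
       Identity = 'NT SERVICE\NlaSvc'; Rights = 'FullControl' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch';
       Identity = 'NT SERVICE\MpsSvc'; Rights = 'QueryValues, SetValue' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy';
       Identity = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy';
       Identity = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' }
)

$missing = @()
foreach ($e in $expected) {
    if (-not (Test-Path $e.Key)) { Write-Warning "Key not found: $($e.Key)"; continue }
    $wanted = [System.Security.AccessControl.RegistryRights]$e.Rights
    $acl    = Get-Acl -Path $e.Key
    # An Allow ACE for the principal whose rights cover everything we want.
    # Note: ACEs carrying generic rights (shown as a negative number) are not
    # matched here; re-run after a change to confirm the explicit ACE is present.
    $ok = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $e.Identity -and
        (($_.RegistryRights -band $wanted) -eq $wanted)
    }
    if ($ok) { "OK       $($e.Identity) has $($e.Rights) on $($e.Key)" }
    else     { "MISSING  $($e.Identity) lacks $($e.Rights) on $($e.Key)"; $missing += $e }
}

if ($Apply -and $missing) {
    foreach ($e in $missing) {
        $wanted = [System.Security.AccessControl.RegistryRights]$e.Rights
        # Inherit to subkeys and values, mirroring what the Regedit dialog grants.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $e.Identity, $wanted, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl = Get-Acl -Path $e.Key
        $acl.AddAccessRule($rule)
        Set-Acl -Path $e.Key -AclObject $acl   # fails if the caller may not write the key's DACL
        "ADDED    $($e.Identity) $($e.Rights) on $($e.Key)"
    }
    "Reboot, then start the services: Start-Service BFE; Start-Service MpsSvc"
}
```

Run it once without -Apply to see which of the page's entries are actually absent before touching the DACLs; the "MISSING" lines map one-to-one onto the bullet list above, so you only add the entries that are genuinely missing rather than widening permissions wholesale. If every entry reports OK and the services still fail with Access is denied, that is the point at which the page's broader fall-back steps come into play.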
