ISA 2004 SQL 2000 MSDE and SSL Certificates

Event Type: Error
Event Source: Microsoft Firewall
Event Category: Log
Event ID: 7
User:  N/A

Description:
The Microsoft Firewall was unable to open ADO connection. The MSDE Error description is: Invalid connection string attribute, [DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error..

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 40 00 80               .@.€   

Cause:

An SSL certificate was installed, and MSDE is attempting to use it for its connections. As a result, the Microsoft Firewall service is unable to connect to MSDE. Remove the certificates and reboot the machine.

Windows Server 2008 DNS Block Feature Affects ISA Server Automatic Discovery WPAD Mechanism

Abstract:

Windows Server 2008 introduces a DNS block feature that may affect the ISA Server automatic discovery mechanism when implementing WPAD using a Windows Server 2008 DNS Server.  Therefore, additional configuration steps are necessary to get WPAD to work, when clients are running against a 2008 DNS server.

Details:

The block feature provides a global query block list to reduce the vulnerability associated with dynamic DNS updates. Dynamic update makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address. This convenience comes at a cost, however, because an authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to "hijack" a special name and divert certain types of network traffic to that user's computer. WPAD is a commonly deployed protocol vulnerable to this type of hijacking, and by default WPAD lookup is disabled by the blocking mechanism.

If you want to use WPAD with a Windows Server 2008 DNS, note the following behavior:

  • If WPAD entries are configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.
  • If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.
  • To update the block list, use the dnscmd command-line tool. Open a command prompt, and do the following:
    • To check whether the global query block list is enabled, type:
      dnscmd /info /enableglobalqueryblocklist
      A value of 1 is returned if the block list is enabled.
    • To display the host names in the current block list, type:
      dnscmd /info /globalqueryblocklist
    • To disable the block list, so that the DNS Server service no longer ignores queries for names in the block list, type:
      dnscmd /config /enableglobalqueryblocklist 0
    • To remove all names from the block list, type:
      dnscmd /config /globalqueryblocklist
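The steps above are typed by hand; the script below is an added example (not from the original post) that audits the same state from PowerShell and, instead of disabling the whole block list, shows the narrower fix of dropping only the wpad name while the other protected names stay blocked. It assumes dnscmd.exe is on the path and that dnscmd /info prints its results as "Dword:" and "String:" lines; the $DnsServer parameter is hypothetical.

```powershell
# Added example: audit the DNS global query block list for WPAD before changing it.
# Assumptions: dnscmd.exe is on the path; "dnscmd /info" reports DWORD settings as
# "Dword:  1 (00000001)" and list settings as one "String:  name" line per entry.
param(
    # Hypothetical parameter: remote DNS server to query; empty means the local server.
    [string]$DnsServer = ""
)

function Get-GlobalQueryBlockState {
    param([string]$Server)
    # dnscmd takes the server name as an optional first positional argument
    $target = if ($Server) { @($Server) } else { @() }
    $enabledOut = & dnscmd @target /info /enableglobalqueryblocklist 2>&1
    $listOut    = & dnscmd @target /info /globalqueryblocklist 2>&1

    # Parse the "Dword:" line for the enable flag
    $enabled = $enabledOut | Select-String -Pattern 'Dword:\s+(\d+)' |
               ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
               Select-Object -First 1
    # Parse one "String:" line per blocked name
    $names = @($listOut | Select-String -Pattern 'String:\s+(\S+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value.ToLower() })

    [pscustomobject]@{
        Server       = if ($Server) { $Server } else { $env:COMPUTERNAME }
        Enabled      = ($enabled -eq 1)
        BlockedNames = $names
        # WPAD is only affected when the list is on AND contains wpad
        WpadBlocked  = (($enabled -eq 1) -and ($names -contains 'wpad'))
    }
}

$state = Get-GlobalQueryBlockState -Server $DnsServer
$state | Format-List

if ($state.WpadBlocked) {
    Write-Host "WPAD queries are being ignored on $($state.Server)."
    # Narrowest fix: /config /globalqueryblocklist replaces the whole list with the
    # names given, so re-issue it with every name except wpad. With no names left
    # this is the same as clearing the list, as in the last step above.
    $keep = @($state.BlockedNames | Where-Object { $_ -ne 'wpad' })
    $serverArg = if ($DnsServer) { "$DnsServer " } else { "" }
    Write-Host "To unblock WPAD while keeping the other names blocked, run:"
    Write-Host "  dnscmd $serverArg/config /globalqueryblocklist $($keep -join ' ')"
} else {
    Write-Host "WPAD is not blocked by the global query block list on $($state.Server)."
}
```

After changing the list, re-run the script and confirm WpadBlocked is False; clients still need the wpad host record in the affected zones.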

Further reading:

   "DNS Server Global Query Block List" from TechNet at http://technet.microsoft.com/en-us/network/bb629410.aspx.

Source:

http://blogs.technet.com/isablog/archive/2008/02/19/windows-server-2008-dns-block-feature.aspx

Windows Server 2008 RTM Application Support

What will support Windows Server 2008 at RTM?

  • .NET Framework 2.0 (installed)
  • .NET Framework 3.0 SP1 (part of the Application Server role)
  • .NET Framework 3.5
  • Dynamics CRM 4.0
  • Exchange Server 2007 SP1
  • Forefront Security Server 1.0
  • MOSS SP1 (installation notes for Windows Server 2008: http://support.microsoft.com/kb/936988)
  • SQL Server 2005 SP2
  • System Center Data Protection Manager 2007
  • System Center Configuration Manager 2007 (Formerly SMS)
  • System Center Operations Manager 2007
  • Windows SharePoint Services 3.0 SP1 (installation notes for Windows Server 2008: http://support.microsoft.com/kb/936988)
  • Visual Studio 2008
  • WSUS 3.0 SP1

What are we planning to support in the first half of 2008?

  • We will ship the Hyper-V technology 180 days after RTM
  • Dynamics AX 2009
  • MOM SP1
  • SCCM 2007 SP1
  • System Center Essentials 2001
  • Forefront Client Security SP1

What are we planning to support in the second half of 2008?

  • Application Virtualization 4.5
  • Commerce Server 2007 SP2
  • HIS 2006 SP1
  • MOM 2005 SP1
  • SQL Server 2008
  • System Center Essentials 2001
  • Windows System Center VMM 2.0
  • Windows Essential Business Server
  • Windows Home Server vNext
  • Windows HPC Server 2008

So what will not be supported?

  • SMS 2003
  • System Center Reporting Manager
  • Internet Security and Acceleration Server 2006 and earlier

Source:

http://blogs.msdn.com/neilhut/archive/2008/02/07/microsoft-server-and-tools-support-for-windows-server-2008.aspx

Problem: ISA Server 2006 EE on Windows 2003 R2 Server Stops Routing Traffic (Event Log Event Type Error)

Problem:

ISA Server 2006 EE on Windows 2003 R2 server stops routing traffic.

Event Log:

Event Type: Error
Event Source: ADAM [ISASTGCTRL] General
Event Category: Internal Processing
Event ID: 2537
Date:  9/22/2007
Time:  10:22:29 PM
User:  NT AUTHORITY\ANONYMOUS LOGON
Description:
The directory server has failed to create the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.
 
Additional Data
SCP object DN:
CN={GUID removed},CN=SERVERNAME,OU=SomeOUName,DC=domain,DC=name,DC=com
Error value:
5 Access is denied.
Server error:
00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 
Internal ID:
3390387
ADAM service account:
NT AUTHORITY\NETWORK SERVICE
 
User Action
If ADAM is running under a local service account, it will be unable to update the data in the Active Directory. Consider changing the ADAM service account to either NetworkService or a domain account.
 
If ADAM is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object.
 
ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.

Solution:

http://www.microsoft.com/technet/isa/2004/plan/ts_css.mspx says:
Verify that required Service Principal Names (SPNs) are properly registered. SPNs are created when the ADAM service starts, and are created as an attribute on the user account running the ADAM service. For instructions, see the "Administering ADAM service principal names" topic in the ADAM.chm help file located in the %windir%\help folder on the Configuration Storage server computer.

To do this, go into %Program Files%\Microsoft ISA Server\ADAMData and look for a .bat file that is named the same as your domain. Run it as a domain and schema/enterprise administrator.

Alternatively, start ISA 2006 setup (you don't have ISA running on a DC, right?) and repair the install.

Reboot the server.