SBS: Some services fail to start or may not work with MS08-037 (KB951746 and KB951748)

If you have not installed it yet, please note that random problems with services have been reported after installing MS08-037 (KB951746 and KB951748). In one case, Exchange Always Up To Date (AUTD) notifications for ActiveSync were failing; in other cases the IPSEC or the IAS service was failing to start.

MS08-037 is a security update designed to prevent DNS spoofing. The update is described in article 953230, MS08-037: Vulnerabilities in DNS could allow spoofing: http://support.microsoft.com/default.aspx?scid=kb;EN-US;953230

The update changes the way the DNS server allocates the UDP source port for the queries it sends. On an SBS server, Exchange and ISA Server set the MaxUserPort value in the registry to 60000 or 65536, depending on the version of SBS, which makes the range of ports the DNS server can pick from 1024 through that value. After the update, the DNS server randomly picks 2500 UDP ports from that range when the service starts and keeps them. If one of those ports is a port that another service needs, that service fails as soon as it requests its static UDP port. So far conflicts have been seen with AUTD, IPSEC, and IAS, but any other service that binds a fixed UDP port inside that range can be affected in the same way.

The ReservedPorts registry key can be used to exclude ports from the pool the DNS server picks from. The ReservedPorts key is described in article 812873, How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server. Because the DNS server takes its 2500 ports when the service starts, reserve the UDP port or port range of each affected service before the DNS Server service next starts; the reservation takes effect after a restart.
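The following PowerShell is an added example, not code from the original post or from Microsoft. It shows the two checks a practitioner would want for the problem described above: find out which UDP listeners already sit inside the range the DNS server draws from (1024 through MaxUserPort), with the process that owns each, and then reserve a port range through ReservedPorts so the DNS socket pool can no longer take it. It assumes the Tcpip\Parameters registry path for MaxUserPort and ReservedPorts as documented in KB812873, an elevated session, and the netstat -ano output format of Windows Server 2003 and later. The RADIUS ports 1812-1813 in the usage lines are shown only as an example of a range a failing service (here IAS) might need; confirm the ports of your own failing service from its documentation before reserving them.

```powershell
# Added example, not from the original post. Registry locations assumed from KB812873.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsSourcePortRange {
    # The DNS socket pool is drawn from 1024 up to MaxUserPort.
    # When MaxUserPort is absent the pre-Vista stack stops at 5000 (SBS raises it).
    $prop = Get-ItemProperty -Path $tcpip -Name MaxUserPort -ErrorAction SilentlyContinue
    $max = if ($prop -and $prop.MaxUserPort) { [int]$prop.MaxUserPort } else { 5000 }
    New-Object PSObject -Property @{ Start = 1024; End = $max }
}

function Get-UdpListenersInRange {
    param([int]$Start, [int]$End)
    # Parses lines such as "UDP    0.0.0.0:1812    *:*    1234" from netstat -ano.
    # Every port listed here is one the DNS server could have grabbed at startup,
    # or will be able to grab at its next start, unless it is reserved.
    netstat -ano -p UDP | ForEach-Object {
        if ($_ -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
            $port = [int]$matches[1]
            $procId = [int]$matches[2]
            if ($port -ge $Start -and $port -le $End) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.ProcessName } else { '?' }
                New-Object PSObject -Property @{ Port = $port; PID = $procId; Process = $name }
            }
        }
    } | Sort-Object Port -Unique
}

function Add-ReservedPortRange {
    # ReservedPorts is a REG_MULTI_SZ of "low-high" strings (KB812873).
    # Existing entries are kept; the new range is appended once.
    param(
        [Parameter(Mandatory=$true)][int]$Start,
        [int]$End = $Start,
        [switch]$WhatIf
    )
    if ($End -lt $Start) { throw "End ($End) must not be lower than Start ($Start)" }
    $entry = "$Start-$End"
    $prop = Get-ItemProperty -Path $tcpip -Name ReservedPorts -ErrorAction SilentlyContinue
    $current = @($prop.ReservedPorts | Where-Object { $_ -ne $null -and $_ -ne '' })
    if ($current -contains $entry) {
        Write-Host "ReservedPorts already contains $entry"
        return $current
    }
    $new = $current + $entry
    if ($WhatIf) {
        Write-Host "Would set ReservedPorts to: $($new -join ', ')"
        return $new
    }
    Set-ItemProperty -Path $tcpip -Name ReservedPorts -Value ([string[]]$new) -Type MultiString
    Write-Host "ReservedPorts is now: $($new -join ', ') (restart required)"
    $new
}

# Usage: list what is exposed to the DNS socket pool, then reserve what a
# failing service needs. 1812-1813 (RADIUS, used by IAS) is only an example.
$range = Get-DnsSourcePortRange
Write-Host "DNS server source ports come from $($range.Start)-$($range.End)"
Get-UdpListenersInRange -Start $range.Start -End $range.End | Format-Table Port, PID, Process -AutoSize
Add-ReservedPortRange -Start 1812 -End 1813 -WhatIf
```

Run it first with -WhatIf to see the resulting ReservedPorts list, then without it to write the value, and restart the server so that the reservation is in place before the DNS Server service allocates its socket pool again. The listener audit is worth repeating after the restart: a service that could not start earlier will not show up in the list until it is running.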
