Microsoft KB Archive/317413

= ISA Server does not start and logs Event 7023 and Event 11009 =

Article ID: 317413

Article Last Modified on 4/15/2005


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition




This article was previously published under Q317413



SYMPTOMS
If you use the Active Directory-based version of Internet Security and Acceleration (ISA) Server 2000 (this is the Enterprise Edition of ISA Server 2000), the ISA Server services may not start, and the following entries may be logged:

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Computer:

Description:

The Microsoft Firewall service terminated with the following error: The server is not operational.

Event Type: Error

Event Source: Microsoft ISA Server Control

Event ID: 11009

Computer:

Description:

Microsoft ISA Server Control failed to start......

These entries appear on every ISA Server array member.

Note that the globally unique identifiers (GUIDs) that are specified in these error entries may vary.



RESOLUTION
To resolve this issue, use either of the following methods:

 * Change the relevant attribute in Active Directory by using the ADSI Edit tool.

   Warning If you use the ADSI Edit snap-in and incorrectly modify the attributes of Active Directory objects, you can cause serious problems that may require you to reinstall Microsoft Windows 2000 Server or ISA Server 2000. Microsoft cannot guarantee that problems that result from the incorrect modification of Active Directory object attributes can be solved. Modify these attributes at your own risk. If you are running Microsoft Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

   1. Expand the Domain NC container.
   2. Right-click DC=[ ], DC=[ ], and then select Properties.
   3. Click the Security tab.
   4. Click Advanced.
   5. On the Permissions tab, click Authenticated Users and then click View/Edit.
   6. Make sure the Apply onto drop-down box is set to This object only.
   7. In the Permissions list, make sure the following items are set to Allow:
       * List Contents
       * Read All Properties
       * Read Permissions
   8. Wait until replication is performed for all domain controllers in the domain.

 * Determine whether the relevant permission is enabled on the array itself. To do this, open the array node properties in the ISA Management console, and then check the Security tab.

Note that the Authenticated Users group is a built-in group (the SID is S-1-5-11). Any account in the server's domain (or in any domain that is trusted by the server's domain) that opens an authenticated network connection is identified as an authenticated user. Because the ISA Server services run under the local system account, a service's connection to a domain controller is also identified as a member of the Authenticated Users group. Therefore, it is important to give Read permission to this group on the system node (which is the parent node of the ISA Server configuration) and on all of the ISA Server nodes.
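The permission check from the resolution can also be run against an exported security descriptor. The following Python is an added example, not part of the original article or of any Microsoft tool: it parses an SDDL string and reports which of the three permissions Authenticated Users (alias AU, SID S-1-5-11) lacks on the object itself. It assumes the administrator has already exported the SDDL string for the domain object, considers only plain allow and deny ACEs, and uses function names and sample descriptors constructed for illustration.

```python
import re

# SDDL right codes and access-mask bits for the three permissions the article lists.
RIGHTS = {"LC": 0x4, "RP": 0x10, "RC": 0x20000}
LABELS = {"LC": "List Contents", "RP": "Read All Properties", "RC": "Read Permissions"}
AUTH_USERS = {"AU", "S-1-5-11"}  # SDDL alias and SID of Authenticated Users


def pairs(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    return re.findall("..", field)


def parse_mask(rights):
    """Convert an SDDL rights field (hex such as 0x20014, or letter codes) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHTS.get(code, 0) for code in set(pairs(rights)))


def check_authenticated_users(sddl):
    """Return (missing permission labels, True if all matching ACEs are 'This object only')."""
    granted, denied, this_object_only = 0, 0, True
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        parts = ace.split(";")
        if len(parts) != 6:
            continue  # not a basic ACE string
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts
        # Audit ACEs in the SACL have other type codes, so only A and D are considered.
        if trustee not in AUTH_USERS or ace_type not in ("A", "D") or obj_guid:
            continue
        if "IO" in pairs(flags):
            continue  # inherit-only: does not apply to the object itself
        if ace_type == "D":
            denied |= parse_mask(rights)  # conservative: any deny counts as blocking
            continue
        granted |= parse_mask(rights)
        if {"CI", "OI"} & set(pairs(flags)):
            this_object_only = False
    effective = granted & ~denied
    missing = [LABELS[c] for c, bit in RIGHTS.items() if not effective & bit]
    return missing, this_object_only


# Constructed sample descriptors (not taken from a real domain).
GOOD = "O:DAG:DAD:(A;;RPLCRC;;;AU)(A;CI;RPWPLCRC;;;DA)S:(AU;SA;WP;;;WD)"
BAD = "O:DAG:DAD:(A;;RP;;;S-1-5-11)(A;CIIO;LCRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_authenticated_users(sddl))
```

An empty first element means all three permissions are allowed on the object; a second element of False means a matching ACE is set to inherit to child objects instead of This object only.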

<div class="references_section">