Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

ISA Server does not start and logs Event 7023 and Event 11009



Symptoms

If you use the Active Directory-based version of Internet Security and Acceleration (ISA) Server 2000 (this is the Enterprise Edition of ISA Server 2000), the ISA Server services may not start, and the following entries may be logged:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Computer: computername
Description:
The Microsoft Firewall service terminated with the following error: The server is not operational.

Event Type: Error
Event Source: Microsoft ISA Server Control
Event ID: 11009
Computer: computername
Description:
Microsoft ISA Server Control failed to start......
These entries appear on every ISA Server array member.

Note that the globally unique identifiers (GUIDs) that are specified in these error entries may vary.



Resolution

To resolve this issue, use either of the following methods:
  • Change the relevant attribute in Active Directory by using the ADSI Edit tool.

    Warning If you use the ADSI Edit snap-in and incorrectly modify the attributes of Active Directory objects, you can cause serious problems that may require you to reinstall Microsoft Windows 2000 Server or ISA Server 2000. Microsoft cannot guarantee that problems that result from the incorrect modification of Active Directory object attributes can be solved. Modify these attributes at your own risk. If you are running Microsoft Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

    1. Expand the Domain NC container.
    2. Right-click DC=[your domain], DC=[root domain], and then select Properties.
    3. Click the Security tab.
    4. Click Advanced.
    5. On the Permissions tab, click Authenticated Users and then click View/Edit.
    6. Make sure the Apply onto drop-down box is set to This object only.
    7. In the Permissions list, make sure the following items are set to Allow:
      • List Contents
      • Read All Properties
      • Read Permissions
    8. Wait until replication is performed for all domain controllers in the domain.
  • Determine whether the relevant permission is enabled on the array itself. To do this, open the array node properties in the ISA Management console, and then check the Security tab.
Note that the Authenticated Users group is a built-in group (the SID is S-1-5-11). Any account in the server's domain (or in any domain that is trusted by the server's domain) that opens an authenticated network connection is identified as an authenticated user. Because the ISA Server services run under the local system account, a service's connection to a domain controller is also identified as a member of the Authenticated Users group. Therefore, it is important to give Read permission to this group on the system node (which is the parent node of the ISA Server configuration) and on all of the ISA Server nodes.
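
The check in steps 5 through 7 can also be scripted. The following PowerShell is an added example and is not part of the original KB article; the function name Test-AuthUsersRead, the sample SDDL string, and the DC=example,DC=com distinguished name are assumptions made for illustration. It inspects Allow entries only and does not evaluate Deny entries.

```powershell
Add-Type -AssemblyName System.DirectoryServices

# ADSI Edit label from step 7 -> ActiveDirectoryRights flag checked for that label.
$Required = [ordered]@{
    'List Contents'       = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    'Read All Properties' = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    'Read Permissions'    = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl
}

function Test-AuthUsersRead {
    # Hypothetical helper name. Reports, per permission, whether an Allow ACE for
    # Authenticated Users (S-1-5-11) grants it on the object itself.
    param([Parameter(Mandatory)]
          [System.DirectoryServices.ActiveDirectorySecurity]$Security)

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $granted     = 0
    foreach ($ace in $Security.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne 'S-1-5-11') { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, not to this object.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        # A non-empty ObjectType limits the ACE to a single property or class,
        # which is not the same as "Read All Properties".
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
    foreach ($name in $Required.Keys) {
        $flag = [int]$Required[$name]
        [pscustomobject]@{
            Permission = $name
            Allowed    = (($granted -band $flag) -eq $flag)
        }
    }
}

# Constructed sample descriptor: Authenticated Users (AU) is allowed List Contents
# (LC) and Read Permissions (RC), but Read All Properties (RP) is missing.
$sample = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sample.SetSecurityDescriptorSddlForm('D:(A;;LCRC;;;AU)')
Test-AuthUsersRead -Security $sample | Format-Table -AutoSize

# Against a live domain, pass the domain object's descriptor instead. The DN is a
# placeholder to replace with your own domain:
# Test-AuthUsersRead -Security ([ADSI]'LDAP://DC=example,DC=com').psbase.ObjectSecurity
```

For the constructed sample, the Read All Properties row reports Allowed as False, which is the condition the Resolution steps correct.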



References

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
243330 Well Known Security Identifiers in Windows Server Operating Systems



Keywords: KB317413, kbprb, kbnofix, kbfaq, kberrmsg


Article Info
Article ID : 317413
Revision : 5
Created on : 4/15/2005
Published on : 4/15/2005
Exists online : False