Microsoft Bug Uncovered

Our crack team of engineers here at Architel uncovered a new bug in Microsoft Server 2003 while deploying Live Communications Server. After working directly with Microsoft for over 18 hours, Microsoft acknowledged the bug and created a fix (they even refunded our money as payment for our work helping them debug). Here are the details. FYI, "R2" is the new version of Server 2003 that is shipping: it's preloaded with SP1, and Microsoft is no longer shipping the previous version. Additionally, you can't use an R2 VLK on the old Server 2003.

There were 6 distinct issues which held up the Client servers: SMB signing, MSDTC registry permissions, Intersite Messaging service disabled, MTU, Kerberos TCP.

SBS disabled Intersite messaging (Event IDs 1030, 1058, and 1097)
SBS server, by default, has the Intersite Messaging service disabled. This caused site-to-site communication issues.

SMB signing enabled during dcpromo (Event IDs 1030, 1058, and 1097)
When running dcpromo on the R2 servers, enablesecuritysignature and requiresecuritysignature are set for the lanmanserver service and cleared for lanmanworkstation. This leaves the DC unable to talk to itself; you have to manually edit the registry and set requiresecuritysignature to 0 for both lanmanserver and lanmanworkstation. I would assume the exception to be when you are already running in an environment in which all existing DCs have enablesecuritysignature set.

MTU size
Intra-Op has a decent-sized AD because of all of the group policies and OUs created by SBS. IPSec links chop a little off the MTU for packets, and this affects AD replication. Setting the MTU size on one server fixes things up. This fix requires Microsoft patch 898060 and a registry setting.

Kerberos UDP
Again, because of the reduced MTU and large AD, Kerberos is affected as well. Setting MaxPacketSize under the Lsa\Kerberos\Parameters registry key resolves this.

MSDTC registry permissions (Event ID 53258)
I am not sure, but I believe the problematic dcpromo process causes the MSDTC 53258 event IDs. Microsoft had an internal memo on this; the fix is to give "Network Service" Create Subkey and Set Value permissions on the HKLM\Software\Microsoft\MSDTC registry key.

DNS server required on DC (Event IDs 1030, 1097)
I'm not sure if this is R2 or SP1, but on a DC, during bootup, the AD service will sometimes try to start before the network stack is up. The result is that if you don't have DNS installed on the DC you'll get event IDs 1030 and 1097 on startup.
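The registry changes above (SMB signing on the LanmanServer and LanmanWorkstation services, Kerberos MaxPacketSize, the per-interface MTU, and the MSDTC key permissions) are easy to get wrong by hand and easy to forget about later, so the following read-only audit script is added here as an example; it is not part of the original post and not Microsoft's tooling. It only reports: it does not change anything. The key paths are the standard Windows locations for these values; the "expected" value of 0 for RequireSecuritySignature is what the post says was needed in that environment and is an assumption you should weigh against your own domain policy, since RequireSecuritySignature=0 means SMB signing is negotiated but no longer enforced on that DC. The post does not give a value for MaxPacketSize or MTU, so those are reported without an expectation.

```powershell
# Added example (not from the original post): read-only audit of the registry
# settings the post describes. Run in an elevated PowerShell on the DC.
# Paths are the standard Windows locations; "Expected" values are assumptions
# taken from the post, not Microsoft guidance, so compare them against your own policy.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null (rather than throwing) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Expected = $null means "report only, no expectation stated in the post".
$checks = @(
    @{ Name = 'LanmanServer EnableSecuritySignature';       Path = $srv; Value = 'EnableSecuritySignature';  Expected = $null },
    @{ Name = 'LanmanServer RequireSecuritySignature';      Path = $srv; Value = 'RequireSecuritySignature'; Expected = 0 },
    @{ Name = 'LanmanWorkstation EnableSecuritySignature';  Path = $wks; Value = 'EnableSecuritySignature';  Expected = $null },
    @{ Name = 'LanmanWorkstation RequireSecuritySignature'; Path = $wks; Value = 'RequireSecuritySignature'; Expected = 0 },
    @{ Name = 'Kerberos MaxPacketSize';                     Path = $krb; Value = 'MaxPacketSize';            Expected = $null }
)

'{0,-48} {1,-10} {2}' -f 'Setting', 'Current', 'Status'
foreach ($c in $checks) {
    $v = Get-RegValueOrNull -Path $c.Path -Name $c.Value
    $shown  = if ($null -eq $v) { '<not set>' } else { $v }
    $status = if ($null -eq $c.Expected) { 'report only' }
              elseif ($v -eq $c.Expected) { 'matches post' }
              else { 'DIFFERS (post used {0})' -f $c.Expected }
    '{0,-48} {1,-10} {2}' -f $c.Name, $shown, $status
}

# Per-interface MTU overrides (only interfaces that have an explicit MTU value are listed).
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $mtu = Get-RegValueOrNull -Path $_.PSPath -Name 'MTU'
    if ($null -ne $mtu) { '{0,-48} {1,-10} {2}' -f ('MTU on ' + $_.PSChildName), $mtu, 'report only' }
}

# MSDTC key ACL: show what NETWORK SERVICE holds, so Create Subkey / Set Value
# can be confirmed (RegistryRights CreateSubKey and SetValue) without editing the ACL.
$msdtcAcl = Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\MSDTC' -ErrorAction SilentlyContinue
if ($null -ne $msdtcAcl) {
    $msdtcAcl.Access |
        Where-Object { $_.IdentityReference -like '*NETWORK SERVICE*' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize
} else {
    'HKLM\SOFTWARE\Microsoft\MSDTC not found'
}
```

Running this before and after a dcpromo on a new R2 server makes the change the post describes visible: the LanmanServer RequireSecuritySignature line flips from 0 to 1 while the LanmanWorkstation line does not, which is the mismatch that leaves the DC unable to talk to itself. The MSDTC section prints the existing NETWORK SERVICE access-control entries; CreateSubKey and SetValue should appear in RegistryRights once the permission fix has been applied.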

Here are all the related MS KB articles:

How to Troubleshoot Black Hole Router Issues.

http://support.microsoft.com/?kbid=314825

How to force Kerberos to use TCP instead of UDP in Windows Server 2003

http://support.microsoft.com/?kbid=244474

Applying Group Policy causes Userenv errors and events to occur

http://support.microsoft.com/?kbid=887303

You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server service on a domain controller.

http://support.microsoft.com/?kbid=839499

How to troubleshoot Event ID 1311 messages on a Windows 2000 domain

http://support.microsoft.com/kb/307593/en-us

DNS, Intersite Messaging, Global Catalog, NTFRS, and "Invalid Credentials" Error Messages on Domain Controller

http://support.microsoft.com/kb/305837/en-us

The fix from Doug Martin at Microsoft: Let's load the MMC and snap in the LCS admin console. Then save the console as wrtcsnap2.msc. Rename the wrtcsnap2.msc in the %windir%\system32 folder to wrtcsnap2.old and copy in the newly created one.

And it worked…
