Yeah, ok today is not an OpsMgr post but about “Microsoft Forefront Threat Management Gateway server” (TMG). Because there is almost nothing known about this strange issue I described the steps which I did to solve the case.
I had 6 Windows 2008 R2 server (for TMG) deployed in a ESX environment in which I have installed TMG with a single adapter. I was successful in installing TMG, defining the internal network etc, however when I restart the server for the first time after initial configuration, it takes approx. 16 minutes at the “Applying Computer Settings” which is very slow. After these 16 minutes I can login but the TMG Services are stopped.
- The following service is taking more than 16 minutes to start and may have stopped responding: Microsoft Forefront TMG Control - The following service is taking more than 16 minutes to start and may have stopped responding: SQL Server Reporting Services (ISARS) - The Microsoft Forefront TMG Control service terminated with service-specific error The wait operation timed out.. - The SQL Server Reporting Services (ISARS) service hung on starting. - The Microsoft Forefront TMG Firewall service depends on the Microsoft Forefront TMG Control service which failed to start - The Microsoft Forefront TMG Managed Control service depends on the Microsoft Forefront TMG Control service which failed to start - The Microsoft Forefront TMG Job Scheduler service depends on the Microsoft Forefront TMG Control service which failed to start
I noticed that the issue happens circa 70% of the Windows servers; the other ones where functioning ok. I had the option of manually starting the services after the reboot and everything works 100%. Until a new reboot the issue came back.
After this I applied the following steps; Checked the following settings: - IP configuration - DNS configuration - Windows Setup - Ran the BPA; found nothing strange All settings where ok
Installed the following updates:- Service pack 1 for TMG 2010 - Software Update 1 for TMG 2010 - Software Update 2 for TMG 2010 (Hotfix) Rebooted the server but no luck
Server dependenciesThen I checked the service startup dependencies comparing the working servers against the nonworking servers; I found out that the servers where the 16 minutes delay happens the dependencies where not setup properly. Changed the startup dependencies according to the succesfull servers (default+http+keyiso) with the following command:
Rebooted the machine and it started up within 3 minutes without any errors. Contacted Microsoft about this and they stated it is a known issue. They did not have an explanation why it does not happen all the time. They confirmed it was a bug and the command I ran solved the issue.
Cause: The issue is that while the Control service is starting (has not reported the started state back to SCM), its actions might require to start additional service(s). This causes a Service Control Manager deadlock due to which services cannot start right on time. This causes the “slow boot” behavior. Therefore, we added the dependencies, so that the required services are started before the control service. This way we avoid the above problem.