Windows 2008 server services wont start after reboot

Posted by Dark Training on June 18, 2010 tags: | windows

Recently I came across a real interesting problem with a Windows 2008 server. The server was powered down and then when it came back up it was sluggish and RDP and IIS were not working.

If you logged in as a domain user it would hang perpetually, however logging in a local admin would work.

The machine was fully patched and working completely normally prior to the reboot. However if you logged in as the local admin and looked at the services, a majority had not started yet. Oddly there were no errors in the event log to signal that anything was amiss.

The culprit turned out to be a corrupted SSL cert which locked the SCM database. A Microsoft KB (2004121) outlined this problem.

First you need to check if the SCM is in fact locked. While you are logged in as the local admin run:

sc querylock
The output below indicates that the SCM database is locked

QueryServiceLockstatus - Success
IsLocked : True
LockOwner : .\NT Service Control Manager
LockDuration : 1090 (seconds since acquired)

Following the MS steps I:

1. Open Registry Editor
2. Navigate to HKLM\CurrentControlSet\Services\HTTP and create the following Multi-string value: DependOnService
3. Double click the new DependOnService value that you created
4. Enter CRYPTSVC in the Value Data field and click OK

After you have made this change, you will need to reboot the server.

After the reboot the server was working again and I could RDP once more. The non-ssl pages would load but the SSL pages would now show a connection reset error.

I then went and backed up that new key from above, then deleted it. The permanent fix is as follows, load regedt32 and delete the following key (back it up first though):

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo

Delete the 0.0.0.0:443 member of that entry then reboot. When you reboot the system should once again load as normal. You'll need to reload the SSL cert for the web server from the backup that you hopefully have.

Re-import the PXE and CER backups then reboot once more. After this last reboot load the IIS manager and select the site or sites that you need to reassign the SSL cert to.

Inside the IIS manager, select the site then choose bindings from the left hand menu, reselect the cert from the drop down menu.

That should get you back online, if you still have trouble leave a note below and I'll see if I can help.