
Uninstall SEP on SBS 2003 server breaks RRAS and ISA 2004

Created: 29 Dec 2007 • Updated: 21 May 2010 | 20 comments
Thanks to KJKaminski and the thread at https://forums.symantec.com/syment/board/message?board.id=endpointcust&message.id=1265 for saving the day! I thought this was important enough to file under a new thread.
 
I spent almost 6 hours with support in India yesterday trying to sort out all the problems with SEP 11.0 on my SBS 2003 network. When we uninstalled SEP on the server and rebooted to solve a group enrollment problem I lost all access to the Internet because ISA wasn't working (Note: I use 2 NIC's, one for the inside LAN and the other for the Internet). Later I tried to uninstall ISA and use RRAS but it wouldn't work either. Here is my collection of error messages encountered along the way for those of you who are Googling for a solution:
 
Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20151
Date:  12/28/2007
Time:  2:21:26 PM
User:  N/A
Computer: SBS1
Description:
The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll returned an error while initializing. The specified module could not be found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 00 00               ~...

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Date:  12/28/2007
Time:  2:21:26 PM
User:  N/A
Computer: SBS1
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 00 00               ~...

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date:  12/28/2007
Time:  3:48:09 PM
User:  N/A
Computer: SBS1
Description:
The Remote Access Connection Manager service terminated with the following error:
The specified module could not be found.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20070
Date:  12/28/2007
Time:  3:46:45 PM
User:  N/A
Computer: SBS1
Description:
Point to Point Protocol engine was unable to load the C:\Program Files\SAV\SymRasMan.dll module. The specified module could not be found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7e 00 00 00               ~...   
 
The support rep had no idea what to do but waited patiently while I attempted to solve the problem with Microsoft's software. I finally ended the call and resumed on my own later. After three hours of Googling I found the hint of a solution above. I agree with KJKaminski that Symantec are replacing MS DLL's with their own.
 
I believe this should be documented and the uninstall should restore the original functionality. Unfortunately it appears that RRAS cannot be reinstalled on Windows 2003 so it appears I may have to reinstall SEP until I can find a way to fix the registry - not a problem unless I decide that SEP isn't worth the trouble! At this point I have reinstalled SEP and RRAS now works. Next step is to restore ISA and see if my other SEP problems are behind me.
 
In case I decide to revert back to SAV 10 until all SEP's problems are sorted out it would be greatly appreciated if someone knows an easy way to restore RRAS functionality on Windows 2003 and post it here. Thanks in advance.

Comments 20 CommentsJump to latest comment

Paul Murgatroyd's picture
thanks for the post Brian, in order to provide our Transparent NAC solution we need to hook our own dll's into Microsoft's implementation of 802.1x - we don't physically delete or remove their dll's, we just add ours into the mix and redirect anything else back to theirs.
 
Can you please take a look on your server, under the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP
 
you should see several folders.  In 13, 25 and 88 you should see references to our NAC dll's.  What you should also see there is the original Microsoft dll references with the word "Backup" added to their name.  It would appear that on some systems when we remove SEP we don't revert these keys (I've tested many times and it's always worked for me) - you can however manually change these back and that will restore ISA and RRAS functionality.
 
hth, please shout if I can help with anything else
 
 

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Brian Stevens's picture
Thanks for your reply. Yes I see. Things like:
 
ConfigUiPathBackup = C:\Program Files\SAV\SymRasMan.dll
IdentityPathBackup = C:\Program Files\SAV\SymRasMan.dll
 
which I never noticed before. I assume they should read:
 
ConfigUiPathBackup = C:\Windows\System32\RasMan.dll
IdentityPathBackup = C:\Windows\System32\RasMan.dll
 
I installed SEP with the wrong options and then I think I over-installed with the correct options. That is probably why my Backup registry entries are wrong. I still think it would be a good idea for Symantec to document what they should be for the record.
 
I have already wasted 2 days on this mission. I now have SEP reinstalled properly with ISA and RRAS working. Unfortunately I am unable to load a recent export of my extensive ISA firewall rules likely due to some difference in the new configuration or service pack level so I am still not a happy camper about all the problems Symantec has caused me.
Paul Murgatroyd's picture
Hi Brian,
 
Thanks for the info... it would appear we are doubly backing up keys and overwriting the backups we have already made.  I can reproduce this and will be logging a defect for this issue.  For the record, with SEP installed, the registry keys should look like this:
 
 
 
hth
 
 

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

johan 2's picture
Is there a resolution for this problem, e.g. can I edit the registry to manually point to the right MS files?
 
Kind regards,
Johan Caljé
Stephen McLoughlin's picture

Hi

Just adding a note that I experienced the exact same problem with a SBS2003 machine today which removed internet access for all client machines for almost 2 hours. So Brian's issue isn't a one-off. I uninstalled EndPoint because it emerged that the server had nowhere near enough RAM to cope with it, and was for holding off the re-install until I upgraded the RAM. Anyhow, doing so removed the references to c:\windows\system32\rastls.dll in both the 13 and 25 subfolders in the EAP registry location. There were not even any backup keys to be seen - just ConfigPath, IdentityPath and InteractiveUIPath which all contained SymRasMan.dll. I reverted these back, started the Remote Access Connection Manager and Routing And Remote Access Services, re-ran the SBS net connection wizard (this was required too, as it seemed to have lost the port mappings I originally had set up) and all was fine.

I'm glad Brian Stevens ran across this problem before me and I was able to find this thread after only half an hour of searching, and also that the problem was able to be fixed without restarting the server altogether. But something should definitely be looked into regarding EndPoint's uninstall procedure - I've no doubt this is happening to other guys out there who aren't quite fortunate enough to be stumbling across this thread.

xene97's picture
I too am having the same problem.  I had to uninstall SEP and revert back to my old SAV 10.1 w/Groupware because nothing functioned correctly as long as SEP was installed.  Now I have absolutely no connectivity to and from the server.
 
Like Brian, I had backup keys.
 
Now I'm on the phone with Microsoft attempting to revive my server.  With their blessing, I'll attempt the fix suggested by Paul Murgatroyd.
cddefo's picture
Did Microsoft confirm, just use the backup keys?   Do you need to register the dll's again?
 
What is the answer?  
 
Thanks
jdl's picture
I am also running an SBS2003 server but my files are located in different folders.  Anyone who upgraded from SBS2000 would have system files in C:\WINNT\system32.  Only servers that were new installs of SBS2003 will be in the C:\WINDOWS\System32 directory.  Also my "Backup" entries are the same as my current entries, so following these instructions would lead to more headaches.  You should check to see where your RRAS dlls are before making these changes.
 
jdl
jdl's picture
This seems to have fixed A LOT of my problems.  I reverted back to the MS dll's and ran the RRAS config wizard that is part of the SBS2003 setup task list.
 
netdiag passes all tests now and I can:
 
Ping my DC server
Reach my WINS server
Update my Group Policy on clients
See my computers and servers in the network browse
Many of my Event Viewer errors have disappeared
 
I will check, but hopefully this will also solve my VPN problems since installing SEP 11MR1.
 
Thanks to all for posting. 
 
 
Tyrel's picture
I had the same problem when I installed and uninstalled SEP on an SBS  2003 server. As a result of uninstalling SEP I am now unable to:
1. Browse to the server from the network or even browse the network from the server.
2. RRAS service cannot start giving the same errors in the event viewer as everyone else
3. VPN does not work.
 
After following the instructions given by Paul Murgatroyd (https://forums.Symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=1131#M1131) and instructions on how to remove SEP completely from the registry, I am now able to at least browse to the server via \\servername\sharename format. I am still not able to see the server via network browsing.
 
Also when I try to change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP registry values to the Microsoft RRAS DLLs the RRAS service starts which is good. But now internet is not working, users' roaming profiles are not working, logging onto the domain has slowed down considerably and logon scripts are not working either.
 
If I revert registry values back to the SEP values (e.g. IdentityPathBackup = C:\Program Files\SAV\SymRasMan.dll) the above mentioned problems are gone but I am back to square one where I am still unable to get the RRAS service to start, VPN to work and browse the server via the network.

I need help ASAP...I am out of ideas on how to fix this problem.
jdl's picture
UPDATE:
 
Reverting back to ms dll's has also fixed my VPN problems.  Again, I ran the RRAS wizard in SBS2003 after changing the dll's back.
Tyrel's picture
I just tried reverting back to MS DLLs and ran the RRAS wizard and I am still unable to gain internet access or browse to the server from client workstations or gain access to the server period. As soon as I stop the RRAS service and put back the Symantec DLLs entries in the registry everything works again and I am back to square one.
 
Any other suggestions anyone?
jdl's picture
I had taken many steps with configuring my SEPM policies and re-installing packages etc... before I got to this point.  Are you using just the AV/AS part of the package?  Did you change your SEPM policies?  Did you reinstall client packages?  Are you still using ISA?  Do you have a 2 NIC setup?  Too much to list.
 
jdl's picture
I have now taken a step backwards.  Everything was fine until today when I rebooted my server.  Now my RRAS will not even start and is throwing out a multitude of errors.  Below is a post of my exact problem
 
 
Any updates on this?  I have checked my dlls, they are OK.  I tried rebooting, running the wizard again and that throws out an error.  Below are my system errors
 
 
Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20071
Date:  3/4/2008
Time:  8:29:40 PM
User:  N/A
Computer: 
Description:
The Point to Point Protocol module C:\WINNT\system32\rastls.dll returned an error while initializing. The request is not supported.
 
Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20151
Date:  3/4/2008
Time:  8:29:40 PM
User:  N/A
Computer: 
Description:
The Control Protocol EAP in the Point to Point Protocol module C:\WINNT\System32\rasppp.dll returned an error while initializing. The request is not supported.

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Date:  3/4/2008
Time:  8:29:40 PM
User:  N/A
Computer: 
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The request is not supported.
 
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date:  3/4/2008
Time:  8:29:41 PM
User:  N/A
Computer: 
Description:
The Remote Access Connection Manager service terminated with the following error:
The request is not supported.
 
This is the only thing MS has on it http://support.microsoft.com/kb/823405/en-us
Stephen McLoughlin's picture

No update on this? Even maintenance release 1 doesn't fix it as I uninstalled the EndPoint client on a server today (on my last post the problem was caused by removing Endpoint Management Console), which has MR1 installed - exact same problem. I did it out of hours expecting something to go wrong, and I was indeed correct. I had to do the exact same steps as I indicated in my previous post to restore internet access to all client machines.

tekwerker's picture
Changed the registry location from the Symantec dll's to the original Windows RRAS dll's as per this thread. Now we get:
 
 
Event ID 7024: The Routing and Remote Access service terminated with service-specific error 711 (0x2C7).
 
Event ID 7023: The Remote Access Connection Manager service terminated with the following error:
The specified procedure could not be found.
 
Event ID 20063: Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified procedure could not be found.
 
Event ID 20071: The Point to Point Protocol module C:\Windows\System32\RasMan.dll returned an error while initializing. The specified procedure could not be found.
 
 
The DLL's are there. SBS CEIC Wizard fails as well as the RRAS wizard.
 
http://support.microsoft.com/kb/330163 did not work for Event ID 7024. Neither the Remote Access Connection Manager service nor the Remote Access Auto Connection Manager service will start.



-------

 

OK. Got it working. Follow:

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/51fae17d67fc09b9652573e200779f02?OpenDocument

Registry value should be: %SystemRoot%\System32\rastls.dll



Message Edited by tekwerker on 04-01-2008 12:11 PM

SKlassen's picture
Symantec does have a tool to automate the RRAS fix.
 
 
I ran into the problem the first month SEP was out and figured out the fix on my own.  I haven't tried this tool, so cannot make any claim as to its proper function.
Mark Bouman's picture
Hi Paul,
I have the same problems.
I looked in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP
I looked in folders 13 and 25 and restored the keys to %systemroot%\system32\rastls.dll
 
This is on a Win2000 standard Domaincontroller.
 
After changing the RegKeys I still get the errors in the log. And my RAS services are not started on this machine! We simply do not use them.
 
How do I stop the log entries without restarting the server?
 
Thanks so much for your answer!
Thomas Condon's picture

I was having the exact same issues but noticed that there was a folder 88 which still contained some SEP settings (such as Symantec NAC Transparent Mode).  After exporting this branch, I deleted it, restarted the RRAS service and it all works great now.  The exact key I deleted is below (delete only this key and everything under it):

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\88

Burhanm's picture

We were having a similar problem with our ISA2004 server on which we had installed SEP 11.0 but for some reason had to uninstall it. After uninstalling it we found that it did not remove certain registry keys, which was stopping the Remote Access Connection Manager service from starting, which in turn is required to start all other ISA services. Also the ISA server was not getting pinged from other computers on the network. After extensive troubleshooting and based on the reference from the above posts we found that SEP had created registry keys in the following folder

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\

We found folders 13, 25, 26, 4 and 88. We modified folders 13, 25 and 26 to point back to Microsoft DLLs and deleted the other 2 folders, i.e. 4 and 88, and it solved the problem for us. The Remote Access Connection Manager service was able to start, as were the other ISA services.
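
Added example, not part of any post above and not Symantec's or Microsoft's tooling: a read-only PowerShell audit of the EAP key discussed throughout this thread, listing every DLL path registered under it and flagging live values whose file is missing and "Backup" values that point at SymRasMan.dll. It assumes PowerShell is installed on the server and the session is run as an administrator; the function name `Get-EapDllAudit` is hypothetical, and treating every value whose name contains "Path" as a DLL path is an assumption.

```powershell
# Added example: read-only audit of HKLM\...\RasMan\PPP\EAP. Nothing is written.
$EapRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'

function Get-EapDllAudit {   # hypothetical helper name
    param([string]$Root = $EapRoot)

    foreach ($key in Get-ChildItem -Path $Root) {
        foreach ($name in $key.GetValueNames()) {
            # Assumption: any value whose name contains "Path" holds a DLL path
            # (IdentityPath, InteractiveUIPath, ConfigUiPathBackup, ...).
            if ($name -notlike '*Path*') { continue }

            # GetValue already expands REG_EXPAND_SZ data such as
            # %SystemRoot%\System32\rastls.dll; expand again to cover REG_SZ.
            # This resolves C:\WINNT vs C:\WINDOWS on upgraded servers.
            $dll = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))

            $exists = $false
            if ($dll) { $exists = Test-Path -LiteralPath $dll -PathType Leaf }

            New-Object PSObject -Property @{
                Type       = $key.PSChildName      # EAP type folder: 13, 25, 88, ...
                Value      = $name
                Dll        = $dll
                Exists     = $exists
                IsBackup   = $name -like '*Backup'
                IsSymantec = $dll -like '*\SymRasMan.dll'
            }
        }
    }
}

$audit = @(Get-EapDllAudit)
$audit | Sort-Object Type, Value |
    Format-Table Type, Value, Exists, IsBackup, IsSymantec, Dll -AutoSize

# Live values naming a file that is not on disk match the
# "The specified module could not be found" events (20070, 20151, 20063).
$missing = @($audit | Where-Object { -not $_.IsBackup -and -not $_.Exists })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) live EAP value(s) point at a missing DLL."
}

# Backup values that hold SymRasMan.dll no longer record the original path.
$lost = @($audit | Where-Object { $_.IsBackup -and $_.IsSymantec })
if ($lost.Count -gt 0) {
    Write-Warning "$($lost.Count) Backup value(s) hold SymRasMan.dll, not the original DLL."
}
```

Exporting the key first (as one poster did before deleting folder 88) keeps a rollback copy before any manual change is made.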