You may encounter an issue with servers running both the DNS and IAS services that have installed update MS08-037 (Vulnerabilities in DNS could allow spoofing – 953230). The IAS services will fail to start and any authentication that relies on IAS (such as VPNs) will fail.
When connecting to the IAS server with the IAS management console the following errors may appear:
Event ID 7023 will appear in the System event log of the IAS server.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Time: 9:15:17 AM
The Internet Authentication Service service terminated with the following error:
Only one usage of each sock address (protocol/network address/port) is normally permitted.
The cause of the issue is explained in KB956188:
You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
This issue occurs because the service cannot obtain the port that it requires to function correctly. This issue occurs because of changes to the port allocation in the DNS Service after security update 953230 is installed.
The solution is to reserve the IAS ports from the ephemeral port range to ensure that the DNS Server service does not dynamically allocate those ports to itself. To determine which ports are being used by IAS open the IAS management console, right-click the server name and select Properties.
Navigate to the Ports tab and note the port numbers in use.
Follow the instructions in KB812873 (How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003) and enter the correct ports in the registry key like this.
The server must be restarted for the change to take effect. After the restart the DNS Server will no longer allocate the IAS ports to itself, which will allow IAS to start properly.