Just recently I ran into an error during initial setup of Exchange 2016 on a newly installed Windows Server 2012 R2 stating: “Service ‘MpsSvc’ failed to reach status ‘Running’ on this server“. Further down the troubleshooting road I found out that this quite common error of not being able to start the Windows Firewall service is not Exchange Server specific.

Symptoms

During initial setup the installation seems to freeze at 25% of running the Readiness Checks and Configuring Prerequisites:

Setup seems to take ages while staying at 25% progress. A look into the corresponding ExchangeSetup.log (which can be found in C:\ExchangeSetupLogs) reveals, that Setup is trying to start the Windows Firewall service (MpsSvc) and failes to do so. The ExchangeSetup.log states:

[01.09.2018 13:22:39.0123] [2] Active Directory session settings for ‘start-SetupService’ are: View Entire Forest: ‘True’, Configuration Domain Controller: ‘NBG-DC-12.ctlm.de’, Preferred Global Catalog: ‘NBG-DC-12.ctlm.de’, Preferred Domain Controllers: ‘{ NBG-DC-12.ctlm.de }’

[01.09.2018 13:22:39.0123] [2] User specified parameters: -ServiceName:’MpsSvc’
[01.09.2018 13:22:39.0123] [2] Beginning processing Start-SetupService
[01.09.2018 13:22:39.0123] [2] [WARNING] Service checkpoint has not progressed. Previous checkpoint=’0′- Current checkpoint=’0′.
[01.09.2018 13:22:39.0138] [2] Previous service status query time is ‘09.01.2018 14:22:39’.
[01.09.2018 13:22:39.0138] [2] Current service status query time is ‘09.01.2018 14:22:39’.
[01.09.2018 13:22:39.0138] [2] Will wait ‘2000’ milliseconds for the service ‘MpsSvc’ to reach status ‘Running’.
[01.09.2018 13:22:41.0260] [2] Service ‘MpsSvc’ failed to reach status ‘Running’ on this server after waiting for ‘2000’ milliseconds.
[01.09.2018 13:22:41.0260] [2] [WARNING] Service checkpoint has not progressed. Previous checkpoint=’0′- Current checkpoint=’0′.
[01.09.2018 13:22:41.0260] [2] Previous service status query time is ‘09.01.2018 14:22:39’.
[01.09.2018 13:22:41.0260] [2] Current service status query time is ‘09.01.2018 14:22:41’.
[01.09.2018 13:22:41.0260] [2] Will wait ‘25000’ milliseconds for the service ‘MpsSvc’ to reach status ‘Running’.
[01.09.2018 13:23:06.0494] [2] Service ‘MpsSvc’ failed to reach status ‘Running’ on this server after waiting for ‘25000’ milliseconds.
[01.09.2018 13:23:06.0494] [2] [WARNING] Service checkpoint has not progressed. Previous checkpoint=’0′- Current checkpoint=’0′.
[01.09.2018 13:23:06.0494] [2] Previous service status query time is ‘09.01.2018 14:22:41’.
[01.09.2018 13:23:06.0494] [2] Current service status query time is ‘09.01.2018 14:23:06’.
[01.09.2018 13:23:06.0494] [2] Will wait ‘25000’ milliseconds for the service ‘MpsSvc’ to reach status ‘Running’.

Setup is trying to start the Windows Firewall service for quite some time until it finally gives in and throws the following error message:

Error:
The following error was generated when “$error.Clear();
if (Get-Service MpsSvc* | ?{$_.Name -eq ‘MpsSvc’})
{
Set-Service MpsSvc -StartupType Automatic
Start-SetupService -ServiceName MpsSvc
}
” was run: “Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service ‘MpsSvc’ failed to reach status ‘Running’ on this server.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.WaitForServiceStatus(ServiceController serviceController, ServiceControllerStatus status, Unlimited1 maximumWaitTime, Boolean ignoreFailures, Boolean sendWatsonReportForHungService)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.StartService(ServiceController serviceController, Boolean ignoreServiceStartTimeout, Boolean failIfServiceNotInstalled, Unlimited
1 maximumWaitTime, String[] serviceParameters)
at Microsoft.Exchange.Management.Tasks.ManageSetupService.StartService(String serviceName, Boolean ignoreServiceStartTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime, String[] serviceParameters)
at Microsoft.Exchange.Management.Tasks.StartSetupService.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

Troubleshooting

Trying to manually start the Windows Firewall service within the Services MMC failes with the following error:

Windows could not start the Windows Firewall on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, an refer to service-specific error code 5.

An Event entry with ID 7024 is logged once more.

The System Event Log shows an Event ID 7024, Source: Service Control Manager:

The Windows Firewall service terminated with the following service-specific error:
Access is denied.

Someone suggested opening  a command prompt and executing sc sdshow MpsSvc , which shows:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Well, quite cryptic and not really helpful, at least for me in the first place. I tried to compare it to working Windows Server 2012 R2 servers, but to no prevail. More information on how to interpret, verify, build your own security subscriptors and set permissions on Windows services via command line can be found here:

To make a long story short: missing or wrong permissions on either Registry and/or Windows Services are not the issue here. 

Solution

Searching the Internet I came across this Microsoft TechCommunity’s thread, mentioning something in terms of setting up Exchange 2016 on a Windows Server Insider Build:

Exchange 2016 requires the full installation of Windows Server (in 2016, it’s called Desktop Experience), and isn’t explictly supported for installation on Server Core.

Alas, finally that rang some bells as I previously struggled with enabling all required Windows Features in order to install Exchange 2016 on a Windows Server 2012 R2, in particular:

  • Desktop Experience
  • Ink and Handwriting Services
  • Media Foundation

Issues posed by the TrustedInstaller service prohibited an successful installation of the aforementioned Windows Features, always reverting to the previous state of my Windows Features set upon reboot:

The Desktop-Experience Windows Feature simpy refused to stay installed:

Due to some Windows Server hardening settings applied via GPO in the affected domain, TrustedInstaller had some issues. I had to install Desktop Experience on a step-by-step basis while disabling the TrustedInstaller service temporarily (as removing the GPO responsible in the first place was not an option). Details on this procedure can be found here and here:

  1. Add-WindowsFeature InkAndHandwritingServices
  2. Reboot
  3. Add-WindowsFeature Server-Media-Foundation
  4. Reboot
  5. Add-WindowsFeature Desktop-Experience
  6. Set-Service -name TrustedInstaller -startupType Disabled
  7. Reboot

Verify that all required Windows Features are still installed:

  1. Get-WindowsFeature InkAndHandwritingServices
  2. Get-WindowsFeature Server-Media-Foundation
  3. Get-WindowsFeature Desktop-Experience
  4. Set-Service -name TrustedInstaller -startupType Automatic
  5. Reboot

Quite tedious, but it seemed to work.

Verdict

After having successfully installed all the required Windows Features, in particular Desktop-Experience, I was able to start the Windows Firewall service and install Exchange 2016 as well. Somewhere, somehow, there seems to be some kind of dependency between those two components. I did some further searching and came up with this thread in the Microsoft TechNet Forums, and it looks like there actually is a connection! This is strange as it never happened before with any of my previous Exchange installations. And even more strange is the fact, that I always disable the Windows Firewall service prior to installing Exchange Server, and it never posed a problem. Seems like Exchange Setup enables and starts the Windows Firewall service on its own accord and does its magic silently in the background. Strange as there even are some articles out there that actually recommend disabling the Windows Firewall service as well as articles stating quite the opposite, especially Paul Cunningham’s own Beware of Bad Advice About Exchange Servers and Windows Firewall. A proposed solution (and not tested by myself) in that case could be:

We’ve seen the similar symptons. Please try manually create the following registry key, and then test to see if Windows Firewall can be started.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\ACService

Further reading:

Exchange 2016 – Setup fails with error “Service ‘MpsSvc’ failed to reach status ‘Running’ on this server”
Tagged on:             

Leave a Reply