International Man of Awesome's Blog – When Too Much Awesome Isn't Enough

February 3, 2011

Exchange 2007 Management Console error on Windows 2008 R2 post installation

Filed under: Exchange, Firewalls, Microsoft, Windows 2008 R2 — internationalmanofawesome @ 2:24 pm

We are currently migrating from a single-server Exchange 2003 setup to a multi-server Exchange 2007 SP3 system. When using the EMC 2007 application, selecting the servers in either the Organisation or Server Configuration displayed an error that started as follows:

Microsoft Exchange Warning
The following warning(s) were reported while loading topology information:


Extended protection has not been enabled.  Install the operating system update specified in KB968389 onto server “servernamehere” and try again.

However, that KB does not relate to Windows 2008 R2, so it can’t be applied.

The fix is to add a registry entry that sets the RPC port for Application Host Administration (AHADMIN), which EMC uses, then allow that port through the Windows firewall.

Adding the registry entry requires a change to the permissions of the registry key. Only the TrustedInstaller process has read/write permissions, so you need to take ownership of the key in question, then change the permissions to allow you to make the change. In my case, as I was a local admin on the server in question, I added the local Administrator group. Once the permissions are changed, perform the following:

1. Open an administrative command prompt

2. Type the following and press enter

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9fa5c497-f46d-447f-8011-05d03d7d7ddc} /v EndPoints /d "ncacn_ip_tcp,0,7000" /t REG_MULTI_SZ /f

3. Type “NETSH” and press enter

4. Type “ADV FIR” and press enter

5. Enter the following. Note that you can and should change the Scope of the firewall rule from being remoteip=any to remoteip=your.ip.range(s).here

add rule name="RPC Mapper" dir=in action=allow remoteip=any protocol=tcp localport=135 service=rpcss
add rule name="AHADMIN Fixed Endpoint" dir=in action=allow remoteip=any protocol=tcp localport=7000 program=%windir%\system32\dllhost.exe
add rule name="AHADMIN Fixed Endpoint" dir=in action=allow remoteip=any protocol=tcp localport=rpc program=%windir%\system32\dllhost.exe

6. Check in Windows Firewall with Advanced Security that the firewall rules have been entered correctly.

That’s it, you will no longer get the error! Awesome!
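The same procedure as one script, with the firewall scope restricted as step 5 recommends and a read-back check for step 6. This is an added example, not part of the original post: it is PowerShell wrapping the same reg and netsh commands, `$MgmtRange` (192.0.2.0/24) is a placeholder for your own management range, `Add-ScopedRule` is a helper defined here, and the final check assumes English netsh output.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$MgmtRange = '192.0.2.0/24'   # placeholder: replace with your management range(s)
$AppId     = '{9fa5c497-f46d-447f-8011-05d03d7d7ddc}'   # AppID key from step 2
$Endpoint  = 'ncacn_ip_tcp,0,7000'                       # value from step 2
$DllHost   = Join-Path $env:windir 'system32\dllhost.exe'

# Step 2: pin the AHADMIN RPC endpoint. This fails with "Access is denied" until
# the key's ownership and permissions have been changed as described above.
& reg.exe add "HKLM\SOFTWARE\Classes\AppID\$AppId" /v EndPoints /t REG_MULTI_SZ /d $Endpoint /f
if ($LASTEXITCODE -ne 0) { throw 'reg add failed; check permissions on the AppID key' }

# Steps 3-5: the same three rules, scoped to $MgmtRange instead of remoteip=any.
function Add-ScopedRule([string]$Name, [string[]]$Match) {
    $ruleArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in',
                  'action=allow', "remoteip=$MgmtRange", 'protocol=tcp') + $Match
    & netsh.exe $ruleArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$Name'" }
}
Add-ScopedRule 'RPC Mapper'             @('localport=135',  'service=rpcss')
Add-ScopedRule 'AHADMIN Fixed Endpoint' @('localport=7000', "program=$DllHost")
Add-ScopedRule 'AHADMIN Fixed Endpoint' @('localport=rpc',  "program=$DllHost")

# Step 6: read the registry value and the rules back.
$key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$AppId"
$set = (Get-ItemProperty -LiteralPath $key).EndPoints
if ($set -notcontains $Endpoint) { throw "EndPoints is '$set', expected '$Endpoint'" }

foreach ($name in 'RPC Mapper', 'AHADMIN Fixed Endpoint') {
    $out = & netsh.exe advfirewall firewall show rule "name=$name" verbose
    $out
    # Assumes English netsh output, where an unscoped rule shows "RemoteIP: Any".
    if ($out | Select-String -Pattern 'RemoteIP:\s+Any\s*$') {
        Write-Warning "A rule named '$name' still accepts any remote address"
    }
}
```

The warning also fires for rules left over from an earlier run with remoteip=any, since netsh adds a new rule rather than replacing one with the same name.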


For more info, you can see this blog post by Mike Volodarsky at
