Always On VPN Routing Issues

June 28, 2018, 12:38 pm

≪ Previous: Single Label Domain, DNS, and DHCP

We are evaluating Always On VPN for our off-band laptops/users, and we are running into a routing issue with it.

Our corporate campus utilizes many 23-bit subnets under 10.x.x.x, and there are no issues with the VPN clients accessing any of these resources. Things work fantastically!

We also have several global branch locations that are all under 172.x.x.x subnets. We have no issues connecting to these resources from within the network, but VPN clients cannot connect to any resources on the 172.x.x.x subnets.

I have tried adding a static route to the RRAS (VPN) server (172.0.0.0/255.0.0.0), but that does not seem to have helped. The IP addresses resolve by DNS name, but no connections to these resources can be made by VPN clients.

I would appreciate any input or ideas on how to resolve this issue.

↧

Service with internal windows

July 26, 2018, 11:07 am

≫ Next: schannel 36881

≪ Previous: Always On VPN Routing Issues

Hello guys,

I have got a problem with a Windows Service, I have already created.

The service is listening to a special port, and for each connect it is creating an instance (COM executable), and duplicating the socket handle to this instances.

These instances are creating several windows (TCP async communication, application windows) which stay invisible in service, but necessary for execution.

The whole stuff is running well, but I have recognized after a couple of parallel running instances the creation of new instances fails. It seems it depends on the amount of simultaneously opened internal windows of the master process (this is the listener service).

With a small amount of opened internal windows per child process, I am able to run about50 parallel child processes hosting the TCP connections. If more internal windows are opened by the child processes the amount of possible child processes is less then 15.

I got no problems if TCP listener service is running as a desktop process. I can start more than100 parallel child processes in that case, and it seems there is no limit anyhow.

How does Windows Server work? I did not wrote an invalid application, which will never run as service, because I get service running and more than 15 parallel running child processes. How can I configure Windows Server to allow as much internal windows as possible for my Windows service?

René Rössler

↧

schannel 36881

July 26, 2018, 1:29 pm

≫ Next: Is KB4338818 causing any issues after patch install on Windows 7 and 2008 R2 systems?

≪ Previous: Service with internal windows

"The certificate received from the remote server has either expired or is not yet valid. The TLS connection request has failed. The attached data contains the server certificate."

I have servers getting this message, trying to connect to my domain controllers. I don't know if it is causing a problem or not, but would like to get rid of this meesage from the system eventlog of my servers to eliminate it as being a problem. How can I address this error?

To be more specific, one server getting this message trying to connect to my DC is an sql/ERP server. Another server is a citrix xenapp vda server. I think the connections have to do with ldap. Any assistance is appreciated.

capitan

↧

Is KB4338818 causing any issues after patch install on Windows 7 and 2008 R2 systems?

July 11, 2018, 2:12 am

≫ Next: In place upgrade repair for Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600

≪ Previous: schannel 36881

Is KB4338818 causing any issues after patch install on Windows 7 and 2008 R2 systems?

↧

In place upgrade repair for Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600

July 26, 2018, 3:32 pm

≫ Next: Active Directory Web Services on Windows Storage Server 2016 Standard

≪ Previous: Is KB4338818 causing any issues after patch install on Windows 7 and 2008 R2 systems?

For Windows 10 if there are problems with dism restorehealth this can often be fixed by performing an in place upgrade repair using a Windows 10 iso.

https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

Is there a Windows iso for: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600

Is it possible to perform a repair install with an in place upgrade repair for this Microsoft operating system?

↧

Active Directory Web Services on Windows Storage Server 2016 Standard

July 26, 2018, 5:52 pm

≫ Next: WER in Windows Server 2016 where are you?

≪ Previous: In place upgrade repair for Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600

We have a workgroup server running Storage Server 2016 Standard. When I install Active Directory Lightweight Directory Services I get an error that it can't start Active Directory Web Services. Everything I read says that Active Directory Web Services is automatically installed with Active Directory Lightweight Directory Services but the service does not exist and there isn't an entry in the features to add it. With out it I get errors when I try to use Powershell. Am I missing something or is ADWS not included with Storeage Server 2016?

↧

WER in Windows Server 2016 where are you?

February 15, 2018, 11:57 pm

≫ Next: Cannot RDP to Server. "This computer can't connect........"

≪ Previous: Active Directory Web Services on Windows Storage Server 2016 Standard

I can find it in WS2012 R2 in Server Manager -> Local Server -> Windows Error Reporting, it's OK. But where is such settings in Windows Server 2016? I need to get dumps file for my crashed IIS worker process.

↧

Cannot RDP to Server. "This computer can't connect........"

July 24, 2018, 2:03 am

≫ Next: RID Master is offline error when running dcpromo.exe

≪ Previous: WER in Windows Server 2016 where are you?

Can't RDP to one of our server. Win 2008 R2 standard.

During attempt to connect by RDP, event log records this :

Schannel Event ID 36888 - The following fatal alert was generated: 10. The internal error state is 1203.

I've search the net and found some workarounds but nothing solved the issue. I also followed this KB article for checking but no luck.

https://support.microsoft.com/en-hk/help/2477176/troubleshoot-remote-desktop-disconnected-errors-in-windows-server-2008

Anyone have any idea? Thanks.

↧

RID Master is offline error when running dcpromo.exe

August 23, 2010, 11:13 am

≫ Next: How can i be sure that "repaired" domain is not corrupted anymore and its replication works OK and with GOOD dc directions.

≪ Previous: Cannot RDP to Server. "This computer can't connect........"

I am trying to add a new 2008R2 DC to an existing domain. Adprep has been run to extend the schema, and the object version is at 47. When I select the domain to add the DC to I get an error message that says "You will not be able to install a writable replica domain controller at this time because the RID master DC01.domain.com is offline." I am able to do an nslookup and ping DC01.domain.com. Any ideas as to why dcpromo cannot see it?

Thanks,

↧

How can i be sure that "repaired" domain is not corrupted anymore and its replication works OK and with GOOD dc directions.

July 27, 2018, 4:08 am

≫ Next: Windows Server 2012 R2 Foundation error when updating the monthly cumulative security update rollup

≪ Previous: RID Master is offline error when running dcpromo.exe

Hi all, i took a domain on test env and had task to repair it if possible, without any backups.
I eliminated errors (by re creating kebreros passwords between DCs, rebuilding SYSVOL and NETLOGON and GCs) and it stopped logging any errors in all logs in eventwv.

But i do not really understand how it is with USN numbers. I do not know what happened with this environment before, when and who did what on dcs but i have own calculation that somebody tried to restore one DC from backup and he did it wrong.
I can give you all information u need but mainly i would like to ask about this:
repadmin showutdvec - what it exactly shows? As i think numbers between 2 dcs should never be with such a big difference. If it really understand what it means tell me please, should i and, HOW can i sync this numbers to be the latest numbers on both controllers. Now as i think i should remove this DC with less numbers (its DC which has all FSMO roles), make new one and add it as a second DC in env. Is it good plan? What if i got nothink with bad usns in logs, why? What will happen if i do not do anythink with this DCs?
Or maybe im wrong and all looks good here?

3277f722-fa53-4ce9-97b3-xxxxxxxxxx @ USN 32871 @ Time 2009-06-30 16:59:42
0793e088-f5d1-46bd-8a25-xxxxxxxxxx @ USN 16950 @ Time 2009-07-07 17:17:20
9c9d2645-7584-475d-b33f-xxxxxxxxxx @ USN 45437653 @ Time 2017-11-23 12:59:18
a32fc42c-9ced-4907-9e82-xxxxxxxxxx @ USN 60720266 @ Time 2017-11-24 15:28:43
Default-First-Site-Name\DC1 (retired) @ USN 126979 @ Time 2018-03-07 08:35:53
Default-First-Site-Name\DC2 (retired) @ USN 7970843 @ Time 2018-03-07 09:35:28
Default-First-Site-Name\DC2 @ USN 8025682 @ Time 2018-07-27 12:03:55
Default-First-Site-Name\DC1 @ USN 189245 @ Time 2018-07-27 12:44:47

↧

Windows Server 2012 R2 Foundation error when updating the monthly cumulative security update rollup

July 17, 2018, 8:00 am

≫ Next: Server 2016

≪ Previous: How can i be sure that "repaired" domain is not corrupted anymore and its replication works OK and with GOOD dc directions.

As of May, you can not install the monthly update of the security update rollup in the Windows Server 2012 R2 Foundation (May, June, July).Error 80073701. All other fixes are installed without any problem. Can anyone meet a similar problem?I request information.

↧

Server 2016

July 27, 2018, 7:58 am

≫ Next: Windows Server 2019 GUI?

≪ Previous: Windows Server 2012 R2 Foundation error when updating the monthly cumulative security update rollup

Per MS Documentation, Server 2016 CALS are required on a per core basis. The server in question has 4 cores, but server 2016 comes with 16 cores. The server will be a file and print server. Would core CALS cover the licensing needs? Would the requirement be 4, 16, or 20? Would user CALS still be required?

↧

Windows Server 2019 GUI?

March 29, 2018, 10:53 am

≫ Next: 8dot3 Performance Gains

≪ Previous: Server 2016

Hello!

Just downloaded Windows Server 2019 Preview, and booted it up in a virtual machine, just to try it. But, there is no GUI. Is there a way to enable it, or does the Preview of 2019 not feature one?

↧

8dot3 Performance Gains

July 27, 2018, 10:49 am

≫ Next: Forum FAQ: How to configure a schedule task which is triggered by an event?

≪ Previous: Windows Server 2019 GUI?

We use a file server here that runs Server 2008 R2. It hosts close to 500,000 files and we still have 8dot3 short names turned on the drive. I've read about the performance gains by turning that off, but I don't know how much of an improvement we'd see or where. Is it faster when creating a single file? Would we only see gains when doing bulk file/folder manipulations? Since it's possible something somewhere might not work if I turn it off, I'm wondering how much gain I'd likely see. Can anyone provide some insight? Thanks.

↧

Forum FAQ: How to configure a schedule task which is triggered by an event?

February 21, 2010, 10:15 pm

≫ Next: Granting share/NTFS permission on shared folder

≪ Previous: 8dot3 Performance Gains

Question

System administrators may frequently encounter a situation where you would like to start a task when an event appears. For example, when an event error is logged you may want to start Network Monitor to capture a network trace to analyze the issue further. How can you start a task which is triggered by an event?

Answer

In the past, we can use EventMon with custom script to achieve the goal; however, the steps are very complex. Since Vista and Windows Server 2008, Task Scheduler provides the ability to start a task which is triggered by an event. To do so, you can perform the following steps:

1. OpenTask Scheduler and click Create Task….

2. On theGeneral tab, fill-in the name and configure other settings.

3. On theTriggers tab, click New.

4. SelectOn an event in the Begin the task list box. The following window will be displayed:

5. On theActions tab, you can create corresponding tasks.

When defining event trigger filters, theBasic option is selected by default. You can configure the eventLog, Source and Event ID based on requirement. If the basic event filter option does not meet the requirement, you can chooseCustom and then New Event Filter to configure advanced event filter settings.

If the UI of theFilter tab can still not filter the event accurately, you can use theXML tab to provide an event filter in XPath form.

For example, you have the following event and you only want to trigger the task when the eventTaskName contains value “\CAO updates”.

- <System>

<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>

<Computer>HVDSRV04.vdhvd.nl</Computer>

</System>

- <EventData Name="ActionSuccess">

<Data Name="TaskName">\CAO updates</Data>

<Data Name="ActionName">D:\AFAS Windows\Kernel\Bin\afascmd.exe</Data>

</EventData>

</Event>

You can specify the following event filter query:

<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (Level=4 or Level=0) and (EventID=201)]] and *[EventData[Data[1]='\CAO updates']]</Select>

</Query>

</QueryList>

More Information

EventMon: Stopping a Capture Based on an EventLog Event

http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx

Applies to

Windows Server® 2008 operating system
Windows Server® 2008 R2 operating system

↧

Granting share/NTFS permission on shared folder

July 20, 2018, 9:45 pm

≫ Next: Lost trust relationship

≪ Previous: Forum FAQ: How to configure a schedule task which is triggered by an event?

Hi,

Granting shared/security permission could be tricky sometimes.

I need a guidance to do this properly. Share permission layout can be described as:

Scenario:

User is mapped to the share "\\server\ShareA" as W: drive via logon script.

So they see W: drive in their Computer.

Let say I'm grouping users into AD Group named "DOMAIN\Dept-A", what kind of permission should be assigned to the share and/or Security tab for this folder, so the user can see W: drive, and have Read+Write permission on their dept. folder"Dept-A"?

W: drive should be accessible across departments groups e.g "DOMAIN\Dept-B" and "DOMAIN\Dept-C" too, but they should be allowed to list folders in W: drive but denied access on "Dept-A" folder?

---Pat

↧

Lost trust relationship

July 28, 2018, 1:19 am

≫ Next: Disable user from csv file.

≪ Previous: Granting share/NTFS permission on shared folder

Dear All,

I came across an unusual situation and count on your help since I cannot resolve it.

Scenario: Domain network with W2012R2 server as a DC, a spare DC and several other servers both virtual and physical. Several dozen workstations.

One of the workstations (W7pro-64) got a failure with cyclic BSOD. Disk C: was restored from the 24-hour-old backup. After that the trust relationship was with the domain was broken with the following symptoms:

1. Login not possible with network cable plugged.

2. RDP connections to the workstation fail.

3. Impossible to connect to MS Exchange.

Additional information:

Domain Member

Policy	Setting	Winning GPO
Domain member: Maximum machine account password age	999 days	Default Domain Policy

What I tried:

1. Nltest query

C:\>nltest /query
Flags: 0
Connection Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
The command completed successfully

2. Nltest reset

C:\>nltest /sc_reset:<DOMAIN>
I_NetLogonControl failed: Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET

3. Netdom reset

Also no luck - access denied.

4. Netsh

netsh winsock reset

netsh int ip reset

and attempt to join the domain with the wizard. No luck.

5. Multiple attempts to unjoin the domain.

Every possible combination. Under domain users with administrative rights, under enabled local admin account. With network cable plugged and unplugged. The result is the same - ACCESS DENIED.

6. wmic

start /B /W wmic.exe /interactive:off ComputerSystemWhere"Name='%computername%'"CallUnJoinDomainOrWorkgroupFUnjoinOptions=0

No result at all.

All the methods I tried have one symptom in common - access is denied.

The only idea I have at the moment that some domain policy prohibits unjoining the domain and/or other actions. I've done gpresult /h result.html, but cannot identify the problem.

Please, advise how to resolve the problem.

↧

Disable user from csv file.

July 29, 2018, 7:11 am

≫ Next: windows activation process service not started up

≪ Previous: Lost trust relationship

Hi,

We use Windows Server 2008 R2 Standard DC.

We need to disable all the users in a CSV file. The CSV file contains display name of the users. Please let me know the steps.

↧

windows activation process service not started up

October 11, 2017, 3:21 am

≫ Next: Remote Desktop Certificate 2008 R2

≪ Previous: Disable user from csv file.

hii,

iis not working in windows server 2008 r2 std sp1,

& its dependent service called windows process activation service could not start.

Its showing error:

widows could not start the windows process activation service serivce on local computer.

Error 2: the system cannot find the file specified

Please help!

↧

Remote Desktop Certificate 2008 R2

July 2, 2018, 4:55 am

≫ Next: Windows Server 2012 Event ID 4231

≪ Previous: windows activation process service not started up

Can someone tell me which KB update enables sha256 on server 2008 R2 for the RDP certificate or if a registry entry needs to be changed. Found a few articles online and tested installs of various kb's mentioned but nothing seems to change the default from sha1.

Alternatively if someone can point me to a good guide on how to use an internal CA to generate a replacement certificate which can be placed on workgroup only servers in our DMZ and replace the self-signed one?

Thanks

↧