How to re-deploy VPN in 2016 Essentials in legacy mode.

This is the third article in a series of articles covering VPN in Windows Essentials.  In the first article I covered an issue with VPN and DHCP.  In the second article I covered how to re-deploy VPN with PowerShell in 2016 Essentials.  In this article I will cover how to re-deploy VPN in legacy mode.

  1. First we must clear the configuration. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit enter when prompted.
  3. Install the RRAS (Routing and Remote Access Service) console by running the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
  4. Run rrasmgmt.msc to launch the RRAS console.
  5. Right-click on the server name and choose “Configure and Enable Routing and Remote Access”
    RRAS 1
  6. Click Next.
  7. Ensure the Custom configuration radio button is selected and click Next.
    RRAS 2
  8. Check the box for VPN and click Next.
    RRAS 3
  9. Click Finish to complete the initial configuration.  You will get a popup indicating a policy was created.  Click OK to continue.
    RRAS 4
  10. When prompted to start the service, click Start service.
  11. RRAS is now running, but there are two more required steps to complete the configuration.  Right-click the server name and choose Properties.
    RRAS 5
  12. Click on the Security tab.  At the bottom of the screen, choose the correct certificate and click Apply.  Click Yes to restart RRAS.
    RRAS certificate
  13. Click the IPv4 tab.  Click the radio button for Static address pool and click the Add button.  Fill in the start IP address and end IP address and click OK twice.
    RRAS static pool
  14. Restart the RRAS service.

At this point RRAS should be configured properly.  Optionally you can disable the unused protocols in RRAS.  To do so right-click on Ports and click Properties.
RRAS ports

Only SSTP is used in Essentials by default, so the other protocols can be removed/minimized.  Highlight IKEv2 and click Configure.  Change the maximum ports to 0 (zero) and click OK.  Click Yes on the popup.  Repeat this with L2TP and GRE.  For PPTP you cannot reduce to zero, but you can reduce to 1 (one).  I also like to reduce the number of ports to match the number of IP addresses in the static pool.  This is to ensure that all connections get a valid IP address.  So I limited the ports to 20 for SSTP.  When complete it should look something like below.
RRAS ports limited

I hope you found this article informative.  If you have anything to add or just want to comment, please do so below.

Advertisements

How to re-deploy VPN in 2016 Essentials with PowerShell

In my previous article I discussed an issue I see commonly with VPN in Essentials.  In that article I gave the fix for all versions of Essentials except 2016.  In this article I will cover the fix for 2016 Essentials.

As stated previously, 2016 Essentials uses PowerShell to configure the VPN.  Here is what the default configuration looks like:

RemoteAccess Default

If you try to manage it in the RRAS (Routing and Remote Access Server) console, you will see this:

legacy mode

The message would imply that you could turn on legacy mode.   This is true, but to turn on legacy mode requires clearing the configuration from RRAS.  Clearing the configuration must be done with PowerShell.  Re-deploying the VPN can be done with both PowerShell and the RRAS console.  Below are the PowerShell commands.

  1. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit enter when prompted
  3. Run Install-RemoteAccess -VpnType Vpn -IPAddressRange 192.168.16.100,192.168.16.120
    Change the ip addresses to match the range you want to use.  In the command above the start IP address is 192.168.16.100 and the end IP is 192.168.16.120.
  4. It may be necessary to modify the SSL certificate.  To check this run Get-RemoteAccess.  If the SSL certificate matches the one installed by the Essentials anywhere wizard, then you are done.  If not, please proceed to the next step.
  5. Run Set-Location Cert:\LocalMachine\My; Get-ChildItem | Subject,Thumbprint
    You should see output similar to the following:
    certificate 1
  6. Make note of the Thumbprint for the certificate that was created in the anywhere access wizard.
  7. Next assign the certificate to the VPN with the following command:
    Get-ChildItem | ? Thumbprint -eq “C39ED8D5ADC2F73A05A909BE9C4692B43B963FB2” | Set-RemoteAccess
  8. Finally verify the correct certificate is assigned to the VPN with the command:
    Get-RemoteAccess
    RemoteAccess fixed

Clients should be able to connect and access resources via the VPN now.

I hope you found this article informative.  If you have any suggestions or comments please leave them below.

Why I am unable to access any resources on my Essentials VPN?

Windows Server Essentials is a great product.  Easy to configure and it uses the existing network infrastructure to save money and resources. There is a situation that I see fairly regularly with the VPN (Virtual Private Network) on Essentials though.  I have seen this issue on all versions of Essentials from 2011 to 2016.

My customer will setup the VPN using the anywhere access wizard and it completes without any errors.  He/she will then test the connection with a client.  The client connects without a problem, but is unable to access any resources on the Essentials network.

The problem is that RRAS (Routing and Remote Access), the VPN server in Windows, is not able to lease an IP from the DHCP server running on the router.  Failing to lease an IP, Windows reverts to using an APIPA (Automatic Private IP Addressing) address.  This will be an IP in the 169.254.0.0/16 subnet.  More likely than not this is on a different subnet than the rest of the Essentials network.  This effectively isolates the VPN client from the Essentials network.

The fix is quite easy on Essentials 2011, 2012, and 2012 R2.  Simply add a static pool to the VPN server configuration.  Here are the steps:

  1. Install the RRAS management console, if not installed.
    • Run Windows PowerShell as administrator
    • Run the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
  2. Run rrasmgmt.msc to launch the RRAS console
  3. Right-click on the server name and choose properties
    static pool
  4. Click on the IPv4 tab
  5. Click the radio button for “Static address pool”
  6. Click the “Add” button
  7. Fill in the start and end IP address for the pool.  This should be a range that is not included in the router’s DHCP (Dynamic Host Control Protocol) range, but that is part of the same subnet.
  8. Click OK twice.
  9. Restart the Routing and Remote Access service. PowerShell: Restart-Service RemoteAccess

For Essentials 2016 the fix is a bit more involved.  Unfortunately the RRAS configuration cannot be edited to simply add a static pool.  The anywhere access wizard in 2016 uses PowerShell to configure RRAS and disables the RRAS console.  This would be fine, but Microsoft neglected to include a PowerShell command to modify the IP address management.  Since the configuration cannot be modified it must be torn down and re-deployed outside the anywhere access wizard.  I may add this to this article in the future.

I hope this article has been informative.  If you have any comments or suggestions, please post them below.

 

 

An error has occurred 0x8007….

This article is for those that don’t know that 0x80070002 is “The system cannot find the file specified.” or that 0x80070020 is “The process cannot access the file because it is being used by another process”.  It seems impossible to memorize all the error codes in Windows and what they mean.  Thankfully there is no need to do this, as there is a utility built into Windows to decode them.

To find out what an error code means launch a command window and run this command slui 0x2a <error code>.  For instance slui 0x2a 0x80070002.  You will get a popup similar to the following:

slui 0x2a

You will need to Show details.  The description is the error code text.

I hope you found this article informative.  If you have anything to add please do so in the comments below.

Can you have too many CPU cores?

As I found out today the answer is yes, if you are deploying a Windows role that requires the WID (Windows Internal Database).  Below is the scenario I ran into and how to workaround the issue.

I had a customer that was attempting to deploy RDS (Remote Desktop Services).  I say attempting as he was having no luck getting connection broker to install properly.  The connection broker, session host, and rdweb roles would install, but the session collection was not being created.  Additionally, my customer was not able to manage RDS in server manager.  After several attempts of installing and removing the RDS components I noticed that the WID service was taking a very long time to start at boot and most times it would just hang.  I figured that we might have an issue with the existing OS or possibly a GPO (Group Policy Object) , so we isolated the server in an OU (Organizational Unit) with blocked inheritance and then added the newly loaded server to the domain.  The deployment still failed.  We then reloaded Windows.  Upon our first attempt at loading RDS it failed in exactly the same way.

At this point we knew the root of the issue was with the WID.  Searching the Internet turned up an article that alluded to a possible issue with configurations over 32 CPU cores.  My customer’s server is going to be used for a very CPU intensive application, so it was configured with 48 CPU cores (96 logical cores).  Since I was fresh out of ideas on what to try next I removed the WID and RDS components.  I then limited the server to 24 CPU cores through msconfig.  After a reboot we were able to deploy RDS without any problems.  To test, we removed the limit on CPU cores and rebooted.  The WID service then behaved exactly as before.

Now that we had the issue nailed down it was time to find a more permanent fix.  Before I get into that, let me detail the symptoms that were observed.  Hopefully this should help the next person that runs into this issue.

The primary behavior we observed was the WID service hung in a starting state.

Additionally we saw the following event in the application log when the WID finally started with more than 32 cores were exposed:

Process 0:0:0 (0xee8) Worker 0x0000000000 appears to be non-yielding on Schedule 47....

Finally the SQL error log contained a similar event:

*******************************************************************************
*
* BEGIN STACK DUMP:
* 07/21/17 09:35:26 spid 4268
*
* Non-yielding Scheduler
*
* *******************************************************************************
Stack Signature for the dump is 0x000000000000009C
External dump process return code 0x20000001.
External dump process returned no errors.

Process 0:0:0 (0x780) Worker 0x0000003077802160 appears to be non-yielding on Scheduler 47. Thread creation time: 13145128446017. Approx Thread CPU Used: kernel 62171 ms, user 7281 ms. Process Utilization 4%. System Idle 96%. Interval: 70052 ms.

 

So how did we fix this?

First we limited the number of CPUs exposed to Windows.  We then loaded SQL Management Studio as my customer was going to load SQL on the server.  We then connected to the WID (\\.\pipe\MICROSOFT##WID\tsql\query).  We set the CPU affinity to only use CPU 0 and CPU 1.  Finally we allowed Windows to see all the CPUs and rebooted.

Here are the steps I would recommend taking to correct this issue.

  1. If the WID and associated roles are loaded, remove them.  This may not be required depending on the role being installed, but it is better to be safe than sorry.
  2. Limit the CPUs exposed to Windows.  The easy way to do this is through msconfig.
    1. Launch msconfig.  Start, Run, msconfig
    2. Click on the Boot tab.
    3. Click Advanced options…
    4. Check the box for Number of processors:
    5. Set the server for 16 or less.
    6. Click OK twice and reboot.
  3. Install the Windows role that requires the WID as you normally would.
  4. Add the -P2 parameter to the WID service
    1. Open the services console (start, run, services.msc)
    2. Locate the Windows Internal Database service
    3. Right-click on the Windows Internal Database service and choose properties
    4. In the Start parameters box add “-P2” without quotes and click OK.  (This will limit the WID to 2 CPUs.  If you want more, change the number.)
  5. Remove the CPU limit imposed in step 2.

 

I would like to thank my colleague Curt for the startup parameter for the WID.  Far easier than loading SQL Management Studio Express.  I hope you found this article informative.  If you have anything to add or any suggestions, please do so in the comments below.

The case of the missing domain controller…

I wanted to talk about an issue today that I see with a great deal of regularity.  Statically setting an external or public DNS (Domain Name System) server in the DNS client settings of a machine that is joined to an Active Directory domain.

external-dns-server

In the above picture we have the Active Directory domain controller as the Preferred DNS server.  However we also have one of the Google public DNS servers as the Alternate DNS server.  At first look, it appears this might be a good idea.  If the Active Directory domain controller goes down, this PC can still resolve names on the Internet. However there is a significant disadvantage to setting up the DNS client in this way.  To understand this disadvantage, we must first understand how the DNS name resolution process works in Windows.

When a Windows system, either client or server, needs to resolve a name it goes through the following process.*

  1. The client checks to see if the name queried is its own.
  2. The client queries the DNS client resolver cache.  Any entries from the hosts file are preloaded to the resolver cache.
  3. Domain Name System (DNS) servers are queried.
  4. If the name is still not resolved, the NetBIOS name resolution sequence is used.

*I have omitted WINS from the process as it is rarely used anymore.

Let’s dive a little deeper into bullet point two.  There are two important takeaways for the DNS client cache.  The first is the time limit a record or lack thereof is cached.  This is typically referred to as TTL (Time To Live).  A positive answer is cached for its TTL or 24 hours whichever is less.  A negative response, that is when the record does not exist or cannot be found, is cached for 5 minutes.  The second takeaway is that clearing the cache can only be achieved by restating the DNS client service, running ipconfig /flushdns or restarting the client.

Now on to bullet point three and our example above.  The Windows DNS client will use the Preferred DNS server first.  If that server fails to respond, even just for a second, the Windows DNS client will switch over to the Alternate DNS server.  The Windows DNS client will not switch back to the Preferred DNS server unless the alternate fails to respond.  In the case of a public DNS server this is unlikely to happen.  If the Windows DNS client does get “stuck” on the alternate server there are three ways to get it to switch back; restart the DNS client service, restart the computer, or modify the DNS client configuration.

So now we have a better understanding of how DNS name resolution and the Windows DNS client work.  Let’s go over why public DNS servers should not be used.  In most environments there will be DNS timeouts on occasion.  As we now understand a DNS timeout can cause the DNS client to switch to the next DNS server in the list.  If the DNS client switches to a public DNS server then queries for internal resources, such as domain controller service records, or other systems on the LAN (Local Area Network), will fail.  So the bottom line here is that using an external DNS server in the DNS client settings can and usually will cause unpredictable behavior.

One final thought.  The default configuration of the Microsoft DNS server will allow Internet names to be resolved.  This is accomplished using root hints.  If a public DNS server must be used for Internet queries, then a DNS forwarder can be added in the DNS server configuration.

I hope you found this article informative.  If you have anything to add or see something that needs a correction, please leave a comment below.

 

 

 

 

 

 

 

 

 

 

We couldn’t create a new partition or locate an existing one.

Good afternoon.  I ran into an issue today I have seen quite a few times.  I had a customer that was trying to load Windows 2012 on a server.  No matter what he tried he would always receive the same error.

“We couldn’t create a new partition or locate an existing one.”
partition error.png

At first glance it might seem like there is an issue with the disk.  That is not the case though.  The problem has to do with the boot priority as setup in the BIOS of the system.  In this case my customer had a Dell server with an SD card.  He had ordered the server with ESXi loaded on the SD card.  Therefore Dell had put the SD card at the top of the boot priority when it was configured at the factory.  The raid controller was second in the boot priority.  The reason this is a problem is that Windows setup needs to create or use an existing partition on the first device in the boot priority.  Compounding the issue is that, when using the setup, Windows can only be loaded on a fixed disk.  Therefore the error is due to the inability to create a system reserved partition for the boot loader files.

Keep in mind this issue can happen on any system that has more than one entry in the boot priority.  For instance, I have also seen this problem when there were multiple hard disk controllers in a server and the wrong one is at the top of the list.

The fix is quite simple.  Go into the bios and change the boot priority to put the device that will have Windows loaded on it at the top.

I hope you have found this article informative.  If you have anything to add, please use the comments section below.