What’s changed in Windows Essentials 2019

Good afternoon. Longtime readers of this blog likely figured out that I work quite a bit with Essentials. I wanted to take a few minutes to go over the changes, good and bad, and my views on why we are seeing them. I have heard a lot of grumbling over the removal of some features. This article will attempt to take a more unbiased review of the situation. Just a couple of disclaimers first though. I do not work for Microsoft and my views here are my own.

Let’s tackle the elephant in the room first. The removal of the essentials experience. This includes the dashboard, connector software, remote web access and client PC backup. Based on my interactions, most people I talk to see this in a negative light. I tend to view this as business as usual.
I say this as I have been supporting Microsoft small business products for about 15 years now. I started out supporting SBS 2003. I watched that product mature into SBS 2008 and then peak with SBS 2011. Unfortunately, due to all the interactions between the different software packages (SharePoint, Exchange, Active Directory, etc.), putting out SBS 2014 was not going to happen. This is why I believe Microsoft decided to re-badge Windows Home Server as Windows Server Essentials edition. The product was changed some, but when first released was about 98% the same. Windows Server Essentials then matured into Essentials 2012, then 2012 R2 and finally peaked with 2016. While Essentials has been great in the past, the number of issues has been steadily creeping up. There are two that I believe contributed to the demise of Essentials. The first is the client PC backup feature. This feature, while great for a few workstations, does not scale well. The second problem though is likely a bigger part of why the Essentials experience was removed. Within the last few years the client connector software has become more troublesome to maintain. This seems likely due to the change in how updates are packaged for Windows 10. I have seen many workstations that required a reinstall of the connector software after an update. It’s not all bad though. I have seen quite a few Essentials environments that have been working great. These environments tend to run Windows 7 for the workstations, and have fewer than 10 workstations and/or users.

So were the building problems the only reason that the essentials experience was removed? I don’t think so. There is a lot of grumbling that Microsoft has removed the essentials experience to drive more customers to their hosted services. While there is likely some truth to this, I don’t believe it is the primary reason. It is more likely that the segment of the market that the essentials experience serves has shrunk to the point it is no longer profitable to continue development and support of the product. If it were, then Microsoft would devote more resources to the problems with the essentials experience.

So I like to consider myself an optimist and look at the bright side. There is definitely a silver lining here if you look closely. Through testing of Windows Server 2019 Essentials edition I have found several positive points. The first is the removal of quite a few of the restrictions placed on previous Essentials editions. It is no longer a hard requirement to have an Active Directory domain in place. The licensing compliance checks will pass without problems if the server is left in a workgroup. This is a huge win for a lot of small businesses as it brings down the IT cost of maintaining and setting up a server. The server can simply be managed as a workstation would be. Another positive is that CALs (Client Access Licenses) are still included with the Essentials edition. While the 25 user limit is still in place, all 25 users are licensed without additional cost. Finally the cost of Essentials edition has remained largely unchanged. For less than half the cost of Standard edition you get a server class OS with 95% of the features and very few restrictions*.

I hope you have found this informative. If you have an opinion on the subject or have another viewpoint please feel free to comment below.

*Remote Desktop Services and Data Deduplication have been removed from Windows Server 2019 Essentials edition. This is not really a change from 2016 Essentials edition as Remote Desktop Services, while there, did not function properly.

Windows Server Essentials Configuration Troubleshooter

Good morning,
It has been a little while since I last posted, so I figured it was time to share a little gem.  My team had a case that had us scratching our heads.  I had previously seen the error, but the solution that worked several times before did not work.  In case you are curious here is the error we were seeing:
web server settings error

(There is an error in your Web server settings)

We opted to engage Microsoft support.  The support engineer had a trick up his sleeve and was able to resolve the issue quickly.  After doing some preliminary checking, he ran the configuration troubleshooter.  The tool pointed at a path issue with the RemoteAppPool application pool in IIS.  After fixing the path the errors were resolved.

I tried out this tool and it works great at verifying settings are correct.  The tool can be used to test IIS settings, the certificate authority, Essentials services, and whether ports for Essentials are open.  I am definitely adding this to my tool belt as it will significantly speed up troubleshooting.  You can find the tool here.  Below is a screenshot.  I just ignored the error as it did not seem to impact functionality.

Windows ESS Config Troubleshooter

I hope you found this post useful.  What is your favorite troubleshooting tool for Essentials?  Put the answer in the comments section below.

Windows Server Essentials wizard failing at 16%

Good morning.  I wanted to document an issue I have seen several times.  The fix for this problem is pretty easy in PowerShell, but would take quite a bit of time using Server Manager.  The wizard fails at 16% because it is unable to connect to a domain controller in the domain.  This failure to connect is due to none of the roles being installed and therefore the server not being promoted to a domain controller.  This can all be discovered from the Essentials deployment logs in the C:\ProgramData\Microsoft\WindowsServer\Logs folder.

As I stated above the fix is pretty easy.  Run the three PowerShell commands below, changing domainname to the name you want for your domain and the P@ssW0rD! to a password of your choosing.  Keep in mind this password must meet complexity requirements with a length of at least 8 characters and 3 of 4 character types: capital letter, lowercase letter, number, special character.

NOTE: If you do not want the default computer name of WIN-<random string>, then you should change the computer name via the sysdm.cpl application or use netdom.
Also, change domainname.local to a domain name of your choice that ends in .local.  For instance tailspintoys.local or contoso.local.  You will not be able to change the computer or domain name after completing the wizard.

Install-WindowsFeature AD-Domain-Services,DNS,FileAndStorage-Services,File-Services,FS-FileServer,FS-BranchCache,FS-DFS-Namespace,Storage-Services,NPAS,RemoteAccess,DirectAccess-VPN,Remote-Desktop-Services,RDS-Gateway,Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-IP-Security,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-ASP,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-Scripting-Tools,ServerEssentialsRole,NET-Framework-45-Features,NET-Framework-45-Core,NET-Framework-45-ASPNET,NET-WCF-Services45,NET-WCF-HTTP-Activation45,NET-WCF-TCP-PortSharing45,BranchCache,GPMC,RSAT,RSAT-Role-Tools,RSAT-AD-Tools,RSAT-AD-PowerShell,RSAT-ADDS,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-ADCS,RSAT-ADCS-Mgmt,RSAT-DNS-Server,RSAT-NPAS,RSAT-RemoteAccess,RSAT-RemoteAccess-PowerShell,RPC-over-HTTP-Proxy,FS-SMB1,Windows-Defender-Features,Windows-Defender,Windows-Defender-Gui,Windows-Internal-Database,WAS,WAS-Process-Model,WAS-Config-APIs,Search-Service,Windows-Server-Backup,WoW64-Support

$Password = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText -Force

Install-ADDSForest -DomainName "domainname.local" -SafeModeAdministratorPassword $Password -Force

After the above commands complete the server will automatically restart and the deployment wizard should complete without further errors.  If it fails, then click Retry.  I have seen a few instances where a retry is necessary.
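A variant of the last two commands that prompts for the DSRM password instead of typing it as a literal, so the password does not end up in console history or transcripts (added example, not from the original post). The helper names Test-PasswordComplexity and Read-DsrmPassword are made up for this example, and the three-role check is only a subset of the feature list above.

```powershell
# Added example, not from the original post. Run in an elevated session.
# 'domainname.local' is the post's placeholder; replace it as described above.

function Test-PasswordComplexity {
    # Length of at least 8 and 3 of the 4 character types named in the post.
    param([Parameter(Mandatory)][string]$Plain)
    $classes = 0
    if ($Plain -cmatch '[A-Z]')        { $classes++ }   # capital letter
    if ($Plain -cmatch '[a-z]')        { $classes++ }   # lowercase letter
    if ($Plain -match  '[0-9]')        { $classes++ }   # number
    if ($Plain -match  '[^A-Za-z0-9]') { $classes++ }   # special character
    return (($Plain.Length -ge 8) -and ($classes -ge 3))
}

function Read-DsrmPassword {
    # Prompt twice, compare, check complexity, and hand back a SecureString.
    while ($true) {
        $first  = Read-Host -Prompt 'DSRM password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm DSRM password' -AsSecureString
        # Decrypt only inside this function so the comparison can be done.
        $p1 = [System.Net.NetworkCredential]::new('', $first).Password
        $p2 = [System.Net.NetworkCredential]::new('', $second).Password
        if ($p1 -cne $p2) {
            Write-Warning 'The two entries do not match.'
            continue
        }
        if (-not (Test-PasswordComplexity -Plain $p1)) {
            Write-Warning 'Need at least 8 characters and 3 of 4 character types.'
            continue
        }
        return $first
    }
}

# Refuse to promote if the key roles from the Install-WindowsFeature step
# are still missing (the condition that makes the wizard stop at 16%).
$required = 'AD-Domain-Services', 'DNS', 'ServerEssentialsRole'
$missing  = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    throw "Roles not installed yet: $($missing.Name -join ', '). Run Install-WindowsFeature first."
}

$dsrm = Read-DsrmPassword
Install-ADDSForest -DomainName 'domainname.local' -SafeModeAdministratorPassword $dsrm -Force
```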

I hope you found this post helpful.  If you have anything to add, please do so in the comment section below.

How to re-deploy VPN in 2016 Essentials in legacy mode.

This is the third article in a series of articles covering VPN in Windows Essentials.  In the first article I covered an issue with VPN and DHCP.  In the second article I covered how to re-deploy VPN with PowerShell in 2016 Essentials.  In this article I will cover how to re-deploy VPN in legacy mode.

  1. First we must clear the configuration. Launch a PowerShell session as administrator.
  2. Run Uninstall-RemoteAccess.  Hit enter when prompted.
  3. Install the RRAS (Routing and Remote Access Service) console by running the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
  4. Run rrasmgmt.msc to launch the RRAS console.
  5. Right-click on the server name and choose “Configure and Enable Routing and Remote Access”
  6. Click Next.
  7. Ensure the Custom configuration radio button is selected and click Next.
  8. Check the box for VPN and click Next.
  9. Click Finish to complete the initial configuration.  You will get a popup indicating a policy was created.  Click OK to continue.
  10. When prompted to start the service, click Start service.
  11. RRAS is now running, but there are two more required steps to complete the configuration.  Right-click the server name and choose Properties.
  12. Click on the Security tab.  At the bottom of the screen, choose the correct certificate and click Apply.  Click Yes to restart RRAS.
    RRAS certificate
  13. Click the IPv4 tab.  Click the radio button for Static address pool and click the Add button.  Fill in the start IP address and end IP address and click OK twice.
    RRAS static pool
  14. Restart the RRAS service.

At this point RRAS should be configured properly.  Optionally you can disable the unused protocols in RRAS.  To do so right-click on Ports and click Properties.
RRAS ports

Only SSTP is used in Essentials by default, so the other protocols can be removed/minimized.  Highlight IKEv2 and click Configure.  Change the maximum ports to 0 (zero) and click OK.  Click Yes on the popup.  Repeat this with L2TP and GRE.  For PPTP you cannot reduce to zero, but you can reduce to 1 (one).  I also like to reduce the number of ports to match the number of IP addresses in the static pool.  This is to ensure that all connections get a valid IP address.  So I limited the ports to 20 for SSTP.  When complete it should look something like below.
RRAS ports limited

I hope you found this article informative.  If you have anything to add or just want to comment, please do so below.

Why am I unable to access any resources on my Essentials VPN?

Windows Server Essentials is a great product.  Easy to configure and it uses the existing network infrastructure to save money and resources. There is a situation that I see fairly regularly with the VPN (Virtual Private Network) on Essentials though.  I have seen this issue on all versions of Essentials from 2011 to 2016.

My customer will set up the VPN using the anywhere access wizard and it completes without any errors.  He/she will then test the connection with a client.  The client connects without a problem, but is unable to access any resources on the Essentials network.

The problem is that RRAS (Routing and Remote Access), the VPN server in Windows, is not able to lease an IP from the DHCP server running on the router.  Failing to lease an IP, Windows reverts to using an APIPA (Automatic Private IP Addressing) address.  This will be an IP in the 169.254.0.0/16 subnet.  More likely than not this is on a different subnet than the rest of the Essentials network.  This effectively isolates the VPN client from the Essentials network.

The fix is quite easy on Essentials 2011, 2012, and 2012 R2.  Simply add a static pool to the VPN server configuration.  Here are the steps:

  1. Install the RRAS management console, if not installed.
    • Run Windows PowerShell as administrator
    • Run the following command: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
  2. Run rrasmgmt.msc to launch the RRAS console
  3. Right-click on the server name and choose properties
    static pool
  4. Click on the IPv4 tab
  5. Click the radio button for “Static address pool”
  6. Click the “Add” button
  7. Fill in the start and end IP address for the pool.  This should be a range that is not included in the router’s DHCP (Dynamic Host Configuration Protocol) range, but that is part of the same subnet.
  8. Click OK twice.
  9. Restart the Routing and Remote Access service. PowerShell: Restart-Service RemoteAccess

For Essentials 2016 the fix is a bit more involved.  Unfortunately the RRAS configuration cannot be edited in the RRAS console to add a static pool.  The anywhere access wizard in 2016 uses PowerShell to configure RRAS and disables the RRAS console.  The PowerShell command is:

Set-VpnIPAddressAssignment -IPAssignmentMethod "StaticPool" -IPAddressRange "192.168.1.200", "192.168.1.220" -PassThru

The IP addresses in the command are the start and stop IP address for the range, respectively.  They should be changed to match the subnet the server is on.
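One way to check a candidate pool against the rule from step 7 (same subnet as the server, outside the router's DHCP range) before applying it on Essentials 2016; this is an added example, not from the original post. The function names, the server address 192.168.1.10, the /24 prefix and the DHCP range 192.168.1.50 to 192.168.1.150 are constructed for illustration.

```powershell
# Added example, not from the original post. The server address, prefix length
# and DHCP range used at the bottom are constructed values; use your own.

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "$Address is not an IPv4 address." }
    # Weighted sum of the four octets, kept in Int64 to avoid sign issues.
    return ([int64]$bytes[0] * 16777216) + ([int64]$bytes[1] * 65536) +
           ([int64]$bytes[2] * 256) + [int64]$bytes[3]
}

function Test-VpnStaticPool {
    param(
        [Parameter(Mandatory)][string]$PoolStart,
        [Parameter(Mandatory)][string]$PoolEnd,
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][ValidateRange(8, 30)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$DhcpStart,
        [Parameter(Mandatory)][string]$DhcpEnd
    )
    $lo     = ConvertTo-IPv4Number $PoolStart
    $hi     = ConvertTo-IPv4Number $PoolEnd
    $server = ConvertTo-IPv4Number $ServerAddress
    $dhcpLo = ConvertTo-IPv4Number $DhcpStart
    $dhcpHi = ConvertTo-IPv4Number $DhcpEnd

    # Usable host range of the subnet the server sits in.
    $block     = [int64][math]::Pow(2, 32 - $PrefixLength)
    $network   = $server - ($server % $block)
    $firstHost = $network + 1
    $lastHost  = $network + $block - 2

    $problems = @()
    if ($lo -gt $hi) {
        $problems += 'Start address is above end address.'
    }
    if ($lo -lt $firstHost -or $hi -gt $lastHost) {
        $problems += "Pool is not inside the server's /$PrefixLength subnet."
    }
    if ($lo -le $dhcpHi -and $hi -ge $dhcpLo) {
        $problems += 'Pool overlaps the router DHCP range.'
    }
    if ($server -ge $lo -and $server -le $hi) {
        $problems += 'Pool contains the server address.'
    }

    [pscustomobject]@{
        Valid        = ($problems.Count -eq 0)
        AddressCount = $hi - $lo + 1
        Problems     = $problems
    }
}

$pool  = @{ PoolStart = '192.168.1.200'; PoolEnd = '192.168.1.220' }
$check = Test-VpnStaticPool @pool -ServerAddress '192.168.1.10' -PrefixLength 24 `
             -DhcpStart '192.168.1.50' -DhcpEnd '192.168.1.150'

if ($check.Valid) {
    "Pool holds $($check.AddressCount) addresses; applying it."
    Set-VpnIPAddressAssignment -IPAssignmentMethod 'StaticPool' `
        -IPAddressRange $pool.PoolStart, $pool.PoolEnd -PassThru
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```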

Thanks to Mark over at Mcbsys for the tip on this.

I hope this article has been informative.  If you have any comments or suggestions, please post them below.

How to upgrade Windows Server Essentials to Standard edition

Time for another quick tip.  In case you hadn’t guessed already, I really like Essentials.  You get quite a few features for a much better price than Standard edition.  There are some limitations though with Essentials.  The good news is that the server can later be upgraded to Standard and the process only takes a few minutes.  On the flip side, a standard license has to be purchased.

Let’s walk through the upgrade process.

  1. Purchase a Windows Server Standard license
  2. Open an administrative PowerShell prompt
  3. Run the following command to verify the target edition:
    dism /online /Get-TargetEditions
    You should see Target Edition : ServerStandard or something similar
  4. Run the following command to complete the upgrade:
    dism /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
    Change the edition and product key to match the ones you have.

You should see output similar to below.  Reboot when prompted.  (I have updated this picture.  It is 2019 Essentials.)

2019 Essentials upgrade to Standard

I hope you found this informative.  If you have any comments or suggestions, please leave them below.

Windows Server 2016 Essentials and Remote Desktop Services, the untold story

Good morning.  Time for another installment.  Today I wanted to talk about 2 of my favorite Microsoft technologies in one article; RDS (Remote Desktop Services) and the Essentials experience.

Recently I have seen a rise in the deployment of RDS, specifically Session Host, on Windows Server 2016 Essentials.  While this seems like the perfect money-saving combination (Essentials is about $200-300 cheaper than the Standard SKU), it is not.  While not well documented, this configuration is not supported by Microsoft*.  This may not deter some admins.  However, it also will not work properly.  While I have seen this issue on several occasions in customer environments, I figured I would reproduce this.  Below is the documentation of that process.

I started by installing Windows Server 2016 Essentials into a generation 2 VM (Virtual Machine).  I ran the initial configuration wizard to complete setup.  I verified that only 2 simultaneous interactive logon sessions would work.  See the screen capture below.

too-many-users

I then shut down the server and took a checkpoint.  After booting the VM back up, I installed RDS via the installation wizard.  The roles installed properly, but I received an error when creating the session collection.  After a reboot the session collection did show up.  This seemed odd to me, but upon checking Server Manager all seemed to be normal.  I then tested the number of simultaneous connections again.  I ran into the same 2 user limit.

Maybe this is due to RDS licensing not being installed or configured?  I then installed and activated a license server on the same machine.  I added a 50 pack of user CALs.  Finally, I added the license server and the network service account to the Terminal Server License Servers group in AD.  After a restart, RD Licensing manager is reporting all green checks.  However RD Licensing Diagnoser is reporting it is not configured with a license server.  See the screenshots below.  This led me to check the deployment properties and I found it was configured for Per User mode with the correct server.

rd-licensing-happy

rd-licensing-diagnoser

At this point it is pretty clear this is not going to work properly, but I wanted to dig a little deeper and find out why.  Time to break out the PowerShell.  I ran the following commands to manually configure Session Host via PowerShell:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(4)

Upon running the last command I receive an error indicating the method is not specified, meaning the parameter doesn’t exist.  This led me to output all parameters from the Win32_TerminalServiceSetting object.  This is how I discovered the root cause for the limitation.  It appears that even though I have installed Session Host, the server is still in Remote Desktop for Administration mode.  In this mode it is not possible to specify a license server or licensing mode.  Also there is the limitation of two simultaneous interactive logon sessions.

powershell-output

So is it possible to get around this or correct it?  The good news is that the process is fairly easy.  The bad news is that an upgrade to standard edition is required.  A walk-through of the upgrade process can be found here.  I went through this process in my test environment.  After reactivating my license server and updating the licensing mode in the deployment properties, my RD Licensing Diagnoser reported no issues.  Also for curiosity’s sake, below is a screenshot of the same PowerShell output after upgrading to Standard.

powershell-output-after-upgrading

So the moral of the story is if you need RDS in Windows Server 2016 you will need Standard edition or higher.  I hope this has been informative for you.  If you have any comments or suggestions, please leave them below.

 

 

*There is only one reference, that I could find, to the supportability of RDS on the Essentials SKU.  It is in the Windows Server 2012 R2 Licensing Datasheet.  On page 5, look for footnote 8.

The DNS management console fails to update or gets “stuck”

Another quick tip here.  I recently had a DNS (Domain Name System) console that was failing to update.  I knew that DNS was functioning properly and that all the records were there.  They were just not showing up on this particular server.  This is actually a pretty easy fix.

To reset the DNS console, or most mmc consoles, you just need to delete the settings file.  There is a settings file for each user that has logged in.  This file is located at C:\Users\<username>\AppData\Roaming\Microsoft\MMC\dnsmgmt.  You may notice other files in this directory.  Those files are the settings files for their respective mmc consoles.

License compliance checking in Windows Essentials and Foundation

Good morning.  I figured it was time for another post on Essentials.  Some parts of this article also apply to Foundation edition.

Let’s start off with a little background on Essentials edition.  Windows Server Essentials edition is designed for a small to medium sized business.  It is a very good option for a small to medium sized business with less than 25 users/computers.  Here are a few of the advantages to running Essentials.

  • It is less expensive than standard edition.  Typically by $200-300.
  • There are no additional CALs (Client Access Licenses) to purchase.  Twenty five user CALs are included.
  • Can be easily upgraded to standard edition with a single command.
  • Client PC Backup is built in.  This feature automatically backs up client PCs to the server.
  • Anywhere access is available.  This is a feature that was first introduced in SBS (Small Business Server).  It allows a user to remotely access computers and file shares.  It also allows the administrator to access the Dashboard from anywhere.  Additionally the administrator can set up an SSTP (Secure Socket Tunneling Protocol) VPN (Virtual Private Network) via a wizard.
  • Easy integration with Microsoft cloud solutions.

 

What’s the catch?  There is always a catch.  Windows Essentials edition is no exception.  Below are the limitations imposed by running Essentials.

  • The Essentials server MUST be a domain controller.
  • The Essentials server must hold all the FSMO (Flexible Single Master Operation) roles.  If you want to learn more about the FSMO roles here is a good article.
  • Only one domain is permitted in the forest where the Windows Essentials edition server resides.
  • No forest/domain trusts are permitted.
  • The Remote Desktop Session Host role feature is not supported and typically will not function.

So what if the server is not a domain controller or violates one of the rules above?  This is where the Server Infrastructure License Service comes into play.  This service regularly checks the server to verify it is not violating the EULA (End User License Agreement).  If a violation is found the server will shut down every 27.67 days (27 days, 16 hours).  Why Microsoft chose 27.67 days, I have no idea.  Before it shuts down though it will warn you.  The events will show up in the Server Infrastructure Licensing log.
Server Infrastructure Licensing Error

The next question is how do we fix these errors.  I have seen three causes for this issue.  Let’s go over each one and how to fix it.  After you believe you have fixed the issue, see the next section for a way to confirm the issue is resolved.

  1. The first cause of this issue is also the most painful to fix.  If the server is demoted, and put into a workgroup it will cause this issue.  All checks will fail because the domain can no longer be contacted.  Unfortunately the only fix is to reinstall Windows on the server.
  2. The second reason these errors might crop up is due to the check failing due to an issue with Active Directory.  For instance, if the server is not advertising as a domain controller due to a SYSVOL issue.  If an Active Directory issue is suspected, the first place to start should be to run a dcdiag.  Dcdiag will test the basic functionality and report any issues found.  As stated above, if there are SYSVOL issues, then the server will likely fail the advertising test.
  3. The last reason I have seen on more than a few occasions is the following error:

    Log Name:      Microsoft-Windows-Server Infrastructure Licensing/Operational
    Event ID:      2
    Level:         Error

    Description:The Forest Trust Check in the Licensing component did not pass because error 0x80070008 occurred in function fe1 [YJBI].
    Not enough storage is available to process this command.

    This error seems to indicate that we are low on hard drive space.  However this is not the case.  This error is actually referring to a special pool in memory (RAM, Random Access Memory) called the heap.  The heap is a finite size, regardless of how much RAM is in the system.  Normally Windows will not experience a heap exhaustion, that is where this special pool of memory is completely depleted.  However, if a program or driver is leaking memory, then the pool will eventually run out.  In case you are wondering what a memory leak is, it occurs when a program or driver allocates memory, but does not free it when complete.
    So in essence this error is caused by a malfunctioning program or driver.  The good news is that every time I have seen this issue in Essentials or Foundation it was caused by a printer driver.  There are 2 ways to fix this problem.  The first way is to simply restart the printer spooler service.  Restarting the printer spooler service unloads the printer drivers and frees all memory associated with them.  This will temporarily eliminate the issue.  A scheduled task could then be created to automatically do this on a regular basis.  The optimal solution though is to find the problem driver and either remove or update it.

So to this point we have covered some of the pros and cons of running Essentials, what happens when the EULA is violated, and some common causes for the Server Infrastructure Licensing service shutting down the server.  The last item I wanted to cover is how to force a new compliance check from the Server Infrastructure Licensing service.  This process works for both Essentials and Foundation edition.  This is useful if you are seeing compliance check errors, have taken measures to correct them, and now want to test if the issue is resolved.  It is surprisingly easy to force a compliance check.  Only one PowerShell command is required.  Ensure you run PowerShell as administrator when running this command.

Stop-Process -ProcessName silsvc -Force

The above command forces the Server Infrastructure License service process to stop.  The process will then immediately start again.  The trick here is that the Server Infrastructure License does a compliance check every time it starts.  You should see a compliance check within 2-3 minutes after the service stops.
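The forced check and the log lookup combined into one step, as an added example that is not from the original post. The function name Invoke-ComplianceCheck and the five-minute wait are choices made for this example; the log name is the one shown in the event above.

```powershell
# Added example, not from the original post. Run PowerShell as administrator.

function Invoke-ComplianceCheck {
    param([int]$TimeoutMinutes = 5)

    $logName = 'Microsoft-Windows-Server Infrastructure Licensing/Operational'
    $started = Get-Date

    # Stopping the process makes the service start again and run a new check.
    Stop-Process -ProcessName silsvc -Force

    # Poll the licensing log for anything written after the restart.
    $filter   = @{ LogName = $logName; StartTime = $started }
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $events   = $null
    while (-not $events -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    if (-not $events) {
        Write-Warning "No licensing events within $TimeoutMinutes minutes."
        return
    }

    # Give the check a moment to finish writing, then read the log once more.
    Start-Sleep -Seconds 30
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Level 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
    $failed = @($events | Where-Object { $_.Level -in 1, 2, 3 })

    [pscustomobject]@{
        Passed = ($failed.Count -eq 0)
        Events = $events | Sort-Object TimeCreated |
                     Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

$result = Invoke-ComplianceCheck
if ($result) {
    "Compliance check passed: $($result.Passed)"
    $result.Events | Format-List
}
```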
Well, we covered a lot of ground with this post.  If you have any questions, or any suggestions please add a comment below.

10 < 6

It turns out when performing a WMI (Windows Management Instrumentation) query, 10 is less than 6.  The reason for this is because the version number is treated as a string and not a number.  So the 10 is actually treated as 1, and 1 is less than 6.

So why is this important?  In Windows Server 2012 Essentials folder redirection will not work for Windows 10 clients by default.  This is due to the WMI query used by the folder redirection group policy.

The fix is to edit the WMI query used by the policy.  Here is the process.

  1. Open the Group Policy Management console. (gpmc.msc)
  2. Expand Forest, then Domains, and finally the domain name.
  3. Click on the “WSE Group Policy Folder Redirection” policy.
  4. At the bottom of the Scope tab on the right, click Open in the WMI filtering section.
  5. Click the Edit Filter button.
  6. Click on Edit.
  7. Change the query to: select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"
  8. Click OK on the warning about the namespace.
  9. Click the Save button.
  10. Close the Group Policy Management console.

Once the WMI query is corrected, the Windows 10 client will need to be rebooted or have group policy updated.  To force group policy update on any Windows device, run gpupdate /force from a command line.
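The string comparison described above, run over a few version strings next to the corrected query and a true numeric comparison (added example, not from the original post). The version list is a constructed sample and Test-VersionFilter is a name made up for this example; the last lines run the corrected query from step 7 against the local machine.

```powershell
# Added example, not from the original post. The version strings are a
# constructed sample: Vista SP2, 7 SP1, 8.1 and a Windows 10 build.
$sample = '6.0.6002', '6.1.7601', '6.3.9600', '10.0.19045'

function Test-VersionFilter {
    param([Parameter(Mandatory)][string]$Version)

    # Text comparison, character by character: "10..." starts with "1",
    # which sorts before "6", so the clause Version >= "6.1" is false.
    $asString = [string]::CompareOrdinal($Version, '6.1') -ge 0

    [pscustomobject]@{
        Version        = $Version
        StringGe61     = $asString                               # Version >= "6.1" alone
        CorrectedQuery = ($Version -like '10.*') -or $asString   # query from step 7
        NumericGe61    = ([version]$Version -ge [version]'6.1')  # what was intended
    }
}

$sample | ForEach-Object { Test-VersionFilter $_ } | Format-Table -AutoSize

# Run the corrected WQL query on this machine. An object comes back only
# when the local operating system passes the filter.
$wql   = 'select * from Win32_OperatingSystem where Version like "10.%" or Version >= "6.1"'
$match = Get-CimInstance -Query $wql
"Local OS passes the corrected filter: $([bool]$match)"
```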

So there you have it, 10 can be less than 6.

 

Source: grouppolicy.biz