Group Policy and the case of the missing permission.

Good morning.  I had a case yesterday that yielded several interesting article ideas.  This is probably the most interesting one, and I have seen this very issue on at least three occasions.  The issue started on a domain rename.  If you have ever done a domain rename, you know there are quite a few steps.  After doing some checks and making some corrections we were able to complete the domain rename.  My customer then advised that his Folder Redirection policy was not applying on any workstations.  So in this article I am going to cover how to troubleshoot a group policy not applying and the specific fix for the situation I ran into yesterday.

The first step when troubleshooting just about any group policy issue is to pull a group policy report from a client that should be getting the policy.  My preferred method is to go to a command prompt and run the following commands:

gpresult /h report.htm
report.htm

This will run the report and save it to a file called report.htm.  The second line then opens that report in a web browser.

When troubleshooting an issue where a policy is not applying I like to focus on the denied sections.  In our case folder redirection is a user policy, so I checked there.  Below is similar to what I found.
[Screenshot: gpo-inaccessible]

There were two clues as to what the issue was here.  The first clue is that the policy name is not being displayed.  Instead we just see the GUID (Globally Unique Identifier).  The second clue is the reason it was denied.  We can see it was denied because the policy is inaccessible, empty or disabled.

The next step was to check to see if the policy was accessible in the SYSVOL share.  In our case we had no problem accessing the files.  We then checked in the group policy management console.  We verified the policy was not empty or disabled.  So it would appear that we have eliminated all possible issues.  However there is another set of permissions.

[Screenshot: delegation-tab]

This was the set of permissions that were not correct in our case.  The Authenticated Users group was missing.  I have seen this issue on several occasions when one of my customers is trying to “lock down” the server.  Even if you add in another group, for instance Domain Users, and the user and/or computer is a member of that group, the GPO (Group Policy Object) will still fail to apply.  The fix is quite simple.  Add back the Authenticated Users group and give it Read permissions.  After adding back Authenticated Users and running a gpupdate /force on the client, the policy applied without issue.
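
Here is an added example (my own script, not part of the original post) that audits every GPO in the domain for the missing permission described above and can grant Authenticated Users Read the same way the fix does.  It assumes the GroupPolicy RSAT module is installed and that the account running it can read and modify GPO security; the check accepts either Authenticated Users or Domain Computers, the two groups Microsoft documents as sufficient for clients to read a GPO.

```powershell
# Added example, not from the original post. Audits every GPO for the Read permission
# the post describes as missing, and optionally repairs it the way the post does.
# Assumes the GroupPolicy RSAT module and rights to read/modify GPO security.
Import-Module GroupPolicy

# Well-known identifiers: Authenticated Users is S-1-5-11; Domain Computers is the
# domain group with RID 515. Either one holding at least Read lets the client read the GPO.
function Test-GpoClientReadable {
    param([Parameter(Mandatory)] $Gpo)

    $acl = Get-GPPermission -Guid $Gpo.Id -All
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $clientReaders = $acl | Where-Object {
        ($_.Permission.ToString() -in $readLevels) -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like '*-515')
    }

    [pscustomobject]@{
        DisplayName       = $Gpo.DisplayName
        Id                = $Gpo.Id
        ReadableByClients = [bool]$clientReaders
        Trustees          = ($acl | ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" }) -join '; '
    }
}

# Set to $true to apply the post's fix: grant Authenticated Users Read (not Apply).
$Repair = $false

$findings = Get-GPO -All | ForEach-Object { Test-GpoClientReadable -Gpo $_ }
$missing  = $findings | Where-Object { -not $_.ReadableByClients }

if (-not $missing) {
    'Every GPO grants Read to Authenticated Users or Domain Computers.'
} else {
    # These are the GPOs gpresult would list by GUID only, with reason "inaccessible".
    $missing | Format-Table DisplayName, Id, Trustees -AutoSize -Wrap
    if ($Repair) {
        foreach ($g in $missing) {
            Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            "Granted Read on '$($g.DisplayName)' to Authenticated Users"
        }
    }
}
```

After a repair, run gpupdate /force on a client and pull a fresh gpresult report to confirm the GPO has moved out of the denied section.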

I hope you have found this informative.  If you have anything to add or just want to comment, please do so below.

SMB 1 in Windows 10

Today we have a quick tip from Luis, one of my partners in crime.  He had a customer that was experiencing poor file sharing performance with Windows 10 clients.  After replicating the environment Luis discovered the issue was due to the SMB (Server Message Block) version being used.  He was able to increase the performance by forcing a lower version of SMB to be used.  He discovered though that SMB version 1 is no longer supported by default in Windows 10.  He found a way to turn it back on.

I wanted to share that with you as it can be useful in a situation where there is an older file server.  When I say older, think Windows 2003 or Windows XP.  So it is no wonder that Microsoft has decided not to allow SMB 1 by default.  I don’t recommend following this procedure simply to increase performance as the trade-off is less security and fewer features.  Also following the below process will not by itself increase speed, as the highest version of SMB will be negotiated*.  This process will allow a Windows Server 2016 or Windows 10 client to connect to an older Windows system hosting a file share.

To enable SMB 1 do the following on the Windows Server 2016 or Windows 10 client.

  1. Open the registry editor and navigate to the following key:
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  2. Open the DependOnService entry.
  3. Add MRxSmb10 to the list below the MRxSmb20 entry and click OK.
  4. Close the registry editor and restart the Workstation service.
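
As an added example (my own, not from the original post), the following script reports whether the Workstation service now depends on the SMB 1 redirector, whether the MRxSmb10 driver is actually present on the box (the registry edit does nothing if the driver has been removed), and which dialect each live SMB session negotiated, which is how you can see whether any connection is really using SMB 1.  It assumes Windows 8/Server 2012 or later for the SmbShare cmdlets.

```powershell
# Added example, not from the original post. Shows the Workstation service's SMB 1
# dependency state and the dialect negotiated on each current SMB connection.
function Get-Smb1ClientState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $deps = (Get-ItemProperty -Path $key -Name DependOnService).DependOnService

    [pscustomobject]@{
        DependOnService  = $deps -join ', '
        Smb1InDependOn   = [bool]($deps -contains 'MRxSmb10')
        # The dependency only helps if the redirector driver and its service key exist.
        Smb1DriverOnDisk = Test-Path "$env:SystemRoot\System32\drivers\mrxsmb10.sys"
        Smb1ServiceKey   = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb10'
    }
}

# Dialect per connection. A 1.x dialect means that server could not offer SMB 2;
# anything else shows the highest common version winning, as the post says.
function Get-SmbDialectInUse {
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect,
            @{ Name = 'IsSmb1'; Expression = { [version]$_.Dialect -lt [version]'2.0' } } |
        Sort-Object ServerName, ShareName -Unique
}

Get-Smb1ClientState
Get-SmbDialectInUse | Format-Table -AutoSize
```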

I hope you enjoyed this article and found it informative.  If you have anything to add or just want to comment, please feel free to do so below.

*If you are dead-set on running SMB 1 to improve performance have a look at this Microsoft article.

The machine attempted to join the domain but failed. The error code was 2700.

Good morning.  I ran into an interesting issue a couple of weeks ago.  I had a customer that was not able to join any of their client systems to a newly created Windows Essentials domain.  When running the domain join wizard they were receiving a generic error.  When digging into the event log we were able to find an error code in the following event.

Event ID: 4097
Source: NetJoin
Type: Error
Description:
The machine <server name> attempted to join the domain <domain name> but failed. The error code was 2700.

So what does error code 2700 mean anyway?  I did some checking and could not find a good answer.  I dug into the clientsetup.log and found the following line that gave me the answer I was looking for.

[3156] 170119.143840.1334: ClientSetup: nativeNetJoinDomain returned ErrCode=2700
[3156] 170119.143840.1334: ClientSetup: Join domain fails on the first time, exception: System.ComponentModel.Win32Exception (0x80004005): This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school

This makes sense as a client cannot be connected to two domains at the same time.

Now that we know what the issue is, here is the fix.

  1. Open the Settings menu in Windows.  This can be done by clicking the Start icon and choosing Settings.  Choose the Accounts option.
  2. Pick the Access work or school option.
  3. Click on the Azure connection to bring up the option to disconnect.
  4. When you click on Disconnect, you will get a prompt.  Click Yes.
  5. You will get another prompt.  Choose Disconnect again.
  6. Enter alternate account information and click OK.
  7. Finally choose the option to Restart now.

After restarting you should now not have any issues joining the Windows domain.

I hope you found this article informative.  If you have anything to add or want to comment, please do so below.

How to run Windows Foundation edition as a Hyper-V virtual machine.

I recently needed to reproduce a customer issue in my lab environment.  My lab is a Windows 10 workstation with the Hyper-V role installed.  Part of reproducing the issue involved building out a Windows Server 2012 R2 Foundation virtual machine. I figured this would not be a problem as 2012 R2 runs fine as a virtual machine.  This was not the case though.  I ran into a major hurdle with the integration tools.  I will describe the process I went through to get a Windows Server 2012 R2 Foundation virtual machine running smoothly.

Now before anyone goes out and tries the below procedure for a production system, please understand that running Foundation edition as a virtual machine is not supported by Microsoft.  Also it will likely violate the EULA (End User License Agreement).  Typically Foundation edition is only sold with an OEM license.  That means it comes pre-installed on hardware and must remain on that hardware.  So in order to do this, and not violate the EULA, a non-OEM license is required.  I have a MSDN subscription and thus have a valid license.  Additionally, I am not running the server for any type of production workload.

I started the process by creating a generation 2 VM (virtual machine).  Unfortunately I found out this will not work as the VM bugchecked during setup.  I deleted that VM and created a generation 1 VM.  I was then able to get Windows loaded.  This is when I discovered the major hurdle I mentioned above.  The VM responded very slowly to mouse and keyboard input.  I also noticed severely degraded performance.  This was to the point of the VM almost being unusable.  The VM behaved as if none of the integration services drivers were installed.  Unfortunately Windows 10/2016 does not have the option to insert the integration disk.  I was able to get the vmguest.iso from a 2012 R2 Hyper-V host.  However when I tried to run the setup I was informed that the latest integration services were already installed.

At this point I realized this was not going to be easy, but I enjoy a challenge.  I browsed the vmguest.iso inside the Foundation VM.  I extracted the following file: D:\support\amd64\Windows6.2-HyperVIntegrationServices-x64.cab.  I then went into device manager.  I noticed quite a few, a dozen or so, unknown devices.
[Screenshot: unknown-devices]

I then tried to manually load the drivers from the extracted cab file.  While the driver was found, it was not signed.  I figured no sweat, just disable the driver signing requirement in the BCD (Boot Configuration Data).  Yet another roadblock.  It is no longer possible to permanently disable driver signature enforcement.  I was able to boot into driver signature enforcement disabled mode.  I then manually loaded drivers for all the Unknown devices.  This corrected the input and performance issues, at least for that boot.  Booting into normal mode caused all the issues to return.

[Screenshot: f8-boot-menu]

Getting the drivers to load each time Windows booted was the final step in getting the virtual machine to run properly.  I looked into the bcdedit command line options and was not able to find an option to boot to driver signing disabled mode.  What I ended up doing was to add a dummy entry to the boot list and set the timeout to 30 seconds with the following commands.

bcdedit /copy {current} /d "Dummy Entry"
bcdedit /timeout 30

[Screenshot: dummy]

Presently, on each boot I press F8 to get the boot options.  I then select Disable Driver Signature Enforcement.  Now the VM runs with all guest integration services.

If you have been able to find a better way to do this I would like to hear about it in the comments below.

Windows Foundation Edition and Single Label domains

Good morning.  I had an interesting issue a couple of days ago I wanted to cover in depth.  I had a customer with a 2003 single label domain.  He was migrating to 2012 R2 Foundation.  He had added the Foundation server as a peer domain controller to the 2003 domain.  The problems came up when he shut down the 2003 domain controller.  He would receive errors in the silsvc (Server Infrastructure License service) log.  Initially I was under the impression that Foundation edition does not support single label domains and this is what I told him.  For my customer he preferred running in a workgroup configuration and so he removed Active Directory from the server.  I wanted to duplicate this environment in my lab to see if I could determine the root cause of the errors and if it was possible to eliminate them.

My test environment consisted of a 2003 R2 virtual machine that was cleanly loaded.  On that server, I set up a single label domain named “mydomain”.  I then installed a 2012 R2 Foundation virtual machine.  This was a significant challenge in itself.  Look for another blog post on getting 2012 R2 Foundation working in a virtual machine.  These virtual machines were linked by a private virtual switch.  Once the virtual machines were set up, I joined the 2012 R2 Foundation server to the 2003 single label domain.  I then promoted the 2012 R2 Foundation as a domain controller.  Finally I verified that replication was working and that the DNS (Domain Name System) zones were present on the 2012 R2 Foundation server.

At this point I checked the silsvc log.  All tests were passing without issue.  I then shut down the 2003 server.  This was where things went awry.  On the next check done by silsvc the following popup was received.
[Screenshot: popup-error]

Checking the silsvc log showed two errors.  The first was an event ID 2 that stated: “The Forest Trust Check in the Licensing component did not pass because error 0x8007054B occurred in function f1 [PHQG].  The specified domain either does not exist or could not be contacted.”  This error is identical to the one I saw with my customer.  Additionally I received an event ID 38 that stated: “The Forest Trust Check detected a condition in your environment that is out of compliance with the licensing policy.  This server will be automatically shut down if the issue is not corrected in x day(s) x hour(s) x minute(s).”

[Screenshot: forest-trust-check-failed]

I then did some digging around to determine if any of the active directory tools were affected.  Everything seemed to work fine with the exception of the Active Directory Domains and Trusts.  When launching that MMC (Microsoft Management Console) I received the following error: “You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted.  Please verify that the PDC emulator for the current domain and the network are both online and functioning properly.”
[Screenshot: pdc-emulator]

This explains why turning off the 2003 domain controller caused the forest trust check to fail.  The silsvc needs to be able to contact the PDC emulator to check for trusts.  If it cannot, then the check fails.  I powered up the 2003 domain controller and transferred the FSMO (Flexible Single Master Operations) roles to the Foundation server.  I was then able to shut down the 2003 server without receiving any errors.
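
As an added example (mine, not from the original post), this script shows which domain controller holds each FSMO role, checks that the PDC emulator answers on the LDAP port before silsvc or Domains and Trusts has to find out the hard way, and then performs the graceful transfer of all five roles that resolved the errors above.  It assumes the ActiveDirectory module on the 2012 R2 server, Domain and Enterprise Admin rights, and the placeholder name 'FOUNDATION-DC' for the new domain controller.

```powershell
# Added example, not from the original post. Lists FSMO role holders, tests the PDC
# emulator, and transfers the roles to the new DC ('FOUNDATION-DC' is a placeholder).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

# The silsvc forest trust check, like AD Domains and Trusts, must reach the PDC
# emulator. A plain LDAP port test works against a 2003 DC too (no ADWS needed).
function Test-PdcEmulatorReachable {
    $pdc = (Get-ADDomain).PDCEmulator
    $ldap = Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ PDCEmulator = $pdc; LdapReachable = [bool]$ldap }
}

$roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

'Before transfer:'
Get-FsmoRoleHolders
Test-PdcEmulatorReachable

# Graceful transfer: the old DC must still be online, exactly as in the post.
# The cmdlet prompts once per role; do not add -Force here, that is a seizure.
Move-ADDirectoryServerOperationMasterRole -Identity 'FOUNDATION-DC' -OperationMasterRole $roles

'After transfer:'
Get-FsmoRoleHolders
```

Only once the "After transfer" output names the new server for every role is it safe to shut the 2003 domain controller down for good.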

I hope you found this article informative.  If you have any comments or suggestions please leave them below.

Registry bloat and SBS

Good morning.  I wanted to cover a strange issue I ran into yesterday.

[Screenshot: error]

When going to the Computers tab within the Network tab we would receive a popup with the error “The server cannot query power management configuration.”  I did some checking on this and found that if the Windows 7 and Vista GPO (Group Policy Object) was missing, it could cause this issue.  I checked and that GPO was present.  It also had the default settings.

So what could possibly be causing this then?  Anytime there is an error in the SBS (Small Business Server) console the console.log or console2.log should be reviewed.  This log can be found in the C:\Program Files\Windows Small Business Server\Logs directory.  When I checked that log I found this exception:

[45636] 170118.101919.9681: ClientSetup: Handled exception: ErrorCode:0
BaseException: Microsoft.WindowsServerSolutions.ClientSetup.PowerUtilityException: QuerySleepTimeoutOnAC ---> Microsoft.WindowsServerSolutions.Common.GroupPolicy.GPOException: GPOperation.OpenDSGPO ---> System.Runtime.InteropServices.COMException: Insufficient system resources exist to complete the requested service. (Exception from HRESULT: 0x800705AA)

Now I have the exception code and message.  Insufficient system resources exist to complete the requested service. (Exception from HRESULT: 0x800705AA).  I have seen these types of issues before in SBS, Essentials and Foundation, so I figured we were running out of heap or nonpaged pool memory.  A telltale sign of this is when the SILSVC (Software Infrastructure License service) fails due to a resource issue.  I checked the log for SILSVC and all checks were passing.  I then did some more searching and found that this error is linked to the SOFTWARE registry hive exceeding the size limit of 2GB.  I checked C:\Windows\System32\config and found that the SOFTWARE registry hive was 2,050,657 KB, which is just over 2GB.

With the issue now identified, I figured a fix should be pretty straightforward.  Unfortunately this was not the case.  The registry hive cannot be compacted while it is in use.  Also Microsoft does not have a tool to trim down the size of the registry.  To make matters worse, the latest backup of the registry hives was 3 years old.  So in this case we decided to try a 3rd party registry cleaning utility to trim down the size of the registry and this is where I left the issue.  With any luck my customer will be able to trim down the size of the registry hive.
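
As an added example (my own script, not part of the original post), the following compares each hive file in System32\config against the 2 GB limit mentioned above, then estimates which top-level keys under HKLM\SOFTWARE account for most of the data, which is the first thing you need to know before deciding what a cleanup should target.  It only reads; the size estimate counts value payloads and ignores key overhead, so treat it as a ranking, not an exact figure.

```powershell
# Added example, not from the original post. Hive file sizes versus the 2 GB limit,
# plus a rough ranking of which HKLM\SOFTWARE keys hold the most data.
function Get-RegistryHiveSize {
    $config = Join-Path $env:SystemRoot 'System32\config'
    foreach ($hive in 'SOFTWARE', 'SYSTEM', 'DEFAULT', 'SAM', 'SECURITY') {
        # The hive file is locked for writing while loaded, but its length is readable.
        $file = Get-Item -LiteralPath (Join-Path $config $hive) -ErrorAction SilentlyContinue
        if ($file) {
            [pscustomobject]@{
                Hive           = $hive
                SizeKB         = [math]::Round($file.Length / 1KB)
                PercentOfLimit = [math]::Round(100 * $file.Length / 2GB, 1)
            }
        }
    }
}

# Sum of value payload sizes under each top-level key. Walking a multi-gigabyte hive
# takes minutes and may log access-denied on protected keys; those are skipped.
function Get-SoftwareKeyFootprint {
    param([int]$Top = 10)
    Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue | ForEach-Object {
        $bytes = 0
        $all = @($_) + @(Get-ChildItem -Path $_.PSPath -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $all) {
            foreach ($name in $k.GetValueNames()) {
                $v = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if     ($v -is [string])   { $bytes += 2 * $v.Length }          # REG_SZ / EXPAND_SZ (UTF-16)
                elseif ($v -is [byte[]])   { $bytes += $v.Length }              # REG_BINARY
                elseif ($v -is [string[]]) { $bytes += 2 * ((($v | Measure-Object -Property Length -Sum).Sum) + $v.Count) }  # REG_MULTI_SZ
                elseif ($null -ne $v)      { $bytes += 8 }                      # DWORD / QWORD
            }
        }
        [pscustomobject]@{
            Key         = $_.PSChildName
            SubKeys     = $all.Count - 1
            EstimatedMB = [math]::Round($bytes / 1MB, 1)
        }
    } | Sort-Object EstimatedMB -Descending | Select-Object -First $Top
}

Get-RegistryHiveSize | Format-Table -AutoSize
Get-SoftwareKeyFootprint | Format-Table -AutoSize
```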

I hope you found this informative.  If you have any comments or suggestions, please leave them in the comments below.

The Software Protection Service, part 2

Good morning.  I ran into an interesting issue this morning that I wanted to share.  I have seen this particular problem on several occasions, but a Google search comes up empty.  So I had a customer this morning that was seeing activation issues in 2012 R2.  More specifically, he was unable to make any changes with slmgr.vbs.  In case you were not aware, slmgr.vbs is the command line tool to enter/remove product keys and get information about activation status.

I started troubleshooting this by running the MGADiag (Microsoft Genuine Advantage Diagnostic) tool*.  I was specifically looking for this line: OEMID and OEMTableID Consistent: yes.  This indicates that the server can use an OEM SLP key.  So that ruled that out as a possible issue.

I then wanted to find out why the Software Protection Service was reporting Windows is not activated.  I ran the command: slmgr /dlv.  This command will display licensing information with full verbosity.  The command threw an error though.
[Screenshot: slmgr-dlv-error]

When running slui.exe 0x2a 0x8007041D, I received the following message:
[Screenshot: slmgr-dlv-error-extended]

So it appears that the Software Protection Service is not starting.  I confirmed this in the System Event log.
[Screenshot: spp-not-starting]

Now the big question.  Why is the Software Protection Service not starting?  To determine this I ran a filter on the event viewer to only show me event ID 7000 errors.  I then scrolled to the first event.  In this case the event was first recorded on 12/5/2016.  My next stop was Programs and Features.  It was no surprise that installed on the same day the problem started was SEP (Symantec Endpoint Protection).  I say this as I have seen SEP cause a multitude of issues on server operating systems.  I point out SEP because it is the most common.  I have also seen numerous other security software packages cause problems.  In our case we removed SEP and rebooted.  After the reboot Windows is now reporting that it is activated.
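
As an added example (my own, not from the original post), this script does the correlation described above in code: it finds the first event ID 7000 the Service Control Manager logged for the Software Protection service, then lists programs whose registered InstallDate falls within a few days of it.  It assumes Windows Vista/2008 or later for Get-WinEvent; the window of 3 days is an assumption you can widen.

```powershell
# Added example, not from the original post. First start failure of the Software
# Protection service, correlated with programs installed around the same date.
function Get-FirstServiceStartFailure {
    param([string]$ServiceDisplayName = 'Software Protection')
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceDisplayName*" } |
        Sort-Object TimeCreated |
        Select-Object -First 1 TimeCreated, Id, Message
}

function Get-ProgramsInstalledNear {
    param([Parameter(Mandatory)][datetime]$Date, [int]$WindowDays = 3)
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string; entries that are malformed are skipped.
            $parsed = [datetime]::MinValue
            if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $null, 'None', [ref]$parsed)) {
                [pscustomobject]@{
                    DisplayName = $_.DisplayName
                    Publisher   = $_.Publisher
                    InstallDate = $parsed
                }
            }
        } |
        Where-Object { [math]::Abs(($_.InstallDate - $Date).TotalDays) -le $WindowDays } |
        Sort-Object InstallDate
}

$first = Get-FirstServiceStartFailure
if ($first) {
    "Software Protection first failed to start on $($first.TimeCreated)"
    Get-ProgramsInstalledNear -Date $first.TimeCreated | Format-Table -AutoSize
} else {
    'No event 7000 recorded for the Software Protection service.'
}
```

Programs that write no InstallDate will not appear in the list, so an empty result is a reason to check Programs and Features by hand, as in the post, not proof that nothing was installed.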

I hope this post has been informative for you.  If you have anything to add or you see any errors please post in the comments below.

*I ran into a really good blog article after working on this issue.  It turns out the MGADiag tool is only designed for Windows 7/2008 R2.  While it will run on higher versions of the OS, there is now a built-in tool.  Thanks to John D over at johndstech.com for posting this.

How to upgrade Windows Server Essentials to Standard edition

Time for another quick tip.  In case you hadn’t guessed already, I really like Essentials.  You get quite a few features for a much better price than Standard edition.  There are some limitations though with Essentials.  The good news is that the server can later be upgraded to Standard and the process only takes a few minutes.  On the flip side, a standard license has to be purchased.

Let’s walk through the upgrade process.

  1. Purchase a Windows Server Standard license
  2. Open an administrative PowerShell command
  3. Run the following command to verify the target edition:
    dism /online /Get-TargetEditions
    You should see Target Edition : ServerStandard or something similar
  4. Run the following command to complete the upgrade:
    dism /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
    Change the edition and product key to match the ones you have.

You should see output similar to below.  Reboot when prompted.  (I have updated this picture.  It is 2019 Essentials.)

[Screenshot: 2019 Essentials upgrade to Standard]

I hope you found this informative.  If you have any comments or suggestions, please leave them below.

Windows Server 2016 Essentials and Remote Desktop Services, the untold story

Good morning.  Time for another installment.  Today I wanted to talk about 2 of my favorite Microsoft technologies in one article: RDS (Remote Desktop Services) and the Essentials experience.

Recently I have seen a rise in the deployment of RDS, specifically Session Host, on Windows Server 2016 Essentials.  While this seems like the perfect money-saving combination (Essentials is about $200-300 cheaper than the Standard SKU), it is not.  While not well documented, this configuration is not supported by Microsoft*.  This may not deter some admins.  However, it also will not work properly.  While I have seen this issue on several occasions in customer environments, I figured I would reproduce this.  Below is the documentation of that process.

I started by installing Windows Server 2016 Essentials into a generation 2 VM (Virtual Machine).  I ran the initial configuration wizard to complete setup.  I verified that only 2 simultaneous interactive logon sessions would work.  See the screen capture below.

[Screenshot: too-many-users]

I then shut down the server and took a checkpoint.  After booting the VM back up, I installed RDS via the installation wizard.  The roles installed properly, but I received an error when creating the session collection.  After a reboot the session collection did show up.  This seemed odd to me, but upon checking Server Manager all seemed to be normal.  I then tested the number of simultaneous connections again.  I ran into the same 2 user limit.

Maybe this is due to RDS licensing not being installed or configured?  I then installed and activated a license server on the same machine.  I added a 50 pack of user CALs.  Finally, I added the license server and the network service account to the Terminal Server License Servers group in AD.  After a restart, RD Licensing manager is reporting all green checks.  However RD Licensing Diagnoser is reporting it is not configured with a license server.  See the screenshots below.  This led me to check the deployment properties and I found it was configured for Per User mode with the correct server.

[Screenshot: rd-licensing-happy]

[Screenshot: rd-licensing-diagnoser]

At this point it is pretty clear this is not going to work properly, but I wanted to dig a little deeper and find out why.  Time to break out the PowerShell.  I ran the following commands to manually configure Session Host via PowerShell:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(4)

Upon running the last command I receive an error indicating the method is not specified, meaning the parameter doesn’t exist.  This led me to output all parameters from the Win32_TerminalServiceSetting object.  This is how I discovered the root cause for the limitation.  It appears that even though I have installed Session Host, the server is still in Remote Desktop for Administration mode.  In this mode it is not possible to specify a license server or licensing mode.  Also there is the limitation of two simultaneous interactive logon sessions.

[Screenshot: powershell-output]
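
As an added example (mine, not the post's own commands), this reads the same Win32_TerminalServiceSetting object and decodes the two properties that explain the behaviour above, TerminalServerMode and LicensingType, so the mode is reported before any ChangeMode call is attempted; the value meanings in the comments are from the WMI class documentation.

```powershell
# Added example, not from the original post. Decodes the Session Host mode and
# licensing state from Win32_TerminalServiceSetting, and only calls ChangeMode
# when the server is actually in Application Server mode.
function Get-SessionHostMode {
    $ts = Get-WmiObject -Namespace 'Root/CIMV2/TerminalServices' -Class Win32_TerminalServiceSetting

    # TerminalServerMode: 0 = Remote Desktop for Administration, 1 = Application Server.
    $mode = if ($ts.TerminalServerMode -eq 1) { 'Application Server' } else { 'Remote Desktop for Administration' }

    # LicensingType: 2 = Per Device, 4 = Per User, 5 = not configured;
    # other values belong to the administration/personal modes.
    $licensing = switch ([int]$ts.LicensingType) {
        2       { 'Per Device' }
        4       { 'Per User' }
        5       { 'Not configured' }
        default { "Other ($($ts.LicensingType))" }
    }

    [pscustomobject]@{
        ComputerName        = $ts.PSComputerName
        TerminalServerMode  = $ts.TerminalServerMode
        Mode                = $mode
        LicensingType       = $ts.LicensingType
        Licensing           = $licensing
        LicensingName       = $ts.LicensingName
        CanSetLicensingMode = ($ts.TerminalServerMode -eq 1)
    }
}

# The post's ChangeMode(4) call, guarded so it is not attempted in administration
# mode, where the method is reported as not specified.
function Set-PerUserLicensingMode {
    $ts = Get-WmiObject -Namespace 'Root/CIMV2/TerminalServices' -Class Win32_TerminalServiceSetting
    if ($ts.TerminalServerMode -ne 1) {
        throw 'Server is in Remote Desktop for Administration mode; ChangeMode is not available. Upgrade the edition first.'
    }
    $result = $ts.ChangeMode(4)   # 4 = Per User
    $result.ReturnValue           # 0 on success
}

Get-SessionHostMode
```

On the Essentials box described above this reports Remote Desktop for Administration and CanSetLicensingMode = False; after the upgrade to Standard the same call reports Application Server.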

So is it possible to get around this or correct it?  The good news is that the process is fairly easy.  The bad news is that an upgrade to Standard edition is required.  A walk-through of the upgrade process can be found here.  I went through this process in my test environment.  After reactivating my license server and updating the licensing mode in the deployment properties, my RD Licensing Diagnoser reported no issues.  Also for curiosity’s sake, below is a screenshot of the same PowerShell output after upgrading to Standard.

[Screenshot: powershell-output-after-upgrading]

So the moral of the story is if you need RDS in Windows Server 2016 you will need Standard edition or higher.  I hope this has been informative for you.  If you have any comments or suggestions, please leave them below.

*There is only one reference, that I could find, to the supportability of RDS on the Essentials SKU.  It is in the Windows Server 2012 R2 Licensing Datasheet.  On page 5, look for footnote 8.

The DNS management console fails to update or gets “stuck”

Another quick tip here.  I recently had a DNS (Domain Name System) console that was failing to update.  I knew that DNS was functioning properly and that all the records were there.  They were just not showing up on this particular server.  This is actually a pretty easy fix.

To reset the DNS console, or most MMC consoles, you just need to delete the settings file.  There is a settings file for each user that has logged in.  This file is located at C:\Users\<username>\AppData\Roaming\Microsoft\MMC\dnsmgmt.  You may notice other files in this directory.  Those files are the settings files for their respective MMC consoles.