Category: Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Swapnil Rane from Commercial Technical Support]

This post will reduce your efforts to identify which log to refer to and where to find it. This can be very useful when you are troubleshooting issues on an Essentials server. We have compiled a list of important logs and their associated wizards below. There can be issues where we may have to refer to multiple logs.

Server-side Logs:

In Windows Server Essentials 2012 and 2012 R2, the location of the log files is under %programdata%MicrosoftWindows ServerLogs.

Service Integration Log Files:

O365/On-Premise Exchange/Intune

 

SharedServiceHost-EmailProviderServiceConfig.log

Windows Azure Backup

 

OnlineBackupGettingStartedWizard.log

Backup Log Files:

Server Backup Configuration wizard

SBCW.log

Server Backup restore wizard

ServerFFR.log

Client Backup Feature server side log

Backup-<date>.log

Client backup database cleanup

RunTask-BackupCleanup.log

Client backup database checker

RunTask-Consistency check

Storage and Devices Log Files:

User/Device management feature

SharedServiceHost-ManagementServiceConfig.log

Storage features

Storageservice.<date>.log

Storage related feature

Storageutil.<date>.log

Azure Backup Log Files:

Location: C:Program FilesWindows Azure Backup AgentTemp

Azure Backup Logs

CBEngineCurr.errlog

Failed Azure Backup Logs

LastBackupFailedFile#####.txt

Other Helpful Log Files:

DC Promo

DCPromo_date.log

Health evaluation schedule task

RunTask-AlertEvaluation.log

Macintosh Clients Status update

RunTask-MacintoshStatusReport.log

Server DNS status

ServerBeacon.log

Customer Experience Improvement

RunTask-SaveCustomerExperienceImprovementProgramData.log

Program and Service Quality Measurement Log Files:

CA Role installation

CA_ROLE_INSTALL.log

Media pack installation (2012 R2)

MediaPackInstalltionWizard.xxxx.log

Media Service (Specially with RWA)

MediaStreamingProvider.log

O365 (Assign/Un-assign Accounts)

TaskStatus-OIMAddin.log

 

Client-side Logs:

The client-side log files are located in the folder %programdata%MicrosoftWindows Serverlogs. They are as:

Client Deployment

ClientDeploy.log

Client package installation Failures

ComputerConnector.log

Client backup restore mount driver

BackupDriverInstaller.log

Client operation for File history Sync

ClientOperator.log

Main log for client launch pad

LaunchPad.log

Password synchronization feature in AAD   

PasswordSyncClientAlerts.log

Add-in feature on client

RunTask-Add-in Management.log

Health evaluation schedule task

RunTask-AlertEvaluation.log

Client Backup scheduled task

RunTask-ClientComputeBackkup.log

Connector uninstall cleanup task

RunTask-Connector cleanup.log

Update health definition file from server to client task

RunTask-HealthDefinitionUpdate.log

RDP feature for RWA

RunTask-RDP Group Configuration.log

Client VPN connectivity issues

RunTask-VPN Routes Repair.log

Client network status update

ServerLocator-<date>.log

Client deployment API call (Client deployment fails)

Setupapi.dev.log

Health alert feature

SharedServiceHost-HealthServiceConfig.log

The above logs should be able to guide you through the process of troubleshooting effectively on Essentials relevant issues.

In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials. 

I am happy to announce the re-release of the Windows August Update which was originally released on (8/12/2014, PST). This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.

For more information, please go to http://support.microsoft.com/kb/2974308

[This post comes to us courtesy of Swapnil Rane and Rituraj Choudhary from Global Business Support]

This post explains how to increase the logging level for the individual components of Server Essentials role for troubleshooting purposes. In order to accomplish this, we need to modify the Logging.config file. This file can be located at C:Program FilesWindows ServerBin on a Windows Server 2012 Essentials machine. On a Windows Server 2012 R2 Essentials this file is present at C:WindowsSystem32Essentials.

Make sure to save a backup copy of the file before modifying it. You need to change the ownership of Logging.configfile and give the user adequate permissions to save any modifications to it. You may use the following commands on an elevated Command Prompt to make modifications to the file:

For Windows Server 2012 R2 Essentials:

takeown /f C:WindowsSystem32EssentialsLogging.config
icacls C:WindowsSystem32EssentialsLogging.config /grant administrators:F
icacls C:WindowsSystem32EssentialsLogging.config /setowner "NT ServiceTrustedInstaller"
notepad C:WindowsSystem32EssentialsLogging.config

For Windows Server 2012 Essentials:

takeown /f "C:Program FilesWindows ServerBinLogging.config"
icacls "C:Program FilesWindows ServerBinLogging.config" /grant administrators:F
icacls "C:Program FilesWindows ServerBinLogging.config" /setowner "NT ServiceTrustedInstaller"
notepad "C:Program FilesWindows ServerBinLogging.config"

The file Logging.config is now ready for editing. Search for the string level= and replace the string next to level= to All if it is set otherwise. For example:

<add level="Warning" name="ProviderFramework">
<listeners>
<add name="DefaultTraceListener" />
</listeners>
</add>

Change it as:

<add level="All" name="ProviderFramework">
<listeners>
<add name="DefaultTraceListener" />
</listeners>
</add>

Changing the level to Allenables verbose logging. There are other values that the level can be set to, but mostly verbose logging is preferred, and can be achieved as mentioned above.

When the issue is reproduced subsequently, the logs at C:ProgramDataMicrosoftWindows ServerLogsfolder should now contain verbose information.

Note: You may use the same procedure to enable verbose logging on the Essentials clients.

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support]

In our previous post, we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment.

In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected.

To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command:

Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT

Let us now discuss some common issues with VPN connection.

Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.

clip_image001

If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes.

clip_image002

You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced.

clip_image003

Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network.

image

That should ensure that the network and internet connection are up and running.

Let’s look at another error.

Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

clip_image005

The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port.

You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not.

To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site.

clip_image006

On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit.

clip_image007

On the Edit Site Binding page, click View.

clip_image008

On the Certificate window, chose Details and make a note of the Thumbprint of the certificate.

clip_image009

Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site:

Get-WebBinding | Where-Object {$_.bindinginformation -eq "*:443:"} | fl certificateHash

Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well.

image

If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service:

reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA1CertificateHash /t REG_BINARY /<thumbprint recorded from previous step> /f

Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of.

Let’s look at the next error.

Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.

clip_image011

If VPN client is unable to obtain an IP address from the VPN server, you may see this error.

In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties.

clip_image012

On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope.

clip_image013

On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%tracing directory.

clip_image014

Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer.

clip_image015

These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.

[This post comes to us courtesy of Harshal Charde, Kriti Thakral and Sandeep Biswas from Global Business Support]

In this post we will discuss about configuring Health Report email notification using O365 in Windows Server 2012 R2 Essentials.

The Health Report for Windows Server 2012 R2 Essentials provides you with consolidated information about the Windows Server Essentials network and enables you to distribute this information to intended recipients via emails. This information can be viewed on the Health Reports tab of the Dashboard on Windows Server 2012R2 Essentials. We can generate a report on demand or on schedule, customize the content of the report and send them through emails.

Reading the Health Reports on the Windows Server Essentials Dashboard may be time consuming. With the email feature, after a report is generated, an email will be sent to a list of specified email addresses with the content of the report. The administrator can easily view this report from any device or any client application, and ensure that the server is running at its best state.

In the following example we have used an Office 365 account to configure Health Report email notifications. You may log in and view the SMTP server details of O365 account as follows:

1. Click Outlook tab, click Settings icon image  and then click Options.

image

2. On the next page click account and then click Settings for POP or IMAP access

image

3. Make a note of the SMTP setting and then click close.

image

To configure the health report on the Window Server 2012 R2 Essentials, open the Windows Server Essentials Dashboard, click the Health Report page on the HOME tab and click Customize Health Report settings.

image

Click the Schedule and Email tab, click to select Generate a health report as its scheduled time check box (customize the recurrence as per your preference) and then click Enable.

image

Type the email address of your O365 mail account, the SMTP server name and the SMTP port. Click to select This server requires a secure connection (SSL) and This server requires authentication check boxes and type the username & password of your O365 account and click OK.

image

On the next page, type the email address of the person that you would like to receive alert notification by email and click OK. If you wish to add multiple email addresses ensure that you separate each email address with a semicolon (;).

image

Alternatively, if you prefer commands over the GUI, there are PowerShell commands built-in to the WssCmdlets module to configure the Health Report:

Set-WssReportEmailSetting -Enable -From "healthreport@mysbs.onmicrosoft.com" -SMTPServer "smtp.office365.com" -Port 587 -UseSsl -To MyEssentials@outlook.com -UseAuthentication –Credential (Get-Credential)
Set-WssReportSchedule -Enable -Daily -At 16:00

The above commands would take care of the email account configuration and the schedule of the health report.

There are additional commands to generate a new report (New-WssReport), and send an email with the health report (Send-WssReport) that you can utilize too. You can find a list of all the commands of the WssCmdlets module here.

Once the configuration is completed, you can click Generate a health report which will automatically send an email notification to the external user mailbox. You can also send an existing report by selecting it and clicking Email the health report.

image

Here is a sample of the email received:

image

You are now ready to receive the Health Report notifications on email. Logon to the subscribed user’s mailbox to verify the receipt of email.

Contact

mattdubois.com Contact Form

Name
Email
Message

Yay! Message sent.
Error! Please validate your fields.
Updated August 2016 - Matt Dubois