Custom Technology Solutions, Inc

Corporate Blog

Custom Technology Solutions, Inc - Corporate Blog

How to enable verbose logging for Windows Server 2012/2012 R2 Essentials

[This post comes to us courtesy of Swapnil Rane and Rituraj Choudhary from Global Business Support] This post explains how to increase the logging level for the individual components of Server Essentials role for troubleshooting purposes. In order to accomplish this, we need to modify the Logging.config file. This file can be located at C:Program FilesWindows ServerBin on a Windows Server 2012 Essentials machine. On a Windows Server 2012 R2 Essentials this file is present at C:WindowsSystem32Essentials . Make sure to save a backup copy of the file before modifying it. You need to change the ownership of Logging.config file and give the user adequate permissions to save any modifications to it. You may use the following commands on an elevated Command Prompt to make modifications to the file: For Windows Server 2012 R2 Essentials: takeown /f C:WindowsSystem32EssentialsLogging.config icacls C:WindowsSystem32EssentialsLogging.config /grant administrators:F icacls C:WindowsSystem32EssentialsLogging.config /setowner “NT ServiceTrustedInstaller” notepad C:WindowsSystem32EssentialsLogging.config For Windows Server 2012 Essentials: takeown /f “C:Program FilesWindows ServerBinLogging.config” icacls “C:Program FilesWindows ServerBinLogging.config” /grant administrators:F icacls “C:Program FilesWindows ServerBinLogging.config” /setowner “NT ServiceTrustedInstaller” notepad “C:Program FilesWindows ServerBinLogging.config” The file Logging.config is now ready for editing. Search for the string level= and replace the string next to level= to All if it is set otherwise. For example: Change it as: Changing the level to All enables verbose logging. There are other values that the level can be set to, but mostly verbose logging is preferred, and can be achieved as mentioned above. When the issue is reproduced subsequently, the logs at C:ProgramDataMicrosoftWindows ServerLogs folder should now contain verbose information. Note : You may use the same procedure to enable verbose logging on the Essentials clients.

Announcing the availability of enabling Windows Server 2012 R2 Essentials’ integration of Microsoft online services in environments with multiple…

In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials.  I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed.  This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server. For more information, please go to http://support.microsoft.com/kb/2974308 .

Troubleshooting Common VPN issues on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support] In our previous post , we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment. In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected. To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command: Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT Let us now discuss some common issues with VPN connection. Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer. If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes. You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced . Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network . That should ensure that the network and internet connection are up and running. Let’s look at another error. Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly. The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port. You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not. To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site . On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit . On the Edit Site Binding page, click View . On the Certificate window, chose Details and make a note of the Thumbprint of the certificate. Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site: Get-WebBinding | Where-Object {$_.bindinginformation -eq “*:443:”} | fl certificateHash Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well. If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service: reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSstpSvcParameters /v SHA1CertificateHash /t REG_BINARY / /f Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of. Let’s look at the next error. Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection. If VPN client is unable to obtain an IP address from the VPN server, you may see this error. In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties . On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope. On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%tracing directory. Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer. These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.

Configuring Health Report in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Harshal Charde, Kriti Thakral and Sandeep Biswas from Global Business Support] In this post we will discuss about configuring Health Report email notification using O365 in Windows Server 2012 R2 Essentials. The Health Report for Windows Server 2012 R2 Essentials provides you with consolidated information about the Windows Server Essentials network and enables you to distribute this information to intended recipients via emails. This information can be viewed on the Health Reports tab of the Dashboard on Windows Server 2012R2 Essentials. We can generate a report on demand or on schedule, customize the content of the report and send them through emails. Reading the Health Reports on the Windows Server Essentials Dashboard may be time consuming. With the email feature, after a report is generated, an email will be sent to a list of specified email addresses with the content of the report. The administrator can easily view this report from any device or any client application, and ensure that the server is running at its best state. In the following example we have used an Office 365 account to configure Health Report email notifications. You may log in and view the SMTP server details of O365 account as follows: 1. Click Outlook tab, click Settings icon   and then click Options. 2. On the next page click account and then click Settings for POP or IMAP access 3. Make a note of the SMTP setting and then click close. To configure the health report on the Window Server 2012 R2 Essentials, open the Windows Server Essentials Dashboard , click the Health Report page on the HOME tab and click Customize Health Report settings . Click the Schedule and Email tab, click to select Generate a health report as its scheduled time check box (customize the recurrence as per your preference) and then click Enable . Type the email address of your O365 mail account, the SMTP server name and the SMTP port. Click to select This server requires a secure connection (SSL) and This server requires authentication check boxes and type the username & password of your O365 account and click OK . On the next page, type the email address of the person that you would like to receive alert notification by email and click OK . If you wish to add multiple email addresses ensure that you separate each email address with a semicolon (;). Alternatively, if you prefer commands over the GUI, there are PowerShell commands built-in to the WssCmdlets module to configure the Health Report: Set-WssReportEmailSetting -Enable -From “healthreport@mysbs.onmicrosoft.com” -SMTPServer “smtp.office365.com” -Port 587 -UseSsl -To MyEssentials@outlook.com -UseAuthentication –Credential (Get-Credential) Set-WssReportSchedule -Enable -Daily -At 16:00 The above commands would take care of the email account configuration and the schedule of the health report. There are additional commands to generate a new report ( New-WssReport ), and send an email with the health report ( Send-WssReport ) that you can utilize too. You can find a list of all the commands of the WssCmdlets module here . Once the configuration is completed, you can click Generate a health report which will automatically send an email notification to the external user mailbox. You can also send an existing report by selecting it and clicking Email the health report . Here is a sample of the email received: You are now ready to receive the Health Report notifications on email. Logon to the subscribed user’s mailbox to verify the receipt of email.

Improve collaboration in small and midsize businesses solution guide now available

[This post comes to us courtesy of Kumud Dwivedi from Content Publishing] If you are a small to midsize business that is looking to enable employees and external partners to improve collaboration and securely access shared data, we now have a solution guide to address this. Windows Server 2012 R2 Essentials and Windows Server 2012 R2 provide a solution to easily collaborate with your partners or vendors. If your business has up to 25 users and 50 devices, use Windows Server 2012 R2 Essentials. For up to 100 users and 200 devices, use the Standard or Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed. To view this solution guide, see Improve collaboration in small and midsize businesses .

Understanding VPN configuration in Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Md. Sabir Chandwale and Rituraj Choudhary from Global Business Support] In this post we will discuss about Virtual Private Network feature on Windows Server 2012 R2 Essentials. Virtual Private Network can be straightforwardly installed and configured on a Windows Server 2012 R2 Essentials by running the Set up Anywhere Access wizard and selecting Virtual Private Network (VPN) option on the following screen. If you want to know about Remote Web Access, or run through the sequential screens of Anywhere Access wizard, please visit this post . When you choose to enable VPN using this wizard, the following roles/features get installed on the Essentials Server: Remote Access, DirectAccess and VPN (RAS), IP and Domain Restrictions, IIS Management Scripts and Tools, Network Policy and Access Services Tools, and Windows Internal Database. You can also enable these roles/features from the Server Manager or PowerShell command-lets, however on Windows Server Essentials we recommend enabling it using the Set up Anywhere Access wizard. It’s noteworthy that Windows Server 2012 R2 Essentials allows client machines to join their server without having to be inside the company network using a feature called Remote Domain Join . So, if VPN is enabled on Server Essentials, you may connect a remote client to the local network via VPN, run the Connect wizard from http:// /connect or http:// .remotewebaccess.com/connect URL and join the remote client to the server. The process is very simple and straightforward. As a prologue to discuss some common issues with VPN on Windows Server 2012 R2 Essentials, let us first glance through the default Routing and Remote Access (RRAS) settings. You may also find the specifics about these settings on TechNet . Note: Server Essentials automatically manages the routing for VPN, and therefore Routing and Remote Access (RRAS) UI is hidden on the server to prevent tampering of RRAS settings. As a result, to view, change or troubleshoot the Remote Access settings, you need to install Remote Access GUI and Command-Line Tools using Server Manager or the following PowerShell command: Add-WindowsFeature RSAT-RemoteAccess-Mgmt This feature enables Routing and Remote Access console and respective command-line tools to manage VPN and DirectAccess. Note that this role may not be required on the server unless you need to change the settings for VPN or DirectAccess. Default Settings of VPN on Windows Server 2012 R2 Essentials To check the default settings for the VPN, open Routing and Remote Access Manager. Right click server name , and select Properties . On the General tab, IPv4 must be enabled: The Security tab consists of the Authentication Methods… and SSL Certificate Binding : The Authentication Methods should have Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2) enabled. You can confirm it by clicking the Authentication Methods… button on the Security tab. The SSL Certificate Binding section on the Security tab displays the certificate active for VPN. This also indicates that we enable VPN on SSL and that you do not have to allow any port other than port 443. Let’s move on to the IPv4 tab. By default the VPN clients are set to receive IP from DHCP, but you may require to change it to a Static address pool for troubleshooting purposes. On the IPv6 tab, the options Enable IPv6 Forwarding and Enable Default Route Advertisement are selected by default. The IKEv2 tab consists of the default options to control the IKEv2 client connections and Security Association expiration. The PPP tab contains the settings for Point-to-Point protocol and are as follows: The Logging tab on the server properties page contains the level of logging enabled for Routing and Remote Access. To enable additional logging for the Routing and Remote Access, select the option Log additional Routing and Remote Access information . Once this option is selected additional log files are created in the %windir%Tracing directory that provide deeper insight to troubleshoot RRAS issues. Make sure to disable the additional logging once the troubleshooting is complete. You may also gather and modify information for Remote Access from an elevated Windows PowerShell terminal. Here are some common commands: Command Purpose   Get-Command -Module RemoteAccess   Displays a list of commands available with RemoteAccess module   Get-RemoteAccess   Displays the configuration of VPN and DirectAccess (DA)   Get-VpnAuthProtocol   Displays authentication protocols and parameters set on the VPN   Get-VPNServerConfiguration   Displays VPN server properties Here is a sample output: You can look at the help file of each of these commands for a detailed description. Better yet, you can use the following command to insert the help contents of each of these commands for the module RemoteAccess to a text file as: $(foreach ($command in (Get-Command -Module RemoteAccess)) {Get-Help $command.Name} ) | Out-File HELP.txt We will discuss some common issues with VPN on another post in future.

Configuring and Customizing Remote Web Access on Windows Server 2012 R2 Essentials

[This post comes to us courtesy of Maanavi Bisaria and Rituraj Choudhary from Global Business Support] We will cover the following aspects of Remote Web Access (RWA) on Windows Server 2012 R2 Essentials in this blog: Configuring Remote Web Access Customizing Remote Web Access Configuring Remote Web Access To configure RWA, open the HOME tab on the Windows Server Essentials Dashboard . On the Get Started page, click Set up Anywhere Access , and then click Click to configure Anywhere Access. This will open Set up Anywhere Access wizard. On the first screen, if you don’t have a UPnP router, you should check the option Skip router setup. I want to set up my router manually as indicated below, and then click Next . You would then see a Getting Started page. Click Next to proceed. On the following screen, check the box I want to set up a new domain name . The wizard would search for the available domain name service providers on the next screen and presents you with these two options: The first option Purchase professional domain name from a supported provider offers GoDaddy.com and eNomCentral as the supported domain name service providers. However, if you don’t intend to pay for the domain name services, choose the second option Get a personalized domain from Microsoft . Once you hit Next on this screen, you need to sign in to your Microsoft account with your Live ID. Accept the Privacy Statement and Agreement, and then type a name for your domain ( remotewebaccess.com is provided as a default domain name suffix ). Click on the Check Availability button to check the availability of the domain name. Click on Set Up when you find a suitable domain name available for use. Once your domain name has been set up, you may configure Remote Web Access. To do so, check the box Remote Web Access and click Next . You may also choose to enable VPN in this step, however, we will discuss VPN on a separate blog post. This step in the background installs and configures Network Policy Server, Remote Desktop Gateway, Client Certificate Mapping Authentication, and RPC over HTTP Proxy . You may verify these roles/features in the Server Manager. Once this is completed successfully, your Remote Web Access has been set up successfully and can be browsed at https:// .remotewebaccess.com. Customizing Remote Web Access Once the Anywhere Access Wizard has been completed, open the HOME tab on the Windows Server Essentials Dashboard . On the Get Started page, click Set up Anywhere Access , and then click Click to configure Anywhere Access . This will open the Settings page of Anywhere Access. Please note that once we have configured RWA, you can view the status of Anywhere Access at the top of this window, along with Configure and Repair options. Let’s now click Customize in the Web site settings section to see what it holds. On the Customize Remote Web Access window, you can customize the Logon page , Home page links and Server Connection options . Click on Logon page tab to customize Web site title, Background image and Web site logo . The Home page links tab offers you option of adding or removing links that appear on the RWA home page. The Server connection options page provides the way RDP connection is made to the Server. The default option is Open Dashboard (Default) . You may choose to connect to the Server normally by selecting Open Remote Desktop . To sum up, configuration and customization of Remote Web Access on Windows Server 2012 R2 Essentials is a stress-free procedure, and the result is a clutter free RWA user interface: The Devices tile group contains the computers you have rights to connect to. There are similar tiles for Shared Folders , Links and Microsoft Office 365 . If you click the user account on the top-right of the page, you have an option to change your user account password. We will discuss these features with time. In the meantime you may refer to this TechNet .