Windows Server Essentials – Configuration Troubleshooter
February 14, 2014
I had a support case this week where it became apparent to me that there is no quick and easy way to test Essentials Servers for Configuration errors. Manually working through IIS or Certificates is prone to human error, as was proved to me, by me missing certain key things.
Uncharacteristically, I decided to write a PowerShell script to save me from this sort of embarrassment in the future, and make me look really good next time I need to troubleshoot an Essentials Server.
You can download the tool from here, and I am very interested to hear how it works for you.
If you have already downloaded it, I have updated the tool so you should download it again!
What does the tool do?
Well, it checks a number of things that I have found are the key things that make an Essentials Server tick. That is IIS and MOST IMPORTANTLY, Certificate Services.
I knew that the CA was pretty significant to an Essentials Server, but I didn’t know just how deep that significance went. In your Local Machine Certificate Store you have a number of Certificates; perhaps the most important file on the whole server (aside from perhaps ntds.dit) is your Certificate Authority Root Certificate. Without that, you cannot correctly reinstall the CA, and without that CA, you can’t do anything. It is not that you can’t reinstall the CA; you can. But the CA requires a specific name, and if you reinstall and generate a new key, the name is not likely to remain correct.
There may well be a way to get around even that scenario by hacking the crap out of AD, but honestly, I think I might take a reinstall over that.
That was a bit of a side track, so, again, what does this tool do?
Firstly it will decide if you are running on Essentials 2011, 2012 or 2012 R2.
It will then give you the choice of testing IIS or your CA. If you choose to test your IIS Configuration, it will inspect your Web Site Configuration, your Application Pools, Virtual Directories and ISAPI filters as well as your Web Site Bindings.
When you check the CA, it will check that the CA is available, that it has the right name (that is important), and that the certificate set in the Registry for the Dashboard matches what you have in your Local Machine Store. It will even download a copy of the CRL from your server and test that it is publishing the right information.
It compares all of this information to ‘Defaults’ and lets you know where you may have problems.
I have run it against SBS 2011 Essentials, Essentials 2012, and R2, and it has identified the deliberate errors I have introduced and reported back correctly once those have been repaired.
I haven’t made it to be an exhaustive tool of everything that could possibly go wrong on an Essentials Server; it really is just focussed on IIS and the CA, and even then it may not cover every scenario. Hopefully if you do come across a broken Essentials Server, using this will do enough to point you to the fix, or at least help to rule some things out.
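The two certificate checks described above, as an added example (this is not code from EssentialsTester.ps1): it compares the thumbprint stored in the registry with the Local Machine store, and downloads the CRL while reporting the URL and HTTP status when the request fails. The registry value name `LocalMachineCert`, the `Cert:\LocalMachine\My` store and the `CertEnroll` URL pattern are assumptions; the first and last come from the author's replies in the comments on this page.

```powershell
# Added example: not code from EssentialsTester.ps1.
# Assumptions (unverified here):
#   - registry value 'LocalMachineCert' under HKLM:\SOFTWARE\Microsoft\Windows Server\Identity
#   - the server certificate lives in Cert:\LocalMachine\My
#   - the CRL is published at http://servername/CertEnroll/CAName.crl

function Test-DashboardCertificate {
    param(
        [string]$IdentityKey = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Identity',
        [string]$ValueName   = 'LocalMachineCert',
        [string]$StorePath   = 'Cert:\LocalMachine\My'
    )
    $result = [pscustomobject]@{
        Check = 'Dashboard Certificate'; Status = 'Error'
        RegistryThumbprint = $null; Subject = $null; NotAfter = $null; Detail = $null
    }
    try {
        $raw = (Get-ItemProperty -Path $IdentityKey -Name $ValueName -ErrorAction Stop).$ValueName
    }
    catch {
        $result.Detail = "Cannot read $ValueName from ${IdentityKey}: $($_.Exception.Message)"
        return $result
    }
    # Normalise: thumbprints copied from the certificate UI can carry spaces or hidden characters.
    $thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $result.RegistryThumbprint = $thumb

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $result.Detail = "No certificate in $StorePath has the thumbprint stored in the registry."
        return $result
    }
    $result.Subject  = $cert.Subject
    $result.NotAfter = $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date)) {
        $result.Detail = 'Certificate matches the registry value but has expired.'
        return $result
    }
    $result.Status = 'OK'
    return $result
}

function Test-CrlDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [string]$Destination = (Join-Path $env:TEMP 'essentials-crl-check.crl')
    )
    $result = [pscustomobject]@{
        Check = 'CRL Download'; Status = 'Failed'; Url = $Url; HttpStatus = $null; Detail = $null
    }
    $wc = New-Object System.Net.WebClient
    try {
        $wc.DownloadFile($Url, $Destination)
        # Only inspect the file once the download has actually succeeded.
        $dump = & certutil.exe -dump $Destination 2>&1
        if ($LASTEXITCODE -ne 0) {
            $result.Detail = 'Downloaded file could not be decoded by certutil (not a CRL?).'
        }
        else {
            $result.Status = 'OK'
            # Keep whichever validity lines certutil prints; dates are locale-specific, so no parsing.
            $result.Detail = ($dump | Select-String -Pattern 'ThisUpdate|NextUpdate' |
                              ForEach-Object { $_.Line.Trim() }) -join '; '
        }
    }
    catch {
        # DownloadFile failures arrive wrapped; walk to the WebException to recover the HTTP status.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $result.HttpStatus = [int]$ex.Response.StatusCode }
        $result.Detail = $_.Exception.Message
    }
    finally {
        $wc.Dispose()
        # Clean up only if a file was actually written.
        if (Test-Path -LiteralPath $Destination) { Remove-Item -LiteralPath $Destination -Force }
    }
    return $result
}

# Placeholder names as used on this page; substitute your own server and CA name.
Test-DashboardCertificate
Test-CrlDownload -Url 'http://servername/CertEnroll/CAName.crl'
```

Because the status is set to OK only after the file has been downloaded and decoded, a 404 or 403 shows up as a failed check together with the URL that was requested.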
Just came across this tool, after having issues with a brand new server Essentials…
I get a ton of errors when running the CA tests….any idea where to start looking/reading to fix these?
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
At C:\users\gregh\downloads\EssentialsTester.ps1:800 char:17
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
Get-ItemProperty : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
At C:\users\gregh\downloads\EssentialsTester.ps1:801 char:32
+ $CRLDownload = Get-ItemProperty $destination
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Get-ItemProperty], ItemNotFoundExcepti
on
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
CRL Download : OK
Remove-Item : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
At C:\users\gregh\downloads\EssentialsTester.ps1:803 char:17
+ Remove-Item $destination -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Remove-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand
Testing CRL Distribution Configuration..
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Dashboard Certificate : Error
Dashboard Certificate : OK
Dashboard Certificate : Error
Dashboard Certificate : Error
Dashboard Certificate : Error
Sorry for slow response. You need to look at the CA and see if it is running. Are you able to open the dashboard?
Robert, you completely rock! I appreciate your test tool as it helped me find an issue, but perhaps I can make a suggestion for the next edit? The server has a name and usually, at least for the WSS web sites the cert name needs to match the server name, but from the outside, if you’re using remote web anywhere, it’s possible that you have created a new name in the remotewebaccess.com domain courtesy of MS. So, while it may be different than the server name, it might not really be an error. I would suggest flagging it, but not making it RED, and if there is a way to review the dashboard’s settings for RWA, then if the cert matched the dashboard for RWA, then you could not flag it at all. Make sense?
Thanks for the comments but I don’t update this tool anymore.
Hi mate. Did you ever resolve the issue with Dashboard Certificates without formatting and starting again?
Cheers. James
I have run the tester and got a similar outcome.
Do you want to email me a screen shot of the output?
Hi Robert. thanks for a prompt reply. I have 2 extracts to email. The CA and the IIS tests. What is your email?
Hi,
I hope these files find their way to you. Any help is greatly appreciated.
Regards,
James
On 2 Jun 2014, at 10:47, Title (Required) wrote:
Not seen them yet,
rob @ titlerequired
Hey Robert, thank you for your post. I am 99% done with this configuration, but when I ran your tool I got this message. Any idea where to start looking at this?
************************************************
* Essentials Server 2012, Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2012 R2 Standard
This tool will check your current Configuration against known Essentials 2012 Values.
Written by Robert Pearman (TitleRequired.com) February 2014
Version Info: Version: 1.7
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
2
Testing CA Name..
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Download : OK
Testing CRL Distribution Configuration..
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Dashboard Certificate : OK
Review your results, items in red should be investigated.
************************************************
* Essentials Server 2012, Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2012 R2 Standard
This tool will check your current Configuration against known Essentials 2012 Values.
Written by Robert Pearman (TitleRequired.com) February 2014
Version Info: Version: 1.7
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
Is the Dashboard opening ok?
Yes it opens ok. I can go to the domain name internally, but I cannot get it to render by dns or IP externally. I can also get to the connect page to download the connector internally but not externally. The configuration wizard, gives me the error saying Anywhere access to your server is blocked, that port 80 and 443 are blocked, but they are open on the firewall. It also tells me that Port forwarding is not configured correctly on your router, which it is. I read some more on these errors on Microsoft partner network, and they said that they can be ignored. I think I have a cert or a routing issue. The cert is installed correctly, at least I think, though I do not know what I am missing on the routing, cause I thought I covered everything.
Thank you,
Alan
Sounds like you have not opened the ports on your router, given that it is not working externally and you have those errors. At the very least confirm your server’s internal IP and check port forwarding on your router. It is also possible your ISP are blocking these ports. If the dashboard opens you may be able to discard the certificate error in the tool.
Hey Robert,
It was a firewall issue, the firewall rules were in place, but not working cause the firewall needed a firmware update. Once I updated the firmware on the firewall, then everything worked.
Alan
Thanks so much for this tester. I get four errors:
1. Certificate Authority Name: Name Error
2. Dashboard Certificate: Error
3. WSS Initialization Service: Stopped (Which I can start)
4. TCP Port 65500 (Used for CA Websites): Error (I use 65510)
Have you reinstalled Certificate Services?
Do I have to uninstall and reinstall the CA Role? Is that what you mean?
No I am asking if you have already at some point.
No, I have not reinstalled Certificate Services
OK, that is strange that it would report the CA name is incorrect then.
What problems are you having with the server – perhaps I can suggest opening a thread on the TechNet forum where it is easier to provide answers.
Thank you so much for your help.
My only problem is with the internal WSS Certificate Web Server. I get Parsing Errors when I go to http://servername/connect. Obviously this is very bad as I cannot join new computers to the SBS.
I have posted to TechNet here:
https://social.technet.microsoft.com/Forums/en-US/0b78f5e7-1d19-4cff-8857-4d77071ed1b0/parsing-error-when-trying-to-connect-to-httpservernameconnect?forum=smallbusinessserver2011essentials#0b78f5e7-1d19-4cff-8857-4d77071ed1b0
I received a 403. Great tool, BTW. I’m just trying to figure out how to re-test the HTTP request. One thing I like to do in my scripting is to echo the call if it returns an error. All we see below is that it happened, and roughly where, but we can’t see the HTTPS call it made.
Testing CRL Download..
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403) Forbidden.”
At C:\Users\administrator.THETECHGUYS\Downloads\EssentialsTester.ps1:802 char:17
+ $wc.DownloadFile($source,$destination)
I have re-written that bit just now because looking back at it, it seems a bit backwards.
What you could do is manually do the http test in a browser – you are essentially going to:
http://servername/CertEnroll/CAName.CRL
I do not have much experience in the areas of scripts and PowerShell. I am having an issue with multiple client PCs losing the Trust Relationship with the domain. After searching the forums and TechNet for information I found some references to your script, but… No matter what I do I keep getting this error.
I followed instructions to change the execution policy;
PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
And then ran the script
PS C:\Windows\system32> F:\ServerFolders\Networking\EssentialsTester.ps1
F:\ServerFolders\Networking\EssentialsTester.ps1 : File F:\ServerFolders\Networking\EssentialsTester.ps1
cannot be loaded. The file F:\ServerFolders\Networking\EssentialsTester.ps1 is not digitally signed. The
script will not execute on the system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ F:\ServerFolders\Networking\EssentialsTester.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
What am I doing wrong?
Alan
Right click the downloaded ps1 file, go to properties and make sure you click Unblock.
I am not sure this script will be much help to diagnose Trust issues. Do you have a thread open on the TechNet forum?
Thanks for answering. Yes I do have a thread on the Windows Server 2012 Essentials forum. But, I came in this morning and those 3 client PCs with the trust issue are able to log in to the domain WITHOUT the trust issue. Don’t want to “look a gift horse in the mouth” but would like to know why:\. Only thing that changed was more Windows updates being installed.
Alan
Link to the thread?
Difficult to say really, I have seen inexplicable trust issues on Windows 7 clients on a number of domains.
Also, I did “Unblock” your file and it is running just fine.
Thanks
Here’s the link; https://social.technet.microsoft.com/Forums/en-US/2ead3bb6-1212-4a22-a62a-b90841667f68/problem-with-clients-losing-the-trust-relationship-with-the-domain?forum=winserveressentials.
All these clients are Windows 7 Pro, very interesting
Hi,
Can you tell me why the name of the CA is important?
Thanks
Hi Robert,
I ran the test and the WSS Cert Server was showing Red status. I did a test in IIS Mgr in the Basic Settings Properties and the Pass-Thru authentication failed on the WSS Cert. Server Service folder? I replaced the Owner and amended permissions on the Folder and it still fails. If I change the Authentication to a specific user it works, but Connector Tool still does not? Any help appreciated.
I think those settings are as they should be, and if I remember correctly that test will fail.
Can you put those settings back as they were and then rerun the test and post a screen shot?
Hi Robert,
I have a client that runs Server 2012 R2 Essentials server. After the initial client machines were connected and configured, the client wanted to set up Anywhere Access with a self signed cert, and tried various methods of installing the cert using IIS, all of which failed. Later, they installed a commercial cert. All original certs were left in the server. Anywhere access and every part of the network works fine, however, when you attempt to connect a new computer using the Essential Connector application (https:///connect ), it fails to run successfully.
The connector page shows, and the connector tool downloads fine, but when it runs, it says it can’t find the Essentials server. If I point it to the correct server, it says it can’t get the information from the Essentials server. I have run Robert Pearman’s EssentialsTester.ps1 script, and it indicates the following problem:
Testing CRL Download..
CRL Location : http://serverxxx/CertEnroll/XXXX-serverxxx-CA.crl
CRL Destination : c:\windows\temp\crl.crl
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
At C:\users\admin\Documents\EssentialsTester.ps1:849 char:9
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
CRL Download : Failed
All other aspects of the tester seem to pass successfully. Any advice on how to resolve this issue? All help would be greatly appreciated.
Brian
If you go to that URL in a browser, does it download the file or give an error?
If I go to https://servername/connect, it downloads the file. The file will start, but doesn’t “find” the essentials server. It defaults to the second option on the screen that asks what server, using the IP address. I can have it find the correct server in the first (top) option, but it says it can’t get the information it needs from the server and to contact the administrator.
Perhaps, I misunderstood with my earlier reply. Did you mean the URL for the connector, for the CRL Location, or the CRLDestination?
The CRL Location URL fails with a 404 error, when accessed from the client PC.
Also, if you could, please edit my original post to change the initial part of the .crl name to be XXXXX. I would appreciate it. Same with the username. Thanks. Your blog doesn’t allow me to edit the original post.
Did you reinstall Certificate services at all?
It sounds like the CRL is either not being published correctly in CA, or the file is there but IIS is blocking it.
If you go into IIS can you see the virtual directory for CertEnroll?
I can’t say what was done prior in any detail regarding trying to use the self-signed cert, other than what I outlined above. I do know that they tried using the IIS tools to set up the self signed cert, as opposed to the Essentials wizard for installing a commercial cert using the Anywhere Access wizard. I have since run the Anywhere Access wizard to install a commercial cert.
I do see the virtual directory for CertEnroll in IIS.
And if you explore the virtual directory, what do you see there?
If I go to advanced view, and look at the source location, the files are there, if that is what you are asking.
If you right click the Virtual Directory, then click explore, it should open up c:\windows\System32\CertSrv\CertEnroll and you should have about 4 files listed.
Do you have a screen shot of the 404 page, or the exact wording of the error?
I do have four files listed. Two CRL files, one .asp, and one .crt.
The 404 page says: Not Found. HTTP Error 404. The requested resource is not found.
Not sure how much more help I can be through forum type support. I’d offer to log on and take a look if that is something you are interested in.
That could work. How do you propose we arrange this?
Drop me an email.
Forgive me, Robert, but I can’t find your email anywhere on your site. You have mine, included in the post information, if you can shoot me an email, we can set something up. Thanks so much!
Brian
Due to Robert’s brilliant help on this, we tracked the problem down to two things. Not only was the wrong cert being used, but, the HTTP: binding for the default site had somehow had the Host Name field filled with “Default Web Site,” which prevented all access to the crl. Once the field was made blank, and the correct cert in place, restarting the IIS services enabled everything to work correctly.
Robert, I can’t thank you enough for this!
Hi Robert, I’m a bit of a novice when it comes to Windows Server 2012 but I’m having an issue where none of the client computers are backing up. I’m seeing a NotConfigured error in the event logs on the client machines although from what I can see it is configured correctly. There is very little info on this problem in google land but I came across this site on my travels. I ran the configuration tool on the server with no errors but I got a ‘Client DNS Server’ error when I ran it on one of the clients. Problem is I’m not sure how to troubleshoot that or even if it is related to the backup issue. Any help you could offer would be greatly appreciated!
The client should use the server’s IP as a static DNS entry.
What do they have?
Hi Robert, thanks for the reply! Sorry I didn’t see it until now. I checked the ipv4 properties in adapter settings on the client and it’s set to obtain DNS server address automatically. Should I set this to the server’s IP?
I ran your essentials tester script on the client and am getting an error for the Client DNS Server. I tried setting the DNS IP to the server’s IP but I get the same result.
I’ve fixed the Client DNS Server issue (had to disable ipv6) and now script returns all ok. Unfortunately, the backup issue remains…
This is a great MS Essentials tool! First and foremost, thank you. I am having an issue that I recently inherited support on. I ran the PS tool across the server b/c I am having Status and backup issues. Also clients are unable to connect to the server via the URL http://servername/connect. Below are my findings thus far:
TCP 80 (Used for Websites) : OK
TCP 443 (Used for Websites) : OK
TCP 6602 (Used for Status) : Error
TCP 8192 (Used for Backups) : Error
TCP 65520 (Used for Mac Website) : OK
TCP 65500 (Used for CA Website) : OK
Do you have third party firewall or AV on the Server?
No third party AV or FWs are on the server. I believe that someone else has tried to fix this issue previously and has added and removed different roles from the server previously. Everything appears to be functioning as it is supposed to be, just not able to join the domain via the http://servername/connect method. Although I am able to join manually via the local computer’s system properties. Then also their backups have been failing and the server itself is unable to see the client machines.
Can you check that the Windows firewall is enabled and has exceptions for those ports?
I went ahead and created a custom rule to allow those ports access. Unfortunately, no luck. Are these ports supposed to be in the bindings for IIS? If so, I am not seeing them there.
No, 6602 and 8192 are not used in IIS.
Can you see anything listening on those ports if you do a NetStat command?
Okay, thank you for confirming the IIS portion. The findings for the NetStat are:
I see port 6602 listening in 22 different instances, but nothing for 8192
That’s a typo actually, it should be 8912 not 8192. It does test the correct port, but displays incorrectly. Will fix that.
On my server I have processes listening on both ports.
What are the settings of your custom rules?
8912 is a UDP port. 6602 is TCP.
Just reran the NetStat and 8912 is listening on 8 different instances
Given that there are instances listening, I would say go back and check your firewall config.
Will do, thank you for the advice.
If I were to simply disable the FW temporarily after hours and then test, could we eliminate that portion?
Yes that should be ok.
After hours this evening, I disabled all FWs (local PC FW, Server FW, and Network FW) and I am unable to telnet to those two ports 8912 and 6602. Although they report to be listening…any thoughts? I am able to connect on 443 and 80 obviously.
What does the tool report from the client now?
Test a backup, don’t rely on a telnet to the port.
The client tool is still unable to connect with all firewalls disabled. I also went ahead and tried the http://servername/connect method and the error message “An unexpected error has occurred. To resolve this issue, contact the person responsible for your network”….unfortunately that is me, and I am unsure of the solution. Then I did run your PS tool and it claimed that there are errors on those ports. Any other suggestions?
Robert, I just did a brand new installation of Server Essentials Experience on a Server 2012 R2 box. I ran the tool, and an error was generated on the CRL Destination check. It returned the error (503) Server Unavailable. I hopped over to IIS to check the bindings, and things appear to be fine. Do you have any suggestions on what else to check? I tried navigating to http://servername/connect, and it is also giving the 503 Server Unavailable error.
That was the only error?
Hi, thank you for the useful Tool.
I’m stuck with the following error:
Testing CA Name..
Certificate Authority Online : Error
Certificate Authority Name : OK
Certificate Authority Cert : OK
Where should I look first?
My main problem is I can’t join new computers to the domain because the Connector Website is not accessible anymore.
Sounds like your Certificate Authority is not running, is the service running?
I am getting a 403 Forbidden (You do not have permission to view this directory or page using the credentials that you supplied) when trying to connect a new client to an existing Essentials 2012 R2 server. Running EssentialsTester.ps1 shows a failure on CRL Download and 3 tests on Dashboard Certificate with 1 OK and 2 Errors.
I am at a loss on where to correct this, and I am certain it has something to do with my attempts to set up Anywhere Access several months ago (this is the first client I’ve tried to add since then).
Any insight would be appreciated.
Go to http://titlerequired.com/support and send over your results from the tester.
This was ultimately fixed with your help! After we got rid of the extra console certificates, the rest of the problem was fixed by unchecking “Use SSL” from the default web site under IIS (I’m sure I toggled that either in troubleshooting myself or when I set up Remote Access a few months ago).
Thanks!
If you could please edit the server name to something anonymous, I would appreciate it. :)
You should start by checking how many certificates you have for the server in the local machine store – it appears you have 3 and you should only have 1.
If you go to HKLM:>Software\Microsoft\Windows Server\Identity
I think the String is for LocalMachineCert – this is a thumbprint ID. and it should match one of the certs in the local machine store. You should remove the other two.
I’ve identified the correct certificate. Can you provide instruction on removing the others?
Also, any chance of removing my server name above in the test results?
I unpublished the comment so it should no longer be visible.
Just right click and hit delete.
Okay, just deleted the 2 extra certificates not matching the thumbprint from LocalMachineCert.
Now the EssentialsTester does one “Dashboard” check and it passes. However, there is still a CRL download failure, as I’m sure would be expected at this point.
IIS test returns the same, it appears.
Also, I have 3 other certificates showing as follows:
–CA
..local
Are these okay to leave in?
Yes leave those.
Go to IIS.
Expand Sites.
Click on Default Web Site. On the right, find Authentication. What is Enabled?
Click on WSS Cert Web Site, On the right, find Authentication. What is Enabled?
Default Web Site: Only “Anonymous Authentication” is enabled.
WSS Cert. Web Site: Only “Anonymous Authentication” is enabled.
OK good.
Under Default website, move to the ‘CertEnroll’ directory. What authentication is enabled?
As with the others, only “Anonymous Authentication” is enabled.
Now something odd has occurred. The WSE Dashboard says there are ZERO computers attached. Before, as in this morning, there were 7 including the server.
I’m wondering if removing those “extra” certificates had something to do with it, but I don’t know.
I’m assuming that client computer backups won’t take place now, which is a Bad Thing.
Assuming you deleted the correct certificate this would have been ok. If you have a backup of the server I can explain how to recover them. Can you confirm at least that the remaining ‘server’ certificate has a thumbprint that matches the registry entry?
I can confirm the thumbprint matches the registry key.
I’d be inclined to crack on then and not worry about the other certs currently. Fixing the auth issue should rule out a lot of issues and get connect working again. I will be back in the office tomorrow and can compare my lab settings to yours.
Also I have backups (twice a day).
Sounds fine…a little worried I won’t get our desktop backups, but that’s me being overly uptight. :)
I, too, suspect the connect site issue will fix all. I assume once that’s going, I can just run connect again and all will be well..
Sidebar: I’m in the process of migrating the WSE2012R2 server to new hardware, but have only gotten so far as creating a new replica domain controller; I haven’t moved the FSMO roles or promoted the new box to a domain controller. Hopefully that doesn’t impact what we’re doing here directly. That happens in a couple of days, but I would like to get this healthy again before I press on.
If you are migrating, you will have to reinstall the connector software anyway, and will be starting with fresh backups of your PCs. It may be just as well to finish your migration than spend time troubleshooting here.
That makes sense and I had considered that option, however I would like to understand what is broken here if possible. It’s obvious I created the issue, and I’d like to know what to avoid in the future. Furthermore, having everything healthy before I take the next migration step would ease my mind a bit. :)
I also don’t want to impose on you unnecessarily. If this is something I can figure out in one or two more steps, fantastic! If it’s going to be a long, drawn-out detective process, I may have a change of heart.
I understand what you mean. It is difficult to say how long it would take to resolve, hopefully not too long.
I suspect you have tweaked IIS to get Anywhere Access working, and with Essentials the last thing you want to do is tweak IIS, or play with the certificates.
Can you tell me what authentication settings you have on… Default Web Site\CertSrv and \Connect
\CertSrv: All disabled except “Windows Authentication”
\Connect: All disabled except “Anonymous Authentication”
Can you send a screen shot of the 403 Error for /Connect ?
Here’s the full text (don’t know how to post a screenshot here) upon opening http://(servername)/connect:
Server Error
403 – Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Also, WSE Best Practices Analyzer complains “Certificate subject does not match the name configured by the Domain Name wizard.” I’m only including that in case it helps narrow things down.
Just realised you installed Wsus. Did you install that to its own website or under default website?
WSUS Administration is at the same “level” as Default Web Site, Mac Web Service and WSS Certificate Website.
Hi Robert,
First of all, thank you very much for this amazing script. I have been slowly unwinding the results of a failure caused by using the “Use Express Installation Files” feature in WSUS.
After going through all the .config files, I have successfully removed a reference to
I have been using your EssentialsTester.ps1 file to slowly get back to normalcy, and I am at the point where Options 2,3,4 run without any errors :O)
However, when running option 1, there is only one item left, which I have been wracking my brains out on.
Checking IIS Bindings..
Binding Missing : Default Web Site
I have been looking at many different things and this is the only thing I can’t resolve at this point.
My current bindings when I have “Default Web Site” selected and I use the right side Actions menu and select bindings are:
type: http hostname: {blank} Port: 80 IP Address: * Binding Information: {blank}
type: https hostname: {blank} Port: 443 IP Address: * Binding Information: {blank}
What am I missing? Any help you can provide is appreciated!
Thank you,
Alex
Ah yes that last one is tricky.
Go into Powershell (elevated)
New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader yourservername -SSLFlags 1
for example,
New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader Essentials01 -SSLFlags 1
Thanks for that! It ended up solving my bindings issue. Funny thing with my setup, is what messed everything up originally was enabling “Use Express Installation Files” for WSUS. Once I removed WSUS, that un-install failed or errored out somehow and I was left with the IIS Scheme for “xpress” in my system (applicationHost.config) as follows:
This setting was propagating to all the other AppPools and kept repopulating every time I restarted the Windows Process Activation service.
Running this command removed the scheme and once again allowed everything to run as it should!
appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']
That led to this message and finally fixed! Thanks for your help! And that amazing EssentialsTroubleshooter PowerShell, it really led me back to a working system!
Applied configuration changes to section “system.webServer/httpCompression” for “MACHINE/WEBROOT/APPHOST” at configuration commit path “MACHINE/WEBROOT/APPHOST”
Hi Robert,
I have a Windows Server 2012 Essentials R2 installation that is having some troubles. http:///connect is not working and giving 500 Internal Server Errors. I have a suspicion that it is a certificate issue but I do not know enough to troubleshoot. I downloaded and ran your PowerShell script (thank you by the way for providing this!). I only get an error when running the Test CA Infrastructure portion as follows:
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server Error.”
At C:\users\\desktop\EssentialsTester.ps1:1160 char:9
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
CRL Download : Failed
When I try browsing the Default Website from IIS I get:
“HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Most likely causes:
The worker process is unable to read the applicationhost.config or web.config file.
There is malformed XML in the applicationhost.config or web.config file.
The server cannot access the applicationhost.config or web.config file because of incorrect NTFS permissions.
Things you can try:
Look in the event logs for information about why the configuration files are not readable.
Make sure the user identity specified for the application pool, or the authenticated user, has the required permissions to access the web.config file.
Detailed Error Information:
Module DynamicCompressionModule
Notification SendResponse
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8007007e
Requested URL http://localhost:80/
Physical Path C:\Program Files\Windows Server\Bin\WebApps\Site
Logon Method Anonymous
Logon User Anonymous
Request Tracing Directory C:\inetpub\logs\FailedReqLogFiles”
Any help would be greatly appreciated!
Thanks,
Dan
Robert
I’ve downloaded your splendid script and run it against a new 2012 R2 WSE role without error.
However, the reason for me coming across your site is that I cannot get Anywhere Access to configure. I get the dreaded errors:
Anywhere Access to your server is blocked.
and
There may be more than one router on your network.
This is my 3rd installation of WSE on 2012 R2 in the last couple of months and the 1st 2 worked like a dream :-(.
This installation has a Meraki MX64 WAN Security Device and a Meraki MR34 WAP. I have a VPN set up between this site and HQ across the Meraki network and a two-way Domain Trust is in place.
I’d appreciate it if you could offer any advice to fix this.
Regards
Brian
Have you confirmed the ports are open correctly and accessible from outside?
Some routers are not comfortable doing NAT loopback, which is essentially how the AA wizard tries to verify external connectivity.
I guess your setup is similar to the other installs you did – what is different here, ISP? Router?
Robert
I have one site connecting through a Meraki MX 80 using NAT, but this site is just using a port forwarding rule through the MX64 for 443 and 80.
I’ve done a test for 443 and 80 externally and it is reporting that they are blocked, so I’ve asked the IT guy there to investigate if the ISP has them blocked by default.
I’m also looking to put WSE AA onto its own external WAN IP so I can use NAT.
Very many thanks for your swift response.
Regards
Brian
Robert
An update.
Turns out there are some issues port forwarding 80,443 on a Meraki MX64 which I am investigating at the moment. Best to use 1:1 NAT, which leads me onto….
This site only has a single WAN IP address so I’m looking into upgrading (hopefully will not cost too much) to multiple so I can assign Anywhere Access to its own WAN IP and use NAT.
Thanks again
Brian
I ran this tool and now my connector doesn’t work. When I try to launch the connector from a client it says “Your server cannot be located. Enter Server’s name or IP address to proceed”. It doesn’t see the server if I enter Name or IP address. I can add the machines to the domain manually. Do you know if the script changed anything that may have caused the connector to stop working?
The script makes no changes to any settings, it only reads the current configuration and compares it to known defaults.
Thank you.
Hi Rob can you help with my issues?
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Checking Virtual Directories..
Virtual Directory : /CertSrv
Application Pool : RootApp
Content Path : C:\Windows\system32\CertSrv\en-US
Checking AppPools..
Checking ISAPI Filters..
Checking IIS SSL..
Checking IIS Bindings..
Checking IIS Authentication..
Site : Default Web Site\RDWeb\FeedLogin
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\RDWeb\Pages
Authentication : digestAuthentication
Enabled : False
Review your results, items in red should be investigated.
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : Errors Detected – ProgramData
Testing CRL Download..
CRL Location : http://SERVER02/CertEnroll/ew-SERVER02-CA-Xchg!00282!0029.crl
CRL Destination : c:\windows\temp\crl.crl
CRL Download : OK
Testing CRL Distribution Configuration..
Get-CACrlDistributionPoint : CCertAdmin::GetConfigEntry: The parameter is incorrect. 0x80070057 (WIN32: 87
ERROR_INVALID_PARAMETER)
At C:\users\localadmin\desktop\EssentialsTester.ps1:1186 char:23
+ $CDPS = ( Get-CACrlDistributionPoint | where-object { $_.Uri -like ” …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CACrlDistributionPoint], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.CertificateServices.Administration.Commands.CA.GetCrl
DistributionPointCommand
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
Testing Dashboard Certificate..
Dashboard Certificate : OK
Review your results, items in red should be investigated.
Thank you in advance!
Gareth
There should be a log in the %appdata% folder for the script. Can you send me that?
It looks to me like you have a CA issue, have you changed anything CA related – uninstalled/reinstalled?
Thanks for your reply, yes the “Active Directory Certificate Services” wasn’t installed as I had to remove it to migrate from another server. I have since installed it back on. Regarding the log, there aren’t any logs in the folder; is it in a subfolder? C:\Users\Localadmin\AppData\Roaming
Depending on your position, you may find it easier to remove the Essentials role and CA and reinstall it.
If that is not an option, follow this guide. https://support.microsoft.com/en-us/kb/2795825
Although some of the components you need to ‘repair’ your CA may not be present, meaning you will be looking at using more creative methods to repair the server!
Sorry my mistake, the log file is actually in %temp% (c:\users\user\appdata\local\temp)
Thanks Robert the Reinstall of CA Role fixed it :)
Hi Robert,
I’m having IIS Cert issues and I hope you can help. Here are the results from tests 1 & 2:
Version Info: Version: 2.04
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Connect Website : Error : 500
Checking Virtual Directories..
Checking AppPools..
Checking ISAPI Filters..
get-webconfiguration : Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 207
Error: Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory
password
At D:\_IT archive\EssentialsTester.ps1:420 char:17
+ $isapif = (get-webconfiguration -pspath iis:\sites\* -filter “/system.webse …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.IIs.PowerShell.Provider.GetConfigu
rationCommand
Checking IIS SSL..
Website Name : Mac Web Service *:65520:
SSL Certificate : Error: Does not match Dashboard Certificate
Checking IIS Bindings..
Binding Missing : Default Web Site
Checking IIS Authentication..
Review your results, items in red should be investigated.
Version Info: Version: 2.04
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://SERVER2012/CertEnroll/CDG-SERVER2012-CA.crl
CRL Destination : c:\windows\temp\crl.crl
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server
Error.”
At D:\_IT archive\EssentialsTester.ps1:1196 char:9
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
CRL Download : Failed
Testing CRL Distribution Configuration..
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Dashboard Certificate : OK
Dashboard Certificate : Error : 84435D4ACBA26DFAEC7CDBE281900C6D1CB32152
Dashboard Certificate : Error : 3DB7B9EE73BF39562073BDD512DF55891BD1BE69
Dashboard Certificate : Error : 1E417FD2362556FC6BD1C81936EBC5826FAB4BBB
Review your results, items in red should be investigated.
Hi Peter,
So we have a couple of issues here.
I would fix the Dashboard certificate first as that is likely to be easiest.
You need to work out which certificate is correct. To do that, you need to check the registry.
HKLM>Software>Microsoft>Windows Server>Identity there will be a RE here with a thumbprint ID. It should match one of the certificates in your local machine personal store.
It looks like you currently have four certificates in the store, three of which show as errors above.
Once you have identified the correct one, remove the others.
Next, IIS.
Can you go to http://server/connect and get the full error message displayed? This will help troubleshoot further.
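One way to do the registry-to-store comparison described above, as an added example (not part of the original reply or of EssentialsTester.ps1). The registry key path is the one given in the reply; because the value name is not stated there, the script treats any string value that is 40 hex digits as a thumbprint, which is an assumption, as is the function name Find-IdentityCertificate.

```powershell
#Requires -Version 3.0
# Read-only: nothing is removed from the store or changed in the registry.

function Find-IdentityCertificate {
    # Hypothetical helper name; not part of EssentialsTester.ps1.
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Identity',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop

    # The value name is not given in the thread, so take every string value that
    # is exactly 40 hex digits once whitespace is removed (a SHA-1 thumbprint).
    $referenced = @(foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        if ($value -is [string]) {
            $clean = ($value -replace '\s', '').ToUpperInvariant()
            if ($clean -match '^[0-9A-F]{40}$') {
                [pscustomobject]@{ ValueName = $name; Thumbprint = $clean }
            }
        }
    })

    $certs = @(Get-ChildItem -Path $StorePath)

    # One row per certificate in the Local Machine personal store.
    $storeReport = @(foreach ($cert in $certs) {
        $hits = @($referenced | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        [pscustomobject]@{
            InRegistry    = $hits.Count -gt 0
            ReferencedBy  = ($hits | ForEach-Object { $_.ValueName }) -join ', '
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Subject       = $cert.Subject
        }
    })

    # Thumbprints the registry points at that are not in the store at all.
    $missing = @($referenced | Where-Object { $certs.Thumbprint -notcontains $_.Thumbprint })

    [pscustomobject]@{
        Certificates     = $storeReport
        MissingFromStore = $missing
    }
}

$r = Find-IdentityCertificate
$r.Certificates |
    Sort-Object InRegistry -Descending |
    Format-Table InRegistry, ReferencedBy, Thumbprint, NotAfter, HasPrivateKey, Subject -AutoSize |
    Out-String | Write-Host

foreach ($m in $r.MissingFromStore) {
    Write-Warning "Registry value '$($m.ValueName)' references $($m.Thumbprint), which is not in the store."
}
```

The script only reports; exporting a certificate together with its private key before removing it keeps the removal reversible.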
Robert,
I was able to remove the unneeded certificates.
The error message when browsing to https://server/connect is as follows:
——————————————————————————————————————————–
HTTP Error 500.19 – Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information:
Module IIS Web Core
Notification Unknown
Handler Not yet determined
Error Code 0x8007052e
Config Error Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory password
Config File \\?\C:\inetpub\temp\apppools\Client_App\Client_App.config
Requested URL https://server2012:443/connect
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
Config Source:
89:
90:
91:
————————————————————————————————————————-
Also, I am now receiving different errors when running the EssentialsTester:
Version Info: Version: 2.04
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Connect Website : Error : 500
Checking Virtual Directories..
Checking AppPools..
Checking ISAPI Filters..
get-webconfiguration : Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 207
Error: Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory
password
At D:\_IT archive\EssentialsTester.ps1:420 char:17
+ $isapif = (get-webconfiguration -pspath iis:\sites\* -filter “/system.webse …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.IIs.PowerShell.Provider.GetConfigu
rationCommand
Checking IIS SSL..
Website Name : Mac Web Service *:65520:
SSL Certificate : Error: Does not match Dashboard Certificate
Checking IIS Bindings..
Binding Missing : Default Web Site
Checking IIS Authentication..
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2012 Essentials
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (TitleRequired.com) February 2016
Version Info: Version: 2.04
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://SERVER2012/CertEnroll/SERVER2012-CA.crl
CRL Destination : c:\windows\temp\crl.crl
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server
Error.”
At D:\_IT archive\EssentialsTester.ps1:1196 char:9
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
CRL Download : Failed
Testing CRL Distribution Configuration..
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Dashboard Certificate : OK
————————————————————————————————————————-
Thank you very much for your help,
Peter
Can you confirm that the IIS_IUSRS group has read permission to C:\inetpub\temp\apppools\Client_App\Client_App.config
Can you confirm what Identity the Client_App AppPool is running under?
The Client_App AppPool is running under the NetworkService identity.
The IIS_IUSRS group does not have any explicit permissions on the Client_App.config file. The owner of the file is the Domain Administrators group; SYSTEM and Domain Administrators groups have Full Control, the Client_App group has Read access.
On my lab system that group does have permissions on that folder. Can you set it to have Read & Execute? Then rebooting the server is probably best.
I was looking at the permissions to the file Client_App.config instead of looking at the permissions for the folder. The folder from which that file perhaps inherits its permissions, C:\inetpub\temp\apppools\Client_App\ does have the IIS_IUSRS group listed. That group has Read, Read & Execute, and List Folder Contents.
I have rebooted the server. Unfortunately I’m getting the same error when browsing to http://server/connect
If you drill down all the way to the Client_App.config file, the ‘Client_App’ user account should have Read access. Can you confirm that?
Yes, that’s exactly what I see when I view the properties of the Client_App.config file.
Robert,
I thought I’d follow up with you to let you know how I fixed the permissions issue.
IIS
Sites
Default Web Site
Right Click
Manage website
Advanced Settings
Physical Path Credentials ( click on …)
Specific User (Click on set button)
Type in user name and current password
Hi there. Since I upgraded my Windows 8 machines (about a year ago) join them to Windows Essentials 2012 R2 server as managed devices (to enable automatic backups). When I initially researched this, Microsoft said that the Essentials connector was not supported on Windows 10 yet and it would be released in a few months. Now, I’ve manually installed the connectors on two different Windows 10 machines and am still unable to connect and after researching it online, I checked ClientDeploy.log which shows a certificate error. After further research, I stumbled onto your very helpful script! When I run it, Test IIS shows no errors. However, Test CA Infrastructure shows the following error:
Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
Do you have suggestions on how to fix this? Thank you!
Can you manually confirm if that file exists?
I believe you can simply export the CARoot Certificate (in cer format) and place it in there, make sure to name it correctly.
Hello there. Thank you for developing this useful tool! I ran it to try to figure out why my Windows 10 clients are unable to connect to my Windows Essentials 2012 R2 server. On the server, the tool reports the following error:
Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
At C:\users\SankulaAdmin\EssentialsTester.ps1:1120 char:17
+ $cert = Get-Item “C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.ce …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\ProgramData\…Data\CAROOT.cer:String) [Get-Item], ItemNotFoundExcep
tion
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
Exception calling “Import” with “1” argument(s): “Array may not be empty or null.
Parameter name: rawData”
At C:\users\SankulaAdmin\EssentialsTester.ps1:1122 char:9
+ $certPrint.Import($cert)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException
Any ideas on how to fix this? Thank you again!
Sorry for delayed response, I have been unwell!
Robert, thanks for this tool! It has found my config problem; now if only I knew what to do to fix it!
I have a 2012 R2 server, and am trying to add a Windows 10 client. The computerConnector fails during the configuration, and by browsing logs I saw that I’m having cert problems.
History: When server was setup it had domain name of company.com, then after setup, in the midst of trying to get anywhere access working, the domain name was changed to zone.company.com. That was 7 months ago. Server works well, except for anywhere access and, of course, ability to add new clients. The ca-name is company-server3-ca, when apparently it wants to be zone-server3-ca.
Can you point me to guidance on clearing up my mess?
Thanks a million!
You renamed the internal domain name?
What does the config tester suggest is wrong?
What does it say the problem is?
Did you rename your internal domain name?
The Config Tester, in the CA Infrastructure test, reports:
Certificate Authority Online : OK
Certificate Authority Name : Name Error
Certificate Authority Cert : OK
The server started life as server3.company.com, and later was renamed to be server3.home.company.com (with home.company.com being my home network where Server Essentials lives, and company.com being hosted elsewhere with a DNS pointer to this server for this subdomain).
So you renamed the Domain?
I’m not sure of a way out of that.
You will probably have to uninstall the Essentials Role and CA, then reinstall the Essentials Role which should build a new CA for you with the correct name.
But of course doing this will mean you lose client backup history and will have to reinstall the connector on the computers.
Not the best word to hear, but not the end of the world, either. There are only a few client computers involved, so the re-connects won’t be too bad. As long as storage pools and network/DNS configuration is preserved on the server I can weather the loss of backup history. Step 1 is ensuring a good backup of server before starting remediation.
Thanks, Robert, for your insight. And for the tool that started this discussion.
You are a life-saver. I have been debugging an issue where I could not connect clients to an Essentials server. I had tried everything but your script pointed me towards the CA being the problem (“Certificate Authority Online : Error”). It turned out that Active Directory Certificate Services would not start due to a corrupted log. I restored it from backup and now it works great.
Thanks, this saved me from having to rebuild this server.
Hello Robert,
I did run your script and found 7 errors. I’ve never worked with PowerShell or with setting up servers like that. I’m running Server Essentials 2012 and currently I have started to have a problem with joining the domain.
Here is my report from your script:
Pool Name : WebPortalAppPool
Enabled 32bit Apps : True
.NET Version : v2.0
State : Started
Checking ISAPI Filters..
Checking IIS SSL..
Website Name : WSS Certificate Web Service *:65500:
SSL Certificate : Error: Does not match Dashboard Certificate
Website Name : Mac Web Service *:65520:
SSL Certificate : Error: Does not match Dashboard Certificate
Checking TLS Version 1.0
Checking IIS Bindings..
Binding Missing : Default Web Site
Checking IIS Authentication..
Site : Default Web Site\PDMWeb
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\PDMWSearch
Authentication : digestAuthentication
Enabled : False
Site : Default Web Site\PDMWSearch
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\Remote
Authentication : digestAuthentication
Enabled : False
Great tool Robert. I’m running 2016 Standard with Essentials Experience installed. I had to add the following code snippet to get it to recognize that (after the test for “Essentials” since my configuration returns “Microsoft Windows Server 2016 Standard”)
$checkOS = $os.Contains("2016")
if (($checkOS) -eq "True")
{
    Import-Module WebAdministration
    $Global:OS = "Essentials2016"
    Menu
}
I thought I had done that already (version 2.07); may not have published it though.
Thanks for sharing.
Hi,
Your tool has been really helpful in trying to resolve our issue but I am stuck at a point, our server has been migrated from SBS 2011, I didn’t build it and whoever did missed out the CA so I have added that back in which resolved the IIS issues found in step one but now I have issues in step 2, can you help me?
I am getting errors in
“testing /connect certificate package..
Connect computer certificate : Errors detected – ProgramData”
and
“Testing Dashboard certificate..
Dashboard certificate : Error : (String Value)
Dashboard certificate : OK”
Any help much appreciated.
Cheers
Can you share a bit more about the environment? Version of Essentials? Client computers? Status of the Essentials install?
I am migrating from SBS2011 (using your excellent guide) to a 2016 server with the essentials experience add-in. It has been a painful experience because various users need to be allowed to add-in as a service / batch job. There seems to be no definitive documentation on what those are. Since the (eg, Anywhere Access) wizards give no clue as to what the problem is and, as the log files are hard to find, voluminous and impenetrable, it makes for a lengthy journey.
I’ll give this tool a whirl to see whether everything is settled.
Hi Robert,
Running into an issue where clients are indicating offline, failed backup status. Appears to have started after failed attempt to implement direct access.
Connect website returns 403 forbidden on http and certificate error on https.
Results of test tool.
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Checking Virtual Directories..
Checking AppPools..
Checking ISAPI Filters..
Checking IIS SSL..
Checking TLS Version 1.0
Checking IIS Bindings..
Website Name : Default Web Site
Binding : https[fd37:f6ae:b62e:3333::1]:62000:0
Website Name : Default Web Site
Binding : https10.58.168.1:62000:0
Website Name : Default Web Site
Binding : https[fd37:f6ae:b62e:1:0:5efe:10.58.168.1]:62000:0
Checking IIS Authentication..
Site : Default Web Site\RDWeb\FeedLogin
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\RDWeb\Pages
Authentication : digestAuthentication
Enabled : False
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2016 Essentials
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (TitleRequired.com) August 2016
Version Info: Version: 2.07
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://VHSERVER-1/CertEnroll/VHS-INC-VHSERVER-1-CA.crl
CRL Destination : c:\windows\temp\crl.crl
Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403)
Forbidden.”
At C:\Users\VHS-ADMIN\Downloads\EssentialsTester.ps1:1215 char:9
+ $wc.DownloadFile($source,$destination)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
CRL Download : Failed
Testing CRL Distribution Configuration..
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoi
nt)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Dashboard Certificate : OK
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2016 Essentials
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (TitleRequired.com) August 2016
Version Info: Version: 2.07
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
4
Testing Service Ports on : VHSERVER-1
TCP 80 (Used for Websites) : OK
TCP 443 (Used for Websites) : OK
TCP 6602 (Used for Status) : Error
TCP 8912 (Used for Backups) : Error
TCP 65520 (Used for Mac Website) : OK
TCP 65500 (Used for CA Website) : OK
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2016 Essentials
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (TitleRequired.com) August 2016
Version Info: Version: 2.07
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
Thanks Tim
I couldn’t get the connector software to install on Windows 10 Pro connecting to Server 2016. It kept giving me ‘server not available’ after entering the credentials. I used your PowerShell program and the only thing in error was TLS1.0. I’ve been trying to get the connector to work for months. I had changed my IIS settings to only use TLS1.2, but it seems the connector only works with TLS1.0 (I know.. right?). I had to disable TLS1.2 and TLS1.1 and enable TLS1.0 in IIS registry to get connector to install.
Hope this helps others out there.
You should be able to have all three enabled, but yes, stupid and annoying that it still requires TLS 1.0.
At home I have a Windows Server 2012 Essentials server (not R2) and I have installed the connector software for Windows Server Essentials on all my PCs and portables. I think that at the time all my workstations were on Windows 7 and Windows 8 and there was no problem connecting the workstations.
Now I want to connect my first Windows 10 Pro PC but the connector software keeps failing and I cannot connect this PC to my server.
The connector seems to be working because I get several screens (finding server, getting started, username and password selection) but after I have entered a username and password I get the following error: Cannot connect this computer to the network. The server is not available. Try connecting this computer again, or for more information, see Troubleshoot connecting computers to the server.
I have run the troubleshooter and that says that the binding is missing on the default web site.
I don’t know if there is a link between this problem and the connector that’s not working.
But how can I fix the missing binding error?
What bindings do you have on the default website?
Where can I find this?
In IIS, under default website.
2 bindings
1.
Type: http
IP address: All Unassigned
Port: 80
Host name:
2.
Type: https
IP address: All Unassigned
Port: 443
Host name:
Require Server Name Indication: UNchecked
SSL certificate: HPMICROSERVER
You have an https binding missing.
There is a comment about half way up the page for New-WebBinding that has some PowerShell syntax that may help. (October 27th 2015)
I have followed the instructions above resulting in these 3 bindings:
1.
Type: http
IP address: All Unassigned
Port: 80
Host name:
2.
Type: https
IP address: All Unassigned
Port: 443
Host name:
Require Server Name Indication: UNchecked
SSL certificate: HPMICROSERVER
3.
Type: https
IP address: All Unassigned
Port: 443
Host name: HPMICROSERVER
Require Server Name Indication: CHECKED
SSL certificate:
When I run your troubleshooter I get the following error:
Checking IIS SSL
Website Name: Default Web Site *:443:HPMICROSERVER
SSL Certificate: Error: Does not match dashboard certificate
I have added the HPMICROSERVER certificate resulting in these 3 bindings:
1.
Type: http
IP address: All Unassigned
Port: 80
Host name:
2.
Type: https
IP address: All Unassigned
Port: 443
Host name:
Require Server Name Indication: UNchecked
SSL certificate: HPMICROSERVER
3.
Type: https
IP address: All Unassigned
Port: 443
Host name: HPMICROSERVER
Require Server Name Indication: CHECKED
SSL certificate: HPMICROSERVER
Now your troubleshooter does not give any errors anymore.
But my original problem (see comment September 18, 2017 at 9:49 am) still exists,
When I try to connect a Microsoft Surface 3 with Windows 10 Pro to the Windows Server 2012 Essentials server (not R2) with the connector software I get the following error: Cannot connect this computer to the network. The server is not available. Try connecting this computer again, or for more information, see Troubleshoot connecting computers to the server.
Any idea?
Have you disabled TLS 1.0 on the server or client?
When I run your troubleshooter “Checking TLS Version 1.0” does not give an error. Is that enough to be sure that TLS 1.0 is enabled or do I have to check elsewhere?
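The TLS state raised here, and in the earlier comment about disabling TLS 1.1 and 1.2 in the registry, can be read directly on both server and client; the following is an added example, not part of the thread or of EssentialsTester.ps1. It assumes the standard Windows Schannel registry location (the thread itself does not name a key), and the function name Get-SchannelProtocolState is hypothetical.

```powershell
#Requires -Version 3.0
# Read-only audit of the Schannel protocol settings; run on the server and on the client.

function Get-SchannelProtocolState {
    # Hypothetical helper name; not part of EssentialsTester.ps1.
    param(
        [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )

    # Standard Schannel location (assumption: not stated in the thread).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($protocol in $Protocols) {
        # "Server" governs inbound connections (IIS), "Client" outbound ones (the connector).
        foreach ($role in 'Server', 'Client') {
            $path    = Join-Path (Join-Path $base $protocol) $role
            $enabled = $null
            $dbd     = $null

            if (Test-Path -LiteralPath $path) {
                $props = Get-ItemProperty -LiteralPath $path
                if ($props.PSObject.Properties['Enabled']) {
                    $enabled = $props.Enabled
                }
                if ($props.PSObject.Properties['DisabledByDefault']) {
                    $dbd = $props.DisabledByDefault
                }
            }

            # Enabled is a DWORD: 0 disables the protocol, any other value
            # (often 1 or 0xFFFFFFFF) enables it. A missing value means the
            # operating system default applies.
            $state =
                if ($null -ne $enabled -and $enabled -eq 0) { 'Disabled' }
                elseif ($null -ne $dbd -and $dbd -ne 0)     { 'Disabled by default' }
                elseif ($null -eq $enabled)                 { 'Not configured (OS default)' }
                else                                        { 'Enabled' }

            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

$tls = @(Get-SchannelProtocolState)
$tls | Format-Table Protocol, Role, Enabled, DisabledByDefault, State -AutoSize |
    Out-String | Write-Host

# Flag the case described in the thread: TLS 1.0 switched off on either side.
$tls | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.State -like 'Disabled*' } |
    ForEach-Object { Write-Warning "TLS 1.0 is $($_.State.ToLower()) for role $($_.Role)." }
```

Comparing the output from the server with the output from the Windows 10 client shows whether the two sides still share a protocol version.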
Can you upload the logs from the windows 10 machine?
How can I upload the logs?
One drive? Dropbox? The choice is yours!
I have shared the logs on my OneDrive: https://1drv.ms/u/s!At-A7Tk_voOS0_kvzA1R-IbvmmdUnA
Hi Robert,
I have a Windows Server 2016 Standard DC that has the Essential Role installed. It was brought up to replace an SBS 2011 server that has since been removed, I ran your script and I get the following errors:
IIS
Checking Virtual Directories..
Content Path : C:\Program Files\Windows Server\Bin\WebApps\Site
Checking AppPools..
Pool Name : ConnectivityAppPool
Enabled 32bit Apps : False
.NET Version : v4.0
State : Stopped
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : Name Error
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : Errors Detected – ProgramData
Everything else checks out. When running the connector on PCs (Windows 10) I get the error that the server is not available. Any suggestions?
Regards,
Jim
Looks like a few issues there, can you say what the history of the box is?
Hi Robert,
It is a new VM server, we just migrated from SBS 2011, I believe the CA was moved from the SBS server.
Jim
Hi Robert,
I’m seeing similar errors:
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : Name Error
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : Errors Detected – ProgramData
My box was a SBS 2011 to Essentials 2016 transfer, I can’t find any information on Connect certificate, but I’m thinking it’s trying to use the certificate from SBS 2011 and that’s why it’s failing.
Do you have any ideas on how to rectify this?
Thanks
Mike
Hi Mike, I would need more info. You can contact me via https://windowsserveressentials.com/support
Thanks Robert,
Script worked well in identifying my issues.
I ran the script to check the install after we set the system up and no errors, very pleased man on this end!
I had a bunch of things we planned so started on the list… Started trying to connect a NAS to my domain and installed iSCSI services to be able to integrate. This did not work and I decided to remove the role from my WSE 2016 – bad mistake!
The removal trashed the setup and it was so bad that I could not get the dashboard to start fixing the mess. After looking at the avalanche of error messages I decided to roll back the server state.
This has brought stability to the place but clients are faster at getting their data from the web through OneDrive than from the shared drives or folders.
I ran your tool again and the ONLY outstanding issue is that it cannot find the CAROOT.cer file on the server – it is not there.
Are these two issues related?
Thanks,
Rudd
It shouldn’t affect file access speed; that may be more down to NIC config/drivers. Did you also benchmark that before?
OK, my dashboard is NOT opening. I assume it is due to multiple certs being in here? And if so, how do I delete the baddies?
Testing Dashboard Certificate..
Current Dashboard Certificate : AB9352214B81B873861C309BA6D579FFCF638D0C A6861BA04608F5DF70226705E38806F628BD02E5 2C802A
342F40CC6BA9DDD41A2E4061A40821752A
Dashboard Certificate : ErrorAB9352214B81B873861C309BA6D579FFCF638D0C
Dashboard Certificate : ErrorA6861BA04608F5DF70226705E38806F628BD02E5
Dashboard Certificate : OK
Review your results, items in red should be investigated.
Yes, it is likely if you have multiple certs.
Can you send a screen shot of the errors?
When I try to open the dashboard in S2012R2 it closes immediately after building the GUI, with no errors on screen. In the error logs I see this:
Application: Dashboard.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException
at System.Security.Cryptography.SHA256Managed..ctor()
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconCache.GetIconHash(System.Drawing.Icon)
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconCache.GetCachedIcon(System.Drawing.Icon)
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconProxy..ctor(System.Drawing.Icon, System.Drawing.Icon)
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconProxy.Create(System.Drawing.Icon, System.Drawing.Icon)
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.ExceptionHandler.Run[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](ProtectedCallback`1)
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.PageContent+ListPageContent`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].GetObjectIcon(System.Object)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsView.OnObjectSelected(System.Object, Microsoft.WindowsServerSolutions.Administration.ObjectModel.ObjectSelectedEventArgs)
at System.EventHandler`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Invoke(System.Object, System.__Canon)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.ConsoleUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
at System.EventHandler`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Invoke(System.Object, System.__Canon)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.ConsoleUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.OnObjectSelected(System.Object, Microsoft.WindowsServerSolutions.Administration.ObjectModel.ObjectSelectedEventArgs)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.dataBoundListView_SelectionChanged(System.Object, Microsoft.MidMarketServer.UI.ConsoleListViewItemSelectedEventArgs)
at Microsoft.MidMarketServer.UI.EventUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
at Microsoft.MidMarketServer.UI.ConsoleListView.HandleReflectionNotify(tagNMHDR*, Int32 ByRef)
at Microsoft.MidMarketServer.UI.ConsoleListView.WndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
at System.Windows.Forms.UnsafeNativeMethods.SendMessage(System.Runtime.InteropServices.HandleRef, Int32, IntPtr, IntPtr)
at System.Windows.Forms.Control.SendMessage(Int32, IntPtr, IntPtr)
at System.Windows.Forms.Control.ReflectMessageInternal(IntPtr, System.Windows.Forms.Message ByRef)
at System.Windows.Forms.Control.WmNotify(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr, IntPtr, Int32, IntPtr, IntPtr)
at System.Windows.Forms.NativeWindow.DefWndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
at Microsoft.MidMarketServer.UI.ConsoleListView.WndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
at .SendMessageW(HWND__*, UInt32, UInt64, Int64)
at Microsoft.MidMarketServer.UI.ConsoleListView.SetItemInfo(Int32, Microsoft.MidMarketServer.UI.ConsoleListViewItem)
at Microsoft.MidMarketServer.UI.ConsoleListViewItem.set_Selected(Boolean)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectListViewIndex(Int32, Boolean)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectClosestItem(Boolean)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectEntity()
at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.EventUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.OnRefreshDataCompleted(System.Object, System.EventArgs)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.listViewWorker_WorkComplete(System.Object, Microsoft.WindowsServerSolutions.Dashboard.Forms.Work.WorkCompleteArgs)
Exception Info: System.Reflection.TargetInvocationException
at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
at System.Delegate.DynamicInvokeImpl(System.Object[])
at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.WndProc(System.Windows.Forms.Message ByRef)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
at Microsoft.WindowsServerSolutions.Dashboard.Program.Main(System.String[])
And then right above that error is this one:
Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18895, time stamp: 0x5a4b1cf7
Exception code: 0xe0434352
Fault offset: 0x00000000000092fc
Faulting process id: 0x3214
Faulting application start time: 0x01d3b6fc46e2ab4c
Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 8fd39ff3-22ef-11e8-80fc-44a842421510
Faulting package full name:
Faulting package-relative application ID:
Can you download the tester again? I fixed a bug in the output.
OK, re-downloaded and here is the output:
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2012 R2 Essentials
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (TitleRequired.com) January 2018
Version Info: Version: 2.10
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
0. Quit
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://SERVER/CertEnroll/WAI-WIRESERVER-CA.crl
CRL Destination : c:\windows\temp\crl.crl
CRL Download : OK
Testing CRL Distribution Configuration..
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Current Dashboard Certificate : AB9352214B81B873861C309BA6D579FFCF638D0C A6861BA04608F5DF70226705E38806F628BD02E5 2C802A
342F40CC6BA9DDD41A2E4061A40821752A
Dashboard Certificate : ErrorAB9352214B81B873861C309BA6D579FFCF638D0C
Dashboard Certificate : ErrorA6861BA04608F5DF70226705E38806F628BD02E5
Dashboard Certificate : OK
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected: Microsoft Windows Server 2012 R2 Essentials
Still shows two bad certs in the dashboard.
Strange, it should only list one thumbprint under ‘current’. Would you send a screen shot rather than copy/paste?
In any case the registry value for the dashboard certificate does not match the certificates installed.
Sorry, we lost power here in New England.
here are the screen shots:
https://ibb.co/gU96Cn
https://ibb.co/kipTQ7
Also, we have replaced our current cert for the recent Google cert update issue.
any ideas?
I’ll drop you an email.
Robert – I have been searching everywhere to solve my Certificate Authority Cert: Errors Detected – Local Machine Store. I am still running WSE 2012 (not R2). Reading the above thread I found the Registry contains one value for the LocalMachineCert, whereas the certsrv (Certification Authority (Local)) contains a completely different one – both based on the Windows ServerSolutionsComputerCertificateTemplate. Can I just copy the one from the certsrv over the entry in the registry to make them match? I certainly don’t want to do anything that would prevent the machine from booting! The Dashboard launches but several services that depend on Windows Server Search all fail because the search service fails immediately on launch.
You should be able to create a new one, I think it was a PowerShell command, add-wsslocalmachinecert
I’d make sure you have a good backup as well so you can always go back.
Thanks for the quick reply. I did make an image backup and then followed your recommendation. The PowerShell admin window where I typed the command stayed open for about 3 seconds and then closed. I rebooted and ran the essentialstester (7-27-18) again and it reports Binding Missing: Default Web Site and Certificate Authority Cert: Errors Detected – Local Machine Store. Under Testing Dashboard Certificate – the value remains identical to the one I found before all this in the registry and is different from the one shown in certsrv, so I’m not sure whether the command given above had any effect at all or if I made some error. To rule this out – I tried it again after a cold boot by copying and pasting the command into admin powershell – but the results are the same.
Robert – I am feeling quite silly at the moment – I looked once again to see how to verify the Local Machine Store – and after opening Certificates(Local Computer)\Personal\Certificates ASUS-P5WDH (my servername) – I find that the thumbprint of this certificate DOES MATCH the value in the registry HKLM>Software\Microsoft\Windows Server\Identity except it is listed in lowercase in the mmc snapin and as an uppercase REG_SZ in the registry. So I am now well and truly confused why the essentials tester is reporting an error in the Local Machine Store.
I apologize that I earlier confused thumbprint with serial number when trying to be sure these matched. Please advise what I must do next, thanks so much – Steve
Robert – I did some additional investigating this weekend and found that I needed to follow more closely a Technet blog you published back in 2013. Once I did that, a new certificate was issued. However, new errors appeared when I ran the essentials tester after rebooting. The bindings of the web certificate and Mac websites were wrong – but I got those fixed easily enough – but – now the Errors Detected Local Machine Store include a Dashboard Certificate Error which was not present before. Checking the local machine store, the thumbprint of the new dashboard cert matches the one in the registry, and the dashboard launches ok. Below is the printout from the IIS Test and CA Test:
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected : Microsoft Windows Server 2012 Essentials
Local IP Address : 192.168.10.10
System Type : Domain Controller
IPv4 DNS Servers : 192.168.10.10
DNS Forwarder : 192.168.10.1, 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (WindowsServerEssentials.com) July 2018
Version Info: Version: 2.22
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
5. Test Role Install
0. Quit
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Checking Virtual Directories..
Checking AppPools..
Checking ISAPI Filters..
Checking IIS SSL..
Checking TLS Version 1.0
Checking for Web.Config Corruption..
SFC Web.Config : OK
Checking IIS Bindings..
Binding Missing : Default Web Site
Checking IIS Authentication..
Review your results, items in red should be investigated.
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected : Microsoft Windows Server 2012 Essentials
Local IP Address : 192.168.10.10
System Type : Domain Controller
IPv4 DNS Servers : 192.168.10.10
DNS Forwarder : 192.168.10.1, 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (WindowsServerEssentials.com) July 2018
Version Info: Version: 2.22
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
5. Test Role Install
0. Quit
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://ASUS-P5WDH/CertEnroll/sl-w-main-ASUS-P5WDH-CA.crl
CRL Destination : c:\windows\temp\crl.crl
CRL Download : OK
Testing CRL Distribution Configuration..
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Current Dashboard Certificate : 5B3627E2CEC61873336943E8C8F88D71CCA45472
Dashboard Certificate : Error : D8CB0F0D3765FFF0D268882BB8D35EE10E5F5E1D
Dashboard Certificate : OK
Review your results, items in red should be investigated.
I tried to resolve this by marking the original Dashboard certificate as revoked – superseded, rebooted, but the results are still the same.
Please advise what I need to do to correct. All of the services start and run as expected. The dashboard launches.
Thanks –
Steve
It’s just showing you that you have another dashboard cert that may be an issue. It is only shown for informational purposes. Sounds like you have fixed your issues though.
Hi Robert, Great tool.
Having difficulty connecting a new Win 10 Client PC to our Server 2012 r2 essentials using the connector. It finds the server but cannot connect. All the following are showing red but we are not expert server administrators and would appreciate some guidance on how to fix these SSL related errors.
No other errors for all the other tasks.
Tim
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Connect Website : Error : 403
Checking IIS Authentication..
Directory : Default Web Site/Connect
SSL Settings : Ssl
Site : Default Web Site\Customization
Authentication : digestAuthentication
Enabled : False
Site : Default Web Site\RDWeb\FeedLogin
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\RDWeb\Pages
Authentication : digestAuthentication
Enabled : False
OK, go into IIS Management.
Expand Default Web Site, go to /Connect.
In the right hand side find SSL Settings.
Make sure ‘require SSL’ is unticked and the other setting is set to ignore.
Under /Customisation, look at Authentication Settings, make sure only ‘Anonymous’ is enabled.
Have you by any chance installed any additional features like RD Gateway Web Access?
Hi Robert, I have spent a very long time trying to connect the Win 10 client, and thanks to your help, the issue has been resolved within minutes and the new client is connected – I am very grateful.
Running the tester again on the server, the following items are showing red:
Checking IIS Authentication..
Site : Default Web Site\RDWeb\FeedLogin
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\RDWeb\Pages
Authentication : digestAuthentication
Enabled : False
To answer your other question, yes, we have installed RD Gateway Web access.
Tim
That is why those errors show as that role is not present or required by essentials.
Hi All,
I have been trying for… months! to get my connector working again. Using the Config Tester I have managed to knock off as many errors as I can but I am still getting a 401 error. All clients can ping the server, and I have tested clients connecting to fresh installs of Server 2016, so I know it is server side.
Checking Connect Site..
Connect Website : Error : 401
Any ideas?
Thanks
401 sounds like an authentication issue on the page. Can you post the actual error message?
Hi Robert, in the end I created a from-scratch sandbox and went through every IIS setting for all sites, and I think it was a Windows authentication being turned on. Sadly I was at the end of my tether and at that point kept no change log, but it’s working after a long, long time so not complaining. Thanks for your really helpful tool, I had a few issues which this allowed me to work through. Thanks again :-)
Robert, how do I use the tool? I am having certificate problems with Windows Storage Server 2008 R2 after resetting the WD Sentinel DX4000 to factory settings. The name of the server changed and now I can’t access it, and when I run the setup wizard I get Certificate Authenticity rejections.
Are you accessing it using the new name or the old name?
Hi Robert
Thanks for the script – a light in a very dark space
I did a migrate from an existing SBS2011 server to Windows 2016 with the Essentials role
Only two servers – the DC and the Exchange
All seems to be working – Exchange, DNS, DHCP etc but I fear the CA migrated badly.
Your tool gives the all clear (as does pkiview) bar three lines, which I am pretty certain are a result of the botched CA migrate
I just wondered if you could shed any light on those errors as I cannot get the Connector to work and am having some weird errors due, I believe, to Certificate issues
the errors are:
Certificate Authority Name : Name Error
Certificate Authority Cert : Errors Detected – Local Machine Store
Testing /Connect Certificate Package..
Connect Computer Certificate : Errors Detected – ProgramData
Understand the name difference (the old CA cert was migrated) but not sure how to get over the third as I believe it is why the computer connector cannot “find” the server.
thanks in advance
Paul R
I’m surprised the Essentials role installed with those errors present. Does the dashboard open?
Yes and can be accessed both internally and externally as a remote app (I have third party FQDN SSL Certs on both Mail and Remote). Exchange Redirect in the Dashboard setup fine and is confirmed working. DNS and DHCP check out. DeltaCRL, AIA, CDP and CRT check out fine from pkiview.
The only error I get from the Connector is the “ClientSetup: Call MachineIdentityManager.GetMachineStatus General: Failed to open IDENTITY registry key” which seems to suggest a CA issue, which is why I was interested in what your script is telling me. Obviously something is wrong but the MS tools seem to say all is good.
That key is created as part of the essentials install, it stores information about the CA (I think) and the local machine cert tied to the dashboard.
Hi Robert
Some more checking. Your script compares the $LocalCA variable to the results of get-childitem cert:\localmachine\my | where { $_.Subject -like “*-CA” }
If I eyeball the results of both, the format might be different enough to throw the error ? (see below)
> $LocalCA = get-childitem cert:\localmachine\my | where { $_.Subject -like "*-CA" } | foreach { $_.Thumbprint } | out-string
> C6CD46785AE035B6AE5AD3EBB1415B0EFBF58C24
> 626CDA2CFD404ED84FEA0696EF747ED9A992916A
> 1D9D482945C7E82B426A32B683C59E31711B304F
> 16545BB3467F18D6CD4EAE4206ABEB172FC4678D
> 0CFA37C4A64CFDE4FE88D5461CAB5710230B2080
> get-childitem cert:\localmachine\my | where { $_.Subject -like "*-CA" }
> Thumbprint                               Subject
> ----------                               -------
> C6CD46785AE035B6AE5AD3EBB1415B0EFBF58C24 CN=blanked-SERVER01-CA
> 626CDA2CFD404ED84FEA0696EF747ED9A992916A CN=blanked-SERVER01-CA
> 1D9D482945C7E82B426A32B683C59E31711B304F CN=blanked-SERVER01-CA
> 16545BB3467F18D6CD4EAE4206ABEB172FC4678D CN=blanked-SERVER01-CA
> 0CFA37C4A64CFDE4FE88D5461CAB5710230B2080 CN=blanked-SERVER01-CA
The CA name (because it has been migrated) is different to the machine name. AFAIK, this is not a problem but no doubt throws an error when you compare $CAName (which returns the CA Name) to $env:COMPUTERNAME (which returns the actual machine name).
As mentioned before, this seems acceptable behavior.
So both those are a bit of a furphy
However, the output of $ProgDCA is
> CD03F1486F359217266CB3D71A3DD47806D15BD4
Which matches none of the above thumbprints. So my ROOTCA.crt is registered wrongly?
At least I think I am heading in the right direction.
Hopefully the above comments on your script helps some other poor soul out there.
thanks
Paul R
I am that poor soul. Thanks to this handy tool I’ve narrowed down the issues with VPN and a client connector to the certificate server. However, since everyone is working from home I am doing all I can just to keep the VPN up (it crashed last week and then again this week – with the dreaded 443 and 80 port blocks in Anywhere Access). I think I need to rebuild my certificate authority but I don’t want to do that right now because I am afraid it might lock everyone out (again).
I have multiple certs listed in the CertEnroll virtual directory. I think the bindings are correct because everyone (for the most part) is able to vpn in successfully. The connector is messed up because some people connect and I can see them online in the Dashboard, and some people connect and have access to network but they show as offline in the Dashboard.
Here is my test report for the CA:
Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
At C:\Users\XXXXXX\Downloads\EssentialsTester.ps1:1121 char:17
+ … $cert = Get-Item “C:\ProgramData\Microsoft\Windows Server\Data\CA …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\ProgramData\…Data\CAROOT.cer:String) [Get-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand
Exception calling “Import” with “1” argument(s): “Array may not be empty or null.
Parameter name: rawData”
At C:\Users\XXXXXX\Downloads\EssentialsTester.ps1:1123 char:9
+ $certPrint.Import($cert)
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing CRL Download..
CRL Location : http://XXXXXXX/CertEnroll/XXXXXX-XXXXXXX-CA.crl
CRL Destination : c:\windows\temp\crl.crl
CRL Download : OK
Testing CRL Distribution Configuration..
It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
CRL Extension (CDP) : OK
CRL Extension (CRL) : OK
Testing Dashboard Certificate..
Current Dashboard Certificate : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Dashboard Certificate : OK
Any advice on how to carefully and confidently fix my trust issues welcome.
Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
You need the CA root certificate in cer format in that folder, for one.
What other issues do you have?
It existed at one time right? I went and looked and it is not there…can I pull it from backup?
Or just export it from the Certificate Authority mmc.
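The thumbprint comparison raised in the two threads above (a reference thumbprint checked against the "*-CA" certificates from the Local Machine store, and the missing CAROOT.cer file), as an added example that is not part of EssentialsTester.ps1 or of any comment. The function names are hypothetical, the sample thumbprints are the ones Paul R posted, and treating his $ProgDCA value as the thumbprint of the CA file under ProgramData is an assumption.

```powershell
# Added example; function names are hypothetical, not taken from EssentialsTester.ps1.

function ConvertTo-NormalizedThumbprint {
    # Drop everything that is not a hex digit (spaces, CR/LF, invisible characters
    # picked up when copying from the certificate dialog) and upper-case the rest.
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Thumbprint)
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-ThumbprintList {
    # Turn multi-line text (for example the result of "... | Out-String") into
    # individual 40-character SHA-1 thumbprints, one per input line.
    param([Parameter(Mandatory=$true)][AllowEmptyString()][string]$Text)
    foreach ($line in ($Text -split '\r?\n')) {
        $t = ConvertTo-NormalizedThumbprint -Thumbprint $line
        if ($t.Length -eq 40) { $t }
        elseif ($t.Length -gt 0) {
            Write-Warning "Skipping line that is not a single SHA-1 thumbprint: $line"
        }
    }
}

function Get-CaRootThumbprint {
    # Read the thumbprint of the CA root file. A missing file returns $null with a
    # warning instead of failing later inside the certificate import.
    param([string]$Path = 'C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer')
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "CA root certificate file not found: $Path"
        return $null
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $cert.Thumbprint
}

function Test-CaRootAgainstStore {
    # Compare one reference thumbprint against a block of store thumbprints,
    # element by element, after normalizing both sides.
    param(
        [Parameter(Mandatory=$true)][string]$CaRootThumbprint,
        [Parameter(Mandatory=$true)][AllowEmptyString()][string]$StoreThumbprints
    )
    $root  = ConvertTo-NormalizedThumbprint -Thumbprint $CaRootThumbprint
    $store = @(Get-ThumbprintList -Text $StoreThumbprints)
    New-Object PSObject -Property @{
        CaRootThumbprint = $root
        StoreCount       = $store.Count
        Match            = ($store -contains $root)
    }
}

# Sample input: the values Paul R posted above.
$storeText = @'
C6CD46785AE035B6AE5AD3EBB1415B0EFBF58C24
626CDA2CFD404ED84FEA0696EF747ED9A992916A
1D9D482945C7E82B426A32B683C59E31711B304F
16545BB3467F18D6CD4EAE4206ABEB172FC4678D
0CFA37C4A64CFDE4FE88D5461CAB5710230B2080
'@
$progDCA = 'CD03F1486F359217266CB3D71A3DD47806D15BD4'
Test-CaRootAgainstStore -CaRootThumbprint $progDCA -StoreThumbprints $storeText

# Constructed input: the first store thumbprint typed in lower case with spaces.
# Formatting differences alone do not cause a mismatch once both sides are normalized.
$mmcStyle = 'c6 cd 46 78 5a e0 35 b6 ae 5a d3 eb b1 41 5b 0e fb f5 8c 24'
Test-CaRootAgainstStore -CaRootThumbprint $mmcStyle -StoreThumbprints $storeText

# Live use on the server (reads the file and the LocalMachine\My store):
# $live = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*-CA' } |
#         ForEach-Object { $_.Thumbprint } | Out-String
# $file = Get-CaRootThumbprint
# if ($file) { Test-CaRootAgainstStore -CaRootThumbprint $file -StoreThumbprints $live }
```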
Hi Robert
I was pleased to find this script, so thank you.
Tool provides lots of green text and very little red for me. However my WHS-2011 dashboard still shows my computers offline and not being backed up. I can’t even connect a new computer.
Below is results of test on client and server.
CLIENT
*****************************************************************
** Essentials Server Configuration Tester (Client Version) **
*****************************************************************
OS Detected: Microsoft Windows 10 Pro
IP Address :
DNS Server :
Enter the hostname of your Essentials Server :
WHS
Connecting to.. WHS
IP Address Resolved: 192.168.232.202
Client DNS Server : Error
TCP 80 (Used for Websites) : OK
TCP 443 (Used for Websites) : OK
TCP 6602 (Used for Status) : OK
TCP 8912 (Used for Backups) : OK
TCP 65520 (Used for Mac Website) : OK
TCP 65500 (Used for CA Website) : OK
Review your results, items in red should be investigated.
SERVER
Note that I commented out line 1990 ($currentIP = get-netIPConfiguration) as get-netIPConfiguration is not supported in the PowerShell I am running.
Test 1
************************************************
* Essentials Server Configuration Tester *
************************************************
OS Detected : Essentials2008
Local IP Address :
System Type : Member Server
IPv4 DNS Servers :
This tool will check your current Configuration against known Essentials Server Values.
Written by Robert Pearman (WindowsServerEssentials.com) July 2018
Version Info: Version: 2.22
1. Test IIS
2. Test CA Infrastructure
3. Test Services
4. Test Service Ports
5. Test Role Install
0. Quit
Enter Task..
1
Only Errors will be shown.
Checking Websites..
Checking Connect Site..
Checking Virtual Directories..
Checking AppPools..
Checking ISAPI Filters..
name : ASP.Net_2.0.50727-64
path : %windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_filter.dll
enabled : True
enableCache : True
preCondition : bitness64,runtimeVersionv2.0
PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
Location :
ConfigurationPathType : Location
ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0.50727-64′]
Attributes : {name, path, enabled, enableCache…}
ChildElements : {}
ElementTagName : filter
Methods :
Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema
name : ASP.Net_2.0.50727.0
path : %windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
enabled : True
enableCache : True
preCondition : bitness32,runtimeVersionv2.0
PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
Location :
ConfigurationPathType : Location
ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0.50727.0′]
Attributes : {name, path, enabled, enableCache…}
ChildElements : {}
ElementTagName : filter
Methods :
Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema
name : ASP.Net_2.0_for_V1.1
path : %windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
enabled : True
enableCache : True
preCondition : runtimeVersionv1.1
PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
Location :
ConfigurationPathType : Location
ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0_for_V1.1′]
Attributes : {name, path, enabled, enableCache…}
ChildElements : {}
ElementTagName : filter
Methods :
Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema
name : ASP.Net_4.0_64bit
path : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll
enabled : True
enableCache : True
preCondition : runtimeVersionv4.0,bitness64
PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
Location :
ConfigurationPathType : Location
ItemXPath : /system.webServer/isapiFilters/filter[@name='ASP.Net_4.0_64bit']
Attributes : {name, path, enabled, enableCache…}
ChildElements : {}
ElementTagName : filter
Methods :
Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema
name : ASP.Net_4.0_32bit
path : C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll
enabled : True
enableCache : True
preCondition : runtimeVersionv4.0,bitness32
PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
Location :
ConfigurationPathType : Location
ItemXPath : /system.webServer/isapiFilters/filter[@name='ASP.Net_4.0_32bit']
Attributes : {name, path, enabled, enableCache…}
ChildElements : {}
ElementTagName : filter
Methods :
Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema
get-webconfiguration : Filename: \\?\C:\inetpub\FusionPBX\web.config
Error: Cannot read configuration file
At C:\Apps\EssentialsTester.ps1:420 char:17
+ $isapif = (get-webconfiguration -pspath iis:\sites\* -filter "/system.webse …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], DirectoryNotFoundException
+ FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.IIs.PowerShell.Provider.GetConfigurationCommand
Checking IIS SSL..
Checking TLS Version 1.0
Checking IIS Bindings..
Checking IIS Authentication..
Site : vtiger\cron
Authentication : basicAuthentication
Enabled : True
Site : vtiger\cron
Authentication : clientCertificateMappingAuthentication
Enabled : False
Site : vtiger\cron
Authentication : windowsAuthentication
Enabled : True
Site : vtiger\data
Authentication : digestAuthentication
Enabled : False
Test 2
Enter Task..
2
Testing CA Name..
Certificate Authority Online : OK
Certificate Authority Name : OK
Certificate Authority Cert : OK
Testing /Connect Certificate Package..
Connect Computer Certificate : OK
Testing Dashboard Certificate..
Current Dashboard Certificate : 74BB8A8B9F73F65CD72820B0980F8093C1026503
Dashboard Certificate : OK
Testing CRL Download..
Unable to fully Test Certificate Authority on this Operating System.
Test 3
Enter Task..
3
Testing Services on: WHS
Active Directory Certificate Services : Running Auto
WSS Addins Infrastructure Service : Running Auto
WSS Client Computer Backup Provider Service : Running Auto
WSS Client Computer Backup Service : Running Auto
WSS Devices Provider : Running Auto
WSS Domain Name Management : Running Auto
WSS Health Service : Running Auto
WSS Identity Management Service : Running Auto
WSS Initialization Service : Stopped Auto
WSS Media Streaming and HomeGroup Service : Running Auto
WSS Networking Helper Service : Running Auto
WSS Notifications Provider Service : Running Auto
WSS Remote Web Access Administration Provider : Running Auto
WSS Server Backup Service : Running Auto
WSS Service Provider Registry : Running Auto
WSS Settings Provider : Running Auto
WSS SQM Service : Running Auto
WSS Storage Service : Running Auto
WSS UPnP Device Service : Running Auto
I started WSS Initialization Service and it runs for a short time then stops.
Test 4
Enter Task..
4
Testing Service Ports on : WHS
TCP 80 (Used for Websites) : OK
TCP 443 (Used for Websites) : OK
TCP 6602 (Used for Status) : OK
TCP 8912 (Used for Backups) : OK
TCP 65520 (Used for Mac Website) : OK
TCP 65500 (Used for CA Website) : OK
Test 5
Enter Task..
5
Checking Installed Roles..
The event viewer on the server has thousands of EventID 36878 SChannel
The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is 0x80090325. The attached data contains the client certificate.
I am out of my depth here and really appreciate some help.
Regards, Phil
After a little more digging:
I have uninstalled the connectors and removed the machines from dashboard and when I went to install the connector there were trust issues, which I overcame by importing a certificate from the server. That got the connector installed but no connections.
On the server, in a log file named SharedServiceHost-AlertServiceConfig.2.log I see many entries with:
ProviderFramework: Information: [0] : PfErrorHandler: IGNORING WCF internal exception: (SecurityNegotiationException) The remote certificate is invalid according to the validation procedure. ==> (AuthenticationException) The remote certificate is invalid according to the validation procedure.
ChainTrustCertValidator: Certificate is not supported (not rooted from service’s root cert). Expected root ca thumb=[8A5ACC7CDA0305C6D6FF7E562648990D1B396DA8], Actual = [4AE72E0721BD0831DA2D96BB7ADC03FD8E75B673]
Looking on the server at \Console Root\Certificates (Local Computer)\Personal Certificates I see 2x certificates with the server name followed by -CA
Issued to WHS-CA, Issued by WHS-CA, Expiration date 7/03/2052
Issued to WHS-CA, Issued by WHS-CA, Expiration date 25/05/2060
Details for the one with Expiration date 7/03/2052 has thumbprint of 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
Details for the one with Expiration date 25/05/2060 has thumbprint of 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73
The 2 also appear in \Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates
In Certificate Authority, a right click on WHS-CA and looking at the properties, under General, shows 2x CA certificates:
Certificate #0 with validity from 15/03/2012 to 7/03/2052 and thumbprint 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
Certificate #1 with validity from 2/06/2020 to 25/05/2060 and thumbprint 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73
These are the 2 mentioned in the log file.
When I couldn’t get the connector installed on the client PC, I exported Certificate #1 to a file and then imported into the client. The connector install on the client was then successful.
Looking on the client (WIN10 Pro) at \Console Root\Certificates (Local Computer)\Personal Certificates I see a certificate with the name of the client PC
Issued to DELL, Issued by WHS-CA, Expiration date 18/08/2050
It has a thumbprint of 49a921b7c43e63e78479bf1745aacd4d8e9496a7
Looking on the client at \Console Root\Certificates (Local Computer)\Personal Certificates I see 2x certificates with the server name followed by -CA
Issued to WHS-CA, Issued by WHS-CA, Expiration date 7/03/2052
Issued to WHS-CA, Issued by WHS-CA, Expiration date 25/05/2060
Details for the one with Expiration date 7/03/2052 has thumbprint of 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
Details for the one with Expiration date 25/05/2060 has thumbprint of 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73
That’s where I am stuck.
It seems to be a certificate issue but I have no idea on how to remedy it so looking for assistance here.
Thanks, Phil
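A read-only PowerShell check for the root mismatch in the log line quoted in the comment above, added here as an example (it is not part of the comment and not code from EssentialsTester.ps1). The function names are made up for this illustration; the log line and thumbprints are the ones quoted above.

```powershell
# Log line exactly as quoted in the comment above.
$logLine = 'ChainTrustCertValidator: Certificate is not supported (not rooted from service''s root cert). Expected root ca thumb=[8A5ACC7CDA0305C6D6FF7E562648990D1B396DA8], Actual = [4AE72E0721BD0831DA2D96BB7ADC03FD8E75B673]'

function ConvertTo-NormalizedThumbprint {
    param([string]$Text)
    # certmgr shows "8a 5a cc ..." while logs show "8A5ACC..."; keep hex digits only.
    ($Text -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
}

function Get-ChainTrustMismatch {
    param([string]$Line)
    $pattern = 'Expected root ca thumb=\[(?<exp>[^\]]+)\],\s*Actual\s*=\s*\[(?<act>[^\]]+)\]'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Expected = ConvertTo-NormalizedThumbprint $m.Groups['exp'].Value
        Actual   = ConvertTo-NormalizedThumbprint $m.Groups['act'].Value
    }
}

function Get-RootThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups: the only question here is which root the chain ends in.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

$mismatch = Get-ChainTrustMismatch $logLine
"Root the service expects : $($mismatch.Expected)"
"Root reported as Actual  : $($mismatch.Actual)"

# Read-only: list each certificate in the machine's Personal store with the root it chains to.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $root = Get-RootThumbprint $_
    $relation = 'other root'
    if ($root -eq $mismatch.Expected) { $relation = 'expected root' }
    elseif ($root -eq $mismatch.Actual) { $relation = 'root logged as Actual' }
    [pscustomobject]@{
        Subject      = $_.Subject
        NotAfter     = $_.NotAfter
        ChainsToRoot = $root
        Relation     = $relation
    }
} | Format-Table -AutoSize
```

If a certificate's issuer is not present in a local store, the last chain element is the highest certificate that could be found rather than a true root.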
Sorry for the delay in responding. Do you still need assistance?
Yes I would really appreciate some assistance, please.
OK, go to https://windowsserveressentials.com/support and drop me an email.
I’m having issues, too, but the PS script isn’t helping me. It’s crashing on both the server and the client. It shows “loading…” and then crashes.
What issue are you trying to solve?
I finally got the script to work in PowerShell ISE administrator mode. It all works well, except the DNS server is in red. I don’t know why. I can’t get the clients to connect to the server. It’s shown as “offline” both ways. I had them connected last year and backing up and I checked the backups this week and found they haven’t worked since at least November. I can ping all clients from server and vice versa. After difficulty, I have anywhere access working again. I can view and use the files on the clients from the server and vice versa. I have tried every trick I can find to connect them. Every help article online from every source doesn’t help me. I’ve given up. My error is “the server is unavailable”.
What errors are reported on the server?
I got everything to work through a fluke. I was ready to reinstall the OS just to start from scratch. Even though I have technically been having problems for a year, I only started noticing and fixing this last week. I noticed the server had (for whatever reason) only one system image, and it was for one day earlier, well into my problems. I thought, “what the hell” and used it. And then it all worked. I now have every client re-attached. I first uninstalled any WS2012R2E connectors and related software. Then I manually addressed the client using the server as the primary DNS, and the router as the secondary DNS. Then I rebooted the client and downloaded the connector from the server. After an installation, and another reboot for good measure, everything is back to square one.
Peter,
Thank you for this. I have a few issues with our Windows Server Essentials 2012 since a supplier added an internal website (not sure what they did) and then removed it, using IIS I imagine.
I have downloaded and run all your checks. The items in red are windowsAuthentication and digestAuthentication.
Not sure where to go with that, and I have 6 missing roles:
Bitlocker
Enhanced Storage
RSAT feature Tools
RSAT feature Tools Bitlocker
RSAT feature Tools Bitlocker Remote admin tool
RSAT feature Tools Bitlocker BdeAducExt
Do I need these?
Any help much appreciated.
Checking IIS Authentication..
Site : Default Web Site\RDWeb\FeedLogin
Authentication : windowsAuthentication
Enabled : True
Site : Default Web Site\RDWeb\Pages
Authentication : digestAuthentication
Enabled : False
The roles, no. If those authentications show as red then turn them off.
The link for the EssentialsTester.ps1 script does not work any more (Microsoft seem to have changed their download site).
Hi, interested in having access to this script but it seems to be no longer available from the link in your description – probably lost in the migration from TechNet to Docs by Microsoft :-( Can you make the download available again?
I’ll dig it out and put it on GitHub.
https://github.com/titlerequired/public
Thank you :-)
Hi, very nice script! I also have problems connecting a new Windows 10 machine to the connector. After I entered the username and password, the message appears that the server cannot be reached.
The log contains the information that no secure SSL/TLS connection can be established. Your script shows no problems with TLS 1.0. Do you have another tip?
Don’t use the connector is the best tip I have for you.
Haven’t used this script in a while as I have intentionally hardened the server to turn off TLS 1.0. I finally realized that I needed to update even a new Windows 10 computer to use more secure TLS before I could run the connector. Blogged here: https://www.mcbsys.com/blog/2022/05/cant-connect-to-essentials-2016-from-new-windows-10-machine/.