Posts Tagged ‘2016 Essentials’

Windows Essentials Connector “Server is Not Available”

After an Essential Server migration (from 2012R2 to 2016 Essentials) I was moving my client machines to add them to the Essentials Dashboard on the new server using the Connector application. I had already removed the Essentials role from the old server – meaning it was no longer a domain controller either.

I found when running the connector the above error message kept showing up. I rebooted the server, disabled the firewall, cleaned out DNS entries of old DC/Essentials server and tried a host of other tricks found on the web – nothing worked.

Finally I found a site that suggested the workstations in the domain needed to have their secure channel reset with the new domain controller – huh – who ‘da thought that would be the case since they were authenticating and users were able to logon to their workstations just fine… That’s so weird.

To stop the above error message, all I had to do was run: nltest /sc_reset:<domain.local> (pointing to the internal FQDN of my domain). I ran this in an Admin cmd prompt (or PowerShell); after doing so, running the connector worked! Success. I wish I had the link where I found this solution so I could give credit here. This also explains why the solution of disjoining workstations from the domain and rejoining would work, but that is a bit drastic when the above command does the trick. (Another solution was to remove and re-add the Essentials Experience role on the server; also drastic and not necessary!)

Another thing I did was push out via my RMM the registry key to tell each system to skip domain join since they were already part of the domain. The command is the following:

reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1

Thanks for reading and hope above solution helps you!

2016 Essentials Remote VPN Alternative

Most know the error message below quite well; it appears from time to time when Windows Live is not able to register the "*.remotewebaccess.com" domain name. Microsoft is pushing this feature away and I don't think it will be supported much longer. The result is to find an alternative: use your server's Certificate Authority role or purchase an outside certificate. This post provides instructions for creating your own Remote VPN certificate from the Certificate Authority role on the Essentials server (or any Windows Server version 2016 and above) to use for the remote connection to the office.

A previous post here “2016 Essentials – Anywhere Access setup fails” talks about the solutions to the above error message. Most of the time adding the registry keys and rebooting the server fixes the problem. Recently this hasn’t been the case.

The SOLUTION is to use the Certificate Authority role on the Windows Server to create a "RemoteVPN.domain.com" certificate to use with the Anywhere Access wizard. There are a few gotchas with this process, so please read the steps below carefully, even if you feel you're an expert with Essentials and certificates.

The Problem

Each time the Anywhere Access wizard was run, the error pictured above would show. Adding all the registry hacks to fix it, with multiple reboots, did not fix the issue.

From the Dashboard logs under "C:\ProgramData\Microsoft\Windows Server\Logs", the file "SharedServiceHost-ManagementServiceConfig.log" showed this error each time the wizard was run: "DomainManagerFault:[Reason:CommunicationFailure, Message:GetUserDomainNames failed, Detail:Could not establish trust relationship for the SSL/TLS secure channel with authority 'dyndns.domains.live.com'", indicating that live.com wasn't accepting new registrations for remotewebaccess.com domains!

Alternative Solution: Setup external DNS address & Create own RWA certificate

Below are the steps to follow to implement this solution. Prerequisites: the router is forwarding ports 80 and 443 to the server; NPS (Network Policy Server) is installed; a "remotevpn.domain.com" DNS entry exists in the public DNS zone you have for your client.

Create Certificate on Server:

  1. Use the Internet Information Services (IIS) console to create a domain certificate, then export the certificate to a password-protected .pfx file in the c:\temp folder. This cert will be used for the https://remotevpn.domain.com remote website.
  2. Open the IIS console, click on the server on the left side (root), then on the right side click on Server Certificates.
    • Click on Create Domain Certificate.
      • Common Name: this is the remotevpn.domain.com name, the primary name on the cert
      • Organization: the company name
      • Organizational Unit: can be left blank
      • City: enter the city
      • State: enter your state
      • Click Next
    • The next page asks you to specify the Online Certificate Authority; click Select to specify the Root CA server (Windows Server CA role).
    • For Friendly Name type something like: Anywhere Access VPN; click Finish.
    • Next, click on the new certificate in the list of certs, then right-click and choose Export.
      • Export to: click the button and enter the path c:\temp\remotevpn.pfx
      • Enter a password you can remember.

Setup Anywhere Access using new Certificate

  1. Open the Anywhere Access window: from the Dashboard console, go to Settings, Anywhere Access.
  2. Click on the option to set up your own domain.
  3. Select "I want to use a domain I already own".
  4. Type in the domain name: remotevpn.domain.com; click Next.
  5. Select "Set up my domain manually"; click Next.
  6. Type in the URL: https://remotevpn.domain.com. If your domain name is different, click on the Change button.
  7. Click on "I want to use an existing SSL certificate"; click Next.
  8. Check the box at the bottom: "I have manually configured my domain name"; click Next.
  9. Import the trusted certificate:
    • Browse to the file: c:\temp\remotevpn.pfx
    • Type in the password you used; click Next.
  10. The wizard should now run through the installation of Remote Web Access and VPN connections.
  11. This completes the process.

You can now open: https://remotevpn.domain.com/remote web page and sign in with domain account to view the devices and folders the user has access to.

Note: Domain joined machines automatically get the Root CA certificate added to the Trusted Root Certification Authorities Store.

Setup VPN for non-domain joined PC

If you have an outside PC that you want to connect over the VPN, open the IIS console again and go back to Server Certificates.

  1. Find the Root CA certificate (the typical name is Domain-servername-CA) and open the cert.
  2. Click the Details tab, then Copy to File; click Next.
  3. Select "No, do not export the private key"; click Next.
  4. Select "Base-64 encoded X.509 (.CER)".
  5. Specify the file name: c:\temp\rootca.cer; click Next and Finish.
  6. Copy this file to the outside computer on which you want to set up the VPN connection.
  7. Install the certificate, making sure to select the store you want to install it in: Trusted Root Certification Authorities.

Note: if you use the "remotevpn.domain.com/connect" page to install the Essentials connector, it will install the VPN solution for you and you don't need to do anything further, but it will also join your PC to the domain. If you don't want that, follow the steps below to create your own VPN connection.

Steps for manual installation of VPN to remotevpn.domain.com

Set the No Certificate Revocation Check on the Computer

SSTP checks the VPN server's certificate for revocation, and the CRL published by an internal CA is normally not reachable from outside the office, so the check fails and the connection is refused. This setting skips the revocation check on this PC only; note that it also means a revoked server certificate would not be rejected there.

  1. On the PC, open regedit.exe and browse to this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters
  2. Right-click on Parameters, click New, then DWORD (32-bit) Value, and name it: NoCertRevocationCheck
  3. Open the DWORD and set the value to 1.
  4. Close the registry editor.

Or, from an elevated command prompt, type:

reg add HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v NoCertRevocationCheck /t REG_DWORD /d 0x1 /f

Create the VPN connection on PC

  1. Open Network and Sharing Center from Control Panel.
  2. Click on the link "Set up a new connection or network".
  3. Click on "Connect to a workplace (VPN)"; click Next.
  4. Choose the option "No, create a new connection".
  5. Select the top option: "Use my Internet connection (VPN)".
  6. Internet address: remotevpn.domain.com; change the name to Client-VPN (or whatever you wish).
  7. Since you are setting this up manually, do not select the option to remember credentials.
  8. Back in Network and Sharing Center, click on the menu to change adapter settings.
  9. Open the Properties of the VPN connection you just created.
  10. Click the Security tab and choose the options below:
    • Type of VPN: SSTP
    • Data encryption: Require encryption
    • Under Authentication, click on "Allow these protocols"
    • Select only Microsoft CHAP Version 2 (MS-CHAP v2).
  11. Now you're ready to make the connection from your PC to the office VPN.
  12. Open the connection and type in your credentials; it should connect you to the office network.

Note: During my extensive troubleshooting, I tinkered with NPS Policy Server policies to make things work, however, all this was moot and unnecessary. The KEY was to change the VPN connection to only use MS-CHAPv2 as that matches the NPS policy settings.

The caveat to this option is of course renewal of the remotevpn.domain.com certificate when it expires: there is no auto-renewal, so this will need to be a manual process.

Another certificate option is to download the Certifytheweb.com application and use Let's Encrypt to create free certs that will auto-renew and whose root certificates are already trusted on any workstation. This is on the list to test out in the near future.

Thanks for reading. Comments are welcome!


2016 Essentials – Anywhere Access setup fails

When setting up a new 2016 Essentials server (or really any version of Essentials) and you try to create/add a domain name to append to the remotewebaccess.com domain, the UI wizard fails with this error window:

An error occurred while setting up your domain name: The domain name was not setup for your server. Wait a few minutes and run the wizard again. An unknown error occurred.

No matter how much time you wait, the same error pops up each time. The problem isn’t DNS, or the server itself but rather the Cert revocation checks for .Net Framework!!

To fix this you have to create a .reg file (call it what you want, but it has to include the following settings):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

After making the reg file, merge it and REBOOT the server, or the Anywhere Access wizard may still show the above error message. After the reboot, open the Essentials Dashboard and re-run the Anywhere Access wizard, using a Hotmail account to create the domain <customer>.remotewebaccess.com. Then click through the wizard to install VPN and Remote Desktop. Make sure the router and ISP are forwarding port 443 to the Essentials server.
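The same four keys can be applied and then verified from an elevated PowerShell instead of merging a .reg file. This is an added example, not from the original post; the function names are my own.

```powershell
# Added example (not from the original post): apply the .NET Framework TLS
# registry values from the .reg file above and verify them afterwards.
# Run in an elevated PowerShell on the Essentials server.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$values = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

function Test-DotNetTlsSettings {
    # One row per path/value with the current setting, so you can see what
    # is missing before the change and confirm everything afterwards.
    foreach ($path in $paths) {
        foreach ($name in $values.Keys) {
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Path = $path; Name = $name; Current = $current
                Wanted = $values[$name]; Ok = ($current -eq $values[$name])
            }
        }
    }
}

function Set-DotNetTlsSettings {
    foreach ($path in $paths) {
        # The Wow6432Node v2.0 key may not exist yet; create it before writing.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $path -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Set-DotNetTlsSettings
$report = Test-DotNetTlsSettings
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'Some values did not apply; check that the prompt is elevated.'
} else {
    Write-Host 'All values set. Reboot before re-running the Anywhere Access wizard.'
}
```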

UPDATE: December 5, 2022.

Tonight I had a similar issue with a 2016 Essentials server: the Devices all turned gray (Offline state) after installing Anywhere Access on the server. (I had to manually install RRAS for DirectAccess and VPN before the Anywhere Access wizard would install successfully, but that's another blog I need to write.) Installing the DirectAccess role disconnected all the clients from the Dashboard and no matter what we tried to "fix" the client, nothing worked. Argh!!

Update: September 16, 2023

Today I found that I could no longer create a new remote connection with the *.remotewebaccess.com domain name. After extensive troubleshooting, decided to just use the CA resources on the Essentials server to create my own Remote Certificate for Remote Site and VPN solution. Rather than make this blog that much longer, I created a new post here: https://jvhconsulting.com/2023/09/17/2016-essentials-remote-vpn-alternative/ where you can find all the details for performing this alternative solution.

Computers not showing up in Dashboard – Offline status

1. Uninstall the Connector.

2. Delete the Data and Logs folders from \ProgramData\Microsoft\Windows Server.

3. Open Task Scheduler and delete all tasks under Microsoft > Windows > Windows Server Essentials, then delete the Windows Server Essentials folder itself.

4. Delete the VPN SSTP connection.

5. Reboot the client.

6. Reinstall the Client Connector. For most other occasions this should fix the clients.

In tonight’s case though, messing with the client did not fix it. What did finally work is found under this Blog by ShoemakerBrian.

Not sure how he found this solution, but it instantly fixed the clients' Online status:

Open Admin PowerShell and run command below, changing the IP with the IP address of the Essentials server:

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.10, 6001-6601", "192.168.1.10, 6603-47000")

Brilliant! – All clients now showed up in the Dashboard.

Hope this helps everyone that runs into this issue. It’s a frustrating one and not many solutions out there.

Remotewebaccess VPN disconnects (Error 829)

A client told me he couldn't access the remotewebaccess.com VPN to the office. It would connect and disconnect, or any connection would only last a few seconds before disconnecting. Event log errors include Error 829.

At first I thought it could be the server needed a reboot. Nope, wasn’t it.

Looked at the RWA certificates on the server and did notice that the one that was being used expired today. Hmmm. So I checked IIS and looked at the Bindings for the Default Website – but the server had already bound the new RWA certificate to it. Still clients couldn’t connect.

Looking further at the client event logs, this is an example of one of the error messages:

CoId={3AE1BD1D-CF91-4B7B-A93F-7A59705A1EF5}: The user WIN10TEST\username dialed a connection named customerDomain.remotewebaccess.com which has terminated. The reason code returned on termination is 829. All this means is a disconnected session. Great no help there.

Searched the web and found this bit of information:

The RWA certificate set in IIS is also used by Routing and Remote Access Server Configuration – not for authentication but for maintaining secure TLS connection. So even though the IIS cert was updated, RRAS console doesn’t upgrade it automatically :(.

Solution: Go to Routing and Remote Access snap-in, right-click on the properties of your router (MACHINE-NAME (local) properties in the tree-view to the left) select the Security Tab; you will be warned that there’s no TLS certificate selected (the previous has expired in my case) and select the certificate that has the next year’s expiration date – can select and then view them prior to saving. This will force a RRAS service restart. Thereafter clients can connect and remain connected :).

For those running Windows 2016 Essentials, the Routing and Remote Access console doesn't allow you to do anything. In order to make sure the certificate bound in IIS is the same one used by the Remote Access Management console, you will need to do it via PowerShell.

PS C:\>$cert = Get-ChildItem -Path cert:\localmachine\my

PS C:\>$cert

PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint Subject
———- ——-
2E8C3E033E6FE206D361BD3E320069281C84DBFF CN=ClientName.remotewebaccess.com
C27BA22FB767A07BA8509ECF88E847047AB83E5F CN=DirectAccess-RADIUS-Encrypt-domain.local
In this case the 2E8C… Thumbprint is bound to the IIS Default website Bindings under :443. 

Next command:

$cert2 = Get-ChildItem -Path cert:\localmachine\my |Where-Object Thumbprint -eq 2E8C3E033E6FE206D361BD3E320069281C84DBFF

Set-RemoteAccess -SslCertificate $cert2 -Verbose

This will set Remote Access to same certificate Thumbprint as the IIS Default Web Site Binding certificate for 443. This will now allow your VPN clients to connect successfully. 

The second part is to make sure the Remote Access Management console shows the same certificate as the IIS Default Web Site binding.
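Rather than copying a thumbprint by hand, the certificate can be read from the IIS port 443 binding and RRAS pointed at it only when the two differ. This is an added example, not from the original post; the function names are my own, and it assumes the WebAdministration and RemoteAccess modules that Anywhere Access installs on the server.

```powershell
# Added example (not from the original post): keep the RRAS SSTP certificate in
# step with the one IIS has bound to port 443 on the Default Web Site.
Import-Module WebAdministration
Import-Module RemoteAccess

function Get-IisHttpsCertificate {
    param([string]$SiteName = 'Default Web Site')
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
    if (-not $binding) { throw "No https binding on port 443 found for '$SiteName'." }
    # The binding records the thumbprint and store of the certificate IIS serves.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$($binding.certificateStoreName)" |
        Where-Object Thumbprint -eq $binding.certificateHash
    if (-not $cert) { throw "Certificate $($binding.certificateHash) from the IIS binding is not in the store." }
    return $cert
}

function Sync-RemoteAccessCertificate {
    $iisCert = Get-IisHttpsCertificate
    # An expired cert is what caused the Error 829 disconnects above, so refuse
    # to push one to RRAS and warn when renewal is coming up.
    $daysLeft = ($iisCert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        throw "IIS certificate $($iisCert.Subject) expired on $($iisCert.NotAfter); renew it in IIS first."
    }
    if ($daysLeft -lt 30) { Write-Warning "IIS certificate expires in $daysLeft days ($($iisCert.NotAfter))." }

    $rrasThumb = (Get-RemoteAccess).SslCertificate.Thumbprint
    if ($rrasThumb -eq $iisCert.Thumbprint) {
        Write-Host "RRAS already uses $($iisCert.Thumbprint) ($($iisCert.Subject)); nothing to do."
        return
    }
    Write-Host "RRAS uses '$rrasThumb', IIS uses $($iisCert.Thumbprint); updating RRAS."
    # Set-RemoteAccess restarts the RemoteAccess service, so current VPN sessions drop briefly.
    Set-RemoteAccess -SslCertificate $iisCert -Verbose
}

Sync-RemoteAccessCertificate
```

Run it again after every certificate renewal in IIS; when the thumbprints already match it changes nothing.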

Here are the commands to run in PowerShell to set up a static IP address pool for the Anywhere Access VPN connection:

  1. Set the pool:
     Set-VpnIPAddressAssignment -IPAssignmentMethod "StaticPool" -IPAddressRange "192.168.25.80", "192.168.25.99" -PassThru
  2. To check the IP assignment method without changing it:
     (Get-RemoteAccess).IPAssignmentMethod
  3. To check the IP range:
     (Get-RemoteAccess).IPAddressRangeList
  4. Get-RemoteAccess gives you the complete status of the Remote Access configuration.
  5. After doing this, reboot the Essentials server. Afterwards you should be able to connect to the Essentials server VPN and reach the client's network (servers, gateway etc).