Windows Server Essentials – Configuration Troubleshooter

I had a support case this week where it became apparent to me that there is no quick and easy way to test Essentials Servers for configuration errors. Manually working through IIS or Certificates is prone to human error, as I proved by missing certain key things.

Uncharacteristically, I decided to write a PowerShell script to save me from this sort of embarrassment in the future, and make me look really good next time I need to troubleshoot an Essentials Server.

You can download the tool from here, and I am very interested to hear how it works for you.

If you have already downloaded it, I have updated the tool so you should download it again!

What does the tool do?

Well, it checks a number of things that I have found are the key things that make an Essentials Server tick. That is IIS and MOST IMPORTANTLY, Certificate Services.

I knew that the CA was pretty significant to an Essentials Server, but I didn’t know just how deep that significance went. In your Local Machine Certificate Store you have a number of certificates, and perhaps the most important file on the whole server (aside from perhaps ntds.dit) is your Certificate Authority Root Certificate. Without that, you cannot correctly reinstall the CA, and without that CA, you can’t do anything. It is not that you can’t reinstall the CA at all; you can. But the CA requires a specific name, and if you reinstall and generate a new key, the name is not likely to remain correct.

There may well be a way to get around even that scenario by hacking the crap out of AD, but honestly, I think I might take a reinstall over that.

That was a bit of a side track, so, again, what does this tool do?

Firstly it will decide if you are running on Essentials 2011, 2012 or 2012 R2.

It will then give you the choice of testing IIS or your CA. If you choose to test your IIS Configuration, it will inspect your Web Site Configuration, your Application Pools, Virtual Directories and ISAPI filters as well as your Web Site Bindings.

When you check the CA, it will check that the CA is available, that it has the right name (that is important), and that the certificate set in the Registry for the Dashboard matches what you have in your Local Machine Store. It will even download a copy of the CRL from your server and test that it is publishing the right information.

Essentials Configuration Tool

It compares all of this information to ‘Defaults’ and lets you know where you may have problems.

Essentials Configuration Tool Errors

I have run it against SBS 2011 Essentials, Essentials 2012, and R2, and it has identified the deliberate errors I have introduced and reported back correctly once those have been repaired.

Essentials Configuration Tool Results

I haven’t made it an exhaustive test of everything that could possibly go wrong on an Essentials Server; it really is just focussed on IIS and the CA, and even then it may not cover every scenario. Hopefully, if you do come across a broken Essentials Server, using this will do enough to point you to the fix, or at least help to rule some things out.
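Two of the CA checks described above, written out as an added example (this is not code from EssentialsTester.ps1): comparing the Dashboard certificate thumbprint in the Registry with the Local Machine store, and a CRL download that reports the URL and HTTP status instead of an unhandled exception. The registry key and value name are assumptions taken from the author's reply in the comments, where he gives them as "I think"; the function names and status hints are made up here, the hints summarising fixes reported in the comments.

```powershell
# Added example; not taken from EssentialsTester.ps1. Requires PowerShell 3.0 or later.

function Test-DashboardCertificate {
    param(
        # Assumption: key and value name as given (with "I think") in the comments.
        [string]$IdentityKey = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Identity',
        [string]$ValueName   = 'LocalMachineCert'
    )
    $r = [ordered]@{ Check = 'Dashboard Certificate'; Status = 'Error'; Detail = '' }
    try {
        $raw = (Get-ItemProperty -Path $IdentityKey -Name $ValueName -ErrorAction Stop).$ValueName
    } catch {
        $r.Detail = "Cannot read '$ValueName' under $IdentityKey"
        return [pscustomobject]$r
    }
    # Accept a binary value as well as a string, and tolerate spaces or lower case.
    if ($raw -is [byte[]]) { $raw = ($raw | ForEach-Object { $_.ToString('X2') }) -join '' }
    $expected = ([string]$raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $store = @(Get-ChildItem -Path Cert:\LocalMachine\My)
    $match = $store | Where-Object { $_.Thumbprint -eq $expected } | Select-Object -First 1

    if (-not $match) {
        $r.Detail = "Thumbprint $expected is not in Cert:\LocalMachine\My"
    } elseif (-not $match.HasPrivateKey) {
        $r.Detail = 'Certificate found but it has no private key'
    } elseif ($match.NotAfter -lt (Get-Date)) {
        $r.Detail = "Certificate expired on $($match.NotAfter)"
    } else {
        # Assumption: "extra" certificates are those sharing the registered one's subject.
        $extra = @($store | Where-Object {
            $_.Subject -eq $match.Subject -and $_.Thumbprint -ne $expected })
        if ($extra.Count -gt 0) {
            $r.Status = 'Warning'
            $r.Detail = "$($extra.Count) other certificate(s) share subject '$($match.Subject)'"
        } else {
            $r.Status = 'OK'
            $r.Detail = "Registry thumbprint matches '$($match.Subject)'"
        }
    }
    [pscustomobject]$r
}

function Test-CrlDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [string]$Destination = (Join-Path $env:TEMP 'crl.crl')
    )
    $r = [ordered]@{ Check = 'CRL Download'; Status = 'Failed'; Url = $Source
                     HttpStatus = $null; Detail = '' }
    # Hints drawn from the fixes reported in the comments on this page.
    $hints = @{
        404 = 'CRL not published, or the Default Web Site HTTP binding has a host name set'
        403 = 'Check whether "Use SSL" is ticked on the Default Web Site'
        500 = 'IIS configuration error; browse the site locally for the 500.x detail'
    }
    $wc = New-Object System.Net.WebClient
    try {
        $wc.DownloadFile($Source, $Destination)
        $size = (Get-Item -LiteralPath $Destination -ErrorAction Stop).Length
        if ($size -gt 0) { $r.Status = 'OK'; $r.Detail = "$size bytes downloaded" }
        else             { $r.Detail = 'Server returned an empty file' }
    } catch {
        $err = $_
        # .NET failures arrive wrapped; walk down to the WebException if there is one.
        $ex = $err.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response -is [System.Net.HttpWebResponse]) {
            $r.HttpStatus = [int]$ex.Response.StatusCode
        }
        $r.Detail = if ($r.HttpStatus -and $hints.ContainsKey($r.HttpStatus)) {
            $hints[$r.HttpStatus]
        } else {
            $err.Exception.Message
        }
    } finally {
        # Only reached OK if the file really arrived; clean up either way.
        $wc.Dispose()
        if (Test-Path -LiteralPath $Destination) {
            Remove-Item -LiteralPath $Destination -Force
        }
    }
    [pscustomobject]$r
}

# Usage (server and CA names below are constructed placeholders):
# Test-DashboardCertificate
# Test-CrlDownload -Source 'http://SERVER01/CertEnroll/EXAMPLE-SERVER01-CA.crl'
```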

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

119 Responses to Windows Server Essentials – Configuration Troubleshooter

  1. Just came across this tool, after having issues with a brand new server Essentials…

    I get a ton of errors when running the CA tests….any idea where to start looking/reading to fix these?

    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\gregh\downloads\EssentialsTester.ps1:800 char:17
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    Get-ItemProperty : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:801 char:32
    + $CRLDownload = Get-ItemProperty $destination
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Get-ItemProperty], ItemNotFoundExcepti
    on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

    CRL Download : OK
    Remove-Item : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:803 char:17
    + Remove-Item $destination -Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Testing CRL Distribution Configuration..
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : Error
    Dashboard Certificate : OK
    Dashboard Certificate : Error
    Dashboard Certificate : Error
    Dashboard Certificate : Error

  2. Alan Pendlebury says:

    Hey Robert, thank you for your post. I am 99% done with this configuration, but when I ran your tool I got this message, any idea where to start looking at this?

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Download : OK

    Testing CRL Distribution Configuration..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..

    • Is the Dashboard opening ok?

      • Alan Pendlebury says:

        Yes it opens ok. I can go to the domain name internally, but I cannot get it to render by dns or IP externally. I can also get to the connect page to download the connector internally but not externally. The configuration wizard, gives me the error saying Anywhere access to your server is blocked, that port 80 and 443 are blocked, but they are open on the firewall. It also tells me that Port forwarding is not configured correctly on your router, which it is. I read some more on these errors on Microsoft partner network, and they said that they can be ignored. I think I have a cert or a routing issue. The cert is installed correctly, at least I think, though I do not know what I am missing on the routing, cause I thought I covered everything.
        Thank you,
        Alan

      • Sounds like you have not opened the ports on your router, given that it is not working externally and you have those errors. At the very least confirm your server’s internal IP and check port forwarding on your router. It is also possible your ISP are blocking these ports. If the dashboard opens you may be able to discard the certificate error in the tool.

      • Alan Pendlebury says:

        Hey Robert,
        It was a firewall issue, the firewall rules were in place, but not working cause the firewall needed a firmware update. Once I updated the firmware on the firewall, then everything worked.

        Alan

  3. Susan E Russel says:

    Thanks so much for this tester. I get four errors:

    1. Certificate Authority Name: Name Error
    2. Dashboard Certificate: Error
    3. WSS Initialization Service: Stopped (Which I can start)
    4. TCP Port 65500 (Used for CA Websites): Error (I use 65510)

  4. Ken says:

    I received a 403. Great tool, BTW. I’m just trying to figure out how to re-test the HTTP request. One thing I like to do in my scripting is to echo the call if it returns an error. All we see below is that it happened, and roughly where, but we can’t see the HTTPS call it made.

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403) Forbidden.”
    At C:\Users\administrator.THETECHGUYS\Downloads\EssentialsTester.ps1:802 char:17
    + $wc.DownloadFile($source,$destination)

  5. birdman895 says:

    I do not have much experience in the areas of scripts and PowerShell. I am having an issue with multiple client PCs losing the Trust Relationship with the domain. After searching the forums and TechNet for information I found some references to your script, but… No matter what I do I keep getting this error

    I followed instructions to change the execution policy;

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

    And then ran the script

    PS C:\Windows\system32> F:\ServerFolders\Networking\EssentialsTester.ps1
    F:\ServerFolders\Networking\EssentialsTester.ps1 : File F:\ServerFolders\Networking\EssentialsTester.ps1
    cannot be loaded. The file F:\ServerFolders\Networking\EssentialsTester.ps1 is not digitally signed. The
    script will not execute on the system. For more information, see about_Execution_Policies at
    http://go.microsoft.com/fwlink/?LinkID=135170.
    At line:1 char:1
    + F:\ServerFolders\Networking\EssentialsTester.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

    what am I doing wrong?
    Alan

    • Right click the downloaded ps1 file, go to properties and make sure you click Unblock.

      I am not sure this script will be much help to diagnose Trust issues. Do you have a thread open on the TechNet forum?

      • birdman895 says:

        Thanks for answering. Yes I do have a thread on the Windows Server 2012 Essentials forum. But, I came in this morning and those 3 client PCs with the trust issue, are able to log in to the domain WITHOUT the trust issue. Don’t want to “look a gift horse in the mouth” but would like to know why :\. Only thing that changed was more Windows updates being installed.
        Alan

      • Link to the thread?
        Difficult to say really, I have seen inexplicable trust issues on Windows 7 clients on a number of domains.

  6. birdman895 says:

    Also, I did “Unblock” your file and it is running just fine.
    Thanks

  7. alerosmile says:

    Hi,
    Can you tell me why the name of the CA is important?
    Thanks

  8. James Brewster says:

    Hi Robert,
    I ran the test and the WSS Cert Server was showing Red status. I did a test in IIS Mgr in the Basic Settings Properties and the Pass-Thru authentication failed on the WSS Cert. Server Service folder? I replaced the Owner and amended permissions on the Folder and it still fails. If I change the Authentication to a specific user it works, but Connector Tool still does not? Any help appreciated.

    • I think those settings are as they should be, and if I remember correctly that test will fail.

      Can you put those settings back as they were and then rerun the test and post a screen shot?

  9. Hi Robert,

    I have a client that runs Server 2012 R2 Essentials server. After the initial client machines were connected and configured, the client wanted to set up Anywhere Access with a self signed cert, and tried various methods of installing the cert using IIS, all of which failed. Later, they installed a commercial cert. All original certs were left in the server. Anywhere access and every part of the network works fine, however, when you attempt to connect a new computer using the Essential Connector application (https:///connect ), it fails to run successfully.

    The connector page shows, and the connector tool downloads fine, but when it runs, it says it can’t find the Essentials server. If I point it to the correct server, it says it can’t get the information from the Essentials server. I have run Robert Pearman’s EssentialsTester.ps1 script, and it indicates the following problem:

    Testing CRL Download..
    CRL Location : http://serverxxx/CertEnroll/XXXX-serverxxx-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\admin\Documents\EssentialsTester.ps1:849 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
    CRL Download : Failed

    All other aspects of the tester seem to pass successfully. Any advice on how to resolve this issue? All help would be greatly appreciated.

    Brian

    • If you go to that URL in a browser, does it download the file or give an error?

      • If I go to https://servername/connect, it downloads the file. The file will start, but doesn’t “find” the essentials server. It defaults to the second option on the screen that asks what server, using the IP address. I can have it find the correct server in the first (top) option, but it says it can’t get the information it needs from the server and to contact the administrator.

      • Perhaps, I misunderstood with my earlier reply. Did you mean the URL for the connector, for the CRL Location, or the CRLDestination?

      • Brian Weinberg says:

        The CRL Location URL fails with a 404 error, when accessed from the client PC.

    • Also, if you could, please edit my original post to change the initial part of the .crl name to be XXXXX. I would appreciate it. Same with the username. Thanks. Your blog doesn’t allow me to edit the original post.

      • Did you reinstall Certificate services at all?
        It sounds like the CRL is either not being published correctly in CA, or the file is there but IIS is blocking it.

        If you go into IIS can you see the virtual directory for CertEnroll?

  10. Brian Weinberg says:

    I can’t say what was done prior in any detail regarding trying to use the self-signed cert, other than what I outlined above. I do know that they tried using the IIS tools to set up the self signed cert, as opposed to the Essentials wizard for installing a commercial cert using the Anywhere Access wizard. I have since run the Anywhere Access wizard to install a commercial cert.

    I do see the virtual directory for CertEnroll in IIS.

  11. I do have four files listed. Two CRL files, one .asp, and one .crt.

    The 404 page says: Not Found. HTTP Error 404. The requested resource is not found.

    • Not sure how much more help I can be through forum type support, I’d offer to log on and take a look if that is something you are interested in.

      • That could work. How do you propose we arrange this?

      • Drop me an email.

      • Brian Weinberg says:

        Forgive me, Robert, but I can’t find your email anywhere on your site. You have mine, included in the post information, if you can shoot me an email, we can set something up. Thanks so much!

        Brian

      • Due to Robert’s brilliant help on this, we tracked the problem down to two things. Not only was the wrong cert being used, but, the HTTP: binding for the default site had somehow had the Host Name field filled with “Default Web Site,” which prevented all access to the crl. Once the field was made blank, and the correct cert in place, restarting the IIS services enabled everything to work correctly.

        Robert, I can’t thank you enough for this!

  12. irishtechnomonster says:

    Hi Robert, I’m a bit of a novice when it comes to Windows Server 2012 but I’m having an issue where none of the client computers are backing up. I’m seeing a NotConfigured error in the event logs on the client machines although from what I can see it is configured correctly. There is very little info on this problem in google land but I came across this site on my travels. I ran the configuration tool on the server with no errors but I got a ‘Client DNS Server’ error when I ran it on one of the clients. Problem is I’m not sure how to troubleshoot that or even if it is related to the backup issue. Any help you could offer would be greatly appreciated!

    • The client should use the server’s IP as a static DNS entry.

      What do they have?

      • irishtechnomonster says:

        Hi Robert, thanks for the reply! Sorry I didn’t see it until now. I checked the ipv4 properties in adapter settings on the client and it’s set to obtain DNS server address automatically. Should I set this to the server’s IP?

      • irishtechnomonster says:

        I ran your essentials tester script on the client and am getting an error for the Client DNS Server. I tried setting the DNS IP to the server’s IP but I get the same result.

      • irishtechnomonster says:

        I’ve fixed the Client DNS Server issue (had to disable ipv6) and now script returns all ok. Unfortunately, the backup issue remains…

  13. Benjamin Cripe says:

    This is a great MS Essentials tool! First and foremost, thank you. I am having an issue that I recently inherited support on. I ran the PS tool across the server b/c I am having Status and backup issues. Also clients are unable to connect to the server via the URL http://servername/connect. Below are my findings thus far:
    TCP 80 (Used for Websites) : OK
    TCP 443 (Used for Websites) : OK
    TCP 6602 (Used for Status) : Error
    TCP 8192 (Used for Backups) : Error
    TCP 65520 (Used for Mac Website) : OK
    TCP 65500 (Used for CA Website) : OK

    • Do you have third party firewall or AV on the Server?

      • Benjamin Cripe says:

        No third party AV or FW’s are on the server. I believe that someone else has tried to fix this issue previously and has added and removed different roles from the server previously. Everything appears to be functioning as it supposed to be, just not able to join the domain via the http://servername/connect method. Although I am able to join manually via the local computers system properties. Then also their backups have been failing and the server itself is unable to see the client machines.

      • Can you check that the Windows firewall is enabled and has exceptions for those ports?

  14. Benjamin Cripe says:

    I went ahead and created a custom rule to allow those ports access. Unfortunately no luck. Are these ports supposed to be in the bindings for IIS? If so, I am not seeing them there.

  15. Benjamin Cripe says:

    Okay, thank you for confirming the IIS portion. The findings for the NetStat are:
    I see port 6602 listening in 22 different instances, but nothing for 8192

  16. Benjamin Cripe says:

    will do, thank you for the advice.

  17. Benjamin Cripe says:

    If I were to simply disable the FW temporarily after hours and then test. Could we eliminate that portion?

  18. Benjamin Cripe says:

    After hours this evening, I disabled all FW’s (local PC FW, Server FW, and Network FW) and I am unable able to telnet to those two ports 8912 and 6602. Although they report to be listening…any thoughts? I am able to connect on 443 and 80 obviously.

  19. Benjamin Cripe says:

    The client tool is still unable to connect with all firewalls disabled. I also went ahead and tried the http://servername/connect method and the error message “An unexpected error has occurred. To resolve this issue, contact the person responsible for your network”….unfortunately that is me, and I am unsure of the solution. Then I did run your PS tool and it claimed that there are errors on those ports. Any other suggestions?

  20. Bryan Wong says:

    Robert, I just did a brand new installation of Server Essentials Experience on a Server 2012 R2 box. I ran the tool, and an error was generated on the CRL Destination check. It returned the error (503) Server Unavailable. I hopped over to IIS to check the bindings, and things appear to be fine. Do you have any suggestions on what else to check? I tried navigating to http://servername/connect, and it is also giving the 503 Server Unavailable error.

  21. Halit says:

    Hi, thank you for the useful Tool.

    I’m stuck with the following error

    Testing CA Name..
    Certificate Authority Online : Error
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Where should I look first?

    My main problem is I can’t join new computers to the domain because the Connector Website is not accessible anymore.

  22. GrantD. says:

    I am getting a 403 Forbidden (You do not have permission to view this directory or page using the credentials that you supplied) when trying to connect a new client to an existing Essentials 2012 R2 server. Running EssentialsTester.ps1 shows a failure on CRL Download and 3 tests on Dashboard Certificate with 1 OK and 2 Errors.

    I am at a loss on where to correct this, and I am certain it has something to do with my attempts to set up Anywhere Access several months ago (this is the first client I’ve tried to add since then).

    Any insight would be appreciated.

  23. GrantD. says:

    If you could please edit the server name to something anonymous, I would appreciate it. :)

    • You should start by checking how many certificates you have for the server in the local machine store – it appears you have 3 and you should only have 1.
      If you go to HKLM:>Software\Microsoft\Windows Server\Identity
      I think the String is for LocalMachineCert – this is a thumbprint ID. and it should match one of the certs in the local machine store. You should remove the other two.

      • GrantD. says:

        I’ve identified the correct certificate. Can you provide instruction on removing the others?

        Also, any chance of removing my server name above in the test results?

      • I unpublished the comment so it should no longer be visible.

        Just right click and hit delete.

      • GrantD. says:

        Okay, just deleted the 2 extra certificates not matching the thumbprint from LocalMachineCert.
        Now the EssentialsTester does one “Dashboard” check and it passes. However, there is still a CRL download failure, as I’m sure would be expected at this point.
        IIS test returns the same, it appears.

      • GrantD. says:

        This was ultimately fixed with your help! After we got rid of the extra console certificates, the rest of the problem was fixed by unchecking “Use SSL” from the default web site under IIS (I’m sure I toggled that either in troubleshooting myself or when I set up Remote Access a few months ago).

  24. GrantD. says:

    Also, I have 3 other certificates showing as follows:
    –CA
    ..local

    Are these okay to leave in?

  25. GrantD. says:

    Now something odd has occurred. The WSE Dashboard says there are ZERO computers attached. Before, as in this morning, there were 7 including the server.
    I’m wondering if removing those “extra” certificates had something to do with it, but I don’t know.
    I’m assuming that client computer backups won’t take place now, which is a Bad Thing.

    • Assuming you deleted the correct certificate this would have been ok. If you have a backup of the server I can explain how to recover them. Can you confirm at least that the remaining ‘server’ certificate has a thumbprint that matches the registry entry?

      • GrantD. says:

        I can confirm the thumbprint matches the registry key.

      • I’d be inclined to crack on then and not worry about the other certs currently. Fixing the auth issue should rule out a lot of issues and get connect working again. I will be back in the office tomorrow and can compare my lab settings to yours.

      • GrantD. says:

        Also I have backups (twice a day).

      • GrantD. says:

        Sounds fine…a little worried I won’t get our desktop backups, but that’s me being overly uptight. :)

        I, too, suspect the connect site issue will fix all. I assume once that’s going, I can just run connect again and all will be well..

        Sidebar: I’m in the process of migrating the WSE2012R2 server to new hardware, but have only gotten so far as creating a new replica domain controller; I haven’t moved the FSMO roles or promoted the new box to a domain controller. Hopefully that doesn’t impact what we’re doing here directly. That happens in a couple of days, but I would like to get this healthy again before I press on.

      • If you are migrating, you will have to reinstall the connector software anyway, and will be starting with fresh backups of your PCs. It may be just as well to finish your migration than spend time troubleshooting here.

      • GrantD. says:

        That makes sense and I had considered that option, however I would like to understand what is broken here if possible. It’s obvious I created the issue, and I’d like to know what to avoid in the future. Furthermore, having everything healthy before I take the next migration step would ease my mind a bit. :)
        I also don’t want to impose on you unnecessarily. If this is something I can figure out in one or two more steps, fantastic! If it’s going to be a long, drawn-out detective process, I may have a change of heart.

      • I understand what you mean. It is difficult to say how long it would take to resolve, hopefully not too long.
        I suspect you have tweaked IIS to get Anywhere Access working, and with Essentials the last thing you want to do is tweak IIS, or play with the certificates.

        Can you tell me what authentication settings you have on… Default Web Site\CertSrv and \Connect

      • GrantD. says:

        \CertSrv: All disabled except “Windows Authentication”
        \Connect: All disabled except “Anonymous Authentication”

      • Can you send a screen shot of the 403 Error for /Connect ?

      • GrantD. says:

        Here’s the full text (don’t know how to post a screenshot here) upon opening http://(servername)/connect:

        Server Error

        403 – Forbidden: Access is denied.
        You do not have permission to view this directory or page using the credentials that you supplied.

      • GrantD. says:

        Also, WSE Best Practices Analyzer complains “Certificate subject does not match the name configured by the Domain Name wizard.” I’m only including that in case it helps narrow things down.

    • Just realised you installed Wsus. Did you install that to its own website or under default website?

      • GrantD. says:

        WSUS Administration is at the same “level” as Default Web Site, Mac Web Service and WSS Certificate Website.

  26. Alex T. says:

    Hi Robert,

    First of all, thank you very much for this amazing script, I have been slowly unwinding the results of a failure caused by using the “Use Express Installation Files” feature in WSUS.

    After going through all the .config files, I have successfully removed a reference to

    I have been using your EssentialsTester.ps1 file to slowly get back to normalcy, and I am at the point where Options 2,3,4 run without any errors :O)

    However, when running option 1, there is only one item left, which I have been wracking my brains out on.

    Checking IIS Bindings..
    Binding Missing : Default Web Site

    I have been looking at many different things and this is the only thing I can’t resolve at this point.

    My current bindings when I have “Default Web Site” selected and I use the right side Actions menu and select bindings are:

    type: http hostname: {blank} Port: 80 IP Address: * Binding Information: {blank}
    type: https hostname: {blank} Port: 443 IP Address: * Binding Information: {blank}

    What am I missing? Any help you can provide is appreciated!

    Thank you,

    Alex

    • Ah yes that last one is tricky.

      Go into Powershell (elevated)
      New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader yourservername -SSLFlags 1

      for example,

      New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader Essentials01 -SSLFlags 1

      • Alex T. says:

        Thanks for that! It ended up solving my bindings issue. Funny thing with my setup, is what messed everything up originally was enabling “Use Express Installation Files” for WSUS. Once I removed WSUS, that un-install failed or errored out somehow and I was left with the IIS Scheme for “xpress” in my system (applicationHost.config) as follows:

        This setting was propagating to all the other AppPools and kept repopulating everytime I restarted the Windows Process Activation service.

        Running this command, removed the scheme and once again allowed everything to run as it should!

        appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

        that led to this message and finally fixed! thanks for your help! and that amazing EssentialsTroubleshooter powershell, it really led me back to a working system!

        Applied configuration changes to section “system.webServer/httpCompression” for “MACHINE/WEBROOT/APPHOST” at configuration commit path “MACHINE/WEBROOT/APPHOST”

  27. Dan Johnson says:

    Hi Robert,

    I have a Windows Server 2012 Essentials R2 installation that is having some troubles. http:///connect is not working and giving 500 Internal Server Errors. I have a suspicion that it is a certificate issue but I do not know enough to troubleshoot. I downloaded and ran your PowerShell script (thank you by the way for providing this!). I only get an error when running the Test CA Infrastructure portion as follows:

    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server Error.”
    At C:\users\\desktop\EssentialsTester.ps1:1160 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    CRL Download : Failed

    When I try browsing the Default Website from IIS I get:

    “HTTP Error 500.19 – Internal Server Error
    The requested page cannot be accessed because the related configuration data for the page is invalid.

    Most likely causes:
    The worker process is unable to read the applicationhost.config or web.config file.
    There is malformed XML in the applicationhost.config or web.config file.
    The server cannot access the applicationhost.config or web.config file because of incorrect NTFS permissions.

    Things you can try:
    Look in the event logs for information about why the configuration files are not readable.
    Make sure the user identity specified for the application pool, or the authenticated user, has the required permissions to access the web.config file.

    Detailed Error Information:
    Module DynamicCompressionModule
    Notification SendResponse
    Handler ExtensionlessUrlHandler-Integrated-4.0
    Error Code 0x8007007e
    Requested URL http://localhost:80/
    Physical Path C:\Program Files\Windows Server\Bin\WebApps\Site
    Logon Method Anonymous
    Logon User Anonymous
    Request Tracing Directory C:\inetpub\logs\FailedReqLogFiles”

    Any help would be greatly appreciated!

    Thanks,
    Dan

  28. Brian Perks says:

    Robert

    I’ve downloaded your splendid script and run it against a new 2012 R2 WSE role without error.

    However, the reason for me coming across your site is that I cannot get Anywhere Access to configure. I get the dreaded errors:

    Anywhere Access to your server is blocked.

    and

    There may be more than one router on your network.

    This is my 3rd installation of WSE on 2012 R2 in the last couple of months and the 1st 2 worked like a dream :-(.

    This installation has a Meraki MX64 WAN Security Device and a Meraki MR34 WAP. I have a VPN set up between this site and HQ across the Meraki network and a two-way Domain Trust is in place.

    I’d appreciate it if you could offer any advice to fix this.

    Regards

    Brian

    • Have you confirmed the ports are open correctly and accessible from outside?
      Some routers are not comfortable doing NAT loopback, which is essentially how the AA wizard tries to verify external connectivity.
      I guess your setup is similar to the other installs you did – what is different here, ISP? Router?

      • Brian Perks says:

        Robert

        I have one site connecting through a Meraki MX 80 using NAT, but this site is just using a port forwarding rule through the MX64 for 443 and 80.

        I’ve done a test for 443 and 80 externally and it is reporting that they are blocked, so I’ve asked the IT guy there to investigate if the ISP has them blocked by default.

        I’m also looking to put WSE AA onto its own external WAN IP so I can use NAT.

        Very many thanks for your swift response.

        Regards

        Brian

      • Brian Perks says:

        Robert

        An update.

        Turns out there are some issues port forwarding 80,443 on a Meraki MX64 which I am investigating at the moment. Best to use 1:1 NAT, which leads me onto….

        This site only has a single WAN IP address so I’m looking into upgrading (hopefully will not cost too much) to multiple so I can assign Anywhere Access to its own WAN IP and use NAT.

        Thanks again

        Brian

  29. Bob says:

    I ran this tool and now my connector doesn’t work. When I try to launch the connector from a client it says “Your server cannot be located. Enter Server’s name or IP address to proceed”. It doesn’t see the server if I enter Name or IP address. I can add the machines to the domain manually. Do you know if the script changed anything that may have caused the connector to stop working?

  30. Gareth White says:

    Hi Rob can you help with my issues?

    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Checking Virtual Directories..

    Virtual Directory : /CertSrv
    Application Pool : RootApp
    Content Path : C:\Windows\system32\CertSrv\en-US

    Checking AppPools..

    Checking ISAPI Filters..

    Checking IIS SSL..

    Checking IIS Bindings..

    Checking IIS Authentication..
    Site : Default Web Site\RDWeb\FeedLogin
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\RDWeb\Pages
    Authentication : digestAuthentication
    Enabled : False

    Review your results, items in red should be investigated.

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : Errors Detected – ProgramData

    Testing CRL Download..
    CRL Location : http://SERVER02/CertEnroll/ew-SERVER02-CA-Xchg!00282!0029.crl
    CRL Destination : c:\windows\temp\crl.crl
    CRL Download : OK

    Testing CRL Distribution Configuration..
    Get-CACrlDistributionPoint : CCertAdmin::GetConfigEntry: The parameter is incorrect. 0x80070057 (WIN32: 87
    ERROR_INVALID_PARAMETER)
    At C:\users\localadmin\desktop\EssentialsTester.ps1:1186 char:23
    + $CDPS = ( Get-CACrlDistributionPoint | where-object { $_.Uri -like ” …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-CACrlDistributionPoint], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.CertificateServices.Administration.Commands.CA.GetCrl
    DistributionPointCommand

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    Thank you in advance!

    Gareth

    • There should be a log in the %appdata% folder for the script. Can you send me that?

      It looks to me like you have a CA issue, have you changed anything CA related – uninstalled/reinstalled?

      • Gareth White says:

        Thanks for your reply, yes the “Active Directory Certificate Services” wasn’t installed as I had to remove it to migrate from another server. I have since installed it back on. Regarding the log, there aren’t any logs in the folder; is it in a subfolder? C:\Users\Localadmin\AppData\Roaming

      • Depending on your position, you may find it easier to remove the Essentials role and CA and reinstall it.

        If that is not an option, follow this guide. https://support.microsoft.com/en-us/kb/2795825

        Although some of the components you need to ‘repair’ your CA may not be present, meaning you will be looking at using more creative methods to repair the server!

      • Sorry my mistake, the log file is actually in %temp% (c:\users\user\appdata\local\temp)

  31. Gareth White says:

    Thanks Robert the Reinstall of CA Role fixed it :)
