Windows Server Essentials – Configuration Troubleshooter

I had a support case this week where it became apparent to me that there is no quick and easy way to test Essentials Servers for configuration errors. Manually working through IIS or Certificates is prone to human error, as was proved to me when I missed certain key things.

Uncharacteristically, I decided to write a PowerShell script to save me from this sort of embarrassment in the future, and make me look really good next time I need to troubleshoot an Essentials Server.

You can download the tool from here, and I am very interested to hear how it works for you.

If you have already downloaded it, I have updated the tool so you should download it again!

What does the tool do?

Well, it checks a number of things that I have found are the key things that make an Essentials Server tick: IIS and, MOST IMPORTANTLY, Certificate Services.

I knew that the CA was pretty significant to an Essentials Server, but I didn’t know just how deep that significance went. In your Local Machine Certificate Store you have a number of certificates; perhaps the most important file on the whole server (aside from perhaps ntds.dit) is your Certificate Authority Root Certificate. Without that, you cannot correctly reinstall the CA, and without that CA, you can’t do anything. It is not that you can’t reinstall the CA at all; you can. But the CA requires a specific name, and if you reinstall and generate a new key, the name is not likely to remain correct.

There may well be a way to get around even that scenario by hacking the crap out of AD, but honestly, I think I might take a reinstall over that.

That was a bit of a side track, so, again, what does this tool do?

Firstly it will decide if you are running on Essentials 2011, 2012 or 2012 R2.

It will then give you the choice of testing IIS or your CA. If you choose to test your IIS Configuration, it will inspect your Web Site Configuration, your Application Pools, Virtual Directories and ISAPI filters as well as your Web Site Bindings.

When you check the CA, it will check that the CA is available, that it has the right name (that is important), and that the certificate set in the Registry for the Dashboard matches what you have in your Local Machine Store. It will even download a copy of the CRL from your server and test that it is publishing the right information.

Essentials Configuration Tool

It compares all of this information to ‘Defaults’ and lets you know where you may have problems.
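The tester output pasted in the comments below shows the CRL step throwing on `$wc.DownloadFile(...)` without saying which URL was requested. As an added example (not code from EssentialsTester.ps1), here is one way to write that check so it returns the URL, the HTTP error and a hint. `Test-CrlDownload`, its parameters and the hint texts are names chosen here, and the hints only repeat fixes reported by commenters on this page.

```powershell
# Added example, not taken from EssentialsTester.ps1. Requires PowerShell 3.0 or later.
function Test-CrlDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $CrlUrl,
        [string] $Destination = (Join-Path $env:TEMP 'crl-check.crl')
    )

    # Hints are limited to causes that readers reported in the comments on this page.
    $hints = @{
        403 = 'Check the SSL Settings of Default Web Site; one reader fixed a 403 by unticking the SSL requirement.'
        404 = 'Check that the CA has published the CRL, that the CertEnroll virtual directory exists, and that the HTTP binding of Default Web Site has an empty Host Name.'
        500 = 'Browse Default Web Site from IIS Manager; a 500.19 means applicationHost.config or web.config is invalid.'
    }

    $result = [pscustomobject]@{
        Url        = $CrlUrl   # always reported, so the request can be repeated by hand
        HttpError  = $null     # numeric status when the server answered with an error
        Bytes      = 0
        Downloaded = $false
        Detail     = $null
    }

    $wc = New-Object System.Net.WebClient
    try {
        $wc.DownloadFile($CrlUrl, $Destination)
        $result.Bytes      = (Get-Item -LiteralPath $Destination).Length
        $result.Downloaded = $result.Bytes -gt 0
        if (-not $result.Downloaded) { $result.Detail = 'Server returned an empty file.' }
    }
    catch {
        # A failing .NET method call can arrive wrapped in a MethodInvocationException,
        # so walk the chain until the WebException is found.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }

        if ($ex -and $ex.Response -is [System.Net.HttpWebResponse]) {
            $code = [int]$ex.Response.StatusCode
            $result.HttpError = $code
            $result.Detail    = if ($hints.ContainsKey($code)) { $hints[$code] } else { $ex.Message }
        }
        else {
            # No HTTP response at all: name resolution, refused connection, bad destination path.
            $result.Detail = $_.Exception.Message
        }
    }
    finally {
        $wc.Dispose()
        # Clean up only if the file exists, so a failed download causes no second error.
        if (Test-Path -LiteralPath $Destination) { Remove-Item -LiteralPath $Destination -Force }
    }

    $result
}

# Usage, with the anonymised URL format shown in the comments:
# Test-CrlDownload -CrlUrl 'http://serverxxx/CertEnroll/XXXX-serverxxx-CA.crl' | Format-List
```

Because the function returns an object instead of printing, a failed download cannot be followed by an "OK" line, and the caller decides how to display or log the result.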

Essentials Configuration Tool Errors

I have run it against SBS 2011 Essentials, Essentials 2012, and R2, and it has identified the deliberate errors I have introduced and reported back correctly once those have been repaired.

Essentials Configuration Tool Results

I haven’t made it to be an exhaustive tool for everything that could possibly go wrong on an Essentials Server; it really is just focussed on IIS and the CA, and even then it may not cover every scenario. Hopefully, if you do come across a broken Essentials Server, using this will do enough to point you to the fix, or at least help to rule some things out.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

215 Responses to Windows Server Essentials – Configuration Troubleshooter

  1. Just came across this tool, after having issues with a brand new server Essentials…

    I get a ton of errors when running the CA tests….any idea where to start looking/reading to fix these?

    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\gregh\downloads\EssentialsTester.ps1:800 char:17
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    Get-ItemProperty : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:801 char:32
    + $CRLDownload = Get-ItemProperty $destination
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Get-ItemProperty], ItemNotFoundExcepti
    on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

    CRL Download : OK
    Remove-Item : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:803 char:17
    + Remove-Item $destination -Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Testing CRL Distribution Configuration..
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : Error
    Dashboard Certificate : OK
    Dashboard Certificate : Error
    Dashboard Certificate : Error
    Dashboard Certificate : Error

    • Sorry for slow response. You need to look at the CA and see if it is running. Are you able to open the dashboard?

      • ATechGuy says:

        Robert, you completely rock! I appreciate your test tool as it helped me find an issue, but perhaps I can make a suggestion for the next edit? The server has a name and usually, at least for the WSS web sites the cert name needs to match the server name, but from the outside, if you’re using remote web anywhere, it’s possible that you have created a new name in the remotewebaccess.com domain courtesy of MS. So, while it may be different than the server name, it might not really be an error. I would suggest flagging it, but not making it RED, and if there is a way to review the dashboard’s settings for RWA, then if the cert matched the dashboard for RWA, then you could not flag it at all. Make sense?

      • Thanks for the comments but I don’t update this tool anymore.

    • James says:

      Hi mate. Did you ever resolve the issue with Dashboard Certificates without formatting and starting again?
      Cheers. James
      I have run the tester and got a similar outcome.

  2. Alan Pendlebury says:

    Hey Robert, thank you for your post. I am 99% done with this configuration, but when I ran your tool I got this message. Any idea where to start looking at this?

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Download : OK

    Testing CRL Distribution Configuration..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..

    • Is the Dashboard opening ok?

      • Alan Pendlebury says:

        Yes it opens ok. I can go to the domain name internally, but I cannot get it to render by dns or IP externally. I can also get to the connect page to download the connector internally but not externally. The configuration wizard, gives me the error saying Anywhere access to your server is blocked, that port 80 and 443 are blocked, but they are open on the firewall. It also tells me that Port forwarding is not configured correctly on your router, which it is. I read some more on these errors on Microsoft partner network, and they said that they can be ignored. I think I have a cert or a routing issue. The cert is installed correctly, at least I think, though I do not know what I am missing on the routing, cause I thought I covered everything.
        Thank you,
        Alan

      • Sounds like you have not opened the ports on your router, given that it is not working externally and you have those errors. At the very least confirm your server’s internal IP and check port forwarding on your router. It is also possible your ISP are blocking these ports. If the dashboard opens you may be able to discard the certificate error in the tool.

      • Alan Pendlebury says:

        Hey Robert,
        It was a firewall issue, the firewall rules were in place, but not working cause the firewall needed a firmware update. Once I updated the firmware on the firewall, then everything worked.

        Alan

  3. Susan E Russel says:

    Thanks so much for this tester. I get four errors:

    1. Certificate Authority Name: Name Error
    2. Dashboard Certificate: Error
    3. WSS Initialization Service: Stopped (Which I can start)
    4. TCP Port 65500 (Used for CA Websites): Error (I use 65510)

  4. Ken says:

    I received a 403. Great tool, BTW. I’m just trying to figure out how to re-test the HTTP request. One thing I like to do in my scripting is to echo the call if it returns an error. All we see below is that it happened, and roughly where, but we can’t see the HTTPS call it made.

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403) Forbidden.”
    At C:\Users\administrator.THETECHGUYS\Downloads\EssentialsTester.ps1:802 char:17
    + $wc.DownloadFile($source,$destination)

  5. birdman895 says:

    I do not have much experience in the areas of scripts and PowerShell. I am having an issue with multiple client PCs losing the Trust Relationship with the domain. After searching the forums and TechNet for information I found some references to your script, but… No matter what I do I keep getting this error

    I followed instructions to change the execution policy;

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

    And then ran the script

    PS C:\Windows\system32> F:\ServerFolders\Networking\EssentialsTester.ps1
    F:\ServerFolders\Networking\EssentialsTester.ps1 : File F:\ServerFolders\Networking\EssentialsTester.ps1
    cannot be loaded. The file F:\ServerFolders\Networking\EssentialsTester.ps1 is not digitally signed. The
    script will not execute on the system. For more information, see about_Execution_Policies at
    http://go.microsoft.com/fwlink/?LinkID=135170.
    At line:1 char:1
    + F:\ServerFolders\Networking\EssentialsTester.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

    what am I doing wrong?
    Alan

    • Right click the downloaded ps1 file, go to properties and make sure you click Unblock.

      I am not sure this script will be much help to diagnose Trust issues. Do you have a thread open on the TechNet forum?

      • birdman895 says:

        Thanks for answering. Yes I do have a thread on the Windows Server 2012 Essentials forum. But, I came in this morning and those 3 client PCs with the trust issue are able to log in to the domain WITHOUT the trust issue. Don’t want to “look a gift horse in the mouth” but would like to know why :\. Only thing that changed was more Windows updates being installed.
        Alan

      • Link to the thread?
        Difficult to say really, I have seen inexplicable trust issues on Windows 7 clients on a number of domains.

  6. birdman895 says:

    Also, I did “Unblock” your file and it is running just fine.
    Thanks

  7. alerosmile says:

    Hi,
    Can you tell me why the name of the CA is important?
    Thanks

  8. James Brewster says:

    Hi Robert,
    I ran the test and the WSS Cert Server was showing Red status. I did a test in IIS Mgr in the Basic Settings Properties and the Pass-Thru authentication failed on the WSS Cert. Server Service folder? I replaced the Owner and amended permissions on the Folder and it still fails. If I change the Authentication to a specific user it works, but Connector Tool still does not? Any help appreciated.

    • I think those settings are as they should be, and if I remember correctly that test will fail.

      Can you put those settings back as they were and then rerun the test and post a screen shot?

  9. Hi Robert,

    I have a client that runs Server 2012 R2 Essentials server. After the initial client machines were connected and configured, the client wanted to set up Anywhere Access with a self signed cert, and tried various methods of installing the cert using IIS, all of which failed. Later, they installed a commercial cert. All original certs were left in the server. Anywhere access and every part of the network works fine, however, when you attempt to connect a new computer using the Essential Connector application (https:///connect ), it fails to run successfully.

    The connector page shows, and the connector tool downloads fine, but when it runs, it says it can’t find the Essentials server. If I point it to the correct server, it says it can’t get the information from the Essentials server. I have run Robert Pearman’s EssentialsTester.ps1 script, and it indicates the following problem:

    Testing CRL Download..
    CRL Location : http://serverxxx/CertEnroll/XXXX-serverxxx-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\admin\Documents\EssentialsTester.ps1:849 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
    CRL Download : Failed

    All other aspects of the tester seem to pass successfully. Any advice on how to resolve this issue? All help would be greatly appreciated.

    Brian

    • If you go to that URL in a browser, does it download the file or give an error?

      • If I go to https://servername/connect, it downloads the file. The file will start, but doesn’t “find” the essentials server. It defaults to the second option on the screen that asks what server, using the IP address. I can have it find the correct server in the first (top) option, but it says it can’t get the information it needs from the server and to contact the administrator.

      • Perhaps, I misunderstood with my earlier reply. Did you mean the URL for the connector, for the CRL Location, or the CRLDestination?

      • Brian Weinberg says:

        The CRL Location URL fails with a 404 error, when accessed from the client PC.

    • Also, if you could, please edit my original post to change the initial part of the .crl name to be XXXXX. I would appreciate it. Same with the username. Thanks. Your blog doesn’t allow me to edit the original post.

      • Did you reinstall Certificate services at all?
        It sounds like the CRL is either not being published correctly in CA, or the file is there but IIS is blocking it.

        If you go into IIS can you see the virtual directory for CertEnroll?

  10. Brian Weinberg says:

    I can’t say what was done prior in any detail regarding trying to use the self-signed cert, other than what I outlined above. I do know that they tried using the IIS tools to set up the self signed cert, as opposed to the Essentials wizard for installing a commercial cert using the Anywhere Access wizard. I have since run the Anywhere Access wizard to install a commercial cert.

    I do see the virtual directory for CertEnroll in IIS.

  11. I do have four files listed. Two CRL files, one .asp, and one .crt.

    The 404 page says: Not Found. HTTP Error 404. The requested resource is not found.

    • Not sure how much more help I can be through forum type support; I’d offer to log on and take a look if that is something you are interested in.

      • That could work. How do you propose we arrange this?

      • Drop me an email.

      • Brian Weinberg says:

        Forgive me, Robert, but I can’t find your email anywhere on your site. You have mine, included in the post information, if you can shoot me an email, we can set something up. Thanks so much!

        Brian

      • Due to Robert’s brilliant help on this, we tracked the problem down to two things. Not only was the wrong cert being used, but, the HTTP: binding for the default site had somehow had the Host Name field filled with “Default Web Site,” which prevented all access to the crl. Once the field was made blank, and the correct cert in place, restarting the IIS services enabled everything to work correctly.

        Robert, I can’t thank you enough for this!

  12. irishtechnomonster says:

    Hi Robert, I’m a bit of a novice when it comes to Windows Server 2012 but I’m having an issue where none of the client computers are backing up. I’m seeing a NotConfigured error in the event logs on the client machines although from what I can see it is configured correctly. There is very little info on this problem in google land but I came across this site on my travels. I ran the configuration tool on the server with no errors but I got a ‘Client DNS Server’ error when I ran it on one of the clients. Problem is I’m not sure how to troubleshoot that or even if it is related to the backup issue. Any help you could offer would be greatly appreciated!

    • The client should use the server’s IP as a static DNS entry.

      What do they have?

      • irishtechnomonster says:

        Hi Robert, thanks for the reply! Sorry I didn’t see it until now. I checked the ipv4 properties in adapter settings on the client and it’s set to obtain DNS server address automatically. Should I set this to the server’s IP?

      • irishtechnomonster says:

        I ran your essentials tester script on the client and am getting an error for the Client DNS Server. I tried setting the DNS IP to the server’s IP but I get the same result.

      • irishtechnomonster says:

        I’ve fixed the Client DNS Server issue (had to disable ipv6) and now script returns all ok. Unfortunately, the backup issue remains…

  13. Benjamin Cripe says:

    This is a great MS Essentials tool! First and foremost, thank you. I am having an issue that I recently inherited support on. I ran the PS tool across the server b/c I am having Status and backup issues. Also clients are unable to connect to the server via the URL http://servername/connect. Below are my findings thus far:
    TCP 80 (Used for Websites) : OK
    TCP 443 (Used for Websites) : OK
    TCP 6602 (Used for Status) : Error
    TCP 8192 (Used for Backups) : Error
    TCP 65520 (Used for Mac Website) : OK
    TCP 65500 (Used for CA Website) : OK

    • Do you have third party firewall or AV on the Server?

      • Benjamin Cripe says:

        No third party AV or FWs are on the server. I believe that someone else has tried to fix this issue previously and has added and removed different roles from the server previously. Everything appears to be functioning as it is supposed to be, just not able to join the domain via the http://servername/connect method. Although I am able to join manually via the local computer’s system properties. Then also their backups have been failing and the server itself is unable to see the client machines.

      • Can you check that the Windows firewall is enabled and has exceptions for those ports?

  14. Benjamin Cripe says:

    I went ahead and created a custom rule to allow those ports access. Unfortunately no luck. Are these ports supposed to be in the bindings for IIS? If so, I am not seeing them there.

  15. Benjamin Cripe says:

    Okay, thank you for confirming the IIS portion. The findings for the NetStat are:
    I see port 6602 listening in 22 different instances, but nothing for 8192

  16. Benjamin Cripe says:

    will do, thank you for the advice.

  17. Benjamin Cripe says:

    If I were to simply disable the FW temporarily after hours and then test. Could we eliminate that portion?

  18. Benjamin Cripe says:

    After hours this evening, I disabled all FWs (local PC FW, Server FW, and Network FW) and I am unable to telnet to those two ports 8912 and 6602. Although they report to be listening…any thoughts? I am able to connect on 443 and 80 obviously.

  19. Benjamin Cripe says:

    The client tool is still unable to connect with all firewalls disabled. I also went ahead and tried the http://servername/connect method and the error message “An unexpected error has occurred. To resolve this issue, contact the person responsible for your network”….unfortunately that is me, and I am unsure of the solution. Then I did run your PS tool and it claimed that there are errors on those ports. Any other suggestions?

  20. Bryan Wong says:

    Robert, I just did a brand new installation of Server Essentials Experience on a Server 2012 R2 box. I ran the tool, and an error was generated on the CRL Destination check. It returned the error (503) Server Unavailable. I hopped over to IIS to check the bindings, and things appear to be fine. Do you have any suggestions on what else to check? I tried navigating to http://servername/connect, and it is also giving the 503 Server Unavailable error.

  21. Halit says:

    Hi, thank you for the useful Tool.

    I’m stuck with the following error

    Testing CA Name..
    Certificate Authority Online : Error
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Where should I look first?

    My main problem is I can’t join new computers to the domain because the Connector Website is not accessible anymore.

  22. GrantD. says:

    I am getting a 403 Forbidden (You do not have permission to view this directory or page using the credentials that you supplied) when trying to connect a new client to an existing Essentials 2012 R2 server. Running EssentialsTester.ps1 shows a failure on CRL Download and 3 tests on Dashboard Certificate with 1 OK and 2 Errors.

    I am at a loss on where to correct this, and I am certain it has something to do with my attempts to set up Anywhere Access several months ago (this is the first client I’ve tried to add since then).

    Any insight would be appreciated.

  23. GrantD. says:

    If you could please edit the server name to something anonymous, I would appreciate it. :)

    • You should start by checking how many certificates you have for the server in the local machine store – it appears you have 3 and you should only have 1.
      If you go to HKLM:>Software\Microsoft\Windows Server\Identity
      I think the String is for LocalMachineCert – this is a thumbprint ID. and it should match one of the certs in the local machine store. You should remove the other two.

      • GrantD. says:

        I’ve identified the correct certificate. Can you provide instruction on removing the others?

        Also, any chance of removing my server name above in the test results?

      • I unpublished the comment so it should no longer be visible.

        Just right click and hit delete.

      • GrantD. says:

        Okay, just deleted the 2 extra certificates not matching the thumbprint from LocalMachineCert.
        Now the EssentialsTester does one “Dashboard” check and it passes. However, there is still a CRL download failure, as I’m sure would be expected at this point.
        IIS test returns the same, it appears.

      • GrantD. says:

        This was ultimately fixed with your help! After we got rid of the extra console certificates, the rest of the problem was fixed by unchecking “Use SSL” from the default web site under IIS (I’m sure I toggled that either in troubleshooting myself or when I set up Remote Access a few months ago).
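The thumbprint comparison described in this thread, which the post lists as one of the tool's CA tests, can be run as a read-only report before any certificate is deleted. This is an added example, not code from EssentialsTester.ps1: the registry key and the `LocalMachineCert` value name are the ones given in the reply above, while the `Cert:\LocalMachine\My` store path, matching on the computer name in the subject, and the function name are assumptions.

```powershell
# Added example: read-only report, nothing is deleted or changed.
# Requires PowerShell 3.0 or later.
function Compare-DashboardCertificate {
    [CmdletBinding()]
    param(
        # Key and value name as given in the reply above.
        [string] $RegistryPath = 'HKLM:\Software\Microsoft\Windows Server\Identity',
        [string] $ValueName    = 'LocalMachineCert',
        # Assumption: the Personal store of the local machine.
        [string] $StorePath    = 'Cert:\LocalMachine\My',
        # Assumption: the server's certificates carry the computer name in the subject.
        [string] $ServerName   = $env:COMPUTERNAME
    )

    $raw = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction Stop).$ValueName

    # Normalise: strip spaces and any non-hex characters, compare in upper case.
    $expected = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # Subject starts with or contains CN=<name>, optionally followed by a DNS suffix.
    $subjectPattern = 'CN=' + [regex]::Escape($ServerName) + '(\.|,|$)'

    $rows = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $isMatch  = $cert.Thumbprint -eq $expected
        $isServer = $cert.Subject -match $subjectPattern

        # Only list certificates that are relevant to the comparison.
        if (-not ($isMatch -or $isServer)) { continue }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Registry   = if ($isMatch) { 'MATCH' } else { 'no match' }
        }
    }

    [pscustomobject]@{
        ExpectedThumbprint = $expected
        # False means the registry points at a certificate that is not in the store.
        MatchFound         = [bool]($rows | Where-Object { $_.Registry -eq 'MATCH' })
        # More than one candidate is the situation discussed in this thread.
        CandidateCount     = @($rows).Count
        Certificates       = @($rows)
    }
}

# Usage (run elevated on the server):
# $report = Compare-DashboardCertificate
# $report | Select-Object ExpectedThumbprint, MatchFound, CandidateCount
# $report.Certificates | Format-Table -AutoSize
```

Exporting each "no match" certificate before removing it keeps a way back if the wrong one is chosen.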

  24. GrantD. says:

    Also, I have 3 other certificates showing as follows:
    –CA
    ..local

    Are these okay to leave in?

  25. GrantD. says:

    Now something odd has occurred. The WSE Dashboard says there are ZERO computers attached. Before, as in this morning, there were 7 including the server.
    I’m wondering if removing those “extra” certificates had something to do with it, but I don’t know.
    I’m assuming that client computer backups won’t take place now, which is a Bad Thing.

    • Assuming you deleted the correct certificate this would have been ok. If you have a backup of the server I can explain how to recover them. Can you confirm at least that the remaining ‘server’ certificate has a thumbprint that matches the registry entry?

      • GrantD. says:

        I can confirm the thumbprint matches the registry key.

      • I’d be inclined to crack on then and not worry about the other certs currently. Fixing the auth issue should rule out a lot of issues and get connect working again. I will be back in the office tomorrow and can compare my lab settings to yours.

      • GrantD. says:

        Also I have backups (twice a day).

      • GrantD. says:

        Sounds fine…a little worried I won’t get our desktop backups, but that’s me being overly uptight. :)

        I, too, suspect the connect site issue will fix all. I assume once that’s going, I can just run connect again and all will be well..

        Sidebar: I’m in the process of migrating the WSE2012R2 server to new hardware, but have only gotten so far as creating a new replica domain controller; I haven’t moved the FSMO roles or promoted the new box to a domain controller. Hopefully that doesn’t impact what we’re doing here directly. That happens in a couple of days, but I would like to get this healthy again before I press on.

      • If you are migrating, you will have to reinstall the connector software anyway, and will be starting with fresh backups of your PCs. It may be just as well to finish your migration than spend time troubleshooting here.

      • GrantD. says:

        That makes sense and I had considered that option, however I would like to understand what is broken here if possible. It’s obvious I created the issue, and I’d like to know what to avoid in the future. Furthermore, having everything healthy before I take the next migration step would ease my mind a bit. :)
        I also don’t want to impose on you unnecessarily. If this is something I can figure out in one or two more steps, fantastic! If it’s going to be a long, drawn-out detective process, I may have a change of heart.

      • I understand what you mean. It is difficult to say how long it would take to resolve, hopefully not too long.
        I suspect you have tweaked IIS to get Anywhere Access working, and with Essentials the last thing you want to do is tweak IIS, or play with the certificates.

        Can you tell me what authentication settings you have on… Default Web Site\CertSrv and \Connect

      • GrantD. says:

        \CertSrv: All disabled except “Windows Authentication”
        \Connect: All disabled except “Anonymous Authentication”

      • Can you send a screen shot of the 403 Error for /Connect ?

      • GrantD. says:

        Here’s the full text (don’t know how to post a screenshot here) upon opening http://(servername)/connect:

        Server Error

        403 – Forbidden: Access is denied.
        You do not have permission to view this directory or page using the credentials that you supplied.

      • GrantD. says:

        Also, WSE Best Practices Analyzer complains “Certificate subject does not match the name configured by the Domain Name wizard.” I’m only including that in case it helps narrow things down.

    • Just realised you installed WSUS. Did you install that to its own website or under default website?

      • GrantD. says:

        WSUS Administration is at the same “level” as Default Web Site, Mac Web Service and WSS Certificate Website.

  26. Alex T. says:

    Hi Robert,

    First of all, thank you very much for this amazing script, I have been slowly unwinding the results of a failure caused by using the “Use Express Installation Files” feature in WSUS.

    After going through all the .config files, I have successfully removed a reference to

    I have been using your EssentialsTester.ps1 file to slowly get back to normalcy, and I am at the point where Options 2,3,4 run without any errors :O)

    However, when running option 1, there is only one item left, which I have been wracking my brains out on.

    Checking IIS Bindings..
    Binding Missing : Default Web Site

    I have been looking at many different things and this is the only thing I can’t resolve at this point.

    My current bindings when I have “Default Web Site” selected and I use the right side Actions menu and select bindings are:

    type: http hostname: {blank} Port: 80 IP Address: * Binding Information: {blank}
    type: https hostname: {blank} Port: 443 IP Address: * Binding Information: {blank}

    What am I missing? Any help you can provide is appreciated!

    Thank you,

    Alex

    • Ah yes that last one is tricky.

      Go into Powershell (elevated)
      New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader yourservername -SSLFlags 1

      for example,

      New-WebBinding "Default Web Site" -IPAddress * -Protocol HTTPS -HostHeader Essentials01 -SSLFlags 1

      • Alex T. says:

        Thanks for that! It ended up solving my bindings issue. Funny thing with my setup, is what messed everything up originally was enabling “Use Express Installation Files” for WSUS. Once I removed WSUS, that un-install failed or errored out somehow and I was left with the IIS Scheme for “xpress” in my system (applicationHost.config) as follows:

        This setting was propagating to all the other AppPools and kept repopulating everytime I restarted the Windows Process Activation service.

        Running this command, removed the scheme and once again allowed everything to run as it should!

        appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

        that led to this message and finally fixed! thanks for your help! and that amazing EssentialsTroubleshooter powershell, it really led me back to a working system!

        Applied configuration changes to section “system.webServer/httpCompression” for “MACHINE/WEBROOT/APPHOST” at configuration commit path “MACHINE/WEBROOT/APPHOST”

  27. Dan Johnson says:

    Hi Robert,

    I have a Windows Server 2012 Essentials R2 installation that is having some troubles. http:///connect is not working and giving 500 Internal Server Errors. I have a suspicion that it is a certificate issue but I do not know enough to troubleshoot. I downloaded and ran your PowerShell script (thank you by the way for providing this!). I only get an error when running the Test CA Infrastructure portion as follows:

    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server Error.”
    At C:\users\\desktop\EssentialsTester.ps1:1160 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    CRL Download : Failed

    When I try browsing the Default Website from IIS I get:

    “HTTP Error 500.19 – Internal Server Error
    The requested page cannot be accessed because the related configuration data for the page is invalid.

    Most likely causes:
    The worker process is unable to read the applicationhost.config or web.config file.
    There is malformed XML in the applicationhost.config or web.config file.
    The server cannot access the applicationhost.config or web.config file because of incorrect NTFS permissions.

    Things you can try:
    Look in the event logs for information about why the configuration files are not readable.
    Make sure the user identity specified for the application pool, or the authenticated user, has the required permissions to access the web.config file.

    Detailed Error Information:
    Module DynamicCompressionModule
    Notification SendResponse
    Handler ExtensionlessUrlHandler-Integrated-4.0
    Error Code 0x8007007e
    Requested URL http://localhost:80/
    Physical Path C:\Program Files\Windows Server\Bin\WebApps\Site
    Logon Method Anonymous
    Logon User Anonymous
    Request Tracing Directory C:\inetpub\logs\FailedReqLogFiles”

    Any help would be greatly appreciated!

    Thanks,
    Dan

  28. Brian Perks says:

    Robert

    I’ve downloaded your splendid script and run it against a new 2012 R2 WSE role without error.

    However, the reason for me coming across your site is that I cannot get Anywhere Access to configure. I get the dreaded errors:

    Anywhere Access to your server is blocked.

    and

    There may be more than one router on your network.

    This is my 3rd installation of WSE on 2012 R2 in the last couple of months and the 1st 2 worked like a dream :-(.

    This installation has a Meraki MX64 WAN Security Device and a Meraki MR34 WAP. I have a VPN set up between this site and HQ across the Meraki network and a two-way Domain Trust is in place.

    I’d appreciate it if you could offer any advice to fix this.

    Regards

    Brian

    • Have you confirmed the ports are open correctly and accessible from outside?
      Some routers are not comfortable doing nat loopback which is essentially how the AA wizard tries to verify external connectivity.
      I guess your setup is similar to the other installs you did – what is different here, ISP? Router?

      • Brian Perks says:

        Robert

        I have one site connecting through a Meraki MX 80 using NAT, but this site is just using a port forwarding rule through the MX64 for 443 and 80.

        I’ve done a test for 443 and 80 externally and it is reporting that they are blocked, so I’ve asked the IT guy there to investigate if the ISP has them blocked by default.

        I’m also looking to put WSE AA onto its own external WAN IP so I can use NAT.

        Very many thanks for your swift response.

        Regards

        Brian

      • Brian Perks says:

        Robert

        An update.

        Turns out there are some issues port forwarding 80,443 on a Meraki MX64 which I am investigating at the moment. Best to use 1:1 NAT, which leads me onto….

        This site only has a single WAN IP address so I’m looking into upgrading (hopefully will not cost too much) to multiple so I can assign Anywhere Access to its own WAN IP and use NAT.

        Thanks again

        Brian

  29. Bob says:

    I ran this tool and now my connector doesn’t work. When I try to launch the connector from a client it says “Your server cannot be located. Enter Server’s name or IP address to proceed”. It doesn’t see the server if I enter Name or IP address. I can add the machines to the domain manually. Do you know if the script changed anything that may have caused the connector to stop working?

  30. Gareth White says:

    Hi Rob can you help with my issues?

    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Checking Virtual Directories..

    Virtual Directory : /CertSrv
    Application Pool : RootApp
    Content Path : C:\Windows\system32\CertSrv\en-US

    Checking AppPools..

    Checking ISAPI Filters..

    Checking IIS SSL..

    Checking IIS Bindings..

    Checking IIS Authentication..
    Site : Default Web Site\RDWeb\FeedLogin
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\RDWeb\Pages
    Authentication : digestAuthentication
    Enabled : False

    Review your results, items in red should be investigated.

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : Errors Detected – ProgramData

    Testing CRL Download..
    CRL Location : http://SERVER02/CertEnroll/ew-SERVER02-CA-Xchg!00282!0029.crl
    CRL Destination : c:\windows\temp\crl.crl
    CRL Download : OK

    Testing CRL Distribution Configuration..
    Get-CACrlDistributionPoint : CCertAdmin::GetConfigEntry: The parameter is incorrect. 0x80070057 (WIN32: 87
    ERROR_INVALID_PARAMETER)
    At C:\users\localadmin\desktop\EssentialsTester.ps1:1186 char:23
    + $CDPS = ( Get-CACrlDistributionPoint | where-object { $_.Uri -like ” …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-CACrlDistributionPoint], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.CertificateServices.Administration.Commands.CA.GetCrl
    DistributionPointCommand

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    Thank you in advance!

    Gareth

    • There should be a log in the %appdata% folder for the script. Can you send me that?

      It looks to me like you have a CA issue, have you changed anything CA related – uninstalled/reinstalled?

      • Gareth White says:

        Thanks for your reply, yes the “Active Directory Certificate Services” wasn’t installed as I had to remove it to migrate from another server. I have since installed it back on. Regarding the log, there aren’t any logs in the folder; is it in a subfolder? C:\Users\Localadmin\AppData\Roaming

      • Depending on your position, you may find it easier to remove the Essentials role and CA and reinstall it.

        If that is not an option, follow this guide. https://support.microsoft.com/en-us/kb/2795825

        Although some of the components you need to ‘repair’ your CA may not be present, meaning you will be looking at using more creative methods to repair the server!

      • Sorry my mistake, the log file is actually in %temp% (c:\users\user\appdata\local\temp)

  31. Gareth White says:

    Thanks Robert the Reinstall of CA Role fixed it :)

  32. Peter says:

    Hi Robert,
    I’m having IIS Cert issues and I hope you can help. Here are the results from tests 1 & 2:
    Version Info: Version: 2.04
    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit
    Enter Task..
    1
    Only Errors will be shown.
    Checking Websites..
    Checking Connect Site..
    Connect Website : Error : 500
    Checking Virtual Directories..
    Checking AppPools..
    Checking ISAPI Filters..
    get-webconfiguration : Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
    Line number: 207
    Error: Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory
    password
    At D:\_IT archive\EssentialsTester.ps1:420 char:17
    + $isapif = (get-webconfiguration -pspath iis:\sites\* -filter “/system.webse …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.IIs.PowerShell.Provider.GetConfigu
    rationCommand
    Checking IIS SSL..

    Website Name : Mac Web Service *:65520:
    SSL Certificate : Error: Does not match Dashboard Certificate
    Checking IIS Bindings..
    Binding Missing : Default Web Site
    Checking IIS Authentication..
    Review your results, items in red should be investigated.

    Version Info: Version: 2.04
    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit
    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : OK
    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK
    Testing CRL Download..
    CRL Location : http://SERVER2012/CertEnroll/CDG-SERVER2012-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server
    Error.”
    At D:\_IT archive\EssentialsTester.ps1:1196 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
    CRL Download : Failed
    Testing CRL Distribution Configuration..
    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK
    Testing Dashboard Certificate..
    Dashboard Certificate : OK
    Dashboard Certificate : Error : 84435D4ACBA26DFAEC7CDBE281900C6D1CB32152
    Dashboard Certificate : Error : 3DB7B9EE73BF39562073BDD512DF55891BD1BE69
    Dashboard Certificate : Error : 1E417FD2362556FC6BD1C81936EBC5826FAB4BBB
    Review your results, items in red should be investigated.

    • Hi Peter,

      So we have a couple of issues here.

      I would fix the Dashboard certificate first as that is likely to be easiest.
      You need to work out which certificate is correct. To do that, you need to check the registry.
      HKLM>Software>Microsoft>Windows Server>Identity there will be a RE here with a thumbprint ID. It should match one of the certificates in your local machine personal store.
      It looks like you currently have four certificates in the store, three of which show as errors above.

      Once you have identified the correct one, remove the others.

      Next, IIS.

      Can you go to http://server/connect and get the full error message displayed? This will help troubleshoot further.

      • Peter says:

        Robert,
        I was able to remove the unneeded certificates.
        The error message when browsing to https://server/connect is as follows:
        ——————————————————————————————————————————–
        HTTP Error 500.19 – Internal Server Error
        The requested page cannot be accessed because the related configuration data for the page is invalid.Detailed Error Information:
        Module IIS Web Core
        Notification Unknown
        Handler Not yet determined
        Error Code 0x8007052e
        Config Error Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory password
        Config File \\?\C:\inetpub\temp\apppools\Client_App\Client_App.config
        Requested URL https://server2012:443/connect
        Physical Path
        Logon Method Not yet determined
        Logon User Not yet determined
        Config Source:
        89:
        90:
        91:

        ————————————————————————————————————————-
        Also, I am now receiving different errors when running the EssentialsTester:

        Version Info: Version: 2.04

        1. Test IIS
        2. Test CA Infrastructure
        3. Test Services
        4. Test Service Ports
        0. Quit

        Enter Task..
        1
        Only Errors will be shown.

        Checking Websites..

        Checking Connect Site..

        Connect Website : Error : 500

        Checking Virtual Directories..

        Checking AppPools..

        Checking ISAPI Filters..

        get-webconfiguration : Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
        Line number: 207
        Error: Can not log on locally to C:\Program Files\Windows Server\Bin\WebApps\Site as user admin with virtual directory
        password
        At D:\_IT archive\EssentialsTester.ps1:420 char:17
        + $isapif = (get-webconfiguration -pspath iis:\sites\* -filter “/system.webse …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], COMException
        + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.IIs.PowerShell.Provider.GetConfigu
        rationCommand

        Checking IIS SSL..

        Website Name : Mac Web Service *:65520:
        SSL Certificate : Error: Does not match Dashboard Certificate

        Checking IIS Bindings..

        Binding Missing : Default Web Site

        Checking IIS Authentication..

        Review your results, items in red should be investigated.

        ************************************************
        * Essentials Server Configuration Tester *
        ************************************************

        OS Detected: Microsoft Windows Server 2012 Essentials

        This tool will check your current Configuration against known Essentials Server Values.
        Written by Robert Pearman (TitleRequired.com) February 2016

        Version Info: Version: 2.04

        1. Test IIS
        2. Test CA Infrastructure
        3. Test Services
        4. Test Service Ports
        0. Quit

        Enter Task..
        2
        Testing CA Name..
        Certificate Authority Online : OK
        Certificate Authority Name : OK
        Certificate Authority Cert : OK

        Testing /Connect Certificate Package..
        Connect Computer Certificate : OK

        Testing CRL Download..
        CRL Location : http://SERVER2012/CertEnroll/SERVER2012-CA.crl
        CRL Destination : c:\windows\temp\crl.crl
        Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (500) Internal Server
        Error.”
        At D:\_IT archive\EssentialsTester.ps1:1196 char:9
        + $wc.DownloadFile($source,$destination)
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : WebException

        CRL Download : Failed

        Testing CRL Distribution Configuration..

        It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

        CRL Extension (CDP) : OK
        CRL Extension (CRL) : OK

        Testing Dashboard Certificate..
        Dashboard Certificate : OK

        ————————————————————————————————————————-
        Thank you very much for your help,
        Peter

      • Can you confirm that the IIS_IUSRS group has read permission to C:\inetpub\temp\apppools\Client_App\Client_App.config
        Can you confirm what Identity the Client_App AppPool is running under?

      • Peter says:

        The Client_App AppPool is running under the NetworkService identity.

        The IIS_IUSRS group does not have any explicit permissions on the Client_App.config file. The owner of the file is the Domain Administrators group; SYSTEM and Domain Administrators groups have Full Control, the Client_App group has Read access.

      • On my lab system that group does have permissions on that folder. Can you set it to have Read&Execute? then probably reboot the server is best.

  33. Peter says:

    I was looking at the permissions to the file Client_App.config instead of looking at the permissions for the folder. The folder from which that file perhaps inherits its permissions, C:\inetpub\temp\apppools\Client_App\ does have the IIS_IUSRS group listed. That group has Read, Read & Execute, and List Folder Contents.
    I have rebooted the server. Unfortunately I’m getting the same error when browsing to http://server/connect

    • If you drill down all the way to the Client_App.config file, the ‘Client_App’ user account should have Read access. Can you confirm that?

      • Peter says:

        Yes, that’s exactly what I see when I view the properties of the Client_App.config file.

      • Peter says:

        Robert,
        I thought I’d follow up with you to let you know how I fixed the permissions issue.

        IIS
        Sites
        Default Web Site
        Right Click
        Manage website
        Advanced Settings
        Physical Path Credentials ( click on …)
        Specific User (Click on set button)

        Type in user name and current password

  34. Eshwar Somashekar says:

    Hi there. Since I upgraded my Windows 8 machines (about a year ago) join them to Windows Essentials 2012 R2 server as managed devices (to enable automatic backups). When I initially researched this, Microsoft said that the Essentials connector was not supported on Windows 10 yet and it would be released in a few months. Now, I’ve manually installed the connectors on two different Windows 10 machines and am still unable to connect and after researching it online, I checked ClientDeploy.log which shows a certificate error. After further research, I stumbled onto your very helpful script! When I run it, Test IIS shows no errors. However, Test CA Infrastructure, shows the following error:

    Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.

    Do you have suggestions on how to fix this? Thank you!

    • Can you manually confirm if that file exists?

      I believe you can simply export the CARoot Certificate (in cer format) and place it in there, make sure to name it correctly.

  35. Eshwar Somashekar says:

    Hello there. Thank you for developing this useful tool! I ran it to try to figure out why my Windows 10 clients are unable to connect to my Windows Essentials 2012 R2 server. On the server, the tool reports the following error:

    Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
    At C:\users\SankulaAdmin\EssentialsTester.ps1:1120 char:17
    + $cert = Get-Item “C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.ce …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\ProgramData\…Data\CAROOT.cer:String) [Get-Item], ItemNotFoundExcep
    tion
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

    Exception calling “Import” with “1” argument(s): “Array may not be empty or null.
    Parameter name: rawData”
    At C:\users\SankulaAdmin\EssentialsTester.ps1:1122 char:9
    + $certPrint.Import($cert)
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

    Any ideas on how to fix this? Thank you again!

  36. Keith Chandler says:

    Robert, thanks for this tool! It has found my config problem; now if only I knew what to do to fix it!
    I have a 2012 R2 server, and am trying to add a Windows 10 client. The computerConnector fails during the configuration, and by browsing logs I saw that I’m having cert problems.

    History: When server was setup it had domain name of company.com, then after setup, in the midst of trying to get anywhere access working, the domain name was changed to zone.company.com. That was 7 months ago. Server works well, except for anywhere access and, of course, ability to add new clients. The ca-name is company-server3-ca, when apparently it wants to be zone-server3-ca.

    Can you point me to guidance on clearing up my mess?
    Thanks a million!

    • You renamed the internal domain name?
      What does the config tester suggest is wrong?

    • What does it say the problem is?

      Did you rename your internal domain name?

      • Keith Chandler says:

        The Config Tester , in the CA Infrastructure test, reports:
        Certificate Authority Online : OK
        Certificate Authority Name : Name Error
        Certificate Authority Cert : OK

        The server started life as server3.company.com, and later was renamed to be server3.home.company.com (with home.company.com being my home network where Server Essentials lives, and company.com being hosted elsewhere with a DNS pointer to this server for this subdomain).

      • So you renamed the Domain?

        I’m not sure of a way out of that.

        You will probably have to uninstall the Essentials Role and CA, then reinstall the Essentials Role which should build a new CA for you with the correct name.

        But of course doing this will mean you lose client backup history and will have to reinstall the connector on the computers.

  37. Keith Chandler says:

    Not the best word to hear, but not the end of the world, either. There are only a few client computers involved, so the re-connects won’t be too bad. As long as storage pools and network/DNS configuration is preserved on the server I can weather the loss of backup history. Step 1 is ensuring a good backup of server before starting remediation.

    Thanks, Robert, for your insight. And for the tool that started this discussion.

  38. Luke Murphey says:

    You are a life-saver. I have been debugging an issue where I could not connect clients to an Essentials server. I had tried everything but your script pointed me towards the CA being the problem (“Certificate Authority Online : Error”). It turned out that Active Directory Certificate Services would not start due to a corrupted log. I restored it from backup and now it works great.

    Thanks, this saved me from having to rebuild this server.

  39. Michal Bieniek says:

    Hello Robert,
    I did run your script and found 7 errors. I’ve never worked with PowerShell or setting up servers like that. I’m running Server Essential 2012 and currently I started to have a problem with joining to domain.
    Here is my report from your script:
    Pool Name : WebPortalAppPool
    Enabled 32bit Apps : True
    .NET Version : v2.0
    State : Started

    Checking ISAPI Filters..

    Checking IIS SSL..

    Website Name : WSS Certificate Web Service *:65500:
    SSL Certificate : Error: Does not match Dashboard Certificate

    Website Name : Mac Web Service *:65520:
    SSL Certificate : Error: Does not match Dashboard Certificate

    Checking TLS Version 1.0

    Checking IIS Bindings..

    Binding Missing : Default Web Site

    Checking IIS Authentication..
    Site : Default Web Site\PDMWeb
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\PDMWSearch
    Authentication : digestAuthentication
    Enabled : False

    Site : Default Web Site\PDMWSearch
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\Remote
    Authentication : digestAuthentication
    Enabled : False

  40. Kurt says:

    Great tool Robert. I’m running 2016 Standard with Essentials Experience installed. I had to add the following code snippet to get it to recognize that (after the test for “Essentials” since my configuration returns “Microsoft Windows Server 2016 Standard”)
    # Treat a Server 2016 OS name as Essentials 2016 (Essentials Experience role installed)
    $checkOS = $os.Contains("2016")
    if ($checkOS)
    {
        Import-Module WebAdministration
        $Global:OS = "Essentials2016"
        Menu
    }

  41. Edd Chadwick says:

    Hi,

    Your tool has been really helpful in trying to resolve our issue but I am stuck at a point, our server has been migrated from SBS 2011, I didn’t build it and whoever did missed out the CA so I have added that back in which resolved the IIS issues found in step one but now I have issues in step 2, can you help me?

    I am getting errors in
    “testing /connect certificate package..
    Connect computer certificate : Errors detected – ProgramData”

    and

    “Testing Dashboard certificate..
    Dashboard certificate : Error : (String Value)
    Dashboard certificate : OK”

    Any help much appreciated.

    Cheers

  42. jrp says:

    I am migrating from SBS2011 (using your excellent guide) to a 2016 server with the essentials experience add-in. It has been a painful experience because various users need to be allowed to add-in as a service / batch job. There seems to be no definitive documentation on what those are. Since the (eg, Anywhere Access) wizards give no clue as to what the problem is and, as the log files are hard to find, voluminous and impenetrable, it makes for a lengthy journey.

    I’ll give this tool a whirl to see whether everything is settled.

  43. Tim says:

    Hi Robert,
    Running into an issue where clients are indicating offline, failed backup status. Appears to have started after failed attempt to implement direct access.
    Connect website returns 403 forbidden on http and certificate error on https.
    Results of test tool.
    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Checking Virtual Directories..

    Checking AppPools..

    Checking ISAPI Filters..

    Checking IIS SSL..

    Checking TLS Version 1.0

    Checking IIS Bindings..

    Website Name : Default Web Site
    Binding : https[fd37:f6ae:b62e:3333::1]:62000:0

    Website Name : Default Web Site
    Binding : https10.58.168.1:62000:0

    Website Name : Default Web Site
    Binding : https[fd37:f6ae:b62e:1:0:5efe:10.58.168.1]:62000:0

    Checking IIS Authentication..
    Site : Default Web Site\RDWeb\FeedLogin
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\RDWeb\Pages
    Authentication : digestAuthentication
    Enabled : False

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2016 Essentials

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (TitleRequired.com) August 2016

    Version Info: Version: 2.07

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Location : http://VHSERVER-1/CertEnroll/VHS-INC-VHSERVER-1-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403)
    Forbidden.”
    At C:\Users\VHS-ADMIN\Downloads\EssentialsTester.ps1:1215 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    CRL Download : Failed

    Testing CRL Distribution Configuration..

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoi
    nt)

    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2016 Essentials

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (TitleRequired.com) August 2016

    Version Info: Version: 2.07

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    4
    Testing Service Ports on : VHSERVER-1

    TCP 80 (Used for Websites) : OK
    TCP 443 (Used for Websites) : OK
    TCP 6602 (Used for Status) : Error
    TCP 8912 (Used for Backups) : Error
    TCP 65520 (Used for Mac Website) : OK
    TCP 65500 (Used for CA Website) : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2016 Essentials

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (TitleRequired.com) August 2016

    Version Info: Version: 2.07

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..

    Thanks Tim

  44. Brian says:

    I couldn’t get the connector software to install on Windows 10 Pro connecting to Server 2016. Kept giving me ‘server not available’ after entering the credentials. I used your PowerShell program and the only thing in error was TLS1.0. Been trying to get the connector to work for months. I had changed my IIS settings to only use TLS1.2, but it seems the connector only works with TLS1.0 (I know.. right?). I had to disable TLS1.2 and TLS1.1 and enable TLS1.0 in IIS registry to get connector to install.

    Hope this helps others out there.
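
Added example, not part of the comment above or of EssentialsTester.ps1: a read-only PowerShell report of the SCHANNEL protocol keys that the TLS change described in that comment touches, so the current state can be recorded before and after such a change. The function names are hypothetical; the script assumes an elevated PowerShell 3.0 or later session on the server.

```powershell
# Added example: reads the SCHANNEL protocol settings, changes nothing.

function Get-SchannelProtocolState {          # hypothetical helper name
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($name in $Protocol) {
        foreach ($role in 'Server', 'Client') {
            $key    = Join-Path (Join-Path $base $name) $role
            # A missing key or value means the protocol was never configured explicitly.
            $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $enabled           = $values.Enabled
            $disabledByDefault = $values.DisabledByDefault

            if ($null -eq $enabled) {
                $state = 'Not configured (OS default applies)'
            }
            elseif ($enabled -eq 0) {
                $state = 'Disabled'
            }
            else {
                # Any non-zero DWORD (1 or 0xFFFFFFFF) counts as enabled.
                $state = 'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

function Test-LegacyTlsOnlyServer {           # hypothetical helper name
    # True when the server role has TLS 1.2 explicitly disabled while TLS 1.0
    # is still usable: the configuration the comment above ended up with.
    $server = @{}
    Get-SchannelProtocolState |
        Where-Object { $_.Role -eq 'Server' } |
        ForEach-Object { $server[$_.Protocol] = $_.State }

    return ($server['TLS 1.2'] -eq 'Disabled' -and $server['TLS 1.0'] -ne 'Disabled')
}

Get-SchannelProtocolState | Format-Table -AutoSize

if (Test-LegacyTlsOnlyServer) {
    Write-Warning 'Server role: TLS 1.2 is disabled while TLS 1.0 is not disabled.'
}
```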

  45. Jan Didden says:

    At home I have a Windows Server 2012 Essentials server (not R2) and I have installed the connector software for Windows Server Essentials on all my PCs and portables. I think that at the time all my workstations were on Windows 7 and Windows 8 and there was no problem connecting the workstations.
    Now i want to connect my first Windows 10 Pro PC but the connector software keeps failing and i cannot connect this PC to my server.
    The connector seems to be working because i get several screens (finding server, getting started, username and password selection) but after i have entered a username and password i get the following error: Cannot connect this computer to the network. The server is not available. Try connecting this computer again, or for more information, see Troubleshoot connecting computers to the server.
    I have run the troubleshooter and that says that the binding is missing on the default web site.
    I don’t know if there is a link between this problem and the connector that’s not working.
    But how can i fix the missing binding error?

  46. You have an https binding missing.

    There is a comment about half way up the page for New-WebBinding that has some PowerShell syntax that may help. (October 27th 2015)

    • Jan Didden says:

      I have followed the instructions above resulting in these 3 bindings:
      1.
      Type: http
      IP address: All Unassigned
      Port: 80
      Host name:
      2.
      Type: https
      IP address: All Unassigned
      Port: 443
      Host name:
      Require Server Name Indication: UNchecked
      SSL certificate: HPMICROSERVER
      3.
      Type: https
      IP address: All Unassigned
      Port: 443
      Host name: HPMICROSERVER
      Require Server Name Indication: CHECKED
      SSL certificate:

      When I run your troubleshooter I get the following error:
      Checking IIS SSL
      Website Name: Default Web Site *:443:HPMICROSERVER
      SSL Certificate: Error: Does not match dashboard certificate

      I have added the HPMICROSERVER certificate resulting in these 3 bindings:
      1.
      Type: http
      IP address: All Unassigned
      Port: 80
      Host name:
      2.
      Type: https
      IP address: All Unassigned
      Port: 443
      Host name:
      Require Server Name Indication: UNchecked
      SSL certificate: HPMICROSERVER
      3.
      Type: https
      IP address: All Unassigned
      Port: 443
      Host name: HPMICROSERVER
      Require Server Name Indication: CHECKED
      SSL certificate: HPMICROSERVER

      Now your troubleshooter does not give any errors anymore.

      But my original problem (see comment September 18, 2017 at 9:49 am) still exists,
      When I try to connect a Microsoft Surface 3 with Windows 10 Pro to the Windows Server 2012 Essentials server (not R2) with the connector software I get the following error: Cannot connect this computer to the network. The server is not available. Try connecting this computer again, or for more information, see Troubleshoot connecting computers to the server.

      Any idea?

  47. Jim says:

    Hi Robert,

    I have a Windows Server 2016 Standard DC that has the Essential Role installed. It was brought up to replace an SBS 2011 server that has since been removed, I ran your script and I get the following errors:

    IIS
    Checking Virtual Directories..
    Content Path : C:\Program Files\Windows Server\Bin\WebApps\Site

    Checking AppPools..
    Pool Name : ConnectivityAppPool
    Enabled 32bit Apps : False
    .NET Version : v4.0
    State : Stopped

    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : Name Error
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : Errors Detected – ProgramData

    Everything else checks out..when running the connector on PCs (Windows 10) I get the error that the server is not available. Any suggestions?

    Regards,
    Jim

    • Looks like a few issues there, can you say what the history of the box is?

      • Jim says:

        Hi Robert,

        It is a new VM server, we just migrated from SBS 2011, I believe the CA was moved from the SBS server.

        Jim

      • Mike Webb says:

        Hi Robert,

        I’m seeing similar errors:

        Testing CA Name..
        Certificate Authority Online : OK
        Certificate Authority Name : Name Error
        Certificate Authority Cert : OK

        Testing /Connect Certificate Package..
        Connect Computer Certificate : Errors Detected – ProgramData

        My box was a SBS 2011 to Essentials 2016 transfer, I can’t find any information on Connect certificate, but I’m thinking it’s trying to use the certificate from SBS 2011 and that’s why it’s failing.

        Do you have any ideas on how to rectify this?

        Thanks

        Mike

      • Hi Mike, would need more info. Can contact me via https://windowsserveressentials.com/support

  48. Rudd van Deventer says:

    Thanks Robert,
    Script worked well in identifying my issues.
    I ran the script to check the install after we set the system up and no errors, very pleased man on this end!
    I had a bunch of things we planned so started on the list….Started trying to connect a NAS to my domain and installed iSCSI to services be able to integrate. This did not work and I decided to remove the role from my WSE 2016 – bad mistake!
    The removal trashed the setup and it was so bad that I could not get the dashboard to start fixing the mess. After looking at the avalanche of error messages I decided to roll back the server state.
    This has brought stability to the place but clients are faster at getting their data from the web through OneDrive than from the shared drives or folders.
    I ran your tool again and the ONLY outstanding issue is that it cannot find the CAROOT.cer file on the server – it is not there.
    Are these two issues related?

    Thanks,

    Rudd

  49. Ok, my dashboard is NOT opening..I assume it is due to multiple certs being in here? and if so how do I delete the baddies?

    Testing Dashboard Certificate..
    Current Dashboard Certificate : AB9352214B81B873861C309BA6D579FFCF638D0C A6861BA04608F5DF70226705E38806F628BD02E5 2C802A
    342F40CC6BA9DDD41A2E4061A40821752A
    Dashboard Certificate : ErrorAB9352214B81B873861C309BA6D579FFCF638D0C
    Dashboard Certificate : ErrorA6861BA04608F5DF70226705E38806F628BD02E5
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    • Yes, it is likely if you have multiple certs.

      Can you send a screen shot of the errors?

      • When I try to open the dashboard in S2012R2 it closes immediately after building the GUI.. with no errors on screen.. in the error logs I see this.

        Application: Dashboard.exe
        Framework Version: v4.0.30319
        Description: The process was terminated due to an unhandled exception.
        Exception Info: System.InvalidOperationException
        at System.Security.Cryptography.SHA256Managed..ctor()
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconCache.GetIconHash(System.Drawing.Icon)
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconCache.GetCachedIcon(System.Drawing.Icon)
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconProxy..ctor(System.Drawing.Icon, System.Drawing.Icon)
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.IconProxy.Create(System.Drawing.Icon, System.Drawing.Icon)
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.ExceptionHandler.Run[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](ProtectedCallback`1)
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.PageContent+ListPageContent`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].GetObjectIcon(System.Object)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.Details.DetailsView.OnObjectSelected(System.Object, Microsoft.WindowsServerSolutions.Administration.ObjectModel.ObjectSelectedEventArgs)
        at System.EventHandler`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Invoke(System.Object, System.__Canon)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.ConsoleUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
        at System.EventHandler`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Invoke(System.Object, System.__Canon)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.ConsoleUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.OnObjectSelected(System.Object, Microsoft.WindowsServerSolutions.Administration.ObjectModel.ObjectSelectedEventArgs)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.dataBoundListView_SelectionChanged(System.Object, Microsoft.MidMarketServer.UI.ConsoleListViewItemSelectedEventArgs)
        at Microsoft.MidMarketServer.UI.EventUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
        at Microsoft.MidMarketServer.UI.ConsoleListView.HandleReflectionNotify(tagNMHDR*, Int32 ByRef)
        at Microsoft.MidMarketServer.UI.ConsoleListView.WndProc(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
        at System.Windows.Forms.UnsafeNativeMethods.SendMessage(System.Runtime.InteropServices.HandleRef, Int32, IntPtr, IntPtr)
        at System.Windows.Forms.Control.SendMessage(Int32, IntPtr, IntPtr)
        at System.Windows.Forms.Control.ReflectMessageInternal(IntPtr, System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.Control.WmNotify(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
        at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr, IntPtr, Int32, IntPtr, IntPtr)
        at System.Windows.Forms.NativeWindow.DefWndProc(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
        at Microsoft.MidMarketServer.UI.ConsoleListView.WndProc(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
        at .SendMessageW(HWND__*, UInt32, UInt64, Int64)
        at Microsoft.MidMarketServer.UI.ConsoleListView.SetItemInfo(Int32, Microsoft.MidMarketServer.UI.ConsoleListViewItem)
        at Microsoft.MidMarketServer.UI.ConsoleListViewItem.set_Selected(Boolean)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectListViewIndex(Int32, Boolean)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectClosestItem(Boolean)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView+EntitySelectorAdapter.SelectEntity()
        at Microsoft.WindowsServerSolutions.Administration.ObjectModel.Internal.EventUtilities.RaiseEvent[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.EventHandler`1, System.Object, System.__Canon)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.OnRefreshDataCompleted(System.Object, System.EventArgs)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.listViewWorker_WorkComplete(System.Object, Microsoft.WindowsServerSolutions.Dashboard.Forms.Work.WorkCompleteArgs)

        Exception Info: System.Reflection.TargetInvocationException
        at System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
        at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
        at System.Delegate.DynamicInvokeImpl(System.Object[])
        at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry)
        at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(System.Object)
        at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
        at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
        at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry)
        at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
        at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
        at Microsoft.WindowsServerSolutions.Dashboard.Forms.Controls.AdminListView.WndProc(System.Windows.Forms.Message ByRef)
        at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
        at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
        at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
        at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
        at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
        at Microsoft.WindowsServerSolutions.Dashboard.Program.Main(System.String[])

  50. And then right above that error is this one:

    Faulting application name: Dashboard.exe, version: 6.3.9600.17393, time stamp: 0x54333ee9
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.18895, time stamp: 0x5a4b1cf7
    Exception code: 0xe0434352
    Fault offset: 0x00000000000092fc
    Faulting process id: 0x3214
    Faulting application start time: 0x01d3b6fc46e2ab4c
    Faulting application path: C:\Windows\system32\Essentials\Dashboard.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: 8fd39ff3-22ef-11e8-80fc-44a842421510
    Faulting package full name:
    Faulting package-relative application ID:

  51. Ok, re downloaded and here is the output:

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Essentials

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (TitleRequired.com) January 2018

    Version Info: Version: 2.10

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Location : http://SERVER/CertEnroll/WAI-WIRESERVER-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    CRL Download : OK

    Testing CRL Distribution Configuration..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Current Dashboard Certificate : AB9352214B81B873861C309BA6D579FFCF638D0C A6861BA04608F5DF70226705E38806F628BD02E5 2C802A
    342F40CC6BA9DDD41A2E4061A40821752A
    Dashboard Certificate : ErrorAB9352214B81B873861C309BA6D579FFCF638D0C
    Dashboard Certificate : ErrorA6861BA04608F5DF70226705E38806F628BD02E5
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Essentials

    Still shows two bad certs in the dashboard.

  52. slongmire says:

    Robert – I have been searching everywhere to solve my Certificate Authority Cert: Errors Detected – Local Machine Store. I am still running WSE 2012 (not R2). Reading the above thread I found the Registry contains one value for the LocalMachineCert, whereas the certsrv (Certification Authority (Local)) contains a completely different one – both based on the Windows ServerSolutionsComputerCertificateTemplate. Can I just copy the one from the certsrv over the entry in the registry to make them match? I certainly don’t want to do anything that would prevent the machine from booting! The Dashboard launches but several services that depend on Windows Server Search all fail because the search service fails immediately on launch.

    • You should be able to create a new one, I think it was a PowerShell command, add-wsslocalmachinecert

      I’d make sure you have a good backup as well so you can always go back.

      • slongmire says:

        Thanks for the quick reply. I did make an image backup and then followed your recommendation. The PowerShell admin window where I typed the command stayed open for about 3 seconds and then closed. I rebooted and ran the essentialstester (7-27-18) again and it reports Binding Missing: Default Web Site and Certificate Authority Cert: Errors Detected – Local Machine Store. Under Testing Dashboard Certificate – the value remains identical to the one I found before all this in the registry and is different from the one shown in certsrv, so I’m not sure whether the command given above had any effect at all or if I made some error. To rule this out – I tried it again after a cold boot by copying and pasting the command into admin powershell – but the results are the same.

      • slongmire says:

        Robert – I am feeling quite silly at the moment – I looked once again to see how to verify the Local Machine Store – and after opening Certificates(Local Computer)\Personal\Certificates ASUS-P5WDH (my servername) – I find that the thumbprint of this certificate DOES MATCH the value in the registry HKLM>Software\Microsoft\Windows Server\Identity except it is listed in lowercase in the mmc snapin and as an uppercase REG_SZ in the registry. So I am now well and truly confused why the essentials tester is reporting an error in the Local Machine Store.

        I apologize that I earlier confused thumbprint with serial number when trying to be sure these matched. Please advise what I must do next, thanks so much – Steve

  53. slongmire says:

    Robert – I did some additional investigating this weekend and found that I needed to follow more closely a Technet blog you published back in 2013. Once I did that, a new certificate was issued. However, new errors appeared when I ran the essentials tester after rebooting. The bindings of the web certificate and Mac websites were wrong – but I got those fixed easily enough – but – now the Errors Detected Local Machine Store include a Dashboard Certificate Error which was not present before. Checking the local machine store, the thumbprint of the new dashboard cert matches the one in the registry, and the dashboard launches ok. Below is the printout from the IIS Test and CA Test:

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected : Microsoft Windows Server 2012 Essentials
    Local IP Address : 192.168.10.10
    System Type : Domain Controller
    IPv4 DNS Servers : 192.168.10.10
    DNS Forwarder : 192.168.10.1, 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (WindowsServerEssentials.com) July 2018

    Version Info: Version: 2.22

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    5. Test Role Install
    0. Quit

    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Checking Virtual Directories..

    Checking AppPools..

    Checking ISAPI Filters..

    Checking IIS SSL..

    Checking TLS Version 1.0

    Checking for Web.Config Corruption..

    SFC Web.Config : OK

    Checking IIS Bindings..

    Binding Missing : Default Web Site

    Checking IIS Authentication..

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected : Microsoft Windows Server 2012 Essentials
    Local IP Address : 192.168.10.10
    System Type : Domain Controller
    IPv4 DNS Servers : 192.168.10.10
    DNS Forwarder : 192.168.10.1, 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (WindowsServerEssentials.com) July 2018

    Version Info: Version: 2.22

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    5. Test Role Install
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Location : http://ASUS-P5WDH/CertEnroll/sl-w-main-ASUS-P5WDH-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    CRL Download : OK

    Testing CRL Distribution Configuration..

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Current Dashboard Certificate : 5B3627E2CEC61873336943E8C8F88D71CCA45472
    Dashboard Certificate : Error : D8CB0F0D3765FFF0D268882BB8D35EE10E5F5E1D
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.
    I tried to resolve this by marking the original Dashboard certificate as revoked – superseded, rebooted, but the results are still the same.

    Please advise what I need to do to correct. All of the services start and run as expected. The dashboard launches.

    Thanks –

    Steve

  54. woburnchina says:

    Hi Robert, Great tool.

    Having difficulty connecting a new Win 10 Client PC to our Server 2012 r2 essentials using the connector. It finds the server but cannot connect. All the following are showing red but we are not expert server administrators and would appreciate some guidance on how to fix these SSL related errors.

    No other errors for all the other tasks.

    Tim

    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Connect Website : Error : 403

    Checking IIS Authentication..
    Directory : Default Web Site/Connect
    SSL Settings : Ssl

    Site : Default Web Site\Customization
    Authentication : digestAuthentication
    Enabled : False

    Site : Default Web Site\RDWeb\FeedLogin
    Authentication : windowsAuthentication
    Enabled : True

    Site : Default Web Site\RDWeb\Pages
    Authentication : digestAuthentication
    Enabled : False

    • OK, go into IIS Management.
      Expand Default Web Site, go to /Connect.

      In the right hand side find SSL Settings.
      Make sure ‘require SSL’ is unticked and the other setting is set to ignore.

      Under /Customisation, look at Authentication Settings, make sure only ‘Anonymous’ is enabled.

      Have you by any chance installed any additional features like RD Gateway Web Access?

      • woburnchina says:

        Hi Robert, I have spent a very long time trying to connect the Win 10 client, and thanks to your help, the issue has been resolved within minutes and the new client is connected – I am very grateful.

        Running the tester again on the server, the following items are showing red:

        Checking IIS Authentication..
        Site : Default Web Site\RDWeb\FeedLogin
        Authentication : windowsAuthentication
        Enabled : True

        Site : Default Web Site\RDWeb\Pages
        Authentication : digestAuthentication
        Enabled : False

        To answer your other question, yes, we have installed RD Gateway Web access.

        Tim

      • That is why those errors show as that role is not present or required by essentials.

  55. Chris Good says:

    Hi All,

    I have been trying for…months! to get my connector working again. Using the Config Tester I have managed to knock off as many errors as I can but I am still getting a 401 error. All clients can ping the server, I have tested clients connecting to fresh installs of server 2016 so I know it is server side.

    Checking Connect Site..

    Connect Website : Error : 401

    Any ideas?

    Thanks

    • 401 sounds like an authentication issue on the page. Can you post the actual error message?

      • Chris Good says:

        Hi Robert, in the end I created a from scratch sandbox and went through every IIS setting for all sites and I think it was a Windows authentication being turned on. Sadly I was at the end of my tether and at that point kept no change log but it’s working after a long long time so not complaining. Thanks for your really helpful tool, I had a few issues which this allowed me to work through. Thanks again :-)

  56. Fred says:

    Robert, How do I use the tool? I am having certificate problems with Windows Storage Server 2008 R2 after resetting the WD Sentinel DX4000 to factory settings. The name of the server changed and now I can’t access it and when I run the setup wizard i get Certificate Authenticity rejections.

  57. Paul R says:

    Hi Robert
    Thanks for the script – a light in a very dark space
    I did a migrate from an existing SBS2011 server to Windows 2016 with the Essentials role
    Only two servers – the DC and the Exchange
    All seems to be working – Exchange, DNS, DHCP etc but I fear the CA migrated badly.
    Your tool gives the all clear (as does pkiview) bar three lines which I am pretty certain are a result of the botched CA migrate
    I just wondered if you could shed any light on those errors as I cannot get the Connector to work and am having some weird errors due, I believe, to Certificate issues
    the errors are:

    Certificate Authority Name : Name Error
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : Errors Detected – ProgramData

    Understand the name difference (the old CA cert was migrated) but not sure how to get over the third as I believe it is why the computer connector cannot “find” the server.

    thanks in advance

    Paul R

    • I’m surprised the Essentials role installed with those errors present. Does the dashboard open?

      • mujikcom says:

        Yes and can be accessed both internally and externally as a remote app (I have third party FQDN SSL Certs on both Mail and Remote). Exchange Redirect in the Dashboard setup fine and is confirmed working. DNS and DHCP check out. DeltaCRL, AIA, CDP and CRT check out fine from pkiview.

        The only error I get from the Connector is the “ClientSetup: Call MachineIdentityManager.GetMachineStatus General: Failed to open IDENTITY registry key” which seems to suggest a CA issue, which is why I was interested in what your script is telling me. Obviously something is wrong but the MS tools seem to say all is good.

      • That key is created as part of the essentials install, it stores information about the CA (I think) and the local machine cert tied to the dashboard.

      • mujikcom says:

        Hi Robert

        Some more checking. Your script compares the $LocalCA variable to the results of get-childitem cert:\localmachine\my | where { $_.Subject -like "*-CA" }

        If I eyeball the results of both, the format might be different enough to throw the error? (see below)

        > $LocalCA =get-childitem cert:\localmachine\my | where { $_.Subject -like "*-CA" } | foreach { $_.Thumbprint } | out-string
        > C6CD46785AE035B6AE5AD3EBB1415B0EFBF58C24
        > 626CDA2CFD404ED84FEA0696EF747ED9A992916A
        > 1D9D482945C7E82B426A32B683C59E31711B304F
        > 16545BB3467F18D6CD4EAE4206ABEB172FC4678D
        > 0CFA37C4A64CFDE4FE88D5461CAB5710230B2080
        > get-childitem cert:\localmachine\my | where { $_.Subject -like "*-CA" }
        > Thumbprint                                Subject
        > ----------                                -------
        > C6CD46785AE035B6AE5AD3EBB1415B0EFBF58C24  CN=blanked-SERVER01-CA
        > 626CDA2CFD404ED84FEA0696EF747ED9A992916A  CN=blanked-SERVER01-CA
        > 1D9D482945C7E82B426A32B683C59E31711B304F  CN=blanked-SERVER01-CA
        > 16545BB3467F18D6CD4EAE4206ABEB172FC4678D  CN=blanked-SERVER01-CA
        > 0CFA37C4A64CFDE4FE88D5461CAB5710230B2080  CN=blanked-SERVER01-CA

        The CA name (because it has been migrated) is different to the machine name. AFAIK, this is not a problem but no doubt throws an error when you compare $CAName (which returns the CA Name) to $env:COMPUTERNAME (which returns the actual machine name).

        As mentioned before, this seems acceptable behavior.

        So both those are a bit of a furphy

        However, the output of $ProgDCA is

        > CD03F1486F359217266CB3D71A3DD47806D15BD4

        Which matches none of the above thumbprints. So my ROOTCA.crt is registered wrongly?

        At least I think I am heading in the right direction.

        Hopefully the above comments on your script helps some other poor soul out there.

        thanks

        Paul R
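
The comparison discussed in the comment above, written so that the textual form of a thumbprint (upper or lower case, spaces between bytes, the multi-line string produced by Out-String) cannot decide the result, and so that a missing CAROOT.cer is reported instead of raising the Get-Item error seen elsewhere in this thread. This is an added example, not code from EssentialsTester.ps1; the function names are hypothetical, thumbprints are assumed to be SHA-1 (40 hex characters), and the sample values are constructed. The file path, store path and `*-CA` subject filter are the ones quoted in the comments.

```powershell
# Added example; not taken from EssentialsTester.ps1. Function names are hypothetical.
# Requires PowerShell 3.0 or later.

function ConvertTo-ThumbprintList {
    # Turn any textual form of one or more SHA-1 thumbprints into 40-character
    # upper-case hex strings. Drops spaces between bytes, line breaks left by
    # Out-String, and invisible characters picked up when copying from the MMC.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return }
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -eq 0 -or ($hex.Length % 40) -ne 0) {
        throw "Not a whole number of SHA-1 thumbprints: '$Text'"
    }
    for ($i = 0; $i -lt $hex.Length; $i += 40) { $hex.Substring($i, 40) }
}

function Compare-Thumbprint {
    # Compare one reference thumbprint with a set of candidates after normalizing both.
    param([string]$Expected, [string]$Candidates)
    $want = @(ConvertTo-ThumbprintList $Expected)
    $have = @(ConvertTo-ThumbprintList $Candidates)
    if ($want.Count -ne 1) { throw 'Expected exactly one reference thumbprint.' }
    [pscustomobject]@{
        Expected       = $want[0]
        CandidateCount = $have.Count
        Match          = $have -contains $want[0]
        Ambiguous      = $have.Count -gt 1   # several same-named certs in the store
    }
}

function Test-CaRootAgainstStore {
    # Check whether CAROOT.cer is one of the "*-CA" certificates in LocalMachine\My.
    param(
        [string]$CaRootPath    = 'C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer',
        [string]$SubjectFilter = '*-CA'
    )
    if (-not (Test-Path -LiteralPath $CaRootPath -PathType Leaf)) {
        return [pscustomobject]@{ Status = 'CAROOT.cer missing'; Path = $CaRootPath }
    }
    try {
        $file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaRootPath
    } catch {
        return [pscustomobject]@{ Status = 'CAROOT.cer unreadable'; Path = $CaRootPath }
    }
    $store = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like $SubjectFilter })
    $thumbs = ($store | ForEach-Object { $_.Thumbprint }) -join "`n"
    $cmp = Compare-Thumbprint -Expected $file.Thumbprint -Candidates $thumbs
    $status = 'NoMatch'
    if ($cmp.Match) { $status = 'Match' }
    [pscustomobject]@{
        Status         = $status
        FileThumbprint = $cmp.Expected
        FileSubject    = $file.Subject
        Ambiguous      = $cmp.Ambiguous
        # One row per candidate, so expired or key-less duplicates stand out.
        StoreCerts     = @($store | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey)
    }
}

# Constructed sample values, not real certificates.
$regValue   = '0123456789ABCDEF0123456789ABCDEF01234567'                     # REG_SZ form
$mmcDisplay = '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'  # MMC form
$outString  = "89ABCDEF0123456789ABCDEF0123456789ABCDEF`r`n$regValue`r`n"    # Out-String form

# Plain string equality against the Out-String form, shown for contrast.
# PowerShell's -eq ignores case, so case alone is never the cause of a mismatch.
$regValue -eq $outString

# The same values compared after normalization.
Compare-Thumbprint -Expected $regValue -Candidates $mmcDisplay
Compare-Thumbprint -Expected $regValue -Candidates $outString

# Live check, only where the machine certificate store exists (a Windows machine).
if (Test-Path 'Cert:\LocalMachine\My') {
    $result = Test-CaRootAgainstStore
    $result | Format-List Status, FileThumbprint, FileSubject, Ambiguous
    if ($result.StoreCerts) { $result.StoreCerts | Format-Table -AutoSize }
}
```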

  58. AE B says:

    I am that poor soul. Thanks to this handy tool I’ve narrowed down the issues with vpn and a client connector to the certificate server. However, since everyone is working from home I am doing all I can just to keep the VPN up (it crashed last week and then again this week – with the dreaded 443 and 80 port blocks in Anywhere Access…I think I need to rebuild my certificate authority but I don’t want to do that right now because I am afraid it might lock everyone out (again.)

    I have multiple certs listed in the CertEnroll virtual directory. I think the bindings are correct because everyone (for the most part) is able to vpn in successfully. The connector is messed up because some people connect and I can see them online in the Dashboard, and some people connect and have access to network but they show as offline in the Dashboard.

    Here is my test report for the CA:

    Get-Item : Cannot find path ‘C:\ProgramData\Microsoft\Windows Server\Data\CAROOT.cer’ because it does not exist.
    At C:\Users\XXXXXX\Downloads\EssentialsTester.ps1:1121 char:17
    + … $cert = Get-Item “C:\ProgramData\Microsoft\Windows Server\Data\CA …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\ProgramData\…Data\CAROOT.cer:String) [Get-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemCommand

    Exception calling “Import” with “1” argument(s): “Array may not be empty or null.
    Parameter name: rawData”
    At C:\Users\XXXXXX\Downloads\EssentialsTester.ps1:1123 char:9
    + $certPrint.Import($cert)
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentException

    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Location : http://XXXXXXX/CertEnroll/XXXXXX-XXXXXXX-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    CRL Download : OK

    Testing CRL Distribution Configuration..

    It is normal to see some ‘File Not Found’ messages above when using this CmdLet (Get-CACrlDistributionPoint)

    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Current Dashboard Certificate : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Dashboard Certificate : OK

    Any advice on how to carefully and confidently fix my trust issues welcome.

  59. Phil says:

    Hi Robert

    I was pleased to find this script, so thank you.

    Tool provides lots of green text and very little red for me. However my WHS-2011 dashboard still shows my computers offline and not being backed up. I can’t even connect a new computer.

    Below are the results of the test on client and server.

    CLIENT

    *****************************************************************
    ** Essentials Server Configuration Tester (Client Version) **
    *****************************************************************

    OS Detected: Microsoft Windows 10 Pro

    IP Address :
    DNS Server :

    Enter the hostname of your Essentials Server :
    WHS
    Connecting to.. WHS
    IP Address Resolved: 192.168.232.202
    Client DNS Server : Error
    TCP 80 (Used for Websites) : OK
    TCP 443 (Used for Websites) : OK
    TCP 6602 (Used for Status) : OK
    TCP 8912 (Used for Backups) : OK
    TCP 65520 (Used for Mac Website) : OK
    TCP 65500 (Used for CA Website) : OK

    Review your results, items in red should be investigated.

    SERVER
    Note that I commented out line 1990 ($currentIP = get-netIPConfiguration) as get-netIPConfiguration is not supported in the PowerShell I am running.

    Test 1

    ************************************************
    * Essentials Server Configuration Tester *
    ************************************************

    OS Detected : Essentials2008
    Local IP Address :
    System Type : Member Server
    IPv4 DNS Servers :

    This tool will check your current Configuration against known Essentials Server Values.
    Written by Robert Pearman (WindowsServerEssentials.com) July 2018

    Version Info: Version: 2.22

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    5. Test Role Install
    0. Quit

    Enter Task..
    1
    Only Errors will be shown.

    Checking Websites..

    Checking Connect Site..

    Checking Virtual Directories..

    Checking AppPools..

    Checking ISAPI Filters..

    name : ASP.Net_2.0.50727-64
    path : %windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_filter.dll
    enabled : True
    enableCache : True
    preCondition : bitness64,runtimeVersionv2.0
    PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
    Location :
    ConfigurationPathType : Location
    ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0.50727-64′]
    Attributes : {name, path, enabled, enableCache…}
    ChildElements : {}
    ElementTagName : filter
    Methods :
    Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    name : ASP.Net_2.0.50727.0
    path : %windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
    enabled : True
    enableCache : True
    preCondition : bitness32,runtimeVersionv2.0
    PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
    Location :
    ConfigurationPathType : Location
    ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0.50727.0′]
    Attributes : {name, path, enabled, enableCache…}
    ChildElements : {}
    ElementTagName : filter
    Methods :
    Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    name : ASP.Net_2.0_for_V1.1
    path : %windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
    enabled : True
    enableCache : True
    preCondition : runtimeVersionv1.1
    PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
    Location :
    ConfigurationPathType : Location
    ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_2.0_for_V1.1′]
    Attributes : {name, path, enabled, enableCache…}
    ChildElements : {}
    ElementTagName : filter
    Methods :
    Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    name : ASP.Net_4.0_64bit
    path : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll
    enabled : True
    enableCache : True
    preCondition : runtimeVersionv4.0,bitness64
    PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
    Location :
    ConfigurationPathType : Location
    ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_4.0_64bit’]
    Attributes : {name, path, enabled, enableCache…}
    ChildElements : {}
    ElementTagName : filter
    Methods :
    Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    name : ASP.Net_4.0_32bit
    path : C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_filter.dll
    enabled : True
    enableCache : True
    preCondition : runtimeVersionv4.0,bitness32
    PSPath : MACHINE/WEBROOT/APPHOST/Default Web Site
    Location :
    ConfigurationPathType : Location
    ItemXPath : /system.webServer/isapiFilters/filter[@name=’ASP.Net_4.0_32bit’]
    Attributes : {name, path, enabled, enableCache…}
    ChildElements : {}
    ElementTagName : filter
    Methods :
    Schema : Microsoft.IIs.PowerShell.Framework.ConfigurationElementSchema

    get-webconfiguration : Filename: \\?\C:\inetpub\FusionPBX\web.config
    Error: Cannot read configuration file
    At C:\Apps\EssentialsTester.ps1:420 char:17
    + $isapif = (get-webconfiguration -pspath iis:\sites\* -filter “/system.webse …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-WebConfiguration], DirectoryNotFoundException
    + FullyQualifiedErrorId : System.IO.DirectoryNotFoundException,Microsoft.IIs.PowerShell.Provider.GetConfigurationCommand

    Checking IIS SSL..

    Checking TLS Version 1.0

    Checking IIS Bindings..

    Checking IIS Authentication..
    Site : vtiger\cron
    Authentication : basicAuthentication
    Enabled : True

    Site : vtiger\cron
    Authentication : clientCertificateMappingAuthentication
    Enabled : False

    Site : vtiger\cron
    Authentication : windowsAuthentication
    Enabled : True

    Site : vtiger\data
    Authentication : digestAuthentication
    Enabled : False

    Test 2

    Enter Task..
    2
    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : OK

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing Dashboard Certificate..
    Current Dashboard Certificate : 74BB8A8B9F73F65CD72820B0980F8093C1026503
    Dashboard Certificate : OK

    Testing CRL Download..

    Unable to fully Test Certificate Authority on this Operating System.

    Test 3

    Enter Task..
    3
    Testing Services on: WHS

    Active Directory Certificate Services : Running Auto
    WSS Addins Infrastructure Service : Running Auto
    WSS Client Computer Backup Provider Service : Running Auto
    WSS Client Computer Backup Service : Running Auto
    WSS Devices Provider : Running Auto
    WSS Domain Name Management : Running Auto
    WSS Health Service : Running Auto
    WSS Identity Management Service : Running Auto
    WSS Initialization Service : Stopped Auto
    WSS Media Streaming and HomeGroup Service : Running Auto
    WSS Networking Helper Service : Running Auto
    WSS Notifications Provider Service : Running Auto
    WSS Remote Web Access Administration Provider : Running Auto
    WSS Server Backup Service : Running Auto
    WSS Service Provider Registry : Running Auto
    WSS Settings Provider : Running Auto
    WSS SQM Service : Running Auto
    WSS Storage Service : Running Auto
    WSS UPnP Device Service : Running Auto

    I started WSS Initialization Service and it runs for a short time then stops.

    Test 4

    Enter Task..
    4
    Testing Service Ports on : WHS

    TCP 80 (Used for Websites) : OK
    TCP 443 (Used for Websites) : OK
    TCP 6602 (Used for Status) : OK
    TCP 8912 (Used for Backups) : OK
    TCP 65520 (Used for Mac Website) : OK
    TCP 65500 (Used for CA Website) : OK

    Test 5

    Enter Task..
    5
    Checking Installed Roles..

    The event viewer on the server has thousands of EventID 36878 SChannel
    The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is 0x80090325. The attached data contains the client certificate.

    I am out of my depth here and really appreciate some help.

    Regards, Phil

  60. Phil says:

    After a little more digging:

    I have uninstalled the connectors and removed the machines from the dashboard, and when I went to install the connector there were trust issues, which I overcame by importing a certificate from the server. That got the connector installed but no connections.

    On the server, in a log file named SharedServiceHost-AlertServiceConfig.2.log I see many entries with:

    ProviderFramework: Information: [0] : PfErrorHandler: IGNORING WCF internal exception: (SecurityNegotiationException) The remote certificate is invalid according to the validation procedure. ==> (AuthenticationException) The remote certificate is invalid according to the validation procedure.
    ChainTrustCertValidator: Certificate is not supported (not rooted from service’s root cert). Expected root ca thumb=[8A5ACC7CDA0305C6D6FF7E562648990D1B396DA8], Actual = [4AE72E0721BD0831DA2D96BB7ADC03FD8E75B673]

    Looking on the server at \Console Root\Certificates (Local Computer)\Personal Certificates I see 2x certificates with the server name followed by -CA

    Issued to WHS-CA, Issued by WHS-CA, Expiration date 7/03/2052
    Issued to WHS-CA, Issued by WHS-CA, Expiration date 25/05/2060

    Details for the one with Expiration date 7/03/2052 has thumbprint of 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
    Details for the one with Expiration date 25/05/2060 has thumbprint of 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73

    The 2 also appear in \Console Root\Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates

    In Certificate Authority, a right click on WHS-CA and looking at the properties, under General, shows 2x CA certificates:

    Certificate #0 with validity from 15/03/2012 to 7/03/2052 and thumbprint 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
    Certificate #1 with validity from 2/06/2020 to 25/05/2060 and thumbprint 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73

    These are the 2 mentioned in the log file.

    When I couldn’t get the connector installed on the client PC, I exported Certificate #1 to a file and then imported into the client. The connector install on the client was then successful.

    Looking on the client (WIN10 Pro) at \Console Root\Certificates (Local Computer)\Personal Certificates I see a certificate with the name of the client PC

    Issued to DELL, Issued by WHS-CA, Expiration date 18/08/2050
    It has a thumbprint of 49a921b7c43e63e78479bf1745aacd4d8e9496a7

    Looking on the client at \Console Root\Certificates (Local Computer)\Personal Certificates I see 2x certificates with the server name followed by -CA

    Issued to WHS-CA, Issued by WHS-CA, Expiration date 7/03/2052
    Issued to WHS-CA, Issued by WHS-CA, Expiration date 25/05/2060

    Details for the one with Expiration date 7/03/2052 has thumbprint of 8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8
    Details for the one with Expiration date 25/05/2060 has thumbprint of 4a e7 2e 07 21 bd 08 31 da 2d 96 bb 7a dc 03 fd 8e 75 b6 73

    That’s where I am stuck.

    It seems to be a certificate issue but I have no idea on how to remedy it so looking for assistance here.

    Thanks, Phil
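
The thumbprint comparison described in the comment above can be scripted. This is an added PowerShell example, not part of the original comment or of EssentialsTester.ps1; it assumes PowerShell 3.0 or later, the function names are hypothetical, and the log line is the one quoted in the comment (shortened before "Expected").

```powershell
# Added example (not from EssentialsTester.ps1). Function names are hypothetical.
# Log line as quoted in the comment above, shortened before "Expected".
$logLine = 'ChainTrustCertValidator: ... Expected root ca thumb=[8A5ACC7CDA0305C6D6FF7E562648990D1B396DA8], Actual = [4AE72E0721BD0831DA2D96BB7ADC03FD8E75B673]'

function Get-ChainTrustMismatch {
    # Pull the expected and actual root thumbprints out of a ChainTrustCertValidator line.
    param([Parameter(Mandatory)][string]$Line)
    $pattern = 'Expected root ca thumb=\[(?<expected>[0-9A-Fa-f]{40})\],\s*Actual\s*=\s*\[(?<actual>[0-9A-Fa-f]{40})\]'
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Expected = $Matches['expected'].ToUpperInvariant()
            Actual   = $Matches['actual'].ToUpperInvariant()
        }
    }
}

function ConvertTo-Thumbprint {
    # Normalise a thumbprint pasted from the certificate dialog: drop spaces and
    # any invisible characters so it compares equal to the log and store format.
    param([Parameter(Mandatory)][string]$Text)
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-RootThumbprint {
    # Build the chain and return the thumbprint of its last element. If the issuer
    # cannot be found locally, the last element is the certificate itself.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

$mismatch = Get-ChainTrustMismatch -Line $logLine
# A thumbprint typed the way the certificate dialog shows it matches after normalising.
$pasted = ConvertTo-Thumbprint '8a 5a cc 7c da 03 05 c6 d6 ff 7e 56 26 48 99 0d 1b 39 6d a8'
"Pasted thumbprint is the expected root: $($pasted -eq $mismatch.Expected)"

# For each machine certificate, report which of the two roots it chains to.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $root = Get-RootThumbprint -Certificate $_
    if ($root -eq $mismatch.Expected) { $verdict = 'chains to expected root' }
    elseif ($root -eq $mismatch.Actual) { $verdict = 'chains to root logged as Actual' }
    else { $verdict = 'other or incomplete chain' }
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint; Root = $root; Verdict = $verdict }
} | Format-Table -AutoSize
```

Run on both the server and a client, the table shows which certificates were issued under the older CA certificate and which under the renewed one.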

  61. Josh Zeman says:

    I’m having issues, too, but the PS script isn’t helping me. It’s crashing on both the server and the client. It shows “loading…” and then crashes.

    • What issue are you trying to solve?

      • iatoolman says:

        I finally got the script to work in PowerShell ISE administrator mode. It all works well, except the DNS server is in red. I don’t know why. I can’t get the clients to connect to the server. It’s shown as “offline” both ways. I had them connected last year and backing up and I checked the backups this week and found they haven’t worked since at least November. I can ping all clients from server and vice versa. After difficulty, I have anywhere access working again. I can view and use the files on the clients from the server and vice versa. I have tried every trick I can find to connect them. Every help article online from every source doesn’t help me. I’ve given up. My error is “the server is unavailable”

      • What errors are reported on the server?

      • iatoolman says:

        I got everything to work through a fluke. I was ready to reinstall the OS just to start from scratch. Even though I have technically been having problems for a year, I only started noticing and fixing this last week. I noticed the server had (for whatever reason) only one system image, and it was for one day earlier, well into my problems. I thought, “what the hell” and used it. And then it all worked. I now have every client re-attached. I first uninstalled any WS2012R2E connectors and related software. Then I manually addressed the client using the server as the primary DNS, and the router as the secondary DNS. Then I rebooted the client and downloaded the connector from the server. After an installation, and another reboot for good measure, everything is back to square one.
