Replies

mcbsys wrote:

When I visit that domain today, it shows that its certificate expired 9/16/2023.

As of 9/19/2023 10:30am PST, the certificate for https://dyndns.domains.live.com/service/livedyndns.asmx now shows as valid through 6/27/2024. In fact, that address returns a list of supported operations (screen shot).

Does that fix the Essentials issue?

Someone here says they get the “same error” after installing September updates. Since resolving DNS would not depend on whether an update is installed, I guess that they are talking about errors (re)configuring a domain via the dashboard. I haven’t tried that; in fact, I haven’t installed September updates yet at customer sites.

Update:  and now I see a comment (in German) here that the problem is an IIS page appearing instead of the RWA login page. I’ve had that problem since the beginning with Essentials 2016. You can set up a redirect to the /remote page–see Server 2016 Anywhere Access Shows IIS instead of Login Page.

Update 2:  Glancing through my blog post on this issue, I commented on 11/14/2022 that there was an issue with https://dyndns.domains.live.com/service/livedyndns.asmx. When I visit that domain today, it shows that its certificate expired 9/16/2023. I suspect that is related, perhaps the cause. A bit ironic that the certificate for the site that issues certificates has expired!

@Jesse, please be more specific:  are you unable to update the IP address after it has changed? Or is the yourdomain.remotewebaccess.com not resolving an IP address?

@sb, I don’t think that site tells us anything:  [www.]remotewebaccess.com is not supposed to work.

I have three sites that are still accessible via customerdomain.remotewebaccess.com, so the DNS seems to be resolving fine. The IP addresses of these customers pretty much never change, so I don’t know if the dynamic update part is working.

I wrote a short article to remind myself of DISM commands, including from a local source when you have to determine and specify an index:

https://www.mcbsys.com/blog/2019/06/dism-examples/

I’m also slowly moving towards a couple standards to make this kind of thing easier:

1. Install servers as VMs, even if it’s just one VM in a small physical server. This makes it easy to mount ISOs for the guest, but also to forklift the entire VM to another box in the event of a hardware issue.
2. Create a Ventoy USB stick with a few key files and leave it permanently plugged in to the server. This could be OS installers, hardware drivers, a Veeam recovery ISO, a Linux partition manager, etc.–basically anything that might be needed to build the server or do disaster recovery.

The HP Microserver that I built recently actually has an internal USB slot which is very handy for this. And Ventoy is a game-changer with its ability to boot from any of several ISOs on the same USB stick.

Re. legacy LAPS (which I helped a client deploy on a few hundred machines), I’m confused. Two quotes from this article:

“If you are deploying the April updates to an existing PC, remove the old LAPS app first.”

“Existing machines with LAPS already installed are fine — no action needed.”

I probably need to re-read and test, but I thought I’d ask for clarification first.

 

Correct syntax (if WordPress doesn’t mess up the quotation marks):

reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"

So now that December patches have been installed successfully (“Resolved KB5021235“), are we good to remove the temporary registry value? This should work, right?

reg delete “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature”

Seems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.

Thanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:

• Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
• Two Server 2012R2 machines shows lasss.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.

I don’t see any reboot requirement for applying this fix?

Business patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:

Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
Kdcsvc – 42 – Error

No reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.

What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?

[Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]

 

Coming back to this. I may have figured it out for  my case.

I discovered that if you run Wireshark on the server, you can filter on “dcom” and see the Auth level requested and in use. I’ve added AuthenticationHint and Auth level as columns (isystemactivator.properties,scmresp.authhint and dcercp.authlevel, respectively). Here we see “Packet integrity” is in use, but only on the initial connection (in the RemoteCreateInstance requests and responses):

Per this reference that AuthenticationHint=2 corresponds to RPC_C_AUTHN_LEVEL_CONNECT. So I’m requesting Connect and getting Packet Integrity, but only during the initial connection.

After increasing my DCOM proxy on the client to specify Packet Integrity, the AuthenticationHint increases to 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). More importantly, all the packets carry that Auth level = Packet integrity. So that is apparently what Packet integrity means, that every single packet has authentication info.

The thing that still seems odd to me is that even with the server set to enforce RequireIntegrityActivationAuthenticationLevel, it still wasn’t complaining (raising errors) when Auth level was set to Connect–maybe because that connection uses Packet integrity? I guess I could try setting the Authentication level to None to see if it would fail.

Okay Robert, gold star for you! Poking around in the client registry, I found

HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\SkipAutoDNSServerDetection

With that name, I was able to backtrack to

https://support.microsoft.com/en-us/topic/update-rollup-3-for-windows-server-2012-essentials-7e71b958-0b1c-25ba-7f60-4213a51186b1

also archived as KB2862551:

https://mskb.pkisolutions.com/kb/2862551

which talks about disabling DNS detection for a single client or at the server level for all clients (HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ClientDns\SkipAutoDnsConfig).

That article is about Rollup 3 for Essentials 2012. It’s not clear if that will work on 2016. The server key isn’t there on 2016. But I don’t see it on a 2012R2 Essentials box either.

This thread suggests that the registry “hacks” work on 2016 but only if you uninstall and reinstall the connector:

https://social.technet.microsoft.com/Forums/en-US/3f499dc7-182a-43b6-8f18-3feff862dc6d/windows-server-2016-essentials-overwriting-dns-servers?forum=winserveressentials

Well it’s worth a try!

Thanks everyone for your thoughts and suggestions.

 

Robert,

Thanks very much for chiming in.

Robert wrote:

Wasn’t there a registry key you could set to stop it doing that?

Would love for it to be that simple!

Robert wrote:

As I’m writing I’m remembering something about that needing to be set at connector install time.

I don’t recall seeing any related options in the setup wizard.

Robert wrote:

What do you mean it doesn’t always work setting it back to DHCP? That the service kicks in and sets it back to static?

The other way around:  it’s already static because you’re on site, but when you leave the LAN, it doesn’t revert to DHCP; it’s stuck on static. Which prevents the user from resolving anything on the Internet. So the service should detect that it’s off the LAN (maybe a failed ping to the IP of the server?), but it doesn’t.

Robert wrote:

Remind me, is there a service called WSS LAN Configuration on the client?

Not that I see. You mention the Windows Server LAN Configuration Service at the end of this article, but I guess that’s for 2012 R2 Essentials only?

https://windowspoweressentials.com/2013/06/17/unravelling-the-mystery-of-client-dns-with-essentials-family-servers/

 

I see this in one of the connected desktop’s ClientOperator.log:

[7912] 220808.212521.1989: ClientSetup: NetGetJoinInformation (server = [], …)

If I have time, I might try to take a laptop off site and check the logs for errors.

I posted on server-essentials.com about a week ago. The post showed awaiting moderation for a few days, then disappeared. Is that forum still active?