-
mcbsys
AskWoody PlusSeptember 19, 2023 at 12:36 pm in reply to: Server Essentials dynamic DNS failing again (remotewebaccess.com) #2588375When I visit that domain today, it shows that its certificate expired 9/16/2023.
As of 9/19/2023 10:30am PST, the certificate for https://dyndns.domains.live.com/service/livedyndns.asmx now shows as valid through 6/27/2024. In fact, that address returns a list of supported operations (screen shot).
Does that fix the Essentials issue?
-
mcbsys
AskWoody PlusSeptember 18, 2023 at 10:49 am in reply to: Server Essentials dynamic DNS failing again (remotewebaccess.com) #2588159Someone here says they get the “same error” after installing September updates. Since resolving DNS would not depend on whether an update is installed, I guess that they are talking about errors (re)configuring a domain via the dashboard. I haven’t tried that; in fact, I haven’t installed September updates yet at customer sites.
Update: and now I see a comment (in German) here that the problem is an IIS page appearing instead of the RWA login page. I’ve had that problem since the beginning with Essentials 2016. You can set up a redirect to the /remote page–see Server 2016 Anywhere Access Shows IIS instead of Login Page.
Update 2: Glancing through my blog post on this issue, I commented on 11/14/2022 that there was an issue with https://dyndns.domains.live.com/service/livedyndns.asmx. When I visit that domain today, it shows that its certificate expired 9/16/2023. I suspect that is related, perhaps the cause. A bit ironic that the certificate for the site that issues certificates has expired!
-
mcbsys
AskWoody PlusSeptember 17, 2023 at 6:23 pm in reply to: Server Essentials dynamic DNS failing again (remotewebaccess.com) #2588047@Jesse, please be more specific: are you unable to update the IP address after it has changed? Or is the yourdomain.remotewebaccess.com not resolving an IP address?
@sb, I don’t think that site tells us anything: [www.]remotewebaccess.com is not supposed to work.I have three sites that are still accessible via customerdomain.remotewebaccess.com, so the DNS seems to be resolving fine. The IP addresses of these customers pretty much never change, so I don’t know if the dynamic update part is working.
-
mcbsys
AskWoody PlusI wrote a short article to remind myself of DISM commands, including from a local source when you have to determine and specify an index:
https://www.mcbsys.com/blog/2019/06/dism-examples/
I’m also slowly moving towards a couple standards to make this kind of thing easier:
- Install servers as VMs, even if it’s just one VM in a small physical server. This makes it easy to mount ISOs for the guest, but also to forklift the entire VM to another box in the event of a hardware issue.
- Create a Ventoy USB stick with a few key files and leave it permanently plugged in to the server. This could be OS installers, hardware drivers, a Veeam recovery ISO, a Linux partition manager, etc.–basically anything that might be needed to build the server or do disaster recovery.
The HP Microserver that I built recently actually has an internal USB slot which is very handy for this. And Ventoy is a game-changer with its ability to boot from any of several ISOs on the same USB stick.
-
mcbsys
AskWoody PlusRe. legacy LAPS (which I helped a client deploy on a few hundred machines), I’m confused. Two quotes from this article:
“If you are deploying the April updates to an existing PC, remove the old LAPS app first.”
“Existing machines with LAPS already installed are fine — no action needed.”
I probably need to re-read and test, but I thought I’d ask for clarification first.
-
mcbsys
AskWoody PlusCorrect syntax (if WordPress doesn’t mess up the quotation marks):
reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"
-
mcbsys
AskWoody PlusSo now that December patches have been installed successfully (“Resolved KB5021235“), are we good to remove the temporary registry value? This should work, right?
reg delete “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature”
-
mcbsys
AskWoody PlusSeems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.
-
mcbsys
AskWoody PlusThanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:
- Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
- Two Server 2012R2 machines shows lasss.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.
I don’t see any reboot requirement for applying this fix?
-
mcbsys
AskWoody PlusBusiness patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:
Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
Kdcsvc – 42 – ErrorNo reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.
What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?
[Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]
-
mcbsys
AskWoody PlusComing back to this. I may have figured it out for my case.
I discovered that if you run Wireshark on the server, you can filter on “dcom” and see the Auth level requested and in use. I’ve added AuthenticationHint and Auth level as columns (isystemactivator.properties,scmresp.authhint and dcercp.authlevel, respectively). Here we see “Packet integrity” is in use, but only on the initial connection (in the RemoteCreateInstance requests and responses):
Per this reference that AuthenticationHint=2 corresponds to RPC_C_AUTHN_LEVEL_CONNECT. So I’m requesting Connect and getting Packet Integrity, but only during the initial connection.After increasing my DCOM proxy on the client to specify Packet Integrity, the AuthenticationHint increases to 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). More importantly, all the packets carry that Auth level = Packet integrity. So that is apparently what Packet integrity means, that every single packet has authentication info.
The thing that still seems odd to me is that even with the server set to enforce RequireIntegrityActivationAuthenticationLevel, it still wasn’t complaining (raising errors) when Auth level was set to Connect–maybe because that connection uses Packet integrity? I guess I could try setting the Authentication level to None to see if it would fail.
-
mcbsys
AskWoody PlusAugust 9, 2022 at 11:34 am in reply to: Essentials 2016 connector without static DNS override? #2468764Okay Robert, gold star for you! Poking around in the client registry, I found
HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\SkipAutoDNSServerDetection
With that name, I was able to backtrack to
also archived as KB2862551:
https://mskb.pkisolutions.com/kb/2862551
which talks about disabling DNS detection for a single client or at the server level for all clients (HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ClientDns\SkipAutoDnsConfig).
That article is about Rollup 3 for Essentials 2012. It’s not clear if that will work on 2016. The server key isn’t there on 2016. But I don’t see it on a 2012R2 Essentials box either.
This thread suggests that the registry “hacks” work on 2016 but only if you uninstall and reinstall the connector:
Well it’s worth a try!
Thanks everyone for your thoughts and suggestions.
-
mcbsys
AskWoody PlusAugust 9, 2022 at 11:11 am in reply to: Essentials 2016 connector without static DNS override? #2468761Robert,
Thanks very much for chiming in.
Wasn’t there a registry key you could set to stop it doing that?
Would love for it to be that simple!
As I’m writing I’m remembering something about that needing to be set at connector install time.
I don’t recall seeing any related options in the setup wizard.
What do you mean it doesn’t always work setting it back to DHCP? That the service kicks in and sets it back to static?
The other way around: it’s already static because you’re on site, but when you leave the LAN, it doesn’t revert to DHCP; it’s stuck on static. Which prevents the user from resolving anything on the Internet. So the service should detect that it’s off the LAN (maybe a failed ping to the IP of the server?), but it doesn’t.
Remind me, is there a service called WSS LAN Configuration on the client?
Not that I see. You mention the Windows Server LAN Configuration Service at the end of this article, but I guess that’s for 2012 R2 Essentials only?
-
mcbsys
AskWoody PlusAugust 8, 2022 at 11:33 pm in reply to: Essentials 2016 connector without static DNS override? #2468667I see this in one of the connected desktop’s ClientOperator.log:
[7912] 220808.212521.1989: ClientSetup: NetGetJoinInformation (server = [], …)
If I have time, I might try to take a laptop off site and check the logs for errors.
-
mcbsys
AskWoody PlusAugust 8, 2022 at 10:33 pm in reply to: Essentials 2016 connector without static DNS override? #2468654I posted on server-essentials.com about a week ago. The post showed awaiting moderation for a few days, then disappeared. Is that forum still active?
![]() |
There are isolated problems with current patches, but they are well-known and documented on this site. |
SIGN IN | Not a member? | REGISTER | PLUS MEMBERSHIP |

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Search Newsletters
Search Forums
View the Forum
Search for Topics
Recent Topics
-
Reddit is removing the option to prevent Reddit from tracking ..
by
Alex5723
31 minutes ago -
Vivaldi for iOS and iPadOS released
by
Alex5723
35 minutes ago -
Windows 11 attempted update to 22H2 results in Error Code 0x8024001e
by
Tiernan
7 minutes ago -
lock screen goes black after ~ 25-30 secs.
by
krism
57 minutes ago -
Need File Location Which Lists Default Apps Used
by
HARLEYMAN124
3 hours, 17 minutes ago -
Canadian’s identify alternative tape that prolongs life of laptop batteries
by
Kathy Stevens
10 hours, 43 minutes ago -
Browswers and Windows 11
by
WSG
11 hours, 7 minutes ago -
Advice on whether to upgrade to Windows 11
by
millerah
11 hours, 40 minutes ago -
Linuxmint LMDE 6 Officially Released
by
Microfix
27 minutes ago -
Edge browser – ad quality concern
by
doriel
14 hours, 11 minutes ago -
Strange problem after upgrade from Win10Pro 22H2 to Win11Pro 22H2
by
JohnH
1 hour, 46 minutes ago -
Return Full Context Menus to File Explorer
by
RetiredGeek
1 hour, 49 minutes ago -
Unusual Activity on Startup
by
Kenneth Stephens
9 hours, 48 minutes ago -
Windows Backup – incremental possible?
by
colin_thames
1 day, 10 hours ago -
New HD addition??
by
weendoggy
1 day, 1 hour ago -
Defcon 4 and Windows 11
by
cmar6
1 day, 17 hours ago -
Add-ins keep disappearing
by
hession
1 day, 15 hours ago -
MS-DEFCON 4: Is Windows 11 really a disaster?
by
Susan Bradley
6 hours, 7 minutes ago -
The Takahē is not extinct afterall
by
lylejk
2 days, 2 hours ago -
How to unbloc W10pro from moving to W11
by
hession
2 days, 16 hours ago -
Windows 11, Surface, and Windows Copilot
by
Will Fastie
16 hours, 37 minutes ago -
Why File Explorer keeps me on Windows
by
Josh Hendrickson
3 hours, 9 minutes ago -
Uninstalr — “World’s best cup of coffee”
by
Deanna McElveen
4 hours, 27 minutes ago -
Locked out of your refurbished computer?
by
Susan Bradley
10 hours, 30 minutes ago -
Thunderbird 115: Changing font size in the Message Panel
by
WCHS
3 hours, 49 minutes ago -
Lenovo ThinkPad not updating to Windows 11 22H2
by
Gordski
15 hours, 36 minutes ago -
Android Security
by
Magic66
2 days, 17 hours ago -
What happened to the manual?
by
Susan Bradley
2 days, 8 hours ago -
OK to Restore Files From a Possibly Hacked Computer?
by
kc27
1 day, 1 hour ago -
Startup loop after adding new user and installing File Explore Patch
by
PFC
4 days, 8 hours ago
Recent blog posts
Key Links
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.