[This post comes to us courtesy of Swapnil Rane from Commercial Technical Support]

This post will reduce your efforts to identify which log to refer to and where to find it. This can be very useful when you are troubleshooting issues on an Essentials server. We have compiled a list of important logs and their associated wizards below. There can be issues where we may have to refer to multiple logs.

Server-side Logs:

In Windows Server Essentials 2012 and 2012 R2, the location of the log files is under %programdata%\Microsoft\Windows Server\Logs.

Service Integration Log Files:

Backup Log Files:

Storage and Devices Log Files:

Azure Backup Log Files:

Other Helpful Log Files:

Program and Service Quality Measurement Log Files:

Client-side Logs:

The client-side log files are located in the folder %programdata%\Microsoft\Windows Server\logs. They are as:

The above logs should be able to guide you through the process of troubleshooting effectively on Essentials relevant issues.

In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due limitations in the user account and password synchronization mechanism in Windows Server Essentials. 

I am happy to announce the re-release of the Windows August Update which was originally released on (8/12/2014, PST). This update adds support for both Azure Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.

For more information, please go to http://support.microsoft.com/kb/2974308. 

[This post comes to us courtesy of Swapnil Rane and Rituraj Choudhary from Global Business Support]

This post explains how to increase the logging level for the individual components of Server Essentials role for troubleshooting purposes. In order to accomplish this, we need to modify the Logging.config file. This file can be located at C:\Program Files\Windows Server\Bin on a Windows Server 2012 Essentials machine. On a Windows Server 2012 R2 Essentials this file is present at C:\Windows\System32\Essentials.

Make sure to save a backup copy of the file before modifying it. You need to change the ownership of Logging.configfile and give the user adequate permissions to save any modifications to it. You may use the following commands on an elevated Command Prompt to make modifications to the file:

For Windows Server 2012 R2 Essentials:

takeown /f C:\Windows\System32\Essentials\Logging.config
icacls C:\Windows\System32\Essentials\Logging.config /grant administrators:F
icacls C:\Windows\System32\Essentials\Logging.config /setowner "NT Service\TrustedInstaller"
notepad C:\Windows\System32\Essentials\Logging.config

For Windows Server 2012 Essentials:

takeown /f "C:\Program Files\Windows Server\Bin\Logging.config"
icacls "C:\Program Files\Windows Server\Bin\Logging.config" /grant administrators:F
icacls "C:\Program Files\Windows Server\Bin\Logging.config" /setowner "NT Service\TrustedInstaller"
notepad "C:\Program Files\Windows Server\Bin\Logging.config"

The file Logging.config is now ready for editing. Search for the string level= and replace the string next to level= to All if it is set otherwise. For example:

<add level="Warning" name="ProviderFramework">
<listeners>
<add name="DefaultTraceListener" />
</listeners>
</add>

Change it as:

<add level="All" name="ProviderFramework">
<listeners>
<add name="DefaultTraceListener" />
</listeners>
</add>

Changing the level to Allenables verbose logging. There are other values that the level can be set to, but mostly verbose logging is preferred, and can be achieved as mentioned above.

When the issue is reproduced subsequently, the logs at C:\ProgramData\Microsoft\Windows Server\Logsfolder should now contain verbose information.

Note: You may use the same procedure to enable verbose logging on the Essentials clients.

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support]

In our previous post, we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment.

In Windows Server 2012 R2 Essentials, VPN is deployed in a way that there is little requirement of manual configurations on the server or a client. Considering correct TCP Ports are open on the firewall and forwarded to the server, and VPN was enabled while running Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has proper protocols selected.

To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command:

Add-WindowsFeature –Name RSAT-RemoteAccess-MGMT

Let us now discuss some common issues with VPN connection.

Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.

If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes.

You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced.

Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network.

That should ensure that the network and internet connection are up and running.

Let’s look at another error.

Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

The reason for this connection failure could be either because 443 is not allowed on the firewall or there is a mismatch of certificate in RRAS and IIS (Default Web Site). To fix it, ensure that 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials, and that correct SSL certificate is bound to the Default Web Site for port 443, and the same is associated with SSTP port.

You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not.

To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site.

On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit.

On the Edit Site Binding page, click View.

On the Certificate window, chose Details and make a note of the Thumbprint of the certificate.

Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site:

Get-WebBinding | Where-Object {$_.bindinginformation -eq "*:443:"} | fl certificateHash

Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well.

If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA1CertificateHash /t REG_BINARY /<thumbprint recorded from previous step> /f

Once you ensure that the certificate on the Default Web Site and SSTP are same, this issue should have been taken care of.

Let’s look at the next error.

Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.

If VPN client is unable to obtain an IP address from the VPN server, you may see this error.

In Server Essentials, usually the DHCP is hosted on a different device. To workaround this error, open Routing and Remote Access console and open the server Properties.

On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope.

On certain occasions we have seen that the on premise client would show connected to the hosted Windows Server 2012 R2 Essentials, however there may not be any connectivity the between the VPN client and the Server Essentials. In such scenarios, enable and analyze additional Routing and Remote Access information logs at the %windir%\tracing directory.

Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer.

These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when VPN server settings or VPN client connectoid has been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.