Windows Server Essentials – Configuration Troubleshooter

I had a support case this week where it became apparent to me that there is no quick and easy way to test Essentials Servers for configuration errors. Manually working through IIS or Certificates is prone to human error, as was proved to me by me missing certain key things.

Uncharacteristically I decided to write a PowerShell script to save me from this sort of embarrassment in the future, and make me look really good next time I need to troubleshoot an Essentials Server.

You can download the tool from here, and I am very interested to hear how it works for you.

If you have already downloaded it, I have updated the tool so you should download it again!

What does the tool do?

Well, it checks a number of things that I have found are the key things that make an Essentials Server tick. That is IIS and MOST IMPORTANTLY, Certificate Services.

I knew that the CA was pretty significant to an Essentials Server, but I didn’t know just how deep that significance went. In your Local Machine Certificate Store you have a number of Certificates; perhaps the most important file on the whole server (aside from perhaps ntds.dit) is your Certificate Authority Root Certificate. Without that, you cannot correctly reinstall the CA, and without that CA, you can’t do anything. It is not just a case that you can’t reinstall the CA; you can. The CA requires a specific name, and if you reinstall and generate a new key, the name is not likely to remain correct.

There may well be a way to get around even that scenario by hacking the crap out of AD, but honestly, I think I might take a reinstall over that.

That was a bit of a side track, so, again, what does this tool do?

Firstly it will decide if you are running on Essentials 2011, 2012 or 2012 R2.

It will then give you the choice of testing IIS or your CA. If you choose to test your IIS Configuration, it will inspect your Web Site Configuration, your Application Pools, Virtual Directories and ISAPI filters as well as your Web Site Bindings.

When you check the CA, it will check that the CA is available, that it has the right name (that is important), and that the certificate set in the Registry for the Dashboard matches what you have in your Local Machine Store. It will even download a copy of the CRL from your server and test that it is publishing the right information.
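One way to write the CRL download step so that a failure reports the URL and HTTP status and is never followed by an "OK" result, as an added example that is not code from EssentialsTester.ps1. The function name `Test-CrlDownload`, its parameters and the scratch file name are assumptions, and the `certutil -dump` filter assumes English-language output.

```powershell
# Added example: Test-CrlDownload is a hypothetical helper, not part of EssentialsTester.ps1.
function Test-CrlDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Source,   # CRL URL as published by the CA
        [string]$Destination = (Join-Path $env:TEMP 'crl-test.crl')   # assumed scratch path
    )

    $result = New-Object PSObject -Property @{
        Url = $Source; Downloaded = $false; HttpStatus = $null; Parsed = $false; Detail = ''
    }

    $wc = New-Object System.Net.WebClient
    try {
        $wc.DownloadFile($Source, $Destination)
        $result.Downloaded = $true
    }
    catch {
        # PowerShell wraps the .NET error; walk down to the WebException to read the status.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response -is [System.Net.HttpWebResponse]) {
            $result.HttpStatus = [int]$ex.Response.StatusCode   # e.g. 403 or 404
        }
        $result.Detail = if ($ex) { $ex.Message } else { $_.Exception.Message }
        return $result   # stop here: never report success after a failed download
    }
    finally {
        $wc.Dispose()
    }

    try {
        if ((Get-Item $Destination).Length -eq 0) {
            $result.Detail = 'Downloaded file is empty'
            return $result
        }
        # certutil ships with Windows; a non-zero exit code means the file did not decode.
        $dump = & certutil.exe -dump $Destination 2>&1
        $result.Parsed = ($LASTEXITCODE -eq 0)
        # Keep the validity window so it can be compared with what the CA should publish.
        # Assumes English certutil output.
        $result.Detail = ($dump | Select-String -Pattern 'ThisUpdate|NextUpdate' |
            ForEach-Object { $_.Line.Trim() }) -join '; '
    }
    finally {
        Remove-Item $Destination -Force -ErrorAction SilentlyContinue
    }
    return $result
}

# Usage (placeholder URL, substitute the CRL location your CA publishes):
# Test-CrlDownload -Source 'http://<server>/CertEnroll/<CA name>.crl' | Format-List
```

A result with `Downloaded = $false` and an `HttpStatus` of 403 or 404 points at IIS (bindings, the CertEnroll virtual directory, request filtering) rather than at the CA itself.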


It compares all of this information to ‘Defaults’ and lets you know where you may have problems.


I have run it against SBS 2011 Essentials, Essentials 2012, and R2, and it has identified the deliberate errors I have introduced and reported back correctly once those have been repaired.


I haven’t made it to be an exhaustive tool of everything that could possibly go wrong on an Essentials Server; it really is just focussed on IIS and the CA, and even then it may not cover every scenario. Hopefully, if you do come across a broken Essentials Server, using this will do enough to point you to the fix, or at least help to rule some things out.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

52 Responses to Windows Server Essentials – Configuration Troubleshooter

  1. Just came across this tool, after having issues with a brand new server Essentials…

    I get a ton of errors when running the CA tests….any idea where to start looking/reading to fix these?

    Testing CA Name..
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\gregh\downloads\EssentialsTester.ps1:800 char:17
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

    Get-ItemProperty : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:801 char:32
    + $CRLDownload = Get-ItemProperty $destination
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Get-ItemProperty], ItemNotFoundExcepti
    on
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

    CRL Download : OK
    Remove-Item : Cannot find path ‘C:\windows\temp\crl.crl’ because it does not exist.
    At C:\users\gregh\downloads\EssentialsTester.ps1:803 char:17
    + Remove-Item $destination -Force
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\windows\temp\crl.crl:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    Testing CRL Distribution Configuration..
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : Error
    Dashboard Certificate : OK
    Dashboard Certificate : Error
    Dashboard Certificate : Error
    Dashboard Certificate : Error

  2. Alan Pendlebury says:

    Hey Robert, thank you for your post. I am 99% done with this configuration, but when I ran your tool I got this message. Any idea where to start looking at this?

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..
    2
    Testing CA Name..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    Certificate Authority Online : OK
    Certificate Authority Name : OK
    Certificate Authority Cert : Errors Detected – Local Machine Store

    Testing /Connect Certificate Package..
    Connect Computer Certificate : OK

    Testing CRL Download..
    CRL Download : OK

    Testing CRL Distribution Configuration..
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    419.6336.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.2132.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    437.625.0:: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    CRL Extension (CDP) : OK
    CRL Extension (CRL) : OK

    Testing Dashboard Certificate..
    Dashboard Certificate : OK

    Review your results, items in red should be investigated.

    ************************************************
    * Essentials Server 2012, Configuration Tester *
    ************************************************

    OS Detected: Microsoft Windows Server 2012 R2 Standard

    This tool will check your current Configuration against known Essentials 2012 Values.
    Written by Robert Pearman (TitleRequired.com) February 2014

    Version Info: Version: 1.7

    1. Test IIS
    2. Test CA Infrastructure
    3. Test Services
    4. Test Service Ports
    0. Quit

    Enter Task..

    • Is the Dashboard opening ok?

      • Alan Pendlebury says:

        Yes it opens ok. I can go to the domain name internally, but I cannot get it to render by dns or IP externally. I can also get to the connect page to download the connector internally but not externally. The configuration wizard, gives me the error saying Anywhere access to your server is blocked, that port 80 and 443 are blocked, but they are open on the firewall. It also tells me that Port forwarding is not configured correctly on your router, which it is. I read some more on these errors on Microsoft partner network, and they said that they can be ignored. I think I have a cert or a routing issue. The cert is installed correctly, at least I think, though I do not know what I am missing on the routing, cause I thought I covered everything.
        Thank you,
        Alan

      • Sounds like you have not opened the ports on your router, given that it is not working externally and you have those errors. At the very least confirm your server’s internal IP and check port forwarding on your router. It is also possible your ISP are blocking these ports. If the dashboard opens you may be able to discard the certificate error in the tool.

      • Alan Pendlebury says:

        Hey Robert,
        It was a firewall issue, the firewall rules were in place, but not working cause the firewall needed a firmware update. Once I updated the firmware on the firewall, then everything worked.

        Alan

  3. Susan E Russel says:

    Thanks so much for this tester. I get four errors:

    1. Certificate Authority Name: Name Error
    2. Dashboard Certificate: Error
    3. WSS Initialization Service: Stopped (Which I can start)
    4. TCP Port 65500 (Used for CA Websites): Error (I use 65510)

  4. Ken says:

    I received a 403. Great tool, BTW. I’m just trying to figure out how to re-test the HTTP request. One thing I like to do in my scripting is to echo the call if it returns an error. All we see below is that it happened, and roughly where, but we can’t see the HTTPS call it made.

    Testing CRL Download..
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (403) Forbidden.”
    At C:\Users\administrator.THETECHGUYS\Downloads\EssentialsTester.ps1:802 char:17
    + $wc.DownloadFile($source,$destination)

  5. birdman895 says:

    I do not have much experience in the areas of scripts and PowerShell. I am having an issue with multiple client PCs losing the Trust Relationship with the domain. After searching the forums and TechNet for information I found some references to your script, but… No matter what I do I keep getting this error.

    I followed instructions to change the execution policy;

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

    And then ran the script

    PS C:\Windows\system32> F:\ServerFolders\Networking\EssentialsTester.ps1
    F:\ServerFolders\Networking\EssentialsTester.ps1 : File F:\ServerFolders\Networking\EssentialsTester.ps1
    cannot be loaded. The file F:\ServerFolders\Networking\EssentialsTester.ps1 is not digitally signed. The
    script will not execute on the system. For more information, see about_Execution_Policies at
    http://go.microsoft.com/fwlink/?LinkID=135170.
    At line:1 char:1
    + F:\ServerFolders\Networking\EssentialsTester.ps1
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

    What am I doing wrong?
    Alan

    • Right click the downloaded ps1 file, go to properties and make sure you click Unblock.

      I am not sure this script will be much help to diagnose Trust issues. Do you have a thread open on the TechNet forum?

      • birdman895 says:

        Thanks for answering. Yes I do have a thread on the Windows Server 2012 Essentials forum. But, I came in this morning and those 3 client PCs with the trust issue are able to log in to the domain WITHOUT the trust issue. Don’t want to “look a gift horse in the mouth” but would like to know why:\. Only thing that changed was more Windows updates being installed.
        Alan

      • Link to the thread?
        Difficult to say really, I have seen inexplicable trust issues on Windows 7 clients on a number of domains.

  6. birdman895 says:

    Also, I did “Unblock” your file and it is running just fine.
    Thanks

  7. alerosmile says:

    Hi,
    Can you tell me why the name of the CA is important?
    Thanks

  8. James Brewster says:

    Hi Robert,
    I ran the test and the WSS Cert Server was showing Red status. I did a test in IIS Mgr in the Basic Settings Properties and the Pass-Thru authentication failed on the WSS Cert. Server Service folder? I replaced the Owner and amended permissions on the Folder and it still fails. If I change the Authentication to a specific user it works, but Connector Tool still does not? Any help appreciated.

    • I think those settings are as they should be, and if I remember correctly that test will fail.

      Can you put those settings back as they were and then rerun the test and post a screen shot?

  9. Hi Robert,

    I have a client that runs Server 2012 R2 Essentials server. After the initial client machines were connected and configured, the client wanted to set up Anywhere Access with a self signed cert, and tried various methods of installing the cert using IIS, all of which failed. Later, they installed a commercial cert. All original certs were left in the server. Anywhere access and every part of the network works fine, however, when you attempt to connect a new computer using the Essential Connector application (https:///connect ), it fails to run successfully.

    The connector page shows, and the connector tool downloads fine, but when it runs, it says it can’t find the Essentials server. If I point it to the correct server, it says it can’t get the information from the Essentials server. I have run Robert Pearman’s EssentialsTester.ps1 script, and it indicates the following problem:

    Testing CRL Download..
    CRL Location : http://serverxxx/CertEnroll/XXXX-serverxxx-CA.crl
    CRL Destination : c:\windows\temp\crl.crl
    Exception calling “DownloadFile” with “2” argument(s): “The remote server returned an error: (404) Not Found.”
    At C:\users\admin\Documents\EssentialsTester.ps1:849 char:9
    + $wc.DownloadFile($source,$destination)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
    CRL Download : Failed

    All other aspects of the tester seem to pass successfully. Any advice on how to resolve this issue? All help would be greatly appreciated.

    Brian

    • If you go to that URL in a browser, does it download the file or give an error?

      • If I go to https://servername/connect, it downloads the file. The file will start, but doesn’t “find” the essentials server. It defaults to the second option on the screen that asks what server, using the IP address. I can have it find the correct server in the first (top) option, but it says it can’t get the information it needs from the server and to contact the administrator.

      • Perhaps, I misunderstood with my earlier reply. Did you mean the URL for the connector, for the CRL Location, or the CRLDestination?

      • Brian Weinberg says:

        The CRL Location URL fails with a 404 error, when accessed from the client PC.

    • Also, if you could, please edit my original post to change the initial part of the .crl name to be XXXXX. I would appreciate it. Same with the username. Thanks. Your blog doesn’t allow me to edit the original post.

      • Did you reinstall Certificate services at all?
        It sounds like the CRL is either not being published correctly in CA, or the file is there but IIS is blocking it.

        If you go into IIS can you see the virtual directory for CertEnroll?

  10. Brian Weinberg says:

    I can’t say what was done prior in any detail regarding trying to use the self-signed cert, other than what I outlined above. I do know that they tried using the IIS tools to set up the self signed cert, as opposed to the Essentials wizard for installing a commercial cert using the Anywhere Access wizard. I have since run the Anywhere Access wizard to install a commercial cert.

    I do see the virtual directory for CertEnroll in IIS.

  11. I do have four files listed. Two CRL files, one .asp, and one .crt.

    The 404 page says: Not Found. HTTP Error 404. The requested resource is not found.

    • Not sure how much more help I can be through forum type support. I’d offer to log on and take a look if that is something you are interested in.

      • That could work. How do you propose we arrange this?

      • Drop me an email.

      • Brian Weinberg says:

        Forgive me, Robert, but I can’t find your email anywhere on your site. You have mine, included in the post information, if you can shoot me an email, we can set something up. Thanks so much!

        Brian

      • Due to Robert’s brilliant help on this, we tracked the problem down to two things. Not only was the wrong cert being used, but, the HTTP: binding for the default site had somehow had the Host Name field filled with “Default Web Site,” which prevented all access to the crl. Once the field was made blank, and the correct cert in place, restarting the IIS services enabled everything to work correctly.

        Robert, I can’t thank you enough for this!

  12. irishtechnomonster says:

    Hi Robert, I’m a bit of a novice when it comes to Windows Server 2012 but I’m having an issue where none of the client computers are backing up. I’m seeing a NotConfigured error in the event logs on the client machines although from what I can see it is configured correctly. There is very little info on this problem in google land but I came across this site on my travels. I ran the configuration tool on the server with no errors but I got a ‘Client DNS Server’ error when I ran it on one of the clients. Problem is I’m not sure how to troubleshoot that or even if it is related to the backup issue. Any help you could offer would be greatly appreciated!

    • The client should use the server’s IP as a static DNS entry.

      What do they have?

      • irishtechnomonster says:

        Hi Robert, thanks for the reply! Sorry I didn’t see it until now. I checked the ipv4 properties in adapter settings on the client and it’s set to obtain DNS server address automatically. Should I set this to the server’s IP?

      • irishtechnomonster says:

        I ran your essentials tester script on the client and am getting an error for the Client DNS Server. I tried setting the DNS IP to the server’s IP but I get the same result.

      • irishtechnomonster says:

        I’ve fixed the Client DNS Server issue (had to disable ipv6) and now script returns all ok. Unfortunately, the backup issue remains…
