April 30, 2013 Leave a comment
March 22, 2012 3 Comments
Another question from the forum prompted this post. The question related to disabling offline files for Desktop computers that never left the office after deploying the Win 7 Pro Pack. Read more of this post
September 27, 2011 20 Comments
(that’s not true i do know people who have already deployed it)
Far more common at least, is for it to be an issue with SBSe or WHS2011.
I wanted to put together a resource for people who are struggling to get this installed, not built by me, but a collation of forum posts, solutions and tips that should either fix the issues, or point you in the right direction.
So first off, you might want to have a quick read through of this, which is my own post on how the process should work. It also gives some guidance on what to do if the profile move doesn’t work.
You may also be interested to know where the log files are for the Connector Install..
Log File Location, C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Server\Logs
This is a hidden folder.
Windows Vista / 7
Log file location, C:\ProgramData\Microsoft\Windows Server\Logs
This is a hidden folder
Did you know about the SBS 2011 Log Collector Tool? You can read about that here
Troubleshooting the Installation
I thought it might be good to run through an install and try to monitor the logs and find out which log is most useful at which time.
The first log file, is Computerconnector.log, this shows a very high level progress indicator of the first steps of the install.
If you are a bit sad like me, and you do monitor the logs folder during a connector install, you will see the second log file to be generated is CSetup.log, which gives us a more detailed view of the early setup stages, for example when .NET 4 is installed.
You can also see that the CSetup.log file is 10kb, as opposed to Computerconnector.log 3kb.
When we get to the stage where you are prompted to enter your network username and password, we have a third log file. ClientDeploy.log,
This log file picks up from CSetup.log
You can follow the progress of the next stage of deployment through this log file. You can see things like the tasks to locate the SBS Server, configuration of the local NIC DNS settings, and you can also spot errors and problems.
The log shows it has found a duplicate machine name, so it pauses the Join Domain task, to give you a chance, in the GUI to confirm you want to continue
And now i have hit a problem.
What you can see from the log here is that there is an Access Denied condition when trying to join the domain.
Why would that be?
In this instance, as mentioned above, a machine already existed in the domain with this name. Therefore, to join this current machine with the same name, i would need certain Active Directory (AD) permissions, which a normal network user account doesn’t have.
So how come a normal user can add a computer to the domain usually?
Whilst i don’t have the full technical answer to that question, i imagine it is something to do with certain settings have been set so that ANY account has the right to join a computer to the domain, but only the Domain Admin has the permissions to reset a machine account password, remove a machine from the domain, or overwrite a machine account in AD.
So, the solution here to get a clean join, would be to ensure any duplicate machine names have been removed from the server, either by the dashboard or through AD directly. Or simply rename the computer.
That being said, you can work around this issue by installing the connector using the Domain Admin credentials, and that will work in this situation, but doing so has it’s own caveats described here.
You might say, well i haven’t had a complete install on this PC yet so how can it possibly have a duplicate name.
To that i would say – maybe the first time you tried it, it failed on a different error? You fixed that and now attempt it again, but didn’t know to remove the account from the dashboard?
On this client, i removed the computer from the Dashboard, and re ran the connect software, using the same, NON ADMIN credentials.
In this screen shot i highlighted in Blue, where we started in the last screen shot ‘Calling Join Domain’ and ended in Red on the ‘JoinNetwork Tasks Task Status’ in Red.
The GUI of the wizard now shows us we need to reboot.
After the reboot, it is a little trickier to keep track of the logs because ‘Explorer.exe’ is not loaded up yet and we have no way to browse the logs folder.
So, if you want to, hit CTRL-ALT-DEL and go into task manager.
From task manager, click File, New Task, and then you can type in the folder path to the logs folder. (you may need to put it into quotes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Server\Logs
At this point we still have just our 3 log files.
Looking at ClientDeploy.log again, we can see in Red where we left off, and then where the process continued, and finally in Green the reboot.
Let’s move on through the GUI and see what happens to the logs. I am going to leave all of the options on their defaults.
We can see the profile is migrated.
In the GUI i am setting to wake the computer for backup and I am setting that i want to participate in the Customer Experience program.
When clicking next in the GUI on the Customer Experience program page, the GUI will display ‘Connecting this Computer to the network’ with a nice progress indicator.
At this point our ClientDeploy.log file is finished up, and we can now see a new Log File appears, ClientCoreX86.msi.log
After a few minutes, you will see a whole host of new log files appears.
With any luck in the GUI you will then see this..
I’m guessing you may not have done, which is why you are reading this… So let’s go and have a quick look through the ClientCoreX86.msi.log,
We now have 19 Log files by the way… and i am slowly starting to regret getting into this. Anyway..
We know that ClientDeploy.log finished, and ClientCoreX86.msi.log took over. That then spawned all of these other logs, but looking at the size of ClientDeploy.log i would say that also had some more info appended.
Switching to details view, we can see in what order these logs were written to.
In the first stages of ClientCoreX86.msi.log we can see that UR1 for SBS Essentials is referenced, and installed.
Moving on you can follow a huge amount of detail in this log – far too much for me to interpret or comment on, but this will be the place to look if you get errors in your install at this point.
You may notice a reference to the other Colorado products..
(Cropped here to enlarge)
So NAS = Windows Storage Server 2008 R2… Nice.
You can follow the log file all the way though the installation of the Launchpad program and the setting up of things like allowing remote desktop to the machine. The other logs show the progress of individual tasks like adding of scheduled tasks or installing a backup driver. (not applicable on Windows XP)
When you have finished the installation, you will total 25 log files. The key ones for the installation have already been mentioned.
I hope that may of been some use to anyone struggling to find a reason why their connector may not install. If it doesn’t answer the question it may at least shed some light on where you can look for the answer. Of course failing that I have Susan Bradleys home address if you need it :p
Have a look at the links below if you need more specific help.
Client Connector Installation failures : links to forums and known solutions
Please feel free to send me any solutions i don’t have, i want to have as many as possible!
These links, have been highlighted as answering the issues in the OP, i am not making any guarantee they will solve your issue, this is just somewhere to link them all together.
Microsoft’s Official Troubleshooting Resource For SBSE Connector
Pending File Rename
Trust Relationship (Time Zone Error / Certificate Policy)
TechNet forum post (Time Zone)
TechNet forum post (Certificate Policy)
Username and Password Error
TechNet forum post (Username and Password)
TechNet forum post (Installation Cancelled)
WeGotServed forum post
TitleRequired.com Quick Fix: Installation Cancelled
Cannot Find ‘Temp Client’
WeGotServed forum post
Check the system time of both the server and the client. Check the Time Zone matches as well.
You shouldn’t need to use a static IP on the client machine, but it might help during troubleshooting.
Check for the overall health of your client PC. You don’t need a client to be fully patched, nor does it need the latest browser (examples above are all from IE6) but you do need a ‘healthy’ client. If you are having problems, take a backup, use tools like CCleaner, MalwareBytes, Look for issues on the client that stop it running normally rather than an issue with the Connector itself. A good example of that is from Eriq Neale, who had an issue with a machine installing the connector, which he traced back to a screwed up Task Manager.
Tips for a Migration
I have also seen some success on migrated computers, which are already in the domain but won’t install the connector, by creating a new local user, making that account a local admin, and then running the connect installer as that person.
August 11, 2011 22 Comments
The Windows 7 Professional Pack Add-in (Forever after called W7PP or Pro Pack) is a Free Add-in for SBS Essentials that Microsoft have developed and will be releasing on the 12th of August.
Whilst most Add-ins will work across the Suite of Colorado Products (SBS Essentials, WHS 2011 and Windows Storage Server 2008 R2 Essentials, try saying that after a few drinks) this one is specifically for SBS Essentials.
The Add-In simplifies configuration of Folder Redirection, Windows Firewall Settings and also Windows Update & Defender settings for client computers running Windows 7 Professional.
It does this by creating Group Policy Objects (GPO) by means of a Wizard, and targets Windows 7 Pro by means of a WMI filter, more on WMI Filters here.
Now, for the more experienced Administrator, that obviously means it is trivial to retarget these GPO’s to apply to any Domain Joined Client, however do keep in mind the Target Audience or market for SBS Essentials is that of the DIY’er Admin, someone who doesn’t know one end of a GPO from an OPG.
And just because we can doesn’t mean we should right? We’ve all seen Jurassic Park.
Anyway, i am going to cover the installation of the W7PP and detail the changes it makes, and what you can expect to see on your client machine, and also a little bit of troubleshooting as well.
So, having downloaded your W7PP and extracted it, you will be presented with the setup file. The file is called, Win7ProAddIn.wssx (you may need to unhide known extensions to see the .wssx)
Double click the file to start the installation, and the first screen is the License Agreement.
The next page is a simple choice, Install the Add-in or Cancel.
So let’s switch to the Dashboard now and see what has happened.
Go to the Add-ins tab, and you’ll see the W7PP. You can’t really do much here apart from Admire a job well done to get this installed. You can of course undo your handy work by uninstalling (remove) the add-in.
Since this is all about getting it working i am not covering the uninstall.
If we move along the tabs to the left, and go to Server Folders and Hard Drives, we can see no changes on this tab, no folders have been added.
Keep moving left, and onto the Computers and Backup tab.
On the right hand side we have a new option, Implement The Windows 7 Professional Pack.
Just installing this beast is not enough, we have to go all the way and IMPLEMENT!
So let’s click on the Implement W7PP link.
On the first page, we can read a little overview of what the implementation wizard will be doing. Click Next.
Enable Folder Redirection Group Policy. On this page we have the choice to choose whether to use Folder Redirection or not, and the choice of which folders to redirect. For example, you may not want to redirect someone’s My Music folder, and have 40gb worth of Abba tracks clogging up your new server. On the other hand you might like Abba, in that case its probably Ok. You can click to ‘Select All’ or cherry pick which ones you want to have redirected. Click Next When you are ready.
Folder Redirection allows a client computer to store data files and folders on a network share. The process is invisible to users. It is a way to make sure that all users documents and files are stored on the server, whether they save them to their ‘desktop’ folder or their ‘documents’ or in the company data share. It can also make it easier for users who move between computers, but when you don’t want the PITA that is Roaming Profiles.
Enable Security Policy Settings. Here we can choose if we want to let the W7PP control our Windows Update, Firewall and Defender settings. The default is to have all 3 selected. Click Next when you are ready.
The wizard will now run through and setup your policies and also add the folder to host the redirected folders.
With any luck you will see a green tick. Green means good.
So, let’s go back to the Dashboard and back to the Server Folders and Hard Drives tab, we can see we now have a new Shared Folder created.
FolderRedirection, this shared is located in your D:\ drive, and as you will see in the troubleshooting later on, its quite picky about that D:\.
If we right click the folder, and go to ‘View the Folder Properties’ we can have a look at the default settings.
On the General Tab, we have the name and description fields, a size total for the folder and a link to open the folder itself.
On the Sharing tab we can see the level of access our Users have to this folder.
NB. Don’t me tempted to change this – all will become clear later on.
If we go to the Computers and Backup tab, we can now see that the status of the W7PP is now ‘implemented’
Now, let’s open up the Group Policy Management Console, and we can run through the settings created by the Pro Pack. (Click Start, Administrative Tools, then find Group Policy Management Console)
If you are not familiar with the GPMC or GPO’s in general, i would strongly advise you not to play around with it. Group Policy is extremely powerful and can be used to good effect to create safe, secure, computing environments.
It can also be used to lock yourself out of your own network if you click the wrong thing. Be Warned!
If you expand, Forest, Domains, and finally yourdomain.local you will see a Tree structure that Mirrors what you would see in Active Directory Users and Computers (ADUC) Only this time you can see the GPO’s applied in the tree.
All Domains have a Default Domain Policy, even if you are experienced with GPO’s my advice is not to change the Default Domain Policy at all if you can avoid it. So let’s ignore that.
You can see now we have 2 policies created by the Implementation Wizard.
W7PVP Folder Redirection
W7PVP Security Templates
No, i don’t know what the V in PVP stands for.
W7PVP Folder Redirection
Left click on on the Folder Redirection Policy, and the details pane on the left will change to show you more specific info on this policy.
Folder redirection is a really useful feature, and you can find out more from this TechNet page http://technet.microsoft.com/en-us/library/cc732275.aspx
This is a warning, telling you if you make changes to the GPO – they will affect anything the GPO is currently linked to. So be careful.
You can click OK here.
Under Links, you can see where the policy has been Linked, Under Security Filtering, you can see which Groups or Accounts the Policy will affect (apply to) and WMI Filtering shows if any WMI filters have been applied.
WMI Filters and GPO’s are really powerful.
For example, a normal GPO without a WMI Filter will apply to any object below where it has been linked.
That is generally a good thing, but, if we wanted to change a setting on only a particular . group of computers, lets say computers running Office 2010, or if computers have a hard drive of X GB’s then a WMI filter can do that for us.
When the policy is applied, WMI will query the computer for the settings defined in your Filter, and if it matches then the policy will be applied.
WMI in itself is a massive topic and way way way beyond what we are talking about here, and ill follow up with a separate post about the WMI Filter used with the W7PP.
So moving on, we will ignore the Details tab, as this just shows us some info you will not need to worry about, and also the Delegation tab is for advanced targeting and security settings, which you will not need to use.
The Settings tab is the main one, and this shows us which settings have been set, and what the values are.
As you can see, nothing has been defined under ‘Computer Configuration’.
GPO’s are split into two sections, Computer Configuration and User Configuration. Pretty self explanatory, but settings defined under Computer Configuration apply to a Computer. Settings for Users apply to Users, regardless of which computer in the domain the user logs into.
User configuration will usually override Computer Configuration, but again GPO’s are a massive subject so you can do more research on Group Policy here.
Under User Configuration, we can expand the settings by clicking ‘Show’
Drill down under Folder Redirection, and you can see each folder that can be configured.
Clicking on Show on any of these folders will display the settings that have been chosen.
Each Folders Settings are split in two, You have a Path setting, and then an Options setting.
The path will be set to go to the new Folder created earlier, which is \\servername\FolderRedirection
You will then see %USERNAME%\Folder
%username% is a path Variable, and this tells the Client machine to create a folder under the path, using the users username.
So for example, if i log on as Don Funk, with a user name, DonF then the path to my redirected App Data folder will be
- The options are quite straight forward.
- Grant the User Exclusive Access to the Folder – Means no one else can view this folder
- Move the Contents of the Folder – Means if you have an existing local folder, then its contents will be moved over to the server.
Also, Apply redirection Policy to Win 2000…. Means do we want to use this policy along with Older OS’s. There are several considerations to make when you use this setting, which are beyond this post because this Add-in is only for Windows 7! but you can find a great resource here.
Under Policy Removal, there are also some straight forward settings, for what to do when the policy is removed.
Do we want to Leave the contents of the folder in place, or move it back to the local computer.
All of your Redirected Folders will have the same settings by default, which are,
- Grant the User Exclusive Access
- Move the Contents
Restore Contents on Policy Removal
W7PVP Security Templates
Moving straight on to the settings of this policy we can see we have settings defined under, Windows Settings, and Administrative Templates.
The Windows 7 Firewall settings are configured under ‘Windows Settings’ and ‘Administrative Templates’ and the Windows Update and Defender settings are just configured under Administrative Templates.
Windows Firewall with Advanced Security
This Windows 7 Firewall is very powerful indeed, and can be configured in a very in depth manner. The W7PP does not go to such lengths and just applies some basic firewalling to the client computers. That is to say, it blocks all incoming traffic, and allows all outgoing traffic. It applies these settings on Domain, Private, and Public networks.
Whilst i am security conscious I’m a little concerned that blocking incoming traffic whilst on the domain network might lead to having more issues that it solves, especially if Admins or Users in a small office are used to Sharing desktop printers or folders on each others machines. You could argue that the SBS Server is there to take over… but i am expecting people to trip up on this one.
Anyway going back to the GPMC we can review the settings that are applied.
- Firewall State – On
- Inbound Connections – Block
- Outbound Connections – Allow Moving down to the Administrative Templates,
Moving down to the Administrative Templates:
- Windows Firewall Protect All Network Connections – Enabled
That is it for the Windows Firewall settings. As i said, very basic settings.
Windows Defender is also controlled by the W7PP. There are 8 Available GPO settings for Windows Defender, but the only setting defined by the W7PP is
- Check For New Signatures before Scheduled Scan This is fairly straight forward and, of course will force Windows Defender to check for updates prior to running a scan.
- There are other settings available for use by GPO. I cannot find a definitive resource bearing the Microsoft logo though, so, you’re on your own for now!
Last but not least, Windows Update. Let’s run through which settings are being controlled:
- Allow Automatic Updates Immediate Installation
- Allow Non Administrators to receive notifications
- Configure Automatic Updates
- Enable Windows Update Power Management
- Turn On Recommended Updates
Allow Automatic Updates immediate installation. This is a policy i always disable. It is enabled here by default, and this worries me slightly because an update that is downloaded that may not need to reboot will auto install. This could happen during the work day and i have seen it cause problems with clients. I have never used this setting since Windows XP days.
Allow Non Administrators to Receive Notifications. This will be the little prompt in the system tray that tells users Updates are ready. Personally i also do tend to turn this off, as prompts to users generally means questions, and we don’t like questions do we?
Configure Automatic Updates. This setting is configured with Option 4. Download and Schedule the Install, and the install time is scheduled for 3am. The first one i agree with
Enable Windows Update Power Management. A brilliant feature brought in with Windows Vista, Gone are they days when you had to leave your computer running overnight so it would actually install the updates at 3am. Windows can now switch on the machine for you and install updates, and let power management put it back to sleep when it is finished.
Turn on Recommended updates. I don’t know what makes an update recommended as opposed to any other type. Suffice to say, by default, your going to get them.
You can find out more about controlling Windows Update behaviour through Group Policy here
So that pretty much covers the installation, implementation, and settings on the Pro Pack.
If we switch over to a Win7 Client PC now we can see some of the changes you will see on your machines.
Windows 7 Client Computer
Log on to your Windows 7 Machine, and launch an Elevated Command Prompt. (Right click CMD and click Run as Administrator)
If you are new to GPO’s then one command you really want to learn is GPRESULT. This will show us the status of Group Policy on our client computer.
So from our CMD prompt, run GPRESULT /R
Scrolling through the output, you will see, it is again split into Computer Settings and User Settings – almost like they knew we would be looking.
We can see some really useful information about the Client, the last time it applied Group Policy, and the Server (Domain Controller) it was applied from, the Site we are in and whether we are using a Roaming Profile. Some of this is only for larger networks however and not really important in an SBS Essentials network.
Moving down, we can see what policy is applied to our Computer, and which ones are filtered out.
The same is true for the currently logged on User.
We can see in this output the only policies that are being applied currently are the Default Domain Policy to the computer, and nothing to the user account.
Lets also look at the path to our My Documents folder, if we click on Start, the right click Documents, and click Properties.
We can see the path points to the local computer, c:\users\don
Now lets imagine we magically apply the W7PP, and reboot our PC.
The new GPO’s should be applied at start-up and logon (start-up for computer and logon for user)
You may notice your first logon after implementing the pack is longer than usual, that is because the computer is copying up the contents of your redirected folders at logon.
User wont know that though, they will just see a really slow logon.
Now, running another GPRESULT /R
We can now see that our W7PVP Policies are applied.
If we go back to look at the path of our My Documents folder, we can see that it now points to our FolderRedirection share on the server.
If we navigate to the shared folder we can see all of our redirected folders.
We can also just review the status of the Firewall, right click the network icon in the system tray, then go to Network and Sharing Center, in the bottom left, click Windows Firewall.
You can see a cream coloured bar saying that, For your security, Some Settings are managed by your System Administrator.
During the writing of this post i did come across a few issues.
Firstly, if you do not have a D:\ on your server and you choose to Redirect Folders, the implementation wizard will fail. You do not have the choice to move it to another drive, the wizard will just fail.
What to do if you have built your server with one big C drive?
I would hope that, you have some free space. So my advice today would be to create a VHD in Disk Management and Mount that as Drive D. You can find out how to do that from here (the link is for Windows 7 but the steps are the same)
NB. Do not use DISKPART unless you know what you are doing.
You might think that is a stroke of genius. You’re right. Unfortunately it doesn’t work.
Seemingly if you find yourself here you have strayed too far from the defaults and we know what means in SBS land.. you’re riding a segway on a cliff top, and we all know how that story ended right?
What does work however is Shrinking the C partition down and creating a new D partition in the free space. You can do this from Disk Management.
Whatever happens, You need a D and the only way it seems, to get the wizard to play nice is to get a D:\, from wherever you can!
Troubleshooting clients will be a little easier. First the basics, make sure your Server and Clients are in the same Time Zone (i assume they are physically, but logically, the computers clocks may be different)
Check your GPRESULT command, see what is and what is not applied.
Look in the event logs on the client PC, you will find most errors with GPO are usually something simple like NTFS or Share Permissions.
That links us in nicely with a little oddness from the Dashboard. If you remember earlier, we looked at our new FolderRedirection folder (on the Server Shares and Hard Drives tab)
It shows all our users had no access!
So how then, does Folder Redirection occur?
If we go into the Computer Management MSC console, we can look at the Share Permissions of the FolderRedirection folder. We can see here in the properties and on the Share Permissions tab, that Everyone has Full Control to the Share.
If we look at the Security tab at the NTFS permissions, we can see that Domain Users, have Read, Read & Execute and List folder Contents. We can also See a special permission is applied. That permission is create folders.
So, because our user has the Create Folder permission, we are allowed to create folders for Folder Redirection at logon. Then, because we created the folder, we are the owner, and the owner is granted Full Control of that folder by default.
But why does it show ‘No Access’ in the Dashboard? Good Question.
The answer is, i don’t know. What i can tell you is that on the other default shares, the user access settings result in an entry in the Access Control List on that folders security tab,
We don’t want that on the FolderRedirection folder as that potentially will grant access to other users folders once they have been redirected.
I hope you have enjoyed this run through the W7PP, please form an orderly queue at the download center.
In this follow up post i talk about how to use GPO and WMI on Windows XP and Windows Vista to get similar functionality.