RE: Several Problems; how to reset security and troubleshoot serve
- From: Robert Ozone <RobertOzone@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 20 Apr 2006 16:25:01 -0700
Jenny, There is no error or action when I click on either "Offer Remote
Assistance" or "Help and Support", absolutly nothing happens. I can click on
them all day long nothing happens.
On the old error; after spending the time to find the issue I realize it was
the RAS not FAX, here are the details. Crina Li was providing support and her
suggestions fixed the problem.
""Crina Li"" wrote:
Hi Robert,Robert Ozone" wrote:
Thank you for posting in SBS newsgroup.
From the rraslog, I find the following error message:
Saving changes and restarting services returned ERROR c0040393
CRRASCommit::ConfigureISA2k4() returned ERROR c0040393
Configure ISA2k4 returned ERROR c0040393
CRRASCommit::CommitEx returned ERROR c0040393
Based on my further research, this issue may occur if the following policy
settings are not assigned to the Network Service account on the domain
controller:
- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace a process level token
The Network Service account must be added to the policy settings in the
list. This issue may occur if Group Policy settings that were applied at
the domain level have modified the policy settings for the Network Service
account on the domain controller.
RESOLUTION
==========
To resolve this issue, make sure that the Network Service account is added
to the following policy settings on the domain controller:
- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace a process level token
To configure the policy settings for the Network Service account on the
domain controller, follow these steps:
1. Click "Start", point to "Administrative Tools", and then click "Domain
Controller Security Policy".
2. Expand "Local Policies", and then click "User Rights Assignment". The
policy settings are displayed in the right pane.
3. Double-click the policy setting that you want to add the Network
Service account to.
4. If the Network Service account is not in the list of users and groups
that are assigned to that policy setting, click "Add User or Group".
5. In the "Select User or Groups" dialog box, type "Network Service"
(without the quotation marks) in the "Enter the object names to select"
box, and then click "OK".
6. Verify that "NETWORK SERVICE" is displayed in the list of users and
groups that are assigned to that policy setting, and then click "OK".
7. Close the policy editor.
8. Run GPUPDATE /FORCE from a command prompt.
9. Reboot the server.
If the problem still occurs, please try the following steps:
1. Please try to rerun CEICW.
2. Temporarily delete the static routes on RRAS console. You can do so
through expanding Server name | IP Routing.
3. Disable RRAS service on RRAS console and disable Microsoft Firewall
service on ISA console through expanding Server name and clicking
Monitoring and then clicking Services tab in the right pane.
4. Re-run Remote Access wizard.
5. Can you enable Microsoft Firewall service and does the uptime of the
firewall service display normally in ISA console. (Running or Stopped)?
If it does not work, would you please help me collect the following
information?
1. Manually add static routes using "route add ..." in command line. For
example:
route add IP of NIC which connect to VPN device mask 255.255.255.0 gateway
-p
For example: route add 10.171.2.0 mask 255.255.255.0 10.171.1.254 -p
2. Can you describe the detailed network topology?
For example: remote VPN network--VPN device--LAN
client-SBS-router---------internet
3. Collect the result of route print. Please open a command prompt. Run the
following command:
route print > c:\routeprint.txt
Hope this helps.
Please do not hesitate to let me know if you have any questions or if you
need further assistance.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
=====================================================
Problem Running Romote Access Wizard on new installation
I just installed SBS2003 PremEd w/SP1 included on media, ISA2004 also.
RAW is failing with the following message.
"An error occurred while running the Remote Access Wizard. For details,
%1!s!, and then rerun the Remote Access Wizard."
I have already ran EICW successfully.
I am using FQN which is has is registered.
I noticed that the RAS service gets stopped but is not started back up
during the RAW process and it is confirmed in this rraslog it looks
like it is having a problem with ISA also.
11/18/2005 4:11 PM
E:\Program Files\Microsoft Windows Small Business
Server\Networking\RRASWiz\wizrras.dll, version 5.2.2893.0
Calling CRRASCommit::CommitEx
Calling CRRASCommit::ValidatePropertyBag
pdispPPPBag->QueryInterface returned OK
PropertyBag 25a9e0
Reading property value for enabling Remote Access returned OK
bRemoteAccess = 1
Reading property value for VPN returned OK
bVPN = 1
Reading property value for RAS returned OK
bRAS = 0
Calling CRRASCommit::ValidateVPNProperties
Reading VPN Server Name returned OK
VPN Server Name is aicsbs2kserver.alphainsulation.com
Calling CRRASCommit::ValidateDHCPProperties
DHCP server is installed on the box
CRRASCommit::ValidateDHCPProperties returned OK
CRRASCommit::ValidateVPNProperties returned OK
CRRASCommit::ValidatePropertyBag returned OK
pdispPPPBag->QueryInterface returned OK
Pointer to the property bag 25a9e0
Calling CRRASCommit::CommitRRAS
Arguments:
PropertyBag 25a9e0
bRAS 0
bVPN 1
Getting the GUID of the private NIC returned OK
Private NIC Guid is {63DBF162-721B-4E7D-96F8-C08D274B05A2}
Checking whether RRAS is already running returned OK
RRAS already running
Stopping RRAS returned OK
Installing RRAS returned OK
Configuring ports returned OK
Saving RRAS method returned OK
Method is 2
Where 1 = RAS, 2 = VPN 3 = both
CRRASCommit::CommitRRAS returned OK
Committing RRAS returned OK
Initializing Stingray library returned OK
Enabling VPN Client Access returned OK
Setting maximum number of vpn clients returned OK
Dhcp server is installed and running on this box
Enabling DHCP client addressing returned OK
*** Saving changes and restarting services returned ERROR c0040393
*** CRRASCommit::ConfigureISA2k4() returned ERROR c0040393
*** Configure ISA2k4 returned ERROR c0040393
*** CRRASCommit::CommitEx returned ERROR c0040393
I need help on this quickly.
""Jenny wu [MSFT]"" wrote:
Hi Robert,.
Thanks for posting back. I appreciate your time to the issue.
Could you tell me what your fax issue is and how you resolved it? You can
give me the issue link so that I can analyze it.
When you tried to launch the Remote assistance, what is error message you
received? Can you help me capture a screen shot of the symptom?
When you tried to open "Help and Support", what is the error message you
received? Can you help me capture a screen shot of the symptom?
Also please save the application, security and system logs to .evt files
and mail them to me for analyze.
Please compress all files and mail it to my working mailbox:
v-yanniw@xxxxxxxxxxxxx
Have a nice day!
Sincerely,
Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: Several Problems; how to reset security and troubleshootserve
thread-index: AcZkA99CStGf+ZQ3Qia2N5kMI6ckVg==<cPNzJZsXGHA.6000@xxxxxxxxxxxxxxxxxxxxx>
X-WBNR-Posting-Host: 24.99.91.108
From: =?Utf-8?B?Um9iZXJ0IE96b25l?= <RobertOzone@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <C414EEC4-E7BE-4E62-97D8-2AE0C7896B5C@xxxxxxxxxxxxx>
Subject: RE: Several Problems; how to reset security and troubleshoot servedoing
Date: Wed, 19 Apr 2006 15:52:02 -0700
Lines: 351
Message-ID: <3E6E1B7A-7010-4B87-B49E-7234690F4225@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.sbs
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:261702
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.sbs
Sorry it took so long to respond,
First of all thank you for the detailed response.
1.) On the SBS security settings ; I accept your response, but will ask is
there a utility pgm that resets portions of the settings back to default
settings? "the safe to do areas"
2.) On the Remote Assistance Issue I have check all of the settings as you
outlined everything is OK. I need to add that I think what you had me
was past the main issue. Let me explain further:had
From the SBS server I can not even launch the dialog to start the Remote
Assistance Offer from the Server Managment MMC, Alot of the settings you
me checking especially on the clients has to do with an offer beingnot
unsuccesful. I can even start an offer. I have also discovered that I can
launch "Help and Support" from the Start Menu either. They may be related.problem
What started me on the path of security problem was I had a simular
a while ago when I could not launch the FAX setup from the ServerManagement
Console. I was instructed to reset some security settings and wala itworked.
change
3.) On the browser problem I follow all of your instructions with no
in the result. here is the resultsyou requested.the
nbtstat -n
LAN Connection:
Node IpAddress: [192.168.16.2] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
AICSBS2KSERVER <00> UNIQUE Registered
ALPHAINSULATION<00> GROUP Registered
ALPHAINSULATION<1C> GROUP Registered
AICSBS2KSERVER <20> UNIQUE Registered
ALPHAINSULATION<1B> UNIQUE Registered
ALPHAINSULATION<1E> GROUP Registered
AICSBS2KSERVER <03> UNIQUE Registered
ALPHAINSULATION<1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
AICSBS2KSERVER <01> UNIQUE Registered
ADMINISTRATOR <03> UNIQUE Registered
WAN Connection:
Node IpAddress: [69.15.216.18] Scope Id: []
No names in cache
E:\Documents and Settings\administrator.ALPHAINSULATION>nbtstat -r
NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------
Resolved By Broadcast = 1
Resolved By Name Server = 506
Registered By Broadcast = 8
Registered By Name Server = 3
NetBIOS Names Resolved By Broadcast
---------------------------------------------
ALPHAINSULATION<1E>
""Jenny wu [MSFT]"" wrote:
Hi Robert,
Thanks for using the SBS newsgroup.
From your description, I understand that you have several problems on
onSBS server box. That is:
1. Remote Assistance does not work.
2. The SBS serve box does not show up in network browser.
3. The domain policy can not be deployed properly to client workstations.
If I am off base, please don't hesitate to let me know.
Let us focus the first issue first. Microsoft engineers can only focus
resetone issue per thread. we recommend you post different incidents in
different threads to keep the thread clean. In doing so, it will ensure
your issues are resolved an efficient and timely manner. Thanks for your
understanding!
Since the SBS server box is an DC, also there are many specific security
settings has been configured on the SBS server box, we can not easily
configuredthe security settings to default settings.
To the remote assistance issue, please refer to the following steps to
check your configurations and then test the issue again to see if it
resolved.
To configure the computer of the novice user to accept Remote Assistance
offers, you must make sure that the following requirements are met:
1. The Group Policy on the computer of the novice user must be
sameto enable Remote Assistance offers.
2. The computers of the novice and expert users must be members of the
needdomain or members of trusted domains.
3. Both computers must have Windows XP or Windows 2003 installed.
4. The expert user must be a member of the Local Administrators group on
the computer of the novice.
I. To configure the Group Policies for the Remote Assistance tool, you
groupsa list of expert users from which the computers of the novice users can
accept Remote Assistance offers. This list must contain Domain User
doand Domain User accounts.
II. Configure Offer Remote Assistance policy setting in XP workstation
1. Start the Microsoft Management Console (MMC) Group Policy snap-in. To
gpedit.msc.this, click Start, and then click Run. In the Open box, type:
oneThen, click OK.
2. In the Local Computer Policy\Computer Configuration\Administrative
Templates\System\Remote Assistance folder, locate and double-click Offer
Remote Assistance.
3. On the Offer Remote Assistance Properties dialog box, click Enable.
4. Select an option from the list to determine which of the following
actions the expert users can take
** View the computer of the novice user
** View and control the computer of the novice user
*Note: This setting is for the entire group that is listed. The Offer
Remote Assistance policy setting does not provide a mechanism that lets
secondgroup of users view the computer of the novice user, and also lets a
cangroup of users view and control the computer of the novice user. There
policybe only one expert group.
5. Click Show. The Show Contents dialog box opens.
6. Click Add to add the Domain Users and Domain User Groups.
7. Click OK to close the Show Contents dialog box, and then click OK to
close the Offer Remote Assistance Properties dialog box.
8. Quit the MMC Group Policy snap-in.
These policies are effective immediately. You do not have to restart the
computer.
***Important: Use caution when you populate the properties of the Offer
Remote Assistance Group Policy because you cannot verify the domain
accounts that you enter. We recommend that you extensively test this
setsetting before you perform a large policy roll out.
*Note: The Offer Remote Assistance policy is not available in Microsoft
Windows XP Home Edition.
*Note: Remote Assistance uses DCOM. In Windows XP and Windows 2003, the
DCOM entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y. If this value is
settings,to 'N' or if this value is missing, Remote Assistance will not work.
III. Configure Windows Firewall for offer-based Remote Assistance in XP
workstation
To update your Group Policy objects with the new Windows Firewall
thatfollow these steps:
1. Log on to your Window XP SP2-based computer as a member of the Domain
Administrators security group, of the Enterprise Administrators security
group, or of the Group Policy Creator Owners security group.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, click the Standalone tab,
and then click Add.
4. In the Available Standalone Snap-ins list, click Group Policy Object
Editor, and then click Add.
5. In the Select Group Policy Object dialog box, click Browse.
6. In Browse for a Group Policy Object, click the Group Policy object
clickyou want to update with the new Windows Firewall settings, and then
andOK.
7. Click Finish to complete the Group Policy Wizard.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the console tree, expand Computer Configuration, expand
Administrative Templates, expand Network, expand Network Connections,
Firewallthen click Windows Firewall.
11. Use the Group Policy Object Editor snap-in to locate Windows
gpedit.mscGroup Policy settings. To do this, click Start, click Run, type
Policyin the Open box, and then click OK.
*Note: The Group Policy settings are located in the following Group
Object Editor folders:
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall/ Domain Profile
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall/ Standard Profile
12. For each snap-in path that you located in step 11, add the following
entry to the Windows Firewall: Define port exceptions setting:
135:TCP:*:Enabled:Offer Remote Assistance
- Follow-Ups:
- RE: Several Problems; how to reset security and troubleshoot serve
- From: "Jenny wu [MSFT]"
- RE: Several Problems; how to reset security and troubleshoot serve
- References:
- RE: Several Problems; how to reset security and troubleshoot server
- From: "Jenny wu [MSFT]"
- RE: Several Problems; how to reset security and troubleshoot serve
- From: Robert Ozone
- RE: Several Problems; how to reset security and troubleshoot serve
- From: "Jenny wu [MSFT]"
- RE: Several Problems; how to reset security and troubleshoot server
- Prev by Date: Re: Need help ASAP
- Next by Date: Re: SBS and low memory errors
- Previous by thread: RE: Several Problems; how to reset security and troubleshoot serve
- Next by thread: RE: Several Problems; how to reset security and troubleshoot serve
- Index(es):
Relevant Pages
|
