RE: Several Problems; how to reset security and troubleshoot serve

Hi Robert,

Thanks for your update.

For current situation, let us refer to below steps to trouble shoot the
issue:

1. Please follow the steps outlined in KB 816585 to apply Secure DC
template (securedc.inf) to the server: ''816585 HOW TO: Apply Predefined
Security Templates in Windows Server 2003 -
http://support.microsoft.com/?id=816585.

2. Run command ''gpupdate /force'' (no quotation marks) on the SBS server
box and all client workstations to force the policy refresh.

3. Restart the SBS server to see if the issue is resolved.

If the issue persists, please try to reinstall the "Help and Support
Center" to see if it helps.

a. Logon the server as an administrator, Run
..-->%windir%\PCHealth\HelpCtr\Binaries\helpsvc.exe /install
/regserver/svchost netsvcs /reinstall

b. Wait till helpsvc.exe completes installation (watch process activity in
Task Manager)

c. Copy the hscsp*.cab and hscmui.cab (hscmui.cab on USA systems only) from
%windir%\PCHealth\HelpCtr\Binaries to %windir%\PCHealth\HelpCtr\BATCH and
wait for it to be processed.

d. Then check if you can properly run "Help and Support Center".

If the issue persists, please let me know the detail symptom and help me
collect Application, System and Security log files for analyze. My working
mailbox: v-yanniw@xxxxxxxxxxxxx

I appreciate your time!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
Thread-Topic: Several Problems; how to reset security and troubleshoot
serve
thread-index: AcZk0aWJCZAljAOrRHuSItG84lfq7w==
X-WBNR-Posting-Host: 24.99.91.108
From: =?Utf-8?B?Um9iZXJ0IE96b25l?= <RobertOzone@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <C414EEC4-E7BE-4E62-97D8-2AE0C7896B5C@xxxxxxxxxxxxx>
<cPNzJZsXGHA.6000@xxxxxxxxxxxxxxxxxxxxx>
<3E6E1B7A-7010-4B87-B49E-7234690F4225@xxxxxxxxxxxxx>
<SuSbalGZGHA.880@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Several Problems; how to reset security and troubleshoot serve
Date: Thu, 20 Apr 2006 16:25:01 -0700
Lines: 488
Message-ID: <DE58A8C6-4363-4FF4-BCFD-7A3491B2688F@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.sbs
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:262081
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.sbs

Jenny, There is no error or action when I click on either "Offer Remote
Assistance" or "Help and Support", absolutly nothing happens. I can click
on
them all day long nothing happens.
On the old error; after spending the time to find the issue I realize it
was
the RAS not FAX, here are the details. Crina Li was providing support and
her
suggestions fixed the problem.


""Crina Li"" wrote:

Hi Robert,

Thank you for posting in SBS newsgroup.

From the rraslog, I find the following error message:

Saving changes and restarting services returned ERROR c0040393
CRRASCommit::ConfigureISA2k4() returned ERROR c0040393
Configure ISA2k4 returned ERROR c0040393
CRRASCommit::CommitEx returned ERROR c0040393

Based on my further research, this issue may occur if the following
policy
settings are not assigned to the Network Service account on the domain
controller:

- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace a process level token

The Network Service account must be added to the policy settings in the
list. This issue may occur if Group Policy settings that were applied at
the domain level have modified the policy settings for the Network
Service
account on the domain controller.

RESOLUTION
==========

To resolve this issue, make sure that the Network Service account is
added
to the following policy settings on the domain controller:

- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace a process level token

To configure the policy settings for the Network Service account on the
domain controller, follow these steps:

1. Click "Start", point to "Administrative Tools", and then click
"Domain
Controller Security Policy".

2. Expand "Local Policies", and then click "User Rights Assignment".
The
policy settings are displayed in the right pane.

3. Double-click the policy setting that you want to add the Network
Service account to.

4. If the Network Service account is not in the list of users and
groups
that are assigned to that policy setting, click "Add User or Group".

5. In the "Select User or Groups" dialog box, type "Network Service"
(without the quotation marks) in the "Enter the object names to select"
box, and then click "OK".

6. Verify that "NETWORK SERVICE" is displayed in the list of users and
groups that are assigned to that policy setting, and then click "OK".

7. Close the policy editor.

8. Run GPUPDATE /FORCE from a command prompt.

9. Reboot the server.

If the problem still occurs, please try the following steps:

1. Please try to rerun CEICW.
2. Temporarily delete the static routes on RRAS console. You can do so
through expanding Server name | IP Routing.
3. Disable RRAS service on RRAS console and disable Microsoft Firewall
service on ISA console through expanding Server name and clicking
Monitoring and then clicking Services tab in the right pane.
4. Re-run Remote Access wizard.
5. Can you enable Microsoft Firewall service and does the uptime of the
firewall service display normally in ISA console. (Running or Stopped)?

If it does not work, would you please help me collect the following
information?

1. Manually add static routes using "route add ..." in command line. For
example:

route add IP of NIC which connect to VPN device mask 255.255.255.0
gateway
-p

For example: route add 10.171.2.0 mask 255.255.255.0 10.171.1.254 -p

2. Can you describe the detailed network topology?

For example: remote VPN network--VPN device--LAN
client-SBS-router---------internet

3. Collect the result of route print. Please open a command prompt. Run
the
following command:

route print > c:\routeprint.txt

Hope this helps.

Please do not hesitate to let me know if you have any questions or if
you
need further assistance.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support
=====================================================
Robert Ozone" wrote:
Problem Running Romote Access Wizard on new installation

I just installed SBS2003 PremEd w/SP1 included on media, ISA2004 also.
RAW is failing with the following message.
"An error occurred while running the Remote Access Wizard. For details,
%1!s!, and then rerun the Remote Access Wizard."

I have already ran EICW successfully.
I am using FQN which is has is registered.
I noticed that the RAS service gets stopped but is not started back up
during the RAW process and it is confirmed in this rraslog it looks
like it is having a problem with ISA also.

11/18/2005 4:11 PM
E:\Program Files\Microsoft Windows Small Business
Server\Networking\RRASWiz\wizrras.dll, version 5.2.2893.0
Calling CRRASCommit::CommitEx
Calling CRRASCommit::ValidatePropertyBag
pdispPPPBag->QueryInterface returned OK
PropertyBag 25a9e0
Reading property value for enabling Remote Access returned OK
bRemoteAccess = 1
Reading property value for VPN returned OK
bVPN = 1
Reading property value for RAS returned OK
bRAS = 0
Calling CRRASCommit::ValidateVPNProperties
Reading VPN Server Name returned OK
VPN Server Name is aicsbs2kserver.alphainsulation.com
Calling CRRASCommit::ValidateDHCPProperties
DHCP server is installed on the box
CRRASCommit::ValidateDHCPProperties returned OK
CRRASCommit::ValidateVPNProperties returned OK
CRRASCommit::ValidatePropertyBag returned OK
pdispPPPBag->QueryInterface returned OK
Pointer to the property bag 25a9e0
Calling CRRASCommit::CommitRRAS
Arguments:
PropertyBag 25a9e0
bRAS 0
bVPN 1
Getting the GUID of the private NIC returned OK
Private NIC Guid is {63DBF162-721B-4E7D-96F8-C08D274B05A2}
Checking whether RRAS is already running returned OK
RRAS already running
Stopping RRAS returned OK
Installing RRAS returned OK
Configuring ports returned OK
Saving RRAS method returned OK
Method is 2
Where 1 = RAS, 2 = VPN 3 = both
CRRASCommit::CommitRRAS returned OK
Committing RRAS returned OK
Initializing Stingray library returned OK
Enabling VPN Client Access returned OK
Setting maximum number of vpn clients returned OK
Dhcp server is installed and running on this box
Enabling DHCP client addressing returned OK
*** Saving changes and restarting services returned ERROR c0040393
*** CRRASCommit::ConfigureISA2k4() returned ERROR c0040393
*** Configure ISA2k4 returned ERROR c0040393
*** CRRASCommit::CommitEx returned ERROR c0040393


I need help on this quickly.


""Jenny wu [MSFT]"" wrote:

Hi Robert,

Thanks for posting back. I appreciate your time to the issue.

Could you tell me what your fax issue is and how you resolved it? You
can
give me the issue link so that I can analyze it.

When you tried to launch the Remote assistance, what is error message
you
received? Can you help me capture a screen shot of the symptom?

When you tried to open "Help and Support", what is the error message you
received? Can you help me capture a screen shot of the symptom?

Also please save the application, security and system logs to .evt files
and mail them to me for analyze.

Please compress all files and mail it to my working mailbox:
v-yanniw@xxxxxxxxxxxxx

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the
corresponding
newsgroups so that they can be resolved in an efficient and timely
manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check
the
"Notify me of replies" box to receive e-mail notifications when there
are
any updates in your thread. When responding to posts via your
newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In
doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly.
Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.

--------------------
Thread-Topic: Several Problems; how to reset security and troubleshoot
serve
thread-index: AcZkA99CStGf+ZQ3Qia2N5kMI6ckVg==
X-WBNR-Posting-Host: 24.99.91.108
From: =?Utf-8?B?Um9iZXJ0IE96b25l?=
<RobertOzone@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <C414EEC4-E7BE-4E62-97D8-2AE0C7896B5C@xxxxxxxxxxxxx>
<cPNzJZsXGHA.6000@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Several Problems; how to reset security and troubleshoot
serve
Date: Wed, 19 Apr 2006 15:52:02 -0700
Lines: 351
Message-ID: <3E6E1B7A-7010-4B87-B49E-7234690F4225@xxxxxxxxxxxxx>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.windows.server.sbs
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:261702
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.windows.server.sbs

Sorry it took so long to respond,

First of all thank you for the detailed response.

1.) On the SBS security settings ; I accept your response, but will ask
is
there a utility pgm that resets portions of the settings back to
default
settings? "the safe to do areas"

2.) On the Remote Assistance Issue I have check all of the settings as
you
outlined everything is OK. I need to add that I think what you had me
doing
was past the main issue. Let me explain further:
From the SBS server I can not even launch the dialog to start the
Remote
Assistance Offer from the Server Managment MMC, Alot of the settings
you
had
me checking especially on the clients has to do with an offer being
unsuccesful. I can even start an offer. I have also discovered that I
can
not
launch "Help and Support" from the Start Menu either. They may be
related.
What started me on the path of security problem was I had a simular
problem
a while ago when I could not launch the FAX setup from the Server
Management
Console. I was instructed to reset some security settings and wala it
worked.

3.) On the browser problem I follow all of your instructions with no
change
in the result. here is the resultsyou requested.
nbtstat -n

LAN Connection:
Node IpAddress: [192.168.16.2] Scope Id: []

NetBIOS Local Name Table

Name Type Status
---------------------------------------------
AICSBS2KSERVER <00> UNIQUE Registered
ALPHAINSULATION<00> GROUP Registered
ALPHAINSULATION<1C> GROUP Registered
AICSBS2KSERVER <20> UNIQUE Registered
ALPHAINSULATION<1B> UNIQUE Registered
ALPHAINSULATION<1E> GROUP Registered
AICSBS2KSERVER <03> UNIQUE Registered
ALPHAINSULATION<1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
AICSBS2KSERVER <01> UNIQUE Registered
ADMINISTRATOR <03> UNIQUE Registered

WAN Connection:
Node IpAddress: [69.15.216.18] Scope Id: []

No names in cache

E:\Documents and Settings\administrator.ALPHAINSULATION>nbtstat -r

NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------

Resolved By Broadcast = 1
Resolved By Name Server = 506

Registered By Broadcast = 8
Registered By Name Server = 3

NetBIOS Names Resolved By Broadcast
---------------------------------------------
ALPHAINSULATION<1E>




""Jenny wu [MSFT]"" wrote:

Hi Robert,

Thanks for using the SBS newsgroup.

From your description, I understand that you have several problems on
the
SBS server box. That is:

1. Remote Assistance does not work.

2. The SBS serve box does not show up in network browser.

3. The domain policy can not be deployed properly to client
workstations.

If I am off base, please don't hesitate to let me know.

Let us focus the first issue first. Microsoft engineers can only
focus
on
one issue per thread. we recommend you post different incidents in
different threads to keep the thread clean. In doing so, it will
ensure
your issues are resolved an efficient and timely manner. Thanks for
your
understanding!

Since the SBS server box is an DC, also there are many specific
security
settings has been configured on the SBS server box, we can not easily
reset
the security settings to default settings.

To the remote assistance issue, please refer to the following steps
to
check your configurations and then test the issue again to see if it
resolved.

To configure the computer of the novice user to accept Remote
Assistance
offers, you must make sure that the following requirements are met:

1. The Group Policy on the computer of the novice user must be
configured
to enable Remote Assistance offers.
2. The computers of the novice and expert users must be members of
the
same
domain or members of trusted domains.
3. Both computers must have Windows XP or Windows 2003 installed.
4. The expert user must be a member of the Local Administrators group
on
the computer of the novice.

I. To configure the Group Policies for the Remote Assistance tool,
you
need
a list of expert users from which the computers of the novice users
can
accept Remote Assistance offers. This list must contain Domain User
groups
and Domain User accounts.

II. Configure Offer Remote Assistance policy setting in XP workstation
1. Start the Microsoft Management Console (MMC) Group Policy snap-in.
To
do
this, click Start, and then click Run. In the Open box, type:
gpedit.msc.
Then, click OK.
2. In the Local Computer Policy\Computer Configuration\Administrative
Templates\System\Remote Assistance folder, locate and double-click
Offer
Remote Assistance.
3. On the Offer Remote Assistance Properties dialog box, click
Enable.
4. Select an option from the list to determine which of the following
actions the expert users can take
** View the computer of the novice user
** View and control the computer of the novice user

*Note: This setting is for the entire group that is listed. The Offer
Remote Assistance policy setting does not provide a mechanism that
lets
one
group of users view the computer of the novice user, and also lets a
second
group of users view and control the computer of the novice user.
There
can
be only one expert group.

5. Click Show. The Show Contents dialog box opens.
6. Click Add to add the Domain Users and Domain User Groups.
7. Click OK to close the Show Contents dialog box, and then click OK
to
close the Offer Remote Assistance Properties dialog box.
8. Quit the MMC Group Policy snap-in.
These policies are effective immediately. You do not have to restart
the
computer.

***Important: Use caution when you populate the properties of the
Offer
Remote Assistance Group Policy because you cannot verify the domain
accounts that you enter. We recommend that you extensively test this
policy
setting before you perform a large policy roll out.

*Note: The Offer Remote Assistance policy is not available in
Microsoft
Windows XP Home Edition.

*Note: Remote Assistance uses DCOM. In Windows XP and Windows 2003,
the
DCOM entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y. If this value
is
set
to 'N' or if this value is missing, Remote Assistance will not work.

III. Configure Windows Firewall for offer-based Remote Assistance in
XP
workstation

To update your Group Policy objects with the new Windows Firewall
settings,
follow these steps:
1. Log on to your Window XP SP2-based computer as a member of the
Domain
Administrators security group, of the Enterprise Administrators
security
group, or of the Group Policy Creator Owners security group.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, click the Standalone
tab,
and then click Add.
4. In the Available Standalone Snap-ins list, click Group Policy
Object
Editor, and then click Add.
5. In the Select Group Policy Object dialog box, click Browse.
6. In Browse for a Group Policy Object, click the Group Policy object
that
you want to update with the new Windows Firewall settings, and then
click
OK.
7. Click Finish to complete the Group Policy Wizard.
8. In the Add Standalone Snap-in dialog box, click Close.
9. In the Add/Remove Snap-in dialog box, click OK.
10. In the console tree, expand Computer Configuration, expand
Administrative Templates, expand Network, expand Network Connections,
and
then click Windows Firewall.
11. Use the Group Policy Object Editor snap-in to locate Windows
Firewall
Group Policy settings. To do this, click Start, click Run, type
gpedit.msc
in the Open box, and then click OK.

*Note: The Group Policy settings are located in the following Group
Policy
Object Editor folders:
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall/ Domain Profile
o Computer Configuration/Administrative Templates/Network/Network
Connections/Windows Firewall/ Standard Profile

12. For each snap-in path that you located in step 11, add the
following
entry to the Windows Firewall: Define port exceptions setting:

135:TCP:*:Enabled:Offer Remote Assistance


.

Relevant Pages

  • RE: Remote Assistance not working
    ... How do you request from client to server? ... Using Windows Messenger or MSN ... > I have yet to get the offer remote assistance to work when launched from the ... The Group Policy on the computer of the novice user must be configured ...
    (microsoft.public.windows.server.sbs)
  • Re: Internet Explorer
    ... Microsoft Windows Server 2003 SP1 ... You can link the GPO to the OU which contains the Terminal Server ... policy settings. ... 260370 - How to Apply Group Policy Objects to Terminal Services ...
    (microsoft.public.windows.terminal_services)
  • Re: Offer Remote Assistance on Windows Server 2003 Enterprise
    ... That particular group policy allows remote assistance to that server .... ... I was able to offer remote assistance and take control of the client ...
    (microsoft.public.windows.server.general)
  • Re: Offer Remote Assistance on Windows Server 2003 Enterprise
    ... That particular group policy allows remote assistance to that server .... ... Can I give and take control of a users computer and session with the ...
    (microsoft.public.windows.server.general)
  • Re: Domain Policy
    ... First from the server you can access the registry remotely see if you can ... manage Group Policy remotely to undo your changes. ... If that does not work use the registry editor. ... Table 1 Approved Registry Key Locations for Group Policy Settings ...
    (microsoft.public.win2000.security)