
The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

VPNs with Windows Active Directory and DNS/DHCP

2. June 2017 09:17 by sirclesadmin in Windows Server, Internet Security, VPN

Windows Active Directory, DNS & DHCP with VPNs

When a VPN is set up it is simply a connection between LAN subnets that allows certain traffic to pass between them. If you are running a Windows Server Active Directory network you need to adjust your settings so that normal traffic keeps flowing and you avoid catastrophes such as routing loops.

Even some of the most down-to-earth routers can trip you up with DNS and AD when it comes to VPNs. DrayTek routers can connect two sites that use the same LAN subnet, but if the Windows servers start inter-communicating it can cause all sorts of issues at Layer 2 and 3. I would always recommend changing one subnet (or even both if they are x.x.1.x or x.x.0.x) rather than relying on NAT routing between the subnets.

Before you connect a VPN you should treat the planning exactly as if you were running a cable between the two sites. Although a VPN arrives via a WAN connection, it is not necessarily subject to the same rules as internet traffic; in the case of DrayTek routers it is not, unless you specifically tell the firewall to block certain services. If you are using a highly configurable router such as a Cisco or Juniper you can configure all sorts of firewall settings specifically for that subnet, but with a simpler router such as a home WiFi router you will find that a VPN connection forwards most traffic between the sites, including all types of ICMP and NetBIOS. As a result you must be sure that nothing is allowed onto the other LAN that you would not want connected to your existing LAN.

Active Directory is heavily dependent on DNS to locate the resources it needs in order to function, so regardless of what sits behind each VPN endpoint, DNS is the primary concern. If you are connecting an office of PCs to a LAN with servers, you need to configure the clients on the remote LAN to use at least one of the DNS servers on the server LAN in order to resolve hostnames there. We would not recommend pointing both DNS entries at the remote LAN DNS servers in case the VPN drops, but the first DNS server entry should be set to one of them.


In the image above, the remote network has only client machines but relies on the other network for multiple hosts. The client machines therefore need the server LAN's DNS server set as their primary DNS server and their local router as their secondary. This way the clients on the remote network can find the email server and databases, but if the VPN drops they can still use the secondary server at the local router to browse the web.


In more complex configurations there may be servers at each end of the VPN tunnel, and there may be domain trusts involved because companies have merged, etc. In these cases the DNS servers need to be configured to share their zones with each other. This is a very simple process, but you will need the LAN IP addresses of all of the DNS servers before you start. Best practice is to allow only the IPs of known DNS servers to pull zone data from your DNS, and this can be configured in the DNS server admin console on each Windows DNS server. Once each server has been given permission to access the DNS servers at the opposite end of the VPN tunnel, the clients of each interconnected LAN will be able to locate hosts at either end. If there is a Windows trust in place then the client machines of each LAN will be able to access assigned documents and resources on the servers at the other office without any need for internet-facing servers on either LAN.
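As an added example (not from the post), the same set-up done with the DhcpServer and DnsServer PowerShell modules: the client site's DHCP scope hands out the server-site DNS first and the local router second, the server site allows zone transfers only to the known remote DNS server, and that remote server holds a secondary copy of the zone. All addresses, zone names and server names are constructed.

```powershell
# Added example, not from the post. Constructed addresses:
#   client site  192.168.2.0/24, local router 192.168.2.1, Windows DHCP server on that LAN
#   server site  192.168.1.0/24, DC/DNS server 192.168.1.10, AD zone corp.example
#   remote DNS   192.168.2.10, the one Windows DNS server at the client site
# Needs the DhcpServer and DnsServer RSAT modules; run each section on the relevant server.

# --- Client site DHCP: server-site DNS first, local router second ---------------------
# Clients resolve AD names over the VPN; if the tunnel drops they still reach the router
# for plain web browsing, which is the split the post recommends.
Set-DhcpServerv4OptionValue -ScopeId 192.168.2.0 `
    -DnsServer 192.168.1.10, 192.168.2.1 `
    -DnsDomain 'corp.example'

# --- Server site DNS: zone data leaves only to the DNS servers you list -----------------
# TransferToSecureServers restricts AXFR/IXFR to these addresses; anything else on the
# VPN asking for the whole zone is refused. NotifyServers pushes change notices to them.
$knownDns = @('192.168.2.10')
Set-DnsServerPrimaryZone -Name 'corp.example' `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $knownDns `
    -Notify NotifyServers -NotifyServers $knownDns

# --- Client site DNS: hold a secondary copy pulled from the server site -----------------
Add-DnsServerSecondaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns' `
    -MasterServers 192.168.1.10

# --- Check on the server site: who is allowed to transfer the zone ----------------------
Get-DnsServerZone -Name 'corp.example' |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers

# --- Check from the remote site: do AD locator records resolve across the tunnel? -------
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV -Server 192.168.1.10
```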


Event ID: 16393 Publishing Failed for RDSH Collection - RemoteApp name: Collection name: Failure: Could not create a published application instance on the server


On our Windows 2012 R2 Remote Desktop Collection we were receiving the following error:

Log Name: Microsoft-Rdms-UI/Admin
Source: Microsoft-Windows-Rdms-UI
Event ID: 16393
Task Category: Publishing
Level: Error
User: domain\user
Computer: server.domain.suffix

Description: Publishing Failed for RDSH Collection - RemoteApp name: Sage 50 Report Designer Collection name: QuickSessionCollection Failure: Could not create a published application instance on the server server.domain.suffix.

Event Xml:
<Event xmlns="">
<Provider Name="Microsoft-Windows-Rdms-UI" Guid="{GUID}" />
<TimeCreated SystemTime="2017-04-19T07:26:59.337215000Z" />
<Correlation ActivityID="{ActivityID}" />
<Execution ProcessID="4996" ThreadID="5604" />
<Security UserID="UserID" />
<Data Name="arg1">RemoteApp name: Application Name Collection name: Collection Name Failure: Could not create a published application instance on the server server.domain.suffix.</Data>


Our issue was expired certificates in the RD deployment which were interfering with the system, even though in IIS they were all up to date and the server was working fine.

So under Server Manager we went into the RD settings, highlighted the deployment and under Tasks chose 'Edit Deployment Properties', then went to the Certificates page:

Here we chose the new certificate, one-by-one, to replace the expired certificates:

And then applied each certificate replacement before attempting the next.

Once all the certificates were showing as status OK, we re-published the RemoteApp settings:

And the publish now succeeds:
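As an added example (not the post's own steps, which used the Server Manager GUI), the same check and replacement done with the RemoteDesktop module: list the per-role certificate bindings, replace the ones that are expired or not trusted one role at a time, and pull the 16393 events from the log quoted above. The broker name and PFX path are constructed; Role, Level and ExpiresOn are the property names of the module's certificate objects.

```powershell
# Added example, not from the post. Constructed names: the connection broker and the
# renewed certificate file. Needs the RemoteDesktop module (present on RDS servers).
$broker  = 'rdcb.domain.suffix'
$pfxPath = 'C:\certs\rds-renewed.pfx'

# Each RDS role (RDPublishing, RDRedirector, RDWebAccess, RDGateway) has its own
# certificate binding. An expired RDPublishing binding is enough to break publishing
# with 16393 even though the IIS bindings are current, which is what the post hit.
$bindings = Get-RDCertificate -ConnectionBroker $broker
$needsReplacing = $bindings | Where-Object {
    $_.Level -ne 'Trusted' -or ($_.ExpiresOn -and $_.ExpiresOn -lt (Get-Date))
}
$needsReplacing | Format-Table Role, Level, ExpiresOn, IssuedTo -AutoSize

# Replace one role at a time and let each finish before the next, as the post did.
if ($needsReplacing) {
    $pfxPassword = Read-Host -AsSecureString 'PFX password'
    foreach ($b in $needsReplacing) {
        Set-RDCertificate -Role $b.Role -ImportPath $pfxPath -Password $pfxPassword `
            -ConnectionBroker $broker -Force
    }
}

# Verify every role is Trusted and in date before re-publishing the RemoteApp.
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, ExpiresOn -AutoSize

# The failing publish attempts, from the log the post quotes.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Rdms-UI/Admin'; Id = 16393 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```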


CRM 2016 for Outlook - Cannot display the folder Path does not exist Verify the path is correct


If you are seeing the following in CRM 2016 using Outlook 2016:

Then you should check the registry. This commonly occurs when the user has migrated or upgraded Office and the system has used the wrong 32-bit or 64-bit registry settings.

Start Registry Editor as your normal logon user - i.e. the one you use for Outlook rather than an admin user - and under HKEY_CURRENT_USER go to Software\Microsoft\MSCRM and have a look at these values:

Make sure that the CRM_Client_InstallDir and InstallPath values point to either Program Files (x86) or Program Files, as appropriate for your Microsoft Office install.

CRM_Client_InstallPath should be C:\Program Files (x86)\Microsoft Dynamics CRM\ or C:\Program Files\Microsoft Dynamics CRM\ for 32-bit and 64-bit respectively.

InstallPath should be C:\Program Files (x86)\Microsoft Dynamics CRM\Client\ or C:\Program Files\Microsoft Dynamics CRM\Client\ for 32-bit and 64-bit respectively.
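An added check script (not from the post) that reads the values named above for the current user, confirms each path exists, and compares its root with Outlook's bitness. The value names are taken from the post as written; the registry location Outlook uses to record its bitness is an assumption.

```powershell
# Added example, not from the post. Run as the Outlook user, not as an admin, because
# the values live under HKEY_CURRENT_USER.
$crmKey     = 'HKCU:\Software\Microsoft\MSCRM'
$valueNames = 'CRM_Client_InstallDir', 'CRM_Client_InstallPath', 'InstallPath'  # as named in the post

# Assumption: Outlook records its bitness here as 'x86' or 'x64' (Office 2016 = 16.0).
$outlookKey = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook'
$bitness    = (Get-ItemProperty $outlookKey -ErrorAction SilentlyContinue).Bitness
$expectedRoot = if ($bitness -eq 'x86') { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
"Outlook bitness: $bitness -> CRM client paths should sit under $expectedRoot"

$crm = Get-ItemProperty $crmKey -ErrorAction Stop
foreach ($name in $valueNames) {
    $path = $crm.$name
    if (-not $path) { '{0,-24} {1}' -f $name, '(value not present)'; continue }
    $status = if (-not (Test-Path $path)) { 'PATH DOES NOT EXIST' }        # the error in the post
              elseif ($path -notlike "$expectedRoot\*") { 'WRONG BITNESS ROOT' }
              else { 'OK' }
    '{0,-24} {1,-20} {2}' -f $name, $status, $path
}

# Repair: rewrite a value to the root matching Outlook's bitness. Uncomment after
# reviewing the report; the subfolder is the one quoted in the post.
# Set-ItemProperty $crmKey -Name InstallPath `
#     -Value (Join-Path $expectedRoot 'Microsoft Dynamics CRM\Client\')
```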



HP DL360 G7 Red Screen of Death Illegal OpCode


This is a fairly disturbing occurrence: when your server, instead of booting up just after one recommended update or on the first reboot after installation, gives you a bright red screen explaining that it feels it has done enough and will proceed no further. Not great news if you have a lot of users awaiting emails or database results, and even worse if you've never seen it before.



Well, this error can be related to a few problems with running various forms of Linux from SD card drives, but it can also affect those of us just running plain old Windows Server on the inbuilt 410i RAID controller.

In essence the message means that the server is unable to read the boot device and so has thrown an HP-level error instead of a standard Windows or BIOS error.

I have found this problem in connection with the following:

  • Installing using iLO3 with a network-accessed ISO file and then rebooting for the first time
  • Installing a recommended update to the NICs that made the whole server BSOD and then reboot into this, so we had to fix the error to find out that the DB was intact
  • Updating the motherboard BIOS, which somehow disabled USB boot in the BIOS and so lost the SD card boot device (which I was using on that occasion)
  • Installing the Windows iLO3 drivers, which then somehow told Windows, because there was an ISO listed in the iLO3 boot-up system, that Windows was not the boot device

In order to fix these issues you should:

  1. Update the iLO3 firmware, as there is a fix in the latest versions (allegedly), but I have found this unreliable
  2. Disable the iLO if this fails at boot-up
  3. Change the boot order in the BIOS so that your boot device is first, and then:
  4. Boot from a Windows DVD, ensure you can see the boot volume and then use the inbuilt repair (this seems to be the best solution for Windows installs)

If all the above fails you can try unplugging all the PSUs for ten minutes, as this is a recommended solution from HP, but only for the G8 servers.

Good luck with a really distressing and fairly futile error screen.

WBAdmin snap-in failed to initialise


The other day we had an issue with the Windows Backup on a Windows 2012 R2 server that had previously backed up OK.

On start-up of the Windows Backup application we received a message saying that the Windows Backup wbadmin snap-in failed to start and that we should restart the service and retry the snap-in.

When we tried the command line we received a message saying that the command was not available on portable workstations.

After some looking around we found that a possible cause was that the registry had this entry:


PortableOperatingSystem = 1

So we changed it to 0, as the server would have been tricky to carry, and then wbadmin stated that there were no jobs scheduled.

We then ran the following commands in order:

  1. Get-WBPolicy | Remove-WBPolicy
  2. Remove-WBBackupSet
  3. Remove-WBCatalog
  4. get-Service *wb* | Start-Service
  5. Restart Windows Server Backup

We then found that the backup record was destroyed but that the service could be run in the GUI once more.

The TCP/IP Protocol Microsoft DNS Microsoft Active Directory FSMO Roles


Windows Server Security Practices


Elements Required for Active Directory

Microsoft DNS - This is a very different animal in Windows 2000/3 compared to NT4, not because of the way it does anything but because of what it is used for. Microsoft NT4 and Windows 95/98 use WINS, the Windows Internet Naming Service (rather confusingly named), to locate each other over interconnected LANs. The system basically works with DHCP, the Dynamic Host Configuration Protocol, which assigns an IP address to your network interface card, supplies the default gateway, DNS server and WINS server, and registers you with WINS at the same time. One WINS server then replicates with another on another LAN, so hosts there can look up your workstation on their own LAN and communication can be routed between the machines. At this stage DNS was simply for looking up domains on the Internet and had a 'Reverse WINS Lookup' feature for tracking down workstations from the DNS server. Microsoft DNS on Windows 2000 has the option of being entirely dynamic: it can be configured to live in Active Directory, has built-in reverse lookup and is updatable from the DHCP negotiation just as WINS is. Better!

TCP/IP - The Transport Control Protocol / Internet Protocol. This is just moving from its fourth to its sixth incarnation at present and it is a complicated protocol. It is routable in more ways than you can wave an Ethernet cable at and, with version 6, supports IPSec as standard. It is the basis of nearly all inter-communication between computers today; whether we are talking about Macintosh, Netware, Linux or Windows, they are most likely using TCP/IP to speak with their cohorts. Microsoft have favoured it for some time whilst Netware moved over at version 5. Macintosh jumped on the wagon (as opposed to leading the way as they normally do) and began dropping AppleTalk with the arrival of OSX. Although TCP/IP is referred to as a single protocol it is not. It is a standard set of amalgamated systems and the resultant protocol lives in layer 3 of the standard model. As with all other communications protocols, TCP/IP is composed of layers:
The Internet Protocol (IP) - is responsible for moving packets of data from one node to another. IP forwards each packet based on a four-byte destination address (the IP address). The Internet authorities assign ranges of numbers to different organizations, and the organizations assign groups of their numbers to departments. IP operates on gateway machines that move data from department to organization to region and then around the world. Each computer using the internet can do so because at some level it is using an IP address. Typically in most networks nowadays your LAN may have only one 'real' IP address, at your router or firewall, and your computer may use a 192.168.x.x or 10.1.x.x address. These are address ranges reserved for computers on internal LANs and are assigned to no one. This is made possible by NAT and PAT, Network Address Translation and Port Address Translation, which are performed by your router or firewall so as to redirect any traffic your machine requested back to you.

The Transport Control Protocol (TCP) - is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received. TCP makes TCP/IP a very robust system and allows different sections of the Internet to fall over while data is rerouted constantly and seamlessly.

Port Numbers - 'Sockets' is the name given to the packages of subroutines that provide access to TCP/IP on most systems. A socket is a combination of a port number and an IP address and therefore uniquely identifies a network process on any individual network. There are many standardized port numbers, such as 80 for HTTP and 25 for SMTP. A port number is basically a feature of a packet just like the routing header. It is a property that, instead of deciding where the packet is going, like the IP address, decides what it will do when it gets there and, most likely, whether it will be allowed to get there or not.

Microsoft Active Directory - Don't be put off by the way this is continuously described by Microsoft as all sorts of different things. The simple nuts and bolts of it are most easily described as follows. AD is a secured and replicated set of files shared around the domain or domains that allows all of the clients and servers to share and use information. For those of us familiar with the nuts and bolts of a Windows PC, it's like a replicated registry that is shared around the Domain Controllers. It sits in different files, just like the registry does, and it can be edited with a straightforward tool, just like the registry. It relies on five central roles for a forest to function. (A Forest is a collection of Domain Trees - yes I know, very clever etc.) The replicated information that is shared to non-DC clients is stored in the SYSVOL share on a DC, and there will be a folder inside for each domain storing policies, scripts and other information. The old Netlogon share is now inside the shared SYSVOL directory but is still shared as Netlogon for backwards compatibility. The database of all DC-only AD information is kept inside %systemroot%\SYSVOL - note that the SYSVOL folder shared to clients is inside the first SYSVOL directory, i.e. at %systemroot%\SYSVOL\SYSVOL. The database itself and the log files are by default kept in %systemroot%\WINDOWS\NTDS, but the location can be specified when installing Active Directory on a server.

FSMO Roles - Flexible Single Master Operations (pronounced by all the guys on the Microsoft websites as 'Fuszmo'). So there you are: after all of the fuss Microsoft made about Windows 2000/3 no longer requiring a PDC or BDC, it turns out that there are five different sorts of the darn things.
PDC Emulator - All WinNT fans know what this guy is bound to do. He emulates the old PDC for backwards compatibility. He also creates group policy objects and synchronizes the w32time service.
RID Master - Hands out the Global Unique Identifiers to each Domain Controller. Each object in Active Directory must have one to be indexed in the registry-like list. The RID Master hands out different sets to each DC for labelling all of the objects created on it.
Infrastructure Master - This guy is the Ambassador. He monitors everything to do with memberships of trusts and other domains. He checks that you are allowed into the country by having a good look at your passport - well, you know the way things are these days.
Domain Naming Master - This ol' gal is the only central repository for child domain names. There is only one in an attempt to prevent duplicate domain names. Just as well; duplicate computer names are bad enough!
Schema Master - This fellow is responsible for changes to the Schema of Active Directory. In other words he is the man who alters the way in which data is stored inside any type of object. If you want to add a field to the standard computer object then you've got to ask him.

OK, so there we have it. It is worth remembering that Active Directory is dependent not only on all of the FSMO roles but also on TCP/IP and Microsoft DNS, because without either there is no transport to or from Active Directory.

So based on these observations we will start with a few pointers. When you are building or designing your new Windows Active Directory you will want to minimize network traffic and administration and to optimize ease of use. This may seem a confusing and daunting task, but let us get things in perspective. Active Directory goes a long way to doing this itself, and the design does not have to be completed before you begin your upgrades/installs. If it is not a huge network - i.e. fewer than 10 sites and 20 Domain Controllers - you are not going to notice a huge impact on how you do things anyhow, unless there are a lot of connections with different bandwidths. Windows Active Directory is based on replication, and it can cause networking problems and bottlenecks when it gets itself confused and is using all of the available bandwidth, but these services can be stopped if they are bringing things to a halt whilst you work out what is going on. Active Directory does do some funny things just because of the order in which it is created, so make sure you design your upgrade path from the centre of your network, where the most bandwidth lies, moving out gradually toward the more remote, slower sites. But all of this is scare-mongering as much as anything else. If you are just upgrading or designing a single-LAN network then the most important part is to choose the correct specification of servers and make sure you have checked with manufacturers and software designers that the upgrade paths have been tested and are supported. (This still doesn't guarantee anything, so if you can, test it on a dummy example.) The worst kind of Microsoft designers are those who come to the job with all of the AD knowledge in the world but have neglected to think about where the servers will be plugged in. Try to enforce a policy of security and robustness in where the servers are and how they are looked after, as well as in how Windows is configured. Many server compromises are at source; remember that.

Some services work better together than others. The Domain Controllers should be DNS servers; there is no point having a domain controller if it has no access to DNS, and having DNS on board avoids the risk of losing communications while adding and removing Domain Controllers, which can lead to catastrophic results. If there is a DNS server on board then you always have at least a single copy of what is happening in the domain, and it can be replicated once network communications have been restored. If there is only one DC in a site then it should be set as a Global Catalogue; a Global Catalogue keeps a copy of every object in the forest, and if a site needs information on part of the forest it must be able to retrieve it without running home to momma down a slow connection. Sometimes replication to more remote sites must be scheduled for when the office is out of use to conserve bandwidth, but replication can always be halted if a connection is beginning to feel the strain. Sites are important and define the replication characteristics of Active Directory. A site boundary should indicate where there is a connection to the main LAN over lower bandwidth; just because you need a separate Windows site doesn't mean you need a separate Exchange site, as Exchange is another animal when it comes to designing site boundaries.

A dedicated Domain Controller is always a good idea: a server that can hold the FSMO roles, which need not be distributed over different servers unless your domain exceeds 2000 clients. The FSMO roles are a difficult point because they are a single entity for an entire domain. With enough changes being made to the domain the workload can become such that you will have to redistribute the roles to multiple servers; the naming role and the schema and operations masters are a good place to start. As a rule, if you are including Microsoft Exchange, the Domain Controllers should have the Active Directory Connector for Microsoft Exchange installed, and a DC is also a good machine to have in charge of your antivirus and DHCP. WINS should be phased out once all clients and servers have been moved over to 8 or 10, and your network performance and reliability should start to increase as duplicate WINS entries and the need to replicate the WINS servers become things of the past.
Lastly, always change the logon name for the Administrator account to something difficult to guess, as a lot of the scripts that people run trying to compromise security rely on password lists which presuppose the Administrator account's logon name.
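An added audit script (not from the post) that checks the points above against a live domain with the ActiveDirectory RSAT module: where the five FSMO roles sit, whether every DC runs DNS and whether a lone DC in a site is a Global Catalogue, and whether the built-in Administrator (always RID 500) still carries its default logon name. It assumes Windows PowerShell 5.1 (for Get-Service -ComputerName) and read access to the domain; no names or addresses are hard-coded.

```powershell
# Added example, not from the post. Read-only: it reports, it changes nothing.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Where the five FSMO roles sit. The post suggests one dedicated DC for all of them
#    unless the domain is large; listing them shows whether that is what you have.
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
} | Format-List

# 2. Every DC should run DNS; a lone DC in a site should be a Global Catalogue.
$dcs = Get-ADDomainController -Filter *
$dcsPerSite = $dcs | Group-Object Site -AsHashTable -AsString
foreach ($dc in $dcs) {
    $findings = @()
    $dnsSvc = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
    if (-not $dnsSvc -or $dnsSvc.Status -ne 'Running') { $findings += 'no running DNS service' }
    if (@($dcsPerSite[$dc.Site]).Count -eq 1 -and -not $dc.IsGlobalCatalog) {
        $findings += 'only DC in its site but not a GC'
    }
    '{0,-32} {1,-16} GC={2,-5} {3}' -f $dc.HostName, $dc.Site, $dc.IsGlobalCatalog, ($findings -join '; ')
}

# 3. The built-in Administrator is always <domain SID>-500 whatever it is called, so look it
#    up by SID and check the logon name is no longer the default the password scripts assume.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
if ($builtinAdmin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in Administrator still uses the default logon name; rename it.'
} else {
    "Built-in Administrator account is renamed to '$($builtinAdmin.SamAccountName)'"
}
```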

Windows 2008 R2 Restore using Windows Backup error (0x80042408)


Whilst restoring (transferring) a Windows 2008 R2 machine using the built-in Windows Backup software we ran into a few problems:

The original machine was a PC server with some dynamic disks as the system did not have RAID support for all drives.

The system disk was 111 GB

The data disk was 465 GB

The log file disk was 69 GB

We were restoring to a SUN X4150 with:

131GB system disk

514 GB Data disk

131 GB log file disk

The error we were getting was that the disks were too few or too small (0x80042408). We have never understood why it thought there were not enough disks, but...

We used the workaround with the wbadmin command line:

wbadmin get versions -backuptarget:<Target:>

This is to interrogate the media for the backup sets that are present on the target drive.

wbadmin get items -version:<versionid> -backuptarget:<Target:>

Then this command shows the volumes and applications contained within the backup set on that drive or device.

wbadmin start recovery -version:<versionid> -backuptarget:<Target:> -itemType:Volume -items:C: -recoverytarget:D:

Where Target: is the target drive letter. This command performs the restore. Here we are only restoring the system drive, as the applications and services relying on the data contained on other disks could be restored simply by robocopying the data back onto those data disks and then correcting the drive letters afterwards whereupon the services could be started.

After completing the above, the system was then still missing some boot files.

We then repaired using a Windows 2008 R2 / 7 x64 automatic repair and the system started to boot but obviously BSOD'd itself from lack of drivers for the new storage devices.

The Windows DVD could not repair any further and so we therefore had to add the storage device drivers manually using:

DISM /image:C:\ /add-driver /driver:G:\ /recurse
(C is my OS partition and G is the DVD drive where the driver DVD is inserted.)

This added the drivers from the X4150 driver DVD's drivers\storagetek\windows\2008\ and drivers\storagetek\windows\2008\amd64\ folders.

The system then booted OK but the drive letters had changed. After re-assigning the drive letters the system appeared to be back to normal.

For anyone still having difficulty: sometimes we are unable to run the repair from the DVD until we have rebuilt the boot configuration using bootrec /rebuildbcd, after which we can run the DVD repair and start Windows successfully; on 7/2008 R2 or later Windows will then install the drivers required to boot from there.

If you still have BSOD difficulties then use the DISM command above to add necessary drivers.



Cryptocard Windows SafeNet Logon Agent with Windows 2012 R2 Remote Desktop

29. March 2016 21:44 by sirclesadmin in Windows Server, Remote Desktop

Just a quick note to explain what happened with our install of this:

We were upgrading from the BSID Black Shield ID 2.7 Windows Agent software on a Windows 2008 R2 machine but keeping the current (for now) Blackshield 2.7 installation of the administration and SQL installs. Our new remote desktop server was a new 2012 R2 box and we installed the x64 Windows 8.1 Safenet agent as described in the install notes.

The installation went as planned and asked for the NetBIOS names of the two authentication servers which we entered as requested.

When it came to testing however the system described the user authentication as having failed.

When we checked the logs of the authentication servers running BSID 2.7 there was no entry and when we ran the Windows Agent software on the Remote Desktop machine it only showed the 'Help' tab rather than the rest.

The simple solution was that when we right-clicked the software and 'ran as administrator' the system reported that part of the registry concerning the software was corrupt and had to be removed. We agreed to this by clicking OK and were then presented with all the tabs as normal and were able to populate the correct server names as required. The system now appears to authenticate as expected...

Windows 2012 R2 New Install Stuck After Installing Office 365 for Remote Desktop VM


After installing Office 365 as per the post below on the Windows 2012 R2 Remote Desktop VM, the system indicated that it had to restart to activate Office 365, and so this is what I did.

The system then decided it had to perform updates during the restart, which was fine, and it got to 30% where it stayed for 24hrs. Assuming there was no choice, the machine was restarted again, and this time the whole system got to configuring updates at 6% and stayed there for 3 days.

Every time the server was reset this was the outcome.

Having looked through a few suggestions I performed the following:

1. Amended the 'Automatic Start action' in the virtual machine settings so that Secure Boot was disabled

2. Started the troubleshooting option from the startup repair and chose the command prompt, whereupon I performed the following:

3. Renamed the SoftwareDistribution folder to SoftwareDistribution.old, on the assumption that a new folder will be created when the Windows Update service next tries a download.

4. Searched for all pending.xml.* files in Windows\WinSXS and deleted them

5. Ran 'dism /image:C:\ /cleanup-image /revertpendingactions' to clear any awaiting updates.

6. Created a blank pending.xml file in WinSXS (not sure if this made a difference, but it was a piece of advice seen here: which they did using 'echo > pending.xml' whilst in Windows\WinSXS\) and then rebooted.

The VM undid all of the updates and started up and the Office 365 on Remote Desktop Virtual Machine asked for an email address with which to activate - only took 6 days then!!!