Rules used by the Windows Server 2012 Essentials Best Practices Analyzer (BPA) Tool
Applies To: Windows Server 2012 Essentials, Windows Server 2012 R2 Essentials
This article describes the rules used by the Windows Server 2012 Essentials Best Practices Analyzer (BPA). The BPA examines a server that is running Windows Server 2012 Essentials and presents a report that describes issues and provides recommendations for resolving them. The recommendations are developed by the product support organization for Windows Server 2012 Essentials.
It is a standard practice, when you migrate to Windows Server 2012 Essentials from Windows Server 2011 Essentials, Windows Small Business Server 2011 Essentials, or Windows Home Server 2011, to run the BPA on the Destination Server after you finish migrating your settings and data. You can run the tool from the Dashboard at any time.
Log on to the server as an administrator, and then open the Dashboard.
On the Dashboard, click the Devices tab.
On the Server Tasks pane, click Best Practices Analyzer.
Review each BPA message, and follow the instructions to resolve issues if necessary.
Issue: IP filtering is currently enabled on the server. You must disable IP filtering.
Impact: If IP filtering is enabled, network traffic might be blocked.
Resolution:
Open regedit.exe on the server.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Right-click EnableSecurityFilters, and then click Modify.
In the Edit DWORD (32-bit) Value window, change the Value data field to zero, and then click OK.
To apply the change, restart the server.
The Distributed Transaction Coordinator (MSDTC) service should be set to start automatically by default
Issue: The MSDTC service is not configured to start automatically.
Impact: The MSDTC service might not start automatically when the server starts. If the service is stopped, some SQL Server or COM functions might fail. As a result, applications that use Microsoft SQL Server or COM functions might not work correctly.
Resolution:
Open services.msc on the server.
Right-click the Distributed Transaction Coordinator service, and then click Properties.
On the General tab, change the Startup type to Automatic (Delayed Start), and then click OK.
Issue: The Netlogon service is not configured to start automatically.
Impact: The Netlogon service might not start automatically when the server starts. If the service is stopped, the server might not authenticate users and services.
Resolution:
Open services.msc on the server.
Right-click the Netlogon service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The DNS Client service is not configured to start automatically.
Impact: The DNS Client service might not start automatically when the server starts. If this service is stopped, the server might not be able to resolve DNS names.
Resolution:
Open services.msc on the server.
Right-click the DNS Client service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The DNS Server service is not configured to start automatically.
Impact: The DNS Server service might not start automatically when the server starts. If this service is stopped, DNS updates will not occur.
Resolution:
Open services.msc on the server.
Right-click the DNS Server service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: Active Directory Web Services is not set to the default start mode of Automatic.
Impact: Active Directory Web Services (ADWS) is not set to the default start mode of Automatic. If ADWS on the server is stopped or disabled, client applications such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center cannot access or manage directory service instances that are running on this server. For more information, see What's New in AD DS: Active Directory Web Services (https://technet.microsoft.com/library/dd391908(WS.10).aspx) in the Windows Server Technical Library.
Resolution:
Open services.msc on the server.
Right-click the Active Directory Web Services service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The DHCP Client service is not configured to start automatically.
Impact: The DHCP Client service will not start automatically when the server starts. If this service is stopped, client computers cannot receive an IP address from the server.
Resolution:
Open services.msc on the server.
Right-click the DHCP Client service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The IIS Admin Service is not configured to start automatically.
Impact: The IIS Admin Service will not start automatically when the server starts. If this service is stopped, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click IIS Admin Service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The World Wide Web Publishing Service is not configured to start automatically.
Impact: The World Wide Web Publishing Service might not start automatically when the server starts. If this service is stopped, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click World Wide Web Publishing Service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The Remote Registry service is not configured to start automatically.
Impact: The Remote Registry service might not start automatically when the server starts. If this service is stopped, you might be unable to perform some network operations remotely.
Resolution:
Open services.msc on the server.
Right-click the Remote Registry service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The Remote Desktop Gateway service is not configured to start automatically.
Impact: If this service is stopped, users might be unable to access computers using Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click the Remote Desktop Gateway service, and then click Properties.
On the General tab, change the Startup type to Automatic (Delayed Start), and then click OK.
Issue: The Windows Time service is not configured to start automatically.
Impact: If this service is stopped, date and time synchronization are not available.
Resolution:
Open services.msc on the server.
Right-click the Windows Time service, and then click Properties.
On the General tab, change the Startup type to Automatic, and then click OK.
Issue: The MSDTC service is not running on the server.
Impact: If this service is stopped, some SQL Server or COM functions might fail. As a result, applications that use Microsoft SQL Server or COM functions might not work correctly.
Resolution:
Open services.msc on the server.
Right-click the Distributed Transaction Coordinator service, and then click Start.
Issue: The Netlogon service is not running on the server.
Impact: If this service is not started, the server might not authenticate users and services.
Resolution:
Open services.msc on the server.
Right-click the Netlogon service, and then click Start.
Issue: The DNS Client service is not running on the server.
Impact: If this service is not started, the server might be unable to resolve DNS names.
Resolution:
Open services.msc on the server.
Right-click the DNS Client service, and then click Start.
Issue: The DNS Server service is not running on the server.
Impact: If the DNS Server service is not started, DNS updates might not occur.
Resolution:
Open services.msc on the server.
Right-click the DNS Server service, and then click Start.
Issue: Active Directory Web Services is not started.
Impact: Active Directory Web Services (ADWS) is not started. If ADWS on the server is stopped or disabled, client applications such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center cannot access or manage directory service instances that are running on this server. For more information, see What's New in AD DS: Active Directory Web Services (https://technet.microsoft.com/library/dd391908(WS.10).aspx) in the Windows Server Technical Library.
Resolution:
Open services.msc on the server.
Right-click Active Directory Web Services, and then click Start.
Issue: The DHCP Client service is not running on the server.
Impact: If this service is stopped, client computers cannot receive an IP address from the server.
Resolution:
Open services.msc on the server.
Right-click the DHCP Client service, and then click Start.
Issue: The IIS Admin Service is not running on the server.
Impact: If this service is stopped, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click IIS Admin Service, and then click Start.
Issue: The World Wide Web Publishing Service is not running on the server.
Impact: If this service is stopped, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click World Wide Web Publishing Service, and then click Start.
Issue: The Remote Desktop Gateway service is not running on the server.
Impact: If this service is stopped, users might be unable to access computers by using Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click the Remote Desktop Gateway service, and then click Start.
Issue: The Windows Time service is not running on the server.
Impact: If this service is stopped, date and time synchronization will be unavailable.
Resolution:
Open services.msc on the server.
Right-click the Windows Time service, and then click Start.
The Distributed Transaction Coordinator (MSDTC) service logon account should be NT AUTHORITY\Network Service
Issue: The default logon account for the Distributed Transaction Coordinator (MSDTC) service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, applications that use SQL Server or COM functions might not work correctly.
Resolution:
Open services.msc on the server.
Right-click the Distributed Transaction Coordinator service, and then click Properties.
On the Log On tab, select This account, type NT AUTHORITY\Network Service, and then click OK.
Issue: The default logon account for the Netlogon service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, the server might not authenticate users and services.
Resolution:
Open services.msc on the server.
Right-click the Netlogon service, and then click Properties.
On the Log On tab, select Local System account.
Issue: The default logon account for the DNS Client service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, the server might be unable to resolve DNS names.
Resolution:
Open services.msc on the server.
Right-click the DNS Client service, and then click Properties.
On the Log On tab, select This account, and then type NT AUTHORITY\Network Service.
Issue: The default logon account for the DNS Server service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, DNS updates might not occur.
Resolution:
Open services.msc on the server.
Right-click the DNS Server service, and then click Properties.
On the Log On tab, select Local System account.
Issue: Active Directory Web Services is not using the default logon account. By default, the logon account is set to Local System account.
Impact: Active Directory Web Services (ADWS) is not started. If ADWS on the server is stopped or disabled, client applications such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center cannot access or manage directory service instances that are running on this server. For more information, see What's New in AD DS: Active Directory Web Services (https://technet.microsoft.com/library/dd391908(WS.10).aspx) in the Windows Server Technical Library.
Resolution:
Open services.msc on the server.
Right-click Active Directory Web Services, and then click Properties.
Change the Startup type to Automatic, and then click OK.
In Active Directory Web Services Properties, click the Log On tab.
Select the Local System account option, and then click OK.
Issue: The default logon account for the Automatic Updates service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, the server might not receive automatic updates.
Resolution:
Open services.msc on the server.
Right-click the Windows Update service, and then click Properties.
On the Log On tab, select Local System account.
Issue: The default logon account for the DHCP Client service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, the client computer will not receive IP addresses from the server.
Resolution:
Open services.msc on the server.
Right-click the DHCP Client service, and then click Properties.
On the Log On tab, select This account, and then type NT AUTHORITY\Local Service.
Issue: The default logon account for the IIS Admin service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click IIS Admin service, and then click Properties.
On the Log On tab, select Local System account.
Issue: The default logon account for the World Wide Web Publishing Service is changed.
Impact: The service might not have the permissions that are required to work as expected. As a result, you might be unable to access websites running on the server, such as Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click World Wide Web Publishing Service, and then click Properties.
On the Log On tab, select Local System account.
The Remote Desktop Gateway service should use the NT AUTHORITY\Network Service account as its logon account
Issue: The default logon account for the Remote Desktop Gateway service is changed.
Impact: The service might not have the appropriate permissions to work as expected. As a result, users might not be able to access computers by using Remote Web Access.
Resolution:
Open services.msc on the server.
Right-click the Remote Desktop Gateway service, and then click Properties.
On the Log On tab, select This account, and then type NT AUTHORITY\Network Service.
Issue: The default logon account for the Windows Time service is changed.
Impact: The service might not have the appropriate permissions to work as expected. As a result, date and time synchronization might be unavailable.
Resolution:
Open services.msc on the server.
Right-click the Windows Time service, and then click Properties.
On the Log On tab, select This account, and then type NT AUTHORITY\Local Service.
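The startup type, running state and logon account rules above can be checked in one read-only pass. The following PowerShell is an added example, not part of the BPA or of the original article; the service key names in the Name column are the usual Windows names and are an assumption to confirm with Get-Service on your server.

```powershell
# Added example: read-only audit of the service rules described above.
# Name    = service key name (assumed; the page only gives display names)
# Auto    = the page expects an automatic startup type
#           (StartMode 'Auto' also covers Automatic (Delayed Start))
# Running = the page expects the service to be started
# Account = logon account as written on the page ($null = no logon-account rule)
$rules = @(
    @{ Name='MSDTC';          Display='Distributed Transaction Coordinator'; Auto=$true;  Running=$true;  Account='NT AUTHORITY\Network Service' }
    @{ Name='Netlogon';       Display='Netlogon';                            Auto=$true;  Running=$true;  Account='Local System' }
    @{ Name='Dnscache';       Display='DNS Client';                          Auto=$true;  Running=$true;  Account='NT AUTHORITY\Network Service' }
    @{ Name='DNS';            Display='DNS Server';                          Auto=$true;  Running=$true;  Account='Local System' }
    @{ Name='ADWS';           Display='Active Directory Web Services';       Auto=$true;  Running=$true;  Account='Local System' }
    @{ Name='wuauserv';       Display='Windows Update';                      Auto=$false; Running=$false; Account='Local System' }
    @{ Name='Dhcp';           Display='DHCP Client';                         Auto=$true;  Running=$true;  Account='NT AUTHORITY\Local Service' }
    @{ Name='IISADMIN';       Display='IIS Admin Service';                   Auto=$true;  Running=$true;  Account='Local System' }
    @{ Name='W3SVC';          Display='World Wide Web Publishing Service';   Auto=$true;  Running=$true;  Account='Local System' }
    @{ Name='RemoteRegistry'; Display='Remote Registry';                     Auto=$true;  Running=$false; Account=$null }
    @{ Name='TSGateway';      Display='Remote Desktop Gateway';              Auto=$true;  Running=$true;  Account='NT AUTHORITY\Network Service' }
    @{ Name='W32Time';        Display='Windows Time';                        Auto=$true;  Running=$true;  Account='NT AUTHORITY\Local Service' }
)

function Get-AccountKey {
    # WMI reports 'LocalSystem' or 'NT AUTHORITY\NetworkService', while the
    # Log On tab text on this page uses spaces. Strip whitespace and fold
    # case so both spellings compare equal.
    param([string]$Account)
    if ([string]::IsNullOrEmpty($Account)) { return '' }
    return ($Account -replace '\s', '').ToUpperInvariant()
}

function New-Finding {
    param($Service, $Check, $Expected, $Actual)
    [pscustomobject]@{ Service = $Service; Check = $Check; Expected = $Expected; Actual = $Actual }
}

$findings = foreach ($rule in $rules) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($rule.Name)'"
    if (-not $svc) {
        # Role not installed or the assumed key name is wrong: report, do not guess.
        New-Finding $rule.Display 'Installed' 'present' 'not found'
        continue
    }
    if ($rule.Auto -and $svc.StartMode -ne 'Auto') {
        New-Finding $rule.Display 'Startup type' 'Automatic' $svc.StartMode
    }
    if ($rule.Running -and $svc.State -ne 'Running') {
        New-Finding $rule.Display 'State' 'Running' $svc.State
    }
    if ($rule.Account -and (Get-AccountKey $svc.StartName) -ne (Get-AccountKey $rule.Account)) {
        New-Finding $rule.Display 'Logon account' $rule.Account $svc.StartName
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'All listed service rules pass.'
}
```

A logon account finding deserves a closer look than a startup type finding: a core service running under an unexpected account is a change to review before it is reset.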
Issue: The built-in Administrators group does not have the right to log on as a batch job.
Impact: If the Administrator creates an alert and configures the alert to run when the Administrator is not logged on, the alert will fail with an error code of 2147943785.
Resolution: For information about how to give the built-in Administrators group permission to log on as a batch job, see Give the built-in Administrator group the right to log on as a batch job (https://technet.microsoft.com/library/jj635076).
Issue: Windows Firewall is turned off. The default value is on.
Impact: Depending on your firewall settings, Windows Firewall can help protect your server and network from malicious activity by blocking some information from passing through the server.
Resolution:
Open Control Panel on the server.
In Control Panel, click System and Security, and then click Windows Firewall.
In Windows Firewall, click Turn Windows Firewall on or off, select the Turn on Windows Firewall option, and then click OK.
Issue: The internal network adapter is not configured to register its IP address in DNS.
Impact: If the IP address of the internal network adapter is not registered in DNS, it might not be possible to access the server by using the server’s computer name.
Resolution: Verify that the internal network adapter is configured to register in DNS.
Issue: The value of the DNS ForwardingTimeout registry key should not be the same as the value of the RecursionTimeout registry key.
Impact: You might not be able to access Internet resources by name.
Resolution: Set the value for the RecursionTimeout registry key to be greater than the value of the ForwardingTimeout key, located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
Issue: You should configure the forward lookup zone to allow only secure dynamic updates.
Impact: When you enable secure dynamic updates, only authorized users and hosts can make changes to the records.
Resolution:
Open dnsmgmt.msc on the server.
Right-click the forward lookup zone for your Active Directory domain, and then click Properties.
In the Dynamic updates drop-down list, select Secure only, and then click OK.
Issue: You should configure the forward lookup zone for the _msdcs.* zone to allow only secure dynamic updates.
Impact: When you enable secure dynamic updates, only authorized users and hosts can make changes to records in the _msdcs.* zone.
Resolution:
Open dnsmgmt.msc on the server.
Right-click the forward lookup zone for the _msdcs zone, and then click Properties.
In the Dynamic updates drop-down list, select Secure only, and then click OK.
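The two DNS rules above (timeout ordering and secure-only dynamic updates) can be verified without opening regedit or DNS Manager. This PowerShell is an added example, not code from the BPA; it assumes the DnsServer module is available on the server and that the Active Directory domain name equals the domain the server is joined to.

```powershell
# Added example: read-only check of the DNS rules described above.
Import-Module DnsServer

function Test-DnsTimeouts {
    # Rule from the page: RecursionTimeout must be greater than ForwardingTimeout.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $p   = Get-ItemProperty -Path $key
    $fwd = $p.ForwardingTimeout
    $rec = $p.RecursionTimeout

    if ($null -eq $fwd -or $null -eq $rec) {
        # A missing value means the DNS Server service uses its built-in default.
        $result = 'Not set in registry (service default applies)'
    } elseif ($rec -gt $fwd) {
        $result = 'Pass'
    } else {
        $result = 'Fail: RecursionTimeout is not greater than ForwardingTimeout'
    }
    [pscustomobject]@{
        ForwardingTimeout = $fwd
        RecursionTimeout  = $rec
        Result            = $result
    }
}

function Test-SecureDynamicUpdate {
    # Rule from the page: the zone must accept secure dynamic updates only.
    param([Parameter(Mandatory = $true)][string]$ZoneName)

    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        # _msdcs can exist as a subdomain or delegation inside the domain zone
        # instead of as its own zone; report that rather than failing.
        return [pscustomobject]@{
            Zone          = $ZoneName
            DynamicUpdate = 'n/a'
            DsIntegrated  = 'n/a'
            Result        = 'Not hosted as a separate zone on this server'
        }
    }

    # DynamicUpdate is one of: None, Secure, NonsecureAndSecure.
    if ($zone.DynamicUpdate -eq 'Secure') {
        $result = 'Pass'
    } elseif (-not $zone.IsDsIntegrated) {
        # "Secure only" is offered only for Active Directory-integrated zones.
        $result = 'Fail: zone is not AD-integrated, so Secure only is unavailable'
    } else {
        $result = "Fail: dynamic updates are set to $($zone.DynamicUpdate)"
    }
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        DynamicUpdate = $zone.DynamicUpdate
        DsIntegrated  = $zone.IsDsIntegrated
        Result        = $result
    }
}

# Assumption: the AD domain DNS name is the domain this server belongs to.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

Test-DnsTimeouts | Format-List
@(
    Test-SecureDynamicUpdate -ZoneName $domain
    Test-SecureDynamicUpdate -ZoneName "_msdcs.$domain"
) | Format-Table -AutoSize
```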
Issue: Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Administrators group.
Impact: If Internet Explorer Enhanced Security Configuration is not enabled for the Administrators group, your server and Internet Explorer have increased exposure to malicious attacks that can occur through Web content and application scripts.
Resolution:
Open Server Manager on the server, and then click Local Server.
On the Properties pane, change the setting for IE Enhanced Security Configuration to On, and then click OK.
Issue: Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Users group.
Impact: If Internet Explorer Enhanced Security Configuration is not enabled for the Users group, your server and Internet Explorer have increased exposure to malicious attacks that can occur through Web content and application scripts.
Resolution:
Open Server Manager, and then click Local Server.
On the Properties pane, change the setting for IE Enhanced Security Configuration to On, and then click OK.
Issue: The source server that is running Windows Small Business Server still exists in Active Directory Sites and Services in the Default-First-Site-Name.
Impact: If the source server remains in Active Directory Sites and Services, client computers can experience connectivity issues.
Resolution: You should demote the source server, remove it from the domain, and then delete the source server from Active Directory Sites and Services and Active Directory Users and Computers.
Issue: The source server that is running Windows Small Business Server still exists in Active Directory Users and Computers.
Impact: If the source server remains in Active Directory Users and Computers, client computers can experience connectivity issues.
Resolution: You should demote the source server, remove it from the domain, and then delete the source server from Active Directory Sites and Services and Active Directory Users and Computers.
Issue: The Default Domain Policy group policy is missing.
Impact: The Default Domain Policy is required for proper domain functions.
Resolution:
Open gpmc.msc on the server.
In Group Policy Manager, expand the domain forest, and search the console tree for the Default Domain Policy group policy object.
If the policy does not appear in the tree, restore it from a system state backup.
Issue: There are no DNS name server (NS) resource records in the forward lookup zone for your server.
Impact: If no DNS name server (NS) resource record exists in the forward lookup zone for the Active Directory domain, users might not be able to access resources on the network or on the Internet.
Resolution:
Open dnsmgmt.msc on the server.
In DNS Manager, right-click the forward lookup zone for the Active Directory domain, and then click Properties.
On the Name Servers tab, verify that the settings are correct.
Make any necessary changes, and then click OK to save the settings.
Issue: There are no DNS name server (NS) resource records in the _msdcs zone for your server (for example: _msdcs.contoso.local).
Impact: If no DNS name server (NS) resource record exists in the _msdcs zone for the Active Directory domain, users might not be able to access resources on the network or on the Internet.
Resolution:
Open dnsmgmt.msc on the server.
In DNS Manager, right-click the forward lookup zone for the _msdcs zone, and then click Properties.
On the Name Servers tab, verify that the settings are correct.
Make any necessary changes, and then click OK to save the settings.
Issue: There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.
Impact: If no DNS name server (NS) resource record exists for the delegated _msdcs forward lookup zone, the DNS Server service cannot resolve the DNS resource records for the domain and will fail to start.
Resolution:
Open dnsmgmt.msc on the server.
In DNS Manager, expand your server name, and then expand Forward Lookup Zones.
Click the forward lookup zone for your Active Directory domain (for example: contoso.local).
The delegated _msdcs zone appears as a greyed out folder. Right-click the _msdcs zone, and then click Properties.
On the Name Servers tab, verify that the settings are correct.
Make any necessary changes, and then click OK to save the settings.
Issue: The Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group.
Impact: If the built-in Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group, network users might encounter "Access is Denied" errors.
Resolution:
Open dsa.msc on the server.
In the Builtin folder, right-click Pre-Windows 2000 Compatible Access, and then click Properties.
Click Add, type Authenticated Users, and then click OK two times.
Issue: The DNS client is not configured to point only to the internal IP address of the server.
Impact: If the DNS client is not configured to point only to the internal IP address of the server, DNS name resolution can fail.
Resolution:
From the client computer, open the Properties page for the network connection.
Make sure that DNS is configured to point only to the internal IP address of the server.
Issue: The number of Maximum Worker Processes for the DefaultAppPool Application Pool is not set to the default value of 1.
Impact: Users might not be able to connect to Windows Small Business Server web-based services.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Application Pools.
In Application Pools, right-click DefaultAppPool, and then click Advanced Settings.
In Advanced Settings, change the value for Maximum Worker Processes to 1, and then click OK.
Close Advanced Settings, right-click DefaultAppPool, and then stop and restart the application pool.
Issue: The RemoteAppPool application pool is not running with the default account.
Impact: Network users might not be able to access the Remote Web Access website.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Application Pools.
In Application Pools, right-click RemoteAppPool, and then click Advanced Settings.
In Advanced Settings, change the Identity to NetworkService, and then click OK.
Close Advanced Settings, right-click RemoteAppPool, and then stop and restart the application pool.
Issue: The RemoteAppPool application pool is not running with the default version of Microsoft .NET Framework.
Impact: Network users might not be able to access the Remote Web Access website.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Application Pools.
In Application Pools, right-click RemoteAppPool, and then click Advanced Settings.
In Advanced Settings, change the .NET Framework Version to v4.0, and then click OK.
Close Advanced Settings, right-click RemoteAppPool, and then stop and restart the application pool.
Issue: If the size of the Remoteaccess.log file exceeds 1 GB, you can experience low disk space errors on the system drive.
Impact: If the Remoteaccess.log file is too large, it might cause free space issues on drive C:.
Resolution: After you back up the server, you can delete the Remoteaccess.log file, which is located in the %ProgramData%\Microsoft\Windows Server\Logs\WebApps folder.
Issue: If the size of the default website’s log folder exceeds 1 GB, you can experience low disk space errors on the system drive.
Impact: If the default website's log folder is too large, it might cause free space issues on drive C:.
Resolution: After you back up the server, and while the default website is stopped, you can delete the log files in the C:\inetpub\logs\LogFiles\W3SVC1 folder. Then start the default website.
Issue: There is no binding for Secure Sockets Layer (SSL) on all IP addresses on the server.
Impact: If SSL is not bound to all IP addresses on the server, some websites will not be available to users.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, on the Connections pane, expand your server, expand Sites, right-click Default Web Site, and then click Edit Bindings.
In Site Bindings, click Add, and then select the following settings:
Type = https
IP Address = All Unassigned
Port = 443
Select an SSL certificate, and then click OK to save your changes.
Issue: There is no binding for SSL on the default website.
Impact: If SSL is not bound to the default website, some websites might not be available to users.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, on the Connections pane, expand your server, expand Sites, right-click Default Web Site, and then click Edit Bindings.
In Site Bindings, click Add, and then select the following options:
Type = https
IP Address = All Unassigned
Port = 443
Note
If an HTTPS binding for port 443 exists for a specific IP address, change the IP Address attribute for that binding to All Unassigned. The exception to this is for IP address 127.0.0.1. Do not change the binding for 127.0.0.1.
Select an SSL certificate, and then click OK to save your changes.
Issue: Your server certificate will expire within 30 days.
Impact: The server cannot use an expired certificate. If the certificate expires, users might not be able to use Anywhere Access functions.
Resolution: To prevent the certificate from expiring, renew the certificate with your Trusted Certification Authority.
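The HTTPS binding rules and the 30-day expiry rule above can be checked together, because the binding records which certificate it uses. This PowerShell is an added example, not code from the BPA; it assumes the WebAdministration module is installed and that the site is named Default Web Site, as on this page.

```powershell
# Added example: read-only check of the port 443 binding and certificate expiry.
Import-Module WebAdministration

$site       = 'Default Web Site'
$warnDays   = 30   # threshold used by the rule on this page

function Get-HttpsBindingReport {
    param([string]$SiteName, [int]$WarnDays)

    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($bindings.Count -eq 0) {
        return [pscustomobject]@{
            Binding = '(none)'; Subject = ''; NotAfter = $null; DaysLeft = $null
            Result  = 'Fail: no https binding on the site'
        }
    }

    foreach ($b in $bindings) {
        # bindingInformation has the form 'IP:port:hostname';
        # '*' in the IP position is what IIS Manager shows as All Unassigned.
        $info = $b.bindingInformation
        $isAllUnassigned443 = $info -match '^\*:443:'

        $cert = $null
        if ($b.certificateHash) {
            $path = 'Cert:\LocalMachine\{0}\{1}' -f $b.certificateStoreName, $b.certificateHash
            $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        }

        if (-not $cert) {
            $result   = 'Fail: binding has no certificate, or the certificate is missing from the store'
            $subject  = ''
            $notAfter = $null
            $daysLeft = $null
        } else {
            $subject  = $cert.Subject
            $notAfter = $cert.NotAfter
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0) {
                $result = 'Fail: certificate has expired'
            } elseif ($daysLeft -le $WarnDays) {
                $result = "Warn: certificate expires within $WarnDays days"
            } elseif (-not $isAllUnassigned443) {
                $result = 'Review: binding is not All Unassigned on port 443'
            } else {
                $result = 'Pass'
            }
        }

        [pscustomobject]@{
            Binding  = $info
            Subject  = $subject
            NotAfter = $notAfter
            DaysLeft = $daysLeft
            Result   = $result
        }
    }
}

Get-HttpsBindingReport -SiteName $site -WarnDays $warnDays | Format-List
```

The Subject column is printed so it can be compared by eye with the name configured in the Domain Name wizard; the script does not read that name. A binding for 127.0.0.1 will show as Review, which is expected per the note above.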
Issue: The certificate subject does not match the name that was configured by Domain Name wizard.
Impact: If the certificate subject does not match the name that was configured by Domain Name wizard, some websites will not initialize. Other sites will display the error "There is a problem with this website’s security certificate."
Resolution: To resolve this issue, either run the Set up Anywhere Access Wizard again and provide the correct domain name for the certificate, or purchase a new certificate that matches the domain name that you wish to use.
Issue: One or more user accounts have duplicate CN names: {0}.
Impact: If user accounts have duplicate CN names, users might not be able to log on to the network. In addition, searches of Active Directory for users can return incorrect values.
Resolution: To resolve this issue, ensure that network user accounts do not have duplicate "CN=" names. To make this easier, consider exporting Active Directory contents to a text file for review. For information about how to do this, see Using LDIFDE to import and export directory objects to Active Directory (Knowledge Base article 237677) (https://support.microsoft.com/kb/237677).
Issue: The Windows NT Backup program is installed on the server.
Impact: Windows Server 2012 Essentials uses Windows Server Backup. If the Windows NT Backup program is also installed, conflicts can exist between the two backup programs. This can cause the Windows Server Backup process to fail. The conflicts might also prevent you from using a backup to restore the server.
Resolution: To resolve this issue, uninstall the NT Backup program from the server.
Issue: Internet Information Services (IIS) does not own port 80 (0.0.0.0:80) or Port 443. These ports are currently bound by other applications.
Impact: Windows Server 2012 Essentials web applications require the use of port 80 and port 443 to make services available to users. If another process or application is already using port 80 or port 443, the Windows Server 2012 Essentials web applications cannot run. If this occurs, Remote Web Access and other applications are not available to users.
Resolution: To resolve this issue, either uninstall the application that is already using port 80 or port 443, or assign that application to a different port.
Issue: The default website is not running in your Windows Server 2012 Essentials environment.
Impact: Windows Server 2012 Essentials web applications require the use of the default website. If the default website is not running, Remote Web Access and other applications are not available to users.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Sites.
Right-click Default Web Site, point to Manage Website, and then click Start.
Issue: Read and Script permissions are not assigned to the /Remote virtual directory.
Impact: If the Read and Script permissions for the /Remote virtual directory are incorrect, users cannot use Remote Web Access. When they try to use Remote Web Access to browse the Internet, they might encounter the error "HTTP Error 403.1 – Forbidden."
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Sites.
Expand Default Web Site, and then expand Remote.
In Features View, double-click Handler Mappings.
On the Actions pane, click Edit Feature Permissions.
Select the Read and Script check boxes, and then click OK.
Issue: The HTTP Redirect attribute is unexpectedly set or inherited on the /Remote virtual directory.
Impact: If the HTTP Redirect attribute is set on the /Remote virtual directory, Remote Web Workplace does not work correctly.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Sites.
Expand Default Web Site, and then expand Remote.
In Features View, double-click HTTP Redirect.
Clear the Redirect requests to this destination check box, and then click Apply on the Actions pane.
Issue: A host name is assigned for port 80 on the default website.
Impact: If a host name is assigned for port 80 on the default website, you might not be able to connect to some Windows Server 2012 Essentials web applications. A host name is not required and is not recommended in this situation.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Sites.
In Features View, right-click Default Web Site, and then click Bindings.
In Site Bindings, select the http for port 80 setting, and then click Edit.
In Edit Site Binding, clear the Host name entry, and then click OK.
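The four Default Web Site rules above (site running, Read and Script permissions on /Remote, no HTTP Redirect on /Remote, no host name on port 80) can be read back in one pass. This is an added, read-only example, not part of the BPA tool; it assumes the WebAdministration module is available and that the "Edit Feature Permissions" setting is stored as the accessPolicy attribute of the handlers section.

```powershell
# Added example: read-only checks for the Default Web Site rules on this page.
Import-Module WebAdministration   # installed with the IIS management tools

$site   = 'Default Web Site'
$remote = "IIS:\Sites\$site\Remote"

# Rule: the default website must be running.
$state = (Get-Item "IIS:\Sites\$site").State

# Rule: the http binding on port 80 must not carry a host name.
# bindingInformation has the form <IP>:<port>:<host name>.
$hostNames = @(Get-WebBinding -Name $site -Protocol http | ForEach-Object {
    if ($_.bindingInformation -match ':80:([^:]+)$') { $Matches[1] }
})

# Rule: HTTP Redirect must not be set or inherited on /Remote. Reading the
# property at the /Remote path returns the effective (merged) value.
$redirect = (Get-WebConfigurationProperty -PSPath $remote `
    -Filter 'system.webServer/httpRedirect' -Name 'enabled').Value

# Rule: /Remote needs the Read and Script feature permissions, which IIS
# stores as the accessPolicy flags of the handlers section (assumption
# stated in the lead-in). Flags are compared as whole words so that
# NoRemoteScript is not mistaken for Script.
$policy = Get-WebConfigurationProperty -PSPath $remote `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy'
if ($policy -isnot [string]) { $policy = $policy.Value }
$flags = "$policy" -split ',' | ForEach-Object { $_.Trim() }

[pscustomobject]@{
    SiteStarted      = $state -eq 'Started'
    Port80HostNames  = $hostNames -join ', '   # empty string means compliant
    RedirectDisabled = -not $redirect
    ReadAndScriptSet = ($flags -contains 'Read') -and ($flags -contains 'Script')
}
```

Run it from an elevated PowerShell session on the server; any False value, or a non-empty Port80HostNames, points to the matching resolution steps above.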
Issue: A non-NTFS partition is scheduled for backup by Windows Server Backup.
Impact: Windows Server Backup can only back up partitions that are formatted as NTFS.
Resolution: Do not configure Windows Server Backup to back up non-NTFS partitions. For more information, see Event IDs 12290 and 16387 are logged when system state backup fails on a Windows Server 2008-based computer (Knowledge Base article 968128) (https://support.microsoft.com/kb/968128).
Issue: The most recent backup attempt did not complete successfully.
Impact: The backup status for the system is not correct.
Resolution: Review the event logs and backup logs for errors that occurred during the most recent backup.
Issue: The File Replication Service (FRS) might not start if the startup type is not set to the default value of Automatic.
Impact: If the File Replication Service is not running, the domain controller might stop advertising its services. This can lead to other problems such as logon errors and Group Policy errors.
Resolution:
Open the Services console.
In the list of services, double-click File Replication.
For Startup type, select Automatic, and then click Apply.
Issue: The File Replication Service is not running.
Impact: If the File Replication Service is not running, the domain controller might stop advertising its services. This behavior can lead to other problems such as logon errors and Group Policy errors.
Resolution:
Open the Services console.
In the list of services, double-click File Replication Service.
Click Start.
Issue: The File Replication Service is not configured to use the Local System account as the default logon account.
Impact: If the File Replication Service does not use Local System as the default logon account, you might encounter permissions-related errors. These errors can trigger other errors, and can eventually cause the domain controller to stop advertising its services.
Resolution:
Open the Services console.
In the list of services, double-click File Replication.
On the Service Properties page, click the Log On tab.
Select the Local System account option, and then click Apply.
Restart the service.
Issue: The DFS Replication service might not start if the startup type is not set to the default value of Automatic.
Impact: If the DFS Replication service is not running, the domain controller might stop advertising its services. This can lead to other problems such as logon errors and Group Policy errors.
Resolution:
Open the Services console.
In the list of services, double-click DFS Replication.
For Startup type, select Automatic, and then click Apply.
Issue: The DFS Replication service is not currently running.
Impact: If the DFS Replication service is not running, the domain controller might stop advertising its services. This behavior can lead to other problems such as logon errors and Group Policy errors.
Resolution:
Open the Services console.
In the list of services, double-click DFS Replication.
Click Start.
Issue: The DFS Replication service is not set to use the Local System account as the default logon account.
Impact: If the DFS Replication service does not use Local System as the default logon account, you might encounter permissions-related errors. These errors can trigger other errors, and can eventually cause the domain controller to stop advertising its services.
Resolution:
Open the Services console.
In the list of services, double-click DFS Replication.
On the Service Properties page, click the Log On tab.
Select the Local System account option, and then click Apply.
Restart the service.
Issue: The Windows Server Office 365 Integration Service is not set to use the Local System account as the default logon account.
Impact: If Windows Server Office 365 Integration Service does not use Local System as the default logon account, some features of Office 365 might not function properly. You might also encounter permissions-related errors.
Resolution:
Open the Services console.
In the list of services, double-click Windows Server Office 365 Integration Service.
On the Service Properties page, click the Log On tab.
Select the Local System account option, and then click Apply.
Restart the service.
Issue: The Windows Server Office 365 Integration Service is not currently running.
Impact: If the Windows Server Office 365 Integration Service is not running, the cloud-based features of Office 365 are not available.
Resolution:
Open the Services console.
In the list of services, double-click Windows Server Office 365 Integration Service.
Click Start.
Issue: The Windows Server Office 365 Integration Service might not start if the startup type is not set to the default value of Automatic.
Impact: If the Windows Server Office 365 Integration Service is not running, the cloud-based features of Office 365 are not available.
Resolution:
Open the Services console.
In the list of services, double-click Windows Server Office 365 Integration Service.
For Startup type, select Automatic, and then click Apply.
Issue: A registry key under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy either contains incorrect values, or does not exist.
Impact: If the RPCProxy registry key is set incorrectly, you might receive an error message that resembles the following: "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance."
Resolution:
Open Registry Editor.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
Ensure that the string named "Website" has a data value of "Default Web Site":
If the data value is incorrect, modify the string to use the correct value.
If the string does not exist, create a new string named "Website", and set the data value to "Default Web Site".
Issue: The Block Level Backup Engine Service is not using the default startup type of Manual.
Impact: The Block Level Backup Engine Service might not start if the startup type is not set to Manual. This issue can cause Windows Server Backup jobs to fail.
Resolution:
Open the Services console.
In the list of services, double-click Block Level Backup Engine Service.
For Startup type, select Manual, and then click Apply.
The logon account for the Block Level Backup Engine Service is not set to use the Local System account
Issue: The Block Level Backup Engine Service is not set to use the Local System account as the default logon account.
Impact: If Block Level Backup Engine Service does not use Local System as the default logon account, you might encounter permissions-related errors. These errors can prevent Windows Server Backup jobs from completing successfully.
Resolution:
Open the Services console.
In the list of services, double-click Block Level Backup Engine Service.
On the Service Properties page, click the Log On tab.
Select the Local System account option, and then click Apply.
Restart the service.
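The startup type, logon account, and running-state rules above for the File Replication Service, DFS Replication, Windows Server Office 365 Integration Service, and Block Level Backup Engine Service can be audited together. This is an added, read-only example, not part of the BPA tool; the short service names NtFrs, DFSR and wbengine are the standard Windows names for those services, and the Office 365 service is looked up by the display name given on this page.

```powershell
# Added example. Expected values come from the BPA rules on this page.
$rules = @(
    @{ Filter = "Name='NtFrs'";    StartMode = 'Auto';   MustRun = $true }
    @{ Filter = "Name='DFSR'";     StartMode = 'Auto';   MustRun = $true }
    @{ Filter = "Name='wbengine'"; StartMode = 'Manual'; MustRun = $false }
    @{ Filter = "DisplayName='Windows Server Office 365 Integration Service'"
       StartMode = 'Auto'; MustRun = $true }
)

$findings = foreach ($rule in $rules) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $rule.Filter
    if (-not $svc) {
        # Service is not present on this server; nothing to compare.
        Write-Verbose "No service matches $($rule.Filter); skipping."
        continue
    }

    # Each entry is (expected, actual). Win32_Service reports an Automatic
    # startup type as 'Auto' and the Local System account as 'LocalSystem'.
    $checks = [ordered]@{
        'Startup type'  = @($rule.StartMode, $svc.StartMode)
        'Logon account' = @('LocalSystem',   $svc.StartName)
    }
    # The page does not require the backup engine to be running, only the others.
    if ($rule.MustRun) { $checks['State'] = @('Running', $svc.State) }

    foreach ($name in $checks.Keys) {
        $want, $have = $checks[$name]
        if ($want -ne $have) {
            [pscustomobject]@{
                Service  = $svc.DisplayName
                Check    = $name
                Expected = $want
                Actual   = $have
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'All checked services match the expected configuration.' }
```

A service that runs under an account other than Local System shows up in the Actual column with that account name, which is worth reviewing before you change it back.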
The common name on the certificate that is bound to the WSS Certificate Web Service website does not match the server name
Issue: A non-valid certificate is bound to the WSS Certificate Web Service website in IIS. The common name on this certificate does not match the server name.
Impact: If you bind a non-valid certificate to the WSS Certificate Web Service website, the Connect Wizard might not function correctly.
Resolution:
Open Internet Information Services (IIS) Manager on the server.
In IIS Manager, expand your server name and then click Sites.
Right-click WSS Certificate Web Service, and then click Edit Bindings.
In Site Bindings, click HTTPS, and then click Edit.
In Edit Site Binding, for SSL certificate, select the certificate that has the same name as your server.
If more than one certificate entry has the same name as your server, click View to determine which certificate is valid, and then select the appropriate certificate.
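When several certificates carry the server's name, the binding can be inspected from PowerShell instead of opening each certificate with View. This is an added, read-only example, not part of the BPA tool; it assumes the WebAdministration module is available, that the certificate is in a LocalMachine store, and that "the same name as your server" means the short computer name.

```powershell
# Added example: show which certificate is bound to the site and whether
# its subject name and validity period look right.
Import-Module WebAdministration

$siteName   = 'WSS Certificate Web Service'   # site name as given on this page
$serverName = $env:COMPUTERNAME               # assumption: CN is the short name
$now        = Get-Date

$results = foreach ($binding in (Get-WebBinding -Name $siteName -Protocol https)) {
    $hash  = $binding.certificateHash
    $store = $binding.certificateStoreName
    $cert  = $null
    if ($hash) {
        $cert = Get-Item -Path "Cert:\LocalMachine\$store\$hash" `
                         -ErrorAction SilentlyContinue
    }
    if (-not $cert) {
        # Either nothing is bound or the bound certificate was deleted.
        [pscustomobject]@{
            Binding = $binding.bindingInformation
            Problem = 'No certificate found for this binding'
        }
        continue
    }

    # SimpleName returns the subject's common name when one is present.
    $cn = $cert.GetNameInfo('SimpleName', $false)

    [pscustomobject]@{
        Binding          = $binding.bindingInformation
        Thumbprint       = $cert.Thumbprint
        CommonName       = $cn
        NameMatches      = $cn -eq $serverName
        InValidityPeriod = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        HasPrivateKey    = $cert.HasPrivateKey
    }
}

$results | Format-List
```

A binding where NameMatches, InValidityPeriod or HasPrivateKey is False is the one to replace in Edit Site Binding.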
Issue: The certificate for the Remote Desktop Gateway service seems to be bound incorrectly.
Impact: If the certificate for the Remote Desktop Gateway service is not configured correctly, users cannot connect to Remote Web Access.
Resolution:
Open a command prompt as an Administrator, and enter the following commands:
REG ADD HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 /v DefaultFlags /t REG_DWORD /d 1 /f
net stop tsgateway
net start tsgateway
For more information, see How to Manage the Remote Desktop Gateway Service in Windows Server 2012 Essentials (Knowledge Base article 2472211) (https://support.microsoft.com/kb/2472211).