Cannot finish Post-Deploy of Essentials Role on 2012 R2 Standard

    Question

  • Good day,

    I'm attempting to finish post-deployment of Windows Server 2012 R2 Standard, Essentials role. I click configure and it fails with no information besides try again.

    I have followed the steps to try to add <Domain>\ServerAdmin$ to "Log on as a service". I was unable to because the user did not exist. I created a user with that name, gave it quite a few rights and was able to make that change to the GPO. Upon refreshing policy and trying to run the configuration again, it still failed. Any direction or tips would be appreciated. This has happened when trying to set up as Server 2012 R2 Essentials and Standard with the Essentials role.

    Our primary DC is Server 2008 R2 and this is virtualized on ESXi 5.1

    Monday, December 16, 2013 3:20 PM

All replies

  • Check the status of the WseMgmtSvc. If this server is stopped, try starting this service.

    If this service fails check if we have <domain>\ServerAdmin$ added to "Log on As a Service" Under

    "Default Domain Controllers Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment"

    If we do not have this user, add this user to "Log on As a Service". Try starting the WseMgmtSvc; if the service starts, the configuration should complete successfully.



    This post is "AS IS" and confers no rights. Mohammed Sabir [MSFT]

    Monday, December 16, 2013 7:53 PM
  • The user ServerAdmin$ doesn't exist in my domain. Should I create it then and what rights should it have?
    Monday, December 16, 2013 8:03 PM
  • Hi,

    Would you please let me know the complete information of prompt error or provide a screenshot, when you add account ServerAdmin$ into Log on as a service setting?

    In addition, when you add this account, please select all object types and Locations: Entire Directory. Then check if you encounter the same issue.

    Best regards,

    Justin Gu
    Thursday, December 19, 2013 9:42 AM
  • Good day,

    Attached is the error I am getting when attempting to add <domain>\ServerAdmin$

    Friday, December 20, 2013 2:49 PM
  • Have you tried simply typing domain\serveradmin$ into the add user box, rather than trying to browse or search the directory?

    Robert Pearman SBS MVP
    itauthority.co.uk

    Friday, December 20, 2013 9:51 PM
  • Yes, I have tried that and it yields the same error.

    If I just do straight ServerAdmin$, no domain, it gets added to the list, but RSOP complains about not being able to map between account name and SID. And of course, I am not able to continue with the deployment wizard.
    Friday, December 20, 2013 9:56 PM
  • Are you doing this on the DC or from the Essentials Server?

    Robert Pearman SBS MVP
    itauthority.co.uk

    Saturday, December 21, 2013 8:53 PM
  • I'm having the same issue on a Server 2012 R2 box that will also serve as the domain controller.

    The first time I installed the essentials role it screwed up my profiles, so I restored from a server backup. Besides, I wanted to see how the restore operation goes.

    The second time, it did not install the prerequisites and there was no domain controller, so I removed the feature.

    The third time it correctly installed the reqs and I now logon to a domain account. But it errors out with a completely useless and non-descript message and there is nothing in any logs anywhere that I can find.

    I've manually created a ServerAdmin$ account and added it to the aforementioned policy.

    Saturday, December 21, 2013 10:00 PM
  • I have attempted it from both and it yields the same result.
    Sunday, December 22, 2013 12:50 AM
  • Just tried this on an Essentials Server R2 myself, and also do not have a ServerAdmin$ account available.

    Robert Pearman SBS MVP
    itauthority.co.uk

    Sunday, December 22, 2013 10:14 PM
  • David, ServerAdmin$ is a managed service account and it is used to do the configuration of essentials. And it is created at the beginning of the configuration.

    The solution of adding the "Log on as a service" permission doesn't seem to apply to your issue, considering your service account has not been created yet.

    Would you mind providing the logs under %programdata%/microsoft/windows server/logs and also the event log under microsoft\windows\serveressentials-deployment? We will investigate based on them.

    Does the PowerShell command "new-adserviceaccount -name 'testsrvacc' -RestrictTosingleComputer" work in your environment? It is used to create a service account called testsrvacc. You can check whether it worked with the "Active Directory Users and Computers" tool.

    Let me know whether it helps! I very much appreciate the feedback.


    This post is "AS IS" and confers no rights.

    Tuesday, December 24, 2013 3:05 AM
  • Good day,

    https://www.dropbox.com/sh/vwajh3fzfqc56c1/TO_voA43jm 

    That should be a link to a zip file containing all the log files. I ran that command and it worked with -path declared.

    Do you think using that to force create that service account will help?

    Tuesday, December 24, 2013 3:49 AM
  • There are no event logs in the zip. Would you please upload them too?

    In fact, force creating that service account would not help.

    Which account are you using to do the configuration? Is it domain admins? Thanks!


    This post is "AS IS" and confers no rights.

    Tuesday, December 24, 2013 8:25 AM
  • Sorry about that, missed the part about event viewer logs.

    https://www.dropbox.com/sh/vwajh3fzfqc56c1/AWuIqj3zEb/EventLogs.evtx This is the full log since installation.

    I do see errors when I try to use the wizard as well as call it by powershell cmdlet. 

    This is while from wizard:

    Unexpected error occured: System.Management.Automation.CmdletInvocationException: Value cannot be null.
    Parameter name: container ---> System.ArgumentNullException: Value cannot be null.
    Parameter name: container
       at Microsoft.WindowsServer.Essentials.ActiveDirectory.DirectoryEntryExtensions.GetNewChildName(DirectoryEntry container, String preferredName)
       at Microsoft.WindowsServer.Essentials.ActiveDirectory.WellKnownStandaloneMsa.Initialize(Domain domain, DirectoryEntry master, Guid wkguid, String preferredName, DirectoryEntry& entry, String& connectedServer)
       at Microsoft.WindowsServer.Essentials.ServerSetup.ServerSetupMsaHelper.InitializeServiceAccount()
       at Microsoft.WindowsServer.Essentials.ServerSetup.ServerSetupMsaHelper.UseServiceAccount(NetworkCredential credential)
       at Microsoft.WindowsServerSolutions.Setup.Commands.InitialConfigurationHelper.StartInitialConfiguration(PSCredential credential, Dictionary`2 data)
       at Microsoft.WindowsServerSolutions.Setup.Commands.InvokeEssentialsConfigureServiceCommand.ProcessRecord()
       at System.Management.Automation.CommandProcessor.ProcessRecord()
       --- End of inner exception stack trace ---
       at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
       at Microsoft.Windows.ServerManager.ServerEssentials.Plugin.RemotePSHelper.InvokeRoleConfigurationCommand(String command, IDictionary`2 parameters, Func`1 isCancellationRequested, Action`1 onProgress)

    The account I am using is domain admin, enterprise admin, schema admin. It's pretty much as close to a God account as can be.

    Tuesday, December 24, 2013 6:43 PM
  • I noticed when running the command to execute it manually via PowerShell, I get back the error that the value container cannot be null. I searched and searched and cannot find a parameter called container to add or declare. Did I botch something?
    Tuesday, December 24, 2013 6:51 PM
  • Essentials tries to create the service account in the default container (the "Managed Service Accounts" container).

    But in your environment, there is no such container. To resolve this issue, we need the default container back, and then to re-run configuration. BTW, creating it manually yourself doesn't help.

    To restore it, I think the forum thread below might be helpful. Thanks.

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/f9588fd5-0236-419d-b217-8c4de67732ae/deleted-managed-service-accounts-container?forum=winserverDS


    This post is "AS IS" and confers no rights.

    Wednesday, December 25, 2013 2:04 AM
  • Good evening,

    I followed those steps and I appear to have the Managed Service Accounts container now. I ran the configuration again and still the same error. Sorry to be difficult on this :) 

    Why would creating the account manually not help since I have the folder now? What creates that account, or at what point is it created?

    Wednesday, December 25, 2013 3:30 AM
  • It might be a different root cause. The service account is not identified by its name. So even though it is created manually, it will not be taken as the service account which configuration will use.

    Would you mind giving the logs and event logs again? Considering it has the container now, it should not fail at the same place. Thanks.


    This post is "AS IS" and confers no rights.

    Wednesday, December 25, 2013 4:32 AM
  • https://www.dropbox.com/sh/vwajh3fzfqc56c1/0RVdLXoGv4/logs_2.zip

    There you go, Logs + event viewer logs from just attempting short while ago.

    Wednesday, December 25, 2013 4:47 AM
  • You are right. It is still the same issue. The code cannot find the container. But it is weird. The only reason I can imagine is that the data has not been replicated to all the domain controllers.

    1. please make sure the container object has the well-known guid "1EB93889E40C45DF9F0C64D23BBB6237".

    2. replicate the data to all domain controllers.

    3. new-adserviceaccount -name 'testsrvacc' (without path parameter). Pass?

    4. re-run the configuration.

    thanks


    This post is "AS IS" and confers no rights.

    Wednesday, December 25, 2013 7:11 AM
  • Sorry for the delay and thank you for helping so much with this.

    The Managed Service Accounts container has no wellknownobjects guid set, and I cannot edit it. Not sure if I would be able to. This is from both DCs.

    Sunday, December 29, 2013 12:01 PM
  • I went ahead and tested new-adserviceaccount -name, and it prompted for DNSHostname. I performed this from the Essentials server and it failed, stating path is required.
    Sunday, December 29, 2013 1:03 PM
  • Sorry for the delay. The "Dnshostname" prompt might be because you need to add the parameter RestrictTosingleComputer.

    And the path issue is still the root cause. From MSDN: “The Path parameter specifies the container or organizational unit (OU) for the new service account object. When you do not specify the Path parameter, the cmdlet creates an object in the default container for service account objects in the domain.” In this case, the default managed service account has not been created.

    Would you give more details about how you restored your managed service account container? Thanks.

    Until we resolve this issue, I am sorry to say that essentials configuration will be blocked.


    This post is "AS IS" and confers no rights.

    Thursday, January 02, 2014 2:07 AM
  • Or did you just create an OU named Managed Service Accounts?

    Robert Pearman SBS MVP
    itauthority.co.uk

    Thursday, January 02, 2014 12:34 PM
  • Good day, to recreate the Managed Service Accounts OU, I followed the steps outlined in http://social.technet.microsoft.com/Forums/windowsserver/en-US/f9588fd5-0236-419d-b217-8c4de67732ae/deleted-managed-service-accounts-container?forum=winserverDS

    Which, in short: delete the container "CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,DC=<DOMAIN>,DC=<COM>"

    as well as 

    d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d

    Lastly I removed the value of the revision attribute for CN=ActiveDirectoryUpdate.

    From there I ran adprep /domainprep and it took a bit but the OU appeared.

    Thursday, January 02, 2014 1:58 PM
  • David, I tried to do the following to repro your issue:

    1. delete the container manually

    2. restore the container as you did

    3. run "new-adserviceaccount -name 'testsrvacc' -RestrictTosingleComputer"

    It reports the same issue as you did. I checked the wellknown settings of the domain and I thought it is right.

    But it still cannot get the objects by LDAP://<WKGUID=1EB93889E40C45DF9F0C64D23BBB6237,DC=wssgg720v2d,DC=ss> ("DC=wssgg720v2d,DC=ss" is my domain info).

    I am not the expert on that. But I will try to see whether anyone else can help. I will update you once I get any feedback. Thanks.


    This post is "AS IS" and confers no rights.

    Friday, January 03, 2014 5:09 AM
  • I've just been dealing with the same problem, and I've managed to correct it and get essentials configured and running.

    I had also been having troubles with managed service accounts which I think stemmed from having the container accidentally deleted. After following the same instructions to recreate the container several months ago I thought things were working ok as I could create MSAs, but I found I needed to always specify the Path manually.

    As it turns out, when the container was deleted, it didn't entirely remove references to the well-known GUID. Thus when it was recreated, the container still couldn't resolve properly as the GUID is referencing the deleted object as well as/instead of the proper one.

    There is an attribute on the base domain object (eg. DC=example,DC=com) called 'otherWellKnownObjects'. In that there will be an entry related to the deleted copy of the MSA container:

    B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:61602070-a00d-460f-aa2a-1d3a21e2c3df,CN=Deleted Objects,DC=example,DC=com

    Once that is removed everything started to work as expected - creating MSAs found their path automatically, and the essentials wizard created its MSA and configured itself.

    I did this using ldp.exe. The only entry related to MSA left in the attribute should be:

    B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=example,DC=com

    In the first case when I fixed this in my environment there were both of these present so I only had to delete the problem one. Just now, though, when I tried to reproduce this I was left with only the problem one, so I re-added the correct one myself.

    Thursday, February 13, 2014 5:40 AM
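
    The check described in the post above, as an added example that is not part of the original thread: it parses otherWellKnownObjects values and reports whether the Managed Service Accounts well-known GUID resolves to a live container or to a tombstone. The function names are hypothetical, the sample values are the two strings quoted in the post, and the commented lines assume the ActiveDirectory module returns the attribute as strings in this form.

```powershell
# Added example (not from the thread). Read-only: parses otherWellKnownObjects
# values of the form  B:<char count>:<GUID hex>:<DN>  and classifies the MSA entry.
$MsaWkGuid = '1EB93889E40C45DF9F0C64D23BBB6237'   # well-known GUID quoted in the thread

function ConvertFrom-WellKnownObject {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)
    # Limit the split to 4 parts: a deleted object's DN contains ':' after "\0ADEL".
    $parts = $Value -split ':', 4
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B' -or
        $parts[2].Length -ne [int]$parts[1]) {
        throw "Not a well-formed DN-Binary value: $Value"
    }
    [pscustomobject]@{
        Guid      = $parts[2].ToUpperInvariant()
        Dn        = $parts[3]
        # Tombstoned objects are renamed "<name>\0ADEL:<objectGUID>" and moved
        # under CN=Deleted Objects; either marker means the reference is stale.
        IsDeleted = ($parts[3] -match '\\0ADEL:') -or
                    ($parts[3] -match ',CN=Deleted Objects,')
    }
}

function Get-MsaContainerMapping {                # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Values)
    $entries = @($Values | ForEach-Object { ConvertFrom-WellKnownObject $_ } |
                 Where-Object { $_.Guid -eq $MsaWkGuid })
    $stale = @($entries | Where-Object { $_.IsDeleted })
    $live  = @($entries | Where-Object { -not $_.IsDeleted })
    if     ($stale.Count -gt 0) { $verdict = 'StaleReference' }  # the case in the post
    elseif ($live.Count -eq 1)  { $verdict = 'OK' }
    elseif ($live.Count -eq 0)  { $verdict = 'Missing' }
    else                        { $verdict = 'Ambiguous' }
    [pscustomobject]@{ Verdict = $verdict; Live = $live.Dn; Stale = $stale.Dn }
}

# Constructed sample: the two values shown in the post above (example.com domain).
$sample = @(
    'B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:61602070-a00d-460f-aa2a-1d3a21e2c3df,CN=Deleted Objects,DC=example,DC=com',
    'B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=example,DC=com'
)
Get-MsaContainerMapping -Values $sample | Format-List

# Against a live domain (assumption: ActiveDirectory module available, read access):
# $dn = (Get-ADDomain).DistinguishedName
# $values = (Get-ADObject $dn -Properties otherWellKnownObjects).otherWellKnownObjects
# Get-MsaContainerMapping -Values $values
```

    Running the same check against each domain controller shows whether a corrected value has replicated everywhere before the Essentials configuration is retried.
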
  • Ello there,

    Thanks for taking a look at this calamity I have going on. I was able to edit OtherWellKnownObjects and point it to where it should be and did domainprep like previous steps, but I am still unable to finish the setup for essentials.  I am getting a much different error now. I think maybe I borked something.

    Unexpected error occured: System.Management.Automation.CmdletInvocationException: Unknown error (0x80005004) ---> System.Runtime.InteropServices.COMException: Unknown error (0x80005004)
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_SchemaClassName()
       at System.DirectoryServices.AccountManagement.SAMUtils.DirectoryEntryAsPrincipal(DirectoryEntry de, StoreCtx storeCtx)
       at System.DirectoryServices.AccountManagement.SAMMembersSet.get_CurrentAsPrincipal()
       at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
       at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
       at Microsoft.WindowsServer.Essentials.ServerSetup.ServerSetupMsaHelper.AddAccountToLocalAdministrators(Principal account)
       at Microsoft.WindowsServer.Essentials.ServerSetup.ServerSetupMsaHelper.InitializeServiceAccount()
       at Microsoft.WindowsServer.Essentials.ServerSetup.ServerSetupMsaHelper.UseServiceAccount(NetworkCredential credential)
       at Microsoft.WindowsServerSolutions.Setup.Commands.InitialConfigurationHelper.StartInitialConfiguration(PSCredential credential, Dictionary`2 data)
       at Microsoft.WindowsServerSolutions.Setup.Commands.InvokeEssentialsConfigureServiceCommand.ProcessRecord()
       at System.Management.Automation.CommandProcessor.ProcessRecord()
       --- End of inner exception stack trace ---
       at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
       at Microsoft.Windows.ServerManager.ServerEssentials.Plugin.RemotePSHelper.InvokeRoleConfigurationCommand(String command, IDictionary`2 parameters, Func`1 isCancellationRequested, Action`1 onProgress)

    Friday, March 07, 2014 6:13 PM
  • I take it this issue still remains unsolved?  I attempted to configure Server Essentials role on Server 2012 r2 DC today so I could take advantage of the hooks into Office 365 but am encountering the same issue as everyone here.  There is simply no Managed Service Accounts container and never has been on this DC.  So not sure how to proceed.  (Not even sure if the fix above to restore the deleted container applies to me since it never existed).  I was hoping a Windows Update might have been released by now.  No dice.
    Friday, May 09, 2014 1:41 AM