"The system cannot find the file specified" during Remote Access Setup Wizard

    Question

  • Hi all

    Simple as that,

    I configured a new DirectAccess environment on Windows Server 2012 R2 with 2 network adapters behind NAT

    I used the advanced wizard to configure all the DirectAccess settings and everything seems to be fine

    when I pressed "Apply" to finish the wizard and to automatically create the group policy settings I've noticed this error:

    I restarted the server and tried again - still, same result.
    there's nothing in the event viewer that points to an error, or what file exactly is missing (!?)

    isn't there a log file of the DA Wizard to get more details on this error?

    Thanks


    Tamir Levy

    Monday, February 10, 2014 7:02 AM

Answers

  • I'm disappointed no one even bothered to comment on this thread...

    anyhow... I found the solution

    I added the SPN Cifs/[domain FQDN] under my domain controller machine account under ADSI Edit

    hope this will help others


    Tamir Levy

    • Marked as answer by Tamirlevy Sunday, March 16, 2014 1:38 PM
    Sunday, March 16, 2014 1:38 PM

All replies

  • Hello? anyone? :/

    Tamir Levy

    Sunday, February 16, 2014 6:50 AM
  • Ok. some updates.

    I did a step-by-step mode and managed to configure the DirectAccess server successfully.

    though it only works with KERBEROS PROXY authentication!

    I still get this error message when I choose I want to use computer certificate and choose my root CA.

    I have only one CA server

    I tried to run procmon during the wizard - nothing over there :(

    also, not in C:\windows\tracing\ramgmtuimon.log. it's empty!

    the only thing I get is from the event viewer. information message. Source: RemoteAccess-MgmtClient, Event ID: 902, Detail: Applying the configuration failed

    as you can see, I get this error one step after the "validating the management servers". so it seems related to the CA validation

    does anyone know what exactly DirectAccess is trying to do in order to validate the CA Server?

    or... something else? that might be related?  

    thanks


    Tamir Levy

    Sunday, February 16, 2014 9:40 AM
  • I'm disappointed no one even bothered to comment on this thread...

    anyhow... I found the solution

    I added the SPN Cifs/[domain FQDN] under my domain controller machine account under ADSI Edit

    hope this will help others


    Tamir Levy

    Tamir, 

    I can't thank you enough for this tip, I sure hope this resolves my issue. Do you mind elaborating on which DC you added this SPN to? The FSMO DC? The authenticating DC? The CA DC? All DCs? :)

    Thanks again,

    Brandon

    Wednesday, July 09, 2014 6:23 PM
  • Hi Brandon.

    At first I added the SPN on the DC by the LOGONSERVER attribute of the DirectAccess server without checking the FSMOs of this server and it was enough for the wizard to finish successfully.

    We have only 3 DCs. I advised with MS support about this FSMOs and since they told me there's no risk of having this SPN listed - we just added it to all of our DCs machine account


    Tamir Levy

    Thursday, July 10, 2014 7:52 AM
  • Tamir,

    I believe I am experiencing the exact same error. No matter if I use the simple wizard or the custom wizard, the configuration of DirectAccess fails. I am a noob when it comes to ADSI Edit. Made a few changes in my day. I have also used the SPN for adding support for SQL Server; however, I am still confused on adding the Cifs under a domain account. I do not see LOGONSERVER as an attribute for the DC or DA server. Advanced mode is enough. I can see Logonworkstation but no logonserver.  Can you elaborate on this and/or post code or screenshots on how you went about solving this issue? Thank you

    Sunday, September 28, 2014 5:25 AM
  • Hi Eillirand

    when I realized there's no harm in adding that SPN to my domain controllers, I say - add the CIFS for all of your Domain Controller machine accounts.

    Open ADSI Edit, connect to your domain, expand the Domain Controllers Organizational Unit and open each of the machine accounts and add the CIFS value with your domain FQDN to the ServicePrincipalName property like in the picture and press add

    please update us if you managed


    Tamir Levy

    Monday, September 29, 2014 4:00 AM
  • Thanks for the details. I was able to follow this more clearly.  On one of the DCs, I had the CIFS/mydomain.com; on the other, it was not present. However, attempting to add to the latter, I receive an error stating the value is not unique forest-wide.  "The operation failed because SPN value provided for addition/modification is not unique forest-wide."

    I only have two DCs and they are both global catalogs. The primary server (with the FSMO roles) has the value; yet DirectAccess will still not complete the configuration.  One other note that may or may not be relevant. Our internal domain is still using a SLD (It is not FQDN).  I have tried both CIFS/[our SLD domain name] i.e. Cifs/Contoso and with our FQDN (external domain) Cifs/Contoso.com

    I also tried using CIFS/computername.domainname (as other entries had that format) and the external FQDN for the DA server with no success.

    Either way, it will only let me add to one domain controller and the wizard continues to fail with the same "No such host is known".  About ready to pass on the DirectAccess. Bad enough that Microsoft is requiring each Surface Pro to be "upgraded to Enterprise" for this headache.  /grrrr....  Love to hear from you on what I am missing.

    Monday, September 29, 2014 2:38 PM
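
Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell equivalent of the ADSI Edit steps described above that first checks forest-wide whether `cifs/<domain FQDN>` is already registered, the condition behind the "not unique forest-wide" error quoted in the previous post. It assumes the ActiveDirectory RSAT module, a session on the DirectAccess server, and that "LOGONSERVER" refers to the `%LOGONSERVER%` environment variable rather than an AD attribute.

```powershell
# Added example: audit the cifs/<domain FQDN> SPN before changing anything.
# Assumptions: ActiveDirectory module installed, run on the DirectAccess server
# by an account allowed to read (and, for the last step, write) DC computer objects.
Import-Module ActiveDirectory

$domainFqdn = (Get-ADDomain).DNSRoot     # e.g. contoso.com
$spn        = "cifs/$domainFqdn"         # the value named in the accepted answer

# 1. Forest-wide lookup through a global catalog (port 3268):
#    which object, if any, already holds this SPN?
$gc     = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                         -Server "${gc}:3268" -Properties servicePrincipalName)

# 2. Per-DC view: does each domain controller's machine account carry the SPN,
#    and which other cifs/ entries does it have?
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $account = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName
    [pscustomobject]@{
        DomainController = $dc.HostName
        HasSpn           = [bool]($account.servicePrincipalName -contains $spn)
        CifsSpns         = ($account.servicePrincipalName -like 'cifs/*') -join '; '
    }
}
$report | Format-Table -AutoSize

# 3. The DC this server authenticated against (environment variable, value like \\DC01).
$logonDc = $env:LOGONSERVER.TrimStart('\')

if ($owners.Count -eq 0) {
    # Nobody holds the SPN yet: preview adding it to the logon DC's machine account.
    # Remove -WhatIf to apply the change.
    Set-ADComputer -Identity $logonDc -ServicePrincipalNames @{ Add = $spn } -WhatIf
}
else {
    # Already registered somewhere: adding it to a second account is what produces
    # the "not unique forest-wide" error when the directory enforces uniqueness.
    Write-Warning "$spn is already registered on:"
    $owners | Select-Object Name, DistinguishedName
}
```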
  • Hi again Eillirand. I think we're mixing some issues

    you wrote the error message "No such host is known". I don't remember I ran into this issue as this thread is about "The system cannot find file specified" so I'm not sure if this solution will help you. can you send a screenshot?

    if you still think this is the same issue.

    • is the user you run ADSI Edit with an enterprise admin?
    • What functional level and what server are you using for your DC?

    just from curiosity, are you able to finish the wizard if you choose Kerberos Proxy and not Computer Certificate authentication?

    another thing I would like to add - I have used DirectAccess for almost 2 years already. this remote access technology is so stable, so seamless and so easy to deploy to clients that I can't think of myself using anything else but that!

    about the Enterprise - you are right. this feature is for Enterprise only but I saw already organizations who use the Remote Access server either for DirectAccess and for VPN. in that case you can use the DA for Enterprise clients and use the same topology and the same security with Microsoft VPN for clients who don't use Ultimate\Enterprise or Windows OS.

    best regards


    Tamir Levy

    Monday, September 29, 2014 6:17 PM
  • My apologies.  The error varies based on the question "Use computer certificates"

    When I check this (required for W7 clients) and select intermediate certificate; selecting my Root CA, I receive the "system cannot find file specified". I receive the same error if I do not use the intermediate certificate and point to the Root CA. The certificate used to authenticate IP-HTTPS connections is the certificate I created based off of the web server template.

    If I do not select "Use computer certificates", I receive the "No such host is known". This is also the error I receive if I select the Getting started wizard and let the system pretty much fill in the blanks.

    I do not receive a prompt for Kerberos, but I am guessing that is the same as not selecting a computer certificate.  Does that help?

    Thank you,

    Monday, September 29, 2014 6:36 PM
  • is this the error you're getting?

    2 things that helped me diagnose my problem that led me to the CIFS

    1. after the wizard fails, right-click on the "No such host is known" and press copy script. paste it here

    2. check the event viewer when the wizard fails. my issue created an error event under the System log, so you can either check it or Application log.

    waiting for results


    Tamir Levy

    Monday, September 29, 2014 6:53 PM
  • Here is the script.

    Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName '[SLD Internal Domainname]\DirectAccess Server Settings' -ClientGpoName 'wrightsreprints\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Ethernet' -InternalInterface 'Ethernet' -ConnectToAddress '[external FQDN for connecting]' -DeployNat -NlsCertificate ([System.Byte[]]@(...)) -Verbose -ComputerName 'HOU-DA-VP01'

    Add-DAClient -SecurityGroupNameList @('[SLD Internal Domainname]\DirectAccessClients') -Verbose -ComputerName 'HOU-DA-VP01'

    Remove-DAClient -SecurityGroupNameList @('[SLD Internal Domainname]\Domain Computers') -Verbose -ComputerName 'HOU-DA-VP01'

    Set-DAClient -OnlyRemoteComputers 'Disabled' -Verbose -ComputerName 'HOU-DA-VP01'

    Set-GPRegistryValue -Type 'String' -Value 'wrightsreprints' -Name 'DirectAccess Client Settings' -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' -Domain '[SLD Internal Domainname]' -ValueName 'SearchList'

    Set-GPRegistryValue -Type 'String' -Value '[SLD Internal Domainname]' -Name 'DirectAccess Server Settings' -Key 'HKLM\Software\Policies\Microsoft\Windows\RemoteAccess\Config' -Domain '[SLD Internal Domainname]' -ValueName 'SearchList' -Server 'HOU-DC-VP01'

    Set-DAClientExperienceConfiguration -FriendlyName 'VPN' -PreferLocalNamesAllowed $True -PolicyStore '[SLD Internal Domainname]\DirectAccess Client Settings' -SupportEmail '[my email address]' -CorporateResources @('HTTP:http://intranet/')

    No error is reported in System or Application. However, if I drill down to RemoteAccess Management Client Channel, this is where I see the "Applying the configuration failed" and that the Event ID is 902. This is what led me to this thread.

    This is a virtual machine built solely for the purpose of DA (hence the server name DA). Running Windows 2012 R2 with all updates applied. GUI installed as I had to run through the Certificate MMC to create the computer certificate.

    Monday, September 29, 2014 7:07 PM
  • And yes, that is the error I am receiving the same message.
    Monday, September 29, 2014 7:11 PM
  • Do you have any orphaned CA Servers or DC Servers in your environments?

    you know... servers you installed and just removed them without cleanup?

    what about the error message in the event log?


    Tamir Levy

    Tuesday, September 30, 2014 6:23 AM
  • No orphaned DCs. There might be a CA server as I had issues with the first install. It is no longer under servers, workstations or computers in AD. Is there a place in ADSI to look for CA servers? I looked under servers there as well and it looks clean. I normally disjoin any computer prior to removal.  
    Tuesday, September 30, 2014 2:53 PM
  • Hi,

    yes you can.

    follow this article https://support.microsoft.com/kb/555151

    also relevant for higher server versions...

    what about the eventlog?

    Wednesday, October 01, 2014 10:24 PM
  • Ok, I removed any references of the old server. I noticed there are several that mention the new server name including a -1 at the end. Not sure if those are safe to remove. For example under AIA and CDP I have the Root CA, one with the Domainname-companyname-CA and one with the Domainname-companyname-CA-1

    As far as event logs, there are no errors or warnings under Administrative, System, or Applications.

    Thanks,

    Wednesday, October 01, 2014 10:46 PM