Windows Server General FAQ

  • Server Core - Q1: Are there any documents that describe how to install and manage a Windows Server 2008  Server Core computer?


    A1: The following step-by-step guide provides instructions to build and initially configure a Windows Server 2008 Server Core computer. It also includes information on common tasks to manage a Server Core server.

     

    Server Core Installation Option of Windows Server 2008 Step-By-Step Guide

    http://technet.microsoft.com/en-us/library/cc753802.aspx
    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:31 AM
  • Server Core - Q2: How can I manage Windows updates on a Windows Server 2008 Server Core computer?

    A1:

    Install an update.

    At a command prompt, type:

    wusa <update>.msu /quiet

    List installed updates

    At a command prompt, type:

    systeminfo

    Remove an update.

    1.      Type at a command prompt:
    expand /f:* <update>.msu c:\test

    2.      Navigate to c:\test\ and open <update>.xml in a text editor.

    3.      In <update>.xml, replace Install with Remove and save the file.

    4.      At a command prompt, type:
    pkgmgr /n:<update>.xml

    Configure automatic updates.

    At a command prompt:

    ·         To verify the current setting, type:
    cscript scregedit.wsf /AU /v

    ·         To enable automatic updates, type:
    cscript scregedit.wsf /AU /4

    ·         To disable automatic updates, type:
    cscript scregedit.wsf /AU /1

    Scan, download and install Windows Update

    Use and customize the script sample provided in the following links:

    http://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx

     

    To return user friendly status code, you can also refer to Fermin Sanchez’s blog:

    http://blogs.technet.com/ferminsa/archive/2008/11/26/how-to-patch-windows-server-2008-core-using-wsus.aspx

    Scan, download and install a specific Windows Update

    Use and customize the script sample provided in the following links:

    http://msdn.microsoft.com/en-us/library/aa387101(VS.85).aspx

     


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:32 AM
  • Server Core - Q3: How can I add a DEP exception for a program on Windows Server 2008  Server Core computer?


    A:
    You can perform the following steps to add a specific application to the DEP exception list: 

     

    Step 1: Check the current level of the DEP

    ================================

    Run the following command:

     

    wmic OS Get DataExecutionPrevention_SupportPolicy

     

    You can check the return value according to the following table.

    DataExecutionPrevention_SupportPolicy | Policy Level | Description
    2                                     | OptInDefault | Turn on DEP for essential Windows programs and services only
    3                                     | OptOut       | Turn on DEP for all programs and services except those I select. Admin can create a DEP exception list
    1                                     | AlwaysOn     | Enable DEP for all processes
    0                                     | AlwaysOff    | Disable DEP for all processes

     

    Step 2: Change the Policy Level

    ========================

    If you want to add your application to the DEP exception list, you need to change the Policy Level to "OptOut" (please see the above table for this information). You can run the following command to change this setting:

     

    bcdedit.exe /set {current} nx OptOut

     

    Note that you have to restart your computer for it to take effect.

     

    Step 3: Create your exception list

    =========================

    NOTE: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

     

    256986 Description of the Microsoft Windows Registry

    http://support.microsoft.com/?id=256986

     

    You can add the specific application to the DEP exception list by changing registry as follows:

     

    For each application for which you want to disable DEP, please create a String Value where the name of the value is the full path to the executable (e.g. C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriter.exe) and the value data is "DisableNXShowUI" (without quotes), under the following registry key:

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

     

    This should look like the registry key settings as Tim mentioned in his blog (note that this blog is mainly for Windows XP and the startup settings have been changed from boot.ini to BCD since Windows Vista):

     

    http://blogs.technet.com/askperf/archive/2008/06/17/to-dep-or-not-to-dep.aspx


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:33 AM
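
The three steps above combined into one script, as an added example that is not part of the original post. The script name dep-exception.cmd is an assumption. With no argument it only reports the policy level and lists the programs already excluded from DEP, which is the part worth running periodically as a review.

```batch
@echo off
rem Added example (not from the original post): dep-exception.cmd
rem   dep-exception.cmd                       report DEP policy and list exceptions
rem   dep-exception.cmd "C:\full\path\app.exe" add that program to the exception list
setlocal EnableExtensions
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

rem Step 1: read the policy level (first data row of the wmic output).
set "POLICY="
for /f "skip=1" %%P in ('wmic OS Get DataExecutionPrevention_SupportPolicy') do if not defined POLICY set "POLICY=%%P"
set "LEVEL=unknown"
if "%POLICY%"=="0" set "LEVEL=AlwaysOff"
if "%POLICY%"=="1" set "LEVEL=AlwaysOn"
if "%POLICY%"=="2" set "LEVEL=OptInDefault"
if "%POLICY%"=="3" set "LEVEL=OptOut"
echo DEP policy level: %POLICY% [%LEVEL%]

if "%~1"=="" goto :list

rem Step 2: the exception list requires OptOut. Do not change the boot entry
rem silently; print the command from the post and stop.
if not "%POLICY%"=="3" goto :need_optout

rem Step 3: value name = full path of the executable, data = DisableNXShowUI.
if not exist "%~f1" goto :missing
rem Refuse to overwrite a value that already exists for this executable.
reg query "%KEY%" /v "%~f1" >nul 2>&1
if not errorlevel 1 goto :exists
reg add "%KEY%" /v "%~f1" /t REG_SZ /d DisableNXShowUI
if errorlevel 1 exit /b 1
goto :list

:need_optout
echo Policy is not OptOut. Run: bcdedit.exe /set {current} nx OptOut
echo Restart the computer, then run this script again.
exit /b 2

:missing
echo File not found: %~f1
exit /b 3

:exists
echo A Layers value already exists for %~f1 - review it before changing it.
exit /b 4

:list
echo Programs currently excluded from DEP:
reg query "%KEY%" 2>nul | findstr /i /c:"DisableNXShowUI"
if errorlevel 1 echo   (none)
exit /b 0
```

Each listed program runs without DEP protection, so keep the list as short as possible and remove entries once the application no longer needs them.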
  • Server Core - Q4: How can I import certificates on a Windows Server 2008  Server Core computer?


    A: To install a certificate (.PFX), you can run the following command:

    certutil -importpfx <Path to the certificate file>


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:33 AM
  • Server Core - Q5: How can I configure local security policy on a Windows Server 2008 Server Core computer?


    A:
    To configure local security and account policy on a Windows Server 2008 Server Core computer, you can first create a security template on a full installation server and then apply the settings to the Server Core computer. To do so, please perform the following steps:

     

    On the reference server

    -------------------------------

    1. Click Start, type secpol.msc in the Start Search box and press Enter to open the Local Security Policy snap-in on another computer.

    2. Configure the security policy according to your requirement, and then right-click Security Settings, click Export policy to save it as a security template.


    On the Server Core server

    ------------------------------------

    1. Copy the security template from the reference server to the Server Core server.

    2. Run the following command to apply the security policy:

    secedit /configure /cfg <Policy File Name> /db secedit.sdb


    If you want to overwrite the current system with the settings in the template, you can add the "/Overwrite" option. For more information about secedit options, please refer to the following TechNet link:
    http://technet.microsoft.com/en-us/library/cc737638(WS.10).aspx

    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:34 AM
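
A wrapper for the Server Core steps above, as an added example that is not part of the original post: it validates the copied template, saves the current settings, and logs the differences before running the post's secedit /configure command. The script name apply-template.cmd and the working folder %SystemDrive%\SecPolicy are assumptions.

```batch
@echo off
rem Added example (not from the original post): apply-template.cmd <template.inf>
rem Validates the template, saves the current policy, logs the differences,
rem and only then applies the template with the command given in the post.
setlocal EnableExtensions
if "%~1"=="" goto :usage
if not exist "%~f1" goto :usage

rem Hypothetical working folder for the database, logs and the saved policy.
set "WORK=%SystemDrive%\SecPolicy"
if not exist "%WORK%" mkdir "%WORK%"

rem 1. Syntax-check the template copied from the reference server.
secedit /validate "%~f1"
if errorlevel 1 goto :failed

rem 2. Export the settings currently in effect so they can be compared later.
secedit /export /cfg "%WORK%\before.inf" /log "%WORK%\export.log"
if errorlevel 1 goto :failed

rem 3. Compare the system with the template; differences go to the log.
secedit /analyze /db "%WORK%\secedit.sdb" /cfg "%~f1" /log "%WORK%\analyze.log"
echo Review %WORK%\analyze.log now. Press Ctrl+C to stop without applying.
pause

rem 4. Apply the template (same command as in the post, plus a log file).
secedit /configure /db "%WORK%\secedit.sdb" /cfg "%~f1" /log "%WORK%\configure.log"
if errorlevel 1 goto :failed
echo Template applied. Logs and before.inf are in %WORK%
exit /b 0

:usage
echo Usage: %~nx0 ^<template.inf^>
exit /b 1

:failed
echo secedit reported a warning or error; check the logs in %WORK%
exit /b 1
```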
  • Server Core - Q6: How can I configure iSCSI initiator by using iscsicli.exe on a Windows Server 2008 Server Core computer?


    A: To use iSCSI Initiator to connect to an iSCSI target on a Windows Server 2008 Server Core computer, please perform the following steps:

     

    1.       Start the Microsoft iSCSI Initiator service and configure it to start automatically. Use the sc (service control) command line tool to configure the automatic startup:

    sc \\<server_name> config msiSCSI start= auto

     

    Then run net start msiSCSI to start the service.

     

    2.       Configure advanced features for the firewall to allow the iSCSI Initiator service to communicate through the firewall. This can be accomplished using the netsh command line tool or the Windows Firewall MMC snap-in on a remote Vista or Windows Server 2008 (non-Core) machine.

     

    3.       After the iSCSI service is started, add a target portal so you will be able to add the server to the target server and assign LUNs for storage. The command is as follows:

    iSCSIcli QAddTargetPortal <Portal IP Address>

     

    Configure the LUN information on the target. Once the command completes, you can run the iSCSIcli ListTargets command to verify the target name.

     

    Once the target is identified, login to the target using the following command:

    iSCSIcli QloginTarget <Targetname>

     

    If you want the target to persist after reboots, execute the following command:

     iSCSIcli PersistentLoginTarget <target_iqn> T * * * * * * * * * * * * * * * 0

    Note: There are 15 * and there are <spaces> between all of them.

     

    After this command completes, verify a couple of things before configuring the storage you have just connected to. Ensure that you have persisted the target and list the mappings on the target. The two commands are: iSCSIcli ListPersistentTargets.

    You can then confirm connectivity to the storage and prepare the storage by using diskpart.

    More Information
    -----------------------
    iSCSI
    http://blogs.technet.com/daven/archive/2008/06/19/iscsi.aspx


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:36 AM
  • Printer & Fax - Q1: Event ID 6161 (Error Code: 5) appeared when you try to print through a Terminal session to Windows Server 2008 by using the Easy Print feature


    Symptom

    =========

    You have a Windows Server 2008 based Terminal server and a client computer which has a printer installed. You establish a remote desktop connection from the client to the terminal server and use the Easy Print feature to redirect the printer.

     

    When you try to print, you find that it does not work. Also on the Server, the following event is logged:

     

    Log Name: System
    Source: Microsoft-Windows-PrintSpooler
    Date:<Date>
    Event ID: 6161
    Task Category: None
    Level: Error
    Keywords: Classic
    User: <User>
    Computer: <Computer>
    Description:
    The document Test Page, owned by <User>, failed to print on printer <Printername> (redirected N). Try to print the document again, or restart the print spooler.
    Data type: RAW. Size of the spool file in bytes: <nnnnnn>. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\<computer>. Win32 error code returned by the print processor: 5. Access is denied.

     

    Possible Cause

    ============

    This problem may occur if the Users group does not have enough permission on the Spooler folder.

    Note: By default, the spooler folder is in the  %systemroot%\system32\spool\Printers folder.

     

    Resolution

    ========

    Grant permissions on the Spooler folder.

     

    First, locate the Spool folder.

    1. Go to Control Panel, switch to Classic View and then double click Printers.

    2. Click Server Properties in "Printers".

    3. On the Advanced tab, you can get the path of the Spooler folder. By default, it is C:\Windows\system32\spool\PRINTERS

     

    Then grant the permissions.

    1. Find the spool folder. Right click it and click Properties.

    2. Click on the Security tab, and click the Edit button.

    3. If User Account Control prompts, click Continue.

    4. If the Users group is not listed there, click Add, and add the group.

    5. Select the Users group. Make sure the "Deny" boxes are cleared.

    6. Click to check the "Modify" box.

    7. Click Apply and click OK.


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:37 AM
  • Printer & Fax - Q2: Printing fails when using Print.exe to print from Windows Vista/Server 2008 based client to Windows Vista/Server 2008 based print server

     

    Symptom

    =======

    On a Windows Vista or Windows Server 2008 based computer, the printing fails when you try to use print.exe to print to a Windows Vista or Windows Server 2008 based print server. One of the following error messages may appear:

    "Unable to connect to the device"

    "Unable to initialize device prn"

    "Unable to initialize device"

     

    Cause

    =====

    This behavior occurs because Print.exe is currently incompatible with SMB 2.0. When a Windows Vista/Server 2008 computer tries to print to a Windows Vista/Server 2008 based print server, SMB 2.0 is used, so the printing fails.

     

    Workaround

    ==========

    To work around the problem, use the following command:

        type filename.ext > \\printserver\printer


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:38 AM
  • Printer & Fax - Q3: TCP/IP Printers are not deployed properly via Group Policy Preference policy with the Event 4098 error saying that “The print processor is unknown”.

     

    Symptom

    =========

    You use the Group Policy Preference policy to deploy TCP/IP printer to clients. However, the printer is not installed on clients successfully and you receive the following event error:

     

    Source: Group Policy Printers

    Category: disk

    Event: 4098

    User: system

    The computer 'xx.xx.xx.xx' preference item in the 'USScienceComputers {202CC7A1-D524-4B3A-91F2-F388D62F13C8}' Group Policy object did not apply because it failed with error code '0x80070706 The print processor is unknown.' This error was suppressed.

     

    Possible Cause

    =============

    This problem may occur when the printer is using a non-default print processor.

     

    Resolution

    =========

    Please perform the following steps to change the print processor to WinPrint:

     

    1.       Right click the printer, and click Properties

    2.       Click the Advanced tab and click the Print Processor.. button.

    3.       Choose “WinPrint” in the “Print Processor” list box, and click OK.

    4.       Test this problem again.


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:38 AM
  • Printer & Fax - Q4: How can I deploy printer connections to users or computers and install the appropriate printer drivers?

    A: There are several methods to deploy printer connections to users or computers.

     

    Method 1: Use Print Management (Printmanagement.msc) with Group Policy

    ------------------------------------------------------------------------------------------------------

    To deploy printer connections by using Group Policy, your environment must meet the following requirements:

     

    1.       The Active Directory Domain Services (AD DS) schema must use a Windows Server 2003 R2 or above schema version.

    2.       Client computers running Windows 2000, Windows XP, or Windows Server 2003 must use the PushPrinterConnections.exe tool in a startup script (for per-computer connections) or in a logon script (for per-user connections).

     

    If your environment meets the above requirements, you can refer to the following Microsoft TechNet article to deploy printer connections by using Print Management console with group policy:

     

    Deploy printers by using Group Policy

    http://technet.microsoft.com/en-us/library/cc754699.aspx

     

    Method 2: Use Group Policy Preference

    --------------------------------------------------------

    You can also use the Group Policy Preference policy to deploy printer connections.

     

    [Computer Configuration\Preferences\Control Panel Settings\Printers]

    [User Configuration\Preferences\Control Panel Settings\Printers]

     

    You do not need to upgrade to Windows Server 2008 or Windows Server 2008 R2 to use Group Policy Preference policies. You can configure a Group Policy preference item in a Windows Server 2003 environment from either a Windows Server 2008/R2 server or a Windows Vista with Service Pack 1/Windows 7 client with RSAT update installed. If you do not have Windows Server 2008/R2 server, you can download and install Remote Server Administration Tools on a Windows Vista or Windows 7 client to manage and configure them.

    Microsoft Remote Server Administration Tools for Windows Vista
    http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en


    Remote Server Administration Tools for Windows 7


    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en


    The CSEs for the new Group Policy preference functionality are required in Windows XP Service Pack 2 (SP2), Windows Server 2003 Service Pack 1 (SP1), and Windows Vista to process the new preference items. To download and install CSEs, please refer to the following link:

     

    Information about new Group Policy preferences in Windows Server 2008

    http://support.microsoft.com/kb/943729

     

    Method 3: Use Script

    -----------------------------

    You can also develop a script to install printer connection by calling the AddWindowsPrinterConnection() function, and then deploy a logon script to deploy printer connections to all users.

     

    AddWindowsPrinterConnection Method

    http://msdn.microsoft.com/en-us/library/zsdh7hkb(VS.85).aspx


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:39 AM
  • Printer & Fax - Q5: How can I add an inbox x86 (32-bit) printer driver to a x64 (64-bit) Vista or Windows Server 2008 printer server?

     

    There are several ways to install an inbox x86 (32-bit) printer driver to a x64 (64-bit) printer server.

     

    Method 1

    ========

    1.       On printer server, create and share a print queue, such as PrintShare1.

    2.       On  x86 clients, browse to the printer share and install the 32-bit printer driver.

     

    1)      On  x86 Windows Vista RTM/SP1 or  x86 Windows Server 2008 RTM clients, login as the Domain Administrator account.

    2)      Browse to the printer server share.

    3)      Double click on "Printers".

    4)      Right click on the PrintShare1, click on the "Sharing" tab, and click on the "Additional Drivers...".

    5)      Check the box for 'x86 Type 3 - User Mode' and click OK.

    6)      Click on Close.

     

    Method 2

    ========

    1.       On the printer server, open the Printers folder.

    2.       Press the ALT button.

    3.       Click on File, Run as administrator, Server Properties...

    4.       Click on the Drivers tab, click on Add…, and click on Next.

    5.       Uncheck the 'x64 Type 3 - User Mode' and check the 'x86 Type 3 - User Mode'.

    6.       Click on Have Disk...

    7.       Click on Browse... (to the x86 (32-bit) machine).

    \\x86W2K8\c$\windows\system32\driverstore\filerepository\prn*.inf_{GUID}

    or

    \\x86Vista\c$\windows\system32\driverstore\filerepository\prn*.inf_{GUID}

     

    For example:

    \\x86W2K8\c$\windows\system32\driverstore\filerepository\prnhp001.inf_5fecfc5e\prnhp.inf

     

    8.       Click on Open and click on OK.

    9.       Under "Printers", select the print driver that you want to install, and follow the wizard to complete the installation.


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:40 AM
  • Setup & Deployment - Q1: You receive an error message saying that "The returned count from your Key Management Service is insufficient" when you try to activate a Windows Vista-based computer in a KMS pool.

     

    Symptom

    =========

    When you try to activate a new Windows Vista-based client computer by using Key Management Service (KMS), it is not activated successfully and is not added to the KMS pool. You receive the following error message:

     

    0xC004F038

     

    The computer could not be activated. The returned count from your Key Management Service is insufficient.

     

    Cause

    ======

    The KMS host counts activation requests and replies to each valid request with the value of the current count. If the count meets the activation policy requirements for a Windows volume client, the client will be activated properly. Activation count requirements are as follows:

     

    1.       Windows Vista clients require a KMS count of 25 to activate.

    2.       Windows Server 2008 requires a KMS count of 5 to activate.

    3.       The count can be a combination of Windows Vista and Windows Server 2008.

     

    This problem may occur when there are fewer than 25 client computers in the KMS pool.

     

    Resolution

    =========

    To determine how many computers are in the KMS pool on the KMS host, type the following command at a command prompt, and then press ENTER:

     

    Slmgr.vbs -dli

     

    If the number is less than 25, please add more clients to the KMS pool.

     

    Please note that Windows Vista and Windows Server 2008 in virtual machine environment do not contribute to the activation count although they can be activated using KMS.




    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:40 AM
  • Setup & Deployment - Q2: When you perform an unattended installation of Windows Server 2008, you receive the error message saying that "Windows could not parse or process unattended answer file [drive:\Windows\Panther\unattend.xml] for pass [oobeSystem]".

     

    SYMPTOMS

    ==========

    When you perform an unattended installation of Windows Server 2008, you receive the following error message:

     

    Windows could not parse or process unattended answer file [ drive :\Windows\Panther\unattend.xml] for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].

     

    CAUSE

    ======

    This problem occurs because you have set a value for the ShowMediaCenter option in the Unattend.xml file.

     

    • The ShowMediaCenter option is in the "Microsoft-Windows-Shell-Setup" subsection of the Unattend.xml file. The "Microsoft-Windows-Shell-Setup" subsection is in the "Windows Features" section. 

     

       This issue can also occur if you specify these settings in a Unattend.xml file and you try to install one of the following operating systems:

     

    • Windows Vista Enterprise 

    • Windows Vista Business 

    • Windows Vista Home Basic 

    • Windows Vista Starter 

     

    RESOLUTION

    ==========

    To resolve this problem, do not set any value for the ShowMediaCenter option, and then restart the unattended installation.



    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:41 AM
  • Setup & Deployment - Q3: Windows Server 2008 unattended installation fails when specifying ShowWindowsMail=False.

     

    SYMPTOMS

    ==========

    Windows Server 2008 unattended installation fails if the ShowWindowsMail option is set in the unattend.xml file for a Windows Server 2008 installation. In the <systemroot>\panther\unattendgc\setupact.log file, you may notice the following error:

     

     Error [Shell Unattend] WindowsFeatures:

    Failed to read show/hide command value 'SOFTWARE\Clients\Mail\Windows

    Mail\InstallInfo' 'HideIconsCommand' (0x80070002) [gle=0x00000002]

     

    Cause

    ======

    ShowWindowsMail is an option in an unattend.xml file to decide whether a shortcut for Windows Mail is created. Windows Mail is not a component in Windows Server 2008. If this option is set in the unattend.xml file for a Windows Server 2008 installation, the installation will fail.

     

    Resolution

    ==========

    Do not set the ShowWindowsMail option in a Windows Server 2008 unattended installation.



    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:42 AM
  • Setup & Deployment - Q4: You download Windows Server 2008 from the MSDN website. When you try to activate it, you receive the error saying that “0x8007232b DNS name does not exist”.

     

    SYMPTOMS

    ==========

    You download Windows Server 2008 from the MSDN website. When you try to activate it, you receive the following error:

     

     “0x8007232b DNS name does not exist”.

    Or

     

    0xC004F041 The software Licensing Service determined that the Key Management Server (KMS) is not activated. KMS needs to be activated.

     

    Cause

    =======

    When the MSDN media is used it is pre-setup for KMS activation. If the key that is being used is a MAK key, you are not prompted to enter your product key during the installation.

     

    Resolution

    ==========

     After the installation, please perform the following steps to change the product key:

     

    1.       Right click My Computer and click Properties.

    2.       On the General Tab, click “Change Product Key” and enter your product key.

    3.       Activate the server online.


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:44 AM
  • Setup & Deployment - Q5: How can I enable Windows Vista Desktop Experience and Windows Aero features on a computer that is running Windows Server 2008?

     

    A: To use Windows Aero in Windows Server 2008, you can perform the following steps:

     

    Step 1: Install the Desktop Experience feature

    ------------------------------------------------------------

     1.  Start Service Manager. 

    2.  In the details pane, locate the Features Summary area, and then click Add Features. 

    3.  In the Add Features Wizard, click to select the Desktop Experience check box, and then click Next. 

    4.  Click Install. 

    5.  After the Desktop Experience feature is installed, click Close to exit the Add Features Wizard, and then click Yes to restart the computer. 

     

    Step 2: Install Windows Aero-capable graphics drivers

    ------------------------------------------------------------------------

    Windows Server 2008 supports the Windows Aero user interface experience. However, by default, Windows Aero is not turned on in Windows Server 2008. Also, Windows Server 2008 does not include Windows Aero-capable graphics drivers. To enable Windows Aero, you must obtain graphics drivers from a third-party vendor or from the graphics adapter manufacturer.

     

    To obtain graphics adapter drivers, visit the following AMD Web sites:

     

    • For ATI FireGL 64-bit drivers

    http://ati.amd.com/support/drivers/vista64/firegl-vista64.html

    • For ATI FireGL 32-bit drivers

    http://ati.amd.com/support/drivers/vista32/firegl-vista32.html

    • For ATI Radeon 64-bit drivers

    http://ati.amd.com/support/drivers/vista64/common-vista64.html

    • For ATI Radeon 32-bit drivers

    http://ati.amd.com/support/drivers/vista32/common-vista32.html

     

    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

     

    Step 3: Enable Windows Aero

    ------------------------------------------

    1.        Start the Themes service. To do this, follow these steps:

     

    a.  Click Start, click Run, type services.msc, and then click OK. 

    b.  In the list of installed services, right-click Themes, and then click Properties. 

    c.  In the Startup type list, click Automatic, click Apply, click Start, and then click OK. 

     

    2.        Enable Windows Aero. To do this, follow these steps:

     

    a.  Right-click a blank area of the desktop, and then click Personalize. 

    b.  In the Personalization dialog box, click Window Color and Appearance. 

    c.  In the Color scheme list, click Windows Aero, and then click OK. 

     

    Note If Windows Aero does not appear in the Color scheme list, the graphics adapter may not support Windows Aero, or you may have to update the graphics adapter drivers. 



    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:45 AM
  • MISC - Q1: Computer browsing does not work after upgrading the server to Windows Server 2008

     

    SYMPTOMS

    ==========

    After upgrading Windows Server 2003 domain controllers to Windows Server 2008 or adding a Windows Server 2008 server into a network, you may find that computer browsing does not work properly. The following symptoms may occur when you view computer list from “My Network Places”:

     

    1. You may be unable to see computers from other subnets although you could see them before the upgrade of the server.

    2. The computer list in the local subnet may become inconsistent since the upgrade of the server.

     

    Cause

    ==========

    This behavior occurs because the Computer Browser service is disabled by default on Windows Server 2008.

    Resolution

    ==========

    To resolve the problem, set the Computer Browser service to Automatic and then start this service on the Windows Server 2008 server. To do so, follow the steps below.

    1.         Make sure "File Sharing" and "Printer Sharing" are turned on.

     

    To do so, go to Control Panel and open "Network and Sharing Center". Then select the "File Sharing" item and turn it on. Select "Printer Sharing" and turn it on. If there is no printer installed on the server and this option is gray, just skip this step.

     

    2.         Click Start>Run. Type Services.msc.

    3.         Find the "Computer Browser" service. Right click it and click Properties.

    4.         Change the Startup type from "Disabled" to "Automatic". Click Apply.

    5.         Click Start to start the service. 


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:51 AM
  • MISC - Q2: Unable to add Roles or Features in Windows Server 2008 and Event ID 1601 occurs: “Error 0x80070543 Cannot open an anonymous level security token.”

     

    Symptom

    ==========

    When you try to view or add roles or features in Server Manager on a Windows Server 2008 server, the following error occurs:

     

    Server Manager

    Unexpected error refreshing Server Manager: Cannot open an anonymous level security token. (Exception from HRESULT: 0x80070543)

     

    If you try to add roles in the Initial Configuration Tasks interface, the following error occurs:

     

    Initial Configuration Tasks

    Initial Configuration tasks encountered an unexpected error while collecting data about the status of this computer.

    In the ServerManager/Operational log, the following event may be logged.

    Log Name: Microsoft-Windows-Server Manager/Operational

    Source: Microsoft-Windows-ServerManager

    Date: <MM/DD/YYYY hh:mm:ss>

    Event ID: 1601

    Task Category: None

    Level: Error

    Keywords:

    User: <username>

    Computer: <computername>

    Description:

    Could not discover the state of the system. An unexpected exception was found:

    System.Runtime.InteropServices.COMException (0x80070543): Cannot open an anonymous level security token. (Exception from HRESULT: 0x80070543)

       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)

       at Microsoft.Windows.ServerManager.ComponentInstaller.CreateSessionAndPackage(IntPtr& session, IntPtr& package)

       at Microsoft.Windows.ServerManager.ComponentInstaller.InitializeUpdateInfo()

       at Microsoft.Windows.ServerManager.ComponentInstaller.Initialize()

       at Microsoft.Windows.ServerManager.Common.Provider.Initialize(DocumentCollection documents)

       at Microsoft.Windows.ServerManager.ServerManagerModel.InternalRefreshModelResult(Object state)

     

    Cause

    ==========

    This behavior may occur if the DCOM setting on the computer was changed.

    Resolution

    ==========

    Please perform the following steps to reset the DCOM authentication and impersonation level to the default:


    - Click Start, right click the Command Prompt and click Run as administrator. Click Continue if being prompted.
    - In the Command Prompt, type the following command and press Enter:

     

    Dcomcnfg.exe
    - Click to expand Component Services and then expand Computers
    - Right click "My Computer" and click Properties.
    - Click on the Default Properties tab.
    - In the "Default Authentication Level" drop down list, if it is set to "None", change it to "Connect". If it is not set to None, do not change it.
    - In the "Default Impersonation Level" drop down list, select "Identify".
    - Click Apply and click OK.

     

    The information in this article applies to:

    • Windows Server 2008, Datacenter
    • Windows Server 2008, Enterprise
    • Windows Server 2008, Standard

    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:52 AM
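The same check and reset can be done from a command prompt, which is useful where the Component Services snap-in is unavailable or misbehaves. This batch script is an added example, not part of the original post; it assumes the "Default Properties" tab is backed by the `LegacyAuthenticationLevel`, `LegacyImpersonationLevel` and `EnableDCOM` values under `HKLM\SOFTWARE\Microsoft\Ole`, and the backup file name is a placeholder.

```batch
@echo off
rem Added example, not from the original post. Run from an elevated command prompt.
rem Assumption: the dcomcnfg "Default Properties" tab stores its machine-wide
rem defaults in the values below under HKLM\SOFTWARE\Microsoft\Ole.
setlocal
set "OLE=HKLM\SOFTWARE\Microsoft\Ole"
set "BACKUP=%TEMP%\ole-before.reg"

rem Keep a copy of the key so the change can be reverted with "reg import".
reg export "%OLE%" "%BACKUP%" /y >nul || goto :fail

rem Read the current values. A missing value means the built-in default applies.
set "AUTH=not set"
set "IMP=not set"
set "DCOM=not set"
for /f "tokens=3" %%A in ('reg query "%OLE%" /v LegacyAuthenticationLevel 2^>nul ^| find "REG_DWORD"') do set "AUTH=%%A"
for /f "tokens=3" %%A in ('reg query "%OLE%" /v LegacyImpersonationLevel 2^>nul ^| find "REG_DWORD"') do set "IMP=%%A"
for /f "tokens=3" %%A in ('reg query "%OLE%" /v EnableDCOM 2^>nul ^| find "REG_SZ"') do set "DCOM=%%A"

echo EnableDCOM                : %DCOM%   [Y = enabled, reported only]
echo LegacyAuthenticationLevel : %AUTH%   [0x1 None, 0x2 Connect]
echo LegacyImpersonationLevel  : %IMP%   [0x1 Anonymous, 0x2 Identify]

rem Rule from the post: change the authentication level only if it is None.
if /i "%AUTH%"=="0x1" (
    echo Authentication level is None, setting it to Connect.
    reg add "%OLE%" /v LegacyAuthenticationLevel /t REG_DWORD /d 2 /f >nul || goto :fail
) else (
    echo Authentication level is not None, leaving it unchanged.
)

rem Rule from the post: the impersonation level is set to Identify.
if /i not "%IMP%"=="0x2" (
    echo Setting impersonation level to Identify.
    reg add "%OLE%" /v LegacyImpersonationLevel /t REG_DWORD /d 2 /f >nul || goto :fail
)

echo Done. Previous values are saved in %BACKUP%
exit /b 0

:fail
echo A registry operation failed. Is this prompt elevated?
exit /b 1
```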
  • MISC - Q3: DHCP Server Service does not start on Windows Server 2008 Read-Only Domain Controller.

     

    Symptom

    ==========

    On a Windows Server 2008 based Read-Only Domain Controller (RODC), the DHCP Server service does not start. When you try to start the service, the following error message will occur:

    An error occurred while trying to start the DHCP Server service on <computername.domainname.com>. For more information about the error, see Event Viewer.

    The request is not supported.

    In the system event log, the following events may be logged:

    Product: Windows Operating System
    ID: 1035
    Source: Microsoft-Windows-DHCP-Server
    Version: 6.0
    Symbolic Name: EVENT_SERVER_READ_ONLY_GROUP_ERROR
    Message: The DHCP service was unable to create or lookup the DHCP Users local group on this computer. The error code is in the data.

    Product: Windows Operating System
    ID: 1036
    Source: Microsoft-Windows-DHCP-Server
    Version: 6.0
    Symbolic Name: EVENT_SERVER_ADMIN_GROUP_ERROR
    Message: The DHCP server was unable to create or lookup the DHCP Administrators
    local group on this computer. The error code is in the data.

    Cause

    ==========

    This behavior is expected. DHCP service is trying to create and read the “DHCP Users” and “DHCP Administrators” groups in Active Directory. However, this cannot be done on Read-Only Domain Controllers. The objects can only be replicated into an RODC from a writable DC.

    Resolution

    ==========

    To work around this behavior, use either of the methods below:

    Method 1:

     Create the groups manually on a writable domain controller and allow them to replicate to the RODC.

    Method 2:

    1. Install DHCP on a writable domain controller to allow the groups to be created automatically, and then allow them to replicate to the RODC.
    2. Uninstall the DHCP server service from the writable DC and the groups will remain.

    More Information

    =================

    http://technet.microsoft.com/en-us/library/cc726854.aspx

    http://technet.microsoft.com/en-us/library/cc732790.aspx


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:53 AM
  • MISC - Q4: Members of the Administrators group cannot access the folder although the Administrators group has the permission to it.

     

    Symptom

    ==========

    In Windows Server 2008, you log on as a user who is not the built-in Administrator account. This account has been added into the Administrators group. When you try to access some folders, it fails with the "Access is denied" error. You checked the security permission of this folder and found that the "Administrators" group has the permission to access this folder. However, you are not able to access the folder using this account although it is a member of the Administrators group.

     

    Cause

    ==========

    This behavior is by design. It is a result of Admin approval mode (AAM) for User Account Control.

    Resolution

    ==========

    To work around this behavior, you may create a security group, grant this group the permissions to this folder, and then add this user account into this group.

    Another method is to explicitly grant the permissions for the folder to this specific user account.

    More Information

    ===============

    For more information about Admin Approval Mode, please refer to the following Technet article:

    http://technet.microsoft.com/en-us/library/cc772207.aspx


    Laura Zhang - MSFT
    Wednesday, April 1, 2009 8:53 AM
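The workaround above, scripted for a command prompt as an added example that is not part of the original post. The folder path, group name and the Modify right are placeholders, a local group is assumed, and the "deny only" match assumes English `whoami` output.

```batch
@echo off
rem Added example, not from the original post.
rem Placeholders: folder path, group name and the Modify (M) right.
setlocal
set "FOLDER=D:\Data"
set "GROUP=Data Folder Access"
set "ACCOUNT=%~1"
if "%ACCOUNT%"=="" (
    echo Usage: %~nx0 account-name
    exit /b 1
)

rem Under Admin Approval Mode a non-elevated token carries the Administrators
rem SID, S-1-5-32-544, as a deny-only group, so an Allow entry for
rem Administrators on the folder grants nothing to that token.
whoami /groups | findstr /c:"S-1-5-32-544" | findstr /i /c:"deny only" >nul
if not errorlevel 1 (
    echo Administrators is deny-only in this token, which explains the Access is denied error.
    echo Rerun this script from an elevated prompt to create the group.
    exit /b 1
)

rem Create the dedicated group if it does not exist yet, then add the account.
net localgroup "%GROUP%" >nul 2>&1 || net localgroup "%GROUP%" /add /comment:"Access to %FOLDER%" || goto :fail
net localgroup "%GROUP%" "%ACCOUNT%" /add

rem Grant the group rights on the folder, inherited by subfolders and files.
icacls "%FOLDER%" /grant "%GROUP%:(OI)(CI)M" || goto :fail

rem Show the resulting ACL for review.
icacls "%FOLDER%"
exit /b 0

:fail
echo The group or ACL change failed. Check that the prompt is elevated and the folder exists.
exit /b 1
```

The account has to log off and back on before the new group membership appears in its token.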
  • and how do you do this in server core 2008 r2
    Monday, November 30, 2009 7:41 PM
  • Your instructions don't match what I see on my screen (Windows Server 2008 Standard). I'm logged in as Administrator so for 1. I just click Start, Run. 2. done.
    3. is the problem. When I right-click on "My Computer" and select "Properties" I don't see what you describe. I see two tabs -- "COM Security" and "MSDTC". If I close and right-click "My Computer" and select "Properties" again, I now see the "Default Properties" tab. When I view it "Enable Distributed COM on this computer" is unchecked and the fields you describe are greyed out. If I place a check mark in "Enable Distributed COM on this computer" the fields you describe are no longer grey but there are no options on the drop down list. If I "Apply" "Enable Distributed COM on this computer" remains enabled but there is still no info in the drop down lists and when I exit and come back everything has returned to its previous state (not enabled and greyed out).

    Is there any other way to solve this error regarding Roles and Features showing an Error? Thanks.

    --------------QUOTED SECTION STARTS-----------------
    Please perform the following steps to reset the DCOM authentication and impersonation level to the default:

     

    1.       Click Start, right click the Command Prompt and click Run as administrator. Click Continue if prompted.

    2.        In the Command Prompt, type the following command and press Enter:

     

    Dcomcnfg.exe

     

     Click to expand Component Services and then expand Computers.

     Right click "My Computer" and click Properties.


    3.        Click on the Default Properties tab.

     In the "Default Authentication Level" drop down list, if it is set to "None", change it to "Connect".

    In the "Default Impersonation Level" drop down list, select "Identify".

     Click Apply and click OK.

    ------------QUOTED SECTION ENDS----------------

    Thursday, January 14, 2010 8:56 PM
  • Hi..

    Thanks for the Information..

    Even though it is a general FAQ, there is a lot of information that everyone can understand and can solve the problem on their own easily.

    Found this a bit late, even found a great one..



    xtraordinary
    uk fast
    rackspace
    Saturday, June 5, 2010 9:08 AM
  • What if you don't have a reference server to work from?  In my environment, I'm limited to command line functions.  Can I use secedit in any other way to modify default local security policy settings?
    Thursday, October 7, 2010 2:04 PM
  • Server Core - Q5: How can I configure local security policy on a Windows Server 2008 Server Core computer?


    A:
    To configure local security and account policy on a Windows Server 2008 Server Core computer, you can first create a security template on a full installation server and then apply the settings to the Server Core computer. To do so, please perform the following steps:

     

    On the reference server

    -------------------------------

    1. Click Start, type secpol.msc in the Start Search box and press Enter to open the Local Security Policy snap-in on another computer.

    2. Configure the security policy according to your requirement, and then right-click Security Settings, click Export policy to save it as a security template.


    On the Server Core server

    ------------------------------------

    1. Copy the security template from the reference server to the Server Core server.

    2. Run the following command to apply the security policy:

    secedit /configure /cfg <Policy File Name> /db secedit.sdb


    Laura Zhang - MSFT

    If you want to overwrite the current system with the settings in the template, you can add the "/Overwrite" option. For more information about secedit options, please refer to the following TechNet link:
    http://technet.microsoft.com/en-us/library/cc737638(WS.10).aspx


    Saturday, April 7, 2012 5:14 AM
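A more defensive way to run the `secedit /configure` step on the Server Core machine, as an added example that is not part of the original answer: it backs up the current policy, validates the template, and does a dry-run comparison before applying. The working folder and file names are placeholders, and the log filter assumes English output in which differing settings are marked "Mismatch".

```batch
@echo off
rem Added example, not from the original answer. Run from an elevated command prompt.
rem Placeholders: template file name and working folder.
setlocal
set "TEMPLATE=%~1"
if "%TEMPLATE%"=="" set "TEMPLATE=template.inf"
set "WORK=%SystemDrive%\secpol-work"
if not exist "%WORK%" mkdir "%WORK%"

rem 1. Export the policy currently in effect so there is a copy to return to.
secedit /export /cfg "%WORK%\before.inf" /log "%WORK%\export.log" /quiet
if errorlevel 1 goto :fail

rem 2. Check the template syntax before touching the system.
secedit /validate "%TEMPLATE%"
if errorlevel 1 goto :fail

rem 3. Dry run: compare the system with the template without changing anything.
rem    Assumption: settings that differ are logged with the word Mismatch.
secedit /analyze /db "%WORK%\analyze.sdb" /cfg "%TEMPLATE%" /overwrite /log "%WORK%\analyze.log" /quiet
echo Settings the template would change:
findstr /i /c:"Mismatch" "%WORK%\analyze.log"

rem 4. Apply only after the operator has reviewed the differences.
set "GO="
set /p "GO=Apply %TEMPLATE% now? [y/N] "
if /i not "%GO%"=="y" exit /b 0
secedit /configure /db "%WORK%\secedit.sdb" /cfg "%TEMPLATE%" /overwrite /log "%WORK%\configure.log" /quiet
if errorlevel 1 goto :fail
echo Template applied. To roll back, run secedit /configure with %WORK%\before.inf
exit /b 0

:fail
echo secedit reported an error or warning. Review the logs in %WORK%
exit /b 1
```

Where no reference server is available, the exported `before.inf` can be edited in a text editor on the Server Core machine and passed back to the script as the template.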
    Thanks for the info. However, I have a printer where only 32-bit drivers exist, no 64-bit drivers. I want to install and use the printer on Windows 7 64-bit, not shared, but locally connected and used. I followed your method above and I imported the 32-bit drivers into Win7. Through the MMC console, I can see the driver, but when I add a new printer, I can't see the driver in the "installed printer drivers" ???

    Regards.
    Peter


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be



    Wednesday, October 3, 2012 9:07 AM