Network Location Server and Services show Unknown and blue question mark icon

  • Question

  • We have a Direct Access 2012 server and clients are connecting fine.  But I noticed today that both the Network Location Server component and the Services component show Unknown as their status, with a blue question mark icon.  This is something that seems to have happened only recently.  Clients are connecting okay from outside the network. 

    Does anyone have any suggestions as to (1) what tests are being run on these components, and/or (2) what might have gone wrong? 

    I'm going to restart the server overnight to see if that makes any difference.

    Tuesday, May 20, 2014 12:46 AM

All replies

  • In addition to being able to successfully connect to the NLS using an HTTP GET, the monitoring must also be able to ping the NLS server.

    First try to browse from IE to https://nls.corp.contoso.com/

    Double-check DNS resolution too and successful ping.

    You could try an iisreset also.



    Tuesday, May 20, 2014 8:54 AM
  • After the overnight reboot of the DA server, the blue icon on the Services component now shows "Working", but there is still a blue icon on the Network Location Server component. 

    Looking into Step 3 of the Configuration Wizard, I can see that my NLS server is set to use the certificate of the DA server, so I assume that this means that our NLS server is just the DA server name.  I have checked PING to the IPv4 and IPv6 addresses and these respond correctly. 

    I tried HTTPS connections to the DA server (via the Browse Website links in IIS on the server); all of those work, but, there is an "invalid certificate" warning because the links are just IP addresses.  Once I click through that, I do see the default IIS page.  I can see Bindings for the internal IPv4 and IPv6 addresses as well as the internal ISATAP IPv6 address.

    But if I construct a URL like this:  https://<SERVERNAME>  or  https://<SERVERNAME>.domain.name

    then I get the certificate warning, click through, and see "webpage cannot be found" error.  So does anyone know exactly what checking the DA server is doing when it browses to do its NLS checks?  If it is using the DA server name, then I can see why it might get an error.

    Wednesday, May 21, 2014 2:10 AM
  • Check that your NLS server also has a binding for https 443 *

    You should get an IIS welcome page when browsing to https://nlsserver

    Use the DNS name of your NLS server to browse to it and see if you get a certificate warning.

    If you go to Remote Access Set up, Step 3 Infrastructure Set up, you should see your NLS server. Make sure that your certificate has the correct CN in the subject field (should be the DNS name of the NLS server), check the certificate validity and if it is trusted.

    I recommend running the NLS on a separate server.




    • Edited by Thomas Vitoz Wednesday, May 21, 2014 6:04 AM
    • Marked as answer by 0499FROSTY Wednesday, July 2, 2014 10:39 PM
    Wednesday, May 21, 2014 5:57 AM
  • I've managed to fix this.  I looked at a bunch of things to do with certificates and decided (agreeing with you) that it just had to be something to do with that. I went into IIS Manager on the server and tried selecting various certificates for the three HTTPS/443 Bindings that were configured. But each time I did this, the Blue icon changed to a Red Cross. Then I discovered that I couldn't remove the certificate selections and set it all back to "Not Selected" again. That's when I thought I had stuffed it completely.

    But then I went into the Remote Access Manager Console on the DA Server and clicked my way through the Wizard screens. I found the one where the NLS is configured and a certificate is selected.

    I had noticed previously that there were two (2) Computer certificates for the server (via MMC, loaded the Certificates plugin). Guessing that the NLS was using one and IIS wrongly using the other, I explicitly changed Both so that they were using the same one (based on its Identity and Expiry Date). And hey presto, now everything is showing Green ticks again.

    What I think happened is something like this:

    • DA Server is in our DMZ subnet and normally does NOT have access to our PKI subordinate server

    • this means that Computer certificates cannot auto-renew for DMZ servers

    • back in April the old Computer certificate for DA Server expired

    • it was so old that it could not be renewed (not even manually)

    • I must have created more than one *new* Computer certificate

    • this 'broke' NLS which had been configured with the *old* (now expired) certificate

    • Marked as answer by 0499FROSTY Wednesday, July 2, 2014 10:39 PM
    Wednesday, July 2, 2014 10:39 PM
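
The checks discussed in this thread (subject CN equal to the NLS DNS name, validity, trust, and which of several computer certificates is actually being served and bound) collected into one PowerShell script. This is an added example, not code from any poster; the default host name is a placeholder, and the script assumes it runs elevated on the DA/NLS server with the WebAdministration module installed.

```powershell
# Added example, not from the thread. Run elevated on the DA/NLS server.
# $NlsHost is a placeholder: use the NLS host name shown in Remote Access Setup, Step 3.
param([string]$NlsHost = 'nls.corp.contoso.com', [int]$Port = 443)

function Get-ServedCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; it is validated below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$served  = Get-ServedCertificate $NlsHost $Port
$now     = Get-Date
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($served)   # default policy; ChainStatus below explains a failure

# What a client sees on https://<NlsHost>: name, validity, trust.
[pscustomobject]@{
    Host          = $NlsHost
    SubjectCN     = $served.GetNameInfo('SimpleName', $false)
    CNMatchesHost = ($served.GetNameInfo('SimpleName', $false) -eq $NlsHost)
    NotAfter      = $served.NotAfter
    Expired       = ($served.NotAfter -lt $now)
    ChainTrusted  = $trusted
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Thumbprint    = $served.Thumbprint
} | Format-List

# Every certificate in the computer store, flagged against the one actually served.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, Thumbprint,
        @{n='Expired';     e={ $_.NotAfter -lt $now }},
        @{n='ServedOnNls'; e={ $_.Thumbprint -eq $served.Thumbprint }} |
    Sort-Object NotAfter | Format-Table -AutoSize

# Certificates bound to HTTPS in IIS, to compare thumbprints per binding.
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings |
    Select-Object IPAddress, Port, Thumbprint | Format-Table -AutoSize
```

More than one unexpired computer certificate in the store, or a binding thumbprint that differs from the one selected for the NLS in the Remote Access wizard, matches the situation described in the final post.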