Ian Chilvers
Windows 2016 Server (Fully SP'd). Roles installed: Active Directory, IIS, DNS. Also installed Exchange 2013 CU4.
Up to that point the server seemed to be running fine.
Added the role Remote Access, which installs fine. Post Install wizard runs and select Deploy VPN only.
This then starts Routing and Remote Access. Run the “Configure and Enable Routing and Remote Access” wizard.
Select a custom config; as the server only has one NIC, check VPN Access. Wizard completes and prompts to start the service.
Click Start Service and a dialog box appears with a rotating clock and nothing else happens. It just hangs and on the window it says, "please wait while the routing and remote access service finishes initialization".
No errors in the event viewer.
Tried going to services.msc. Both the “Routing and Remote Access” and “Remote Access Management” services say they are running. Right click on those services and all options are greyed out, so can’t start, stop or restart the services.
After some Google searching I’ve checked the “Logon As A Service” for the local policy and that matches, so I presume that’s ok (link to that article). I also tried setting the permissions on the “Logon As A Service” using a PowerShell script (link to the script).
The GPO for Default Domain Policy and Default Domain Controller Policy are as default from the MSAD installation.
I checked the Windows Firewall and RRAS rules are there.
I decided to add a second server to the domain as a member server (to see if it was server or domain related). I then added the RRAS role and feature.
Ran the wizard to configure RRAS as Custom (only one NIC) VPN Only. The wizard completes and then tries to start the service and simply hangs on the window saying, "please wait while the routing and remote access service finishes initialization" and nothing happens.
This is the exact same problem as the first server.
So I am now left wondering if some sort of GPO is causing it. However both the "Default Domain Policy" and the "Default Domain Controller Policy" remain untouched.
Regardless of that I tried resetting the two GPOs using the below
dcgpofix /target:Domain
dcgpofix /target:DC
and delete the local GPO
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
gpupdate /force
That didn't change anything either.
I tried resetting the security settings on each of the servers:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
I get several "Warning 5 Access Denied" messages but it claims to have completed. Must confess I was worried about running that command on a DC. Would resetting the security affect MSAD, MS Exchange or IIS that's running on the main server?
Annoyingly there is nothing in the Event Log at all. When I say nothing I mean no mention of RRAS at all, no errors, no information. So clearly the service starting is hanging before any log information can be recorded.
I tried turning on Tracing, but nothing in there either
netsh ras set tracing * enabled
I'm now stuck. I need to get RRAS working on this server and clearly it's domain related as the problem carried over to a freshly installed second server.
I don't need DirectAccess, just VPN only in the config wizard. I checked "just in case" that DirectAccess may have installed self-signed certs and that might cause a problem (saw on Google search). But no certs either.
So where do I go from here?
Any ideas??
What am I missing?
Could it be a firewall preventing the service starting? I tried turning that off, and that made no difference, plus when the firewall is on the RRAS rules are there and correct.
Could it be a permission stopping something, if so what?
What should I look for?