Remote Access Role Will Not Install on Server 2016

Robert Battaglia
Robert Battaglia used Ask the Experts™
Hello All,

I have a new Server 2016 system that I have setup up a DC.  This will be a new server taking over for an old SBS 2011 system being decommissioned.  I am logged in as a domain admin but can't get Remote Access for VPN to install.  It keeps saying that the server needs to be restarted to finish the install but it won't finish.  It does the same thing each time I try to install the role.  I can install the snap-in and turn on RRAS and I can set up the VPN that way but  I don't know if it really is setting everything up correctly.  I can't test yet since the SBS Server is till the VPN host and I want to make sure this is set up before I turn that one off.   I have done this on other Server 2016 systems with no problem so I don't know what is missing here.


Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

It keeps saying that the server needs to be restarted to finish the install but it won't finish.
How do you know it hasn't finished? do you get an error?

I notice you have other questions open on problems with this migration including sysvol issues and log in issues.
I recommend you solve those before attempting to move any further roles across. SBS is an odd beast and you need to be very careful you don't dig yourself a hole.

Also, it's not really ideal to have your DC also acting as your remote access server really. is this your only option?


Yes this is my only option and I have done this for many small business clients with no problems.  The way I know that it does not finish is that the routing and remote access snap-in does not show up in Admin Tools after the restart.  The system shows that it is installing changes at reboot but nothing new shows up.  And if I start the Remove Roles it shows Remote Access as not being installed.

But like I said I can add the snap-in manually, turn on the service and then configure it and it configures just fine.  I have not tested it yet because the SBS server is till the main system for VPN access.  My sysvol issues have been solved so that is no longer an issue.  I was able to restart the old SBS server and the new 2016 still was accessible.
Top Expert 2013

When you are configuring are you using PPTP?  Hope not.  Very insecure.  You can use SSTP, but both now require you configure NPS as well.  As Steve mentioned you would be much better using a VPN router and having authentication at the perimeter of your network and not on the Domain controller itself.  Just a note as an FYI: Remote Desktop services other than the default remote management of the server for 2 admins will no longer install on a DC.

fr your description it sounds like its trying to install but doesnt appear to have worked. event viewer may be your bets starting point as it's all guesswork without knowing why the role hasnt installed.

If there are no errors, we have to assume maybe it has installed. check services for Routing and Remote Access service. is it there? is it started?

If it is, maybe the issue is the admin tools, not the role. try running them manually (rrasmgmt.msc) or adding the snap-in to MMC.

My best guess here however, is that its because you're installing it on a DC which is not recommended. recent server versions have got much better with enforcing default settings to encourage best practice.
I seem to recall that DCs by default may prevent some services and roles from being installed on a DC due to the 'default domain controller' group policy. no harm in checking but settings like limiting which services can 'log on as a service' may be preventing some roles being installed (quite rightly to be fair, as a DC shouldn't run other roles really)

Open group Policy Management
Policies> Windows settings> security settings> local policy> user rights assignment
Take a look at "log on as a service" and see if NETWORK, NETWORK SERVICE and/or SERVICE are in there. if the right one isnt, the role will fail to install.
Can't recall which is needed for RRAS but I suspect one of these may be your issue (openly admit its just a guess though).

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial