Windows Server 2003

129K

Solutions

59K

Contributors

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).


Preface
Having the need
* to contact many different companies with different infrastructures
* do remote maintenance in their network
required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are not designed to be accessed from a network, you have to use a NAT capable solution.
In this article I will show how to manage all parts of the necessary configuration tasks.

Prerequisites
This solution requires that the VPN client or dial-out software creates either a pseudo-dynamic dial-out interface, as with PPTP, L2TP and ISDN, or a static network interface (e.g. Cisco VPN Client). Additionally, the LAN has to stay functional while connected - this might be an obstacle, as some VPN clients cut off network access as long as the connection is open (no-split-tunneling policy).

The client or connection can only be routed starting from XP onwards, as we need a NAT-capable Routing and Remote Access Service (RRAS). Client operating systems like XP and Vista do not provide a GUI for RRAS administration; only server operating systems do (Windows 2003, 2008), so you have to manage them with netsh.

The solution was implemented on XP for OpenVPN Clients, and on W2003 for ISDN, PPTP, L2TP, and VPN clients from Cisco and Phion. The configuration methods for XP can be used the same way with W2003.
Because XP and Vista lack an RRAS GUI, configuring a dial-out connection on those operating systems (using netsh) can be painful, and I do not recommend it.


Configuration
Author Comment

by: Qlemo
I (still) recommend to use W2003 (R2). Sadly, W2008 and above changed the way the interfaces are presented to RRAS, and I could not manage to make any of the interfaces created by 3rd-party VPN clients visible to the routing/NAT engine.

Juniper's JunOS Pulse can be added to the VPNs testified to work with RRAS.

Not working are:
Cisco AnyConnect Secure Mobility Client  (the SSL VPN replacing the IPSec one, which is EOL now)
Juniper Network Connect (SSL VPN)
I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system. This is certainly a case in point…

Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't manually complete installations that I have downloaded locally.

For example:

1. I start an MSI installation
2. I wait an unusually long time…
3. Then, this error appears:  
      a. The Windows Installer Service could not be accessed.  This can occur if you are running Windows in safe mode, or if the Windows Installer is not installed properly
4. Application Event Log displays the following Warning:
      a. Event ID:  1015     Failed to connect to server.  Error:  0x80080005
      
      
So… how do you resolve this problem?

1. Open a CMD prompt
2. Msiexec /unregister
3. Msiexec /regserver

That's it!  Retry the installation.

Here is the Microsoft KB concerning this crazy issue:  
http://support.microsoft.com/defaul...kb;en-us;319624

      
If the above solution doesn't work… go to that KB article. The article lists four other ways to resolve the problem.

Expert Comment

by: Vivek Reddy
Hi,

try this

Method 1: Unregister and re-register the Windows Installer

   1. Click Start, click Run, type MSIEXEC /UNREGISTER, and then click OK. Even if you do this correctly, it may look like nothing occurs.
   2. Click Start, click Run, type MSIEXEC /REGSERVER, and then click OK. Even if you do this correctly, it may look like nothing occurs, or you may briefly see an hourglass. After you run this command, the operation is complete.
   3. Try your Windows Installer-based application again.


Method 2: Verify the DCOM permissions
This method involves changing the DCOM default impersonation level to Identify, removing the Msisip.dll file, and then reinstalling SP 3 for Windows 2000.

To do this, follow these steps:

   1. Click Start, click Run, type dcomcnfg, and then click OK.
   2. On the Default Properties tab:
         1. In the Default Authentication Level list, click Connect.
         2. In the Default Impersonation Level list, click Identify, and then click OK.
   3. Click Start, click Run, type explorer /select, %windir%\system32\msisip.dll, and then click OK.
   4. Rename the Msisip.dll file as Msisip.old.
   5. Reinstall Windows 2000 Service Pack 3.


Method 3: Give Full Control permission to the SYSTEM account

   1. Start Windows Explorer, right-click the computer's root hard drive, and then click Properties.
   2. Click the Security tab, and then click Add.
   3. In the Select Users, Computers, or Groups dialog box, click the SYSTEM account, click Add, and then click OK.
   4. Under Allow, click to select the Full Control check box, and then click OK.
   5. Click the TEMP folder and then verify that the SYSTEM account has full control.


Method 4: Verify the registry permissions

   1. Click Start, click Run, then type Regedt32.
   2. For each of the registry hives, follow these steps:
         1. Select the hive.
         2. For Windows XP, on the Edit menu, click Permissions.

            For Windows 2000 and Windows NT 4, on the Security menu, click Permissions.
   3. Verify that the SYSTEM account has been added and that it has Full control. If it does not, add the SYSTEM account with Full control.


Method 5: Fix the broken security key for the MsiServer service

   1. Start the computer by using Windows 2000.
   2. Click Start, click Run, type regedit.exe, and then rename the following key to Old_Security:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Security
   3. Restart the computer (you must do this).
   4. Run Instmsiw.exe for installer 2.0 again; this corrects the broken security key for the MSI service.

For more information about an error message that you may receive when you add or remove a program, click the following article number to view the article in the Microsoft Knowledge Base:
315346 (http://support.microsoft.com/kb/315346/) Error message when you try to add or remove a program on a computer that is running Windows XP or Windows Server 2003: "The Windows Installer service could not be accessed"

If the problem is not solved, try this link:


http://support.microsoft.com/smarterror/default.aspx?spid=global&query=scid%20fh%20EN%20US%20KBHOWTO&errurl=%2fdefault.aspx%3fscid%3dfh%3bEN-US%3bKBHOWTO
It is a known fact that servers reach the end of their lives. Some get there quicker than others, based on age, manufacturer, usage and several other factors. However, if your organization has spent time deploying Microsoft's Active Directory server, you will know that replacing a Domain Controller and migrating everything Active Directory based over is not the easiest procedure you've ever performed.

Of course, you could simply image the old server and restore it to the new server, but this could cause licensing and driver issues, not to mention the fact that I prefer to rebuild a server from scratch rather than live with the clutter of an old server on new hardware. In order for you to build a new server, promote it as a Domain Controller and then migrate Active Directory, you need to follow several steps.

Note, at this stage, you must verify two things. First, check on the old server (to be replaced) in Control Panel, Add/Remove Programs that Microsoft Exchange Server (any version) is NOT installed on the server. Furthermore, do not perform this procedure if the old server to be replaced is a Small Business (SBS) Server, since this procedure of replacing the server will break the SBS, and special precautions must be taken. Look out for future articles on how to migrate off an SBS server.

1. Check the network

Prior to working on the network, I suggest you download the Windows Server 2003 Support Tools to the old server from …

Expert Comment

by: EricoSan

You can use Replicator by DFS with Windows 2003 R2 or Windows 2008 R2.

Expert Comment

by: BobintheNoc
To work with my documents redirections that are stored on the old server, you need to get the data and share moved over to the new server--lots of ways depending on your uptime/availability requirements.  If you can simply keep users off the network, just cut/paste (suitable in small environments), if you must keep max availability, consider robocopy /mir options several times during normal hours to keep a close duplicate of the files/folders right up till the last minute before cutover.  Verify permissions are proper on new ntfs system and in share perms, then make your gpo change to point to the new location.

If you have offline files turned on, you'll have to deal with the locally cached copies (client side cache), either manually or with the ms tool. Csccmd.exe for migrating the csc on each pc.  It's possible to simply let each user and client pc do its own relocation of the files via folder redirection policy settings, but unless you only have a small number of users with small my dox folders, almost everyone prefers to stage the file relocates in advance.

When bringing a new server on line, you may see an error that says:

The Security System detected an authentication error for the server ldap/xxxxxxxt.
The failure code from the authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."
Event ID: 40960
Category: SPNEGO (Negotiator)
(0xc000005e)

This issue results from missing DNS SRV (service) records or from the inability to contact them.

You just brought a new server on line. To complete the process, the server has to register its own host A record and SRV record in DNS. To do this, type the following at the command prompt:
IPconfig /flushdns
IPconfig /registerdns
net stop netlogon
net start netlogon

Flushing DNS will remove all old or improper DNS records.
Registering DNS records registers your host A record.
Restarting netlogon will register your SRV records.
__________________________________________________________________________________
Speaking of SRV records, here is your second potential problem: (For 2003 server ONLY)

2003 server has a quirk in it. When the netlogon service is restarted it registers the SRV record of both NICs on the DNS server. As you know DNS is the service that provides the DNS translation to the Authenticating server. If DNS sees two SRV records, Cityofabbeville,int picks up on the NIC that shouldn't be providing DNS to the clients, you may get "no netlogon servers can be found" for your authentication server and …

Author Comment

by: ChiefIT
@Lasareath:

Yes, this means that a service pack or hotfix has already been downloaded to fix your issue. I saw your problems on another question you posted, reviewed them, and it looks like a DNS related issue caused your problem. If you continue to have issues, I will monitor your question asking. I usually am on the zone 2003 server. Posting another question to troubleshoot and fix further might be necessary, but make sure you include the 2003 server zone.

Expert Comment

by: Lasareath
Thanks!