Windows Server 2012 Beta Essentials Post 3: The Client View

In two previous posts, I talked about the installation process for Windows Essentials Server 2012 Beta and some of the configuration process. In this post, I am going to show the same lab environment with configuring a pair of clients, a Windows 7 client and a Windows Server 2008 R2 server.

The Windows 7 Client

I started with the Windows 7 Client. When I set up the server, it configured a local IIS installation with three web sites:

image

The default, primary web site includes a virtual directory for connecting to the server, like the earlier product incarnations. I was able to connect to it from the Windows 7 client:

image

I clicked the Download link, and that gave me an EXE to run. Notice underneath the very large Windows link is a much smaller Mac link. I don’t have the ability to test this now (primarily because I can’t easily run an OS X VM), but at some point I hope to be at the office where a Mac Mini sits somewhat abandoned.

Moving on, I received the expected UAC prompt:

image

Notice it shows as “Downloaded from the Internet”. Out of curiosity, I clicked No, then enabled Intranet settings as I had be prompted to by Internet Explorer:

image

Then, I emptied the IE cache (to make sure the client really re-downloaded the connector), then clicked the Download link again. This time, UAC shows it as a local file:

image

I admit I had never tried this before, so I didn’t really know what to expect; this is somewhat interesting I think. Continuing, the Connector searched for the server:

image

The Getting Started wizard came up at that point:

image

In this case the client was fully patched with all optionally offered components from Windows Update, so the client had everything the Connector wanted:

image

That said, notice the Connector is going to install the recent .NET Framework 4.5, which in fact wasn’t even RTM’d until just a couple of weeks ago. Continuing:

image

While that ran, I went ahead and started the server also, just to keep things moving. I had not done much on the server, so it still had the Internet Explorer Enhanced Security Configuration enabled, causing a warning when connecting to the Connect virtual directory:

image

That gave an interesting prompt in the Connect site:

image

“How do I…” is a link, although that’s not at all clear from the page. Someone went a little overboard on the CSS. Because of IE ESC, and because the Download link uses JavaScript to invoke the download action, it didn’t work. This struck me as silly, even stupid. There’s no excuse for using ASP.NET to make this simple web site doing a simple act. But because it is, I was faced with the choice of turning off IE ESC or adding the site as a Trusted site. I did the latter, although in real life I think I’ve disabled the IE ESC on almost every, if not every, server I’ve ever had to do anything on. I know that would work, but the page tells me to do it a certain way, so I did. When I refreshed, the warning went away, and the download and run worked:

image

Same process, just without the client Aero/desktop experience UI touches.

At this point the client was ready for me, so I left the server going for the time being and went back to the client:

image

I put in my account credentials for an administrator and was told, basically, “don’t do that!”:

image

So I said Yes, and used a standard user account:

It would have been nice if the user login dialog made it clear that they would recommend a standard user account, perhaps saying something like “we recommend you do not use an administrator account for connecting…” but at least in this release it doesn’t.

At this point, I hit an error, and retrying didn’t help:

image

So I decided I’d let the client go for now, and switch back to the server, where I saw something very interesting:

image

So this was a surprising thing to see – server against server isn’t officially supported, but you can try it. Well, this is all about experimentation and learning, so of course I said “Continue anywhere”. At that point, I was told that I might need to have some server components added, which might require a reboot. I didn’t screen capture that because, well, I clicked “Next” like everyone normally does, so you don’t get to see that dialog here. But would I lie to you about what it said?

So that left the server doing the prerequisite work, so it was a chance to check the client out again. I put on my “normal person” hat again, and rebooted the client, because when in doubt, reboot, right? So I did that, and checked the server in the meantime to see that two automatic services had stopped – Software Protection and Remote Registry. I started them both and went back to the client. I logged back in to the client and restarted the Connector installation. The installation moved past the prerequisite check much quicker this time because there was no work for it to do, and then asked for credentials again. This time, there was a much longer wait, but again, the client couldn’t connect to the server. The troubleshooting link wanted to go online, which didn’t help me any as I had no Internet access. But looking at the server again, the Remote Registry service had stopped again! Software Protection had also, but I didn’t really care about that one. Remote Registry is a much bigger deal – lots of different weird remote connection scenarios fail without it. But still no dice.

So now, I had to figure out what happened there. I was able to ping the server by name through IPv6 but not IPv4, so I added the server as an IPv4 host to the local client HOSTS file. I have to do this with Windows Home Server, so I thought it might help here:

image

And that’s why I figured out that DHCP actually wasn’t working in the lab, so I had no IPv4 address. What an idiot I was! Well, that was easy to fix – I just gave the client an IPv4 address and ta da, it worked. So then I commented out the HOSTS entry as I shouldn’t have needed it, and ran the Connector yet again. I should point out how interesting it was that IPv6 automatic addressing worked completely to access the server at this point including accessing IIS, downloading the Connector installer, and doing the initial steps to here, all of which shows that IPv6 pretty much “just works” for a lot of stuff in this scenario, but not everything.

This time, things made it slightly further:

image

So I checked the date/time information and it was fine. But the server showed something more interesting:

image

Active Directory Certificate Services denied request 7 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=MIKEBAZ-PC. Additional information: Error Constructing or Publishing Certificate  Resubmitted by BLOGDEMO\BLOGDEMOSERVER$.

OK, well, let’s bounce Certificate Services. It is common for a VM save/restore cycle to break CS revocation checks, actually, and restarting AD CS solves it, so I did that.

And look, finally, more progress!

image

What was really going on here, although it wasn’t completely telling me, was that it was migrating local user profiles for domain user use, much like a tool like Quest Migration Manager’s VMover tool would do. I chose the simplest option of setting up for myself and letting it migrate. Note that I had placed the Connector installer on the desktop at this point, so that would be a way to see if the Desktop migrated correctly. At that point, it was time to reboot:

image

After the reboot, there was an automatic login, then a prompt for the computer’s description:

image

This is not that different than the previous product releases. This is also true of the backup wake prompt:

image

I was then asked about the CEIP:

image

The user profile was migrated:

image

There was a quick “configuring the computer” step I didn’t get a picture of, then a download of the full Connector software:

image

The computer was then “connected” to the server:

image

In the previous Windows Home Server releases this was a relatively light operation but in this case, it was a domain join operation. It then finalized:

image

And told me it was done:

image

I chose not to run the Dashboard at this time. I was logged off as promised, so I logged in with my domain credentials – noticing the machine was indeed now configured to log in to the domain as would be expected:

image

The login worked, and my Desktop came back correctly, with the new look of the Launchpad showing up:

image

The three complaints were about lacking virus and spyware protection and not having Windows Update configured, all of which is accurate:

image

But one interesting thing in the viewer that I didn’t expect was this:

image

This computer is not connected to the server.

This was a little odd. I clicked Shared Folders in the Connector, and I could connect fine:

image

So I don’t know what was up with “not connected” message. I’m thinking it’s a beta bug but I don’t know that for sure.

For now, that’s far enough – I’ll come back to it later in the post, but I want to get back to the server and finish it. When I went back, it was waiting for login credentials, which I gave it just like on the client machine. I then had to restart the server:

image

So I restarted, and again I got the screen for profile configuration:

image

Notice this time I did not get the “I do not need to migrate..” checkbox. I don’t know if that is because there was only the local Administrator on the server or because it was a server OS – there’s likely a good investigation point there – but in any event I chose just the one account again. The remaining steps were exactly the same as on the client, as you would expect.

That said, something odd next happened. Because the migrated account was Administrator, I couldn’t log in with it, because by default that account is disabled in the domain. It seems there’s a small edge case gap here; the Connector should probably warn about this edge case.

Anyway, the server was joined to the domain when it came up. So let’s look now at backing up a machine. I brought up the Dashboard, and was prompted for credentials:

image

Why was I prompted for credentials when I’m logged in to a domain account in the domain for the Essentials server? Well, after I entered credentials, I was told I wasn’t an administrator… so that’s why, it wanted administrative credentials. It didn’t say explicitly that’s what it wanted, but of course it makes perfect sense.

I closed the Dashboard because I just wanted to see it came up. What was not available though was Launchpad. It wasn’t in the Start Menu at all:

image

The executable was there, it just didn’t launch:

image

I tried Windows 7 Compatibility Mode but no go. So there’s an issue there – can’t run the Launchpad on a server. Doing it is not supported, so it’s not 100% surprising, but in a small business environment I can see it being a nice thing to have.

After seeing that, I launched the Dashboard again, to see if I could manually launch a backup, but I couldn’t, so I’m going to have to let it run long enough at some point to hit the scheduled window and see the backup work.

However, I could go back to the client, and try to back that up, and I did:that just to see that it worked, and it did. No screen shots here as it’s the same as it was before, so nothing remotely interesting here. Just enough to say that it works like it did and that’s that.

A coworker (hi, DNC) had asked me about backing up a server that was in another domain or a workgroup, but I haven’t run this test because he actually found this:

http://tinkertry.com/windows-server-2012-essentials-fine-with-pcs-in-domain-or-workgroup/

And that answers the question, for the odd edge cases where it matters, so that’s good. In real life (not lab or enthusiast environments) I would think this would only matter for integrating a new server for media/backup into an existing full environment, but even that is a bit of an edge case IMHO.

So at this point, I’ve covered all of the basic stuff except media and remote access. Unfortunately, I don’t know if I will have time to revisit this piece, but I will certainly try.

Thanks for reading!

Michael C. Bazarewsky
Principal Consultant, Server and Security

Windows Server 2012 Beta Essentials Post 2

[Also see PART 1, PART 3]

In my previous post, I explained the installation process I went through to test Windows Server 2012 Beta (Release Candidate it calls itself) Essentials, as well as some of the reasoning behind the installation. In this post, I’m going to take you through the resulting server a bit. In a later post I’ll take you through the client view.

As a warning, this is yet another very long post. So buckle up, recline your seat, and get your snack box ready.

First things first. Between that post and this one, I had shut down the server, so this was a chance to see the boot experience. Remember that the server did NOT configure itself as a DHCP server, so when it came up it picked up an IP address from the network, which in this case was a new network from last time. That’s a fairly unusual situation – in real life that’s not going to happen very often but it will occasionally. For example, when a consumer-grade router is replaced, especially with one from a different vendor, it’s likely to have a different IP configuration for the LAN, so devices are going to change around a bit. Luckily, the server seemed to handle that okay, for now.

However, since I’m talking about IP addressing, after logging in, let’s look at the IP configuration:

IPConfig - Local DNS

Notice that DNS is set to point at itself, and the primary DNS suffix is now “BLOGDEMO.local“. This is reasonable – the server became a domain controller as part of the installation, and set its DNS name to be the same as the NetBIOS name that I gave it plus “.local“. That is a common-enough configuration and is a fair default. Like most DCs it is a DNS server, and that DNS server has the normal DNS records for a DC:

DNS zone blogdemo.local

So all of this is what I would expect to see. What I did not expect is what I did not see – it occurred to me at this point that Server Manager did not come up as it would normally on a Server 2012 machine. So that’s interesting – but then what should I use? Well, the Dashboard of course, conceptually carried forward from the WHS and EBS product predecessors. One interesting point to make before I continue is that Windows Home Server 2011/Essentials Business Server 2011 Dashboard add-ins are supposed to work on the new product. I have not had time to test this yet, partially because I don’t have too many add-ins on my home server (I know, weak sauce). That said, I’ll just repeat the Microsoft statement and go on.

How do I get to the Dashboard? Well, there’s a desktop shortcut right under the Recycle Bin on an otherwise clean desktop, and it’s pinned to the task bar as the first icon followed by PowerShell and Windows Explorer:

Dashboard on Desktop Pinned Dashboard

Fun fact: Microsoft won’t let a server product ship without PowerShell support. Old-timers will remember that there was a time that WMI support was a tollgate… so just like how it used to be that knowing VBScript and WMI was what separated the senior administrators from the junior administrators, now PowerShell does, although of course there are plenty of products (I’m looking at you, Exchange and Lync) where there’s a lot that can only be done through PowerShell, and not through the GUI at all, so it’s almost a “separate the junior administrators from the out of a job administrators” thing to now PowerShell now…

But enough about that. Back to the issue at hand. Let’s launch that Dashboard bad boy and see what we get.

We get, first, a generic server splash screen – slightly disappointing, but it fits with the new Microsoft model of “there’s only one product with variations” theme instead of “there’s dozens of SKUs, good luck! [muhahahahahahaha]”:It's Windows Server 2012!

Approximately 90 minutes later (ha ha, I kid!) I was presented with the new Metro Dashboard:

Metro Dashboard

Uh oh, there’s a scary icon in the corner with a “2”. I bet there’s two alerts! Let’s see:
Server Alerts

Well now that looks familiar! One of the scary alerts is “you must activate,” which is true.. so let’s click the task link and see how that goes:

Windows Activation Screen

Activating...

Uh oh:

image

Say what?!? Maybe DNS is broken:

DNS Failure

Yup. I wonder if DNS was configured to use the OLD DNS entries it picked up from DHCP when I first set it up as forwarders:

DNS Forwarders

<p class="commercial">Yes, I really did guess that right away. I’m that good. For the record so is the rest of Advanced Infrastructure at BA so feel free to hire us to help with your server needs.</p>

Interestingly the server should have realized that we can’t get to the forwarders and still worked, but it didn’t. Anyway, I removed those forwarders so that changing IPs wouldn’t burn me moving forward, but now, it’s time for me to get ready for my flight to Seattle. So I’m going to ignore that issue and move on for now. I’ll come back to it later, I promise.

Da plane boss!  Da plane! OK, I’m back, this time on the flight. United Channel 9 was keeping my ears occupied so you know I’m telling the truth. So let’s pick up where we were. First I need to make sure we have an IP address, so I set up a router VM and a private LAN for the lab. The details aren’t important, I just mention it to make it clear that this will stabilize the network configuration for the duration and to point out that private network support is one of the (few) areas that VMware currently does better than Hyper-V (one of the few as of Hyper-V 3.0). Now back to the regularly scheduled server investigation.

Twenty-two paragraphs of useless noise ago, I had the alert screen up. So let’s see what else we have on the list:

  1. Backups are not set up yet on the server. That’s true.
  2. Server folders are on the system drive. Also true, mainly because that’s the only drive. Guess I should fix that.
  3. Multiple services aren’t running – hmm, might be timing and network.
  4. Microsoft Update is not enabled. True.

So I re-evaluated the alerts, mainly so I could see if the services were up by now. There’s a refresh button on the top right of the list area that re-evaluates the alerts, just like the previous release. The services still weren’t up, so I clicked “Try to repair the issue” and it seemed happy. A quick check of services.msc confirmed all Automatic and Automatic (Delayed) services were now running, so we’re good there.

Next was to add drives to fix the backup and server folder location complaints. So, I figured, two drives, one for the server folders, one for the backups. So I shut down the VM (Windows+C, Power, Shut Down or Control-Alt-End, Power, Shut Down), added a SCSI controller, and added two drives. I brought the server up – hey, this is great, it’s a chance to see how the server responds to new storage, and that’s with an information alert (again, like earlier versions):

Unformatted hard drives are connected!

So it’s time to “Format and configure the hard drive“:

Choose one of the hard drives

Notice the server already had the drivers for the Hyper-V Synthetic SCSI card, which it should. So that worked right.

I picked the first drive, and decided it would be the backup drive. In real life you’re more likely going to have an external drive or small drive array for this so you can easily take it with you.

Configure hard drive usage

This brings up a dialog yet again familiar as Server Backup tries to get the lay of the land:

Loading data

Then it’s time to configure backup:

Getting Started

Select the Backup Destination

An odd dialog considering the disk is empty and it knows its empty:

Format warning

Label the destination drives

Specify the backup schedule

Select which items to back up

Confirm the backup settings

Setting up Server Backup

Success!

I could then click the same Alert Viewer link to configure the other drive:

Choose one of the hard drives
Format it Formatting... Success again!

OK, so now it’s time to use that new drive. I picked the alert complaining about having server folders on the system drive:
More alerts

No nice link to solve the problem there (why not?) so it’s time to manually go to the right screen, starting by closing the Alert Viewer.

Now I have a choice – I can continue the setup given in the start page for the Dashboard or do the storage. Because I’m going down a road I’ll keep going down it and switch to Storage:

image

Time to move each folder in turn:

Move the folder

Move a Folder

Calculating...

Choose a new location

Moving the folder

Moving the folder

Again, success!

OK, now it’s moved, but we need to make sure it’s backed up from the new location. Luckily the wizard prompts me to remember that. I actually waited until I had moved all of them and then just set it up at this page after the last one as otherwise I’m just repeating myself.

Server Backup Getting Started

Configuration options

Select Destination

<exact same screens for labeling the drive and scheduling backups>

Note Users came up selected as it was the last one moved, but I could select the previously moved ones, which is what I wanted to do and did:

Selecting folders to back up

Confirming backup settings

<same setup and confirmation screens as before>

More success!  It's going to go to my head!

Green is good! But if you pay attention when doing this you’ll see that just like in the previous release, the checkmark shows up as soon as you hit the Open button. This wizard doesn’t care if you actually set up backup, just that you acknowledged it’s existence. It’s like a small child with a short memory.

So let’s see the Alert Viewer now:

Only two more alerts to go!

That’s the best I could do without an Internet connection I thought, so I went back to the Home view in the Dashboard and saw what remained to check off:

Remaining tasks

Out of curiosity I checked the Microsoft Update setting – in the past you had to go to a web site to turn this on, but let’s see if that’s changed:

Microsoft Update view

Microsoft Update Dialog

YAY!  Thanks, whatever PM made this decision – the web site redirect out and back thing always struck me as at best a hack, so I’m glad that’s fixed.

Next is to add some users:

Adding users...

A user account

Oh, there’s those goofy checkmarks that I hated before. Yes, they look like the three entries towards the bottom are checked, but they aren’t – they turn green when on. This has always struck me as supremely confusing for some reason. Maybe it’s just me.

Anyway, what if I am a lazy administrator who hates security and just wants things to be easy for users?  Well, there’s a link there to “Change the password policy“:

Password policy

For now I left this alone and cancelled out of there.

I did the rest of the dialog – notice the default username was first name followed by last name and the green checkmarks I mentioned before:

Finishing adding a user

Yes I’m an administrator. I’ll make a peon in a moment.

Next are two screens confirming that as an administrator I am a god [muhahaha] or at least a demigod:

Shared folder access Anywhere access

After a brief creation screen I failed to screenshot (it’s not that exciting, it looks like all of the other progress dialogs, I promise), I have a confirmation that I have an account:

Success!

There’s a link I could use in case I forgot the password I just set, which is actually in a way nice, but I couldn’t use it as it requires an online connection to go to a help web site:

Online help link

Since I was still on the plane I let this go. Moving on…

I next added a standard user:

Standard User

Now I could set security for shared folders since standard user accounts are not automatically able to get to everything – the default was Read only but I changed it as Jarrod is my boss and I didn’t want to get fired. Making him a standard user is pushing my luck as it is 😉

Shared folder access

I will also allow Anywhere Access (note the VPN option – that’s new for a WHS replacement but not for an EBS replacement):

Anywhere Access

So enough of that, let’s go through the next step, adding more Server Folders. I’m going to add Audiobooks because I have that on WHS today at home:

Add server folders Name and description Level of access

The progress dialog and completion dialog (prompting for Server Backup) are exactly the same as moving a folder, which is somewhat reasonable. I won’t show them here as this post is already very long and it’s not new information.

At this point, I’m back off the plane. This post is taking many days to create! Anyway, that means for Anywhere Access I can try to get it to happen.

So next is what is now called Anywhere Access. It was hinted at before when setting up a user:

Set up Anywhere Access Set up Anywhere Access welcome

In my case I skipped the automatic router setup but a home or small business user will likely be able to use UPnP here. I suspect it works as well as WHS 2011 which means it works as well as your router does with handling UPnP:

Getting started

So now it’s time for the domain name. In WHS 2011 you have “yourchoice.homeserver.com” automatically provided as a dynamic DNS service. Can I do that now?  Let’s see:

I want to set up a new domain name Searching for domain name providers

Then I selected a name from Microsoft, which is how the previous release worked if you chose to use it:
What kind of domain name?

I am then asked for a Windows Live account (uh oh – out of date name!) to associate with the domain name:
Live Account

This failed with a fairly useless error message.  So I’m skipping it for now. In fact I’m going to skip the e-mail configuration and media server configuration for now as well, because there’s way too much here already, and without an Internet connection those items don’t make sense. I won’t forget about them forever, I promise!  Another post will come with that in it, likely after we look (finally) at the view from a client and another server.

Michael C. Bazarewsky
Principal Consultant, Server and Security