How to repair Software service won’t start on a domain controller or Windows software protection will not start access denied 5. on server 2012 R2.

Good day all,

I had the strangest activation issue today. I decided to detail the issue If I ever see it again. So I must admit, the whole idea came from searching the core team blog. My issue was the Software activation service would not start. This resulted in all of the activation related items failing from the customer perspective.

My particular error code was a little different, but the error verbiage was the same. I considered the verbiage enough to try a few things, and I found success. Its always important to share success.

The Core Team can solve your issue without me, so feel free to consult their article. I am just showing the folder and registry locations I needed to add the SPPSVC to, for my protection service to start. This is apparently only on a Domain Controller, Hence the name.

The Key was to add the NT Service\SPPSVC to some specific locations, both in the Folder system and the Registry. There was a little trick here. You have to deselect the domain, when choosing the account. This caused me to wallow along for much longer, as I never thought of doing this on my own power. That is where the Core Team Saved me. Thank you guys.

Screen shots of my 42DC Server look like:

 

 

Just to be clear what I am saying, you are to not use active directory groups when making your search. If you do, the NT SERVICE\SPPSVC will not be

there. So select your local machine and add your group. It should be there.

 

So now we understand how to make an otherwise mysterious user account show up on a Domain controller, here we go with the folder and registry locations.

  1. The Store Folder Located:

C:\Windows\System32\spp\ – Right click and chose the store folder permissions

2. The SPPSVC registry folder located at the  SPPSVC folder

Regedit\Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC

3. The SoftwareProtection Registry Folder located at

Regedit\Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Software Protection

4. This one, I don’t know if this was necessary, so I would not do this unless it was your last gasp:

  • Take ownership of C:\Windows\System32\SPPSVC.EXE
  • Make sure you screen shot original permissions and put them back
  • Add SPPSVC as needed.

Those were the locations I found. Now I did not find this all on one MS KB, so I certainly don’t recommend this is a true fix for an issue. I simply found this in the moment of trying to get a customer back into functionality. Please look to the core team for updated information. This will supersede anything I have here today.

 

Update 6/22/2017

 

So in my one particular case, there was an additional location that changed. I had to find it with PROCMON by sysinternals. Using Procmon, I followed the MS blog to capture the traffic. I did not even need to filter the traffic. It clearly showed the WPA folder in the registry was missing a permission. Since the Service stared, after I made this change, It was definately the network service that was missing:

Here is the Key Location in regedit:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\WPA

 

I hope this may help get you out of a Jam, and I hope your licensing functions well.

Louis

Advertisements

For That Once in a Blue Moon when I Need That Program Called RoboCopy!

Hello everyone,

 

Untitled

Happy Friday! Let me start by saying I know many of you may not feel the need to keep this article. However, In that one Blue Moon, I guarantee you will need the information, because Robocopy has some odd scenarios.

I only call light to the thing we do with Robocopy: copy files. There are two scenarios for this. The target existed previously, or the target did not. Expressed another way, you are copying files or you are syncing files. It is a fine line indeed. So I tried to supply the basic commands below. If you are creating the target, then run the Create Target commands. If you are Syncing, then run the Sync Target Commands.

Create Target Commands

I know you likely already know how to use robocopy. But this little application can go wrong, if you make a mistake in your syntax. I decided to just share my basic commands with you. I generally just want a whole drive or a whole folder moved, with thread control.

The scope of my command is narrow, but it gets the job done in the fastest time, without a mistake.

the general form is

robocopy (source)(destination)(controls)

Here are solid examples of copying when the target does not yet exist.

In the above commands, the source is copied to the destination. You may add /SEC to any of these commands. This will copy and keep the security permissions. On a first time copy, the command will perform as expected.

Sync Target Commands
Now I am not getting into the insanity when the target exists. we all have too many things to do. If the Files have been copied before, to the destination, then you have to worry about files that have not changed from source to destination. My vote would be to delete all the target folders and recopy. If that does not work for you, then read on.

If you have an existing source and old target, meaning you are really syncing data, and not copying, there is another set of commands I will lay on you:

  • ROBOCOPY /Mir <Source> <Target>
  • ROBOCOPY /E /Copy:S /IS /IT <Source> <Target>

You have to run both commands! This is a work around, but it works. If you want to spend the hours of spinning up on robocopy, go ahead. I plan to just keep this article, with the two basic sets of commands, to get the work done.
I sourced my information from the following blog, which you can read and understand if you need detail:

Robocopy Mirror Switch Mirroring File Permissions

I hope this is helpful. I know we don’t do this too often, but I wanted to make sure I pointed to the Correct Article for this issue. This is likely going to remain a work around, based on the behavior of the command.

 

Have a great Early Spring weekend!

 

Louis Reeves

How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! Its called Multi-Perf!

 

5

Figure 1. Perfmon

Hello Everyone,

Well Multi-Perf sounds like it will do a lot! I don’t want to mislead anyone, so I will say up front, Yes it will troubleshoot all those products; One at a time. It is an industry Standard, that you only work on one problem at a time. Therefore, This tool will collect performance information, related to one of the topics of concern. Once the log is collected, you can then review it for specific problems, related to your installation.

1Figure Figure 2. Set-Execution Policy

The benefit of this tool, is That I have been fortunate enough to partner with one of my Best Friends; Tommy Paulk. He is a Master Engineer for Exchange Server. My title Is Skype Architect. See where I am going with this? Tommy created the Exchange Counter set. I created the Skype counter set. Each counter set has been created by a professional in their field of study. The bottom line is you get a script that gives you choices on what set of performance information you need.

So the Multi-Perf is run simply as “Multi-Perf  counter”, where the counters are Basic, Active, SQL, EXCH and Skype

0       Figure 3. Multi-Perf and Readme 

Lets go ahead and get started on explaining what you get for your money here. See Figure 1 at the top of this read? That is the result of any counter set; a sort of mix up of settings that you have to get into, dance with, and somehow survive victoriously. The particulars are beyond the scope of this article; but Begin here. No I take that back, I always make the first link, one I would never read myself. Ok, read this one- Windows Perfmon. Its pretty good.

Now that your up to speed, lets get you some instructions! Figure 2 is set-execution policy. You should open your PowerShell as admin, and run this command : Set-Execution Policy –Execution Policy Unrestricted.

Next you just have to know the syntax of the command:

.\Mult-Perf testname –computer mycomputer –instance my instance. Notice the red lines in figure 4? that represents the 3 data points you are responsible for.

0  Figure 4. Mult-Perf Syntax

If you are not using SQL, then you only have 2 items to put  in!. If you are running on the local computer, you only have to put the test name in! If you forget the test name, you automatically get the Basic counter pack.

So this means this tool will work, regardless of input. You wont get the detail you want, but you get a basic counter log, at a minimum. Let me now give you some example of running syntax.

Figure 5. Run Active test on computer 2

See above, you use the form: .\Program testname –computer computername

If you forget the computer name, it will automatically select the local computer:

 

Figure 6. Run as Program .\Multi-Perf.ps1 only

1

in this case you will have no difference in result, because you are giving the most important test variable in, the test type.

 

Figure 7. with SQL; If you forget to specify the instance, you will get another chance to put it in. 3

If you put the instance in, then that is fine. But if you did not, there is no penalty. This makes the Log tool, infallible and easy to use.

As the last example, I will take you over the case where a person starts the SQL trace, and does not input the Instance:

 

0   Figure A. No instance specified.  

 

Instead of failing, The Script looks up the SQL instances, and presents them for the customer. It also says the user must type the instance name themselves, so there is no accident.

1    Figure B

Once the user types in the instance in Figure B, we move to Figure C and we just ask how many seconds between snapshots. 1-60 is best.

2  Figure C

 

Finally, With Figure D, we are just asking for an Enter, to go ahead and create the counter object. Upon hitting enter, The confirmation that the Counter perfmon is started.

3    Figure D

Finally, with Figure E, you see performance counter is stated. As long as that is the end result, The interceding Steps were all successful. You can see the fruits of your labor in Figure F, which is the running Performance monitor!!

 

4    Figure E

 

Figure F is start-> run-> Perfmon

Untitled Figure F Permon running. Always called Perf.

 

The counter that is created is always called Perf. It will always deleted the old one before another one is created. If you want to keep the old one, just rename it.

 

Ok if you made it this far, you must want your copy. Please have it and go in Peace!

Download Me Here

 

L

 

 

g

All Migration Guides for Small Business server to SBS 2012 Essentials

 

All Migration Guides for Small Business server to SBS 2012 Essentials

 

Migrate Windows Small Business Server 2003 to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2008 to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2011 Essentials to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2011 Standard to Windows Server 2012 Essentials

Migrate Windows Server 2008 Foundation to Windows Server 2012 Essentials

Migrate Windows Server 2012 Essentials to New Hardware

Transition from Windows Server 2012 Essentials to Windows Server 2012 Standard