How to repair Software service won’t start on a domain controller or Windows software protection will not start access denied 5. on server 2012 R2.

Good day all,

I had the strangest activation issue today. I decided to detail the issue If I ever see it again. So I must admit, the whole idea came from searching the core team blog. My issue was the Software activation service would not start. This resulted in all of the activation related items failing from the customer perspective.

My particular error code was a little different, but the error verbiage was the same. I considered the verbiage enough to try a few things, and I found success. Its always important to share success.

The Core Team can solve your issue without me, so feel free to consult their article. I am just showing the folder and registry locations I needed to add the SPPSVC to, for my protection service to start. This is apparently only on a Domain Controller, Hence the name.

The Key was to add the NT Service\SPPSVC to some specific locations, both in the Folder system and the Registry. There was a little trick here. You have to deselect the domain, when choosing the account. This caused me to wallow along for much longer, as I never thought of doing this on my own power. That is where the Core Team Saved me. Thank you guys.

Screen shots of my 42DC Server look like:

 

 

Just to be clear what I am saying, you are to not use active directory groups when making your search. If you do, the NT SERVICE\SPPSVC will not be

there. So select your local machine and add your group. It should be there.

 

So now we understand how to make an otherwise mysterious user account show up on a Domain controller, here we go with the folder and registry locations.

  1. The Store Folder Located:

C:\Windows\System32\spp\ – Right click and chose the store folder permissions

2. The SPPSVC registry folder located at the  SPPSVC folder

Regedit\Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC

3. The SoftwareProtection Registry Folder located at

Regedit\Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Software Protection

4. This one, I don’t know if this was necessary, so I would not do this unless it was your last gasp:

  • Take ownership of C:\Windows\System32\SPPSVC.EXE
  • Make sure you screen shot original permissions and put them back
  • Add SPPSVC as needed.

Those were the locations I found. Now I did not find this all on one MS KB, so I certainly don’t recommend this is a true fix for an issue. I simply found this in the moment of trying to get a customer back into functionality. Please look to the core team for updated information. This will supersede anything I have here today.

 

Update 6/22/2017

 

So in my one particular case, there was an additional location that changed. I had to find it with PROCMON by sysinternals. Using Procmon, I followed the MS blog to capture the traffic. I did not even need to filter the traffic. It clearly showed the WPA folder in the registry was missing a permission. Since the Service stared, after I made this change, It was definately the network service that was missing:

Here is the Key Location in regedit:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\WPA

 

I hope this may help get you out of a Jam, and I hope your licensing functions well.

Louis

Advertisements

For That Once in a Blue Moon when I Need That Program Called RoboCopy!

Hello everyone,

 

Untitled

Happy Friday! Let me start by saying I know many of you may not feel the need to keep this article. However, In that one Blue Moon, I guarantee you will need the information, because Robocopy has some odd scenarios.

I only call light to the thing we do with Robocopy: copy files. There are two scenarios for this. The target existed previously, or the target did not. Expressed another way, you are copying files or you are syncing files. It is a fine line indeed. So I tried to supply the basic commands below. If you are creating the target, then run the Create Target commands. If you are Syncing, then run the Sync Target Commands.

Create Target Commands

I know you likely already know how to use robocopy. But this little application can go wrong, if you make a mistake in your syntax. I decided to just share my basic commands with you. I generally just want a whole drive or a whole folder moved, with thread control.

The scope of my command is narrow, but it gets the job done in the fastest time, without a mistake.

the general form is

robocopy (source)(destination)(controls)

Here are solid examples of copying when the target does not yet exist.

In the above commands, the source is copied to the destination. You may add /SEC to any of these commands. This will copy and keep the security permissions. On a first time copy, the command will perform as expected.

Sync Target Commands
Now I am not getting into the insanity when the target exists. we all have too many things to do. If the Files have been copied before, to the destination, then you have to worry about files that have not changed from source to destination. My vote would be to delete all the target folders and recopy. If that does not work for you, then read on.

If you have an existing source and old target, meaning you are really syncing data, and not copying, there is another set of commands I will lay on you:

  • ROBOCOPY /Mir <Source> <Target>
  • ROBOCOPY /E /Copy:S /IS /IT <Source> <Target>

You have to run both commands! This is a work around, but it works. If you want to spend the hours of spinning up on robocopy, go ahead. I plan to just keep this article, with the two basic sets of commands, to get the work done.
I sourced my information from the following blog, which you can read and understand if you need detail:

Robocopy Mirror Switch Mirroring File Permissions

I hope this is helpful. I know we don’t do this too often, but I wanted to make sure I pointed to the Correct Article for this issue. This is likely going to remain a work around, based on the behavior of the command.

 

Have a great Early Spring weekend!

 

Louis Reeves

How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! Its called Multi-Perf!

How to Troubleshoot SQL, Skype, Windows, Active Directory, Exchange and Basic Server issues with one tool! Its called Multi-Perf!

I made this tool last year and you know what? Its really cool! The instructions make it sound hard, but all i can say is it works,  you almost cant make a mistake, and it keeps running until a point of failure.  You will get a trace no matter what the customer does. this script has enough checking in it to run consistently, regardless of user input.

 

But we do want users to input the execution term correctly, so here they are.

So I know they are cryptic, but I wanted to share a few screen shots.

 

This script just uses a Perfmon collector to create a counter package that runs on a schedule.

5

Figure 1. Perfmon

 

Well Multi-Perf sounds like it will do a lot!  This tool will collect performance information, related to the main counters for that technology. Once the log is collected, you can then review it for specific problems,

1

Figure Figure 2. Set-Execution Policy

The bottom line is you get a script that gives you choices on what set of performance information you need.

 

dont forget to run set-execution policy Fig. 2

ex… Set-Execution Policy –Execution Policy Unrestricted.

Multi-Perf is run simply as “.\Multi-Perf  counter”, where the counter is Basic, Active, SQL, EXCH and Skype

0

Figure 3. Multi-Perf and Readme

See in figure 3, you have a read-me as well. This will tell you all you need to know, to run and execute the collectors for the performance monitor.

Information like the syntax of the command are located there.

.\Mult-Perf testname –computer mycomputer –instance myinstance.

0

Figure 4. Mult-Perf Syntax

If you are not using SQL, then you only have 2 items to put  in the tests are active, sql,lync,exch, active or basic

 

 

Here is some syntax examples

 

2

Figure 5. Run Active test on computer

See above, you use the form: .\Program testname –computer computername

If you forget the computer name, it will automatically select the local computer:

 

 

1

Figure 6. Run as Program .\Multi-Perf.ps1 only

If you forget to put the type of test, it will default to basic.

 

3

Figure 7 with SQL instance

If you forget to specify the instance, you will get another chance to put it in.

If you put the instance in, then that is fine. But if you did not, there is no penalty. This makes the Log tool, infallible and easy to use.

 

 

Instead of failing, The Script looks up the SQL instances, and presents them for the customer. It also says the user must type

the instance name themselves, so there is no accident

1

Hopefully you get the Idea of how this tool works. See the read me as well, it lays out all the features. Just try it out! It will not be as hard as at looks… because it will work every time.

 

Download Me Here

 

L

 

 

g

All Migration Guides for Small Business server to SBS 2012 Essentials

 

All Migration Guides for Small Business server to SBS 2012 Essentials

 

Migrate Windows Small Business Server 2003 to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2008 to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2011 Essentials to Windows Server 2012 Essentials

Migrate Windows Small Business Server 2011 Standard to Windows Server 2012 Essentials

Migrate Windows Server 2008 Foundation to Windows Server 2012 Essentials

Migrate Windows Server 2012 Essentials to New Hardware

Transition from Windows Server 2012 Essentials to Windows Server 2012 Standard