Event ID 37 — Terminal Services License Server Availability

Updated: January 5, 2012

Applies To: Windows Server 2008

The Terminal Services license server relies on the Terminal Services Licensing service to be running in order to install, issue, and track the availability of Terminal Services client access licenses (TS CALs).

Event Details

Product: Windows Operating System
ID: 37
Source: Microsoft-Windows-TerminalServices-Licensing
Version: 6.0
Symbolic Name: TLS_E_SERVICEINIT
Message: The Terminal Services Licensing service cannot start. The following error occurred: %1!s! To resolve this issue, ensure that required groups are granted the correct permissions to the TermServLicensing registry key and that the value of the DBPath registry key matches the location of the LServer directory. If the problem persists, shut down and then restart the Terminal Services license server.

Resolve
Ensure that registry permissions and values are correct on the license server

To resolve this issue, do the following on the Terminal Services license server:

  • Ensure that the required permissions are set on the TermServLicensing registry subkeys.
  • Ensure that the value of the DBPath registry subkey matches the location of the TS Licensing database.
  • Start the Terminal Services Licensing service.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Ensure that the required permissions are set on the TermServLicensing registry subkeys

Caution: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To check the permissions on the TermServLicensing registry subkeys:

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServLicensing registry subkey.
  4. Do the following for both the Data and Parameters registry subkeys:
    1. Right-click the registry subkey (for example, Data), click Permissions, and then click Advanced.
    2. Ensure that SYSTEM, NETWORK SERVICE, Administrators, and TermServLicensing each have Full Control permissions assigned.
    3. If the permissions are not correctly assigned, click Edit to change the permissions.
    4. Click OK until all dialog boxes are closed.

Ensure that the value of the DBPath registry subkey matches the location of the TS Licensing database

By default, the TS Licensing database is located in the %systemroot%\system32\lserver folder (where %systemroot% is the folder in which the operating system is installed, which is, by default, c:\windows).

To confirm the location of the TS Licensing database:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click All Servers, click the name of the license server, and then on the Action menu, click Review Configuration.
  4. The database location is listed at the top of the Configuration dialog box.

Caution: Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To check the DBPath registry subkey:

  1. On the license server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServLicensing\Parameters registry subkey.
  4. In the right pane, locate the DBPath entry, and then view the value for the entry in the Data column.
  5. If the TS Licensing database folder location is incorrect, right-click DBPath, click Modify, type the correct TS Licensing database folder location in Value data, and then click OK.

Start the Terminal Services Licensing service

To start the service:

  1. On the license server, open the Services snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the Services pane, right-click Terminal Services Licensing, and then click Properties.
  4. On the General tab, ensure that Startup type is set to Automatic. If it is not, click Automatic, and then click Apply.
  5. Under Service status, click Start.
  6. Click OK to close the Terminal Services Licensing Properties dialog box.
  7. Confirm that the Status column for the Terminal Services Licensing service displays Started.

Verify

To verify that the Terminal Services license server is available, ensure that the Terminal Services Licensing service is running.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Terminal Services Licensing service is started:

  1. On the license server, open the Services snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the Services pane, locate Terminal Services Licensing.
  4. Confirm that the Status column for the Terminal Services Licensing service displays Started.
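
The registry and service checks from the Resolve and Verify procedures above can also be run as one read-only audit. This PowerShell script is an added example, not part of the original article. It assumes an elevated session on the license server, English account names (matched on the part after the last backslash), and that the service short name is TermServLicensing, as the registry key name indicates.

```powershell
# Added example: read-only audit of what the Event ID 37 procedures check by hand.
# Assumptions: elevated session on the license server; English account names,
# matched on the part after the last backslash; -ExpectedDbPath is the folder
# that TS Licensing Manager shows under Review Configuration.
param(
    [string]$ExpectedDbPath = (Join-Path $env:SystemRoot 'system32\lserver')
)

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServLicensing'
$required = 'SYSTEM', 'NETWORK SERVICE', 'Administrators', 'TermServLicensing'
$full     = [int][System.Security.AccessControl.RegistryRights]::FullControl

# 1. Full Control for each required account on the Data and Parameters subkeys.
foreach ($sub in 'Data', 'Parameters') {
    $keyPath = Join-Path $base $sub
    # Inherit-only entries apply to child keys, not to this key, so skip them.
    $allow = (Get-Acl -Path $keyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly'
    }
    foreach ($account in $required) {
        $hit = $allow | Where-Object {
            ($_.IdentityReference.Value -split '\\')[-1] -eq $account -and
            (([int]$_.RegistryRights -band $full) -eq $full)
        }
        if ($hit) { $state = 'OK' } else { $state = 'MISSING Full Control' }
        '{0,-12} {1,-18} {2}' -f $sub, $account, $state
    }
}

# 2. DBPath must name the folder that actually holds the TS Licensing database.
$dbPath = (Get-ItemProperty -Path "$base\Parameters" -Name DBPath `
               -ErrorAction SilentlyContinue).DBPath
if (-not $dbPath) {
    'DBPath       not set'
} elseif ($dbPath.TrimEnd('\') -ne $ExpectedDbPath.TrimEnd('\')) {
    "DBPath       MISMATCH: registry '$dbPath', expected '$ExpectedDbPath'"
} elseif (-not (Test-Path -Path $dbPath -PathType Container)) {
    "DBPath       folder '$dbPath' does not exist"
} else {
    "DBPath       OK: $dbPath"
}

# 3. Service state. WMI reports 'Running' where the Services snap-in shows Started.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='TermServLicensing'"
if (-not $svc) {
    'Service      TermServLicensing is not installed'
} else {
    'Service      StartMode={0} (want Auto), State={1} (want Running)' -f `
        $svc.StartMode, $svc.State
}
```

The script changes nothing; any MISSING or MISMATCH line points to the manual procedure that corrects it.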

Related Management Information

Terminal Services License Server Availability

Terminal Services

Event ID 28 — Volume Shadow Copy Service Operations

Updated: January 27, 2011

Applies To: Windows Server 2008

The Volume Shadow Copy Service (VSS) provides the ability to create a point-in-time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.

Event Details

Product: Windows Operating System
ID: 28
Source: VSS
Version: 6.0
Symbolic Name: VSS_ERROR_SWPRV_DISABLED
Message: Volume Shadow Copy Service error: The Microsoft Software Shadow Copy Provider (SWPRV) service is disabled. Please enable the service and try again. %1

Resolve
Ensure that the Microsoft Software Shadow Copy Provider service is enabled

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To ensure that the Microsoft Software Shadow Copy Provider service is enabled:

  1. Click Start, click Administrative Tools, and then click Services.
  2. In the results pane, double-click Microsoft Software Shadow Copy Provider.
  3. Make sure Startup type is set to Manual.
  4. Click OK.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the Volume Shadow Copy Service is started:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the results pane, double-click Volume Shadow Copy.
  3. In Service status, make sure that the status is Started. If the status is not Started, click Start.
  4. Make sure Startup type is set to Manual.
  5. Click OK.

Related Management Information

Volume Shadow Copy Service Operations

File Services

Event ID 22 — AD CS Online Responder Service

Updated: November 27, 2007

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 22
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK
Message: The Online Responder Services did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. Unless verbose logging is enabled, this error will not be logged again for 20 minutes.

Resolve
Manage the maximum size of requests the Online Responder will process

Incoming messages larger than the default value of 64 MB can indicate a denial-of-service attack. To resolve this error:

  • Try to locate the originator of the request, which might be an unauthorized user or application trying to compromise the Online Responder. The originator may be identified in the failed request or in the event log message.
  • If the request was rejected in error, you can increase the maximum size of incoming messages by editing the registry.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

To change the maximum size of incoming Online Responder messages:

  1. On the Online Responder, click Start, type regedit, and then press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OcspSvc\Responder.
  3. Add a DWORD registry entry titled MaxIncomingMessageSize.
  4. Set this value to any number of bytes required (1 MB = 1,024 bytes).
  5. Click Start, point to Administrative Tools, and click Services.
  6. Right-click Online Responder Service, and click Restart.
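
Before raising the limit, it helps to see who has been sending the rejected requests and what limit is currently configured. This PowerShell script is an added example, not part of the original article. It assumes PowerShell 2.0 or later on the Online Responder and that the first insertion string of the event (%1 in the message) is the originator.

```powershell
# Added example: triage Event ID 22 on the Online Responder before raising the limit.
# Assumptions: PowerShell 2.0 or later; the first insertion string (%1 in the
# message) is the originator of the oversized request.

$filter = @{ ProviderName = 'Microsoft-Windows-OnlineResponder'; Id = 22 }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    'No Event ID 22 records found.'
} else {
    # Group rejections by originator. The event is logged at most once per
    # 20 minutes unless verbose logging is on, so counts are a lower bound.
    $events |
        Group-Object { $_.Properties[0].Value } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Originator'; e = { $_.Name } }, Count,
            @{ n = 'First'; e = { @($_.Group | Sort-Object TimeCreated)[0].TimeCreated } },
            @{ n = 'Last';  e = { @($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
        Format-Table -AutoSize
}

# Report the configured limit. The entry is absent until an administrator adds it.
$key   = 'HKLM:\System\CurrentControlSet\Services\OcspSvc\Responder'
$limit = (Get-ItemProperty -Path $key -Name MaxIncomingMessageSize `
              -ErrorAction SilentlyContinue).MaxIncomingMessageSize
if ($null -eq $limit) {
    'MaxIncomingMessageSize is not set; the service default applies.'
} else {
    'MaxIncomingMessageSize = {0} bytes' -f $limit
}
```

A single originator that recurs across many 20-minute windows is a stronger signal than one isolated rejection, and is worth investigating before the limit is changed.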

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
  6. Open a command prompt window.
  7. Type certutil -url <exportedcert.cer> and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.

Related Management Information

AD CS Online Responder Service

Active Directory Certificate Services

Event ID 15 — Volume Shadow Copy Service Operations

Updated: January 27, 2011

Applies To: Windows Server 2008

The Volume Shadow Copy Service (VSS) provides the ability to create a point-in-time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.

Event Details

Product: Windows Operating System
ID: 15
Source: VSS
Version: 6.0
Symbolic Name: VSS_ERROR_USER_DOES_NOT_EXIST
Message: The user name %1 specified in registry (%2) does not map to a real user name. The entry is ignored. It must have a valid username as name, be of type REG_DWORD, and value either ‘0’ or ‘1’. %3

Resolve
Ensure that the VssAccessControl key specifies a valid account

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To ensure that a valid account is specified for the VssAccessControl registry key and delete accounts that are not valid:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Click Start.
  2. In the Start Search box, type Regedit, and then press ENTER.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl.
  4. To delete an account that is not valid, right-click the name, and then click Delete.
  5. To add a new valid account, right-click VssAccessControl, click New, and then click DWORD (32-bit) Value.
  6. Give the registry entry the same name as the user account.
  7. Right-click the registry entry name, and then click Modify.
  8. Type 1, and then click OK.

    Note: You must set this value to 1. If you set it to 0, the Volume Shadow Copy Service is prevented from using the specific user account.
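
The three conditions in the event message (valid user name, type REG_DWORD, value 0 or 1) can be checked for every entry at once. This PowerShell script is an added example, not part of the original article. It only reads the key, and it assumes that a name is valid when Windows can resolve it to a SID.

```powershell
# Added example: validate every VssAccessControl entry against the three rules
# in the Event ID 15 message. Read-only; run from an elevated session.
# Assumption: a name counts as valid if it resolves to a SID.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
$key     = Get-Item -Path $keyPath

foreach ($name in $key.GetValueNames()) {
    if ($name -eq '') { continue }      # skip the key's unnamed default value
    $problems = @()

    # Rule 1: the entry name must map to a real account.
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $problems += 'name does not resolve to an account'
    }

    # Rule 2: the entry must be of type REG_DWORD.
    $kind = $key.GetValueKind($name)
    if ($kind -ne 'DWord') {
        $problems += "type is $kind, not DWord"
    }

    # Rule 3: the value must be 0 (account blocked from VSS) or 1 (account allowed).
    $value = $key.GetValue($name)
    if ($kind -eq 'DWord' -and ((0, 1) -notcontains $value)) {
        $problems += "value is $value, not 0 or 1"
    }

    if ($problems.Count -eq 0) {
        '{0,-40} OK (value {1})' -f $name, $value
    } else {
        '{0,-40} INVALID: {1}' -f $name, ($problems -join '; ')
    }
}
```

Entries reported as INVALID are the ones the service ignores; correct or delete them with the Registry Editor steps above.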

In addition to adding the writer’s user account to the VssAccessControl registry key, you must also make sure the account has read and write permissions to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag registry key. This step is optional, but not doing so will result in errors in the Application event log, and may cause certain VSS diagnostic tools to not function correctly. To grant these permissions, use the following procedure.

To grant permissions on the Diag registry key:

  1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag.
  2. Right-click Diag, and then click Permissions.
  3. If the writer’s user account is listed under Group or user names, ensure that it has Full Control.
  4. If the writer’s user account is not listed under Group or user names, click Add to add the account, and then grant it Full Control.
  5. Click OK.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the Volume Shadow Copy Service is started:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the results pane, double-click Volume Shadow Copy.
  3. In Service status, make sure that the status is Started. If the status is not Started, click Start.
  4. Make sure Startup type is set to Manual.
  5. Click OK.

Related Management Information

Volume Shadow Copy Service Operations

File Services