Troubleshooting issues configuring Server management tools


UPDATE: The troubleshooting guide below has been integrated into the Server management tools menu in the Azure portal! We’ll be continuously updating the content, so click on the “Diagnose and solve problems” menu to see the up-to-date guide if you run into any problems.

Having trouble setting up or using Server management tools? See our troubleshooting guide below for solutions to common issues. This troubleshooting guide will become part of the Azure portal UI as a separate menu under Server management tools shortly, but we wanted to share this out in case you get stuck in the meantime. And if you can’t find a solution to your problem, please file a bug on our UserVoice forum or reach out to us on Twitter!

I can’t connect to a server

  • Check the gateway’s health status
    Make sure the Health status on the Gateway blade is displayed as “OK”. If not, see the “I can’t connect to a gateway” section in the Gateway blade’s Troubleshoot menu.
  • Connecting to a non-domain-joined workgroup machine
    If you are trying to connect to a workgroup machine, run the following command in PowerShell or Command Prompt as Administrator on the gateway machine. TargetMachineIPAddress should be the IP address of the workgroup machine you are connecting to. Also, when creating a Server management tools connection to the workgroup machine, use the machine’s IP address as the computer name. The command is shown in its Command Prompt form; in PowerShell, enclose the whole @{ ... } argument in single quotes so that it is passed to winrm as text rather than parsed as a hashtable.
    winrm set winrm/config/client @{TrustedHosts="TargetMachineIPAddress"}
  • Logging on with a local user account
    When entering credentials in the server connection’s “Manage as” dialog box, in order to use a local user account that is a member of the local administrators group, you will need to enable the policy on the target machine by running the following command in PowerShell or Command Prompt as Administrator on the target machine:
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
  • Connecting to a workgroup machine on a different subnet
    In order to connect to a workgroup machine which is not on the same subnet as the gateway, make sure the firewall port for WinRM (TCP 5985) allows inbound traffic on the target machine. You can run the following command in PowerShell or Command Prompt as Administrator on the target machine to create this firewall rule:
    NETSH advfirewall firewall add rule name="WinRM 5985" protocol=TCP dir=in localport=5985 action=allow
    More info: Windows Remote Management – Obtaining Data from a Remote Computer
  • “CANNOT CONNECT” error when connecting to a server
    If you get a “CANNOT CONNECT” error when entering credentials in the “Manage as” popup dialog box, make sure the credentials are correct and the user is a member of the target server’s local administrators group. In some cases, WinRM also requires that the user additionally be a member of the Remote Management Users group.
  • Connecting to a Windows Server 2012 or 2012 R2 machine
    When configuring a connection to a Windows Server 2012 or 2012 R2 machine, if you get a “Required software not detected” error or have trouble installing the required packages, see the “I can’t set up a connection to a Windows Server 2012 or 2012 R2 machine” section below.
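
The workgroup steps above as a PowerShell sketch. This is an added example, not part of the original guide: it appends to TrustedHosts instead of replacing the list, limits the inbound WinRM rule to the gateway's address, and checks the result. The function names and the 192.0.2.x addresses are constructed for illustration.

```powershell
# Added example, not from the original guide. Run each function elevated on the machine named.
# The 192.0.2.x addresses in the usage comments are constructed placeholders.

function Add-TrustedHostEntry {            # run on the gateway machine
    param([Parameter(Mandatory = $true)][string]$TargetIP)
    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $entries = @((Get-Item -Path $path).Value -split ',' |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains '*') {
        Write-Warning 'TrustedHosts is "*": every host is trusted without server authentication.'
    } elseif ($entries -notcontains $TargetIP) {
        # -Concatenate appends to the existing list; "winrm set" replaces the whole list.
        Set-Item -Path $path -Value $TargetIP -Concatenate -Force
    }
    (Get-Item -Path $path).Value           # return the resulting list for review
}

function Enable-WinRMFromGateway {         # run on the target machine
    param([Parameter(Mandatory = $true)][string]$GatewayIP)
    # Same port as the guide's NETSH rule, limited to the gateway's address (added restriction).
    New-NetFirewallRule -DisplayName 'WinRM 5985 (gateway only)' -Direction Inbound `
        -Protocol TCP -LocalPort 5985 -RemoteAddress $GatewayIP -Action Allow | Out-Null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        AllowedRemoteAddress          = $GatewayIP
        LocalAccountTokenFilterPolicy = $val   # 1 = set as in the guide; empty = not set
    }
}

function Test-TargetWinRM {                # run on the gateway machine
    param([Parameter(Mandatory = $true)][string]$TargetIP)
    $trusted = @((Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
                 ForEach-Object { $_.Trim() })
    # Test-WSMan sends an unauthenticated identify request over HTTP (TCP 5985).
    $reply = Test-WSMan -ComputerName $TargetIP -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Target         = $TargetIP
        InTrustedHosts = ($trusted -contains $TargetIP) -or ($trusted -contains '*')
        WSManResponds  = [bool]$reply
    }
}

# Gateway: Add-TrustedHostEntry -TargetIP 192.0.2.10; Test-TargetWinRM -TargetIP 192.0.2.10
# Target:  Enable-WinRMFromGateway -GatewayIP 192.0.2.5
```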

I can’t set up a connection to a Windows Server 2012 or 2012 R2 machine

In order to connect to a Windows Server 2012 or 2012 R2 machine using Server management tools, an additional WMI provider package and Windows Management Framework 5.0 are required. When you connect to the server, Server management tools detects whether these packages are present and asks whether you would like them installed. If an error occurs while installing the packages, or if you cannot connect to the server after the packages are installed, try one or more of the following methods.

  • Check the installation logs on the gateway machine
    Check the WMI and WMF installation logs on the gateway machine for any errors or details. These logs should be your first point of reference for troubleshooting and can be found in the path below. WMI installation logs are located in the Providers subfolder and WMF installation logs are located in the WMF5 subfolder.
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\Logs\ServerManagementPrerequisites
  • Check the installation logs on the target machine
    If you need more detailed logs for advanced troubleshooting, check the WMI and WMF installation logs on the target machine.
    %systemdrive%\SMTInstallers\Logs
  • WinRM error on the target machine
    If the following error occurs after installing the packages or when connecting to a Windows Server 2012 or 2012 R2 machine, log on to the target machine and run “services.msc” to launch the Services MMC snap-in. Then restart the “Windows Remote Management (WS-Management)” service.
    “The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure”
  • If you’ve tried all the steps above but still can’t connect to the target machine, see the additional troubleshooting steps in the “I can’t connect to a server” section above.

I can’t connect to a gateway

To resolve common issues, try one or more of the following methods.

  • Make sure the Health status on the gateway blade is displayed as “OK” and there aren’t any additional errors or warnings displayed.
  • Log on to the gateway machine and make sure it can connect to the public internet.
  • Run “services.msc” to launch the Services MMC snap-in and make sure the “ServerManagementToolsGateway” service is running. Also try restarting the service.
  • Make sure the system date/time on the gateway machine is correct. Gateway authorization will fail if the system times of the gateway and the Server management tools Azure service differ by more than 15 minutes.
  • You can try reinstalling the gateway deployment package. On the gateway machine, go to “Programs and Features” and uninstall “Server management tools gateway”. Generate a gateway deployment package, download and install it on the gateway machine.
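
The service and clock checks from the list above as one PowerShell function. This is an added example, not part of the original guide; the function name is constructed, and time.windows.com is an assumed reference clock standing in for the Azure service's time, so the result approximates the 15-minute check.

```powershell
# Added example, not from the original guide. Run elevated on the gateway machine.
function Test-GatewayHealth {
    param(
        [string]$ServiceName    = 'ServerManagementToolsGateway',  # name given in the guide
        [string]$TimeSource     = 'time.windows.com',              # assumption: reference clock
        [int]   $MaxSkewMinutes = 15                               # limit stated in the guide
    )
    # Match on either the service name or the display name shown in services.msc.
    $svc = Get-Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
        Select-Object -First 1

    # Ask w32tm for one offset sample; data lines look like "12:00:00, +00.0123456s".
    $skewSeconds = $null
    $lines = & w32tm.exe /stripchart "/computer:$TimeSource" /samples:1 /dataonly 2>&1
    foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            $skewSeconds = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    $withinLimit = if ($null -ne $skewSeconds) {
        [math]::Abs($skewSeconds) -le ($MaxSkewMinutes * 60)
    } else {
        $null   # no sample returned: time source unreachable or NTP blocked
    }

    [pscustomobject]@{
        ServiceFound   = [bool]$svc
        ServiceStatus  = if ($svc) { $svc.Status } else { $null }
        SkewSeconds    = $skewSeconds
        SkewWithinLimit = $withinLimit
    }
}

# Usage: Test-GatewayHealth | Format-List
```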

Installing the gateway service on Server Core

  • The gateway service can be installed on Windows Server 2012/R2, Windows Server 2016 Full Installation or Server Core. To install on Server Core, use the following command to install the GatewayService.msi via command line. A certificate is required to securely store the credentials to connect to your target machines and using the following command options will generate a self-signed certificate for this purpose.
    GatewayService.msi /qn GATEWAYPROFILEJSON=.\profile.json ACCEPTEULA=true ACCEPTPRIVACYPOLICY=true
  • To use an existing certificate installed on the machine, use the following command options. Replace EnterThumbprintHere with your certificate encryption thumbprint.
    GatewayService.msi /qn GATEWAYPROFILEJSON=.\profile.json ACCEPTEULA=true ACCEPTPRIVACYPOLICY=true ENCRYPTION_CERTIFICATE_OPTION=root ENCRYPTION_THUMBPRINT=EnterThumbprintHere

Gateway installer fails to install

  • The GatewayService.msi installation will fail with the error “Installation ended prematurely” if you attempt to install the .msi from a remote file share. Copy the entire .zip package to a local disk on the gateway machine and install from there.

How do I update the gateway service?

  • You can configure gateway updates to occur automatically or manually in the Gateway update blade. If “Automatic” is selected, the update will be installed within 30 minutes after the update has become available. If “Manual” is selected, you will need to choose “Schedule now” to schedule a one-time update to occur within the next 30 minutes.
  • If an immediate update is necessary, you can do so by restarting the gateway service. Log on to the gateway machine, run “services.msc” to launch the Services MMC snap-in. Restart the “ServerManagementToolsGateway” service and the update will occur within a few minutes.

Issues with the gateway certificate

Certificate requirements may change, or certificates may expire. To resolve, try one of the following solutions:

  • Use the gateway installer to register a new certificate. Previously saved credentials will need to be re-entered.
    1. On the gateway machine, go to “Programs and Features” and uninstall “Server management tools gateway”.
    2. On the setup blade, generate a new gateway deployment package, download and install it on the gateway machine. During the install, choose either a new self-signed certificate or an existing installed certificate.
    3. If you had saved credentials for your connections, you can use Manage As to enter the credentials again since the new certificate cannot decrypt previously saved credentials.
  • Use the certificate rotation script to register a new certificate. Previously saved credentials will continue to work.
    1. On the gateway machine, open PowerShell with Administrator privileges.
    2. Change directory to the Scripts folder where the gateway software is installed, e.g. C:\Program Files\ServerManagementToolsGateway\Scripts
    3. Run New-GatewayEncryptionCert.ps1 with no parameters to generate a new self-signed certificate, or with the -Thumbprint <thumbprint> parameter to use an existing installed certificate.
    4. Restart the gateway service. If you had saved credentials for your connections, they will continue to work if you access the connections at least once during the certificate rotation period (currently 30 days), which allows the previously saved credentials to be re-encrypted using the new certificate.

Known issues and limitations

  • Nano Server
    Online domain join and online change in workgroup membership of Nano servers are not supported. See below for instructions on joining Nano Server to a domain.
    Getting Started with Nano Server – Joining Nano Server to a domain
    Nano Server Domain Join (Deployment-at-a-scale an introduction)
  • Registry Editor
    Editing Binary values is not supported.
  • Services
    Any action taken on a service, such as Start or Stop service, will be reflected in the UI after 10 seconds.
  • Certificate Manager
    Certificate import and export are not supported on the Nano Server version of Windows Server 2016 Technical Preview (TP) 5. You will get an error that ‘CertPKICmdlet.dll’ is missing. This will be fixed in the RTM version of Nano Server.

Comments (2)

  1. Thanks Lee, excellent document. Do we need to install the Diagnose and solve problems tool, or will it already exist?

    1. Hi Harvansh,
      No, you don’t need to install anything. It’s part of our menu in the Azure web portal, so it should show up and be updated automatically.