Wiki source code of Windows Server 2012 R2

Last modified by Sebastian Marsching on 2022/05/29 14:04

{{toc/}}

Also refer to the [[Active Directory page|doc:Windows.Active_Directory.WebHome]].

# Useful Resources

* [Overview Windows Server 2012 R2 resources in TechNet](http://technet.microsoft.com/en-US/windowsserver/hh534429)
* Group Policies:
  * [How to configure Internet Explorer site-zone mappings without locking the settings](http://www.grouppolicy.biz/2012/07/how-to-configuring-ie-site-zone-mapping-using-group-policy-without-locking-out-the-user/)
* DFS and File Sharing:
  * [Three ways to design your DFS Namespaces](http://blogs.technet.com/b/josebda/archive/2009/08/21/three-ways-to-design-your-dfs-namespaces.aspx)
  * [Enabling access-based enumeration in Windows Server 2012](http://community.spiceworks.com/how_to/show/45158-configure-access-based-enumeration-server2012)
  * [Managing file shares with the Server Manager in Windows Server 2012](http://blogs.technet.com/b/keithmayer/archive/2012/10/21/ntfs-shared-folders-a-whole-lot-easier-in-windows-server-2012.aspx)
  * [Configure DFS to use FQDNs (important if you want it to work without WINS and NetBIOS)](http://support.microsoft.com/kb/244380)
  * [Why using DFS-R for user (profile) data is a bad idea](http://blogs.technet.com/b/askds/archive/2010/09/01/microsoft-s-support-statement-around-replicated-user-profile-data.aspx)
  * [DFS FAQ](http://technet.microsoft.com/en-US/library/hh341474.aspx) - Includes information on using DFS Namespaces with Offline Files (however, this information is outdated, because it applies to Windows XP / Windows 7)
  * [DFS overview in TechNet](http://technet.microsoft.com/en-us/library/cc753479.aspx)
  * [DFS Namespaces FAQ](http://technet.microsoft.com/en-us/library/ee404780%28v=ws.10%29.aspx)
* DFS and Offline Files:
  * [TechNet forum discussion 1](http://social.technet.microsoft.com/Forums/windowsserver/en-US/acea79eb-41e5-4503-9670-87f3351d223c/roaming-profiles-and-folder-redirection-with-offline-files-on-the-same-dfs-domain-namespace)
  * [TechNet forum discussion 2](http://social.technet.microsoft.com/Forums/windows/en-US/a5d9c57a-f571-40bf-bd08-8171d936874f/offline-files-always-wants-to-set-dfsrootdata-share-offline?forum=w7itpronetworking)
  * [Blog post](http://www.networksteve.com/windows/topic.php/Offline_files_always_wants_to_set_%5C%5Cdfsroot%5Cdata_share_offline/?TopicId=33789&Posts=3)
  * [Hotfix for Windows 7](http://support.microsoft.com/kb/981872)
  * [What's new in Offline Files in Windows Vista](http://technet.microsoft.com/de-de/library/cc749449%28v=ws.10%29.aspx) (the offline status is now handled per link and not for the whole DFS server / domain)
  * [What's new in Offline Files in Windows 7](http://technet.microsoft.com/de-de/library/ff183315%28v=ws.10%29.aspx)
  * [TechNet Magazine: Changes to Offline Files in Windows Vista](http://technet.microsoft.com/en-us/magazine/2007.11.offline.aspx)
* Users, Groups, and Permissions:
  * [Recommended permissions for roaming profile shares](http://technet.microsoft.com/en-us/library/cc757013%28WS.10%29.aspx)
  * [Default local groups](http://technet.microsoft.com/en-us/library/cc785098%28v=ws.10%29.aspx)
  * [Windows built-in users and default groups](http://ss64.com/nt/syntax-security_groups.html)
  * [Using default group accounts](http://technet.microsoft.com/en-us/library/bb726982.aspx)
* Security:
  * [Auditing and restricting NTLM usage guide](http://technet.microsoft.com/en-us/library/jj865674%28v=ws.10%29.aspx)
  * [Increase Diffie-Hellman parameter / key size](https://technet.microsoft.com/de-de/library/security/3174644.aspx)
* WINS:
  * [Best practices for WINS servers](http://technet.microsoft.com/en-us/library/cc959209.aspx)

# Changing the Description of a Local User or Group Account with more than 256 Characters

The _Edit Local Users and Groups MMC_ does not allow entering a description with more than 256 characters. Oddly, some of the groups that come with the Windows base installation have such descriptions (e.g. RDS Endpoint Servers, RDS Management Servers, and RDS Remote Access Servers).

Luckily, we can use PowerShell to set longer descriptions. Example:

```ps1
$computer = $env:COMPUTERNAME
$username = "RDS Remote Access Servers"
$description = "Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group."

# Bind to the local account through the WinNT ADSI provider; the same
# path form works for users and for groups.
$user = [ADSI]"WinNT://$computer/$username"
$user.Description = $description
$user.CommitChanges()
```

Obviously, PowerShell has to be started with elevated privileges for these commands to succeed. Otherwise the `CommitChanges()` call will fail with an `Access denied` error.
55
# Renaming local users when changing the language

By installing a language pack, we can change the language of nearly everything in the system. However, there is one prominent thing that is not affected by the language pack: the names of the local users and groups. We could change those manually, of course, but who wants to do that? Therefore, I wrote two little scripts that can be used to copy the names of the users and groups created during installation from one system to another. This way, if you already have a system where the user and group names are in the language you want, you can use the [[export script|attach:export_users.ps1]] to create a text file, copy this file to the target system and run the [[update script|attach:update_users.ps1]] there. For [[English|attach:users_and_groups_en.txt]] and [[German|attach:users_and_groups_de.txt]] I already created these text files. The update script has to be run in a PowerShell with elevated privileges, so it can potentially mess up your system. Test the script in a test environment before using it on a live system and always make backups before running the script.
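The approach described above, as an added example that is not the attached `export_users.ps1` / `update_users.ps1`: the accounts created by Windows setup keep their SIDs regardless of how they are named, so a "SID to name" mapping exported from a reference system can be replayed on a target system. Only accounts with a RID below 1000 (the ones created during installation) are touched. The tab-separated file format and the use of the WinNT ADSI provider are choices of this example; run it in an elevated PowerShell on a member server or standalone machine (on a domain controller the WinNT provider would enumerate domain accounts instead).

```powershell
# Added example (not the page's attached scripts). Exports and re-applies the
# names of built-in local users and groups, keyed by SID.

function Get-BuiltinLocalAccount {
    # Enumerate local users and groups and return SID, class and current name.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        $class = $child.SchemaClassName
        if ($class -ne 'User' -and $class -ne 'Group') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
        $rid = [int]$sid.Value.Split('-')[-1]
        if ($rid -ge 1000) { continue }   # created after setup, leave alone
        [pscustomobject]@{ Sid = $sid.Value; Class = $class; Name = [string]$child.Name }
    }
}

function Export-LocalAccountName {
    # Write "SID<TAB>Class<TAB>Name" lines (file format is an assumption of this example).
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-BuiltinLocalAccount |
        ForEach-Object { "{0}`t{1}`t{2}" -f $_.Sid, $_.Class, $_.Name } |
        Set-Content -Path $Path -Encoding UTF8
}

function Update-LocalAccountName {
    # Rename local accounts so that each SID carries the name from the file.
    # Supports -WhatIf so the changes can be reviewed before they are made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    $wanted = @{}
    foreach ($line in Get-Content -Path $Path) {
        $parts = $line -split "`t"
        if ($parts.Count -eq 3) { $wanted[$parts[0]] = @{ Class = $parts[1]; Name = $parts[2] } }
    }
    foreach ($acct in Get-BuiltinLocalAccount) {
        if (-not $wanted.ContainsKey($acct.Sid)) { continue }
        $target = $wanted[$acct.Sid]
        if ($target.Name -ceq $acct.Name) { continue }   # already has the wanted name
        if ($PSCmdlet.ShouldProcess("$($acct.Class) '$($acct.Name)'", "Rename to '$($target.Name)'")) {
            $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),$($acct.Class)"
            $entry.psbase.Rename($target.Name)
        }
    }
}

# On the reference system:
#   Export-LocalAccountName -Path C:\temp\users_and_groups.txt
# On the target system, first review, then apply:
#   Update-LocalAccountName -Path C:\temp\users_and_groups.txt -WhatIf
#   Update-LocalAccountName -Path C:\temp\users_and_groups.txt
```

The example does not handle name collisions (a target name that is already used by a different local account makes the rename fail for that account), which is one more reason to run it with `-WhatIf` first and to have a backup, as the section above already advises.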
59
# {{id name="additional-ip-address-no-dns-registration"/}}Adding an IP address that is not registered in DNS

The `netsh` command can be used to add an extra IP address to a network interface, without automatically registering this address in DNS. Example:

```bat
netsh int ipv4 add address Ethernet 192.0.2.1/24 skipassource=true
netsh int ipv6 add address Ethernet 2001:db8::1/64 skipassource=true
```

In this example, the network adapter has the name "Ethernet". More information is available in [this blog article from TechNet](http://blogs.technet.com/b/rmilne/archive/2012/02/08/fine-grained-control-when-registering-multiple-ips.aspx).
70
# Use EUI-64 instead of random IPv6 addresses

It might be desirable to use an EUI-64-based IPv6 address (an IPv6 address that is generated from the MAC address of the NIC) instead of a randomly generated address during IPv6 autoconfiguration, for example for a server that needs a stable address for DNS records or firewall rules. Keep in mind that an EUI-64 address embeds the hardware address and therefore stays the same on every network the host joins; the randomized identifier is the default precisely to avoid that, so only disable it where the stable address is actually needed. The change is made with the following netsh commands (from an elevated command prompt):

```bat
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
```
79
# Configuring WSUS with SSL and a Virtual Host Name

This section describes a solution for the following situation: You want Windows Server Update Services (WSUS) to use SSL (in general, it is a good idea to use encryption, even in a private network). However, you do not want to issue a certificate for the FQDN of the host WSUS is running on, because you want to be able to move WSUS to a different server without having to issue a new certificate and update the client configurations.

The first step is to assign an additional IP address to the server. You do not want this address to be registered with the server's FQDN in the DNS, so follow the [[instructions given above||anchor="additional-ip-address-no-dns-registration"]]. The next step is to register the alternative host name you want to use for WSUS in your DNS by creating an A (and possibly an AAAA) record pointing to this address. For the rest of the instructions we assume that you are using the FQDN `wsus.example.com` as the virtual host name for your WSUS server. In general, it is also a good idea to add a PTR record for the IP address (or addresses) pointing back to the FQDN.

Now you have to import the SSL certificate, together with its private key, into the computer's certificate store so that it shows up in the list of server certificates in IIS. This process depends on how you created the certificate, so please refer to one of the many instruction manuals available on the web.

After having installed the SSL certificate, you can go to the "WSUS Administration" site in _Internet Information Services (IIS) Manager_ and choose _Edit Bindings..._ from the context menu. You should see two bindings there: one for `http://*:8530` and one for `https://*:8531`. Choose the one for HTTPS and select the certificate for `wsus.example.com`. Leave the _Host name_ field empty, otherwise it might mess up your configuration (I learned that the hard way).

After configuring this setting and restarting the site, you can run `wsusutil` to tell WSUS about the SSL certificate. I am not sure whether this step is necessary; however, during the troubleshooting process (see below) I ran it so many times that I cannot say whether it would work without running it. It is very important not to run it at a later stage, otherwise it will mess up your configuration and WSUS will not start at all. So open an elevated command prompt, go to `C:\Program Files\Update Services\Tools` and run `wsusutil configuressl`.

Now you can go back to the IIS configuration and add two bindings: one for HTTP on the virtual IP address and port 80, and one for HTTPS on the virtual IP address and port 443. For the latter you should also select the SSL certificate. If you are using IPv6, you also have to add two bindings for the IPv6 address. If you now restart the site in IIS Manager, WSUS should be available using the virtual host name. You can test this using a browser. The default IIS site should not be affected by these changes.

If you want to force clients to use SSL for some of the services, you should also follow the [instructions on TechNet](http://technet.microsoft.com/en-us/library/bb633246.aspx).

This leaves us with only one problem: If you want to connect from the WSUS console on the same host, you have to use the regular host name of the server, not the virtual host name for WSUS. However, you cannot use SSL for the connection, because the name in the certificate will not match (after all, it is using the virtual host name). If you force SSL as described in the TechNet article, the connection from the local host will not work. This is the point where the trouble starts, and while troubleshooting this, I messed up the configuration so that WSUS would not work at all. If this happened to you as well, see the [[instructions below||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] on how to fix things.

This problem is caused by the fact that, by default, NTLM authentication fails if the client is the same host and the request uses a host name that differs from the system's host name (or FQDN). Windows does this deliberately (the so-called loopback check) to block NTLM reflection attacks against the local machine. There are [two](http://support.microsoft.com/kb/896861) [articles](http://support.microsoft.com/kb/926642/en) in Microsoft's knowledge base and a [more detailed blog post](http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx) describing this problem. The solution is adding your virtual host name (`wsus.example.com` in the example) to the list of allowed host names. This list is stored in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` as a Multi-String Value named `BackConnectionHostNames`, taking one host name per line. Prefer this over the `DisableLoopbackCheck` value that some guides suggest: `BackConnectionHostNames` exempts only the listed names, whereas `DisableLoopbackCheck` switches the protection off for every name. You can edit the registry using the registry editor or [using PowerShell](http://sharepointadam.com/2010/07/20/add-backconnectionhostnames-to-the-registry-via-powershell/). After making this change, you should restart the server. Maybe it is sufficient to restart IIS, but I did not test this.

Now you should be able to connect the WSUS console to `wsus.example.com` on port 443 with SSL enabled.

If WSUS still does not work as expected after following this guide, you should first clean up your configuration as described in the [[following section||anchor="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"]] and repeat the steps from this section. If it still does not work, you might be interested in the [[section even further below||anchor="configuring-wsus-use-virtual-ip-address-only"]], which tells you how to make sure that WSUS uses the virtual IP address exclusively. This might be needed in some environments where clients cannot access the WSUS server using its regular IP address.
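The IIS and registry steps of this section, as an added example (not code from the original page) that uses the WebAdministration module instead of IIS Manager and the registry editor. It assumes the virtual host name `wsus.example.com` and the virtual IPv4 address `192.0.2.1` used above, a certificate for that name already imported into `LocalMachine\My`, and that `wsusutil configuressl` has already been run while only the `*:8530` / `*:8531` bindings existed. Run it in an elevated PowerShell on the WSUS server; for IPv6, repeat the binding part with the bracketed IPv6 address.

```powershell
# Added example (not from the original page): bindings on the virtual address
# plus the BackConnectionHostNames entry for the loopback check.
Import-Module WebAdministration

$site     = 'WSUS Administration'
$hostName = 'wsus.example.com'   # assumption: the virtual host name from the section above
$vip      = '192.0.2.1'          # assumption: the virtual IPv4 address added earlier

# Select the certificate by subject and insist on exactly one match, so a stale
# or renewed duplicate is not bound by accident.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey })
if ($certs.Count -ne 1) {
    throw "expected exactly one certificate for $hostName in LocalMachine\My, found $($certs.Count)"
}
$thumbprint = $certs[0].Thumbprint

# HTTP on 80 for the update content, HTTPS on 443 for the web services.
# Deliberately no host header: WSUS breaks if the host name is set in the binding.
if (-not (Get-WebBinding -Name $site -Protocol http -IPAddress $vip -Port 80)) {
    New-WebBinding -Name $site -Protocol http -IPAddress $vip -Port 80
}
if (-not (Get-WebBinding -Name $site -Protocol https -IPAddress $vip -Port 443)) {
    New-WebBinding -Name $site -Protocol https -IPAddress $vip -Port 443
}
$httpsBinding = Get-WebBinding -Name $site -Protocol https -IPAddress $vip -Port 443
$httpsBinding.AddSslCertificate($thumbprint, 'My')

# Exempt the virtual name from the NTLM loopback check, keeping any names that
# are already listed. This is narrower than DisableLoopbackCheck.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = @((Get-ItemProperty -Path $lsaPath -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
    Where-Object { $_ })
if ($current -notcontains $hostName) {
    New-ItemProperty -Path $lsaPath -Name BackConnectionHostNames -PropertyType MultiString `
        -Value ($current + $hostName) -Force | Out-Null
}

Restart-WebItem -PSPath "IIS:\Sites\$site"
Get-WebBinding -Name $site | Format-Table protocol, bindingInformation, certificateHash -AutoSize
```

The final table should list the two original `*:8530` / `*:8531` bindings plus the two new ones on the virtual address, with the certificate hash shown only on the HTTPS bindings. As noted above, a reboot (or at least an IIS restart) is needed before the `BackConnectionHostNames` change takes effect.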
99
## {{id name="configuring-wsus-with-ssl-what-to-do-if-you-messed-up"/}}What to do if you messed up

If you messed up (e.g. by running `wsusutil configuressl` after adding the virtual IP address to the bindings in IIS), WSUS will not start correctly and in the event log you will find one or several of the following messages:

* "The SimpleAuth Web Service is not working."
* "The Client Web Service is not working."
* "The WSUS content directory is not accessible." (with a 400, 401 or 404 error code)
* "The DSS Authentication Web Service is not working."
* "The Reporting Web Service is not working."
* "Self-update is not working."
* "The Server Synchronization Web Service is not working."
* "The API Remoting Web Service is not working."

You should be able to fix this by removing all bindings from the "WSUS Administration" site in IIS Manager and adding just the two bindings for `http://*:8530` and `https://*:8531`. After this you can restart the WSUS server and it should work again. Subsequently, you can follow the instructions given above for configuring SSL.
114
## {{id name="configuring-wsus-use-virtual-ip-address-only"/}}Configuring WSUS to use a virtual IP address only

In order to understand what we are going to do here, it makes sense to first understand what we did in the sections above:

When we run `wsusutil configuressl`, WSUS checks the IIS configuration for its site to determine the SSL address and port on which it is available. WSUS has to do this, because HTTPS is used for transferring meta-data only. The actual update files are always transferred via regular HTTP without SSL. Therefore WSUS needs to know the address for HTTP so that it can tell the clients where to download the updates. By convention, the port for HTTP is 80 when HTTPS is running on port 443, or one below the HTTPS port when HTTPS is using any port other than 443. WSUS will also use this information internally, in order to know how to contact its own services.

Now, if the IIS configuration does not specify a host name for the binding, WSUS will just assume it is using the server's regular host name. If you are using a virtual IP address, this is not true and so WSUS will use a wrong host name. If IIS does not listen on all addresses for the given port, WSUS will not be able to communicate correctly.

This is why we ran `wsusutil configuressl` before we configured the bindings for the virtual IP address. This way, WSUS still thinks it is running on port 8530 and using the regular host name and IP address of the server. This setup has the drawback that WSUS will also tell clients to contact it using the regular host name and port 8530. If clients can resolve the host name and connect to the regular address on port 8530, this is not a problem. However, if we have a firewall that prevents clients from connecting to this address or port, or our clients are in a different network and the server is only visible by its alias IP address and host name, we have a problem. In this case we have to tell WSUS the virtual host name, so that clients will connect to the right address and port for update downloads.

We do this by removing the bindings we defined for port 8530 and 8531 and setting the host-name property of the bindings with the virtual IP address to the virtual host name (`wsus.example.com` in our example). Now we run `wsusutil configuressl` again. The output of `wsusutil` should indicate that WSUS is now using the right host name. Now we remove the host name from the bindings again, because otherwise IIS will not answer requests without a host name in the header.

However, this solution has a major drawback, which is the reason why we did not use it in the first place: WSUS will not be able to run its health checks, because the server now thinks that the health-check pings are coming from a different host. You will see this in the form of the following symptoms: the WSUS log file will be full of messages like "Ping method is only available from local machine" and the event log will contain the following messages:

* "The SimpleAuth Web Service is not working."
* "The Client Web Service is not working."
* "The DSS Authentication Web Service is not working."
* "The Reporting Web Service is not working."
* "The Server Synchronization Web Service is not working."
* "The API Remoting Web Service is not working."

WSUS should still work correctly though. If you have to choose this configuration mode, you might want to deactivate the health checks in order to get rid of these error messages. You can run the following commands to switch the corresponding health checks off:

```bat
wsusutil healthmonitoring CheckReportingWebService off
wsusutil healthmonitoring CheckApiRemotingWebService off
wsusutil healthmonitoring CheckServerSyncWebService off
wsusutil healthmonitoring CheckClientWebService off
wsusutil healthmonitoring CheckSimpleAuthWebService off
wsusutil healthmonitoring CheckDssAuthWebService off
```
146
# WINS reports initialization error

The WINS server might log a message on each startup: "The WINS Server could not initialize security to allow the read-only operations."

This happens if it cannot find the "WINS Users" group. As suggested [here](http://social.technet.microsoft.com/Forums/windowsserver/en-US/d1e91b79-6d33-4bbc-9545-5d0ee5c872a2/the-wins-server-could-not-initialize-security-to-allow-the-readonly-operations?forum=winserverManagement), this can be fixed by simply creating a local group with that name.
152
# Active Directory and Disk Write Cache

The Active Directory Domain Services might log a warning message in the event log:

* _Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk. Hard disk: c: Data might be lost during system failures._

This might happen if the server runs in a virtual machine: as explained by [this article about running a domain controller in Hyper-V](http://www.hyper-v.nu/archives/hvredevoort/2013/07/keeping-your-virtual-active-directory-domain-controllers-safe/), the hard-disk cache cannot be (reliably) deactivated on a virtual hard disk. However, if this situation is detected, critical write operations can still be performed in write-through mode. If running on a Windows Server 2008 R2 or Windows Server 2012 Hyper-V host, an [update](http://support.microsoft.com/kb/2853952) needs to be installed, because otherwise Active Directory Domain Services might incorrectly assume that the write cache has been disabled, which can lead to the catastrophe described in the article.

This issue has also been discussed in the [TechNet forum](http://social.technet.microsoft.com/Forums/windowsserver/en-US/c472c3d2-0a12-4883-a86c-4340ffa3d49e/disabling-disk-write-cache-for-a-windows-server-2012-domain-controller-running-as-a-hyperv-guest).

I got the warning message mentioned earlier on a DC running as a guest under Linux KVM on Ubuntu 12.04 LTS. So it seems that Linux KVM is correctly reporting that the write cache cannot be disabled, at least when using up-to-date virtio drivers. In fact, current versions of Linux KVM will also handle the write-through flag on write operations correctly and tell the disk controller or hard disk to commit the changes to disk before reporting success, irrespective of the [[cache settings|doc:Linux.KVM.WebHome|anchor="disk-cache-settings"]].
166
# Installing an SSL certificate for Remote Desktop

When using Remote Desktop for remote administration, it is nicer if the certificate used by the server is signed by a certificate authority trusted by the client; with the default self-signed certificate the client cannot verify that it is talking to the right server. As long as Remote Desktop is used over trusted connections only, this is not so important; however, if you have your own PKI already, it makes quite some sense to do it anyway.

Installing the certificate into the computer's certificate store is pretty straightforward. However, how can we tell the Remote Desktop server to actually use the certificate? Unlike Active Directory Domain Services, it does not automatically pick up the certificate, but continues to use its self-signed certificate.

I found the answer on [Server Fault](http://serverfault.com/questions/444286/configure-custom-ssl-certificate-for-rdp-on-windows-server-2012-in-remote-admini):

The SHA1 fingerprint of the certificate needs to be set in the Remote Desktop configuration through WMI. From the command prompt, this can be done with the following command:

```bat
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
```

`THUMBPRINT` has to be replaced by the SHA1 fingerprint of the actual certificate (with all spaces removed).

The answer on Server Fault also mentions a PowerShell command:

```ps1
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}
```

However, in contrast to the command-prompt version, the PowerShell variant did not work for me.

If neither of the two works for you, there is a third variant ([Remote Desktop Services Blog - look for the comment by Sergey Kuzin](http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=4#comments)): the fingerprint can be set directly in the registry by adding the binary value `SSLCertificateSHA1Hash` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp` and putting the fingerprint in (in the editor you can use the hex digits as they are displayed in the certificate details). In this case, you also have to manually grant access to the certificate's private key by right-clicking it in the certificate store and choosing _All Tasks_ → _Manage Private Keys..._. You should add the read privilege for the _NETWORK SERVICE_ user, because that is the account the Remote Desktop Services service runs under.
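The whole procedure in one script, as an added example that is neither code from the original page nor from the Server Fault answer: it selects the certificate by subject, grants NETWORK SERVICE read access to the private key (the same thing _Manage Private Keys..._ does in the GUI), writes the thumbprint to the RDP-Tcp listener through WMI and reads it back. The certificate subject is an assumption to adjust, the key is assumed to be a CAPI key stored under `MachineKeys` (for a CNG key the permission still has to be granted in the GUI), and the script must run in an elevated PowerShell.

```powershell
# Added example (not from the original page or the Server Fault answer).
$subject = 'CN=server01.example.com'   # assumption: adjust to your certificate

$cert = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending)
if ($cert.Count -eq 0) { throw "no certificate with subject '$subject' and a private key in LocalMachine\My" }
$cert = $cert[0]   # the newest one, in case the certificate was renewed

# Win32_TSGeneralSetting expects 40 hex digits without spaces; Thumbprint already has that form.
$thumbprint = $cert.Thumbprint.ToUpperInvariant()
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "unexpected thumbprint format: $thumbprint" }

# Remote Desktop Services runs as NETWORK SERVICE and must be able to read the private key.
try { $key = $cert.PrivateKey } catch { $key = $null }
if ($key -eq $null) {
    Write-Warning 'CNG or inaccessible key: grant NETWORK SERVICE read access via "Manage Private Keys..." in the certificate MMC'
} else {
    $keyName = $key.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path -Path $env:ProgramData -ChildPath "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# Write the thumbprint to the listener configuration; Put() commits the change.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
$listener.SSLCertificateSHA1Hash = $thumbprint
$listener.Put() | Out-Null

# Verify by reading the value back instead of trusting the call succeeded.
$applied = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($applied -ne $thumbprint) { throw "listener still uses $applied" }
"RDP-Tcp now uses certificate $thumbprint ($($cert.Subject))"
```

Existing sessions keep the old certificate; the new one is used for connections made after the change. A quick end-to-end check is to connect with `mstsc` from a client that trusts the CA and confirm that no certificate warning appears.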
193
# Enabling LDAP request signing

[A knowledge-base article](http://support.microsoft.com/kb/935834) explains how to enable request signing. However, if non-Microsoft clients (e.g. Apache Directory Studio) are used, this can cause problems, because they do not request signing on their SASL binds and will be rejected once it is required. Request signing can still be enabled if these clients are configured to connect using SSL, since the signing requirement does not apply to connections that are already protected by SSL/TLS.

In order for this to work, a valid SSL certificate has to be installed in the certificate store of each domain controller. This will turn on SSL on the server side. The clients have to be configured to use SSL (ldaps) and connect to the server on port 636. In this case they will continue working without request signing, even though the corresponding option is turned on for the servers.
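Before turning the requirement on, it is worth knowing which clients still bind without signing, and afterwards that an LDAPS bind actually works. The following is an added example (not code from the original page or the knowledge-base article): step 1 raises the NTDS diagnostics level so that the domain controller logs event 2889 for each unsigned or clear-text simple bind, step 2 summarises those events per client and identity, and step 3 performs an LDAPS bind with the current Windows credentials. The domain controller name `dc1.example.com` is an assumption; run it on a domain controller as an administrator.

```powershell
# Added example (not from the original page): find unsigned LDAP binds, then
# confirm that LDAPS works before requiring signing.

# 1. Log each unsigned/simple bind as Directory Service event 2889
#    ("16 LDAP Interface Events" = 2). Event 2887 gives only a 24-hour summary.
$diagPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagPath -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Who is still binding insecurely? Run after the events had time to accumulate.
function Get-UnsignedLdapBind {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The 2889 text contains "Client IP address: <ip>:<port>" and
            # "Identity the client attempted to authenticate as: <DOMAIN\user>".
            $client   = if ($_.Message -match 'Client IP address:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            $identity = if ($_.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{ Client = $client; Identity = $identity }
        } |
        Group-Object -Property Client, Identity |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# 3. Bind over LDAPS (port 636). This is what the non-Microsoft clients will do.
function Test-LdapsBind {
    param([string]$Server = 'dc1.example.com', [int]$Port = 636)   # assumption: DC name
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte; the DC cert must chain to a trusted CA
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try     { $conn.Bind(); $true }
    catch   { Write-Warning "LDAPS bind to ${Server}:${Port} failed: $($_.Exception.Message)"; $false }
    finally { $conn.Dispose() }
}

Get-UnsignedLdapBind | Format-Table -AutoSize
Test-LdapsBind
```

Every line in the first table is a client that will stop working when signing is required unless it is switched to LDAPS (or to a signing-capable bind); only set the "Require signing" policy once the list is empty or every remaining entry is accounted for. Set the diagnostics value back to 0 afterwards, as level 2 logs one event per bind.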
199
# Windows Update Error 80072F8F

After installing the update from [KB2919355](http://support.microsoft.com/kb/2919355), Windows Update might present the error code "80072F8F" when trying to check for new updates. Typically, this only happens when using WSUS with SSL/TLS (HTTPS) enabled for the WSUS connection. This error can have different causes, and it took me nearly a day to figure out why I got it.

First the most common reasons:

* WSUS is running on an old (before Windows Server 2012) server and TLS 1.2 is not enabled on this server. This is the problem described in [KB2959977](http://support.microsoft.com/kb/2959977). It should have been fixed with a new revision of KB2919355.
* There is a problem with the SSL certificate of the WSUS site (e.g. the certificate is not trusted).

In my case, however, none of the possible solutions I found on the Internet applied. In fact I had a different problem:

* The CRL distribution point listed in the WSUS site's certificate is not valid, or the CRL cannot be downloaded from this URL. In my case the web server that should serve the CRL would send a 302 redirect instead because of a misconfiguration. Most clients do not care, because they do not try to download the CRL, or at least do not fail if it cannot be downloaded. It seems that the Windows Update service changed this behavior with KB2919355, which can now expose problems that were not discovered earlier.
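A check for exactly this failure mode, as an added example (not code from the original page): it fetches the certificate the WSUS site actually presents, extracts the CRL distribution points from it and requests each one with redirects disabled, so a 302 (or an HTML error page) is reported instead of being silently followed. The WSUS host name and SSL port are assumptions.

```powershell
# Added example (not from the original page): does the CRL distribution point
# of the WSUS certificate answer with a real CRL, or with a redirect?

function Get-WsusCertificate {
    param([string]$HostName = 'wsus.example.com', [int]$Port = 8531)   # assumptions
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any server certificate here: we only want to inspect it, not trust it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CrlDistributionPoint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders "URL=..." lines.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false   # a redirect is the failure we are looking for, do not follow it
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()     # 3xx is returned normally when redirects are off
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response  # 4xx/5xx arrive as an exception carrying the response
        if (-not $resp) { return [pscustomobject]@{ Url = $Url; Status = 0; ContentType = $_.Exception.Message; Ok = $false } }
    }
    $status = [int]$resp.StatusCode
    $type   = $resp.ContentType
    $resp.Close()
    # A usable CDP answers 200 with a CRL body; HTML means an error or login page.
    [pscustomobject]@{ Url = $Url; Status = $status; ContentType = $type; Ok = ($status -eq 200 -and $type -notmatch 'html') }
}

function Test-WsusCrl {
    param([string]$HostName = 'wsus.example.com', [int]$Port = 8531)
    $cert = Get-WsusCertificate -HostName $HostName -Port $Port
    Write-Host "Certificate: $($cert.Subject), valid until $($cert.NotAfter)"
    $urls = @(Get-CrlDistributionPoint -Certificate $cert | Where-Object { $_ -like 'http://*' })
    if ($urls.Count -eq 0) { Write-Warning 'certificate has no HTTP CRL distribution point'; return }
    foreach ($url in $urls) { Test-CrlUrl -Url $url }
}

Test-WsusCrl | Format-Table -AutoSize
```

A `Status` of 301 or 302 in the output is the misconfiguration described above. The built-in equivalent is `certutil -verify -urlfetch` on the exported certificate, which runs the same check through Windows' own chain engine; the script above is just more explicit about what it found.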
212
# WSUS Crash

After installing KB3148812, WSUS might not start or might crash after some time. In the event log, there is a message like:

```
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. Reason: Failed to open the explicitly specified database 'SUSDB'. [CLIENT: <named pipe>]
```

This might be caused by a [problem with the KB3148812 update](https://blogs.technet.microsoft.com/wsus/2016/05/05/the-long-term-fix-for-kb3148812-issues/). This problem is fixed by the [KB3159706](https://support.microsoft.com/en-us/kb/3159706) update. However, even after this update is installed, there might still be problems. For example, the event log might contain a message like:

```
WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/34250480
Exception: System.ServiceModel.ServiceActivationException: The service '/ClientWebService/Client.asmx' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting 'system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying 'system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
Parameter name: item. ---> System.ArgumentException: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting 'system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying 'system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
Parameter name: item
   at System.ServiceModel.UriSchemeKeyedCollection.InsertItem(Int32 index, Uri item)
   at System.Collections.Generic.SynchronizedCollection`1.Add(T item)
   at System.ServiceModel.UriSchemeKeyedCollection..ctor(Uri[] addresses)
   at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
   at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
Process Name: w3wp
Process ID: 2120
```

This happens because the [KB3159706](https://support.microsoft.com/en-us/kb/3159706) update requires some manual intervention after being installed. The steps needed are described in the knowledge-base article for this update.
241
# Improving domain controller security

There are several steps that can be taken to improve the security of domain controllers:

* Disable the print spooler service on domain controllers. Usually, there is no need to print from domain controllers, and domain controllers should not act as print servers either. This can be done locally on the domain controllers or through a group policy that is linked to the organizational unit containing the domain controllers.
* Remove users from the “Pre-Windows 2000 Compatible Access” group. By default, the group “Authenticated Users” is a member of this group. Please note that this might have undesired side effects, and in some environments it might indeed be necessary for all authenticated users to be in this group. However, in environments where it is not necessary, making sure that this group has no members (or only a few specific members) can improve security, because it significantly limits what authenticated users can do (e.g. browsing Active Directory).
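Both measures in one script, as an added example (not code from the original page): it refuses to run on anything but a domain controller, reports the current state of the spooler and of the group membership, and changes them only when `-Apply` is given. The ActiveDirectory module and an account that can modify the built-in group are required. The membership is read through the group's `member` attribute and removed with `Set-ADGroup -Remove` rather than `Get-ADGroupMember`, which does not reliably enumerate groups containing well-known principals such as Authenticated Users.

```powershell
# Added example (not from the original page): disable the print spooler and
# take Authenticated Users out of Pre-Windows 2000 Compatible Access.
Import-Module ActiveDirectory

function Assert-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -lt 4) { throw "this host is not a domain controller (DomainRole=$role)" }
}

function Disable-PrintSpooler {
    param([switch]$Apply)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
    Write-Host ("Spooler: state={0}, start mode={1}" -f $svc.State, $svc.StartMode)
    if ($Apply) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host 'Spooler stopped and disabled'
    }
}

function Clear-PreWindows2000CompatibleAccess {
    param([switch]$Apply)
    # The group has the well-known SID S-1-5-32-554. Authenticated Users (S-1-5-11)
    # shows up in its member list as a foreign security principal named after the SID.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    foreach ($dn in $group.member) { Write-Host "member: $dn" }
    $authUsers = @($group.member | Where-Object { $_ -like 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,*' })
    if ($authUsers.Count -eq 0) { Write-Host 'Authenticated Users is not a member'; return }
    if ($Apply) {
        Set-ADGroup -Identity $group -Remove @{ member = $authUsers }
        Write-Host 'removed Authenticated Users from Pre-Windows 2000 Compatible Access'
    } else {
        Write-Host 'Authenticated Users is a member; rerun with -Apply to remove it'
    }
}

Assert-DomainController
Disable-PrintSpooler                    # report only
Clear-PreWindows2000CompatibleAccess    # report only
# Disable-PrintSpooler -Apply
# Clear-PreWindows2000CompatibleAccess -Apply
```

Run the report-only form first and keep the printed member list: if applications break after the change (the side effects mentioned above), the listed distinguished names are what you need to restore the membership.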