Windows 2016 RRAS installation initialization hangs

Question

Windows 2016 Server (Fully SPd) Roles installed Active Directory, IIS, DNS Also installed Exchange 2013 CU4

Up to that point the server seemed to be running fine.

Added the role Remote Access, which installs fine Post Install wizard runs and select Deploy VPN only

This then starts Routing and Remote Access Run the “Configure and Enable Routing and Remote Access” wizard

Select a custom config, as the server only has one NIC check VPN Access Wizard completes and prompts to start the service

Click Start Service and a dialog box appears with a rotating clock and nothing else happens. It just hangs and on the window it says, "please wait while the routing and remote access service finishes initialization"

No errors in the event viewer

Tried going to services.msc, Both the “Routing and Remote Access” and “Remote Access Management” services say they are running. Right click on those services and all options are greyed out, so can’t start, stop or restart the services.

After some Google searching I’ve checked the “Logon As A Service” for the local policy and that matches, so I presume that’s ok. Link to that article I also tried setting the permissions on the “Logon As A Service” using a powershell script Link to the script

The GPO for Default Domain Policy and Default Domain Controller Policy are as default from the MSAD installation.

I checked the windows firewall and RRAS rules are there.

1. What am I missing?

2. Could it be a firewall preventing the service starting? I tried turning that off, and that made no difference.

3. Could it be a permission stopping something, if so what?

4. What should I look for?

##### UPDATE #####

I decided to add a second server to the domain as a member server. I then added the RRAS role and feature.

Ran the wizard to configure RRAS as Custom (only one NIC) VPN Only. The wizard completes and then tries to start the service and simply hangs on the window saying, "please wait while the routing and remote access service finishes initialization" and nothing happens.

This is the exact same problem as the first server.

So I am no left wondering if some sort of GPO is causing it. However both the "Default Domain Policy" and the "Default Domain Controller Policy" remain untouched.

Regardless of that I tried resetting the two GPOs using the below

dcgpofix /target:Domain dcgpofix /target:DC

and delete the local GPO

RD /S /Q "%WinDir%\System32\GroupPolicyUsers" RD /S /Q "%WinDir%\System32\GroupPolicy" gpupdate /force

That didn't change anything either.

I tried resetting the security settings on each of the servers?

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

I get several "Warning 5 Access Denied" message but claims to have completed.

Must confess I was worried about running that command on DC.

Would resetting the security effect MSAD, MS Exchange or IIS that's running on the main server?

Annoyingly there is nothing in the Event Log at all. When I say nothing I mean no mention of RRAS at all, no errors, no information. So clearly the service starting is hanging before any log information can be recorded.

I tried turning on Tracing, but nothing in there either

netsh ras set tracing * enabled

So where do I go from here?

Any ideas??

##### SOLUTION #####

Yay!!! Many thanks to Bob (See below)

I was indeed running the Windows 2016 server on Proxmox. Changed the Network Card from VirtIO to Intel E1000 then did the RRAS install again.

BINGO!!! the Wizard completed and RRAS is working.

Many thanks Bob...

Answer 1

I came across this while having a similar issue on Nutanix using their Acopolis HV (AHV).

There is no way that I could find to use an emulated Intel driver, so this fix didn't work for me, but it did point me in the right direction, so thank you for that.

The issue was using the Nutanix VirtIO 1.1.1 NetKMV drivers, I installed the latest Fedora VirtIO NetKVM from 0.1.141 and it resolved my issue.

Thanks again for posting this.

Answer 2

This can happen if a certificate for DirectAccess remains in the personal certificate store of the local computer account after DirectAccess is uninstalled

Answer 3

I had the same problem but on Nutanix AHV where initially configuring DirectAccess would cause the exact same problems. Tried my initial image which had the Nutanix VirtIO 1.1.1 drivers, even a clean install with the Nutanix VirtIO 1.1.1 drivers.

But this didn't affect my other Server 2016 installs with DirectAccess as they were using the Nutanix VirtIO 1.0.1 drivers, or some previous version.

Luckily I found this post otherwise I would have been stuck for way longer than intended.

After some digging and comparing of the working driver (1.0.1) VS the non working one (1.1.1), I found that disabling the following two network adapter advanced settings fixed the problem:

• Recv Segment Coalescing (IPv4)
• Recv Segment Coalescing (IPv4)

These 2 options were not available in the 1.0.1 driver version.

Hopefully disabling these two options helps anyone else facing the same issues. If that doesn't work using try using the Nutanix VirtIO 1.0.1 driver.

Answer 4

Deleting the entire registry key as below worked for me: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6

by the way it was a 2012 server in place upgraded to 2016