The Network Policy Server Service (NPS or IAS) Fails to Start on Windows SBS Server 2008 with an unspecified error (0x80004005)

vss registry keySo I was recently helping out a client clean up their Small Business Server environment, one thing they weren’t using was SharePoint, so we decided to remove it from their SBS 2008 server. The removal went smoothly, simply uninstalling SharePoint Services via Add/Remove control panel did the trick. But after a restart we found that clients were no longer connecting to their Wireless network, so I went did some troubleshooting and found that the NPS service hadn’t started since boot-up.

I then tried starting it up but got an error after trying to start the service with an unspecified error 0x80004005 which was very helpful. After some more digging around and Google-Fu I found that this had to do with permissions on a registry entry for VSS. The following key needed to be updated from the value 1 to 0.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Make sure that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is not and set to 0, change it to 1.  Once you have changed the value you can restart or terminate any IAShost.exe that are running via task manager and then start up the NPS service.

This issue has been documented by Microsoft to occur if you remove SharePoint from SBS Server 2008, so just a heads up if you do and rely on NPS for authentication for things like Remote Access or Wireless.

How to set (and change) an NTP time source in Windows Server 2008 R2 (SBS 2011 and Vanilla Server).

Recently, the clocks on my home networked PCs began drifting off sync until the difference was around 30 minutes. At first i thought that my SBS server was no longer synching with time.windows.com (the default time server for windows). After a quick look at the event log, I could see that it was syncing correctly and that the date and timezone were correct. So I began to look at how I could change the NTP server that Windows was syncing with. Unlike Windows XP, which had a tab were you could set the source and even add your own in the date and time control panel applet, Windows Server 2008 and Windows 7 have nothing of the sort, so how was I going to change the source. A quick look on technet led me to an article titled Windows Time Services Tools and Settings.

To query the time service about its current status open up an elevated command prompt and type in:
w32tm /query /status

This will display the following output (it will either state Source: Local CMOS Clock or time.windows.com)

After working out the souce and that it was synching without error as well as the obvious the fact the time was way off I needed to find a reliable Time service. After a bit of searching around the web I found pool.ntp.org which is the part of the home for the Network Time Protocol open source project (ntp.org). Members work together to provide a public pool of time servers for use by individuals and businesses. pool.ntp.org uses DNS round robin to make a random selection from a pool of time servers who have volunteered to be in the pool making this service highly redundant and reliable.

If you navigate to the Time Servers page on their wiki you will see a list of servers as rell as regional servers which you can also choose from.  Since I’m in Australia I narrowed it down to Oceanaia and then Australia leaving me with au.pool.ntp.org.  So basically I now had to reconfigure the Windows Time service to sync with the NTP Australian Server Pool. A quick look over the technet documentation told me the commands I needed to run which was:
w32tm /config /manualpeerlist:au.pool.ntp.org

Which after being executed in an elevated command prompt will leave you with command completed successfully.  Once that is configured we need to restart the time service by either doing net stop/start w32time or via the Services Control Panel on Windows Time.

You can then query the time service again using /query and /status which will present you with the above output. As you can see the time service is now synching with the service that I specified it to. You can look around the NTP site to find a group of services which are closer to your location, but it generally doesn’t matter where you pick the NTP server from.

And there you have it, how to reconfigure the Windows Time service to look at a different time source.  As a side note before closing off the article, Microsoft don’t fully support the Windows 32 Time service for use in high accuracy environments as mentioned in this Knowledge base article. So if you need something which is highly accurate then you need to look elsewhere.