Inbox Accounting Database Management

The Routing and Remote Access Service (RRAS) role in Windows Server is a popular VPN server choice for administrators deploying Windows Always On VPN. It is easy to configure, scales well, and is cost-effective. After installing RRAS, administrators can optionally enable inbox accounting to log historical data and generate user access and activity reports as described in Always On VPN RRAS Monitoring and Reporting.

Inbox Accounting Database

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled.

WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally.

Inbox Accounting Database Management Scripts

I have created a series of PowerShell scripts to address the inbox accounting database management requirements for organizations using Windows Server RRAS. Scripts are available to perform the following inbox accounting database management tasks.

  • Optimize the inbox accounting database.
  • View the size of the inbox accounting database files.
  • Compress the size of the inbox accounting database.
  • Back up the inbox accounting database to a file on disk.
  • Restore the inbox accounting database from a backup file.
  • Move the inbox accounting database file to a different location.
  • Remove the inbox accounting database.

Optimize Database

A known issue with the inbox accounting database can result in high CPU and memory utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. This issue persists in Windows Server 2022. To correct this issue, download and run the following PowerShell script on each RRAS VPN server in the organization.

Optimize-InboxAccountingDatabase.ps1

View Database Size

The database can grow rapidly depending on how busy the RRAS server is. Administrators can view the current database file sizes by downloading and running the following PowerShell script on the RRAS server.

Get-InboxAccountingDatabaseSize.ps1

Compress Database

Over time, the database can become fragmented, decreasing performance. Compressing the database can improve performance and result in significant recovery of disk space. To compress the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Compress-InboxAccountingDatabase.ps1

In this example, compressing the database reduced its size by more than 8MB, resulting in a nearly 70% reduction in disk space usage.

Backup Database

Administrators may wish to back up the inbox accounting database before purging older records from the inbox accounting database. Also, backing up the database preservers access records when migrating to a new server. To back up the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Backup-InboxAccountingDatabase.ps1

Restore Database

Naturally, to restore the inbox accounting database from a previous backup, administrators can download and run the following PowerShell script.

Restore-InboxAccountingDatabase.ps1

Restoring a database from backup will erase all records in the current database. It does not append. Proceed with caution!

Move Database Files

Inbox accounting database and log files are located in C:\Windows\DirectAccess\Db by default.

However, storing database and log files on the system drive is not ideal. A better alternative is to place the inbox accounting database and log files on a separate disk for optimum performance. To move the inbox accounting database, download and run the following PowerShell script on each VPN server in the organization.

Move-InboxAccountingDatabase.ps1

Moving inbox accounting files may not be formally supported by Microsoft. Use caution when making this change.

Remove Database

Occasionally an inbox accounting database becomes corrupt and can no longer be managed. If this happens, completely removing the database is required. It is essential to know that simply disabling and re-enabling inbox accounting on the VPN server does not delete the database. To delete the database completely, download and run the following PowerShell script.

Remove-InboxAccountingDatabase.ps1

PowerShell Module

To simplify things, the PowerShell scripts described in this article are available in a PowerShell module that can be installed from the PowerShell gallery using the following command.

Install-Module InboxAccountingDatabaseManagement

Additional Information

Windows Always On VPN RRAS Inbox Accounting Database Management PowerShell Module

Windows Always On VPN RRAS Monitoring and Reporting

Windows Always On VPN PowerShell Scripts on GitHub

Always On VPN with Active Directory Group Policy

Windows Always On VPN is a workload explicitly designed to be implemented and managed using Microsoft Endpoint Manager/Intune. While this is the best way to deploy and manage Always On VPN client configuration settings, it is not the only way. Administrators can also use System Center Configuration Manager (SCCM) by deploying a PowerShell script and XML configuration file to configure Always On VPN. Of course, it’s always possible to run the PowerShell script on individual machines.

Group Policy

Until now, there have been few options for deploying and managing Windows Always On VPN using Active Directory and group policy. This presents a challenge for administrators who still rely on group policy to manage their endpoints. It is possible to deploy the PowerShell script and XML configuration file using a group policy startup script. However, there are many limitations to this approach. Administrators must learn to properly configure the XML file and manage any configuration updates post-implementation.

Always On VPN DPC

The folks at PowerON Platforms have developed the Always On VPN Dynamic Profile Configurator (DPC) to address these shortcomings. Always On VPN DPC allows administrators to deploy and manage Always On VPN client configuration settings using Active Directory and group policy. Their software comes with Active Directory group policy templates that include all the necessary settings and client software that manages the configuration on the endpoint.

Advanced Features

Always On VPN DPC includes advanced features not included in Microsoft Endpoint Manager/Intune or XML. Here’s a sample of helpful custom settings that can be configured using Always On VPN DPC.

  • VpnStrategy
  • Interface metrics
  • Route metrics
  • Dynamically updated Office 365 exclusion route list
  • IKE mobility settings
  • IPv6 routes
  • And more…

Videos

I’ve created a brief introduction video for PowerOn Platforms Always On VPN DPC on YouTube. Soon I’ll be releasing additional videos that cover the installation and configuration of Always On VPN DPC and some of its advanced features, so be sure to subscribe to my YouTube channel.

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Special Thanks

I want to extend a special thank you to Leo D’Arcy and the entire team at PowerON Platforms for allowing me to preview this software before its wide release. Also, I’m honored that you have graciously accepted my input and feedback for this solution. I’m consistently amazed at how rapidly you’ve corrected issues and implemented new features at my behest. You are all amazing. Thanks again! 😁

Additional Information

AovpnDPC.com

Introducing PowerON Platforms Always On VPN DPC on YouTube.com

Always On VPN and Intune Proactive Remediation

Always On VPN and Autopilot Hybrid Azure AD Join

When configuring and deploying Windows Always On VPN using Microsoft Endpoint Manager (MEM)/Intune, administrators may find that some settings are not exposed in the MEM UI. In some cases, deploying the configuration profile using custom XML is the workaround. However, many crucial Always On VPN settings are not exposed using either method. Here, administrators must resort to editing settings in the VPN configuration file on the client after provisioning the VPN profile.

Phonebook

A file called rasphone.pbk stores all Windows VPN settings on the endpoint. It includes name/value pairs that correspond to many settings administrators change manually in the GUI. Other settings can be changed using PowerShell. Depending on the connection type, the file can be found in one of two locations.

  • User Tunnel: $env:AppData\Microsoft\Network\Connections\Pbk\rasphone.pbk
  • Device Tunnel: $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Documentation for Windows VPN client phonebook entry settings can be found here.

Limitations

Unfortunately, editing the rasphone.pbk file isn’t always convenient. Making the changes is technically easy. Administrators can write a simple PowerShell script to update the text file as required. However, automating this at scale is challenging. Thankfully, Intune Proactive Remediations can help.

Proactive Remediations

With Intune Proactive Remediations, administrators can create and deploy script packages to monitor and optionally update specific configuration settings. The package includes two scripts, a detection script, and a remediation script. The detection script looks at the current value of a particular setting and reports on its compliance. The remediation script is triggered to update the setting if the value is incorrect.

Requirements

Intune Proactive Remediations has some specific licensing requirements. Administrators must also enroll devices into Endpoint analytics and provision a Windows Health Monitoring configuration profile. There are also limitations on the size and type of scripts that administrators can use. More information on prerequisites can be found here.

Script Packages

Administrators can create detection and remediation PowerShell scripts to update settings in rasphone.pbk, or optionally, they can download sample scripts from my GitHub repository here. This repository contains user and device tunnel detection and remediation scripts for many popular settings in rasphone.pbk. Examples include updating the VPN Strategy, changing VPN interface metrics, disabling class-based default routes, and many more.

Note: The scripts in my GitHub repository are examples only. While they can be used in production environments, they are basic and may not work as expected in all scenarios. For example, the scripts as written today assume only a single VPN profile provisioned. Unexpected results may occur if more than one VPN profile exists. Please use them at your own risk.

Deployment

In this example, we’ll deploy a Proactive Remediation to disable IKE mobility for user tunnel VPN connections. To configure an Intune Proactive Remediation, open the Microsoft Endpoint Manager portal (https://endpoint.microsoft.com/) and navigate to Reports > Endpoint analytics > Proactive remediations. After creating or downloading the detection and remediation scripts, perform the following steps to create and deploy a Proactive Remediation script package.

  1. Click Create script package.
  2. Enter a name for the package in the Name field.
  3. Enter a description for the package in the Description field (optional).
  4. Click Next.
  5. Click the blue folder icon next to the Detection script file field and upload the detection script.
  6. Click the blue folder icon next to the Remediation script file field and upload the associated remediation script.
  7. For user tunnel connections, click Yes next to Run this script using the logged-on credentials. For device tunnel connections, click No.
  8. Click Next.

Assign scope tags and group assignments as necessary, then click Create. Click Refresh to update the UI to display the newly created script package.

Caveats

Be advised that Proactive Remediation script packages run immediately after the first device sync and then every 24 hours after that. Timing issues could lead to delays in functionality. For example, if an Always On VPN profile is provisioned after a Proactive Remediation script runs, the changes made by the remediation script won’t be available until much later. Also, changes made while the VPN is active will not take effect until after restarting the connection.

Special Thanks

Special thanks to Tom Klaver at Inspark for turning me on to this feature. It has been an absolute lifesaver for sure!

Additional Information

Microsoft Intune Proactive Remediation Tutorial

Windows VPN Phonebook Entry Settings

Intune Proactive Remediation Script Samples on GitHub

Microsoft Windows Always On VPN Class-Based Default Route and Intune

Microsoft Windows Always On VPN Short Name Access Failure

%d bloggers like this: