The Workplace Ninja Summit takes place from 12-14 September 2022 in Lucerne, Switzerland. The conference focuses on endpoint management and security with platforms such as System Center Configuration Manager (SCCM) and Microsoft Endpoint Manager/Intune.
Conference Sessions
If you are participating in the conference, be sure to attend one of my sessions! I’m delivering the following three talks during the event.
This session will explore the options for deploying enterprise PKI certificates using Intune. I’ll be sharing lots of security and implementation best practices.
This talk will dive into the options for deploying Always On VPN using Intune. I’ll be covering many tips, tricks, and best practices and shining a light on many limitations and shortcomings of using Intune for Always On VPN.
Join Me!
Unfortunately, the conference is sold out, so if you haven’t made arrangements to attend you’ll have to wait until next year. If you are attending, please be sure to say hello!
The Routing and Remote Access Service (RRAS) role in Windows Server is a popular VPN server choice for administrators deploying Windows Always On VPN. It is easy to configure, scales well, and is cost-effective. After installing RRAS, administrators can optionally enable inbox accounting to log historical data and generate user access and activity reports as described in Always On VPN RRAS Monitoring and Reporting.
Inbox Accounting Database
A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled.
WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally.
Inbox Accounting Database Management Scripts
I have created a series of PowerShell scripts to address the inbox accounting database management requirements for organizations using Windows Server RRAS. Scripts are available to perform the following inbox accounting database management tasks.
Optimize the inbox accounting database.
View the size of the inbox accounting database files.
Compress the size of the inbox accounting database.
Back up the inbox accounting database to a file on disk.
Restore the inbox accounting database from a backup file.
Move the inbox accounting database file to a different location.
Remove the inbox accounting database.
Optimize Database
A known issue with the inbox accounting database can result in high CPU and memory utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. This issue persists in Windows Server 2022. To correct this issue, download and run the following PowerShell script on each RRAS VPN server in the organization.
The database can grow rapidly depending on how busy the RRAS server is. Administrators can view the current database file sizes by downloading and running the following PowerShell script on the RRAS server.
Over time, the database can become fragmented, decreasing performance. Compressing the database can improve performance and result in significant recovery of disk space. To compress the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.
In this example, compressing the database reduced its size by more than 8MB, resulting in a nearly 70% reduction in disk space usage.
Backup Database
Administrators may wish to back up the inbox accounting database before purging older records from the inbox accounting database. Also, backing up the database preservers access records when migrating to a new server. To back up the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.
Restoring a database from backup will erase all records in the current database. It does not append. Proceed with caution!
Move Database Files
Inbox accounting database and log files are located in C:\Windows\DirectAccess\Db by default.
However, storing database and log files on the system drive is not ideal. A better alternative is to place the inbox accounting database and log files on a separate disk for optimum performance. To move the inbox accounting database, download and run the following PowerShell script on each VPN server in the organization.
Moving inbox accounting files may not be formally supported by Microsoft. Use caution when making this change.
Remove Database
Occasionally an inbox accounting database becomes corrupt and can no longer be managed. If this happens, completely removing the database is required. It is essential to know that simply disabling and re-enabling inbox accounting on the VPN server does not delete the database. To delete the database completely, download and run the following PowerShell script.
To simplify things, the PowerShell scripts described in this article are available in a PowerShell module that can be installed from the PowerShell gallery using the following command.
Always On VPN Administrators may encounter a scenario where Always On VPN connections suddenly stop working for all clients using the Secure Socket Tunneling Protocol (SSTP) VPN protocol. IKEv2 VPN connections continue to work, however.
Event Log
Reviewing the event log on a client machine reveals an error event ID 20227 from the RasClient source. The error message states the following.
“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is -2146762495.”
Error -2146762495?
Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868. However, this error code seems to be formatted much differently. As it turns out, this message is in decimal format. Thankfully it’s pretty easy to convert it to something more meaningful, like hexadecimal. To do this, open the Windows calculator (calc.exe) and switch to programmer mode. Highlight DEC and enter -2146762495. The hexadecimal value will be displayed in the HEX field, as shown here.
Error 0x800B0101
After converting the error message from decimal to hex, use the Microsoft Error Lookup tool (err.exe) to translate the hex value of this error. As shown here, 0x800B0101 translates to CERT_E_EXPIRED.
Expired TLS Certificate
Once again, an expired certificate is to blame! In this case, the TLS certificate installed on the VPN server has expired and is no longer valid.
Resolution
The problem is simple enough to resolve, of course. Obtain a new TLS certificate from your certification authority (CA) of choice and update your VPN server configuration. You can find detailed guidance for updating the RRAS VPN server’s TLS certificate here. You will also find a video demonstration of the RRAS SSL/TLS certificate renewal process here.
