I saw a little e-mail the other day that linked to an article at ZDNet about a new app for the iPad – OnLive Desktop – which promised to deliver a virtual Windows 7 desktop and Office applications over the air. Of course, I popped right on over to the web site at OnLive and signed up to be notified when the service was opened up. Well, this morning I received my e-mail that my account was ready to go, so I fired up my iPad, downloaded the OnLive Desktop app, and got going. Here’s a very quick overview of the service, because I had very little time to really investigate this morning.
First, I launched the OnLive Desktop app:
One project we’ve been working on locally requires that a particular URL be added to the Trusted Sites zone in Internet Explorer for all users. Since this is a rather large site, we didn’t want to have to touch each machine individually, especially since some of the machines are shared. I did quite a bit of looking around to see if this could be done with Group Policy, and there is a solution that has a lot of blog posts about how to configure it using the Site to Zone Assignment List Policy setting. Unfortunately, when we tested this, it had the unfortunate side effect of locking users out from making any changes to the Trusted Sites list and effectively removed all of the sites that had been in their lists beforehand (luckily for us, we follow our own best practices and tested this internally before deploying at the client site).
It took quite a bit of digging, but I did find a way to achieve our goal using Group Policy Preferences and manipulating the appropriate settings in the user section of the registry. In this example, we’re going to add the url https://remote.smallbizco.net to the Trusted Sites zone. Here’s how it’s done.
- On the domain controller, open the Group Policy Management Console (gpmc.msc or under Administrative Tools).
- Right-click on the domain object and select Create a GPO in this domain, and Link it here…
- Give the GPO a meaningful name (I chose the not-very-clever URLs Added to IE Security Zones as a sample name).
- Right-click on the new GPO and select Edit.
- Expand User Configuration -> Preferences -> Windows Settings and select Registry.
- Right-click on Registry and select New -> Registry Item.
- Select Update for the Action and HKEY_CURRENT_USER as the Hive, then click on the browse button next to Key Path.
- Expand HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Internet Settings -> ZoneMap and click EscDomains, then click Select.
- Click anywhere in the Key Path field and press the End key. At the end of the Key Path string, type a backslash, then the domain of the site (in this case smallbizco.net), then another backslash and the name of the site in the domain (in this example, remote). In the Value field enter the protocol type (in this example we used https, but http, ftp, and other protocols can be used in this field, or you can enter an asterisk for all protocols). Change the Value Type to REG_DWORD, then enter the value data for the security zone you want to put the URL into: 1 is for the Intranet zone, 2 is for the Trusted Sites zone, 3 is for the Internet zone, and 4 is for the Restricted Sites zone.
- Click Apply, then click OK. If you want to add other URLs repeat steps 6 through 10.
- After you have entered all the URLs you need, close the Group Policy Management console.
- From the domain controller, run the command gpupdate /force and wait for the command to finish. You may be prompted to log off, but that is not necessary for this policy to take effect.
- From the workstation, you can either reboot and let the policy apply at the next login, or you can close Internet Explorer and run gpupdate /force from the workstation to apply the updated policy.
- When you look at the Trusted Sites list in Internet Options, you will now see the URL has been added to the list.
Note that the client will have to have the Group Policy Preferences Client Side Extensions loaded if the client OS is Windows XP, Windows Vista, or Server 2003 (KB943729). Adding URLs using this method does not interfere with any URLs that may have already been added by the user, and this will apply to every user in the domain. If you need to further restrict which users have this policy applied, you can either apply the GPO to a different OU within the domain or change the Security Group to which the GPO should apply in the Security Filtering settings of the GPO.
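To confirm on a workstation what the preference item actually wrote, the following added example (not part of the original post) lists every site-to-zone assignment under the user's ZoneMap key and marks Trusted Sites entries that allow a protocol other than https. It assumes PowerShell 3.0 or later; the function names and the Review column are made up for this illustration.

```powershell
# Added example: report per-user site-to-zone assignments from the ZoneMap key.
# Zone numbers 1-4 are the values listed in the steps above.
$ZoneNames   = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneAssignment {
    # Hypothetical helper: turn the values of one registry key into report rows.
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [string]$Site,
        [string]$Branch
    )
    foreach ($protocol in $Key.GetValueNames()) {
        if ($protocol -eq '') { continue }        # skip the key's unnamed default value
        $zone = $Key.GetValue($protocol)
        if ($zone -isnot [int]) { continue }      # zone assignments are REG_DWORD values

        $zoneName = $ZoneNames[$zone]
        if (-not $zoneName) { $zoneName = "Other ($zone)" }

        [pscustomobject]@{
            Branch   = $Branch
            Site     = $Site
            Protocol = $protocol                  # value name: https, http, ftp, * ...
            Zone     = $zone
            ZoneName = $zoneName
            # Trusted Sites entry that is not limited to https: worth a second look
            Review   = ($zone -eq 2 -and $protocol -ne 'https')
        }
    }
}

function Get-ZoneMapReport {
    param([string]$Root = $ZoneMapRoot)

    # EscDomains is the branch used in the steps above; Internet Explorer reads it
    # when Enhanced Security Configuration is on and reads Domains when it is off.
    foreach ($branch in 'Domains', 'EscDomains') {
        $base = Join-Path $Root $branch
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($domainKey in Get-ChildItem -LiteralPath $base) {
            $domain = $domainKey.PSChildName
            # Values set directly on the domain key apply to the domain itself
            Get-ZoneAssignment -Key $domainKey -Site $domain -Branch $branch

            # Subkeys are site names inside the domain (e.g. remote under smallbizco.net)
            foreach ($hostKey in Get-ChildItem -LiteralPath $domainKey.PSPath) {
                $site = "$($hostKey.PSChildName).$domain"
                Get-ZoneAssignment -Key $hostKey -Site $site -Branch $branch
            }
        }
    }
}

Get-ZoneMapReport | Sort-Object Zone, Site | Format-Table -AutoSize
```

Run it in the affected user's own session, since the entries live in HKEY_CURRENT_USER.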
As discussed in the January 2011 Third Tier webinar on SBS 2011 Standard Installation, creating a bootable USB drive to run the installer from goes MUCH faster than running off a DVD, if you can find a DVD writer and dual layer media for the 6.5GB installation ISO for SBS 2011 Standard. Microsoft provides a tool that makes it very easy (note I said “easy” not “fast”) to transform your SBS 2011 Standard installation ISO into a bootable USB key. Here’s how to do it:
First, you need the following:
- A 64-bit Windows 7 system
- The Microsoft Windows 7 USB/DVD Download Tool installed on the Windows 7 system (http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe)
- The SBS 2011 Standard Installation ISO
Once you have those in place, follow these simple instructions:
- Open the Windows 7 USB DVD Download Tool
- Click Browse and locate the SBS 2011 Standard Installation ISO file.
- Click Next.
- Insert the USB media (if it hasn’t already been inserted).
- Disable your on-access virus scan on the computer (this can interfere with the copy operations).
- Click USB Device.
- Select the correct USB media (needs at least 6.5GB space don’t forget) and click Begin copying.
- Wait a really, really long time….
- When the process completes, close the Windows 7 USB/DVD Download Tool and eject your USB key.
- Re-enable the on-access scanning of your anti-virus software.
That’s it, you’re done!
Now, since the USB media is writable (unlike the DVD media), you can do some interesting things with it, like copying your SBS Answer File to the USB key and have it already present when you start your installation or migration. But that also means that you can damage or destroy the install media if you accidentally overwrite or delete any of the files on the USB key, so tread lightly when making changes to the media.
[Note - the genesis of this idea came from Susan Bradley's post of a similar nature from September 2010, enhanced a little with some of the items I've picked up along the way...]
Yes, it’s June 24, and the new iPhones have been hitting the streets, and a number of people have been updating their previous iPhone models to the iPhone OS 4 (IOS4). As we’ve done for the previous versions, here are instructions for connecting your iPhone 4 to an Exchange server.
- From the Home screen (or whichever screen you’ve moved the icon to), click the Settings icon.
- In the Settings screen, click Mail, Contacts, Calendars
- Click Add Account
- Click Microsoft Exchange
- Enter the information in the account screen:
  - Enter your e-mail address *exactly* as the default account is set (for example, if your outbound e-mail address is Jonathan.Dough@smallbizco.net, enter it exactly that way – do not enter firstname.lastname@example.org).
  - Enter your internal domain name (if needed)
  - Enter your account name (this is the name used to log into your computer, it may or may not match your e-mail address)
  - Enter your account password
  - Enter a description for the account (Exchange will be the name if you do not put anything into the description field)
- Once you have verified that the information entered is correct, click Next.
- You may see a warning that your server identity cannot be identified. This is expected if the server is Exchange 2003 or if the Autodiscover record for the server has not been set up properly. If you see this message, click Continue.
- If you did get the previous message that the phone could not verify the identity of the server, you will need to enter the name of the server. This will be the same address you enter to get to Outlook Web Access (i.e., if you use https://remote.smallbizco.net/owa as the address for your Outlook Web Access server, then enter remote.smallbizco.net in the Server field).
- You may receive a second warning that the server identity cannot be verified. This will be the case if your Exchange server has an invalid or untrusted SSL certificate. The iPhone can continue to communicate with the server using this certificate, and that communication is still encrypted, although the phone has not been able to confirm the server's identity. If this is the first, or second, time you get this warning, click Continue.
- If you receive a message that the Exchange account cannot be verified, click OK and make sure you have entered the account information correctly. This error will most often appear if a password has not been entered correctly or if the Domain information is incorrect.
- Once the account has been validated, select which Exchange features you wish to synchronize with your phone, then click Save.
- After creating the account, you can go back into the account settings to change the items you wish to synchronize, or to modify other synchronization options.
At this point, your iPhone will start to synchronize information with your Exchange account. Depending on the data connection speed of the iPhone and your server, along with how much data you have in your mailbox to synchronize, this process may take some time.
Yesterday I finally ran into my first failed SBS 2008 install, not one I had picked up from someone else, but one of my own where I’ve managed the source server for years and did all the prep work myself. It was both a good thing and a bad thing: good because we got to finally troubleshoot one where we knew the entire environment up front so we could immediately eliminate several potential causes, bad because we were on a really limited migration timetable for this particular customer and we’ve ended up losing more than just a day on the project.
But the interesting thing about this migration is why it failed, and the blame lies right at the feet of Dell. Short story: the Dell PowerEdge R310 server does not allow you to individually disable the on-board NICs in BIOS. In BIOS, you can choose to disable both NICs, but the individual integrated NIC options include “Enabled,” “Enabled with PXE,” and “Enabled with iSCSI.” No “Disabled” option at all.
I’ll be perfectly honest, this was not a scenario I tested when working on the migration documentation with Microsoft and researching for the SBS 2008 Unleashed book. Since the SBS 2008 requirements list a single NIC only, that’s all the testing that I did. So when I went through with the migration install yesterday, I knew I was taking a bit of a chance, but hoped that since I only had one NIC connected to the network it wouldn’t be a problem.
Well, it was.
During the setup, the SBS portion of the install tried to do a WMI query against DNS for the existing domain. The query succeeded on the connected NIC, but the installer performed the query again on the disconnected NIC and failed. That failure led to the dreaded cascading failure of Exchange and everything else that followed. We were able to get the source server back online quickly since we followed best practices and took a System State Backup immediately prior to launching the SBS 2008 installer on the destination server, but then we faced the dilemma of how to proceed. After discussing the issue with a Microsoft contact, we thought the setup might complete if we connected both NICs to the network, but the better option is to disable the unused NIC in BIOS and do the migration setup the way it’s supposed to be done.
After a 3.5 hour call with Dell, it basically cannot be done on the R310. Apparently someone decided that an all or nothing configuration on the NICs on that particular server was the better solution than letting each NIC be individually disabled as done on every other Dell server I’ve worked with for a decade. The issue has been escalated with the engineering team, but we don’t yet know if there will be a fix or how long it will take to get one if it can be done.
Bottom line, I cannot recommend installation of SBS 2008 on a Dell PowerEdge R310 server until (or if) Dell resolves the issue of disabling the NICs individually in BIOS. I can almost guarantee that a migration setup will fail on this platform, but I don’t know if a clean install will have a similar issue or not. If anyone has successfully installed SBS 2008 on an R310 server, I’d love to hear from you. Since this is a relatively new model from Dell, however, I may well be one of the first to attempt this particular configuration. And I hope that our pain can save someone else from the same…
On Monday, March 29, Apple released a major update to its Snow Leopard operating system, making the incremental update of 10.6.3 available for download and installation. According to ComputerWorld (http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update) and other sources, the 92 updates and fixes included in the release is a record number of issues addressed in a single update.
The default Software Update settings in Snow Leopard will check in with the Apple update servers on a weekly basis, so within the next 5-7 days any Mac running Snow Leopard should notify its operator that new updates are available for download and installation. Users can check for this and other updates manually by selecting Software Updates from the Apple Menu on any Mac running OS 10.x.
A security update for Mac OS 10.5 was also released on Monday, and while it is not as large of an update as 10.6.3, it still addresses several significant security issues and should be installed on any 10.5 Macintosh as soon as possible.
While I’ve not been a huge fan of WSUS in the past, it’s been growing on me over the last year or so. Specifically, I’ve been really pleased with how WSUS 3.0 and SBS have been integrated (well, so long as you don’t hit a problem with the integration, which can then lead to a LOT of work to recover or repair or reinstall, but that’s a different post for a different day). But there are still challenges to keeping WSUS in check and keeping it from having unintended impacts on those same SBS servers.
Fortunately, most of the commonly-encountered problems with WSUS 3.x can be dealt with by running the Server Cleanup Wizard from the Update Services console. [NOTE: If you have never run the Server Cleanup Wizard in WSUS on a server that's been in production for a while, I recommend running the wizard manually and only select one category at a time. The first run can clean a LOT of information out of the WSUS environment, and it can take a VERY long time to complete.] But in this day of automating tasks, I don’t want to manually run the Server Cleanup Wizard on a regular basis as it can still take some time to complete the supplemental runs even after the first (and potentially longest) pass has been completed.
Well, there are two mechanisms for automating the Server Cleanup Wizard process on an SBS 2008 server (and other servers running WSUS for that matter). The first method that I’ll discuss below is fairly easy to google, but the second doesn’t show up in searches related to SBS 2008 (that I’ve been able to find at the time that I put this post together), so I’m going to document it here.
Let me start by saying that a lot of people who have implemented one of these two methods seem to be in agreement that these processes (or a variation thereof) should be included within WSUS itself and not relegated to what amounts to an add-on for maintenance and management. I’m in the same category, and really would like the WSUS team to look at providing tools with WSUS to be able to schedule the maintenance out of the box.
The first solution I ran across last year was a tool uploaded to Codeplex: http://wsus.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=17612. This is a compiled tool that will perform operations on the WSUS implementation based on command-line parameters that are passed to the tool when executed. It can run each of the cleanup tasks in the Server Cleanup Wizard individually or in groups, and also includes an SQL script that the tool can call to perform maintenance on the WSUS database file itself. I’ve deployed this in testing on a few SBS 2003 installations where I have WSUS 3.x running, and it’s been able to keep the WSUS installation in check rather nicely. My only beef with the tool is that since it’s a compiled executable, it’s impossible to tweak its operation beyond what the developer has coded into the tool. Currently, I can’t think of any WSUS tasks that I’d like to do that this tool cannot, but if an update to WSUS changes the way some of these tasks can be called, it’s possible that the tool might cease to function or not be able to handle new functionality and need an update from the author. I’ve also not run this on SBS 2008 yet simply because I don’t have a test box that I could run this on to make sure it doesn’t misbehave on that platform. It might work just the same on SBS 2008 as SBS 2003, but I can’t confirm that first-hand, so I haven’t pushed it out.
The second solution I ran across (again, not in an SBS 2008 search) is a PowerShell script that calls the Server Cleanup Wizard functions from WSUS directly. Since PowerShell is enabled by default on SBS 2008 out of the box, and since I can get into the code directly, I went ahead and implemented this script on my own production server, because I honestly hadn’t run the Cleanup Wizard on it in I don’t know how long. The script came from the Microsoft Technet Script Center at http://gallery.technet.microsoft.com/ScriptCenter/en-us/fd39c7d4-05bb-4c2d-8a99-f92ca8d08218. I have a Tools folder on the root of the second partition of every server I deploy, and I added a Scripts folder in that to house this script. I named the script WSUS_Cleanup.ps1 and copied the contents from the Script Center page into the file. I then opened a Command Prompt as Administrator and ran “powershell.exe WSUS_Cleanup.ps1” on the server. After a long wait (like I said, I hadn’t run the Server Cleanup Wizard in a looooooong time), I got output from the script that showed the results of each of the steps it ran within the script (as listed on the Script Center page, the option to remove old computers from WSUS has been commented out).
Being the kind of guy who likes to review the results of processes once they complete, I built a quick and dirty batch file wrapper for the PowerShell script. Yes, I probably could have done the whole thing in PowerShell, but I’m still a bit of a PS newbie, so I relied on my comfort with batch files to get this wrapper done. Here are the contents of the WSUS_Cleanup.bat that I put on the server:

    @echo off
    @echo Starting cleanup: %date% %time% >> d:\tools\scripts\WSUS_Cleanup.log
    powershell.exe d:\tools\scripts\WSUS_Cleanup.ps1 >> d:\tools\scripts\WSUS_Cleanup.log
    @echo Finished cleanup: %date% %time% >> d:\tools\scripts\WSUS_Cleanup.log

The batch file writes the current date and time to a log file that I created in the same Scripts folder where the other pieces are, then calls PowerShell to run the cleanup script and appends the output of that process to the log file as well. Once that finishes, the current date and time are again appended to the log. Now I can see when the script ran, what it did when it ran, and how long it took to complete.
Either of these tools is easily adaptable to running as scheduled tasks or as scripts from your favorite RMM tool. The WSUS_Cleanup from Codeplex has a couple of advantages over the PowerShell script. One, you can select which components of the Cleanup Wizard you wish to run by adjusting the command line call to the tool. With the PowerShell script as written, you have to modify the script and comment or uncomment each of the tasks. (Yes, a savvy PowerShell person should be able to modify that script to mimic the behavior of the Codeplex tool, and as I’ve mentioned, I’m not that guy. Yet.) Second, the Codeplex tool has the SQL maintenance script included which can be run within the scope of the Codeplex tool. The PowerShell script does not include anything for SQL maintenance on the actual database files. Again, someone with SQL skills could easily script up and automate a process to do the same thing, and again that’s not me.
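One way to get the select-your-tasks behaviour described above from PowerShell, as an added example that is neither the Script Center script nor the Codeplex tool. It assumes it runs on the WSUS server itself with the WSUS 3.0 administration API installed; the task names and the file name WSUS_CleanupTasks.ps1 are made up for this illustration.

```powershell
# Added example: run only the Server Cleanup Wizard tasks named on the command line,
# one category per pass, and write the result of each pass to the output stream.
#   powershell.exe d:\tools\scripts\WSUS_CleanupTasks.ps1 ExpiredUpdates,UnneededContentFiles
# With no arguments it runs every task except removing old computers.
param(
    [string[]]$Task = @('SupersededUpdates', 'ExpiredUpdates', 'ObsoleteUpdates',
                        'CompressUpdates', 'UnneededContentFiles')
)

# Hypothetical task names mapped to the CleanupScope properties of the WSUS API
$ScopeProperty = @{
    SupersededUpdates    = 'DeclineSupersededUpdates'
    ExpiredUpdates       = 'DeclineExpiredUpdates'
    ObsoleteUpdates      = 'CleanupObsoleteUpdates'
    CompressUpdates      = 'CompressUpdates'
    ObsoleteComputers    = 'CleanupObsoleteComputers'
    UnneededContentFiles = 'CleanupUnneededContentFiles'
}

# Accept "A,B" passed as one string as well as a real array, then validate
# every name before touching WSUS so a typo cannot cause a partial run.
$selected = @()
foreach ($item in $Task) {
    foreach ($name in $item.Split(',')) {
        $name = $name.Trim()
        if ($name -eq '') { continue }
        if (-not $ScopeProperty.ContainsKey($name)) {
            throw "Unknown task '$name'. Valid tasks: $($ScopeProperty.Keys -join ', ')"
        }
        $selected += $name
    }
}

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$manager = $wsus.GetCleanupManager()

foreach ($name in $selected) {
    # Build a scope with exactly one category switched on
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    foreach ($property in $ScopeProperty.Values) {
        $scope.$property = ($property -eq $ScopeProperty[$name])
    }

    $started = Get-Date
    Write-Output "[$started] Starting $name"

    $result  = $manager.PerformCleanup($scope)
    $summary = ($result | Format-List | Out-String).Trim()
    $elapsed = (Get-Date) - $started

    Write-Output $summary
    Write-Output "Finished $name in $([int]$elapsed.TotalMinutes) minute(s)"
}
```

Because everything goes to the output stream, the batch wrapper above can redirect it into the same log file.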
Given that PowerShell is getting more and more visibility in the Server 2008 world, I’m going to be focusing (when possible) on dealing with automation tasks that make use of PowerShell or other native scripting tools rather than rely on someone else to build an executable file. Not to say that the WSUS_Cleanup tool on Codeplex is a bad thing. I’m probably going to keep that on my 2003-based systems until there’s a reason not to. But for my 2008 deployments, I’m going to stick with PowerShell for WSUS maintenance. If nothing else, I get an excuse to learn more about PowerShell and keep my WSUS installations in good working order.
One of the significant differences in the minimum specs for installing SBS 2008 versus SBS 2003 was the minimum size of the C: partition needed for installation and operation. SBS 2008 requires a minimum of 60GB in the install partition or it won’t go. Those of us who were used to fighting the 12GB C: partition implemented by OEM vendors in SBS 2003 initially looked at that and thought “yeah, that’s a good change.” Well, as it turns out, kinda like the 4GB RAM minimum spec, the 60GB C: partition may not be big enough after all.
If you ask around those who have been doing SBS 2008 deployments, one of the best practices adopted by most is to use the Move Data Wizards in the Server Storage tab of the SBS 2008 Console and get the key data components off the C: partition and onto another partition (Exchange, SharePoint, User’s folders, User’s redirected documents, and WSUS content). And if you take the step that some do of installing third-party software to a partition other than C:, we should be ending up with a fairly pristine C: partition with minimal dynamic data on it. In theory.
I’ve been deploying my SBS 2008 installs with a 100GB C: partition simply because I figured that over time, something would find a way to suck up all the space on C: and we’d eventually get to a point where we’d have to deal with resizing partitions or doing manual data cleanup. I didn’t expect that I’d hit that scenario just over a year after my first SBS 2008 production deployment.
In the last couple of weeks, my monitoring tools have started chirping about low disk space on C: on a couple of installs. Sure enough, one installation had 17GB remaining of a 100GB partition, another had 3.5GB remaining on an 80GB partition (my own production box, and yeah, it really needs an overhaul, but that’s another story). I started digging around and found the most common disk hog that’s been complained about across the net, the winsxs folder. Based on everything I’ve been able to read about winsxs, including a post from the Windows Server Core Team, that’s something that we’ll just have to live with, and really isn’t the point of this post anyway. Still, on my boxes, the winsxs folder still only amounted to about 12GB (bigger than what I’d like, but certainly not the primary culprit) which is only about 10% of my standard install C: space. Something else had been sucking away space and keeping it from me.
We use TreeSize from JAM Software as a standard utility on our server deployments to help monitor disk space usage, as this is something that comes up from time to time. [NOTE: this is not a specific endorsement of TreeSize, just a note that it's one of the many tools that we use in our operation.] So in the case of these low-free-space servers, I fired up TreeSize and went looking for the disk hog. Surprisingly, I couldn’t find it. I did clear up some areas that showed a larger-than-expected usage, but couldn’t find the smoking gun. A few weeks have gone by, and while I’ve been monitoring the state of these servers to ensure that free space didn’t get critically low, other tasks moved up on the priority list.
Then a discussion on one of my private lists cropped up regarding this exact topic, and I learned two valuable tidbits from that discussion.
The first is that in order for TreeSize to see the contents of ALL folders on the C: partition, it must be Run As Administrator. Upon reflection, this makes sense, but I know it’s catching a lot of experienced system admins off-guard. Some are advocating disabling UAC on the server to avoid this kind of issue, and I’m honestly not fully decided where I stand on that, so I won’t comment either way on that. But it does serve as a reminder that many system tools we may have been using for years on 2003 servers might not behave the same way under 2008 if you don’t use the almighty Run As Admin option.
The second is that the WSUS site in IIS has been logging an OBSCENE amount of data into the IIS logs folder. One of my servers had nearly 30GB (yes, that’s 30 gigabytes) of data in the WSUS log folder (C:\inetpub\logs\LogFiles\W3SVC1372222313). Another had just over 20GB. And in looking in the folder, I saw numerous DAILY log files that were well over 100MB each, with some well over 200MB each.
Once I cleared out the old log files (honestly, how far back am I going to need to look at WSUS logs anyway?) the free space on C: increased to a reasonable level, and my monitoring stopped yelling at me quite so often.
There are multiple lessons learned from this experience for me. The first is the whole reminder about Run As Administrator in the Server 2008 era. I’ve even taken to labeling some shortcuts with “Run As Administrator” in the icon name just to serve as a reminder. The second lesson is that 60GB is certainly NOT going to be sufficient as a minimum partition size on a production SBS 2008 server, even if all other data is moved off to different volumes (and I haven’t even covered the option of moving the WSUS SQL database files off of C: to another partition, which can’t be done through wizards but must be done by hand). With winsxs and the WSUS logs as two items that will definitely be grabbing disk space unexpectedly (well, it’s expected now anyway), we can be sure that over time there will be others. And as stated on the Core Team blog, you can only expect that winsxs will continue to grow over time. If it’s 12GB now, how large will it be in a couple of years? The third lesson is that some logging that happens automatically on the server probably should not just be left unchecked. If you enable SMTP logging (which I do and recommend for troubleshooting purposes), you should clean out old SMTP logs on a regular basis. Well, now you can add WSUS/IIS logs to that approach as well. There are numerous posts out there for ways to script this process, and I’m evaluating the approach we’re going to take within our operation to make this happen for our customer base.
If you’ve been struggling with low disk space issues on SBS 2008 C: partitions, hopefully this information will help you get a better handle on the immediate actions as well as the long term strategy that you’ll develop for your particular environment.
Earlier this month an associate pinged me about an unusual situation. He had an SBS 2003 server that was shutting itself down periodically, claiming that it was doing so because there was another SBS server in the domain. Well, this is expected behavior if there is, in fact, another SBS server in the domain, but this particular network had only one server, the SBS server, and not a single other server or history of another server in the network. Another unusual symptom of the behavior is that the server would remain up for a little over 24 hours before it would shut itself down because of the phantom SBS server. According to MS KB 925652 the SBS server will shut down every hour if it detects another SBS server in the domain, so clearly a different set of events were causing this behavior. The server was logging SBCore 1011 errors in the event logs, but only after the server had been online for about a day.
On a tip from a colleague at MS, we started to look for a possible memory leak in the system. I worked with my colleague to set up perfwiz and poolmon to try to identify the process (or processes) that were leaking. The theory was that a runaway leak could strip the server of valuable non-paged pool memory which could cause the SBCore check to fail and generate the errors and shutdown event. I must admit, perfwiz and poolmon never were my strong points, so even after we got some results back, the review didn’t come up with a smoking gun.
Then my associate found a tip that I’d not heard of before, even though I regularly modify settings where this tip was found. He opened the Task Manager on the server, selected the Processes tab, then opened Select Columns under the View menu. In here, he enabled the “Memory – Non-paged Pool” column and then sorted the Task Manager process list by that column. Sure enough, he not only quickly found the culprit, but also could sit and watch the Non-paged Pool count grow steadily right before his eyes. The service causing the problem? spoolsv.exe, the print spooler service.
A quick bit of Googling on his part ultimately led him to this post from Tek-Tips which helped him identify the root cause of the problem: HP Standard TCP/IP ports for printers on the server. He changed the port types for the printers from HP Standard TCP/IP ports to Standard TCP/IP ports, and the server hasn’t shut down again since.
Turns out, there is a KB on this situation, too, MS KB 933999. And in going back and looking further, the server was logging the Srv 2019 errors in the event logs as well. Since we were sidetracked by the anomalous SBCore behavior, we did overlook the 2019 as a possible factor as well.
In the end, I learned two things from this. One, you can track non-paged pool memory usage in Task Manager (which really isn’t a *revelation* per se, just something that I wouldn’t have necessarily deliberately gone out and looked for), and two, memory leak issues can cause anomalous SBCore errors and the shutdown of an SBS server. The good news is that the server was shutting down “normally” because of the SBCore misfire instead of totally running out of non-paged pool memory and crashing, as MS KB 933999 points out can happen. Bottom line, customer happy, and tech support further educated!
One of the advantages of the activation process in newer versions of Windows is that you can install the OS in evaluation mode for 60 days without having to use a license key. Additionally, you can extend this evaluation for more than 60 days by following steps outlined in several public posts (I’m including this link to Sean Daniel’s post on this).
A critical step in this process, however, is the restart of the box AFTER the slmgr.vbs -rearm command has been run. If the system is NOT restarted after this process, some unusual behaviors can be observed. This post is to identify the specific errors that can result from this specific set of circumstances so that should someone run across this situation you can see what may be going on.
I recently ran into this issue with an SBS 2008 server. When signing into the server, the above error dialog appeared on the server. Closing the error allowed continued normal use of the server, both from an interactive login point of view as well as from a remote resource use point of view. Checking the state of the activation window using the slmgr.vbs script generated the error below:
The error appears quickly (unlike the normal response of the slmgr.vbs script) and the key element is the error code. The 0xC004D302 indicates that an slmgr.vbs -rearm has been run, but the server has not been restarted. In the case of this system, a normal restart of the system returned the box to normal operation without Activation errors and slmgr.vbs ran correctly.
NOTE: This does not cover ALL possible causes for the Windows Activation Errors tied in with slmgr.vbs script errors. It is possible that this behavior could indicate other issues. But if you can log in and use the system “normally” after seeing this error (other activation errors prevent you from completing the login process and you never get to a desktop), chances are you just need to restart the server to return to normal behavior.