Merge pull request #8575 from MicrosoftDocs/main

Auto push to live 2025-03-26 10:00:02

Author: Deland-Han

.openpublishing.redirection.json

@@ -13195,6 +13195,18 @@
     {
       "source_path": "support/windows-server/active-directory/connection-adfs-failed-set-msoladfscontex.md",
       "redirect_url": "/previous-versions/troubleshoot/windows-server/connection-adfs-failed-set-msoladfscontex"
+    },
+    {
+      "source_path": "support/windows-client/user-profiles-and-logon/error-invalid-store-path-loadstate-user-state-migration-tool.md",
+      "redirect_url": "/troubleshoot/windows-client/setup-upgrade-and-drivers/error-invalid-store-path-loadstate-user-state-migration-tool"
+    },
+    {
+      "source_path": "support/windows-server/active-directory/file-replication-service-event-13552-13555.md",
+      "redirect_url": "/troubleshoot/windows-server/networking/file-replication-service-event-13552-13555"
+    },
+    {
+      "source_path": "support/windows-server/active-directory/remove-orphaned-domains.md",
+      "redirect_url": "/troubleshoot/windows-server/windows-security/remove-orphaned-domains"
     }
   ]
 }

support/azure/virtual-machines/windows/reset-rdp.md

@@ -12,9 +12,9 @@ ms.collection: windows
 ms.workload: infrastructure-services
 ms.tgt_pltfrm: vm-windows
 ms.topic: troubleshooting
-ms.date: 10/18/2024
+ms.date: 03/26/2025
 ms.author: genli
-ms.reviewer: herensin
+ms.reviewer: herensin, v-monicaba
 ---
 # Reset Remote Desktop Services or its administrator password in a Windows VM
 
@@ -91,6 +91,22 @@ First, make sure that you have  the [latest PowerShell module installed and conf
 
 1. If you still can't connect remotely to your virtual machine, see [Troubleshoot Remote Desktop connections to a Windows-based Azure virtual machine](troubleshoot-rdp-connection.md). If you lose the connection to the Windows domain controller, you will need to restore it from a domain controller backup.
 
+## Troubleshoot and support
+
+### Error messages
+
+| Error  | Description |
+| ---- | ---- |
+| {"innererror": {"internalErrorCode": "CannotModifyExtensionsWhenVMNotRunning"}, "code": "OperationNotAllowed","message": "Cannot modify extensions in the VM when the VM is not running."} | This error indicates that the operation to modify extensions in the VM isn't allowed because the VM isn't running. <br><br> To resolve this issue, ensure that the VM is running before attempting to modify extensions. |
+| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'VMAccess Extension does not support Domain Controller.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because it doesn't support a domain controller. <br><br> To resolve this issue, ensure that the VM isn't configured as a domain controller when using this extension. For more information, see [Reset Remote Desktop Services or its administrator password in a Windows VM](reset-rdp.md). |
+| VM 'vmname' has not reported status for VM agent or extensions. Verify that the OS is up and healthy, the VM has a running VM agent, and that it can establish outbound connections to Azure storage. Please refer to https://aka.ms/vmextensionwindowstroubleshoot  for additional VM agent troubleshooting information. | To troubleshoot this error, see [Troubleshooting checklist](windows-azure-guest-agent.md#troubleshooting-checklist). |
+|VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. --- End of inner exception stack trace --- at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUser.SetPassword(SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot. | This error indicates that the VM extension "enablevmAccess" failed to update the Remote Desktop Connection settings for the Administrator account due to a password policy violation. <br><br> To resolve this issue, ensure that the password meets Windows password policy requirements, including minimum length, complexity, and history. For more information, see [Troubleshoot VM extensions](/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions). |
+| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'The Admin User Account password cannot be null or empty if provided the username.'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because the Admin User Account password wasn't provided. <br><br> To resolve this issue, ensure that a non-null and non-empty password is specified for the Admin User Account. |
+|   Provisioning of VM extension enablevmaccess has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. | This error message indicates that the provisioning of the VM extension "enablevmaccess" has timed out because it took too long to complete. Additionally, the extension didn't provide any status message during the process. <br><br> To resolve this issue, consider checking the VM's performance and network conditions, and then retry the provisioning operation. For more information, see [Troubleshooting Azure Windows VM extension failures](/azure/virtual-machines/extensions/troubleshoot). |
+| VM has reported a failure when processing extension 'enablevmAccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Exception: User account scsadmin already exists but cannot be updated because it is not in the Administrators group. at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error indicates that the VM extension "enablevmAccess" failed because the user account "scsadmin" already exists but isn't in the Administrators group. <br><br> To resolve this issue, ensure that the user account is added to the Administrators group.|
+| VM has reported a failure when processing extension 'enablevmaccess' (publisher 'Microsoft.Compute' and type 'VMAccessAgent'). Error message: 'Cannot update Remote Desktop Connection settings for Administrator account. Error: System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements. at System.DirectoryServices.DirectoryEntry.CommitChanges() at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUser.SetPassword(SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.WindowsUserManager.CreateUserInGroup(String userName, SecureString password, Boolean expirePassword, String[] groups) at Microsoft.WindowsAzure.GuestAgent.Plugins.RemoteAccessAccountManager.AddOrUpdateRemoteUserAccount(String userName, SecureString password, Boolean expirePassword) at Microsoft.WindowsAzure.GuestAgent.Plugins.JsonExtensions.VMAccess.VMAccessExtension.OnEnable()'. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot . | This error message indicates that the VM failed to process the "enablevmaccess" extension due to an issue with updating the Remote Desktop Connection settings for the Administrator account. The specific error is related to the password not meeting the policy requirements, such as minimum length, complexity, and history. <br><br> To resolve this issue, ensure that the password complies with the required policy standards. For more information, see [Troubleshoot VM extensions](/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions). |
+| {"innererror": {"internalErrorCode": "MultipleExtensionsPerHandlerNotAllowed"}, "code": "BadRequest","message": "Multiple VMExtensions per handler not supported for OS type 'Windows'. VMExtension 'enablevmaccess' with handler 'Microsoft.Compute.VMAccessAgent' already added or specified in input."} | This error message indicates that the OS type "Windows" doesn't support multiple VM extensions per handler. The "enablevmaccess" extension with the handler "Microsoft.Compute.VMAccessAgent" has already been added or specified in the input. <br><br> To resolve this issue, ensure that only one extension per handler is configured for the VM. <br><br> You can manually remove an extension by using the following PowerShell cmdlet and retry the operation: <br> `Remove-AzVMExtension -ResourceGroupName "ResourceGroup11" -Name "ExtensionName" -VMName "VirtualMachineName"` |
+
 ## Next steps
 
 - If the Azure VM access extension fails to install you can [troubleshoot VM extension issues](/azure/virtual-machines/extensions/troubleshoot?toc=/azure/virtual-machines/windows/toc.json).

…h-loadstate-user-state-migration-tool.md …h-loadstate-user-state-migration-tool.mdsupport/windows-client/user-profiles-and-logon/error-invalid-store-path-loadstate-user-state-migration-tool.md renamed to support/windows-client/setup-upgrade-and-drivers/error-invalid-store-path-loadstate-user-state-migration-tool.md support/windows-client/user-profiles-and-logon/error-invalid-store-path-loadstate-user-state-migration-tool.md renamed to support/windows-client/setup-upgrade-and-drivers/error-invalid-store-path-loadstate-user-state-migration-tool.md

@@ -7,8 +7,8 @@ audience: itpro
 ms.topic: troubleshooting
 ms.reviewer: kaushika, shijoy
 ms.custom:
-- sap:user logon and profiles\user profiles
-- pcy:WinComm Directory Services
+- sap:windows setup,upgrade and deployment\user state migration tool (usmt)
+- pcy:WinComm Devices Deploy
 ---
 # Error "Invalid store path" during the LoadState process when you use the User State Migration Tool
 

support/windows-client/toc.yml

@@ -839,6 +839,8 @@ items:
       href: ./setup-upgrade-and-drivers/updates-not-install-with-fast-startup.md
   - name: User state migration tool
     items:
+    - name: Error "Invalid store path" during the LoadState process
+      href: setup-upgrade-and-drivers/error-invalid-store-path-loadstate-user-state-migration-tool.md
     - name: USMT common issues
       href: ./setup-upgrade-and-drivers/usmt-common-issues.md
     - name: USMT return codes
@@ -1103,14 +1105,12 @@ items:
       href: ./user-profiles-and-logon/cached-user-logon-fails-lsasrv-event-45058.md
   - name: User profiles
     items:
-    - name: Can't set a convenience PIN
-      href: ./user-profiles-and-logon/cannot-configure-a-convenience-pin.md
     - name: Create a new profile if the profile is damaged
       href: ./user-profiles-and-logon/create-new-user-profile.md
-    - name: Error "Invalid store path" during the LoadState process
-      href: ./user-profiles-and-logon/error-invalid-store-path-loadstate-user-state-migration-tool.md
   - name: Windows Hello for Business
     items:
+    - name: Can't set a convenience PIN
+      href: user-profiles-and-logon/cannot-configure-a-convenience-pin.md
     - name: Windows Hello errors during PIN creation in Windows 10
       href: ./user-profiles-and-logon/windows-hello-errors-during-pin-creation-in-windows-10.md
     - name: Retrieve certificate to troubleshoot Windows Hello for Business logon failures

support/windows-server/active-directory/cannot-promote-dc-to-global-catalog-server.md

@@ -120,7 +120,7 @@ For more information, see:
 [Clean up server metadata by using GUI tools](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816907(v=ws.10))  
 [Clean up Active Directory Domain Controller server metadata](/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup).
 
-After you have verified that the replication between domain controllers is working correctly, determine whether an orphaned domain object exists. You can use the Ntdsutil.exe utility to clear the orphaned domain object. If there's any orphaned domain controller object for that domain, also delete the domain controller object. For more information, see [How to remove orphaned domains from Active Directory](remove-orphaned-domains.md).
+After you have verified that the replication between domain controllers is working correctly, determine whether an orphaned domain object exists. You can use the Ntdsutil.exe utility to clear the orphaned domain object. If there's any orphaned domain controller object for that domain, also delete the domain controller object. For more information, see [How to remove orphaned domains from Active Directory](../windows-security/remove-orphaned-domains.md).
 
 For more information about how to remove orphaned domain controller objects, see [Clean up Active Directory Domain Controller server metadata](/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup).
 
@@ -150,4 +150,4 @@ The command completed successfully
 
 Verify that the `Flags` entry of the output includes `GC`.
 
-For more information, see [How to remove orphaned domains from Active Directory](remove-orphaned-domains.md).
+For more information, see [How to remove orphaned domains from Active Directory](../windows-security/remove-orphaned-domains.md).

support/windows-server/active-directory/error-0x5-access-denied-rename-computer.md

@@ -0,0 +1,83 @@
+---
+title: Error 0x5 Access Denied When You Rename a Computer That Is a Member of a Domain
+description: Helps resolve error 0x5 Access Denied when you rename a computer that is a member of a domain.
+ms.date: 03/26/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: kaushika, raviks, herbertm, dennhu, eriw, v-lianna
+ms.custom:
+- sap:active directory\on-premises active directory domain join
+- pcy:WinComm Directory Services
+---
+# Error 0x5 Access Denied when you rename a computer that is member of a domain
+
+This article helps resolve error 0x5 **Access Denied** when you rename a computer that is a member of a domain.
+
+When you check the **NetSetup.log** file, you see the following entries:
+
+```output
+NetpChangeMachineName: from 'TESTNAME97' to 'TESTNAME98' using 'ADATUM.COM\test_adm_user' [0x2]
+NetpDsGetDcName: trying to find DC in domain 'ADATUM', flags: 0x1010
+NetpDsGetDcName: found DC '\\ADATUMDC01' in the specified domain
+NetpChangeMachineName: status of connecting to  dc '\\ADATUMDC01': 0x0
+NetpGetLsaPrimaryDomain: status: 0x0
+NetpManageMachineAccountWithSid: status of NetUserSetInfo on '\\ADATUMDC01' for 'TESTNAME97$': 0x5 Access Denied
+```
+
+`NetUserSetInfo` targets the domain controller (DC) Security Accounts Manager Server (SAM) server component, which uses the SAM Remote Procedure Call (RPC) function on Server Message Block (SMB) Named Pipes. Here's the complete TCP connection network traffic during the NetSetup failure event, which indicates the failure at a SAM connection:
+
+```output
+ADATUMDC01   10.101.56.150 TCP TCP: [Bad CheckSum]Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=59729, PayloadLen=0, Seq=347025249, Ack=2963325843, Win=8192 (Negotiated scale factor 0x8) = 8192
+10.101.56.150 ADATUMDC01   TCP TCP:Flags=...A...., SrcPort=59729, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=2963325843, Ack=347025250, Win=256
+...
+ADATUMDC01   10.101.56.150 MSRPC MSRPC:c/o Fault:  Call=0x2  Context=0x0  Status=0x5  Cancels=0x0  0x5 Access Denied
+...
+```
+
+## Security policy prevent malicious SAM enumeration
+
+Remote SAM access control was introduced in Windows Server 2016 and Windows 10, version 1607 and later versions as a new security policy to prevent malicious SAM enumeration. Here's the information of the policy:
+
+|Security policy path  |Local Security Policy > Security Settings > Local Policies > Security Options  |
+|---------|---------|
+|**Policy**     |**Network access: Restrict clients allowed to make remote calls to SAM**         |
+|**Registry value**     |`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSam`         |
+
+Only security groups allowed to read the Remote SAM Remote Procedure Call (RPC) access defined in the policy setting can set up a SAM connection with the target machine.
+
+This policy setting isn't useful on DCs because Active Directory objects have their own access control settings, which aren't available for domain members or stand-alone machines with the SAM database.
+
+DCs might have the setting as it stays configured when you promote a member server with this setting to be a DC.
+
+To resolve this issue, you can use one of the following methods:
+
+## Method 1: Define a policy setting for DCs that allows the calls
+
+Set the **Network access: Restrict clients allowed to make remote calls to SAM** policy to allow **Everyone** or **Authenticated Users** and apply it to all DCs.
+
+This resolves the problem for all DCs, and ensures they all use the same setting.
+
+## Method 2: Delete the registry value RestrictRemoteSam
+
+> [!NOTE]
+>
+> - Only consider this approach if for some reason you can't follow method 1. With this method, you might encounter the problem again if a DC happens to have `RestrictRemoteSam` set to a restrictive Access Control List.
+> - The default Security Descriptor Definition Language (SDDL) could be overwritten by the setting defined in other level Group Policy Objects (GPOs).
+
+Delete the registry value to apply the default SDDL. The default value for DCs means that everyone has read permissions to preserve compatibility. To delete the registry value, run the following command:
+
+```console
+reg delete "HKLM\system\currentControlSet\control\lsa" /v restrictRemoteSam /f
+```
+
+> [!NOTE]
+> This change doesn't require a restart.
+
+A customized SDDL for the policy might result in unexpected failures. Here're some scenarios to be aware of:
+
+- Admin tools, scripts, and software that previously enumerated users, groups, and group memberships might fail.
+- Remote Desktop Protocol (RDP) connections to Remote Desktop Services (RDS) Servers fail when the RDS tries to retrieve user details using remote SAM RPC calls.
+- Applications that use Authorization (AuthZ) against accounts that are disabled can run into Access Denied errors. For example, Microsoft Exchange Server might encounter this issue during Offline Address Book (OAB) generation checks.
+  
+  For more information, see [AuthZ fails with an Access Denied error when an application does access checks in Windows Server](../group-policy/authz-fails-access-denied-error-application-access-check.md).

support/windows-server/active-directory/rodc-replicates-passwords-grant-incorrect-permissions.md

@@ -7,7 +7,7 @@ audience: itpro
 ms.topic: troubleshooting
 ms.reviewer: kaushika, v-jeffbo
 ms.custom:
-- sap:active directory\active directory backup,restore,or disaster recovery
+- sap:active directory\active directory replication and topology
 - pcy:WinComm Directory Services
 ---
 # RODC replicates passwords when it's granted incorrect permissions in Windows Server

…replication-service-event-13552-13555.md …replication-service-event-13552-13555.mdsupport/windows-server/active-directory/file-replication-service-event-13552-13555.md renamed to support/windows-server/networking/file-replication-service-event-13552-13555.md support/windows-server/active-directory/file-replication-service-event-13552-13555.md renamed to support/windows-server/networking/file-replication-service-event-13552-13555.md

@@ -7,8 +7,8 @@ audience: itpro
 ms.topic: troubleshooting
 ms.reviewer: kaushika, skushida, v-ivz, shinicht, torumi
 ms.custom:
-- sap:active directory\active directory backup,restore,or disaster recovery
-- pcy:WinComm Directory Services
+- sap:network connectivity and file sharing\file replication technologies (frs and dfsr)
+- pcy:WinComm Networking
 ---
 # Event ID 13552 and 13555 are logged in the File Replication Service log on a Windows-based domain controller