You cannot create a session collection and an error occurs in Windows Server 2012

This article provides a solution to an issue where you can’t create a session collection correctly.

Original product version: В Windows Server 2012 R2
Original KB number: В 3014614

Symptoms

Consider the following scenario:

You enable the one of the following Group Policy settings on a Windows Server 2012-based server:

• Require user authentication for remote connections by using Network Level Authentication
• Set client connection encryption level
• Use the specified Remote Desktop license servers

You create a session-based desktop deployment.

In this scenario, the session collection deployment fails with an «Unable to create the session collection» error message. In addition, the RemoteApp programs that are being created are canceled.

Additionally, if you create a session collection individually, you receive the following error message:

Unable to configure the RD Session Host Server . Invalid operation

The Group Policy settings are under the following Group Policy paths:

• Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Security
• Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

Workaround

To work around this issue, apply the Group Policy settings that are mentioned in the Symptoms section after you create the Session Collection.

Status

Microsoft has confirmed that it’s a problem in the Microsoft products that are listed in the Applies to section.

Error message: «Windows cannot create the object because the Directory Service was unable to allocate a relative identifier»

Symptoms

When you try to create a new object in Active Directory, you may receive the following error message:

Windows cannot create the object because the Directory Service was unable to allocate a relative identifier.

When this problem occurs, the following event may be logged in the NT Directory Service (NTDS) event log:

This error is logged in the NTDS event log each time Windows 2000 tries to initialize the Relative ID (RID) Master. The error is logged at 1-minute intervals for the first 3 tries, and then one time every 30 minutes until the RID Master initializes.

Cause

This problem may occur if the domain controller that held the operations master role (also known as flexible single master operations or FSMO) of RID Master was removed from the domain and restored from backup. If the role of RID Master was forced onto another domain controller as a temporary replacement, when the original RID Master is restored and returned to the domain, it does not replicate with its direct replication partner and does not reclaim the role of RID Master.

Windows 2000 Service Pack 3 and Windows Server 2003 introduced features designed to help avoid the adverse effects of duplicate operations master roles existing in the same forest or domain. Domain controllers perform an initial synchronization at startup on each naming context hosted on a particular domain controller. A domain controller that holds the Schema Master, Domain Naming Master, RID Master, PDC emulator, or the Infrastructure Master role does not assume ownership of the role until it synchronizes with at least one neighbor for each writeable naming context.

Resolution

To resolve this problem, follow these steps:

Move the computer that you want to restore to a separate network that is isolated from you production network.

Restore this computer from backup. Do not restart the computer when the restoration is complete.

On the temporary RID Master domain controller on the production network, open a command prompt, type repadmin /showvector, and then press ENTER.

Shut down the temporary RID Master domain controller, and then move it to the separate network with the restored computer.

Start both computers.

Use the Sites and Services Manager Snap-in to initiate replication between the two computers. To do so, follow these steps:

Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Expand the Sites container in the left pane, and then expand the container that represents the name of the site containing the target server that you must synchronize with its replication partners.

Expand the Servers container, and then expand the target server to display the NTDS Settings object (an object that represents the settings for the domain controller).

Click the NTDS Settings object. The connection objects in the right pane represent the target server’s direct replication partners.

Right-click a connection object in the right pane, and then click Replicate Now.

Windows 2000 initiates replication of any changes from the source server (the server represented by the connection object) to the target server for all the directory partitions that the target server is configured to replicate from the source server.

Transfer all the operations master roles back to the original role-holder.

Move both computers back to the production network.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the «Applies to» section.

More Information

For more information about how to determine the RID Master role holder, click the following article number to view the article in the Microsoft Knowledge Base:

234790 How to find servers that hold Flexible Single Master Operations roles

For more information about what to do if the RID Master is down for a long time, click the following article number to view the article in the Microsoft Knowledge Base:

223787 Flexible Single Master Operation transfer and seizure process

For more information about restoring the RID Master after a seizure, click the following article number to view the article in the Microsoft Knowledge Base:

316201 «Domain controller has failed to obtain a new identifier pool» error event in Windows 2000 Server S316201 and earlier

For more information about how to perform an authoritative restore to a domain controller, click the following article number to view the article in the Microsoft Knowledge Base:

241594 How to perform an authoritative restore to a domain controller in Windows 2000

For more information about FSMO placement and optimization on Windows 2000 domains, click the following article number to view the article in the Microsoft Knowledge Base:

223346 FSMO placement and optimization on Active Directory domain controllers

Unable to create windows service

Вопрос

please help me create a service account.. Not sure if am executing right command..

New-ADServiceAccount –Name SAACCOUNT –DNSHostname DC.xyz.com

ERROR:

New-ADServiceAccount : Key does not exist

+ New-ADServiceAccount –Name servadmin –DNSHostname DC.xyz.com

+ CategoryInfo : NotSpecified: (CN=SAACCOUNT,CN. C=xyz,DC=com:String) [New-ADServiceAccount], ADException

Все ответы

There is no -DNSHostName parameter for this cmdlet. Use -OtherAttributes to assign a value. For example:

Check the help for New-ADServiceAccount:

Richard Mueller — MVP Enterprise Mobility (Identity and Access)

• Предложено в качестве ответа William Liang Microsoft contingent staff 26 сентября 2017 г. 8:20

Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

Best Regards,
William

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Just want to confirm the current situations.

Please feel free to let us know if you need further assistance.

Unable to create new service: ChromeDriverService #5876

Comments

Lastrellik commented May 9, 2018

OS: Windows 10 Hub, Ubuntu 18.04 Node
Selenium Version: 3.12.0
Browser: chromedriver
Browser Version: 2.38.552522 (64 bit)

Expected Behavior —

Chromedriver opens and navigates to http://www.google.com on Linux virtual machine node after being initiated from Java code on Windows 10 hub

Actual Behavior —

org.openqa.selenium.SessionNotCreatedException: Unable to create new service: ChromeDriverService

Steps to reproduce —

1. Set up an Ubuntu 18.04 virtual machine on a Windows 10 host
2. Begin selenium hub on host with
   java -jar selenium-server-standalone-3.12.0.jar -role hub
3. Begin selenium node on Ubuntu machine with
   java -Dwebdriver.chrome.driver=» » -jar selenium-server-standalone-3.12.0.jar -role node -hub http:// :4444/grid/register
4. Run the following code on the host machine

The text was updated successfully, but these errors were encountered:

cgoldberg commented May 9, 2018

incompatible versions of Chrome and Chromedriver?

Lastrellik commented May 10, 2018

@cgoldberg the version of Chrome I have installed is Chrome 66. Chromedriver v2.38 supports version 65-57 according to their download page. This problem has happened on both Ubuntu and Debian 64 bit.

Lastrellik commented May 10, 2018

I have found my problem.

The issue wasn’t with the Chromedriver or Chrome or my code or Selenium, but rather with my version of Java. I installed Java on Ubuntu using

sudo apt-get install default-jre default-jdk -y

This installed the wrong version of Java. I was mistaken when I thought this command would always install the latest Java versions. Anyway, installing Oracle’s version of Java resolved the issue for me.

I think it would be nice if when selenium starts there was a check to make sure that you have a compatible java version. All of the logs seemed to suggest that everything was running okay.

barancev commented May 11, 2018

@Lastrellik What Java flavour and version did you have before?

Lastrellik commented May 13, 2018

@barancev sooo I tried to recreate the issue and couldn’t. I reinstalled Ubuntu and did everything the way I thought I did it before and it worked this time. I don’t know what was wrong. Maybe there was a conflict between the version of Chrome I had installed and that particular version of Selenium. Either way, it seems to be working now.

barancev commented May 14, 2018

Thank you for getting us know everything is OK now.

gopinath386 commented Sep 24, 2018

I have facing issue «Unable to create new service: ChromeDriverService» Error for chrome, IEdriver driver execution.

I have used 3 node 1 hub. I set hub also one node. From hub machine i am executing the code. Selenium webdriver parallel execution.
I have set the drivers in system environment also in selenium code with driver path.

Issue: From hub system drivers not start to execute the code. Error message «org.openqa.selenium.SessionNotCreatedException: Unable to create new service: ChromeDriverService»
Refer the attached screen shot too.
error_run
nodes

Selenium java 3.14, Standalone 3.14 jar, TestNG 6.14.2, Java 1.8.0_144 and chromedriver 2.42.
Chrome as 69.0.3497.100.
Hub & node 1 for System as Windows Server 2008 R2 Enterprise, 64-bit. other two nodes System as Windows Server 2012 R2 Standard, 64-bit and all other is same properties.
Note: Same code working for other 2 nodes. Same chromedrivers only used in all three nodes.

Kindly check and advice. what is the root cause for the issue. Why the error shows only for the hub machine.

Unable to create windows service

Вопрос

I have a small virtual lab on my Windows 10 machine. The lap includes two Windows Server 2016 machines. One machine is a domain controller. One machine is domain attached server. I am exercising the MSA feature, and I’m having a rough go of it.

I can create the MSA on the domain controller with no issue:

The problem comes when I try to install the MSA on the target server:

am logging into the target server as a domain administrator. I don’t know what is possibly denying my access.

Ответы

Hi, got the same, looks like a lack of knowledge or smth. else, tried to do everything as in (https://blogs.msdn.microsoft.com/arvindsh/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips/)

but i’ve got an error just like yours.

Just figured out — you need to Allow your target computer to read MSA:

Set-ADServiceAccount -Identity %targetidentity% -PrincipalsAllowedToRetrieveManagedPassword %allowedcomputer%.

First written here:

https://community.spiceworks.com/topic/1994519-problem-installing-newly-created-service-account-on-server and point here:

you first allow your computer to read new SMA, then add it to local system:

1)Set-ADServiceAccount -Identity %targetidentity% -PrincipalsAllowedToRetrieveManagedPassword %allowedcomputer%.

2)Install-ADServiceAccount %targetidentity%.

Serge, you magical man you! If you were here, I’d give you a kiss on the cheek..

I ran the following:

The portion headed «On the Domain Controller» was what I ran on my DC. The portion headed «On the Host Machine» was what I ran on my database server (where I wanted the MSA created). Here is the actual call:

Here is my SQL Server instance configured to use my new MSA:

I’d read the help page on «Install-ADServiceAccount», which had the following snippet:

«To successfully install a managed service account, the service account should have the PrincipalsAllowedToRetrieveManagedPassword parameter option set first by using either the New-ADServiceAccount or Set-ADServiceAccount cmdlet first. Otherwise, installation will fail.»

Meaning, you can make that call to «PrincipalsAllowedToRetrieveManagedPassword» in either the «New-ADServiceAccount» or «Set-ADServiceAccount» calls. I tested both ways, and they both worked.

Now, when I first tried your suggestion. It didn’t work.When I executed the following:

I would receive the following error:

«Set-ADServiceAccount : Identity info provided in the extended attribute: ‘PrincipalsAllowedToRetrieveManagedPassword’ could not be resolved. Reason: ‘Cannot find an object with identity
‘sbx-misc-dbs02’ under: ‘DC=sandbox,DC=local’.’.»

I was only able to get this load of stuff to work when I used the distinguished name. I have no idea why that is, and I don’t really care.

For folks who don’t want to have to copy-and-paste the distinguished name,