Windows Server 2003 Wireless Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic provides basic troubleshooting information for wireless computers connecting to Windows Server 2003 with Service Pack 1 (SP1) domain wireless networks. If you are looking for wireless troubleshooting for a Windows XP home office environment, see the following:

• Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office at https://go.microsoft.com/fwlink/?LinkID=55033

• How to troubleshoot wireless network connections in Windows XP at https://go.microsoft.com/fwlink/?LinkId=83226

• Troubleshooting IEEE 802.11 Wireless Access with Microsoft Windows at https://go.microsoft.com/fwlink/?LinkId=83227

• Configuring Windows XP IEEE 802.11 Wireless Networks for the Home and Small Business at https://go.microsoft.com/fwlink/?LinkID=30045

Quick lists for common connectivity problems

This section provides a series of tables and lists that can help you to quickly identify conditions that can cause connectivity problems. The quick lists are presented in two categories: by symptom and by network type.

Quick lists by symptom

• Symptom: Inability to connect

• Symptom: Intermittent connectivity

• Symptom: Incorrect, missing, or stale visible networks

• Symptom: Wireless client has associated, but there is no valid IP address configuration or no network connectivity

• Symptom: There are no visible wireless networks or the Wireless Networks tab is not present in the Network Connections folder

Quick lists by network type

• General network connectivity problems

• Domain network connectivity problems

• 802.1X-authenticated network connectivity problems

Quick lists by symptom

The following series of tables present common symptoms, their causes, and likely solutions.

Symptom: Inability to connect

Possible Causes	Corrective Measures
Incorrect or incompatible wireless network configuration. For example, shared key authentication is configured on the wireless AP, and the wireless client is attempting open system authentication. Inadvertent media access control (MAC) address filtering. The wireless network name is not visible. The wireless AP and wireless network adapter are not using the same 802.11 standard (for example, you are using an 802.11b network adapter and an 802.11a wireless AP).	Verify that the wireless network configurations between the wireless client and wireless AP are compatible. Double-check the steps you followed during configuration. User error is a common source of incorrect configuration.
Radio frequency (RF) interference from nearby devices, such as cordless phone and Bluetooth devices. Wireless client is at the periphery of the RF range of the wireless AP.	Review the wireless network environment and network topology. Double-check the steps you followed during configuration. User error is a common source of incorrect configuration.
Improperly functioning or outdated wireless network adapter driver.	Obtain and install the most recent version of the wireless network adapter driver.

Symptom: Intermittent connectivity

Possible Causes	Corrective Measures
Improperly functioning or outdated wireless network adapter driver. Improperly functioning wireless AP.	Obtain and install the most recent version of the wireless network adapter driver.

Symptom: Incorrect, missing, or stale visible networks

Possible Causes	Corrective Measures
Improperly functioning or outdated wireless network adapter driver. Improperly functioning radio equipment on wireless AP or wireless network adapter. Malfunctioning wireless network adapter drivers cannot detect and register visible networks.	Obtain and install the most recent version of the wireless network adapter driver. Run the Repair tool on the wireless network adapter. Note To run Repair, right-click the wireless connection icon in the notification area or in Network Connections, and the click Repair.

Symptom: Wireless client has associated, but no there is no valid IP address configuration or no network connectivity

Possible Causes

Corrective Measures

Authentication problem. Incorrect encryption key. Corrupt, expired, or missing certificates. Improperly functioning wireless AP.

Verify that the wireless network configurations between the wireless client and wireless AP are compatible. If you are using a static wired equivalent privacy (WEP) key, verify that it has been correctly configured. Note Due to known security issues with WEP encryption, it is recommended that you use only Wi-Fi Protected Access version 2 (WPA2) (preferred) or WPA. Verify whether other computers that connect to the wireless AP have the same problem. If all wireless clients of the same wireless AP have the same problem, make sure the wireless AP settings match the IAS RADIUS Clients settings configured for the specific wireless AP. Also make sure that the Wireless Network (IEEE 802.11) Policy configuration settings for client computers match the wireless AP settings.

Symptom: There are no visible wireless networks or the Wireless Networks tab is not present in the Network Connections folder

Possible Causes

Corrective Measures

The Wireless ZeroConfig Service is not running. Improperly functioning or outdated wireless network adapter driver. On a portable computer, the external switch for the wireless antenna might be turned off.

Check to see if the Wireless ZeroConfig Service is running by checking the state is Started in the Services Microsoft Management Console (MMC) snap-in. Use the Services console to configure the Wireless ZeroConfig Service to start automatically. A wireless network adapter driver that fails in the early stages of service startup can cause the Wireless ZeroConfig Service not to initialize on that interface. If this is determined to be the problem, install the most recent version of the driver for that adapter.

Quick lists by network type

The following quick lists are not exhaustive catalogs of connectivity problems. They provide information about the types of conditions that can cause connectivity problems.

For the purposes of this document, network connectivity problems fall into three groups:

• General network connectivity problems

• Domain network connectivity problems

• 802.1X-authenticated network connectivity problems

General network connectivity problems

These types of problems can occur on networks ranging from small office/home office (SOHO) workgroup-based networks to enterprise networks.

Possible Causes	Corrective Measures
A wireless setting mismatch exists between the wireless AP and the wireless client. For example, the wireless AP is configured to use WPA2 and the client is configured with WPA-PSK.	For a single computer, manually configure the settings to match. For multiple computers, use the Wireless Network (IEEE 802.11) Policy to configure settings to match the settings configured on the wireless AP.
The wireless adapter is disabled in Network Connections.	Right-click the disabled connection, and then click Enable.
The external switch that controls the wireless antenna is turned off.	Set the external switch to the On position.
The wireless network adapter is malfunctioning.	Install the most recent driver for the adapter. If that fails to fix the problem, replace the wireless adapter, if possible. Note In cases where the adapter is built into the computer, you can try to install a second wireless adapter, such as a Universal Serial Bus (USB) adapter to test connectivity. If you install a second wireless adapter, it is recommended that you first disable the original wireless connection. In Network Connections, right-click the wireless connection, and then click Disable. Install the second wireless adapter, and then attempt to connect to the network.
Network clients configured with static IP addresses are configured by using an IP address that is not in the correct IP address range or by using a different subnet mask.	Configure the IP settings with a unique IP address in the correct IP address range, using the correct subnet mask.
The DHCP service is enabled on the wireless router to allocate IP addresses to network clients, but one or more network clients are configured with a static IP address.	Configure the Internet Protocol (TCP/IP) properties of the wireless adapter to Obtain an IP address automatically.
The DHCP server is disconnected from the network, powered off, or the service is not running.	In a SOHO network, the DHCP service is typically provided by the wireless router or by Internet Connection Sharing (ICS). Restore the DHCP service.
In a SOHO network: In a new wireless network or when replacing your modem or wireless AP, you have not registered your modem with your Internet service provider (ISP), or your router media access control (MAC) address. Modem or router registration varies by ISP. You have not configured the public connection on the router to accept DHCP leases from the ISP network. For example, you have configured the public connection on the wireless router with a static IP address.	Contact your ISP to register your device. Configure the public interface to accept DHCP leases from the ISP network.

Domain network connectivity problems

In addition to the general network connectivity problems, these types of problems commonly occur on domain networks, ranging from small organizations to enterprise networks.

Active Directory

Possible Causes	Corrective Measures
The user does not have an account in the Active Directory Users and Computers snap-in.	Create an account for the user.
The Dial-in properties of the user account or computer account in Active Directory Users and Computers is set to Deny access.	Set the user and computer account Dial-in properties to Allow access. Note In 802.1X networks that use IAS to authenticate connections, set the user account Dial-in properties to Control access through Remote Access Policy.
The user account is disabled.	In Active Directory Users and Computers, in Users, right-click the account, and then click Enable.
The user account has expired.	In Active Directory Users and Computers, right-click the account, click Properties, and then on the Account tab, in Account expires, select Never, or in End of set a new expiration date.
The user is attempting a connection at a prohibited time, as specified in the logon hours of the user account (the default setting is Logon Permitted for all hours).	In Active Directory Users and Computers, in the user account properties, on the Account tab, click Logon Hours, and then configure the settings to specify the hours that the client is allowed to connect to the network.
The user is attempting a prohibited connection by using a computer that is not specified in the Log On To setting of the user account properties, or the default setting All computers is not selected.	In Active Directory Users and Computers, in the user account properties, on the Account tab, click Log On To, and then either select All computers, or select The following computers. In Computer name, specify the computers that the user is allowed to use to connect to the network.
The Domain Name System (DNS) service is stopped or is not configured.	On your DNS server, in the Services snap-in, right click DNS Server, and then click Start.

Users and Computers

Possible Causes	Corrective Measures
The client computer is not a member of the domain.	Join the computer to the domain.
The client is attempting to log on to the domain by using non-domain credentials. A common error with new computers or user accounts is that users log on to the computer by using their computer account.	At the log on window, in Log on to, select the domain if it is available, and then use the domain user account. For newly joined computers, logon using the domain name and user account in the format DomainName\UserName.

DHCP

Possible Causes	Corrective Measures
The DHCP scope is full, and therefore the DHCP server cannot lease addresses to requesting DHCP clients.	If the DHCP scope does not use the full address range, edit the scope to expand the address range.
The IP address of the DHCP server was changed and now DHCP clients cannot get IP addresses.	Make sure that the static IP address and subnet mask of the DHCP server are within the addressing scheme of the subnet.
The DHCP service is stopped.	On your DHCP server, in the Services snap-in, right-click DHCP Server, and then click Start.
On a newly configured DHCP server: The DHCP server is not authorized in Active Directory. The IP address range of the DHCP scope is incorrectly specified. The DHCP scope is not activated. The DHCP server is not on the same subnet as the clients. The DHCP server is offline.	In the DHCP snap-in, right-click the domain container, and then click Authorize. Set the IP address range and subnet mask in the scope to match the addressing scheme of your subnet. In the DHCP snap-in, right-click the domain container, right-click the scope for the subnet that is presenting connectivity problems, and then click Activate. Physically connect the DHCP server to the correct subnet. Restart the DHCP server.

802.1X-authenticated network connectivity problems

This section provides examples of configuration problems that are specific to networks that deploy 802.1X-authenticating wireless APs and IAS for 802.1X-authenticated connections. In an 802.1X network, consider the following examples in addition to the examples listed in the previous two sections.

Active Directory problems

Possible Causes	Corrective Measures
The Active Directory domain functional level is not raised to Windows Server 2003. IAS Remote Authentication Dial-In User Service (RADIUS) settings require the Windows Server 2003 domain functional level.	In the Active Directory Domains and Trusts snap-in, click Action, and then click Raise Domain Functional Level. Important If domain controllers on your network are running Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows 2000 native. After the domain functional level is set to Windows 2000 native, it cannot be changed back to Windows 2000 mixed. Likewise, if domain controllers on your network are running Windows 2000 or Windows NT 4.0 and earlier, then do not raise the domain functional level to Windows Server 2003. After the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.
In Active Directory Users and Computers, the dial-in properties of the user account are not configured to Control access through Remote Access Policy.	In the Active Directory Users and Computers snap-in, in the domain container, open Users, right-click the user account, click Properties, and then on the Dial-in tab, select Control access through Remote Access Policy.
The IAS remote access policy grants access for members of an Active Directory security group. However, the user is not a member of the security group that is specified in the remote access policy.	In Active Directory Users and Computers, in the domain container, open Users, right-click the security group that is specified in the applicable IAS remote access policy, click Properties. On the Members tab, click Add, and then in Enter the object names to select, type the user account to add the user to the security group.
The authentication method specified in Wireless Network (IEEE 802.11) Policies does not match the authentication method specified in the IAS remote access policy. For example, if network clients running Windows Vista are configured by Wireless Network (IEEE 802.11) Policies to use Protected Extensible Authenticated Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2) authentication, but no IAS remote access policy specifies PEAP-MS-CHAPv2 authentication, the mismatch prevents client authentication.	Change the Extensible Authenticated Protocol (EAP) authentication method specified in either the IAS remote access policy or in Wireless Network (IEEE 802.11) Policies to match the method deployed for your network.

Client

Possible Causes	Corrective Measures
The Wireless ZeroConfig Service is not running. By default, the Wireless ZeroConfig Service starts automatically.	For an individual computer, manually start the service in the Services snap-in. For multiple computers, in Group Policy Object Editor, open Wireless Network (IEEE 802.11) Policies. In the details pane, right-click the applicable wireless policy, click Properties, and then on the General tab, select Use Windows to configure wireless network settings for clients.
When using Extensible Authenticated Protocol-Transport Layer Security (EAP-TLS) authentication, the client does not have a certificate that contains the Client Authentication purpose in the Enhanced Key Usage extension. Instead, the client is configured according to minimum client certificate requirements.	Instruct the user to log on to the network by using a wired Ethernet connection and domain credentials; the enhanced certificate is automatically installed.

Certificate Services

Possible Causes	Corrective Measures
When using EAP-TLS, the user does not have a client certificate.	Instruct the user to log on to the network by using a wired Ethernet connection and domain credentials; the certificate is automatically installed.
The client does not have a corresponding root CA certificate that matches the issuing CA of the IAS server certificate.	In Group Policy Object Editor, open Wireless Network (IEEE 802.11) Policies. In the details pane, right-click the applicable wireless policy, and then click Properties. On the Preferred Networks tab, in Networks, select the corresponding wireless network, and then click Edit. On the 802.1x tab, in EAP type, click Settings, and then in Trusted Root Certification Authorities, select the certificate that matches the IAS server certificate.

IAS (RADIUS)

Possible Causes	Corrective Measures
The RADIUS shared secret on the wireless AP does not match the shared secret configured for RADIUS clients in IAS.	Configure the wireless AP to use the same shared secret. The shared secret is specified in the RADIUS Clients node of the IAS snap-in.
The IAS remote access policy properties are configured to reject the user or computer requests. For example: On the Settings tab, the properties of the policy are set to Deny remote access permission. On the Dial-in Constraints tab of the remote access policy, time restrictions prohibiting the connection are configured. On the Dial-in Constraints tab, an incorrect media type is specified.	In the IAS snap-in, right-click the applicable remote access policy, click Properties, and then click Grant remote access permission. In the IAS snap-in, right-click the applicable remote access policy, click Properties, click Edit Profile. On the Dial-in Constraints tab, select Allow access only on these days and at these times, and then click Edit to specify allowed access times. In the IAS snap-in, right-click the applicable remote access policy, click Properties, click Edit Profile, and then on the Dial-in Constraints tab, do one of the following: Clear Allow access only through these media (NAS-Port-Type) Select Allow access only through these media (NAS-Port-Type), and then select Wireless - IEEE 802.11.
A mismatch exists between the trusted root CA that issued the RADIUS server certificate specified in the IAS remote access policy, and the trusted root CA specified in the selected EAP type in Wireless Network (IEEE 802.11) Policies.	In Group Policy Object Editor, open Wireless Network (IEEE 802.11) Policies. In the details pane, right-click the applicable wireless policy, and then click Properties. On the Preferred Networks tab, in Networks, select the corresponding wireless network, and then click Edit. On the 802.1x tab, in EAP type, click Settings, and then in Trusted Root Certification Authorities, select the certificate that matches the IAS server certificate.
The vendor-specific attributes (VSAs) for the wireless AP are configured incorrectly.	Check the wireless AP product documentation for VSA usage, and then specify the IAS Vendor specific attributes in IAS. If you are unsure about the correct VSA setting, select RADIUS Standard.
The IP address of the wireless AP (RADIUS client) specified in IAS is incorrect.	In the IAS snap-in, select RADIUS Clients. In the details pane, right-click the RADIUS client that corresponds to the wireless AP, and then click Properties. On the settings tab, in Address (IP or DNS) type the correct IP address, and then click Verify.
The IAS server certificate has expired.	For information about requesting an IAS Server certificate, see the Windows Server 2003 Help topic Computer certificates for certificate-based authentication.
The IAS service is stopped.	In the Services snap-in, right-click Internet Authentication Service, and then click Start.
EAP is configured differently in the applicable remote access policy than it is in Wired Network (IEEE 802.11) Policy in Active Directory.	Configure both the IAS remote access policy and Wired Network (IEEE 802.11) Policy to use the EAP method that corresponds with your network deployment.
On a newly configured IAS server: IAS is not registered in Active Directory. The IAS server does not have a server certificate.	In the IAS snap-in, right-click Internet Authentication Service, and then click Register Server in Active Directory. See the Windows Server 2003 Help topic Computer certificates for certificate-based authentication for information about requesting an IAS Server certificate.

Wireless AP

Possible Causes	Corrective Measures
The wireless AP does not have the correct or latest firmware.	Contact the wireless AP manufacturer for the latest firmware.
The IP address of the wireless AP is incorrectly configured for the subnet.	Configure the wireless AP with a static IP address and subnet mask according to your network TCP/IP addressing scheme.
The wireless AP does not specify the correct IP address of the IAS RADIUS server.	On the wireless AP, configure the RADIUS server IP address to match the IP address of your IAS server.

Troubleshooting Windows XP wireless connections: quick list

Wireless connection problems frequently occur for the following reasons:

• Disabled wireless network adapters.

• Incorrectly configured wireless network settings.

• Insufficient credentials for authentication or missing permissions for authorization.

• Distance, interference, or obstructions between wireless devices.

Because successful troubleshooting depends on your ability to identify the source of the problem, Windows Server 2003 with Service Pack 1 (SP1) includes status and warning reporting to help you isolate and resolve wireless network connection problems.

Follow these steps to solve several common problems associated with wireless connections:

• Many portable computers have a switch that can be used to turn 802.11 wireless network adapters on and off. On a laptop computer, the switch might be on the left side of the computer case. Be sure that the switch is turned on. For more information, see the product documentation for your portable computing device.

• Make sure that the wireless adapter has not been disabled. You can disable a wireless adapter through the user interface (UI) by right-clicking on a wireless adapter icon, and then selecting Disable. Wireless adapters that have been disabled in this way will not appear in the notification area and can only be enabled in Network Connections. For more information, see Configuring wireless network settings on client computers.

• Use Wireless Auto Configuration to configure wireless network settings. When enabled, Wireless Auto Configuration allows you to connect to an existing wireless network, change wireless network connection settings, configure a connection to a new wireless network, and specify preferred wireless networks. It also notifies you when new wireless networks are available. When you switch wireless networks, your wireless network adapter settings will be dynamically updated to match the settings of that new network and a network connection attempt will be made. For more information, see Use Windows to configure wireless network settings on a client computer.

• If you are connecting to a wireless network for the first time, Wireless Auto Configuration will configure basic network settings, if the service is enabled. However, you may need to configure additional settings, such as the data encryption type or Wired Equivalent Privacy (WEP) key, if they are not automatically configured for your account in the Active Directory directory service. For more information, see Define Wireless Network Policies on a Client Computer. You might also need to request account permissions from your network administrator.

• Check to see if the desired wireless network appears in the network list. Right-click the wireless icon, and then click View Available Wireless Networks. If the desired wireless network does not appear under Choose a wireless network, you might be outside of the broadcast range of that network or the network might be suppressing the beaconing signal. First, try to relocate the wireless device to a location that receives a stronger signal. To refresh the network list and get the most current list of wireless networks that are advertising within reception range of your computer, right-click the wireless icon, click View available wireless networks, and then, under Network Tasks, click Refresh network list.

  Note

  • Some infrastructure networks suppress the beaconing signal because they do not want to advertise the availability of their wireless network. In these cases, the network will not appear under Choose a wireless network. However, you can connect to these networks if you enter all of the correct configuration information, which you can obtain from the network administrator.

    For more information about configuring wireless network settings, see Use Windows to configure wireless network settings on a client computer, Add, edit, or remove wireless network connections on a client computer, and Define a wireless network connection on a client computer.

• Check to see if there is a wireless warning icon in the notification area. You can click the warning icon to get information about the error as well as possible remedies. If you used View Available Wireless Network to open the list of available wireless networks, check for a warning where the wireless network is displayed under Choose a wireless network. You can click the warning link text to get information about the warning and possible remedies.

• If you have previously connected successfully to a specific network, but the connection to that network failed, right-click the wireless icon, and then click Repair. This will disable, and then enable the wireless adapter.

• Balloon notifications appear in the notification area when the status of a wireless connection changes (for example, when status changes from Connected to Not Connected because the wireless device has moved out of reception range). If a balloon notification indicates an error, you can click the notification for more information and remedies to correct the problem.

Status and warning reporting

Windows Server 2003 SP1 monitors wireless connection status to detect connection errors. Status and connection error information is reported in real time in the following ways:

Notification area icons

The wireless icon in the notification area changes appearance to indicate the state of the wireless connection:

Icon	Wireless connection state
	Connected
	Connecting
	Not connected
	Warning

If the warning icon is displayed, click the icon, and then, on the General tab of the Wireless Network Connection Status dialog box, under Connection, click More information.

Hovering pointer display

You can hover the mouse pointer over the wireless icon in the notification area and instantly see the connection status and other information:

Status type	Reported status
Wireless Network Connection	The name of the network to which the computer is currently connected. This is the same as the service set identifier (SSID).
Speed	Connection speed (for example, 11.0 Mbps)
Signal Strength	Excellent Very good Poor
Status	Connected Limited or no connection Not connected Note In the event of a service interruption, the status will display the name of the most recent wireless network connection, but it will indicate that the connection has limited or no connectivity.

Balloon notifications

Balloon notifications will appear in the notification area when the status of a wireless connection changes, regardless of whether the wireless icon has been configured to display in the notification area.

Example notifications

When Windows has detected an error, you might receive the following notification:

The connection has limited or no connectivity. You may not be able to access the Internet or some network resources. For more information, click this message.

To open the Wireless Network Connection Status dialog box, click the balloon. On the Support tab, under Connection Status, a message similar to the following will be displayed:

Limited or no connectivity. You might not be able to access the Internet or some network resources. This problem occurred because the network did not assign a network address to the computer.

To restart the connection and try to establish full connectivity, click Repair.

After you click Repair, the wireless adapter is restarted, and shortly afterward, you will receive a notification similar to the following:

Wireless Network Connection is now connected

Connected to: Gulliver

Signal Strength: Very Good

The balloon notifications are displayed for a short time only. For this reason, there are alternative ways to access the Support tab in the Wireless Connection Status dialog box.

Choose a wireless connection

Wireless network connection status is also reported in Choose a wireless connection in the Wireless Network Connection dialog box. To control the connection to wireless networks that appear under Choose a wireless network, click Connect or Disconnect. If you have attempted to connect to a wireless network and the connection attempt failed, a status message such as Limited or no connectivity might be displayed for that item. To open the Wireless Network Connection Status dialog box, click the message text. On the Support tab, under Connection Status, a message similar to the following will be displayed:

Limited or no connectivity. You might not be able to access the Internet or some network resources. This problem occurred because the network did not assign a network address to the computer.

To restart the connection and try to establish full connectivity, click Repair.

Additional troubleshooting tools

You can use the following tools to troubleshoot 802.11 wireless network connections and infrared devices:

• 802.11 wireless networks. To troubleshoot problems related to 802.11 wireless network connections, you can view details about wireless access points and wireless clients in Wireless Monitor. For detailed information about the statistics displayed in Wireless Monitor, see Logging and viewing wireless network activity.

• Infrared devices. To troubleshoot problems related to infrared devices, you can use the Input Devices Troubleshooter.

Note

• In the Windows Server 2003 family, only Windows Server 2003, Standard Edition, supports infrared networking.

Additional references

• A Support Guide for Wireless Diagnostics and Troubleshooting at https://go.microsoft.com/fwlink/?LinkId=83229

• Microsoft Wireless Networking home page at https://go.microsoft.com/fwlink/?LinkId=83230

• Windows Vista Wireless Networking Evaluation Guide at https://go.microsoft.com/fwlink/?LinkId=79943

• Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab at https://go.microsoft.com/fwlink/?Linkid=28117