This page describes steps to troubleshoot problems that you might have while using Windows instances on Google Cloud.
Troubleshooting Windows Server instances
Connecting to the Emergency Management Services console
You can use the Emergency Management Services (EMS) console to troubleshoot problems with your Windows Server instance, such as issues with drivers. For an overview of the EMS console, see the EMS Technical Reference.
To connect to the EMS console:
From your terminal or in Cloud Shell, enable connections to your instance's serial ports. In the following
gcloud
command, replace[INSTANCE_NAME]
with the name of your migrated instance:gcloud compute instances add-metadata [INSTANCE_NAME] \ --metadata=serial-port-enable=1
Connect to the EMS console on the instance's serial port 2. In the following command, replace
[INSTANCE_NAME]
with the name of your migrated instance:gcloud compute connect-to-serial-port [INSTANCE_NAME] --port 2
When you are connected to the serial port, you see the following prompt:
Computer is booting, SAC started and initialized. Use the "ch -?" command for information about using channels. Use the "?" command for general help. SAC>Windows has finished checking the disk. EVENT: The CMD command is now available. SAC>
To create a new command prompt session, type
cmd
.To connect to the new command prompt session, type
ch -si 1
. The session details are shown. PressEnter
to connect to the session.To sign in to the session, type your Windows username and password. After you have successfully signed in, the Windows command prompt opens.
Enabling Remote Desktop Protocol (RDP) connections
If you cannot connect to your migrated instance using the Remote Desktop Protocol (RDP), try enabling RDP using the Emergency Management Services (EMS) console.
For steps to connect to the EMS console, see Connecting to the EMS console.
To enable RDP connections, in the EMS command prompt, type the following commands:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal ^
Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net stop TermService
net start TermService
Enabling advanced boot options
You can use the Windows Boot Manager (BOOTMGR) to enter Safe Mode and to access other advanced boot options. Before you can connect to the Boot Manager, you must enable interactive access on the serial console and enable the Windows boot menu:
Enable interactive access to the serial console. For example, you can enable it on a single instance with the following command:
gcloud compute instances add-metadata [INSTANCE_NAME] \ --metadata serial-port-enable=1 \ --zone [ZONE]
Enable the Windows boot menu.
From an administrative command prompt, run the following commands:
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 10
bcdedit /set {bootmgr} bootems yes
Use the Cloud Console or the
gcloud
command-line tool to connect to the instance's interactive serial console on serial port 2. For example:gcloud compute connect-to-serial-port [INSTANCE_NAME] --port 2
Restart the instance through the Windows UI or in a command prompt on the instance:
shutdown /r /f
If you cannot access the instance using RDP, you can reset the instance using the Cloud Console or
gcloud
tool.The boot manager will appear through the interactive serial console and you can interact with it, for example, to select and start an operating system.
Before an operating system starts, press
Esc+8
, which is interpreted by Windows asFn+8
, to select Advanced Options. From here you can access Windows system recovery tools.
Windows license
By default, Compute Engine Windows instances automatically connect to the KMS server every seven days via TCP port 1688 to renew their activation. If you receive messages about license expiration or any other issues related to licenses on your Windows instances, check the following items:
Confirm that your Windows Server instance has an IP address that is configured to allow communication with the KMS server.
Confirm there are no firewall egress rules blocking connections to
kms.windows.googlecloud.com
over TCP 1688.
If you still have licensing issues, run the following commands from an elevated command prompt window to force set the KMS server IP address and force an activation:
cscript \windows\system32\slmgr.vbs /skms 35.190.247.13:1688 cscript \windows\system32\slmgr.vbs /ato
For more information about licensing, read: licensing Windows Server images.
Tips to keep a Windows Server 2003 instance secure
Support for Windows Server 2003 has ended, and no updates or patches are being released. As a result, your instance might be vulnerable to security exploits. Use the following tips to reduce the risk to your Windows Server 2003 instance.
You must not assign an external IP address to your Windows Server 2003 instance. Because support for Windows Server 2003 has ended, your instance might be vulnerable to security exploits. Use a VPC network to set up a private IP address for your instances.
Restrict remote desktop (RDP) access to your Windows Server 2003 instances by setting up a Remote Desktop Gateway.