The Official SBS Blog

Introducing the Windows SBS 2008 Answer File

[Today's post comes to us courtesy of Rod White and Justin Crosby]

Windows Small Business Server 2008 supports installation using an answer file.  The answer file provides the following functionality:

• Automates the SBS 2008 installation process for both a clean installation as well as a migration.
• Allows you to run a clean installation setup in advanced mode interactively.

In addition, the answer file is the only way to to run the windows SBS 2008 installation in join domain/migration mode, there is no other way to trigger the SBS 2008 setup to act in that mode.  Additionally, if you do not want to use the default of .local as your TLD, you must use an answer file to specify an alternative TLD.

To create the answer file for an automated install:

1. On a client computer or server with .NET Framework 2.0 installed, insert the first Windows SBS2008 DVD and select the Tools link. If autorun is disabled, browse to the Tools folder on the SBS 2008 DVD 1.
2. Launch the answer file generator tool by running SBSAfg.exe.
3. Select New installation or Migration from existing server (Join existing domain) depending on your scenario.
4. Type in the required information.  See below for a summary of each field.
   
5. Save the Answer file as sbsanswerfile.xml.
   Note: you cannot user any filename other than sbsanswerfile.xml. This is the only filename that the SBS 2008 setup will look for.
6. Copy the answer file to the root of a USB drive, floppy disk or a partition on the destination server. Then start either installing or migrating to Windows 2008. If the SBS 2008 installation wizard detects a migration answer file, the migration process starts automatically.

Shared Information

• Get Installation Updates: Whether or not to automatically attempt to download installation updates.
• Run Unattended: If unchecked, the setup fields will be pre-populated but you must click Next during setup.
• Clock and time zone settings: You must make sure that you use the correct time zone.
• Windows Live OneCare for Server: Choose whether or not to install the trial version.
• Microsoft Forefront Security for Exchange Server: Choose whether or not to install the trial version.
• Company Information: The name and address of the business. This information is used for settings on your server and is not sent to Microsoft. You can edit the company information later. To edit it, in the Windows SBS Console, click the Help list menu, and then click Edit Company Information.
• Certificate Authority Name: You can customize the name of your CA.  We recommend leaving this setting blank, which will use the default name of <DomainName>-<ServerName>-CA.

Migration Specific Information

• Source Server Information
• Domain Administrator Account Name: The user account name of a domain administrator in the existing domain.
• Password: The password that corresponds to the existing domain administrator account name.
• Source Server Name:  The name of the server from which you are migrating.
• Source Domain Name: The full DNS name of your organization's internal domain.
• Default Gateway:  The IP address that is assigned to the router on your network.
• Source Server IP Address:  The IP address that is assigned to the Source Server.
• DHCP is running on the Source Server:  Select this box if the DHCP service is running on the Source Server. It is recommended that the DHCP service run on the Destination Server. If you are running the DHCP service on the Source Server, it is moved for you during Windows SBS 2008 migration. If the DHCP service is running on another server or device, you must manually disable it on that server or device.
• Destination Server Information
• Destination Server Name: The name of your new SBS 2008 server.
• Destination Server IP Address: The IP for your new SBS 2008 server.  Please verify that this address is not in use.

New Install Specific Information

• Server Information (Note: You cannot change ANY of the following names after the installation finishes)
• Server Name: The name of your new server. This must be a unique name on the local network.
• Internal Domain Name: The NetBIOS name of the internal domain—for example, contoso. This must be a unique name on the local network. The domain name and the server name cannot be the same.
• Full DNS Name: The DNS name of the internal (local) domain.  You must provide at least two labels for the full DNS name. For example, you can use contoso.local, but contoso alone is not valid. It is recommended that you do not use a public top level domain name, such as .com, as the last label in the full DNS name. This is the DNS name of the internal domain.
• Network Administrator Account
• First Name: First name of the administrator.
• Last Name: Last name of the administrator.
• Administrator User Name: User name or alias for the new network administrator account.
• Administrator Password: Password for the new network administrator account. The password that you provide must be complex. If you do not provide a complex password, the unattended installation stops so you can provide the complex password.
• Network Settings for the Server
• Automatically Detect the Network Settings: Use DHCP to identify an un-used private IP address.
• Manually Choose the Network Settings as Follows:
• IP Address: IP address of the SBS 2008 server.  This must be a private IP address.
• Default Gateway: The IP address that is assigned to the router on your network.

For more information please see:

• Tell Me More About Using Answer Files
• Migrate to Windows Small Business Server 2008 from Windows Small Business Server 2003
• Migrate to Windows Small Business Server 2008 from Windows Small Business Server 2008

Remotely Administer Additional 2008 Servers

[Today's post comes to us courtesy of Wayne McIntyre]

Microsoft Windows Server 2008 is the first server product where the Windows firewall is enabled by default. This is definitely a plus from a security standpoint however by default it does not allow remote administration. If you attempt to remotely connect to the Event Viewer of one of your additional 2008 servers you will see the following error.

On the main SBS server we enable remote administration out of the box, however, if you want to be able to remotely administer any additional Windows 2008 servers in your environment you will have to enable the remote administration firewall policy inbound rule. You can either do this locally or if you have multiple servers you may want to implement a group policy to configure the firewall for your 2008 servers. To do this locally, follow these steps:

1. Open the Windows Firewall with Advanced Security snap in from Administrative Tools.
2. Select inbound rules and enable the following 3 rules.
1. Remote Administration (NP-in)
2. Remote Administration (RPC)
3. Remote Administration (RPC-EPMAP)

Enabling this policy will enable remote administration for all services, but you can also get more granular and just enable remote administration for specific components as well.

Additional Resources: http://technet.microsoft.com/en-us/network/bb545423.aspx

A Method to Configure Outlook Web Access Redirection in SBS 2008

[Today's post comes to us courtesy of Wayne McIntyre ]

The URL for OWA in SBS 2008 is https://remote.contoso.com/owa if a user attempts to access this page without specifying “https” they will receive a 403.4 forbidden this site must be accessed over SSL.  Today we will discuss an easy method to configure HTTP to HTTPS redirection so users do not get this error, and instead are redirected to the proper OWA URL.  The below steps will walk you thru configuring this type of redirection.

1. Open IIS Manager from Administrative Tools and expand the SBS Web Applications web site then click on the OWA virtual directory.  Locate the Error Pages icon in the right pane.

2. Open the Error Pages configuration and click on Add on the far right window pane.

3. Add an HTTP error response for status code 403.4 select the response action of Respond with a 302 redirect, and enter the HTTPS URL for the OWA site e.g. https://remote.contoso.com/owa

4. Click Ok and now you should see the custom error page for 403.4 with a redirect to the HTTPS URL for Outlook Web Access.

Note: The above process should not be used on any other SBS included virtual directory/web site.   Remote Web Workplace (RWW) includes its own method for HTTP to HTTPS redirection.

SBS 2008 Migrations Fail When The Migration Preparation Tool Has Not Been Run

[Today’s post comes to us courtesy of John Bay and Shawn Sullivan]

We have recently received a number of support calls where migrations to SBS 2008 are failing, particularly with Exchange setup, because customers are not running the Migration Preparation Tool on the SBS 2003 server prior to beginning the migration process. This tool performs the following actions:

1. Installs update 943494 on the SBS 2003 server to extend the migration grace period from 7 to 21 days.
2. Runs ADPREP to update the forest, domain, and group policy object access control entries.
3. Changes Exchange 2003 from Mixed mode to Native mode.
4. Adds the Authenticated Users group to the Pre-Windows 2000 security group.

If you attempt to perform a migration install of SBS 2008 before running the Migration Preparation Tool you will receive the following error:

The problem that we are seeing is that customers are manually running ADPREP and accepting the warnings to get past this error instead of running the Migration Preparation Tool. While running ADPREP manually will allows the SBS 2008 install to begin, your Exchange server will still be running in mixed mode which will cause the Exchange 2007 install on SBS 2008 to fail as seen below.

You will also see the following error in the ExchangeSetup.log, located under C:\ExchangeSetupLogs:

[12/10/2008 10:48:20 PM] [0] Setup will run the task 'test-setuphealth'

[12/10/2008 10:48:20 PM] [1] Setup launched task 'test-setuphealth -DomainController 'SERVER.domain.local' -DownloadConfigurationUpdates $true -ExchangeVersion '8.1.240.6' -Roles 'Global' -ScanType 'PrecheckInstall' -SetupRoles 'Global' -PrepareDomain $null -PrepareLegacyExchangePermissions $null -PrepareOrganization $true -PrepareSchema $true'

[12/10/2008 10:48:20 PM] [1] Beginning processing.

[12/10/2008 10:48:46 PM] [1] [ERROR] The Exchange organization is not in native mode.

At this point, you must restore the SBS 2003 server from backup and run the Migration Preparation Tool on the SBS 2003 server before beginning the migration again.

For more information on all of the pre-migration steps that must be performed, including steps on how to run the Migration Preparation Tool, please see http://technet.microsoft.com/en-us/library/cc527611.aspx

SBS 2008 to SBS 2008 Migration Fails When "Windows SBS User Policy" Edited

[Today's post comes to us courtesy of Justin Crosby and Chris Puckett]

Windows Small Business Server 2008 creates a group policy called "Windows SBS User Policy", one of the tasks of this group policy is to add a few shortcuts (OWA, RWW, and WSS) to IE on SBS clients.  If this list is modified AND you attempt a SBS 2008 to SBS 2008 migration the migration will irrecoverably fail.  You will receive this following installation issue and be unable to complete the migration:

The installation of Windows Small Business Server 2008 cannot finish.

At this point, you must restore the original server from backup and completely start the migration process over.  To avoid this issue please complete the following steps prior to a SBS 2008 to SBS 2008 migration:

Note: This only needs to be done if the policy has been edited. If you're not sure, there is no harm in doing these steps as a precaution.

1. Open gpmc.msc and edit the "Windows SBS User Policy".
2. Navigate to User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> URLs.
3. View the properties of Favorites and Links.
4. Make a note of all the Favorites and Links (This has likely been customized from the default).
5. Remove all the Favorites and Links and save the policy.

Once you complete the migration, the favorites for OWA, RWW and Companyweb will be automatically recreated. You will then have to manually re-add your custom URLs.

SBSSetup.log Errors: 

[908] 080925.155308.3044: Setup: Task ConfigureIE succeeded.
[908] 080925.155308.3200: TaskManagement: In TaskScheduler.RunTasks(): The "ConfigureIE" Task or the "NET" TaskProcessor threw an Exception during the ITaskProcessor.Run() call:System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility._normalFavoritesEX()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility..ctor()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility.DelIEFavorites(String keyName)
   at Microsoft.WindowsServerSolutions.IWorker.Tasks.ConfigureIE.Run(ITaskDataLink DataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskProcessors.NetTaskProcessor.Run(Task currentTask, ITaskDataLink dataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.Data.Task.Run(ITaskDataLink dataLink, IDictionary`2 taskProcessorMap)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskScheduler.RunTasks(String taskListId, String stateFileName)

[908] 080925.155308.3200: Setup: An error was encountered on the TME thread: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility._normalFavoritesEX()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility..ctor()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility.DelIEFavorites(String keyName)
   at Microsoft.WindowsServerSolutions.IWorker.Tasks.ConfigureIE.Run(ITaskDataLink DataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskProcessors.NetTaskProcessor.Run(Task currentTask, ITaskDataLink dataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.Data.Task.Run(ITaskDataLink dataLink, IDictionary`2 taskProcessorMap)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskScheduler.RunTasks(String taskListId, String stateFileName)
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.ProgressPagePresenter._RunTasks(Object sender, DoWorkEventArgs e)
[2228] 080925.155308.5384: Setup: _UnhandledExceptionHandler: Setup encountered an error: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Reflection.TargetInvocationException: The TME thread failed (see the inner exception). ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility._normalFavoritesEX()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility..ctor()
   at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility.DelIEFavorites(String keyName)
   at Microsoft.WindowsServerSolutions.IWorker.Tasks.ConfigureIE.Run(ITaskDataLink DataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskProcessors.NetTaskProcessor.Run(Task currentTask, ITaskDataLink dataLink)
   at Microsoft.WindowsServerSolutions.TaskManagement.Data.Task.Run(ITaskDataLink dataLink, IDictionary`2 taskProcessorMap)
   at Microsoft.WindowsServerSolutions.TaskManagement.TaskScheduler.RunTasks(String taskListId, String stateFileName)
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.ProgressPagePresenter._RunTasks(Object sender, DoWorkEventArgs e)
   at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
   --- End of inner exception stack trace ---
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.ProgressPagePresenter.TasksCompleted(Object sender, RunWorkerCompletedEventArgs e)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Delegate.DynamicInvokeImpl(Object[] args)
   at System.Windows.Forms.Control.InvokeMarshaledCallbackDo(ThreadMethodEntry tme)
   at System.Windows.Forms.Control.InvokeMarshaledCallbackHelper(Object obj)
   at System.Threading.ExecutionContext.runTryCode(Object userData)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Windows.Forms.Control.InvokeMarshaledCallback(ThreadMethodEntry tme)
   at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   at Microsoft.WindowsServerSolutions.Common.Wizards.Framework.WizardFrameView.Create()
   at Microsoft.WindowsServerSolutions.Common.Wizards.Framework.WizardChainEngine.Launch()
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.MainClass._LaunchWizard()
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.MainClass.RealMain(String[] args)
   at Microsoft.WindowsServerSolutions.Setup.SBSSetup.MainClass.Main(String[] args)
[2228] 080925.155308.5696: Setup: Removed the password.
[2228] 080925.155308.5696: Setup: Deleting scheduled task at path Microsoft\Windows\Windows Small Business Server 2008 with name Setup
[2228] 080925.155308.5852: Setup: Removed SBSSetup from the RunOnce.

How to Configure the Store Junk Mail Threshold in SBS 2008

[Today's post comes to us courtesy of Damian Leibaschoff]

In SBS 2008 we automatically configure Content Filtering in Exchange 2007 to reject any e-mail that scores a spam confidence level of 7 or higher.

Get-ContentFilterConfig| fl scl*

SCLRejectThreshold     : 7
SCLRejectEnabled       : True
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled   : False

However, we do not configure the threshold for automatically moving suspect e-mails to the junk mail folder of a recipient. This setting is left with its default of higher than 8, basically having no effect whatsoever for inbound e-mail (as we are rejecting them at 7 anyways).

This is the default setting on an SBS 2008 install:

Get-OrganizationConfig | fl scl*

SCLJunkThreshold : 8

There are many different strategies on how to set these thresholds at the content filter level and at the store, the simplest way is to set the store threshold to a value that is lower than the threshold set on the content filter, for example, we could set it to 5 (meaning that any e-mail that scores 6 will be moved to the Junk Email folder of the recipient).

To do this we have to open an Administrative Exchange Management Shell and then type the following command:

Get-OrganizationConfig | Set-OrganizationConfig -SCLJunkThreshold:5

You have to keep in mind that you have to find the right balance for this value and your needs, as now you are starting to work to levels of confidence that could lead to false positives, if you encounter such, remember that you can always white list the sender (directly from Outlook) and prevent this in the future, or you can tweak the settings higher or even lower.

If you want to read more about this, check the following: http://technet.microsoft.com/en-us/library/aa995744.aspx

Note: You may notice that the math above looks a little off, this is because the SCLRejectThreshold and the SCLJunkThreshold work slightly differently.  The SCLRejectThreshold uses >= (greater than or equal) while the SCLJunkThreshold uses > (greater than) in it's processing logic.

How Outlook 2007 and Windows Mobile 6.1 Use Autodiscover with SBS 2008

 [Today's post comes to us courtesy of Rituraj Choudhary and Shawn Sullivan]

After the completion of SBS 2008 setup and the Internet Address Management Wizard (IAMW), Exchange 2007 is configured to accept both internal and external Outlook 2007 SP1 and Windows Mobile 6.1 Autodiscover requests. These requests are handled by the Exchange Autodiscover service, which in turn provide the following information to connecting clients:

1. The user’s display name as read from Active Directory.
2. Separate connection settings for internal and external connectivity
3. Location of the user’s mailbox (this is why Outlook 2007 is automatically able to find a mailbox that has been moved to another Mailbox server).
4. Location information for free/busy, Out of Office assistant, web-distributed Offline Address Book (gives Windows Mobile 6.1 the capability of GAL lookups from the internet), …
5. Outlook Anywhere (RPC/HTTP) server settings.

This information is combined to automatically configure the user’s profile, requiring no input from them other than their email address.

When configured properly, the Exchange Autodiscover truly is automatic. However, the technology is complex in the fact that its implementation spans several other technologies across multiple locations. In general, the following items need to be in place:

1. External DNS records (Host A and SRV) must be correct.
2. The IAMW creates a zone for the external Fully Qualified Domain Name (FQDN) that you choose on internal DNS. It points this name to the internal IP address of the server to service internal connections to the namespace.
3. Requirement for Outlook 2007 SP1 or Windows Mobile 6.1.
4. Properly configured Autodiscover virtual directory under the SBS Web Applications site.
5. Properly configured internal and external URL on the Autodiscover virtual directory in Exchange 2007.
6. Properly configured service connection point (SCP) in Active Directory for the Client Access (CAS) server.
7. Properly configured SSL certificate installed in Exchange 2007 and the SBS Web Applications site, with the correct Fully Qualified Domain Name (FQDN). Important: Use the “IAMW” to either create the self-signed certificate or use the “Add a Trusted Certificate” wizard to install a 3^rd party trusted certificate.
8. If you are deploying a self-signed certificate created by the IAMW, you must install the certificate distribution package to your non-domain joined Outlook clients or Mobile 6.1 devices: http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Domain-joined Outlook 2007 connections

A service connection point (SCP) object is created in Active Directory during the installation of the Client Access (CAS) role. Domain-joined clients will query this object and read the following attributes:

1. serviceBindingInformation - Returns the Fully Qualified Domain Name (FQDN) of the CAS server. This will match the public URL that you have chosen in the IAWM. The Autodiscover virtual directory’s internal URL setting must match this value and the SBS server must be able to query the zone for the public domain in its DNS to return the internal IP address of the server.
2. keywords – Returns the Active Directory site which the CAS server belongs to. Exists specifically for when you have multiple CAS servers in different AD sites.

To find its location in ADSIEDIT, go here:

CN=Servername,CN=Autodiscover,CN=Protocols,CN=Servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=local

Where Servername is the name of your server, OrganizationName is the name of the Exchange Org and CONTOSO.local is the domain name.

The clients will retrieve the URL from an ldap query for the SCP, and retrieve the IP address from internal DNS. It will then connect to the server through the proper URL to the Autodiscover virtual directory.

Example:

1. The client belonging to the contoso.local domain queries AD and retrieves https://remote.contoso.com/autodiscover/autodiscover.xml from the serviceBindingInformation attribute on the SCP.
2. The client resolves remote.contoso.com to the internal IP address of the SBS 2008 server. This is because the IAMW has created a zone for remote.contoso.com in DNS and has pointed it to the internal IP of the server.
3. A request is sent to https://remote.contoso.com/autodiscover/autodiscover.xml

Note: Non-domain joined clients may not be able to connect internally to the Autodiscover service.

Remote Clients and Windows Mobile 6.1 devices

Remote Outlook 2007 SP1 clients and Windows Mobile 6.1 devices query the DNS SRV record at the DNS registrar to locate the URL for the CAS server, according to the email address that you have specified. This record is either created/maintained automatically (if you choose a partner registrar during the IAMW) or manually (if you choose to maintain the domain yourself in the IAMW).

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: FQDN

Important: Outlook 2007 without SP1 does not query for this SRV record, which causes Autodiscover to fail in default SBS 2008 deployments where the domain name has a prefix, like remote.contoso.com.

Example:

1. User enters an email address of user@contoso.com
2. The Outlook client or mobile device queries _autodiscover._tcp.contoso.com and remote.contoso.com is returned
3. The client or device resolves remote.contoso.com to the external IP address of the SBS 2008 server.
4. The request is sent to https://remote.contoso.com/autodiscover/autodiscover.xml

The auto-discover feature for a user can be checked using the command:

Test-OutlookWebServices -Identity <User Name>

Additional Reference:

For full details on the Exchange 2007 Autodiscover service, please see: http://technet.microsoft.com/en-us/library/bb332063.aspx

Introduction to the Fix My Network Wizard (FNCW)

[Today's post comes to us courtesy of Shawn Sullivan]

In SBS 2003, the CEICW was available to administrators for configuring their firewall, Internet connection, self-signed certificate, and email settings from a single wizard. Re-running the CEICW was a common troubleshooting step in fixing network related problems. However, SBS 2008 has taken the concept of the CEICW and broken it down into several specific wizards in place of one monolithic wizard. Administrators can now address more specific tasks, reducing the likelihood that they may inadvertently change settings that are unrelated to their end goal.

One of these new wizards is the FNCW, which is solely a troubleshooting tool meant to help the administrator resolve network issues. It automatically scans the environment for potential issues with Certificate Services, certificates, DNS, DHCP, TCP/IP configuration, VPN, Exchange, IIS, and Network Discovery. It will either attempt to correct them automatically, or will suggest a course of action to take towards resolution.

The FNCW has been designed to be run by the administrator as the first step in any network related troubleshooting. You can launch it as many times as you require from the Windows SBS Console under the Network > Connectivity sub-tab.

After it performs its initial scan, it will display a list of issues that require your attention.

Once you click “Next”, it will attempt to fix the issues automatically. If it is unable to do this, it will suggest a course of action to be taken by the administrator. This may involve running one of the other SBS 2008 wizards, performing manual configurations, verifying the state of underlying components, or performing deeper technical troubleshooting.

If the wizard is able to fix the issue, it will require no further action from you for that specific item.

For information on related networking wizards in SBS 2008, please visit:

• Connect to the Internet Wizard (CTIW): http://blogs.technet.com/sbs/archive/2008/09/17/introducing-the-connect-to-the-internet-wizard-ctiw.aspx
• Internet Address Management Wizard (IAMW): http://blogs.technet.com/sbs/archive/2008/10/15/introducing-the-internet-address-management-wizard-part-1-of-3.aspx
• Add a Trusted Certificate Wizard:  http://blogs.technet.com/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx

How to Setup Anti-Spam in Exchange 2007 When Using a Mail Hosting Company

[Today's post comes to us courtesy of Shawn Sullivan]

Exchange 2007 introduces a built-in feature called Sender Reputation for both the Edge and Hub Transport server roles. The purpose of Sender Reputation is to record the legitimacy, through a number of tests, of each external SMTP server that sends email to Exchange. For detailed information on how Sender Reputation works, please visit the following link: http://technet.microsoft.com/en-us/library/bb124512.aspx

By default, SBS 2008 is aggressive in blocking suspicious senders, and since all inbound e-mail is coming from the same sending server, there is a risk that the hosting company server could be incorrectly blocked. This feature will eventually block an offending host for 24 hours.

Furthermore, you need to also consider Sender ID Filtering, also enabled by default on SBS, since all e-mail is coming from a series of hosts that are most likely not the designated approved senders (as they are your hosting companies servers), this will cause the SPF check to fail and raise the probability of the sender reputation to fail among other things. This can cause an issue for those using a 3^rd party mail hosting service to deliver incoming email.  Based on the nature of their operation, these SMTP servers will likely fail some of the criteria used by Exchange once they connect, ending up in denied connections and broken inbound email flow.

The other scenario you need to consider is if you have a non-Exchange mail server in your organization that is accepting inbound e-mails, performing messaging hygiene functions and then forwarding the e-mails to the Exchange server running on the SBS server. On that case, you should add the IP of this server to your InternalSMTPServers. If you have a firewall doing SMTP Proxy and the connections appear to come from the Internal IP, you will potentially have to also add that internal IP, however, you should not do this unless the firewall is performing messaging hygiene.

To resolve this problem, you will need to add the IP address ranges of the hosting SMTP servers to a list trusted by Exchange. Open the Exchange Management Shell as Administrator and type the following:

Set-TransportConfig –InternalSMTPServers <IP>

For example, if we were using Exchange Hosted Service message hygiene and compliance, then we would run:

Set-TransportConfig –InternalSMTPServers 12.129.20.0/24, 63.241.222.0/24, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24, 213.244.175.0/24, 216.32.180.0/24, 216.32.181.0/24

To verify that these have been added correctly, you can run the following cmdlet to display the entries:

Get-TransportConfig | ft “InternalSMTPServers”

Once added, connections from these IP addresses will have bypass-anti-spam access rights on each receive connector in your organization; so take caution and make sure you are truly adding trusted IPs only.

IMPORTANT:  If you are using one of our partner registrars to host your external DNS information while using a mail hosting company to accept your email, you will need to either set or create the following registry key on your SBS 2008 server:

HKLM\Software\Microsoft\SmallBusinessServer\networking\Services
Value: SkipMXConfig
Type: REG_DWORD
Data: 1

This prevents the dynamic DNS service on the SBS 2008 server from incorrectly changing the IP address on your MX to point to your router’s public IP instead of your mail host. The DDNS service checks this every 5 minutes by default when you choose to host your DNS at a partner registry when you run the Internet Management Address Wizard (IAMW).

You do not need to set this if you have chosen the option to manage your domain name yourself using the IAMW.

Additional Information:

IP address range information for Exchange Defender and Postini can be found in the following links:

• Exchange Defender: https://www.exchangedefender.com/support_deployment_guide.php
• Postini: http://www.postini.com/webdocs/admin_ee_cu/wwhelp/wwhimpl/js/html/wwhelp.htm (under IP Ranges and Security)

Windows Live OneCare Announcement

Be aware of the following Windows Live OneCare Announcement.

SBS 2008 Specific Q&A:

Q: How does this impact Windows Small Business Server 2008 (part of the Windows Essentials Server Solutions offerings) and Windows Live OneCare for Server?

A: Microsoft will continue to support the 120 day trial for Windows Live OneCare for Server offered in SBS 2008.  The subscription service will be available for purchase through June 30, 2009.  Microsoft will ensure Windows Live OneCare for Server subscribers will remain protected for the duration of their trials and subscriptions.  For language and market availability please see http://www.microsoft.com/sbs/en/us/editions-overview.aspx.

Q. Didn’t you announce at the Windows Small Business Server 2008 beta that Windows Live OneCare for Server would be offered as a trial on SBS 2008? 

A. Yes we did and in some cases the new Windows Small Business Server 2008 will ship with a Windows Live OneCare for Server trial (please see http://www.microsoft.com/sbs/en/us/editions-overview.aspx for language and market availability).  This announcement does not affect the trial at this time.  Microsoft will continue to support the 120 day trial for Windows Live OneCare for Server currently offered in SBS 2008.  The subscription service will be available for purchase through June 30, 2009.  Microsoft will ensure Windows Live OneCare for Server subscribers will remain protected for the duration of their trials and subscriptions.

Updated Q&A on 12/1/2008

Error 0xC004C009 When Activating SBS 2008

[Today's post comes to us courtesy of Rod White and Justin Crosby]

When you attempt to activate your SBS2008 server you receive the following error:

"A problem occurred when Windows tried to activate. Error Code 0xC004C009"

If you select "More Information", the description reads:

"The activation server determined the license is invalid"

Cause:

This issue occurs because SBS was installed WITHOUT entering a valid Product Key.  You can only activate the server with a valid Product Key. To determine what key has been entered run the following command from the command prompt or Run line: "slmgr.vbs -dli". 

From here you will be able to verify:

• Product Key (Partial)
• License Status
• Eval Time Period

If you see a license status of "Initial grace period" that means that a valid key has not been entered.  SBS can run in this trial/evaluation state for 60 days by default.  SBS 2008 will work normally with the exception that you cannot activate while it is in trial mode.  If you need to extend the trial/evaluation mode please see http://support.microsoft.com/kb/948472.

Resolution:

To fix this activation issue all you need to do is enter a valid product key before activating.  To do this run the following command from the command prompt or Run line: "slui 3".  You will see the following screen:

Enter your Windows SBS 2008 Product Key and click Next.  SBS will attempt to activate with the new key.  If successful you will see the following:

How SBS 2008 Configures Your SPF Record

[Today's post comes to us courtesy of Wayne McIntyre]

As many are already aware, Microsoft and other industry leaders introduced sender ID filtering to assist in the combat against e-mail spam. Basically the concept of sender ID filtering is to verify that the host sending the email is authorized to send email for that domain. With sender ID filtering enabled, the receiving server will check the “mail from” domain’s SPF record to retrieve a list of valid senders for that domain. To learn more about the Sender Policy Framework please see the following document. http://www.microsoft.com/downloads/details.aspx?familyid=D8A174B1-697C-4AEA-9C92-2E70A013C30B&displaylang=en.

The “Setup Your Internet Address” wizard in SBS 2008 can configure your SPF record for you if you selected for SBS 2008 to manage your DNS records. An SPF record is a basic “TXT” record in DNS, which in SBS is configured as v=spf1 a mx ~all. Here is a breakdown of what each portion defines:

• “v=spf1” defines the version of Sender Policy Framework being used.
• “a” provides a verification mechanism that if the IP address of the sending machine matches any “a” records in DNS for that domain, that it is an authorized server.
• “mx” provides a verification mechanism if the IP address matches one of the MX hosts for a domain name.
• “~all” states that perform a SoftFail for all other IP addresses as they are not in the permitted set and their use is discouraged.

This is a sufficient configuration for most purposes; however, if you use a SmartHost the SPF record generated by SBS should not be used, as it will not contain the information for your SmartHost's sending servers.  You must manually create the SPF record with your DNS provider AND make one of the following changes to your SBS server.

A. Create the following registry key.  This registry key will configure SBS to bypass generation of the SPF record as part of it's DNS management.

HKLM\Sofware\Microsoft\SmallBusinessServer\Networking\Services
Name: SkipTXTConfig
Type: Dword
Value: 1

B. Use the IAMW to configure SBS to not manage your DNS records. Option A is the preferred option.

To create your own customized SPF record we recommend you use the SPF Record Wizard below which will ask you a series of questions then configure your SPF record based on your responses.

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

SBS 2008 Launch Success

Introducing Server Storage Management in SBS 2008

[Today's post comes to us courtesy of Wayne McIntyre]

A common support call with SBS 2003 was customers running out of space on their O/S partition and they needed to move data to a separate drive/partition in order to free up space. There were many components of SBS that would take up large amounts of hard drive space such as, Exchange databases, SharePoint databases, Users Shared Data, and any SQL based databases you may have (monitoring, WSUS etc…). In SBS 2003 to move this data was a cumbersome task, to see all the steps required here is the white paper on how to move your data folders in SBS 2003 http://technet.microsoft.com/en-us/library/cc708031.aspx. However, there is great news for SBS 2008 with the introduction of Server Storage Management component of the SBS Console.

SBS 2008 Server Storage Management gives you the ability to monitor your disk usage for your main server data that is included with SBS 2008. Additionally SBS 2008 includes the following wizards to simplify the process of moving data between volumes:

• Move Exchange Server Data
  • Moves both the exchange database file as well as your log files for all storage groups.
• Move Windows SharePoint Services Data
  • Moves the SharePoint Content and Configuration databases.
• Move Users’ Shared Data
  • Moves C:\Users\Shares\ directory and all sub directories
• Move Users’ Redirected Documents Data
  • Moves C:\Users\FolderRedirections\ directory and all sub directories
• Move Windows Update Repository Data
• Moves the repository data from C:\WSUS\WSUSContent and C:\WSUS\UpdateServicePackages. Please note it does NOT move the SUSDB Folder and the WSUS database which contains the metadata.

To access these wizards select the "Backup and Server Storage" tab and then select the "Server Storage" sub-tab.  From here the wizards will appear on the right under "Storage Tasks".

Storage Management will only manage drives with a DriveType of 3 (Local Disk) as defined by the Win32_LogicalDisk WMI Class (http://msdn.microsoft.com/en-us/library/aa394173(VS.85).aspx).

It is a best practice to run the move data wizards after hours since users will not have access to the resource that is being moved until the wizard is completed. When running the wizard it will recommend and give you the option to create a backup before it moves the data, it is a good idea to perform this, just in case of a problem during the move. Also, by using these wizards instead of native tools to move your data, SBS Backup will be automatically reconfigured to include the destination drive into your backup configuration.

WESS Launch: Announcing General Availablity of SBS 2008 and EBS 2008

Today we are proud to invite you to attend the official launch of Essential Business Server (EBS) 2008 and Small Business Server (SBS) 2008, making up the Windows Essential Server Solution (WESS) product line, at www.thedreamserver.com.

Considering how tight the economy is for the approx. 1.2 million mid-sized companies and 32 million small businesses worldwide, IT resources are going to be stretched very thin for organizations that have limited or very few IT professionals managing the company’s IT needs. As part of our effort to help customers stretch their technology dollars farther, we’ve designed the WESS products to be “all-in-one” solutions that address key customer pain points by taking the benefits of enterprise-class technology and making it accessible, affordable and less complex for SMBs.

We’ve come so far since getting the first inputs from customers and partners over two years ago. Both SBS and EBS offer a new wave of exciting features and technology solutions for small and mid-sized customers that we believe. We’ve worked to understand what customers are going through and Microsoft wants to work with you to help grow your business over the long term.

At today’s launch event, you will hear more about:

-          Microsoft’s investment into the SMB space,

-          What financing options are available,

-          How local partners are ready and trained to help,

-          How the SBS and EBS products are proven to provide value, reduced costs and increased productivity,

-          And success stories from other customers who are already enjoying the benefits SBS and EBS have to offer.

Please join us at www.thedreamserver.com to participate in the live webcast and virtual tradeshow or visit the WESS Virtual Pressroom for more information.