[Today's post comes to us courtesy of Shawn Sullivan and Edwin Joseph]
SBS 2008 includes a brand new version of the POP3 connector. This post will introduce key elements in understanding how this version differs from previous versions and how to implement it properly. Like its predecessors, the POP3 connector in SBS 2008 is meant to be a migration solution to allow companies to transition from hosting their email at the ISP to hosting their email in-house on Exchange server. It is highly recommended to retire the POP3 Connector once your migration is complete and allow Exchange 2007 to directly host email for your domain.
On a high level, the POP3 Connector performs the following steps during its mail-flow lifecycle:
- A connection is established to external POP3 Server.
- Each user’s mailbox is accessed with the credentials stored in the POP3 Connector’s configuration.
- Email is downloaded and deleted from the source mailbox and then submitted to the Exchange Transport service via SMTP.
High-level mail flow process using a POP3 Connector
Key differences between this and the previous versions are:
- The POP3 Connector in SBS 2003 bypassed Exchange message filtering by using the Collaborative Data Objects (CDO) process to move downloaded email to the “pickup” directory. In SBS 2008, the POP3 Connector submits email directly to the Exchange Transport service via SMTP. The email is filtered just like any other message received from the internet, which allows Exchange 2007 anti-spam agents and Forefront to protect your environment.
- The minimum retrieval time has been reduced to 5 minutes from 15 minutes
- Only individual mailboxes can be configured. There is no longer support for Global Mailboxes.
- Diagnostics and troubleshooting are now done through Pop3Connector.exe, located in “C:\Program Files\Windows Small Business Server\Bin”.
In order to configure the POP3 Connector, you must meet the following requirements:
- Exchange must be installed and running
- You must complete the Internet Address Management Wizard (IAMW)
- You must be logged in as a domain administrator
- Gather the following information for each POP3 account:
  - The name or IP address of the POP3 server that you will download from
  - The TCP port that the POP3 server requires for POP3 connections (usually 110)
  - The authentication method required by the POP3 server (Basic, SPA, APOP) to login to each mailbox
  - Username and password for each POP3 email account
Configuring the POP3 Connector
The POP3 Connector is accessed in the SBS Console under Network > Connectivity > POP3 Connector. Click on “View POP3 Connector properties”

To add a new POP3 mailbox, highlight “Mail Accounts” and click “Add”

Provide all required POP3 mailbox account information as listed above in the requirements section. Select the destination Windows Small Business Server e-mail account from the drop‑down menu and click “OK” to confirm the POP3 mailbox account.

The Scheduling option allows you to adjust the e-mail retrieval interval, which is 15 minutes by default. You can set the interval anywhere from every 5 minutes to every 24 hours. You can also click “Retrieve now” to trigger an immediate download attempt.

Logging
POP3 Connector related errors and events are recorded in Event Viewer under the Microsoft Windows Small Business Server/Operational log, see below:

“C:\Program Files\Windows Small Business Server\Bin\POP3Connector.exe” can be launched from the command prompt with the logVerbose switch to enable diagnostics logging.

To return to normal logging mode, run Pop3Connector.exe /lognormal
Events are written in the pop3service.log located in “C:\Program Files\Windows Small Business server\Logs\pop3connector” when you enable diagnostics logging or when you click “Retrieve Now”
Message Size Limit
Messages exceeding 10MB will not be downloaded by the POP3 Connector; no event will be logged for this. If you suspect that this is happening, install the telnet client on SBS 2008 and manually connect to the POP3 server to see the message size. To install the telnet client, open an administrator command prompt and enter servermanagercmd -install telnet-client. You can then follow http://support.microsoft.com/kb/196748 as a guide for testing POP3 with telnet. Once you enter “list”, you will see a list of messages including size in bytes:
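The same LIST check can be scripted instead of typed into telnet. The following is an added example, not part of the original post: it assumes the mailbox uses Basic (USER/PASS) authentication, takes the 10MB limit as 10 × 1024 × 1024 bytes, uses hypothetical function names and a placeholder server name, and needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the connector's "10MB" limit is 10 * 1024 * 1024 bytes.
$Pop3ConnectorLimitBytes = 10MB

function Find-OversizePop3Message {
    # Parses the lines of a POP3 LIST response ("<number> <size in bytes>")
    # and returns the messages that are larger than the limit.
    param(
        [string[]]$ListResponse,
        [long]$LimitBytes = $Pop3ConnectorLimitBytes
    )
    foreach ($line in $ListResponse) {
        # The "+OK ..." status line and the terminating "." do not match.
        if ($line -match '^\s*(\d+)\s+(\d+)\s*$') {
            $size = [long]$Matches[2]
            if ($size -gt $LimitBytes) {
                New-Object PSObject -Property @{
                    MessageNumber = [int]$Matches[1]
                    SizeBytes     = $size
                    SizeMB        = [math]::Round($size / 1MB, 2)
                }
            }
        }
    }
}

function Get-Pop3ListResponse {
    # Logs on with USER/PASS and returns the LIST lines. Like the telnet test,
    # this sends the password unencrypted over the POP3 port.
    param(
        [string]$Server,
        [int]$Port = 110,
        [string]$User,
        [string]$Password
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # Sends one command (or nothing, for the greeting) and requires "+OK".
        $send = {
            param($command)
            if ($command) { $writer.WriteLine($command) }
            $reply = $reader.ReadLine()
            if ($reply -notlike '+OK*') { throw "POP3 server answered: $reply" }
        }
        & $send $null
        & $send "USER $User"
        & $send "PASS $Password"
        & $send 'LIST'

        # The listing ends with a line that contains only ".".
        $lines = @()
        while (($line = $reader.ReadLine()) -ne $null -and $line -ne '.') {
            $lines += $line
        }
        $writer.WriteLine('QUIT')
        $lines
    }
    finally {
        $client.Close()
    }
}

# Constructed sample of a LIST response, as it would appear in the telnet session.
$sample = '+OK 4 messages', '1 48213', '2 11534336', '3 10485760', '4 20971520', '.'
Find-OversizePop3Message -ListResponse $sample |
    Format-Table MessageNumber, SizeBytes, SizeMB -AutoSize

# Live check against a mailbox (placeholder server and account):
# $lines = Get-Pop3ListResponse -Server 'pop.example.com' -User 'user' -Password 'secret'
# Find-OversizePop3Message -ListResponse $lines
```

In the constructed sample, messages 2 and 4 are reported; message 3 is exactly 10 MB and does not exceed the limit.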

Message Hygiene Agents
Email that is rejected by Exchange 2007 anti-spam agents will be placed into “C:\Program Files\Windows Small Business Server\Data\Badmail”. You can review messages in this directory, and if you determine that they are legitimate, you can manually drop them in the pickup directory for submission (make sure the file name ends with .eml or they will not be processed). Review your anti-spam agent configuration in Exchange to make necessary adjustments. If email is being quarantined by Forefront Security for Exchange, please review: http://blogs.technet.com/sbs/archive/2008/11/03/how-to-view-emails-quarantined-by-forefront-security-for-exchange.aspx
[Today's post comes to us courtesy of Shawn Sullivan and Moloy Tandon]
Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:
- Check their E-mail.
- Access the Internal Web Site (CompanyWeb).
- Connect to a computer through RDP (only network admins can connect to the SBS server)
- Change their domain password
- Access help and configuration information for RWW
- Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx)
RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3rd party SSL certificate, you must also complete the “Add A Trusted Certificate Wizard”. RWW is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW will add the prefix “remote” to your chosen domain name to distinguish the SBS 2008 server in your web presence as the remote user portal. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.
For full access to the RWW feature set from the Internet, you must ensure the following:
- TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
- Clients are running Internet Explorer 6.0 SP2 or higher
- The RDP 6.1 client or higher is installed on the client machine
- The client must trust the SSL certificate that is installed on the SBS Web Applications site
- The client must connect using the URL that matches the common name on the certificate.
Features
From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).

Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:
- Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
- Users are not presented with the “Administration” links
SBS Console Integration
From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:
- Enabling or disabling the website
- Browse the website (opens in IE using https)
- Add or remove users permissions to login to RWW
- Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
- Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles

Login Requirements
As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:

User Account Properties for RWW Login Rights

Launching OWA and CompanyWeb
When OWA and CompanyWeb are launched in RWW, your browser is connected to either https://remote.domain.com/owa or https://remote.domain.com:987 respectively, where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:

Connect to a computer
When a user clicks “Connect to a computer”, they are presented with a list of computers that they are authorized to connect to, and they can set one as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized to connect to only a single machine, a list is not shown and the user is connected directly to that machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined both on the user account and computer account properties from the SBS 2008 console:

Computer account properties:

Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.
If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:
- To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
- Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
- Right-click SmallBusinessServer, click New, and then click Key.
- Name the key BusinessProductivity.
- Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
- Name the new value ShowAllComputers.
- Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.

TSGateway Integration
RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.
The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:

You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:

Enter in the URL for the SBS 2008 server (which you configured during the IAMW)

Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

Additional Information
If you are having issues connecting to RWW or TSGateway, visit the following posts:
For non domain-joined machines and mobile devices, you must install the certificate distribution package for proper web access to the server (if you are not using a trusted 3rd party SSL certificate):
[Today’s post comes to us courtesy of Shawn Sullivan]
SBS 2008 includes the Update Services component to provide the administrator with a simple interface for managing software updates from the SBS Console. Those who are familiar with Update Services from SBS 2003 R2 will find that the SBS 2008 implementation is quite similar. It is essentially a wrapper for the native WSUS 3.0 interface meant to simplify the management of software updates for the network. By default all critical updates, security updates, and update definitions will be automatically approved for installation if at least one machine on the network requires it. Other updates are manually approved by the administrator as needed.
Default Configuration Settings
Below is the full list of default configuration settings in WSUS as they exist after SBS 2008 setup has completed:
| Parameters | Settings |
| --- | --- |
| Update Classifications | Critical Updates; Definition Updates; Security Updates; Service Packs; Update Rollups |
| Products | All |
| Languages | English and the Language of the SBS 2008 SKU |
| Update Files | Store update files locally on this server; Download update files to this server only when updates are approved |
| Synchronization | Automatically, daily at 01:00 am |
| Server Cleanup | Unused updates and update revisions; Computers not contacting the server; Unneeded update files; Expired updates; Superseded updates |
| WSUS Groups | Update Services Excluded Computers; Update Services Client Computers; Update Services Server Computers |
Important: If you go into the native WSUS 3.0 SP1 console and change these default settings, SBS Update Services will detect this and shut down. In order to guarantee the accuracy and reliability of its reporting function, it requires WSUS to be configured with these settings. If you are in this state, you will get the following warning when you click on “Change the software update settings” in the SBS console:

“Windows Small Business Server (Windows SBS) Update Services is not running because it automatically turns off if you customize Windows Server Update Services (WSUS)”
The easiest way to tell which changes you need to revert is to run the SBS 2008 BPA: http://www.microsoft.com/downloads/info.aspx?na=22&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d86a1aa32-9814-484e-bd43-3e42aec7f731%26DisplayLang%3den
The below screenshot shows an example of the warning and its specific cause:

WSUS Update Groups
The Update Services Excluded Computers, Update Services Client Computers, and Update Services Server Computers groups are created natively in WSUS during setup and managed through the SBS 2008 Console.

By default, the Client and Server groups will be populated by machine accounts that are either in the SBS Servers or SBS Computers Organizational Units in Active Directory. The purpose of these groups is to assign one of the following update levels to them through the SBS Console:
- High: Automatically approve for installation all security, critical, and definition updates and all service packs
- Medium: Automatically approve for installation all security, critical, and definition updates
- Low: Automatically approve for installation all security and definition updates.
- None: Do not automatically approve any updates
By default, Server updates are set to Medium and client updates are set to High. If you choose to exclude a machine from receiving updates through Update Services, it will be placed in the Excluded Computers group.

Included Computers adds the machine account to the proper WSUS group and to the security filter of either the Update Services Client Computers or Update Services Server Computers GPOs:

WSUS Group Policy Objects
These GPOs control various settings in how machines in your network contact WSUS. You should not make changes to them:
- Update Services Client Computers Policy: Configures client machines to “auto download and schedule the install” every day at 03:00.
- Update Services Server Computers Policy: Configures server machines to “auto download and notify for install”. Updates will never be automatically installed.
- Update Services Common Settings Policy: Settings common to both servers and clients, including update detection frequency, system restart settings, scheduled installation settings, and the URL that machines contact for Update Services and intranet statistics (http://<SBSServer>:8530)

Windows SBS Manager Service
Among its many responsibilities, this service applies all of the configuration settings that the administrator has chosen through the SBS 2008 Console. It performs the following tasks:
- Every 5 minutes it will check Active Directory and apply machine accounts to the proper WSUS Update Group, either the Client Computers or the Server Computers group. It also adds the machine account to the security filter of either the client or server GPOs. This is all configured by the administrator in the “Included Computers” window in Figure 2 above.
- Every 60 minutes it checks with WSUS to review the updates being reported as needed by the machines. At this time, it will approve critical, security, and update definitions for all machines while including service packs for machines in the Client Update group.
The logs for this service are found in the following directory: C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs.
Administration through the SBS 2008 Console
All of the pieces described above are brought together to give the administrator a simplified interface in the SBS 2008 Console in which to manage all updates for all machines on the network. You can access Update services information from the following locations:
- Under “Network Essentials Summary” on the Home tab: If all updates that are needed have not been installed, you will receive a Warning here. If you have made changes to the default WSUS configuration, you will also receive a blue question mark here
- Under the “Computers” sub-tab on the Network tab: Right-click on the machine accounts and go to properties to access the list of missing and installed updates.
- Under the “Updates” sub-tab on the “Security” tab: At this location, you can “Change the software update settings” to change the update levels for servers and clients, specify the schedule for installation or notify the user, and choose which servers and clients to manage through Update services:

You also receive a list of Updates with Microsoft Software License Terms that are pending approval, Updates with Errors, Optional Updates and Updates in Progress. From here you can deploy the update, decline the update, or view the update deployment report:

[Today's post comes to us courtesy of Wayne McIntyre]
We are seeing quite a few calls where public folders, Offline Address books, and Free/Busy information are not replicating to the new SBS 2008 server after following the “Move Exchange Server public folders for Windows SBS 2008 migration” steps from http://technet.microsoft.com/en-us/library/cc527516(WS.10).aspx. The key thing to remember is that public folder replication messages use SMTP for transport; therefore, if you have modified settings on the default SMTP Virtual Server, these messages may never reach the destination. The SBS 2003 BPA will detect some of these misconfigurations, so make sure to also run both the Exchange BPA and SBS BPA.
Identifying the Issue
To identify the issue you should view the queue in Exchange 2003. You will notice you have a backlog of messages in the queue using the Routing group connector that SBS 2008 creates during a migration setup. In this case we have a non-standard outbound TCP port configured.

Common Causes
- You have a Smarthost configured on your SMTP virtual server, which will route all messages, including Public Folder replication messages, to your Smarthost server. To modify this, go to the properties of your Default SMTP Virtual Server on your Exchange 2003 server, select the Delivery tab and click the Advanced button. You should then see a dialogue like the one below. If a Smarthost is configured, simply remove it and hit OK.
- Verify that Outbound Security on the SMTP Virtual Server is using Anonymous access.
- The Outbound Connections TCP port has been modified to something other than port 25 on the Default SMTP Virtual Server in Exchange 2003. From the same Delivery tab as before click on the Outbound connections button and verify the TCP port is set to 25.
- A less common issue is that you have added your domain to the blocked senders list. This is often done to prevent spam from spammer@contoso.com (where Contoso is your email domain) who is spoofing your domain. In Exchange 2007, under Organization Configuration – Hub Transport, click on the Anti-Spam tab and go to the properties of Sender Filtering. Within Sender Filtering Properties verify the Blocked Senders List, and ensure that you have not listed your own domain as a blocked sender.
- Integrated Windows Authentication is unchecked on the Default SMTP virtual server on your source SBS 2003 machine. To ensure that Integrated Windows Authentication is enabled, go to the properties of the Default SMTP virtual server, select the Access tab, and click the Authentication button.
Additional Information
Understanding Public Folder Replication: http://technet.microsoft.com/en-us/library/bb629523.aspx
[Today's post comes to us courtesy of Wayne McIntyre, Damian Leibaschoff, and Justin Crosby]
The Connect to a computer feature in SBS 2008 is one of the most popular features of RWW. It utilizes TS Gateway behind the scenes; however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them, and steps to resolve them.
What we will cover:
- Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
- VBScript Error: 50331676
- Connection Authorization Policies and Resource Authorization Policies.
- Authentication Failures
- Client Machine Requirements
- Internal DNS Considerations
- External DNS Considerations
- TS Gateway Service Known Issues
1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx
2. VBScript Error: 50331676
When you try to connect to a server or machine you get the following error:

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:
- Open TS Gateway Manager from Administrative Tools – Terminal Services
- Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.

As stated before, you should not see this problem if you have completed the Internet Address Management Wizard. If for any reason no certificate is selected, click Browse Certificates and select the proper certificate, for example “remote.contoso.com”.
3. Connection Authorization Policies and Resource Authorization Policies.
You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.
We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:
- Open TS Gateway Manager from Administrative Tools – Terminal Services
- Expand your computer object
- Expand Policies
- Select Connection Authorization Policies
- Right-Click on the General Connection Authorization policy on the right hand side and choose properties
- Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

4. Authentication Failures
You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.
Since both Outlook Anywhere and TS Gateway share this virtual directory, modifying the authentication settings for Outlook Anywhere within the Exchange Management Console can disable Windows Authentication. To check whether Windows Authentication is enabled, run the following command in the Exchange Management Shell (run as admin):
Get-OutlookAnywhere
(Ignore the warning)
Check the value for the IISAuthenticationMethods Parameter.

You can also check in IIS Manager under the RPC virtual directory, authentication.

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.
If the output of the Exchange Management Shell shows that you are missing NTLM, you need to reset the Exchange setting for Outlook Anywhere. From the Exchange Management Shell (run as admin), perform the following command (ignore the warning):
Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm
After you make this change, the settings in IIS will not change immediately; it might take up to 15 minutes. You can safely make the change in IIS, under the authentication settings for RPC, to enable Windows Authentication and Basic Authentication, and they should remain set as expected.
If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:
5. Client Machine Requirements
The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.
6. Internal DNS Considerations
You might connect to an unexpected machine when trying to connect to the remote machine. If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct. To do this open the DNS Management console from Start, Administrative Tools, DNS. Expand the forward lookup zones, and your local active directory zone. Verify that the host (A) records for the clients are correct.
7. External DNS Considerations
The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match, RWW will not use TS proxy and the connection will fail or connect to an unexpected target.
The only fix is to change the PTR record for the client PC's external IP address.
Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.
Note: This is a very RARE issue.
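To check for this condition, compare the host label of the client's PTR record with the server's NetBIOS name. The following is an added example, not part of the original post; the function names are hypothetical, it assumes you know the remote client's public IP address, and it should be run on the SBS 2008 server (PowerShell 2.0 or later) so that the lookup uses the server's own DNS view.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Test-PtrMatchesServerName {
    # True when the host label of a PTR name equals the server's NetBIOS name.
    param(
        [string]$PtrName,
        [string]$ServerNetBiosName
    )
    $hostLabel = $PtrName.TrimEnd('.').Split('.')[0]
    $hostLabel -eq $ServerNetBiosName      # -eq on strings ignores case
}

function Get-ClientPtrCollision {
    # Resolves the PTR record of each client public IP and flags collisions
    # with the server name (defaults to the machine the script runs on).
    param(
        [string[]]$ClientPublicIp,
        [string]$ServerNetBiosName = $env:COMPUTERNAME
    )
    foreach ($ip in $ClientPublicIp) {
        $ptr = $null
        try { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        New-Object PSObject -Property @{
            ClientIp = $ip
            PtrName  = $ptr      # stays empty when no PTR record resolves
            Collides = [bool]($ptr -and (Test-PtrMatchesServerName $ptr $ServerNetBiosName))
        }
    }
}

# The case from the post: PTR server01.contoso.com against NetBIOS name Server01,
# followed by a constructed non-matching name for comparison.
Test-PtrMatchesServerName -PtrName 'server01.contoso.com' -ServerNetBiosName 'Server01'
Test-PtrMatchesServerName -PtrName 'mail.contoso.com' -ServerNetBiosName 'Server01'

# Live lookup (placeholder address from the documentation range):
# Get-ClientPtrCollision -ClientPublicIp '203.0.113.10'
```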
8. TS Gateway Service known issues
TS Gateway Service Not Started After Restart in IIS Manager.
This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx
The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.
This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.
- If IPv6 has been improperly unbound from the network interface, you might get an error that states that the TS Gateway service is not installed. Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
- Client certificates has been set to Accept or Require under the SSL settings on the Rpc virtual directory. This must be set to Ignore.
- In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.
Additional RWW related links:
We have updated the SBS 2003 to SBS 2008 Migration Best Practices blog post with a few new recommendations. Please review the following post before attempting an SBS 2003 to 2008 migration: SBS 2008 Migrations from SBS 2003 – Keys to Success
Are you interested in hearing about how other IT pros are reacting to economic conditions and where they’re investing?
Do you have questions about Microsoft’s efforts to help IT be more cost effective and deliver new solutions to business?
Is there a connection between virtualization and cloud computing?
What is Microsoft doing in enterprise security?
On Tuesday, June 23rd from 10:30am - 11:00am (PDT), join a teleconference with Bob Kelly, corporate VP of Infrastructure Server Marketing. Bob will talk about the state of IT within the context of results from a new Harris Interactive study of 1,200 IT professionals from the U.S., United Kingdom, Japan and Germany. The study was commissioned by Microsoft's Server & Tools Business.
There will be time for your questions following the brief presentation. Submit questions over the phone or you can submit them at any time leading up to or during the teleconference by tweeting with the Twitter hashtag, #qs4ms.
If you are interested in attending, please REGISTER NOW. Once you open the invite box, you can save and close to your calendar.
[Today's post comes to us courtesy of Chris Puckett]
There are two places you can do this (copied below for your convenience).
To change the client time-out setting for Remote Web Workplace (default = 30 minutes)
- Open Registry Editor.
- Open the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal
  Note: If the RemoteUserPortal key does not exist, create it.
- Create the following DWORD (32-bit) value: PublicTimeOut
- In the Value data box, type the number of minutes that you want to elapse before the Remote Web Workplace session times out.
  Important: The value you enter should not be larger than 1440. Otherwise, Connect to a computer and Connect to a server will not function properly.
- Click OK.
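The registry change in the steps above, and the ShowAllComputers change described earlier for Terminal Servers, can both be scripted. The following is an added example, not part of the original posts: the function names are hypothetical, the lower bound of 1 minute is an assumption, and it must be run from an elevated PowerShell prompt on the SBS 2008 server.

```powershell
# Added example (not from the original posts). Function names are hypothetical;
# the key paths, value names and the 1440 limit are the ones given in the steps.
function Set-SbsRegistryDword {
    # Creates the key if it is missing, writes the value as a DWORD,
    # and returns what is stored afterwards so the caller can verify it.
    param(
        [string]$KeyPath,
        [string]$Name,
        [int]$Value
    )
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one of the wrong type.
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
}

function Set-RwwClientTimeout {
    # Sets the RWW client time-out (PublicTimeOut) in minutes.
    param([int]$Minutes)
    # Values above 1440 break "Connect to a computer" and "Connect to a server".
    # The lower bound of 1 is an assumption; the post states only the upper limit.
    if ($Minutes -lt 1 -or $Minutes -gt 1440) {
        throw "PublicTimeOut must be between 1 and 1440 minutes; got $Minutes."
    }
    Set-SbsRegistryDword `
        -KeyPath 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal' `
        -Name 'PublicTimeOut' -Value $Minutes
}

function Enable-RwwShowAllComputers {
    # Makes RWW list all computers in the domain, including Terminal Servers.
    Set-SbsRegistryDword `
        -KeyPath 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\BusinessProductivity' `
        -Name 'ShowAllComputers' -Value 1
}

# Usage (commented out so that loading the script changes nothing):
# Set-RwwClientTimeout -Minutes 30
# Enable-RwwShowAllComputers
```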
To change the server time-out setting for Remote Web Workplace (default = 20 minutes)
- On the Windows SBS 2008 server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
- At the User Account Control prompt, click Continue.
- In the left pane, double-click the name of the server to expand the tree.
- Double-click Sites to expand it, and then double-click SBS Web Applications to expand it.
- In SBS Web Applications Home, double-click Session State.
- In Cookie Settings, change the Time-out (in minutes) to the desired amount of time.
- Click Apply to save the changes.
If the client timeout value is GREATER THAN the server timeout value:
- The RWW page will log you off after the client timeout value and return you to the RWW logon page without displaying any message.
- If you opened OWA from the link within RWW, the OWA page will also be logged off and returned to the OWA logon page when you click anything within OWA.
- This is the default behavior in SBS 2008 with the default settings.
If the client timeout value is EQUAL TO or LESS THAN the server timeout value:
- The RWW page will log you off after the client timeout value and display a message indicating this.

- If you opened OWA from the link within RWW, the OWA page will remain open until the OWA idle timeout is reached (default is 15 minutes).
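The client time-out procedure and the behaviour rules above can be combined into one check. This is an added example, not code from the original post; the function name, the lower bound of 1 minute and the `-ServerTimeoutMinutes` parameter (the value you have set in IIS Session State) are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
function Set-RwwClientTimeout {
    param(
        [int]$Minutes = 30,               # client time-out to write (PublicTimeOut)
        [int]$ServerTimeoutMinutes = 20   # assumption: value currently set in IIS Session State
    )

    # The post caps the value at 1440; the lower bound of 1 is an assumption.
    if ($Minutes -lt 1 -or $Minutes -gt 1440) {
        throw "PublicTimeOut must be between 1 and 1440 minutes (got $Minutes)."
    }

    $key = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\RemoteUserPortal'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null      # create the key if it is missing
    }
    # -Force overwrites an existing PublicTimeOut value
    New-ItemProperty -Path $key -Name 'PublicTimeOut' -PropertyType DWord `
        -Value $Minutes -Force | Out-Null

    # Read back what was stored and describe the behaviour listed in the post.
    $stored = (Get-ItemProperty -Path $key).PublicTimeOut
    if ($stored -gt $ServerTimeoutMinutes) {
        "Client $stored min > server $ServerTimeoutMinutes min: silent return to the RWW logon page; OWA opened from RWW is logged off on the next click."
    } else {
        "Client $stored min <= server $ServerTimeoutMinutes min: RWW shows a time-out message; OWA opened from RWW stays open until its own idle time-out."
    }
}

Set-RwwClientTimeout -Minutes 15 -ServerTimeoutMinutes 20
```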
More Information
For more information on configuring the OWA idle timeout see the following links on TechNet:
For more information on configuring the CompanyWeb idle timeout see the following link: How to Change the CompanyWeb Timeout in SBS 2008 on The Official SBS Blog. The RWW timeout does not affect the CompanyWeb timeout that is defined in the default master page.
[Today's post comes to us courtesy of Justin Crosby, Shawn Sullivan, and Mohammed Sabir Chandwale]
You may receive the following error when trying to install SQL Server 2005 on an SBS 2008 server:
Microsoft SQL Server 2005 Setup
SQL Server Setup failed to modify security permissions on the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.#\MSSQLServer\SuperSocketNetLib for user <username>.
You will also notice the following entries in the SQL setup log (C:\Program Files (x86)\Microsoft SQL Server\90\Setup Bootstrap\LOG\Files\SQLSetup000#_ServerName_SQL.txt)
Configuring ACL:
Object: HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\MSSQLServer\SuperSocketNetLib
ACL: (A;CI;KR;;;[SQLServer2005SQLBrowserUser$WIN-EUGSO7LO7PY])(A;CI;KR;;;SY)
Action: 0x100
Failed ACL:
ReplaceSDDLSid is failed at the error code 1332; Converted SDDL: '(A;CI;KR;;;[SQLServer2005SQLBrowserUser$WIN-EUGSO7LO7PY])(A;CI;KR;;;SY)'
Error Code: 0x80077344 (29508)
Windows Error Text: Source File Name: sqlca\sqlsddlca.cpp
Compiler Timestamp: Tue Sep 13 01:08:29 2005
Function Name: ExceptionInSDDL
Source Line Number: 65
Resolution
Once you get this error you must click Abort to cancel and roll back the SQL installation. Once the SQL install finishes the rollback, you must make the following registry change:
- Click Start, click All Programs, click Accessories, and then click Run.
- Type regedit, and then click OK.
- At the User Account Control prompt, click OK.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Machines.
- Double-click OriginalMachineName, and then change the OriginalMachineName value name to the current server name. (An easy method to find the current server name is to use the hostname command from a command prompt.)
- Click OK.
Once this registry key has been updated you should be able to install SQL 2005 without error. We recommend that you install your LOB applications and SQL instances on the 2nd server included with SBS 2008 Premium for best performance.
For more information please see: http://technet.microsoft.com/en-us/library/cc794697(WS.10).aspx.
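Error code 1332 in the log is the Win32 error ERROR_NONE_MAPPED (no mapping between account names and security IDs). The added example below, which is not from the original post, extracts the machine name embedded in the failing SDDL entry and compares OriginalMachineName with the current server name before you retry setup. The function names are hypothetical, the sample line is constructed from the log excerpt above, and the link between the bracketed machine name and OriginalMachineName is an assumption based on the resolution steps.

```powershell
# Added example, not from the original post.
# Constructed sample: the failing line from the setup log excerpt above.
$sampleLog = @'
ReplaceSDDLSid is failed at the error code 1332; Converted SDDL: '(A;CI;KR;;;[SQLServer2005SQLBrowserUser$WIN-EUGSO7LO7PY])(A;CI;KR;;;SY)'
'@

# Return machine names embedded in [Group$MACHINE] SDDL placeholders that
# differ from the expected server name (comparison is case-insensitive).
function Get-SddlMachineMismatch {
    param([string]$LogText, [string]$ExpectedName)
    $pattern = '\[[^\]\$]+\$([^\]]+)\]'
    $found = @()
    foreach ($m in [regex]::Matches($LogText, $pattern)) {
        $name = $m.Groups[1].Value
        if ($name -ne $ExpectedName -and $found -notcontains $name) { $found += $name }
    }
    return $found
}

# Compare OriginalMachineName with the current name; write only when -Fix is given.
# The key path is the one given in the post.
function Test-SqlOriginalMachineName {
    param([switch]$Fix)
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\90\Machines'
    if (-not (Test-Path $key)) { return "Key not found: $key" }
    $original = (Get-ItemProperty -Path $key).OriginalMachineName
    $current  = $env:COMPUTERNAME
    if ($original -eq $current) { return "OK: OriginalMachineName is $current" }
    if ($Fix) {
        Set-ItemProperty -Path $key -Name 'OriginalMachineName' -Value $current
        return "Updated OriginalMachineName from $original to $current"
    }
    return "Mismatch: OriginalMachineName=$original, current name=$current"
}

Get-SddlMachineMismatch -LogText $sampleLog -ExpectedName $env:COMPUTERNAME
Test-SqlOriginalMachineName
```

Run `Test-SqlOriginalMachineName -Fix` from an elevated prompt only after the failed installation has finished rolling back.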
[Today's post comes to us courtesy of Justin Crosby]
We have noticed a few cases where customers are getting incomplete Microsoft Exchange Outlook Web Access sites. You will see a red X in place of images and the overall theme will look off.
This issue can also present itself as a blank screen when accessing https://remote.domain.com/owa.
Resolution
To resolve this issue install the latest Exchange 2007 Update Rollup. If it is already installed, the installation may be corrupt. In this case, you should reinstall the UR. At the time of this blog's writing the current UR is 8 which can be found here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e1f5c8b2-c4f2-4eba-849b-e464d4f2869c.
[Today's post comes to us courtesy of Rod White]
Customers are currently seeing issues where SBS 2008 servers receive faxes successfully, but faxes routed to email intermittently fail. You may also notice that the Fax service (fxssvc) crashes due to a CDO call. If you look within the Fax and Scan Console, the Incoming queue folder may show that faxes are in a retry or failed state.
In normal troubleshooting you would enable protocol logging for the "Windows SBS Fax SharePoint Receive Connector" within Exchange Management Console and wait for the failure to occur. However, this time logging shows nothing. The reason for this is that the faxes are failing before the connection to Exchange 2007 so nothing is logged.
At the time of the errors, the fax server will continue to route to Folders, Printers, and SharePoint. Faxes are also routed to the Archive folder on the server. Note that customers are not losing faxes; only the notification through email fails.
Log Name: Application
Source: Microsoft Fax
Event ID: 32083
Task Category: Inbound
Level: Error
Description:
Unable to route fax C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\1C9BEB28C4E2F.tif to the requested e-mail address.
The following error occurred: 0x80040211
This error code indicates the cause of the error.
Check the SMTP server configuration, and correct any anomalies.
0x80040211 translates to CDO_E_SMTP_SEND_FAILED
Log Name: Application
Source: Microsoft Fax
Event ID: 32089
Task Category: Inbound
Level: Error
Description:
The Fax Service failed to execute a specific routing method. The service will retry to route the fax according to the retries configuration. If the retries fail, verify routing method configuration.
Job ID: 0x0401c9beb28c4e2f.
Received on Device: 'Courier V.Everything EXT PnP (V90-x2)'
Received file name: 'C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\1C9BEB28C4E2F.tif'.
Routing extension name: 'Microsoft Routing Extension'
Routing method name: 'Route through e-mail'
Log Name: Application
Source: Microsoft Fax
Event ID: 32078
Task Category: Inbound
Level: Error
Description:
A successfully received fax was not routed automatically. You can find the fax in the Inbox/Incoming archive folder by its Job ID. Job ID: 0x0401c9be065c1fd1. Received on Device: 'Courier V.Everything EXT PnP (V90-x2)'
Resolution
We are currently tracking this issue, but are unable to provide a solution at this time. If you experience the symptoms in this article, please contact Microsoft Support at 1.800.936.4900. As always, if the issue is determined to be a bug, there is no charge for the support incident. To verify that you have the issue we are currently investigating, try restarting the Fax service. If email routing starts working (for a while, not a permanent fix) you probably have the issue under investigation.
[Today's post comes to us courtesy of Kim Oehmichen]
We have recently seen a few cases where creating a new user with the Add a New User Account wizard from the SBS Console does not create the respective Exchange 2007 mailbox.
The wizard finished with the following warnings:

In these cases the AddUser.log (C:\Program Files\Windows Small Business Server\Logs) indicated that the default Mailbox Database was not found:
[8120] 090515.192332.7283: Messaging: MessagingTaskException: Unable to find default mailbox database with name [Mailbox Database] - Check access and verify if mailbox database exists - Error# (80004)
[8120] 090515.192332.7595: AdminTME: Status: TaskId = MessagingTasks.TaskCreateMailbox, RootTaskId = TaskCreateUser, Success: True, Warning: True, Continue: True, Message: Unable to find default mailbox database. Make sure mailbox database exists and you have access to view the database.
This issue will occur when the First Storage Group database name is changed from the default as seen below:

Resolution
- Open the Exchange Management Console
- Expand Server Configuration and select Mailbox
- Open the Mailbox Database Properties of the First Storage Group in the Database Management tab
- On the General tab, ensure that the name of the database is Mailbox Database
- Apply the change and click OK
Now the Add a New User Account wizard from the SBS Console will successfully create an Exchange mailbox for the user when run. Note: You will need to manually create a mailbox for any users that were created without mailboxes, while the wizard was in the broken state.
[Today's post comes to us courtesy of Rod White]
When an administrator attempts to create or delete a user within the SBS 2008 Console, they may get an error and a "View Warning Details" link. Reviewing the details shows two warnings:
- Administrator <Admin name> does not have Exchange administrator rights.
- Mailbox does not exist for recipient of welcome mail.
When removing a user account the wizard will hang with the error below:
You will also get the following errors in the C:\Program Files\Windows Small Business Server\Logs\Adduser.log file:
Messaging: MessagingTaskException: Insufficient privledge, not a member of an Exchange administrator group - Error# (80010)
AdminTME: Status: Tasked = MessagingTasks.TaskCreateMailbox, RootTaskId = TaskCreateUser, Success: True, Warning: True, Continue: True, Message: Administrator Robert Brown does not have Exchange administrator rights.
Resolution
- Open AD Users & Computers > double click the <Admin User name> you are logged on as
- Select the Member Of tab
- Verify the Primary Group attribute. If the Primary Group is set to Domain Admins then you'll need to change it to Domain Users.
- Within the Member of list box, highlight the Domain Users group and click the Set Primary Group button.
You should now be able to run the wizards without error.
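The Primary Group shown on the Member Of tab is stored on the user object as the primaryGroupID attribute, which holds the group's RID: 512 for Domain Admins and 513 for Domain Users. The added example below, which is not from the original post, lists every account in the domain whose primary group is Domain Admins so they can be corrected with the steps above. The function name is hypothetical, and the Domain Users membership check assumes the group has its default English name.

```powershell
# Added example, not from the original post. Run on a domain-joined machine.
function Get-DomainAdminsPrimaryGroupUsers {
    # primaryGroupID holds the RID of the primary group:
    # 512 = Domain Admins, 513 = Domain Users.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(primaryGroupID=512))'
    $searcher.PageSize = 500
    foreach ($attr in 'samaccountname', 'distinguishedname', 'memberof') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    foreach ($r in $results) {
        # The primary group never appears in memberOf, so Domain Users shows up
        # here only if the account is still an ordinary member of it.
        # Assumption: the group carries its default English name.
        $inDomainUsers = $false
        foreach ($dn in @($r.Properties['memberof'])) {
            if ($dn -like 'CN=Domain Users,*') { $inDomainUsers = $true }
        }
        "{0}`t{1}`tDomainUsersMember={2}" -f `
            $r.Properties['samaccountname'][0],
            $r.Properties['distinguishedname'][0],
            $inDomainUsers
    }
    $results.Dispose()
}

Get-DomainAdminsPrimaryGroupUsers
```

An account reported with DomainUsersMember=False must be added to Domain Users before the Set Primary Group button can select that group.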
[Today's post comes to us courtesy of Justin Crosby]
Windows 2008 SP2 and Vista SP2 have been released. Windows 2008 SP2 should be installed on SBS 2008. You can download the X64 version of SP2 here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=656c9d4a-55ec-4972-a0d7-b1a6fedf51a7 or use Windows Update. As with any update, you should be sure to take a good backup prior to installing. SP2 will require a reboot so plan accordingly. For more information on Windows 2008/Vista SP2 please see: http://technet.microsoft.com/en-us/windowsserver/dd727510.aspx.