[Today’s post comes to us courtesy of Mark Stanfill]
The SBS Add a Trusted Certificate wizard may fail to display a certificate that is correctly installed in the certificate store if the subject field of the certificate is missing. This happens because some third-party certificate authorities (CAs) issue certificates with a blank subject. The Subject Alternative Name field is used to designate the fully qualified domain name (FQDN) of the certificate instead. This article documents how to manually install these types of certificates.
The behavior that you will see is that the certificate will be correctly installed in the computer’s personal certificate store, but will not show up in the Add a Trusted Certificate Wizard. In the example screenshots below, the external URL being published is remote.contoso.com.
Workaround
To use the certificate, you will need to manually assign it to the web site in IIS. The instructions below assume that the certificate Subject Alternative Name matches the Internet Domain Name on the Network\Connectivity tab of the Windows SBS Console. If the name does not match, first run the Internet Address Management Wizard (IAMW) by clicking on the Set up your Internet address link in the console. This will assign a self-signed certificate temporarily, but also makes other important configuration changes.
Use these steps to assign the certificate:
1. Log on to the SBS server as an administrator and launch the Internet Services Manager (IIS Manager) console.
2. Select the SBS SharePoint site and click on Bindings…
3. Select https and click Edit…
4. Select your certificate from the drop-down list under SSL certificate:. Click View… to verify that the certificate is correct based on the Subject Alternative Name field, issuer, etc.

5. Repeat steps 2-4 for the SBS Web Applications SSL binding on port 443.

6. Obtain the thumbprint of the newly installed certificate by opening an elevated Exchange Management Shell prompt and typing the command Get-ExchangeCertificate. The newly installed certificate should have no services assigned to it. Verify the thumbprint value from Exchange Management Shell against the properties of the actual certificate.


7. Copy the certificate thumbprint from step 6 and run the command:
Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services "POP, IMAP, IIS, SMTP"
Where <THUMBPRINT> is the actual thumbprint. When prompted to overwrite the existing services, answer A for all.

8. Verify the Terminal Services Gateway certificate settings. Launch the TS Gateway Manager from START\All Programs\Administrative Tools\Terminal Services\TS Gateway Manager. Right-click on the SBS server name and choose Properties. On the SSL Certificate tab, click on Browse Certificates… and select the appropriate certificate.
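A check that supports steps 4 and 6, as an added example that is not part of the original post: it lists the certificates in the computer's personal store, flags those with a blank subject, and tests the Subject Alternative Name against the published FQDN. The FQDN is the article's sample name, and Get-SanText and Test-SanMatch are hypothetical helper names.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the SBS server. $ExpectedFqdn is the article's sample name.
$ExpectedFqdn = 'remote.contoso.com'
$SanOid       = '2.5.29.17'          # OID of the subjectAltName extension

function Get-SanText($Certificate) {
    # Formatted SAN extension, or '' when the certificate has none.
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq $SanOid) { return $ext.Format($false) }
    }
    return ''
}

function Test-SanMatch([string]$SanText, [string]$Fqdn) {
    # Format() returns entries such as "DNS Name=remote.contoso.com, DNS Name=...".
    # The label before '=' is localized, so only the value after it is compared.
    foreach ($entry in $SanText.Split(',')) {
        $eq = $entry.IndexOf('=')
        if ($eq -lt 0) { continue }
        $name = $entry.Substring($eq + 1).Trim()
        if ($name -ieq $Fqdn) { return $true }
        # A wildcard entry covers exactly one extra label: *.contoso.com
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)             # ".contoso.com"
            $dot    = $Fqdn.IndexOf('.')
            if ($dot -gt 0 -and $Fqdn.Substring($dot) -ieq $suffix) { return $true }
        }
    }
    return $false
}

# One record per certificate in the computer's personal store.
# Choose the entry with MatchesFqdn = True and HasPrivateKey = True (an SSL
# binding needs the private key); its Thumbprint is the value step 7 expects.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, Issuer, NotAfter, HasPrivateKey,
        @{ Name = 'BlankSubject'; Expression = { [string]::IsNullOrEmpty($_.Subject) } },
        @{ Name = 'San';          Expression = { Get-SanText $_ } },
        @{ Name = 'MatchesFqdn';  Expression = { Test-SanMatch (Get-SanText $_) $ExpectedFqdn } } |
    Format-List
```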

Please visit Sean Daniel’s blog at the following link for information on what labs are available and how to get started:
http://sbs.seandaniel.com/2009/11/windows-sbs-2008-hands-on-labs.html
[Today's post comes to us courtesy of Shawn Sullivan]
In Exchange 2007, anti-spam processing is performed by a series of Transport Agents. All Exchange 2007 anti-spam Transport Agents, except for Attachment Filtering, are enabled during SBS Setup. Because Attachment Filtering is only available on the Edge Transport role, SBS 2008 gives you the option to install a 120 day trial version of Forefront Security for Exchange during setup, which provides this service as well as anti-virus processing. Out of the box, SBS 2008 offers strong protection against spam while minimizing false positives. However, it is open to customization as determined by the needs of your organization.
The following is an example of the Exchange PowerShell command Get-TransportAgent from a default installation of SBS 2008:

NOTE: The Transport Rule Agent, Journaling Agent, and the AD RMS Prelicensing Agent are configured by default but do not perform anti-spam processing.
SBS 2008 also configures Exchange to automatically update the anti-spam Transport Agents from Microsoft Update. New versions are published every two weeks. This process occurs independently of WSUS.
IMPORTANT: In order to download update definitions for anti-spam, you are required to have either an Exchange 2007 Enterprise CAL for each user mailbox or a Forefront Security for Exchange license. If you have not purchased a Forefront Security for Exchange license before the 120 day trial period expires, your anti-spam agents will no longer be updated. You will be notified in both the Windows SBS console and the Forefront Security console when the trial has expired.
Get-AntispamUpdates

Anti-Spam Agents by Priority (First to Last)
Connection Filtering consists of the IP Allow List, Block List, and the online service provider for both. It is enabled by default, but the lists are blank. This is open for your customization. IP addresses that are explicitly allowed through this filter will bypass all subsequent anti-spam processing. Those that are blocked will be unable to submit email to the server.
To add entries to the IP Allow and IP Block List, expand Server Configuration > Hub Transport > Anti-Spam:

To add entries to the IP Allow and IP Block List Providers, expand Organization Configuration > Hub Transport > Anti-Spam:

For more information on adding providers, see http://technet.microsoft.com/en-us/library/bb124369.aspx
Content Filtering is responsible for stamping each email message that traverses the transport pipeline with a Spam Confidence Level (SCL) value, which ranges from -1 (trusted internal servers) to 9 (highest probability of spam). By default, messages that have an SCL of 7 or greater are rejected, which will inform the sender of the failure through a 550 5.7.1 error upon submission. No custom words or exceptions are configured by default; however, you may add these as needed. You may also change the SCL threshold and the action taken when it is met or exceeded:

Sender ID Filtering will query public DNS against every connecting SMTP server and check for the existence of a Sender Policy Framework (SPF) record. Essentially, SBS will use this record to compare the SMTP domain sent during MAIL FROM and the IP Address that the connecting SMTP server is using. If the IP address is not on the list of acceptable sending servers for the SMTP domain, the Sender ID Filter will stamp this failure on the message, which is then taken into consideration by the Sender Reputation Filter (see below):

For more information on the Sender Policy Framework, see http://www.microsoft.com/downloads/details.aspx?familyid=D8A174B1-697C-4AEA-9C92-2E70A013C30B&displaylang=en
To verify or create an SPF record for your domain, use the following wizard: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
Sender Filtering is set to block messages from blank senders by default. You may add individual senders or entire domains to this list as needed:
Recipient Filtering is set to block messages sent to recipients who are not in the Global Address List. Exchange will inform the sending SMTP server, upon the RCPT TO command, that the recipient is invalid. You may choose to add further recipients who are in the GAL to this list:

Sender Reputation Filtering (Protocol Analysis Agent) builds a confidence profile of each sending server based on the following tests:
- Passing or failing the Sender ID check
- Analysis of the EHLO/HELO statement for signs of forgery. This includes frequently changing domain names from the same IP, passing an IP address in the statement that does not match the connecting IP, or passing a domain name that appears to be in the same internal Exchange organization but is coming from a remote server.
- An SCL history of messages sent from a particular IP Address.
- A reverse DNS lookup is performed to determine if the PTR record for the connecting IP Address matches the domain name submitted during EHLO/HELO.
- An open relay test is performed by Exchange through the connecting SMTP server.

All of this information is combined to form a Sender Reputation assignment level from 0 (minimum) to 9 (maximum). By default, sending IP addresses that meet or exceed 7 will be added to the IP Block list for 24 hours. If after 24 hours the sender is flagged at 7 or higher, it will again be added for another 24 hours.

Special consideration must be taken when your email is hosted at another location or processed by an SMTP gateway. The following post will explain the action you must take to prevent Sender ID/Sender Reputation from blocking the hosting IP addresses as they submit mail to your server: http://blogs.technet.com/sbs/archive/2008/11/24/how-to-setup-Anti-Spam-in-exchange-2007-when-using-a-mail-hosting-company.aspx
Forefront Security for Exchange Routing Agent details will be included in an upcoming blogpost.
How to Monitor Agent Activity
Dedicated logging for Transport Agent activity is kept in “%ProgramFiles%\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog”. There is no GUI reporting provided by Exchange for the data contained in these logs. However, you can view them in Notepad, Excel, or if you are feeling adventurous you can try Log Parser:
http://msexchangeteam.com/archive/2007/11/28/447598.aspx
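A way to summarize these logs without a GUI, as an added example that is not part of the original post: it parses agent log text using the file's own #Fields: header and counts rejections per agent and per sending IP. The sample lines, their column names (Agent, Action, Reason, RemoteEndpoint) and the function names are constructed for illustration, and the script assumes PowerShell 2.0 or later for ConvertFrom-Csv.

```powershell
# Added example, not from the original post. Sample data below is constructed.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: Agent Log
#Fields: Timestamp,RemoteEndpoint,P1FromAddress,Recipient,Agent,Event,Action,SmtpResponse,Reason
2009-11-02T09:14:03Z,192.0.2.25:4312,a@example.net,info@contoso.com,Connection Filtering Agent,OnMailCommand,RejectCommand,550 5.7.1,LocalBlockList
2009-11-02T09:15:40Z,198.51.100.7:2201,b@example.org,sales@contoso.com,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1,SclAtOrAboveRejectThreshold
2009-11-02T09:15:58Z,198.51.100.7:2207,b@example.org,nobody@contoso.com,Recipient Filter Agent,OnRcptCommand,RejectCommand,550 5.1.1,RecipientDoesNotExist
2009-11-02T09:16:12Z,203.0.113.9:5120,c@example.com,info@contoso.com,Sender Id Agent,OnEndOfHeaders,StampStatus,,Pass
2009-11-02T09:17:31Z,198.51.100.7:2260,d@example.org,info@contoso.com,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1,SclAtOrAboveRejectThreshold
'@ -split "`r?`n"

function ConvertFrom-AgentLog([string[]]$Line) {
    # Column names come from the '#Fields:' comment line, so the parser
    # follows whatever layout the log file itself declares.
    $header = $null
    $rows   = @()
    foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {
            $header = $l.Substring(8).Trim().Split(',')
        } elseif ($l -and -not $l.StartsWith('#')) {
            $rows += $l
        }
    }
    if (-not $header) { throw 'No #Fields: line found in the log text.' }
    $rows | ConvertFrom-Csv -Header $header
}

function Get-RejectSummary($Entry) {
    # Rejections grouped by the agent that acted and the reason it logged.
    $Entry | Where-Object { $_.Action -like 'Reject*' } |
        Group-Object Agent, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-TopRejectedSender($Entry, [int]$Top = 10) {
    # Sending IPs with the most rejections; the ':port' suffix is dropped.
    $Entry | Where-Object { $_.Action -like 'Reject*' } |
        Group-Object { $_.RemoteEndpoint -replace ':\d+$', '' } |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

$entries = ConvertFrom-AgentLog $sample
Get-RejectSummary     $entries | Format-Table -AutoSize
Get-TopRejectedSender $entries | Format-Table -AutoSize

# Against the real logs (directory from the article; the *.log filter is an assumption):
# $dir     = "$env:ProgramFiles\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog"
# $entries = ConvertFrom-AgentLog (Get-ChildItem $dir -Filter *.log | Get-Content)
```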
Junk Email and SCL Thresholds for Outlook
By default, the global SCL threshold for junk email for all Outlook users is 8 (NOTE: On SBS 2008, only Outlook 2000 SP3 and higher clients are allowed to connect to Exchange). However, any messages that receive a 7 or higher will be rejected by the Content Filter before they reach the mailbox. To display the current setting, use the Get-OrganizationConfig | fl SCLJunkThreshold command. To adjust this value between 0-9, use the Set-OrganizationConfig -SCLJunkThreshold <integer> command.

Individual SCL thresholds and actions can be configured at the per-mailbox level. Email that is not rejected, deleted, or quarantined by the Exchange Anti-Spam Agents can be further filtered by these settings. Options here are delete, reject, junk, or have the email quarantined. By default, this is not configured in SBS 2008 for any mailbox but is open for customization. Further information on adjusting these settings can be found here:
http://technet.microsoft.com/en-us/library/bb123559.aspx
NOTE: To enable Outlook to quarantine messages, you must specify a quarantine mailbox for the organization. Run the Set-ContentFilterConfig -QuarantineMailbox <MailboxEmailAddress> command from the Exchange PowerShell. It is advisable to create a dedicated mailbox for this function so you can impose a retention policy on it.
To display the current settings for all mailboxes, use Get-Mailbox | ft Name, *SCL*

Whitelists and Safelists for Senders and Domains
This can be configured at various points throughout Exchange. If the sending SMTP server’s IP address is not in the IP Allow List or listed as an internal SMTP server, it will be subject to Content Filtering, Sender-ID, and Sender-Reputation.
You can set individual whitelists on the Content and Sender ID filters. For Content Filtering, you can exclude individual senders (BypassedSenders) or entire domains (BypassedSenderDomains):
http://technet.microsoft.com/en-us/library/aa995952.aspx
For Sender ID, you can exclude entire domains (BypassedSenderDomains) and recipients (BypassedRecipients):
http://technet.microsoft.com/en-us/library/bb124506.aspx
NOTE: You cannot simply append entries to the whitelist in PowerShell. You must specify the entire list, separated by commas, in addition to the new entries.
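The read, merge and write-back sequence this note calls for, as an added example that is not part of the original post: it adds domains to the Content Filter whitelist while keeping the existing entries, and skips your own accepted domains because forged mail claiming those would otherwise bypass content filtering. The function name and the sample domains are hypothetical, and accepting only plain domain names is this example's own choice.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function Add-ContentFilterBypassDomain {
    param([string[]]$Domain)

    # Current whitelist as plain strings (empty when nothing is configured).
    $current = @((Get-ContentFilterConfig).BypassedSenderDomains |
                 Where-Object { $_ } | ForEach-Object { $_.ToString() })

    # Domains this organization accepts mail for. Whitelisting one of them
    # would let mail that forges your own domain skip content filtering.
    $own = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })

    $toAdd = @()
    foreach ($d in ($Domain | Sort-Object -Unique)) {
        $d = $d.Trim().ToLower()
        if ($d -notmatch '^([a-z0-9-]+\.)+[a-z]{2,}$') {
            Write-Warning "Skipped (not a plain domain name): $d"; continue
        }
        if ($own -contains $d) {
            Write-Warning "Skipped (accepted domain of this organization): $d"; continue
        }
        if ($current -contains $d) { continue }      # already whitelisted
        $toAdd += $d
    }
    if ($toAdd.Count -eq 0) { return $current }

    # Pass the complete list: the existing entries plus the new ones.
    $merged = @($current + $toAdd)
    Set-ContentFilterConfig -BypassedSenderDomains $merged

    # Read the setting back so the reported list is what the server now holds.
    (Get-ContentFilterConfig).BypassedSenderDomains
}

# Constructed sample domains.
Add-ContentFilterBypassDomain -Domain 'fabrikam.com', 'partner.example'

# The Sender ID lists are changed with the same pattern through
# Get-SenderIdConfig and Set-SenderIdConfig.
```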
You can also employ Safelist Aggregation to collectively pull individual Outlook safelist configuration from your user’s mailboxes for global use. This is an effective way to quickly obtain a detailed grassroots list of safe senders and reduce false positives. More information is here:
http://technet.microsoft.com/en-us/library/bb125168.aspx
[Today's post comes to us courtesy of Roderick White and Shawn Sullivan]
By design, user accounts that do not belong to the Windows SBS Fax Administrators group are not able to manage the SBS 2008 Fax queue from the Windows XP Fax Console. This is due to the enhanced fax security configuration in Windows 2008, which requires you to create a fax account through Windows Fax and Scan on Vista or Windows 7 before managing the queue. This option is not available for Windows XP. However, users will still be able to send a fax from XP using applications such as Notepad, Word, and Outlook.
You can expect the following behavior when opening the Windows XP Fax Console as a domain user:
- An “All fax printers are inaccessible” error is displayed at the bottom right.
- No options to manipulate fax are available from the Menu Bar.
- No faxes are displayed in the Incoming, Inbox, Outbox, or Sent Items folders.
- A connection error is shown under Tools > Fax Printer Status
You can verify that you still have the ability to send a fax by doing the following:
- Open notepad and type a test message.
- Select File > Print > Select <Fax on Server> and select Print
- Complete the Send Fax Wizard
- Verify at the remote site that the fax was received successfully.
- You can also open Windows Fax and Scan on SBS 2008, Vista, or Windows 7 as Administrator after creating a fax account to verify the fax was sent. For more information on this, see http://technet.microsoft.com/en-us/library/dd346633(WS.10).aspx
We recommend that you do not change the default security configuration for SBS 2008 Fax Service. However, if decommissioning Windows XP is not an option and you require the ability for users to manage and send faxes from the XP Fax Console, you can take the following action:
- Click Start > Administrative Tools > Fax Services Manager
- Right-click on Fax (Local) and select Properties.
- Select the Security tab. You will have two options:
  - Select the individual domain user and give both Fax and Manage Fax Documents permission.
  - Select the Windows SBS Fax Users group and add the Manage Fax Documents permission. User accounts created by the SBS 2008 console will be members of this group by default.
Note: User accounts that have Manage Fax Documents permission will now have the same experience in the XP Fax Console that they would in Windows Fax and Scan. Besides the ability to send faxes, they will also see all unassigned faxes within the Inbox and see only faxes that they have sent in the Outbox and Sent Items.
[Today's post comes to us courtesy of John Bay, Richard Pulliam and Damian Leibaschoff]
When you connect to a share hosted on SBS 2003 from a Windows 7 client joined to the domain and you select “Restore previous versions” or the “Previous Versions” tab under properties of the share/folder, you get a view that shows snapshots with the incorrect time, with share names missing, and that cannot be restored. If you open the contents of the snapshot, you notice that you are actually viewing the CURRENT contents of the network share and NOT the stored contents of the shadow copy snapshot that is stored on the server.
This is the experience when opening the Previous Versions of a share:
And this is a sample when opening the properties of a folder inside the network share:
As mentioned before, Copy and Restore do not work as expected. Furthermore, opening the contents shows a view of the current content.
Resolution
To correct this issue, you have to remove the following registry value from your SBS 2003 server:
Before editing the registry make sure you have a working system state backup of the server.
- On your SBS 2003 server, open REGEDIT and navigate to the following location:
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters
- Right click on parameters and select Export.
- Once the export is completed, find the entry for DisableDownLevelTimewarp, select it and then delete it.
After deleting the value, re-test accessing the Previous Versions from your Windows 7 client. You should see the expected functionality of being able to access the existing shadow copy snapshots.
If you have XP clients, you need to make sure they have Service Pack 3 installed.
[Today's post comes to us courtesy of Damian Leibaschoff]
In the coming weeks you will notice that the SBS 2008 media will now include Windows Server 2008 Service Pack 2. This change will help improve the reliability of the newly deployed SBS servers, while at the same time, providing savings in terms of deployment time.
Other updates included with this release:
- OneCare for Small Business trial version is no longer included. Setup options and integration have been removed.
- Since the original launch of SBS 2008, the OneCare line of products has been replaced by Microsoft Security Essentials. This is a free download that is not designed for business environments; we will keep you posted on any future options for your SBS environment.
- New Migration Preparation Tool (SourceTool).
- In Join Domain (Migration) setup scenarios, the SBS 2008 setup will pause if it has detected that the Source Tool has not been completed successfully on the domain being joined.
The new Migration Preparation Tool (SourceTool)
This new tool is designed to be run on ANY type of source domain controller, not only SBS 2003. You should run this tool on the source domain controller that will be used in the migration. It is also mandatory to complete the installation and execution of the tool on the source domain for the SBS 2008 setup to continue past the pre-requirement checks. The tool itself still performs the same tasks as before, mainly these 4 tasks on the source domain (as needed based on the presence of SBS or not):
- Installs update 943494 on the SBS 2003 server to extend the migration grace period from 7 to 21 days.
- Runs ADPREP to update the forest, domain, and group policy object access control entries.
- Changes Exchange 2003 from Mixed mode to Native mode.
- Adds the Authenticated Users group to the Pre-Windows 2000 security group.
New to the Migration Preparation Tool is the ability to get updates from Microsoft during execution. We plan to add additional functionality to the tool so that it can perform health checks on the source server and domain. The additional functionality will be pushed down to the tool once it is installed by selecting the option to allow updates when launching it. We will notify the blog once new features are added.
Once all the tasks are completed, the source domain controller will be marked as ready for the migration.
The new Migration Preparation Tool can be found in the same place as before, on your SBS 2008 Standard DVD (DVD 1), under the \tools folder. An important change that needs to be noted is that the new tool has an installation package (SourceTool.MSI) while the existing one is a standalone executable. This MSI package needs to be installed on the source domain controller. The new tool must be used with the new media. The new tool will work with older media, but not the other way around. Furthermore, the new Migration Preparation Tool will be made available for download for easier access and use when only older media is present.
The main goal is to make sure that the source domain is healthy for a successful migration. For more information regarding migrations, please read the following post <SBS 2008 Migrations from SBS 2003 – Keys to Success>
Installing the tool on the source domain controller:
<DVD #1>:\Tools
Running the tool:
Remember to always select “Download and install updates (recommended)”. These updates are ONLY for the Migration Preparation Tool and will include newer health checks in future updates.
Remember, this tool will now be mandatory when using the updated SBS media, so make a point of making that backup of the source server also a mandatory step.
This is the new text when running on a NON-SBS server.

How do you manage your small business through the currents of today? Between the current flu epidemic and the possibility of natural disasters occurring in your area, are you prepared for your workers to be out of the workplace, possibly for weeks? Windows Small Business Server with Remote Web Workplace can help.
This year we face a potential global workplace crisis as the Swine (H1N1) flu re-emerges. According to the Washington Post, “Swine flu could infect half of the U.S. population this fall and winter…” As mentioned in the Huffington Post, “Millions of businesses are developing contingency plans and continuity of operation plans to keep their businesses and operations going if and when critical employees are out…In just a few weeks, a significant number of American businesses could have their operations negatively affected by swine flu.”
We understand that small businesses are struggling with how to enable their employees to be productive especially when they are not able to physically be at the office. In this time of worldwide illness we see that many are looking to technology to create a collaborative working experience where employees can be productive no matter where they are or what device they have to engage with. Many of today’s business challenges can be greatly reduced with help from technology solutions like Windows Small Business Server with its Remote Web Workplace feature.
Remote Web Workplace (RWW) is essentially a web site page that provides a simple, single, secure entry point into your Small Business Server 2008 network. Authorized employees can connect to Remote Web Workplace using any device connected to the Internet. If you know how to surf the internet, you can use Remote Web Workplace. This means that employees can be productive from wherever they need to be, not only at the office.
Is your small business prepared? Find out more about how Windows Small Business Server 2008 with Remote Web Workplace can help your business. If you’re interested, you can try SBS 2008 today for free by visiting our product site; find a Microsoft Small Business Specialist who can assist you with the planning & implementation of your Windows Small Business Server or join the SBS community on Facebook.
[Today's post comes to us courtesy of Dave Berkowitz]
We are nearing the point where Windows Server 2008 R2 is going to be unleashed on the world, providing a host of new capabilities that will help dial down costs and improve productivity.
One of the key features we’ve discussed in this blog is how Windows Server 2008 R2 and Windows 7 both offer features, primarily DirectAccess and BranchCache, for more effective and cost efficient management of remote workforces.
Most of us think of mobility as a large enterprise issue, which makes sense. After all, larger companies have the financial wherewithal to effectively plan, deploy and manage the infrastructure needed to provide employees with secure access to their email, files, company intranet or necessary applications.
But that doesn’t mean that mid-sized organizations don’t have the same or similar needs. In fact, the number of full-time employees performing their jobs remotely at least part of the time rose 39 percent from 2006 through 2008, or about 17.2 million employees, according to a recent WorldatWork study. Similarly, a majority of Microsoft Small Business Specialists said earlier this year that, despite economic conditions, they expected their SMB customers to actually increase their remote worker base this year, according to the 2009 Microsoft SMB Insight Report.
Unlike larger enterprise organizations, the challenge for small businesses is that they don’t always have the financial means, time or staffing to easily roll out a mobile solution. And the challenge for mid-sized businesses is that they don’t always have an extensive staff to quickly deploy and manage remote operations. Typically, it’s just one or two IT professionals who are over-tasked with putting out fires and running from desktop-to-desktop troubleshooting issues. Add remote access to the mix, and you’re talking a pretty incendiary situation.
Fortunately, Microsoft has a solution to address scenarios for small- and mid-sized businesses.
Drawing on Microsoft’s strength in helping customers implement technology that is familiar, easy to use and works well together, we released Windows Small Business Server (SBS) 2008, which is primarily for small businesses, and Windows Essential Business Server (EBS) 2008, which primarily serves mid-sized business. Think of these solutions as central hubs to help SMB employees connect to their information, calendars, and important business applications -- whether in the office, at a customer site, or on the soccer field. The great thing about these solutions is that we did all of the tough integration work that large enterprises often hire IT specialists to handle, so remote access is enabled as soon as you set up your server.
SBS 2008 and EBS 2008 are important parts of the Windows Server family, and we are fully committed to expanding the capabilities of these solutions to meet the needs of our SMB customers. In fact, we are currently hard at work building the next versions of Windows SBS and Windows EBS. We’ll have more on that at a later date.
The important thing to know today is that customers continue to benefit from these editions, which we released in November 2008. If you’re interested, you can try SBS 2008 today for free by visiting our product site or join the SBS community on Facebook. Similarly, you can try EBS 2008 today for free by visiting that product site or join the EBS community on Facebook.
[Today's post comes to us courtesy of Becky Lymberis]
Small business owners understand how challenging it can be to run a productive business where customers are satisfied and employees are enabled to deliver high quality service. Today’s business environment is competitive and staying ahead requires a renewed commitment to satisfying existing customers while delighting new ones. Many small business owners tell us they are working harder and longer than ever before, often sacrificing time with their family to keep their business healthy. They are always relieved to hear that there are affordable solutions that help them to increase the productivity of their business while enabling them to stay connected to everyone within their network (customers, employees and family). Windows Small Business Server 2008 (SBS) can be thought of as the central hub for the small business that helps them get connected to their information, calendars, and important business applications whether in the office, at a customer site, or on the soccer field. SBS gives people the flexibility to work from anywhere.
SBS 2008 was designed for the needs of small businesses. Many larger organizations have the skills and resources ($$$) to set up and integrate all the right things to enable their workers to have secure access to their email, files, company intranet or necessary applications. Small businesses have similar needs for remote access but don’t have the same level of resources as larger companies. Therefore we did all of the hard integration work in the SBS 2008 solution, so remote access is available immediately once your server is set up. We enable this through a really simple to use feature called Remote Web Workplace. Remote Web Workplace (RWW) is essentially a web site page that provides a simple, single, secure entry point into your Small Business Server 2008 network. Authorized employees can connect to Remote Web Workplace using any device connected to the Internet. If you know how to surf the internet, you can use Remote Web Workplace.

What does that mean for your business? With SBS 2008 Remote Web Workplace enabled you and your employees can be connected and productive even while out of the office. SBS 2008 works great with Windows phones, so you can share, update, change and manage your calendar and email, view and update proposals or documents from your mobile device. Remote workers can use the internet from any device to access business information and applications, including e-mail, shared folders and files. They can even remotely connect to their desktop computer at the office. With Remote Web Workplace, anyone who needs to be offsite can enjoy a productive experience similar to their office counterparts.
Setting your business up with the infrastructure to support remote working may become a necessary fact of life for many small businesses. Between storms, illness, telecommuting and travel there are plenty of times that your employees may be unable to get into the office. Looking toward the future consider this statistic – according to a recent WorldatWork study, the number of full-time employees performing their jobs remotely at least part of the time rose 39 percent from 2006 through 2008, that equals approximately 17.2 million employees! If you have Small Business Server 2008 with Remote Web Workplace, your employees can be away from the office and keep the business running by staying connected and productive.
Many small businesses are benefiting from a server, even those with as few as 2 to 3 PCs and SBS 2008 was designed specifically for businesses with 75 or fewer PCs or users. If you’re interested you can try SBS 2008 today for free by visiting our product site.
SBS 2008 software can be purchased through a variety of channels such as Microsoft Small Business Specialists, retailers, or preinstalled on a server. Full solutions with server hardware can be purchased through a local system builder or major OEM (Original Equipment Manufacturer) such as Dell or HP for as little as $1,299. You can visit our product site for more information on “How to Buy SBS 2008” or visit one of our partners directly.
Boost your productivity and responsiveness with Windows Small Business Server 2008, whether you are out of the office, at home or on the road. Windows Small Business Server 2008 helps you stay plugged in and connected to your business.
We’d love to hear from you! Please join our community on Facebook.
[Today's post comes to us courtesy of Mark Stanfill, Justin Crosby, Damian Leibaschoff, and Charanjeet Singh]
While upgrading to Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) on Windows Small Business Server 2008, you will be presented with the WSUS Configuration Wizard. You should not need to make changes to any section of this wizard except for the Choose Languages section. Making a change to any other section of the wizard may break the SBS console to WSUS integration.
By default only the default operating system language is selected. You must manually select any other language you wish to support. If you are running a non-English version of SBS you MUST ALWAYS select English in addition to your native language. You must include English because some updates are only released in English.
For example on a German (Deutsch) server:
After WSUS 3.0 SP2 installation, WSUS Server Configuration Wizard appears. The ‘Choose Languages’ (‘Sprachen auswählen’) page of the wizard only has the Server OS language (Deutsch/German) selected. You must also select English before clicking next.
Warning: Selecting a previously unused client language will download a significant amount of data and increase the size of the updates stored on disk. Do not select additional languages unless you have WSUS clients that require them.
If you made any additional changes in the WSUS configuration wizard and the SBS console gives an error, please run the BPA to fix it.
More Information
You must be a member of the WSUS Administrators group on the WSUS server to perform this procedure. The SBS administration account is a member of this group by default.
For more information about this see the WSUS 3.0 SP2 Release Notes.
The information in this article is also documented in the following Knowledge Base document: After upgrading to WSUS 3.0 SP2 on Small Business Server 2008 only the local operating system language is enabled.
[Today's post comes to us courtesy of Becky Lymberis]
We’re often talking with small business owners about their business - to understand not only their needs and usage of technology, but also what’s important to them as business owners. Not surprisingly saving time and money, all the while providing better and differentiated service to their customers is of key importance. Windows Small Business Server 2008 (SBS 2008) is really a best kept secret that is a catalyst for small businesses to reduce costs, increase productivity and delight their customers because it really enables them to organize their business and communicate more effectively internally and with their customers.
SBS 2008 is an all in one server suite designed specifically for small businesses. It provides businesses with the technology to do the following:
· Organize and centralize information and data so everyone can find what they need.
· Share hardware such as printers and faxes.
· Back-up important data and restore files.
· Work remotely with easy and secure access to desktops, files, email and calendars from an internet connected PC or mobile phone.
· Share files more easily across PCs and mobile devices with a company intranet
· Run accounting or other business software on more than one PC (SBS 2008 Premium Edition)
· Easily set up new users, computers, and network access (or discontinue existing users and devices) as staffing levels fluctuate
· Look professional by consolidating email accounts with your own company hosted email
· Get better performance out of existing PC investments with centralized storage to free up memory on individual PCs.
SBS 2008 was designed specifically for businesses with 75 or fewer PCs or users – and many small businesses are benefiting from a server, even those with as few as 2 to 3 PCs. If you’re interested you can try SBS 2008 today for free by visiting our product site.
SBS 2008 software can be purchased through a variety of channels such as Microsoft Small Business Specialists, retailers, or preinstalled on a server. Full solutions with server hardware can be purchased through a local system builder or major OEM (Original Equipment Manufacturer) such as Dell or HP for as little as $1,299. You can visit our product site for more information on “How to Buy SBS 2008” or visit one of our partners directly.
Later this month, we will provide a business value deep dive on “Remote Working enabled by Windows Small Business Server 2008”. We’d love to hear from you! Please join our community on Facebook.
[Today's post comes to us courtesy of Chris Puckett]
When you attempt to install SBS 2008 UR 3 (969121) it may fail with error code 6BA "Windows Update encountered an unknown error".
The C:\Windows\WindowsUpdate.log file for this update reports error 0x80070643 / 0x000006BA.
Troubleshooting:
One of the actions SBS 2008 Update Rollup 3 (UR3) performs is to change Integrated Windows authentication on the companyweb site from NTLM to Negotiate (Kerberos) while maintaining client integration. This allows you to browse http://companyweb from the server after installing IE rollup 963027 or later, IE8 or Windows 2008 SP 2.
Check the C:\Windows\temp\EnableKerberosLog_2009_<date_time>.log file for more clues.
1. If you see text similar to the log below, it’s most likely that the zone has changed:
2009/09/04 13:35:45| Reading registry keys to get URL for SBS SharePoint
2009/09/04 13:35:45| Url found: https://remote.contoso.com:987
2009/09/04 13:35:45| Trying to enable Kerberos, as well as set other authentication configurations
2009/09/04 13:35:45| Backup original settings of site https://remote.contoso.com:987
2009/09/04 13:35:46| Webapplication found
2009/09/04 13:35:46| Webapplication is running in app pool with identity NetworkService
2009/09/04 13:35:46| Checking authenticaiton mode for Default zone
2009/09/04 13:35:46| Authentication provider is Kerberos
2009/09/04 13:35:46| Originally not allow anonymous
2009/09/04 13:35:46| Originally client integration enabled
2009/09/04 13:35:46| Originally not use basic authentication
2009/09/04 13:35:46| Original settings backup-ed. The machine is ready for authentication settings configuration
2009/09/04 13:35:46| Calling stsadm.exe to enable Kerberos with parameter "-o authentication -url https://remote.contoso.com:987 -type windows -enableclientintegration -usewindowsintegrated"
2009/09/04 13:35:47| Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException: Fail to enable Kerberos with exit code -1 at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.TryEnableKerberos() at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.Program.Main(String[] args)
Check the zones in SharePoint Central Administration.
a. Open SharePoint 3.0 Central Administration, click the Operations tab, and then click Alternate access mappings (under Global Configuration).
b. If https://remote.contoso.com:987 and http://companyweb are not in the zones mentioned above, adjust them accordingly and try installing SBS 2008 Update Rollup 3 again.
Note: https://remote.contoso.com:987 should be in the Default zone. If it is in the Internet zone, this can prevent SBS 2008 UR3 from changing the authentication mode on companyweb and cause the SBS 2008 UR3 installation to fail.
2. If you see text similar to the log below, you may need to specify a domain prefix like remote or www along with the external domain name in the IAMW.
2009/09/03 15:55:34| Reading registry keys to get URL for SBS SharePoint
2009/09/03 15:55:34| Url found: https://.contoso.com:987
2009/09/03 15:55:34| Trying to enable Kerberos, as well as set other authentication configurations
2009/09/03 15:55:34| Backup original settings of site https://.contoso.com:987
2009/09/03 15:55:34| Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.InstallException: https://.contoso.com:987 is not in correct URI format ---> Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.KerberosConfigurationException: https://.contoso.com:987 is not in correct URI format ---> System.UriFormatException: Invalid URI: The hostname could not be parsed.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) at Microsoft.WindowsServerSolutions.IWorker.EnableKerberos.EnableKerberosHelper.BackupOriginalSettings(String url)
--- End of inner exception stack trace ---
You have two options here.
Option 2 involves running the IAMW two times, but it may temporarily prevent external Outlook and OWA clients from accessing email. RWW and SharePoint will also temporarily not work with the contoso.com URL that users are used to, because the certificate and URL will change (for example, from contoso.com to remote.contoso.com). Option 1 avoids this, but requires manual steps.
Choose Option 1 or 2. It is not necessary to do both.
Option 1: Manually edit the registry and SharePoint.
a. Open regedit and navigate to HKLM\Software\Microsoft\SmallBusinessServer\Networking.
b. Double-click PublicFQDNPrefix. Type remote and click OK.
c. Try installing SBS 2008 Update Rollup 3 again.
d. Open an elevated command prompt and change directories to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Bin.
e. Run this command: stsadm.exe -o authentication -url https://contoso.com:987 -type windows -enableclientintegration -usewindowsintegrated
f. The URL will be the value of PublicFQDNProvider in the registry key mentioned in step a. You can also get this command and URL from the EnableKerberos log file mentioned above. The command returns Operation completed successfully when it succeeds. If it fails with a syntax error, try retyping the dashes. If it still fails with a syntax error, try manually typing in the entire command.
g. Open regedit and navigate to HKLM\Software\Microsoft\SmallBusinessServer\Networking.
h. Double-click PublicFQDNPrefix. Delete the remote value and click OK.
Option 2: Re-run the IAMW to set the proper URL.
a. Open the Windows SBS Console. On the Home tab, click Set up your Internet address.
b. Specify your external domain name in the wizard like contoso.com (not contoso.local).
c. On that same page, click the Advanced settings link.
d. Uncheck the box ‘Do not use a domain prefix’. Set the domain prefix to remote or another value (this is temporary) and leave the box ‘Do not use a domain prefix’ unchecked.
e. Click OK and finish the wizard.
f. Try installing SBS 2008 Update Rollup 3 again.
g. Re-run IAMW. Click the Advanced settings link on the page where you type the domain name (contoso.com).
h. Check the box ‘Do not use a domain prefix’.
i. Click Yes, OK, Yes and finish the wizard.
3. If the only text you see in the log is like the example below, your companyweb site may be inaccessible for some reason.
2009/09/04 14:33:46| Reading registry keys to get URL for SBS SharePoint
2009/09/04 14:33:46| Url found: https://remote.contoso.com:987
2009/09/04 14:33:46| Trying to enable Kerberos, as well as set other authentication configurations
2009/09/04 14:33:46| Backup original settings of site https://remote.contoso.com:987
OR
2009/09/04 14:34:42| Rolling back to NTLM
2009/09/04 14:34:42| The install was not started. Nothing to rollback
OR
2009/09/04 14:34:42| Kerberos Enabling fix is not installed. Do nothing this time
SharePoint is inaccessible.
See this post for the details: http://blogs.technet.com/sbs/archive/2009/05/06/companyweb-inaccessible-after-sharepoint-3-0-service-pack-2.aspx
4. If you’ve made it to this point and it’s still not fixed, consider engaging Microsoft Support for assistance.
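The three log patterns above can be told apart mechanically. The function below is an added example, not part of the original post or of any Microsoft tool; the function name and the returned messages are hypothetical, and the match strings are taken from the log excerpts in this post.

```powershell
# Added example (not from the original post): map an EnableKerberos log to cases 1-3 above.
function Get-EnableKerberosDiagnosis {
    param([string[]]$LogLines)

    # Keep non-blank entries; each looks like "2009/09/04 13:35:45| message".
    $lines = @($LogLines | Where-Object { $_ -and $_.Trim() })
    $text  = [string]::Join("`n", $lines)

    # URL the installer read from the registry.
    $url = $null
    foreach ($line in $lines) {
        if ($line -match 'Url found:\s*(\S+)') { $url = $Matches[1]; break }
    }

    # Case 2: no domain prefix, so the host name starts with a dot.
    if (($text -match 'is not in correct URI format') -or ($url -match '^https?://\.')) {
        return "Case 2: URL '$url' has no domain prefix; use Option 1 or Option 2."
    }

    # Case 1: stsadm.exe was called and failed.
    if (($text -match 'Calling stsadm\.exe') -and
        ($text -match 'Fail to enable Kerberos with exit code')) {
        return "Case 1: stsadm failed for '$url'; check the zones in Alternate access mappings."
    }

    # Case 3: the log stops at the backup step, or holds only rollback / not-installed lines.
    $last = ''
    if ($lines.Count -gt 0) { $last = $lines[$lines.Count - 1] }
    if (($last -match 'Backup original settings of site') -or
        ($text -match 'Nothing to rollback') -or
        ($text -match 'Kerberos Enabling fix is not installed')) {
        return "Case 3: no failure detail logged; check whether companyweb is accessible."
    }

    return 'No pattern from this post matched; read the log manually.'
}

# Constructed sample: the case 2 lines from the post, shortened.
$sample = @(
    '2009/09/03 15:55:34| Reading registry keys to get URL for SBS SharePoint',
    '2009/09/03 15:55:34| Url found: https://.contoso.com:987',
    '2009/09/03 15:55:34| Backup original settings of site https://.contoso.com:987',
    '2009/09/03 15:55:34| ...InstallException: https://.contoso.com:987 is not in correct URI format'
)
Get-EnableKerberosDiagnosis $sample

# On the server, pass the real file instead (fill in the date and time from the file name):
# Get-EnableKerberosDiagnosis (Get-Content 'C:\Windows\temp\EnableKerberosLog_2009_<date_time>.log')
```

Case 2 is tested first because a malformed URL stops the installer before stsadm.exe is ever called, so its log can otherwise look like the truncated log of case 3.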
[Today's post comes to us courtesy of Ed Walters]
Certain Group Policy Objects (GPOs) are created and configured by default during the installation of SBS 2008. This blog post will cover how to create these GPOs manually in the event that they are missing or have been accidentally deleted without a backup. Note: If one or more of these GPOs are missing as the result of a failed install, you should not follow this procedure. We recommend that you call Microsoft Product Support as other components are likely to be broken. The steps have been broken down into two types of Group Policies:
Update Services Policies:
- Update Services Client Computers Policy
- Update Services Common Settings Policy
- Update Services Server Computers Policy
Windows SBS Policies:
- Windows SBS Client – Windows Vista Policy
- Windows SBS Client – Windows XP Policy
- Windows SBS Client Policy
- Windows SBS CSE Policy
- Windows SBS Users Policy
- Small Business Server Folder Redirection Policy (Optional)
We do not cover the steps to create the Default Domain Controllers Policy or the Default Domain Policy in this post. Either restore these policies from backup or contact Microsoft Product Support Services for assistance.
Create the three Update Services Policies
- Open Start > Run and enter gpmc.msc to open the Group Policy Management Console.
- Expand Forest: <SBS Forest>\Domains\<SBS Domain>\Group Policy Objects
- Right-click the Group Policy Objects key and choose New
- Enter Update Services Client Computers Policy as the name
- Select OK
  Note: The name must be entered exactly as shown. Double-check your spelling before selecting OK.
- Create the two remaining WSUS policies in the same way:
  - Update Services Common Settings Policy
  - Update Services Server Computers Policy
Configure the Update Services Client Computers Policy
- Right-click Update Services Client Computers Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
- Configure the settings as shown in the report below
Configure the Update Services Common Settings Policy
- Right-click Update Services Common Settings Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
- Configure the settings as shown in the report below
Important: The Set the intranet update service for detecting updates and Set the intranet statistics server policies are specific to your server and must be configured with http://<YourServerName>:8530
Note: The above report for this GPO shows the “enabled” and “disabled” policy settings only. Any policy that does not appear in the above report should be set to “Not configured” on your server.
Configure the Update Services Server Computers Policy
- Right-click Update Services Server Computers Policy and choose Edit. On the Group Policy Management Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update
- Configure the settings as shown in the report below
Configure the scope of the new Update Services Policies
The configuration on the Scope tab for each new Update Services GPO needs to be as follows:
- Update Services Client Computers Policy
  - Leave “Links” empty
  - Remove any object under “Security Filtering”
  - Set “WMI Filtering” to <none>
- Update Services Server Computers Policy
  - Leave “Links” empty
  - Remove any object under “Security Filtering”
  - Set “WMI Filtering” to <none>
- Update Services Common Settings Policy
  - Leave “Links” empty
  - “Authenticated Users” must be listed under “Security Filtering”
  - Set “WMI Filtering” to <none>
Link the new Update Services Policies
- In the Group Policy Management Console, right-click on your SBS domain and select Link an Existing GPO
- Select the following 3 policies:
  - Update Services Client Computers Policy
  - Update Services Common Settings Policy
  - Update Services Server Computers Policy
- Click OK
Once the WSUS policies have been updated and applied, Security Filtering on the Client Computers and Server Computers GPOs will begin populating with the machine accounts of your domain joined clients and servers. This is done automatically by SBS.
Create the Windows SBS Policies
Create the Small Business Server Folder Redirection Policy (Optional):
This is an optional GPO. Follow these steps only if you wish to use folder redirection.
- On the SBS 2008 Console, select the Shared Folders and Web Sites tab
- On the right-hand side, under “Tasks”, select Redirect folders for user accounts to the server
- Complete the wizard
Create the remaining SBS GPOs
These steps will create the following GPOs:
- Windows SBS Client – Windows Vista Policy
- Windows SBS Client – Windows XP Policy
- Windows SBS Client Policy
- Windows SBS CSE Policy
- Windows SBS Users Policy
- Copy the following file and save it to an easily accessible path, such as c:\windows\temp, on the SBS 2008 server:
http://cid-d5fe25afb6c3615f.skydrive.live.com/self.aspx/.Public/gpofix.txt
- Right-click on the Command Prompt and select Run as Administrator
- Run the following command from the Administrator Command prompt, substitute the path to the gpofix.txt file as needed (We recommend that you DO NOT copy & paste the command directly from the blog post):
"C:\Program Files\Windows Small Business Server\Bin\GPOTask.exe" /config:c:\windows\temp\gpofix.txt
- The task will take a few moments to complete, after which it will return to the command prompt
- Verify that the GPOs have been created in the Group Policy Management Console
- Run and complete the Internet Address Management Wizard from the SBS 2008 Console to complete the configuration.
[Today's post comes to us courtesy of Chris Puckett.]
We have updated the Why Are Some of My Groups Not Displaying in the SBS Console? blog post to include a tool you can use to update Universal groups in the MyBusiness OU so that they appear in the Windows SBS Console. This update cannot update groups that are not Universal groups. After you update the Universal groups, you can use the Windows SBS Console to manage these groups.
Download the tool:
Windows SBS 2008 Active Directory Group Converter.
More information on the tool:
961148 When you open the console in Windows Small Business Server 2008, some existing groups in the MyBusiness organization unit do not appear.