[Today's post comes to us courtesy of  Wayne McIntyre] 

A scenario we come across from time to time is a “network behind a network” configuration in an environment with an SBS server running ISA 2004 Server (diagram below). This issue was briefly addressed in blog http://blogs.technet.com/sbs/archive/2005/12/12/415953.aspx. The first problem with this configuration is that ISA 2004 does not know about the remote network or how to access it. So when client A on the local SBS network wants to communicate with the web server on the remote subnet it will check its routing table and see no direct route to that network and send the request to its default gateway (SBS w/ISA 2004). Once ISA receives the packet destined for the remote network it also does not contain a route to this network and will therefore discard the packet. The second problem is that if the communication is initiated from the remote site direct to a client machine or another server on the local site, the traffic being sent back to the remote site is going to be passed thru ISA. Since ISA did not see the first half of the communication it will detect this traffic as a spoof attack and drop the packet. This post will provide the workaround for this configuration and the different ways to implement it.

The first step would be to make ISA aware of the remote network in order to do so we need to do the following 2 steps:

1. Add a route in the route table on SBS to the remote network.
   · From a cmd prompt type “Route Add 192.168.2.0 Mask 255.255.255.0 192.168.16.254 –p"
2. Add the address range of 192.168.2.0 – 192.168.2.255 in the Internal Network Object in ISA 2004.

** Do not create a separate network for this remote subnet, whenever a new network object is created ISA will attempt to find a network adapter that correlates with that network. Since we do not have a Network Card associated with this address range ISA will think that it is either disconnected or disabled.

The second problem will have to be resolved by either adding a manual entry to the route table on each local client machine for the remote network or we need to configure the local clients default gateway to use the router and the routers default gateway to use SBS. To edit the route table on the local clients it can either be done manually on each local client, or by DHCP.

Method 1: Using the route add command.

This can either be done manually on each client or you can add it to a logon script.

Route ADD 192.168.2.0 Mask 255.255.255.0 192.168.16.254 –p

The first IP being the destination network followed by the subnet mask for that network, followed by the IP of the gateway to reach that network. The –p makes this route persistent so it exists after a reboot.

Method 2: Using DHCP

If all your clients are using DHCP there is a scope option defined to add a static route.

1. Open DHCP console expand your IP Scope.
2. Right click on Scope Options and go to Configure Options
3. Select Scope option 249 Classless Static Routes
   
4. Select Add Route
5. Enter the appropriate information for your remote network.
   

** Note Servers or Client machines that have Static IP addresses will still have to use Solution 1.

Testing:

Verify that the static route has been created and it appears in your route table. To view the route table, go to a cmd prompt and type “route print”. Here is a sample output.

You will notice the third entry in this route table is for the remote network. Additional tests that you will want to perform is pinging a machine in the remote network and attempting to access a resource i.e. file share, web server.

** If you are trying to access resources on a XP SP2 machine on either site be aware that by default the XP service pack 2 firewall may block it as its default configuration is to only allow connections from its local subnet. You can modify these settings to allow the remote subnet as well.

Additional Resources:

http://www.microsoft.com/technet/isa/2004/plan/ts_networks.mspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;884496

http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/unsupportedconfigs.doc

[Today's post comes to us courtesy of James Frederickson] 

Small Business Server 2003 Premium Edition customers that are still running ISA 2000 have until December 30, 2007 to order their SBS SP1 Premium CD3 with ISA 2004. Beginning December 31, 2007 this offer will no longer be available. For more information on this offer please see:

http://blogs.technet.com/sbs/archive/2007/05/25/upgrading-existing-microsoft-windows-small-business-server-2003-sbs-installations-to-sbs-2003-sp1.aspx
http://www.microsoft.com/windowsserver2003/sbs/downloads/sp1/default.mspx

It is very important to get your order in and upgrade SBS 2003 to SBS 2003 SP1 as support for SBS 2003 SP0 was retired as of July 10, 2007. Microsoft will continue to support SBS 2003 SP 1 and SBS 2003 R2, which includes SBS 2003 SP 1, after July 10, 2007. For more information on support lifecycles please see:

http://blogs.technet.com/sbs/archive/2007/07/03/sbs-2003-sp-0-support-retirement.aspx
http://blogs.technet.com/sbs/archive/2007/05/25/upgrading-existing-microsoft-windows-small-business-server-2003-sbs-installations-to-sbs-2003-sp1.aspx
http://support.microsoft.com/gp/lifesupsps

[Today's post comes to us courtesy of Justin Crosby, Damian Leibaschoff, David Copeland, Mark Stanfill, Chris Puckett, and John Bay] 

We have discovered a new issue today with WSUS on SBS. You may receive the following error accessing Update Services from the SBS 2003 Server Management Console:

--------------------------------------------------------------------------------
Server Error in '/UpdateServices' Application.
--------------------------------------------------------------------------------

The specified string is invalid. Parameter name: Title
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: The specified string is invalid. Parameter name: Title

Source Error:

Line 194:        </div>
Line 195:        <%Response.Flush();
Line 196:          RenderPage();%>
Line 197:        <div id="divForm" style="display: none">
Line 198:        <form id="formMain" method="post" runat="server">
Source File: d:\inetpub\UpdateServices\Home.aspx    Line: 196

Stack Trace:
[ArgumentException: The specified string is invalid.
Parameter name: Title]
   Microsoft.UpdateServices.Internal.StringValidation.ValidateUpdateContainerTitleString(String paramName, String value) +256
   Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer.set_Title(String value) +19
   Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(GenericReadableRow row) +182

[WsusInvalidDataException: The specified string is invalid.
Parameter name: Title]
   Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(GenericReadableRow row) +397
   Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory..ctor(GenericReadableRow row) +24
   Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.BuildUpdateCategoryCollection(GenericReadableRow[] categoryRows) +415
   Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.GetAll(DateTime fromSyncDate, DateTime toSyncDate) +134
   Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdateCategories(DateTime fromSyncDate, DateTime toSyncDate) +23
   Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdateCategories() +52
   Microsoft.SBS.UpdateServices.DataProvider.GetScheduledUpdates() +140
   Microsoft.SBS.UpdateServices.StatusPage.Utility.GetStatusItems(Boolean waitingForSyncStart) +3203
   Microsoft.SBS.UpdateServices.StatusPage.formHome.RenderPage() +23
   ASP.Home_aspx.__Render__control1(HtmlTextWriter __output, Control parameterContainer) in d:\inetpub\UpdateServices\Home.aspx:196
   System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +27
   System.Web.UI.Control.Render(HtmlTextWriter writer) +7
   System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +243
   System.Web.UI.Page.ProcessRequestMain() +1926

You may see the following event in your Application event log:

Event Type: Error
Event Source: ServerStatusReports
Event Category: None
Event ID: 1001
Date: 11/12/2007
Time: 1:14:39 AM
User: N/A
Computer: SBSSVR

Description:
A fatal error occurred either while synchronizing the Update Services computer groups with Group Policy or while moving the Unassigned Computers group. To see a detailed log, create a file called SyncSecurity.Log in %SBSProgramDir%\Support, and then run SyncSecurity.exe again. The error returned was: Cannot start service wsusservice on computer '.'.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If you access the WSUS 2.0 console directly (http://servername:8530/WSUSAdmin) you may receive:

Windows Server Update Services encountered an error.

The specified string is invalid.
Parameter name: Title

Microsoft.UpdateServices.Administration.WsusInvalidDataException: The specified string is invalid.
Parameter name: Title ---> System.ArgumentException: The specified string is invalid.
Parameter name: Title
   at Microsoft.UpdateServices.Internal.StringValidation.ValidateUpdateContainerTitleString(String paramName, String value)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer.set_Title(String value)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(GenericReadableRow row)
   --- End of inner exception stack trace ---
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(GenericReadableRow row)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory..ctor(GenericReadableRow row)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.BuildUpdateCategoryCollection(GenericReadableRow[] categoryRows)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.GetAll(DateTime fromSyncDate, DateTime toSyncDate)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdateCategories(DateTime fromSyncDate, DateTime toSyncDate)
   at Administration.Reporting.CurrentStatus.CurrentStatusProxy.GetHomeStatus()
   at Administration.Reporting.ReportingXPost.Page_Load(Object sender, EventArgs e)

   at Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(GenericReadableRow row)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory..ctor(GenericReadableRow row)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.BuildUpdateCategoryCollection(GenericReadableRow[] categoryRows)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateCategory.GetAll(DateTime fromSyncDate, DateTime toSyncDate)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetUpdateCategories(DateTime fromSyncDate, DateTime toSyncDate)
   at Administration.Reporting.CurrentStatus.CurrentStatusProxy.GetHomeStatus()
   at Administration.Reporting.ReportingXPost.Page_Load(Object sender, EventArgs e)

If you try to access the Products and Classifications on a WSUS 3.0 install you may receive:

Error: Unexpected Error
An unexpected error occurred.  Please contact your system administrator if the problem persist.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,

Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

System.ArgumentException -- The specified string is invalid.
Parameter name: Title

Source
Microsoft.UpdateServices.BaseApi

Stack Trace:
   at Microsoft.UpdateServices.Internal.StringValidation.ValidateUpdateContainerTitleString(String paramName, String value)
   at Microsoft.UpdateServices.Internal.BaseApi.UpdateContainer..ctor(UpdateServer updateServer, GenericReadableRow row)
** this exception was nested inside of the following exception **

System.Reflection.TargetInvocationException -- Exception has been thrown by the target of an invocation.

Source
Microsoft.ManagementConsole

Stack Trace:
   at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
   at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
   at System.Windows.Forms.Application.OnThreadException(Exception t)
   at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
   at System.Windows.Forms.ContainerControl.WndProc(Message& m)
   at System.Windows.Forms.Form.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
** this exception was nested inside of the following exception **

System.Reflection.TargetInvocationException -- Exception has been thrown by the target of an invocation.

Source
Microsoft.ManagementConsole

Stack Trace:
   at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
   at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
   at System.Windows.Forms.Control.WndProcException(Exception e)
   at System.Windows.Forms.Control.ControlNativeWindow.OnThreadException(Exception e)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Form.ShowDialog(IWin32Window owner)
   at Microsoft.ManagementConsole.Internal.ConsoleDialogHost.ShowDialog(WaitCursor waitCursor, ShowDialogCallback callback)
   at Microsoft.ManagementConsole.Internal.ConsoleDialogHost.ShowDialog(Form form, WaitCursor waitCursor)
   at Microsoft.ManagementConsole.Advanced.Console.ShowDialog(Form form)
   at Microsoft.UpdateServices.UI.SnapIn.Pages.SettingsSummaryPage.UpdateCategoryAndClassificationSettingsTitle_LinkClicked(Object sender, LinkLabelLinkClickedEventArgs e)

Issue Resolution:

To resolve this issue all you need to do is synchronize WSUS with Windows Update. By default SBS synchronizes with Microsoft Update every day. Therefore this issue will resolve itself by tomorrow (11/13/2007). If you cannot wait until the manual synchronization you can initiate a manual synchronization by using the directions below:

WSUS 3.0

1. Open WSUS 3.0 MMC
2. Select Synchronizations
3. Click the Synchronize Now action.

WSUS 2.0

There is not an easy way to start a manual synchronization on WSUS 2.0 when the console is already broken. We recommend WSUS 2.0 users wait for the automatic synchronization. If you feel that you cannot wait and are comfortable writing, compiling and then running custom code you can use the following method from a Microsoft MVP: http://msmvps.com/blogs/athif/archive/2005/11/21/76100.aspx. Please be sure to create a full server backup prior to running this code.

[Today's post comes to us courtesy of Mark Stanfill] 

From http://blogs.technet.com/kevin_beares/archive/2007/11/07/windows-server-centro-is-officially-unveiled-and-has-a-new-name.aspx:

Windows® Essential Business Server is the new Microsoft server solution for small to medium businesses, with 50 to 250 client computers in their organizations. Windows®Essential Business Server offers a standardized server configuration that is designed to meet the needs of most midsize businesses. The configuration is optimized to meet the currently recommended practices for networking, security, collaboration, and remote access. The tightly integrated Windows Essential Business Server simplifies setup, migration, and licensing for Microsoft infrastructure server products that a midsize business uses most frequently. Most network services and resources are managed through a single Windows®Essential Business Server Administration Console, which is accessible from anywhere on the network or remotely over a virtual private network.

Windows®Essential Business Server is installed on three physical servers. These are referred to by their primary roles in the network:

·         Windows®Essential Business Server Management Server – Centralizes management of your Windows Server "Centro" network. Enables and manages worker collaboration and network services.

·         Windows®Essential Business Server Security Server – Manages security, Internet access, and remote-worker connectivity.

·         Windows®Essential Business Server Messaging Server – Provides messaging capabilities and manages network services.

If you are interested in joining the Windows®Essential Business Server upcoming Beta 2 effort;

1. Please go to http://connect.microsoft.com,
2. Click on Invitations and sign in with your Windows Live ID (Passport ID).
3. Enter the following invite ID: EBSE-VKDP-276Y. 
4. You will be asked to take a short survey.  
5. Once you complete the survey we will evaluate your application for participation in the Techbeta.
6. Then look for an email from MsftConn@microsoft.com with further details.

[Today's post comes to us courtesy of Damian Leibaschoff]

DISCLAIMER: There are many different ways to implement this solution, this is just one of them.

A very common request we get is people wanting to be able to send outbound Internet e-mails from Outlook using different addresses as the originating address. This is different than just using a delegation or Sending on Behalf, this is truly sending the e-mail with a different “From:” address. The solution presented here will focus in using Outlook and Exchange without the need to create new accounts in Outlook. It will not only allow a user to send using a different e-mail address, it will also allow a user or a group of users to send using the e-mail address of a mail enabled security group.

An example would be: You have a mail enabled security group or a distribution group with an address of sales@contoso.com and you want to send your replies as coming from that address instead of your personal one. The same concept can be used for a single user that wants to be able to send using other addresses.

1. Removing the additional E-mail addresses from your existing user

This first step is optional and it really depends on where you are in the implementation of this process. If you already have a mail enabled security group or distribution group with the desired e-mail address, then you can skip it. On the other hand if your user already has the address you want to use to send as (as a secondary e-mail address in Active Directory), we will need to remove it from the user itself, we cannot have two objects in active directory with the same e-mail address. We will need to add this e-mail address to another object that we will create shortly, so for now, we need to remove it. Remember, Exchange will always use your default e-mail address as the reply-to/from address, so we need to work around this limitation.

• Open AD Users and Computers
• Find the user that might have the needed e-mail added as a secondary e-mail address and open its properties. If you are not sure you can use the FIND feature:
• Right click on the domain container and select Find
• Go to the Advanced tab
• Click on Field, select User and pick Proxy Addresses, change the condition to Is (exactly), and on the Value type in the e-mail address you are searching for (prefix it always with SMTP:, for example, SMTP:sales@contoso.com), click Add.
• Click Find Now
• Once you find the user, open its properties and go to the E-mail addresses tab
• Remove the secondary E-mail address that you want to use as an alternate primary address. It is recommended that you temporally stop mail flow by stopping the SMTP Virtual Server from Exchange System Manager (under protocols\SMTP) as to avoid receiving e-mails to this address for the few minutes that this procedure will take until the e-mail is moved to another object.
• Click OK to accept the changes.

2. Creating the new Mail Enabled Security Group.

• Open AD Users and Computers from Administrative Tools.
• Expand your domain, MyBusiness, and select Security Groups
• Do right click, New, Group
• Selected Global and Security, give it a distinctive name (it will show up when sending e-mails) and click Next.
• Put a check next to "Create an Exchange e-mail address", don't worry about the alias, we can modify it to match the address we need once the object is created.
• Click next and finish.

Wait a few minutes for the object to be stamped by the Exchange Recipient Update Service.

• Now open the Properties of the Security Group you just created.
• Go to the E-mail Addresses tab, if this is blank, stop, the object has not been stamped yet. Once you have address in the E-mail addresses tab, you can proceed.
• If you see the e-mail address you need as the primary, then you can skip the next few steps, if you don’t, then add it:
• Click New, SMTP Address, and add the e-mail address we removed from step 1 (for example sales@contoso.com).
• Click ok to accept.
• Select the newly added SMTP E-mail address and click Set As Primary.
• Also uncheck the "Automatically update e-mail addresses based on recipient policy".
• Click Ok to close the properties. Note: It is important not to make this security group a member of any other groups, this will help prevent issues with the AdminSDHolder resetting the security permissions we are going to be changing in the next section.

3. Adding the group membership and setting the proper security to allow the Send As.

We will be working on the properties of the Security Group we just created, but before we continue, we need enabled the Advanced Features in AD Users and Computers.

• Select View on the top menu and then select Advanced Features.

Now we can open the properties of the Security Group we just created.

• Expand your domain, MyBusiness, and select Security Groups
• Right Click the desired Security Group we just created and select properties.
• Go to the Members tab
• Click Add
• Type the name of the User who is going to be receiving the e-mails sent to the E-mail address what we have configured for this Group. Remember, e-mails sent to the e-mail address that we added on step 2 will be delivered to members of this group only, if this is just one user that needs to send and receive using the second e-mail address, then you would have only 1 member, if this is a shared address, then you can have multiple members, they will all get a copy of e-mail sent to the address in question.
• Repeat the Add process as needed.
• Once you have added the members, click Apply, inbound e-mail sent to the address in question will start flowing again. Start the SMTP Virtual Server if you had that stopped. Do not close the properties yet.

Now we need to set up the proper security. We will need to add the user or group accounts we will want to allow to send as using this Security Groups primary e-mail address. This is the key step that will allow us to use the e-mail address as our new From. Keep in mind that Domain Administrators and Account Operators will already be able to Send As this group and no changes are needed.

• Go to the Security tab
• Click Add
• Type the name of the User who is going to be sending the e-mails using the e-mail address configured for this mail enabled Security Group. If you want to allow all members of this group to be able to send using the e-mail address here, then add the security group name (Sales Group in our example).
• Once you have added the user/users/groups, find them on the security list, select the object, and scroll down on the Permissions half of the window until you find the "Send As" right. Put a check on the Allow column. You are basically giving the user Send As rights on the Security Group.
• Click ok
• Open the Services MMC
• Re-start the Microsoft Exchange System Attendant service (and its dependants)

Picture showing the allow just on a per user basis scenario:

Picture showing the allow all group members to Send As:

4. Testing from Outlook

At this point all the pieces should be in place. Mail should be flowing to the e-mail address in question and the only thing left is for the user to learn how to pick which account to use when sending outbound e-mail. Please note that this will not happen automatically, the user will have to take action for every e-mail they want to use a different address for.

• In Outlook while logged in to the user’s mailbox that has Send As permissions to the newly created group (so basically, open Outlook as normal, nothing should change from the client perspective), click to open a new email
• Outlook 2003: Click View, and select “From Field”
• Outlook 2007: Click Options and select “Show From”
• Click on the From: and pick the Group that has the address we want to use or type the Group name or just type the e-mail address (on our case sales@contoso.com). Due to potential timing issues while updating the offline address book while in cached mode, the new group may not show up to be selected. It should eventually show up, if it doesn’t then something is not working as expected with the OAB generation.
• Fill in the To, Subject, write up your email and click Send email
• The receiver should only see the alternate email address as the From.

5. Troubleshooting

• You get the following NDR:

Your message did not reach some or all of the intended recipients.

Subject: Test

Sent: 10/31/2007 2:27 PM

The following recipient(s) could not be reached:

usera@msft.local on 10/31/2007 2:27 PM

You do not have permission to send to this recipient. For assistance, contact your system administrator.

MSEXCH:MSExchangeIS:/DC=local/DC=MSFT:SERVER

• Or the following error (if you are not in cached mode):

• This is a sign that the security was not setup properly or has not taken effect. Re-check step 3. Do not forget to re-start the Microsoft Exchange System Attendant Service on the server and Outlook on the client. If permissions have been changed on the security group, check the group membership of that group, make sure it is not a member of a protected AdminSDHolder group (direct or transitive). See the following KB for additional information http://support.microsoft.com/default.aspx?scid=kb;EN-US;907434 .

[Today's post comes to us courtesy of Justin Crosby]

Today's post will answer some of the common questions we have seen regarding the BPA.

Q: Can the BPA be run from a client?
A: No

Q: Will this tool make changes to my server?
A: No, this tool is read-only

Q: How often will the definitions get updated?
A: The current plan is every 4 months, this may change without notice

Q: How can I provide feedback on this tool?
A: Email: sbsbpabu@microsoft.com

Q: Can the SBS 2003 BPA be run on a non-SBS server?
A: No

Q: Can the BPA be run on an SBS 2000 server?
A: No

Q: I ran the BPA and it’s telling me to make a change that I think will cause problems, what should I do?
A: The BPA is an informational tool designed to provide guidance for the most common error states and misconfigurations.  Specific environments need to be evaluated on an individual basis.

Q: Does this replace the Exchange/ISA/SQL/SharePoint BPAs?
A: No, they are complimentary and not mutually exclusive

For more information on the BPA please see:
How to Use the Windows SBS 2003 BPA
Common Questions
Download BPA