[Today's post comes to us courtesy of Shawn Sullivan]
In SBS 2003, the CEICW was available to administrators for configuring their firewall, Internet connection, self-signed certificate, and email settings from a single wizard. Re-running the CEICW was a common troubleshooting step in fixing network-related problems. However, SBS 2008 has taken the concept of the CEICW and broken it down into several specific wizards in place of one monolithic wizard. Administrators can now address more specific tasks, reducing the likelihood that they may inadvertently change settings that are unrelated to their end goal.
One of these new wizards is the FNCW, which is solely a troubleshooting tool meant to help the administrator resolve network issues. It automatically scans the environment for potential issues with Certificate Services, certificates, DNS, DHCP, TCP/IP configuration, VPN, Exchange, IIS, and Network Discovery. It will either attempt to correct them automatically, or will suggest a course of action to take towards resolution.
The FNCW has been designed to be run by the administrator as the first step in any network-related troubleshooting. You can launch it as many times as you require from the Windows SBS Console under the Network > Connectivity sub-tab.
After it performs its initial scan, it will display a list of issues that require your attention.
Once you click “Next”, it will attempt to fix the issues automatically. If it is unable to do this, it will suggest a course of action to be taken by the administrator. This may involve running one of the other SBS 2008 wizards, performing manual configurations, verifying the state of underlying components, or performing deeper technical troubleshooting.
If the wizard is able to fix the issue, it will require no further action from you for that specific item.
For information on related networking wizards in SBS 2008, please visit:
Exchange 2007 introduces a built-in feature called Sender Reputation for both the Edge and Hub Transport server roles. The purpose of Sender Reputation is to record the legitimacy, through a number of tests, of each external SMTP server that sends email to Exchange. For detailed information on how Sender Reputation works, please visit the following link: http://technet.microsoft.com/en-us/library/bb124512.aspx
By default, SBS 2008 is aggressive in blocking suspicious senders, and since all inbound e-mail is coming from the same sending server, there is a risk that the hosting company server could be incorrectly blocked. This feature will eventually block an offending host for 24 hours.
Furthermore, you also need to consider Sender ID Filtering, which is also enabled by default on SBS. Since all e-mail is coming from a series of hosts that are most likely not the designated approved senders (as they are your hosting company's servers), the SPF check will fail, which among other things raises the probability that the sender reputation check fails as well. This can cause an issue for those using a 3rd party mail hosting service to deliver incoming email. Based on the nature of their operation, these SMTP servers will likely fail some of the criteria used by Exchange once they connect, resulting in denied connections and broken inbound email flow.
The other scenario you need to consider is if you have a non-Exchange mail server in your organization that is accepting inbound e-mails, performing messaging hygiene functions and then forwarding the e-mails to the Exchange server running on the SBS server. In that case, you should add the IP of this server to your InternalSMTPServers. If you have a firewall doing SMTP Proxy and the connections appear to come from the internal IP, you will potentially have to add that internal IP as well; however, you should not do this unless the firewall is performing messaging hygiene.
To resolve this problem, you will need to add the IP address ranges of the hosting SMTP servers to a list trusted by Exchange. Open the Exchange Management Shell as Administrator and type the following:
Set-TransportConfig -InternalSMTPServers <IP>
For example, if we were using Exchange Hosted Service message hygiene and compliance, then we would run:
Set-TransportConfig -InternalSMTPServers 127.0.0.1, 12.129.20.0/24, 63.241.222.0/24, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24, 213.244.175.0/24, 216.32.180.0/24, 216.32.181.0/24, 12.129.199.61, 12.129.219.155, 206.16.57.70
To verify that these have been added correctly, you can run the following cmdlet to display the entries:
Get-TransportConfig | ft "InternalSMTPServers"
Once added, connections from these IP addresses will have bypass-anti-spam access rights on each receive connector in your organization; so take caution and make sure you are truly adding trusted IPs only.
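Because every address on this list skips anti-spam filtering, it is worth reviewing how much address space the list actually trusts before and after changing it. The following is an added example, not part of the original post or of Exchange: it audits the Exchange Hosted Services list shown above, and the function names, the /24 review threshold and the sample connection IPs are assumptions made for illustration.

```python
import ipaddress

# InternalSMTPServers entries from the Exchange Hosted Services example above.
PAGE_LIST = ("127.0.0.1, 12.129.20.0/24, 63.241.222.0/24, 207.46.51.64/26, "
             "207.46.163.0/24, 213.199.154.0/24, 213.244.175.0/24, "
             "216.32.180.0/24, 216.32.181.0/24, 12.129.199.61, "
             "12.129.219.155, 206.16.57.70")

def parse_entries(text):
    """Parse comma-separated IPs/CIDR ranges; strict mode raises ValueError
    on typos such as 12.129.20.5/24 (host bits set)."""
    return [ipaddress.ip_network(e.strip(), strict=True)
            for e in text.split(",") if e.strip()]

def bypasses_antispam(ip, nets):
    """True if a connection from ip matches an entry in the trusted list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def audit(nets, widest_prefix=24):
    """Summarise how much address space the list trusts.
    widest_prefix is an assumed review threshold, not an Exchange setting."""
    merged = list(ipaddress.collapse_addresses(nets))  # removes overlaps
    return {
        "trusted_addresses": sum(n.num_addresses for n in merged),
        "too_broad": [str(n) for n in nets if n.prefixlen < widest_prefix],
        # Internal hops (e.g. a proxying firewall): confirm they filter mail.
        "internal_hops": [str(n) for n in nets
                          if n.is_private and not n.is_loopback],
    }

if __name__ == "__main__":
    nets = parse_entries(PAGE_LIST)
    print(audit(nets))
    # Constructed sample connections, not taken from any real log.
    for ip in ("207.46.51.100", "207.46.51.130", "203.0.113.10"):
        print(ip, "bypasses anti-spam:", bypasses_antispam(ip, nets))
```

Paste the output of Get-TransportConfig into PAGE_LIST to review your own list; any entry reported under internal_hops corresponds to the internal mail server or proxying firewall case described above.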
IMPORTANT: If you are using one of our partner registrars to host your external DNS information while using a mail hosting company to accept your email, you will need to either set or create the following registry key on your SBS 2008 server:
Key: HKLM\Software\Microsoft\SmallBusinessServer\networking\Services
Value: SkipMXConfig
Type: REG_DWORD
Data: 1
This prevents the dynamic DNS service on the SBS 2008 server from incorrectly changing the IP address on your MX to point to your router’s public IP instead of your mail host. The DDNS service checks this every 5 minutes by default when you choose to host your DNS at a partner registry when you run the Internet Address Management Wizard (IAMW).
You do not need to set this if you have chosen the option to manage your domain name yourself using the IAMW.
Additional Information:
IP address range information for Exchange Defender and Postini can be found in the following links:
Be aware of the following Windows Live OneCare Announcement.
SBS 2008 Specific Q&A:
Q: How does this impact Windows Small Business Server 2008 (part of the Windows Essentials Server Solutions offerings) and Windows Live OneCare for Server?
A: Microsoft will continue to support the 120 day trial for Windows Live OneCare for Server offered in SBS 2008. The subscription service will be available for purchase through June 30, 2009. Microsoft will ensure Windows Live OneCare for Server subscribers will remain protected for the duration of their trials and subscriptions. For language and market availability please see http://www.microsoft.com/sbs/en/us/editions-overview.aspx.
Q: Didn’t you announce at the Windows Small Business Server 2008 beta that Windows Live OneCare for Server would be offered as a trial on SBS 2008?
A: Yes, we did, and in some cases the new Windows Small Business Server 2008 will ship with a Windows Live OneCare for Server trial (please see http://www.microsoft.com/sbs/en/us/editions-overview.aspx for language and market availability). This announcement does not affect the trial at this time. Microsoft will continue to support the 120 day trial for Windows Live OneCare for Server currently offered in SBS 2008. The subscription service will be available for purchase through June 30, 2009. Microsoft will ensure Windows Live OneCare for Server subscribers will remain protected for the duration of their trials and subscriptions.
Updates at http://www.microsoft.com/sbs/en/us/onecare.aspx
Updated Q&A on 12/1/2008
Added OneCare updates link on 4/17/2009
[Today's post comes to us courtesy of Rod White and Justin Crosby]
When you attempt to activate your SBS 2008 server, you receive the following error:
"A problem occurred when Windows tried to activate. Error Code 0xC004C009"
If you select "More Information", the description reads:
"The activation server determined the license is invalid"
This issue occurs because SBS was installed WITHOUT entering a valid Product Key. You can only activate the server with a valid Product Key. To determine what key has been entered run the following command from the command prompt or Run line: "slmgr.vbs -dli".
From here you will be able to verify:
If you see a license status of "Initial grace period" that means that a valid key has not been entered. SBS can run in this trial/evaluation state for 60 days by default. SBS 2008 will work normally with the exception that you cannot activate while it is in trial mode. If you need to extend the trial/evaluation mode please see http://support.microsoft.com/kb/948472.
To fix this activation issue all you need to do is enter a valid product key before activating. To do this run the following command from the command prompt or Run line: "slui 3". You will see the following screen:
Enter your Windows SBS 2008 Product Key and click Next. SBS will attempt to activate with the new key. If successful you will see the following:
[Today's post comes to us courtesy of Wayne McIntyre]
As many are already aware, Microsoft and other industry leaders introduced sender ID filtering to assist in the combat against e-mail spam. Basically, the concept of sender ID filtering is to verify that the host sending the email is authorized to send email for that domain. With sender ID filtering enabled, the receiving server will check the “mail from” domain’s SPF record to retrieve a list of valid senders for that domain. To learn more about the Sender Policy Framework, please see the following document: http://www.microsoft.com/downloads/details.aspx?familyid=D8A174B1-697C-4AEA-9C92-2E70A013C30B&displaylang=en
The “Setup Your Internet Address” wizard in SBS 2008 can configure your SPF record for you if you chose to have SBS 2008 manage your DNS records. An SPF record is a basic “TXT” record in DNS, which in SBS is configured as v=spf1 a mx ~all. Here is a breakdown of what each portion defines:
This is a sufficient configuration for most purposes; however, if you use a SmartHost the SPF record generated by SBS should not be used, as it will not contain the information for your SmartHost's sending servers. You must manually create the SPF record with your DNS provider AND make one of the following changes to your SBS server.
A. Create the following registry key. This registry key will configure SBS to bypass generation of the SPF record as part of its DNS management.
Key: HKLM\Software\Microsoft\SmallBusinessServer\Networking\Services
Name: SkipTXTConfig
Type: Dword
Value: 1
B. Use the IAMW to configure SBS to not manage your DNS records. Option A is the preferred option.
To create your own customized SPF record we recommend you use the SPF Record Wizard below which will ask you a series of questions then configure your SPF record based on your responses.
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
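To see why the SBS-generated record is not enough once a SmartHost is involved, the added example below (not from the original post) evaluates v=spf1 a mx ~all against a sender's IP the way a receiving server would, using a simplified subset of SPF (only the a, mx, ip4 and all mechanisms). The domain, the DNS table, the smart host address 198.51.100.25 and the ip4 range in CUSTOM_RECORD are constructed placeholders; the real range must come from your SmartHost provider.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation ranges).
DNS_A = {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.10"]}
DNS_MX = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SBS_RECORD = "v=spf1 a mx ~all"                         # record quoted on this page
CUSTOM_RECORD = "v=spf1 a mx ip4:198.51.100.0/24 ~all"  # hypothetical smart host range

def _addresses(host):
    return [ipaddress.ip_address(a) for a in DNS_A.get(host, [])]

def check_spf(record, domain, sender_ip):
    """Evaluate a subset of SPF (a, mx, ip4, all); the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in _addresses(arg or domain)
        elif name == "mx":
            matched = any(ip in _addresses(h)
                          for h in DNS_MX.get(arg or domain, []))
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this simplified subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present

if __name__ == "__main__":
    for rec in (SBS_RECORD, CUSTOM_RECORD):
        for ip in ("192.0.2.10", "198.51.100.25"):
            print(rec, "|", ip, "->", check_spf(rec, "example.com", ip))
```

Mail sent directly from the SBS server passes under both records, while mail relayed through the smart host only passes once its range is listed in the record.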
Thank you to all who attended the live webcast and launch event for the Windows Essential Server Solutions product line! The event was a great success, and we keep hearing how excited everyone is that SBS and EBS are finally out in the market.
Just in case you didn’t get enough of SBS and EBS, check out the videos below from the TechNet Edge team.
EBS remote access video interview
Kannan C. Iyer, program manager for EBS, tells us why EBS chose the remote access methods they use, gives us a walkthrough of the Remote Web Workplace (RWW) UI and options, and also lets us in on the future thinking for EBS RWW.
EBS virtualization video interview
EBS is publicly available and you can attend the live virtual launch event today! In light of this, I decided to interview Steve Bourne, virtualization program manager for Essential Business Server. Steve gives insight into EBS virtualization, tells us what is supported, uses the whiteboard to help determine what EBS virtualization scenario will work best for you, and also shows a quick demo of EBS running in Hyper-V.
SBS 2008 remote access demo and interview
Magesh Narayanan, program manager for SBS, gives us a detailed list of the new remote web workplace (RWW) features in SBS 2008 since SBS 2003 and tells us the design goals they had with remote access for this release.
If you happened to miss the event, you can still visit the DreamServer website for the on-demand replay.