[Today's post comes to us courtesy of Shawn Sullivan]

You may have noticed that some of your computer accounts are not showing “online” in the SBS Console. The purpose of this post is to shed some light on why you may see this and how this information is obtained by the server.

Status information for your machines is displayed under the Network > Computers sub-tab in the SBS console.

The console will only display status information for domain-joined computers from the following three OUs:

• OU=Domain Controllers,DC=Domain,DC=local
• OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Domain,DC=local
• OU=SBSServers,OU=Computers,OU=MyBusiness,DC=Domain,DC=local

Note: Replace domain and local with your domain name.

Regardless of whether you join a client or a server computer to the domain, by default it will always appear in the SBSComputers OU. Machine accounts for servers must be manually moved to the SBSServers OU .For more information, please visit: http://blogs.technet.com/sbs/archive/2008/09/24/why-does-my-sbs-2008-premium-second-server-display-as-a-client-computer.aspx

What SBS 2008 Checks For

The server first queries DNS for the host A or AAAA record of the machine; IPv4 is preferred over IPv6 in this scenario. If an A record is found, the server will test this with an ARP request (ARP is used instead of Ping since many firewalls will block ICMP by default). However, if the machine is in a different subnet, the server will attempt to ping it. If only an AAAA record is found, the server will ping the IPv6 address for a response (IPv6 does not support ARP). Possible failures include

• The machine account is disabled: Unknown/Account is disabled
• No DNS record exists for the machine: Unknown/No DNS entry
• No response from ARP request: Offline
• No response from the IPv6 client to the Ping: Unknown/Unable to detect computer on the network

If the server receives a response from either the ARP request or the Ping, then a NetApi call is made to the machine for NetGetJoinInformation. This requires that “Client for Microsoft networks” and “File and Print Sharing” are enabled on the NIC and the proper exceptions are configured in Windows Firewall. Possible failures at this point included:

• Unable to make an RPC connection to the machine: Online/Unable to query computer information
• The NetApi call receives an access denied: Online/No access to query computer information
• The machine is not in the domain: Online/Not joined to domain

Summary

Troubleshooting Checklist

1. Make sure the machine account is enabled, and exists in the proper OU (Domain Controllers, SBSComputers, or SBSServers), and that it is currently domain-joined.
2. Check DNS for the Host A or AAAA record. Ensure the machine is properly updating DNS with their IP address.
3. Enable “Client for Microsoft Networks” and “File and Print Sharing” on the NIC if they are not already.
4. From the server, run net view \\workstationname and note any errors you may receive.
5. Review the IP configuration settings on the machine. Make sure that it is pointing only to the SBS server for DNS, it can properly communicate with the server (login to the domain, access shares) and that It can apply group policy from the SBS server.
6. Ensure that the “Windows Vista Policy” and the “Windows XP Policy” have not been removed from the SBSComputers OU. These GPOs contain the necessary Windows Firewall restrictions. Run “gpresult” on the client to ensure they are applying either GPO. Note: If the client is not running XP SP2 or above, they will not receive these policy settings.
7. If an XP SP2 or higher client is in a different subnet than the server, the NetApi call may be blocked by Windows Firewall due to the default settings in the Windows XP Policy GPO, which only allows file and printer sharing connections from the local subnet. To fix this, you must change the GPO settings for this exception to include the server’s subnet in the scope. For more information, please visit: http://support.microsoft.com/default.aspx?scid=kb;EN-US;957713
8. If a 3^rd party firewall is installed on the machine, check its firewall exceptions.

[Today's post comes to us courtesy of Chris Puckett] 

After one day, you may find your Windows 2008 DNS Server is unable to resolve names in certain top level domains (tld’s) like .co.uk, .cn, and .br when it is configured to use root hints. It may also occur with other tld’s. A network monitor trace shows the DNS Server does not send any DNS traffic out to the internet. The Windows 2008 DNS server returns SERVFAIL to the client or when using nslookup.

Workarounds include restarting DNS, clearing the DNS cache, setting maxcachettl to 2 days or greater, and using DNS Forwarders instead of root hints.

If you want to use root hints, you can set the maxcachettl registry value on the Windows 2008 DNS Server as follows:

1. Start Registry Editor (Regedit.exe).

2. Locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. On the Edit menu, click New, click DWORD (32-bit) Value , and then add the following value:

Value: MaxCacheTtl
Data Type: DWORD
Data value: 0x2A300  (172800 in decimal = 2 days)

4. Click OK .

5. Quit Registry Editor.

6. Restart the DNS server.

Data type                       Range 
REG_DWORD 0x0 | 0x1 - 0xFFFFFFFF seconds Default value:0x15180 (86,400 seconds = 1 day)

You may see this behavior in Windows 2008, SBS 2008 and EBS 2008.

UPDATE: KB Published. 

968372 Windows Server 2008 DNS Servers may fail to resolve queries for some top-level domains
http://support.microsoft.com/default.aspx?scid=kb;EN-US;968372

[Today's post comes to us courtesy of John Bay]

In this post we will discuss how to use a recovery storage group in SBS 2008 to restore two lost important messages.

Our test user has two messages in his inbox that are important to him.

Somehow these two messages got deleted and for some reason we are unable to recover the messages using deleted item recovery in Outlook. We have a backup made prior to the deletion of the messages so we can use a recovery storage group to restore just this one user’s mailbox.

Restore Exchange

In order to use a recovery storage group you must first restore the Exchange databases to an alternate location.

1. To do the restore we would launch Windows Server Backup from administrative tools and click recover.
2. Choose to recover This Server.
   
   
3. Pick the date of the backup job that contains the missing mail messages.
   
4. Choose to recover applications.
   
5. Choose to recover Exchange and if the checkbox for the option “Do not perform a roll-forward recovery of the application databases” is available to be checked, check it.
   
6. Choose to recover to another location and enter in the path.
   
7. Choose to recover the databases. This will recover the databases and place in the specified path.

Create Recovery Storage Group

Once the databases are restored, you can run the Exchange Database Recovery Management to setup a recovery storage group with the databases that were just restored.

1. Open the Exchange Management Console
2. Select the Toolbox node
3. Open the Database Recovery Manager
   
4. Once on the welcome screen fill in the Exchange server name (the SBS 2008 server name) and click next.
   
5. Select create a recovery storage group
   
6. Select the storage group you want to create it for.
   
   Note: First Storage Group contains your Mailbox store by default in SBS 2008
7. Change the path of the Transaction Logs, the System Folders and the Database folders to point to the recently recovered database and then choose to create the recovery storage group.
   

If everything goes correctly you should a screen similar to the following indicating that the recovery storage group was successfully created.

Mount Recovered Databases

1. Choose the option to Go Back to the Task Center
2. Select the option to Mount or dismount databases in the recovery storage group
   
3. Mount the mailbox store you just added.
   

How to Handle Corruption

The database may fail to mount because it is in an inconsistent state. If it fails to mount you will see a screen similar to the following:

If you see this choose to Go Back to the Task Center and Choose the option in the task center to Repair Database.

1. Choose the Recovery Storage Group
   
2. Choose the mailbox database.
   
3. Choose to Perform Repair Task. Exchange will run database repair procedure. If the repair is successful you will see a screen similar to the following.
   
4. Choose to Go Back to the Task Center and choose the option to Mount of dismount databases in the recovery storage group again and try to mount the mailbox database a second time.

Merge Mailboxes

1. Once the database mounts choose to Go Back to the Task Center and Once in the task center, select Merge or Copy mailbox contents to continue the merge process.
   
2. Choose to Gather Merge Information
   
3. Chose Perform Pre-Merge Tasks
   
4. Select the desired accounts to merge and choose perform merge actions.
   
5. The backup copy of the users mailbox will be merged into the current mailbox and the deleted mail should be restored.
   

This method will merge all of the contents of the restored mailbox and the current mailbox together. There are advanced options on the merge function that allow for selecting a date range or a specific subject. You can use these options to narrow down the amount of email to restore.

Note: Don’t forget to dismount the RSG mailbox and remove the RSG when finished.

[Today's post comes to us courtesy of Chris Puckett]

During the installation of SBS 2008, when you select the option “Go online and get the most recent installation updates (recommended)” you may not receive the most recent installation updates.

• Security updates and critical updates from Windows Update will still be installed.
• Updates from Microsoft Update will not be installed. This includes SBS 2008 specific updates.
• You will receive an error at the end of the installation saying “One or more updates cannot be installed.”

1. During the installation of SBS 2008, select the option “Go online and get the most recent installation updates (recommended)”.
   
2. When setup is complete, you will receive this screen.
   
3. When you click View installation issues, you receive this screen.
   

Resolution

When setup is finished:

• Allow WSUS to synchronize the updates for installation.
• Or you can manually browse to https://update.microsoft.com from the server to download updates.

[Today's post comes to us courtesy of Justin Crosby and Damian Leibaschoff]

In some scenarios you may want to increase the logging level for the SBS console and wizards.  This post will detail how to change the logging mode. In order to change the logging level of the console you must edit the following configuration file: C:\Program Files\Windows Small Business Server\Bin\logging.config.

1. Close any SBS applications that may be using logging (like console.exe)
2. Go to SBS bin directory and locate file called logging.config.
3. Save a backup copy of this file and then open this file in notepad. You need to run notepad with elevated credentials since the bin directory is in program files and thus protected by UAC.
4. Locate the <sources> and <predefinedsources> section of the file as seen below:
   
   Note the values highlighted below – this specifies the threshold for the logging levels:
   
   <sources>
     <add level="Information" name="General">
       <listeners>
         <add name="DefaultTraceListener" />
       </listeners>
     </add>
     <add level="Information" name="Antimalware Reporting">
       <listeners>
         <add name="DefaultTraceListener" />
       </listeners>
     </add>
     <add level="Information" name="Security Plugin Infrastructure">
       <listeners>
         <add name="DefaultTraceListener" />
       </listeners>
     </add>
     <add level="Information" name="Update Services">
       <listeners>
         <add name="DefaultTraceListener" />
       </listeners>
     </add>
   </sources>
   <predefinedsources>
     <unmatched level="Information" name="Unmatched">
       <listeners>
         <add name="DefaultTraceListener" />
       </listeners>
     </unmatched>
   </predefinedsources>
   
5. Replace the level values (The “Information” value) with the desired value, such as “All”. This will enable verbose logging.These are the legal values:
   
1. Off -> no logging entries goes through the filter
2. All -> all logging entries go through the filter
3. Critical -> only critical entries go through the filter
4. Error -> only Critical and Errors would be logged
5. Warning -> only Critical, Errors, and Warnings would be logged
6. Information -> allows Critical, Errors, Warning, and Information events to be logged
7. Verbose -> allows Critical, Error,  Warning, Information, and Verbose

Note: In most cases changing the level for General and Unmatched should give you the detail you want, but if you want it all change all 5.