[Today's post comes to us courtesy of Shawn Sullivan]

The method in which the Directory Services Restore Mode (DSRM) password is set during an install of SBS 2008 is different than that of Windows Server 2008. Like most component installation in SBS 2008 setup, the dcpromo process is hidden from the user and they will not be prompted to enter a DSRM password.

In a clean install of SBS 2008, SBS setup will synchronize the DSRM password with that of the admin account password that you specify during setup.

During a migration, SBS setup will synchronize the DSRM password with that of the admin account you have specified in the SBS Answer file generator tool when creating the SBSAnswerfile.xml.

In either case, once the DSRM password is set by SBS setup, it does not change. So even if you change your domain administrator password a few months down the road, the DSRM password still remains the same. Therefore, it is extremely important for you to document and secure this information. If you have forgotten the DSRM password (and you can still boot into normal mode), you can manually set it by following the steps in http://support.microsoft.com/kb/322672 (you must type activate instance NTDS after launching NTDSUtil.exe). Example:

When logging into DSRM in SBS 2008, you have two choices:

1. If another DC is available to service login requests, you can login to the server using a domain administrator account (http://technet.microsoft.com/en-us/library/cc732714.aspx). This is very convenient if you have forgotten your DSRM password.
2. If no other DC is available, you must login locally using “.\administrator” or “machinename\administrator” and the DSRM password.

If you have forgotten your DSRM password, there is no other Domain Controller available to service logins, and you cannot boot into Normal Mode, you will not be able to login to the server.

NOTE:  A new feature has recently been released that allows you to synchronize the DSRM password with that of a user account.  Details regarding this can be found here http://support.microsoft.com/kb/961320.  After you install the feature and reboot the server, you can run the following command to initiate the sync:

ntdsutil "set dsrm password" "sync from domain account <AccountName>" q q

Important: This sync only occurs once.  If your user account's password changes, the DSRM password is not automatically updated and you will need to run the command again

[Today's post comes to us courtesy of the SBS SE Team]

This article lists the known issues and their workarounds after installing IE 8 on your Small Business Server and the on your Vista clients.  This article is for test purposes only.  Installing beta products in a production environment is not recommended or supported by PSS.

There will be some known issues after you install IE 8 on Small Business Server 2008 or your Vista clients:

1. A dialog will pop up for authentication when visiting http://companyweb through IE 8, which will block you from visiting http://companyweb.
2. You are not able to sign into your Office Live website.
3. On a Vista client, clicking the SBS gadget to open a flyout will close the SBS gadget if a flyout is already displayed.

A dialog will pop up for authentication when visiting http://companyweb through IE 8, which will block you from visiting http://companyweb

1. On the SBS 2008 server, when using IE8 to access http://companyweb you will be prompted for credentials. If you click cancel you can neither access http://companyweb nor provide credentials again.
2. If you input correct credential information and click “OK”, the credential box will open again, then you click OK or re-provide the credential, but the credential box still pops up. During this time, any click cancel will cancel this visit. After the third time you click OK or provide the credential, you finally got a 401 unauthorized error in IE.

To work around this issue, use one of the following methods.

Method 1: Enable Negotiate (Kerberos) option for Sharepoint 3.0

Follow these steps:

1. Click Start, click Administrative Tools, Click SharePoint 3.0 Central Administration, and then click Continue on the User Access Control Dialogue.
2. In the Authentication Providers page, Click Application Management, and then click the "Authentication providers" under the "Application Security" tab
3. Check the Web Application, make sure the port is 987; otherwise change web application to the URL which has the port 987
4. Click the "Default" zone, you will go to the Edit Authentication page;
5. Check the Negotiate(Kerberos) option under the Integrated Windows authentication tab;
6. Click OK in the Dialog which gives a warning that "You have chosed to use Kerberos with Integrated Windows authentication. Manual configuration steps by a domain administrator will be required if the application pool's security account is not the Network Service" and then click Save;

Method 2: This issue will be fixed in upcoming update rollup for SBS 2008; you can download and install it from Microsoft Update when it is available.

You are not able to sign into your Office Live Website

1. After you set up Microsoft Office Live Small Business Web sites in the Home Page of Windows SBS Console
2. Go to “Shared Folders and Web Sites” Page in SBS Console; try to browse to the Business Web Site under Office Lie Small Business Websites by using IE 8;you will see the sign in office live website is blocked due to Java script is disabled in IE 8 by default;
3. To enable Java Script in IE 8, you need to follow this KB http://support.microsoft.com/gp/howtoscript

In Vista, clicking the SBS gadget to open a flyout will close the SBS gadget if a flyout is already open

1. Join a Vista client to Small Business Server 2008 domain.
2. In the Vista client, add Small Business Server Gadget to the desktop sidebar.
3. Click "Organization links" to open its flyout In the Small Business Server Gadget.
4. Click "Administration links" to open another flyout In the Small Business Server Gadget.
5. You will see Small Business Server gadget is closed.
6. To visit the SBS gadget, you need to add Small Business Server Gadget to the desktop sidebar in the Vista Client again.
7. To avoid this issue you should not open 2 flyouts at once.

[Today's post comes to us courtesy of Shawn Sullivan] 

SBS 2008 Backup is not designed to work with either LCR (Local Continuous Replication) or SCR (Standby Continuous Replication). The backup job will not fail, however you will receive an error under the details of the completed job telling you that Exchange is not available for recovery. Likewise, when you choose to restore an application from your backup job, you will not see Exchange in the list. This prevents you from performing an online backup or restore of your Exchange data.

Even with LCR/SCR enabled, SBS does back up the entire Exchange directory at a file level. This is not, however, the same as an online backup of Exchange.  It is not a point-in-time copy of the production database. The copy of the database may not be consistent, logs already committed to the database are not purged, the production database is not checksummed, and so on. You may have the ability of restoring your databases to an alternate location for recovery, such as in scenarios where you would use a recovery storage group for individual mailbox recovery. However, this does not guarantee reliablility of the data that you are recovering. 

If you require the ability to take online Exchange backups while you have either LCR or SCR enabled, use an Exchange 2007 aware application, such as System Center Data Protection Manager (DPM) or a capable third party solution. Note: The DPM management software cannot be installed on a domain controller, only the DPM agent.

For related information, please visit the links below:

How to Recover a Mailbox by Using a Recovery Storage Group
http://technet.microsoft.com/en-us/library/aa997694(EXCHG.80).aspx

System Center Data Protection Manager
http://technet.microsoft.com/en-us/dpm/bb798076.aspx

[Today's post comes to us courtesy of Damian Leibaschoff and Wayne McIntyre]

We have seen some cases where the Network Policy Server service fails to start, when this happens, functionality provided by TS Gateway (used in RWW) or Routing and Remote Access (RRAS) will also stop working. Furthermore, we’ve also seen, that as part of the troubleshooting, partners are uninstalling the entire role, and when trying to re-install it fails.

How to identify you are experiencing this issue?

When starting the NPS service it fails with:

The following event is logged:

Log Name: System
Source: Service Control Manager
Date: 1/30/2009 11:36:35 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The Network Policy Server service terminated with the following error:
Unspecified error

If you try to start RRAS you get:

Log Name:      System
Source:        Service Control Manager
Date:          2/16/2009 1:34:37 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:  
Description:
The Routing and Remote Access service terminated with service-specific error 16389 (0x4005).

If you try to re-install the Role service you get:

Network Policy and Access Services
Network Policy Server
Network Policy and Access Services: Installation failed
<Error>: Attempt to install Network Policy Server failed with error code
0x80070643. Fatal error during installation
The following role services were not installed:
Network Policy Server

In the servicing logs you see:

ServerManager.log
5316: 2009-01-29 12:06:25.902 [CBS] ...current state of 'IAS
NT Service': p: Staged, a: Staged, s: UninstallRequested
5316: 2009-01-29 12:06:25.902 [CBS] ...setting state of 'IAS
NT Service' to 'InstallRequested'
5316: 2009-01-29 12:06:25.919 [CBS] ...'IAS NT Service' :
applicability: Applicable
5316: 2009-01-29 12:07:05.658 [CbsUIHandler] Initiate:
5316: 2009-01-29 12:07:08.975 [InstallationProgressPage] Installing...
5316: 2009-01-29 12:08:54.092 [CbsUIHandler] Error: -2147023293 :
5316: 2009-01-29 12:08:54.093 [CbsUIHandler] Terminate:
5316: 2009-01-29 12:08:54.093 [CBS] Error (Id=0) Function:
'NativeMethods.GetPackageStatus(out status)' failed: 80070643 (-2147023293)
5316: 2009-01-29 12:08:54.094 [CBS] ...done installing 'IAS
NT Service '. Status: -2147023293 (80070643)
5316: 2009-01-29 12:08:54.094 [InstallationProgressPage] Verifying
installation...
5316: 2009-01-29 12:08:54.194 [Provider] Skipped configuration of
'NetworkPolicyServer' because install operation failed.
cbs.log
2009-01-29 12:07:27, Error CSI 00000001 (F) Logged
@2009/1/29:12:07:26.752 : [ml:96{48},l:94{47}]"Attempting to start service {IAS}
synchronously"
[gle=0x80004005]
2009-01-29 12:07:27, Error CSI 00000002 (F) Logged
@2009/1/29:12:07:27.753 : [ml:260{130},l:258{129}]"Service did not run. Current
state (3) Exit code (-2147467259) Service specific exit code (0) Check point (1)
Wait hint (300000) "
[gle=0x80004005]
2009-01-29 12:07:27, Error CSI 00000003@2009/1/29:12:07:27.864
(F) CMIADAPTER: Inner Error Message from AI HRESULT = E_FAIL
[
[19]"Unspecified error"
]
[gle=0x80004005]

The problem can happen when the NPS service tries to register it’s VSS writer and finds that it does not have enough rights to do so.

To resolve this:

1. Check the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
   Verify that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is set to 0 change it to 1.
   
   
   
   
2. Open Task Manager, select Show Processes for all users, and kill any instances of IASHOST.EXE that might be running.
   
   
3. Start the NPS Service. (If it is not installed, re-install it at this point)

We are investigating why the value would be 0 instead of 1. At this time we have identified that uninstalling WSS 3.0 will cause the value to change to 0, there are other interactions that could lead to this value getting changed. We will update this post once we have more information.

[Today's post comes to us courtesy of Shawn Sullivan]

We have been receiving a number of inquiries from customers regarding the ability to send email from the Internet to a SharePoint document library running on SBS 2008.

The steps on how to set this up are all documented under method 2 from the previous post:

http://blogs.technet.com/sbs/archive/2009/02/02/how-to-use-outlook-to-send-email-to-a-sharepoint-document-library-on-sbs-2008.aspx

After you create the new mail contact, the Windows SBS Email Address Policy will stamp the contact with the external SMTP address as a secondary address:

When you send an email to this SMTP address, the Exchange Transport service will deliver to the primary SMTP address. In the example above, if I send to mylist@contoso.com, Exchange will deliver to mylist@companyweb. At that point the email is forwarded to the drop directory, picked up by Sharepoint, and the attachments are delivered to the “mylist” document library.

Note: This has the potential to be broken if you manually edit the Windows SBS Email Address Policy, which applies your SMTP domain address to all recipients.

We have been receiving several support calls on how to install SBS 2008 CALs.  In SBS 2008 you do not install the CALs onto the server.  You should place the CALs in a safe or somewhere similar where they will not get lost, damaged, or stolen.

This and other licensing issues are also covered in the Licensing FAQ.  SBS MVP Susan Bradley has also summed up quite nicely what you should do with your SBS 2008 CALs.