[Today’s post comes to us courtesy of James Frederickson and Shawn Sullivan from Commercial Technical Support]
We have seen an increase in cases where customers experience various networking problems because they have altered the network topology by installing multiple NICs or assigning multiple IPs to a single NIC. Some of the more common issues we have seen with this scenario include, but are not limited to:
· Slow or complete loss of file share/network login access
· Problems with Outlook connectivity (mailbox login, Autodiscover, OAB, Free/Busy, OOF assistant, Outlook Anywhere)
· Issues accessing web sites (OWA, RWW, SharePoint, Connect)
· Issues with service startup, particularly Exchange.
· The server hangs at “Applying Computer Settings” upon boot.
· Inability to complete the SBS networking wizards (IAMW and CTIW)
SBS 2008 (Server 1 in Premium Edition) is supported by Microsoft only in a single network card environment with a single IP address. If multiple NICs are detected during the initial SBS setup, all but one will be disabled. This is because the integration between the various components included with the product has been designed to depend on this basic topology. This, in turn, simplifies the deployment of the product. Other configurations, although supported and perfectly legitimate on Windows Standard edition, would be considered unsupported in SBS 2008. Microsoft technical support may require that the server is brought back into a supported scenario before troubleshooting can begin. For more information regarding supported network topologies and SBS, see the following post.
To return the server to a functioning and supported state, begin by running the SBS 2008 BPA. This will check for and notify you of any network configuration settings that require attention:
Common Scenarios
1. Multiple NICs are installed and active, or multiple NICs are installed but only one is plugged in.
To fix this, open Network Connections from the Control Panel, or type ncpa.cpl from the Run command.
**Note** It is critically important to know which IP addresses your services (DNS, IIS, SMTP, Terminal Services, etc) currently are listening on before you make any changes to your TCP/IP configuration. You could easily render a critical service completely unbound from the network.
Right-click and disable all but the primary adapter. If you decide to remove and uninstall the additional adapters, please read the SBS blog post "Device Manager may seem to hang while uninstalling a NIC".
You will also need to verify the binding order of your NICs by clicking the Advanced > Advanced Settings menu. Your enabled NIC must be first in the list and must have both File/Print sharing and Client for Microsoft Networks enabled:
2. Multiple IPs are assigned to the NIC.
As stated before, SBS 2008 is designed to only have a single IP address on a single network adapter. The NIC must use a private IP address with a 255.255.255.0 subnet mask. The following IP ranges are supported:
Remove any additional IP addresses that you have bound to the NIC. Be careful and verify which IP address(es) your services are listening on, changing them if necessary, beforehand.
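The check called for in the note under scenario 1 and again here, as an added PowerShell example that is not part of the original post: it parses netstat -ano output and flags TCP listeners bound to an address other than the one being kept. The address 192.168.16.2, the sample lines and the function name Get-ListenerPlan are assumptions, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. $KeepIp and the netstat lines are constructed sample data;
# on the server, replace the sample with:  $lines = netstat -ano
$KeepIp = '192.168.16.2'    # assumed: the single address that stays on the NIC
$sample = @'
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       1540
  TCP    192.168.16.2:53        0.0.0.0:0              LISTENING       1540
  TCP    192.168.16.3:25        0.0.0.0:0              LISTENING       2212
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.16.2:49155     192.168.16.50:445      ESTABLISHED     4
'@
$lines = $sample.Split("`n")

function Get-ListenerPlan {
    param([string[]]$Lines, [string]$KeepIp)
    foreach ($line in $Lines) {
        # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $addr = $Matches[1]
            if ($addr -eq '0.0.0.0' -or $addr -eq '[::]') {
                $note = 'all addresses: unaffected'
            } elseif ($addr -eq '127.0.0.1' -or $addr -eq '[::1]') {
                $note = 'loopback: unaffected'
            } elseif ($addr -eq $KeepIp) {
                $note = 'bound to the address being kept'
            } else {
                $note = 'REBIND FIRST: address will be removed'
            }
            New-Object PSObject -Property @{
                LocalAddress = $addr
                Port         = [int]$Matches[2]
                OwningPid    = [int]$Matches[3]
                Note         = $note
            } | Select-Object LocalAddress, Port, OwningPid, Note
        }
    }
}

# Only the listener on 192.168.16.3:25 is flagged in the constructed sample.
Get-ListenerPlan -Lines $lines -KeepIp $KeepIp |
    Sort-Object LocalAddress, Port | Format-Table -AutoSize
```

This covers TCP listeners only. To map a flagged PID to its services, run tasklist /svc /fi "PID eq <pid>"; HTTP.sys listeners appear under PID 4, so check IIS site bindings separately.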
A note about NIC teaming:
We periodically encounter servers with NIC teaming enabled. When configured properly, teamed NICs will logically act as a single NIC with a single IP address and provide fault tolerance if one fails. However, this still falls into an unsupported network topology on SBS 2008 and you may be asked by Microsoft technical support to break the team as part of troubleshooting. You can find this documented as well in the SBS 2008 Release Documentation under the section “The Windows Small Business Server 2008 networking wizards do not support network teaming”.
[Today’s post comes to us courtesy of Douglas Boyd and Damian Leibaschoff from Commercial Technical Support]
In the past few months we started seeing the recurrence of an old issue that was previously documented in:
832880: You cannot successfully install the intranet component or connect to http://companyweb in Windows Small Business Server 2003 http://support.microsoft.com/default.aspx?scid=kb;EN-US;832880
However, the scope of the SBS 2003 media affected by this issue has effectively changed. You now need to use SBS 2003 with SP1, SBS 2003 with SP2, or SBS 2003 R2 media to have a successful installation. Any older media will encounter the problem, no matter the version of SQMCFG.DLL present on CD 3.
This problem may occur if one of the following is used to install the Intranet component:
Background Information:
When SBS 2003 originally released in 2003, an issue was discovered with the way WMSDE verified the validity of a SharePoint file. To work around the problem, a fix was created (KB832880) and a NEW release of SBS 2003 shipped that included updated files on CD 3. However, this would only circumvent the problem until late 2009. A proper resolution to this issue was not available until Service Pack 4 was released for the SharePoint WMSDE instance (KB909544).
Symptoms:
The following error is generated when the installation tries to create the configuration database in WMSDE.
Metadata manifest 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\bin\sqmsto.dll' does not exist or has invalid signature. (Error code: 2779).
To identify if you have the affected media, look for the existence of a folder named IE6 present on the CD 3 under \SBS\CLIENTAPPS. If you have the folder, then the CD is older than SP1 and you will experience the problem. If your CD 3 does NOT have the \SBS\CLIENTAPPS\IE6 folder, then it is an SP1 or greater CD. If that is the case, you will also have a CD 4 that contains the following folder structure:
02/23/2005  01:37 PM         2,238 autorun.ico
02/23/2005  01:37 PM            52 autorun.inf
04/05/2007  10:34 AM    <DIR>      MSDE_SP4
04/05/2007  10:34 AM    <DIR>      SBS
04/05/2007  10:34 AM    <DIR>      WMSDE_SP4
Resolution:
In order to resolve this issue, perform the following steps:
[Today’s post comes to us courtesy of Mike Toot from the SBS Marketing Team]
The first line of malware defense is a robust firewall between your business and the Internet. Nearly all routers on the market include firewalls that reduce the attack surface, so most businesses connected to the Internet have one layer of defense in place.
What’s not as apparent is the need for firewalls on each computer within the business. Malware can find its way onto internal computers through e-mail, from USB memory sticks or thumb drives, or external hard drives used to move files between customers. Laptops that are used outside the network can likewise be infected; once the laptop is inside the firewall it can then launch attacks within your network.
When you have a firewall on each computer on the network, you add another layer of protection. Both SBS 2008 and Windows 7 ship with firewalls that help protect you from malware. But how do you manage all these firewalls – router, SBS 2008, desktops and laptops – so they provide uniform protection for what network traffic is allowed in and out of your network?
SBS 2008 and Windows 7 make it easy to manage the firewalls on your network. Both SBS 2008 and Windows 7 use the same firewall technology so you don’t need to memorize a different interface. In addition, if your router is UPnP-enabled, SBS 2008 can manage the router for you so that network traffic is correctly configured for services such as Remote Web Workplace. No need to look up tables for protocols and ports; SBS 2008 makes the changes for you.
To view the SBS 2008 firewall properties, open the Windows SBS Console, click the Security tab, select Server Firewall, and then click View Server Firewall properties.
The Firewall Settings dialog appears, and the General tab shows you overall information about the firewall’s settings. Management functions are on the Advanced tab. Click the Advanced tab and then click Manage rules. Note that on the Advanced tab you can also click Manage Router. This will launch Internet Explorer, and you can then log on to the router and manually configure its settings.
The Windows Firewall dialog opens. It shows you the high-level status, including whether the firewall is on, whether inbound connections are blocked, and whether the firewall generates a notification when a program is blocked. Click Change settings.
The Windows Firewall Settings dialog displays the green check of health and a bright green band on the dialog, letting you know whether the firewall is enabled and providing protection to your server. The dialog also provides the global switch for the server firewall, as well as the Block all incoming connections option. This option is useful if you need to perform troubleshooting on the server. Click the Exceptions tab.
The Exceptions tab shows you which services are allowed through the Windows Firewall to interact with your server. Most administrators will never need to change any settings here, or add exceptions for other programs or services. It does provide a quick way to verify whether a service has been enabled, and clicking the Properties tab lets you see what protocols and ports are in use for that service. Close this dialog and the remaining dialogs and return to the SBS 2008 desktop.
Windows 7 uses the same firewall technology, but with a twist: since laptops and other devices can be used on other networks, the Windows 7 firewall applies location-dependent firewall rules. On a computer running Windows 7, click Start, Control Panel, and then Windows Firewall.
The Windows Firewall shows the high-level rules that are applied on the computer depending on its network type. Since the Windows 7 computer is a member of the SBS 2008 domain, some of the firewall settings are managed by the administrator, so users may not have the ability to change security policies on the computer depending on the rule. To see the specific rules that are being applied on the computer running Windows 7, click Allow a program or feature through Windows Firewall.
The Allowed Programs page shows which programs are allowed to communicate through Windows Firewall and on which network types. This page also shows whether the setting is controlled through a group policy set by SBS 2008. This provides additional flexibility for businesses that want to give their remote employees the ability to use computers at work or at home, yet still provide protection against malware at both locations.
Advanced administrators will also find value in the tools available to manage SBS 2008 and Windows 7 firewall rules. On the server running SBS 2008, click Start, Administrative Tools, and then Windows Firewall with Advanced Security. This launches an MMC snap-in that helps manage domain firewall settings.
For example, if your business uses an instant messaging application to help customers in real time, you can use the Windows Firewall snap-in to configure and deploy a new firewall rule that allows IM traffic. Or, if you want to prevent employees from using an instant messaging application, you can create rules to block inbound and outbound IM traffic. These rules are then applied to a firewall policy group such as the network domain. A full discussion of creating and applying firewall rules to the domain is beyond the scope of this post, but you can find out more information by browsing the SBS 2008 help file and by consulting TechNet.
When used together, the Windows Firewall technology in SBS 2008 and Windows 7 helps safeguard your work and gives you more IT control and flexibility. You can now manage more computers and devices, more consistently and more effectively, in less time. It’s yet another way that SBS 2008 and Windows 7 are better together.
For more information on how SBS 2008 and Windows 7 are better together, visit the Microsoft Web site (http://www.microsoft.com/sbs/en/us/windows7.aspx).
For information on a trial version of SBS 2008, visit the Microsoft Web site (http://www.microsoft.com/sbs/en/us/trial-software.aspx).
For a test drive of Windows 7 Professional, visit the Microsoft Web site (http://www.microsoft.com/windows/business/windows-7-test-drive/).
[Today’s post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support, Chris Puckett from Product Quality, and Alex Shao from the Product Team]
You may receive multiple prompts for authentication from Outlook clients connected to an SBS 2008 Server at roughly 5 minute intervals. Both local and Outlook Anywhere clients can encounter this issue. OWA clients are not affected. The behavior may be inconsistent for different users and is remedied temporarily by rebooting. You may have noticed this behavior on existing installations after installing security updates or on new deployments if you installed the security updates during installation.
To resolve this issue, log on to the SBS 2008 Server and install Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later. Update Rollup 8 for Exchange Server 2007 SP1 was released on May 16, 2009. As of this writing Update Rollup 9 for Exchange Server 2007 Service Pack 1 is available and supersedes Update Rollup 8. To obtain Update Rollup 9 from the Microsoft Download Center, see Update Rollup 9 for Exchange Server 2007 Service Pack 1. It is also available from Microsoft Update and WSUS.
As another option, you may log on to the SBS 2008 Server and run the following command from an elevated command prompt (Note: the commands may wrap in this post, so you may need to combine the lines from copy and paste):
%windir%\System32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useKernelMode:false
More Information:
The update from KB 973917 enables authentication at the root level of IIS by adding the following to the C:\Windows\system32\inetsrv\config\applicationhost.config file at a global level:
<windowsAuthentication enabled="false" />
This exposes a behavior with IIS 7 where the mix of user and kernel mode authentication requests while servicing clients will not work.
Installing UR8 for Exchange 2007 SP1 or later resolves this issue by forcefully disabling kernel mode authentication at the global level, thus preventing the situation where IIS 7 cannot service both types of authentication.
After installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later or running the appcmd specified above, the applicationhost.config is modified and the previously mentioned entry will look like this:
<windowsAuthentication enabled="false" useKernelMode="false">
Installing Update Rollup 8 for Exchange Server 2007 Service Pack 1 or later prior to installing the KB 973917 security update should also prevent you from experiencing the symptoms described above.
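To confirm which state a server is in, the following added PowerShell example (not from the original post or from Microsoft) lists every windowsAuthentication entry in an applicationhost.config and warns when kernel-mode and user-mode entries are both enabled. The sample XML, the site paths and the function name Get-WinAuthMode are constructed; a missing useKernelMode attribute is assumed to inherit the global entry, or the IIS 7 default of true, and intermediate parent paths are ignored.

```powershell
# Added example. Constructed sample standing in for applicationhost.config;
# on the server, load the real file with [xml](Get-Content <path>) instead.
$sample = @'
<configuration>
 <system.webServer><security><authentication>
   <windowsAuthentication enabled="false" />
 </authentication></security></system.webServer>
 <location path="Default Web Site/AppA">
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false" />
  </authentication></security></system.webServer>
 </location>
 <location path="Default Web Site/AppB">
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
 </location>
</configuration>
'@

function Get-WinAuthMode {
    param([xml]$Config)
    $xp = '/configuration/system.webServer/security/authentication/windowsAuthentication'
    $root = $Config.SelectSingleNode($xp)
    $inherited = 'true'    # IIS 7 default when the attribute is absent
    if ($null -ne $root -and $root.HasAttribute('useKernelMode')) { $inherited = $root.GetAttribute('useKernelMode') }
    foreach ($node in $Config.SelectNodes('//windowsAuthentication')) {
        $loc = $node.SelectSingleNode('ancestor::location')
        $scope = '(global)'
        if ($null -ne $loc) { $scope = $loc.GetAttribute('path') }
        $mode = $inherited
        if ($node.HasAttribute('useKernelMode')) { $mode = $node.GetAttribute('useKernelMode') }
        New-Object PSObject -Property @{
            Scope = $scope; Enabled = $node.GetAttribute('enabled')
            KernelMode = $mode; Explicit = $node.HasAttribute('useKernelMode')
        } | Select-Object Scope, Enabled, KernelMode, Explicit
    }
}

$rows = @(Get-WinAuthMode ([xml]$sample))
$rows | Format-Table -AutoSize
$kernel = @($rows | Where-Object { $_.Enabled -eq 'true' -and $_.KernelMode -eq 'true' })
$user   = @($rows | Where-Object { $_.Enabled -eq 'true' -and $_.KernelMode -eq 'false' })
if ($kernel.Count -and $user.Count) {
    Write-Warning 'Kernel-mode and user-mode Windows authentication are both enabled.'
}
```

With the constructed sample, AppA runs in user mode while AppB inherits kernel mode, so the warning fires; adding useKernelMode="false" to the global entry, as the update rollup or the appcmd command does, clears it.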
There are many configuration issues that can cause Exchange clients to not be able to log on to the server. This is only one possible cause.
If the steps above don’t resolve your connectivity issue, the next steps are:
1. Read this blog post on certificate mismatch warnings to see if it matches your symptoms
2. Run the Exchange BPA on the SBS 2008 server.
3. Run the Remote Connectivity Analyzer.