The Official SBS Blog

The official blog for Small Business Server (SBS) support and product group communications.

March, 2010

Recent Blog Posts
  • The Official SBS Blog

    Source Server Does Not Meet Minimum Requirements for Migration

    • 2 Comments

    [Today's post comes to us courtesy of Chris Puckett from Product Quality and Damian Leibaschoff from Commercial Technical Support]

    When installing SBS 2008 in migration mode, you are prompted to Run the Migration Preparation Tool on the Source Server, even though you already have:

    Source Server does not meet minimum requirements for migration

    You must perform additional steps to prepare the Source Server for migrating to Windows SBS.  The following list describes the issues found and tells you what step you must take.  Follow the links for instructions on how to perform the required steps.

    When all the issues on the Source Server are fixed, return here, and then click Check Again.

    Migration Issues

    Run the Migration Preparation Tool on the Source Server

    Either you did not run the Migration Preparation Tool on the Source Server, or you did not start the migration within the allowable time frame. For instructions, see “Run the Migration Preparation Tool” in the Migration Guide.

    Resolution

    In the Windows Small Business Server 2008 media with Windows Server 2008 Service Pack 2 included, the SBS 2008 migration preparation tool has been updated.  The SBS 2008 with SP2 included migration setup routine will pause, resulting in the message above, if it has detected any of the following conditions:

    • The updated Source Tool from the new media has not completed successfully on the source server being joined.

    • The updated Source Tool from the new media has not completed successfully in the last 21 days.

    Therefore, you must install SourceTool.MSI from the new media and successfully run the updated migration preparation tool on the source server in order to proceed.

    1. Take the SBS 2008 with Service Pack 2 DVD out of the destination server and load it into the DVD tray on the Source Server.

    2. Navigate to <DVD Drive>:\Tools and install SourceTool.MSI on the Source Server.

    3. Once SourceTool.MSI is installed on the Source Server, you can take the SBS 2008 with Service Pack 2 DVD out of the source server and load it into the DVD tray on the destination server.

    4. On the Source Server, run the new source tool by clicking Start, Programs, Windows Small Business Server Tools, Windows Small Business Server 2008 Migration Preparation Tool.

    5. To ensure that you are prepared for the best possible migration experience, Microsoft recommends that you always choose to install the most recent updates. These updates are ONLY for the Migration Preparation Tool and will include newer health checks in future updates.

    6. Remember, this tool is now mandatory when using the updated SBS media, so make the backup of the source server a mandatory step as well.

    7. This is the new text when the Migration Preparation Tool is running on a NON-SBS source server.

    8. The Migration Preparation Tool has completed successfully when you see the screen below.

    9. On the destination server, click Check Again.

    More Information

    If you happen to have copied SourceTool.exe (version 6.0.5601.0) from the SBS 2008 RTM media to removable media such as a USB drive, you should strongly consider replacing it with SourceTool.MSI from the SBS 2008 with SP2 included media. The updated SourceTool.MSI is compatible with both SBS 2008 RTM media and SBS 2008 with SP2 included media.

    If you are not sure which version of the Windows Small Business Server 2008 Migration Preparation Tool you are running, run it again and look to see if you receive the screen below to Get Important Updates.  The old version of the Migration Preparation Tool does not have this screen.

  • The Official SBS Blog

    Work Smarter with Offline Files and Shadow Copy

    • 4 Comments

    [Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]

    Have you ever needed to access important files stored in a shared folder on your network but couldn't because the network connection was unavailable? Then you can understand the need for offline files. Luckily, if you’re running SBS 2008 on your server and Windows 7 Professional on your clients, you can start using the Offline Files and Shadow Copy features right away. Using the Offline Files feature of Windows 7 Professional, you can work offline and automatically sync your files when you reconnect. With Shadow Copies of Shared Folders, you can rest assured knowing that if your file accidentally gets written over or deleted, you can easily recover it.

    How Offline Files Work

    When you need to work offline, SBS 2008 working with Windows 7 Professional Offline Files provides a great way to continue to work with documents and files that are stored on your corporate network.

    Let’s say you’re having your car repaired, and you’re sitting in the waiting room while the work is completed. You don’t need internet access to keep the file in sync with the version on the server. You can work on a copy of a file that’s cached on your PC, and any changes you make will automatically be synchronized with the server the next time you connect to the corporate network.

    Offline files are quickly synched with your work server when you reconnect to your corporate network. Offline files offer several advantages to anyone who works with files stored on shared network folders. By working with offline files, you can:

    • Protect yourself from network outages
    • Work with files while you are away from the network
    • Easily sync with network files
    • Boost your efficiency when working over a slow connection

    You can plan ahead and choose the network files you want to make available offline, which automatically creates a copy of the network files on your computer. These copies of network files that are stored on your computer are called offline files. User folders, Desktop, documents, and Start Menu can all be redirected to the server, where any files saved there will be made available offline for clients, no matter which computer they use. You can configure this feature in the User Account Properties on the SBS server, and it will be seamlessly applied to all users. Windows will automatically sync your offline files for you and open them whenever the network versions are unavailable; for example, when you disconnect your laptop computer from your intranet and work from a remote location.

    You can access network files when you can connect to the computer where the network files are stored.

    You can access local copies of network files when you can't connect to the computer where the network files are stored.

    Keeping your offline files in sync

    Windows 7 Professional reduces initial wait times and improves branch office and remote access scenarios by operating in a Usually Offline mode when you are not connected to the same local area network (LAN) as the central server. Any changes made to copies of files that are cached on your computer are synchronized to the central server the next time you connect to the corporate network.

    Administrators can also control when offline files are synchronized with the server, set up specific time intervals for synchronization, block out other times for bandwidth management, and configure a maximum stale time after which files must be resynchronized.

    You can rename and delete folders even while in the offline mode. If network latency slows, and a share is transitioned into the slow-link mode, the share will automatically transition back to the online mode if network latency improves.

    When you select a network file or folder to make available offline, Windows automatically creates a copy of that file or folder on your computer. Anytime you re-connect to that network folder, Windows will sync the files between your computer and the network folder. You can also sync them manually at any time.

    Offline files are quickly synchronized with your work server when you reconnect to your corporate network.

    That's all you really need to know to keep your offline files in sync. However, for the curious, here are some additional details:

    • If you are working offline and make changes to offline files from a network folder, Windows SBS 2008 and Windows 7 Professional will automatically sync any changes you made to the files the next time you connect to that network folder.
    • If you are working offline while someone else changes files in a shared network folder, Windows SBS 2008 and Windows 7 Professional will sync those changes with the offline files on your computer the next time you connect to that network folder. If you have also changed the files since you last connected to the network folder, a sync conflict will occur and Windows will ask you which version you want to keep. You can resolve these and other sync conflicts by using Sync Center. For more information, see Resolving sync conflicts: frequently asked questions.
    • If Windows SBS 2008 and Windows 7 Professional encounter a problem when trying to sync offline files between your computer and a network folder (for example, if the network folder you are trying to sync with is unavailable), a sync error will occur. For more information, see Understanding sync errors and warnings.

    Working with network files when you are offline

    Let’s return to our scenario of working on files offline at the car shop. Before you leave the office for the shop, you first need to make the files you’ll need available offline.

    1. Locate the network file or folder that you want to make available offline.
    2. Right-click the file or folder, and then click Always Available Offline.

      The next time you try to access this file or folder, you will be able to open it even if the network version is unavailable.

    3. To confirm that the file or folder is now available offline, right-click the file or folder again, and make sure that a check mark appears next to Always Available Offline.
    4. If you don't want a network file or folder to be available offline any longer, right-click the file or folder, and then click Always Available Offline to clear the check mark next to the command.

    To enable offline files

    Enable offline files if you want to work with files that are in a network folder. A copy of the file on your hard drive will be synchronized with the network copy as soon as you are back at work or you regain your network connection.

    1. Open Offline Files by clicking the Start button, clicking Control Panel, clicking Sync Center, and then clicking Manage Offline Files in the panel on the left.
    2. Click the General tab, and then click Enable Offline Files.

    To work offline

    Once you’re at the car shop, you can access your offline files:

    1. Open the network folder that contains the files you have made available offline, and then, on the toolbar, click Work offline. This button appears only if you have already made this folder available offline.

    2. When you are finished working with the files offline and want to begin working with the files in the network folder again, click Work online on the toolbar. This will sync any changes you have made offline with the files on the network.

    To find out whether you're working offline

    Let’s say the shop has wireless internet, but it’s not reliable. Offline files turn on automatically if you lose your network connection. A copy of your file is copied to your computer, and once your network connection is re-established, the two copies will be synchronized. To find out if you're working offline, do the following.

    1. Open the network folder that contains the file you are working on.
    2. Check the Details pane at the bottom of the window for the status. If the status is offline, you are working with a copy of the file on your computer. If the status is online, you are working with the file on the network.

    To view all your offline files

    If you work with offline files in many different folders, you may want to view all of them without opening each folder individually. To view all your offline files at once, open Offline Files by clicking the Start button, clicking Control Panel, clicking Sync Center, and then clicking Offline Files.

    To sync all of your offline files immediately

    Once you’re back online, Windows SBS 2008 and Windows 7 Professional sync your offline files for you automatically, so that when a network file is changed, the offline copy stored on your computer is also updated, and vice versa. But Windows SBS 2008 and Windows 7 Professional do not sync your files continuously. Sometimes it is helpful to sync your offline files right away, such as if you are about to disconnect from a network and want to be sure you have the latest versions of files stored on the network.

    1. Open Sync Center by clicking the Start button, clicking Control Panel, and then clicking Sync Center.
    2. Click View sync partnerships in the panel on the left.
    3. Right-click your Offline Files folder, then click Sync Offline Files.


    Tip: If you only want to sync the contents of a specific folder, open the folder that contains the files that you want to sync, and then, on the toolbar, click Sync. To sync an individual file, right-click the file, and then click Sync.

    Shadow Copies of Shared Folders (with Previous Versions)

    But what if you get home from the car shop, sync your files with the server, and then realize that you’ve accidentally written over a file you wanted to keep? To protect yourself from situations like this, with Windows SBS 2008, you can enable Shadow Copies of Shared Folders. While Shadow Copies of Shared Folders is not a replacement for creating regular backups, it can certainly be useful in situations such as this.

    Shadow Copies of Shared Folders automatically creates shadow copies of files and data on shared resources, such as a file server. Then, you can use the Previous Versions feature of Windows 7 Professional to recover files on the SBS server if the files are in redirected folders that reside on the SBS server. Shadow Copies of Shared Folders is enabled on SBS by default and will snapshot twice daily at 7am and 12pm.

    Previous Versions is available as a tab in the Properties dialog box for any item. To access the Previous Versions tab in Windows SBS 2008 or Windows 7 Professional:

    1. Locate the file or folder that you want to restore.
    2. Right-click the file or folder and click Properties. The Properties dialog box will appear.
    3. Click the tab labeled Previous Versions.

    4. Select the version you want to restore, and then choose an action:
      • To save a copy of the file or folder to a new location, click Copy.
      • To restore the file or folder to its original location, click Restore.

    Shadow Copies of Shared Folders provides point-in-time copies of files that are located on shared resources, such as a file server. With Shadow Copies of Shared Folders, you can view shared files and folders as they existed at points of time in the past. Accessing previous versions of your files, or shadow copies, is useful because you can:

    • Recover files that were accidentally deleted. If you accidentally delete a file, you can open a previous version and copy it to a safe location.
    • Recover from accidentally overwriting a file. If you accidentally overwrite a file, you can recover a previous version of the file.
    • Compare versions of a file while working. You can use previous versions when you want to check what has changed between two versions of a file.

    You can access the server portion of Shadow Copies of Shared Folders through the Shadow Copies tab of the Local Disk Properties dialog box. For more information about how to use Shadow Copies of Shared Folders, see Shadow Copies for Shared Folders How To....

    Clients running Windows XP SP2 or later can access the client view of shadow copies through the Previous Versions tab of the Properties dialog box of the shared file or folder. Older clients must first install the Shadow Copy Client, which can be accessed from the server share (\%systemroot%\system32\clients\twclient).  For more information about how to deploy Shadow Copies of Shared Folders, see Deploying Shadow Copies for Shared Folders.

    Notes

    • Creating shadow copies is not a replacement for creating regular backups.
    • Physical access to a server is a high security risk. To maintain a more secure environment, you must restrict physical access to all servers and network hardware.
    • Files and directories that are restored from backup retain their original permissions. Files and directories that are restored from shadow copy will have their permissions replaced with those of the parent.
    • For information on enabling and using shadow copies of shared folders in a server cluster, see Using Shadow Copies of Shared Folders in a server cluster.
    • When storage area limits are reached, the oldest shadow copy will be deleted and cannot be retrieved.
    • There is a limit of 64 shadow copies per volume that can be stored. When this limit is reached, the oldest shadow copy will be deleted and cannot be retrieved.
    • Shadow copies are read-only. You cannot edit the contents of a shadow copy.
    • You can only enable Shadow Copies of Shared Folders on a per-volume basis; that is, you cannot select specific shared folders and files on a volume to be copied or not copied.
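    An added check, not part of the original post, that inventories the shadow copies on each volume of the server and flags the two conditions the notes above warn about (the 64-copy limit and a full storage area), plus a volume whose newest copy is older than the twice-daily schedule would produce. It uses only the Win32_Volume, Win32_ShadowCopy and Win32_ShadowStorage WMI classes that ship with Windows Server 2008.

```powershell
# Added example, not from the SBS post: inventory Shadow Copies of Shared Folders
# per volume and flag the conditions under which the oldest copy is silently
# discarded (64-copy limit reached, storage area full), plus a stale schedule.
# Run in an elevated PowerShell on the SBS 2008 server.

$limit   = 64
$volumes = @(Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter })
$copies  = @(Get-WmiObject Win32_ShadowCopy)
$storage = @(Get-WmiObject Win32_ShadowStorage)

foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the
    # \\?\Volume{GUID}\ form, so they can be compared directly.
    $mine = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    if ($mine.Count -eq 0) {
        Write-Host ("{0}  no shadow copies (feature disabled on this volume, or the task has never run)" -f $vol.DriveLetter)
        continue
    }

    # InstallDate is a DMTF timestamp string; convert before sorting.
    $times  = @($mine | ForEach-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } | Sort-Object)
    $oldest = $times[0]
    $newest = $times[$times.Count - 1]

    # Win32_ShadowStorage.Volume is an object-reference string that embeds the
    # volume GUID, so match on the GUID rather than on the whole DeviceID.
    $guid    = [regex]::Match($vol.DeviceID, '\{[0-9A-Fa-f-]+\}').Value
    $st      = $storage | Where-Object { $_.Volume -like "*$guid*" } | Select-Object -First 1
    $usedPct = $null
    if ($st -and $st.MaxSpace -gt 0) { $usedPct = [math]::Round(100 * $st.UsedSpace / $st.MaxSpace, 1) }

    $flags = @()
    if ($mine.Count -ge ($limit - 4))                { $flags += "within 4 of the 64-copy limit" }
    if (($usedPct -ne $null) -and ($usedPct -ge 90)) { $flags += "storage area $usedPct% used" }
    # SBS snapshots at 7:00 and 12:00; nothing newer than a day means the schedule is not running.
    if ($newest -lt (Get-Date).AddDays(-1))          { $flags += "newest copy older than 24h" }

    Write-Host ("{0}  {1} copies, oldest {2:yyyy-MM-dd HH:mm}, newest {3:yyyy-MM-dd HH:mm}  {4}" -f `
        $vol.DriveLetter, $mine.Count, $oldest, $newest, ($flags -join '; '))
}
```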

    Avoid Version Control Nightmares

    With the built-in version control features of Offline Files, Shadow Copies of Shared Folders, and Previous Versions, you can rest assured that your files are up-to-date and that you can access previous versions. In the scenario we used in this post, you were able to make a file available offline, work on it even when you didn’t have internet access, then sync it with the version on the Windows SBS 2008 server later that day. When you realized that you’d overwritten a file, you used the Shadow Copies of Shared Folders and Previous Versions features of Windows SBS 2008 and Windows 7 Professional to revert to the correct version. Thanks to Windows SBS 2008 and Windows 7 Professional, you can use Offline Files, Shadow Copies of Shared Folders, and Previous Versions to work smarter, more intuitively, anytime, anywhere.

  • The Official SBS Blog

    A Tip for Preventing Certain SharePoint Connectivity Failure in SBS 2008

    • 0 Comments

    [Today's post comes to us courtesy of Chris Puckett from Product Quality and Shawn Sullivan from Commercial Technical Support]

    There is a pre-emptive update that you can install to decrease your chances of running into the issue described in “Companyweb Inaccessible after Sharepoint 3.0 Service Pack 2”, where you receive the error “Cannot Connect to the Configuration Database”. Customers who are planning to install WSS 3.0 SP2 should follow this post. However, this update will not help you if your server is already affected by the issue described in the aforementioned link; in that case you need to follow its resolution.

    Steps to take:

    1. Download the December 2009 Windows SharePoint Services 3.0 Cumulative Update Server update package, KB 977022.
    2. Double-click the package you downloaded to extract it to a folder like C:\Users\admin\downloads.
    3. Install the 977022 update by right-clicking the wss-kb977022-fullfile-x64-glb.exe file and clicking Run As Administrator.
    4. Read and accept the EULA and click Continue.

    5. Click OK on the reminder to run the Sharepoint Products and Technologies Configuration wizard to complete the installation of the update.

    6. Reboot the server when prompted (without running the Sharepoint Products and Technologies wizard).

    7. When the server comes back up, click Start > Administrative Tools > Sharepoint Products and Technologies Configuration Wizard. Click Continue on the User Account Control prompt. If this fails to complete successfully, do not proceed to the next step. Troubleshoot why this failed. You need to have a functional companyweb site before you install Windows SharePoint Services 3.0 SP2.
    8. Install Windows SharePoint Services 3.0 SP2 (KB 953338) from WSUS, Microsoft Update, or the Download Center.

    KB Articles for Reference

    953338 Description of Windows SharePoint Services 3.0 SP2 and of Windows SharePoint Services 3.0 Language Pack SP2

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;953338

    977022 Description of the Windows SharePoint Services 3.0 Cumulative Update Server hotfix package (Sts-x-none.msp): December 15, 2009

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;977022

  • The Official SBS Blog

    Rejoining Small Business Server 2008 into a Preserved Domain after a Disaster

    • 0 Comments

    [Today’s post comes to us courtesy of Wayne Gordon McIntyre from Commercial Technical Support]

    You may find yourself in a scenario where your SBS 2008 server has died and you have no backups available, however you do have a second non-SBS domain controller that is still operational which contains all of your domain information. The steps below will guide you thru rejoining the SBS 2008 server back into the existing domain so you do not have to recreate all of your AD objects and rejoin your client machines.

    *** Please note that this is not a replacement for doing regular backups. Our recommended method to recover a server in these situations is to restore from a good backup. You should only do this if you have no other choice because there is no good backup to restore from. ***

    Preparation and Clean Up Steps:

    1. Change the primary DNS server IP in the TCP/IP properties of the second DC's network card so that it points to itself (e.g. 127.0.0.1).

    2. Ensure the second DC is a global catalog server. Open Active Directory Sites and Services and go to the properties of NTDS settings of the second DC and check the global catalog box if it was not checked.

      *** IMPORTANT: If the server was not a global catalog, make it a GC and wait for the Directory Service event log to record event 1119, which states that the server is now acting as a global catalog server. As a sanity test you can use ldp.exe to confirm that the server is responding to requests on port 3268. For these steps, see Appendix A. ***

    3. Verify which FSMO Roles were held by SBS 2008 by running “NETDOM QUERY FSMO” from an elevated CMD prompt.
    4. Seize all FSMO roles the SBS 2008 Server held to the second domain controller. From an administrative command prompt open the ntdsutil utility by typing NTDSUTIL and pressing ENTER.
      1. Type activate instance NTDS, and then press ENTER. (Only required if the second DC is a Windows Server 2008 DC; otherwise skip this step.)
      2. Type roles, and then press ENTER.
      3. Type connections, and then press ENTER.
      4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
      5. At the server connections prompt, type q, and then press ENTER.
      6. Type seize PDC, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
      7. Type seize infrastructure master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
      8. Type seize naming master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
      9. Type seize RID master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
      10. Type seize schema master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
      11. Type q, and press ENTER until you are back at the command prompt.

        Steps adapted for Windows Server 2008 from KB 255504, Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:

        http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504

    5. Perform metadata cleanup to remove the SBS server from Active Directory.

      216498 How to remove data in Active Directory after an unsuccessful domain controller demotion

      http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

      ** Please note that you have to type “Activate Instance NTDS” in ntdsutil if it is a 2008 DC before you do the metadata cleanup steps. Also, if any FSMO roles were not seized in step 4, the updated version of ntdsutil (2003 SP1 and later) will seize the remaining FSMO roles as part of the cleanup. **

    6. Clean up DNS records that point back to SBS 2008.
      1. Delete the CNAME records “CompanyWeb”, “Connect”, “SBSConnectComputer” and “Sites”.

      2. Delete the (same as parent folder) A records that point to the IP of the SBS server.
      3. Open the properties of the _msdcs.domain.local and domain.local zones, go to the Name Servers tab, and remove the SBS server as a name server.

    7. Delete the exchange server object out of Active Directory.
      1. Open Active Directory Sites and Services.
      2. With Active Directory Sites and Services highlighted at the top node of the tree use the view menu and click on Show Services Node.

      3. Expand the tree until you reach the server name of the failed server, press DELETE, check the box to delete sub-containers, and then click Yes.

    8. You are now ready to rebuild your SBS server to rejoin the existing domain by following Sections 1 – 3 from the link below using the secondary DC as the source server. http://technet.microsoft.com/en-us/library/cc664208(WS.10).aspx

    Post Migration Install Steps

    1. Change the primary DNS server IP on the second DC back to the SBS server, with the alternate DNS server pointing to itself.

    2. Re-add the Source Server on the SMTP connector.
      1. Open the Exchange Management Console.
      2. Expand Organization Configuration.
      3. Select the Hub Transport node.
      4. Go to the Send Connectors tab.
      5. Open the properties of the Windows SBS Internet Send COUGAR connector.
      6. Select the Source Server tab, choose Add, and select the SBS 2008 server as the source server.

    3. Run “Connect to the Internet Wizard” and the “Set up your Internet Address Wizard”.
    4. If you have data to restore such as Exchange, Sharepoint, SQL or files you can now restore it.

    Appendix A

    Using LDP to verify GC functionality

    1. From an administrative cmd prompt, launch LDP.
    2. From the File menu select Connect, enter the name of the server you are on, and change the port number to 3268.
    3. Once it connects, we know that the server is listening and responding to connections on the GC port. Also verify that isGlobalCatalogReady is TRUE.
    4. Next, verify that you can bind: go to the File menu, select Bind, and use the currently logged-on credentials.
    5. Click View > Tree, leave the BaseDN blank, and you should see your domain tree.

    Appendix B

    Testing replication:

    To test replication between the 2 domain controllers run Repadmin /showrepl. The output should show successful replication for all partitions. For more assistance on using repadmin please see the following Technet link.

    http://technet2.microsoft.com/WindowsServer/en/library/a103036b-5d82-4d99-8e61-23d434a8e6eb1033.mspx?mfr=true
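    The checks in Appendix A (connect to port 3268, read isGlobalCatalogReady, bind and view the tree) and Appendix B (repadmin /showrepl), scripted as an added example that is not part of the original post, so they can be rerun until the second DC is confirmed healthy before the SBS 2008 rebuild begins. The name DC2 is a placeholder for the surviving non-SBS domain controller; run it from an elevated PowerShell prompt on that DC, where ADSI binds with the logged-on credentials just as ldp does.

```powershell
# Added example, not from the SBS post: scripted versions of the Appendix A
# (ldp) and Appendix B (repadmin) verification steps for the surviving DC.
param([string]$Dc = 'DC2')   # placeholder name for the second, non-SBS DC

function Test-GcPort {
    # ldp's "connect on 3268" reduced to a TCP connect.
    param([string]$Server, [int]$Port = 3268)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RootDseFlags {
    # RootDSE over the GC port, where ldp shows isGlobalCatalogReady.
    param([string]$Server)
    $root = [ADSI]("LDAP://{0}:3268/RootDSE" -f $Server)
    return @{
        GcReady  = [string]$root.isGlobalCatalogReady
        Synced   = [string]$root.isSynchronized
        DomainDn = [string]$root.defaultNamingContext
    }
}

function Test-BindAndTree {
    # Bind with the logged-on credentials (ADSI does this implicitly) and read
    # the domain root's children, which is what the ldp tree view displays.
    param([string]$Server, [string]$DomainDn)
    try {
        $domain = [ADSI]("LDAP://{0}:3268/{1}" -f $Server, $DomainDn)
        $n = 0
        foreach ($child in $domain.Children) { $n++; if ($n -ge 5) { break } }
        return ($n -gt 0)
    } catch {
        return $false
    }
}

function Get-ReplicationFailures {
    # repadmin /showrepl /csv is easier to parse than the text form; a row with
    # a non-zero "Number of Failures" is a partition that is not replicating.
    param([string]$Server)
    $rows = repadmin /showrepl $Server /csv | ConvertFrom-Csv
    return @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
}

Write-Host ("Port 3268 reachable on {0}: {1}" -f $Dc, (Test-GcPort $Dc))
$flags = Get-RootDseFlags $Dc
Write-Host ("isGlobalCatalogReady={0}  isSynchronized={1}" -f $flags.GcReady, $flags.Synced)
Write-Host ("Bind and tree read OK: {0}" -f (Test-BindAndTree $Dc $flags.DomainDn))

# Event 1119 in the Directory Service log is the confirmation the IMPORTANT note waits for.
$ev = Get-EventLog -LogName 'Directory Service' -ComputerName $Dc -Newest 2000 |
      Where-Object { $_.EventID -eq 1119 } | Select-Object -First 1
if ($ev) {
    Write-Host ("Event 1119 logged at {0}" -f $ev.TimeGenerated)
} else {
    Write-Host "Event 1119 not found among the last 2000 Directory Service events"
}

$failed = Get-ReplicationFailures $Dc
if ($failed.Count -eq 0) {
    Write-Host "repadmin: all partitions report 0 failures"
} else {
    $failed | Select-Object 'Naming Context', 'Source DSA', 'Number of Failures', 'Last Failure Status' | Format-Table -AutoSize
}
```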

  • The Official SBS Blog

    Help Secure your Business Information using Encrypting File System

    • 1 Comments

    [Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]

    Every day, your users work with information that is valuable to your business. However, this same information—including your customer databases, product price lists, and financial information—is constantly at risk of discovery. You see the reports in the papers nearly every day: laptops are stolen, removable hard drives are sent to the wrong recipient. Savvy businesses realize they need help to secure their business information and protect it from inadvertent or deliberate disclosure.

    That’s why Microsoft created Encrypting File System (EFS), a powerful tool for encrypting files and folders on servers and client computers. EFS helps secure confidential information that should not be disclosed without authorization, information that resides on remote servers or on portable computers such as laptops or netbooks, or confidential information on computers that are shared by multiple workers at a business. With EFS, you can protect your business’s information in case someone gains physical possession of the computer that the files reside on. Even people who are authorized to access the computer and its file system can’t view the data that they shouldn’t. Files are encrypted when you close them, but are automatically ready to use when you open them. If you change your mind about encrypting a file, clear the check box in the file's properties.

    EFS is an integral part of the file system and is transparent to your users and applications; you don’t need to install any special software to work with encrypted files. It’s available on Windows Small Business Server (Windows SBS) 2008 and the Windows 7 Professional, Enterprise, and Ultimate operating systems, including both 32-bit and 64-bit platforms.

    How EFS works

    EFS helps secure the information that is contained in your folders and files by creating a unique key that uses a combination of the server’s credentials and the user’s credentials. When you first apply EFS to a folder, any files that are created in that folder or moved into that folder are encrypted, and only you and the recovery agent are given access to encrypt or decrypt the file. You can give any other user access to individual files in this folder. However, users can only be added to the access list individually; it is not possible to grant an entire group access to a file. Also, although you can give users access to individual files, it is not possible to give users access to an entire folder.

    After a folder is marked for encryption, it isn't necessary to manually mark the files in it for encryption. But when you move a file out of the encrypted folder, the file may be decrypted, depending on whether the destination is an NTFS volume. The best practice is to keep a file in its encrypted folder until the file is no longer needed.

    If a person or program doesn’t possess the correct key to read the encrypted file or folder, an “Access Denied” message appears. EFS is an excellent file encryption system—there is no "back door”—however, anybody who can obtain the user ID and password can log on as that user and decrypt that user's files.
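    An added example, not part of the original post, that audits which files under a share actually carry the EFS Encrypted attribute: because a file moved out of an encrypted folder may be decrypted, a folder that is marked for encryption can still hold plaintext files, and this lists them. It also runs cipher.exe /c on a few encrypted files to show the user certificates and recovery agents that can decrypt them, the two parties the post says receive access. The path D:\Shares\Confidential is a placeholder.

```powershell
# Added example, not from the SBS post: find plaintext files inside folders
# that are marked for EFS encryption, and show who can decrypt the rest.
param([string]$Root = 'D:\Shares\Confidential')   # placeholder path

function Test-EfsEncrypted {
    # EFS sets FileAttributes.Encrypted (0x4000) on encrypted files and on
    # folders marked for encryption; the Properties dialog shows the same state.
    param([System.IO.FileSystemInfo]$Item)
    return (([int]$Item.Attributes -band [int][System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsAudit {
    # One record per file: path, whether it is encrypted, and whether its parent
    # folder is marked, so "plaintext file in encrypted folder" stands out.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $parentMarked = Test-EfsEncrypted (Get-Item -LiteralPath $_.DirectoryName -Force)
            New-Object PSObject -Property @{
                Path         = $_.FullName
                Encrypted    = Test-EfsEncrypted $_
                FolderMarked = $parentMarked
            }
        }
}

$audit   = @(Get-EfsAudit $Root)
$exposed = @($audit | Where-Object { $_.FolderMarked -and -not $_.Encrypted })

$audit | Sort-Object Path | Format-Table Encrypted, FolderMarked, Path -AutoSize
Write-Host ("{0} files scanned, {1} plaintext files inside folders marked for encryption" -f $audit.Count, $exposed.Count)

# cipher.exe /c lists the user certificates and recovery agents that can
# decrypt an encrypted file; shown for the first three encrypted files found.
foreach ($f in ($audit | Where-Object { $_.Encrypted } | Select-Object -First 3)) {
    cipher.exe /c $f.Path
}
```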

    Encrypting File System Best Practices

    Because EFS is so secure, it’s critical to enforce a strong password policy. It’s also a best practice to archive and back up the recovery keys for your domain and keep them in a safe place to ensure recovery should the keys become damaged or lost. If you don’t take these precautions, you can permanently lose the information in encrypted files and folders. We will cover recovery keys in the next section of this post.

    When encrypting removable media, it is important to keep in mind that the encrypted files will only be accessible on computers that have certificates for users who are listed as having access to the file (or the recovery agent key). This means that if you are working on an encrypted file at work, and you bring it home to finish up on your home computer, you will only be able to access this file if your home computer has your user certificate.

    Similarly, you should take great care when you enable EFS on a SharePoint site. Any user who has access to a SharePoint site can encrypt any file on that site. However, once that file is encrypted, only users listed as having access to that file (or the recovery agent) will be able to access it.

    For more information on EFS Best Practices, read this TechNet article*: http://support.microsoft.com/kb/223316/en-us.

    Using Encrypting File System

    As previously mentioned, it is essential to back up your user certificates and recovery key before you use EFS to encrypt anything on your computer or the server. Once you have backed up these certificates, you can encrypt folders and files either directly or by using group policy.

    Creating and Backing Up the Domain-Based Recovery Key

    The first step in backing up user certificates and recovery keys is to create a domain-based data recovery agent. By default, the local administrator is set as the recovery agent. This means that if the machine is lost or stolen, the domain administrator will not be able to access encrypted files. Instead, it is best to set the domain administrator as the recovery agent.

    To create a domain-based recovery agent:

    1. Log on to the Windows SBS 2008 server.
    2. Click Start > Administrative Tools > Group Policy Management.
    3. Right-click the GPO that contains the EFS policy, and then click Edit.
    4. In the console tree (on the left), navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and then right-click Encrypting File System.
    5. Click Create Data Recovery Agent to make the currently logged on user a Recovery Agent. The new Recovery Agent certificate appears in the right-hand pane.

    To add additional recovery agents, right-click the Encrypting File System node, and then click Add Data Recovery Agent. This will open the Add Recovery Agent Wizard.

    Once you have set the domain recovery agent, you should back up the certificate. To export the domain EFS recovery agent's private key:

    1. Log on to the Windows SBS 2008 server.
    2. Click Start > Administrative Tools > Group Policy Management.
    3. Right-click the GPO that contains the EFS policy, and then click Edit.
    4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
    5. Right-click the certificate you want to export.
    6. Point to All Tasks, and then click Export. The Certificate Export Wizard starts.
    7. Click Next.
    8. Click Yes, export the private key, and then click Next.
    9. Click Personal Information Exchange – PKCS #12 (.PFX).  

      Note: We strongly recommend that you select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access. If you select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. In all other situations, export and then store the recovery agent's private key offline to help maintain its security.
    10. Click Next.
    11. Specify (and confirm) a password, and then click Next.
    12. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

      Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
    13. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

    Now that you have set the domain recovery agent and backed up the certificate, you can begin to use EFS to help protect files and folders from unauthorized access. The following sections provide instructions on enabling EFS by selecting specific folders and files and by using group policy.

    Encrypting Specific Folders and Files in Windows SBS 2008 or Windows 7 Professional

    In Windows SBS 2008, there are two ways you can use EFS to help protect business information. The first is the easier one to implement: select the specific folders or files on your server that you want to encrypt. These steps are also the same for encrypting folders or files in Windows 7 Professional. Follow these steps to select specific folders or files:

    1. Start Windows Explorer.
    2. Right-click the folder or file you want to protect, then click Advanced > Encrypt contents to secure data.
    3. Click OK twice to close the dialog boxes. Your folder or file is now encrypted.

    This method helps secure your information in cases where unauthorized users attempt to access the files from within your business, or for when the server or its hard drives are removed from your business.

    To allow a user to encrypt or decrypt a file:

    1. Open Windows Explorer.
    2. Right-click the encrypted file that you want to change, and then click Properties.
    3. On the General tab, click Advanced.
    4. In Advanced Attributes, click Details.
    5. To add a user to this file, click Add, and then do one of the following:
    6. To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
    7. To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
    8. To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
    9. To remove a user from this file, click the user name and then click Remove.

    Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.

    Encrypting Folders and Files in Windows SBS 2008 or Windows 7 Professional Using Group Policy

    The second way to encrypt folders and files is to create a group policy for computers in your business so that specific files and folders on those computers use EFS. The most useful group policies enforce encryption of the user’s Documents folder and encrypt offline files. They give remote users or users with laptops the ability to work with information while on the road, but they keep the information secure should the laptop or hard drive fall into unfriendly hands.

    You should be aware, however, that using Folder Redirection group policy, which redirects specific user folders to server locations, can result in those files being encrypted multiple times. This is unnecessary and can adversely affect file server performance.

    Follow these steps to create an EFS group policy:

    1. Click Start > Administrative Tools > Group Policy Management.
    2. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).
    3. Click Create a GPO in this domain, and Link it here… 
    4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
    5. In the console tree, in the Group Policy Objects folder, right-click the new GPO and click Properties.
    6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
    7. Right-click Encrypting File System and then click Properties. The Encrypting File System Properties dialog box appears.
    8. Under File Encryption using Encrypting File System (EFS), click Allow.
    9. Select Encrypt the contents of the user’s Documents folder and then click OK.
    10. Close the console applications. The new group policy will be applied the next time a user logs on to the domain.

    The next time the user uses the computer, the new settings will be applied. To verify that the policy has been correctly applied:

    1. Log in as any user on the domain.
    2. Right-click any folder on the user’s computer.
    3. Select Properties, then Advanced.
      The Advanced Attributes dialog shows the encryption setting applied by the policy.

    Note: It can take a few minutes for these settings to propagate. Also, the user’s machine may need to be restarted.
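    The verification above is a visual spot check on one folder. As an added example that is not from the original post, the following PowerShell script audits a whole folder once the policy has applied: for each file it reports whether the Encrypted attribute is set and, by reading the built-in cipher.exe /c listing, whether a recovery agent certificate is present alongside the user's certificate. The folder path is a placeholder, the script targets PowerShell 2.0 (Windows 7 and SBS 2008), and it assumes the English headings in the cipher.exe output.

```powershell
# Added example, not code from the SBS blog post. Audits one folder after the
# EFS Group Policy has applied: is each file encrypted, and does it carry a
# recovery agent (DRA) certificate so the data can be recovered if the user's
# key is lost? $Path is a placeholder; written for PowerShell 2.0 and the
# English output headings of the built-in cipher.exe (assumed).
param([string]$Path = "$env:USERPROFILE\Documents")

function Test-EfsFile {
    param([string]$File)
    $attrs = (Get-Item -LiteralPath $File -Force).Attributes
    $encrypted = (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
    $users = @(); $hasDra = $false
    if ($encrypted) {
        $section = ''
        # cipher /c lists the file's decrypting users and its recovery certificates
        foreach ($line in (& cipher.exe /c $File 2>&1)) {
            if ($line -match 'Users who can decrypt') { $section = 'user'; continue }
            if ($line -match 'Recovery Certificates') { $section = 'dra';  continue }
            if ($line -match 'Key Information')       { $section = '';     continue }
            if ($line -notmatch '\S' -or $line -match 'thumbprint') { continue }
            if ($section -eq 'user') { $users += $line.Trim() }
            if ($section -eq 'dra' -and $line -notmatch 'No recovery certificate') { $hasDra = $true }
        }
    }
    New-Object PSObject -Property @{
        File = $File; Encrypted = $encrypted
        Users = ($users -join '; '); HasRecoveryAgent = $hasDra
    }
}

$results = Get-ChildItem -LiteralPath $Path -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-EfsFile $_.FullName }

$results | Select-Object File, Encrypted, HasRecoveryAgent, Users | Format-Table -AutoSize

# Two findings worth acting on: the policy did not apply to a file, and encrypted
# data that only the user's own key can open (unrecoverable if that key is lost).
$notEncrypted = @($results | Where-Object { -not $_.Encrypted })
$noDra = @($results | Where-Object { $_.Encrypted -and -not $_.HasRecoveryAgent })
Write-Host ("{0} file(s) not encrypted; {1} encrypted file(s) without a recovery agent" -f `
    $notEncrypted.Count, $noDra.Count)
```

    Run it as the user whose Documents folder the policy targets; cipher.exe reports the recovery certificates that were in the EFS policy when each file was encrypted, so files encrypted before the recovery agent was added will show up in the second count until they are re-encrypted.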

    Recovering EFS Keys

    As we’ve discussed, encrypted data is readable only to users who possess the required private key to unlock the data and to the recovery agent. It is important for you to realize that if the user's private key is lost or damaged, the encrypted data becomes unusable unless there is a means to restore the plaintext or the private key to the user. Your organization can lose access to valuable encrypted information unless there is a means for someone besides the user to recover the encrypted information.

    In order for you to successfully retrieve that user’s data, the EFS user must have a valid EFS user certificate, and at least one EFS recovery agent account must have a valid EFS recovery certificate. Thus, when you deploy EFS or secure mail, you should implement a recovery program and policies to ensure that users' encrypted data can be recovered.

    When Group Policy is downloaded to computers, the Encrypted Data Recovery Agent Group Policy settings contain the certificates for each designated recovery agent account within the scope of the policy. EFS uses the information in the current Encrypted Data Recovery Agent Group Policy settings to create and update the data recovery fields (DRFs) stored with each encrypted file. A recovery agent certificate contains the public key and information that uniquely identifies the recovery agent account.

    To retrieve an encrypted file or folder:

    1. As the recovery agent, log in to the computer from which you need to retrieve data.
    2. Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.
    3. Click the Personal folder.
    4. Click Action > All Tasks > Import. This opens the Certificate Import Wizard.
    5. Click Next.
    6. Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next.

      If you have navigated to the right location but don't see the certificate you are importing, then check that the correct file type is selected (i.e., .PFX, .P12, etc.).
    7. Type the password, select the Mark this key as exportable check box, and then click Next.
    8. Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish.

    After you import the certificate, you should have access to decrypt the encrypted files: right-click the file, click Properties > Advanced, and then uncheck Encrypt contents to secure data. This will decrypt the file.

    The Combined Benefits of EFS on SBS 2008 and Windows 7

    Using EFS is especially important for those of us who use devices such as laptops and external hard drives away from the office. Encrypting the Documents folder helps ensure that the information is kept from prying eyes and, when used with the redirected folders policy in Windows SBS 2008, also helps ensure that the information is maintained and backed up on the server. When used together, these methods create a centrally managed business policy that helps add security to your business information. It is important to properly back up recovery keys so that you can access a user’s files if disaster strikes.

    For more information on the Encrypting File System, read this TechNet article: http://technet.microsoft.com/en-us/library/cc700811.aspx.

    *Written originally for Windows XP but still valid for current EFS implementations

  • The Official SBS Blog

    New IT Trends Bring Change to Mid-Market Product Line

    • 5 Comments

    Today Microsoft announced that effective June 30, 2010, Microsoft will discontinue future development of Windows Essential Business Server (EBS), the infrastructure solution we designed specifically for midsize businesses. This blog post is to specifically answer the question around whether the change affects other Microsoft solution products.

    The short answer is, no.

    In no way does today’s EBS announcement impact Windows Small Business Server, Windows Home Server and Windows Server 2008 and R2.

    Our decision to discontinue future plans for Windows Essential Business Server was based on several factors, but most notably in response to midsize businesses making a rapid shift towards technologies such as management, virtualization and cloud computing as a means to cut costs, improve efficiency, and increase competitiveness. As it happens, those technologies are offered today through other Microsoft solutions, and midsized customers are adopting them, including Windows Server 2008 R2, Microsoft System Center, Microsoft Exchange Server, and the Microsoft Business Productivity Online Suite (BPOS).

    We believe that streamlining our server product portfolio will provide clarity for customers and partners to determine which option might be right for them.

    Microsoft remains fully committed to small and medium-sized businesses. EBS customers can look forward to continued support and a number of options for continuing with EBS or transitioning to other technologies.

    For more information, please visit: http://www.microsoft.com/ebs.
