[Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]
As we've been discussing in the past few posts, Windows Small Business Server (Windows SBS) 2008 includes the full, latest versions of the software that you need to run your business. Perhaps one of the best reasons to deploy Windows SBS 2008 is that the Premium edition includes a separate server with a copy of Windows Server 2008 Standard along with Microsoft SQL Server 2008 Standard.
Note: For more information about the product technologies included in each edition of Windows SBS, see http://www.microsoft.com/sbs/en/us/compare-features.aspx.
In this post, we'll focus on the capabilities your business can benefit from with Windows SBS 2008 Premium, thanks to SQL Server Standard. Based on best practices, SQL Server 2008 Standard is a comprehensive data management and analysis solution that makes it possible to use many server-based business applications, such as accounting, business planning, and contact management software, which share a centralized database so that all employees can work from the same information.
SQL Server 2008 contains improvements and additional features in nearly every area of the product. Some of the top new features are:
SQL Server 2008 builds on a strong legacy of supporting non-relational data by providing new data types that let you efficiently store and manage unstructured data such as documents and images. Support for managing advanced geospatial data has also been added. In addition to new data types, SQL Server 2008 provides a rich set of services on the different data types while providing the reliability, security, and manageability of the data platform.
With the new FILESTREAM data type, you can store binary data in the file system while preserving it as an integral part of the database. This new data type lets you more easily manipulate unstructured data such as documents and images that reside outside the database.
You can ensure compliance with system configuration policies and simplify administration tasks with policy-based management. Policy-based management simplifies the administration of access to data throughout the data infrastructure. This reduces the time you spend on daily maintenance operations by defining a common set of policies for database operations.
You can use the performance data collector to troubleshoot, tune, and monitor SQL Server 2008. The data collector collects different sets of data and stores them in a management data warehouse. You can adjust the scope of the data collection to suit your test and production environments.
SQL Server 2008 drives broader analysis with enhanced analytical capabilities and with more complex computations and aggregations. New cube design tools help you streamline the development of the analysis infrastructure so that you can build solutions for optimized performance. Best Practice Design Alerts have been built into the design, and these let developers integrate real-time alerts at design time, which optimizes design. Dimension Designer enables easy viewing and editing of attribute relationships and also provides multiple built-in validations for support of ideal dimension design.
The new SQL Server 2008 Integration Services data profiling tool helps you improve the quality of data. You can analyze source data for a variety of properties such as data type, length, histograms of data values, and the strength of integrity relationships. This helps improve the quality of data going into a data warehouse.
You can easily build reports with any structure through the redesigned Report Builder. It has the familiar look and feel of Microsoft Office 2007, including a ribbon interface and the ability to integrate powerful visualizations into reports.
SQL Server 2008 Standard provides new Microsoft Office rendering that lets users access reports directly from within Microsoft Office Word. In addition, the existing Excel renderer has been greatly enhanced to support features such as nested data regions, sub-reports, and merged cells. This lets users maintain layout fidelity and improves the overall usability of reports that are created in Microsoft Office applications.
Included with Windows SBS 2008 Premium, SQL Server 2008 lets you run your LOB and other mission-critical applications while lowering the cost of managing the data infrastructure and delivering insights and information to all users. This platform has the following qualities:
For more information, see the following resources:
[Today’s post comes to us courtesy of Wayne Gordon McIntyre from Commercial Technical Support]
Troubleshooting resource exhaustion issues in support is something that you have no choice but to get good at, and not to worry, we get plenty of practice with the number of performance-based cases that come in on a regular basis. It is generally pretty easy to spot a potential resource exhaustion condition, as the symptoms are usually resolved (perhaps the better word is relieved) by a reboot, only to resurface a few days to weeks later depending on how fast the particular resource is exhausted. So, if you encounter a server that you have to reboot every few days to work properly, you probably have an issue with resource exhaustion, which is usually caused by a memory leak. This next case will discuss such a condition; however, the resource exhaustion occurred in an area of memory where we had never previously encountered it, and have not encountered it again since, which puts it into the corner case bucket.
The case involved an SBS 2003 server which, being 32-bit, has many memory resource limitations, especially for kernel mode. The main ones are 2GB of virtual address space for the kernel (assuming no /3gb switch), 530MB for paged pool (can be paged out) and 256MB for NonPaged Pool (can’t be paged out to a pagefile) on server SKUs. For a complete list of memory limits see:
http://msdn.microsoft.com/en-us/library/aa366778(VS.85).aspx#memory_limits
The symptoms in this case were that MMC snap-ins, such as Active Directory Users and Computers, the SBS MMC, etc., were not loading correctly. Of course they would reboot and everything would work again until 1 or 2 days later, when the symptoms would re-emerge. Going thru the case notes, it seemed they had checked all of the usual suspects of resource consumption issues but were not making any progress. Since I had the dump file, I decided I would double check everything. I started out with inspecting the virtual memory usage with !vm 1 (!vm displays summary information about virtual memory use statistics; the 1 just causes the display to omit process-specific statistics, which I don’t care about at the moment).
The output immediately stood out as interesting to me: the NonPagedPool Usage is roughly 41MB and the PagedPool Usage is roughly 39MB (we can also see the potential max is 256MB and 530MB, which means there is no /3gb switch at play). The part that was interesting to me is that there have been 3988 pool allocation failures, yet there is plenty of available pool memory. Luckily the O/S keeps a counter for all pool allocation failures and their reasons in “MmPoolFailures” and “MmPoolFailureReasons”. Next I dumped out those addresses in memory using dd nt!MmPoolFailures and dd nt!MmPoolFailureReasons, which basically showed me that the failures were in session pool and there was actually a total of 8064 pool allocation failures. After consulting the debugger’s help on how to view Session Paged Pool memory statistics, I discovered a better method by enabling the bit 2 flag (0x4) with the !vm command. !vm 4 includes session memory in the output; this is where the answer was clearly revealed as to where the resource exhaustion was occurring. The bottom portion of the output is shown below.
Ahh, so we are out of session paged pool, but who uses session paged pool? Turns out SessionPoolSize is used for video card driver allocations when Terminal Services is enabled, and SessionViewSize (Desktop heap when TS is enabled) is used for GUI objects such as fonts and menus. The default value of SessionPoolSize on an SBS 2003 server is 4MB; however this value is controllable thru the SessionPoolSize DWORD in “HKLM\System\CCS\Control\Session Manager\Memory Management\”. In this case 4MB was not a sufficient amount of session paged pool for his video card’s driver allocations so we increased it to 16MB which resolved the problem. The KB article below talks about the sizes you can configure for SessionPoolSize and SessionViewSize as well as their default values.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;840342
[Today’s post comes to us courtesy of Shawn Sullivan and Damian Leibaschoff from Commercial Technical Support and Chris Puckett from Product Quality]
We wanted to give everyone an update on the current situation with update 983444 and Small Business Server 2008 and to try to help anyone that is having problems. The majority of our customers should not have any problems with this update on SBS. For those who are running into this issue, the solution is very simple in most cases and we see a very high success rate. However, for some it is a little more complex. What we document below has helped the majority of the situations where this issue has been seen.
[Updated Content: 10/15/2010]
We have recently begun to see the same behavior surrounding the installation of 2345304 (MS10-072: Description of the security update for Windows SharePoint Services 3.0: October 12, 2010). For this scenario, the steps towards resolution are the same as those given below.
Background: The first thing we want to clarify is how SharePoint 3 updates are being installed. There are two main phases (detailed description <link>). Phase one is the binary deployment; this is where the actual SharePoint files are updated. The second phase is the provisioning of the databases. If for any reason the provisioning doesn’t complete, your sites will be inaccessible. You may see errors similar to the ones mentioned in the blog post “Companyweb Inaccessible After SharePoint 3.0 Service Pack 2”. You may also see an event with an error mentioning the text “Invalid Signature” or “missing Windows Internal Database signatures.” Almost all of the issues we have seen with this update are phase two failing.
Solution:
For most issues the resolution will be to forcefully finish phase two and complete the provisioning of the databases. To do this, follow these steps:
The previous steps take care of most of the issues. In a few other cases, we’ve seen abnormally configured custom accounts for the Search Service causing problems. Here is a quick workaround to get you through the issue back to a working CompanyWeb if you are indeed hitting this issue.
Important: If you are receiving event 2436 for Windows SharePoint Services 3 Search after initiating the full crawl, then you need to follow the steps that are documented in the following blogpost: Event 2436 for SharePoint Services 3 Search. In fact, we have seen the occurrence of this issue become the reason why many customers change the login account for spsearch as an attempted workaround.
Check the following KB article for other known issues:
KB 944267 How to troubleshoot common errors that occur when you run the SharePoint Products and Technologies Configuration Wizard on a computer that is running Windows SharePoint Services 3.0 or SharePoint Server 2007
For a similar issue on SBS 2011 Standard, please check the following blog:
http://blogs.technet.com/b/sbs/archive/2011/05/24/you-must-manually-run-psconfig-after-installing-sharepoint-2010-patches.aspx
[Today’s post comes to us courtesy of Shobhit Garg and Justin Crosby from Commercial Technical Support]
Today’s post will cover the basics of performing a bare metal restore on Small Business Server 2008. As you will see, a bare metal restore allows you to recover your Operating System, installed applications and data without first having to install an OS or backup software. The Small Business Server Backup Wizard will create backups that are bare metal capable. For more information on SBS 2008 backup, see: http://blogs.technet.com/sbs/archive/2008/11/03/introducing-sbs-2008-backup.aspx. It is important to remember to back up all volumes if you want the ability to restore the server to the exact state it was in at the time of the backup. You cannot restore data that was never backed up.
Some Advantages of Bare Metal Restore
Now let’s consider that some irreparable damage has occurred to the server OS. You can perform a bare metal restore using the following steps:
If you have chosen to format the drive, you will receive a confirmation message before proceeding.
The restore process will take several minutes. Once it completes, you will be prompted for a reboot. Important: This procedure will trigger a reactivation of the server, which you must complete within three days.
Are you concerned about the security of your company's data? If your employees use laptops, they can easily be lost or stolen. USB sticks are easy to lose or to leave in a customer's office. What if your office building was broken into and the thieves managed to steal servers and desktop computers? How can you make sure that you don't lose the company-critical information on your server? The BitLocker feature of Windows Small Business Server 2008 and of Windows 7 Ultimate can help mitigate these risks.
For the purposes of this post, let's consider that your accountant uses a laptop. The data is backed up on your server that is running Windows SBS, but you want to make sure that the data both on the laptop and on the server is protected. In this post, we'll discuss how you can use BitLocker to accomplish this goal.
BitLocker encrypts all the data that is stored on the Windows operating system volume (and configured data volumes). This includes the Windows operating system, the hibernation and paging files, the applications, and the data.
BitLocker uses encryption keys to help ensure the integrity of the components that are used in the earlier stages of the startup process. By default, BitLocker is configured to use a Trusted Platform Module (TPM) chip for the storage and management of these keys. Protected volumes remain protected even if your accountant's computer is tampered with when the operating system is not running.
BitLocker encrypts the entire drive. Your accountant can log on and work with files normally, but BitLocker can help block hackers from accessing the system files that they rely on to discover your accountant's password or from accessing your accountant's drive by removing it from the laptop and installing it in a different computer.
Whenever you deal with the encryption of data, especially in an enterprise environment, you must consider how that data can be recovered in the event of hardware failure, changes in personnel, or other situations in which encryption keys are lost. BitLocker supports a robust recovery scenario.
BitLocker offers many benefits when you use it in Windows SBS 2008 or in Windows 7 Ultimate. A few of the primary benefits are as follows:
In our scenario, we're discussing securing your accountant's laptop, but why stop there? You can use Group Policy to enforce BitLocker for all of the computers and USB drives in your domain.
From policy-configured Active Directory Domain Services integration for the escrow of recovery keys, to simple and efficient hardware recovery processes, BitLocker provides an integrated management experience. Group Policy settings that affect BitLocker are located in Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption. For more information about BitLocker drive encryption and about these settings, see the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/cc725719(WS.10).aspx
You can use Group Policy settings to configure BitLocker to require or to prevent different types of recovery password storage or to make them optional. You can also use Group Policy settings to prevent BitLocker from being enabled if the keys cannot be backed up to Active Directory. For more information about how to configure Active Directory to support recovery options, see Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information (http://go.microsoft.com/fwlink/?LinkId=82827).
Note: If you choose to save encryption keys in Active Directory, it is a best practice to promote an additional domain controller as a backup.
Two new sets of Group Policy settings have been introduced to support BitLocker and management of the TPM. All of the policy settings are explained in the Local Group Policy Editor and the Group Policy Management Console. To view more detailed explanations, start the Local Group Policy Editor by typing gpedit.msc at an elevated command prompt or in the Start Search box, and then examine the description provided for each of the settings in the table.
You can use BitLocker to secure your server that is running Windows SBS 2008. BitLocker is an optional component in Windows SBS 2008; you must install BitLocker before you can use it. Please note that depending on your hardware configuration, enabling BitLocker can have a moderate impact on server performance. If your server is already I/O bound, you should upgrade your disk subsystem before implementing BitLocker on the server that is running Windows SBS 2008.
Important: Before you install BitLocker, it is imperative that you perform a full backup of the server.
To install BitLocker during the initial configuration, follow these steps:
To install BitLocker after the initial installation by using the Windows user interface, follow these steps:
To install BitLocker after the initial installation by using a Command Prompt window, follow these steps:
After you install BitLocker, turn on BitLocker Drive Encryption:
By completing this procedure, you encrypted the operating system volume and created a recovery password unique to this volume. The next time that you log on, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the recovery password is supplied.
For additional scenarios, refer to the "BitLocker Drive Encryption Step-by-Step Guide" at the following TechNet website: http://technet.microsoft.com/en-us/library/cc732725(WS.10).aspx
Now that you've protected your server with BitLocker, you can use BitLocker Drive Encryption to help protect all the files that are stored on your employees' computers. BitLocker is available in Windows 7 Ultimate and can help protect the data that is stored on client computers, particularly mobile ones.
If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the TPM chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.
If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or you can set the drive to automatically unlock when you log on to the computer.
You can turn off BitLocker at any time, either temporarily by suspending it or permanently by decrypting the drive.
And of course you can also use BitLocker on your Windows 7 Ultimate laptops to ensure that confidential information on the hard drive cannot be accessed if the laptop gets stolen or lost. Users must supply the correct credentials to access the disk, either through a smart card and a PIN, by entering a password, or through their regular domain logon. Setting up BitLocker in Windows 7 Ultimate is a breeze; any Windows SBS administrator can enable BitLocker with a simple right-click since disk preparation is now automatic.
To turn on BitLocker, follow these steps:
For additional information, refer to the "BitLocker Drive Encryption Step-by-Step Guide for Windows 7" at the following TechNet website: http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx.
By turning on BitLocker for your computers that are running Windows Server 2008 and Windows 7 Ultimate, you've gone a long way toward protecting your infrastructure from accidental loss and theft. Let's not forget the easiest to lose, though: removable media.
To protect USB sticks, thumb drives, and other portable media, you can use BitLocker to Go on your Windows 7 Ultimate workstations and laptops. BitLocker to Go protects any USB storage device and allows access only if you know the correct passphrase or key. As an administrator, you have control over passphrase length and complexity, and you can also set a policy that requires users to apply BitLocker protection to any removable drives before they can write to them. This means that even if your users lose their USB drive, no one else can get to the data unless they know the BitLocker key. To manually protect a removable storage device, connect the device to your Windows 7-based computer, follow the instructions in the "Help Protect Files and Folders on Client Computers" section of this post, and click Turn On BitLocker next to BitLocker Drive Encryption–BitLocker To Go in step 2.
To protect the data contained within the backup files themselves, it is a best practice to store them on a data drive that has been encrypted with BitLocker. Although the backup may be of a drive that has been encrypted by BitLocker, the backup files themselves are not inherently encrypted. Also, if you must recover a machine that is protected by BitLocker, you must reapply BitLocker encryption after the restore. This does not happen automatically.
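Because a restored machine or a backup data drive can silently end up unencrypted, it helps to check volume state rather than assume it. The following is an added example, not part of the original post: a PowerShell function (the name Get-BitLockerAudit is hypothetical) that parses English-language `manage-bde -status` output and flags volumes that are not fully encrypted, have protection off, or lack a recovery password protector. The sample text is constructed, and requiring a recovery password on every volume is an assumed policy.

```powershell
# Added example: audit BitLocker state from `manage-bde -status` text.
# $sample is constructed output for illustration, not captured from a real machine.
$sample = @'
Volume C: [OS]
[OS Volume]

    Size:                 232.88 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Backups]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
'@

function Get-BitLockerAudit {
    param([string[]]$Lines)

    $volumes = @()
    $current = $null
    $inProtectors = $false

    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+:)') {
            # A new volume block starts; keep the previous one.
            if ($null -ne $current) { $volumes += $current }
            $current = @{ Volume = $matches[1]; Conversion = ''; Protection = ''; Protectors = @() }
            $inProtectors = $false
        }
        elseif ($null -eq $current) { continue }   # banner lines before the first volume
        elseif ($line -match '^\s+Conversion Status:\s+(.+?)\s*$') { $current.Conversion = $matches[1] }
        elseif ($line -match '^\s+Protection Status:\s+(.+?)\s*$') { $current.Protection = $matches[1] }
        elseif ($line -match '^\s+Key Protectors:') { $inProtectors = $true }
        elseif ($inProtectors -and $line -match '^\s{8,}(\S.*?)\s*$') {
            # Protector names are listed on deeper-indented lines after "Key Protectors:".
            $current.Protectors += $matches[1]
        }
    }
    if ($null -ne $current) { $volumes += $current }

    foreach ($v in $volumes) {
        $issues = @()
        if ($v.Conversion -ne 'Fully Encrypted') { $issues += "Conversion Status is '$($v.Conversion)'" }
        if ($v.Protection -ne 'Protection On')   { $issues += "Protection Status is '$($v.Protection)'" }
        # Assumed policy: every protected volume must have a recovery password.
        if ($v.Protectors -notcontains 'Numerical Password') { $issues += 'no recovery password protector' }

        New-Object PSObject -Property @{
            Volume    = $v.Volume
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Offline run against the constructed sample:
Get-BitLockerAudit -Lines ($sample -split '\r?\n') | Format-Table Volume, Compliant, Issues -AutoSize

# On a live system, from an elevated prompt:
# Get-BitLockerAudit -Lines (manage-bde -status)
```

The script avoids features newer than PowerShell 2.0 so it can run on Windows 7 and Windows Server 2008-era systems.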
Available in Windows SBS 2008 and in Windows 7 Ultimate, BitLocker Drive Encryption helps you protect your organization's sensitive information by encrypting the data that is stored on servers, client computers, and removable storage devices. You can easily install BitLocker, turn BitLocker on and off, and manage BitLocker by using Group Policy. To return to our scenario, as a result of turning on BitLocker throughout your infrastructure, you can feel confident that your employees' computers and removable media and your server are protected. Additionally, you've applied Group Policy to automatically enforce these settings. Thanks to BitLocker, you've backed up and protected your critical data.
For more information about the topics covered here, watch the following video:
You can also refer to the following resources for more detailed information and step-by-step instructions for using BitLocker:
[Today’s post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support]
This was an interesting situation that developed during April of 2009; this is what happened behind the scenes.
Around April 20 (as early as April 17) we started getting reports of 2008 servers with Exchange 2007 where an SVCHOST was spiking one of the CPU cores. Our main objective was to find a server that was reproducing this behavior. Lucky for me, my own server was experiencing the same behavior. By looking at the PID (process identifier) of the SVCHOST and getting a list of services being hosted there by using tasklist /svc (SVCHost is a shared service process for hosting multiple services), I was quickly able to determine that the actual service causing the spike was WUAUCLT (Windows Update Client service). Many readers may remember similar issues with this service, especially on XP clients. They may also remember that the AU client was partially at fault and that MSI had a lot to do with this issue; you will see how this is relevant (again) in the next paragraph…
I decided to take a process monitor capture while the issue was happening to see if I could identify any obvious activity causing the spike in the CPU. (If you have never used the Windows Sysinternals tool set, you need to go there now and have a look at the great tools available <link>.) Since the issue was with CPU utilization, I used the stack trace view to see what process/function call was actually triggering the activity, and we finally got down to MSI.DLL being the trigger as shown below. Next, I jumped to the registry key that was being repeatedly accessed (also shown in the Procmon capture), and found it had to do with Exchange 2007 anti-spam updates. My SBS 2008 server had the automatic Anti-Spam updates enabled, a product of having selected the option to install Forefront Security for Exchange during the setup.
We now had enough information to start digging into what was triggering the issue. We knew it was related to updates, most specifically to Exchange Anti-Spam updates (block list). We took a peek at Windows Server Update Services only to find a very large number of non-expired, superseding, updates (over 40). Once we manually removed them the issue subsided.
I contacted the Exchange Sustained Engineering team and they brought in their update people. Turns out that they had been working on an issue with their updates in WSUS, and by accident released over 40 updates at the same time; this was enough to cause the AU client to go into this state on a low powered server like mine. The Exchange team immediately expired the extra updates that had been published to WSUS and the issue was resolved on the backend within the hour, with most folks never realizing they had an issue (it would take WSUS to be synchronized again for the change to be effective for the affected server).
A quick disclaimer here in case you see this scenario presented in a different venue: We have shared this scenario with Mark Russinovich as he collects these types of successful experiences with the Windows Sysinternals toolset for use in presentations and training.
Hope you enjoyed this, look for our next post pretty soon.
Damian