The Official SBS Blog

The official blog for Small Business Server (SBS) support and product group communications.

March, 2011

Recent Blog Posts
  • The Official SBS Blog

    How to Perform an Authoritative System State Restore in SBS 2008/2011 Standard


    [Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support]

    If you have ever been in the situation where you had to recover an Active Directory object that was accidentally deleted within a multiple Domain Controller environment, then you are probably somewhat familiar with the term “authoritative restore” and what it does. This link gives a pretty in-depth look at the procedure; however, some important points I want to call out in this post are:

    • An authoritative restore is used if you are recovering objects from Active Directory that have either been deleted or changed and you need to restore those objects to their previous state.
      • An object change or deletion will replicate to the other Domain Controllers in your network.
      • The state of the object in the backup is considered “out-of-date” unless you specifically mark the restore of this object as authoritative.
      • If you restore the system state and boot the server into normal mode before you mark the object for an authoritative restore, you will find that the object is once again changed or deleted when the server receives inbound replication from its partner.
    • Be as specific as possible when targeting the objects that you intend to restore. For example, if you simply need to recover a deleted user account, don’t mark the entire OU that contains it for an authoritative restore. Just mark the user account itself.
      • Avoid unnecessarily or undesirably reverting any objects to their previous state that are not related to the deletion. You could inadvertently restore attributes like passwords, profile paths, and group memberships that may no longer be valid.
      • Minimize the amount of data requiring replication across the network.
    • If you are recovering a Domain Controller from a full or system state backup and wish to restore it back into the domain without making any changes to the state or content of the domain, then you should not perform an authoritative restore.
      • This is usually in scenarios where something other than Active Directory needs to be recovered on a Domain Controller. For example, a server with a corrupted file system or failing hardware.
      • In this scenario, a healthy copy of Active Directory in the desired state still remains within the other Domain Controllers in the network. When the Domain Controller is restored, its copy of Active Directory will be brought up to date when it receives inbound replication from its partner.

    Scenarios where you would mark the entire copy of Active Directory as authoritative are rare and the situation is most likely catastrophic. If you believe you might be in a situation like this, you should probably contact Microsoft Product Support Services for troubleshooting assistance.

    Performing an authoritative restore of objects in Active Directory can become a very complicated proposition, depending on what it is that you intend to recover. There are just too many variables and different situations you could find yourself in to cover in one comprehensive article. However, to give you a good idea of the whole process, we will go through the common scenario where you wish to restore a single user account to its complete original state.

    Note: There are tools, such as ADRestore, that can pull a deleted object out of its tombstone and place it in its previous location. However, certain attributes that are stripped from the object when it is deleted cannot be restored by such tools, for instance passwords and group memberships for user accounts. A tool like ADRestore is meant to be used if you do not have a system state backup, not as a replacement for a system state backup.

    1. Boot the SBS server into Directory Services Restore Mode and restore the system state backup with your chosen backup application:
      1. After the POST, press F8 to enter the advanced boot options, choose Directory Services Restore Mode
      2. Concerning the username and password that you will use to log in to the server after it has booted into DSRM, review the following post
      3. If you have taken your backup using SBS Backup or Windows Server Backup, review the following post. Here I have used wbadmin to obtain the ID for my available system state backup and to begin the restore procedure:

    2. Before you boot into normal mode, launch NTDSUTIL and mark the user account you wish to recover for authoritative restore:
      1. Activate the NTDS instance: Activate Instance NTDS (see below).
      2. Enter the Authoritative Restore context (see below).
      3. Mark the object for authoritative restore: Restore Object "cn=username,ou=organizational unit,dc=domain,dc=local" (see below).
      4. Click Yes to confirm


        Note:
        The .txt and .ldf files that are created during the restore process (see the output above) are for use in situations where you are recovering users and security groups that may have been migrated at some point in time from SBS 2000. For an explanation of this, see the sections “LVR and Restoration of Group Memberships” and “Files for Recovering Group Memberships Following Authoritative” in the following TechNet article: http://technet.microsoft.com/en-us/library/690730c7-83ce-4475-b9b4-46f76c9c7c90

    You can see from the output that the attribute’s version number was incremented by 100000, which essentially makes it more up-to-date than what the remaining Domain Controllers have for this object. You can also see that 4 records were updated; this is the security group membership held by the account that I had deleted. In a simple recovery of a single user account, we do not have to take any further action at this point other than rebooting the server into normal mode.
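
    The command sequence behind the procedure above, as an added example that is not part of the original post (PowerShell, run elevated in Directory Services Restore Mode). It assumes English-language wbadmin output and a backup that is registered in the local backup catalog; the distinguished name is a constructed placeholder.

    ```powershell
    # Added example, not from the original post. Run elevated while booted into DSRM.
    # Assumption: wbadmin prints its English "Version identifier:" / "Can recover:" lines.

    function Get-SystemStateBackupVersion {
        # Return the version identifiers of backups that can recover System State.
        $found = @()
        $current = $null
        foreach ($line in (wbadmin get versions)) {
            if ($line -match '^\s*Version identifier:\s*(\S+)') {
                $current = $Matches[1]
            }
            elseif ($current -and $line -match '^\s*Can recover:.*System State') {
                $found += $current
                $current = $null
            }
        }
        $found
    }

    $versions = @(Get-SystemStateBackupVersion)
    if ($versions.Count -eq 0) {
        throw 'No backup that can recover System State was found in the catalog.'
    }
    $versions | ForEach-Object { Write-Host "System state backup available: $_" }

    # The backup must have been taken before the object was deleted or changed.
    $version = Read-Host 'Version identifier to restore'
    if ($versions -notcontains $version) {
        throw "Not a listed version identifier: $version"
    }

    # Step 1 of the post: restore the system state (wbadmin asks for confirmation).
    # The argument is quoted so PowerShell passes it to wbadmin as one token.
    wbadmin start systemstaterecovery "-version:$version"
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; do not continue."
    }

    # Step 2 of the post: mark the object before the server boots into normal mode.
    # Constructed placeholder DN; use the DN of the deleted account.
    $dn = 'CN=username,OU=organizational unit,DC=domain,DC=local'
    Write-Host 'Stay in DSRM. Start ntdsutil and enter these commands in order:'
    @(
        'activate instance ntds',
        'authoritative restore',
        "restore object `"$dn`"",
        'quit',
        'quit'
    ) | ForEach-Object { Write-Host "    $_" }
    # "restore object" marks only the named object; "restore subtree" would also
    # mark everything beneath the DN, which goes against the post's advice to
    # target only the object you need.
    ```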

    New for SBS 2011 Standard

    Windows 2008 R2 introduces a new feature called the AD Recycle Bin, which allows you to restore a deleted object in its entirety without having to go through the process I just talked about. This can save you quite a bit of time, but there are some caveats:

    • This is not enabled by default on SBS 2011 Standard.
    • To enable this feature, you must raise the forest functional level to Windows 2008 R2. This means you cannot have any domain controllers running Windows 2008 and earlier in the SBS domain.
    • There is no simple GUI interface for this feature. You have to go through either LDP.exe or PowerShell to use it.
    • This is not a replacement for system state backups. This is for recovering individual objects only, not the entire server.

    You can find a step-by-step walkthrough at the following link; it covers everything from raising the functional level to performing a restore: http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
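
    The Recycle Bin workflow described above, as an added PowerShell example (not from the original post or the linked walkthrough). It uses the ActiveDirectory module that ships with Windows Server 2008 R2; the account name jdoe is a constructed sample.

    ```powershell
    # Added example, not from the original post. Run elevated on the SBS 2011 server.
    Import-Module ActiveDirectory

    $forest = Get-ADForest

    # 1. The Recycle Bin requires the Windows Server 2008 R2 forest functional level.
    #    The level is not raised automatically here because it rules out older DCs.
    if ("$($forest.ForestMode)" -ne 'Windows2008R2Forest') {
        throw ("Forest mode is $($forest.ForestMode). Raise it first, for example: " +
               "Set-ADForestMode -Identity $($forest.Name) -ForestMode Windows2008R2Forest")
    }

    # 2. Enable the feature once per forest. Enabling cannot be reversed, so the
    #    cmdlet's own confirmation prompt is left in place.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature) {
        throw 'The Recycle Bin optional feature was not found in this forest.'
    }
    if (@($feature.EnabledScopes).Count -eq 0) {
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet -Target $forest.Name
    }

    # 3. Find the deleted account. Only objects deleted after the Recycle Bin was
    #    enabled keep all their attributes and can be restored this way.
    $sam = 'jdoe'   # constructed sample account name
    $filter = 'sAMAccountName -eq "{0}" -and isDeleted -eq $true' -f $sam
    $deleted = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                     -Properties lastKnownParent, whenChanged)

    if ($deleted.Count -ne 1) {
        # Zero or several candidates: show them and let the operator decide.
        $deleted | Format-Table Name, lastKnownParent, whenChanged -AutoSize
        throw "Expected exactly one deleted object for '$sam', found $($deleted.Count)."
    }

    # 4. Restore it to its last known parent container, then confirm that the
    #    account and its group memberships are back.
    $deleted[0] | Restore-ADObject
    Get-ADUser -Identity $sam -Properties MemberOf |
        Format-List DistinguishedName, Enabled, MemberOf
    ```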

  • The Official SBS Blog

    SBS 2011 Essentials Readies for Release


    [Today’s post comes to us courtesy of Michael Leworthy from Windows Server Marketing]

    Today, the Small Business Server (SBS) engineering team signed off the release version of SBS 2011 Essentials—an exciting milestone for the product, and for the entire SBS family. This now starts a process to make the product available for purchase and evaluation.

    Ideal as a first server for small businesses with up to 25 users, Windows Small Business Server 2011 Essentials provides a cost-effective and easy-to-use solution to help protect data, organize and access business information from virtually anywhere, support the applications needed to run a business, and quickly connect to online services for e-mail, collaboration and line-of-business applications.

    To help with questions we hear during this time of the product release cycle, I have provided further guidance below. If you have a specific question, please feel free to post in comments, on our SBS forums, or on our SBS Facebook site.

    • When can I purchase SBS 2011 Essentials?
      We expect SBS 2011 Essentials to be made available via all channels including VL starting May 1.
    • What languages is SBS 2011 Essentials available in?
      SBS 2011 Essentials will be released in 19 languages including Chinese (Simplified), Chinese (Traditional, Taiwan), Chinese (Hong Kong), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish, and Turkish.
    • When will OEMs offer SBS 2011 Essentials?
      Many OEMs and System Builders have already started building specific form factors and solutions based on SBS 2011 Essentials. We expect to start seeing them in the market starting May.
    • When will the Evaluation for SBS 2011 Essentials be made available?
      The evaluation for SBS 2011 Essentials will be released in early April.
    • When will I be able to download SBS 2011 Essentials via my TechNet or MSDN subscription?
      SBS 2011 Essentials will be made available on MSDN and TechNet also in early April.
    • When will I be able to download SBS 2011 Essentials via MAPs or MPN?
      Further information about MPN and MAPs availability will be released early April.
    • What is the difference between SBS 2011 Standard and SBS 2011 Essentials?
      You can learn more about this at the official SBS 2011 website, and on the SBS 2011 TechNet site.

    I would also like to thank all our MVPs, partners and customers that have helped us get to this point. I look forward to sharing more information with you in early April.

  • The Official SBS Blog

    Exchange Services May Not Start Automatically After a Reboot


    [Today's post comes to us courtesy of John Bay from Commercial Technical Support]

    On SBS 2008/2011 when you reboot the server, you may notice that some of the Exchange services that are set to automatic start are not started.

    Some of the services that may not be started are:

    • Microsoft Exchange Information Store
    • Microsoft Exchange RPC Client Access (SBS 2011 Server Only)
    • Microsoft Exchange Forms Based Authentication (SBS 2011 Server Only)

    If you attempt to manually start the services, the services should start correctly.

    The problem occurs in some environments when Exchange is installed on a Global Catalog. The Exchange Team has released a KB article that addresses the issue. The article has four methods to try to resolve the issue. In SBS environments, Method 1 is usually impractical. Methods 2 and 3 tend to work the best on an SBS server. Method 2 is the easiest to implement because you can use Microsoft Fix It to adjust the service dependencies for you. If your server experiences the problem of the Exchange services not starting automatically, we suggest you use the Fix It under Method 2 in the article to resolve the problem.

  • The Official SBS Blog

    Error 500 Attempting to Access OWA on SBS 2011 Standard


    [Today's post comes to us courtesy of Justin Crosby from Commercial Technical Support]

    Today we are going to discuss the first thing you should always check if you get an HTTP 500 error attempting to access OWA on an SBS 2011 server, after you have provided your credentials to the login form.


    In Exchange 2010 a new service has been introduced to handle forms based authentication (FBA). The service name is Microsoft Exchange Forms-Based Authentication service, MSExchangeFBA for short. If this service is stopped and you have FBA enabled, the default on SBS, you will get an error 500 attempting to access OWA. So if you receive this error please verify that the MSExchangeFBA service is started as your first step.

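
    A check for the condition described in this post and in the previous post about Exchange services not starting after a reboot, as an added PowerShell example (not from the original posts). It assumes the Exchange service names begin with MSExchange, as MSExchangeFBA does.

    ```powershell
    # Added example, not from the original posts. Run elevated on the SBS server.

    function Get-StoppedAutoExchangeService {
        # Win32_Service exposes the start mode, which Get-Service in
        # PowerShell 2.0 does not show.
        Get-WmiObject Win32_Service |
            Where-Object { $_.Name -like 'MSExchange*' -and
                           $_.StartMode -eq 'Auto' -and
                           $_.State -ne 'Running' }
    }

    $stopped = @(Get-StoppedAutoExchangeService)
    if ($stopped.Count -eq 0) {
        Write-Host 'Every Exchange service set to Automatic is running.'
    }
    else {
        foreach ($svc in $stopped) {
            Write-Host "$($svc.DisplayName) ($($svc.Name)) is $($svc.State); starting it."
            Start-Service -Name $svc.Name
        }

        # Report anything that still refuses to start so it can be investigated.
        $still = @(Get-StoppedAutoExchangeService)
        if ($still.Count -gt 0) {
            $still | Format-Table Name, DisplayName, State -AutoSize
        }

        # MSExchangeFBA is the service to confirm first after an OWA error 500.
        Get-Service MSExchangeFBA -ErrorAction SilentlyContinue |
            Format-Table Name, Status -AutoSize
    }
    ```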

  • The Official SBS Blog

    How to Configure Email Routing to SharePoint in SBS 2011 Standard


    [Today's post comes to us courtesy of Shawn Sullivan and Justin Crosby from Commercial Technical Support]

    Some of you who have worked with SBS 2011 so far may have noticed a change in how archived email for security groups is handled; for details see our previous post. SharePoint document libraries are no longer used for email storage; this job has now been given to Public Folders. As a result, the configuration necessary to allow the routing of email from Exchange to SharePoint is no longer done automatically for you during SBSSetup. However, it is possible to have this functionality on SBS 2011 as well; you just need to perform the configuration manually. This post will show you how and covers the following areas:

    • Enabling incoming email in SharePoint.
    • Creating a mail-enabled SharePoint document library. We will cover how to allow this library to receive email from unauthenticated users, which is critical if you want it to receive email from internet senders.
    • Configuring the mail drop directory and foreign connector for Exchange 2010.
    • Configuring a security group that will archive to the document library. We will cover how to allow this group to receive email from the internet.

    Note: The SBS 2011 Add Security Group wizard is hardcoded to give you the option to archive to a Public Folder only. It will remain this way even after following these steps. There is no way to change the wizard’s options.

     

    Enable incoming email in SharePoint

    Incoming email is not enabled in SharePoint 2010 running on SBS 2011 by default. You will need to enable it, choose the “Companyweb” SMTP namespace, and enter the path of the drop directory that the SharePoint Timer service will poll for incoming email:

    1. Go to Start > Microsoft SharePoint 2010 Products > SharePoint 2010 Central Administration
    2. On the left side of the window, select System Settings and choose Configure incoming e-mail settings.


      Note: You may receive a message stating that the IIS SMTP service is not installed on the server; this is normal. Do not install the IIS SMTP service.
    3. Under “e-mail settings” do the following:
      1. Select Yes to Enable sites on this server to receive e-mail
      2. Enter Companyweb under E-mail server display address:
      3. Enter c:\inetpub\mailroot\drop under E-mail drop folder:
      4. Leave the rest of the settings at default.

        Your configuration should look exactly like this:

    Create the document library

    You’ll need a place inside your Companyweb site to store the archived email that will have an email address for you to send to. To do this:

    1. Browse http://companyweb
    2. In the upper left-hand corner of the page, expand Site Actions and choose New Document Library.
    3. Give the library a name and an email alias of your choosing, then click Create.

    4. Your browser will be taken directly to the library, where you can further edit the email settings:
      1. Click on Library Tools > Library > Library Settings

      2. Click Incoming e-mail settings. Here you will find options for storing attachments, whether or not to save the original .EML in the library, and whether or not to bypass the default library security.

        Note: By default only members of Windows SBS SharePoint_MembersGroup and Windows SBS SharePoint_OwnersGroup have rights to send email to any library you create. You can override this setting at the library level; the library will then not perform a lookup of the sender against the groups and will accept e-mail from anyone. If you wish to do this, select Accept e-mail messages from any sender.


    Configure drop directory, foreign connector and remote domain

    Now we are ready to create the pieces that will physically connect Exchange and SharePoint as far as SMTP is concerned. Basically, Exchange will use the foreign connector to determine that email destined for the @Companyweb domain should be sent to the drop folder (c:\inetpub\mailroot\drop). SharePoint, on the other side, will pick the email up from this folder, read the recipient, and place the email into the document library that has the matching email address.

    1. Create the “c:\inetpub\mailroot\drop” folder and add FULL CONTROL permissions to NETWORK SERVICE and All Authenticated Users.
      IMPORTANT: If you do not add these permissions, Exchange will not have the right to place mail in the folder and SharePoint will not have the right to pick mail up out of the folder.
    2. Launch the Exchange 2010 Management shell as Administrator and run the following commands to create the foreign connector:
      1. Get-TransportServer | Set-TransportServer -RootDropDirectory c:\inetpub\mailroot\
      2. New-ForeignConnector -Name "CompanyWeb Connector" -AddressSpaces {smtp:companyweb;1}
      3. Set-ForeignConnector "CompanyWeb Connector" -DropDirectory Drop
      4. New-RemoteDomain -Name "Windows SBS Company Web Domain" -DomainName "companyweb"
      5. Set-RemoteDomain "Windows SBS Company Web Domain" -TNEFEnabled $false

    To begin testing this, you should be able to send an email to the document library by directly addressing it in OWA. Any mistakes made with the above steps will result in errors that are documented fairly well in the SharePoint Products Event Viewer log: Application and Services Logs > Microsoft > SharePoint Products > Shared > Operational.

    Archiving email to this library

    In order to route e-mail sent to a security group, you will have to create a contact for the SharePoint document library and add it as a member of the group. You can actually use either a distribution group or a security group here.

    In this example, we will create a contact for mylist@companyweb and add it to the new test distribution group. This group’s SMTP address will be derived from the e-mail address policy, which will allow it to receive e-mail from the internet. Unless you specify otherwise, no sender restrictions are placed on the group.

    1. From the same Exchange 2010 Management shell, run the following command to create the contact:
      New-MailContact -Name MyList -ExternalEmailAddress MyList@Companyweb
    2. Run the following to create the group while adding the contact as a member:
      New-DistributionGroup -Name Test -Members MyList@Companyweb

    If you wish to add the contact to an existing group, test2 for example:

    1. Run the following command to update the member list:
      Add-DistributionGroupMember -Identity Test2 -Member MyList@Companyweb
    2. You can check the email address of the group with the following command:
      Get-DistributionGroup Test2 | fl EmailAddresses, PrimarySMTPAddress
    3. You can check sender restrictions on the group:
      Get-DistributionGroup Test2 | fl *accept*,*reject*

    A group that does not have any restrictions will display the following output:

    [PS] C:\Windows\System32>Get-DistributionGroup test2 | fl *accept*,*reject*

    AcceptMessagesOnlyFrom                 : {}
    AcceptMessagesOnlyFromDLMembers        : {}
    AcceptMessagesOnlyFromSendersOrMembers : {}
    RejectMessagesFrom                     : {}
    RejectMessagesFromDLMembers            : {}
    RejectMessagesFromSendersOrMembers     : {}

    If you do see entries for these parameters that are not intentional, go to the Exchange Management Console > Recipient Configuration > Distribution Group > properties of the group in question > Mail Flow Settings > Message Delivery Options. Adjust the settings from there (it’s much easier than typing a potentially very lengthy command). One common mistake people make is unintentionally allowing the “Require that all senders are authenticated” option to be checked, which kills the ability of external senders to submit to this group. An example of a group that is not applying restrictions looks like this:

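
    A read-only check of the routing pieces configured above, and of which groups accept mail from unauthenticated senders, as an added example (not from the original post). Run it in the Exchange 2010 Management Shell; it assumes English built-in account names and that "All Authenticated Users" in the post means the Authenticated Users group.

    ```powershell
    # Added example, not from the original post. Read-only: it changes nothing.
    $dropRoot = 'c:\inetpub\mailroot'
    $dropPath = Join-Path $dropRoot 'Drop'
    $problems = @()

    # The transport server must use the root drop directory set with Set-TransportServer.
    foreach ($ts in @(Get-TransportServer)) {
        if ("$($ts.RootDropDirectory)".TrimEnd('\') -ne $dropRoot) {
            $problems += "RootDropDirectory on $($ts.Name) is '$($ts.RootDropDirectory)'"
        }
    }

    # The foreign connector must own the companyweb address space and point at Drop.
    $fc = Get-ForeignConnector 'CompanyWeb Connector' -ErrorAction SilentlyContinue
    if (-not $fc) {
        $problems += 'Foreign connector "CompanyWeb Connector" not found'
    }
    else {
        $spaces = ($fc.AddressSpaces | ForEach-Object { "$_" }) -join ' '
        if ($spaces -notmatch 'companyweb') {
            $problems += "Connector address spaces are '$spaces'"
        }
        if ("$($fc.DropDirectory)" -ne 'Drop') {
            $problems += "Connector DropDirectory is '$($fc.DropDirectory)'"
        }
    }

    # The remote domain must exist with TNEF disabled.
    $rd = Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq 'companyweb' }
    if (-not $rd) {
        $problems += 'Remote domain for companyweb not found'
    }
    elseif ($rd.TNEFEnabled -ne $false) {
        $problems += 'TNEFEnabled is not $false on the companyweb remote domain'
    }

    # Exchange writes to the drop folder and SharePoint reads from it.
    if (-not (Test-Path $dropPath)) {
        $problems += "$dropPath does not exist"
    }
    else {
        $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
        $aces = (Get-Acl $dropPath).Access
        foreach ($who in 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\Authenticated Users') {
            $hit = $aces | Where-Object {
                $_.IdentityReference.Value -eq $who -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $full) -eq $full
            }
            if (-not $hit) { $problems += "$who lacks Full Control on $dropPath" }
        }
    }

    if ($problems.Count -eq 0) { Write-Host 'Routing configuration matches the post.' }
    else { $problems | ForEach-Object { Write-Warning $_ } }

    # Groups that accept mail from unauthenticated (internet) senders. Review the
    # list so that only the groups meant to be reachable from outside appear in it.
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Format-Table Name, PrimarySmtpAddress -AutoSize
    ```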

    If attachments are missing from e-mail messages that are sent to a SharePoint Foundation 2010 document library, it might be because you associated the document library with an e-mail address. When you do this, Directory Management Service may not add the following two attributes:

    • internetEncoding = 1310720
    • mAPIRecipient = false

    You must use Active Directory Service Interfaces (ADSI) to manually add these two missing attributes.

    To add attributes by using ADSI Edit:

    1. Click Start, and then click Run.

    2. In the Run dialog box, type Adsiedit.msc, and then click OK.

    3. In the ADSI Edit window, expand ADSI Edit, expand Domain [DomainName], expand DC=DomainName, DC=com, CN=MyBusiness, CN=Users, and then CN=SBSUsers.

    4. Right-click the user name to which you want to add the missing attributes, and then click Properties.

    5. In the Properties dialog box, double-click internetEncoding on the Attribute Editor tab.

    6. In the Integer Attribute Editor dialog box, type 1310720 in the Value box, and then click OK.

    7. In the Properties dialog box, double-click mAPIRecipient on the Attribute Editor tab.

    8. In the Boolean Attribute Editor dialog box, click False, and then click OK two times.

  • The Official SBS Blog

    Get Windows Small Business Server 2011 Standard now!


    Today, we are proud to announce that Windows Small Business Server (SBS) 2011 Standard and Premium Add-On are now fully available through all channels - from Volume Licensing to our largest OEM partners.

    Microsoft has always been committed to supporting you and your business success. Our goal is to help you maximize the value of IT, even when your IT resources are stretched very thin—as is the case in organizations that have few IT professionals managing IT needs.

    In keeping with this commitment, we’re introducing Windows SBS 2011 Standard, which is one of the latest editions of our SBS family of products. This all-in-one solution is designed to address key customer pain points: SBS takes the benefits of enterprise-class technology and makes them accessible, affordable and less complex for small and medium businesses (SMBs).

    With this latest edition we have completely refreshed SBS Standard’s technologies and components. As a result, SBS 2011 Standard offers new, exciting features and technology solutions that will help SMBs reduce costs and increase productivity.

    Features like mobile device security, which makes sure security policies are enforced by default in SBS 2011; the easier migration to the new platform with enhanced migration tools, extensive pre-migration checks, and prescriptive guidance; and the streamlined Outlook Web Access interface included in Exchange Server 2010 are just a few examples of how, over the long term, Windows SBS 2011 Standard will help you grow your business.

    Early adopters have seen the ease-of-use and value of SBS 2011 Standard. Take Scott Starr, Marketing Director of Firetrace International, for example. He says, “With Windows Small Business Server 2011, it’s a lot easier for me as a non-technical person to understand how the server is doing and take care of daily administrative tasks without involving our Microsoft partner or chasing down my coworker. I’d say that it’s given me back about two hours a week that I can use to do more important things than manage servers.”

    To learn more about this product and how it can help your business, please visit the SBS 2011 Standard website. If you are interested in a trial version of the software, sign up here and discover why many customers and analysts are so passionate about it.

    Microsoft’s partners are also excited about SBS 2011. This week HP announced full availability of SBS 2011 Standard on the HP server platform. You can hear more about how SBS 2011 Standard and HP can be an important asset in increasing your business's productivity. Just tune in to one of our recent launch webcasts.

    Dell is another partner supporting SBS 2011. Make sure you don’t miss out on the live webcast next week, where you can learn how SBS 2011 and Dell can help you maximize return on your IT investment, improve employee productivity and ensure your data is protected. Register now!

    Act now and get SBS 2011 Standard to give your business all the advantages that come with it.

    Curtis Lee, Director, Server and Cloud Platform Marketing.
