[Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support]
If you wish to connect to your Exchange mailbox on SBS with a remote Outlook client, we recommend that you use Outlook Anywhere. However, if you choose to use POP3 or IMAP instead, use this post to determine which settings to select on the Outlook client for connectivity to these services. With these settings, connections for both submitting email to and retrieving email from the SBS server are encrypted, so no personal information is transmitted over the network in an insecure fashion. The complementary server-side configuration steps are found here:
http://blogs.technet.com/b/sbs/archive/2008/09/19/how-to-configure-sbs-2008-to-host-pop3-imap4.aspx
http://blogs.technet.com/b/sbs/archive/2008/09/18/how-to-configure-trusted-smtp-relay-in-exchange-on-sbs-2008.aspx
The key points to understand in this particular configuration are:
Note: We are demonstrating with Outlook 2010 in this post, but these settings need to be the same for any client software that you are using.
After selecting Internet E-mail for your new email account, you are presented with the screen where you choose either POP3 or IMAP for mail retrieval. Other than “Account Type”, much of the configuration will be identical between the two; for instance “Your Name”, “Email Address”, “Incoming mail server”, “Outgoing mail server (SMTP)”, “User Name”, and “Password”.
After completing this page select More Settings. For either client type, click the Outgoing server tab and choose Use same settings as my incoming mail server.
The settings will differ between client types after you select the Advanced tab. For POP3 clients you need to select This server requires an encrypted connection (SSL). Make sure the port changes to 995.
For IMAP clients, select SSL from the dropdown next to Use the following type of encrypted connection. Make sure the port changes to 993.
For either, enter 587 next to Outgoing server (SMTP) and choose TLS from the dropdown next to Use the following type of encrypted connection.
At this point you are ready to test account settings. If they fail, double-check the settings on both the server and the client. Also, make sure the client trusts the certificate presented by the server and that all the necessary ports are being forwarded properly through your firewall.
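The checks in the last paragraph can be run from the client side before opening Outlook. This is an added example, not part of the original post: it connects to ports 995 and 993 with TLS from the first byte and to port 587 with STARTTLS, then reports whether Windows trusts the certificate the server presents. The server name `remote.contoso.com` and the EHLO name are assumed placeholders.

```powershell
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP replies can span several lines ("250-..."); the last line has a space after the code.
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
    return $line
}

function Test-MailTls {
    param([string]$Server, [int]$Port, [switch]$StartTls)
    $state  = @{ PolicyErrors = 'NotChecked' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)          # throws if the port is closed or not forwarded
        $net = $client.GetStream()
        if ($StartTls) {                         # port 587: plain SMTP first, then upgrade to TLS
            $reader = New-Object System.IO.StreamReader($net)
            $writer = New-Object System.IO.StreamWriter($net)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            [void](Read-SmtpReply $reader)       # 220 greeting
            $writer.WriteLine('EHLO tls-check.example')   # constructed client name
            [void](Read-SmtpReply $reader)
            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply $reader
            if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }
        }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $policyErrors)
            $state.PolicyErrors = $policyErrors  # record the verdict, let the handshake finish
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($Server)       # name checked against the certificate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Port = $Port; Protocol = $ssl.SslProtocol; Subject = $cert.Subject
            NotAfter = $cert.NotAfter; PolicyErrors = $state.PolicyErrors
            Trusted = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    catch { New-Object PSObject -Property @{ Port = $Port; Error = $_.Exception.Message } }
    finally { $client.Close() }
}

$server = 'remote.contoso.com'                   # assumed placeholder for the SBS public name
Test-MailTls -Server $server -Port 995           # POP3 over SSL
Test-MailTls -Server $server -Port 993           # IMAP over SSL
Test-MailTls -Server $server -Port 587 -StartTls # SMTP submission with TLS
```

A `PolicyErrors` value of `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` means Outlook will also warn about, or reject, the certificate for that service.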
[Today's post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support]
In SBS 2008 and SBS 2011 Standard, a service called Windows SBS Manager is responsible for a number of tasks around monitoring, alert reporting and maintenance. This service relies on a SQL database running on a SQL Express instance called SBSMonitoring. Under certain circumstances the database may become unusable. When this happens you can experience behaviors like the SBS console crashing or incorrectly reporting the status of machines, and you might need to create a new, blank database to regain functionality. Since all the information collected is dynamic, creating a new database loses only the custom reports you may have created in the SBS Console, report customizations, and all the archived reports. After the database is recreated, it needs some time to contact all clients and report on their status. This time may vary, since clients may be offline, so we recommend waiting 48 hours before trying to validate the data.
To recreate the databases use these steps:
File C:\windows\temp\create-sbsmonitoringdb.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.
By default, SBS servers have the required script execution policy; this issue is usually related to the way the script was downloaded to the affected server. Open the properties of the downloaded script file in Windows Explorer and click the Unblock option.
[Today's post comes to us courtesy of Justin Crosby from Commercial Technical Support]
Today’s post is going to cover two commands you should always run when troubleshooting CompanyWeb (SharePoint) on SBS 2011 Standard. These two commands take less than a minute to run and will catch two of our most common CompanyWeb issues.
The commands must be run as an administrator from the SharePoint 2010 Management Shell. You can launch the shell from All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell.
From the shell you should first run:
Repair-SPManagedAccountDeployment
This command will return nothing if the SharePoint service accounts are synced with Active Directory. If you receive an error here please use the following blog post to fix it: http://blogs.technet.com/b/sbs/archive/2011/08/17/http-error-503-accessing-company-web-on-sbs-2011-standard.aspx
The second command you should run is:
(get-spserver $env:computername).NeedsUpgrade
If this command returns True, you must run PSCONFIG as described in the following blog post: http://blogs.technet.com/b/sbs/archive/2011/05/24/you-must-manually-run-psconfig-after-installing-sharepoint-2010-patches.aspx. If the command returns False, you will need to troubleshoot your SharePoint issue as normal.
[Today's post comes to us courtesy of Justin Crosby and Damian Leibaschoff from Commercial Technical Support]
If your SharePoint service account passwords ever become out-of-sync, you will have issues trying to access http://companyweb. The most common error you will see is “HTTP Error 503. The service is unavailable.” While this is the most common symptom, there are several others, depending on where you look and which account is out-of-sync. We have included many more symptoms toward the end of this post.
In SBS 2011, we use 3 different accounts to run Windows SharePoint Foundation. The accounts we use are spfarm, spsearch, and spwebapp. For security reasons the passwords on these accounts are periodically reset. SharePoint manages the spsearch and spwebapp accounts and the Windows SBS Manager service manages the spfarm account. All of these accounts can be found under MyBusiness > Users > SBS Users.
| Display Name | Logon Account |
| --- | --- |
| SharePoint Farm Account | spfarm |
| SharePoint Search Service Account | spsearch |
| Windows SBS Internal Web site Account | spwebapp |
The password for spfarm is reset every 7 days that the Windows SBS Manager service is running. The passwords for spsearch and spwebapp are reset on the first day of each month.
In addition to these passwords being stored in AD, they are also kept in the SharePoint configuration database and the services database. Due to this, the passwords can become out of sync. Passwords may get out of sync or expire due to the following causes:
Of all these possible causes, the most common is restoring a database that contains an old password.
To check if your passwords are in sync, run the SharePoint 2010 Management Shell as an administrator. From the PowerShell prompt, run Repair-SPManagedAccountDeployment. If one or more of the passwords is out-of-sync, it will return an error.
If you receive an error that your passwords are out of sync, perform the following steps for each out-of-sync account to resolve the issue.
If your passwords are out of sync you may receive one or more of the following errors:
Log Name: System Source: Microsoft-Windows-WAS Event ID: 5002 Level: Error Computer: server.domain.local Description: Application pool 'SBS Sharepoint AppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
Log Name: System Source: Microsoft-Windows-WAS Event ID: 5021 Level: Warning Computer: server.domain.local Description: The identity of application pool SBS Sharepoint AppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
Log Name: System Source: Microsoft-Windows-WAS Event ID: 5057 Level: Warning Computer: server.domain.local Description: Application pool SBS Sharepoint AppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
Log Name: Security Source: Microsoft-Windows-Security-Auditing Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure Computer: server.domain.local Description: An account failed to log on. Subject: Security ID: SYSTEM Account Name: SERVER$ Account Domain: domain Logon ID: 0x3e7 Logon Type: 4 Account For Which Logon Failed: Security ID: NULL SID Account Name: spwebapp Account Domain: domain Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a
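To look for the events listed above on a server, the following added example (not part of the original post) queries the System log for the WAS events and the Security log for failed logons of the three SharePoint accounts, then shows both side by side. The 7-day window is an assumption, and logon type 5 (service) is included alongside the type 4 shown in the sample event. Run it from an elevated PowerShell prompt, since the Security log requires administrator rights.

```powershell
# Accounts are the ones named on this page; the 7-day look-back is an assumption.
$accounts = 'spfarm', 'spsearch', 'spwebapp'
$since    = (Get-Date).AddDays(-7)

function ConvertTo-LogonFailure($Record) {
    # Named fields of a 4625 event are only available through its XML form.
    $data = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }
    New-Object PSObject -Property @{
        Time      = $Record.TimeCreated
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']    # 4 = batch (application pool), 5 = service
        SubStatus = $data['SubStatus']    # 0xc000006a in the sample event on this page
    }
}

# WAS 5002 / 5021 / 5057: application pool identity invalid, pool disabled.
$was = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'
        Id = 5002, 5021, 5057; StartTime = $since
    } -ErrorAction SilentlyContinue)

# Security 4625: keep only failures for the SharePoint accounts with logon type 4 or 5.
$failures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonFailure $_ } |
    Where-Object { ($accounts -contains $_.Account) -and (('4', '5') -contains $_.LogonType) })

# Failed logons grouped per account, logon type and sub status.
$failures | Group-Object Account, LogonType, SubStatus |
    Select-Object Count, Name | Format-Table -AutoSize

# WAS events in time order, to compare with the failure times.
$was | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize

if ($failures.Count -gt 0 -and $was.Count -gt 0) {
    'WAS application pool failures and rejected SharePoint account logons both present: check password sync.'
}
```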
The following services may fail to start with a logon failure:
9/9/2011: We have identified another cause of the 503 error and have detailed it here: http://blogs.technet.com/b/sbs/archive/2011/09/01/an-uncommon-reason-why-browsing-companyweb-may-fail-with-http-error-503-on-sbs-2011-standard.aspx.
[Today’s post comes to us courtesy of Enrico Toro, Senior Product Manager from Windows Server Marketing]
Today we are happy to announce that we have completed the Windows 7 Professional pack for Windows Small Business Server 2011 Essentials Add-In and starting Friday August 12th our customers will be able to download it through Microsoft’s Download Center.
One of small businesses’ most pressing needs and requests is advanced security of their IT infrastructure and, when Windows 7 Professional and Windows SBS 2011 Essentials work together, they offer our customers a cutting edge solution to help safeguard the security of their information and the control of their PCs.
The Windows 7 Pro Pack is a free add-in designed exclusively for Windows Small Business Server 2011 Essentials. It is easy to set up and manage, especially with limited IT skills and resources, and was designed to improve and further the interoperability between these two products, thus providing small organizations with a best of class solution for IT security and protection.
The Pro Pack can be quickly deployed in each Windows 7 Professional computer in the domain from the “Computers and Backup” tab in the Dashboard, and it allows administrators to deploy pre-configured security settings, folder redirection and offline files. The group policies apply to all SBS domain users running Windows 7 Professional or higher.
With the Windows 7 Professional Pack our customers can easily deploy pre-configured security settings across several different areas like allowing Windows Update to install the latest security patches and critical updates, using Windows Defender to protect against malware attacks and preventing users from exposing the network to attack by enforcing the use of Windows Firewall.
Many small business users are also used to working without a server and storing all their business critical and sensitive information on their local computers. This habit increases the risk of losing critical data, should the local computer be lost or should it suffer a critical hardware malfunction. While SBS 2011 Essentials provides full client backup out of the box, this solution may not meet the needs of mobile or laptop users who take their PCs out of the office. Client backup relies on having the PC on the local domain during the backup window (usually after business hours).
With folder redirection the Pro Pack helps small businesses protect the data stored on their client computers. Folder redirection is designed to allow users to continue working in the same way, saving their data in real time on their client computer, but reduces the risk of data loss by having the most important data on a particular computer automatically redirected, stored and protected on the server (when on the local domain). This way, even if the client computer is lost or suffers critical damage, it is still possible to access the latest set of data on the server when the client has not been backed up recently. Best of all, when users edit local data while away from the network, any small business can ensure that when the PC is back on the local network, updated information is immediately replicated to the server and protected.
If you would like to know more, you can find here a video that contains a complete demo of the Windows 7 Pro Pack and shows how easy it is to use.
So, if you are worried about your organization’s security, do not wait a second. Connect with one of our tens of thousands of partners worldwide and learn more in detail what Windows Small Business Server 2011 Essentials and Windows 7 Pro can, together, do for you.
Updated 8/12/2011: The Windows 7 Professional Pack for SBS Essentials is now available at: http://www.microsoft.com/download/en/details.aspx?id=27122
[Today's post comes to us courtesy of Justin Crosby and Wayne Gordon McIntyre from Commercial Technical Support]
Small Business Server 2011 Essentials provides a wizard that will enable you to purchase and install a trusted certificate through our partners GoDaddy and eNom. This blog post will cover the scenario where you already own a trusted certificate and want to re-use it instead of buying a new one. If your domain is not registered with GoDaddy or eNom, you can use the wizard to import the certificate by choosing the manual workflow option, which is described here: http://sbs.seandaniel.com/2011/06/how-to-manually-configure-sbs-2011.html.
The easiest method to import the certificate is to use the following PowerShell script. Download the ImportTrustedCertSBSE.ps1 script to a tools/temp folder and run it as an administrator from WssPowerShell.exe. This script requires that you have your certificate in .pfx form. You will be prompted for the certificate path and password.
Alternatively you can manually import the certificate using the following steps.
Note: If you are manually creating a request through IIS, follow the TechNet article below on making and completing the request in IIS. Once the certificate is installed, continue with the other steps to ensure the bindings are correct. Then follow steps 2 and 3.
For more information see: http://technet.microsoft.com/en-us/library/cc731977(WS.10).aspx
Step 1. Import Trusted certificate to local machine store.
Step 2. IIS Configuration
Step 3. RD Gateway Configuration
For more information please see: http://social.technet.microsoft.com/wiki/contents/articles/manually-install-existing-ssl-certificate-into-small-business-server-2011-essentials.aspx
Post Updated: 11/18/2011
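For Step 1 of the manual method, it helps to confirm that the .pfx actually contains a private key, is inside its validity period and chains to a trusted root before it goes into the local machine store. The following is an added example and is not the ImportTrustedCertSBSE.ps1 script mentioned above; the file path is an assumed placeholder. Run it from an elevated PowerShell prompt.

```powershell
function Test-PfxBeforeImport {
    param([string]$Path, [System.Security.SecureString]$Password)
    # MachineKeySet + PersistKeySet so the private key is usable by services after import.
    # Note: loading with these flags already writes the key to the machine key store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)

    # Build the chain with the default policy (includes an online revocation check).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $now     = Get-Date

    New-Object PSObject -Property @{
        Certificate   = $cert
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ChainOk       = $chainOk
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

$pfxPath  = 'C:\temp\certificate.pfx'            # assumed placeholder path
$password = Read-Host 'PFX password' -AsSecureString
$check    = Test-PfxBeforeImport -Path $pfxPath -Password $password

if ($check.HasPrivateKey -and $check.InValidity -and $check.ChainOk) {
    # Step 1: add the certificate to the local machine Personal (My) store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($check.Certificate)
    $store.Close()
    "Imported $($check.Subject); thumbprint $($check.Certificate.Thumbprint)"
}
else {
    # Do not import: show which check failed (missing key, expired, or untrusted chain).
    $check | Format-List Subject, HasPrivateKey, InValidity, ChainOk, ChainStatus
}
```

The thumbprint printed on success identifies the certificate to select when configuring the IIS and RD Gateway bindings in steps 2 and 3.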