[Today's post comes to us courtesy of David Copeland from Commercial Technical Support]

The September update for the WSSG BPA has now been released, adding 59 new rules.  Currently the total number of checks per SKU breaks down as (total of 107 total rules)

Small Business Server 2011 Standard Edition         102
Small Business Server 2011 Essentials                       78
Windows Storage Server 2008 R2 Essentials           30
Windows MultiPoint Server 2011                                5

You will be notified of the update in a couple of places.  If you have chosen to integrate the BPA into the SBS console during installation, the BPA will have a status of critical under the Security menu.  You will see this until the update is applied:

You will also see that “An update for the Windows Server Solutions BPA is available” in the systray when you launch the BPA.  You need to click this notification to install the update:

The model for the WSSG BPA has been updated with new rules including:

Small Business Server 2011 Standard Edition

• CACertNameCheck9Section - The name of your certification authority contains one or more periods, or includes either the word "remote" or "mail."
• CheckOrigName9Section - The value set for the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
• CheckOrigName10Section - The value set for the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
• ExchangeSPSection - The server is running the original release of Exchange Server 2010. However, Exchange Server 2010 Service Pack 1 (SP1) is now available.
• JournalEventExist9Section - The server is in a journal wrap condition.
• RPCExtAuthSection - Exchange Server 2010 is not set to use the default method for external authentication
• RPCIntAuthSection - Exchange Server 2010 is not set to use the default method for internal authentication.
• OSRTMSection - This server is running the original release of Windows Server 2008 R2. However, Service Pack 1 for Windows Server 2008 R2 is available.
• SMTPInstalledSection - The Simple Mail Transfer Protocol (SMTP) service is installed.
• EmptyServersContainerSection - One or more Servers containers in your Exchange organization are empty.
• AcceptedDomainSection - The name of the default accepted domain contains one or more spaces.
• SharepointAppPoolIdentitySection - The SBS SharePoint AppPool application pool is not running with the default account.
• SharepointAppPoolFrameworkSection - The SBS SharePoint AppPool application pool is not running with the default .NET Framework version.
• SharepointAppPoolPipelineSection - The SBS SharePoint AppPool application pool is not running with the default Managed Pipeline Mode.
• SharepointAppPoolBitnessSection - The SBS SharePoint AppPool application pool is not running with the default Bitness level.
• RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level
• RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode
• RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
• RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.
• WebGardensSection - The number of Maximum Worker Processes for the DefaultAppPool Application Pool is not set to the default value of 1.
• WarningDiskSpaceVeryLowSection - One or more volumes has less than 20% of free space available.
• SysvolSection - The Sysvol share does not exist
• RDPPortSection - The PortNumber registry key for the Terminal Server port has been changed.
• SysvolRdySection - The value of the SysvolReady registry key is not equal to 1. This indicates that there is a problem with the domain.
• PingDCFailsSection - This server cannot ping one or more domain controllers.
• OldRootVerSection - The value of the RootVer registry key for .NET Framework may be incorrect.
• NotSchemaMasterSection - This server running Windows SBS is not the Schema Master.
• NotSBSDNSSection - The DNS client is not configured to point only to the internal IP address of the server.
• NotRIDMasterSection - This server running Windows SBS is not the RID Master.
• NotPreWin2Section - The Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group.
• NotPDCMasterSection - This server running Windows SBS is not the Primary Domain Controller Master.
• NotInfraMasterSection - This server running Windows SBS is not the Infrastructure Master.
• NotDomMasterSection - This server running Windows SBS is not the Domain Naming Master.
• NoNSRecs3Section - There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.
• NoNSRecs2Section - There are no DNS name server (NS) resource records in the _msdcs zone for Windows SBS 2011 (for example: _msdcs.contoso.local).
• NoNSRecsSection - There are no DNS name server (NS) resource records in the forward lookup zone for Windows SBS 2011.
• NoDefaultDomainPolicySection - The Default Domain Policy group policy is missing.
• MaxCacheTTLSection - The DNS parameter MaxCacheTTL is not set.
• LeftSrcSvrinOUSection - The Source Server that is running Windows SBS still exists in Active Directory Users and Computers in the MyBusiness/Computers/SBSComputers organizational unit.
• LeftSrcSvrSection - The source server that is running Windows SBS still exists in Active Directory Sites and Services in the Default-First-Site-Name.
• IsSchemaMasterSection - This server running Windows SBS is the Schema Master.
• IsRIDMasterSection - This server running Windows SBS is the Relative ID (RID) Master.
• IsPDCMasterSection - This server running Windows SBS is the Primary Domain Controller Master.
• IsInfraMasterSection - This server running Windows SBS is the Infrastructure Master.
• IsDomMasterSection - This server running Windows SBS is the Domain Naming Master.
• IEHardenUsersSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Users group.
• IEHardenAdminSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Administrators group.
• ForwardDNSAllowUpdatesMSDCSSection - You should configure the forward lookup zone for the _msdcs.* zone to allow only secure dynamic updates
• ForwardDNSAllowUpdatesSection - You should configure the forward lookup zone to allow only secure dynamic updates.
• EDNSEnabledSection - Some routers and firewall devices do not support EDNS. You should disable EDNS on this server. To disable EDNS, from a command prompt, type dnscmd /Config /EnableEdnsProbes 0, and then restart the DNS Server service.
• DNSTimeOutsSection - The value of the DNS ForwardingTimeout registry key should not be the same as the value of the RecursionTimeout registry key.
• DNSRegEnabledSection - The internal network adapter is not configured to register its IP address in DNS.
• DNSAforInternalSection - The host (A) resource record points to an incorrect IP address.
• CheckFirewallSection - Windows Firewall is turned on in the default installation of Windows Small Business Server.
• CheckAdminSection - The built-in Administrators group does not have the right to log on as a batch job.
• PowershellAppPoolBitnessSection - The MSExchangePowerShellAppPool application pool is not running with the default Bitness level
• PowershellAppPoolPipelineSection - The MSExchangePowerShellAppPool application pool is not running with the default Managed Pipeline Mode.
• PowershellAppPoolFrameworkSection - The MSExchangePowerShellAppPool application pool is not running with the default .NET Framework version
• PowershellAppPoolIdentitySection - The MSExchangePowerShellAppPool application pool is not running with the default account.
• CheckAdminSection - The built-in Administrators group does not have the right to log on as a batch job.
• CheckFirewallSection - Windows Firewall is turned on in the default installation of Windows Small Business Server.
• DNSAforInternalSection - The host (A) resource record points to an incorrect IP address
• DNSRegEnabledSection - The internal network adapter is not configured to register its IP address in DNS.
• DNSTimeOutsSection - The value of the DNS ForwardingTimeout registry key should not be the same as the value of the RecursionTimeout registry key.
• EDNSEnabledSection - Some routers and firewall devices do not support EDNS. You should disable EDNS on this server. To disable EDNS, from a command prompt, type dnscmd /Config /EnableEdnsProbes 0, and then restart the DNS Server service.
• ForwardDNSAllowUpdatesSection - You should configure the forward lookup zone to allow only secure dynamic updates.
• ForwardDNSAllowUpdatesMSDCSSection - You should configure the forward lookup zone for the _msdcs.* zone to allow only secure dynamic updates.
• IEHardenAdminSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Administrators group.
• IEHardenUsersSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Users group.
• IsDomMasterSection - This server running Windows SBS is the Domain Naming Master.
• IsInfraMasterSection - This server running Windows SBS is the Infrastructure Master.
• IsRIDMasterSection - This server running Windows SBS is the Relative ID (RID) Master.
• IsPDCMasterSection - This server running Windows SBS is the Primary Domain Controller Master.
• IsSchemaMasterSection - This server running Windows SBS is the Schema Master.
• LeftSrcSvrSection - The source server that is running Windows SBS still exists in Active Directory Sites and Services in the Default-First-Site-Name.
• LeftSrcSvrinOUSection - The Source Server that is running Windows SBS still exists in Active Directory Users and Computers in the MyBusiness/Computers/SBSComputers organizational unit
• MaxCacheTTLSection - The DNS parameter MaxCacheTTL is not set.
• NoDefaultDomainPolicySection - The Default Domain Policy group policy is missing.
• NoNSRecsSection - There are no DNS name server (NS) resource records in the forward lookup zone for Windows SBS 2011.
• NoNSRecs2Section - There are no DNS name server (NS) resource records in the _msdcs zone for Windows SBS 2011 (for example: _msdcs.contoso.local).
• NoNSRecs3Section - There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.
• NotDomMasterSection - This server running Windows SBS is not the Domain Naming Master.
• NotInfraMasterSection - This server running Windows SBS is not the Infrastructure Master.
• NotPDCMasterSection - This server running Windows SBS is not the Primary Domain Controller Master.

Small Business Server 2011 Essentials

• NotRIDMasterSection - This server running Windows SBS is not the RID Master.
• NotSBSDNSSection - The DNS client is not configured to point only to the internal IP address of the server.
• NotSchemaMasterSection - This server running Windows SBS is not the Schema Master.
• OldRootVerSection - The value of the RootVer registry key for .NET Framework may be incorrect.
• PingDCFailsSection - This server cannot ping one or more domain controllers.
• RDPPortSection - The PortNumber registry key for the Terminal Server port has been changed.
• SysvolRdySection - The value of the SysvolReady registry key is not equal to 1. This indicates that there is a problem with the domain.
• SysvolSection - The Sysvol share does not exist
• WarningDiskSpaceVeryLowSection - One or more volumes has less than 20% of free space available.
• WebGardensSection - The number of Maximum Worker Processes for the DefaultAppPool Application Pool is not set to the default value of 1.
• NotPreWin2Section - The Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group.
• RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level
• RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode.
• RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
• RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.

Windows Storage Server 2008 R2 Essentials

• RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level
• RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode.
• RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
• RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.

Things to check if not getting the update offered:

• You need to be opt-in for Microsoft Update:
  Launch Windows Update and select the option to check online for updates from Windows update.
  Then click the option for "Get updates for other Microsoft products" and complete the process to opt-in.
  
  
  
  
  
  
  
  After completing this process, it might take 10-15 minutes before the initial synchronization completes. Launch the BPA after that time and the update should be detected.
• Verify that the following registry key is set to 1:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsServerSolutions\BPA\Update
• Verify that you are running the Windows Server Solutions BPA and not the retired Small Business Server 2011 BPA.

[Today’s post comes to us courtesy of Moloy Tandon and Wayne Gordon McIntyre from Commercial Technical Support]

By default Small Business Server 2011 Essentials does not install the DHCP Server role and DHCP duties are handled by your router. In some cases you may want to have the SBS 2011 Essentials server be the DHCP server instead of your router. To do so, first, you need to assign a static IP address to the server's network card. Installing the DHCP Server role without a static IP address is not recommended.

To find out your current TCP/IP settings, launch an elevated command prompt and run the command ipconfig, and make a note of the IPv4 address, Subnet Mask and Default Gateway.

Launch ncpa.cpl from the run menu or an elevated cmd prompt, which will load the Network Connections control panel. Right click on your network card and select Properties which will bring up the following screen as shown below.

Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties

You will want to enter an IP address within the same network range as noted earlier (e.g 192.168.15.2). Additionally, add the exact same subnet mask and default gateway that was identified earlier when running ipconfig, and lastly enter the IP address of the server as the preferred DNS server and then click Ok and then Close.

To install the DHCP Server role on SBS 2011 Essentials follow these steps:

1. Launch Server Manager
2. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
3. In Before You Begin, click Next.
4. In Select Server Roles, in Roles, select DHCP Server, and then click Next.
5. In DHCP Server, click Next.
6. In Select Network Connection Bindings, in Network Connections, select the IP addresses that are connected to the subnets for which you want to provide DHCP service, and then click Next.
7. In Specify IPv4 DNS Server Settings, in Parent Domain, verify that the name of the DNS domain that clients use for name resolution is correct.
8. In Preferred DNS Server IPv4 Address, ensure that the IP address matches the IP address of the SBS 2011 Essentials server, and then click Validate. In Alternate DNS Server IPv4 Address, leave it blank and then click Next.
9. In Specify IPv4 WINS Server Settings, select WINS is not required for applications on this network, and then click Next.
10. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.
11. In the Add Scope dialog box, type values for all required items. You should specify a starting IP address and ending IP address that does not conflict with your static IP assignments. Also ensuring the range is large enough to accommodate the number of devices on your network. The Subnet mask should match the subnet mask of the server, and the Default gateway will be the IP address of your router. Check Activate this scope, and then click OK. This returns you to the Add or Edit DHCP Scopes page and click Next. Sample screenshot below.
    
12. In Configure DHCPv6 Stateless Mode, select Disable DHCPv6 stateless mode for this server, and then click Next.
13. In Authorize DHCP Server, select Use current credentials to authorize the DHCP server in Active Directory Domain Services (AD DS) using the credentials supplied for the current session click Next.
14. In Confirm Installation Selections, review your selections, and then click Install.

Once you have successfully installed and configured the DHCP Server role on SBS 2011 Essentials, you need to turn off DHCP on the router. To do this, follow the instruction manual that came with the router. Next, you need to renew the IP address on the clients. To do this, launch an elevated command prompt on the workstation and run ipconfig/release && ipconfig/renew.

Lastly, you may want to stop and disable the Windows Server LAN Configuration service on the client machines since its function is no longer required. To know more about this service, check out this great blog post from Sean Daniel: The Basics of Local DNS for Small Business Server 2011 Essentials

[Today’s post comes to us courtesy David Fabritius from Windows Server Marketing]

Last year we introduced the Windows Small Business Server 2011 Premium Add-On, which offers a more flexible solution to our customers’ needs for running line-of-business (LOB) applications and other workloads. Today we are happy to announce that starting September 15, 2011, we have pushed that flexibility even further: you may now use the SBS 2011 Premium Add-On in SBS 2008 environments! The SBS 2011 Premium Add-On includes an additional license for Windows Server 2008 R2 Standard, which allows you to deploy another server in your SBS 2011 or SBS 2008 network, and SQL Server 2008 R2 for Small Business, which contains a range of features that can help businesses maximize the value of their information with greater capabilities in development, manageability, business intelligence, and data warehousing. SQL Server 2008 R2 for Small Business has exactly the same capabilities as SQL Server 2008 R2 Standard, however it is only available to use in SBS 2011 and SBS 2008 environments.

Starting today our customers who have SBS 2008 Standard but need the additional functionality of the SBS 2011 Premium Add-On to improve the way they run their businesses can take advantage of this opportunity to add premium functionality without fully upgrading to SBS 2011. And customers who already have SBS 2008 Premium can add an additional SBS 2011 Premium Add-On server to their network should that need arise.

Deploying the SBS 2011 Premium Add-On in an SBS 2008 environment requires an additional SBS 2011 CAL Suite for each user that connects to the SBS 2011 Premium Add-on server. Also note that the total number of SBS 2011 Premium Add-on CALs must not exceed 25 for SBS 2011 Essentials environments and 75 for SBS 2011 Standard or SBS 2008 environments.

For more information, please visit http://www.microsoft.com/sbs.

[Today’s post comes to us courtesy of Damian Leibaschoff and Justin Crosby from Commercial Technical Support]

Issue Description and Symptoms:

Last Tuesday (9/13/2011), KB2494001 “MS11-074: Description of the security update for Microsoft SharePoint Foundation 2010: September 13, 2011” was released to Microsoft Update.

By default, the update will be automatically approved for installation on SBS 2011 Standard. However it will still require administrative action to be installed.

As with all SharePoint Foundation 2010 updates, you must complete the update process by running psconfig after the update is installed. If your server is not yet running SP1 for Windows SharePoint Foundation and you do not run psconfig after installing this update you may encounter the issues described in http://blogs.technet.com/b/sbs/archive/2011/07/06/potential-issues-after-installing-sharepoint-foundation-2010-sp1.aspx. The most common issue is that SBS backups start failing.

The symptoms and behavior are described here in more detail:

• 2580174: Receiving SharePoint Health Analyzer alerts in SBS 2011 Standard
• http://blogs.technet.com/b/sbs/archive/2011/07/06/potential-issues-after-installing-sharepoint-foundation-2010-sp1.aspx
• http://blogs.technet.com/b/sbs/archive/2011/05/24/you-must-manually-run-psconfig-after-installing-sharepoint-2010-patches.aspx

Resolution:

To resolve this issue you must run psconfig as described in this blog:

1. Open an Administrative command prompt.
2. Change directory to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN
3. Run PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures

SBS 2011 Standard UR1 Improvement:

Since Windows SharePoint Foundation 2011, included in SBS 2011 Standard, is the first version that requires psconfig to be launched manually we expect that this is an issue that will linger for the foreseeable future.

To address this issue we have introduced a new feature in SBS 2011 UR1. SBS 2011 Standard Rollup Update 1 was released yesterday (9/15/2011) and when installed, it adds warnings in the console and the desktop that will help identify this situation and provide documentation on how to recover.

After installing the rollup, a new scheduled task will be created; this task is set to run every day at 1:15am.

This task scans the event logs to see if the SharePoint Health Monitor that is scheduled to run at 12:00am has detected a situation that requires the databases to be upgraded using psconfig.

When the issue is detected, a Domain Wide group policy that is created by the UR is enabled to show the message on logon to any Domain Admin login on to any domain workstation. When is no longer detected, the User configuration settings are disabled.

When the issue is active, this is what a domain administrator will see when logging on:

Note: this message will only be cleared after the issue is resolved and the schedule task runs again that night. If needed, you can re-run the scheduled task in Task Manager, under Microsoft\Windows\Windows Small Business Server 2011 Standard.

The task writes a log called WSSPsconfigurationNotification.log in C:\Program Files\Windows Small Business Server\logs.

We also have the more traditional console alert, if configured, an email will be sent when this alert is detected.

The alerts point to Kb2580174 Receiving SharePoint Health Analyzer alerts in SBS 2011 Standard

[Today’s post comes to us courtesy of Justin Crosby from Commercial Technical Support]

Windows Small Business Server 2011 Standard Update Rollup 1 has been released and is available for download. You can read about the issues this rollup addresses in KB2555251. Windows Small Business Server 2011 Standard UR1 can be installed via Microsoft Update or WSUS.  We will be discussing some of the changes in more depth in upcoming blog posts.

More Information

• http://support.microsoft.com/kb/2555251

[Today’s post comes to us courtesy of Gagan Mehra from Commercial Technical Support]

Windows Small Business Server 2011 Essentials Update Rollup 1 has been released and is available for download.  You can read about the issues this rollup addresses in KB2554629.  Windows Small Business Server 2011 Essentials UR1 can be installed via Microsoft Update. 

In addition to the sever-side update KB2554629, a second client-side update has been released.  This update is documented in KB2554657.   You can use Microsoft Update to install this on each of your SBS 2011 Essential client machines.  The client-side update supports Windows XP SP2 and later.

More Information

• http://support.microsoft.com/kb/2554629
• http://support.microsoft.com/kb/2554637