[Today's post comes to us courtesy of Damian Leibaschoff, Justin Crosby and Chris Puckett]

You may notice an issue where the Windows Update (WUAUSERV) service will be spiking one of the logical CPUs on servers running Exchange 2007 with automatic anti-spam updates turned on. This will include any SBS 2008 installation where Forefront for Exchange was installed as part of the setup.  Please note that the service displayed will by SVCHOST, since WUASERV runs inside SVCHOST.EXE.

Read rest of the post here:

http://blogs.technet.com/sbs/archive/2009/04/25/svchost-may-spike-the-cpu.aspx

This method can only be used with self assigned certs (To request certificate from an Internal MS CA) and not with 3rd party certs. To get SAN for a 3rd party cert contact the vendor. (We can use the same .req file to request 3rd party SAN certificate).

There may be certain situation where we may need SAN Certs. example; Entourage 2008 prompting for SSL while configured with Exchange 2007.
Entourage 2008 utilizes web services if its connecting to an Exchange 2007 CAS with Service Pack 1 installed. This communication happens over port 80 (without SSL) or 443 (with SSL) as per the server side configuration. This content does not cover the configuration on Entourage part.

You may refer to the following links which gives some basics information;
http://www.microsoft.com/mac/itpros/default.mspx?clr=99-15-0&srcid=ba6801bf-4fda-4359-bbf8-531245df76811033&ep=9&target=d41b4196-4321-48f7-9900-cbf678ac819c1033
http://blogs.technet.com/amir/archive/2008/02/08/how-does-entourage-work.aspx
https://technet.microsoft.com/en-us/library/bb124251.aspx

There maybe more resources and it would probably help if you could email them to me via my blog. I’d be more than happy to update this post with them.

How to configure a CA to accept a SAN attribute from a certificate request:

By default, a CA that is configured on a SBS 2008 based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc && net start certsvc

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

To use the Certreq.exe utility to create and submit a certificate request, follow these steps:

Create an .inf file that specifies the settings for the certificate request. You can use the following sample code to create an .inf file.

=================================================
[Version]
Signature="$Windows NT$

[NewRequest]
Subject = "CN=remote.contoso.local"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
SAN="dns=autodiscover.contoso.local&dns=remote.contoso.local&dns=servername&dns=contoso.local&dns=servername.contoso.local&dns=contoso.com"
==================================================

Ø Save the file as Request.inf.
Ø You can add more SANs simply by adding &dns= between the quotes.
Ø Open a command prompt.
Ø At the command prompt, type the following command, and then press ENTER:

certreq -new request.inf certnew.req

This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

Ø You can check if the request has been created successfully by running the following command.
Certutil -dump certnew.req

Ø To submit the request,
Ø At the command prompt, type the following command, and then press ENTER:
certreq -submit certnew.req certnew.cer

Ø You will see a prompt asking you to select the certificate authority and since we only have one, you can click ok.
Ø Once you click ok, you will be asked to save it.
Ø Open MMC, Add Certificates (Local Computer), Expand Personal, Right click on Certificate and import the cert.
Ø Once done, double click the cert. and then go to the 'Details' tab.
Ø There, click on Subject Alternative Name and check if the desired SANs are there.
Ø Also make a note of the Thumbprint, we will need this to import the cert to appropriate exchange service.
Ø Now you need to assign this certificate to appropriate exchange services.
Ø From Exchange Command Shell type,

Get-ExchangeCertificates.

Ø Copy the thumbprint of the cert you want to import.
Ø Now run the following command to import.

Enable-ExchangeCertificate -thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"

Ø In the above command replace the <certificate-thumbprint> with the one in clipboard.

Once done, you can check from ISS or by browsing any of the websites to ensure the right certificate is visible.

Reference KB
KB 931351 How to add a Subject Alternative Name to a secure LDAP certificate
http://support.microsoft.com/kb/931351

Thanks to Ashish, Suren and Pradeep for their inputs.

To help our customers become more secure and up-to-date, Microsoft will distribute Windows Internet Explorer 8 as a high-priority update through Automatic Updates for Windows XP Service Pack 2 (SP2) and higher, Windows XP Professional x64 Edition, Windows Server 2003 SP2 for x64 and x86, Windows Vista for x64 and x86, Windows Vista SP1 for x64 and x86, and Windows Server 2008 for x64 and x86. This Blocker Toolkit is intended for organizations that would like to block automatic delivery of Internet Explorer 8 to machines in environments where Automatic Updates is enabled. The Blocker Toolkit will not expire.

Download: Toolkit to Disable Automatic Delivery of Internet Explorer 8.
Note:

• For computers running Windows XP or Windows Server 2003, the Blocker Toolkit prevents the machine from receiving Internet Explorer 8 as a high-priority update via Automatic Updates and the Express install option on the Windows Update and Microsoft Update sites; Internet Explorer 8 will be listed as an optional update with the Custom install option.
• For computers running Windows Vista or Windows Server 2008, the Blocker Toolkit prevents the machine from receiving Internet Explorer 8 as an important update via Automatic Updates on the Windows Update and Microsoft Update sites; Internet Explorer 8 will be listed as an optional update.
• The Blocker Toolkit will not prevent users from manually installing Internet Explorer 8 as a Recommended update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center, or from external media.
• Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 8, within their environment.
• If you used the Blocker Toolkit to block Internet Explorer 7 from being installed as a high-priority update, you need to use the Internet Explorer 8 version of the Blocker Toolkit to block Internet Explorer 8 from being installed. There are different registry keys used to block or unblock automatic delivery of Internet Explorer 7 and Internet Explorer 8.

There have been a couple of KBs around knows issues with Symantec End Point Security 11 like:

You may experience various problems when you work with files over the network on a Windows Server 2003-based or Windows 2000 Server-based computer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;923360

And
You experience slow file server performance and delays occur when you work with files that are located on a file server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;822219

I also blogged about long time ago here.

Now there is one more KB regarding the same;

Unable to access Shares "The specified network name is no longer available".
http://support.microsoft.com/kb/961293

Here are couple of heads up;

The link in that KB, http://www.symantec.com/business/support/endpointsecurity/sep11_faq_customer-installations-issues-with-resolutions_int_112007%20partner(3)).pdf 
is dead!

Here is the right link:
Symantec Endpoint Protection 11.0—Customer Installation Issues with Resolutions
http://www.symantec.com/business/support/endpointsecurity/customer_installations_issues_with_resolutions_int_112007_partner.pdf
(This might change again, since Symantec would keep updating it. Simply search for “Symantec Endpoint Protection 11.0—Customer Installation Issues with Resolutions” to get the latest link.)

Secondly the KB does not talk about MR3 update, it talks about MR1. And IMHO, before you uninstall Symantec End Point Security 11, try installing MR3 update and it may resolve all know issues. You could also try disabling it to identify if it is the cause.

Let’s not uninstall an investment in these difficult times…

This is probably my first and hopefully the last rant however if you feel the same about Apple updates as I do then read ahead. I’ve always hated companies trying to push additional software along with their software, like Google toolbar with Adobe flash. Just an example. Microsoft has also been accused of such acts however Apple goes beyond all this and shamelessly pushes additional software, which I find no logical reason to have on my PC, along with updates.

Now, all I’ve installed on my PC is iTunes and QuickTime but the Apple Software Update tells me there are new software available as well. Why should I install them?

I wish I had looked more earlier however tonight I decided that I would make sure I don’t see these again. If you look closer on the tools option on the top you’ll see an option to ‘Ignore Selected Updates’. Select the updates that you want to ignore and then click on this option. Hope fully Steve won’t bug you again!

The SBS UA team is pleased to announce that the following document is now available in the Windows Small Business Server Technical Library.

Title: Using Hyper-V with Windows Small Business Server 2008

URL:  http://technet.microsoft.com/en-us/library/dd239207.aspx

This document provides an overview of the use of virtualization in a Windows® Small Business Server 2008 (Windows SBS 2008) environment, and discusses scenarios in which Windows SBS 2008 supports the Hyper-V technology.

So here is my first look at IE 8 and I am impressed! The installation is simple and the customization is in two simple steps.

Some features that are really cool…

Accelerators are cool add-on's that help you do things..with just a couple of clicks. Take a look at how you can know where to go…

Simply highlight the address and use the Map accelerator to locate it.

Compatibility View assures you that you can still browse web sites that are not IE8 ready!

Check out the new facebook site;
Before ‘Compatibility View’;

After ‘Compatibility View’;

Private Browsing, aka Porn mode for obvious reasons, is another new thing in IE8.

InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This includes cookies, temporary Internet files, history, and other data.

InPrivate Blocking helps prevent the websites you go to from automatically sharing details about your visit with other websites. To help protect your privacy, some website content might be blocked.

Now remember that the product is still in beta so it may crash and hang but it recovers quite fast! ;)

There are more new features that make IE8 better that the rest. Try it out and see it yourself.

On Wednesday, September 24^th, Mark Russinovich will host a virtual roundtable for IT pros worldwide to  explore top of mind performance issues, common misconfigurations, and tips on how to fix them. From boot times and applets to disk performance and battery life, this is chance for IT pros to find out how to optimize Windows Vista and what they can do to improve overall system performance.

As part of the “virtual” experience, IT pros will be able to submit their questions about performance and optimization to the panel live during the event—or submit questions in advance to vrtable@microsoft.com.

Add it to your Calendar!

Springboard Series Virtual Roundtable
Under the Hood: Windows Vista Performance...Need Answers?
Join Mark Russinovich and a panel of industry experts for a LIVE virtual roundtable to explore your top of mind performance issues, common misconfigurations, and tips on how to fix them. From boot times and applets to disk performance and battery life, find out how to optimize Windows Vista and what you can do to improve overall system performance. 

Submit your performance questions live during the event or send them in advance to vrtable@microsoft.com.

Save the date!
Wednesday, September 24, 2008
9:00am Pacific Standard Time

Find answers to your Windows Vista adoption questions with resources, tools, monthly straight-talk articles, and upfront guidance based on early adopter and community feedback. To learn more, visit www.microsoft.com/springboard,

Springboard Series: The resource for Windows desktop IT professionals

I love this little utility from Sysinternals.

Desktops v1.0

By Mark Russinovich and Bryce Cogswell

Published: August 21, 2008

Introduction

Desktops allows you to organize your applications on up to four virtual desktops. Read email on one, browse the web on the second, and do work in your productivity software on the third, without the clutter of the windows you’re not using. After you configure hotkeys for switching desktops, you can create and switch desktops either by clicking on the tray icon to open a desktop preview and switching window, or by using the hotkeys.

Now you can IM me from my blog. Drop in and ask me a question or just say hi!

Talk to you soon!

The day I never wanted to see is closing!

End of sale does not mean end of support. Read more on;

Curious George on TechNet and more...: Windows XP end of sales date is 30th June 2008 - so what does that actually mean?

Join Microsoft Technical Fellow Mark Russinovich and a panel of IT professionals and security MVP’s as they discuss Windows Vista deployment, security configurations, challenges and real-world solutions. Ask your questions live during the event or email them in advance to vrtable@microsoft.com.

Register today to join the discussion in June. This event will be broadcast live on this site, at 9:00am Pacific Standard Time, June 18, 2008, available on demand shortly after its conclusion.

Rest of the details and registration on: Springboard Registration and Login.

Disclaimer: This is not a Microsoft recommended step nor is it a whitepaper. This is simply my attempt to learn.

Ubuntu needs no introduction nor does SBS. :)

What do you need?

> SBS 2003 SP2.
> Ubuntu 8.04, Updated!

Ensure Network Connectivity:

After you install Ubuntu 8.04, ensure that you have network connectivity and you have Internet connection. Check for updates, using Update Manager and install all the updates.

On SBS, you don’t really need to do anything however you could add a host record in DNS for the Ubuntu machine.

On Ubuntu 8.04, open Terminal window and type the following commands;

ping servername.domain.local
and
ping servername
and
ping domain.local

Make sure that you can resolve the small business server by all the above methods. If you cannot resolve these names then do the following;

sudo nautilus [sudo because you will need to be root in order to edit and save the host file.]
Enter your user password.

Once you are in nautilus navigate to /etc/host and open it. Add entries like this;
Example:
192.168.0.1 domain.local
192.168.0.1 servername.domain.local
192.168.0.1 servername

Install Likewise Open:

Likewise Open enables Linux, Unix and Mac authentication on a Microsoft network using Active Directory. A user can now interactively log in to the Linux, Unix or Mac machine using Active Directory credentials, and can access any kerberized services that the non-Windows machine hosts.

More on the company website.

To install likewise open, do the following;

sudo apt-get update

then run the following command;

sudo apt-get install likewise-open
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
krb5-config krb5-user libkadm55
The following NEW packages will be installed:
krb5-config krb5-user libkadm55 likewise-open
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 4421kB of archives.
After this operation, 12.3MB of additional disk space will be used.

Do you want to continue [Y/n]? y

Get:1 http://in.archive.ubuntu.com hardy/main krb5-config 1.17 [16.1kB]
Get:2 http://in.archive.ubuntu.com hardy/main libkadm55 1.6.dfsg.3~beta1-2ubuntu1 [146kB]
Get:3 http://in.archive.ubuntu.com hardy/main krb5-user 1.6.dfsg.3~beta1-2ubuntu1 [131kB]
Get:4 http://in.archive.ubuntu.com hardy/main likewise-open 4.0.5-0ubuntu3 [4129kB]

Fetched 4421kB in 32s (135kB/s)

Preconfiguring packages ...
Selecting previously deselected package krb5-config.
(Reading database ... 113352 files and directories currently installed.)
Unpacking krb5-config (from .../krb5-config_1.17_all.deb) ...
Selecting previously deselected package libkadm55.
Unpacking libkadm55 (from .../libkadm55_1.6.dfsg.3~beta1-2ubuntu1_i386.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.6.dfsg.3~beta1-2ubuntu1_i386.deb) ...
Selecting previously deselected package likewise-open.
Unpacking likewise-open (from .../likewise-open_4.0.5-0ubuntu3_i386.deb) ...
Setting up krb5-config (1.17) ...
Setting up libkadm55 (1.6.dfsg.3~beta1-2ubuntu1) ...
Setting up krb5-user (1.6.dfsg.3~beta1-2ubuntu1) ...
Setting up likewise-open (4.0.5-0ubuntu3) ...
* Starting the Likewise-open auth daemon [ OK ]
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
root@Ubu13:/home/grajan# ping fareast.corp.microsoft.com
PING fareast.corp.microsoft.com (157.60.222.63) 56(84) bytes of data.
--- fareast.corp.microsoft.com ping statistics –-
13 packets transmitted, 0 received, 100% packet loss, time 12035ms

This installs Likewise.

Joining the Domain.

Use the following command;

sudo domainjoin-cli join microsoft.local Administrator
Joining to AD Domain: microsoft.local
With Computer DNS Name: U11.microsoft.local
Administrator@MICROSOFT.LOCAL's password:
SUCCESS

Now run the following commands to make likewise services run at startup;

sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start

Now when you reboot you should be able to login to Ubuntu using domain credentials. You may have to use DOMAIN\user as username.

You should be able to see your computer in Active Directory.

After you create a user account you should be able to login to Ubuntu with your domain account. You will have to supply the credentials as DOMAIN\user.

Once you login you should be able to see your home folder under nautilus (File Browser for Ubuntu)

Some issues that I ran into;

After rebooting when I tried to login I got the following error;

Busted! had to rebuild Ubuntu. Could not find a way out.

In another instance I got a message asking me what I would like to do. I choose the repair damaged packages option and after the reboot, I was able to login fine.

Accessing Email, companyweb and shares from Ubuntu.

Configuring default email client, Evolution, to receive emails.

Simply click ‘Forward’ on both of these unless you want to restore from a back where you would use the restore option.

Here choose server type to be Microsoft Exchange.
Further you can enter the username. The user name in my case was simply ‘user’.
For OWA URL: https://servername/exchange
In my case since server name is SBS2003. Make sure you type https if you have ran CEICW on SBS and configured IIS with a certificate.

Once you click on Authenticate and enter the password, you should be able to see the “Forward” button. It would no longer be grayed out.

Next you have receiving options, you can fill appropriate response here, no rocket science here, actually anywhere in this article!

Now when you click on ‘Apply’, Evolution will open and ask for password again;

Once you check on “Remember this password” you should not be asked for it again.

You will see the new mail icon once configured cos you have two email from SBS administrator! :)

Accessing companyweb

Here you simply need to enter the URL and enter the password once.

You can choose to remember the password, so that you wont have to enter it all the time.

Done!

Adding shares.

You can add commonly used share simply by going to Places>Connect to Server.

Now you can easily access the shares.

Windows Essential Server Solutions pricing* is as follows:

• Windows Small Business Server 2008 Standard Edition software, including five CALs, $1,089 (U.S.); additional CALs $77 each (U.S.)
• Windows Small Business Server 2008 Premium Edition software, including five CALs, $1,899 (U.S.); additional CALs $189 each (U.S.)
• Windows Essential Business Server 2008 Standard Edition software, including five CALs, $5,472 (U.S.); additional CALs $81 each (U.S.)
• Windows Essential Business Server 2008 Premium Edition software, including five CALs, $7,163 (U.S.); additional CALs $195 each (U.S.)

Read more on;

James.Random() - SBS 2008 and EBS 2008 Pricing Announced

Press Release;

Microsoft Announces Public Preview and Pricing for Windows Essential Server Solutions

Sysinternals Site Discussion : Updates: Autoruns v9.2, Process Monitor v1.33, AccessChk v4.1