Needed Patches/Tweaks

Dear Greg (and anyone else)

Dear Greg:

When I asked you and others to look at the SBS R2 webcast I wanted you to look at it from a "new client" viewpoint.  When you say that "how can I sell this to my existing clients?" you are right.  This will be a hard sell.

But I think all of the "Gregs" out there are missing the point on this release.  Regardless of how we feel about it, listen to the webcast again... hear how the emphasis is on new clients?

Can you answer one more thing for me?  Why is it that even to this day there is evidence that we have SBS 2003 boxes that don't have Service pack 1 on them?

I know I'm in the serious minority of how much a PatchAholic wacko I am, but you know what.... I shouldn't be.

That's what R2 is all about.  And yeah while some of the more talented in SBSland can roll out WSUS in nothing flat, it's pretty obvious to me that many of you guys and gals out here have not installed it, have not even tried it, and are not using it.

Now granted WSUS can't put SBS 2003 sp1 on that box, but if you haven't begun the process of getting a Patching process in place, then when that new client of yours shows up on that doorstep with a R2 box in tow, and you'll look at that WSUS going.... okay what the heck is this patching thing about anyway....needless to say you'll be starting off on the wrong foot.

Yeah, the first thing you should understand about me is that I will throw on a patch or a hotfix to a server or workstation without blinking an eye, but it will take me longer to roll out a Service Pack.  I'll wait, and I'll see, and I'll test on a test box, but I roll it out.

Right now the word on ISA 2004 sp2 is that we're seeing some issues with websites and downloads, and yeah if you must have it installed, the best advice is to delete the cache, install SP2, then disable the compression filter.  (Obviously not a biggie for us down here anyway).  Due to the time of the year at my office.... I have not installed it.  But the best advice I can give on patching in general is ....

  • Get a test program in place
  • Learn how to google for issues (hint put the KB article in the Google Groups box and chances are you'll hit someone talking about an issue)
  • Install it on your machine...and then let it bake before rolling it out to others. Yes, Microsoft tests these...but they cannot test them with every line of business stuff you have.
  • You don't have to be first. I still remember the day that Windows 2003 sp1 came out and someone downloaded it and installed it during the lunch hour.  I mean come on....

Service packs are a big change management.

So yeah Greg... don't look at this as something you'll necessarily need to get for your existing clients unless they are looking to get the SQL 2005.  Instead I'd be looking at those clients who could benefit from a member server running Windows 2003 R2 for your existing client base.  Or looking to upgrade folks from Standard to Premium (which of course is ONLY one cdrom, you do NOT need to start over and install the entire Premium cdrom set, all you need is the ONE premium disk and you install the SQL...like for example for CRM 3.0).

But don't blow this release completely off.  Because for the PatchAholic that I am, this is a milestone for us.  Be proud that SBS showcases how far patching has come in Microsoft.  Realize how this means a lot of work has gone on under the hood.

Issues with connectivity?

Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

Lately some folks have been complaining about RWW 'dropping' out after someone sitting there and using it and there's two things you might want to check....first I've noticed sometimes with folks on Linksys routers getting that 'drop' issue...and secondly you might try that patch to see if that helps.

Download details: Update for Windows Server 2003 (KB898060):
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0245532-0ACE-4B85-85BF-758E936173DF&displaylang=en

And yes that's a Windows 2003 sp1 patch (which means it's still valid for us under the hood) and I've applied that here at the office and at home with no problems.

P.S.  I'm lifting up Alun's comment into the main post as another thing you might want to look at..

I debugged someone through a similar issue with a Linksys router - it was clear that small packets were getting through, but large packets (1500 bytes) were being dropped by something, and we ruled out MS05-019 fairly early on. It did seem to be specifically the router that was at issue.

We 'solved' it by specifically setting the MTU to 1450 bytes.

 


 

BCM and SBA service pack 2

Service Pack 2 for Business Contact Manager Update and Small Business Accounting provides the latest updates to Microsoft® Office Small Business Accounting 2006 and Microsoft® Office Outlook® 2003 with Business Contact Manager Update. This Service Pack contains significant usability enhancements and stability improvements.

Kerberos errors revisited

So remember my Kerberos Errors post the other day?  J.P. posted back with the final resolution to his last one remaining Kerberos errors that he was getting.....and sure 'nuff... HP printer toolbox software... I'm blogging his resolution here for the next person who ends up with Kerberos errors all over their log files and time sync isn't the resolution....

Well, plugging right along, I eliminated the other three remaining kerberos
errors on login.  They were caused by (you guessed it), HP monitoring
"Toolbox"  software. 

With some trial and error on the client end with MSConfig I was able to
narrow it down to the HP Toolbox printer monitoring software.  In researching
the Toolbox software and it's known issues, I came across an article
describing the exact setup.  SBS Premium, XP SP2 workstations, kerberos
errors with firewall on, none with it off, HP printer on a workstation and
shared.

The fix was to go to a command prompt, navigate to c:\windows\system32 (or
the default system32 folder for your OS) and then enter the following command
"hpbpro.exe -regserver" (without the quotes) and if you still have the errors
follow the same process except use the command "hpbpro.exe -service"

No to all -- Seven times

Well I finally did it tonight.  Patched the real baby at the office with Exchange 2003 sp2.

I manually shut off the Trend Exchange antivirus

I shut off the server antivirus

I manually shut down the SMTPservice ...just in case....

And I hit the “No to all” issue.  You know..the No issue.  When we SBS 2003 sp1 premium folks [that translates to having SQL 2000 sp4 on the box] install Exchange 2003 sp2 on our systems we get prompted along the way to replace existing files with older ones.  And...well... given that Exchange 2003 sp2 is 'supposed' to be the new kid on the block for a moment you scratch your head going... huh?

For the record you say “No to all” a total of Seven times.....

For whatever reason the versions of the files that Exchange 2003 sp2 wants to put on are 9.107.8320.4 whereas the ones already ON my box are 9.107.8320.9

..bottom line folks...in the Patching world... Exchange needs to catch up with the other server platforms when it comes to patching.  I really have no idea if the difference between a .4 or a .9 is of consequence... I'll keep you posted on that one.

I like my Windows Server patches.  They install so much nicer.  Time to check the phone for syncing..and it looks like everything is working quite nicely!

P.S.  if you replaced them.. merely rerun the SQL 2000 sp4 installation from your SBS 2003 sp1 premium disk 3

Top support issues from the Partner newsgroups

Why you want...you NEED to be a Microsoft Partner...because you get resources like this...

 

TOP SUPPORT ISSUES

-----------------------------------------------------------

Issue 1:

********

Memory leak issues

 

 

Problem Symptom 1:

==================

Memory leak & Allocated memory alert

 

Suggestion:

Some of them are caused by the SQL memory processing mechanism:

http://msmvps.com/bradley/archive/2005/03/07/37868.aspx.

Memory leak caused by the Lsass.exe process:

821008 Windows Server 2003-Based Computer Becomes Slow and Unresponsive After - http://support.microsoft.com/?id=821008

829993 Memory Leak Occurs in the Lsass.exe Process on a Windows Server - http://support.microsoft.com/?id=829993

 

Other memory leak issues are most likely related to VSS (while being used with some 3rd party backup program, such as Veritas, Ultrabac). What you expect to see in this kind of issue may be any of the following:

 

Poor and gradually declining system performance

Out-of-memory errors

VSS errors

 

If you do see the symptom listed above, I would suggest the following hotfixes be installed on the server, or you may want to apply SBS 2003 SP1 directly.

 

826751 Backup Program Causes Gradually Declining Performance - http://support.microsoft.com/?id=826751

838864 A backup or a restore operation of Exchange 2003 storage groups fails - http://support.microsoft.com/?id=838864

867667 The Beremote.exe process uses up to 100 percent of CPU resources - http://support.microsoft.com/?id=867667

870973 A memory leak occurs in an application using the Volume Shadow Copy - http://support.microsoft.com/?id=870973

831112 You cannot import a transportable shadow volume in Windows Server 2003 - http://support.microsoft.com/?id=831112

833167 A Volume Shadow Copy Service (VSS) update package is available for - http://support.microsoft.com/?id=833167

 

After the SBS 2003 SP1 installation, you still receive the memory allocation alert to indicate that store.exe is using an abnormal amount of memory.

This is actually the same issue described in the following KB: 867628 Monitoring programs report that the Store.exe process consumes - http://support.microsoft.com/?kbid=867628

 

To completely fix this:

You can re-run the Configure Monitoring Wizard and it will also disable the store alert. Note that you need to choose 'Reinstall Monitoring features' when running MCW (Monitoring Configuration wizard) or disable the alert manually from the Health Monitoring page.

 

Issue 2:

========

Slow Shutdown issues on Exchange 2003 (installed on a Windows 2003 DC)

 

Problem Symptom

===============

When you shut down a Microsoft Windows Small Business Server 2003-based computer, the shutdown process takes longer than expected to finish.

 

Cause

=====

The problem of slow shutdowns is not actually a SBS specific one. It exists for every server which is both a domain controller and an Exchange server.

When you shut down the Windows Small Business Server 2003-based computer, the Active Directory directory service shuts down at the same time that the Microsoft Exchange Server services shut down. Therefore, Active Directory becomes unavailable when the Exchange Server services shut down. For example, this problem causes Exchange Directory Service Access (DSAccess) searches to time out and to return errors. Additionally, the DSAccess searches sleep and then restart several times. Therefore, the Exchange Server services that wait for the DSAccess searches to finish are delayed.

 

Resolution

==========

Apply SBS 2003 SP1, as mentioned in the KB article http://support.microsoft.com/?kbid=887539

or, if you don't want to apply SBS 2003 SP1 currently, please get the Hotfix 887539 from CSS.

or manually work around this issue by either modifying the WaitToKillServiceTimeout value (http://support.microsoft.com/default.aspx?scid=kb;en-us;555025) or scripting the Shutdown sequence (http://www.msexchange.org/tutorials/Accelerating_Exchange_Shut_Down.html).

 

Issue #3 - Hot Issue

====================

S2S PPTP VPN gets disconnected after SBS 2003 SP1 Premium (ISA 2004) installation

 

Problem Symptom

===============

Site to Site (S2S) PPTP VPN connection gets disconnected after the SBS 2003 SP1 (ISA 2004) installation. The scenarios we've seen so far are listed below:

Linux VPN server <-> SBS 2003

Linksys VPN <-> SBS 2003

Netopia VPN <-> SBS 2003

Watchguard <-> SBS 2003

 

Analysis

========

The key things to zero in on are the GRE Call IDs (that control data flow) and whether the PPTP Echo Request/Reply process over TCP port 1723 is working (which keeps the connections connected). We encourage you to get a Netmon trace from the VPN server to try and figure out if there is GRE Call-ID mapping going on upstream from the ISA server. It will turn out that the remote device is not following the RFC 2647. So we fail because ISA's pptpfltr.dll is being strict with RFC.

 

Solution

========

1) Don't use the NAT module in the router. Get a .252 block address from their ISP that allows them to set up routing rather than use NAT. (This should give you one IP address for the router, one for the ISA server and a network and broadcast address)

2) Contact the router vendor and get an updated firmware that fixes the NAT problem. (That is if one exists) You can always try the latest firmware.

3) Buy another router that does not have this NAT/PPTP compliance issue

 

Appendix 1 - Why Windows XP doesn't have the same issue

You may find that you can make solid PPTP connections through the router by placing the client PC (XP SP2) on the network that is connected to the EXTERNAL ISA interface and the INTERNAL router interface - effectively the DMZ for this network. It's because the PPTP module in the Windows RAS client has a different design, it does not check the Call ID in the packet. It just accepts it.

 

Appendix 2 - RFC 2637

RFC 2637 - http://www.faqs.org/rfcs/rfc2637.html:

 

Appendix 3 - If it's a ISA 2000 box, not a ISA 2004

 

Make sure that you have ISA SP2 applied which contains the hotfix 831531. In addition, according to the hotfix 'FIX: Outbound PPTP connections may disconnect after 60 seconds if the ISA Firewall Service is running - http://support.microsoft.com/?id=831531', the problem should be fixed without changing the binding order.

If remote is not an ISA server, change the local value InactivityIdleSeconds to 30 seconds to ensure that the server's timer always expires first. (See Q262990 for instructions): '262990 RRAS VPN Dial-On-Demand Failover Mechanism - http://support.microsoft.com/?id=262990'.

840654 Your VPN connection is disconnected after several minutes in Windows XP - http://support.microsoft.com/?id=840654
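
The Call ID and Echo checks that the Issue #3 analysis asks you to make in a Netmon trace, as an added Python example (not code from the partner newsgroup post or from Microsoft): it parses RFC 2637 control messages and enhanced GRE headers, then flags GRE packets whose Call ID the receiver never announced and Echo-Requests that were never answered. The capture tuple layout, the function names and every sample value are constructed for illustration; it says nothing about how ISA's pptpfltr.dll is implemented.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie carried by every PPTP control message
GRE_PROTO_PPP = 0x880B       # protocol type of PPTP's enhanced GRE
ECHO_RQ, ECHO_RP, OCRQ, OCRP = 5, 6, 7, 8   # RFC 2637 control message types
MIN_BODY = {ECHO_RQ: 4, ECHO_RP: 4, OCRQ: 2, OCRP: 4}

def parse_control(msg: bytes) -> dict:
    """Parse one PPTP control message (payload of the TCP 1723 connection)."""
    if len(msg) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", msg[:12])
    if magic != PPTP_MAGIC or msg_type != 1 or not 12 <= length <= len(msg):
        raise ValueError("not a complete PPTP control message")
    body = msg[12:length]
    if len(body) < MIN_BODY.get(ctrl_type, 0):
        raise ValueError("truncated PPTP control message")
    out = {"type": ctrl_type}
    if ctrl_type in (ECHO_RQ, ECHO_RP):
        out["ident"], = struct.unpack("!I", body[:4])
    elif ctrl_type == OCRQ:
        out["call_id"], = struct.unpack("!H", body[:2])        # sender's own ID
    elif ctrl_type == OCRP:
        out["call_id"], out["peer_call_id"] = struct.unpack("!HH", body[:4])
    return out

def parse_gre(pkt: bytes) -> dict:
    """Parse an enhanced GRE header (payload of an IP protocol 47 packet)."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    has_key, has_seq, has_ack = bool(b0 & 0x20), bool(b0 & 0x10), bool(b1 & 0x80)
    if (b1 & 0x07) != 1 or not has_key or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE (version 1, key present)")
    if len(pkt) < 8 + 4 * has_seq + 4 * has_ack:
        raise ValueError("truncated GRE header")
    return {"call_id": call_id, "payload_len": payload_len,
            "has_seq": has_seq, "has_ack": has_ack}

def audit(capture):
    """Return (packet number, finding) pairs for a capture given as
    (direction, channel, bytes): direction is 'in' or 'out' relative to the
    capturing host, channel is 'ctl' (TCP 1723) or 'gre' (IP protocol 47)."""
    announced = {"in": set(), "out": set()}   # Call IDs each sender assigned itself
    pending_echo, findings = {}, []
    for n, (direction, channel, raw) in enumerate(capture, 1):
        other = "out" if direction == "in" else "in"
        if channel == "ctl":
            m = parse_control(raw)
            if "call_id" in m:
                announced[direction].add(m["call_id"])
            if m["type"] == OCRP and m["peer_call_id"] not in announced[other]:
                findings.append((n, f"reply names unknown peer Call ID {m['peer_call_id']}"))
            if m["type"] == ECHO_RQ:
                pending_echo[(direction, m["ident"])] = n
            elif m["type"] == ECHO_RP:
                pending_echo.pop((other, m["ident"]), None)
        else:
            # A GRE packet must carry the Call ID its *receiver* announced.
            g = parse_gre(raw)
            if g["call_id"] not in announced[other]:
                findings.append((n, f"GRE '{direction}' carries Call ID {g['call_id']}, "
                                    f"receiver announced {sorted(announced[other])}"))
    for (direction, ident), n in pending_echo.items():
        findings.append((n, f"Echo-Request {ident} sent '{direction}' was never answered"))
    return findings

def build_ctl(ctrl_type: int, body: bytes) -> bytes:
    """Build a control message for the constructed samples below."""
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctrl_type, 0) + body

def build_gre(call_id: int, seq: int, payload: bytes = b"\xff\x03\xc0\x21") -> bytes:
    """Build a GRE data packet (K and S set, version 1) for the samples below."""
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

# Constructed capture as seen on the VPN server; the remote site places the call.
REMOTE_ID, SERVER_ID = 0x4000, 0x0123
SETUP = [
    ("in", "ctl", build_ctl(OCRQ, struct.pack("!HHIIIIHHHH", REMOTE_ID, 1, 300, 10**8,
                                              3, 3, 64, 0, 0, 0) + bytes(128))),
    ("out", "ctl", build_ctl(OCRP, struct.pack("!HHBBHIHHI", SERVER_ID, REMOTE_ID,
                                               1, 0, 0, 10**8, 64, 0, 0))),
    ("out", "gre", build_gre(REMOTE_ID, 0)),
]
GOOD = SETUP + [("in", "gre", build_gre(SERVER_ID, 0)),
                ("out", "ctl", build_ctl(ECHO_RQ, struct.pack("!I", 7))),
                ("in", "ctl", build_ctl(ECHO_RP, struct.pack("!IBBH", 7, 1, 0, 0)))]
# Same call, but inbound GRE arrives with a remapped Call ID and the server's
# Echo-Request goes unanswered.
BAD = SETUP + [("in", "gre", build_gre(0x8001, 0)),
               ("out", "ctl", build_ctl(ECHO_RQ, struct.pack("!I", 7)))]

if __name__ == "__main__":
    for name, cap in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cap) or "no findings")
```

To use it on a real trace, export the TCP 1723 payloads and the IP protocol 47 payloads in capture order and tag each with its direction relative to the server.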

UPS attached to a ProLiant ML150 and your CPU at 100%?

There's a fix for ya

When an HP T700 or HP XR5500 Uninterruptible Power Supply (UPS) is connected to a ProLiant ML150 G2 server through the serial port using a serial cable, the CPU utilization will remain constant at 100 percent. As soon as the serial cable is removed, the CPU utilization immediately returns to normal levels.

Any ProLiant ML150 G2 server running System ROM Version 1.10 (or earlier) and is connected to a HP T700 or HP XR5500 Uninterruptible Power Supply (UPS) via a serial cable.

To prevent the processor utilization from immediately increasing to 100 percent when a UPS is connected to the serial port, upgrade the ProLiant ML150 G2 System ROM using the Single Point Solution Systems ROMPaq Firmware Upgrade Diskette for HP ProLiant ML150 G2 Servers, available at the following URL:

ftp://ftp.compaq.com/pub/softpaq/sp31001-31500/SP31081.TXT

ftp://ftp.compaq.com/pub/softpaq/sp31001-31500/SP31081.EXE

Thanks Jaime for the follow up!

SBA on SBS [the unsupported instructions to get the datafile ON the network]

So you build a Small Business Accounting Program and you call it a multi user version...and then you don't install it on SBS in such a way so that the msde datafile is 'on' the server, but rather on a desktop inside the office.

Okay ....lemme get this straight... why does EVERYONE see the word 'multi-user' and translate that to “Peer to Peer” except for me?  I WANT that datafile ON the Server.  I mean that's WHY I have a network you know so that data can be better protected over there.  I don't see peer to peer networks as being of value to me.  I WANT a server.  I WANT the active directory goo.  I WANT the control.  So what's a gal to do? 

She gets advice from her fellow geeks who hack up the way to get it on the server. 

So here is the unofficial, unsupported instructions to get SBA on SBS 2003.

“What I have done is install Small Business Accounting on SBS2003.  This results in an MSDE instance called MICROSOFTSMLBIZ being installed there.  The instance can host the BCM database as well.  You would install BCM on your workstation, set it up for sharing and add users.  Then shut down Outlook and SQL on your workstation, copy the BCM database and log file to the server and use SQL Enterprise Manager to attach them there.  Restart SQL and Outlook on the workstation.  You should now be able to redirect Outlook to the copy of the database on the server.

Unfortunately this method is not supported by Microsoft as I mentioned in the meeting.  In fact, if you have SBS Premium you can upgrade the MSDE instance to full SQL to remove any database size or number of user limitations.”

Remind me to email Dennis Clark and give him feedback to take back that they DO start supporting SBA on SBS.  I mean... it just makes sense, you know?

Messing up that morning email with a few extra printers via a TS session

Every morning when you view the 6 a.m. view of the network, you get that annoying “error” message that isn't an error message at all... it's just YOU logging into the server via Remote desktop and the system will want to “add printers”... well so... how do you fix this annoyance?

Event Type: Error
Event Source: TermServDevices
Event Category: None
Event ID: 1111
Date:  8/27/2005
Time:  12:56:08 PM
User:  N/A
Description:
Driver Amyuni PDF Converter 2.07 required for printer Intuit Internal Printer is unknown. Contact the administrator to install the driver before you log in again.

Easy. When you launch the RDP connection, before you enter the password and get to that remote console, click on options on the right side to expand down the view of your options, then into “Local Resources“ tab and untick Printers

Fixed.

While in there... see the other options you have.

Allocated Memory Alert

After you install SBS 2003 sp1 you 'may' get a monitoring error saying you have an 'allocated memory alert'.  There are two possibilities of this issue that are VERY easily fixed.  I've personally had both happen to me and both times just put a little 'governing' value on the ISA sql instance and the SBSMonitoring instance and the system was happy as a clam afterwards.

Here's the two past posts to review regarding the issue:

http://msmvps.com/bradley/archive/2005/02/04/34984.aspx
http://msmvps.com/bradley/archive/2005/05/22/48500.aspx

A post in the newsgroup today made me stick this blog post in here to capture both links so I can just point folks to this one now.  If the memory alert is due to Sharepoint, you'll need to call Product Support and work through the issues, but if it's ISA or SBSMonitoring?  Stomp on 'em with absolutely no side effects.

...for those trivia buffs... I really should have said “Happy as a clam at high tide”

So where's the change IP address wizard?

There are times I think we need wizards to tell us there are wizards.  You know something that would say “You know..before you do that... you do realize we have a wizard for that?”

The change IP address wizard is like that.  In Server Management it is buried under the Email and Internet section

Change Server IP Address  Enables you to change the IP address of the server's local network adapter and update all network services on the server to use this new address.

But yet this simple wizard makes it easy to change the IP address of the server and not forget a step.

Service pack - revisits

First off, a REMINDER that if you happen to load up Windows 2003 SP1, and you are a SBSer, you aren't done yet... right in that “Windows 2003 SP1“ page it says:

Important

Taken from this page at the bottom.

Remember we aren't 'just' Windows 2003 sp1.  We're a Dagwood sandwich and we have parts.

Next if you are a Dell customer..remember to check the Dell Support site regularly (put in Service Tag then go to downloads and all downloads available for their server will be there). There is a recent Service Pack release which fixes a few problems is what I've heard.  I'll have to go check it out myself.  As an HP customer I get weekly emails of new fixes and releases [that's really cool, I like that]  Dell has the notification email too!

If you have an OEM installation of SBS 2003, you must use a special procedure to install WSUS

-------- Original Message --------

Subject: If you have an OEM installation of SBS 2003, you must use a special procedure to install WSUS

Date: Wed, 24 Aug 2005 17:13:33 -0700

From: Tim Elhajj (MSFT)

Newsgroups: microsoft.public.windows.server.sbs

 

There is a problem with installing WSUS on SBS 2003 and this message offers a work around to this problem.

 

 

BACKGROUND: Here is a description of the problem with OEM installation of SBS 2003:

 

 

During the SBS OEM mini setup the domain name is entered by the customer and added to the AD.  This property is set in the AD as lowercase.  During WSUS installation, the instance of WMSDE is set to case sensitive.  During the setup process an attempt is made to give access to a security account which fails because it can't find the account in the AD. The check is doing a case sensitive check (since the instance of WMSDE is set to case sensitive). Since the AD has the domain in lower case and the process is looking for an upper case entry, it fails. Example: Setup process is looking for SJMPC\IWAM_DELL-OFV7446Y6N, but the AD shows sjmpc\IWAM_DELL-OFV7446Y6N, since the instance is case sensitive, the install fails.

 

WORKAROUND: To work around this problem, use the following special procedures for downloading the WSUS installer file, extracting WMSDE from the WSUS installer file, installing WMSDE from the command line, and then installing WSUS.

 

To download the WSUS installer to your server

 

1.   On the computer running Windows SBS, create a folder named WSUSFiles on the local hard disk.

 

2.   Read how to register to download the latest version of WSUSSetup.exe from the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=51144.

 

3.   Answer all of the required questions on the Windows Server Update Services Registration Wizard Web page, and then click Continue.

 

4.   When the file download security warning appears, click Save.

 

5.   In the Save As dialog box, browse to the WSUSFiles folder, and then click Save.

 

 To prepare the WSUS database

 

1.   Extract the WSUS Setup files.

 

a.   Click Start, click Run, and then type C:\WSUSFiles\WSUSSetup.exe /X, where C: is the letter of your local hard disk.

 

b.   When prompted for a location to extract the files, select the WSUSFiles folder.

 

2.   Type the following command, where C: is the letter of your local hard disk, and then press Enter:

 

CD C:\WSUSFiles\wmsde

 

3.   Type the following command with consideration to the points listed below, and then press Enter:

 

Sqlrun03.msi InstanceName=WSUS BlankSAPwd=1 Reboot=ReallySuppress DisableNetworkProtocols=1 DisableAgentStartup=1 DisableThrottle=1

 

* If you want to specify the drive letter where the database instance will be located, you must add the DataDir="Path" argument to the command line, where Path is the path to the target directory in the file system.

 

* The command line implies that your WSUS database will have a blank password. However, during the actual installation of WSUS, a randomly generated password is set. You do not need to specify a password.

 

* The command line is not case sensitive.

 

4.   Start the MSSQL$WSUS service. To do this, click Start, click Run, and then type Services.msc. Right-click MSSQL$WSUS, and then click Start. If the service is not listed, rerun the command in Step 4 of this procedure.

 

To install WSUS

 

1.   Click Start, click Run, and then type C:\WSUSFiles\WSUSSetup.exe, where C: is the letter of your local hard disk.

 

2.   On the Welcome page of the wizard, click Next.

 

3.   Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.

 

4.   On the Select Update Source page, you can specify where the client computers get updates. If you select the Store updates locally check box, updates are stored on the server and you can select a location in the file system to store updates. If you do not store updates locally, the client computers connect to Microsoft Update to get approved updates. Keep the default option to store updates locally, either choose a location to store updates or accept the default location, and then click Next.

 

5.   On the Database Options page, keep the default options, and then click Next. Because you installed WMSDE in the previous procedure, changing the options on this page of the wizard has no effect.

 

6.   On the Web Site Selection page, specify a Web site for WSUS to use. This page also lists two important URLs based on this selection: the URL to which you will point WSUS client computers to get updates, and the URL for the WSUS console where you can configure WSUS. Keep the default option and click Next.

 

7.   On the Mirror Update Settings page, keep the default option and click Next. If you want to use multiple WSUS servers in a central management topology, see "Deploying Microsoft Windows Server Update Services."

 

8.   On the Ready to Install Windows Server Update Services page, review the selections, and then click Next.

 

9.   If the final page of the wizard confirms that WSUS installation was successfully completed, click Finish.

 

Note:  After you install WSUS, you can delete the C:\WSUSFiles folder. However, do not delete the C:\WSUS folder, which is created when WSUS is installed. [Susan's note..or wherever you stuck the WSUS.  You may NOT want to place it on C: in case you are tight on space.]

Slow logging into RWW?

So Jeff had a network where logging into a Terminal server box was really slow... but if he logged in with domain admin rights it was fast.

So we were thinking at first that this was RWW into desktops..but it wasn't...it was RWW into a TS box...and once we figured out what he was logging into, a google into the newsgroups and several posts on point

It's a 'ghost' server that was left behind in AD.

Mucked it out of there and all was well.

So how to be pinged on IM about your server

From the mailbag today comes the question of how do I get 'pinged' on IM about my server.  Well technically, I'm getting 'pinged' by getting an email message on MSN Hotmail.  I use MSN 7 these days and it's my “hotmail” email address account.  ...so.. in the monitoring wizard setup on SBS, not only do I make sure I put in the 'inside' email address, I also put in my hotmail address... AND.. for extra paranoia, I stick in the SMS number of my cell phone... 559#######@att.wireless.net.  So when the server sends out a 'ooh that failed' message, I get email, I get a 'you have mail' popup on MSN, and my cell phone buzzes me.  Now I do this for 'my' baby.  And maybe you don't want to do this for every server you manage.  But it's certainly something that if you are watching a server having issues, change that mail notification so that it 'hits' you where you get the message in an immediate fashion.  Rerun the wizard and put in additional contact email addresses where you want to be notified.

Since I tend to be logged into MSN IM a lot [all the gang on my IM list will attest to that one] no matter where I am, home, office, conferences, ..... uh... Disneyland..... if there's a critical alert that the system has fired off, I'll get a notification.

So what do I call myself?

From the mailbag today comes the question of what do we call our domain name... and he wasn't talking about the .local issue mind you [which we should always do] but rather that internal box name so that should partnerships split, firms explode..whatever.. you weren't stuck with an inner netbios/domain name that just drove the customer crazy to the point that they were willing to flatten the box to get it off of there.

 

Personally I agree.  The only caveat I would say to calling the entire fleet of your servers something like SBSServer is an issue that cropped up after SBS 2003 sp1 where if you had named your servers identical for all those in your control, the monitoring emails would get a bit confusing: 

 

But yeah...naming that server something that you won't be asked to wipe off the face of the earth later is probably wise...

 

The titles of the performance and usage reports include the server name rather than the organization name

After you install SP1 for Windows SBS, the organization name is replaced with the server name in the title of the performance report and the usage report.

 

If you prefer to see the organization name in these reports, you can change the RegisteredOrganization entry in the registry.

 

Caution: 

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. 

 

 

To change the RegisteredOrganization registry entry

Click Start, click Run, type regedit in the Open box, and then click OK. Registry Editor opens.

 

Navigate to and click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer

 

In the details pane, double-click RegisteredOrganization.

 

Enter your organization name in the Value data field, and then click OK.

 

Click File, and then click Exit to close Registry Editor.

The case of the FFS

I have a problem coming up in my office... I can see it now.... we're not quite ready to be storing Excel and Word documents in a SQL database... okay... let's correctly put that sentence in the proper context shall we?  “I'M” not ready to be storing Excel and Word documents in a SQL database.  But yet I can see that the way we are yanking files around now is just probably not a good long term solution at all.

For one we have traditionally fought the FFS.. fatal finger syndrome where accidentally dragging and dropping  a file or a folder will be dropped under another one.

People will blame viruses... harddrives...etc. but it's FFS.

Nigel pointed to a possible solution..... I just may have to try that on certain computers at the office...

Disable the Drag and drop or copy and paste files option in the Internet and local intranet zone. To do this, follow these steps:
a. In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
b. In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
c. In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous. Make a note of your current setting.
d. Under Drag and drop or copy and paste files, click Disable, and then click OK.
e. Click Yes, and then click OK two times.
f. Repeat these steps for the local intranet zone by clicking Local intranet instead of Internet in step 2b.

It's raining

It's raining today.  Which normally isn't a bad thing at all and in fact I love rain...but ....well.. I should have done some maintenance on my car.  You see the windshield wiper blade is fraying and ...well...when you have nearly a month of 100 degree temperatures and Sunny days, you just don't have an urge for doing maintenance for wiper blades.

But I should have...because you see one wiper is now fraying...and because my maintenance was not done, can turn into an emergency situation.  Okay it's not 100% an emergency as the rain isn't that heavy..it just makes it more steamy...but the point is I should have fixed it when I was warned about it..not now when I really need it.

Your server is that way too.  Daily it sends you a report telling you how it's doing.  Some machines even have additional diagnostic emails that can be sent from the system to monitor drives, temperature and what not.  Your antivirus has [or it SHOULD HAVE] a centralized console that will keep track of A/V status [I do wish Trend would email me reports, though, of not only MY centralized A/V status but that of employees in the office that remote in so I can keep track of them as well].  I also track security patch status.

So what do you monitor on your server?  On your workstations?

What would you want to add to your list?

Getting RID of that annoying wallpaper

I was remoting into a Dell OEM to test Sean's instructions [and yes, they work but I'd recommend that you put the data files on a D: or other drive] and got majorly slowed down by that annoying Dell wallpaper that takes forrrevver to resolve while you are remoting in.... UGGGHHHHH and remembered that Eriq Neale had the info on taking that sucker off...

Courtesy Eriq Neale

To remove the Dell wallpaper image:

1. Open Regedit on the server.

2. Go to HKEY_USERS\.DEFAULT\Control Panel\Desktop.

3. Look for the Wallpaper value in the right-hand pane. It will
probably point to C:\WINDOWS\system32\DELLWALL.BMP.

4. Double-click on the Wallpaper value.

5. Delete the contents and click OK.

6. Close Regedit.

MS05-039: Zotob.A Internet Worm -- In-the-wild

Fellow MVP Harry Waldron reports the first sightings of a virus/worm bundled up to take advantage of a flaw fixed by the recent security patches released on Tuesday:

MS05-039: Zotob.A Internet Worm -- In-the-wild:
http://msmvps.com/harrywaldron/archive/2005/08/14/62663.aspx

From the F-Secure write up.... http://www.f-secure.com/weblog
"However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, majority of Windows boxes in the net won't be hit by it." 

More info...

MS05-039: Zotob.A Internet Worm
http://forums.mcafeehelp.com/viewtopic.php?t=52307

ISC information
http://isc.sans.org/diary.php?date=2005-08-14

Important facts so far from the ISC write up:

- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.


----------------------------------------------------------------------
                      FrSIRT / Security Alerts
----------------------------------------------------------------------
      The French Security Incident Response Team 24/24 & 7/7
----------------------------------------------------------------------
                         - 14 August 2005 -
----------------------------------------------------------------------

- A worm (Zotob.A) exploiting the MS05-039 flaw discovered in the wild

 Zotob.A is a worm that exploits the recent Plug-and-Play vulnerability
 (MS05-039) using TCP port 445. The worm targets only Windows 2000
 machines [...]

 
http://www.frsirt.com/english/advisories/20050814.ZotobA.php


SBSized translation:

Your Windows 2000 machines are most vulnerable.  While port 445 [a file and printer sharing port] is not open from the outside, it is fully open on the inside [inner goo].  Most SBS networks were not too typically nailed by Sasser and Blaster because at that time we were not doing a lot of remoting in.  I think we're doing a lot more.  Your remoting-in machines that you or your consultant do not monitor the patch status on are your weak spots.  I'm still not in panic mode... but then again... I'm fully patched via the use of Shavlik at the office and WSUS here at home so I can type this up all high and mighty and not care a twit. 

Want to be 'twit-carefree' like me?  Turn on that automatic updates on workstations.  Install WSUS.  Buy Shavlik.  Do something .....but get a tool so that patch Tuesday is actually the 'control thrill of the month' in your network.  I use it as my 'check my network day'.  Automate it.  Blonde it.  But get 'twit-carefree' like me about patching.

About that defraggin....

Apparently defragging is a hot topic because it got a ton of feedback including this gem from David... so ya might not wanna be quite too quick to defrag folks....

Don't forget that unless you've taken special steps to prevent it, defragging a Windows / SBS 2003 server partition with Volume Shadow Services enabled will wipe out your entire stock of shadow copies. See http://support.microsoft.com/kb/312067.

Blue Screen of Death with Symantec A/V 10

Blue screen error when Symantec AntiVirus 10 is installed

From the listserves comes the report that in rare circumstances you might see a BSOD on a machine getting Symantec 10 installed when there are....

  • Problems with older Symevent drivers
  • A conflict with Roxio Easy CD Creator 5.3.5... to work around that one, remove the read-only attribute from the L3codecx.acm file.

Don't know what a BSOD is? It's basically a sign from Bill Gates that you really need to call Product Support Services, get dump/debug session set up and have someone look at that error and save you from hours of hunting down and googling...Now Roger Otterson argues that as a Microsoft Partner we shouldn't know about how to do a basic blue screen dump file debugging session...as it's in your clients' best interest to use that business down support ability to get that customer back on his or her feet as quickly as possible.  Others I know will argue that as IT Professionals we should know this stuff.

I do know if you download and install the debugger files and open up the help files...they are really cool....

DNS issues

Per was having issues with a client on a random basis not resolving web sites and what not.... and when he tested the problem out by putting a bogus IP address in the Primary DNS forwarders, he realized that the secondary ones were not kicking in......

So changing the value in this key did the trick...

HKLM\System\CCS\Services\DNS\Parameters\RecursionTimeout = 15 sec

Now what's interesting is that on a pre-SP1 box this apparently gets set to 5 seconds... on a post-SP1 box this gets set to the value of 15.

The moral of this story?

Apply Service pack 1.

And just to let you know... while there are a few gotchas  to look out for and known issues, we'll always leave the light on in the newsgroup for you and remember...you Microsoft Partners have those support options.
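A check for the situation Per ran into, as an added example that is not part of the original post: it reads RecursionTimeout from the key named above (with CCS written out as CurrentControlSet) and probes each forwarder directly, so a dead primary shows up before clients start failing. The function name, the probe name and the sample forwarder addresses are assumptions; `Resolve-DnsName` needs a newer Windows than the SBS 2003 box in the post.

```powershell
# Added example (not from the original post): report the DNS server's
# RecursionTimeout and check that every configured forwarder answers.
function Test-DnsForwarderFailover {
    param(
        # Forwarder IPs in the order they are listed on the DNS server.
        [Parameter(Mandatory)]
        [string[]]$Forwarder,
        # External name used for the probe lookup (assumption; any public name works).
        [string]$ProbeName = 'www.microsoft.com',
        # The post-SP1 value reported in the post.
        [int]$ExpectedTimeout = 15
    )

    # The key the post abbreviates as HKLM\System\CCS\Services\DNS\Parameters.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $timeout = (Get-ItemProperty -Path $key -Name RecursionTimeout -ErrorAction SilentlyContinue).RecursionTimeout

    if ($null -eq $timeout) {
        Write-Warning "RecursionTimeout is not set under $key (or this machine is not a DNS server)."
    } elseif ($timeout -lt $ExpectedTimeout) {
        Write-Warning "RecursionTimeout is $timeout s, below $ExpectedTimeout s; secondary forwarders may not get a turn."
    } else {
        Write-Host "RecursionTimeout is $timeout s."
    }

    # Ask each forwarder directly instead of going through the local DNS server,
    # so one dead forwarder cannot hide behind a healthy one.
    $order = 0
    foreach ($ip in $Forwarder) {
        $order++
        $watch = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            Resolve-DnsName -Name $ProbeName -Server $ip -Type A -DnsOnly -ErrorAction Stop | Out-Null
            $result = 'answered'
        } catch {
            $result = "no answer ($($_.Exception.Message))"
        }
        $watch.Stop()

        [pscustomobject]@{
            Order     = $order
            Forwarder = $ip
            Result    = $result
            Seconds   = [math]::Round($watch.Elapsed.TotalSeconds, 1)
        }
    }
}

# Constructed sample addresses from the documentation ranges; they will not
# answer, which mimics the bogus-primary test. Replace with the real forwarders.
Test-DnsForwarderFailover -Forwarder '192.0.2.53', '198.51.100.53'
```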

APC's understatement of the year

On the APC web site is this tech note

“In order for PowerChute Business Edition to remain functional, users must upgrade to any version of 7.x. Due to expiration of the Sun Java Runtime Environment certificate, versions 6.x of PowerChute Business Edition will cease to operate normally as of July 27, 2005. Failure to upgrade will result in PowerChute Business Edition no longer providing monitoring and graceful shutdown of your system.”

What it really should say:

In order for PowerChute Business Edition your Server that your business relies on to remain functional and boot worth a darn and not sit there for eons stuck on Applying Computer settings, users must upgrade to any version of 7.x. Due to expiration of the Sun Java Runtime Environment certificate, versions 6.x of PowerChute Business Edition will cease to operate normally as of July 27, 2005. Failure to upgrade will result in PowerChute Business Edition no longer providing monitoring and graceful shutdown of your system.  Failure to upgrade will result in you spending hours debugging the problem thinking it's viruses, corruptions, harddrive issues, and possibly cause network consultants to rebuild entire networks and spend unnecessary hours and weekends stuck fixing this.

APC?  Be a bit more honest about this... I'm not looking forward to next Tuesday when we'll have that possible forced reboot for a patch day coming up.  Remember this only nails you after you've been forced to reboot.

Spyware for the Server?

From the mailbag tonight comes the question... “What spyware protection and registry maintenance do you recommend for the SBS 2003 server?”

...uh..dude?  You surfing at that server so it needs spyware protection?  Don't.  Let's nip that right in the bud dude and stop doing that.  That is the absolute worst thing you can be doing is surfing at that server, logged in as domain administrator on your domain controller.  I don't put spyware protection on the server because I don't surf at the server... it's not getting in at the server...spyware comes from CLICKING end users on workstations.

In fact that's why there's that annoying Enhanced IE thingy on the server that you shouldn't remove.  That's the Michael Howard annoyance factor to make you want to go back to your own workstation.  Pretty darn effective isn't it?  But the point is when the threat modeling was done for the server they knew the worst thing would be to have an admin surf at a server.  Don't.  Don't need antispyware.  It's that simple.

Registry maintenance?  The last time I installed software directly ON the server... was... I don't know what it was.. it was so long ago...the only thing I install these days is security patches.  Only server applications that I've installed went on there ages ago as it was built and pretty much everything else is installed from a workstation pointing to the server so it's not going into a 'registry' per se.

Most will also say..don't defrag.  As long as you keep about 20% ish of your drives free NTFS will be just fine.

Bottom line... your server is ...just that .... your server....and really does the best when it's just left to be ....your server and doesn't need all the tweakage you may be doing on workstations.

Security Patch Tuesday heads up

********************************************************************
Title: August 2005 Microsoft Security Response Center Bulletin
Notification
Issued: August 04, 2005
********************************************************************

Summary
=======

As part of the monthly security bulletin release cycle, Microsoft
provides advance notification to our customers on the number of new
security updates being released, the products affected, the
aggregate maximum severity and information about detection tools
relevant to the update. This is intended to help our customers plan
for the deployment of these security updates more effectively.

In addition, to help customers prioritize monthly security updates
with any non-security updates released on Microsoft Update, Windows
Update, Windows Server Update Services and Software Update Services
on the same day as the monthly security bulletins, we also provide:

- Information about the release of updated versions of the
Microsoft Windows Malicious Software Removal Tool.
- Information about the release of NON-SECURITY, High Priority
updates on Microsoft Update (MU), Windows Update (WU), Windows
Server Update Services (WSUS) and Software Update Services (SUS).
Note that this information will pertain ONLY to updates on Windows
Update and only about High Priority, non-security updates being
released on the same day as security updates. Information will NOT
be provided about Non-security updates released on other days.

On 9 August 2005 Microsoft is planning to release:

Security Updates
- 6 Microsoft Security Bulletins affecting Microsoft Windows. The
highest Maximum Severity rating for these is Critical. These updates
will require a restart. These updates will be detectable using the
Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool

- Microsoft will release an updated version of the Microsoft
Windows Malicious Software Removal Tool on Windows Update, Microsoft
Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update
Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

- Microsoft will release one NON-SECURITY High-Priority Update for
Microsoft Windows on Windows Update (WU), Microsoft Update (MU),
Software Update Services (SUS), and Windows Server Update Services
(WSUS).

Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.

Microsoft will host a webcast next week to address customer
questions on these bulletins. For more information on this webcast
please see below:

- TechNet Webcast: Information about Microsoft's August Security
Bulletins (Level 100)
  
- Wednesday, August 10, 2005 11:00 AM (GMT-08:00) Pacific Time (US
& Canada)
********************************************************************

Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with security updates.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at:
http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
  valuable information to help you protect your network. This
  newsletter provides practical security tips, topical security
  guidance, useful resources and links, pointers to helpful
  community resources, and a forum for you to provide feedback
  and ask security-related questions.
  You can sign up for the newsletter at:

 
http://www.microsoft.com/technet/security/secnews/default.mspx

* Microsoft has created a free e-mail notification service that
  serves as a supplement to the Security Notification Service
  (this e-mail). The Microsoft Security Notification Service:
  Comprehensive Version. It provides timely notification of any
  minor changes or revisions to previously released Microsoft
  Security Bulletins and Security Advisories. This new service
  provides notifications that are written for IT professionals and
  contain technical information about the revisions to security
  bulletins. To register visit the following Web site:

 
http://www.microsoft.com/technet/security/bulletin/notify.mspx

* Protect your PC: Microsoft has provided information on how you
  can help protect your PC at the following locations:

 
http://www.microsoft.com/security/protect/

  If you receive an e-mail that claims to be distributing a
  Microsoft security update, it is a hoax that may be distributing a
  virus. Microsoft does not distribute security updates via e-mail.
  You can learn more about Microsoft's software distribution
  policies here:

http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

If you think your SBS 2003 server shuts down a smidge slower after SP1?

You are right.

Live with it [see note below for reasonable shut down times]

Microsoft Issues Fix for SBS 2003 Slow Shutdown:

The shutdown process takes longer than expected to finish on a Windows Small Business Server 2003-based computer:

Now what I don't quite understand is the file on my 'non patched' SBS 2003 sp1 box is the same version as in that KB article.  But I haven't gotten around to requesting the hotfix to see what's 'really' in it.


Update:  Upon further investigation..we ALREADY have this QFE fix in our SBS sp1 boxes... the KB article is misleading because it says “you need Service Pack 1 in place before applying this” ...what they mean is ... “you need Exchange 2003 sp1 in place before applying this”.

Bottom line if your server is taking a minute or two to shut down... it's normal.

If your server is taking like longer than 10 minutes or so... that's not normal and should be investigated.



 

A little shadowing of our sessions

Just a heads up ...from the ever useful blogger SeanDaniel.com comes the answer to a question I've seen a few people ask about. 

How can I 'shadow' a session to show the person on the other side what I am doing when I take over their computer?

SeanDaniel.com blogs on how.

Check it out.

WSUS resources

At the SMB technology network in Los Angeles I did a presentation on WSUS [Windows Server Update Services] and I want to make sure everyone has a heads up about a new resource for WSUS:

The WSUS blog:

WSUS Product Team Blog:
http://blogs.technet.com/bobbie_harder_msft/

Don't forget the WUS listserve and the Patch Management listserve as well...both signups located here.

 http://blogs.technet.com/wsus/

Forget that Bobbie_Harder blog......THIS is the REAL WSUS product team blog where we will be posting product information, tips and tricks, best practices, and other tidbits we find and hear not only from us, but from across the community!

 

A little uninstall... a huge step forward for patching

Did everyone catch this KB?

Information about the ability to uninstall Office updates:
http://support.microsoft.com/?kbid=903771

The security update for Word 2002 that is described in the Microsoft Knowledge Base article 895589 was the first Office update that included the ability to remove the update. Security update 895589 was released on July 12, 2005. Office updates that were released after July 12, 2005 also include the option to remove the update, unless otherwise noted in the release documentation.

Bottom line we're now moving closer to where there won't be a patch that can't be uninstalled anymore.  This is a huge step forward in patch management and it is cool to see the change in patches occurring.

Okay...so I realllllyyy need a life.......

How to fix an application that isn't working after 05-026

Microsoft Security bulletin 05-026 broke our “help” file that is inside the CCH Tax preparation program...you go to help...and there's nothing there....but there's an easy fix that is listed in this KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;896054

  • Click on Start
  • Run
  • Regedit
  • Find HKEY_LOCAL_MACHINE
  • Find the subfolder of SOFTWARE
  • Find the subfolder of Microsoft
  • Find the subfolder of HTMLHelp
  • Find the subfolder of 1.x
  • Now click on that 1.x folder and right mouse click
  • Now click on 'new' and then on 'key' and add a new key
  • Type in ItssRestrictions
  • Hit enter
  • Click on the subfolder of ItssRestrictions
  • Right mouse click, click on 'new' and then on 'dword'
  • In the “New value” box, type in MaxAllowedZone
  • Hit Enter
  • Click on that “MaxAllowedZone” and right mouse click
  • Click on “Modify”
  • Change the value data from 0 to 1
  • Click OK
  • Close the Registry

Try CCH tax software again.  Your help files should now work as expected.

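When you get done, the left side should show the ItssRestrictions key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x, and the right side should show MaxAllowedZone with a value of 1.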

P.S.  This KB article is actually referred to from a “caveat” link at the top of the Security bulletin that points to known issues.  Always review the “Known issue” for the issues that have already been found and fixed.
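The same registry change as a PowerShell function, for when the fix has to go on more than one workstation. This is an added example, not code from the original post or from the KB article; the function name is made up, the zone numbers are the standard Internet Explorer zone IDs, and the WOW6432Node branch relies on the usual registry redirection for 32-bit programs on 64-bit Windows.

```powershell
# Added example: scripted form of the manual Regedit steps in the post.
# Run from an elevated PowerShell prompt.
function Set-ItssMaxAllowedZone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 is the value the post sets. Capped at 1 so the function cannot be
        # used to open help content from the less trusted zones.
        [ValidateRange(0, 1)]
        [int]$MaxAllowedZone = 1
    )

    $valueName = 'MaxAllowedZone'
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    $roots = @('HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x')
    # On 64-bit Windows, 32-bit programs read HKLM\SOFTWARE from WOW6432Node.
    if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') {
        $roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\HTMLHelp\1.x'
    }

    foreach ($root in $roots) {
        $key = Join-Path $root 'ItssRestrictions'

        # Record what was there first, so the change can be backed out later.
        $before = $null
        if (Test-Path $key) {
            $before = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        $beforeText = if ($null -eq $before) { 'not set' }
                      else { "$before ($($zoneNames[[int]$before]))" }

        # Someone may already have opened this up further than the post asks for.
        if ($null -ne $before -and $before -gt $MaxAllowedZone) {
            Write-Warning "$key is currently $beforeText; this run tightens it to $MaxAllowedZone."
        }

        if ($PSCmdlet.ShouldProcess($key, "Set $valueName = $MaxAllowedZone")) {
            if (-not (Test-Path $key)) {
                New-Item -Path $key -Force | Out-Null    # creates ItssRestrictions if missing
            }
            New-ItemProperty -Path $key -Name $valueName -PropertyType DWord `
                             -Value $MaxAllowedZone -Force | Out-Null
        }

        [pscustomobject]@{
            Key    = $key
            Before = $beforeText
            After  = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
    }
}

# Preview only; drop -WhatIf to make the change.
Set-ItssMaxAllowedZone -WhatIf
```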

UPS, unexpected power losses and oh? Have you done this registry fix?

Services may stop abruptly when you shut down or restart a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;839262

Jeff from TechSoEasy reminds me of a registry fix that we SBSers need to do.  He had an issue with unexpected power issues and now has a bit of a messed up server.  It reminded me that he may have needed to put in that registry fix. Now this will be in the SBS 2003 sp1, but for now, do this registry fix manually.

Just a reminder...DO NOT install Windows 2003 sp1 on your SBS box [even if Windows Update is offering it to you]

Um...so how do I "know" when something is running slower?

HANG LOOSE - THIS PATCH ISN'T INSTALLING AND A FILE INSIDE OF IT APPEARS TO BE A VERSION OLDER THAN WHAT WE ALREADY HAVE ON THE SYSTEM.  I'VE ASKED FOR CLARIFICATION ON THIS PATCH


FIX: Performance is slower on multiple-processor computers in the .NET Framework 1.1 Service Pack 1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;884041

SYMPTOMS

In the Microsoft .NET Framework 1.1 Service Pack 1 (SP1), you may notice slower performance on multiple-processor computers than on single-processor computers.

CAUSE

This problem occurs because .NET Framework 1.1 is linked to the single-threaded C runtime library that does not handle multithreaded access to heaps.

 
Remember... in SBS 2003 we 'have' .NET Framework 1.1 and if you used Windows update and patched yourself, you would have received this patch.  Therefore if you've WU'd yourself, or auto updated, you would have received .NET Framework 1.1 Service pack 1
 
Remember this is a FREE call to Microsoft and will NOT cost anything.

Allocated Memory Alert on Domain

Alert on DOMAIN at 1/31/2005 8:05:59 PM

A large amount of memory is committed to applications and processes. Consistently high memory usage can cause performance problems.

To determine which processes and applications are using the most memory, use Task Manager. Monitor the activity of these resources over a few days. If they continue to use a high level of memory and are less critical processes or services, try stopping and then restarting them.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.


 

If you are seeing that like I am I think we're hitting a threshold and we need to bump it up but I still have a SRX [PSS] call open on this.  As you can see tonight WHILE THE BACKUP WAS RUNNING [and mind you mine backs up two machines] and remoting in...and setting up a new monitoring alert [more on that later] and I think I was doing just a smidge too much.  Remind me to call back and see if they want me to kick up the health monitoring a bit.  We've seen a smattering of them lately and they tend to be Xeons or Dual Processors.

Just keep an eye out for them and we'll keep you posted.

RAY-ISM: So you want Outlook to stay with POP being the default on the client not Exchange?

While I think POP pulling into a workstation is silly as you should use the power of your server, if you absolutely positively MUST have your Outlook on your workstations individually POP AND do Exchange you'll want to make the POP be the “main honcho” of the mailbox.

A post in the newsgroup and a response from Les reminded me of this reg fix [originally posted by Ray-the Man Fong so I'm categorizing it under Ray-ism in honor of Ray Fong who graciously and patiently put up with a bunch of rowdy SBS MVPs in Charlotte, North Carolina]

At the client, create the following registry key:

Location: HKLM\Software\Microsoft\SmallBusinessServer\ClientSetup
Name: NoTransportOrder
Type: REG_DWORD
Data: 1

Loading up Remote Web Workplace or ConnectComputers on a brand new XP sp2

I make it a rule to merely add the web site of the SBS server I am going to either connect to internally or connect to externally in the trusted zone in Internet Explorer.  IE, Tools, Internet Options, Security, Trusted Sites, sites and then enter the web site like http://domain/connectcomputer or https://www.domain.com/remote  for the connect computer wizard or Remote Web Workplace respectively.

This ensures that the ActiveX scripting occurs as it should and I can join computers to the domain with no issue.  If you don't, you might not spot the tiny “info bar” at the top that is jumping up and down yelling at you to download the ActiveX control.

Just stick it in the trusted zone and all is well.

The ports of SBS

From the mailbag today comes the question from Alex... is there a way to publish Companyweb without opening 444?  And the answer is.... No.  You must have 444 for external access to CompanyWeb [Sharepoint].

SBS basically requires the following ports:

| TCP Port | Service | Description |
|---|---|---|
| 21 | FTP | Enables external and internal file transfer |
| 25 | Exchange Server | Enables incoming and outgoing SMTP mail |
| 80 (http://) | IIS | Enables all nonsecure browser access, including: internal access to IIS Webs including the company Web, Windows SharePoint Web, Windows SharePoint administration Web, and server monitoring and usage reports. Enables internal access to Exchange by OWA and OMA clients |
| 110 | POP3 | Enables Exchange to accept incoming POP3 mail |
| 123 (UDP port) | NTP | Enables the system to synchronize time with an external Network Time Protocol (NTP) server |
| 143 | IMAP4 | Enables Exchange to accept incoming IMAP4-compliant messages |
| 220 | IMAP3 | Enables Exchange to accept incoming IMAP3-compliant messages |
| 443 (https://) | Outlook | Enables all secure browser access, including external access to Exchange for Outlook 2003, OWA, and OMA clients; required for external access to server monitoring and usage reports |
| 444 | Windows SharePoint Services | Enables internal and external access to the SharePoint Web |
| 500 | IPSec | Enables external VPN connections by using IPSec |
| 1701 | L2TP clients | Enables external L2TP VPN connections |
| 1723 | PPTP clients | Enables external PPTP VPN connections |
| 3389 | Terminal Services | Enables internal and external Terminal Services client connections |
| 4125 (Note: you can change this port in RRAS) | Remote Web Workplace | Enables external OWA access to Exchange, plus internal and external HTTPS access to the client Web site |
| 4500 | IPSec | Internet Key Exchange (IKE) Network Address Translation (NAT) traversal |

If you need access to Sharepoint .... you MUST go through port 444.  For RRAS, the Sharepoint is automagically enabled if you merely click the box, for ISA they thought we'd be a bit more paranoid so you have to manually publish it.

 

What are the three things... oh wait...two things I do on my SBS servers?

Back in May I posted of the three things I've done on my SBS servers.  But I'm here for an update because I only do two of them now:

I no longer disable SMB signing in my network and have not found the need to do so.

Time Syncing

One important thing in a DC setting is to make sure everyone is on the same “watch”, timeclock, in sync and happy.  For those running SBS 2003 Premium, just a reminder that the packet filter automagically built by the wizard is set to TCP for port 123, not the UDP that is needed.  Therefore, follow this KB to set it up correctly:

The server cannot synchronize with an external time source after you run the Configure E-mail and Internet Connection Wizard on Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887355

Then follow the excellent documents from Mariette on the SBS site:

Smallbizserver.Net > SBS 2003 > Server issues > How to fix time synchronization errors:
http://www.smallbizserver.net/Default.aspx?tabid=156

So I have a SBS and I'm supposed to download Windows Server 2003 SP1 right?

WRONG.

First off, it's still a beta - it's only a release candidate so DON'T PUT IT ON YOUR PRODUCTION NETWORK.

Next off, while the “normal” rule is that any patch that is “normal” server is okay for us, we're going to get our own special version of Windows 2003 sp1 as part of our SBS 2003 sp1 combo.  The plan right now is to release “our” SP about the same time as our big brother server patch.

“Our” SP will also have [for premium customers] the eagerly awaited ISA 2004 upgrade.  At this time, while what I'd probably do [and I honestly need to do this myself] is start PLAYING in a NON PRODUCTION setting with ISA 2004, you DON'T [yes, I'm shouting] want to install this on your client's servers or even YOUR production network.  Word is that the SP will be for shipping/handling/media costs.

So don't download this Server sp release candidate.  Patience.  Wait for ours.

Two more patches you might need

There are two other patches that came out today... one is a re-release of the GDI+ patch that affects Visual Basic, .NET framework and Windows Messenger.  The other is a patch for the XP sp2 firewall and is available on Windows Update.  Since it's not deemed a Security patch, I'm not sure it will be on Shavlik.

Don't forget we still need to apply the mitigation patch for ASP.net for our Sharepoint and Remote Web Workplace.  There is still a final security patch in the works but this will fix us up ship shape and keep us protected for now.

SBS2003/Exchange/Messages stuck in pending submission issue with Trend Micro

Finally got the resolution on an issue that's been hanging around the SBS community since before September's SMBNation.  I think it was around the 04-025 IE patch time frame that we started seeing issues with stuck mail with SBS boxes and Trend.

Today I received word that there's a new patch for SBS2003/Exchange/Messages stuck in pending submission issue.

PROBLEM: Outbound messages would hang in the pending submission queue
CAUSE: A function inside the registry monitor thread of Trend's SMEX
RESOLUTION: Trend has released a hotfix to address this issue. "SMEX621_WIN_EN_HFB1127.exe"

I have an email into Trend because I do not see that link on their web site so look for a followup post to this posting.

UPDATE THE LINK IS LIVE -- CALL AN THE HOTFIX HERE http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=22654

I just added a bit of insecurity to my network

Windows 2003 by default does not turn on, doesn't even install ftp service.  To get my network back “exactly” to full working order by Monday I had to install ftp service and enable it.  Now after my old server is reincarnated as a member server I think I'll enable the IIS/FTP on it and move this to the member server...but in general here's the info to get a Konica copier to do scanning and printing


If you need to get a Konica copier/scanner attached to your network, you basically have to go back into add/remove windows components, drill down under the IIS components, add FTP.


Then you go to the default ftp web site and change the “landing place” to the location you have chosen to be your scan spot.


For setting up the print driver, don't forget it wants to be a LPR printer.


And flip the WinPrint to TEXT

 

[Sorry Sean LOTS of pictures in this one ;-)]

 


 

OH and one more thing... you don't NEED all those attachments

Just a reminder... your end users.. your customers? 

THEY DON'T NEED TO OPEN EVERY ATTACHMENT THEY GET.

They don't need .scr or .exe or .pif or any of that gunk.  Go into Scanmail and click on “enable attachment blocking”.  Click on the “Ok” that says turn this off after the incident.  Blow that off.  You want this setting on ALL THE TIME.  Now click on settings and click “block specific attachments” and adjust to those items that you want to block.  Here's a sample from a University of what they block.  Figure out those minimal attachments you have to have for business and block everything else.

P.S.  In that same screen make sure the quarantine is on a large place.  Those bad files locations can fill up.  Exchange 2003 sp1 no longer saves “badmail” which is a good thing these days.
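Why “block everything else” beats naming a few bad types, shown on a handful of constructed file names. This is an added example, not code from the original post and not how ScanMail itself matches attachments; the allow list and the function names are hypothetical.

```powershell
# Added example with constructed file names; not ScanMail's own matching logic.
$blockOnly = '.scr', '.exe', '.pif'            # the three types the post names
$allowOnly = '.doc', '.xls', '.pdf', '.txt'    # hypothetical business minimum

function Get-EffectiveExtension {
    param([string]$FileName)
    # Windows drops trailing dots and spaces, so "tool.exe. " opens as tool.exe.
    $clean = $FileName.TrimEnd([char[]]'. ')
    # Only the last extension decides how the file is opened.
    if ($clean -match '\.([^.\\/]+)$') { '.' + $Matches[1].ToLowerInvariant() } else { '' }
}

function Test-AttachmentPolicy {
    param([string[]]$FileName)
    foreach ($name in $FileName) {
        $ext = Get-EffectiveExtension $name
        [pscustomobject]@{
            Name          = $name
            Extension     = $ext
            # Policy 1: deliver unless the type is on the short block list.
            BlockListOnly = if ($ext -in $blockOnly) { 'blocked' } else { 'DELIVERED' }
            # Policy 2: deliver only the types the business actually needs.
            AllowListOnly = if ($ext -in $allowOnly) { 'delivered' } else { 'blocked' }
        }
    }
}

# Constructed sample names, not taken from any real mail flow.
$samples = 'Q3-budget.xls', 'invoice.pdf.exe', 'photo.jpg.scr', 'screensaver.SCR',
           'update.cpl', 'readme.vbs', 'tool.exe. ', 'README'

Test-AttachmentPolicy $samples | Format-Table -AutoSize
```

The .cpl and .vbs samples pass the three-item block list but are stopped by the allow list. The check looks at file names only and does not open archives.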

Antivirus anyone?

When I first got my other server, SBS 2000, I actually delayed the roll out of that server because you had to either wait for Exchange 2000 sp1 or do a funky registry workaround.  Because you never want to put a server in production without

  • Antivirus
  • Patching
  • Firewall
  • Backup

Fortunately for SBS 2003 we had antivirus protection AND Backup AND Firewall from Day 1.  The entire industry is working on the patching part [patience].

I like to have a server based antivirus that watches the server, the workstations and Exchange.  You don't want to have your workstations get the gunk... you want to block it at the server BEFORE it hits your desktops.

When loading up Trend, you can either follow Les's info or Amy's.

Remember at the end, you have to add the website of OfficeScan into the Trusted site zone of your Internet Explorer.  Tools, Internet Options, Security and Add that website to the trusted site zone to get the web site to work.

Next make sure you exclude Exchange files AND exclude our SBS Cal file locations. Since I moved my Exchange server files to my E: partition, I had to adjust Les's exclude info.

The Exclude for the CAL location is:

  • File - %windir%\system32\licstr.cpa
  • Folder - %windir%\windows\system32\lls

We do this because if you scan those files you “may” end up only having 5 CALs in the morning as the antivirus corrupts the files.  They are similar to Exchange files that you want to make sure are excluded.  [and no this doesn't happen in all cases but I'm a paranoid nutcase who likes to be prepared - notice I said “may” and not “will” - it doesn't always occur - and it's also caused sometimes by hardware issues]

Remember to enable the spyware setting in Trend as well and to ensure that quarantined virus files don't mess with your backup.

P.S.  To whomever thought to name the files that do the license counting with the extension of .cpa ... was that a coincidence or did you just figure it had to be a boring beancounter to keep track of the licenses?

;-)

P.S.S.  Don't forget to go into the Scanmail console [I use the not web based for this as I don't want to load JAVA on the server] and make sure it is set to update every hour on the hour.

Group policy anyone?

Thought I'd show you what I did to enable the NoLMHash

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases:
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

First I opened up Group Policy from start, programs, administrative tools, group policy management and went down to the Domain Controller section and right mouse clicked to “Create and link a GPO here”.

Next I named it what it was doing [LAN Manager Hash] so I could know that was the policy doing the “pushing”.  Next I right mouse clicked on the name and clicked “Edit”.

Now we drill all the way down, computer configuration, then expand windows settings, then security settings, then local policies, then security options and click on that section.

On the right hand side you should see a list of things you can do, scroll down to the “N” section and look for this setting:

Now double click and ENABLE that setting.

When you get all done the resulting window should look something like this:

The last two patches and a Security tweak

Hmmmm..... there's two patches that won't push down from MBSA/Shavlik so I'm doing them manually.  The first is the .NET 1.1 sp1 and the second is the 03-31 for the SBSMonitoring SQL/MSDE instance.  One tweak I'm putting in place is the “Dr. J Password security tweak“.  What?  Don't know what I'm talking about? 

If you have a full Windows 2000/XP network OR have made your 9x clients use the active directory add on, you can turn off something called Lan Manager Hash.  What's that?  It's a legacy leftover from IBM that we really don't need to keep turned on if we have up to date networks.

In this KB it talks about how to ensure that this hash is not saved.  Why is this important?  Because if you've ever played with LC4 or LC5 or John the Ripper, you know how quickly passwords can be retrieved if these hashes are saved.  It takes mere seconds for someone to retrieve your passwords if they are saved in this manner.  I've seen LC5 nail a 9 character dictionary word in mere minutes.

  • In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options
  • In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change
  • Click Enabled, and then click OK

So why are passwords important?  Let's think of all the ways and places that we rely on password for the first line of defense of security.

  • Banks and online banking.
  • ATMs and Debit cards and PIN numbers
  • Websites and online shopping

Don't you hope that all those places where YOU store passwords would enable that setting too?  [Granted you are probably not putting your password into an AD environment when you log in...but you get the point.] What other places do you put passwords in a computer system and probably don't know what procedures they have for protecting them?  I've seen places like Tmobile and ATT wireless airport signups demand that the password that I chose matched a secure policy.  I don't even want to admit how lame my Amazon.com password is.  Hmmmm... reminds me.... I should go change that sucker.  Excuse me while I go do that after I just admitted how lame it was  :-)

So I'm patching both my new server AND my hair

Finishing up the patching on the server and it was kinda getting a bit boring waiting for the patches and the reboots so I started multitasking and highlighting [patching] my hair at the same time [the blonde streaks were growing out].  Even with my Shavlik Patch tool there's a couple of patches that are not patched by Windows Update, MBSA, or HfnetchkPro and you must go to the download site to get.

The key ones to remember I'll pull out here:

You may also need some of these that can be obtained FOR FREE from Product Support.  Call your local Microsoft office and obtain the patches.

P.S.  Andy reminded me of a couple of others [check the feedback section and one in particular]

So you think you are patched, revisited

Pauli commented in “is there a Microsoft approved way to keep our boxes patched up?“

Yes, actually

If you, like he does, use only Windows Update and MBSA, you'll miss the asp.net vulnerability mitigation patch and the ISA server patch and some “fix up” patches like our Exchange 2003 sp1 post patch.

For Pauli, I'd recommend continuing what he's doing, WU and MBSA, but add visiting that Download page.  I do need to ping back to Microsoft that the ISA server patch isn't yet listed on that page but it was “just“ rereleased the other day to fix up an issue that they were having.

There is currently a public beta going on of something called WUS or Windows Update Services but it's a BETA, at this time does not include SQL server or ISA server, and SHOULD NOT under any circumstances be run on a production box.  We're still on our way to “patch heaven”.   We're not there yet, so we'll have to be a bit more patient.  Aligning all the products to use two patch engines and getting them into a “one engine” patch mechanism has taken time.

I personally would recommend that you check out Shavlik.com's HfnetchkPro.  It's still my way way way preferred method of patching.  Through the kindness of their hearts they offer a free version that patches 1 server, 10 workstations.  About three years ago or so, I bought and put on maintenance their HfnetchkPro.  You'd have to pry my dead fingers off that interface.  I do wish they would have a per seat pricing structure, but even the 25 user version is only $24 per computer.  Look at it that way, and my data is way worth more than $24!  I do a combo of HfnetchkPro AND the download page to keep me patched up.

Thanks Pauli for the comment and I hope this helps?

Disk full? I think not.

So the other night I'm saving some files up to the server that I needed to load on the server and it gives me the message, disk full.  Disk FULL?  No way.  Well remember this is my play baby server here at home and I never turned off the disk quotas so I was being limited by the “quota” on the drive.

Guess what I turned off.  You got it. Disk quotas.  I don't go around limiting people's space on the hard drive.. we just buy bigger disks that's all.

To disable disk quotas

  1. Open My Computer.
  2. Right-click the disk volume for which you want to disable disk quotas, and then click Properties.
  3. In the Properties dialog box, click the Quota tab.
  4. On the Quota tab, clear the Enable quota management check box, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
  • To open My Computer, click Start, and then click My Computer.
  • If the volume is not formatted with the NTFS file system or if you are not a member of the Administrators group, the Quota tab is not displayed in the volume's Properties dialog box.

If you are on SBS 2000 with ISA 2000 with sp2 and want to do an inplace upgrade...

Don't forget that you still need the “255 patch“ ahead of time
Download details: ISA Server 2000: Required Updates for Windows Server 2003: 
http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en

..if you haven't checked out the Secunia.com web site..

The Secunia.com web site is an excellent resource for Vulnerability and patch information by product.  Nice search engine, nice graphics, cool information.  There's still a need for a place, a product that will patch EVERYTHING on the Small Business Server box.

Windows Update does not patch everything on the server.

SUS does not patch everything on the server.

Shavlik's HFnetchkPro only covers security related patches.

This site lists the SBS specific patches.

But there isn't one page, one site that I can send people to for ALL the patches they might need for a SBS box.

It still needs to be easier to maintain a SBS box out here.

Fix for Exchange 2003 SP1 issues - SBS's download 'em

Today Microsoft released an update which resolves several issues that occur
after Service Pack 1 for Microsoft Exchange Server 2003 is installed on
Microsoft Windows Small Business Server 2003.  Currently only the English
and German versions are available.  We will be publishing updates for our
other languages in the near future.

Issues resolved by this update include:

  • When you log on to Microsoft Outlook Web Access (OWA) or Microsoft Outlook Mobile Access (OMA), you must include a domain name when you enter a user name. For example, you must enter domain\username instead of only username.
  • The monitoring tools in Windows Small Business Server repeatedly send a critical alert regarding store.exe consuming memory.

Installing this update resolves these issues in the following manner:

  • When you log on to OWA or OMA, you no longer need to include a domain name when you enter a user name.
  • The monitoring tools no longer send the critical alert. Instead, the Performance Counter called "store.exe Private Bytes" is disabled by default.

You will see a link to this fix on the main download page for Small Business
Server 2003 at
http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx

The location of the fix is here

...so you want to support ISV's better?

So over on Mary Jo's blog she's been talking in the past about how Microsoft is making a bigger push for supporting ISV's [you know,  Developers, developers, developers....] and just today the “blog” worked in a mysterious way.  The other day I posted about how to get hotfixes.  And I admit when I call, I'm normally getting one hotfix at a time AND I'm in the USA where I can call an 800 number 24/7.  Today in the comment section, I got a post from Mica about how he was an ISV/OEM and he had gone through the KBs and tracked down a whole bunch of hotfixes that he needed for a project that he is developing.  He had called PSS and the contact there had asked Mica to email him the list of patches.  The PSS contact forwarded the request to the Windows 2003 server group and that's where the ball got dropped. 

Bottom line Mica never got his patches.  So I asked Mica for the PSS contact and then started a series of follow up emails and bottom line Mica now has his patches that he needs [thanks Brad].

But here's the /rant part of the email:

It shouldn't be this hard.

Why can't there be a web site that an ISV or OEM uses an authenticator ...say passport [yeah I know, we all hate to use it for authentication but get over it] to get into and then can download whatever hotfixes they need.  We all know they aren't regression tested.  We all know that we should test them first [for the record I've historically had more good experiences with hotfixes than Service packs ...but that's another story].

Make it easier for ISV's and OEMs to get these hotfixes.  I totally understand that there is no such thing as “perfect“ software and never will be, but I would want my manufacturer to have the ability to ensure he's got the latest “whatever“ he needs to build me the best system ever.

I can't believe I'm posting this.....

But if you have Windows 98 machines still connecting to your SBS 2003 [cough cough ick], call and get this hotfix:

323466 - Availability of the Active Directory client extension update for Windows 98:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323466

And then do the following for maximum connectivity ~

 Registry change:

Add the following registry key on the Windows 98 clients to force them
to use NTLMv2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (you may need to
create the Lsa key)

Value Name: LMCompatibility
Data Type: REG_DWORD
Value: 3
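
An added example (not from the original posts): a small Python audit that reads the text of a `reg export` of the Lsa key and checks the two settings discussed on this page, the NoLMHash tweak pushed by Group Policy and the LMCompatibility value of 3 for Windows 98 clients. The sample exports are constructed; the NoLMHash name (a DWORD value on XP/2003, a subkey on Windows 2000 SP2 and later) comes from KB 299656, and the role labels "server" and "win98" are hypothetical.

```python
import re

# Lower-cased path of the Lsa key named on this page. Registry key and value
# names are case-insensitive, and exports spell the hive "SYSTEM" or "System".
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Accepts the "REGEDIT4" header (Windows 98) and the "Windows Registry
    Editor Version 5.00" header (2000/XP/2003; decode that file as UTF-16
    before passing it in). dword data becomes an int, other data stays raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name, data = match.group(1).lower(), match.group(2).strip()
            if data.lower().startswith("dword:"):
                try:
                    data = int(data[6:], 16)
                except ValueError:
                    pass  # malformed dword: keep the raw text so it is reported
            current[name] = data
    return keys


def lm_hash_storage_disabled(keys):
    """True if the export shows LM hash storage switched off."""
    if keys.get(LSA_KEY, {}).get("nolmhash") == 1:   # XP / Server 2003 form
        return True
    return (LSA_KEY + r"\nolmhash") in keys           # Windows 2000 subkey form


def audit_export(text, role):
    """Return a list of findings for one machine's exported Lsa key."""
    keys = parse_reg_export(text)
    findings = []
    if role == "server":
        if not lm_hash_storage_disabled(keys):
            findings.append("NoLMHash not set: LM hashes are still stored")
    elif role == "win98":
        level = keys.get(LSA_KEY, {}).get("lmcompatibility")
        if level != 3:  # also catches a string "3" created instead of a DWORD
            findings.append(f"LMCompatibility is {level!r}, expected 3")
    else:
        raise ValueError(f"unknown role: {role}")
    return findings


# Constructed sample exports (not taken from any real machine).
SERVER_OK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
'''
SERVER_W2K = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash]
'''
SERVER_UNSET = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"limitblankpassworduse"=dword:00000001
'''
WIN98_OK = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibility"=dword:00000003
'''
WIN98_STRING = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibility"="3"
'''

if __name__ == "__main__":
    for label, text, role in [("server ok", SERVER_OK, "server"),
                              ("server w2k", SERVER_W2K, "server"),
                              ("server unset", SERVER_UNSET, "server"),
                              ("win98 ok", WIN98_OK, "win98"),
                              ("win98 string", WIN98_STRING, "win98")]:
        print(label, audit_export(text, role) or "OK")
```

As the policy's own name says, the LM hash is only dropped on the next password change, so a clean result here does not mean existing hashes are gone until passwords have been changed.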

Shavlik posts that it's updated its XML file

Shavlik Technologies has released updated XML files for Shavlik HFNetChkPro.
XML data version = 1.1.2.105 
Last modified on 5/31/2004

 This update includes the following changes:
 - Added detection for Exchange Server 2003 SP1

(we are still testing the deployment instructions for this SP, thus the package
is not available for download and deployment at this time.  We will release an
updated XML file when this SP is available for download and deployment via Shavlik
HFNetChkPro.)

- Added detection and deployment for ISA Server 2000 SP2

I'm not surprised that the Exchange file is not ready to deploy.  I've seen some people having a few issues with the install and it needs the GZIP patch prior to installation.  Plus post installation we need to adjust some settings.

So I just moved around the furniture a bit...

And added a new post category of “Needed Patches/Tweaks” to capture all the items needed to finish up an install “after“ the box is loaded with SBS2k3.

I'm stealing this disclaimer from Les [Les is More]

Be aware that this list is a compilation of all hotfixes and configurations.
They do not all apply to all installations, do not use them out of context.
Use only what is required for your installation.

Patch for BCM with SBS2k3 - http://msmvps.com/bradley/posts/7228.aspx

Tweak for change in Domain\User after Exchange 2k3 sp1 - http://msmvps.com/bradley/posts/7156.aspx

Memory switch tweak  http://msmvps.com/bradley/posts/7147.aspx

Exchange 2003 sp1 -  http://msmvps.com/bradley/posts/7084.aspx 

POP3 Connector patch - http://msmvps.com/bradley/posts/6920.aspx

ISA Server 2000 - sp2 http://msmvps.com/bradley/posts/6868.aspx

Tweaks that “I“ personally do - http://msmvps.com/bradley/posts/6193.aspx

Installing Trend - http://msmvps.com/bradley/posts/6038.aspx

Hotfixes - now included in Exchange 2003 sp1 - http://msmvps.com/bradley/posts/5295.aspx

Error #50070 STS_Config - http://msmvps.com/bradley/posts/4292.aspx

Change REG key http://msmvps.com/bradley/posts/4283.aspx

Disk quotas/permissions http://msmvps.com/bradley/posts/4040.aspx

Faxes not opening right? http://msmvps.com/bradley/posts/4025.aspx

Sharepoint slow to open? http://msmvps.com/bradley/posts/3799.aspx

Error 800423f4 in backup log? http://msmvps.com/bradley/posts/3792.aspx

Install SUS http://msmvps.com/bradley/posts/3074.aspx

POP Connector taking all resources? http://msmvps.com/bradley/posts/2540.aspx

Install GFI faxmaker http://msmvps.com/bradley/posts/2155.aspx

VSC and SQL server issues http://msmvps.com/bradley/posts/1239.aspx

Tweak ISA http://msmvps.com/bradley/posts/1221.aspx

Disable NDR http://msmvps.com/bradley/posts/1220.aspx

Hooking MACs into your LAN? http://msmvps.com/bradley/posts/1161.aspx

Add ISA to the console http://msmvps.com/bradley/posts/1112.aspx

Flat file backup of Sharepoint http://msmvps.com/bradley/posts/1103.aspx

Sharepoint fix http://msmvps.com/bradley/posts/1089.aspx

Outlook over HTTP http://msmvps.com/bradley/posts/1043.aspx

Anti Virus fix http://msmvps.com/bradley/posts/932.aspx

Enable Full text search http://msmvps.com/bradley/posts/822.aspx

Hotfix for Travan drive http://msmvps.com/bradley/posts/808.aspx

Get Sharepoint through ISA http://msmvps.com/bradley/posts/796.aspx

Exclude site from Google Searches http://msmvps.com/bradley/posts/618.aspx

Sharepoint on first launch http://msmvps.com/bradley/posts/599.aspx

I think that's all the funky patches and tweaks that us SBSers need for post installation.  Do I need any more?

Patch to get BCM working with SBS2k3

Download details: Business Contact Manager for Outlook 2003 Update: Windows Small Business Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=EAB86AF5-1F5E-4EF3-9691-90F9B870B9B6&displaylang=en

Don't want to type in domain\user after Exchange 2003 sp1?

UPDATE - THIS WORKAROUND ISN'T GOING TO WORK 100% - SO JUST HAVE YOUR CLIENTS TYPE IN DOMAIN\USER - THE SBS TEAM IS WORKING ON A PERMANENT FIX

820378 - Outlook Web Access session unexpectedly quits when forms-based authentication is used:
 
http://support.microsoft.com/?kbid=820378

 

If you want to change OWA so that you don't have to type in domain\user after the application of Exchange 2003 sp1, Matt Gibson in the public newsgroups says --

“Go into IIS admin, go to your OWA website, right click on the exchange dir
and go to "Properties".  Then go to the "Directory Security" tab, and click
on the "Edit" button under the "Authentication and Access control".  At the
bottom of the new window, you'll see "Default Domain" and "Realm".  Just
change "Default domain" to your domain, and you'll be good to go.”
 
Update by Roger Crawford --  
 
Update to this be sure to include doing this on the Public Virtual  Folder
or you will get kicked out of Public Folders when you try to view them
 
Update from the newsgroups --
 
Just try rerunning the CEICW which will setup the proper settings as OMA is messed up as well
 

Then I would like to explain this issue in more detail for you:
By default, after running CEICW in SBS 2003, the component will set the
Default Domain property on the corresponding IIS sub-directories (under
Authentication -> Access Control) as follows:

1) /Exchange/: \ (certainly you can change it to SBS
domain name so you do not need to input the domain name any more. Since you
had mentioned that you do not need to input the domain name in the
previous, you may change this by yourself in the previous)
2) /Microsoft-Server-ActiveSync/: SBS domain name
3) /OMA/: SBS domain name

This is considering the fact that PPC or mobile phone cannot use the
reverse backslash character when inputting credential.
(This is why I say your workaround that you had found is correct and the
best solution because this is just the correct setting for OWA and OMA)

The Exchange 2003 SP1 may change the settings back to the default (/OMA/:
\ ). And this causes the issue on your system.
Or 
 
A poster in the newsgroup says that he used the following workaround -- 
“I used the "Default domain" entry box via IIS management, Exchange and OMA
websites, Authentication and Access Control to set a default domain. After
that, the logon process for OWA and OMA work like they did pre-SP1.”
I put together some screen shots here to help out -- 
http://www.sbslinks.com/domain.htm

 

If you are using the POP Connector in SBS 2003 - Get this patch

835734 Many unexpected outbound e-mail messages appear in the SMTP queue in
http://support.microsoft.com/?id=835734  [that link not quite live as of 12:45 on Friday... should be shortly though....]

Download details: Update for Windows Small Business Server 2003: KB 835734:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7b1ff109-092e-4418-aa37-a53af7b8f6fc&DisplayLang=en

There is a problem with how the POP3 connector processes certain messages downloaded from a POP3 server. This problem could result in the POP3 connector accidentally re-sending certain messages to recipients who are not part of the SBS server e-mail domain.
This may happen only in the cases where the POP3 connector is used to download mail from an external POP account. Customers using Exchange to host their mail internally will not experience this problem. This update resolves this issue.
All SBS customers are encouraged to install this update.

ISA Server 2000 SP2

 Download details: ISA Server 2000 SP2:
http://www.microsoft.com/downloads/details.aspx?familyid=c8d3d98b-1cd4-406a-a04a-2aa2547d09a3&displaylang=en

Now do I install this Friday night...or wait until right before Memorial Day weekend...hmmm.... ;-)

There are three things I've done on my SBS2k"fill in the number" servers

This first one is to help with an issue of file transfers

1. Disable digital signing http://www.smallbizserver.net/DesktopDefault.aspx?tabid=98

This second one is to ensure that file locking doesn't occur on databases.
2. Disable oplocking http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264

Lastly this turns off the annoyance XPs and 2k's have of “falling” off the LAN and then needing to be clicked to be reconnected.  In our little LANs I turn this off.
3. Disable autodisconnect http://support.microsoft.com/default.aspx?scid=kb;EN-US;138365

How to install Trend Antivirus on SBS 2003

Stealing a post from Les Connor

Here's the procedure for Trend CSM for SMB.

1. Decide whether you want to use the Administrator account for CSM, or
another account. If you don't want to use the Administrator account,
create an account. (I use the Administrator account.)

2. Run setup - install on IIS is generally the only selection available.
3. Enter the FQDN server.domain.local OR the IP of the SBS. I prefer the
IP, it seems to work better.
4. Install into IIS Virtual Web Site (NOT the default web site).
5. Use port 8085 for communication.
6. Deselect SSL.
7. Use Administrator account - If ISA enter proxy info, if no ISA enter
nothing in proxy.
8. If you don't have the activation code - register now, the email with
the code comes real quick. (note that you can go this far prior to the
actual install if you like, and get the activation code so you don't
have to do this while installing).
9. Accept the server/client port.
10. Accept the client installation for the SBS (installs the Officescan
client on the server)
11. The install proceeds, then open the admin console.

- This completes Officescan installation, now on to Scanmail.

12. Go to the Scanmail link on the left, and install Scanmail to the IP
of your SBS. Scanmail and eManager are installed.

- This completes the installation of CSM SMB. Now you need to make some
settings.

1. In the CSM console, click on the Clients view so you can see the
Officescan 'domain'. Your SBS will be listed there.
2. Create a new Officescan 'domain', and move your SBS computer to the
new domain. The original domain will be used for workstations.
3. Click on your SBS computer icon, and set the client privileges to
your liking.
4. Click on Scan options | Real time Scan settings, and find the
Exclusions link.
5. Put pagefile.sys in the lower 'file' exclusion list.
6. Put c:\Program files\exchsrvr, \trend, and \trend micro in the
directory exclusion area.
Note that if you have moved your exchange data and or logs somewhere, be
sure to exclude them. Note also you can be more granular with your
exclusions if you want - you don't have to exclude the entire directory.

Another note - there is a tick box for excluding Trend product
directories, but I do it manually anyway.
Yet another note - On all screens make sure you APPLY the settings by
scrolling down to the bottom and clicking the button.

What you've done with the two Officescan 'domains', is enabled different
settings for the server versus the clients. Now when you add client
machines, you can set the options on that domain (rather than each
workstation) so they apply to all workstations, but not the server.
Sometimes this is useful.

7. Click on Updates, Server updates, Automatic Update, check the options
and set the frequency to hourly.

8. Click on Manual Update, select the options you want, and update now
to get the latest files and make sure connectivity is there.

9. Log off Officescan console.

Scanmail

1. Use the non HTML console from start | all programs.
2. Log on, click on Scheduled Update.
3. Enable scheduled update, and set it to hourly, select pattern file
and engine.
4. If you use ISA, click on the Proxy Settings button and enter the
proxy info.
5. Click on Update Now, select the options, set proxy info if you use
ISA, and click on Update now.

Those are the basics to get protection. You can learn the fine tuning
and option stuff (including eManager) as you go.

--
Les Connor [SBS MVP]

..yes this should be installed on a SBS 2003 box

A recent rollup patch just came out for Exchange server 2003.  The first question that comes up is “Is this for SBS 2003“?  The answer is anything that is for “normal“ Exchange 2003 is for us. 

838236 - How to obtain the Exchange Server 2003 post-RTM Store rollup:
http://support.microsoft.com/?kbid=838236
This includes the fix for the Titanium error [event 8331] as well.

Also the EHLO blog has a “customized Mailbox limit - quota messages” for Exchange post today!  Check it out here http://blogs.msdn.com/exchange/archive/2004/04/20/117024.aspx

KC Lemson also talks about it on her blog here:  http://blogs.msdn.com/kclemson/archive/2004/04/20/117027.aspx

[update] These are also included in Exchange 2003 sp1

Are you getting an error referring to #50070: Unable to connect to the database STS_Config?

From a post in the newsgroups....

“Based on my research, this problem could be caused because the SharePoint
Timer Service failed to contact the SharePoint database while the SBS is
rebooting. In SBS 2003, the SharePoint Timer Services is used to send
notifications and performs scheduled tasks of WSS. It needs to access the
SharePoint database when starting. Since the Veritas Backup exec software
is installed on the server box and several backup exec related services
have started during the reboot, these services could keep the SharePoint
database from being mounted in a timely manner, thus, causing the problem
to occur.

I reproduced this problem in my test machine. After the MSSQL$SHAREPOINT
service has stopped, this error message will be logged in the application
log. You may now try to manually start this service to see if the problem
will still occur.

1. Start-->Run-->Type 'services.msc' (without the quotation marks) and
press Enter.

2. In the Services console, stop the 'SharePoint Timer Services'. Check the
status of the 'MSSQL$SHAREPOINT' service, make sure it has been started and
then restart the 'SharePoint Timer Services'. The problem should be
resolved.

If there is no problem with the manual service startup, we can set a
service dependent of the SharePoint Timer Service. Please try the following
steps:

1. Start-->Run-->Type 'Regedit' (without the quotation marks) and press
Enter.

2. In the registry editor, navigate to the following registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPTimer

3. Right-click the blank area in the right panel, click
'New'-->'Multi-String Value'.

4. Input the value name 'DependOnService' (without the quotation marks) and
then double-click the newly created value. In the value data area, type
'MSSQL$SHAREPOINT' and click 'OK'.

5. Close the registry editor and reboot the server box.”

An action item for all SBSers - change a Reg key entry

Heads up for all SBSers... this KB is something you need to look at and take action.  It talks about a registry key change that needs to be made on all SBS2k3 boxes.  The reg key was entered wrong and you have to delete it out and correct it.  I'll post up some screen shots later on to show you where this reg key is located:

839262 Services may stop abruptly when you shut down or restart a Windows
Small
http://support.microsoft.com/?id=839262

 


 

If you are having issues with saving files on your SBS2003 check this:

If you can't save any files into your folders check two items:

First, ensure your permissions are set right:  http://www.sbslinks.com/permissions.htm

Next ensure that disk quotas aren't causing issues - review this KB for information on Disk quotas and adjust them or turn them off if needed

326212 - HOW TO: Manage Disk Capacity and Usage Using Disk Quotas in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326212

Are faxes not opening right on your SBS 2003?

If your faxes are not opening right, it's probably because Quicktime was loaded up. Try uninstalling Quicktime or the following steps:

1. Save a .TIF file on the Desktop.
2. Right click on the .TIF file, move to Open With, and then select Choose Program.
3. Select Windows Picture and Fax Viewer from the list. 
NOTE: Place a check mark in Always use the selected program to open this kind of file.
4. Click OK to open the photo image with Windows Picture and Fax Viewer. 
5. Close this window, and then test if this problem is solved.

Take a look at these:

319196 OFFXP: Cannot Preview Scanned TIFF File in Windows Picture and Fax Viewer
http://support.microsoft.com/?id=319196
329270 You Cannot View TIFF Images Using Windows Picture and Fax Viewer
http://support.microsoft.com/?id=329270

An option put forth by Kevin W. in the newsgroups is to load alternative TIF viewer programs:

Check out:
http://www.alternatiff.com/  or http://phoenix.gov/tiffview.html

Gavin reports that alternatiff has lots more options for viewing and he's considering loading this up on all his installs.

 

Sharepoint slow to load when first opening it up? Tweak it!

You can speed up the launching of the Companyweb site by changing the IIS
Application Pool.

Go to IIS Manager
Open the Application Pools
Right click on the DefaultAppPool and go to properties
Go to the Performance Tab
Uncheck the top box - shutdown worker processes after being idle.

http://www.sbslinks.com/AppPool.htm

Error 800423f4 in your backup log file?

828481 - Error 800423f4 appears in the backup log file when you back up a volume by using the Volume Shadow Copy service in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q828481

SUS on SBS2k3

This document helps you plan, install, deploy, and test Software Update Services (SUS) Server 1.0 in order to update your Windows® Small Business Server 2003 network.

Installing GFI Faxmaker 10 in SBS2k3

 How to install GFI Faxmaker 10 in SBS 2003.

On a default SBS 2003 installation, the Microsoft Exchange MTA stacks
service and functionality are disabled. Faxmaker requires the interaction
with this service for its Exchange connector to function properly. In order
to get the full functionality of Faxmaker or any other product that requires
the use of a connector through the MTA, the following steps need to be
followed:


How to re-enable the MTA Stacks in SBS 2003.

Enabling the MTA is a two step process; it requires making changes to the
startup type of a service and also performing some registry edits.

Before starting, make sure you have a good working system state backup.

1-Removal of Registry Keys:

1.1-Open Regedit.exe

1.2-Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\servername\Private-guid_of_private_mdb

Remove (Delete) the following two entries:

            "Gateway In Threads"

           "Gateway Out Threads"

1.3-Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\servername\Public-guid_of_public_mdb

Remove (Delete) the following two entries:

            "Gateway In Threads"

           "Gateway Out Threads"

1.4-Close Regedit.exe.

2-Changing the startup type of the Microsoft Exchange MTA Stacks service.

2.1-Open the Services MMC (or open Run and type Services.msc and then press
OK).

2.2-Double click on top of the Microsoft Exchange MTA Stacks entry to open
its properties.

2.3-In the General tab, change the Startup type from Disabled to Automatic,
click Apply and then start the service. Close the properties.

2.4-Do not close the Services MMC yet.


3-Re-starting services


3.1-Select the Microsoft Exchange System Attendant service and re-start
it; this will also re-start all dependent services. (If Faxmaker was
already installed, re-start the proper services from that product.) If in
doubt, re-start the system.

3.2-Close the Services MMC.


4-Install GFI Faxmaker 10 if it has not been installed yet. If it was
already installed, faxes should start flowing through Exchange to FaxMaker
once the services are re-started.

If you are having issues with SQL server and Volume Shadow Copy, you may need this fix

826936 - Time-Out Errors Occur in Volume Shadow Copy Service Writers, and Shadow Copies Are Lost During Backup and During Times When There Are High Levels of Input/Output:
http://support.microsoft.com/?id=826936

Tweaking ISA's memory usage

ISA defaults to using 50% of free memory for caching.
ISA Management -> Servers and Arrays -> Servername -> Cache Configuration
-> Advanced tab. Next to Percentage of free memory to use for caching,
change the number from 50 to 10.

Need to disable NDR in your Exchange?

Disable NDR:
From Exchange System Manager, go to Global Settings, Internet Message Format.
Double-click the entry in the right pane. On the Advanced tab, uncheck Allow
non-delivery reports.

Hooking Macs into your SBS2k3?

Mac OS X 10.3: How to Look Up ".local" Hostnames via Both Rendezvous and Standard DNS:
http://docs.info.apple.com/article.html?artnum=107800

Better yet - don't call your server .local, call it .LAN

Adding ISA to the management console

If you want to add ISA to the console....
1. Right-click itprosbsconsole.msc from Documents and Settings\All 
Users\Application Data\Microsoft\SmallBusinessServer\Administration
2. Select Author.
3. Click File -> Add/Remove Snapin. 
4. Add the ISA snapin to anywhere you like. (You can double click Home 
Page, Advanced Management. Then put it below Migrate Server Settings).
5. Save the file and close the snapin.

Flat file backup of Sharepoint

Generally, if we restore an individual SharePoint file, we need to have a
file-based backup image of your SharePoint documents. As far as I know, there
are two ways to perform file-based backup for your SharePoint database. For
your convenience, I included the methods below:

Method 1. Use NTBackup.

=====================

According to our test, we can map the folders under \\companyweb as network
drives now. Thus, we can use NTBackup to back up or restore the files in
these folders (network drives) directly. To do so, please follow the steps
below:

1. Map the \\Companyweb\Foldername folder as a network drive

2. Run NTBackup and back up the network drive.

3. When you need to restore one file in this folder, simply run NTBackup to
restore

Method 2. Use Stsadm.exe.

=====================

If you have enabled the recovery of SharePoint files, you can recover a
file or list item by restoring the entire site from a backup to a subsite
of http://companyweb, selecting the file or list item that you want to
restore, extracting it, and uploading it to its original location. To
enable the recovery of individual SharePoint files, please use the
following procedure:

1. Click Start, click Control Panel, click Scheduled Tasks, and then click
Add Scheduled Task.

2. Click Next on the first page of the Scheduled Task Wizard.

3. Click Browse, go to %SystemDrive%\Program Files\Common Files\Microsoft
Shared\Web server extensions\60\Bin, and then double-click Stsadm.exe.

4. Select how often you want this task to run, and then click Next.

5. Select the time you want to run the schedule, and then click Next.

6. Enter administrator credentials, and then click Next.

7. Select the Open advanced properties when I click finish check box, and
then click Finish.

8. On the Task tab in the dialog box that appears, in the Run box, type
"%SystemDrive%\Program files\Common files\Microsoft shared\Web server
extensions\60\Bin\Stsadm.exe" -o backup -url http://Companyweb -filename
target path -overwrite, where target path is where you save the backup of
your internal Web site. Click OK. You must type the quotation marks.

If you have enabled this before, you can follow the steps below to restore
the missing files:

1. Click Start, click Command Prompt, and then type "%SystemDrive%\Program
files\Common files\Microsoft shared\Web server
extensions\60\Bin\Stsadm.exe" -o createsiteinnewdb -url
http://companyweb/sites/RestoredSite -ownerlogin DOMAIN\administrator
-owneremail administrator@DOMAIN.local -databasename STS_RESTORE, where
DOMAIN is your server domain and administrator@DOMAIN.local is your
administrator's e-mail address. Include the quotation marks as part of the
path. Press ENTER.

2. Type "%SystemDrive%\Program files\Common files\Microsoft shared\Web
server extensions\60\Bin\Stsadm.exe" -o restore -url
http://Companyweb/Sites/Restoredsite -filename target path -overwrite,
where target path is the location where you chose to save your SharePoint
backup. Include the quotation marks as part of the path. Press ENTER.

3. Open Internet Explorer, and in the address bar, type
http://Companyweb/Sites/Restoredsite. The site that appears is the same as
your company Web site.

4. In the restored site, navigate to the missing file.

5. Right-click the file, select Save Target As, and then select a location
to which to save the file.

6. Repeat steps 4 and 5 for all missing files.

7. Open your company Web site, navigate to the location where the missing
files should be, and then on the SharePoint toolbar, click Upload Document.

NOTE: The second method is provided in the SBS Server help. You can find
this by the following steps:

1. Open Server Management.

2. Click Standard Management->Backup.

3. Click Restore Sharepoint files in the right pane.

However, if you have not performed either method above to enable file-based
backup, I am afraid that we may have to restore the entire database.

Sharepoint Fix

 This critical update corrects the issue “Installation of intranet component and browsing to http://companyweb fail in Windows Small Business Server 2003” (KB832880). Installations and upgrades performed after November 24, 2003 may be affected by this issue.
http://www.microsoft.com/downloads/details.aspx?familyid=cb7e90a1-de9d-4a83-85f8-951e9f055bf0

[UPDATE - just go to Windows update after installing the server and get this hotfix]

Outlook 2k3 over http - get this hotfix.

331320 - Outlook 2003 Performs Slowly or Stops Responding When Connected to Exchange Server 2003 Through HTTP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q331320

[note this is for the XP workstations]

Fix for A/V causing issues with Remote Desktop

821438 - FIX: Antivirus Programs May Cause Some Web Applications to Restart Unexpectedly:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;821438

Publishing Sharepoint through ISA

 Making Companyweb available via RWW with ISA installed.

NOTE: If ISA isn't installed, it all works through the CEICW, no further
configuration required.

NOTE: Run the CEICW first to create a certificate.

1. Create a new protocol definition for Inbound TCP/444

Go to ISA -> Policy Elements -> Protocol Definitions. Create a protocol
definition called "Companyweb Inbound" (Port number: 444, Type: TCP,
Direction: Inbound)

2. Create a Server Publishing rule to publish the new protocol.

Go to ISA -> Server Publishing Rules, create a rule called "Publish
Companyweb". Specify the internal and external IP, set it to apply to
"Companyweb Inbound" and Any Request.

3. Assign the FQDN cert to the companyweb with SSL port set to 444

Go to IIS -> Companyweb Properties. Directory Security tab. Click Server
Certificate -> Assign an existing certificate. Next, you should have 2
different certs available. One is the FQDN, the other is
Publishing.domain.local. Pick the FQDN and continue. Set the SSL port to 444
and next all the way.

4. Do the regedits for the sharepoint links you want to display in RWW.

HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\KWLinks\STS to 1
HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\AdminLinks\STS to 1
HKLM\Software\Microsoft\SmallBusinessServer\RemoteUserPortal\AdminLinks\Help Desk to 1

5. Type "iisreset" at a command prompt.
6. Restart ISA Server Control.
7. From a remote location, verify you can telnet to FQDN on port 444.

So if you created your certificate for server.domain.com, then server.domain.com
must be reachable from the internet. If all you have is a fixed IP address,
then create your certificate using the IP, "123.456.789". Then telnet to
123.456.789 444 to verify. If this doesn't work, go back to the top and try
again, starting with the CEICW to create a certificate.

8. Connect to RWW and you should see the SharePoint links.

NOTE: If your remote client happens to also be behind an ISA server, you're
not done.

ISA does not allow HTTPS traffic on port 444 by default. Opening the packet
filters should not change the behavior since that only affects server based
communications. Your client is behind ISA and will be using the protocol
rules and if the HTTP Redirector is enabled it will also use the
site and content rule for its HTTPS requests. You need to follow the
instructions on the following article (change the port range to 444,444) on
the ISA server.

283284 Blank Page or Page Cannot Be Displayed When You View SSL Sites

http://support.microsoft.com/?id=283284
Now officially documented here:
838304 - How to publish http://Companyweb to the Internet by using ISA Server 2000 on a server that is running Windows Small Business Server 2003, Premium Edition: 
http://support.microsoft.com/?kbid=838304

Enabling Full Text Searches in Sharepoint by upgrading to SQL

 
To enable full-text search, do the following:

1) Upgrade the SharePoint named instance of SQL to full SQL Server 2000.
Be sure that you install/add Full-Text Search (listed in the steps in
premiuminstallsteps.htm on the Premium CD).
2) Once the SQL Server named instance is upgraded and service packed,
go to Start/Administrative Tools/SharePoint Central Administration, scroll
down to the Component Configuration section and click the Configure
full-text search link. Then select the checkbox to enable full-text search
and index component.

Once that is done, go back to the companyweb site and you
should see a text box in the upper right corner of the page (with a
magnifying glass icon to the left) to enter your search criteria.

Hot fix for Travan tape drive mis-identification issue

This hotfix corrects the problem of NTBackup incorrectly choosing the backup tape type on a drive that supports multiple tape types.

Hotfix needed for the SBS2k3 to fix a "help and support center" issue

 
This hotfix corrects a problem with the Help and Support Center in which
Japanese-language Help files were incorrectly included in the
English-language version of Windows Small Business Server 2003.

http://www.microsoft.com/downloads/details.aspx?familyid=25121bcb-a35a-4cf9-9c36-566677115ff5

If you are getting script errors in OWA in SBS2k3... get this fix:

831464 - FIX: IIS 6.0 Gzip Compression Corruption Causes Access Violations:
http://support.microsoft.com/?id=831464

[UPDATE - THIS IS NEEDED PRIOR TO INSTALLING EXCHANGE 2003 SP1 AND IS IN THE INSTALL PACK (I think anyway, I'll check)]

Tip for excluding your box from Google Searches

Some customers may wish to exclude their SBS 2003 installation from the
scope of Web search sites such as Google.com.  This may be because you would
prefer to restrict knowledge of your installation only to those who can use
it, or, you may want to keep some portions of your site (e.g. Business Web
site) searchable while keeping other portions under the radar of Web search
sites.

There is a way to do this using the Robots Exclusion Protocol.  By placing a
simple text file at the root of your Web site, you can tell Web search
robots which parts of the Web site are open for search.

I've attached two versions of robots.txt that I've whipped up for my SBS
2003 server:

  1. robots.txt - Allows search of your business Web site but hides
SBS-specific sites from search robots.
  2. robots2.txt - (Must be renamed to robots.txt) Denies search of your
entire Web site.

For more information, check out these sources:

http://www.robotstxt.org/wc/robots.html

http://www.searchtools.com/robots/robots-txt.html

http://www.searchengineworld.com/robots/robots_tutorial.htm

Many Web sites implement this functionality.  For example, you can check out
http://www.cnn.com/robots.txt.

Please respond to this post if you have any questions or comments - let us
know how this works out for you!

Thanks,
Alan Billharz

Program Manager, SBS 2003

# Place this file at the root of the Default Web Site (%SystemDrive%\inetpub\wwwroot)
# to allow search engines to catalog your Business Web site, but not catalog the other 
# SBS-specific Web sites. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 


User-agent: *
Disallow:   /_vti_bin/
Disallow:   /clienthelp/
Disallow:   /exchweb/
Disallow:   /remote/
Disallow:   /tsweb/
Disallow:   /aspnet_client/
Disallow:   /images/
Disallow:   /_private/
Disallow:   /_vti_cnf/
Disallow:   /_vti_log/
Disallow:   /_vti_pvt/
Disallow:   /_vti_script/
Disallow:   /_vti_txt/


# Place this file at the root of the Default Web Site (%SystemDrive%\inetpub\wwwroot)
# to prevent all search engines from cataloging your Web site. 
# 
# Note that you must choose to publish the root of your Web site to allow the search 
# engine robot to read this file.  In the Configure E-mail and Internet Connection Wizard, 
# choose to publish Business Web site (wwwroot). 

User-agent: *
Disallow: /
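
A check that can be run against either file above, added here as an example (it is not part of the original post or any Microsoft tooling): it uses Python's standard urllib.robotparser to list which URLs a rule-following crawler may still fetch and which paths the file itself announces. The crawler name ExampleBot and the test URLs are constructed; matching is a case-sensitive prefix match, so the two edge-case URLs are not covered by the first file.

```python
from urllib.robotparser import RobotFileParser

# First robots.txt from the post above (its comment lines omitted).
SBS_ROBOTS = """\
User-agent: *
Disallow:   /_vti_bin/
Disallow:   /clienthelp/
Disallow:   /exchweb/
Disallow:   /remote/
Disallow:   /tsweb/
Disallow:   /aspnet_client/
Disallow:   /images/
Disallow:   /_private/
Disallow:   /_vti_cnf/
Disallow:   /_vti_log/
Disallow:   /_vti_pvt/
Disallow:   /_vti_script/
Disallow:   /_vti_txt/
"""
# Second file from the post: deny everything.
DENY_ALL = "User-agent: *\nDisallow: /\n"
# Constructed test URLs: business pages, SBS paths, and two edge cases
# (different letter case, missing trailing slash).
TEST_URLS = ["/", "/products/index.htm", "/remote/", "/exchweb/bin/",
             "/Remote/", "/tsweb"]


def crawlable(robots_text, urls, agent="ExampleBot"):
    """Return the URLs a rule-following crawler may still fetch."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return [u for u in urls if parser.can_fetch(agent, u)]


def published_prefixes(robots_text):
    """Return every Disallow value, i.e. the paths the file announces."""
    prefixes = []
    for line in robots_text.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes


if __name__ == "__main__":
    print("still crawlable:", crawlable(SBS_ROBOTS, TEST_URLS))
    print("deny-all leaves:", crawlable(DENY_ALL, TEST_URLS))
    print("announced paths:", published_prefixes(SBS_ROBOTS))
```

robots.txt is advisory and readable by anyone who requests it, so /remote/, /exchweb/ and /tsweb/ still depend on their own authentication rather than on being left out of search results.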

Is your Sharepoint a bit sluggish on first launch?

 You can speed up the launching of the Companyweb site by changing the IIS
Application Pool.

Go to IIS Manager
Open the Application Pools
Right click on the DefaultAppPool and go to properties
Go to the Performance Tab
Uncheck the top box - shutdown worker processes after being idle.