October 2005 - Posts

It is a small world, isn't it?

Warning -- listening to the music at the beginning of this SBS Podcast may get it stuck in your brain....

I was listening to the SBS Podcast, whose theme is about community and I just loved some of the comments in the show this week about how we all win when we share.

Now I do need to clear up a few things... First off... I'm Lutheran and not Catholic....so .. you can probably skip the ring kissing and just tell folks to give me a hug instead.  Now how I ended up not liking Coffee and addicted to Mountain Dew AND raised in the Lutheran church.... I have no idea..... google or msnsearch on the long standing relationship between Lutherans and Coffee...anyway.....and secondly... I'm just one person and one view.  You really want to hear and listen to a lot of people and not just me.  And you know what really rocks about the SBS world?  Is when we realize that we can sooooooo help each other when we reach out to one another.

I'm going to a user group meeting tomorrow night in Fresno.  Now it's not an SBS meeting, it's an IT techy one, so I won't get all that good SBS business processes stuff like Susanne and Amy talk about, but it's still a mini bit of my geek get togethers where I don't have to lower down the tech talk.  And there's usually an added benefit that we techs can play stump the techy sales guy.

Now what Chris did not tell you was how we two really met.  You see we first met virtually.  Both of us had gone to a CPA Tech conference and not met one another there.  But he did meet Anne.  So he, I and Anne started swapping emails post conference and it was finally AT SMBnation that I got to meet up with a kindred spirit.

And that's exactly what the SBS experience is indeed all about.  We are kindred spirits out here.

So point your browser to www.sbsgroups.com and find yourself a group of kindreds.

Speaking of Wireless

So are you up on your TLAs?  Three letter acronyms?  Wireless has TONS of 'em.  On the download center a document about wireless was just posted.

Presents two deployment methods for secure wireless access: one for small office/home office (SOHO) networks and one for small organizations.

Here at home I have the wireless on the 'outside' of my network but I am using WPA with preshared key.  I need to bring it inside the network but just haven't yet, mainly because I don't domain join this Tablet PC anyway....

It's mainly used for hotels, travel ...and .... for when the Evil Queen has to man the front door at Halloween.

I'm guessing Prince Charles doesn't have a Tablet PC

Well here I am... it's Halloween evening again..... Evil Queen...handing out candy at the door and in between the trick or treaters on the tablet pc connecting wirelessly to the upstairs network.  And sitting here in this garb got me thinking about how yesterday I read a CNN article about how Prince Charles is concerned about the environment and global warming [yes, good] but then he said ......

.....he was worried about the importance of technology in modern life.

"If you make everything over efficient, you suck out, it seems to me, every last drop of what, up to now, has been known as culture," Charles said in the interview, which was recorded last month in Poundbury, England.

"We are not the technology. It should be our ... slave, the technology. But it's rapidly becoming our master in many areas, I think," he said.

Funny because for me, technology has brought me more culture.  It's made me more aware of other countries, other cultures and customs.  It's opened doors for me and introduced me to people that I'd never meet otherwise.  Heck, many a time I've had conversations with people for many months before I ever meet them in person.  

So what about you?  Do you find technology opens more doors?

Oh gotta go... I hear the trick or treaters at the door... 

Interested in CRM 3.0? November 10th in Vancouver is where you want to be!

 

Canada once again is first to the UserGroups for Scott Colson on CRM 3.0!

 

VANCOUVER: Microsoft Small Business Server User Group - Build stronger customer relationships with Microsoft CRM.  

 

Sign up here!

Event Code: 1032285155

 

Date: November 10, 2005 6:30PM - November 10, 2005 8:30PM

Language: English

 

Location:

Microsoft Canada

1111 W. Georgia Street, Suite 1100

Vancouver, British Columbia

Canada

V6E 4M4

 

General Event Information

 

Products: Microsoft Business Solutions CRM, Small Business Server

Recommended Audience: IT Professional

 

Description: Microsoft CRM is a flexible and customizable platform that can be configured to meet unique business needs. Join Scott Colson of Autonomix Inc. to review the overall structure of Microsoft CRM, explore its native Outlook experience, learn how to create custom entities, and set up workflow rules to automate common business processes. Demonstrations will be performed using Microsoft CRM 3.0 installed on Windows Small Business Server 2003, with highlights of new 3.0 features exclusive to the Small Business Edition.

 

AGENDA

 

6:00 PM – 6:30 PM              Registration

 

6:30 PM – 8:00 PM              Presentation

 

8:00 PM – 8:30 PM              Questions and Answers

32 downloads later.... I'm back to my "Brett" condition

Okay so I feel a bit like Brett tonight.  I had a set back in deploying my new workstation.  You see I've come to the conclusion I'm not a hacker.  Not in the traditional definition.  One that can figure things out.  Because even though there's supposedly a hack to get yourself from a XP pro to a MCE 2004 or 2005, I was like a fellow SBSer Frank and could not get the hacks to work. 

So I flattened my workstation that I've been working on trying to migrate to for months now.

Yup, I repartitioned it and started over.

Not that I had done a whole lot to it... I was in the equivalent of putting together of categories on a blog like Brett is at when I decided to just start over and rebuild the box.  I could not get all the media edition stuff on there.  This is why they really and truly recommend that you only buy it OEM anyway as all the issues I had with finding drivers and WinDVD decoders so the Media edition would play.

So now I'm about back to where Brett is right now.  Media Edition is loaded up, patched up with 32 security patches.  The funny thing is that the Rollup Update wasn't in the section I would have thought it was, but instead down in the recommended section.  But so far it's finding the TV stations and tuning in like it should.

...so exactly what is Squeaky Lobster enabled anyway?

Things we can do to workstations that we shouldn't do to servers

I think a new server should have a “Care and feeding” document for new owners.  You know, those folks that have never seen or used a server before.  I'd make sure it said things like .....

  • This isn't a workstation so don't have someone sit and use it as one
  • This isn't meant to be turned off at night
  • This isn't meant to be reformatted and reinstalled without a plan to recover the active directory.

You know my other concern of what I am seeing?  Underspec'd servers.  We're starting to put a lot on these boxes and we're not thinking at all about drive speeds, controller cards, SCSI versus SATA and all that.  I mean like there's no way I could put CRM [which is another MSDE database] on my home server which is already stressed with WSUS.

We've seen issues with underpowered servers not being able to handle ISA's MSDE database and it will stop the service at midnight.  Flip the logging to flat file and the server will be fine.  Treat the server with respect and it will treat you nicely.  Underspec it and you'll find you get some unusual errors.

I have ghosts

Stuck in my monitoring database are ghosts.  I didn't properly remove my usb harddrive so now at 5:50 my alert system hits me via email and IM and tells me I have low disk space.  But I really don't.  See those dates? It's an OLD alert and not a current one.  And I have yet to figure out a way to clear them out of the database other than rebooting the server so it will reset the counter.

So don't worry.. it's nothing to fear.. my server is not possessed... it's just a bit haunted by ghosts that's all.....


From:  <Administrator@domain.com>
To:  <sbradley>
Subject:  Low Disk Space Alert on DOMAIN
Date:  Sat, 29 Oct 2005 17:49:10 -0700
>Alert on DOMAIN at 10/27/2005 5:49:05 PM
>
>The following disk is low on free disk space. Low levels of free disk space can cause performance problems and prevent users from saving files on the disk.
>
>Drive Letter: HarddiskVolume6
>Free Disk Space: 0.000000. MB
>% Free Disk Space: 0.000000.%
>
>You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.
>
>
>Kind regards,
>Administrator

I want to keep my system safe as possible

“I don't want to use exchange because I want to keep my system as safe as possible.”

Heh.  This must be “good enough security“ tonight or something.

The poster on the Lockergnome posting site should understand something about Exchange.  He's thinking that having Exchange running is adding 'insecurity' when I would argue that if you don't install it and use its power to clean, despam, and protect from viruses, and instead use POP accounts to pull in email directly inside your desktops you are not using the power of the server to better protect you. 

In my network I pull off just about all attachments and only let those attachments that I need for absolute business into the desktop.  Then I ensure that I have an Exchange aware antivirus and it cleans the email before it hits my desktop. 

Bottom line thinking that a part of an operating system not used will make you more secure may not be the right thing.  You need to look at the bigger picture. 

In this case, fully utilizing what you have, I think will go farther to help you be more secure.

Good enough security

What's enough security?  What's good enough security?  We got to talking about this in regards to a couple of blog posts and patching.  I was attempting to remotely patch my SBS box over remote web workplace and because the SMTP service got stuck taking down IISadmin, remote web workplace also got a little smooshed in the process.  We got to talking about remote patching and how you can do it safely and dependably.  A terminal services connection will give you the most consistent and dependable patching connection.  But given Terminal services historical issues [TSgrinder comes to mind] how can you defend a well known port of 3389?

Well one thing that you can do if you add the premium edition is ISA server.  With the addition of the premium firewall you can set it up so that the TS port only responds to you the consultant.  With Remote Web Workplace, the firm's employees really don't need access to that straight TS port do they?

But what else can you do to give good enough security?

Passwords/passphrases. 

Today I toured the open house of a hospital with a new treatment center.  And as we were walking through the computer rooms, me being the geek I am, I was looking at what systems they were running.  And there on the screen was ... taped to the screen.... the user name and password.  And it was quite a sucky password.  I mean ... the whole idea behind urging folks to write down passwords in the first place is to ensure that you choose better ones.  The one I saw today, written down, taped to the screen certainly was not in this category.

A long administrator password helps hugely to better protect that Administrator account.  The human brain has a limit to what we remember.  There's a limit in our brains of how much we can process and remember. 

Good enough security means taking extra precautions.... like passwords.

Adding more space

Hey, I didn't think of that one....

I asked a question on how the SBS Podcast gang felt about repartitioning domain controllers given our new ability to increase Exchange to 75 gigs....and Damian in the podcast recommends to simply 'add a volume' or mount a new drive to an existing space to make that Exchange partition bigger.  That reminds me of the blog poster and he had his Exchange on a Maxtor one touch.  Yes, you read that right, they were running their entire Exchange store on a backup device.  Now I would not consider that an optimal setup, but it showcases that the Exchange store can go just about anywhere.  Obviously it's preferred to be on a nice harddrive and not a usb connected device.

They also recommended when buying harddrives to get a drive that has a 3 or 5 year warranty .... that 'is' your Email, and the gang from the podcast are recommending considering putting it on another controller card if you do grow that database large.

It says they are seeing more performance issues as we start layering on databases... when you spec out and buy your server... consider that.

THE SBS Support Podcast ready for download!

Whooo hooo another Podcast download ready to go from the SBS support gang!!!

SBA on SBS [revisited]

The other day in the comments to the blog, Greg posted the 'how to get SBA on SBS' and yes, while there is a whitepaper in the works, you know us geeks we want to try everything NOW... so without further ado here it is:

Here is the configuration that worked for me - steps supplied by Microsoft:

On SBS
1. Go to Start | Run, type in svrnetcn and choose OK
2. Choose MICROSOFTSMLBIZ from drop under instance "SQL Server Network Utility" dialog
3. On the Left side of the dialog in the "Disabled Protocols" window select "TCP/IP" and click on "Enable" button.
4. On the right side of the window select the "TCP/IP" and click on "Properties" button.
5. In the "Default Port" field of the new dialog type 56183
6. Click OK to confirm
7. Click OK on the next dialog to confirm
8. Click OK on the Message "Any changes made will be saved; however, they will not take effect until SQL server service is stopped and restarted".
9. Click OK on the next dialog
10. Go to Start | Run, type in services.msc and choose OK
11. In the Service Window, locate the MSSQL$MICROSOFTSMLBIZ instance and highlight
12. Choose to Stop the Service
13. Start the service

Then Perform the following steps:

1. Go to File | Manage Users, create your users
2. Once that completes go to File | Data Utilities
3. Choose Rebuild File, create a new .sbc file (give file unique name that you will recognize)
4. Send that .sbc file you create to client computer (where user you created on step 1 has access) where SBA is installed
5. Attempt to launch using the .sbc file

Exchange 2003 sp2 success on my home server!

[UPDATE] - SEE THE POST IN THE SHAVLIK FORUM FOR THE ANSWER AND MORE WORKAROUNDS

http://forum.shavlik.com/viewtopic.php?t=2612

Bottom line.. Exchange patches suck.  I can't wait until the next version of Exchange and for the Monad era.  In the patching world, in my opinion, Exchange is the 'drag'.

The other day I blogged about an issue I had on my home test server.  And with the help of the SBS engineers, first in the tier one level and then via escalation, we got it figured out.

So let's recap what was happening in my system.

First off when I installed it on my Dell OEM test system, I had no issues.  But when I came and did it on my home test system, it gave me an error during the install of Active Sync:

Setup failed while installing sub-component Exchange ActiveSync with error code 0xC0070643 (please consult the installation logs for a detailed description).  You may cancel the installation or try the failed setup again.

And when you hit cancel it completed and then sent a Dr. Watson report.

The error message pointed to one file.. MSXML3.MSI and when we went to manually install that I got the next error message of:

A network error occurred while attempting to read from the file:  C:\Program Files\Exchsvr\bin\msxml3sp5.msi

So in working with the SBS escalation team [and by the way, you know you are in trouble when they conference call you in to the Engineer in charge of the case and he goes, “Susan, Susan Bradley?“...uh... yeah...]  and well, it happens to be one of the gang on the SBSPodcast that you just listened to last weekend.  :-)

So we started a series of investigations to figure out exactly what was going on.  Remember the server was still functional, I'm still in 'test mode' so we started this process of swapping emails and me sending log files back and following the instructions [command line stuff...yuck...thank goodness for cut and paste]

And finally in the last set of instructions to build them a debugging log file so they could see what the installer was getting stuck on, we found the answer:

Shavlik HfnetchkPro

You see on this system at home I had installed Shavlik, unlike the Dell OEM and unlike my real baby at the office where it's installed on my workstation.  And because the Shavlik had installed its own patched version of MSXML3SP5.MSI in a file location, the installer for Exchange 2003 sp2 couldn't handle an installer location differently than what it was expecting.  [Well that's my take anyway].  So the SBS gang had me export out a reg key [backing it up first of course] and we tried the install again.  So first they asked me if it had this reg key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\45D60EC31B272B44BA064E72E78CE04F]

Yes it did

If it exists, it should have a value of ProductName set to Microsoft XML Parser.

Yup, and in looking at it you can tell it was installed by Shavlik

If it exists, export and delete the key.  Then reapply Exchange 2003 SP 2 to see if it installs without producing the error regarding msxml3sp5.msi.

It did.
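One way to script the check, export and delete sequence described above, as an added example that is not from the original post or from Microsoft support. It uses PowerShell (which postdates the post) together with reg.exe; the function name and the backup folder `C:\RegBackup` are assumptions, and the SourceList lookup is an extra read-only step that shows where Windows Installer expects to find the package.

```powershell
# Added example (not from the original post). Run from an elevated prompt.

# Key path and expected ProductName are the ones quoted in the post.
$KeyPath      = 'HKLM:\SOFTWARE\Classes\Installer\Products\45D60EC31B272B44BA064E72E78CE04F'
$RegExePath   = 'HKLM\SOFTWARE\Classes\Installer\Products\45D60EC31B272B44BA064E72E78CE04F'
$ExpectedName = 'Microsoft XML Parser'

# Assumption: hypothetical backup location, change to suit your server.
$BackupDir = 'C:\RegBackup'

function Remove-StaleMsxmlRegistration {
    # ConfirmImpact = High makes PowerShell prompt before the delete
    # unless the caller passes -Confirm:$false; -WhatIf gives a dry run.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Step 1: does the key exist at all?
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Host 'Key not present; this is not the cause of the setup error.'
        return
    }

    # Step 2: only proceed if the key really is the MSXML registration.
    $product = Get-ItemProperty -Path $KeyPath
    if ($product.ProductName -ne $ExpectedName) {
        throw "ProductName is '$($product.ProductName)', expected '$ExpectedName'. Key left untouched."
    }

    # Read-only extra: the SourceList subkey records the package name and
    # the folder Windows Installer last used, which shows who installed it.
    $sourceList = Join-Path $KeyPath 'SourceList'
    if (Test-Path -Path $sourceList) {
        $src = Get-ItemProperty -Path $sourceList
        Write-Host "PackageName    : $($src.PackageName)"
        Write-Host "LastUsedSource : $($src.LastUsedSource)"
    }

    # Step 3: export the key before touching it, and verify the export.
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDir "msxml-product-$stamp.reg"
    & reg.exe export $RegExePath $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backupFile) -or
        (Get-Item -Path $backupFile).Length -eq 0) {
        throw "Export to '$backupFile' failed. Key left untouched."
    }
    Write-Host "Backup written to $backupFile"

    # Step 4: delete the key, then reapply the service pack by hand.
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Delete registry key')) {
        Remove-Item -Path $KeyPath -Recurse
        Write-Host 'Key deleted. Reapply Exchange 2003 SP2 now.'
        Write-Host "To roll back: reg.exe import `"$backupFile`""
    }
}

Remove-StaleMsxmlRegistration
```

Running it with `-WhatIf` performs the checks and the export but skips the delete.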

Now because the Gods of computers are with me tonight, of course my SMTP service got stuck and would not nicely stop [which of course hung the Patch reinstallation], so I think when I do this for real, I'm going to be manually stopping that SMTP service 'FIRST', just to be safe.

So for that other guy in the German newsgroup?  You have Shavlik on your box?

"With a second installation on another system I now get the error 0xc0070643 during the installation of the ActiveSync subcomponent!?!?"


The moral of this story?

This was a free call because it was an issue with a service pack but honestly... it was an issue caused by a third party software installed on my server.  My real baby at my office, I tend to keep that box lean and mean with a minimum of extra software so I would have never hit this issue.  I have seen others get hit by this issue, like the guy in the German group, so one of the reasons why I didn't blow this off and just go “oh well, the box still works, I'll just let it go” was to help the next guy down the road.  This “is” my test box so I could take as long as I wanted to.  Service packs don't need to be installed during lunch [or while you are taking a shower even, geeze ;-)]  Unlike Security patches, I can take the time to test them and to understand fully a snag I hit in a test environment.  While this is a real box, I could have done a similar test with a VServer or VPC image.  And now with Exchange 2003 sp2 on the box, that's now officially supported in a virtual environment as well.  So, I now know that this issue will not be one that I'll see on my real baby, and I can let a couple of folks know that pinged me about that blog post to have them check on their boxes for Shavlik as well.

Calling into Product Support Services means that the issue will now be documented, my SRX case will be filed and the next time someone hits this issue it will be known immediately and that person fixed right up.

So the next time you have an issue with a Service pack or a Security patch... call. 

 

Guess who is the same age as Disneyland?

Wow, I didn't realize that someone was the same age as Disneyland.  Today is his birthday.

I mean who knew what started out as this, with a mug shot like that would end up affecting how we communicate. 

I just emailed with some of my friends..... friends that are in Australia and Canada.  I ping on IM a guy in New York.  I have more people on my IM that live outside of my state than in it.  Look at the communication we do that we just now take for granted.

So why don't you use a little bit of technology tonight to wish someone a happy day in honor of someone else's birthday today.

Getting ready for Exchange 2003 sp2

I want to do a very special backup before I install Exchange 2003 sp2.  I'm going to dismount the store and yank a copy of it off to a harddrive.

So how do I do this?

Well first...[it's been a long time since I've done this the last time so someone ping if I'm saying it wrong]  I fire up the Services [or in my case just click on the icon on the desktop as I dragged it out there] and I stop the Exchange store on ExchangeIS and also the SMTP service so mail doesn't queue up and then I'm going to Dismount the stores like this, and copy them somewhere.

I really don't HAVE to do this.  And so far my one test upgrade went absolutely fine....and....I think I know what my prior issue with my test Exchange server box was [stay tuned, will blog on that one next if what I/we think it is, is what it is].

But an offline backup doesn't hurt every once in a while, right?

Taking action

91 percent of Canadian small businesses see Software piracy as unethical, says the headline.

Unfortunately around the world, there aren't enough Canadians, I guess.  Because there are enough firms, enough folks that are going to screw it up for the rest of us.

What am I talking about?  The Microsoft “Action Pack”.  It's a software kit for Microsoft partners to use and install and LEARN the software.  And it's reasonably priced.  Very reasonably priced.  To the point where there are some folks willing to nit pick their way through the verbiage to justify its use in their business.

Recently on a list serve I'm on, one of these 'oh yes, I deserve it' situations came out.  The firm argued that because they devised and deployed Microsoft solutions for their own employees and independent contractors that they qualified.  That's like saying “Gee, because I write Excel Macros in my firm I qualify for Action pack because I deploy solutions”.

Give me a break.  The intent, the goal of the Action pack is to get consultants, resellers, Vars, Vaps more comfortable with the product to in turn, drive more sales.  It's not to provide cheap software for some customer who's willing to bend the rules.  In my book, unless you are in the new MPAN program for Accountants, if you are a firm and you have to HAND the box to someone to install it, then you don't comply with the rules of this offer.

So if you are one of those folks that are bending the rules to get Action pack?

Don't.

Stop it.

You'll screw it up for those of us who are legal.

You in the Heartland?

Do you sell SBS boxes?  Sell to small and medium businesses?

Hey there's a blog for you if you do!

Welcome to the Technical blog site for the Heartland Area Small & Mid-Market partner community. The intent is for this to be your one-stop shop for the latest news, tips, tricks, and other items of relevance. Please provide your feedback and comments so that the site can be customized to provide the most value to you.

Thanks for visiting the Heartland Area blog for the latest updates targeted to our partners supporting small and midmarket customers in Michigan, Ohio, Kentucky, and Tennessee.

The site will be moderated by the Heartland SMS&P Partner Technology Specialist team of Steve Luper, Marc Malotke, and Terry Stein.

How does one move data?

How does one move data from one machine to another? 

A variety of ways...

OEM - Using OEM computers I use the XP file and transfer wizard to transfer settings from one computer to another and then I 'hang' the old drive off the inside of the new system to ensure that in case someone forgot something, I can go back and easily get a copy of that data.

OEM - Imaging - I've used a process of disk or drive imaging to move an exact image of a drive to a larger hard drive.  It doesn't even freak out product activation.

Non OEM - if the speed of the harddrives is the same, [why do I want the same speed?  Because if the newer computer has a faster drive I want to keep the faster drive in a machine and not replace it with a slower one....get it?] I will just image or even just move the harddrives.  If you attempt to just merely swap harddrives between two OEM systems [I was lazy one day... uh... don't do it ... you end up with WPA [product activation] freaking out both machines].

Now... all of my critical business stuff is on the server.  All of the gunk that I'm dragging around from desktop to desktop is ...well..it's just gunk... service packs, ISOs, downloads and other crud.  But it's all the stuff I just 'might' need someday ... so I end up dragging it from one computer to another.

So what about you?  How do you migrate the 'stuff' of a high maintenance/packrat kind of a computer user?

So how long is that going to stay connected?

You know there's one thing that concerns me about those new SATA drives that I am now getting in my office in our new computers..... those cables.  It just seems to me that they seem a heck of a lot flimsier than the old fashioned ones.  In fact on my home PC ....yeah, yeah .... the one I'm STILL building.... I've knocked off the data cable putting in cards a couple of times now.

And I think I need to start carrying spare SATA parts and certainly need to get a SATA ready USB enclosure.  One of the gang on the malware lists said that she was delayed a bit tracking down cables and hardware so she could work on an infested drive.

My normal trick of moving data from one computer to the other and then hanging the old drive off the new system isn't going to work this time without additional cables and connections.  It has no IDE cables inside the Dell Optiplex we just got. 

So how many spare parts do you have lying around?

 

MS Partner roadshow in Australia

This sounds so cool [especially the part about afternoon tea]

But look...presentations on ALL the cool stuff... SBS, Mobility, CRM 3.0, Office 12 and Vista.

Presentations by HP [I love my HP server by the way].

Sign up HERE!

Small businesses in Australia are a huge, high growth market, with big prospects for Microsoft Partners. To provide superior control and expertise, as well as further opportunities for growth, Microsoft has developed the Small Business Specialist program.
Learn more about this exciting program that includes:
  • Specialised technical and sales training
  • Improved access to support and resources and
  • Customised marketing tools

CRM beta now live

http://mscrmearlyaccess.com


And yes I'm a TOTAL TOTAL newbie at CRM.  Someone in a newsgroup said that Newbie was a bit ...well...just not a word that most folks wanted to hear...but you know what... being “newbie” means that you are learning something new.  And that's good isn't it?  I mean technology changes.  Look at the latest thing ... CRM...customer relationship management....that's a process evaluation.  It's not technology per se, but an application that you need to go in and question the business processes, question the data flow, and for many of us, it means something new, something we might not have asked about before.

So...how about you go be a newbie, eh?

How to troubleshoot Windows Update, Microsoft Update, and Windows Server Update Services installation issues

How to troubleshoot Windows Update, Microsoft Update, and Windows Server Update Services installation issues:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;906602

For an excellent resource on WSUS, head on over to www.patchmanagement.org and sign up for the WSUS listserve over there.

Getting prompted for your Office 2003 CDroms?

I'm stealing this from a posting Dave Nickason did in the Public newsgroups

 

Questions have come up recently about being prompted for the Office CDs while patching with Microsoft Update or WSUS.  Since it's an obvious annoyance for a user or admin to be prompted for the CD while trying to work on something else, here's a way to avoid being prompted for the CDs.

 

Office 2003 has a feature called "Local Installation Source."  The last step in the Office install is to choose whether or not to remove the installation files.  If you allow the installer to leave the files, they are left on the workstation, typically in C:\MSOCache.  (On systems with more than one partition, the files may be cached elsewhere based on space considerations). The recommended practice would be to leave the files after installation, but you may have already installed Office and removed the files, or you may be dealing with an OEM install where the files were not cached.

 

If you allow the Office installer to create the Local Installation Source, that should keep you from needing the Office CDs for Detect and Repair, Demand Install (features set to install at first use), Maintenance Mode Setup (running a repair or adding features from Control Panel Add/Remove), and patch and SP installations.  See this KB:  http://support.microsoft.com/default.aspx?scid=kb;en-us;825933.

 

If for whatever reason Office has already been installed without caching the installation files, or if you want to change their location, the Office Resource Kit offers a free utility, aptly called Local Installation Source Tool.  When you download and run the tool, one option is Enable, which will create a new LIS for an existing Office install.  At least theoretically, running this tool should be the last time you're prompted for the Office 2003 CDs.  In addition to providing the CDs for Office, the LIS Tool will want them for any additional Office product installed on the PC, such as OneNote.

 

Get the Local Installation Source Tool from  http://www.microsoft.com/office/orkarchive/2003ddl.htm.  (Bookmark this page - it's where you get all the ORK tool downloads).

 

Local Installation Source FAQ:  http://support.microsoft.com/default.aspx?scid=kb;en-us;830168

Inside SBS Podcast - THIS FRIDAY

Coming to you straight from the heart of Texas, Inside SBS is recording
live this Friday. This will be our sixth week, and we're just getting
started!  The audio equipment is finally all in place, the soundboard's
tweaked, and the mic's are ready.  Please join us for a discussion on
all things SBS.

The show starts at 11:00 AM CST.  Going forward, we're probably going to
start alternating showtimes to allow different people here to
participate.

Phone number for the live call-in portion of the podcast:

(866) 500-6738
Use participant code: 5362361 (changes weekly)
 
You can also reply to the blog, send email to sbspod@microsoft.com,
or leave voicemail at 206-984-0184.
	
Thanks to all our listeners who have promoted us, offered feedback and
advice, and supported us thus far.  I hope to make this a meaningful,
regular contribution to the SBS community.

Cheers,
Mark

whoohoo another 'clean the house and listen to the gang about SBS weekend' for me!!  
These shows are really cool and great for listening while traveling to a client or other stuff.

Is there CRM 3.0 in the air?

Well I don't think it's here yet, but there's a page where you can sign up for early {BETA don't use real stuff} access to Microsoft CRM 3.0.

A couple of interesting CRM blogs to watch

Well the SDK is out anyway :-)

If you have an OEM computer...check your time zone

It's that time of year when all those new OEM computers you bought will suddenly put appointments an hour off.  Don't believe me?  Trust me.  I haven't met a bog standard OEM installed OS yet.  The fun will be next year when daylight savings changes and Microsoft and other vendors have to patch our computers to fix this.

So why do I say check your time zone in an OEM computer?

Because that little box down there that says “adjust for time change” will not be checked in an OEM system and your computer/laptop whatever will stay on whatever timezone it was set on.  So you may be on 2 p.m., but the server is on another time.  It makes for a REAL mess.

So just do me a favor, click that and check [well.. you can if you are running with admin rights, otherwise flip to admin and check]

I'd like a little management with my SBS please?

Yo?

Yes?

The other day when we were swapping out that harddrive in the member server did you bump the UPS's on the big server?

Maybe, why?

Because my 6 a.m. email said it had a power drop in power supply 2 on the HP server and I was just wondering if it's because you bumped the UPS's or something.  The issue corrected itself, but I thought I'd check.

Now that I think of it, yes I did.

Okay, no prob.


That's about a transcript of the conversation I had the other day regarding some errors I saw in the log files.  Addicted to IT talks about the process of being 'proactive'.  Of knowing what your clients are doing.  Of being one step ahead.  Of managing and not reacting.  Because my system tells me what's going on I can check on things before they are unhappy and turn into messes.

But there's more.....lots more than this....that's just technology of break/fix. And break fix is stupid.  It's reactionary.  It guarantees in my part of the world that I will end up calling my clients and saying “oh gee, we had a Security incident [virus, worm, fill in the blank] and something might have happened to your identity“.  But managed services means you proactively monitor your clients, help build solutions that don't just install a server, but bring business value.  VOIP and our new kissin' cousin CRM are two new markets for SBS.

I do have to disagree with one thing in that new document ...it says...

If you are a Gold Certified Partner with Microsoft Competencies in Security, Infrastructure, or Advanced Infrastructure, you have the core skills needed to build a comprehensive managed services offering. Even if you are not a Gold Certified Partner, having at least two Microsoft Certified Systems Engineers (or equivalent) on staff can mean you are ready to build a managed services offering that can provide more predictable revenue for you and a more cost-effective solution for your customers.

You don't have to have two MCSE's on staff, you just have to have a bit of business savvy and see a need that needs to be fixed. 

Show me an office, a small office and I will show you a business process that has not been updated in years.  Lord knows there's stuff in mine that I can only change so much.  That's a small firm for you.  But at the same time, when we do make a decision, we make it quickly.

A prior document on managed services is here and Amy Luby is interviewed in a CRN article about it and Vlad quotes her here.

So are you thinking about more than just SBS?  More than just break fix?  Because if you aren't.... well....

The updated "how to get Quickbooks to run as non admin" how to

QuickBooks Community - Running QuickBooks 2005 as a Restricted User (Admin Rights FIX):
http://www.quickbooksgroup.com/webx?14@@.eeb323b/9

And yes it still needs these hacks for the 2006 version.

Remind me to send them a copy of the Nineteen Deadly Sins of Software, will ya?

 

Remote web workplace and IE7 - you know it IS a beta you know

If you are running IE 7 and trying to access your SBS via Remote Web Workplace...well..it's kinda not working as confirmed in a number of posts.

But remember this “IS” a beta.

So how can you USE the browser on a real machine and not screw up RWW in the process?

Dual browsers hack, that's how.

I loaded up Vista in dual boot mode [it's pretty cool, you just have a partition on your system and Vista can automagically set up the dual boot process].  Except now I need to find network card drivers; somehow it doesn't recognize the onboard NICs in the motherboard on my newly built [and one of these days moved to the domain] new workstation.

So just remember.... it still is a beta.....

So ya wanna be a consultant?

So Matt in the mailbag says that he's planning to become a consultant in the next 6 to 8 months and is studying right now for the Small Business Specialist exam.

Matt....here are some more ideas to help you in your journey....

  • Join a partner group - the web site at www.sbsgroups.com lists the locations around the world for a group in your area to meet and talk with your fellow consultant.  Find out what they do and how they do it.
  • Sign up for the Microsoft partner program.  Get the action pack and roll up your sleeves and start learning.
  • Follow the blogs and forums at www.mssmallbiz.com
  • Sign up for the SBS listserve resources:
      • sbs2k@yahoogroups.com for the technical one
      • smallbizit@yahoogroups.com for the sales/business one
      • mssmallbiz@yahoogroups.com for sales/licensing, etc.
  • Use the WOW factor.  Set up SBS yourself and use it.  Get an Audiovox or other Mobile device that seamlessly connects to SBS.  Show the WOW.

Not bad, SBS

Scroll down....Reseller Advocate Magazine names SBS as Best Channel Product

In case you’re one of those who didn’t vote for SBS in this category and have been living in solitary confinement for the last three years, Small Business Server 2003 is Microsoft’s integrated suite of server products optimized for running intranet and Internet applications. In the Standard Edition, this includes the Windows Server 2003 OS, SharePoint Services v2, Exchange Server 2003, Outlook 2003, and Microsoft Shared Fax Service. Premium Edition adds SQL Server 2000, Internet and Security Acceleration Server 2004, and FrontPage 2003. The package is aimed at companies running up to 75 workstations and is practically mandatory for any business wanting to standardize on a Windows platform.

To all of those who have asked me "have you downloaded Skype?"

To all who have emailed and asked “do you have Skype”... I have four little words for you today.

GO GET AN UPDATE.

Now you can show me a Skype security report all you want, but I'm still not convinced.  I still want Skype not inside my network, thanks.....

So what's your backup plan?

Being the victims of the NTT/Verio shared web hosting meltdown over the last couple of days was a stark reminder of how important it is to have full redundancy at a different location for our very small business. We don't need much and we can't afford much, but we do need a small business server solution that can get us running again in a few hours, not in a few days or weeks when the earthquake hit (assuming that we humans survive, it is fair to assume that the hardware will be destroyed). We've been going around in circles with this and SBS2003. What we really need is the ability to configure and regularly update an exact mirror but on a completely separate machine at some other site, so that if we have to do disaster recovery all we need to do is run a restore of the last data backup. And it should be a supported solution. It should also be affordable, in line with the size and value of the business. Everything I read on this topic ends up costing many times more than the server and basic SBS2003 license, e.g. set up additional server (each with high license costs, of course, buy enterprise software designed for much bigger operations than ours, etc.). I don't want to resort to stupid pet tricks like trying to one of the Raid 1 discs off to spawn a new Raid on another computer. For one thing, I doubt it would work. Ghosting also doesn't appear to be an option since the activation scheme will prevent the copy from running on the backup system. So, is there a solution (not counting the redundant hardware, of course) that does not involve stupid pet tricks and that costs no more than the original SBS2003 license, say under $500? And that does not require dozens of hours of expensive consulting? Because if there is none, we'll be better off scrapping SBS to go with open source and paying the consulting fees to someone who can do exactly what we need. Hint to the Microsoft SBS Product team: Here is an opportunity... A lot of people would be happy to pay twice the SBS2003 license if it supported backup through a redundant offsite machine, with the clear understanding of course that only one can be running as "the" server at any given time.

 


 

From the newsgroup today comes that question.....and in light of the Hurricane[s] Katrina, Rita, Wilma, the earthquakes yet to be, I think it's a good time to think about our own disaster plans.

 

  • Cluster - Can we cluster SBS?  No.
  • Imaging - Can we Image our domain controller?  Well it's like this.  The been there and done that crowd will tell you that YES you can image your domain controller and get it back up on even different hardware.  But technically, in the Motherships of the Big Server land and even SBSland they will warn you that Imaging a domain controller freaks them out.  The only saving grace as to why we 'can' do it, is because most of the time out here we are not following a best practice [whatever that means] and doing multiple domain controllers.  Because we are most of the time Single DCs, we don't have the USN Rollback issue that our big brother servers have to deal with.  Les recommends Paragon Drive Backup to do a live image.
  • Redundant hardware - I do parts.  In fact I need to buy another part since my member server dropped a drive yesterday.  And did we skip a beat?  Not really.  But this time I remembered my lessons from last time and had that drive handy.  One of the guys in the office needs to swap out a harddrive and he's missing a power cable to the drive.  So the lesson here is ...have parts ready to go.
  • Have a plan.  If you have SBS on software assurance you can have what's called 'cold server rights' where you can have a second copy of SBS on a second server ready to be fired up and restore the data.  Should it be automagical and a lot easier than it is now? Probably.  But it is an option nonetheless.

Should all this be easier?  More automagical?  I would argue yes, even for the home user and a standalone PC.  Is it going to be as cheap as you want it, or without a bit of expertise.  Not right now anyway.  As the gang in the big server land say when it comes to restoring servers and especially Domain controllers, you want to test this when you are calm and have a checklist, not in a panic when you really need it.

 

There's a nice checklist to think about Disasters here. [Yeah I know I hate checklists but sometimes they get you thinking]

 

 

Domain level? Exchange Level?

From a question from the mailbag today [of which I answered one from an Exchange viewpoint] the question was “What's SBS's domain level?”

A default SBS will have a Domain functional level of “Windows 2000 Native” and a Forest functional level of Windows 2000.

Windows 2000 DOMAIN of mixed mode will support Win NT 4/Win2k and Windows 2003.  Windows 2000 native will support 2000 and 2003.  A Windows 2003 “interim” will support NT and 2003 domain controllers, and of course, last but not least Windows 2003 functional level will support Windows 2003 only.

Now for SBS you can only raise it to Windows 2003.  You can swing up from a NT domain controller using a variety of methods, but honestly I think I'd want anything NT based to be just a member server and not part of my domain controller structure.  You are introducing all the lack of security on those NT platforms in my opinion.

A default install will have an Exchange of Mixed mode.  Now I've raised it to Native Exchange since I have no need to connect to an Exchange 5.5 box.

Resetting the OWA screen

thisismyreallylongandconvoluteddomainname/username

Have a firm that has a domain name that's really long?  Why do we pick domain names that are really big anyway? If you've picked some convoluted thing and after Exchange 2003 sp2 the OWA screen goes back to saying Domain\Username and your employees and clients will freak, there is an easy way to fix it as SeanDaniel.com posts.

and you installed it BEFORE breakfast...boy I tell ya....

Now personally I only use RWW so I never see that anyway...but...

Oh COOL!

I bluescreened and then I Dr. Watson'd and then I'm not bluescreening anymore!

What's a best practice?

In the MVP world we have camps.  I swear we'd have cheerleaders even if we had a chance.  Football games possibly with the Windows team playing the Office team.  But instead we have blogs and newsgroup postings for our playing fields.  And there are times we lob volleys across the wall at one another.  One MVP will indicate the 'differences' between SBS's Sharepoint and “normal Windows” Sharepoint for example.

In a blog Dr. Tom posted today about a situation where someone got help in setting up a VERY unusual ISA configuration that entailed getting a normally corporate domained laptop out the door of another different domain, he says “The ISA firewall product has enough problems getting traction in the marketplace without having to deal with what looks like an enemy within.” and the funny thing is, in the book “Protecting your Windows Network” by Steve Riley and the very gentleman with the unusual firewall setup that wrote that blog, they actually stated that ISA server was a very very GOOD firewall and even went so far as to say that even on a server it was layered on the Windows tcp/ip stack in a manner to be able to protect. The enemy here is certainly not within when in literature they are on record as praising it.

I'm not sure if Dr. Tom has read the book, but he'd see that the authors actually praised ISA server and were certainly not dissing it. They even talk about how SBS 'might' just 'might' be more secure than larger firms because we'll have admins that don't mess around with the firewall and make unnecessary adjustments.

It gets back to my rants about 'best practices'.  Best for whom?  For you?  Does that checklist you are following really understand your firm?  The entry points into your network?  In this day and age where you can shove just about anything out the universal access port 80, I still argue that it's the awareness of the network that makes me safe.

I'm in charge of my network.  My sister's firm does some of those 'security best practices' and yet she comes home with more stories of security issues than in  my network.

...so I'm still out here saying ... how about we don't compare my network threat model with the Department of Defense threat model.  Mine is different from Dana's who is different from Chad's who is different from...well ..we are all just different.  And Security doesn't have a yes/no answer nor a checkbox.

A lot of it indeed is PEBAK based - problem exists between the chair and keyboard. 

It's me.  It's the decisions I make that are the biggest risk to my firm....but one of those decisions, being an aware Admin, that's one that I would argue that is better than a lot of so-called best practices and checklists.

P.S.  Make no mistake.  I CHOSE SBS.  I did it in 1998, I did it again in the 2000 era and once again in 2003.  A compromise to me is not accepted but not wanted, I'm making a choice of this platform as a result of a settlement.  A balance.

Someone posted the following about SBS and in particular about ISA on SBS ....

SBS is a security compromise by definition:
"Something accepted rather than wanted."
"something that somebody accepts because what was wanted is unattainable"

No, I chose SBS because it has things in it no other platform has and I do want it.  If given the same decision tree, the proper balance, I will choose it again.  If you define 'compromise' as what it is in reality, a balance.... then yes, indeed SBS “is” a security compromise.  But it's one that is CHOSEN because it IS a balance by businesses all over the world.  I didn't want to attain anything else.

SBS KBs of interest

You are not prompted for a user name and for a password when you use FrontPage to publish a Web site or to open a Web page on a remote server:
http://support.microsoft.com/?kbid=905428
Description of the Outlook 2003 Junk E-mail Filter update: October 2005:
http://support.microsoft.com/?kbid=906173
A domain controller that is running Microsoft Windows Server 2003 may stop responding for 2 to 15 minutes several times a day:
http://support.microsoft.com/?kbid=908370
New users are still limited by the Internet Explorer Enhanced Security Configuration component in Windows Server 2003 after this component is removed:
http://support.microsoft.com/?kbid=908784
You still can access shares from a Windows XP-based client computer after the logon hours expire:
http://support.microsoft.com/?kbid=895570

How much of a control freak are you?

Dan [name changed to protect the innocent and the fact that I'm going to rag on his boss in this blog post] in the mailbag today asked a question about 'hosted' Exchange.  He said that his boss wanted him to look into hosted Exchange [asp] as an alternative to moving their MX records to their SBS box.  The problem is that the boss did not want to leave the server on 24/7.  Dan said that he only agreed because he didn't have the environment to run a high availability server.

Dan?  Boss of Dan? Come over here... see my network? Do you see my older 'member' server?  It used to be my main SBS box but now it's the TS/member server box.  That server is 5, maybe 6 years old... now I personally think the sweet spot of server hardware is about 3 to 4. You know what happened to me today?  Another drive on the RAID 5 array on that old server dropped off.  You know how much down time that affected me?  About 45 minutes.  During my lunch hour no less.  And about 15 of that 45 minutes was on hold with Adaptec [delay due to the Hurricane because all calls are going through Milpitas and not shared between California and Florida] because the drive had to be zapped off again [it did this the last time I lost a drive on that older server about a year ago and I couldn't remember the commands] and then brought back into the array as a hot spare and then it slid into the location where it's supposed to be and drive 0,1 in the three drive array.  And other than the screaming like a banshee sound that it makes while one of the three drives has dropped off the face of the earth, the server is still running, still serving, still doing its thing.  In fact, many folks say that you want to leave your servers up and running, that it's the spinning up and spinning down that does more wear and tear on them.

I keep a spare harddrive [in fact now need to order a new one] just so I can slide a new one in with no issues.  High availability to a firm doesn't mean a datacenter.  It means just reasonably nice hardware.  Server hardware.  It's certainly not the overgrown desktop hardware that is running the DELL OEM I bought for testing purposes. [It is literally the absolute CHEAPEST model I could get and it's basically an overgrown desktop with one drive].

It means ...that even if you DO go the route of some of your parts being 'hosted', I would argue that you STILL want true Server class hardware.  Now these days, I'm not convinced it's SCSI all the way... I think it can be SATA as well.  But there's a RAID in there so you could drop a thing or two along the way like I did during lunch and it would not matter one bit.

Next reason why you want your SBS box on 24/7.... remote connectivity.  There's many a time I go off to a conference and go 'oh shoot I forgot that' and can remote back into the office 24 hours a day, 7 days a week. Remote Web Workplace 'is' the killer app of SBS. 

Next reason why you want your SBS box on 24/7.... patch management.  I have and do scan and patch my network in my jammies from home.  Now then, if you turn your system off...how can you do that?

So ...okay... next... about that Boss not wanting to point the MX records to the SBS box... okay so the Gang at the SBS podcast will hate me for this but here comes....come closer.... you know about that POP connector that is supposed to be a transition tool?  The one that you are only supposed to use temporarily?  Well like they said in one of their podcasts... folks have been transitioning on that sucker since SBS 4.0.  I use the pop connector at home all the time. 

And what about the MX records and all that.... you know that with a service like TZO.com you can have a backup MX record so that if 'IF' your SBS box goes down the email will stay in your backup MX holder and then forward it again when it's back up.

Okay ..so like WHEN would you want hosted Exchange?  I think you'd want hosted Exchange ...and hosted SBS for that matter.... if you are

  • Not a control freak like I am
  • Live in an area that you need to be nimble and move out of harm's way

I think [hint hint] Vlad in his blog needs to post about advantages/disadvantages of hosted Exchange and ways to connect [VPN, RPC over HTTPS [I vote that one even with real SBS]] and whether you should stop Exchange to free up resources [remembering of course that again, if you have a real server, it can handle this stuff just fine].  For me I'm just waaaaayyyy too much of a control freak to handle Exchange not being in my office under my control.

This nimbleness I know came in handy for one of Jeff Middleton's tech support clients.  He helped them backup their data and they sent it off to the software vendor that in addition to having a PC based application also had an ASP version.  This allowed them to quickly get back online.

So Dan's boss?  Leave that server turned on please?  You don't need to turn it off at night and reboot in the morning.  This is a server, not a workstation.  Heck we're even leaving workstations on 24/7.  And bad guys can break into you via the Internet just as effectively if you are stupid on setting that box up during the day as well as during the night.  While turning a machine off and encasing it in cement, dropping it to the bottom of the ocean probably does increase security of your system greatly, it kinda doesn't help much to boost productivity.

Leave it on, Mr. Boss.

Okay so my drives are THIS big and Exchange needs to be THAT big, now what?

Okay so you built your server, and you partitioned off your server back when Exchange was 16 gigs..... so.... uh...now that Exchange can expand as high as 75 gigs for both the public and private stores..... uh....now what?

Repartition is the name of the game [I can just see the SBS Podcast gang  possibly wincing on this one so I might ping this up to them as a question for this week's podcast -- so gang... how do you feel about repartitioning a domain controller?].

If you have a Dell system..there's a specific Partition utility you need to get... it's called the ExtPart.exe file to do this.  Call Dell and they can send this to you.

The ExtPart utility:  

Windows 2000, Windows Powered, Multi Language, Multi System, v.1.0.4, A01

The ExtPart utility provides support for online volume expansion of NTFS formatted basic disks in Dell PowerVault/PowerEdge stand-alone or cluster configurations with Dell OpenManage Array Manager installed. This is a self extracting file that will install the extpart.exe utility. No reboot is necessary.

Before installing ExtPart and extending a volume, ensure you have a working back up of your operating system. This will allow you to quickly restore the previous operating system configuration in the event you need to troubleshoot your system. See your System Administrator's Guide for more information on creating a system state backup.

Systems Affected: Dell PowerVault/PowerEdge stand-alone or Cluster SE400, FE300 or FE400 configuration. Dell PowerVault 750N, 755N, 770N & 775N

Please see the extpart.txt file for system requirements, limitations and usage instructions.

Custom Instructions for ExtPart.exe:

Download

1. Click the "Download Now" link to download the file ExtPart.exe.
2. If the Export Compliance Disclaimer window appears, click the "I agree" link to accept the agreement.
3. When the File Download window appears, click "Save" to save the file to your hard drive.

Extract Files

1. Browse to the location where you downloaded the ExtPart.exe file and double-click the file to unzip the download package. Two files are included in this package, a text file and the utility (extpart.txt and extpart.exe).
2. The default extract location is c:\dell\ExtPart. You can specify a different location to unzip the files.
3. Click on the unzip button to extract files.

Before extending a volume using extpart.exe, ensure you have a working back up of your operating system. This will allow you to quickly restore the previous operating system configuration in the event you need to troubleshoot your system. See your System Administrator's Guide for more information on creating a system state backup.

SBS IT podcast -- CHECK IT OUT - This is so cool!

Ooooh the guys at the SBS Support podcast have competition!

Vlad and HappyFunboy [aka Chris Rue] have the FIRST SBS Podcast

This is very cool!

Gosh...they sound so impressive don't they?

I'm vaklempt...once again!

 

Got an issue with your Windows update? Here's how to figure it out

Okay so you've gone to Windows Update or Microsoft Update and it grinds and grinds and then it fails.  So you go to a newsgroup or listserve and ask... It's broken, how do I fix it?  But you forgot the most important thing...up in the corner is a code number.  See that?  Make sure you tell someone that code number..or ...better yet... go find the answer yourself....for example, say we have the error code of 0x80072EE2.

Fire up Microsoft Update, and look in help and support.  Now click on troubleshooter, and in the search box put in that 0x80072EE2

And you'll find you get back this....

*Problem description*
This error may occur if your Internet connection or configuration is preventing access to the Update site.

A misconfigured Proxy/Firewall can cause this problem. Double-check the Proxy/Firewall settings.
Add the following urls to the exception list within your Firewall/Proxy:
http://*.update.microsoft.com
https://*.update.microsoft.com
http://download.windowsupdate.com
For help configuring Proxy/Firewall refer to documentation or contact the manufacturer

The KB article they point to is....You receive an "Error 0x80072EE2" error message, an "Error 0x80072EFD" error message, or an "Error 0x80072f76" error message if you try to use the Microsoft Windows Update Web site or the Microsoft Update Web site: http://support.microsoft.com/?kbid=836941

See?  That wasn't so hard now was it....
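Reading the code yourself, as an added example (not part of the original post or the KB article): the three error codes named above are HRESULTs, and splitting them into fields shows they all wrap WinINet network errors, which is why the troubleshooter points at the proxy/firewall. The symbolic names come from the Windows SDK header wininet.h; the configured exception list passed to `missing_exceptions` is a constructed sample, and matching entries as shell-style wildcards is an assumption about how your proxy treats them.

```python
import fnmatch

FACILITY_WIN32 = 7  # HRESULT facility used when a Win32 error code is wrapped

# Names from wininet.h (INTERNET_ERROR_BASE is 12000).
WININET_NAMES = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12150: "ERROR_HTTP_HEADER_NOT_FOUND",
}

# URL patterns the troubleshooter text says to add to the exception list.
REQUIRED_EXCEPTIONS = [
    "http://*.update.microsoft.com",
    "https://*.update.microsoft.com",
    "http://download.windowsupdate.com",
]


def decode_hresult(text):
    """Split an error code such as '0x80072EE2' into its HRESULT fields."""
    hr = int(text, 16) & 0xFFFFFFFF
    facility = (hr >> 16) & 0x7FF      # bits 16-26
    code = hr & 0xFFFF                 # low 16 bits: the wrapped error code
    name = WININET_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {
        "failed": bool(hr >> 31),      # top bit set means failure
        "facility": facility,
        "code": code,
        "name": name,
    }


def missing_exceptions(configured):
    """Return the required patterns that no configured entry covers.

    A configured entry covers a required pattern when, read as a wildcard,
    it matches the required pattern's text (case-insensitive).
    """
    entries = [c.strip().lower() for c in configured if c.strip()]
    missing = []
    for required in REQUIRED_EXCEPTIONS:
        if not any(fnmatch.fnmatchcase(required.lower(), e) for e in entries):
            missing.append(required)
    return missing


if __name__ == "__main__":
    for shown in ("0x80072EE2", "0x80072EFD", "0x80072f76"):
        print(shown, decode_hresult(shown))
    # Constructed sample of a proxy exception list with one URL forgotten.
    sample = ["https://*.update.microsoft.com", "http://*.microsoft.com"]
    print("not yet allowed:", missing_exceptions(sample))
```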

Can I export out the blocked sender list and use them in another server?

It all started when someone in the newsgroup wanted to export out an existing blocked sender list and import it into another SBS box.  And it seemed a reasonable request.  Who knew it would lead me down the path of IMing Active Directory gurus.  To add a list of senders that you want to block from sending you junk...you can add the senders here...but what happens if you built up a list and you want to copy that list to another server?  Or you blew up your server, but you have the file in a .text file?  Can you stick it back in somewhere?

Can it be done?  Yes...and on this web page is the How to... it's stored in Active Directory...Took an AD guru of Brian Desmond to help out the cause as well... his instructions are up on his blog.  Another set of instructions are here:  http://www.webservertalk.com/message155871.html

Man does that need a GUI front end.......

This is the section in my server at home... see that msExchTurfListNames?  That's the value that corresponds to the list of excluded names.  Now you can enter them one by one....but if you have a listing of domains that you've built up in one client that you want to then put in another....well...there ya go....

Using server: kikibitzfinal.Kikibitzrtm.local
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=Kikibitzrtm,DC=local

dn:CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=KIKIBITZR
TM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Kikibitzrtm,DC=local
>objectClass: top
>objectClass: msExchSMTPTurfList
>cn: Default Message Filter
>distinguishedName: CN=Default Message Filter,CN=Message Delivery,CN=Global Sett
ings,CN=KIKIBITZRTM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Kikibi
tzrtm,DC=local
>instanceType: 4
>whenCreated: 20031114195547.0Z
>whenChanged: 20051024020843.0Z
>uSNCreated: 21532
>uSNChanged: 1585305
>showInAdvancedViewOnly: TRUE
>name: Default Message Filter
>objectGUID: {F785B680-45FF-49B5-AF67-204BA8062D03}
>versionNumber: 7638
>systemFlags: 1073741824
>objectCategory: CN=ms-Exch-SMTP-Turf-List,CN=Schema,CN=Configuration,DC=Kikibit
zrtm,DC=local
>dSCorePropagationData: 20031114205848.0Z
>dSCorePropagationData: 20031114200645.0Z
>dSCorePropagationData: 16010101000417.0Z
>msExchTurfListNames: @doofus.com
>msExchTurfListNames: @reallywacko.com
>msExchTurfListNames: @reallyreallywacko.com
>msExchTurfListNames: @wacko.com

Basically you use a script to export out the info...

Oh and btw do you notice the IMF tab is in this section too?  That's where it moved to.

P.S.  Joe would be proud... Brian showed me how to use Joe's ADfind to get that extracted information.

P.S..... apparently there really are domains called http://www.doofus.com/ http://www.wacko.com/ and unless I take that out of the Exchange I just blocked getting email from those domains .....
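One way to carry the list to another server, as an added example (not code from this post or from the linked instructions): the Python below parses a dump in the format shown above, pulls out the msExchTurfListNames values, drops anything you no longer want blocked, and writes an LDIF modify record that `ldifde -i -f` can import. The target DN, the exclusion list and the entry-format check are assumptions, and the sample dump is a shortened copy constructed from the one above.

```python
import re

# Constructed sample: a shortened copy of the dump above, keeping the banner
# lines and one console-wrapped DN line so the unwrapping is exercised.
SAMPLE_DUMP = """\
Using server: kikibitzfinal.Kikibitzrtm.local
Base DN: CN=Configuration,DC=Kikibitzrtm,DC=local

dn:CN=Default Message Filter,CN=Message Delivery,CN=Global Settings,CN=KIKIBITZR
TM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Kikibitzrtm,DC=local
>objectClass: msExchSMTPTurfList
>msExchTurfListNames: @doofus.com
>msExchTurfListNames: @reallywacko.com
>msExchTurfListNames: @reallyreallywacko.com
>msExchTurfListNames: @wacko.com
"""

# Hypothetical DN of the same object on the destination server. The Exchange
# organisation name and domain components differ per server, so the source
# DN must never be reused as-is.
TARGET_DN = ("CN=Default Message Filter,CN=Message Delivery,"
             "CN=Global Settings,CN=TARGETORG,CN=Microsoft Exchange,"
             "CN=Services,CN=Configuration,DC=target,DC=local")

# Assumption: an entry is user@domain or the bare @domain form seen above.
# Restricting the characters also keeps stray text out of the LDIF file.
ENTRY_RE = re.compile(r"^[A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def parse_dump(text):
    """Return (dn, {attribute: [values]}) for the one object in the dump."""
    logical, open_line = [], False
    for line in text.splitlines():
        if not line.strip():
            open_line = False
        elif line.startswith(("dn:", ">")):
            logical.append(line)
            open_line = True
        elif open_line:
            logical[-1] += line          # console-wrapped continuation
        # anything else (the "Using server:" banner) is ignored
    dn, attrs = None, {}
    for line in logical:
        if line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            name, _, value = line[1:].partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return dn, attrs


def build_ldif(target_dn, names, exclude=()):
    """Build an LDIF 'modify/add' record; returns (ldif_text, rejected)."""
    skip = {e.lower() for e in exclude}
    seen, keep, rejected = set(), [], []
    for name in names:
        key = name.lower()
        if key in seen or key in skip:
            continue
        seen.add(key)
        (keep if ENTRY_RE.match(name) else rejected).append(name)
    if not keep:
        raise ValueError("no valid blocked-sender entries to import")
    # 'add:' appends values; the import fails if the target already has one.
    lines = [f"dn: {target_dn}", "changetype: modify",
             "add: msExchTurfListNames"]
    lines += [f"msExchTurfListNames: {name}" for name in keep]
    lines += ["-", ""]
    return "\n".join(lines), rejected


if __name__ == "__main__":
    _, attrs = parse_dump(SAMPLE_DUMP)
    # The two real domains from the P.S. are left out of the import.
    ldif, bad = build_ldif(TARGET_DN, attrs["msExchTurfListNames"],
                           exclude=["@doofus.com", "@wacko.com"])
    print(ldif)
    print("rejected:", bad)
```

Review the generated file before importing it, and take a System State backup first, since the import writes to the Configuration partition.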

Happy Birthday SBS!

Microsoft Small Business Server - Wikipedia, the free encyclopedia:
http://en.wikipedia.org/wiki/Microsoft_Small_Business_Server

So where were you October 22, 1997?

If you were SBS... it's the day you were born!

 

 

 

More questions on Exchange 2003 sp2

Rob asks in the mailbag.....

The blocked senders list in IMF is a nice function. I would like to use it again after I install Exchange SP2.  Have you found a way to re-use the blocked senders list in the new version of IMF in Exchange SP2 after the upgrade?

I kept a backup text file of all the blocked senders that I have put in and would like to re-use the list. <OR> does the sp2 upgrade retain the old list???

I have SBS2k3SP1-standard
Thanks,
Confused:(
Rob

And I think Rob answered his own question....but Rich indicated too that it should stay without any changes as it's not an IMF function.

Like Vlad says, we've seen SQL file replacement and I hit a MSXML issue, but one of the things that I'm not sure I've found yet is a full offline version of the Exchange 2003 sp2 help file offline... or I should say online on the web.  It's inside the program once you load it...but us out here in SBSland like to read... well we SHOULD read the documentation before we shoot this out to our servers.

“How to Use the New Features - For information about how to use the new user interfaces and tasks, see the Exchange Server 2003 SP2 online Help“

Uh... call me wacko but I'd like to read about how to use these new user interfaces and tasks 'before' I do a oneway upgrade to my production server.  While I'm a wacko network admin that has a home machine and a dell OEM so I can install Exchange 2003 sp2 on a machine and thus can read the documentation before I put it on my real baby, I'd still like to print this out and read it. 

If I'm blind and that help file is somewhere on the web, can someone point me to it?

Okay who searches while they IM people?

I'm just taking an unofficial survey of how many folks have

  • Accidentally typed in an Administrative password in an IM window [after it grabs the screen] and sent it off to a friend [hopefully friend anyway]?
  • Accidentally hit the search button instead of send in MSN 7?
  • Accidentally invited half of your entire IM listing to a chat?  [and in my case that's a BIG list]
  • Accidentally typed in the conversation of one chat into the window of another causing the person in conversation A to wonder where you went and the person in conversation B to wonder what the heck you are talking about?

...and other follies of IM?

...and exactly WHO searches and IMs with someone at the same time anyway?

.... uh... I don't know about you... but...uh... googling... it's kinda a private solitary thing... ya know?  I search alone.  I don't get this 'buddy search thing'. I mean I'm into sharing things with the community ...but searching?

Configure Database Size Limits


By default, the size limit of each database on a server running Exchange Server 2003 Standard Edition is 16 GB. After installing Exchange Server 2003 Service Pack 2 (SP2), the default size limit for each Exchange database is 18 GB. Additionally, you can configure database size limits of up to 75 GB per database on servers running Exchange Server 2003 SP2.

By default, the size limit of each database on a server running Exchange Server 2003 Enterprise Edition is 8,000 GB. This size is generally a theoretical limit. The actual limit of an Exchange database is limited based on your server hardware and on the hardware of your storage sub-system. After Exchange Server 2003 SP2 is installed, you can customize the database size limit to a value up to 8,000 GB.

The Application log on an Exchange server will log warning and critical events as you approach or reach the database limit you have configured. The following procedure shows you how to customize the settings related to database size limits to meet the needs of your organization.

Important   This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To configure the database size limit for a database:

1. On the computer running Exchange Server, start Regedit.exe.

2. Open one of the following registry keys:

  • To configure the database size limit on a mailbox store, open the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Private-Mailbox Store GUID

  • To configure the database size limit on a public store, open the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Public-Public Store GUID

3. Right-click Public (or Private) Store GUID, point to New, and then click DWORD Value.

4. For the new value name, type Database Size Limit in Gb.

Only use 75 gigs if you have that much room... make sure you only adjust this to the space you have available..you may need to move/adjust partitions to do this... oh and don't be a do-do brain like I was...thanks to Scott Korman for catching that I did the first demo screen shot with a “hexadecimal value” and not what it's supposed to be... a Decimal one!

5. Double-click Database Size Limit in Gb. In Value data, type an appropriate value for maximum database size in GB. For Exchange Server 2003 Standard Edition, type a value between 1 and 75 (the default is 18 GB). For Exchange Server 2003 Enterprise Edition, type a value between 1 and 8000 (the default is 8000 GB). Click OK.

6. Right-click Public (or Private) Store GUID, point to New, and then click DWORD Value.

7. For the new value name, type Database Size Buffer in Percentage.

8. Double-click Database Size Buffer in Percentage. In Value data, type a value between 1 and 100 to specify when you want events to be logged to warn you that you are nearing the maximum size for a database. The default value of 10 will result in warning events to be logged when you have 10 percent capacity left before you reach the maximum size for that database. Click OK.

9. Right-click Public (or Private) Store GUID, point to New, and then click DWORD Value.

10. For the new name, type Database Size Check Start Time in Hours From Midnight.

11. Double-click Database Size Check Start Time in Hours From Midnight. In Value data, type a value between 0 and 23 to specify when you want Exchange to check the database size. The default value of 5 results in Exchange Server checking the database size 5 hours after midnight (5:00 AM). Click OK.

12. Close Registry Editor.

Before you edit the registry, and for information about how to edit the registry, see Microsoft Knowledge Base article 256986, "Description of the Microsoft Windows registry."
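The procedure above as a script, added here as an example and not taken from Microsoft's documentation or from this blog: it checks the three values against the ranges quoted in the steps, shows the decimal/hexadecimal slip mentioned above, and emits a .reg fragment for review. The function names are hypothetical, and the server name and store GUID in the sample run are constructed placeholders.

```python
# Added example: validate and emit the Exchange 2003 SP2 database size values.
BASE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS"
LIMIT = "Database Size Limit in Gb"
BUFFER = "Database Size Buffer in Percentage"
START = "Database Size Check Start Time in Hours From Midnight"
MAX_GB = {"standard": 75, "enterprise": 8000}  # ceilings stated in the procedure


def as_typed_in_hex(typed):
    """Number Regedit stores when `typed` is entered with Hexadecimal selected."""
    return int(typed, 16)


def warning_threshold_gb(limit_gb, buffer_pct=10):
    """Database size at which warning events begin, per the buffer description."""
    return limit_gb * (100 - buffer_pct) / 100


def check_settings(edition, limit_gb, buffer_pct=10, start_hour=5, volume_gb=None):
    """Return a list of problems; an empty list means every value is in range."""
    ceiling = MAX_GB.get(edition.lower())
    if ceiling is None:
        return ["unknown edition %r" % edition]
    problems = []
    if not 1 <= limit_gb <= ceiling:
        problems.append("limit %d GB is outside 1-%d for %s" % (limit_gb, ceiling, edition))
    if not 1 <= buffer_pct <= 100:
        problems.append("buffer %d%% is outside 1-100" % buffer_pct)
    if not 0 <= start_hour <= 23:
        problems.append("start hour %d is outside 0-23" % start_hour)
    # The limit is only useful if the volume can actually hold the database.
    if volume_gb is not None and limit_gb > volume_gb:
        problems.append("limit %d GB exceeds the %d GB volume" % (limit_gb, volume_gb))
    return problems


def build_reg(server, store_kind, store_guid, edition, limit_gb,
              buffer_pct=10, start_hour=5, volume_gb=None):
    """Return .reg text for one store; raise ValueError on out-of-range input."""
    if store_kind not in ("Private", "Public"):
        raise ValueError("store_kind must be 'Private' or 'Public'")
    problems = check_settings(edition, limit_gb, buffer_pct, start_hour, volume_gb)
    if problems:
        raise ValueError("; ".join(problems))
    key = "%s\\%s\\%s-%s" % (BASE_KEY, server, store_kind, store_guid)
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % key]
    for name, value in ((LIMIT, limit_gb), (BUFFER, buffer_pct), (START, start_hour)):
        # .reg files always carry DWORD data as eight hexadecimal digits.
        lines.append('"%s"=dword:%08x' % (name, value))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Constructed placeholders, not values from a real server.
    guid = "00000000-0000-0000-0000-000000000000"
    print(build_reg("SERVER01", "Private", guid, "standard", 75, volume_gb=120))
    print("typing 75 as hexadecimal stores", as_typed_in_hex("75"), "GB")
    print("warnings start at", warning_threshold_gb(75), "GB")
```

Review the generated text before importing it, and keep the registry backup the article calls for.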

What's the difference between WSS - Sharepoint and SBS - Companyweb?

I'm stealing this from an email Chad made about the difference between WSS and “our” Sharepoint: 

Please note, if you have been told that the SBS sharepoint questions should only be answered in the SBS newsgroup, I do have to apologize for our Communities sometimes.  We do tend to be territorial sometimes.

You want to know the difference between WSS Team Site on SBS & the default WSS Team Site  on a straight Win2k3 box?  Here you go:

Document Libraries:

  • WSS on Win2k3 includes a ‘Shared Documents’ library.
  • WSS on SBS includes a ‘General Documents’ library, ‘Projects’ library, ‘Archived Documents’ library, and a ‘Presentations’ library.

What’s the difference between these libraries?  Nothing.  It’s the exact same result as if you created each of these libraries in WSS on Win2k3 using the default Document Library Template.

Now WSS on SBS also has an Incoming Faxes document library, which as we know integrates with the SBS Shared Fax.  This is a regular document library that has been customized – but only in the sense of customizing the fields.  The SBS Shared Fax does all of the heavy lifting for integrating with WSS – not the other way around.

Photo Libraries –

  • WSS on SBS includes a ‘Company Photos’ photo library.  This was created using the default WSS Photo Library template.  Nothing special.
  • WSS on Win2k3 does not include any pre-created Photo Libraries.

Lists –

WSS on SBS includes a Help Desk and Vacation Calendar.  WSS on Win2k3 includes a Contacts list and a Tasks list.  So what is the Help Desk?  Nothing but a customized Issues list.  Create a new Issues list, remove the Category, Related Issue and Comment fields.  Add an Assigned To field (lookup on the built-in Users list), a % Complete field (number value in Percent format), a Description field (multiple lines of text / allow HTML content), and a Due Date field (Date/Time).

So what’s the net change?  Besides having a few different items pre-created for us (which are no different than the ‘Shared Documents’, ‘Contacts’ and ‘Issues’ lists pre-created on WSS on Win2k3), we have two custom lists (‘Incoming Faxes’ and ‘Help Desk’) that are saved as templates.  There is ZERO code variance between WSS on SBS and WSS on Win2k3.  As a matter of fact, anyone running WSS on Win2k3 could manually create the exact WSS environment on Win2k3 that we have on SBS – and that would not compromise their ability to get support or complete normal WSS administration tasks including backup and restore.

Okay I have a problem with my Exchange 2003 sp2

Nothing like a little live bloggin.  I went to install Exchange 2003 sp2 on my beat up home server and I got an error message.. hey a Dr. Watson send off even.  Very cool!  The “~” will be lovin' that one.  So I'm calling Microsoft Product Support because I had an issue with a Service Pack....I'm pressing “2” for IT Pro support and then again for Server issues.

The first thing we are doing is setting up TS into the box and a 'shadow' session.  He remoted in, I remoted in and I went into Terminal Services Manager, found the RDP session and we're working through the issue.

Event ID 11316 is in the event log... it couldn't read from the MSXML file.

So we go to manually install the msxml3.msi file and up pops the error message that it can't read from the file.  And we try removing a funky XML 4 and SDK I have on the box [lord knows where I got that one].

Is Exchange functional while we are investigating this?  Yup.  Has the engineer documented all the steps he took to kick this up to the next level?  Yup.  Was this a free call because it was due to the Service pack install?  Yup.  Am I worried about deploying this on my real box at the office?  Not really.  For one thing this is my beat up beta box so it's no wonder it's freaking and the Dell OEM at the office did just fine.  It just means I'm not going to be doing the real baby yet that's all.

Then I could tell this one was going to be a stumper as I wasn't googling a resolution.  When ya can't google it... it's a new issue.  So we're going to work through it and get to the bottom of it.

And to those readers of the blog... this is just a post to let you know that even with the error message and the Dr. Watson I have a functioning system.  I have a strong feeling this is just beta bits leftovers and  gunk.... but I'll keep you up to date.

Working through the issues.. remember that for issues with a Service pack like this... it's a free call.  Don't be hesitant to get help when you get stumped.

Web parts and IM

Sarah in the blog comments asks..... I searched your blog for "web part" and didn't find what I was looking for, but I thought I'd ask you anyway....

How safe are non-microsoft webparts for Sharepoint? Do you have any recommended sites for finding these? And specifically, have you ever heard of an in/out board web part? (Because what SBS2003 company can afford Live Communications Server?)

Well.. you mean this SBS company because I 'caught LCS' on Software assurance but yes, LCS 2005 is WAY too expensive for SBS and honestly... I think WAY too much overkill.

Any Sharepoint webpart is just fine for SBS... for another idea for an internal only IM system

Read Vlad's blog for some ideas...

Vladville - Secure & Affordable IM for Small Business:
http://www.vladville.com/articles/smallbizim.asp

The SBS Podcast is here!

It's Saturday and the SBS podcast from the gang at the SBS Support blog is ready for download!!!

Cleaning the house and geeking out to the SBSPodcast.. what better way to spend a Saturday!!

Lots of news on Exchange 2003 sp2!

 

 

Why doesn't Microsoft say that?

“....why doesn't Microsoft say that?“

It was a question I was asked earlier this week in response to an email I sent to a journalist. 

...and you know what... I really don't know why someone from Microsoft in their PR department didn't just say what happened.  The truth.  But for some reason the truth, the facts didn't get out to the public.

And the sad thing is, the truth would have made the public more secure, would get rid of the fears, the doubts.  But because that message didn't get said, because the words weren't said, I think Security was affected.

Security is defined as Freedom from doubt, anxiety, or fear; confidence.

And in the WindowsUpdate newsgroups, some people had a lot of questions about a “buggy” patch.  Even on non affected Windows XP machines.  Even one of my fellow MVPs emailed and asked if anyone had any links to information about a “buggy” patch.

But here's the thing that is amazing.... you see the patch wasn't buggy at all.  The bad effects of this patch that the press talked about was mostly as a result of Administrators who had made security settings, tightening to registry keys, called 'hardening'.  But here's the thing.... these settings are actually not recommended by Microsoft at all.  They really are not supported.  So anyone following these guidelines, knew, they understood that they had responsibility for their network. They knew they would need to test. 

So I can't understand why, when the press started writing their stories about the effects of this patch, someone from Microsoft didn't just say the truth.  That it was the people choosing to set up their network this way that got the most affected.  Now I'm not saying that people that were not running Windows 2000 and did not adjust permissions didn't have patch issues, but I think all of their specific issues got passed over by the headlines regarding this so-called 'buggy patch'. We lost the real story of what was happening with this patch because of the overwhelming press that got stuck on the issues with the patch that were inflicted by the Administrators themselves.

And all of this confusion could be done away with if the Public Relations of a company just said the truth of what happened.  Truth didn't get said.  People got confusion instead.

Sometimes I don't understand the world of marketing and Public relations.  In fact, sometimes when I'm faced with a hard slick sell, it turns me off.  Big time.  In fact, give me truth.  Tell me the warts of something, because if you don't I'll find them in the product.  And believe me, if you didn't tell me about the truth of a product, and I find out about it after I've bought that product, I'll feel like you didn't tell me the truth and never forget that.

I was talking today with another guy about a software product I have at my office.  Bread and butter, line of business application.  One that I moved from one to another a few years ago, a competing product.  When I was talking about the issues I had with it, and comparing to a competitive product, the gentleman and I that were discussing these products were commenting that we couldn't believe that both products hadn't done better things for the customer.  That they had been in the marketplace this long and neither one was perfect.  Both had software 'warts'. And if I had known about the software warts of each platform, rather than just getting the salesman 'spiel', I think I would make the same decision I made, but I wouldn't feel ... well... slightly abused by the 'spiel' I got from the Salesman assuring me the software was perfect.  But because no customer was in the role I was, truly comparing the two, no one had recently made the migration, I didn't get the real facts.  I got the slick ads.

So here I am, in a software program that works, but isn't perfect.  And if the salesman had been more honest with me I wouldn't feel the way I do now.  “Sold“ to.  Owner of a product that doesn't quite work like it was advertised.

Trust is defined as Firm reliance on the integrity, ability, or character of a person or thing.

I don't understand why firms don't understand that the best way to build trust with me and my business is to be honest. If you want me to be a long term customer, don't sell to me, be honest with me.  I moved from that other Line of Business application because they kept promising and not delivering.  And jumped from one that kept under-delivering to another software that kept pushing back a release date to the point where the ship date missed an entire tax season.  We were told one thing, when the truth was another.  And while the salesmen were on the phone lines assuring me that the product was shipping, when I called tech support on this product, they said “oh it won't ship until May”.

Why do we accept what we do from Salesmen?  Why do we accept the slick ads?  I've chatted with many a folk who buy a software product only to find that once they peel back the onion layers and the software doesn't work as advertised they feel a bit abused.   Why is it that the human folly is that we need Madison Avenue to convince us to buy things we don't need?  Isn't the obvious example of this perfume?  It's fragrant, colored water that more is spent to package it, advertise it, than it does for the ingredients for the product itself.

Sorry if I'm rambling a bit tonight.  But several conversations this week have led to this rambling blog post.  Today at lunch with a good friend, the two of us were chatting that we're not sure the press or the public relations of a firm control the message anymore.  We agreed that in this day and age of blogs, newsgroups, communities and word of mouth, even the three major networks didn't control the message anymore.  All it takes is someone who will never forget a bad experience and will tell this in a public online forum such as this and there goes a dent in all that good public relations you've built up. 

I don't know, maybe I'm being naive here, but I think being honest and truthful goes a long way.  I think it builds the trust.  I'm not convinced we need all the slick packaging that we end up getting.  I think being honest to the business owner... building that trust... I think that's a stronger, more long term sale.  You might not see the immediate “Madison Avenue” benefit, but I think that honesty will reap a longer term relationship.

A funny thing happened the other day to showcase how a bit of honesty changed a conversation. I was hanging out in Andy Goodman's MCP chat the other day and was using my usual online alias and at one point in time started chatting with a poster arguing strongly about the advantages of SBS 2003 over SBS 2000.  I said that it was obvious in the recent patches where Windows 2003 was not as readily vulnerable as Windows 2000 proved that it was time to get off that platform.  And at one point in time when the poster was challenging me, he said “what have you drunk too much Microsoft Koolaid or something?” and it took me aback a bit.  There are times people think I choose Security too much.  But here's the funny thing, once I had 'outted' myself and told the chatter exactly who I was, he recognized me from the blog and his attitude changed.  He was listening to me, not as a “koolaid seller” but as someone who had earned ...well hopefully anyway... a little respect.   I had changed the relationship by being honest with him of who I was.

And speaking of choosing Security over Business, I don't think we choose Security enough over business needs.  Because at the end of the day John Q. Business Owner doesn't want things blocking him from doing his job, his business.  He will find ways to go around that barrier if it stops him from doing his job.  So security better just work.  And it better be honest.  And the technology salesman shouldn't 'spin' the product promising that the product will do things it won't do.  And we'd better not have to buy more 'things' to get the products to work the way they are advertised in the slick magazine ads.

Because if you aren't truthful with him, he'll remember.   

If you aren't truthful with me, I'll find out and not forget either.

...so coming back ...hopefully full circle.... to this rambling post of mine that you've indulged me in tonight [well not that you had any choice in the matter... I was in a mood],

Say Microsoft?  How about just being honest and saying that you had a bunch of “Buggy Admins” who forgot that at the end of the day the responsibility for their network is theirs, not yours.  And if they chose to move away from a supported position, then it was their job to test that patch.

At the end of the day, I'm the one who's in charge of my network...not Microsoft.

The buck stops here.

In case you read this on the MSExchange site

http://www.msexchange.org/tutorials/First-Look-Exchange-2003-SP2.html

Part III ---

  • The mailbox storage size limit is increased to 75 GB for Exchange Server 2003 Standard Edition (One 75 GB private mailbox store and one 75 GB public folder store). Attention: SBS 2003 users must wait a few months after SP2 is released to use this feature. Only at that time will Windows Small Business Server be able to take advantage of the increased storage limit.

     

  • ATTENTION Kmart Shoppers...that part is totally wrong.  We are right now supported on this Service pack and can install it now without having to wait, thank you very much.

    Installing Exchange 2003 sp2 and it prompts you to overwrite files?

    Seven of Nine has commented in the blog [and others in our gang] have reported that when you have SQL 2000 sp4 on the box it indicates that the files it's trying to install from Exchange 2003 sp2 are older than the ones on the box.

    “Seven” said “okay to replace” but then reinstalled SQL server sp4.  We're hearing that you can just say “keep newer” and you'll be fine as well.

    Apparently the files have to do with MSSearch.

    Wow... Seven of Nine, eh?  Who knew she ran an SBS box on the Enterprise........ maybe the Enterprise is run by an SBS box?

    So ya wanna backup your ISA configuration?

    So you've tweaked ISA and it's just so and you want to back it up....

    Export, Import, and Backup Walk-through Procedure 1: Back Up a Complete Configuration

    Follow this procedure to back up a complete configuration, to save in case of a catastrophic failure.

    1. Right-click the name of the ISA Server computer, and click Back Up.
    2. In Backup Configuration, provide the location and name of the file to which you want to save the configuration, and click Back Up. Choose a meaningful name, and consider including the date in the name of the file, such as Cleveland Branch ISA Backup 16 April 2004.
    3. When you back up a configuration, you are exporting confidential information, such as a password that is encrypted. You therefore have to provide a password for the backup file in the Set Password dialog box, and then click OK to start the backup operation.
    4. When the backup operation has completed, click OK.

    Note
    Because the .xml file is being used as a backup, a copy of it should be saved on another computer, in case of catastrophic failure of the ISA Server computer.

    SBS Podcast/call in tomorrow to the SBS support gang

    http://blogs.technet.com/sbs/archive/2005/10/20/412809.aspx

    The SBS Podcast gang is at it again tomorrow!!

    We'll be recording episode #5 tomorrow at 11:00 AM CST.  This week's main topic will be Exchange SP2.

    Phone number for the live call-in portion of the podcast:

    (866) 500-6738
    Use participant code: 9451910  (changes weekly)
     
    You can also reply to this thread on their blog, send email to sbspod at microsoft.com, or leave voicemail at 206-984-0184.

     

    If you are wondering why Office 2003 sp2 is not coming down automatically on MU

    The WSUS blog explains why....

    In the previous update release of Office 2003 SP2, some AutoUpdate and Microsoft Update customers experienced installation failures, in most cases due to a damaged Local Installation Source, which in some cases is required for the SP2 installation.  Because user interaction is necessary to resolve this problem, we have decided not to distribute Office 2003 SP2 to users whose AutoUpdate client connects to Microsoft Update

    Exchange SP2 "Vladville Blog" goodness

    Exchange 2003 SP2 on SBS

    http://www.vladville.com/articles/exchangesp2sbs2003.asp

     

    Enabling IMF 2 in Exchange 2003 SP2

    http://www.vladville.com/articles/exchangesp2imf.asp

     

    Easy guide to Changing Exchange Store Database Limits

    http://www.vladville.com/articles/exchangesp2newdb.asp

     

    Modifying the Outlook Web Access Login Page

    http://www.vladville.com/articles/exchangesp2logon.asp

     

    [btw this is hit and miss for us... some have said that they don't get reprompted for the Domain\User login [I didn't] and some do.  Some folks say rerun the CEICW.... your mileage may vary...]

     

     

    Okay so I read the release notes that are inside the Exchange 2003 sp2 download

    ...and they say....

    The release notes for Microsoft® Exchange Server 2003 Service Pack 2 (SP2) are available on the Exchange Server 2003 Service Pack 2 Release Notes Web page.

    © 2005 Microsoft Corporation. All rights reserved.

    Okay...that's one thing I can check off as reading.....

    A post for The "~'s" and the "V's" and all the rest.

    There's a person I'm going to refer to as The “~”.  Now while I'm going to speak specifically about this one person... in reality he represents a type of a person. 

    His job is to fix things.  Find things.  Get things to break.  Figure things out.  Analyze things.  Thus, he's the type of guy that would be installing Exchange 2003 Service pack 2 today.  Now.  In fact, I'm surprised he wasn't up at midnight installing it on some box somewhere.  And in fact if things go smoothly ... he might be a bit disappointed.  He and those like him actually like breaking things.   Because then they learn more about the thing they are breaking.

    There's another type of person I'm going to blog about.  This person is the IT Pro.  The Consultant.  I'm going to call him The “V's”.  Now he's a bit like The “~”, but a smidge different.  You see he wants to figure things out, but he wants to ensure once he's installed something, understands it, it's reproducible in a solid manner to his clientele.  So he'll install Exchange 2003 sp2.  Document it.  And quite quickly in fact, but he's probably going to go through the dry run steps of a “best practice for deploying Service Packs” checklist.

    He'll make sure he's read the documentation, he'll make sure he's backed up the Exchange Store.  He'll understand that for his clients that depend on email, Service pack deployments on Exchange are upgrading a Jet database.  Thus he'll make sure he builds in a rollback strategy.  But he's going to do a dry run on a test machine and recreate as best as he can the steps and checklists he'll use for deploying this Service Pack.  He's then probably going to watch that box for a few days and monitor the log files and just make sure everything is as it should be.  And then he'll start rolling it out.  Mainly because his clientele are near the max of those 16 gig limits right now and they are busting at the seams.  And he'll read the documentation on how the default store goes up to 18 gigs but above that needs a manual registry adjustment.

    He's also probably going to “triage” this service pack and only deploy it to those clients who are near that 16 gig database limit.  The ones that need that registry edit.  You see he's probably already in the process of deploying SBS sp1 and he'll want to give his clients a bit of a breather on that for a bit before fully rolling this one out.

    Then there's me.  And it's this personal view from my Patch Deployment Central.  It's this view that I post to this blog.  My role in my office is to not introduce risk.  My role is risk mitigator.  So I'm not going to be the one downloading the patch at midnight installing this on my box.  I'm waiting.  I'm going to first install it on my home server, again following the guidance of The “V's”, and I'm going to watch the log files.  I'm going to then pick a date in my office that it's a good time for me to deploy this.  In my office my traditional time for deployment is Friday night, after the office closes at 5 p.m.  I'm going to ensure I have a rollback plan.

    And what if you don't have a home server to test this on?  What if you are a DIY admin and you only have your one SBS box?  Well, you can rest assured of the following....

    • The “~'s” have done it and are running just fine [well it will be as soon as he installs SBS]
    • The “V's” have done it and are running just fine
    • The patch has been certified for SBS boxes by Mothership Redmond and Los Colinas [there is no need to wait for a SBS only service pack]
    • and soon I'll be doing it here

    In my earlier post I talked about how one shouldn't patch at lunchtime.  There's a running joke that we are so confident in patching that we'll just blindly install patches before testing.  If you don't have a test machine, but only a real production one, just keep this in mind... follow the recommendations.  Have a backup.  Remember you have to have SBS sp1 on the box “before” applying this Service pack.  And honestly you really should consider a Service Pack like a near new operating system.  You don't have to be first.  You can wait for all those “~'s” and “V's”.      

    Need some guidelines and ideas for Patch [and a bit of Service pack] testing?  Here's some things I've gathered up along the way...

    • Identify the operating system subject to testing.
    • Identify the service pack level.
    • Identify the hotfixes installed on your systems (if in addition to security fixes).
    • Identify critical third party applications.
    • Identify third party applications that have had patching historically.
    • Identify those files used in patches that may have caused issues in the past. Are they included in this current patch? Assign testing resources appropriately.
    • Study the bulletin to determine if you can uninstall the patch. If not, determine if additional resources for testing or imaging need to be in place before approving the patch.
    • Test the installation of the patch both manually and via your automated patch technology. Can you uninstall the patch using add/remove program or your patch tool?
    • Review the processes of your line of business applications. Are they performing as expected? Attempt to replicate a production environment using imaged data. Having an exact image provides the best testing bed.
    • Set up performance and monitoring tools to review your testing machines, such as PerfMon and tools from Sysinternals, and review all log files.
    • Confirm the installation of the patches via registry review or other means.
    • (OPTIONAL) Confirm the effectiveness of the patch using testing code.
    • Follow any additional procedures your situation requires.
    • Approve the patch for release.
    • PREPARE BACKUPS. [Oh yeah did I say prepare backups?]

    The InfraGard Technology Risk checklist also includes the following:

    • When applying a patch to any system vulnerability, verify the integrity of, and test for the proper functioning of the patch
    • Verify that the patch will not negatively affect or alter other system configurations
    • Test patches on test beds before being released into the network
    • Backup your system before applying patches
    • Conduct another vulnerability test after you apply a patch
    • Keep a log file of any system changes and updates
    • Prioritize patches
    • Disseminate patch update information among the organization's local systems administrators
    • Add timetables to patch potential vulnerabilities
    • Require that external partners deploy all non-critical patches within 30 days
    • Require that external partners deploy critical patches to servers and clients within 48 hours

    So if you are one of The “~'s”, go ahead, deploy it.  The rest of us mere mortals will type up a checklist and at least make sure we have a backup in place.

     

    CCH PerForm Plus having issues with 05-052

    Microsoft Security Bulletin MS05-052: Cumulative Security Update for Internet Explorer (896688):
    http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx

    So invariably several days 'after' applying the security patches that I find things.... CCH PerForm Plus is not functioning.  Remove the patch, it works.  Deploy the patch and it says it needs active X running so obviously those additional active X blockings in that security patch is affecting this program.

    Calling CCH... will update the blog with the resolution.

    This KB with some fixes doesn't appear to apply...

    “Due to a recent Security patch, users of PerForm Plus.....” ... “please go to support.cch.com for further details“

    Uh huh...they know about it

    Issue

    When clicking on a forms library link, CCH perform plus II does not launch.

    Cause

    A recent Microsoft security update (KB896688), obtained from the Microsoft Update site or automatically installed as part of the Windows Automatic Updates service, prevents CCH perform plus II from launching in certain configurations.

    Resolution

    This issue can be resolved by adding the CCH website to your Internet Explorer’s list of Trusted Sites.

    Resolution Steps

    1. Launch Internet Explorer.
    2. Go to Tools > Internet Options.
    3. In the Internet Options window, click the Security tab.
    4. Click the green Trusted Sites icon to highlight it.
    5. Click the Sites button.  The Trusted Sites window displays.
    6. Uncheck the "Require server verification (https:) for all sites in this zone" checkbox.
    7. In the "Add this Web site to the zone:" field, type in "files.stf.com" and click the Add button.
    8. In the "Add this Web site to the zone:" field, type in "*.cch.com" and click the Add button.
    9. In the "Add this Web site to the zone:" field, type in "*.cchgroup.com" and click the Add button.
    10. Verify that files.stf.com, *.cch.com, and *.cchgroup.com show up in the "Web sites:" window below.
    11. Click OK to close the Trusted Sites window.
    12. Click Apply in the Internet Options window.
    13. Click OK to close the Internet Options window.
    14. Close Internet Explorer.
    15. Restart Internet Explorer and log into the CCH web site.
    16. Launch CCH perform plus II.

    Exchange Service Pack Destroys Reading Ability

    Yes, the thing I was ranting about earlier this week..the sensationalist headline I'm using here for a reason.

    Got ya to read this blog post didn't I?  Didn't I?

    It's apparently obvious to me that the sight of a new software patch destroys all ability for folks to plan and read documentation.  Marina and Mariette have said time and time again [even to me when I forget] that we need to SLOW DOWN and READ.

    Already getting folks pinging the blog after... AFTER... applying the patch and folks, I don't know about you but I cannot imagine that you have

    • Read the release notes
    • Read Vlad's blog
    • Backed up your Exchange store SEPARATELY from the normal backup [In fact stick it someplace special on a hard drive somewhere just for this purpose]
    • Anticipated that once again, the Exchange patch, since it's coming out from the “normal” Exchange folks, would once again flip our OWA login from just plain user to domain\user [or so one poster to the blog says happens... your mileage may vary ... I haven't tried it so you early adopters will have to see; word is from the gang that the User name only stays and works -- it's just the OWA page that 'says' Domain\user name.  It will still work fine with just “User”.  Nick says the SBS gang fixed the underlying SBSized plumbing so Exchange won't stomp on us anymore after you apply SBS 2003 sp1]

    IMHO, either ... give up fixing that stupid domain/user thingy... train your users to go through RWW and never use straight OWA..... or try applying the previous fix/up patch that did the trick with Exchange 2003 sp1 when it did that to us.  Honestly I think we need to just give up our SBS customizations if Exchange or any other patch is going to stomp on them all the time.  When I picked my domain name, I picked it nice and small.  To me, I'd rather stay with a 'standardization' of patching.  So if Exchange is going to constantly reset that .. I say... fine .. let's stop fighting it.  Flip it to domain\user and we won't have to worry about fixing it anymore.  It's honestly an end user education issue anyway.  I'm starting to be a big fan of patch standardization.

    So, can we read first please? 

    Planning for the Exchange 2003 sp2

    Remember there is no need to be the first on the block with this.....

    First off ensure you READ the release notes [and given right now that the notes point to the pre-release release notes, I'll probably wait for that to be updated first]

    Looks like similar to last Exchange 2003 sp2, it needs another patch on the box first,

    Important   Ensure that Hotfix 898060, "Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail," has been installed on your system. You can determine whether this hotfix is installed by running the Microsoft Exchange Server Best Practices Analyzer Tool, which checks for the hotfix being installed, and then reviewing the output log. If you do not run the Exchange Server Best Practices Analyzer, you must manually verify that Hotfix 898060 is installed on your system. If this hotfix is not on your system, you must install it now.

    Then you MUST be on SBS's SP1 in order to install this

    Important   Make sure that, if you are installing SP2 for Exchange Server 2003, you are running on either of the following operating systems: Microsoft Windows Server™ 2003 Service Pack 1 (SP1), or Microsoft Windows® 2000 Server Service Pack 4 (SP4). For information about an update rollup to Windows Server 2000 SP4, see "Update Rollup 1 for Windows 2000 SP4 and known issues." For more system requirements for Exchange Server 2003 (Pre SP1 and SP2), see System Requirements for Exchange Server 2003.

    And lastly, early word is that the sp2 resets [again] the OWA page to the Exchange default of domain\user.

    Since 99.99% of my gang just use RWW as their entry point anyway.... I think I'm going to leave it as domain\user.

    And above all else... HAVE A BACKUP

    But the best bet is to let us install this on our tester boxes and get the 'street view' first.
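    The two prerequisites quoted above can be checked before the installer is ever launched. This is an added example, not part of the original post or the Exchange release notes; it assumes PowerShell 2.0 or later on the machine you run it from, admin rights on the target server, and that the hotfix shows up in the WMI hotfix list under the ID KB898060.

```powershell
# Added example: pre-flight check for the Exchange 2003 SP2 prerequisites
# quoted in the post. Function names are hypothetical, chosen for this example.

function Test-OsPrerequisite {
    # Release notes as quoted: Windows Server 2003 SP1, or Windows 2000 Server SP4.
    param([string]$Version, [int]$ServicePack)
    if ($Version -like '5.2.*') { return ($ServicePack -ge 1) }   # Windows Server 2003
    if ($Version -like '5.0.*') { return ($ServicePack -ge 4) }   # Windows 2000
    return $false
}

function Test-ExchangeSp2Prerequisite {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # WMI is used so the check can also be pointed at a remote server.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop

    # Get-HotFix reports a missing ID as an error; turn that into $null instead.
    $hotfix = Get-HotFix -Id 'KB898060' -ComputerName $ComputerName -ErrorAction SilentlyContinue

    $osOk     = Test-OsPrerequisite -Version $os.Version -ServicePack $os.ServicePackMajorVersion
    $hotfixOk = ($null -ne $hotfix)

    # A fix that was rolled into a later service pack is not listed on its own,
    # so a missing entry means "verify by hand", not necessarily "not installed".
    New-Object PSObject -Property @{
        Computer      = $ComputerName
        OsVersion     = $os.Version
        ServicePack   = $os.ServicePackMajorVersion
        OsOk          = $osOk
        HotfixListed  = $hotfixOk
        ReadyForSp2   = ($osOk -and $hotfixOk)
    }
}

# Usage: check the local server and stop if anything is missing.
$check = Test-ExchangeSp2Prerequisite
$check | Format-List Computer, OsVersion, ServicePack, OsOk, HotfixListed, ReadyForSp2
if (-not $check.ReadyForSp2) {
    Write-Warning 'Prerequisites not confirmed. Do not install Exchange 2003 SP2 yet.'
}
```

    The script cannot tell you whether a separate backup of the Exchange store exists, so that item stays on the written checklist.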

    I swear ..if any SBSer downloads this during lunchtime...

    Yes the Exchange 2003 sp2 just RTMs as reported live by HappyFunBoy.

    Download details: Exchange Server 2003 Service Pack 2:

    And ... if I hear of any SBSer downloading this during their lunch hour and installing it......... where's my 2x4?

    Remember Exchange updates are ONE WAYS...that means you have yourself a good backup.

    Yes, this means we can now store 75 gigs of junk mail, but READ and understand first and TEST THIS SUCKER.  Yes, it's supported on SBS but yo, folks... this isn't a rush to see who can install it the fastest and blow up their production machines. 

    Make a backup of that Exchange first please, okay?

    Homework first....

    You Had Me At EHLO... : More details on Standard DB limit size increase in Exchange 2003 SP2:
    http://blogs.technet.com/exchange/archive/2005/09/14/410821.aspx

    You Had Me At EHLO... : Storage limit changing in Exchange 2003 SP2 Standard:
    http://blogs.technet.com/exchange/archive/2005/06/06/405933.aspx


    WSUS and ISA 2004

    http://www.microsoft.com/downloads/details.aspx?familyid=ab72eb03-09cf-4cfb-9af5-1a7dc9c80bc9&displaylang=en

    This paper describes how to deploy WSUS and ISA Server 2004 to manage remote clients.

    Thanks James for the heads up on this whitepaper on the download site....

    Disabling the XP sp2 firewall

    DON'T.

    Next blog post?  Okay....okay... I'll give you my reasons....

    Okay let me explain why....well first let me give you why you shouldn't disable it.  Today in our world, your workstations are on that edge of the Internet just as much as your servers are.  And if they get infected by some bad gunk, the faster that bad thing will run through your network.  In any network we have a pretty gooey inner core, yes even in SBSland with our XP sp2 firewalls intact we leave a bit of goosh [file and printer sharing] ready and open.  But our SBSized XP SP2 does at least let our workstations help out as much as they can in the bad guy fight.  And given that many SBS workstations are running as local admin anyway, the applications that want access will, more often than not, build their own exceptions.

    So... if you really want to shoot yourself in the foot.  Go ahead, lower your defense in depth.  Don't have your workstations part of a security strategy.  Don't do all that you can to protect client data. 

    Okay so now that I've laid the guilt trip on ya.....

    How to disable that group policy

    Okay see this .....and in particular this view

     

    See that “link enabled” that's checked there... all you have to do is unclick it and then force the update by typing gpupdate /force at a command prompt on the server, and gpupdate /force on the XP machines as well.

    Now.. if your policy isn't releasing we got some troubleshooting to do.

    Step one...Let's see what's enforcing that policy...

    At the workstation type gpresult >gp.txt  [review the additional settings here if you want to do this command remotely]

    Now...can you see where that workstation is picking up its policies?

    Some other troubleshooting steps are here...but start first with that gpresult.  See what's laying down that policy.

    ETrust and the XP sp2 firewall

    Greg posts that he's having trouble with two things regarding the XP sp2 firewall and SBS...

    Here's part one to his solution.... Etrust.  Dave in our SBS group uses ETrust and he wrote.....

    eTrust has a little utility that you can run on each workstation that adds the eTrust Local Scanner, Realtime Monitor, and RPC Server to the Windows Firewall exceptions.  It's easy enough to do that I haven't bothered to figure out the GPO.

    eTrust pulls the signature updates from the admin server or the eTrust FTP site, so I believe (not 100% sure) that eTrust will update signatures without the firewall exceptions.  For sure you won't be able to use any centralized management or reporting without adding the exceptions.

    Thanks Ron in the comments...he points to the solutions for E-trust!  Keep in mind that the file and printer sharing is automatically enabled with the XP sp2 firewall settings in SBS.

    Hey looks like some Small Business Accounting groups are starting

    On Yahoogroups.com looks like there's some Microsoft Small Business Accounting groups starting...

    Small_Business_Accounting_Advisors  This group is for CPAs, accountants and other specialists who install or advise their clients regarding Microsoft Office Small Business Accounting. The Group will answer questions and offer advice concerning installations, training and the variety of Independent Software Providers that have applications that integrate with Small Business Accounting.

    Small_Business_Accounting  For users of Microsoft Office Small Business Accounting, this group will answer questions and offer advice on taking full advantage of the software's features. Discussions will include integrating Small Business Accounting with the other members of the Microsoft Office Family

    WA_SBA_Users_Group  For Washington State users of Microsoft Office Small Business Accounting. This group will answer questions and offer advice on taking full advantage of the software's features plus will deal with issues specific to Washington State businesses. Discussions will include integrating Small Business Accounting with the other members of the Microsoft Office Family.

    Join in and participate!

    Need a little filtering?

    http://www.scorpionsoft.com/blog/archives/2005/10/sbs_firewall_da.html

    The first thing was on the need for the product itself. From the results of our survey, 96% of the SBSers out there find their logs tedious to go through, and would love a dashboard view of their (or their customer's) firewall events.

    ---------

    And this is just the firewall logs mind you....Dana's obviously struck a chord with the SBS consultants who want a better handle on the monitoring of firewalls.  I've been lurking [unsuccessfully I must admit] on the ActiveDir listserve and it all started with a thread on knowing when someone was deleted and they didn't set up auditing.  The discussion that occurred showed the problem of scale [we in SBSland can handle the daily monitoring email report] as comparing us little guys to the big guys.  But the minute the consultant starts adding more and more SBS boxes, it doesn't scale does it?

    Monitoring is one of the most important security tasks you can do, yet how well do we do it?  As I wrote offline to someone yesterday....

    The problem I see is there needs to be a balance between data overload, a good artificial intelligence to weed out the false positives, but ... I think....that in the end that there still needs to be a trained pair of eyes making a final decision.  Like the PSS/CSS guys that pull that server analysis.  Because they are getting daily re-inputs into what's occurring in the world, they can look at log files and have an idea of what is 'baseline'.  But in the end it comes down to a pair of eyes looking at the log files making the final determination.

    And that's the hard part isn't it?  We need that knowledge that we currently don't have a good feel for.  To weed out the excess information. 

    Information overload.  We even have it on our servers, don't we?

    Sometimes it 'is' the last thing you try

    So I have the big hunking HP Pavilion [Harman Kardon, has the built-in 10 key on the keyboard that we beancounters drool about, weighs about 9 pounds dripping wet] monster in for a checkup, installing an update to the Trend antivirus [and just realized this doesn't have Microsoft antispyware, shame on me] and what not, and for the last two days I've been off and on trying to troubleshoot a problem with it.

    You see about every 30 seconds on both the wired and the wireless connections I was trying it would fall 'off' the connection.  I always enable the network connection icon down in the system tray and I would see it drop the connection and then reenable the connection. 

    I'm thinking viruses?  Spyware?  Nic drivers?  and trying to troubleshoot a device when it's falling off the Internet every 30 seconds isn't fun, you have to google msnsearch on another machine, find the drivers or software patches you need and then copy them over.  Needless to say I was just about stumped and about to call in the hardware gurus.  And flat out honestly, I'm a software gal.

    So one last ditch effort I boot into safe mode to see if I can see if the nic drivers are acting up under safe mode and realize you can't enable the network icons in the system tray in safe mode.  So I reboot into normal windows and ...for whatever reason that escapes me now.... I hover over the far right icon which is the 2Wire network connection monitor for the Home DSL modem that this monster laptop normally connects to.  And again, maybe it was annoyance with icons or something...but I made the monitoring software temporarily exit the program.

    Two days.  I've been scratching my head off and on for two days trying to figure out why this has been dropping off the wireless and the wired network at the office, and the fact that the 2Wire wasn't able to phone home to its DSL modem was why this laptop kept dropping off the Internet.

    It is always the last thing you try isn't it?

    Now given that we're about to insert in a Linksys or equivalent at home [where this monster normally parks itself] so that the DSL can be shared out with the Granddaughter on another computer [and not this one that I'm typing this blog post on to confirm with myself that the connection is solid], so that she doesn't mess with this clean, pristine laptop, I'll probably have to permanently disable that monitoring software of dubious reliability.

    I'll also have to figure out the best way to protect Granddaughter.  I'll see what I can do with restricted user mode and the fact that when she visits...she wants to play games. And unfortunately game writers have yet to fully embrace the “Secure by Design, Secure by Default, Secure by Deployment” mantra.

    Yup, sure enough... rock solid connection.  So exactly again ...why do I need a network connection monitoring program that 'causes' network connectivity issues when it's not connected to what it's wanting to be connected to?

    Patching related KBs

    Event ID 1015 is logged in the Application log when you use the OHotFix program to install Office updates:
    http://support.microsoft.com/?kbid=907341

    You receive a "The expected version of the product was not found on your system" error message when you install Office 2003 Service Pack 2:
    http://support.microsoft.com/?kbid=909074

    You receive an error code and the copy of Microsoft Windows is not validated when you try to use Windows Genuine Advantage to validate your copy of Windows:
    http://support.microsoft.com/?kbid=908440

    James was hitting an issue where his Windows 2000 machines would not validate via Windows Genuine Advantage and I think that last KB is what is causing the issue....

    Roaming anyone?

    From the mail bag the other day comes a question about roaming profiles and I thought I'd throw some links up here about setting up roaming profiles....

    First start off by reading this one.....

    How to configure a user account to use a roaming user profile in Windows Server 2003, Windows 2000 Server, or Windows NT 4.0:

    Roaming Profile Creation in Windows Using the "Copy To" Command:

    Now you remember that SBS has our specific 'My Documents' redirection wizard...but here are some more tips from SeanDaniel.com with more redirection...

    SeanDaniel.com on SBS 2003 & other Tech-stuff: Redirecting the Client Desktop to the Server:

    SeanDaniel.com on SBS 2003 & other Tech-stuff: There Can Be Only One (copy that is):

    So James?  Does that help?

    1,500 now, 85,000 and more to go

    CRN | News | Executive Shuffle In Microsoft's Partner Biz:
    http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=172301780

    Part of Leland's challenge going forward is finding a way to cultivate partners in the Small Business Specialist program that are adequately skilled to sell into this voluminous space. To date, nearly 87,000 partners have expressed interest in getting certified as a Small Business Specialist by Microsoft, with just north of 1,500 actually doing it. However, many of those 87,000 are not where they need to be with respect to technical, sales and marketing skills to gain the designation, according to Watson.

    You know what....I've taken that exam and while I would argue that the Small Business Specialist segregates you from the rest and helps you stand out from the crowd...at the end of the day it's the relationship you make with your client that makes you unique.

    Know the small biz market.  Know that it's not 'cut down' and 'limited'.  Know that there are clients that will not see the value in technology, and those that do get IT.  And those are the firms, the clients you want to find.  The culture in that firm is embracing of technology, not one of still running Windows 98.


     

    Want to search the SBS2k yahoogroups?

    I hate the searchability of Yahoogroups.  Okay so 'hate' is a strong word.  How about I very seriously dislike the searchability of Yahoogroups?  Someone once said that for a search company they make a lousy listserve search engine.  Shout out to ATZ who took the SBS2k listserve and made it into a decent searchable database:

    http://www.sbsarchive.com/

    Very very cool!

    For those wanting to share out BCM "on" your SBS 2003

    How to troubleshoot a shared database in Outlook with Business Contact Manager Update:
    http://support.microsoft.com/?kbid=901164

    There are some troubleshooting tips in this KB article.

    SBS KBs of interest

    In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack:
    http://support.microsoft.com/?kbid=909005
    You cannot disable the "Web Browser" tab on a computer that is running Firewall Client for ISA Server 2004:
    http://support.microsoft.com/?kbid=903940
    Content display delay occurs when you use ISA Server 2004 as a Web proxy server to request redirected pages:
    http://support.microsoft.com/?kbid=905179
    How to troubleshoot a shared database in Outlook with Business Contact Manager Update:
    http://support.microsoft.com/?kbid=901164
    You receive a "Your current security settings prohibit running ActiveX controls on this page" error message when you start Project Professional 2003, Project 2002, or Project Web Access:
    http://support.microsoft.com/?kbid=907343

    CHAT: SBS Live! Tuesday, Oct. 18, 7 p.m. Eastern

    Got Small Business Server and want to get help administering it
    or help others to get the most out of it? Share your SBS stories
    with others this Tuesday, Oct. 18 at 7 pm; Microsoft MVP and SBS
    expert Andy Goodman will be there as master of ceremonies:

    http://chat.mcpmag.com/chats/default.asp#chat

    To join, to learn how to join a chat, to read the rules of conduct,
    or to obtain a transcript of a past chat, go to
    http://MCPmag.com/chats. If you're using a chat program, such as
    Microsoft Chat 2.0 or mIRC, you can join by going to the
    #MCPmag.com room on the chat.mcpmag.com server.

    uh...they had Tuesday, October 17th the first time... I've fixed the date...

    You know this really isn't as widespread as you think

    Headline reads Critical Windows patch may wreak PC havoc

    Geeze Mr. Editor.....Excuse me but it's in one particular instance where the permissions are set down too tight.  Can the IT world not "Chicken Little" folks and get them all riled up?

    It's one issue with permissions ...come on folks..this isn't universal....In the WindowsUpdate newsgroup there's newbies in there freaking out over their Win machine running with full admin access thinking their PCs are going to flame out with this patch.

    Can the headline writers be a bit more real world?

    Critical Windows patch may wreak PC havoc

    Patch to fix serious Windows flaws can lock users out of their computer,
    prevent the Windows firewall from starting, block applications and cause
    other trouble.

    http://ct.zdnet.com.com/clicks?c=581185-2072731&brand=zdnet&ds=5&fs=0

    And no, Indy... Admins had to adjust those permissions...not end users.  Let's understand EXACTLY how this issue is caused.  That's a customized permissions that was not set by end users.  I'm talking about the mis-information that this headline is leading folks in the consumer side into thinking that they will have a problem with this patch when it's a limited subset of computers.

    This advisory is for admins.  It's not for the home user and yet they are the ones freaking out...

    Need to rekick Windows updates?

    Here's some pointers for getting Windows update to work if it's failing on you at the SBS box.

    • Stop the Automatic Updates service from services.mmc.
    • On the SBS, go to %systemroot% (typically Windows)\SoftwareDistribution
    • Delete the *contents* of the DataStore and Download folders.
    • Start the Automatic Updates service.
    • Run Windows Update (and switch to Microsoft Update in the process).

    The items needed should be re-detected, re-downloaded, and installed.
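    The first four steps above as a script. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the server and that Automatic Updates runs under its usual service name, wuauserv. Run it with -WhatIf first to see what would be removed.

```powershell
# Added example: clear the Automatic Updates cache, following the steps in the post.
# Assumptions: elevated session; 'wuauserv' is the Automatic Updates service name.
# Reset-UpdateCache is a hypothetical name chosen for this example.
function Reset-UpdateCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'wuauserv',
        [string]$CacheRoot   = (Join-Path $env:SystemRoot 'SoftwareDistribution')
    )

    $folders = 'DataStore', 'Download' | ForEach-Object { Join-Path $CacheRoot $_ }

    # Refuse to touch anything if the expected folders are not there.
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            throw "Expected folder not found: $folder"
        }
    }

    # Step 1: stop the service and wait until it has really stopped,
    # otherwise the data store files are still locked.
    $service = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($service.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $service.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    $deleted = 0
    try {
        # Steps 2-3: delete the *contents* only; the two folders themselves stay.
        foreach ($folder in $folders) {
            foreach ($item in @(Get-ChildItem -LiteralPath $folder -Force)) {
                if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete')) {
                    Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                    $deleted++
                }
            }
        }
    }
    finally {
        # Step 4: always bring the service back, even if a delete failed.
        if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
            Start-Service -Name $ServiceName
        }
    }

    # Report what was done so it can go into the change log.
    New-Object PSObject -Property @{
        CacheRoot       = $CacheRoot
        TopLevelDeleted = $deleted
        ServiceStatus   = (Get-Service -Name $ServiceName).Status
    }
}

# Dry run: shows every stop, delete and start without performing any of them.
Reset-UpdateCache -WhatIf
```

    The last step, running Windows Update and switching to Microsoft Update, is still done by hand.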

    Windows Genuine...working or not?

    James in the comments says that on about 1/2 of his Windows 2000 boxes they are not validating going through Windows Genuine [I'm assuming that even though that's a post from March, he's hitting that issue now].  I don't have any 2000's to test on.

    I'm with ya James.. I'm not crawling on the floor...but I found that I didn't have to.  There was a way to say 'user alternative validation' and then I said I had a Dell from Dell and it went through.  Now mind you, this was on the XP platform, but I'll be right behind you saying .. “No, I'm sorry... I'm not crawling on the floor with a magnifying glass, thank you very much”.

    How about the rest of you?  Is WG working?


    [Update] I think Windows Genuine error is a red herring here as 2000's don't go through WGA.  James is getting me some screenshots and log files, but it looks like it's not related to WGA but might just be a 'run' on the Update servers?  I'm guessing on that one ...but we've been complaining they've been a smidge sluggish this week and we've been getting reports of errors in the log files saying “Update is not allowed to download due to regulation.”

    Sometimes... one doesn't have to type a single word...

    Oh... Krissy [my dog - a toy poodle]?  I think I need to buy something for you for Halloween....

    I think there's a disturbance in the force again

    If you suddenly are not getting emails from yahoogroups.com or getting notices that you can't send emails.. you might want to make sure you are not bouncing emails.... and excuse me?  Since when do I not have a sbradcpa-at-pacbell.net account Mr. Yahoogroups.com?


    We are unable to deliver the message from <sbradcpa@pacbell.net>
    to <mssmallbiz@yahoogroups.com>.
    
    Your email account has been bouncing mails.  This means that emails
    sent to your account over several days have been returned to us.
    This is sometimes because mail boxes are filled up, or because of
    configuration problems.  To reset your Yahoo! Groups account, please go
    to http://groups.yahoo.com/myprefs?edit=2
      
    For further assistance, please visit http://help.yahoo.com/help/us/groups/

    ** Description **

    ----- The following addresses had permanent fatal errors -----
    <sbradcpa@pacbell.net>
    (reason: 554 delivery error: dd This user doesn't have a pacbell.net account (sbradcpa@pacbell.net)
    [0] - mta115.sbc.mail.mud.yahoo.com)

    ----- Transcript of session follows -----
    ... while talking to mx1.sbc.mail.yahoo.com.:
    >>> DATA
    <<< 554 delivery error: dd This user doesn't have a pacbell.net account (sbradcpa@pacbell.net)
    [0] - mta115.sbc.mail.mud.yahoo.com
    554 5.0.0 Service unavailable

    ** Delivery Status **
    Reporting-MTA: dns; flpvm22.prodigy.net
    Received-From-MTA: DNS; n9.bulk.dcn.yahoo.com
    Arrival-Date: Thu, 13 Oct 2005 16:41:35 -0700

    Final-Recipient: RFC822; sbradcpa@pacbell.net
    Action: failed
    Status: 5.0.0
    Remote-MTA: DNS; mx1.sbc.mail.yahoo.com
    Diagnostic-Code: SMTP; 554 delivery error: dd This user doesn't have a pacbell.net
    account (sbradcpa@pacbell.net) [0] - mta115.sbc.mail.mud.yahoo.com
    Last-Attempt-Date: Thu, 13 Oct 2005 16:41:40 -0700

    Yeah, there's probably a group policy setting that I should go find for this - the temp file issue

    Annoyance 101 - Temp files.

    When you receive an email and there's a file attached... why is it that the default location for the files is some buried obscure location on your hard drive?

    I mean it's an attachment, right?  Why can't I have a “My Attachments” folder rather than some Temp file location?  I mean Temp file to me means that it's temporary.  Yeah you are supposed to do a 'save as' and get it out of there, and from a security standpoint it probably would be wise if you clean that out you know...but in reality... how many times in a small firm does stuff get stuck in the temp folder and we never realize where it is?

    Yeah we can do Desktop search and all that to find it, but wouldn't it be better if something popped up when we went to save and said “you do realize where this is being saved, right?”

    So?  How many times have you found stuff of clients in temp folders?  Is it an education problem?  Or should we be adjusting where our email programs dump those temp files? 

    I say ..fix the program.  What about you?

    What's normal?

    Okay there are times I need to stop reading event log files.  It could drive one to stop drinking Mountain Dew.  On a daily basis I have three SBS boxes that I can compare side by side.  Now mind you ... none of the three are doing the same things task wise... one is the 'real baby' that handles real requests, real data and real computers, one is my overgrown desktop at home that handles two workstations and a dog, and one is a Dell OEM for testing purposes that sees no real clients at all.  And I've come to the conclusion that establishing a baseline on these little guys is quite interesting.  Like my issue last night where one system [and only one] threw off that DCOM permission error. And with chatting with the gang they've found that error on various machines. 

    So how do you know what changed?  What's baseline when something is happening on one and not another?  I've noticed some differences on my Dell OEM that are its “baseline” value.  In fact Dell says there's a whole list of events that are 'normal'. [see page 11 - 16 here]  I'm honestly not sure I agree with that list for a non Dell OEM box.

    This one for example... I've only seen on my Dell OEM and never on my real baby or the one at home [both installed from open value or retail media]:

    Event Type: Warning
    Event Source: MTA Connections
    Description: Verify that the Microsoft Exchange MTA service has started. Consecutive ma-open calls are failing with error 3051. For more information, click
    http://www.microsoft.com/contentredirect.asp.

     

    This one that I got once on 11/14/2004 and then now just recently after my last two reboots after this weekend [I patched Friday night for security patches and then Saturday for Sharepoint sp2] is also just fine for us....

    Event Type:    Error
    Event Source:    MSExchangeDSAccess
    Event Category:    Topology
    Event ID:    2114
    Date:        10/15/2005
    Time:        11:38:32 PM
    User:        N/A
    Computer:    YOURSERVERNAMEHERE
    Description:
    Process INETINFO.EXE (PID=1136). Topology Discovery failed, error
    0x80040952.

    For more information, click
    http://www.microsoft.com/contentredirect.asp

    As per the experts....this is one where IIS/Exchange starts before DNS/AD is fully up, can usually be ignored if it only happens upon startup.  ......Yeah but does it have to suddenly 'start' showing up right after bootup only after the latest batch of patches?  I mean what's up with that?  I think sometimes my baby at the office likes to mess with my brain and keep me on my toes.

    It would be cool if there was some way you could add a metadata value to indicate when a file or binary got touched or permission changed... but then again... if they did that I'd be in Frys every weekend buying terabytes of hard drives.  I once set up Tripwire on my SBS 2000 server monitoring a bit too much and the amount of moving parts, log files, hard drive accesses was quite interesting to see.

    So...what's normal to you?
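    One way to answer that question across several boxes is to reduce each server's log to (source, event ID) pairs and list the pairs that do not appear everywhere. This is an added example, not part of the original post; it assumes Windows PowerShell 2.0 or later, and the server names and counts in the sample are constructed, with only the DCOM 10016 and MSExchangeDSAccess 2114 pairs taken from the events quoted on this page.

```powershell
# Added example: find event signatures that show up on only some servers.
# Function names are hypothetical, chosen for this example.

function Get-EventSignature {
    # Live collection: errors and warnings from one log, grouped per server.
    param([string[]]$ComputerName, [string]$LogName = 'Application', [int]$Days = 7)
    $after = (Get-Date).AddDays(-$Days)
    foreach ($computer in $ComputerName) {
        Get-EventLog -LogName $LogName -ComputerName $computer -EntryType Error, Warning -After $after |
            Group-Object -Property Source, EventID |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Computer = $computer
                    Source   = $_.Group[0].Source
                    EventID  = $_.Group[0].EventID
                    Count    = $_.Count
                }
            }
    }
}

function Compare-EventBaseline {
    # Returns every signature that is missing from at least one server.
    # -Server lists all servers compared, including any that logged nothing.
    param([object[]]$Signature, [string[]]$Server)
    $Signature |
        Group-Object -Property Source, EventID |
        ForEach-Object {
            $seenOn    = @($_.Group | ForEach-Object { $_.Computer } | Sort-Object -Unique)
            $missingOn = @($Server | Where-Object { $seenOn -notcontains $_ })
            if ($missingOn.Count -gt 0) {
                New-Object PSObject -Property @{
                    Source    = $_.Group[0].Source
                    EventID   = $_.Group[0].EventID
                    SeenOn    = $seenOn -join ', '
                    MissingOn = $missingOn -join ', '
                    Total     = ($_.Group | Measure-Object -Property Count -Sum).Sum
                }
            }
        }
}

# Constructed sample standing in for Get-EventSignature output from three boxes.
$servers = 'OFFICE', 'HOME', 'DELLOEM'
$sample = @(
    @{ Computer = 'OFFICE';  Source = 'DCOM';               EventID = 10016; Count = 1 },
    @{ Computer = 'OFFICE';  Source = 'MSExchangeDSAccess'; EventID = 2114;  Count = 2 },
    @{ Computer = 'OFFICE';  Source = 'SampleSource';       EventID = 1000;  Count = 5 },
    @{ Computer = 'HOME';    Source = 'SampleSource';       EventID = 1000;  Count = 3 },
    @{ Computer = 'DELLOEM'; Source = 'SampleSource';       EventID = 1000;  Count = 4 }
) | ForEach-Object { New-Object PSObject -Property $_ }

# SampleSource/1000 is on all three boxes and drops out; the two OFFICE-only
# signatures are what remains for a pair of eyes to judge.
Compare-EventBaseline -Signature $sample -Server $servers |
    Format-Table Source, EventID, SeenOn, MissingOn, Total -AutoSize
```

    Against live servers, replace the sample with `Get-EventSignature -ComputerName $servers`, once for the Application log and once for the System log.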

    Okay so we barely have a tree ...let alone a forest

    So I was listening to Eileen Brown regarding Exchange and active directory and it reminded me of some comments that folks made at the summit regarding backing up and restoring active directory and how you really really never wanted to Image a domain controller and reintroduce it back into a network.  The guys at the SBSPodcast even talked about how ...while we can do ghosting and imaging in SBSland.... it's really not supported at all and they don't recommend it.

    One of the interesting things that we don't 'quite' have to worry about like our big brothers is the issue of Tombstoning in AD.. a process whereby Active Directory cleans up after itself, and pre Service Pack 1, the default is 60 days.  Any server set up that has SP1 included from the get go has a new value... 180 days.

    And what's cool about the AD guys... is rather than like the Security guys in SP 1 where the “SynattackProtect” value in SP1 is “enabled by default” but you can't see it... the value in a SP1 box [remember installed from the get-go with SP1] with the new Tombstone value is 180 and you CAN see it in action on a box newly installed with SP1 already in place.

    Well.. you can see it if you download and register the adsiedit.msc that is...

    Once you do you can drill down and see the values.... in a SBS box like my real baby that has had sp1 'added', the value is < Not Set > meaning it's the default of 60 days.  On a box that has SP1 already installed from slip media, the value is “180”..... like so...

    Ulf talks about this here as well... and...uh... I guess I could have scripted my answer as well by the looks of his blog post...

    Now what does all this mean for us SBSers?

    Uh...not much... as every night I take a full backup of my Active Directory anyway so it's not the big thing it is in big server land... just something interesting to see that they have changed in SP1 ...that's all

    If you've ever wondered what goes on behind those Dr. Watson 'send' things

    In my office I've sent my fair share of Dr. Watson error messages, and this video showcases exactly what happens when I send those Dr. Watson errors.  It shows that the Programmers and Developers really do understand and share our pain.  Take a look at this video about the process... I think from now on you'll want to send more of those errors up to Microsoft.

    {requires logging in via Microsoft Passport... don't be drinking liquids while viewing in front of a computer screen}

    Getting a DCOM 10016 right after reboot?

    Checking the server I notice right after reboot last night [and I didn't spot it until the “6 a.m Hello I'm your server, here's how I'm doing, how are you?” email] that I got this right after reboot....

    Buried in all the 'oh my gawd you just rebooted me'  and the “oh I'm adding a printer that I don't have that you have because you are TSing into me [remind me to unclick that printer thing in my RDP to the server box, will ya?]“ freak out messages that you have to weed through and realize it's just my server reacting to Shavlik shutting down IIS and patching things was one that didn't make sense....


    Event Type:    Error
    Event Source:    DCOM
    Event Category:    None
    Event ID:    10016
    Date:        10/14/2005
    Time:        10:45:45 PM
    User:        NT AUTHORITY\SYSTEM
    Computer:    YOURSERVERNAMEHERE
    Description:
    The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
    {9DA0E106-86CE-11D1-8699-00C04FB98036}
    to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    Hmmm.....what the heck is that?  I don't remember that as normal at all.... and I asked the gang and Wayne reminded me that Marina had spotted that after the Service Pack 1 install.

    Sure enough...she did.  Follow the instructions and...hmmm.. yup something got a little wacked there.... my screens on my server don't look like hers at all.  I have no Admin or System user in that window at all.  I need to look at the computer at home as well.  See if I missed the clues there too that something happened.  Looks like it didn't hurt anything ...but you know us SBSers and our need for clean log files.

    < Please note - it's been reported on SBS no sp, SBS with sp, and not after any particular patch that we can tell... so if you don't get it this go round... don't worry... and if you do... fix it right back up >

    Don't do that... they mean really DON'T DO THAT

    I'm listening to the SBS podcast and they remind me of the uniqueness of SBS... don't ...don't ever...rename the domain and expect to live through the experience.

    Like the comments... active directory domain name does not equal your email domain name... and only YOU the administrator cares about the domain name.

    Like Peter says... DDT.... don't do that.

     

     

     

    Oh ... it's there.... the SBS Podcast is THERE!

    Okay so I really ..... I mean... I really need a life.... it's confirmed...because I'm eagerly downloading Podcast #4 on the SBS Support Gang. 

    Click to go to their blog and then download the MP3 from the link.  Listen using Windows Media and .... geek out audio podcast Saturday with the SBS gang here I come!!!!

    So you patched all your servers/computers... don't forget there's a rollup to MCE 2005 waiting for you at home

     Today, Microsoft announced the availability of a software update for Windows XP Media Center Edition 2005 that will enable consumers to access and enjoy their digital entertainment with greater ease. Microsoft also announced that to date, over 4 million Media Center PCs licenses have sold since the product launched in 2002 - more than 2 million alone have shipped since May 2005!

    Available immediately via Windows Update download site, Update Rollup 2 for Windows XP Media Center Edition 2005 will provide several new features, including:

    ·         Xbox 360 Extender functionality. Customers can seamlessly access digital music, video, photos, and standard and high-definition television and movies on Media Center Edition 2005-based PCs through any Xbox 360 game console in the house..

    ·         Away Mode. Away Mode will bring the convenience, quiet performance and instant on/off functionality of consumer electronics to the Media Center PC.

    ·         DVD changer support. Media Center now offers integrated support for external DVD changers, enabling consumers to watch movies and manage DVD selections (up to 500) from the Media Center interface.

    ·         DVD-burning improvements. Updates to the Sonic DVD burning engine improve the performance and capabilities of DVD burning in Media Center. Now consumers can convert high-definition TV shows to standard definition and burn to a DVD all in one step.

    ·         Additional HDTV tuner support. Update Rollup 2 provides support for up to four TV tuners. Users will now be able to utilize two NTSC (analog) capture boards and two ATSC (digital) capture boards.

    In addition to the new features, Microsoft announced a partnership with MTV Networks that will provide Windows XP Media Center Edition 2005 users access to content currently available on MTV Overdrive. Overdrive is MTV.com's new broadband video channel delivering the hottest video content to Media Center PCs. Overdrive provides access to live performances, over 10,000 archived music videos, artist interviews, never-before-seen footage of MTV shows, the latest news, movie trailers and more. This content will be made available immediately via Online Spotlight.

    For more information on Update Rollup 2 for Windows XP Media Center Edition 2005 including a letter from Joe Belfiore, General Manager, Windows Media Center, please visit the Windows XP Media Center Edition Newsroom:

    Well that's a DDT Event now, isn't it?

    The delete functionality in the System Policies folder removes the Exchange 2003 object from the configuration naming context of Active Directory:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;841516

    Well that's a button that needs a “I'm sorry Dave, I'm afraid I can't do that“ now doesn't it.  Was chatting with an AD guru last night while I was patching and we were discussing that KB article and the impact one little wrong click had.  Ouch.  And since I'm native mode here myself that reminded me of something one of the PSS/CSS folks in Charlotte once said about such one way events that were not pleasant at all... DDT events... Don't Do That.

    Sometimes in parts of the operating system there needs to be more 'hey, let's protect this person from their stupidity' wizards.  I've said this before about SBS...when people go to set things up manually there should be a little “Hal“ voice that says “you do realize we have a wizard to do that for you, right?“.  I think in Exchange...where mail and communication is King...anytime the admin hits a DDT moment ...Hal should say “are you sure you want to do that?“.

    Post patching procedures

    I'm in my PPP time now.   Post Patch Procedures... where I'm checking the server... sending email just to make sure all is okay and I also run Microsoft Update on the server to see that 'it' sees all patches are applied when Shavlik says they are and I notice that Microsoft Update finally has Sharepoint SP2 [KB 887624] on the update screen.

    Now this one is a bit interesting since it's DEMANDING to be installed all by itself.

    And let's see if it needs a reboot shall we?  Others have already installed this and it's certified by Mothership Redmond for our boxes.

    I do get a notification that it's shutting down the W3SVC service..but it's not asking for a reboot.

    Hmmm...this has nothing to do with this latest round of patching... I've noticed the last couple of times I've rebooted my server that SQLAgent$SBSMonitoring service which is set to “Automatic” is not automagically starting like it should.  I need to call PSS on that and see what's up with that.  Right now I've been manually starting the service...but I need to figure out what's up with that.  Other than that... everything looks normal.

    Clean Slate

    So when do you give a vendor or a person a clean slate to start over?

    A new page?  Start from square one.

    I was thinking about this tonight in regards to a couple of conversations and sometimes I wonder if sometimes...just sometimes...we let the word of mouth... the Church of the Customer not let us make up our own minds.  Now don't get me wrong.  Word of mouth ...the been there and done that can be the greatest piece of information and knowledge sharing you can get, but isn't there sometimes when evaluating something it might be better coming into it with an open mind from the beginning and then letting the facts let you come to your own conclusion?

    A fresh start; another chance after wiping out old offenses or debts. This idiom often appears as wipe the slate clean. For example, Henry's boss assured him that the matter was finished and he could start with a clean slate, or He wished he could wipe the slate clean, but it was too late to salvage the relationship. This expression alludes to the slate boards on which school work or tavern bills were recorded in easily wiped-off chalk. Since 1850 or so the term has been used figuratively, and it has long outlived the practice of writing on slate.

    I still remember going to a movie that the critics loved.  Their 'word of mouth' regarding that movie meant that I had certain expectations in mind.  I sat in the movie theater ...waiting for the movie to get to that part that the critics said was wonderful.  And I sat.  And sat.   And sat.  And soon the end credits rolled.  And their word of mouth, set my expectations so badly that ...to this day... I can tell you exactly the movie that I sat through thinking.... did I see the same movie they did?  Did I wander into the wrong theater? 

    Don't get me wrong... I think the “been there and done that” and “word of mouth” is valuable, but sometimes...just sometimes... you might want to do something I call the “To kill a mockingbird” effect.  Walk across the street.  Turn around.  Now look at the view from the other angle.  That word of mouth you are getting is just that... a view.  And maybe...just maybe..... making up your own mind ...without expectations might also be of use.  Maybe the view is just what happened to them.  A one-off.  Maybe the view is that from a long time ago [like me and that movie]

    I will never forget a movie that horribly set my expectations. 

    So tomorrow in my part of the world is the end of the week and Sunday to me, is the beginning of the new week.  It's the day we get to 'start over'.  Now I'm not saying I'll be watching that movie next week.... but just maybe I'll start Sunday morning with a clean slate and pick a new movie to watch and decide what I think about it.

    How about you?  How about you pick something or someone and start off next week with a clean slate?  A new view.  Another chance. 

    And this time... make up your own mind from what you expect...not from what others have set for you.

    I'm patching are you?

    Firing up my handy dandy Shavlik Netchk to patch those machines who have end users that I patch for... Member server has been patched and as soon as the last one goes home tonight I'll be patching the server.

    Yes, even though the due date for tax returns is Monday, I am deploying patches tonight.  Why?

    Because it's my normal patch window of opportunity for one.  If I have issues I know I can get myself back into a position where things are working over the weekend and I won't have that opportunity during the week, and....

    for two... I'd rather...even though I am on way way more protected XP sp2 and Windows 2003 SP1, to be in the best defensive position I can be.

    So right now I'm clicking and patching those workstations that need the patches...  I'll have to check the computers I have running as Limited users but I'm not expecting any major issues.... I've tested the patches already on several workstations.

    Issues with 05-051/902400 and running as "Restricted User"?

    Folks are finding that “Bypass Traverse Checking” needs to be enabled for Authenticated users on machines that are running in “least user privileges” mode that have this permission disabled.

    KB 823659  and the Threats and countermeasures guide discusses this.

    From the PatchManagement.org listserve....

    Here is the response from MS tech person I just received in reference to the
    issues we were having with some desktops and the 05-051/902400 patch.
    Essentially, on some of the machines we locked things down too much in the
    security policy causing the issue.

    Here is the response:

    --

    According to MS tech rep:

    The solution will be available at
    http://support.microsoft.com/?id=909444,
    and will be linked to from the MS05-051 bulletin - hopefully within the
    hour.  Feel free to communicate the cacls solution to anyone you come across
    until then. This is not a "known issue" or "problem" with the patch, but a
    "complexity with the increased security provided by the patch when running
    on systems where settings have been incorrectly changed from the default
    settings".

    P.S.  link is now live:

    Various problems may occur after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC:
    http://support.microsoft.com/?id=909444
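
    One way to find the locked-down machines before MS05-051 goes out, as an added Python example (not from KB 909444, the listserv post or this blog): it reads the [Privilege Rights] section of a `secedit /export` file and flags hosts where SeChangeNotifyPrivilege, the right shown in the UI as “Bypass traverse checking”, is not granted to Authenticated Users. Treating Everyone (S-1-1-0) as also covering authenticated users, the host names and the sample exports are assumptions constructed for the example.

```python
import codecs

BYPASS_TRAVERSE = "sechangenotifyprivilege"   # "Bypass traverse checking"
# Assumption: either principal below covers every authenticated user.
COVERS_AUTH_USERS = {"s-1-5-11", "authenticated users", "s-1-1-0", "everyone"}

def decode_export(raw):
    """secedit exports are normally UTF-16 with a BOM; edited templates may not be."""
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def privilege_rights(text):
    """Return {right (lowercased): [principal, ...]} from [Privilege Rights]."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; account names appear without the star.
            rights[name.strip().lower()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_host(raw):
    """Classify one export as 'ok', 'restricted' or 'unassigned'."""
    holders = privilege_rights(decode_export(raw)).get(BYPASS_TRAVERSE, [])
    if not holders:
        return "unassigned"      # nobody holds the right at all
    if any(h.lower() in COVERS_AUTH_USERS for h in holders):
        return "ok"
    return "restricted"          # granted, but not to Authenticated Users

def hosts_to_fix(exports):
    """exports: {hostname: raw bytes of that host's export}."""
    return sorted(h for h, raw in exports.items() if audit_host(raw) != "ok")

# --- constructed sample exports (hypothetical hosts, not real policy files) ---
def _export(rights_line, encoding="utf-16"):
    text = ("[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n" + rights_line +
            "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
    return text.encode(encoding)

def sample_exports():
    right = "SeChangeNotifyPrivilege = "
    return {
        "ws01": _export(right + "*S-1-1-0,*S-1-5-32-544,*S-1-5-32-545\r\n"),
        "ws02": _export(right + "*S-1-5-32-544\r\n"),            # Administrators only
        "ws03": _export(right + "*S-1-5-11,*S-1-5-32-544\r\n", "utf-8"),
        "ws04": _export(""),                                     # right not present
    }

if __name__ == "__main__":
    print(hosts_to_fix(sample_exports()))
```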

    Want to put the BCM data file [MSDE] ON your SBS box?

    You Can!  It's now supported!
    831747 Overview of the Business Contact Manager for Outlook 2003 update:
    http://support.microsoft.com/?id=831747

    So why those pesky alerts don't show up like they are supposed to....

    Amy points out why those pesky alerts in ISA don't show up like they are supposed to.  And she learned about this from the SBS Podcast number 2.  You know.. THE Podcast.  Where THE UBER SBSers .... SBS Escalation Engineers who do things to their home boxes you'd never ever dream of doing, answer questions and discuss the issues you might see about SBS.  There's one tomorrow as a matter of fact!  Check it out and then download the podcast.  It's a mp3.  I'm building a SBS mp3 library myself.

    Top support issues from the Partner newsgroups

    Why you want...you NEED to be a Microsoft Partner...because you get resources like this...

     

    TOP SUPPORT ISSUES

    -----------------------------------------------------------

    Issue 1:

    ********

    Memory leak issues

     

     

    Problem Symptom 1:

    ==================

    Memory leak & Allocated memory alert

     

    Suggestion:

    Some of them are caused by the SQL memory processing mechanism:

    http://msmvps.com/bradley/archive/2005/03/07/37868.aspx.

    Memory leak caused by the Lsass.exe process:

    821008 Windows Server 2003-Based Computer Becomes Slow and Unresponsive After - http://support.microsoft.com/?id=821008

    829993 Memory Leak Occurs in the Lsass.exe Process on a Windows Server - http://support.microsoft.com/?id=829993

     

    Other memory leak issues are most likely related to VSS (when used with some 3rd party backup programs, such as Veritas, Ultrabac). What you expect to see in this kind of issue may be any of the following:

     

    Poor and gradually declining system performance

    Out-of-memory errors

    VSS errors

     

    If you do see the symptom listed above, I would suggest the following hotfixes be installed on the server, or you may want to apply SBS 2003 SP1 directly.

     

    826751 Backup Program Causes Gradually Declining Performance - http://support.microsoft.com/?id=826751

    838864 A backup or a restore operation of Exchange 2003 storage groups fails - http://support.microsoft.com/?id=838864

    867667 The Beremote.exe process uses up to 100 percent of CPU resources - http://support.microsoft.com/?id=867667

    870973 A memory leak occurs in an application using the Volume Shadow Copy - http://support.microsoft.com/?id=870973

    831112 You cannot import a transportable shadow volume in Windows Server 2003 - http://support.microsoft.com/?id=831112

    833167 A Volume Shadow Copy Service (VSS) update package is available for - http://support.microsoft.com/?id=833167

     

    After the SBS 2003 SP1 installation, you still receive the memory allocation alert to indicate that store.exe is using an abnormal amount of memory.

    This is actually the same issue described in the following KB: 867628 Monitoring programs report that the Store.exe process consumes - http://support.microsoft.com/?kbid=867628

     

    To completely fix this:

    You can re-run the Configure Monitoring Wizard and it will also disable the store alert. Note that you need to choose 'Reinstall Monitoring features' when running MCW (Monitoring Configuration Wizard), or disable the alert manually from the Health Monitoring page.

     

    Issue 2:

    ========

    Slow Shutdown issues on Exchange 2003 (installed on a Windows 2003 DC)

     

    Problem Symptom

    ===============

    When you shut down a Microsoft Windows Small Business Server 2003-based computer, the shutdown process takes longer than expected to finish.

     

    Cause

    =====

    The problem of slow shutdowns is not actually a SBS specific one. It exists for every server which is both a domain controller and an Exchange server. When you shut down the Windows Small Business Server 2003-based computer, the Active Directory directory service shuts down at the same time that the Microsoft Exchange Server services shut down. Therefore, Active Directory becomes unavailable when the Exchange Server services shut down. For example, this problem causes Exchange Directory Service Access (DSAccess) searches to time out and to return errors. Additionally, the DSAccess searches sleep and then restart several times. Therefore, the Exchange Server services that wait for the DSAccess searches to finish are delayed.

     

    Resolution

    ==========

    Apply SBS 2003 SP1, as mentioned in the KB article http://support.microsoft.com/?kbid=887539

    or, if you don't want to apply SBS 2003 SP1 currently, please get the Hotfix 887539 from CSS.

    or manually workaround this issue by either modifying the WaitToKillServiceTimeout value (http://support.microsoft.com/default.aspx?scid=kb;en-us;555025) or scripting the Shutdown sequence (http://www.msexchange.org/tutorials/Accelerating_Exchange_Shut_Down.html).

     

    Issue #3 - Hot Issue

    ====================

    S2S PPTP VPN gets disconnected after SBS 2003 SP1 Premium (ISA 2004) installation

     

    Problem Symptom

    ===============

    Site to Site (S2S) PPTP VPN connection gets disconnected after the SBS 2003 SP1 (ISA 2004) installation. The scenarios we've seen so far are listed below:

    Linux VPN server <-> SBS 2003

    Linksys VPN <-> SBS 2003

    Netopia VPN <-> SBS 2003

    Watchguard <-> SBS 2003

     

    Analysis

    ========

    The key things to zero in on are the GRE Call IDs (that control data flow) and whether the PPTP Echo Request/Reply process over TCP port 1723 is working (which keeps the connections connected). We encourage you to get a Netmon trace from the VPN server to try and figure out if there is GRE Call-ID mapping going on upstream from the ISA server. It will turn out that the remote device is not following the RFC 2647. So we fail because ISA's pptpfltr.dll is being strict with RFC.

     

    Solution

    ========

    1) Don't use the NAT module in the router. Get a .252 block address from their ISP that allows them to set up routing rather than use NAT. (This should give you one IP address for the router, one for the ISA server and a network and broadcast address)

    2) Contact the router vendor and get an updated firmware that fixes the NAT problem. (That is if one exists) You can always try the latest firmware.

    3) Buy another router that does not have this NAT/PPTP compliance issue

     

    Appendix 1 - Why Windows XP doesn't have the same issue

    You may find that you can make solid PPTP connections through the router by placing the client PC (XP SP2) on the network that is connected to the EXTERNAL ISA interface and the INTERNAL router interface - effectively the DMZ for this network. It's because the PPTP module in the Windows RAS client has a different design, it does not check the Call ID in the packet. It just accepts it.

     

    Appendix 2 - RFC 2637

    RFC 2637 - http://www.faqs.org/rfcs/rfc2637.html:

     

    Appendix 3 - If it's a ISA 2000 box, not a ISA 2004

     

    Make sure that you have ISA SP2 applied which contains the hotfix 831531. In addition, according to the hotfix 'FIX: Outbound PPTP connections may disconnect after 60 seconds if the ISA Firewall Service is running - http://support.microsoft.com/?id=831531', the problem should be fixed without changing the binding order.

    If remote is not an ISA server, change the local value InactivityIdleSeconds to 30 seconds to ensure that the server's timer always expires first. (See Q262990 for instructions): '262990 RRAS VPN Dial-On-Demand Failover Mechanism - http://support.microsoft.com/?id=262990 '.

    840654 Your VPN connection is disconnected after several minutes in Windows XP - http://support.microsoft.com/?id=840654
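
    The Call ID and Echo checks from the Analysis section of the quoted partner post, as an added Python example that is not part of the original post or any Microsoft tool: it decodes RFC 2637 control messages and enhanced GRE headers, then reports GRE packets whose Call ID was never negotiated on the control channel and Echo-Requests that got no reply. The trace record layout (direction, kind, bytes), the finding codes and the sample messages are assumptions constructed here; a real Netmon capture would first need its TCP 1723 and IP protocol 47 payloads extracted.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D                      # RFC 2637 magic cookie
ECHO_REQ, ECHO_REP, OCRQ, OCRP = 5, 6, 7, 8  # control message types
GRE_PPP = 0x880B                             # enhanced GRE protocol type
OTHER = {"in": "out", "out": "in"}

def parse_control(msg):
    """Decode one PPTP control message (the TCP 1723 payload)."""
    if len(msg) < 12:
        raise ValueError("short PPTP control header")
    length, mtype, magic, ctype, _ = struct.unpack("!HHIHH", msg[:12])
    if mtype != 1 or magic != PPTP_MAGIC or not 12 <= length <= len(msg):
        raise ValueError("not a well-formed PPTP control message")
    body, out = msg[12:length], {"ctype": ctype}
    need = {OCRQ: 2, OCRP: 4, ECHO_REQ: 4, ECHO_REP: 4}.get(ctype, 0)
    if len(body) < need:
        raise ValueError("control message body truncated")
    if ctype == OCRQ:
        (out["call_id"],) = struct.unpack("!H", body[:2])
    elif ctype == OCRP:
        out["call_id"], out["peer_call_id"] = struct.unpack("!HH", body[:4])
    elif ctype in (ECHO_REQ, ECHO_REP):
        (out["ident"],) = struct.unpack("!I", body[:4])
    return out

def parse_gre(pkt):
    """Decode the enhanced GRE header that carries the PPP data."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, _plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PPP or (b1 & 0x07) != 1 or not b0 & 0x20:
        raise ValueError("not PPTP enhanced GRE (version 1, K bit, 0x880B)")
    return {"call_id": call_id, "has_seq": bool(b0 & 0x10), "has_ack": bool(b1 & 0x80)}

def check_trace(trace):
    """trace: (direction, kind, bytes) records from the capturing host, where
    direction is 'out' (sent) or 'in' (received) and kind is 'ctrl' or 'gre'.
    Returns findings as sorted (record_number, code, value) tuples."""
    assigned = {"in": set(), "out": set()}  # Call IDs chosen by each sender
    pending, findings = {}, []              # (direction, ident) -> record no.
    for n, (direction, kind, data) in enumerate(trace, 1):
        peer = OTHER[direction]
        if kind == "gre":
            # The GRE key holds the Call ID that the *receiver* assigned.
            call_id = parse_gre(data)["call_id"]
            if call_id not in assigned[peer]:
                findings.append((n, "gre-call-id-unknown", call_id))
            continue
        m = parse_control(data)
        if m["ctype"] == OCRQ:
            assigned[direction].add(m["call_id"])
        elif m["ctype"] == OCRP:
            assigned[direction].add(m["call_id"])
            # Peer's Call ID must repeat the Call ID from the request.
            if m["peer_call_id"] not in assigned[peer]:
                findings.append((n, "reply-peer-call-id-unknown", m["peer_call_id"]))
        elif m["ctype"] == ECHO_REQ:
            pending[(direction, m["ident"])] = n
        elif m["ctype"] == ECHO_REP:
            if pending.pop((peer, m["ident"]), None) is None:
                findings.append((n, "echo-reply-unsolicited", m["ident"]))
    findings += [(n, "echo-unanswered", ident) for (_, ident), n in pending.items()]
    return sorted(findings)

# --- constructed sample messages (not taken from a real capture) ---
def _ctrl(ctype, body):
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctype, 0) + body

def ocrq(call_id):                 # 168-byte Outgoing-Call-Request
    fixed = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 10**8, 3, 3, 64, 0, 0, 0)
    return _ctrl(OCRQ, fixed + bytes(128))

def ocrp(call_id, peer_call_id):   # 32-byte Outgoing-Call-Reply, result 1
    return _ctrl(OCRP, struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 10**8, 64, 0, 0))

def echo(ctype, ident):
    tail = b"" if ctype == ECHO_REQ else struct.pack("!BBH", 1, 0, 0)
    return _ctrl(ctype, struct.pack("!I", ident) + tail)

def gre(call_id, seq):
    ppp = b"\xff\x03\xc0\x21"      # start of a PPP LCP frame
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, len(ppp), call_id, seq) + ppp

def healthy_trace():
    return [("out", "ctrl", ocrq(0x4001)), ("in", "ctrl", ocrp(0x0007, 0x4001)),
            ("out", "gre", gre(0x0007, 0)), ("in", "gre", gre(0x4001, 0)),
            ("out", "ctrl", echo(ECHO_REQ, 1)), ("in", "ctrl", echo(ECHO_REP, 1))]

def mapped_trace():
    # An upstream NAT mapped the Call ID on the control channel but did not
    # translate it back in inbound GRE; the keepalive also goes unanswered.
    return [("out", "ctrl", ocrq(0x4001)), ("in", "ctrl", ocrp(0x0007, 0x4001)),
            ("out", "gre", gre(0x0007, 0)), ("in", "gre", gre(0x0001, 0)),
            ("out", "ctrl", echo(ECHO_REQ, 1))]
```

    A strict endpoint drops the record flagged `gre-call-id-unknown`, which matches the post's explanation of why the tunnel fails behind a router that maps Call IDs inconsistently.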

    Seeing two patches for 902400 in your WSUS console?

    Torgeir reports that the two patches are for Windows XP sp1 and Windows XP sp2 that you might be seeing in your WSUS consoles needing approval. 

    He says....

    Hi,

    The one with Update ID 8768e086-9d42-41df-8577-76f820c39364 is for
    Windows XP SP1.

    The one with Update ID e0a7fc7e-ff6e-4559-990b-4b4a01f0ad39 is for
    Windows XP SP2.

    If you have both WinXP SP1 and SP2 computers, you will need to approve
    both.

    I have informed Microsoft that the service pack requirement should be
    added to the WSUS metadata to avoid confusion, and from the feedback
    I got, hopefully this will happen in the near future.

    Regards,
    Torgeir

    Torgeir posted this to the WSUS listserve [you can sign up at www.patchmanagement.org site]  902400 is MS05-051 that should be quickly patched to your Windows 2000 boxes [remember the threat to 2k3 and XP sp2 is much less].

    Two SBSers reported ......

     "This morning four users reported that after booting up, their desktop PCs did not respond to ctrl+alt+del. They had to cold boot them, at which point everything worked normally. Nothing logged.

    I'm thinking the Tuesday patches got applied by SUS yesterday without reboot, so these were the first startups after the patch applications."

    It's Stump the gang from the Official SBS Support Blog time

    This Friday you can have your chance to stump the gang on the Official SBS Support blog when they do this week's Podcast/Live Meeting.

    Remember that's 11 a.m Central Standard Time.

    Send your questions to sbspod-at-microsoft.com or voice mail at 206-984-0184.

    (866) 500-6738
    Use participant code: 8612341  (changes weekly)

    Incidents.org reports the 'chatter' around Security bulletin 05-051 is getting louder

    Got windows 2000 machines in your network?  Start patching them for 05-051...like NOW.

    SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis:
    http://isc.sans.org/diary.php?storyid=759

    http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx?pf=true

    Why I ask for "the exact error message"

    Coworker - my computer at home isn't working? Got any ideas?  It won't boot?

    Me - what's the error message?

    Coworker - it's a long one.

    Me - yes, but what is it?

    Coworker - I have to write it down?

    Me - yes, is it a BSOD - a blue screen of death?

    Coworker - no.

    Me - okay so when it happens, can you write down 'enough' of the message you are seeing...otherwise I can't search for an answer.

    So he brings in the handwritten note of the message.  The primary part of it being the “UNMOUNTABLE_BOOT_VOLUME”  and of course, within seconds we have our answer.  Yeah, it's not a blue screen...uh huh... yeah.

    I see so many times folks will say “my computer just bugchecked” what does this mean?  What's this error code?  And yeah, I can google msnsearch and point you to the Debugger Tools with the help file and all that ... and I might be able to give you a hint or a clue ....but you know what?  There's an easier way.  Support.  It's called support.  And for you guys in the partner program you have even more options for support.  And all it takes is one trained person to review that file and more often than not they can tell you exactly why that machine errored out and where to look for a fix [if it's hardware driver based] or give you a hotfix.

    Now I'm not saying that you are guaranteed a free call or anything ...but honestly... isn't your firm worth the $245 call?  And depending on the issues, there have been times that I've ended up being 'comp'd' that call.

    Getting the right help gets you back in business quickly.

    Why aren't you taking advantage of the resources you have access to?

    Wanna listen geek?

    Eriq Neale is doing a radio show!  Cool!   eOnCall will air at 10am Central time today on Apostle Internet Radio ( http://www.apostleradio.org ). Later this evening, the show will be available for download from the show site ( http://www.eoncall.com ) if you were not able to listen during the broadcast.

    Check it out!

    05-049 is only important, not critical [WSUS not quite reporting properly]

    If you are WSUSing and doing so based on Criticality... 05-049 [kb 900725] is showing up on WSUS as critical and the bulletin says it's Important.

    But honestly... patch anyway...since you are there WSUSing... if you've tested it and are ready for approval.  I'd say, go ahead.

    I just realized today

    I just realized today...that all of my “Thanks Les!” settings got blown off during the SBS 2003 sp1 install [or... something removed them and I'm blaming it on that anyway].  All I know is that I had made some settings adjustments in there and they are no longer inside my Exchange server. 

    No problem...fortunately due to the handy dandy blog I know what I changed.  {Well I do have network documentation as well but it was just easier to fire up the blog and review what recommendations Les had here}

    Security Bulletin 05-051 - keep an eye on Windows 2000 and XP SP1 machines again

    Intrusion Prevention, Vulnerability Assessment & Network Security:
    http://www.eeye.com/html/company/press/PR20051011.html

    "Eeye discovered the vulnerability and provided a cookbook to write an exploit as part of its advisory. Shouldn't take too long to see this exploited."  --
    http://isc.sans.org/

    Oh gee...thanks eEye for that one.  Like the business of the Exploiters needs any more head start.  I mean eEye.... come on...there are BUSINESSES now targeting us.  This isn't script kiddie games anymore.  Why do you need to give folks a road map?  Gentlemen... start our testing....

    Microsoft Security Bulletin MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400):
    http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

    *Could the vulnerability be exploited over the Internet? *
    Yes, by anonymous users on Windows 2000 and Windows XP Service Pack 1. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site
    <http://go.microsoft.com/fwlink/?LinkId=21169>. IT professionals can visit the Security Guidance Center Web site <http://go.microsoft.com/fwlink/?LinkId=21171>.

    On Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1, an attacker must be able to log on to the specific system that is targeted for attack. An anonymous attacker cannot load and run a program remotely by using this vulnerability on these operating system versions.

    But remember this looks like the Zotob one...XP sp2 and Windows 2003 will be better protected from Windows 2000 and XP sp1 machines.

    Patches this month

    Microsoft Security Bulletin MS05-044 (Moderate)
    Vulnerability in the Windows FTP Client Could Allow File Transfer
    Location Tampering (905495)
    http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx
    
    Microsoft Security Bulletin MS05-045 (Moderate)
    Vulnerability in Network Connection Manager Could Allow Denial of
    Service (905414)
    http://www.microsoft.com/technet/security/Bulletin/MS05-045.mspx
    
    Microsoft Security Bulletin MS05-046 (Important)
    Vulnerability in the Client Service for NetWare Could Allow Remote Code
    Execution (899589)
    http://www.microsoft.com/technet/security/Bulletin/MS05-046.mspx
    
    Microsoft Security Bulletin MS05-047 (Important)
    Vulnerability in Plug and Play Could Allow Remote Code Execution and
    Local Elevation of Privilege (905749)
    http://www.microsoft.com/technet/security/Bulletin/MS05-047.mspx
    
    Microsoft Security Bulletin MS05-048 (Important)
    Vulnerability in the Microsoft Collaboration Data Objects Could Allow
    Remote Code Execution (907245)
    http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
    
    Microsoft Security Bulletin MS05-049 (Important)
    Vulnerabilities in Windows Shell Could Allow Remote Code Execution
    (900725)
    http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx
    
    Microsoft Security Bulletin MS05-050 (Critical)
    Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
    http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx
    
    Microsoft Security Bulletin MS05-051 (Critical)
    Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution
    (902400)
    http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
    
    Microsoft Security Bulletin MS05-052 (Critical)
    Cumulative Security Update for Internet Explorer (896688)
    http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx
    
    Updated Malicious Software Removal Tool
    http://support.microsoft.com/?kbid=890830

    Getting there

    “Tech for Non Profits” blog talks about getting to SBS 2003 and I agree with blog post one.... that moving from a domain to another domain is a pain... I guess he didn't know about our swing solution at sbsmigration.com...but there's a couple of things I think need a little clarity in post number 2.

    First off... DON'T give up on centralized virus management... excuse me.... you want the dat file coming into the server and autodeployed.  Get the corp editions of that for that purpose...not the yellow box standalones.

    Next, the firewall can be adjusted by you at the server...or you can edit the policy to let the workstations manage the firewall [see here for the policy to be adjusted]

    Next...get off of pop email...please?  You do realize that you can't use Exchange IMF or any of the cool server spam tools.  And just because you are small doesn't mean you can't do full smtp email with tzo.com forwarding your email [I've blogged about this before...I'm not going to bore the regular readers with the details...but they've probably heard this rant before anyway]

    Next you don't have to have local admins on the workstations... once the install of the programs are deployed...shut those workstations back to standard user.  Easy.  I mean, I don't know about you but I don't redeploy Outlook 2003 sp1 every day.

    Larry... migration from a domain to another domain isn't easy.  From peer to peer is the easiest method and the /connectcomputer will migrate the settings of the profiles. 

    Yes, DNS is sweeter when you let SBS do its thing...but that's AD.  I love the AD glue and so will you.

    Part of the problem is there are many ways to set up networks.

    ...and Larry?  What updates?  as the SQL one normally doesn't like to install unless you've run the monitoring wizard. 

    Not only were you wearing a nametag....

    Nick shares the story of well....take a look....

    And Nick...not only were you wearing a nametag....but you had on your 'walking billboard' shirt for SBS MVPdom.

    sniff...sniff.... I'm vaklempt!  Way to go dude!

    You ISA 2004 folks? Did you listen to the second Podcast?

    So geeking out this afternoon and multitasking by listening to the #2 of the SBS Podcast while doing work and the discussion of an issue where ISA 2004's tcp/ip connection limits per client are being hit....

    Listen to this podcast regarding ISA alerts... they say to reset those ISA alerts as it's not as dynamic as it should be.

    And hmmm.....maybe we should remove that 160 limit?

    Bottom line if you are seeing issues with SSL web sites... mess with that setting.

    The migration issue

    Richard in the comments brings up an excellent point about databases.  The migration issue.  Historically SQL has been this “thing” that sits over there and some of us use and some of us don't.  But I think that day of where we really don't care what is under the hood will be soon changing.  In the newsgroup today someone said that the fact that the “R2” era version of SBS 2003 will only have the Workgroup edition of SQL Server 2005 wasn't well known.  Now granted, I'll grant you I'm a bit more plugged in, but the information is indeed out here.  Been to SMBnation?  Well it was talked about there.  Seen the FAQ site on microsoft.com?

    'Windows Small Business Server 2003 R2 will be an update release to Windows Small Business Server 2003 with SP1, providing new features and functionalities. Windows Small Business Server 2003 R2 will offer increased productivity and functionality by adding automated patch and update management, increasing mailbox limits to 75 GB and adding SQL Server 2005 Workgroup Edition for Premium Edition customers.'

    Now before anyone asks the difference between Workgroup edition and Standard edition in the 2005 era....

    SQL Server 2005 Features Comparison 

    SQL 2000 Standard vs SQL 2000 Workgroup Feature Comparison

    SQL Server 2000 Workgroup Edition

    Workgroup Edition is the data management solution for small organizations or workgroups within larger entities. It includes all of the core database features needed for data management in an easy-to-use, simple to manage, and affordable package. Workgroup Edition is ideal for the small organization for line-of-business (LOB), local data store, and e-commerce solutions.

    All of the management features that make SQL Server easy to support and simple to manage are included in Workgroup Edition.

    Workgroup Edition includes key features that allow you to easily manage and organize your data:

    • Enterprise Manager
    • Full-Text Search
    • Import/Export
    • Replication (snapshot, transactional, and merge)
    • Stored procedure development and debugging tools

    SQL Server 2000 Standard Edition

    Standard Edition is the data management and analysis platform for small and medium-sized organizations. It includes the essential functionality needed for e-commerce, data warehousing, and line-of-business solutions. Standard Edition’s integrated business intelligence features provide organizations with the capabilities needed to manage and analyze their data.

    Reporting Services provides robust business intelligence features. Analysis Services provides data mining features and the core OLAP (On-Line Analytical Processing) functionality.

    Some of the features that Standard Edition includes are:

    • Analysis Services
    • Data Transformation Services (DTS)
    • Enterprise Manager
    • Full-Text Search
    • Import/Export
    • Replication (snapshot, transactional, and merge)
    • Reporting Services
    • Stored procedure development and debugging tools
    • SQL Profiling and performance analysis tools

    I'm tired of following best practices

    This all started on the WSUS patch management listserve where someone said “Oh you MUST install SQL on its own box” and started us talking about how one firm, one person's 'best practice' didn't always fit for another firm.

    I'm tired of big server land 'best practices' to be used to compare to my small network.  I mean...show me a big firm and I don't think they are any better than I am. 

    But one thing that I think is for sure is that you can't use big server world's best practices to set “MY” best practices.  They don't compare.

    Let's see some of the myths of best practices and see if they fly in my network....

    • Best practice number one - Never put IIS inside your network.  Okay if we follow this lovely one, we can't run WSUS or other such tools that actually help me to be more secure.  Folks that say this one are back in the IIS 4.0 days.  IIS 6.0 has proven to be solid. 
    • Best practice number two - always put SQL on its own server.  Well in SBSland, the first thing we will do is violate our EULA.  Does it freak out the gurus to have all our services on one box?  Oh sure.  But excuse me?  Look around at what is happening in the virtual server world.  They just announced some changes to Virtual licensing going forward.  Does anyone else but me see that 4 servers on one physical server sounds kinda like what we do in SBSland?  We just don't have the fences between the children on the playground is all.
    • Best practice number three - Always put a firewall on an external device.  The problem with this one is that invariably the issue with firewalls is how they are set up and not necessarily where they are positioned in our space of SBSland.  Have you left the default password on it?  I also find that I patch the ISA one a heck of a lot more regularly and the monitoring report [even though I'm not 100% fond of it], makes me view it more.  A Linksys on the edge just doesn't give me the 'in your face' information I need.

    so ...what other best practices do you think ...well....just aren't necessarily best?

    What procedures do you do when an employee leaves?

    Bill has an excellent list of things to think about.

    If the employee has left in um...well....unusual circumstances... you may want to keep the harddrive on the workstation intact and build a new one.  [I'm not even going to comment on the fun of licensing issues regarding OEM computers] but it's something to think about if you might need that harddrive and files at a later date.

    UPS attached to a ProLiant ML150 and your CPU at 100%?

    There's a fix for ya

    When an HP T700 or HP XR5500 Uninterruptible Power Supply (UPS) is connected to a ProLiant ML150 G2 server through the serial port using a serial cable, the CPU utilization will remain constant at 100 percent. As soon as the serial cable is removed, the CPU utilization immediately returns to normal levels.

    Any ProLiant ML150 G2 server running System ROM Version 1.10 (or earlier) and is connected to a HP T700 or HP XR5500 Uninterruptible Power Supply (UPS) via a serial cable.

    To prevent the processor utilization from immediately increasing to 100 percent when a UPS is connected to the serial port, upgrade the ProLiant ML150 G2 System ROM using the Single Point Solution Systems ROMPaq Firmware Upgrade Diskette for HP ProLiant ML150 G2 Servers, available at the following URL:

    ftp://ftp.compaq.com/pub/softpaq/sp31001-31500/SP31081.TXT

    ftp://ftp.compaq.com/pub/softpaq/sp31001-31500/SP31081.EXE

    Thanks Jaime for the follow up!

    It may not be supported....but...

    I have a domain at home... I have a new computer that would be perfect as a Media Center Edition... well it will be as soon as I get a Hauppauge card, that is.  I obviously live in the technology store wasteland of the Central Valley of California [aka no Frys in a nearby radius] as I had to order the card from NewEgg.  Remember that while it officially can't join a domain ...it can.

    Card should arrive in a day or so... I'm planning to fully migrate over to that one next weekend... I'll let you know how it goes.

    Oh and pssst.. I don't want extenders... I don't play games.  I just want a Tivo/home media like device hanging off my domain.  I want the glue.  I want it firmly in the active directory where I can control it.... I mean why wouldn't you when you are a control freak like I am?  :-)

     

    Is ISA too complicated?

    Rich in the comments asks me if I think ISA is too complicated... honestly...no I don't with only a couple of exceptions....

    There were a couple of things I wished the SBS team would have made better in the Premium version of SBS 2003 sp1

    • FTP access in SBS.  This has to be the number one edit we do.  The default for SBS is to have that FTP read only which blocks FTP access.
    • TCP connections per client.  Right now mine's at 160...but if you upgrade it's at 40.  The fix is here.
    • The reporting ...yeah yeah you can say ISA does monitoring out of the box...but until you send me info...you are not 'reporting'.  Andy has an article on how to set this up.

    So what do I really not like in how ISA reports?  It reports that I first connect, and then I authenticate.  So for every connection, there's two entries for me in the graphical reporting.  I just want my name.  You know, after I authenticate.  I want a 'bosses' view of ISA.  Give me the full detail when I want it ...but can I just see authenticated connections only?  I don't seem to be able to do that... ergo... Dana's survey for interest in a better ISA summary reporting tool.

    I think there's a need. 

    Well... at least I need it anyway....

     

    Lessons from Big Server land

    Brian Desmond and I were chatting and he was mentioning that the way we SBSers deploy servers would drive him crazy [okay so I'm paraphrasing ...he just said he'd find a way to do it smarter so they could be standardized and rolled out faster] and a post in a listserve about how one Var/Vap did not push a standardized product, but rather customized the server to the job made me start thinking of ways that I see the “Big server land” folks do things that are very much unlike the way we do things in SBSland.  Conversely the manner in which Big Server land does some things drives me crazy sometimes [at least in some of the deployments I see anyway where they still do a lot of local admin and still running Windows NT 4 servers, but anyway....]

    What are some of the things we could take a page out of big server land?

    Deployment of servers through standardization.  So many times I get asked if there's a way to RIS out a SBS box and I don't think many folks take the time to get a handle on the OEM preinstall SBS kit.  I know they don't take time to check out the Bob the System Builder stuff.  They even have a specific OEM kit to preinstall SBS on boxes.  And I don't think we take the time to look into that one.

    Then there's Dell or HP's pre install.  Granted I know that OEM install has some issues [OEM install issue with WSUS comes to mind], but it seems like if the Var/Vap had either a better feedback mechanism to how Dell/HP sets up the images ...or... a mondo magic script tool to move folders... people might trust that preinstall more.  Instead ...show me a Var/Vap and they flatten that box.  Brian would be setting up a standardized image and deploying that.  He'd be using MOM or LevelPlatforms to manage his boxes.

    How many of you guys in the managed plan space are thinking about a SBS Menu item?  I mean think about it.  Maybe customization isn't the way to go.  Maybe it is?  I don't know.  I guess it depends on how you run your shop.  Do you want to be an exclusive French restaurant that only serves the finest cuisine....or are you McDonalds?

    Hard to say. 

    Like take this guy for example.... I think he needs a BigMac and Fries and not an 8 course sit down dinner.

    So what tools and methods are you using to add more customers to your base?  Do you want more SBS customers? Are you deploying as 'smart' as you can?

    P.S. for some of the links to the Bob the Builder stuff you need to be a registered partner....and if you aren't?  Get your buns over there and sign up, will ya?

    Another link ...another blog...and I got goosebumps!

    I've got goosebumps...there's another SBS blog that just popped up!  Another from the Gang in SBS Mothership Support home base of Las Colinas.  This time it's Peter Gallagher who's opened up a blog.

    Subscribed and put the link on the side of the blog!

    I'll have to update our community link cards!!

    Peter?  Lemme at that business owner... SBS 4.5 is broke as it doesn't get security patches anymore and I really hated rebooting that box.

    Want to move stuff from Novell to Exchange?

    Presented by “Once a SBSer always a SBSer“ PSS' own Ray Fong!

    Description: We will discuss the process to design an efficient Exchange
    2003 interoperability and migration strategy.
    The main focus will be on connecting and migrating Lotus Notes/Domino and
    Novell GroupWise to Exchange Server.

    We strongly recommend you to read the Exchange Server 2003 Interoperability
    and Migration Guide before the session starts. The guide is available here

    Date/Time: Tuesday Nov 8 (noon to 1pm Pacific Time)


    A new one, an old one

    Two announcements... we have a new SBS MVP from Brazil!  Carlos Fernando Paleo da Rocha  [Latin America domination next!]

    and then one of our existing SBS MVPs has been spotlighted on this month's insider, Jeff Loucks.

    SBS Podcast number 3 [aka this is SOOOOO COOL!]

    This is soooo cool.  The SBS support team in Las Colinas have episode number 3 of the SBS Podcast and they have some really cool discussions this week on virtual server, and the one we argue about a lot... the issue of an additional domain controller.

    They just commented that you don't have to have a real life big server to have an additional DC, it can be even on a virtual server inside a workstation.  Hmmm... something to think about....

    Vlad recaps it here and the SBS support blog corrects one statement {Exchange will be supported in Virtual Server after sp2}

    You can download the podcast to your computer and listen to it in Windows Media player.

    And yes, you can put it on your ipod too!

    Happyfunboy wrote in the comments how to do this
     
    i haven't seen it listed in the itunes directory yet, but adding it manually is a snap:

    in itunes:

    select podcasts from the left-menu pane
    click the advanced menu
    click subscribe to podcast
    paste the following url in the dialog box that opens:
    http://sbspod.libsyn.com/rss
    click ok

    the most recent sbs podcast should start downloading immediately.

    hope this helps!

    Check out Amy's notes regarding ISA

    I hope you guys are following Amy's ISA blog...and if not...you should after this post!

    The new phishing filter

    When you install Office 2003 sp2 and the Junk filter update for this go 'round, you get a new box inside of Outlook 2003 that is automagically selected.  See that “Don't turn on links in messages that might connect to unsafe or fraudulent sites” box there?  That's prechecked for you.

    Cool huh!

    Are you excluding enough?

    Since someone's blog is a bit ...well....undernourished.. I'm stealing a post from him from a listserve instead.....this all started when a fellow SBSer had a Event 13552 and 13555... you know ... these:

    The File Replication Service is unable to add this computer to the following replica set:
        "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

    This could be caused by a number of problems such as:
      -- an invalid root path,
      -- a missing directory,
      -- a missing disk volume,
      -- a file system on the volume that does not support NTFS 5.0

    The information below may help to resolve the problem:
    Computer DNS name is "WA.client.local"
    Replica set member name is "WA"
    Replica set root path is "c:\windows\sysvol\domain"
    Replica staging directory path is "c:\windows\sysvol\staging\domain"
    Replica working directory path is "c:\windows\ntfrs\jet"
    Windows error status code is
    FRS error status code is FrsErrorMismatchedJournalId

    Other event log messages may also help determine the problem. Correct the problem and the service will attempt to restart replication automatically at a later time.

    The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:

    Recovery Steps:

    [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window:

        net stop ntfrs
        net start ntfrs

    If this fails to clear up the problem then proceed as follows.

    [2] For Active Directory Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled:

    If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.

    If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary.

    If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative.

    [3] For Active Directory Domain Controllers that host DFS alternates or other replica sets with replication enabled:

    (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location.
    (3-b) If this server is the only Active Directory Domain Controller for this domain then, before going to (3-c), make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
    (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
    (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published.

    [4] For other Windows servers:

    (4-a) If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location.
    (4-b) net stop ntfrs
    (4-c) rd /s /q c:\windows\ntfrs\jet
    (4-d) net start ntfrs
    (4-e) Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time).

    Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members.

    Uh huh ...Yeah...one of those...where we in SBSland go....uh...now what?  And Eventid.net said “oh just delete the jet databases and restart them” which of course ...makes a few AD guys I know go pale [and they already don't get enough sun as it is] and we got to talking in our SBSlist about the things that might cause a Jet database corruption and one of the things is scanning of some of the files on our Domain Controllers by antivirus engines.  Honestly, I don't think that I follow this KB article of 822128 that lists all the places we need to exclude from scanning. 

    Wow look at that listing. 

    Exclude the following files:

    FRS Working Dir\jet\sys\edb.chk
    FRS Working Dir\jet\ntfrs.jdb
    FRS Working Dir\jet\log\*.log
     

    I know I don't do all of those exclusions.  Probably should revisit that and see what I'm missing and review my a/v file blockings and exclusions as well.  Too bad a/v vendors can't just know they are being stuck on DCs and just wizard themselves into excluding the right things from the get-go.

    Do you review antivirus settings once you've set them up?  I mean we call antivirus the 'set it and forget it' but maybe we should review it at least on an annual basis of those things we've set up?
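
    An added example, not from the original post or the KB article: a small Python check that takes an exported list of antivirus exclusions and reports which of the three FRS files listed above are not covered, and which entries reach well beyond the FRS working directory. The exclusion lists are constructed samples, the working directory is the parent of the "jet" folder named in the event text, and the matching rules (a folder entry covers its subtree, `*` and `?` behave like shell wildcards) are assumptions, since antivirus products differ.

```python
import fnmatch
import ntpath

# The three FRS exclusions quoted above, relative to the FRS working directory.
REQUIRED_RELATIVE = (r"jet\sys\edb.chk", r"jet\ntfrs.jdb", r"jet\log\*.log")

# Stand-ins of different lengths for "*" in a required pattern, so that a
# fixed-width entry such as "?????.log" is not mistaken for full coverage.
PROBES = ("probe", "probe0001")

# Extensions used to build canary paths just outside the working directory.
CANARY_EXTENSIONS = (".exe", ".chk", ".jdb", ".log")


def _norm(path):
    """Lower-case, unify separators, drop quotes and trailing slashes."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def _covers(entry, target):
    """True if one normalised exclusion entry covers one concrete path.

    Assumptions: wildcard entries behave like shell globs, and an entry
    without wildcards is either that exact file or a folder that covers
    everything beneath it. Check how your antivirus product treats both.
    """
    if "*" in entry or "?" in entry:
        return fnmatch.fnmatchcase(target, entry)
    return target == entry or target.startswith(entry.rstrip("\\") + "\\")


def audit_exclusions(working_dir, configured):
    """Compare configured exclusions with the three required FRS paths.

    Returns {"missing": [...], "broad": [...]} where "missing" holds the
    required paths no entry covers and "broad" holds entries that cover a
    required path but also match files outside the FRS working directory.
    """
    root = _norm(working_dir)
    entries = [(raw, _norm(raw)) for raw in configured if raw.strip()]

    missing, used = [], set()
    for rel in REQUIRED_RELATIVE:
        variants = {ntpath.join(root, rel.replace("*", p)) for p in PROBES}
        hits = [raw for raw, e in entries
                if all(_covers(e, v) for v in variants)]
        if hits:
            used.update(hits)
        else:
            missing.append(ntpath.join(root, rel))

    # An entry that also matches a file next to (not inside) the working
    # directory leaves far more than the FRS database unscanned.
    parent = ntpath.dirname(root)
    canaries = [ntpath.join(parent, "canary" + ext) for ext in CANARY_EXTENSIONS]
    broad = [raw for raw, e in entries
             if raw in used and any(_covers(e, c) for c in canaries)]
    return {"missing": missing, "broad": broad}


# Constructed sample data. The working directory is the parent of the "jet"
# folder named in the event text; the exclusion lists are invented.
FRS_WORKING_DIR = r"c:\windows\ntfrs"
SAMPLE_INCOMPLETE = [
    r'"C:\WINDOWS\ntfrs\jet\sys\edb.chk"',
    r"C:\Windows\NTFRS\jet\log\*.log",
]
SAMPLE_TOO_BROAD = [r"C:\Windows", r"*.log"]

if __name__ == "__main__":
    for name, sample in (("incomplete", SAMPLE_INCOMPLETE),
                         ("too broad", SAMPLE_TOO_BROAD)):
        result = audit_exclusions(FRS_WORKING_DIR, sample)
        print(name, "-> missing:", result["missing"], "broad:", result["broad"])
```

    The "broad" list is the part worth reading during an annual review: an entry such as a whole Windows folder satisfies the KB list while switching off scanning for far more than the FRS database.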

    P.S.  Oh wow... I didn't realize ...he really did spend a lot of time setting up categories, didn't he?

    The new Office UI

    Oooooh I just thought of something... what is that new Office UI going to do to my customized normal.dot drop down toolbar that allows my firm to be EXTREMELY efficient in pulling up Word files that we use over and over again....

    You do know how to add custom toolbars now, don't you?

    Speaking of Office... it's patch Friday in my office and I'm patching Office 2003 up to service pack 2 which includes an anti-phishing toolbar now.

    Manually doing it on this system before I deploy it through the office...ooh needs a reboot...when I come back I'll take a snapshot of the new anti-phishing option.

    Using a dynamic IP

    From the mailbag Stew asks

    “I  was wondering if you had any white papers on setting up a SBS 2003 server with two NIC cards using a dynamic IP. I'm setting this up in my home for "practice" and my cable company does not offer static IP's. I am using a linksys cable modem with a Belkin pre-n router.

    P.S. I have a web domain name.“

     

    Well Stew...as far as I know the best we have right now is this white paper on Peer to Peer migration but it assumes you have a Static IP.  But let me make it easier for you.

     

    Ingredients -

    • Linksys router that has TZO.com service [most do]
    • SBS 2003
    • Dynamic IP from your cable company
    • Domain name

    Okay we ready?  Here we go....

     

    First set up your SBS 2003 ...feed it the cdroms..install everything.  Okay when you get to the “To Do“ list and you are ready to run the Connect to Internet Wizard, if you are using a one NIC setup, it will find that Linksys and help you configure it.... [I personally still like 2 nics even at home].  But what it won't do is put in a little bit of code to let that dynamic IP of yours check back in with a server somewhere to 'act' like a static IP.  I personally use tzo.com but there are many others like dns2go.com.  You sign up for a service and you put in the username/password INSIDE your Linksys router in the place where it has the boxes.  Then ...every time your router changes an IP address, it will 'phone home' to tzo.com and say “Hey ... I moved... I'm over here now“ so that all I need to remember is https://www.domain.tzo.com/remote and voila... I'm in RWW.

     

    Now then, as you run the connect to Internet wizard, put in your email address, and decide if you are going to POP pull into your box or use real live SMTP.  Again, like I've blogged before, you can even use full SMTP even on a dynamic IP addy.  Javier even did a blog post about it.

     

    Now trick number 3.  Because you are a dynamic IP, chances are you will need to choose smarthost and bounce your email out using that.  When you are running the connect to Internet wizard, choose smarthost, put in the smtp.yourisp.com [or whatever they give you as info to send email out] and then you need to manually enter in a user name and password.  Open up the System Manager, click on the SMTP connector and drill to where you need to add the username/password authentication as shown here.

     

    So Stew... I don't think there is an all encompassing white paper for ya ...but maybe this blog post will help put the pieces together.

     

    P.S.  I forgot one more thing.. sometimes there are ISPs who block inbound port 25 to pull in email, all you need to do is route your email using tzo.com through an alternative port and then have the SBS box pick it up from there...say port 2525 rather than port 25.

    Have you seen views of the new Office format?

    I'll be honest that in Office 2003 I was a bit surprised that Excel and Word weren't 'spiffier'.  I mean Outlook was cool, but the rest really hadn't changed.

    Well hold onto your seats folks.... and check out this Office UI blog!

    Man ...where do I get all this junk on my workstation?

    I upgraded my computer yesterday...well...not exactly... I did a Drive image of my existing disk [120 gigs] over to a 300 gigs [which doesn't say 300 on the “My computer” by the way], because I was nearly out of room and the poor drive was file swapping like crazy to keep up with me.  So I imaged the old one to the new one and then moved the new one [putting the necessary jumper block in place] to be able to boot off the new disk flawlessly.

    Hands down this is the easiest way to migrate...but at some point in time, I'll want to migrate cleanly and it's still a pain....Which reminds me I need to grab a TV tuner card for my workstation at home [the new one I haven't migrated to yet] so I can throw MCE on it.

    Dell just called about the workstation I ordered....for FREE they can upgrade that 80 gig harddrive to 160 gigs.... okay...whatever... 160 gigs of stuff that will have to be moved in the future... fine.....

     

     

    The vendor issue

    Earlier today, David Litchfield wrote an open letter to Oracle users recommending that they get on the phone, send an email and demand better security response and an improvement in quality of their security patches.  Cesar on the SecureFocus list echo'd Mr. Litchfield's comments as well [you can read David's comments below Cesar's in the post].  Now most of us SBSers don't run Oracle, but as Mr. Litchfield points out.... our data is probably on such a database somewhere.

    Dr. Jesper Johansson posts about a similar issue... vendor support of patches.  When a vendor puts us at risk like this .... it's unacceptable. 

    And of course my favorite software that forces me to make insecure choices... Quickbooks which demands local admin rights.

    Vendors know that they have us in a bind...upgrading and migrating to a new software is a pain in the rear.  But at the same time we HAVE to start waking up to the insecurities these vendors are placing at our doorsteps.  The decisions they are making on our behalf.  The risks they are forcing us to accept.

    Mr. CEO... how about you lose $1 of your salary for every time you put my personal data at risk?  Maybe if it hurt you personally in the pocket book more you'd care and force your employees to read Secure Coding and the Deadly sins of Software

    I have.

    ...and I don't even code anything....

    SBS Partner group tour

    Speaking of another group tour, the SBS Partner group tour is kicking off shortly!

    The Microsoft SBS Product and Development teams have announced plans to visit 12 U.S. cities this October as part of the second U.S. SBS Partner Group Tour. The goal of this tour is to take the Small Business Partners and Microsoft Team Members to the next level of partnership and create even greater success with SBS going forward. In an effort to better connect with the SBS Partners, Microsoft team members will be guests at each of 12 Partner group meetings. As an attendee at this two-hour free event, you will learn first-hand the benefits of moving your customers to SBS 2003 and the opportunities that await you. Microsoft will also be soliciting your feedback on your future needs. Make a connection with the Microsoft team, see the potential of SBS, and make your voice heard!

    • Oct 10, 2005, 5:30PM-8:30PM: Downers Grove, Illinois
    • Oct 11, 2005, 6:00PM-9:00PM: Madison, Wisconsin
    • Oct 12, 2005, 6:00PM-9:00PM: Eureka, Missouri
    • Oct 13, 2005, 5:30PM-8:30PM: Indianapolis, Indiana
    • Oct 17, 2005, 6:30PM-8:30PM: New York, New York
    • Oct 18, 2005, 6:00PM-8:00PM: Waltham, Massachusetts
    • Oct 19, 2005, 6:00PM-8:00PM: Washington, D.C.
    • Oct 20, 2005, 6:00PM-9:00PM: Greensboro, North Carolina
    • Oct 24, 2005, 6:30PM-8:30PM: Alpharetta, Georgia
    • Oct 25, 2005, 6:00PM-9:00PM: Orlando, Florida
    • Oct 26, 2005, 6:30PM-8:30PM: Tampa, Florida
    • Oct 27, 2005, 6:00PM-9:00PM: Fort Lauderdale, Florida

     

    CRM 3.0 Roadshow

    Just found out [unfortunately too late for the Southern California guys, sorry] that MS CRM 3.0 is putting on a road show at the end of which you'll get a VPC of the new 3.0 product.  COOL!

    I know a ton of SBSers just chomping at the bit for info on the new CRM product.  Check it out!

    Remember when Bill talked about antispyware at RSA?

    There's an update... Steve Ballmer and Mike Nash announced that the corporate version of the Antispyware is being worked on and a beta will be out later this year.  The Swiss Security blog talks about it.

    Cool!

     

     

    Do you like the native ISA log files?

    So I was talking to Dana about how I really ....uh... disliked...the native ISA logs and reporting and he, being the coder that he is, thought of ways to fix the issue.

    I think it's a cool idea personally!

    Hey guys,

    Recently Susan Bradley and I were talking about how we really dislike the ISA firewall logs, especially in how complex it is to really show what is going on in the box. We realize how difficult it may be to decipher the logs and really understand what sort of attacks are happening on your SBS box, if at all.

    Instead of complaining, I thought I might do something about it... especially since I already have code doing some similar things for other logs on SBS for myself.

    I was wondering if I could get some feedback from the group on how you feel about it. Instead of wasting bandwidth on this list, I was hoping many of you would go through a quick 7 question survey I put up on Zoomerang (http://www.zoomerang.com/survey.zgi?p=WEB224P5CUPMJD). The survey will stay running for the next 7 days. I do hope you will participate.

    Thanks a lot!

    -- 
    Regards,
    Dana Epp
    [Blog: http://silverstr.ufies.org/blog/]

    Patches next week

    ********************************************************************
    Title: Microsoft Security Response Center Bulletin Notification
    Issued: October 6, 2005
    ********************************************************************

    Summary
    =======
    As part of the monthly security bulletin release cycle, Microsoft
    provides advance notification to our customers on the number of new
    security updates being released, the products affected, the aggregate
    maximum severity and information about detection tools relevant to
    the update. This is intended to help our customers plan for the
    deployment of these security updates more effectively.

    In addition, to help customers prioritize monthly security updates
    with any non-security updates released on Microsoft Update, Windows
    Update, Windows Server Update Services and Software Update Services
    on the same day as the monthly security bulletins, we also provide:

    . Information about the release of updated versions of the Microsoft
    Windows Malicious Software Removal Tool.
    . Information about the release of NON-SECURITY, High Priority
    updates on Microsoft Update (MU), Windows Update (WU), Windows Server
    Update Services (WSUS) and Software Update Services (SUS). Note that
    this information will pertain ONLY to updates on Windows Update and
    only about High Priority, non-security updates being released on the
    same day as security updates. Information will NOT be provided about
    Non-security updates released on other days.

    On 11 October 2005 Microsoft is planning to release:

    Security Updates

    . 8 Microsoft Security Bulletins affecting Microsoft Windows. The
    highest Maximum Severity rating for these is Critical. Some of these
    updates will require a restart. These updates will be detectable
    using the Microsoft Baseline Security Analyzer (MBSA) and the
    Enterprise Scanning Tool (EST).

    . 1 Microsoft Security Bulletin affecting Microsoft Windows and
    Microsoft Exchange. The highest Maximum Severity rating for this is
    Important. These updates will require a restart. These updates will
    be detectable using the Microsoft Baseline Security Analyzer (MBSA).

    Microsoft Windows Malicious Software Removal Tool

    . Microsoft will release an updated version of the Microsoft Windows
    Malicious Software Removal Tool on Windows Update, Microsoft Update,
    Windows Server Update Services and the Download Center.
    Note that this tool will NOT be distributed using Software Update
    Services (SUS).

    Non-security High Priority updates on MU, WU, WSUS and SUS

    . Microsoft will release NO new NON-SECURITY High-Priority Updates
    for Windows on Microsoft Update (MU), Windows Update (WU), Windows
    Server Update Services (WSUS) and Software Update Services (SUS).
    Although we do not anticipate any changes, the number of bulletins,
    products affected, restart information and severities are subject to
    change until released.

    Microsoft will host a webcast next week to address customer questions
    on these bulletins. For more information on this webcast please see
    below:

    . TechNet Webcast: Information about Microsoft's Security Bulletins
    (Level 100)  
    . Wednesday, 12 October 11:00 AM (GMT-08:00) Pacific Time (US &
    Canada)

    At this time no additional information on these bulletins such as
    details regarding severity or details regarding the vulnerability
    will be made available until 11 October 2005.
    ********************************************************************

    Support:
    ========
    Technical support is available from Microsoft Product Support
    Services at 1-866-PC SAFETY (1-866-727-2338). There is no
    charge for support calls associated with security updates.
    International customers can get support from their local Microsoft
    subsidiaries. Phone numbers for international support can be found
    at:
    http://support.microsoft.com/common/international.aspx

    Additional Resources:
    =====================
    * Microsoft has created a free monthly e-mail newsletter containing
      valuable information to help you protect your network. This
      newsletter provides practical security tips, topical security
      guidance, useful resources and links, pointers to helpful
      community resources, and a forum for you to provide feedback
      and ask security-related questions.
      You can sign up for the newsletter at:

     
    http://www.microsoft.com/technet/security/secnews/default.mspx

    * Microsoft has created a free e-mail notification service that
      serves as a supplement to the Security Notification Service
      (this e-mail). The Microsoft Security Notification Service:
      Comprehensive Version. It provides timely notification of any
      minor changes or revisions to previously released Microsoft
      Security Bulletins and Security Advisories. This new service
      provides notifications that are written for IT professionals and
      contain technical information about the revisions to security
      bulletins. To register visit the following Web site:

     
    http://www.microsoft.com/technet/security/bulletin/notify.mspx

    * Protect your PC: Microsoft has provided information on how you
      can help protect your PC at the following locations:

     
    http://www.microsoft.com/security/protect/

      If you receive an e-mail that claims to be distributing a
      Microsoft security update, it is a hoax that may be distributing a
      virus. Microsoft does not distribute security updates via e-mail.
      You can learn more about Microsoft's software distribution
      policies here:

    http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

    Dell ... if I'm a corporation ...I'm not buying XP HOMES!!!

    If Dell Optiplex “Means Business” as the headline reads...why then as I am spec'ing out a new desktop for the office does it DEFAULT... DEFAULT mind you to XP Home.  Dell WHY are you shoving XP HOME machines down my fellow small business owners when the Optiplex line is supposedly for business?  Do I now have to go to the Precision line of desktops which appear to be all XP Pro based machines?

    Then on the Precision lines... they are putting 160 gig to 250 gig harddrives on those local drives.  In a business setting...where the desktops are not getting as backed up as they should... why do we need a 250 gig harddrive?  Shouldn't we instead be making sure that we're backing up all critical data on the server?

    Then, the default is to not give me a resource cdrom for drivers.  Again, for disaster recovery purposes ...why would I not want such a cdrom?

    Then what drives me crazy as an admin is the size of the minimum harddrives.  I don't want a workstation to have 80 gigs of storage.  Why do my workers need that much?  For the mp3 files they are not supposed to be downloading?  The Precisions are even worse with a minimum of 160 gigs of storage as default.

    Now granted one could take advantage of the new Small Business SKU and buy XP Home on those boxes and then add Windows XP Pro with software assurance...but that just seems a bit cumbersome as well.

    SBS Podcast this Friday

    The SBS Customer Support gang in Texas are at it again this Friday with the SBS podcast....way cool!  I really liked listening to the past two episodes!

    If you want to stump the experts you can call in, email or post to the blog!


    Phone number for the live call-in portion of the podcast:

    (866) 500-6738
    Use participant code: 5957444 (changes weekly)
     
    Not going to be able to make it but have a question you'd like to ask us?  I'll make it easy - reply to this thread [on their blog], send email to sbspod at microsoft.com, or leave voicemail at 206-984-0184.

     

    One SKU, one Single SKU

    For years, Small Business Partners have been asking for a way to help make acquiring the core Microsoft software products that Small Businesses use easier to buy and sell. Your requests have been answered! Launching today, as part of the NEW Open Value 2.0 Licensing Program, is just that solution. Be among the first to learn about and take advantage of this exciting new offer by joining us for a 60 minute session to learn all about the NEW single SKU offering for Small Business customers that every Small Business Partner can sell! To make things even better, not only does this offering make it easier for you and your customers, it also makes it more affordable as well:
    Session #1: October 4th, 10:30 - 11:30 am PST [passed]
    Session #2: October 11th 10:30 - 11:30 am PST
    Session #3: October 18th, 10:30 - 11:30 am PST

    Sign up here for the web cast

     


    Dr. Watson to the rescue

    So tonight my Word blows up and a Dr. Watson asks me “would you like to send a report to Microsoft?“  Of COURSE I'll send a report to Microsoft!  Because more and more these days I'm getting a little link that says “follow me and I'll tell you why you blew up“ and sure 'nuff.... today's explosion says that the reason why I blew up is because I haven't updated this workstation at home with Office 2003 sp2!

    Microsoft Online Crash Analysis - response:

    Well looky there.

    ...and yeah... just don't tell Dana I haven't approved the WSUS updates on the home network will 'ya?

    Also notice that Office SP's are now cumulative.  Cool, huh?!

    Yes the bad things on the Internet "is" a big business

    Too many times in small businesses we say “who would want me?”  “I'm not a target”.  But we are.  We have computing processing power that can be used by folks.  The Incidents.org web site has a post today about the 'business' of the scum on the Internet.

    No longer is it the teenagers and script kiddies.  This is business.  This is war.  And each of us needs to remember that we can either be foot soldiers in the war against this scum.  Or helpers in the process.  One of the interesting stats I vaguely remember reading was the percentage of stuff bought off these web scams.  It was still a pretty high amount.

    If we all do our part, we can put them all out of business.

     

    Yes you can add a SBS 2003 to an existing domain

    Roy says in the comments... “Yes, you can add SBS to an existing domain but not forever. In the KB article you mention is this comment: "This retirement process must occur within 14 days of adding the new SBS 2003 computer to the domain or the new SBS 2003 computer may display warnings and shut down periodically."”

    Uh Roy... that's only for migrating from one SBS to another or for moving the FSMO roles.  You “CAN” add a SBS 2003 to an existing AD domain and as long as you ensure that the SBS is the Primary domain controller and all the FSMO roles are on that SBS box you 'CAN' add a SBS 2003 to an existing AD domain.  The gang out here has done it before.  Check out the info on sbsmigration.com as it's basically doing a similar process.

    Yes Roy, you can add a SBS 2003 to an existing domain...forever.  You just have to get rid of the 'normal' AD domain stuff off the prior DC and make sure all of it is on the SBS box.

    It can be done.

    Remember what that KB article says..... it's not meeting these conditions that makes it shut down...

    The following conditions must be true after you install the new SBS 2003 computer in an existing domain or the new SBS 2003 computer may display warnings and shut down periodically:

    • The new SBS 2003 computer must be a domain controller that is installed on the root of the domain.
    • The new SBS 2003 computer must hold all the Flexible Single Master Operation (FSMO) roles.
    • The new SBS 2003 computer must be a global catalog server and must be the licensing server.
    • There must not be any existing domain trusts or child domains.
    • Only one SBS server can exist on the domain. If SBS 2003 is installed, no other SBS 2003 or SBS 2000 server can be installed on the same domain.

    Failure to meet these conditions may cause the SBS 2003 server to shut down.
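
    One way to check the FSMO condition from the list above, as an added example that is not from the KB article or the original post: it parses the text printed by `netdom query fsmo` and reports any role not held by the SBS box. The hostnames and sample output are constructed, and the role labels are an assumption, since they differ between netdom versions ("owner" wording in older builds, "master" in later ones).

```python
import re

# Role labels as printed by `netdom query fsmo`. Assumption: older netdom
# builds print the "owner"/"role" wording, later ones the "master" wording,
# so both spellings are accepted for each of the five roles.
ROLE_LABELS = {
    "schema": ("Schema master", "Schema owner"),
    "domain naming": ("Domain naming master", "Domain role owner"),
    "pdc emulator": ("PDC role", "PDC"),
    "rid": ("RID pool manager",),
    "infrastructure": ("Infrastructure master", "Infrastructure owner"),
}

# Constructed sample: two roles were left behind on the prior DC.
SAMPLE_MIXED = """\
Schema owner                olddc.smallbiz.local
Domain role owner           olddc.smallbiz.local
PDC role                    SBS01.smallbiz.local
RID pool manager            sbs01.smallbiz.local
Infrastructure owner        sbs01.smallbiz.local
The command completed successfully.
"""

# Constructed sample: every role is on the SBS box.
SAMPLE_OK = """\
Schema master               sbs01.smallbiz.local
Domain naming master        sbs01.smallbiz.local
PDC                         sbs01.smallbiz.local
RID pool manager            sbs01.smallbiz.local
Infrastructure master       sbs01.smallbiz.local
The command completed successfully.
"""


def parse_fsmo(output):
    """Return {role: holder_fqdn} for every role line found in the output."""
    holders = {}
    for line in output.splitlines():
        for role, labels in ROLE_LABELS.items():
            for label in labels:
                # Label, at least two spaces of column padding, then the host.
                pattern = r"^\s*" + re.escape(label) + r"\s{2,}(\S+)\s*$"
                match = re.match(pattern, line, re.IGNORECASE)
                if match:
                    holders[role] = match.group(1).lower()
    return holders


def roles_not_on_sbs(output, sbs_fqdn):
    """List the roles that are missing from the output or held elsewhere."""
    holders = parse_fsmo(output)
    expected = sbs_fqdn.lower()  # DNS names are case-insensitive
    problems = []
    for role in ROLE_LABELS:
        holder = holders.get(role)
        if holder is None:
            # Truncated or failed command output must not pass as "all good".
            problems.append((role, None))
        elif holder != expected:
            problems.append((role, holder))
    return problems


if __name__ == "__main__":
    for role, holder in roles_not_on_sbs(SAMPLE_MIXED, "sbs01.smallbiz.local"):
        print(f"{role}: held by {holder or 'unknown (not in output)'}")
```

    An empty result means all five roles were found and are on the named server; the other conditions in the list (global catalog, licensing server, no trusts or child domains) still need their own checks.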

    Are you a Microsoft Partner and don't know your Support offerings?

    How about some assistance with that presales question that has been keeping you up at night? Ever have a licensing question and tried to get a straight answer? Building boxes and could use some advice? Coding for your add-in and stuck? What about some navigation through all the partner service offerings? Relief is here! Attend this web cast to obtain an overview of services we provide to each level of partner and how you can maximize on them for the benefit of your customer and your business. Ask questions – get answers!

    Sign up here

    I'm shocked sometimes about how people signed up in the Partner program don't know about their support options.  This webcast should be a must listen/watch for all US partners [keep in mind that not all Countries have the same offerings..but be patient...]

    Virtually SBS

    No, I'm not talking about running SBS on Virtual server [which on a side note when Exchange 2003 sp2 hits the streets, the Standard SBS will be fully supported on Virtual Server], I'm talking about a hosted SBS.  Vlad and I were swapping emails with a vendor who was offering 'hosted' SBS solutions and Vlad pointed out that this was already being done and he had some articles about it.

    Interesting, huh?!

     

    I love my Lunch time menu internal communication system

    Steve has a problem.  He has a small network and because he wasn't wacko like me, didn't catch Live Communication Server.  So now he's looking for INTERNAL ONLY nothing going out the firewall thank you very much [no MSN hotmail need apply] for an internal IM system. 

    In fact I need to load up LCS 2005 with its new communicator thingy...but I've not got around to it because I don't really need all those VOIP, forward to cell phone, internal routing of calls do-dads-thingy-whatchamacallits-wingdings here.  We like plain phones that just work, thank you.  And IM is really just for the 'ping' for “what do you want for lunch” and “hey, there's a call on line 2, you want to cut that one you are on short?”

    Sometimes..like with the Audiovox 5600 phone geek toys are WAY cool.  But sometimes simple is just better and all we need.

    Vlad blogged about his same problem earlier.

    Keep it simple, that's all we really need.

    Got any other ideas for Steve?

    Mr. Minasi we can do that too!

    Met up with Mark “oh SBS is evil because it can't have a secondary domain controller” Minasi at the MVP summit and it reminded me that we recently got a clarification on how we CAN have a secondary domain controller and all you need to have to cover the licenses of that secondary DC is plain ol' SBS cals.  You don't need Windows server cals.  The SBS license specifically allows us to have our member servers and even our additional domain controllers covered by a SBS cal.  So all you need to have in order to set up and be legal for an additional DC is the server CAL that came with the Server OS [and yes if you buy Open License version of Windows 2003 server you can buy it with one and only one CAL] and then your SBS CALs.

    So to review....

    • SBS CAN have a secondary/additional DC
    • The CALs for it are merely ONE Windows server OS CAL [you know the one you get with the OS itself]
    • and then it's covered by the SBS CALs.

    The Enterprise IT pro white paper even talks about this.  “You can add a computer running Windows 2000 Server or Windows Server 2003 as a replica domain controller to a local or remote office for redundancy in the event that the server running Windows SBS is unavailable. Replication with the server running Windows SBS keeps Active Directory up-to-date on the additional domain controller even in the remote-office scenario, provided there is a link between the offices. Users can then log on to the network normally until the server running Windows SBS is brought back online.”  Personally I've found that what's more important is the DHCP than the Domain controller per se...as workstations that can't find a domain will merely log in via cached credentials. 

    Bottom line.. buy good hardware and normally it is a non-issue in a small office.

    Yes, you can do that Mr. Enterprise IT Pro.

    In a white paper on the download site about “Introduction to Windows SBS 2003 for Enterprise IT Pros“ it says

     

    “I feel the need to repeat this, so here it is: there can be only one machine running Windows SBS in a domain! In sum, that means that the only kind of domain that a Windows SBS computer can be part of is its own. You can’t add it to an existing Windows Server domain, and you can’t add another Windows Server machine to a Windows SBS network as the primary domain controller. (You can add extra machines running Windows Server to a Windows SBS domain as replica domain controllers, line-of-business (LOB) application servers, or servers that have Windows Server 2003 Terminal Server enabled, but we’ll cover that later in the "Common Scenarios" section of this paper.)”

     

    And I'd like to point out that one sentence “You can't add it to an existing Windows Server domain”... which is... well...it's just plain wrong.  You see you can add a SBS box to an existing domain.  You see there's a KB article out there .... 884453 in fact that is titled up as "How to install Small Business Server 2003 in an existing Active Directory Domain" that is right on point telling you how you can do that.

     

    “You should use the steps that are described in this article as an outline for how to install a new SBS 2003 computer in an existing domain to maintain the existing Active Directory directory service infrastructure.“

     

    Needless to say I'll be finding a way to give feedback on that document because that one part in particular is a bit wrong.

     

    <psssst.... whitepaper already updated on the web....dang you guys work fast...>

    The SBSPodcast likes Windows Media Edition

    Listening to the SBS Podcast and here's a couple of things I've found....

    First off it does best on Windows Media and sounded funny on MusicMatch.  The minute I flipped it to Windows Media the sound was perfect.  Remember you can put these on a mp3 player and listen to them later.  The team has a Podcast email addy at sbspod@microsoft.com and you can email them your questions in advance.

    This is really cool!  I subscribed to the RSS feed for it as well.

    BTW you really should listen to the first one that talks about the Exchange 2003 sp2 and the issues with drive space.  Make sure you listen and read the EHLO blog about this transition.

    A little explanation is in order...

    So Wayne spilled the beans about last week's ... uh... well let me explain.  So it's like this.  Last Friday I took Steve Foster up to Yosemite for the sights.  I mean why come to America and just see Los Angeles and Fresno, I mean really!  And then we decided to go up to San Francisco for the day.  We rented a car and even before we left, Mick Malloy had arrived from Australia.  We got up to the bay area and Mick had already found a bar with some locals.  Well... local to him anyway, as the patrons were from his home country.  Steve Foster and I arrived and we proceeded to walk about Union Square and then we rode the cable cars.  There's nothing like the smell of burning wood of the brakes on the cable car as it slows down from its ride down the hills.  On the way down to Fisherman's wharf we rode on the inside but on the way back we did the true tourist thing and rode on the “Standees” only step hanging off the cable car.  I had to laugh as I think it's the first time I've ever done that.  All the times as a little girl when riding the car my parents would never let me hang off the outside of the cable car.  We rode by the historic Cable car barn where the massive cables are powered and give the cars their ability to ride up and down.

    Down at Fisherman's wharf we stopped by Ghirardelli Square [got some free Chocolate] and then bought bread at Boudin Bakery [and yes during the Xmas season I regularly buy bread online from them].  Day two we went and saw Tim Burton's Corpse Bride and being the geeks we are, fired up the laptops at the Metreon wireless internet cafe.  So that evening we're waiting for the bus at the Amtrak bus stop on Market Street right outside the Shopping Center.  [you take a bus from downtown San Francisco to Emeryville to pick up the train].  And we were there a bit early.  Mick, me, Steve and a woman drinking a Starbucks coffee. 

    About that time a lovely specimen of San Francisco's finest walks up and starts to pick me up... then she hits on Steve...and then Mick.... and at one time she asks of Steve and I “are you two married?”  Now I'm not a coder, but you know how they call these forks in the code “decision branches” or “decision trees”?  Well for whatever reason I looked at the options I had and thought by going down an unexpected path that would stake out territorial rights of community property, marital status, jealous rages of looking at other females and other such potential female territorial rights, might just make this street person back off. 

    ... so I said “Yes, we are” and as Steve tells the story afterwards “I just about fell out of my chair”.  Well the plan to stake marital claim didn't work and she still proceeded to annoy us.  Fortunately about that time, an earlier Amtrak bus arrived and we jumped on the bus to get over to the safety of the Emeryville train station.

    ..... and so this began the running joke of the MVP summit...the marriage of “Mrs. Foster and Mr. Bradley“.  The first marriage of SBSers in the history of Microsoft.  

    I had talked Steve into taking the train from San Francisco to Seattle.  24 hours...as he puts it .. on the slowest commercial train in the world.  A blazing 40 miles per hour in speed.  We entered the sleeping compartment that was already set for the evening and as Steve puts it... “you had to go out in the hall to change your mind”.  The upper bunk had a tiny sliver of the window at the base of the bed, the rounded edge of the roof was above the bed.  While it had a belt system to ensure you didn't roll out of the bed, as Steve put it... “only Kate Moss or other similar lean super model had a chance of rolling out of that bunk”.  If you weren't claustrophobic before, the space in the upper bunk might be enough to push you over the edge.  Steve slept down below where the metal edge of the fold up desk bashed into his side all night long. 

    You know how they talk about the relaxing clickty clack of the train?  They don't tell you about the annoying squeak of the train wheels that keep you up all night.  At 8 a.m when the conductor blasted over the loudspeaker that breakfast was going to be served we felt like hitting him.  Groggy... we got up .... washed up ... as Steve said with the smallest towel he's ever seen and had breakfast.  One cool thing about the sleeping car is that meals are included in the fare and we had a fun time talking to several folks during the travel.  Uh...yes... the entire train does indeed know about patch Tuesday after I geeked out during breakfast, lunch and dinner.

    All in all it was a very fun trip, and had fun meeting Ben's mother among other things...but ... I think I've experienced the sleeping car ...... okay so maybe if I do it again we'll get two roomettes instead of one.....that upper bunk was a smidge squishy.

    oh...and given our uh... well... “marital status“....Steve and I are investigating how a long distance marriage lasts...me in Fresno...he in England... he suggested that we meet half way in Walt Disney World in Florida....and I warned him that I had promised my “first born“ to several folks on the Security team at Microsoft ... you know... “If you guys do this I'll give you my first born“....as I'm apt to do.... so I told him we'd need to plan on triplets at least....

    ...signing off for this blog post.....

    Mrs. Foster.

    SBS Kbs of interest

    Word does not save changes or you receive an error message in an Office program after you install Adobe Acrobat 7.0:
    http://support.microsoft.com/?kbid=906899

    You may experience slow performance by some programs on a computer that is running Windows Server 2003 with Service Pack 1:
    http://support.microsoft.com/?kbid=900609

    You receive an "HTTP_500" error message when you try to synchronize a mobile device with a server that is running Windows Small Business Server 2003:
    http://support.microsoft.com/?kbid=906512

    My favorite KB has to be this one... okay “what“ unexpected behavior?  And keep in mind that we do have LCS on some SBS boxes without issues... so it would be nice to know what to expect unexpectedly...

    You experience unexpected behavior when you install Live Communications Server 2003 on a domain controller:
    http://support.microsoft.com/?kbid=906598

    Issues with Syncing and you have CRM installed?

    You receive an "HTTP_500" error message when you try to synchronize a mobile device with a server that is running Windows Small Business Server 2003:
    http://support.microsoft.com/?kbid=906512

    CRM 3.0 will even have a special version that sits on top of SBS..... cool!

    SBS podcast now live

    Way cool!!

    Click here for the SBS blog for the podcast!

    Hey.. they did two of 'em and even had a call in phone number!!  Dang... missed it!

    It's an Acer TravelMate C110

    I think I've singlehandedly sold three laptops this afternoon.  As I've sat here working on my laptop several people have stopped and asked what it is.

    Acer Travelmate.

    It's small and compact and really easy to travel with.  Now granted I should have travelled a bit more with it yesterday.... okay I have to out myself. You know how I said that I kept physical security of my laptop.... uh well... in a sleep deprived weakened moment I left my laptop with a Microsoft employee and a Thawte notary.  Didn't lock the workstation.... didn't shut it off...just left it there with the two of them after I asked them to look after it....

    Word of advice..never leave a laptop with two geeks .... instead of being “outed” for a stupid insecurity by Dana in front of an audience.... your computer will be used to send an email to a DL listserve 'outing' you for leaving it unlocked and insecure.

    You'd think I'd learn....

    The lowercase "c"

    I'm sitting in Portland with a couple of hour layover before I go home after a couple of days in Seattle.  And in my slightly sleep deprived state as I wait for the time to get the next leg of my flight, it’s always a bit of a reflective time as those of us in this “community” all scatter back to the corners of the globe...there's a couple of thoughts I need to express.  This summit feels a bit transitional for me as I’m part of the “old guard” these days.  No longer the newbie, I’m the one who now gets the pride of seeing that newbie ‘oh wow’ glow of a new MVP coming to Seattle for the first time.  The one who beams when a fellow MVP makes the connection with a product group to help grow the connection between customers and a large company.  This is also a good time to self reflect on what exactly is this thing called community.

     

    To me, I think there are two “communities” out there.  One with a capital “C”, one with a lowercase “c”.  The “C” one is the one seen by the business side of folks.  This is the one that the “buzz” words are thrown out around… you know… we’re going to “leverage this and that” as the business side of “C”ommunity is apt to say.  To me this one is the one that has the logos and the swag handouts.  The “C” is the one that is seen in the business world as a conduit for viral marketing and word of mouth.  The one that Madison Avenue tries to harness.

     

    But there’s another Community out there.  The lowercase “c”.  The voices that I think large companies need to make sure they are listening to.    The lowercase “c” one is the one that folks like Paul Thurrott, I think, missed seeing.  Since he posted about the MVP summit, I'm going to publicly comment about some of the issues he brought up....He said that “I'm a bit freaked out by the sense of entitlement I get from many MVPs. Many of these people are fantastic and are true experts in their respective categories. But as in any large group, there is a minority that kind of ruins it for anyone.”  I think he saw the “C” part of the community, not the “c” part.  He saw the minority that do it for personal reasons and not the “c” ones that look at this insane thing we do as ‘paying it forward’ kind of thing, or a calling to keep Microsoft honest.

     

    Another journalist that was at the event didn't want me to introduce them to Microsoft employees.  He said that he didn't want to get too “close“ because of his journalism role.  I guess I see it differently than he does.  Because in my view there are times that I feel I can yell louder when I am known by people behind the wall.  You know how you can argue more passionately and strongly with family members than you can with strangers?  I think there's a bit of that going on.

     

    When meeting with Folks this week, many of the things we asked for were things that the gang has asked for for three summits now.  And the funny thing is, in many cases, the items we’re asking for,...the really obvious stuff like tools to help transition the break/fix businesses into managed care plans are already in the marketplace.  Level platforms comes to mind as one such tool that’s already there making an impact.  It’s often been said that a large percentage of features requested in office are already in the product but people don’t know they are buried under the hood. 

     

    I think Paul was right in that he should be freaked out by the “entitlement” view he saw.  I get freaked out by it too.   In fact embarrassed a bit by it sometimes.  I also strongly feel that the “MVP” view is only one of many data points that Microsoft as a company should look at.  We’re just one datapoint, one set of voices and I would hope that Microsoft is not just listening to MVPs or journalists like Paul.  In fact, there are times, we're not the right “voice” to listen to. 

     

    In all honesty there's been a bit of a concern about Paul Thurrott being an MVP as he says.  He is after all a journalist.  And as a journalist, how can he sign NDAs on the one hand in the MVP program and write about the latest and greatest stuff at Microsoft.  Does Paul Thurrott need to have access to Microsoft in the role that he has.  Definitely yes.  Does he need to be one datapoint as a feeder of information that has impact.  Absolutely.  But is it even fair to him to put him and others in this catch22 of a situation where it's his job to report on the latest and greatest and even not yet released Microsoft technologies and then bind him by a NDA? 

     

    Can a member of the press whose role it is to report, is it fair to him or her to put limitations that might have to be investigated as a potential “leak“.

     

    But I'll be the first to admit when I signed up to the Blackhat briefings under a Press Pass [that I later on had to back out on going to].... I'll be the first to say that saying I was a member of the “Press“ due to my Patch management articles I write felt weird.  Interestingly enough I didn't feel independent 'enough'. 

     

    Is the Press a member of the “C“ommunity or a member of the “c“ommunity?

     

    I tend to find that the lowercase 'c' of community are not silos of information and I'm not sure we're pushing enough to get the parts of a large company to better communicate. We had a presentation on Exchange and our SBS group considers Outlook just an extension of Exchange...it's just that platform's communication conduit.  Thus having Exchange be even more aware of Outlook and Outlook of Exchange is key.  Sometimes all of us work in silos of information and don't look at the bigger picture.

     

    I'd argue to Paul that the MVP program is indeed important.  We give a voice to a group. But honestly, the lowercase “c” of community is obviously just fine without us MVPs.  Questions are still being answered, topics are still being discussed even though we were pretty much offline.  Because while the uppercase “C” of Community might have a finite size, a budget, swag and all that... the lowercase “c” is bigger than that.  

     

    But at the end of the day it is just one voice...one datapoint.  Sometimes I get embarrassed by folks saying that this is “THE” Susan Bradley.  But what they miss is that I wouldn't be “THE” Susan Bradley if the rest of you weren't doing what you do.  

     

    And then we get asked “If Microsoft is the richest company in the world, why do guys do this?”  Bottom line it's the 'pay it forward' for many of us.  The 'attaboys'. We'd still be doing what we do even if Microsoft didn't invite us up every now and then. 

     

    A person who has this 'pay it forward' attitude isn't taught this....it's part of the fabric of their personality, twisted that it may be....

     

    You, the lowercase “c” of community makes me into the Uppercase “C” of Community.

     

    For that I thank each and every one of you that read the blog, send me questions every now and then so I don't run out of blog topics.  Yeah one could argue always that the MVP program is awarded for past community work, but I think Microsoft gets the most out of me when I'm representing their current customers. I wouldn't be an MVP... a person who represents voices in the community without having people to listen to in the first place.

     

    It's my hope that when I'm in various places as a representative of you, I don't embarrass you so that Paul can't be talking about any SBSer including myself when he says “some MVPs”  have a sense of entitlement.

     

    I still say when you stop worrying about “what's in it for me”, you get rewards tenfold...not to mention an online relationship that is unique and special.

     

    For every one of you that make the lowercase “c” into the community that it is....

     

    Thank you.

    You have mail!

    To all those in meetings where you bring in your laptop....can you shut off the sound?  One of the Vista features is a presentation mode that shuts off the sound and IM and changes the desktop to being “more PC”.  [Politically correct that is....]  But I'd argue that there should be a meeting mode..... because there's nothing more annoying than to be in a meeting and someone logs in to their computer and you hear the music.

    Next to me in the Portland airport is a guy who just got his email.  I can tell because the voice just said “You have mail”.

    So folks... can we turn off the audio please when you are in meetings and traveling?  It's just a smidge annoying...