Thursday, December 23, 2004

RPC over HTTP won't work

So, for the past 3 months my grandfather (my only other user on my home SBS system) has been complaining that he can't get his email via RPC over HTTP (Outlook via the Internet). I tried running him through some steps over the phone, the steps all looked right. Had to push him to OWA.

Well, I just figured out what the problem was, and I'm not sure how I got into this state, but the server was forcing the wrong authentication type: ".NET Passport Authentication". GRRRR

So, I simply changed it back to Basic and he started working again! Here's how:

  1. Open Server Management and expand Advanced Management, Internet Information Services, {ServerName}, Web Sites, Default Website

  2. Now right click on the Rpc virtual directory and choose Properties.

  3. On the Directory Security tab, click Edit under Authentication and access control.

  4. Ensure that .NET Passport Authentication is unchecked, then ensure that Basic authentication is checked!

But don't worry! Your password isn't really sent in clear text, since you're sending it through a 128-bit SSL encrypted channel.

Making this change on the back-end enabled my Grandfather to reconnect and download his e-mail.

Saturday, December 18, 2004

BillyG gave me some time with the family :o)

Well, it's that time of year. Bill has given me some time off to go back to the great white north and visit family. As a result, I will be out catching the rays ... from the banks of snow and probably not consistently posting blogs again until the new year. As always, if you're reading the blog, feel free to drop comments on the types of things you'd like to see here, and I'll see if I can't help out by figuring it out and posting it here.

Happy Holidays and Happy New Year. May your SBS server run smooth over the holidays. I certainly hope mine does. :)

Friday, December 17, 2004

New subnet? Use Change IP!

There's a reason for the SBS wizards: primarily, to ensure the right things happen. If you take a second to step out of the Small Business world and look at the larger corporations and how they operate, you realize: hey, they have a server (or two or one hundred) just dedicated to running Exchange, they have a server dedicated to being a domain controller, they have another one for SharePoint, and yet another one for ISA.

And it doesn't end there: they have specialists that monitor and tweak these boxes. I would bet some of these specialists know the product better than some developers who worked on the product!

Do you know the product this well?

The wizards are really your in-depth knowledge and security to ensure the right things happen each time you want to make a change. I know that when any of those large business admins try to run SBS, it's too complicated, because trying to do all the steps manually is far too cumbersome! Take the Change IP tool for example. Changing the IP address of a member server is a single easy task: simply open up the network card properties and change it. But change it on SBS? You have Exchange issues, mobility issues, SharePoint issues, AD issues. Using the SBS wizards and tools will ensure the right things happen, every time. And to top it off, some changes don't even have UI, like service binding to the appropriate NIC!

So don't feel like you're not a real admin if you use a wizard. Use the wizard, save yourself some time, and use that time to provide more value to your end users, instead of figuring out why your clients cannot connect to Exchange after you simply changed the IP address of the server.

Thursday, December 16, 2004

Still Can't Synch? Troubleshooting tips here!

Sometimes, no matter what you do, you just can't sync your device to the server. A good place to start is with Microsoft's Troubleshooting tips on Mobility. This provides you with a number of troubleshooting techniques.

You might also be having an issue with the self-signed certificate. 2002 devices are notorious for being troublemakers when synching against SBS 2003. Luckily, there are some tools to help you figure things out.

Like the Adding a Certificate to the Pocket PC 2002

Or disabling the certificate check. This tool is handy for both devices as a workaround. It disables checking the validity of the certificate for ActiveSync ONLY. Pocket IE will still validate certificates after you've used this tool.

Also, if you're hosting multiple domains, sometimes you can get into an issue with SBS not being able to find your mailbox. Say, for example, I have two email addresses, seanda@fqdn.com & sean@fqdn.com; my logon name is seanda, but I enter sean as my email alias. Exchange may not be able to find my email address. What you can do is take advantage of the .local domain and force Exchange to look up on this domain. Simply set HKLM\System\CurrentControlSet\Services\MasSync\Parameters\SMTPProxy to the internal domain name, mycompany.local, and do an "iisreset" from the command prompt; Exchange will then only look for mailboxes of that user linked to the .local domain, making it easier for Exchange to find the mailbox. This problem is usually indicated by an HTTP_500 error on the phone.

Finally, one of the more common problems is when you change the IP address of the server. Say that, for some reason, you want a different subnet on your internal network. If you simply go into the local network card and change the IP address, you'll have issues. What you'll want to do is use the ChangeIP tool provided for you on the Internet and E-mail snap-in of the admin console. This will ensure the IP restriction on the \exchange-oma virtual directory will remain intact. If that IP address doesn't match the IP address of the server, your syncs will get access denied.

Hopefully these tips get you mobile again.

Wednesday, December 15, 2004

What's in a Synch?

How does a Microsoft mobile device synch against SBS 2003? Let's break it down.

Microsoft Mobile Devices
A Microsoft mobile device such as a SmartPhone or a Pocket PC Phone Edition phone works in a similar way (exactly the same way for Windows Mobile based phones, i.e. the 2003 versions). These devices will get an internet connection (via GPRS, CDMA, WiFi or Bluetooth, depending on the device) and then authenticate to https://www.fqdn.com/microsoft-server-active-sync .



Because Exchange is primarily designed for larger companies, it expects a front-end server to accept the web requests and a back-end server where the mailbox stores live. SBS is both front-end and back-end server; because of this, the request received in the MSAS virtual directory is sent (via a loopback) to the \exchange-oma virtual directory. While this data loopback is not SSL encrypted, this virtual directory is IP restricted to the local box, so the non-SSL encrypted data is all processed locally.

It is very important not to change the IP restrictions on the \exchange-oma directory, or you could have users' mail broadcast in clear text via an OWA session.

WAP 2.x Browser Phones
WAP 2.0 and higher browser phones can view their Exchange store by browsing to https://www.fqdn.com/oma. Once authenticated, the user can browse their inbox in a hypertext-like format. Be warned though, many of these phones do not support the self-signed certificate that SBS provides (meaning they will not prompt you to accept an invalid certificate, but rather just complain and fail).

Once the authentication occurs, the same loopback to the \exchange-oma directory will occur.
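The two SSL remarks in these posts (Basic authentication on the Rpc directory is only protected by the SSL channel, and the non-SSL \exchange-oma loopback is only protected while it stays IP-restricted to the server itself) can be expressed as one check. The Python below is an added example, not code from the original posts or from any Microsoft tool; the `VDir` model, the function names and the sample addresses are constructed for illustration and do not reflect a real IIS configuration format.

```python
import base64
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VDir:
    """Constructed model of the settings discussed; not an IIS metabase format."""
    name: str
    basic_auth: bool
    require_ssl: bool
    ip_allow: list = field(default_factory=list)  # empty list = no IP restriction


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value that Basic authentication sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header: str) -> tuple:
    """Recover (user, password): base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit(vdirs, server_ip: str) -> dict:
    """Return {vdir name: finding} for each non-SSL directory needing attention."""
    server = ipaddress.ip_address(server_ip)
    findings = {}
    for v in vdirs:
        if v.require_ssl:
            continue  # traffic is inside the SSL channel, so Basic is acceptable
        allowed = [ipaddress.ip_network(a, strict=False) for a in v.ip_allow]
        # "Local only": every allow entry is a single host, and it is this server.
        local_only = bool(allowed) and all(
            n.num_addresses == 1 and n.network_address == server for n in allowed
        )
        if allowed and not any(server in n for n in allowed):
            # The state left behind when the NIC address is changed by hand
            # instead of through the Change IP tool.
            findings[v.name] = "stale restriction: server IP not in allow list, loopback denied"
        elif not local_only:
            what = "credentials and mail" if v.basic_auth else "mail"
            findings[v.name] = f"cleartext exposure: {what} readable off-box"
    return findings


# Constructed sample: values are illustrative, not read from a real server.
# The authentication setting of exchange-oma is not stated in the posts.
SAMPLE_VDIRS = [
    VDir("Rpc", basic_auth=True, require_ssl=True),
    VDir("exchange-oma", basic_auth=False, require_ssl=False,
         ip_allow=["192.168.16.2"]),
]

if __name__ == "__main__":
    hdr = basic_header("seanda", "constructed-password")
    print(hdr, "->", decode_basic(hdr))
    print("as configured:      ", audit(SAMPLE_VDIRS, "192.168.16.2"))
    print("after manual IP move:", audit(SAMPLE_VDIRS, "192.168.1.2"))
```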

Tuesday, December 14, 2004

Configuring Mobility on SBS 2003

Somewhat recently, I did a live mobility webcast (that you can now listen to on demand) in which I went through the steps to configure mobility on your SBS 2003. It's easy, but it's not hand-held. The steps are a little confusing to get all set up, so I'm going to run through them here on my blog in hopes of getting you mobile.

Configure the Server
First you'll have to configure the server. This is a single-click configuration when running through CEICW (Configure Email and Internet Connection Wizard). On the Web Services page, simply check the box that is labelled Outlook Mobile Access. When you complete the wizard, this will configure the following things:

  • Enable OMA inside Exchange by setting an Active Directory object to enabled

  • Configure the firewall to allow access on port 443 (SSL webport) if it's not already open for another web service

  • Configure IIS to un-restrict the IP restrictions on both the \Microsoft-Server-Active-Sync and \OMA virtual directories. These are restricted out of the box to ensure high levels of security and only the services in use are available to the users

Now the server is configured, let's get to work on the clients!

Client Configuration
Client configuration is the most confusing aspect of setting up a mobile device, primarily because it's not intuitive, but if you know what you're doing, it's super simple.

  1. First thing is to set up a user. While you're in the Add User Wizard setting up that user's computer, choose to deploy ActiveSync 3.7 (even though it's old) as this will install

    • ActiveSync 3.7

    • SBSMobCfg - The SBS mobile device configuration utility

  2. When this is complete, tell the user to log off and log back on. This will initiate the installation of the above tools

  3. When ActiveSync is installed, simply hook up the device as per the instructions that come with it (except there will be no need to install ActiveSync, since it was installed via the server)

  4. On the first connection of the device, you'll see the following screen appear:

    This step configures the phone with predefined defaults that the user can change during the Getting Connected wizard that appears.

Once you complete the Getting Connected wizard, the phone will start its first synch.

It's probably a good idea to leave the device in the cradle for the first synch since this will be the biggest, most expensive sync you have. Once this is finished, you're ready to go mobile! What was the saying?

Go Mobile ... or Go Home!

Monday, December 13, 2004

=Outlook Address Book

Outlook 2003 does a lot to help you out. Although sometimes it's too helpful for its own good.

Let me give you an example.

I'm looking for the phone number for a co-worker, I know his alias. Lucky for me, Outlook provides a quick-lookup box for aliases in one of the tool bars. However, if I just type his alias "FLast" into the box, I get a selection box. Outlook kindly asks me if I'm looking for First Last contact, or First Last Direct Reports or First Last's hotmail address. Dang! All I wanted was the phone number out of the GAL contact object of FLast!

Well, here's a tip. Put the "=" sign in front of an alias, it will force Outlook to look for exactly that contact. In my example you would use =FLast. Now Outlook opens the contact information for that object and I can just dial the phone number without any more clicks of the mouse.

Simple, but effective. At least I think it is.

Friday, December 10, 2004

Tweak Out your System...

A couple of weekends ago, I went through the process of re-installing my System again.

One of the programs I realize that I just can't live without installing is TweakUI. It comes as part of the PowerToys that is available for Windows XP. This is what they say about it:



Tweak UI
This PowerToy gives you access to system settings that are not exposed in the Windows XP default user interface, including mouse settings, Explorer settings, taskbar settings, and more.




Well, that's pretty much what it does. The key things that I change are:

  • The Favourite location, although I'm trying to do this via Group Policy

  • The My Music location, again, I'd like to do this via Group Policy at some point

  • The shortcut icon

  • On some systems, I even use the auto-logon feature

  • The menu speed, I like it to be a little faster

  • The thumbnail size, for pictures, this is key for those digital photo people out there

  • The slide show speed. Sometimes, 5 seconds is just too slow, I like 2.5 seconds honestly

  • I'd like to change the places bar, but for some reason, Office doesn't utilize this, so it's not that useful

  • Finally, the templates, what you see when you right click and choose "New"

It's gotta be custom baby!

Still waiting on Adobe? Speed it up!

So a while back I was looking for a copy of Adobe 3.0. Why? Because I was tired of waiting for Adobe to load just to show me a simple PDF file. How many plug-ins does Adobe have to load to show me a PDF?

Well, I came across a blog with the answer! Darrell Norton posted about how to move the plug-ins into the optional use for Adobe after it's installed. Wow, what a difference!

Here is the gist:

  1. In Windows Explorer, browse to c:\program files\adobe\Acrobat 6.0\Reader\

  2. In the plug-ins directory, you see all the plug-ins that get loaded (quite a few). Move the plug-ins that you don't want to load into the "Optional" directory and you're done!

So what are these plug-ins? Darrell's got you covered again.

In fact, to help out even more, here is the list of items that I have kept in my plug-in's directory:

  • Printme folder

  • AcroSign.prc

  • IA32.api

  • printme.api

  • Search5.api

  • Search.api

That's all there is left, and I don't even see the splash screen anymore it loads so fast. Finally, I can start using Adobe again.

Wednesday, December 08, 2004

MailTo: Made That Much Easier

I'm a big advocate of efficiency. It started to become cumbersome to me to be browsing the web, come across something I want to email out. Mouse down to the bottom of the screen, click outlook, mouse up to the top of the screen, click New Mail Message, mouse to the right of the screen, minimize Outlook, then start typing.

This had to change.

So, I created a new mail message shortcut in the QuickLaunch bar. Here's how I did it.

  1. Right click on the desktop and go to New, then click on Shortcut

  2. In the location of the item type in mailto: with the colon, then click Next

  3. In the name for the shortcut, type in New Mail Message and click Finished

Now you'll notice that you have a new shortcut, with the Outlook Icon. This just won't do.

  1. Right click on the icon and choose Properties

  2. Click on the Change Icon button on the Web Document tab

  3. Instead of looking in Outlook.exe for the icon, change the path to this file {systemdrive}\Program Files\Outlook Express\msoeres.dll

  4. Choose the new mail message icon and apply the changes

Ta-Da!

Now all that's left is to copy (or move) the shortcut into the Quick Launch bar. Now when you want to send a new piece of mail, you can simply click on this icon, and a new mail message will open, ready to type in the recipient. Handy for people who send lots of email like myself.

Tuesday, December 07, 2004

Getting Dizzy Thinking about Circular Logging?

Here's the skinny. When SBS 2000 shipped, we shipped with circular logging disabled (meaning Exchange was going to do its full logging). Our Product Support Folks (PSS) were struggling with the number of calls from people who ran out of disk space. Why is this? No Exchange-Aware backup was being done on the box, and the log files will grow indefinitely. Finally, due to the nature of an SBS install (typically a single volume with everything on it) the DC and Exchange server would run out of disk space at the same time (since they are the same box).

This can spell out bad news.

So with SBS 2003, we did 2 things. First, we provided an inbox backup solution to make it easy for people who were scared of backup and didn't understand it to successfully set up a backup and actually do Exchange-Aware backups (yes, NTBackup is Exchange aware!). Second, we enabled circular logging out of the box (to prevent log files from growing out of control!), we re-enable it when you run the wizard, and never disable it again (even if you disable the SBS backup tools).

So what does this mean for you?

If you're using a 3rd party backup solution, that's Exchange-Aware, you're probably going to want to disable the circular logging to reap the full rewards of Exchange logging functionality. How do you do this? Well, you can run the SBS Backup wizard, then run it again and disable it. Or you can modify the setting directly. Simply:

  1. Open Server Management and expand Advanced Management, First Storage Group, Servers, {Servername}

  2. Right click on First Storage Group and choose Properties

  3. On the General tab, uncheck the Enable circular logging and choose OK

That's all there is to it. Now your 3rd party backup application will tell Exchange to truncate the logs and you're all set.

Monday, December 06, 2004

Troubleshoot Group Policy

Group Policy is very much overkill for Small Business Server. So much, in fact, that many of the features won't even work on an SBS box because they relate to cross-forest or cross-domain functionality. Having said that, Group Policy can still be cumbersome to troubleshoot within a single Domain and Site. What you need is troubleshooting tools.

There are a few primary tools I would want to call out around troubleshooting.

RSOP.MSC
This handy Windows XP tool can be run by simply typing "rsop.msc" from a client run box. It will gather all the details of policy running on that particular box and show it to you in a single GPEdit.msc console. It's not the easiest way to look at it, but if you're checking for a specific policy and whether it was applied or not, this is pretty easy. You even get funky red-x's if something failed to apply.

GPResult.exe
This handy DOS command can be run to roll up and show you all the policies in your network and which ones are applied to the computer, and which ones aren't. Kind of handy if you were expecting a policy to affect a machine and it didn't.

GPMC "Policy Results" Calculations
If the user has ever logged into the client machine, you can go crack open GPMC (our handy Group Policy tool) and run a new query; it will take your computer/user combination and give you a nice roll-up of what's going on with that particular user. This is handy since it's an all-in-one familiar interface to view all the policies and how they are applied.

Happy Problem Solving!

Friday, December 03, 2004

Google finally picked up their own Blog!

As you probably know, this site is hosted by Google. It was primarily chosen because... well, there is no real reason, it has its pros and its cons. It was available before MSN Spaces, it's not hosted on my own box and.... well here are the rest of my thoughts on that.

What I found most amusing was that I couldn't find my blog on the Google search engine, heck the "search this blog" at the very top of this page didn't work!

C'mon Google, it's your own blog.

Well, finally, it would appear that the search above is working and a search for seanda on Google returns this blog as the 3rd link!

Of course if you search for Sean Daniel you'll learn quite a bit about the director who shares my name, but never see this blog.

Well, onto the good news. You can search this Blog!

Group Policy Inheritance and Scope

Group Policy is pretty well defined; it's so defined that it can be predicted in all cases. Unfortunately, there are so many different ways things can occur that prediction can get complicated if you complicate your GP settings.

I'm going to share the inheritance model with you.

The best way to think about it is that the closest policy to the object (user or computer) will take precedence. So OU Policies supersede Site Policies, which supersede Domain Policies. There are some exceptions to this rule:

  • The local computer policy is always overrun by any other policy

  • If the policy prevents overruling (i.e. it's enforced), then it will supersede any policy below it. Doing this will make it harder to debug what's going on, though, and in an SBS environment it's not really needed

Keep in mind that a GPO only makes changes to the objects that are in its container.

Another thing to keep in mind is the link order. At each level (Domain/Site/OU) each Policy has a link order. GPOs are processed in the number of their link order, i.e. link 1 is first, link 2 is 2nd etc.

Finally, inside a Group Policy, the Computer side of the GPO is processed before the User side, so if you make a change in either side, the Computer side will take precedence over the User side. This one is handy to know if you've got roaming users inside your network.

Mobility Webcast on-demand now available

It would appear that the Mobility Web Seminar for Partners is now available for review on-demand.

The presentation can be launched from This link; simply enter a name and submit it. If for some reason this link doesn't work for you, head on over to the Registration Page for the broadcast, register, and Microsoft will send you an email with a link to the presentation.

I will most likely publish some of the mobility related items directly to this blog as well, look for them in the future.

Thursday, December 02, 2004

Using an AudioTron in your SBS network?

I know it's not a common line of business application, but it certainly is at my house. I need ma tunez!

So I installed my Audiotron on my network at my house, only to find it could read shares from my client, but not from my server.

What the heck? Isn't that what servers are for? Storing Data and sharing stuff?

This had to be fixed. After searching for some time on the web, I managed to find that in Windows Server 2003, digitally signing communications is enabled by default for all domain controllers. The Audiotron doesn't like this. So you have to disable it.

  1. In GPMC, find the Default Domain Controllers Policy

  2. Edit this policy, and drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options

  3. In the list on the right, find Microsoft Network Server : Digitally Sign Communications, and change this to disabled

Of course you're going to have to run gpupdate /force to get this to take effect immediately on the server.

Now your AudioTron can view the server and read music off it.

Wednesday, December 01, 2004

Mobility Web Seminar for Partners..

Tomorrow morning I will be presenting in a web seminar on how to connect your mobile device to SBS 2003. Here are the details. I believe it's only for partners at this time, but why not register?

Event: Windows Small Business Server 2003 and Mobile Devices
Date: 12/2/2004
Time: 9:00am PST
Duration: 60 mins
Description:
Learn all about connecting a Windows Mobile device to Windows Small Business Server 2003. In this session we will discuss the server setup, client setup and mobile device setup aspects of joining a Microsoft Mobile device to the network, enabling users to maintain connectivity and stay productive while away from the office.

The seminar will be hosted via Live Meeting, but you can register by finding the presentation on the MS Readiness Upcoming Broadcast page.

To register for my specific event, follow this Link.

Hopefully see you there tomorrow!

Keeping Track of your Backups... The Easy Way

Wayne Small, an SBS MVP and fellow blogger told me a tip over IM the other day. I gave him about a month to post it to his blog, and he hasn't. I find it very useful in my day to day life, so I thought I'd share.

Wayne uses rules in Outlook to easily identify what's going on with backups on his clients' servers. For me, that's 3 servers: my home server, the server at work and also my cousin's SBS box over in Great Falls, MI.

Wayne configures an Outlook rule to search for specific strings within the body of messages as they come in. Those specific strings are:

  • Backup: Did not run

  • Backup: Completed successfully

  • Backup: Started but has not finished

  • Backup: Failed

Choosing flag colours for these strings, as they appear in the body of the message, will help you figure out "at-a-glance" if the backup failed or succeeded.

If you're like me, and are short on rules because you have so many, then you might want to use a single rule and just put the last two items in it and mark it red as I have done.


Now you can determine the backup status of an incoming Server Status Report in the blink of an eye.

Tuesday, November 30, 2004

Why do I have an Auditing Policy on SBS?

If you're playing more and more with Group Policy, and I know I am, you'll probably come across an Auditing Policy for the domain controller.

The policy includes the following information:

Why did we do this? Well, you'll have to read my long winded previous post on Error 800423f2. If you look at the bottom of that post, you'll notice how Directory Service Auditing must be disabled. Well, this is how it's disabled. Removing this policy will probably result in a much higher failure rate on your backups.

Monday, November 29, 2004

Update to the Backup Hack

So my first technical post to this blog was about how to change the backup from targeting a USB disk or tape. I've got a lot of feedback on this post being helpful. I wanted to create a new post to indicate a correction to this post, and a minor modification. I decided to keep the post the same (for those of you who have linked to it from your blogs/websites/etc.), and just added an updated section.

Click here to go and check out the update.

Users ... their own worst Enemy?

Sometimes the people that use your network make mistakes... heck, sometimes you make a mistake and wish you could get a file back. SBS helps you with this as it maintains previous versions of files on file shares out of the box.

What I think the coolest part is, users can do this themselves! That's right. No more asking "can you recover this file? I just deleted it".

Of course, this responsibility has its drawbacks. But here is the worst that can happen: if a user accidentally overwrites a file with an older version, only the things changed on this file since the last update are lost, not the entire file.

I think this is a turn for the best: it means less administrative work for you, and more power for your users to do their job.

Thursday, November 25, 2004

So What Exactly is backup error 800423f2

If you've been running SBS 2003, and you've been a good administrator and you've been running backups, you've probably seen the backup error of dread!

Error returned while creating the volume shadow copy:800423f2
Reverting to non-shadow copy backup mode.


This error has good news and bad news. The good news is, before we shipped (like in the beta), this happened on about 90% of all backups; now it happens on about 0.01% of all backups. The bad news is, it happens on occasion.

So what is this error? Well, if you remember in my previous post I talked about VSS and how it works, primarily for snap-shots. I didn't mention what happens when you do a backup. Like I mentioned, doing a snap-shot for a backup is very much the same as doing a snap-shot for a previous version. But here is the difference.

In a snap-shot for a backup, the VSS service will call all the writers on the system. You can see how many writers you have on your system by opening up a command prompt and typing vssadmin list writers. Each application you install on your system should have a writer to work best with the backup.

First, What's a Writer?

A writer is built by the application for the application; it knows what to back up, and how to prepare the application for the VSS snap-shot. Of course, NTBackup doesn't use the first piece of information.

So how does the whole process work? Well, bkprunner is kicked off and launches NTBackup. NTBackup then tells VSS to do a snap-shot.

In order to get a backup where there are no open files, a snap-shot takes place, but for the backup, we want to make sure that all the data from all applications is no longer kept in memory, but rather is flushed to the disk. In order to do this, VSS performs these steps:

  1. Request Writers to Prepare for Backup - there is 1 minute allotted here for applications to write all the data they want to have backed up to disk

  2. Request Writers Freeze Applications - At this point, the Writers instruct their own application to hold all disk writes in memory. From this step, to the 6th step in this list, there is a hard stop at 60 seconds

  3. Request Filesystem Writer to freeze filesystem - This is when the file system is frozen and this writer will hold all writes to the disk from any application that doesn't have a Writer. From this step to the 5th step, is allotted only 10 seconds

  4. Take a snap-shot - This is where the actual snap-shot differential area is created and ready to accept new changes

  5. Thaw (or un-freeze) the filesystem - Write everything to disk that was held off before and allow more writes to the disk

  6. Thaw the applications - Allow the applications to start writing to the disk again

So now you know how it works? What's the error?

Well, the error 800423f2 happens when the system doesn't get through the above steps in the allotted time period. There are some handy tips and tricks on how to resolve this issue. They are located in the Backup Tips & Tricks section. Essentially, they boil down to:

  • Make sure you have enough disk space on your disks, the system needs some to play with during a snap-shot

  • The disk is not fragmented, there is a lot of disk activity during the start of a backup, if the disk is too slow, it can cause issues

  • The Event Log isn't set too big. Due to the architecture of the event log and its writer, when a backup starts, the event log is paged from disk into memory, and then flushed out to disk again, which is pretty disk intensive

  • Directory Auditing is disabled. Due to the nature of SBS being a single box all of the directory service authentication goes through this box. In the case of the backup, a lot of things are happening, and with directory auditing enabled, the box is just too busy to do the backup and all of auditing


There are some hotfixes out to make VSS work a little better:
KB 833167 - A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003

Now you know how it works, and knowing is half the battle!

Happy Thanks Giving Backup Song

I thought I'd share a song I came across in newsgroups about Backup. I'm not sure who the source is, but the "I'm Feeling Lucky" search on Google Groups returned a post by Willi El Goldschmied.

Anyways, hopefully no one spends their Thanks Giving recovering a server. Here is the song:

Yesterday,
All those back-ups seemed a waste of pay.
Now my database has gone away.
Oh I believe in Yesterday.

Suddenly,
There's not half the files there used to be,
And there's a milestone hanging over me
The system crashed so suddenly.

I pushed something wrong
What it was I could not say.

Now all my data's gone
and I long for Yesterday-ay-ay-ay.

Yesterday,
The need for back-ups seemed so far away.
I knew my data was all here to stay,
Now I believe in Yesterday.

Wednesday, November 24, 2004

Understanding Volume Snap-Shot Services ...

Lots of people have asked, so here's the short overview on how it works.

VSS, or Volume Snapshot Services, is used in two ways.

  1. To provide previous Versions of Files and

  2. To ensure backup applications don't have issues with open files

The two work in much the same way. At the specified intervals, a snap-shot is taken. Let's first talk about the snap-shot.

Taking a Snap-shot
A snap-shot occurs at the specified time of creating previous versions (defaulted to 7am and 12-noon), and at the time of backup (which is defaulted to 11pm).

A snap-shot takes usually less than 1 or 2 seconds to create. So how does it copy your entire hard drive in 1 or 2 seconds? It doesn't.

In actuality, it creates a hidden storage area to keep blocks of data. This storage area has a structure, (which takes up 10mb of space total), an area of size 300mb is created (hence why you can minimally create a 310 mb space for previous versions.

No files are moved.

What actually happens is that from this point forward, the first time a file is changed, the differences in the file are stored in the hidden location, and the new changes are stored in the actual place on the hard drive. The next time it changes, the old-new changes are lost, as the new changes overwrite them. Changes are only copied the first time they occur after a snap-shot is taken.

That's all there is to it? .... ok, so not all of it.

I bet the first question that comes to mind is: how come this doesn't just eat up your hard drive, 300 MB at a time?

Well, this is because on each snap-shot, if the space wasn't used, it's truncated, so it only keeps the smallest amount of data required to recover the original hard drive.

So using these snap-shots (or differential areas), at each snap time, the computer can re-construct a virtual hard disk of exactly what the hard disk looked like at that point in time. It does this using all the snap-shots that have occurred after the point in time you want to look at the hard drive. This is because if a file has changed through time, the data for that file is contained in all snap-shots and needs to be read to be reconstructed.

You can look at the snap-shots by right-clicking on a volume, going to Properties and then choosing the Shadow Copies tab.

From here, you can create or delete snap-shots. You might notice that if you delete one of the ones in the middle, you don't recover any space, but if you delete the last one, you recover the space. This is due to what I mentioned earlier: all snap-shots ahead of the earliest one are required to create the virtual hard disk.

Now this process keeps going and going and going, retaining previous versions of files for all your users. It maxes out at the specified limit, or 60 snap-shots, whichever comes first.
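To make the copy-on-first-change behaviour concrete, here is a toy block-level model, added as an illustration and not taken from the original post or from VSS itself. The class, its method names and the four-block "disk" are assumptions made for the example.

```python
# Toy block-level model of the copy-on-write scheme described above.
# Added illustration only: VSS itself is not implemented this way, and the
# class, method names and four-block "disk" are assumptions for the example.

class Volume:
    def __init__(self, blocks):
        self.blocks = list(blocks)   # live data in its actual place on disk
        self.diff_areas = []         # one per snap-shot: {block index: old content}

    def snapshot(self):
        """Take a snap-shot: nothing is copied, an empty diff area is opened."""
        self.diff_areas.append({})
        return len(self.diff_areas) - 1          # snap-shot id, oldest = 0

    def write(self, index, data):
        """Change a block; save the old content only on the first change."""
        if self.diff_areas:
            newest = self.diff_areas[-1]
            if index not in newest:              # first change since the snap-shot
                newest[index] = self.blocks[index]
        self.blocks[index] = data                # new data overwrites in place

    def view(self, snap_id):
        """Rebuild the virtual disk as it looked when snap_id was taken."""
        image = list(self.blocks)
        # Undo changes newest-first, through every diff area taken at or
        # after snap_id; older snap-shots depend on the newer ones.
        for area in reversed(self.diff_areas[snap_id:]):
            for index, old in area.items():
                image[index] = old
        return image

    def blocks_saved(self):
        """How many old blocks each snap-shot's diff area holds."""
        return [len(area) for area in self.diff_areas]


def demo():
    vol = Volume(["A0", "B0", "C0", "D0"])
    morning = vol.snapshot()         # e.g. the 7am snap-shot
    vol.write(0, "A1")               # first change: A0 saved to the diff area
    vol.write(0, "A2")               # second change: A1 is simply lost
    noon = vol.snapshot()            # e.g. the 12-noon snap-shot
    vol.write(0, "A3")               # A2 saved in the noon diff area
    vol.write(2, "C1")               # C0 saved in the noon diff area only
    return vol, morning, noon


if __name__ == "__main__":
    vol, morning, noon = demo()
    print("live   :", vol.blocks)
    print("noon   :", vol.view(noon))
    print("morning:", vol.view(morning))
    print("saved  :", vol.blocks_saved())
```

Note that block 2 changed only after the noon snap-shot, so its original content sits in the noon diff area alone, and the morning view cannot be rebuilt without it.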

Any questions? Feel free to ask in the comments below, and I'll dive into details.

Tuesday, November 23, 2004

Redirecting the Client Desktop to the Server

As some of you know, I have a strong interest in backing up data and making sure it's secure. Naturally, I took advantage of the My Document Redirection tool in Small Business Server 2003. I like it for a number of reasons:

  • My Documents and everything in my Documents lives on the server, so it's easily backed up

  • When using multiple PCs, they all have the same My Documents folder

  • I designed the tool :o)

But that's not enough. Recently, I've found that for the current things that I work on, I keep them on my desktop, until I'm finished, then I file them away in my Documents or delete them. So what's the problem?

My Desktop is not a safe place to store things!

It's not backed up, the data is only in one place, and it's the most important data to me at that time.

What did I do? I simply just re-directed the desktop to the server. Here's how:

  1. On the SBS server, open Server Management, Advanced Management and Group Policy Management

  2. Now decide where you want this policy. I would put it in the Users OU under: Expand Forest, {domain name}, My Business and Users

  3. Right click on SBSUsers and select Create and Link GPO Here...

  4. Give your GPO a name, I usually start with who created the GPO, followed by what's in the GPO, for this example, I'll use "Seanda - Desktop Redirection"

  5. You'll see the newly created GPO appear in the SBSUsers OU, right click it and choose Edit

  6. The Group Policy Object Editor opens, let's drill in to User Configuration, Windows Settings, Folder Redirection and right click on Desktop and choose Properties

  7. Here is where we will instantiate the policy. On the Target tab, change the Setting to Basic - Redirect everyone's folder to the same location

  8. In the Root Path type in the location to redirect to: \\{servername}\users.
    • In this example, I'm redirecting to the built-in Users share, since the ACLs are set correctly. If you want to redirect to a different share, you should read the help topic in the "More Information" button on the My Document Redirection tool

  9. On the Settings tab, you can choose a number of things:

    • Grant the user exclusive rights to desktop - if this is checked, Administrators cannot get into this folder without taking ownership

    • Move the contents of Desktop to the new location - if this is checked (and I think you should keep it checked), the contents of the current desktop, will move to the new location, this is so your users don't know what you've done. :)

    • Finally, Policy Removal will tell policy what to do if you ever delete this policy in the future

That's all there is to it. The next time your users log in (might be 2 times for XP clients, due to asynchronous logons), the user's desktop will exist on the server and be automatically included in your SBS backup!

So what's the drawback? Well, the items on the desktop will all get the funky blue icon saying that they are synchronized for offline use in the event the server goes down.

Enjoy the redirected life

Monday, November 22, 2004

Out-of-Office sent.. Out of Office

Some people like to have additional security around Out-Of-Office response e-mails. Those are the e-mails you automatically receive when you e-mail a person and they have set their Out-Of-Office in Outlook, or OWA (Exchange 2003 only).

Some companies (including Microsoft) make it corporate policy not to send these Out-Of-Office messages out of the company. I'm not exactly sure *why* you would want to do this, but I'm sure you have your own reasons.

Regardless, following KB Article 262352, I was able to figure out a set of steps (mainly because they are provided) to disable this, as this functionality is enabled by default on SBS 2003.

Here's how:

  1. Open Server Management, then Advanced Management, First Organization (Exchange), Global Settings and click on Internet Message Formats

  2. In the left-hand pane, right-click Default which is the * domain and choose Properties

  3. On the Advanced Tab, un-select the Allow out of office responses

It seems confusing, but if you sit back and think about it, you're working primarily with the Internet Message Formats, and this is an Internet thing.

Oh, one last thing: restart the Simple Mail Transfer Protocol (SMTP) and the Microsoft Exchange Routing Engine services for the change to take effect.

Enjoy!
Sean

Friday, November 19, 2004

Catfood, Dogfood it all Tastes Good

Sidebar: I apologize for not posting the past couple of days, I ended up taking a class, and also having an offsite. Combine that with a common cold, and there really isn't much free time to sit in front of a computer. As a result, I'm posting twice today (to kind of make up for lost time)

Microsoft has been dogfooding their own products for years. This means that Microsoft uses their own products first, in beta, release candidate and then finally in RTM. What many people don't know is that the Small Business Server team does the same thing, except we call it Catfooding.

Why Catfooding?

Well, it's a long story, let me explain, since I think it's kind of fun.

Microsoft also uses code names for each of our products because we start working on the product long before deciding what to call it. Windows Server 2003 has the codename Whistler (yes, after the mountain). When we sat down to give SBS 2003 a code name, we decided, well, it was built on top of Windows Server 2003, so why not pick a run on the mountain. Bobcat won the majority vote.

Since the choice of Bobcat as the code name, many things fell out of this:

  • Bobcat Orange - for those of you who installed the beta 1, you probably remember it

  • FC Bobcat - The indoor soccer team that consisted of co-workers

  • and Catfood - the dogfooding network for Bobcat


So now you know what Catfood is, what do we do with it?

Well, using a single SBS box, we host roughly 70 users. Trust me, we're power users. Moreover, we probably have the biggest Active Directory you've ever seen on a single box! So what hardware do we use? Nothing too powerful:

  • Dual Processor 2.8 GHz

  • 1 GB of Ram

  • RAID 5, SCSI disks

Sure it's a pretty hefty machine, but hey, it's got a pretty hefty load. Still, I've seen machines like this out there for 10 users! Wow! Administration is a little slow, but the users don't have any problems with use.

Catfooding is where it's at

Disabling RPC/HTTP UI in Outlook

I was trying to figure out why I couldn't configure RPC over HTTP for Outlook 2003, I had XPSP2 installed, I was running Office SP1, It's all supposed to be functional.

Apparently, because of my wacky installation point, I had a registry key set which prevented the UI from showing up. Frustrated about this, I got to thinking. Some people out there like to disable things they don't want their users to play with, so I thought I'd post it here.

In the registry key HKCU\Software\Microsoft\Office\11.0\Outlook\RPC there is a DWORD EnableRPCTunnelingUI. If this DWORD is set to "1", the UI shows up regardless of how the server is configured. If the DWORD is set to "2", the UI will not show up.

Seems simple now. I guess that's why they say hindsight vision is 20/20.

Tuesday, November 16, 2004

Using Templates ... not your brain

SBS 2003 has a feature that Windows Server does not have... ok it has a few features standard server doesn't have, but in this particular post, I wanted to share with you the wonder of using user templates.

You may have noticed that SBS has 4 templates out of the box

  • Administrator Template - template to create additional administrators, consider using this template sparingly

  • Power User Template - users who can add users and have limited administrative functionality

  • Mobile User Template - template to create users who can use VPN/dial-up functionality of the server

  • User Template - This should be the most common template for users. All of these users can use the Remote Web Workplace


What is so cool about templates? You can make as many as you like!

I spend time building templates and then when I add new users to my system, I can simply use the standard Add User Wizard and choose the appropriate template. Each user will be added to the correct distribution groups, security groups, quotas, etc.

Play around with templates, get to know them, they can help you keep your environment consistent.

Monday, November 15, 2004

Browsing a Pocket PC versus a SmartPhone

I've been using mobile devices for some time now. I like to do heavy customization, to ensure that the device is mine, and not a cookie cutter view of a graphic designer in building 118. I change the backdrop, the ring tones, the start menu, all to make my life easier so the device is more available to me.

How do you browse a device?

Simply dock it to your workstation, and click Explore on ActiveSync, or open My Computer and open Mobile Device.

This is handy to browse the phone and copy files to and from your device. I typically get a picture and size it to the screen size of the device, and use it as my device backdrop.

So what's the key difference?
On the Pocket PC, you can copy files to any location on the device (at least the ones that I've played with), on the SmartPhone, you are limited to your Storage Card or your Storage directory on the phone (IPSM on Smart Phone 02 devices).

This is ok, as the OS will search the entire device for files of the correct format for what you're looking for.

I just wanted to mention it since it caused me some confusion when I was trying to customize my SmartPhone.

Thursday, November 11, 2004

How to spot the Microsoft Guy ...

I thought it would be kind of fun to point out a few things that Microsoft folk seem to do. How would you spot the Microsoft guy in a crowd?

  • The Microsoft t-shirt touts an internal URL.

  • The words "free food" take on a whole new meaning

  • People ask how to fix anything, even though you don't work on it

  • Lots of toys.


Enough said.

Wednesday, November 10, 2004

Smarthosts .... The good, The bad, and The Ugly

Using DNS to route email is a great idea, except perhaps if you're on a dynamic IP Address like myself. Sure it works great for receiving mail, the problem is sending it.

Some domains on the internet consider mail from dynamic IP addresses to be spam, and the message is just rejected. But you're not a spammer (neither is Susan Bradley). What's going on here?

Well, the remote host is doing a reverse lookup on the IP address, which of course, since the SBS server is on a dynamic IP address, won't return the proper domain name. Bam, spam filtered, or so the remote host thinks.

How do you fix this? Smarthost.

Usually ISPs provide an SMTP server, that is, a smarthost restricted to the IP addresses that they give out. Simply run CEICW and choose "forward all email to the specified host" and put the ISP's smarthost into the box.

Now your problem is fixed!

Ok, time for some more information: what is a smarthost exactly? A smarthost is an email host that will accept an email from any email address and forward it to any email address. Sounds like a spam server eh? Yup, that's what it is. ISPs generally use IP restrictions and extensive logging to make sure that you're not spamming from within their network. A report from someone on spam can result in your account being disabled.

So what you don't want to do is turn your SBS server into a smarthost, but what you might want to do is have one SBS server forward mail to another SBS server. How do you do this? On the server you want to be the smarthost, follow these steps:

  1. Open Server Management, expand Advanced Management, {Servername} (Exchange), Servers, {Servername}, Protocols and SMTP.

  2. Right-click Default SMTP Server and choose properties.

  3. On the Access tab, click the Relay... button.

  4. Click on Add, and add the IP Address of the other SBS server which will use this computer as a smarthost.

Important: Be extremely careful which IP addresses you add, and do not add any more than necessary; you wouldn't want your SBS server to be a spam relay server.

One last note: when SBS server 1’s IP changes, you’ll have to re-do this sequence.

Enjoy the limited relay

Tuesday, November 09, 2004

XBOX Live & Routers

So I've had a few issues recently connecting to games via XBOX live. This of course is no fun at all, especially when you want to play instead of troubleshoot networking issues.

Hopefully this post will help out.

My issue was, I was able to connect to XBOX live, and see my friends, and the games they were trying to host, then for some reason, when I attempted to connect to the game I would get "The game is no longer available".

Struggling and surfing the net for a while, I found that opening port 3074 (UDP) and pointing it to your XBOX will fix this issue.

Monday, November 08, 2004

SBS Backup Event Logs

I see all too often posts in the newsgroups and Yahoo groups about SBS Backup failing with Event log ID 5634. This is not a surprise, Event ID 5634 means that backup failed.

Let me take a step back here and tell you how the reporting mechanism works.
A program called bkprunner.exe will launch via Task Scheduler and drop event 5632 into the event log, thus marking the start of the backup process. At this point bkprunner.exe will read a bunch of registry settings to figure out what to do. Using the registry, bkprunner will call NTBackup.exe with the correct parameter set according to the registry settings.

NTBackup performs the actual backup. Bkprunner.exe will simply wait for NTBackup to finish its task.

Hours later, NTBackup happily exits and bkprunner comes alive. At this point, bkprunner will look for any NTBackup errors scattered around the system, if it finds one, it logs Event ID 5634 as an error, if it doesn't find one, it logs 5633 as a successful backup, then reports the result to the admin console passing along the NTBackup log file.

So, what does this mean? "SBS Backup failed with Event ID 5634" does not mean anything other than it failed. The best way to find out WHY your backup failed, is to actually read the NTBackup log file from the Backup snap-in.

Don't forget that there is a ton of information in the Backing up and Restoring whitepaper. Also, if you're stuck, you should check out the Troubleshooting Backup & Restore online.
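The start/result pairing described above can be checked mechanically. The following is an added example, not SBS or bkprunner code: it pairs each 5632 with the 5633 or 5634 that follows and also flags a start that never got a result. The "timestamp,event id" export format and the sample lines are constructed assumptions.

```python
from datetime import datetime

# Event IDs as described in the post.
START, SUCCESS, FAILURE = 5632, 5633, 5634

# Constructed sample: "timestamp,event id" lines as they might be exported
# from the event log. The export format is an assumption for this example.
SAMPLE_EVENTS = """\
2004-11-01T23:00:02,5632
2004-11-02T02:14:40,5633
2004-11-02T23:00:01,5632
2004-11-03T01:58:13,5634
2004-11-03T23:00:03,5632
2004-11-04T23:00:02,5632
2004-11-05T02:20:55,5633
"""


def parse_events(text):
    """Return (timestamp, event id) tuples for the three backup events, sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id = line.strip().split(",")
        event_id = int(event_id)
        if event_id in (START, SUCCESS, FAILURE):
            events.append((datetime.fromisoformat(stamp), event_id))
    return sorted(events)


def classify_runs(events):
    """Pair each start event with the result event that follows it."""
    runs, started = [], None
    for when, event_id in events:
        if event_id == START:
            if started is not None:
                # A new backup started before the previous one reported:
                # NTBackup never exited, or the server went down mid-backup.
                runs.append({"start": started, "end": None, "status": "no-result"})
            started = when
        else:
            status = "ok" if event_id == SUCCESS else "failed"
            if started is None:
                status = "result-without-start"
            runs.append({"start": started, "end": when, "status": status})
            started = None
    if started is not None:
        # Last start has no result yet: still running, or it never finished.
        runs.append({"start": started, "end": None, "status": "no-result"})
    return runs


def needs_attention(runs):
    """Runs where the NTBackup log (or the server itself) should be looked at."""
    return [run for run in runs if run["status"] != "ok"]


if __name__ == "__main__":
    for run in needs_attention(classify_runs(parse_events(SAMPLE_EVENTS))):
        print(run["start"], run["status"])
```

A "failed" run still only says that the backup failed; the reason is in the NTBackup log for that night.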

Friday, November 05, 2004

Don't just use Outlook, Conquer it!

Outlook 2003 does so many tiny things to aid your productivity. I wanted to share with you a few tips that I use to move around Outlook (which is really the application I spend the majority of my time in).

Let's not waste time, let's just jump right into the tips!

  • If someone sends you an email and asks you to set up a meeting, what's the easiest way to do this? Simply drag the mail with the right mouse button onto the "Calendar" button. You'll get a menu, and you can choose to copy the text of the email into a new calendar request. This tip works the same way for tasks and contacts. Play around with it!

  • Quickly jump around Outlook without using the mouse. You can use the CTRL+# keys to jump to sections: CTRL+1 is mail, CTRL+2 is calendar, CTRL+3 is contacts, and so on.

  • Everyone knows that you can use CTRL+N to create a new {whatever section you're in}, but what if you want to create a new contact, do you have to press CTRL+3, CTRL+N? Seems like too many keystrokes. I guess the Outlook team thought so too:

    • CTRL+SHIFT+M - New mail message

    • CTRL+SHIFT+A - New Calendar item

    • CTRL+SHIFT+C - New Contact

    • CTRL+SHIFT+B - Open your Address book

    • CTRL+SHIFT+U - New Task (Also CTRL+SHIFT+K)

    • CTRL+SHIFT+N - New Note

    • CTRL+SHIFT+L - New Outlook Distribution List

    • CTRL+SHIFT+I - Change to the Inbox from anywhere

    • CTRL+SHIFT+O - Change to the Outbox from anywhere

    • CTRL+SHIFT+F - Advanced Find

    • CTRL+SHIFT+X - Open a new Fax

    • INS - Toggle the flag on a mail message

Hopefully this will make you more productive with your primary email tool. I know it's nice for me not to have to move my hand over to the mouse every time I want to see what's coming up on my calendar.

Thursday, November 04, 2004

Give SBS the 'Bling-Bling' Shell

Ever wonder why the SBS server is all gray, and your Windows XP box looks cool, slick and shiny new? The themes service isn't started. Why isn't the themes service started? Because it uses RAM. Servers generally are quiet do-gooders that sit in the corner. They don't have to be pretty, they just have to help each user on the network get their job done.

Well, in my case, I wanted to make sure SBS was as bling-bling as it could be, plus I had the extra ram.

Here is what I did:

  1. Click on Start, Run, and then type in services.msc and hit Enter

  2. Scroll down in the list until you find the Themes service, right-click it and choose Properties

  3. Enable and Start the service

That's all you have to do, now you can right click on the desktop and choose a bling-bling theme. I choose the silver one just to make sure I don't confuse it with my client.

If you've got the RAM, and you want to put a face on your SBS box, choose bling-bling baby!

Wednesday, November 03, 2004

Essential Free Downloads

As you have probably guessed, I spend far too much time on the computer. One thing I'm a big fan of is free downloadable software that makes my life easier. I wanted to list a few pieces of software that I install on every clean install of Windows XP.

  • Open Command Prompt Here - right click on any folder in Windows Explorer and choose to open a command prompt directly at that location

  • Tweak UI - Change tons of registry settings, customizing your system from one all-encompassing UI

  • Image Resizer - Resize images directly from the shell, doesn't keep pictures the highest quality, but perfect for resizing pictures for the web

  • The Google Toolbar - This was more important pre-XPSP2 for the pop-up blocker, but now it's just handy to search from the web. I feel inclined to mention the MSN Toolbar, depending on which search engine you want to use

  • Win Zip - I used the Windows XP shell zip for about a year after Windows XP shipped, it does everything you need. Winzip provides a few cool features around creating folders, and installing zipped applications that are quite good. (mostly free)

I also install Office, Image library software and some other things, but these are the free ones.

Tuesday, November 02, 2004

MSN Messenger Face lift?

Are you an MSN User? I am, and the emoticons, while good, got a little old for me. I decided to upgrade them and get some new icons.

I can't say that they are all "clean" but they are definitely cool icons. Click here to check out the largest MSN icon library that I have found on the Internet.

Happy messaging!

Monday, November 01, 2004

Killing Nasty Spyware!

My last post was on Layers of Spam Protection. Reducing spam makes you a more productive person. But spam isn't the only thing that can get in your way. There is also spyware, which is installed alongside many of the applications you download from the Internet.

That's right, you may think you are just getting a Disney software screensaver, but in reality, you're getting the screensaver, a handy pop-up opener application, a hard drive crawler designed to slow your system to a crawl and a plug-in for Outlook that reads your contact list (this is just a nasty example).

How can you clean your system of such horrible applications?

The hard-way
If it's running, it's doing something. Stop all the services you don't need, stop programs from running in your registry, start menu, win.ini file. Delete unnecessary plug-ins from Outlook, IE, etc., scrape the registry for signs of spyware applications and remove them... Pretty tedious *and* you have to know what you're doing in order to be successful.

Luckily, there are other people on the Internet that hate spyware as much as I do. Microsoft helps point these out with Security at Home: Fight Spyware!

The easy-way
I used to do it the hard way, but there are so many spyware programs that this could take forever, let alone me being able to detect all the different forms of spyware. I leaned on the website above, and found Lavasoft Ad-Aware and Spybot Search & Destroy. I've used both of these applications, and they both do an excellent job for free! I like the name Search & Destroy, so I typically use Spybot as a result of my mindset when I get a pop-up that I wasn't expecting.

But keep in mind, that not all pop-ups come from spyware, some come from the website you're browsing. XP SP2 comes with a free pop-up blocker, and there are other tools out there too like the Google Toolbar or the MSN Toolbar.

Safe Computing!

Friday, October 29, 2004

Layers of Spam protection

If you aren't already running the Exchange Intelligent Message Filter you should get on it. It strips about 10-15 messages from my inbox a day! This message filter isn't rule based, so it doesn't require updates as much as some rule based spam filters.

But like security, it's always good to have layers. Why not have 2 spam filters?

I also use a public RBL site (spamcop.net, there are more but this is the one I chose) to reverse look-up spammers and strip even more spam from my system.

When you do this, keep in mind that the IMF will happen first, then this filter, so your IMF spam folder might contain messages that are on known spam lists, but that's a good thing right?

Here's how to configure it:

  1. In Server Management, expand Advanced Management, First Organization (Exchange) and Global Settings

  2. Right-click Message Delivery and choose Properties

  3. Since we're going to spam filter on connection, change to the Connection Filter tab to add the RBL info

  4. Click Add... to add a new filter

  5. In Display Name, type the name of the filter so you can recognize it (it also appears in a default NDR message shown later in this bullet), like SpamCop. DNS Suffix of Provider is where you do your leg work to find the RBL site's DNS suffix; for example, spamcop.net's suffix is bl.spamcop.net, so I added that. The final field, Custom Error Message to Return, I leave blank, since it will return an email in the form of {Sender IP Address} has been blocked by {Display Name}.... I do not use the Return Status Code

  6. Now that we've created the filter, we need to tell Exchange to use it. Drill down into Servers, {Servername}, Protocols, SMTP and right-click on Default SMTP Virtual Server and select Properties

  7. On the General tab, choose Advanced

  8. Highlight All Unassigned and choose Edit

  9. Check the box Apply Connection Filter, and click OK until you're back to Server Management

That's all there is to it. Exchange will now check each message against spamcop.net and not let it into your inbox if SpamCop knows the sender as a spammer.

Two layers is better than one!

Note: instructions provided by Chris Ard. Also, don't forget to donate to SpamCop if you like their service!
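For readers who want to see what a connection filter lookup against a DNS suffix amounts to, here is a general DNSBL query as an added example; it is not Exchange's code and not from the original post. The function names, the injectable resolver and the constructed zone data (documentation-range IP addresses) are assumptions.

```python
import ipaddress
import socket

# DNSBLs answer with an address in 127.0.0.0/8 when the sender is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(sender_ip, dns_suffix):
    """Reverse the sender's IPv4 octets and append the provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + dns_suffix.strip(".")


def system_resolver(name):
    """Look the name up with the system resolver; None means no such record."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(sender_ip, dns_suffix, resolve=system_resolver):
    """True only when the list answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(sender_ip, dns_suffix))
    if answer is None:
        # No record, or the lookup failed: the sender is treated as not
        # listed, so an unreachable list lets mail through (fails open).
        return False
    # A resolver that rewrites "no such name" into a real address (some ISP
    # resolvers do) must not turn every sender into a listed one.
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def connection_filter(sender_ip, filters, resolve=system_resolver):
    """Return a rejection text in the form quoted in step 5, or None to accept."""
    for display_name, dns_suffix in filters:
        if is_listed(sender_ip, dns_suffix, resolve):
            return f"{sender_ip} has been blocked by {display_name}"
    return None


# The filter from the post: display name and DNS suffix.
FILTERS = [("SpamCop", "bl.spamcop.net")]

# Constructed zone data so the example runs offline; 203.0.113.10 is a
# documentation address, not a real listing.
FAKE_ZONE = {"10.113.0.203.bl.spamcop.net": "127.0.0.2"}


def fake_resolver(name):
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.25"):
        print(ip, "->", connection_filter(ip, FILTERS, fake_resolver))
```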

Thursday, October 28, 2004

Outlook Mobile Access acting up?

Outlook Mobile Access is pretty cool, you have to admit. Checking your email, calendar or contacts on your phone over the air? that's awesome. I'd have to say my favourite part is not having to re-enter all your contacts on the phone, followed closely by being able to know what your calendar is. Of course E-mail is fun, but I'm not sure I'm *that* important. :)

However, Outlook Mobile Access (OMA) doesn't have a lot of the same functionality as Outlook Web Access (OWA) around mailbox creation & mailbox lookup. Here are some tricks that I've picked up along the way.

  • If you add additional e-mail addresses to users and additional domains, OMA can get confused as to how to find your mailbox. Force OMA to look up which mailbox to check by making it always check the .local domain email address. Under HKLM\System\CurrentControlSet\Services\MasSync\Parameters\, create a string value called SMTPProxy and set it to your internal domain, internaldomain.local. This will help the mailbox lookup process

  • Another trick is to ensure that you're checking the correct domain in the virtual directory:

    • Open Server Management, expand Advanced Management, Internet Information Services, {servername}, Web sites, and Default Website

    • Right-click on exchange-oma and choose Properties

    • On the Virtual Directory tab, in the Local Path it should read a string like \\.\BackOfficeStorage\{Internaldomain}.local\MBX. Delete the internal domain and put in the external domain.

    • Open a command prompt and do an iisreset

  • Changing your server IP Address. Tisk tisk if you just jump into the local network card properties and change the IP address. Use the Change IP Tool!!! Using this tool changes more than just your IP address to keep your internal network functioning. One of the things it does is change the IP restrictions on the \exchange-oma directory

Those are my tricks if you can't get it working. Of course they are workarounds to things you might have changed from the out of the box scenario, but hey, it's all about customization right?

Wednesday, October 27, 2004

IMAP(ing) your way to multiple inboxes

I have SBS 2003 running at my house, the curious thing is I have Exchange running at my house too. As you probably know, you cannot have two Exchange servers configured in a single Outlook profile. Sure you can have multiple profiles, but who wants to shut Outlook down to check if you have email at home? I didn't.

I just turned on the IMAP folders on SBS and added an IMAP server to my Exchange profile, now I can check both email accounts without having to close and re-open Outlook.

Here's how I configured the IMAP server:

  1. In the services.msc snap-in, I just started the Microsoft Exchange IMAP4 service by setting it to Automatic and then starting it

  2. Open port 143 (TCP only) and ensure it's pointed at the server (if you're using a router box)

That's all there is to it.

Now from your Outlook client or Mobile device client, you can set-up a new email server and check the email from both the Exchange server, and the IMAP server (other Exchange server).

One more point: in Outlook, if you're trying to delete messages and they are only getting stroked out, be sure to check out Edit, Purge Deleted Messages to actually remove these from the server. They will be permanently deleted though.

Also, all sent email via the IMAP server (change this by choosing the Accounts button on the new mail message window) will end up in the Exchange Server's sent items, instead of the remote IMAP server's sent items.

Tuesday, October 26, 2004

Hosting Multiple Domains on SBS 2003 (Part 4)

This tip doesn't exactly pertain to hosting multiple domains, but it could if you want to get creative.

Customizing the text on Remote Web Workplace
If you're like me, and you don't want the Remote Web Workplace to say one domain and not the other, you want to change things up a bit. Also, if you followed the steps in Part 3 around UPN enabling, Remote Web Workplace still asks you for your user name instead of an email address.

You can change this text, pretty easily in fact! In c:\inetpub\remote are all the files the Remote Web Workplace uses for the website. This includes the text file web.config. This is probably one of the most important files for the functionality of Remote Web Workplace, so make sure you back this up before you start editing it.

However, if you open it up in a text editor, like Notepad, you'll be able to see that in the {appSettings} section there is a list of all the strings. If you know a little bit about coding, you can go in and change strings in the 'value=' section. Just be careful with special characters, especially quotes, as they might muck up the whole file (which is where the backup comes in handy). If you want to use quotes, be sure to use the HTML version of these, like "&__" for the special character you're looking for.

If you want to change the string "Username" to "E-mail address" scroll down the list until you find the L_LOGON_USER_NAME and change the string between the quotes for value= to "E-mail address".

You will have to do an iisreset.exe at the command prompt to make the changes take effect, and all of your users will be logged out of Remote Web Workplace each time you make an edit to this file.
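The backup-then-edit routine above can be scripted so that the backup and the escaping of quotes are never skipped. This is an added example, not part of the original post or of SBS; the sample file is constructed, only the L_LOGON_USER_NAME key comes from the post, and the layout of the add entries (key before value, double quotes) is an assumption.

```python
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample. Only L_LOGON_USER_NAME comes from the post; the second
# key is a made-up placeholder.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- strings shown on the logon page -->
  <appSettings>
    <add key="L_LOGON_USER_NAME" value="Username" />
    <add key="L_EXAMPLE_PLACEHOLDER" value="unchanged" />
  </appSettings>
</configuration>
"""


def app_settings(xml_text):
    """Parse the text (raises if it is not well-formed) and return key -> value."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {node.get("key"): node.get("value")
            for node in root.findall("./appSettings/add")}


def replace_value(xml_text, key, new_value):
    """Swap one value= string, leaving every other byte of the file alone."""
    # Assumption: entries are written key-then-value with double quotes.
    pattern = re.compile(r'(<add\s+key="%s"\s+value=)"[^"]*"' % re.escape(key))
    # escape() handles &, < and >; quotes are added as an extra entity.
    quoted = '"' + escape(new_value, {'"': "&quot;"}) + '"'
    new_text, count = pattern.subn(lambda m: m.group(1) + quoted, xml_text)
    if count != 1:
        raise KeyError(f"expected exactly one {key!r} entry, found {count}")
    # Refuse to hand back a file that no longer parses or reads back wrong.
    if app_settings(new_text)[key] != new_value:
        raise ValueError("edited file does not round-trip")
    return new_text


def edit_config(path, key, new_value):
    """Back up the file first, then write the edited text. Returns backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, encoding="utf-8") as handle:
        original = handle.read()
    updated = replace_value(original, key, new_value)   # raises before any write
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(updated)
    return backup


def demo():
    """Run the edit on a temporary copy of the constructed sample."""
    path = os.path.join(tempfile.mkdtemp(), "web.config")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(SAMPLE_WEB_CONFIG)
    backup = edit_config(path, "L_LOGON_USER_NAME", 'Your "E-mail address"')
    with open(path, encoding="utf-8") as handle:
        edited = handle.read()
    with open(backup, encoding="utf-8") as handle:
        saved = handle.read()
    return edited, saved


if __name__ == "__main__":
    edited, _ = demo()
    print(edited)
```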

But hey, it's fun to play with. If you're feeling risky, you can even go in and edit the ASPX code to say ..... add your own logo?

Monday, October 25, 2004

Connecting to the Internet, chat with the Pros!

Sure, I run SBS, I worked on SBS 2003, but do I know everything? Heck no! There are plenty of problems that you could run into that I haven't yet. How do you solve these? Tune into a live chat tomorrow (October 26) to ask questions to the SBS Product team (yes, I'll be there).

Here's how:
Small Business Server 2003 Configure E-mail and Internet Connection Wizard [October 26, 2004, 2:00-3:00 PM PDT]
Join Microsoft experts to discuss how the SBS 2003 Configure E-mail and Internet Connection Wizard (CEICW) can help you configure your network.

Click Here to see about upcoming Chats. Want to skip straight to the chat because you trust me? Then Join the Chat

P.S. Part 4 of hosting multiple domains will be available tomorrow.

Hosting Multiple Domains on SBS 2003 (Part 3)

Now that you are hosting multiple domains (by following Part 1 & Part 2), your users are all confused about how to log in, what their email address is and where to go. How do you separate these things?

Well, you use UPN Suffixes.

UPN stands for User Principal Name, which is essentially a fancy computer-lingo'd way of saying: use your e-mail address to log in.

When you enable this, users will be able to go to the Remote Web Workplace and log in using their email address, instead of just their username. Might make it easier to give some users their email address instead of explaining the username versus email address idea.

How to set it up:

  1. Click on Start, Administrative Tools, Active Directory Domains and Trusts

  2. In the console that loads, right click on the root node called Active Directory Domains and Trusts and choose Properties

  3. Add your domain suffixes in the format domain.com

Now your AD knows that it is the root domain controller responsible for these domains.

Close out this console and go back into Server Management. In the Users snap-in, we need to tell the AD what the primary suffix is for each user:

  1. Right-click a user and choose Properties

  2. On the Account tab, change the drop down box for the User logon name to be the suffix you want this user to have. Note that it will add the '@' sign for you; if you see 2 '@' signs, you've done the first step wrong

  3. Choose OK for that user

You'll have to repeat this for all the users in your AD, but when you are finished, you can give your users an email address and a password, they won't need that funky "username".

It made life less confusing for my grandfather, that's for sure. :o)

One last thing. Since SBS shares the AD with all domains, you cannot have two aliases the same, so you should use combination usernames of first and last name, instead of just "dave" or "sean". Otherwise the user on domain1 might have the "cool" user name, while the user on domain2 does not.

Read on to Part 4.

Friday, October 22, 2004

Hosting Multiple Domains on SBS 2003 (Part 2)

In Part 1 of this discussion I talked about how to add additional e-mail domains to your SBS 2003 Server. In this post I want to focus on adding websites. I am not planning on covering any security concerns in this post, as the security of your SBS box depends on how the webpage is developed.

Adding more websites to your SBS Box
IIS is really quite a cool application that makes it very easy to add additional websites to your SBS box without much effort. Here's how:

  1. Open Server Management, expand Advanced Management, Internet Information Services, {ServerName}, and Web Sites

  2. Right click on Web Sites, and choose New, Web Site

  3. Click Next on the Welcome to the Web Site Creation Wizard

  4. Type in a description to help you easily identify the website and click Next

  5. Leave the IP address as All Unassigned and the port as 80. But put in a host header, this is what will tell IIS to answer web requests using this virtual server. You should put in the domain name you would browse to such as: www.mydomain.com, if you spell this wrong, IIS will not serve up the webpage to the requesting browser

  6. Choose the location for the actual files (it's best if you can keep this away from the system drive, for security reasons), and choose if you want anonymous access or not, depending on what type of website you are trying to create

  7. Finally, choose the permissions for the website. Since you're running on your Domain Controller, and Exchange, I suggest leaving the default, read and run scripts

  8. Finish the wizard

You will see your newly created website appear in the list with the description you gave it. Now just start plugging web files into the directory that you chose and you're hosting multiple websites on your SBS box.

Too easy? Why did you read the entire post then? ;o)

Troubleshooting Tips
I thought I'd toss a few troubleshooting tips in here, since I ran into these:

  • If the webpage shows up as your default web site, your host header doesn't match what the browser is asking for, and the default web site will answer all un-answered calls

  • Get a page not found? your default start document is probably not one of the ones IIS will choose, try using default.htm or default.asp. You can change the default document in the properties of the website too

  • If you want SSL encryption, you're going to have issues with the SBS self-signed cert. Change your website to a new port that's not in use and ensure the port is open on your firewall (SSL bypasses host headers since the data is encrypted as it passes into IIS). But your users will always get a pop-up since the certificate on your SBS box is programmed to be linked to the primary domain via CEICW, and will always pop-up when the domain is different


Read on to Part 3.

Thursday, October 21, 2004

Hosting Multiple Domains on SBS 2003 (Part 1)

If you're like me, you own a couple of domains and you want to have SBS answer for each domain. How do you do this?

In the next few posts, I'll outline exactly what you need to do to have SBS answer for multiple domains on the Internet.

Let's start with E-mail
For E-mail, the first thing you need to do is make sure your Internet domain's MX records are pointing to your SBS server's IP address. Feel free to use a backup MX record, or even dynamic DNS (I do!), depending on your own situation.

For the first email domain, follow the normal SBS wizards (Primarily CEICW) to configure your first and primary domain that you will want to use. Congratulations, your first domain is configured! :)

Adding additional domains to Exchange
To do this, we're going to edit the default recipient policy:

  1. From Server Management, expand Advanced Management, First Organization, Recipients and select Recipient Policies

  2. Right-click on the Default Policy and choose Properties

  3. On the E-Mail Address (Policy) tab, click the New button

  4. Select SMTP Address from the list and click OK

  5. Type in the name of the domain in the format @domain.com and choose OK. Leave the check box checked

  6. Check the box next to your new domain in the Default Domain Properties window, and click OK

Now that you've added this into the policy, Exchange will become aware of this domain and start responding to mail from it. This change will take effect the next time Exchange updates its policies, let's not wait that long.

  1. Select the Recipient Update Service from the console

  2. Right-click on both policies on the right and choose Update Now

This forces Exchange to update the policies now, so you don't have to wait.

You will now notice that all of your users have 3 email addresses:

  • user@domain.local - added by SBS for your internal domain. It's suggested you keep this email address for this user as it is used by some SBS tools

  • user@domain1.com - this is the first domain you added using CEICW

  • user@domain2.com - this is the second domain you just added

That's as far as I went, since I wanted all my users to receive email from both domains, but what if you don't want this?

Micro-manage!

To micromanage which users have which email addresses simply:

  1. Change to the Users' snap-in and right-click on a user

  2. On the E-mail Addresses snap-in, uncheck the box at the bottom that says Automatically update e-mail addresses based on recipient policy

  3. Remove any email address you don't want the user to receive email at and add any additional email addresses in your configured domains. Don't forget to keep the domain.local e-mail address!

  4. Set the primary one to be the email address the user will send email as

There you have it, if your domain MX records are configured correctly, the SBS box will receive e-mail for both domains!

You can add any number of domains using this process. Moreover, you can add any number of email addresses to a specific user within a given domain using micromanage tactics.

Read on to Part 2.

Wednesday, October 20, 2004

More Registry Fun with SBS Backup

An MVP asked me the other day; "how do I make backup appear like it's not been run?". It occurred to me to post a little note on the registry key:

HKLM\Software\Microsoft\SmallBusinessServer\Backup

I'm not going to tell you what all the settings do, as I think the names are pretty intuitive, but this is the location in the hive that the Backup Configuration Wizard uses to store all its settings. If you remember my SBS Backup Hack on how to swap between tape and disk for the backup target, all I did was manipulate the registry.

How do you make Backup look like it was never run? Just delete the entire Backup registry key, and the wizard will run like it's brand new.

Of course you'll also have to navigate to %sbsprogramdir%\Backup in the shell and delete the Backup Results.xml and Small Business Backup Script.bks to give it a completely fresh start.

Tuesday, October 19, 2004

Super secret hidden disabled items

So I'm running Lookout on my laptop, and I can't get it to appear in the tool bar. Works like a champ on all my other machines. In resolving this one, you know what I find? A new place in Outlook (very uncommon for me to find a new place in Outlook) that disables "items".

Once an item gets into this list, Outlook owns you, the item will never appear, no matter how many re-installs of the app you do.

Check your list:

  • In Outlook go to Help, About Microsoft Office Outlook

  • Click on the button Disabled items at the very bottom of the page

  • Is that plug-in you can't get loaded in the list? Remove it from the list

Now we're back in business, and in my case, full text search.

Monday, October 18, 2004

Make it So ... (much faster!)

Outlook usually connects faster if you're on the local LAN, but sometimes that's not possible. Ever. You are stuck out in Outlook via the Internet land (RPC over HTTP). How do you make this connect faster? Tell Outlook to connect via RPC over HTTP even on fast networks!

  • In Outlook, go to Tools, Email Accounts...

  • Select View or Change Existing Email Accounts and choose Next

  • Select the Exchange Profile and choose Change

  • Choose More Settings

  • On the Connection tab, choose the Exchange Proxy Settings button at the bottom

  • Finally, check the box that says On fast networks, connect using HTTP first, then connect using TCP/IP

There you have it! Outlook will try RPC over HTTP first, so if you're outside of the network more often than inside, you can have a faster experience.

Friday, October 15, 2004

Looking for Something?

Search; I've never really paid that much attention to it in the past, but I'm starting to realize how important it is. When you think of search you probably think Google but I'm not talking about searching the Web. I want to search my local LAN!

I've calculated that I have roughly 30 GB of data stored on my LAN that I want to search through; that's a lot of time waiting on that Windows XP little dog to dig and wag its darn tail, and Outlook isn't much better!

I needed something faster, something Google fast.

Naturally, I checked out the beta of Google's Desktop Search. As expected, Google fast, but here's what I don't like about it (although it is in beta):

  • You have to open IE to search your hard drive (why can't you just search from the task bar?)

  • It only searches your local machine, not the entire LAN, this is big for me, since I have a server to search!

  • Finally, the privacy statement about what they search on your hard drive is a little skimpy, what do they actually consider private?

I still haven't found the exact tool I'm looking for (I feel like a Jedi: "This isn't the tool you're looking for"), but there is something close! A plug-in for Outlook called Lookout.

This plug in requires Outlook 2000 or later, which is the bad part (wish it just sat in the task bar). The other bad part is it doesn't search the web. The good news is, you get lightning fast searches of email, local documents, shared documents (UNC), SharePoint and public folders! Moreover, it keeps all the documents, emails, contacts, etc intact so you can still use them in their respective form. Double click on the item and it'll open in Word, or Excel, or Outlook, just like you're used to.

Other than having to open Outlook & the lack of searching the web; Lookout Rocks.

Please be sure to read the comments of this post. Apparently I didn't learn all the features of the Google Desktop before expressing my opinion. Moreover, I have modified this post to correct any misconceptions. Thank you to my readers for clearing up the confusion.

Recovering that we shall not speak of

So you just hosed your SharePoint site, your boss is breathing down your neck because his kids pictures he shared with everyone are now gone.

Don't panic, SBS' got your back.

That's right, by simply completing setup (As Mir puts it) and following the To-Do list, you've got a great backup of your SharePoint site in your SBS backup and you don't even know it. No, I'm not talking about having to run that funky stsadm.exe command every night (because even though I gave you the steps, I forgot to do it .. whoops!).

So how can you recover SharePoint from just a bunch of WMSDE database files? Give these steps a try:

  1. Un-install the SharePoint WMSDE instance

  2. Un-install SharePoint

  3. Install the Intranet component again using Add/Remove for SBS (Also known as maintenance mode)

  4. Un-extend the virtual server using the stsadm.exe command:
    stsadm -o unextendvs -url http://companyweb

  5. Detach the databases from the clean install:
    osql -E -S {server}\SharePoint
    this will connect you to the osql console, then run these commands:

    • sp_detach_db 'STS_Config'

    • sp_detach_db 'STS_ServerName_1'

  6. Attach the old database files (which will require you to restore them first)

    • sp_attach_db 'STS_Config', '{path to original dbs}\STS_Config.mdf', '{path to original dbs}\STS_Config_log.ldf'

    • sp_attach_db 'STS_ServerName_1', '{path to original dbs}\STS_ServerName_1.mdf', '{path to original dbs}\STS_ServerName_1_log.ldf'

  7. Almost there, now just Extend the virtual server using the command: stsadm -o extendvsinwebfarm -url http://companyweb -vsname companyweb

That's all there is to it, you should be able to browse to http://companyweb and impress your boss with your mad DOS typing skills.

I've had trouble getting this to work when using a funky downloaded web-part. If this is your case, you can still browse into the Companyweb via WebDAV and extract all the files, that's at least something!

Of course the easiest way to back up and restore your SharePoint site is to schedule a task to run this command:
"%SystemDrive%\Program files\Common files\Microsoft shared\Web server extensions\60\Bin\Stsadm.exe" -o backup -url http://Companyweb -filename {target_path} -overwrite
Then you can simply follow the steps in the Backing Up and Restoring Small Business Server white paper, starting on page 16.

Thursday, October 14, 2004

All Work and No Play, Doesn't Get your Door Swapped for a Prison Door

You heard me correctly. I spent much of my time at work building a product known as Small Business Server 2003. But sometimes, an opportunity just presents itself to deviate from the norm ... Like when your manager leaves for his honeymoon, that's an opportunity!

Seizing opportunities is probably the single most important thing you can do in life. So, consider opportunity seized.

Welcome to married life ... Boss


PS. I can neither confirm, nor deny I had anything to do with this
PPS. MVPs, what number is that? I think you printed it on a shirt?

What's up with Self-Signed certificates? Why do we need 'em?

Security is important. We all know this, but how can we get the best security and keep our wallets fat?

SBS 2003 provides the ability to create and self-sign its own certificate.
Why is this good?
If you try to purchase a signed certificate from Verisign today, you're looking at over $600 for a .cer file!!!! That's crazy, just to get 128-bit encryption. SBS gives you similar security included in the price of the server.
Why is this bad?

  • Any user browsing to your SSL website will get a security pop-up complaining the site is not trusted by a trusted authority

  • Some SmartPhone 2002 devices will never synchronize against the server

So how do Certificates work?
Windows (and mobile devices) ship with major root certificates built into the root certificate store. Curious as to which ones there are? Check 'em out:

  • Start, Run, mmc.exe

  • File, Add/remove snap-in...

  • Click the Add button on the Standalone tab

  • Choose the certificates for the computer account

  • Choose the local computer & OK out of the boxes

  • Back in the MMC snap-in, expand the Trusted Root Certificate Authorities and then click on Certificates

On the right hand side, you can see all the certificates that your PC currently trusts.

When you purchase a certificate from one of these companies, once they have verified you are who you say you are (and you're not a spy), they issue you a certificate. Placing this certificate on your website, will have browsers check:

  • The certificate is still valid and hasn't expired

  • The certificate name matches the website you are trying to visit

  • The root certificate from the website matches a root certificate already in the local store

If one of these items fails, the user will get a pop-up and be asked if they want to continue. Continuing will still use the certificate for 128-bit encryption.
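The three checks above, as an added example that is not part of the original post: it runs them over decoded certificates in the dictionary shape Python's `ssl.getpeercert()` returns, and also shows the Part 2 tip that a second domain served with the SBS certificate always draws the pop-up. The certificates, the root name and the dates are constructed samples, and looking the issuer up by name is a simplification of the real chain check, which verifies signatures.

```python
import ssl

# Constructed stand-in for the Trusted Root Certification Authorities store.
TRUSTED_ROOTS = {"Example Trusted Root CA"}


def flatten(name):
    """Turn getpeercert()'s nested name tuples into a plain dict."""
    return {key: value for rdn in name for (key, value) in rdn}


def host_matches(pattern, host):
    """Compare a certificate name to the host; '*.' covers one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_certificate(cert, host, now):
    """Return the list of checks that fail; an empty list means no pop-up."""
    problems = []

    # 1. The certificate is still valid and hasn't expired.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("expired or not yet valid")

    # 2. The certificate name matches the website being visited.
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        common_name = flatten(cert["subject"]).get("commonName")
        names = [common_name] if common_name else []
    if not any(host_matches(n, host) for n in names):
        problems.append("name mismatch")

    # 3. The root is already in the local store (simplified to a name lookup).
    if flatten(cert["issuer"]).get("commonName") not in TRUSTED_ROOTS:
        problems.append("untrusted root")
    return problems


def make_cert(subject_cn, issuer_cn):
    """Build a constructed sample certificate dictionary."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notBefore": "Oct 14 00:00:00 2004 GMT",
        "notAfter": "Oct 14 00:00:00 2009 GMT",
    }


# A self-signed certificate names itself as issuer.
SELF_SIGNED = make_cert("mail.domain1.com", "mail.domain1.com")
PURCHASED = make_cert("mail.domain1.com", "Example Trusted Root CA")
NOW = ssl.cert_time_to_seconds("Dec 23 12:00:00 2004 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Dec 23 12:00:00 2010 GMT")

if __name__ == "__main__":
    cases = [
        ("purchased, primary domain", PURCHASED, "mail.domain1.com"),
        ("self-signed, primary domain", SELF_SIGNED, "mail.domain1.com"),
        ("self-signed, second domain", SELF_SIGNED, "www.domain2.com"),
    ]
    for label, cert, host in cases:
        print(label, "->", check_certificate(cert, host, NOW) or "no pop-up")
```
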

What's this problem with SmartPhones?
I get asked this question a lot, so I wanted to clarify this. SmartPhone 2002 OS does not understand the type of certificate SBS creates, and the certificate cannot be added to the phone. Pocket PC Phone Edition can be configured to work using KB 322956. On the SmartPhone, you have to disable the certificate verification. This will still use SSL for the connection, but will just not verify the 3 items mentioned above before performing the sync.

I still say the benefits of the 2003 devices, over the certificate issues, are worth the upgrade. Verizon and AT&T both can upgrade the Samsung and M200 devices to 2003, so have it done!

And now you know how certificates work.

Wednesday, October 13, 2004

Argh! Outlook won't save my password when it connects via the Internet!

If you're like me, you wonder why that Outlook 2003 Authentication box doesn't remember your password when using Outlook via the Internet (also known as RPC over HTTP).

I was frustrated by this, so I wanted to find out why. Turns out it was pretty simple reasoning.

If you follow the instructions on the Remote Web Workplace for your Small Business Server 2003 box, you'll probably be setting the Proxy Authentication Settings to Basic Authentication. Basic Authentication will send the password in clear text over the internet. Don't fret! You're still SSL encrypted, so it's not really clear text! Basic Authentication is not remembered by the system (since it would also store the password in clear text). Storing it that way could give hackers or Spyware that runs on your system a chance to get this password and send it out to another source.

The other option in this drop down is NTLM Authentication. This type of password is encrypted, and hence can be stored by the system. The problem is, NTLM authentication isn't good at passing through firewalls, and there are a lot of firewalls on the Internet (chances are if you're running XP SP2, and your server is SBS, you're going through at least 2 firewalls, possibly 3 or even 4!).
So while Basic can work through any number of firewalls that it may encounter, it cannot store the password on the system (for security reasons). NTLM has the exact opposite problem. In many cases, NTLM won't even connect, so it doesn't matter that it can save your credentials.

So that's why you can't save your password in the Outlook 2003 RPC/HTTP dialog box.
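The difference between the two settings, as an added example that is not part of the original post: it builds the `Authorization` header each scheme sends to the Rpc virtual directory and reports whether the password is readable by someone watching the wire, with and without SSL. The requests, host name, user name and password are constructed samples, and the NTLM message is a minimal type 1 (negotiate) message built by hand.

```python
import base64
import struct


def basic_header(user, password):
    """Authorization value a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def ntlm_negotiate_header():
    """Authorization value carrying a minimal NTLM type 1 (negotiate) message."""
    flags = 0x00000207  # unicode | OEM | request target | NTLM
    message = b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(message).decode("ascii")


def rpc_proxy_request(auth_value):
    """Constructed request to the Rpc virtual directory (placeholder host)."""
    return ("RPC_IN_DATA /rpc/rpcproxy.dll HTTP/1.1\r\n"
            "Host: mail.domain1.com\r\n"
            f"Authorization: {auth_value}\r\n"
            "\r\n")


def audit_request(raw, over_ssl):
    """Report what the Authorization header hands to an observer on the wire."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    scheme, _, blob = headers.get("authorization", "").partition(" ")
    result = {"scheme": scheme.lower() or None, "carries_password": False,
              "password_readable_on_wire": False, "detail": ""}

    if result["scheme"] == "basic":
        # Base64 is an encoding, not encryption: decoding gives user:password.
        user, _, password = base64.b64decode(blob).decode().partition(":")
        result["carries_password"] = True
        result["detail"] = f"user={user}, password length={len(password)}"
    elif result["scheme"] == "ntlm":
        message = base64.b64decode(blob)
        if len(message) < 12 or message[:8] != b"NTLMSSP\x00":
            raise ValueError("not an NTLM message")
        (message_type,) = struct.unpack_from("<I", message, 8)
        # NTLM is challenge/response: no message contains the password itself.
        result["detail"] = f"NTLM message type {message_type}"

    # Inside SSL the whole request, headers included, is encrypted in transit.
    result["password_readable_on_wire"] = (
        result["carries_password"] and not over_ssl)
    return result


if __name__ == "__main__":
    basic = rpc_proxy_request(basic_header("grandpa", "Constructed-Pass1"))
    ntlm = rpc_proxy_request(ntlm_negotiate_header())
    for label, request, ssl_on in [("Basic, no SSL", basic, False),
                                   ("Basic over SSL", basic, True),
                                   ("NTLM, no SSL", ntlm, False)]:
        print(label, "->", audit_request(request, ssl_on))
```
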

Tuesday, October 12, 2004

Do you want to be a Keyboard Kowboy?

I remember back in University, my friends and I used to race to see who could do things faster on a computer. I usually lost, and it wasn't because I wasn't movin' that mouse, it was because I didn't know all the short cut keys. Since then I've stayed more on the keyboard than the mouse.

Windows provides a lot of shortcuts to help you be productive, you just gotta know them. Learn your tools, they will make you productive. :)

Here's some shortcuts for you to know as an IT person

  • Win+L - Lock workstation

  • Win+E - Open Explorer

  • Win+R - Open the Run dialog

  • Win+F - Search (although I can't say I use this one much)

  • Win+B - focus on the system tray (although I can't see what's going on, but if you start pressing enter and use the arrow keys, you'll launch things from the system tray, seems like this is a good idea, but needs some improvement)

  • Win+D - Toggle minimize all, and restore all windows (I suppose it's "D" for desktop)

  • Win+M - Minimize all windows

  • Win+Shift+M - restore all windows

  • Win+U - Utility manager (pretty cool, the PC starts speaking to you!)

  • CTRL+SHIFT+ESC - Launch the task manager

  • CTRL+ESC - Open the Start Menu (you can also just press "Win", but some old keyboards don't have this shortcut)

  • Win+Break - System properties Window

  • ALT+Enter - Display the properties (commonly used in Windows Explorer)

  • ALT+Space - Window Menu (follow the keystroke by an "n" to minimize the single window)

I'm sure there are more system ones, but I wanted to share some IE ones also:

  • Backspace - Back button

  • CTRL+mousewheel - Change the font size (this only works if the font size is not specified on the page using a "pt" font size)

  • F6 - Jump to the Address Bar (Also can use ALT+D)

  • Home - Top of the page

  • End - Bottom of the page


That's all for now. Did I miss some? Drop them in the comments and let's all become keyboard kowboys together!

Monday, October 11, 2004

RFC: What do you want to see here?

Well, by now I've probably amassed 1 or 2 RSS'rs to my Blog (If I'm lucky). I'm not fresh out of posts yet, but I'm taking a poll. What do you want to see here? Write me a comment and let me target my posts to you! I'm trying to stick to the genre of SBS, Windows and other productivity applications. Now is the time for you to ask your questions; if I can get to it, I can do the research and post the answer here.

And before it starts; I don't know anything about Longhorn ;o) . Isn't it a bar at the base of Whistler?