Thursday, December 23, 2004

RPC over HTTP won't work

So, for the past 3 months my grandfather (my only other user on my home SBS system) has been complaining that he can't get his email via RPC over HTTP (Outlook via the Internet). I tried running him through some steps over the phone; the steps all looked right. I had to push him to OWA.

Well, I just figured out what the problem was, and I'm not sure how I got into this state, but the server was forcing the wrong authentication type: ".NET Passport Authentication". GRRRR

So, I simply changed it back to Basic and he started working again! Here's How:

  1. Open Server Management and expand Advanced Management, Internet Information Services, {ServerName}, Web Sites, Default Website

  2. Now right click on the Rpc virtual directory and choose Properties.

  3. On the Directory Security tab, click Edit under Authentication and access control.

  4. Ensure that .NET Passport Authentication is unchecked, so that Basic authentication can be checked!

But don't worry! Your password isn't really sent in clear text: Basic authentication only encodes it, but the 128-bit SSL encrypted channel it travels through is what actually protects it.

Making this change on the back-end enabled my grandfather to reconnect and download his e-mail.
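To check the Rpc directory's settings without clicking through the tabs, here is an added Python example (not from the original post) that decodes the AuthFlags and AccessSSLFlags metabase bitmasks behind the Directory Security tab and reports the states that break RPC over HTTP or expose the Basic password. The dump it parses is a constructed sample in the style of adsutil.vbs GET output; the bit values are the IIS 6 constants.

```python
import re

# Bit values of the IIS 6 metabase properties behind the Directory Security tab.
AUTH_FLAGS = {
    1: "AuthAnonymous",
    2: "AuthBasic",
    4: "AuthNTLM",       # Integrated Windows authentication
    16: "AuthMD5",       # Digest authentication
    64: "AuthPassport",  # .NET Passport authentication
}
SSL_FLAGS = {
    8: "AccessSSL",               # Require secure channel (SSL)
    32: "AccessSSLNegotiateCert",
    64: "AccessSSLRequireCert",
    128: "AccessSSLMapCert",
    256: "AccessSSL128",          # Require 128-bit encryption
}

# Constructed sample in the style of "adsutil.vbs GET W3SVC/1/ROOT/Rpc/<prop>"
# output, showing the broken state from the post: Passport only, SSL required.
SAMPLE_DUMP = """\
AuthFlags                       : (INTEGER) 64
AccessSSLFlags                  : (INTEGER) 264
"""

ADSUTIL_LINE = re.compile(r"^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*?)\s*$")


def parse_adsutil(text):
    """Turn adsutil-style 'Name : (TYPE) value' lines into a dict; INTEGER
    values become ints, everything else stays a string."""
    props = {}
    for line in text.splitlines():
        m = ADSUTIL_LINE.match(line)
        if m:
            name, kind, value = m.groups()
            props[name] = int(value) if kind == "INTEGER" else value
    return props


def decode_flags(mask, table):
    """Expand a metabase bitmask into the names of the bits that are set."""
    return sorted(name for bit, name in table.items() if mask & bit)


def check_rpc_vdir(auth_flags, access_ssl_flags):
    """Return findings for an /Rpc virtual directory; an empty list means the
    directory is set up the way RPC over HTTP needs it."""
    auth = set(decode_flags(auth_flags, AUTH_FLAGS))
    ssl = set(decode_flags(access_ssl_flags, SSL_FLAGS))
    findings = []
    if "AuthPassport" in auth:
        findings.append("Passport authentication is enabled; this is the state "
                        "that stops Outlook's RPC over HTTP logon")
    if not auth & {"AuthBasic", "AuthNTLM"}:
        findings.append("neither Basic nor Integrated authentication is enabled")
    if "AuthBasic" in auth and not {"AccessSSL", "AccessSSL128"} <= ssl:
        findings.append("Basic authentication is allowed without requiring 128-bit "
                        "SSL, so the base64-encoded password would cross the wire "
                        "unprotected")
    return findings


def check_dump(text):
    """Parse a dump of the two properties and run the checks on it."""
    props = parse_adsutil(text)
    return check_rpc_vdir(props["AuthFlags"], props["AccessSSLFlags"])


if __name__ == "__main__":
    for finding in check_dump(SAMPLE_DUMP) or ["Rpc directory looks fine"]:
        print(finding)
```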

Saturday, December 18, 2004

BillyG gave me some time with the family :o)

Well, it's that time of year. Bill has given me some time off to go back to the great white north and visit family. As a result, I will be out catching the rays ... from the banks of snow, and probably not consistently posting blogs again until the new year. As always, if you're reading the blog, feel free to drop comments on the types of things you'd like to see here, and I'll see if I can't help out by figuring it out and posting it here.

Happy Holidays and Happy New Year. May your SBS server run smooth over the holidays. I certainly hope mine does. :)

Friday, December 17, 2004

New subnet? Use Change IP!

There's a reason for the SBS wizards: primarily to ensure the right things happen. If you take a second to step out of the Small Business world and look at the larger corporations and how they operate, you realize: hey, they have a server (or two or one hundred) just dedicated to running Exchange, they have a server dedicated to being a domain controller, they have another one for SharePoint, and yet another one for ISA.

And it doesn't end there, they have specialists that monitor and tweak these boxes. I would bet some of these specialists know the product better than some developers who worked on the product!

Do you know the product this well?

The wizards are really your in-depth knowledge and security, ensuring the right things happen each time you want to make a change. I know that when any of those large-business admins try to run SBS, they find it too complicated, because trying to do all the steps manually is far too cumbersome! Take the Change IP tool, for example. Changing the IP address of a member server with a single task is easy: simply open up the network card properties and change it. But change it on SBS? You have Exchange issues, mobility issues, SharePoint issues, AD issues. Using the SBS wizards and tools will ensure the right things happen, every time. And to top it off, some changes don't even have a UI, like service binding to the appropriate NIC!

So don't feel like you're not a real admin if you use a wizard. Use the wizard, save yourself some time, and use that time to provide more value to your end users, instead of figuring out why your clients cannot connect to Exchange after you simply changed the IP address of the server.

Thursday, December 16, 2004

Still Can't Synch? Troubleshooting tips here!

Sometimes, no matter what you do, you just can't sync your device to the server. A good place to start is with Microsoft's Troubleshooting tips on Mobility. This provides you with a number of troubleshooting techniques.

You might also be having an issue with the self-signed certificate. 2002 devices are notorious for being trouble makers when synching against SBS 2003. Luckily, there are some tools to help you figure things out.

Like the Adding a Certificate to the Pocket PC 2002 tool.

Or disabling the certificate check. This tool is handy for both devices as a work-around. It disables checking the validity of the certificate for ActiveSync ONLY. Pocket IE will still validate certificates after you've used this tool.

Also, if you're hosting multiple domains, sometimes you can get into an issue with SBS not being able to find your mailbox. Say, for example, I have two email addresses, seanda@fqdn.com & sean@fqdn.com, my logon name is seanda, but I enter sean as my email alias. Exchange may not be able to find my mailbox. What you can do is take advantage of the .local domain and force Exchange to look up on this domain. Simply by setting HKLM\System\CurrentControlSet\Services\MasSync\Parameters\SMTPProxy to the internal domain name of mycompany.local and doing an "iisreset" from the command prompt, Exchange will only look for mailboxes of that user linked to the .local domain, making it easier for Exchange to find the mailbox. This problem usually shows up as an HTTP_500 error on the phone.

Finally, one of the more common problems comes up when you change the IP address of the server. Say you want a different subnet on your internal network: if you simply go into the local network card and change the IP address, you'll have issues. What you'll want to do is use the Change IP tool provided for you on the Internet and E-mail snap-in of the admin console. This will ensure the IP restriction on the \exchange-oma virtual directory remains intact. If that IP address doesn't match the IP address of the server, your syncs will get access denied.

Hopefully these tips get you mobile again.

Wednesday, December 15, 2004

What's in a Synch?

How does a Microsoft mobile device synch against SBS 2003? Let's break it down.

Microsoft Mobile Devices
A Microsoft mobile device such as a SmartPhone or a Pocket PC Phone Edition phone works in similar ways (exactly the same way for Windows Mobile based phones, i.e. the 2003 versions). These devices will get an internet connection (via GPRS, CDMA, WiFi or Bluetooth, depending on the device) and then authenticate to https://www.fqdn.com/microsoft-server-active-sync .

Because Exchange is primarily designed for the larger companies, it expects a front-end server to accept the web requests and a back-end server where the mailbox stores live. SBS is both front-end and back-end server; because of this, the request received in the MSAS virtual directory is sent (via a loopback) to the \exchange-oma virtual directory. While this data loop-back is not SSL encrypted, this virtual directory is IP restricted to the local box, such that the non-SSL encrypted data is all processed locally.

It is very important not to change the IP restrictions on the \exchange-oma directory, or you could have users' mail broadcast in clear text via an OWA session.

WAP 2.x Browse Phones
WAP 2.0 and higher browser phones can view their Exchange store by browsing to https://www.fqdn.com/oma. Once authenticated, the user can browse their inbox in a hyper-text like format. Be warned though, many of these phones do not support the self-signed certificate that SBS provides (meaning they will not prompt you to accept an invalid certificate, but rather just complain and fail).

Once the authentication occurs, the same loopback to the \exchange-oma directory will occur.

Tuesday, December 14, 2004

Configuring Mobility on SBS 2003

Somewhat recently, I did a live mobility webcast (that you can now listen to on demand) in which I went through the steps to configure mobility on your SBS 2003. It's easy, but it's not hand-held. The steps are a little confusing to get all set up, so I'm going to run through them here on my blog in hopes of getting you mobile.

Configure the Server
First you'll have to configure the server. This is a single-click configuration: when running through CEICW (Configure Email and Internet Connection Wizard), on the Web Services page, simply check the box that is labelled Outlook Mobile Access. When you complete the wizard, this will configure the following things:

  • Enable OMA inside Exchange by setting an Active Directory object to enabled

  • Configure the firewall to allow access on port 443 (SSL webport) if it's not already open for another web service

  • Configure IIS to un-restrict the IP restrictions on both the \Microsoft-Server-Active-Sync and \OMA virtual directories. These are restricted out of the box to ensure high levels of security, so that only the services in use are available to the users.

Now the server is configured, let's get to work on the clients!
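The three virtual directories above have to end up in opposite states: \Microsoft-Server-Active-Sync and \OMA open to the Internet, \exchange-oma granted only to the server's own address (the restriction the Change IP tool preserves, and the one the "What's in a Synch?" and "Still Can't Synch?" posts warn about). Here is an added Python audit (not from the original post) that checks a snapshot of those restrictions against the current server address; the IpRestriction model and the two scenarios are constructed for the example and are not the metabase's on-disk format.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRestriction:
    """Simplified model of an IIS IP address restriction (assumption: this
    mirrors what the IPSecurity property expresses, not its binary layout)."""
    grant_by_default: bool
    granted: tuple = ()  # networks allowed when grant_by_default is False


LOOPBACK_VDIR = "exchange-oma"                          # must stay local-only
MOBILE_VDIRS = ("Microsoft-Server-Active-Sync", "OMA")  # opened by CEICW


def audit_mobility_vdirs(vdirs, server_addresses, oma_enabled=True):
    """Check the three mobility virtual directories against the state the
    CEICW and Change IP wizards maintain. Returns a list of findings."""
    findings = []
    local = {ipaddress.ip_address(a) for a in server_addresses}
    local.add(ipaddress.ip_address("127.0.0.1"))  # the local box itself

    loop = vdirs.get(LOOPBACK_VDIR)
    if loop is None:
        findings.append(f"{LOOPBACK_VDIR} is missing")
    elif loop.grant_by_default:
        findings.append(f"{LOOPBACK_VDIR} grants everyone: its non-SSL leg is "
                        "reachable from the network")
    else:
        nets = [ipaddress.ip_network(n) for n in loop.granted]
        for addr in server_addresses:
            if not any(ipaddress.ip_address(addr) in n for n in nets):
                findings.append(f"{LOOPBACK_VDIR} does not grant the server "
                                f"address {addr}: syncs will get access denied")
        for n in nets:
            if n.num_addresses != 1 or n.network_address not in local:
                findings.append(f"{LOOPBACK_VDIR} grants {n}, which is not the "
                                "local box")

    for name in MOBILE_VDIRS:
        v = vdirs.get(name)
        if v is None:
            findings.append(f"{name} is missing")
        elif oma_enabled and not v.grant_by_default:
            findings.append(f"{name} is still IP-restricted; devices on the "
                            "Internet cannot reach it")
        elif not oma_enabled and v.grant_by_default:
            findings.append(f"{name} is open although mobility is not enabled")
    return findings


# Constructed scenario: the server was moved from 192.168.16.2 to 10.0.0.2 by
# editing the NIC directly, so exchange-oma still grants only the old address.
AFTER_MANUAL_CHANGE = {
    LOOPBACK_VDIR: IpRestriction(False, ("192.168.16.2/32",)),
    "Microsoft-Server-Active-Sync": IpRestriction(True),
    "OMA": IpRestriction(True),
}
# The same server after the Change IP tool updated the restriction.
AFTER_CHANGE_IP_TOOL = {
    LOOPBACK_VDIR: IpRestriction(False, ("10.0.0.2/32",)),
    "Microsoft-Server-Active-Sync": IpRestriction(True),
    "OMA": IpRestriction(True),
}

if __name__ == "__main__":
    for label, vdirs in (("manual", AFTER_MANUAL_CHANGE),
                         ("wizard", AFTER_CHANGE_IP_TOOL)):
        print(label, audit_mobility_vdirs(vdirs, ["10.0.0.2"]) or ["ok"])
```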

Client Configuration
Client configuration is the most confusing aspect of setting up a mobile device, primarily because it's not intuitive, but if you know what you're doing, it's super simple.

  1. First thing is to set up a user. While you're in the Add User Wizard setting up that user's computer, choose to deploy ActiveSync 3.7 (even though it's old), as this will install:

    • ActiveSync 3.7

    • SBSMobCfg - The SBS mobile device configuration utility

  2. When this is complete, tell the user to log off and log back on. This will initiate the installation of the above tools.

  3. When ActiveSync is installed, simply hook up the device as per the instructions that come with it (except there will be no need to install ActiveSync, since it was installed via the server)

  4. On the first connection of the device, you'll see the following screen appear:

    This step configures the phone with predefined defaults that the user can change during the Getting Connected wizard that appears.

Once you complete the Getting Connected wizard, the phone will start its first synch.

It's probably a good idea to leave the device in the cradle for the first synch, since this will be the biggest, most expensive sync you have. Once this is finished, you're ready to go mobile! What was the saying?

Go Mobile ... or Go Home!

Monday, December 13, 2004

=Outlook Address Book

Outlook 2003 does a lot to help you out. Although sometimes it's too helpful for its own good.

Let me give you an example.

I'm looking for the phone number for a co-worker, I know his alias. Lucky for me, Outlook provides a quick-lookup box for aliases in one of the tool bars. However, if I just type his alias "FLast" into the box, I get a selection box. Outlook kindly asks me if I'm looking for First Last contact, or First Last Direct Reports or First Last's hotmail address. Dang! All I wanted was the phone number out of the GAL contact object of FLast!

Well, here's a tip. Put the "=" sign in front of an alias, it will force Outlook to look for exactly that contact. In my example you would use =FLast. Now Outlook opens the contact information for that object and I can just dial the phone number without any more clicks of the mouse.

Simple, but effective. At least I think it is.

Friday, December 10, 2004

Tweak Out your System...

A couple of weekends ago, I went through the process of re-installing my System again.

One of the programs I realize that I just can't live without installing is TweakUI. It comes as part of the PowerToys that is available for Windows XP. This is what they say about it:

Tweak UI
This PowerToy gives you access to system settings that are not exposed in the Windows XP default user interface, including mouse settings, Explorer settings, taskbar settings, and more.

Well, that's pretty much what it does. The key things that I change are:

  • The Favourite location, although I'm trying to do this via Group Policy

  • The My Music location, again, I'd like to do this via Group Policy at some point

  • The shortcut icon

  • On some systems, I even use the auto-logon feature

  • The menu speed, I like it to be a little faster

  • The thumbnail size, for pictures, this is key for those digital photo people out there

  • The slide show speed; sometimes 5 seconds is just too slow, I like 2.5 seconds honestly

  • I'd like to change the places bar, but for some reason, Office doesn't utilize this, so it's not that useful

  • Finally, the templates, what you see when you right click and choose "New"

It's gotta be custom baby!

Still waiting on Adobe? Speed it up!

So a while back I was looking for a copy of Adobe 3.0. Why? Because I was tired of waiting for Adobe to load just to show me a simple PDF file. How many plug-ins does Adobe have to load to show me a PDF?

Well, I came across a blog with the answer! Darrell Norton posted about how to move the plug-ins into optional use after Adobe is installed. Wow, what a difference!

Here is the gist:

  1. In Windows Explorer, browse to c:\program files\adobe\Acrobat 6.0\Reader\

  2. In the plug-ins directory, you see all the plug-ins that get loaded (quite a few). Move the plug-ins that you don't want to load into the "Optional" directory and you're done!

So what are these plug-ins? Darrell's got you covered again.

In fact, to help out even more, here is the list of items that I have kept in my plug-ins directory:

  • Printme folder

  • AcroSign.prc

  • IA32.api

  • printme.api

  • Search5.api

  • Search.api

That's all there is left, and I don't even see the splash screen anymore it loads so fast. Finally, I can start using Adobe again.

Wednesday, December 08, 2004

MailTo: Made That Much Easier

I'm a big advocate of efficiency. It started to become cumbersome to me to be browsing the web, come across something I want to email out. Mouse down to the bottom of the screen, click outlook, mouse up to the top of the screen, click New Mail Message, mouse to the right of the screen, minimize Outlook, then start typing.

This had to change.

So, I created a new mail message shortcut in the QuickLaunch bar. Here's how I did it.

  1. Right click on the desktop and go to New, then click on Shortcut

  2. In the location of the item type in mailto: with the colon, then click Next

  3. In the name for the shortcut, type in New Mail Message and click Finish

Now you'll notice that you have a new shortcut, with the Outlook Icon. This just won't do.

  1. Right click on the icon and choose Properties

  2. Click on the Change Icon button on the Web Document tab

  3. Instead of looking in Outlook.exe for the icon, change the path to this file {systemdrive}\Program Files\Outlook Express\msoeres.dll

  4. Choose the new mail message icon and apply the changes

Ta-Da!

Now all that's left is to copy (or move) the shortcut into the Quick Launch bar. Now when you want to send a new piece of mail, you can simply click on this icon, and a new mail message will open, ready for you to type in the recipient. Handy for people who send lots of email like myself.

Tuesday, December 07, 2004

Getting Dizzy Thinking about Circular Logging?

Here's the skinny. When SBS 2000 shipped, we shipped with circular logging disabled (meaning Exchange was going to do its full logging). Our Product Support folks (PSS) were struggling with the number of calls from people who ran out of disk space. Why is this? No Exchange-aware backup was being done on the box, and the log files will grow indefinitely. Finally, due to the nature of an SBS install (typically a single volume with everything on it), the DC and Exchange server would run out of disk space at the same time (since they are the same box).

This can spell out bad news.

So with SBS 2003, we did 2 things. First, we provided an inbox backup solution to make it easy for people who were scared of backup and didn't understand it to successfully set up a backup and actually do Exchange-aware backups (yes, NTBackup is Exchange aware!). Second, we enabled circular logging out of the box (to prevent log files from growing out of control!), we re-enable it when you run the wizard, and we never disable it again (even if you disable the SBS backup tools).

So what does this mean for you?

If you're using a 3rd party backup solution, that's Exchange-Aware, you're probably going to want to disable the circular logging to reap the full rewards of Exchange logging functionality. How do you do this? Well, you can run the SBS Backup wizard, then run it again and disable it. Or you can modify the setting directly. Simply:

  1. Open Server Management and expand Advanced Management, First Storage Group, Servers, {Servername}

  2. Right click on First Storage Group and choose Properties

  3. On the General tab, uncheck the Enable circular logging and choose OK

That's all there is to it. Now your 3rd party backup application will tell Exchange to truncate the logs and you're all set.

Monday, December 06, 2004

Troubleshoot Group Policy

Group Policy is very much overkill for Small Business Server. So much so, in fact, that many of the features won't even work on an SBS box because they relate to cross-forest or cross-domain functionality. Having said that, Group Policy can still be cumbersome to troubleshoot within a single Domain and Site. What you need is troubleshooting tools.

There are a few primary tools I would want to call out around troubleshooting.

RSOP.MSC
This handy Windows XP tool can be run by simply typing "rsop.msc" from a client run box. It will gather all the details of policy running on that particular box and show it to you in a single GPEdit.msc console. It's not the easiest way to look at it, but if you're checking for a specific policy and whether it was applied or not, this is pretty easy. You even get funky red X's if something failed to apply.

GPResult.exe
This handy DOS command can be run to roll up and show you all the policies in your network and which ones are applied to the computer, and which ones aren't. Kind of handy if you were expecting a policy to affect a machine and it didn't.

GPMC "Policy Results" Calculations
If the user has ever logged into the client machine, you can go crack open GPMC (our handy Group Policy tool) and run a new query; it will take your computer/user combination and give you a nice roll-up of what's going on with that particular user. This is handy since it's an all-in-one familiar interface to view all the policies and how they are applied.

Happy Problem Solving!

Friday, December 03, 2004

Google finally picked up their own Blog!

As you probably know, this site is hosted by Google. It was primarily chosen because... well, there is no real reason; it has its pros and its cons. It was available before MSN Spaces, it's not hosted on my own box and.... well, here are the rest of my thoughts on that.

What I found most amusing was that I couldn't find my blog on the Google search engine; heck, the "search this blog" at the very top of this page didn't work!

Come on Google, it's your own blog.

Well, finally, it would appear that the search above is working and a search for seanda on Google returns this blog as the 3rd link!

Of course if you search for Sean Daniel you'll learn quite a bit about the director who shares my name, but never see this blog.

Well, onto the good news. You can search this Blog!

Group Policy Inheritance and Scope

Group Policy is pretty well defined, so well defined that it can be predicted in all cases; unfortunately there are so many different ways things can occur that prediction can get complicated if you complicate your GP settings.

I'm going to share the inheritance model with you.

The best way to think about it is that the closest policy to the object (user or computer) will take precedence. So OU Policies supersede Site Policies, which supersede Domain Policies. There are some exceptions to this rule, they are:

  • The local computer policy is always overrun by any other policy

  • If the policy prevents overruling (i.e. it's enforced), then it will supersede any policy below it. Although doing this will make it harder to debug what's going on, especially in an SBS environment, it's not really needed

Keep in mind that a GPO only makes changes to the objects that are in its container.

Another thing to keep in mind is the link order. At each level (Domain/Site/OU) each Policy has a link order. GPOs are processed in the order of their link number, i.e. link 1 is first, link 2 is 2nd, etc.

Finally, inside a Group Policy, the Computer side of the GPO is processed before the User side, so if you make a change on both sides, the Computer side will take precedence over the User side. This one is handy to know if you've got roaming users inside your network.
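To see the precedence rules above play out on a concrete set of links, here is an added Python simulation (not from the original post) of the client's standard processing order: local, then site, then domain, then OU, with each later policy overwriting earlier ones, link order 1 winning within a container, and Enforced links applied after all the rest so the highest enforced link wins. The GPO names and settings are constructed for the example; Block Inheritance is not modelled.

```python
from dataclasses import dataclass, field

# Standard processing order: local, site, domain, OU. Later-applied policies
# overwrite earlier ones, so the policy closest to the object normally wins.
LEVEL_ORDER = ("local", "site", "domain", "ou")


@dataclass
class Gpo:
    name: str
    level: str                  # one of LEVEL_ORDER
    link_order: int = 1         # 1 = highest precedence within its container
    enforced: bool = False
    settings: dict = field(default_factory=dict)  # setting -> configured value


def application_order(gpos):
    """Return the GPOs in the order the client applies them (last one wins)."""
    def at_level(level):
        # Within one container the higher link-order numbers are applied first,
        # so link 1 is applied last and takes precedence.
        return sorted((g for g in gpos if g.level == level),
                      key=lambda g: g.link_order, reverse=True)

    normal = [g for lvl in LEVEL_ORDER for g in at_level(lvl) if not g.enforced]
    # Enforced links are applied after everything else, walking back up the
    # hierarchy, so an enforced domain link even beats an enforced OU link.
    enforced = [g for lvl in reversed(LEVEL_ORDER)
                for g in at_level(lvl) if g.enforced]
    return normal + enforced


def resultant(gpos):
    """Resultant set of policy: setting -> (value, name of the winning GPO)."""
    result = {}
    for g in application_order(gpos):
        for setting, value in g.settings.items():
            result[setting] = (value, g.name)
    return result


# Constructed example domain: a local policy, a site link, two domain links
# (link order 1 and 2, the second Enforced) and one OU link.
EXAMPLE_GPOS = [
    Gpo("Local Computer Policy", "local",
        settings={"Wallpaper": "local.bmp", "Screensaver": "local.scr"}),
    Gpo("Site Policy", "site", settings={"Screensaver": "site.scr"}),
    Gpo("Default Domain Policy", "domain", link_order=1,
        settings={"Wallpaper": "domain.bmp", "MinPwdLen": 7}),
    Gpo("Lockdown", "domain", link_order=2, enforced=True,
        settings={"Wallpaper": "corp.bmp"}),
    Gpo("Sales OU Policy", "ou", settings={"Wallpaper": "sales.bmp"}),
]

if __name__ == "__main__":
    for setting, (value, winner) in sorted(resultant(EXAMPLE_GPOS).items()):
        print(f"{setting}: {value} (from {winner})")
```

Clear the enforced flag on "Lockdown" and the Sales OU link wins the Wallpaper setting again, which is the debugging confusion the enforced bullet above warns about.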

Mobility Webcast on-demand now available

It would appear that the Mobility Web Seminar for Partners is now available for review on-demand.

The presentation can be launched from This link, simply enter a name and submit it. If for some reason this link doesn't work for you. Head on over to the Registration Page for the broadcast, register, and Microsoft will send you an email with a link to the presentation.

I will most likely publish some of the mobility related items directly to this blog as well, look for them in the future.

Thursday, December 02, 2004

Using an AudioTron in your SBS network?

I know it's not a common line of business application, but it certainly is at my house. I need ma tunez!

So I installed my Audiotron on my network at my house, only to find it could read shares from my client, but not from my server.

What the heck? Isn't that what servers are for? Storing Data and sharing stuff?

This had to be fixed. After searching for some time on the web, I managed to find that in Windows Server 2003, digitally signing communications is enabled by default on all domain controllers. The Audiotron doesn't like this. So you have to disable it.

  1. In GPMC, find the Default Domain Controllers Policy

  2. Edit this policy, and drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options

  3. In the list on the right, find Microsoft Network Server : Digitally Sign Communications, and change this to disabled

Of course you're going to have to run gpupdate /force to get this to take effect immediately on the server.

Now your AudioTron can view the server and read music off it.

Wednesday, December 01, 2004

Mobility Web Seminar for Partners..

Tomorrow morning I will be presenting in a web seminar on how to connect your mobile device to SBS 2003. Here are the details. I believe it's only for partners at this time, but why not register?

Event: Windows Small Business Server 2003 and Mobile Devices
Date: 12/2/2004
Time: 9:00am PST
Duration: 60 mins
Description:
Learn all about connecting a Windows Mobile device to Windows Small Business Server 2003. In this session we will discuss the server setup, client setup and mobile device setup aspects of joining a Microsoft Mobile device to the network, enabling users to maintain connectivity and stay productive while away from the office.

The seminar will be hosted via Live Meeting, but you can register by finding the presentation on the MS Readiness Upcoming Broadcast page.

To register for my specific event, follow this Link.

Hopefully see you there tomorrow!

Keeping Track of your Backups... The Easy Way

Wayne Small, an SBS MVP and fellow blogger told me a tip over IM the other day. I gave him about a month to post it to his blog, and he hasn't. I find it very useful in my day to day life, so I thought I'd share.

Wayne uses rules in Outlook to easily identify what's going on with backups on his clients' servers. For me, that's 3 servers: my home server, the server at work and also my cousin's SBS box over in Great Falls, MI.

Wayne configures an Outlook rule to search for specific strings within the body of messages as they come in, those specific strings are:

  • Backup: Did not run

  • Backup: Completed successfully

  • Backup: Started but has not finished

  • Backup: Failed

Choosing flag colours for these strings, based on how they appear in the body of the message, will help you figure out "at a glance" whether the backup failed or succeeded.

If you're like me, and are short on rules because you have so many, then you might want to use a single rule and just put the last two items in it and mark it red, as I have done.

Now you can determine the backup status of an incoming Server Status Report in the blink of an eye.