Tuesday, November 30, 2004

Why do I have an Auditing Policy on SBS?

If you're playing more and more with Group Policy, and I know I am, you'll probably come across an Auditing Policy for the domain controller.

The policy includes the following information:

Why did we do this? Well, you'll have to read my long-winded previous post on Error 800423f2. If you look at the bottom of that post, you'll notice that Directory Service Auditing must be disabled. Well, this is how it's disabled. Removing this policy will probably result in a much higher failure rate on your backups.

Monday, November 29, 2004

Update to the Backup Hack

So my first technical post to this blog was about how to change the backup from targeting a USB disk or tape. I've got a lot of feedback on this post being helpful. I wanted to create a new post to indicate a correction to that post, and a minor modification. I decided to keep the post the same (for those of you who have linked to it from your blogs/websites/etc.), and just added an updated section.

Click here to go and check out the update.

Users ... their own worst Enemy?

Sometimes the people that use your network make mistakes... heck, sometimes you make a mistake and wish you could get a file back. SBS helps you with this as it maintains previous versions of files on file shares out of the box.

What I think the coolest part is, users can do this themselves! That's right. No more asking "can you recover this file? I just deleted it".

Of course, this responsibility has its drawbacks. But here is the worst that can happen: a user accidentally overwrites a file with an older version, and only the things changed in this file since the last update are lost, not the entire file.

I think this is a turn for the best: it means less administrative work for you, and more power for your users to do their job.

Thursday, November 25, 2004

So What Exactly is backup error 800423f2

If you've been running SBS 2003, and you've been a good administrator and you've been running backups, you've probably seen the backup error of dread!

Error returned while creating the volume shadow copy:800423f2
Reverting to non-shadow copy backup mode.

This error has good news and bad news. The good news is, before we shipped (like in the beta), this happened in about 90% of all backups; now it happens in about 0.01% of all backups. The bad news is, it still happens on occasion.

So what is this error? Well, if you remember in my previous post I talked about VSS and how it works, primarily for snap-shots. I didn't mention what happens when you do a backup. Like I mentioned, doing a snap-shot for a backup is very much the same as doing a snap-shot for a previous version. But here is the difference.

In a snap-shot for a backup, the VSS service will call all the writers on the system. You can see how many writers you have on your system by opening up a command prompt and typing vssadmin list writers. Each application you install on your system should have a writer to work best with the backup.
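One way to turn the `vssadmin list writers` output mentioned above into a quick health check, as an added example (not code from the original post or from Microsoft). The sample text is constructed in the layout the command prints; the GUIDs are placeholders and the failed state is invented for the demonstration.

```python
import re

# Constructed sample in the layout "vssadmin list writers" prints; the GUIDs
# are placeholders and the writer states are invented for this example.
SAMPLE_OUTPUT = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'Event Log Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [9] Failed
   Last error: Timed out

Writer name: 'NTDS'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a3}
   State: [1] Stable
   Last error: No error
"""

# Only these three fields matter here; "Writer Id" lines do not match.
FIELD = re.compile(r"^\s*(Writer name|State|Last error):\s*(.*?)\s*$")
STATE = re.compile(r"^\[(\d+)\]\s*(.*)$")


def parse_writers(text):
    """Return one dict per writer: name, state_code, state, last_error."""
    writers = []
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "Writer name":
            writers.append({"name": value.strip("'"), "state_code": None,
                            "state": None, "last_error": None})
        elif writers:
            if key == "State":
                state = STATE.match(value)
                if state:
                    writers[-1]["state_code"] = int(state.group(1))
                    writers[-1]["state"] = state.group(2)
                else:
                    writers[-1]["state"] = value
            else:
                writers[-1]["last_error"] = value
    return writers


def needs_attention(writers):
    """Writers that are not stable or that still report an error."""
    return [w for w in writers
            if w["state"] != "Stable" or w["last_error"] != "No error"]


if __name__ == "__main__":
    found = parse_writers(SAMPLE_OUTPUT)
    print(f"{len(found)} writers registered")
    for writer in needs_attention(found):
        print(f"{writer['name']}: {writer['state']} ({writer['last_error']})")
```

To use it on a real server, redirect the command's output to a text file and pass the file's contents to `parse_writers`.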

First, What's a Writer?

A writer is built by the application for the application; it knows what to back up, and how to prepare the application for the VSS snap-shot. Of course, NTBackup doesn't use the first piece of information.

So how does the whole process work? Well, bkprunner is kicked off and launches NTBackup. NTBackup then tells VSS to do a snap-shot.

In order to get a backup where there are no open files, a snap-shot takes place, but for the backup, we want to make sure that all the data from all applications is no longer kept in memory, but rather is flushed to the disk. In order to do this, VSS performs these steps:

  1. Request Writers to Prepare for Backup - there is 1 minute allotted here for applications to write all the data they want to have backed up to disk

  2. Request Writers Freeze Applications - At this point, the Writers instruct their own application to hold all disk writes in memory. From this step, to the 6th step in this list, there is a hard stop at 60 seconds

  3. Request Filesystem Writer to freeze filesystem - This is when the file system is frozen and this writer will hold all writes to the disk from any application that doesn't have a Writer. From this step to the 5th step, is allotted only 10 seconds

  4. Take a snap-shot - This is where the actual snap-shot differential area is created and ready to accept new changes

  5. Thaw (or un-freeze) the filesystem - Write everything to disk that was held off before and allow more writes to the disk

  6. Thaw the applications - Allow the applications to start writing to the disk again

So now you know how it works? What's the error?

Well, the error 800423f2 happens when the system doesn't get through the above steps in the allotted time period. There are some handy tips and tricks on how to resolve this issue. They are located in the Backup Tips & Tricks section. Essentially, they boil down to:

  • Make sure you have enough disk space on your disks, the system needs some to play with during a snap-shot

  • The disk is not fragmented, there is a lot of disk activity during the start of a backup, if the disk is too slow, it can cause issues

  • The Event Log isn't set too big. Due to the architecture of the event log and its writer, when a backup starts, the event log is paged from disk into memory, and then flushed out to disk again, which is pretty disk intensive

  • Directory Auditing is disabled. Due to the nature of SBS being a single box, all of the directory service authentication goes through this box. In the case of the backup, a lot of things are happening, and with directory auditing enabled, the box is just too busy to do the backup and all of the auditing

There are some hotfixes out to make VSS work a little better:
KB 833167 - A Volume Shadow Copy Service (VSS) update package is available for Windows Server 2003

Now you know how it works, and knowing is half the battle!

Happy Thanksgiving Backup Song

I thought I'd share a song I came across in newsgroups about Backup. I'm not sure who the source is, but the "I'm Feeling Lucky" search on Google Groups returned a post by Willi El Goldschmied.

Anyways, hopefully no one spends their Thanksgiving recovering a server. Here is the song:

All those back-ups seemed a waste of pay.
Now my database has gone away.
Oh I believe in Yesterday.

There's not half the files there used to be,
And there's a milestone hanging over me
The system crashed so suddenly.

I pushed something wrong
What it was I could not say.

Now all my data's gone
and I long for Yesterday-ay-ay-ay.

The need for back-ups seemed so far away.
I knew my data was all here to stay,
Now I believe in Yesterday.

Wednesday, November 24, 2004

Understanding Volume Snap-Shot Services ...

Lots of people have asked, so here is the short overview of how it works.

VSS, or Volume Snapshot Services, is used in two ways.

  1. To provide previous Versions of Files and

  2. To ensure backup applications don't have issues with open files

The two work in much the same way. At the specified intervals, a snap-shot is taken. Let's first talk about the snap-shot.

Taking a Snap-shot
A snap-shot occurs at the specified time of creating previous versions (defaulted to 7am and 12-noon), and at the time of backup (which is defaulted to 11pm).

A snap-shot usually takes less than 1 or 2 seconds to create. So how does it copy your entire hard drive in 1 or 2 seconds? It doesn't.

In actuality, it creates a hidden storage area to keep blocks of data. This storage area has a structure (which takes up 10mb of space total), and an area of size 300mb is created (hence why you can minimally create a 310 mb space for previous versions).

No files are moved.

What actually happens is that, from this point forward, the first time a file is changed, the differences in the file are stored in the hidden location, and the new changes are stored in the actual place on the hard drive. The next time it changes, the old-new changes are lost, as the new changes overwrite them. Changes are only copied the first time they change after a snap-shot is taken.

That's all there is to it? .... ok, so not all of it.

I bet the first question that comes to mind is: how come this doesn't just eat up your hard drive, 300 mb at a time?

Well, this is because on each snap-shot, if the space wasn't used, it's truncated, so it only keeps the smallest amount of data required to recover the original hard drive.

So using these snap-shots (or differential areas), at each snap time, the computer can re-construct a virtual hard disk of exactly what the hard disk looked like at that point in time. It does this using all the snap-shots that have occurred after the point in time you want to look at the hard drive. This is because if a file has changed through time, the data for that file is contained in all snap-shots and needs to be read to be reconstructed.

You can look at the snap-shots by right-clicking on a volume, going to Properties and then choosing the Shadow Copies tab. It looks like this:

From here, you can create or delete snap-shots. You might notice that if you delete one of the ones in the middle, you don't recover any space, but if you delete the last one, you recover the space. This is due to what I mentioned earlier: all snap-shots ahead of the earliest one are required to create the virtual hard disk.

Now this process keeps going and going and going, retaining previous versions of files for all your users. It maxes out at the specified limit, or 60 snap-shots, whichever comes first.
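The copy-on-first-change behaviour described above, as a small added model (an illustration written for this page, not VSS code). It assumes whole named files stand in for disk blocks to keep it readable; the `Volume` class and the file names are hypothetical.

```python
"""Toy model of copy-on-first-change snap-shots (illustration only)."""


class Volume:
    def __init__(self, files):
        self.live = dict(files)   # what is on the real disk right now
        self.diff_areas = []      # one dict per snap-shot, oldest first

    def snapshot(self):
        """Taking a snap-shot copies nothing; it only opens an empty diff area."""
        self.diff_areas.append({})
        return len(self.diff_areas) - 1

    def write(self, name, data):
        """Preserve the old content only on the first change after a snap-shot."""
        if self.diff_areas:
            newest = self.diff_areas[-1]
            if name not in newest:
                # None records that the file did not exist at snap-shot time.
                newest[name] = self.live.get(name)
        self.live[name] = data

    def view(self, snap_id):
        """Rebuild the volume as it looked when snap-shot snap_id was taken."""
        result = dict(self.live)
        # Undo changes newest-first, so the diff area closest to snap_id wins.
        for area in reversed(self.diff_areas[snap_id:]):
            for name, old in area.items():
                if old is None:
                    result.pop(name, None)
                else:
                    result[name] = old
        return result

    def preserved(self, snap_id):
        """What this snap-shot's diff area actually holds."""
        return dict(self.diff_areas[snap_id])


def demo():
    vol = Volume({"report.doc": "v1", "budget.xls": "v1"})
    morning = vol.snapshot()          # e.g. the 7am snap-shot
    vol.write("report.doc", "v2")     # first change: v1 goes to the diff area
    vol.write("report.doc", "v3")     # second change: v2 is kept nowhere
    noon = vol.snapshot()             # e.g. the 12-noon snap-shot
    vol.write("budget.xls", "v2")     # preserved in the noon diff area only
    vol.write("notes.txt", "v1")      # a file created after both snap-shots
    return vol, morning, noon


if __name__ == "__main__":
    vol, morning, noon = demo()
    print("live disk    :", vol.live)
    print("morning area :", vol.preserved(morning))
    print("noon area    :", vol.preserved(noon))
    print("view at 7am  :", vol.view(morning))
    print("view at noon :", vol.view(noon))
```

The 7am view gets `budget.xls` back from the noon diff area, which is why every snap-shot taken after the requested one has to be read.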

Any questions? Feel free to ask in the comments below, and I'll dive into details.

Tuesday, November 23, 2004

Redirecting the Client Desktop to the Server

As some of you know, I have a strong interest in backing up data and making sure it's secure. Naturally, I took advantage of the My Document Redirection tool in Small Business Server 2003. I like it for a number of reasons:

  • My Documents and everything in my Documents lives on the server, so it's easily backed up

  • Multiple PCs all have the same My Documents folder

  • I designed the tool :o)

But that's not enough. Recently, I've found that for the current things that I work on, I keep them on my desktop, until I'm finished, then I file them away in my Documents or delete them. So what's the problem?

My Desktop is not a safe place to store things!

It's not backed up, the data is only in one place, and it's the most important data to me at that time.

What did I do? I simply just re-directed the desktop to the server. Here's how:

  1. On the SBS server, open Server Management, Advanced Management and Group Policy Management

  2. Now decide where you want this policy. I would put it in the Users OU under: Expand Forest, {domain name}, My Business and Users

  3. Right click on SBSUsers and select Create and Link GPO Here...

  4. Give your GPO a name, I usually start with who created the GPO, followed by what's in the GPO, for this example, I'll use "Seanda - Desktop Redirection"

  5. You'll see the newly created GPO appear in the SBSUsers OU, right click it and choose Edit

  6. The Group Policy Object Editor opens, let's drill in to User Configuration, Windows Settings, Folder Redirection and right click on Desktop and choose Properties

  7. Here is where we will instantiate the policy. On the Target tab, change the Setting to Basic - Redirect everyone's folder to the same location

  8. In the Root Path type in the location to redirect to: \\{servername}\users.
    • In this example, I'm redirecting to the built-in Users share, since the ACLs are set correctly. If you want to redirect to a different share, you should read the help topic behind the "More Information" button on the My Document Redirection tool

  9. On the Settings tab, you can choose a number of things:

    • Grant the user exclusive rights to desktop - if this is checked, administrators cannot get into this folder without taking ownership

    • Move the contents of Desktop to the new location - if this is checked (and I think you should keep it checked), the contents of the current desktop, will move to the new location, this is so your users don't know what you've done. :)

    • Finally, Policy Removal will tell policy what to do if you ever delete this policy in the future

That's all there is to it. The next time your users log in (it might take 2 logons for XP clients, due to asynchronous logons), each user's desktop will exist on the server and be automatically included in your SBS backup!

So what's the drawback? Well, the items on the desktop will all get the funky blue icon saying that they are synchronized for offline use in the event the server goes down.

Enjoy the redirected life

Monday, November 22, 2004

Out-of-Office sent.. Out of Office

Some people like to have additional security around Out-Of-Office response e-mails. Those are the e-mails you automatically receive when you e-mail a person and they have set their Out-Of-Office in Outlook, or OWA (Exchange 2003 only).

Some companies (including Microsoft) make it corporate policy not to send these Out-Of-Office messages out of the company. I'm not exactly sure *why* you would want to do this, but I'm sure you have your own reasons.

Regardless, following KB Article 262352, I was able to figure out a set of steps (mainly because they are provided) to disable this, as this functionality is enabled by default on SBS 2003.

Here's how:

  1. Open Server Management, then Advanced Management, First Organization (Exchange), Global Settings and click on Internet Message Formats

  2. In the left-hand pane, right-click Default which is the * domain and choose Properties

  3. On the Advanced tab, un-select Allow out of office responses

It seems confusing, but if you sit back and think about it, you're working primarily with the Internet Message Formats, and this is an Internet thing.

Oh, one last thing: restart the Simple Mail Transfer Protocol (SMTP) and the Microsoft Exchange Routing Engine services for the change to take effect.


Friday, November 19, 2004

Catfood, Dogfood it all Tastes Good

Sidebar: I apologize for not posting the past couple of days. I ended up taking a class, and also having an offsite. Combine that with a common cold, and there really isn't much free time to sit in front of a computer. As a result, I'm posting twice today (to kind of make up for lost time).

Microsoft has been dogfooding their own products for years. This means that Microsoft uses their own products first, in beta, release candidate and then finally in RTM. What many people don't know is that the Small Business Server team does the same thing, except we call it Catfooding.

Why Catfooding?

Well, it's a long story, let me explain, since I think it's kind of fun.

Microsoft also uses code names for each of our products because we start working on the product long before deciding what to call it. Windows Server 2003 has the codename Whistler (yes, after the mountain). When we sat down to give SBS 2003 a code name, we decided, well, it was built on top of Windows Server 2003, so why not pick a run on the mountain. Bobcat won the majority vote.

Since the choice of Bobcat as the code name, many things fell out of this:

  • Bobcat Orange - for those of you who installed the beta 1, you probably remember it

  • FC Bobcat - The indoor soccer team that consisted of co-workers

  • and Catfood - the dogfooding network for Bobcat

So now you know what Catfood is, what do we do with it?

Well, using a single SBS box, we host roughly 70 users. Trust me, we're power users. Moreover, we probably have the biggest Active Directory you've ever seen on a single box! So what hardware do we use? Nothing too powerful:

  • Dual Processor 2.8 GHz

  • 1 GB of Ram

  • RAID 5, SCSI disks

Sure, it's a pretty hefty machine, but hey, it's got a pretty hefty load. Still, I've seen machines like this out there for 10 users! Wow! Administration is a little slow, but the users don't have any problems with use.

Catfooding is where it's at

Disabling RPC/HTTP UI in Outlook

I was trying to figure out why I couldn't configure RPC over HTTP for Outlook 2003. I had XPSP2 installed and I was running Office SP1; it's all supposed to be functional.

Apparently, because of my wacky installation point, I had a registry key set which prevented the UI from showing up. Frustrated about this, I got to thinking. Some people out there like to disable things they don't want their users to play with, so I thought I'd post it here.

In the registry key HKCU\Software\Microsoft\Office\11.0\Outlook\RPC there is a DWORD EnableRPCTunnelingUI. If this DWORD is set to "1", the UI shows up regardless of how the server is configured. If the DWORD is set to "2", the UI will not show up.

Seems simple now. I guess that's why they say hindsight vision is 20/20.

Tuesday, November 16, 2004

Using Templates ... not your brain

SBS 2003 has a feature that Windows Server does not have... ok it has a few features standard server doesn't have, but in this particular post, I wanted to share with you the wonder of using user templates.

You may have noticed that SBS has 4 templates out of the box:

  • Administrator Template - template to create additional administrators, consider using this template sparingly

  • Power User Template - users who can add users and have limited administrative functionality

  • Mobile User Template - template to create users who can use VPN/dial-up functionality of the server

  • User Template - This should be the most common template for users. All of these users can use the Remote Web Workplace

What is so cool about templates? You can make as many as you like!

I spend time building templates, and then when I add new users to my system, I can simply use the standard Add User Wizard and choose the appropriate template. Each user will be added to the correct distribution groups, security groups, quotas, etc.

Play around with templates, get to know them, they can help you keep your environment consistent.

Monday, November 15, 2004

Browsing a Pocket PC versus a SmartPhone

I've been using mobile devices for some time now. I like to do heavy customization, to ensure that the device is mine, and not a cookie cutter view of a graphic designer in building 118. I change the backdrop, the ring tones, the start menu, all to make my life easier so the device is more available to me.

How do you browse a device?

Simply dock it to your workstation, and click Explore on ActiveSync, or open My Computer and open Mobile Device.

This is handy to browse the phone and copy files to and from your device. I typically get a picture and size it to the screen size of the device, and use it as my device backdrop.

So what's the key difference?
On the Pocket PC, you can copy files to any location on the device (at least the ones that I've played with); on the SmartPhone, you are limited to your Storage Card or your Storage directory on the phone (IPSM on Smart Phone 02 devices).

This is ok, as the OS will search the entire device for files of the correct format for what you're looking for.

I just wanted to mention it since it caused me some confusion when I was trying to customize my SmartPhone.

Thursday, November 11, 2004

How to spot the Microsoft Guy ...

I thought it would be kind of fun to point out a few things that Microsoft folk seem to do. How would you spot the Microsoft guy in a crowd?

  • The Microsoft t-shirt touts an internal url.

  • The words "free food" take on a whole new meaning

  • People ask how to fix anything, even though you don't work on it

  • Lots of toys.

Enough said.

Wednesday, November 10, 2004

Smarthosts .... The good, The bad, and The Ugly

Using DNS to route email is a great idea, except perhaps if you're on a dynamic IP Address like myself. Sure it works great for receiving mail, the problem is sending it.

Some domains on the internet consider mail from dynamic IP addresses to be spam, and the message is just rejected. But you're not a spammer (neither is Susan Bradley). What's going on here?

Well, the remote host is doing a reverse lookup on the IP address, which of course, since the SBS server is on a dynamic IP address, won't return the proper domain name. Bam, spam filtered, or so the remote host thinks.

How do you fix this? Smarthost.

Usually ISPs provide an SMTP server, that is, a smarthost that is IP-restricted to the IP addresses that they give out. Simply run CEICW and choose "forward all email to the specified host" and put the ISP's smarthost into the box.

Now your problem is fixed!

Ok, time for some more information: what is a smarthost exactly? A smarthost is an email host that will accept an email from any email address and forward it to any email address. Sounds like a spam server eh? Yup, that's what it is. ISPs generally use IP restrictions and extensive logging to make sure that you're not spamming from within their network. A report from someone on spam can result in your account being disabled.

So what you don't want to do is turn your SBS server into a smarthost, but what you might want to do is have one SBS server forward mail to another SBS server. How do you do this? On the server you want to be the smarthost, follow these steps:

  1. Open Server Management, expand Advanced Management, {Servername} (Exchange), Servers, {Servername}, Protocols and SMTP.

  2. Right-click Default SMTP Server and choose properties.

  3. On the Access tab, click the Relay... button.

  4. Click on Add, and add the IP Address of the other SBS server which will use this computer as a smarthost.

Important: Be extremely careful which IP addresses you add, and do not add any more than necessary; you wouldn't want your SBS server to be a spam relay server.

One last note: when SBS server 1’s IP changes, you’ll have to re-do this sequence.

Enjoy the limited relay

Tuesday, November 09, 2004

XBOX Live & Routers

So I've had a few issues recently connecting to games via XBOX live. This of course is no fun at all, especially when you want to play instead of troubleshoot networking issues.

Hopefully this post will help out.

My issue was, I was able to connect to XBOX live, and see my friends, and the games they were trying to host, then for some reason, when I attempted to connect to the game I would get "The game is no longer available".

Struggling and surfing the net for a while, I found that opening port 3074 (UDP) and pointing it to your XBOX will fix this issue.

Monday, November 08, 2004

SBS Backup Event Logs

I see all too often posts in the newsgroups and Yahoo groups about SBS Backup failing with Event log ID 5634. This is not a surprise; Event ID 5634 means that backup failed.

Let me take a step back here and tell you how the reporting mechanism works.
A program called bkprunner.exe will launch via Task Scheduler and drop event 5632 into the event log, thus marking the start of the backup process. At this point bkprunner.exe will read a bunch of registry settings to figure out what to do. Using the registry, bkprunner will call NTBackup.exe with the correct parameter set according to the registry settings.

NTBackup performs the actual backup. Bkprunner.exe will simply wait for NTBackup to finish its task.

Hours later, NTBackup happily exits and bkprunner comes alive. At this point, bkprunner will look for any NTBackup errors scattered around the system. If it finds one, it logs Event ID 5634 as an error; if it doesn't find one, it logs 5633 as a successful backup. It then reports the result to the admin console, passing along the NTBackup log file.

So, what does this mean? "SBS Backup failed with Event ID 5634" does not mean anything other than it failed. The best way to find out WHY your backup failed is to actually read the NTBackup log file from the Backup snap-in.

Don't forget that there is a ton of information in the Backing up and Restoring whitepaper. Also, if you're stuck, you should check out the Troubleshooting Backup & Restore online.
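A way to work through the reporting chain described above, as an added example (not code from the original post or from SBS): it pairs each 5632 start event with the 5633 or 5634 that follows, flags runs that never logged a result, and pulls the shadow copy error code out of an NTBackup log. The "timestamp,event id" export format and both samples are constructed for the example; the error line is the one quoted in the 800423f2 post.

```python
import re
from datetime import datetime

EVENT_START, EVENT_SUCCESS, EVENT_FAILED = 5632, 5633, 5634

# Constructed sample: "timestamp,event id" rows exported from the event log.
SAMPLE_EVENTS = """\
2004-11-05 23:00:02,5632
2004-11-06 02:41:17,5633
2004-11-06 23:00:01,5632
2004-11-07 03:05:44,5634
2004-11-07 23:00:03,5632
2004-11-08 23:00:02,5632
2004-11-09 01:58:30,5633
"""

# Constructed NTBackup log excerpt around the error lines quoted on this page.
SAMPLE_NTBACKUP_LOG = """\
Error returned while creating the volume shadow copy:800423f2
Reverting to non-shadow copy backup mode.
"""

VSS_ERROR = re.compile(
    r"Error returned while creating the volume shadow copy:\s*([0-9a-fA-F]{8})")


def parse_events(text):
    """Return (timestamp, event id) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, event_id = line.rsplit(",", 1)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        events.append((when, int(event_id)))
    return sorted(events)


def pair_runs(events):
    """Match every start event with the result event that follows it."""
    runs, open_start = [], None
    for when, event_id in events:
        if event_id == EVENT_START:
            if open_start is not None:
                # A new run began before the previous one reported anything.
                runs.append({"start": open_start, "end": None,
                             "result": "no result logged"})
            open_start = when
        elif event_id in (EVENT_SUCCESS, EVENT_FAILED):
            result = "success" if event_id == EVENT_SUCCESS else "failed"
            runs.append({"start": open_start, "end": when, "result": result})
            open_start = None
    if open_start is not None:
        runs.append({"start": open_start, "end": None,
                     "result": "no result logged"})
    return runs


def needs_log_review(runs):
    """5634 only says 'failed'; these are the runs whose log must be read."""
    return [run for run in runs if run["result"] != "success"]


def vss_errors(log_text):
    """Shadow copy error codes mentioned in an NTBackup log."""
    return [m.group(1).lower() for m in VSS_ERROR.finditer(log_text)]


if __name__ == "__main__":
    for run in pair_runs(parse_events(SAMPLE_EVENTS)):
        print(run["start"], "->", run["end"], run["result"])
    print("VSS errors in log:", vss_errors(SAMPLE_NTBACKUP_LOG))
```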

Friday, November 05, 2004

Don't just use Outlook, Conquer it!

Outlook 2003 does so many tiny things to aid your productivity. I wanted to share with you a few tips that I use to move around Outlook (which is really the application I spend the majority of my time in).

Let's not waste time, let's just jump right into the tips!

  • If someone sends you an email and asks you to setup a meeting, what's the easiest way to do this? Simply drag the mail with the right mouse button onto the "Calendar" button, you'll get a menu, like this one:

    and you can choose to copy the text of the email into a new calendar request. This tip works the same way for tasks and contacts. Play around with it!

  • Quickly jump around Outlook without using the mouse. You can use the CTRL+# keys to jump to sections: CTRL+1 is mail, CTRL+2 is calendar, CTRL+3 is contacts, and so on.

  • Everyone knows that you can use CTRL+N to create a new {whatever section you're in}, but what if you want to create a new contact, do you have to press CTRL+3, CTRL+N? Seems like too many keystrokes. I guess the Outlook team thought so too:

    • CTRL+SHIFT+M - New mail message

    • CTRL+SHIFT+A - New Calendar item

    • CTRL+SHIFT+C - New Contact

    • CTRL+SHIFT+B - Open your Address book

    • CTRL+SHIFT+U - New Task (Also CTRL+SHIFT+K)

    • CTRL+SHIFT+N - New Note

    • CTRL+SHIFT+L - New Outlook Distribution List

    • CTRL+SHIFT+I - Change to the Inbox from anywhere

    • CTRL+SHIFT+O - Change to the Outbox from anywhere

    • CTRL+SHIFT+F - Advanced Find

    • CTRL+SHIFT+X - Open a new Fax

    • INS - Toggle the flag on a mail message

Hopefully this will make you more productive with your primary email tool. I know it's nice for me not to have to move my hand over to the mouse every time I want to see what's coming up on my calendar.

Thursday, November 04, 2004

Give SBS the 'Bling-Bling' Shell

Ever wonder why the SBS server is all gray, and your Windows XP box looks cool, slick and shiny new? The themes service isn't started. Why isn't the themes service started? Because it uses RAM. Servers generally are quiet do-gooders that sit in the corner. They don't have to be pretty, they just have to help each user on the network get their job done.

Well, in my case, I wanted to make sure SBS was as bling-bling as it could be, plus I had the extra ram.

Here is what I did:

  1. Click on Start, Run, and then type in services.msc and hit Enter

  2. Scroll down in the list until you find the Themes service, right-click it and choose Properties

  3. Enable and Start the service

That's all you have to do, now you can right click on the desktop and choose a bling-bling theme. I choose the silver one just to make sure I don't confuse it with my client.

If you've got the RAM, and you want to put a face on your SBS box, choose bling-bling baby!

Wednesday, November 03, 2004

Essential Free Downloads

As you have probably guessed, I spend far too much time on the computer. One thing I'm a big fan of is free downloadable software that makes my life easier. I wanted to list a few pieces of software that I install on every clean install of Windows XP.

  • Open Command Prompt Here - right click on any folder in Windows Explorer and choose to open a command prompt directly at that location

  • Tweak UI - Change tons of registry settings, customizing your system from one all-encompassing UI

  • Image Resizer - Resize images directly from the shell, doesn't keep pictures the highest quality, but perfect for resizing pictures for the web

  • The Google Toolbar - This was more important pre-XPSP2 for the pop-up blocker, but now it's just handy to search from the web. I feel inclined to mention the MSN Toolbar, depending on which search engine you want to use

  • WinZip - I used the Windows XP shell zip for about a year after Windows XP shipped; it does everything you need. WinZip provides a few cool features around creating folders and installing zipped applications that are quite good. (mostly free)

I also install Office, Image library software and some other things, but these are the free ones.

Tuesday, November 02, 2004

MSN Messenger Face lift?

Are you an MSN User? I am, and the emoticons, while good, got a little old for me. I decided to upgrade them and get some new icons.

I can't say that they are all "clean" but they are definitely cool icons. Click here to check out the largest MSN icon library that I have found on the Internet.

Happy messaging!

Monday, November 01, 2004

Killing Nasty Spyware!

My last post was on Layers of Spam Protection. Reducing spam makes you a more productive person. But spam isn't the only thing that can get in your way. There is also spyware, which is installed alongside many of the applications you download from the internet.

That's right, you may think you are just getting a Disney software screensaver, but in reality, you're getting the screensaver, a handy pop-up opener application, a hard drive crawler designed to slow your system to a crawl and a plug-in for Outlook that reads your contact list (this is just a nasty example).

How can you clean your system of such horrible applications?

The hard-way
If it's running, it's doing something. Stop all the services you don't need, and stop programs from running from your registry, start menu and win.ini file. Delete unnecessary plug-ins from Outlook, IE, etc., and scrape the registry for signs of spyware applications and remove them... Pretty tedious *and* you have to know what you're doing in order to be successful.

Luckily, there are other people on the Internet that hate spyware as much as I do. Microsoft helps point these out with Security at Home: Fight Spyware!

The easy-way
I used to do it the hard way, but there are so many spyware programs that this could take forever, let alone me being able to detect all the different forms of spyware. I leaned on the website above, and found Lavasoft Ad-Aware and Spybot Search & Destroy. I've used both of these applications, and they both do an excellent job for free! I like the name Search & Destroy, so I typically use Spybot as a result of my mindset when I get a pop-up that I wasn't expecting.

But keep in mind, that not all pop-ups come from spyware, some come from the website you're browsing. XP SP2 comes with a free pop-up blocker, and there are other tools out there too like the Google Toolbar or the MSN Toolbar.

Safe Computing!