Tuesday, February 24, 2009

How to Synchronize the DSRM password with a Domain User

[This post courtesy of Paul Fitzgerald]

If you have a disaster and you need to recover, are you going to be able to log into your system?  When using the Directory Service restore Mode (DSRM) Administrator password, you may not be able to remember it!  This could lead to a whole whack of problems, as great as not having access to log into your machine to recover data!

In Windows Small Business Server 2003, the product itself kept the DSRM Administrator password in sync with the Administrator account on the system.  So whenever that password was changed, so was the DSRM password.  Making things super easy for you.

With Windows Small Business Server 2008, the built in administrator account is disabled, so this functionality was never implemented.   However, a new feature is available for download for you to choose which account the DSRM password is sync’d with.  KB Article 961320 talks about what’s needed to download.  You can download the patch by clicking on the:

  image

icon (it will probably be included in Server SP2), and then the command line that you need to run to choose which domain account to sync it too.

That’s all there is to it!

Friday, February 20, 2009

Keys to Success in SBS 2003-2008 Migrations

The Official SBS blog has put out some notes on how to make sure you’re migration from SBS 2003 to SBS 2008 is successful.That blog post is here.

From my own experience, the documentation, is very very complete, and very thorough.  The catch of course is, this isn’t like normal SBS documentation where you can skip steps, every part of every step is crucial.  If you’re not reading every word and doing every step, then your failed migration on your head.  READ and then READ again!

Check out the Official Blog post.

The Importance of a Strong Password

I can’t emphasis enough how important creating a strong password is. Lots of people have easy to remember passwords that are just not secure.  The most notable ones are bank PIN numbers.  The difference here is you have to physically have the card to use the password, in an environment where you only have a username and password, the password is super important.  It’s quite likely that your username is right there in your email address, so the password is all that keeps those hackers out.

If you like the idea of having something “physical” that you are required to have with you, you can add these technologies to Windows Small Business Server.  Using 3rd party software, you can either take advantage of SmartCard authentication built right into Windows, or use something designed specifically for SBS, called Auth Anvil, which requires you to have a FOB with a random number on it when logging into Remote Web Workplace.

If a low cost solution is required, you can jack up the password policy requirements on your network and require users to have super strong passwords.  Below is the password policy out of the box with Windows Small Business Server 2008. 

image

You can change the frequency of when the password needs to change, which prevents brute force attacks (as those usually take time), and change the number of characters.  When you enable password complexity requirements, you’re forcing the following:

  1. Not containing the user’s account name or parts of the user’s full name that exceeds 2 consecutive characters
  2. Contains letters from the following:
    1. English Uppercase A-Z
    2. English Lowercase a-z
    3. Base 10 digits 0-9
    4. Non-alphabetic characters (e.g. !, $, #, %)

The trick of course is to educate your end users to remember these passwords.

Microsoft has a great article on Strong Passwords: How to Create and Use them.  Creating (and remembering) a strong password is far easier than you think.  Microsoft calls out these 5 easy steps:

  1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."
  2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.
  3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "msaityo".
  4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the word "three" for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".
  5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".

If you want Microsoft to check how secure your password is, you can use the handy password checker.  I would recommend going for at least a password that indicates a Strong or Best green rating.  Weak passwords are usually compromised easily either by brute force attacks, or simply by knowing a bit about you.

Training on Migration – 5W/50

Tuesday of this week, our own Migration PM, Chris Almida, did a 5W/50 training session on Migrating from SBS 2003 to SBS 2008.  You might remember Chris from the first video he did for TechNet Edge, blogged about here.

As mentioned earlier, we have a whole bunch of 5W/50’s planned, and you can point your new IE8 browser to the Training Site to view the training on demand after it’s record.  The one that Chris did on the 17th will be up and available on demand shortly.  The session was going to be “Migrating from SBS 2003 to SBS 2008 on the Same Server Using Microsoft Virtualization Technologies”, however, due to feedback, this was changed to a “SBS 2008 Migration – common issues and potential failure points”

image

Friday, February 13, 2009

Embedding Live SharePoint Data into an Excel Spreadsheet

[This post courtesy of Chris Almida]

Windows Small Business Server includes Windows SharePoint Services by setup by default.  We use SharePoint daily at Microsoft to collaborate as a team.  One of the greatest benefits seems to be sharing a spreadsheet or List of items.  The beauty of SharePoint is multiple people can work on it at the same time.  Unlike with Excel, if you put it on a share, only one person can open it in Read/Write to make changes, or if you’re e-mailing it around, knowing which version has all the information in it.

With a SharePoint List, multiple people can work on different sections of a spreadsheet, but this causes the problem of what if you want the power of Excel behind your data to do graphing, or calculations on that data?  Well, you can build an Office Connection to download the latest data each time the spreadsheet is opened!

It’s super straight forward, here’s how (at least with SharePoint v3 UI):

On the SharePoint site

  1. Navigate to the list you want to update from within Excel.
  2. In the top right-hand corner of the sheet drop down the View box and choose Create View.
  3. In the page that shows, choose a Datasheet View.
  4. Give the view a friendly name so you can find it, for this demonstration let’s just call it “Datasheet View”, and click OK.
    1. Feel free to scroll down and apply any filters to strip data out depending on the purpose of the spreadsheet you’re building.
  5. Once you’re looking at your new Datasheet view, you want to go to Actions and then choose Task Pane. A task bar will open on the right (you can also use a little gray arrow on the right if you want).
  6. click Query List With Excel, and Excel will automatically open image

In Excel

  1. Choose to Enable the Data Connections (as for security reasons they are typically blocked, but we trust our Internal SharePoint site, so it’s ok).  Once you Enable the data connection, all that Data goodness from SharePoint comes flying into Excel, ready to be worked with.  If you wanted a one time connection, you’re done and you can stop now.  If you want to create a connection you can use over and over again, continue on.
    1. If an Import Dialog shows, make sure it says New Workbook at the bottom
  2. Let’s go and Export the Office Connection so we can use it over and over again
    1. On the Data tab of the ribbon, click on Connections image
    2. On the Work Book Connections pop-up, you’ll see a randomly named connection, ensure it’s selected and click Properties image
    3. Give the connection a friendly name under Connection name as I have done above.
    4. Select the Enable background refresh and Refresh data when opening the file.
    5. After you’ve made these changes, switch to the Definition tab and at the bottom, click Export Connection File.  Save this file with a well known name in a well known place.  I use the Connection Name I defined earlier as the file name as well, then click OK.

Using the Saved Connection in a new Excel file

  1. Now that you have the connection to SharePoint saved as an Office Connection, simply open a new or existing excel spreadsheet, and select the A1 cell (the headers will come in with the connection, straight out of SharePoint!
  2. Click on the Data tab and click Existing Connections and then Browse for More … and navigate to the saved Office Connection.image
  3. On the Import Data  select OK, and the Data from SharePoint just seamlessly Jumps into the Spreadsheet.

Now every time you open that Excel file, it will re-query the SharePoint site for the latest data.  Updating data only in one place saves time and energy.  You can program Excel to make calculations on the data, graph the data and show the data in different pivots as you see fit within Excel.

As a side note, my manager uses this remote data methodology to also download tables from the Internet for his fantasy baseball league to help him make his weekly picks!  If anyone generates a spreadsheet as sophisticated as his, let me know….. No, I can’t give his out, because I don’t have it!

Thursday, February 12, 2009

My Favorite Windows 7 Features

image

Windows 7 has been getting some good press.  I won’t lie.  I definitely like it.  I’ve upgraded 3 of my 4 primary working machines from Vista to Windows 7 Beta.  Two of those three machines are super powerful 4gb of RAM machines that ran Vista really, really fast.  They are even faster with Windows 7, and a clean install (I haven’t tried an upgrade yet) has all of the drivers detected, and there was very little thought on installing it. 

The 3rd machine that I installed Windows 7 on was actually a NetBook.  One of those new fancy machines that is ultra portable, designed for running a browser and not much else.  I have the Acer Aspire One, It ships with Windows XP Home edition installed on it.  I have to say when I first booted it up, I was thinking “Wow! I forgot how old Windows XP was!”.  Anyways, I backed it up via my HP Media Smart Server, attached a USB DVD drive with Win7 Beta in it, and hit GO!  It’s Blaaaaazing fast, and has all the drivers (minus the Wi-Fi driver) detected out of the box.  The good news is the Wi-Fi Driver is a known issue that should be fixed before RTM.  The other good news is installing the XP driver seems to work perfectly fine, and hey, it’s a beta anyways right?

Ok, so now for the part where I tell you my few favorite features, that drive me NUTS when they aren’t there on my last remaining Vista box:

  1. Win+P shortcut – This brings up the *built in* external monitor control applet, allowing you to choose how to present on your laptop, or just use the external monitor as an additional screen
  2. Libraries – built right into Windows Explorer, allow you to show more than one directory in the same view.  If you’re like me and store some documents on your Home Server, and some documents on your local PC, you wont’ be able to live without Libraries!  The local PC is the default save location, but you can choose any location you like. Here is a handy screenshot: libraries
  3. The new Windows Task bar – Place the icons in the quick launch where you want them.  Like Outlook for instance, I always like having it to the left most.  Now no matter what order I open programs in, Outlook is always on the most left, and if I close it, the quick-launch button is right there to re-open it.  And along with quick view, you really can’t go wrong.  I haven’t seen this thing not be snappy either! taskbar

I can’t wait to see what they do after the Beta!  And don’t forget, if you’re trying out the Beta, and you run out of time you can extend it a little bit, yes it works with Win7 too!

Wednesday, February 11, 2009

Installing a GoDaddy Standard SSL Certificate on SBS 2008

Many providers offer inexpensive SSL certificates for domain-only validation. GoDaddy seems to be a popular choice given just how inexpensive the certificates are. GoDaddy’s inexpensive cert is called Standard SSL certificate.

Before we dive in, let’s recap the certificate story in Windows Small Business Server 2008. There are two "types” of certificates and four “states” your certificate can be in. Those are defined on TechNet in the Managing Certificates section of the SBS documentation. The two types are “Self-Issued” or “Trusted”, and by default, SBS 2008 ships using a self-issued certificate infrastructure, which is used to authenticate the server to the client, and encrypt the traffic between the remote client and the server. The obvious downside here is there is extra work with the certificate installer package on your remote/non-domain joined clients, and Windows Mobile devices. At some point there are enough of these to warrant the low cost to upgrade to a 3rd party Trusted certificate. With a 3rd party trusted certificate, the client computers and mobile devices already trust the root of the 3rd party certificate, as these are maintained by Microsoft Update (and various other solutions for non-Microsoft based clients/devices).

As you probably read when you learned about the Internet Address Management Wizard, we have a number of domain name providers, eNomCentral, GoDaddy, and Register.com. All three of these providers are very well equipped to sell you and facilitate installing a trusted certificate for your small business network, so feel free to shop around!

I’ll be going through the steps for GoDaddy today as they are the only provider that requires intermediate certificates, which is a bit more challenging. The process is the same for all the providers, except for eNomCentral and Register.com, you can skip the intermediate certificate steps, and naturally the UI would be different. On a final note, I have not had luck with the GoDaddy certificate and Windows Mobile 5 (Update Below), if you have Windows Mobile 5 devices, you may want to consider one of the other partners, but the best thing to do here is open the certificate store on your WM5 device and validate the root cert for the provider you’re going with is available in the certificate store.

While Matt Williamson’s Installing GoDaddy SLL Certificates on IIS7 talks generically how to install the GoDaddy SSL certificates, it isn’t detailed enough for SBS 2008. The steps below should provide detailed steps, specific for SBS 2008:

  1. In your Windows SBS Console on the server, navigate to the Network tab and the Connectivity sub-tab and launch the Add a Trusted Certificate connectivity task
  2. Click Next on the welcome screen and choose I want to buy a certificate from a certificate provider and click Next.
  3. Verify this information is correct. This information will be encoded in the request to the certificate provider, and cannot be changed without buying a new certificate. Additionally for some certificate requests this information could be used to contact you to validate the ownership of the domain name. Then click Next.
  4. Once you get to the screen below, you are now going to deal with only the certificate provider, with the encoded certificate request shown in the gray box. Since most providers have you paste this into a web browser, you should click the Copy button to place this into your clipboard. image
    1. IMPORTANT: It’s important not to click back or next-back on this page, as it will re-generate a new encoded string, which will not match the request you make to your cert provider.
  5. Once the encoded string is copied safely (I paste it into Notepad so I don’t loose it during the process) Let’s close the Trusted Certificate wizard for now to get it out of the way and prevent errors now that we have that encoded text in the clipboard (and hopefully in Notepad). Let’s click Next and then select My certificate provider needs more time to process the request, and click Next again, the wizard will show a warning that it could not import the certificate into Remote Web Workplace.
    1. You will also notice after you click Finish, that the console now shows Request Submitted and you have an option to Remove this Certificate, which we don’t want to do unless we want to go back to the beginning.
  6. At this point, go to your providers website and follow the instructions for purchasing a certificate. The provider will most likely ask you to purchase the certificate before they collect the certificate information (encoded text above) from you. Notes:
    1. The provider may try to sell you other services, feel free to browse, but the server doesn’t require additional services
    2. The server does not require a wildcard certificate, port numbers (such as 987) are used to save you the cost of purchasing a wildcard certificate
    3. You should get a confirmation email with instructions on how to install the certificate. My particular email has this section in it, stating to log into the website to obtain my cert: image
  7. Once I log into my account, It’s abundantly clear that I have a certificate set up waiting for me: image
  8. I log in to my account using the ID and choose to use your certificate credit image
  9. Next you will want to go to the Manage Certificate Control Panel: image
  10. In the control panel, select your certificate credit and click Request Certificate image
  11. Now you are prompted to insert the CSR, or Certificate Signing Request, which is all of the information you copied out of the trusted certificate wizard (and put into Notepad right?)
    1. IMPORTANT: Make sure you select the server software to be Microsoft IIS.
    2. Note: the actual domain name you are requesting for is encoded in the string from within the Trusted Certificate wizard
  12. Validate the information in the cert is correct, once you confirm it, it’ll cost more money to do this over again, and then click Confirm.
  13. Once you confirm, an email gets sent to the email account on file for that domain name, once you get that email, there is a verification link inside that email that needs to be clicked. Click it and approve the request, some more email will come into that account you just checked. One to tell you that it was approved, and one to give you the link to go and get the encoded text.
    1. One thing to note here is there are two things to download, the signed certificate itself, and the intermediate certificates which must also be installed on the website.
  14. Validate the install type is IIS and click Continue, then proceed to the Download Signed Certificate link and save the certificate to the desktop of the server.
  15. Then click the IIS Installation Instructions link to open up the installation instructions. It’s important to use these instructions for installing the Intermediate Certificate Bundle. You can follow the Installing the SSL certificate steps as well, but it will change the flow through the Trusted Certificate wizard shown later in this instruction set.
    1. So follow the steps from GoDaddy.com, but I’m going to paste and modify them for SBS 2008 here for you as well… These are of course subject to change without notification!!!
      1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC). Agree to the UAC prompt
      2. In the Management Console, select File; then "Add/Remove Snap In."
      3. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
      4. Choose Computer Account; then click Next and Finish.
      5. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
      6. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
      7. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
      8. Follow the wizard prompts to complete the installation procedure.
      9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b). You’ll have to change the file filter at the bottom right to PKCS #7 Certificates.
      10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
      11. Click Finish.
  16. Once this is imported, we can go back to the Trusted Certificate wizard in the product
    1. Click Add a Trusted Certificate in the console to re-launch the wizard if you closed it (as recommended above), and click Next on the welcome page.
    2. Click I have a certificate from my certificate provider and click Next.
    3. Since GoDaddy provided me with a file, I’m going to browse to the file (alternatively if the provider gave back encoded text, that could be pasted into the wizard too) that matches my domain name, in this case, remote.seandaniel.net. and clicking Next. image
    4. We’re finally done, click Finished! Now remote clients will get the benefit of a trusted certificate, and the console reports Trusted as the certificate type.

It’s important to use the Trusted Certificate wizard for the last step, to ensure that the certificate is bound to the correct IIS website, as well as TSGateway for remote desktop access. If you followed all the steps from GoDaddy to install the certificate, simply run the Trusted Certificate wizard and choose I want to replace the existing certificate with a new one, and you’ll get shown the trusted certificate and the self-issued certificate for your domain name, just choose the appropriate one based on the type and the expiration date:

image

On a final note, renewing your certificate after the year, just click that Add a Trusted Certificate link in the console but this time through choose I want to renew my current trusted certificate with the same provider, and follow the instructions!

I did want to call out that NetoMeter.com has a 4-step video process on how to do add GoDaddy SSL certificates to your SBS 2008 server, but a $30 monthly subscription is required to view it, which might be worth it depending on how much help you need with your SBS 2008 server, or might not be worth it if this is your only challenge.

Update – Windows Mobile 5

GoDaddy has e-mailed me regarding support for Windows Mobile 5 devices. WM5 devices older than the AKU2 update only need to have this patch installed. If it is an older WM5 device it needs to be unlocked to allow certificate installation. Once you meet all of these criteria, GoDaddy has provided steps to install the required certificates on your Windows Mobile 5 device. I will copy them here for convenience, although as a reminder, always check with GoDaddy for the latest steps!!

To install the root certificate on your Windows Mobile 5 device:

  • Download the root certificate to your PC in DER format with a .cer file extension (i.e., valicert_class2_root.cer"). The root can be downloaded from the Go Daddy repository.
  • Copy the downloaded root certificate to your device using ActiveSync.
  • On your mobile device, locate the imported file using File Explorer and click on it.
  • The device will display the following prompt: "You are about to install valicert_class2_root.cer certificate issued by http://www.valicert.com/. Do you want to continue?" (If you saved the root under a different name, that file name will show up in the prompt.)
  • Accept the prompt to install the root certificate on your device.
Update: This post also applies to SBS 2011 Standard. But it does not apply to SBS 2011 Essentials

Wednesday, February 04, 2009

A Perfect Small Office Server?

In many cases, a small office makes a decision about a server solution that isn’t actually what they need.  Windows Standard Server will meet their needs, but it’s an expensive solution with generic features not specifically designed for a small office.  In some cases, a simple client computer (Windows XP or Windows Vista) dropped into a corner, to act like a server, can provide a file sharing solution for a small office, but there is lack of security, throughput and simplified management.

There are certainly a lot of things to consider for a small office server.  NetworkComputing.com has an article on all server hardware you should be thinking about. But what server solution do you use to take advantage of all this hardware?  One not extremely well known solution is Windows Small Business Server

Windows Small Business Server includes a simplified management experience, On Premise e-mail and web sharing content, as well as exceptional remote access functionality, all for close to the same price as that Generic Windows Standard Server, perfect for a small office wanting to centralize on a server.  Small Business Server is specifically designed to provide a a simple solution for Small Offices (of less than 75 computer users), and provides plenty of features for end-users, administrators, and new with the 2008 version, customers via Office Live.

Not sure about where to start? try contacting one of the Small Business Specialists. Small Business Specialists dedicate their lives to putting servers into small offices. In fact, Dana Epp, one of the security focused specialists, and also a Most Valuable Professional, as a blog and discusses the top 10 reasons to get SBS 2008.  Some great features include:

  1. Managing rooms and equipment in your company providing a simplified scheduling technique
  2. Remote access to your desktop in the company securely
  3. Simplified user management through templates
  4. Directory quota’s to ensure company data on company
  5. Centralized data storage
  6. Secure and private email solutions

… and many more items.

Windows XP and Windows Vista, while able to share files, aren’t set up for performance access to shares for a small office, and Windows Server Standard server doesn’t provide simplified management, on premise email and easy to understand remote access for your office workers.

In addition to Windows based solutions, you can consider other operating systems, like a small office Linux server. but you have to ask yourself, what’s the cost of ownership? The biggest problem I have with Linux is total cost of ownership.  Sure the solution is “free”, like a free puppy up front, and it seems like a good deal, but how much time do you want to spend on It versus running your business?  Small Business Server opens an easy to use, friendly console right when you log in.  on Red Hat, you have to type “control-panel” at a shell window?  I mean if you want to make a change to the server 2 years later, do you want to re-learn how to use the system?  Don’t get me wrong, I like Linux as much as the next person, but I have to re-learn it every time I touch it.  The article talks about cost, and it’s true they talk about hardware costs only, and no operating system cost, but costs are not calculated in money only, they are calculated in time.  Computer hardware is cheap compared to a salary for someone to manage a server.  I just don’t believe Linux works as a small office server since you essentially need to keep an IT person on staff to manage it.