Thursday, March 31, 2005

Official Windows Server 2003 SP1 on Windows Small Business Server 2003 response

There have been quite a few questions regarding Windows Server 2003 SP1 and its support on Windows Small Business Server 2003. I hope this post will clear up any of the confusion here. As always, if you have immediate questions, please feel free to ask them here and I will attempt to answer your questions as best I can.

Windows Server 2003 SP1 is supported on Windows Small Business Server 2003, but there are some known integration issues that are resolved in the Small Business Server SP1 (available within the next 60 days). With the Windows Server SP1 installed, you may encounter the known issues and our recommendation is to:

  1. Be patient with the issue and wait for Windows Small Business Server 2003 SP1

  2. Un-install Windows Server 2003 SP1, and wait for Windows Small Business Server 2003 SP1, which includes Windows Server SP1

Furthermore, a KB Article will be written to further address these issues, and I will follow up with the link to the KB when it is available.

In the meantime, here is the short list of the known issues:

  • Remote Access Wizard hangs when creating the connection manager package

  • Small Business Server Change IP tool will fail

    • Change IP tool will continue to fail after un-install of WS SP1

    • Workaround: Remove WS SP1, disable DHCP, re-run CEICW

  • Power Users retain SharePoint Administration privileges even after the role is changed to Reader

  • Re-Install of Exchange fails

  • Re-Install of Intranet component fails

  • Fax Services won’t start and the Fax Configuration Wizard cannot be run after un-installing Windows Server SP1

  • DHCP service may not start after a restore

Please let me know if you have any further questions.

Wednesday, March 30, 2005

Getting Ctrl+Alt+Del to work in different scenarios

If you haven't heard of a Microsoft MVP, you're not spending enough time in the community. These folks really help you out! Specifically the "blog-a-holic" Susan, or as known by her friends, the SBS DIVA.

Yesterday, she had a blog post, which I somewhat take for granted, mind you, I've been assimilated. :) How to Shutdown was posted on how to shut down a box remotely. But it goes further than this, really, what Susan is getting at is how to get to the Ctrl+Alt+Del box when you're in a remote desktop window and so forth. Not only can you shut down from here, but you can change your password, get to the task manager, logoff the box etc. Very useful screen.

Here are some of the ways to get to this box in some different scenarios:

  • On the local box - Ctrl+Alt+Del

  • In a Remote Desktop Window - Ctrl+Alt+End -or- Start --> Windows Security

  • In a Virtual Server machine - Right-Alt+Del

Enjoy your free access to the Windows Security dialog.

Tuesday, March 29, 2005

What causes that Open/Save dialog?

Have you ever wondered why for some files you get the Open/Save dialog when you are saving an attachment in Outlook, and for others you don't?

Now you have the power!

  1. Open Windows Explorer

  2. Go to Tools and then Folder Options

  3. On the File Types tab, select the extension type you are interested in and click Advanced

  4. You'll notice a check box called Confirm open after download. If this is checked you will get the open/save dialog, if not it will just open with the registered handler.

The settings you change here are saved in HKEY_CLASSES_ROOT in the registry for each specific extension. For example, if you change the .txt extension, the changes are saved in the \txtfile key.
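To audit which extensions have had the confirmation turned off, the following added example (not part of the original post) reads an exported HKEY_CLASSES_ROOT `.reg` file, follows each extension to its handler key the way `.txt` maps to `txtfile` above, and reports the ones that open without the dialog. It assumes the setting is stored in the handler key's `EditFlags` value with the `FTA_OpenIsSafe` bit (0x00010000), which comes from the Windows shell documentation rather than from this page; the sample export is constructed.

```python
import re

# FTA_OpenIsSafe bit of EditFlags (Windows shell file-type attribute, not named
# on the page): when set, "Confirm open after download" is unchecked.
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample in .reg export format; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\txtfile]
"EditFlags"=dword:00010000
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
[HKEY_CLASSES_ROOT\.reg]
@="regfile"
[HKEY_CLASSES_ROOT\regfile]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\.wsh]
@="WSHFile"
[HKEY_CLASSES_ROOT\WSHFile]
"EditFlags"=hex:00,00,01,00
[HKEY_CLASSES_ROOT\.log]
@="txtfile"
'''

# Matches only keys directly under HKEY_CLASSES_ROOT (no further backslash).
KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')


def parse_edit_flags(data):
    """Decode EditFlags stored as dword:XXXXXXXX or as REG_BINARY hex:aa,bb,cc,dd."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex:"):
        raw = bytes(int(b, 16) for b in data[4:].split(",") if b.strip())
        # REG_BINARY is stored little-endian; pad short values to four bytes.
        return int.from_bytes(raw[:4].ljust(4, b"\0"), "little")
    raise ValueError("unsupported EditFlags encoding: " + data)


def audit(reg_text):
    """Return sorted extensions whose handler opens without the Open/Save dialog."""
    progid_of, flags_of, key = {}, {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1).lower() if m else None  # values in subkeys are skipped
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1).strip('"').lower(), m.group(2)
        if name == "@" and key.startswith("."):
            progid_of[key] = data.strip('"').lower()   # ".txt" -> "txtfile"
        elif name == "editflags":
            flags_of[key] = parse_edit_flags(data)
    return sorted(ext for ext, progid in progid_of.items()
                  if flags_of.get(progid, 0) & FTA_OPEN_IS_SAFE)


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

Because the flag lives on the handler key, every extension that shares a handler (here `.txt` and `.log`) inherits the same behaviour.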


Monday, March 28, 2005

Support Configurations

Some folks have asked how we test SBS and in what configurations. So I thought I'd write a little post on that.

First off, we base our install configurations on the network topology. SBS does really well if you plug in your network topology before you start your install. The SBS tools detect and lead you down the appropriate paths if you've pre-setup the hardware on your network. Moreover, if you're thinking about not using our tools, think again. So many things are done under the covers you wouldn't want to have to remember to do them all each time you do an install would you? Also, we make some changes to items that do not expose UI, so it's impossible for you to make these changes.

The 2-nic scenario
This is the birthplace of SBS. SBS being the firewall/NAT box on the network, one network card pointed out to the internet and another pointed in to the internal network. SBS 2000 ran like this, SBS 2003 also supports it. Some people like to toss a hardware firewall in front of the internet facing nic, but other than creating a DMZ, I'm not sure what this does, and can definitely lead to confusion if you don't use different not-routable IP subnet masks on both networks.

The 1-nic scenario
This is new to SBS 2003: support for routers and for running without a specific firewall on the SBS box. You are relying on the configuration of an additional hardware router. Of course, SBS attempts to configure this via the UPnP configuration standard, but many UPnP-enabled routers have implemented the UPnP standard differently. This means that in some cases, what you expect to happen doesn't happen.

Of course, I should mention that the 1-nic scenario has two sub-scenarios: DHCP on the SBS box, and DHCP on the router. I personally would recommend the former, disabling DHCP on the router and running this off the server. This is for a number of reasons:

  • There is no risk of failure due to an incorrectly configured DNS configuration on the Router

  • All routers support turning off DHCP in some form or another

  • Should you have a problem with a client, you can get to the IP address of that client directly from the server

I started running SBS with DHCP on my router and have since moved over to the SBS box so I can manage it all from the server.

The word of caution is, if you are going to leave DHCP on the router, please please please be sure to place SBS as the primary DNS server in the router configuration.

Friday, March 25, 2005

Thursday, March 24, 2005

How do I get Help from Microsoft?

The SBS "Diva" has a great post on how to contact Microsoft to get technical support.

But what she didn't mention is the great support provided in the newsgroups. Microsoft hosts some public newsgroups that can be used to get help.

Here is the beauty of it. You can get help simply by posting, Product Support may or may not answer your question, but the rockin' SBS MVPs may also answer your questions!

Now if you're not getting a response, you can simply register your posting email address and Product Support will guarantee you an answer.

Tuesday, March 22, 2005

Configuring Delegate Access on Exchange (Part 2)

Yesterday, in part 1, I showed you how to create a delegate access from one user to another. But what if you want an account like "sales" or "info" shown on your website that you want multiple people to reply to?

You wouldn't want to use a Distribution List because that means everyone monitoring that DL would get a reply, all slightly different (hopefully slightly anyways!). You need a single mailbox in order to maintain the state so you don't spam your customer with too much response (i.e. over customer serve).

Basically, you would follow the steps in yesterday's post to create a user and create access, but you'd have to do one more step, you'd need to exclude that account ("sales" or "info") from the Password Policy.

Here's how:

  1. On the SBS server, open Server Management and expand Advanced Management, Group Policy Management, Forest, Domains and finally {yourdomain.local}.

  2. Select the Small Business Server Domain Password Policy.

  3. In the right-hand pane, on the Delegation tab, click Add.

  4. Type in the alias of the "sales" or "info" account and choose OK, then give this user Read access for now.

  5. Make sure the account is selected and choose Advanced at the bottom of the right-hand pane.

  6. In the ACL box that opens, choose Deny in the Full Control box (which checks all the boxes under it). Then choose OK.

Now you are preventing this account from reading the policy, so the policy will never apply to that specific user. Thus the "sales" & "info" accounts will never need to change their passwords. That of course makes it ultimately important that you choose very strong passwords for these accounts that cannot be dictionary hacked.

And now you are complete, you can have multiple users manage a single mailbox and that makes it easy for there to be only one reply to the customer when they have a simple sales question.

Monday, March 21, 2005

Configuring Delegate Access on Exchange (Part 1)

[Warning, I'm in a rambling mood today]

Family is important. In my opinion, you should do whatever you can to help your family. As I think I've mentioned in the past, my grandfather, after he retired decided to keep his mind active by learning the computer. Now everyone might say "you can't teach an old dog new tricks". Well, my grandfather might be special, but you can actually teach him new tricks, you just can't teach him multiple ways to do the same trick. We've been working on email and reading news on The Globe & Mail website (Canada's top newspaper).

As any user with two computers and two pop3 accounts, he was struggling with email. My grandfather is what we Canadians call a "snow bird", meaning he lives in Florida during the cold months, and Ontario during the warm months. This posed a problem, he got used to the idea of a "Toronto" and a "Florida" email address. He'd either not respond to email for months and months, or he'd tell people to email him at another email address during different months.

In my book, unacceptable. Enter SBS.

I set my grandfather up with an account on my server here in Seattle, then while on vacation with my grandfather on Vancouver Island, BC, I managed to convince him he needed a new computer (to upgrade from Win9x to WinXP with Office 2003), we ordered it from Dell over a dial-up connection (wow those things are slow!). The next month, I was in Toronto unpacking and moving his data to the new computer. I configured the new box to point to my server in Seattle using RPC over HTTP for email. After ironing out a few kinks (upgrading his ISP's DSL modem), he was up and running.

Originally, I had left his Outlook checking both email accounts. Unfortunately, what I didn't realize was that he was getting 15-20 pieces of spam a day, and maybe 1 or 2 emails every 3-4 days!

So being the good grandson I offered to check my grandfather's pop3 email for him, and send him any non-spam email. My grandfather didn't seem to mind the invasion to his privacy, and I set it up.

For the first little while, I'd just forward email to him that was not spam, until one day he decided to reply. *I* got the reply! Whoops!

I needed a new method to just make this work for him so he can't tell the difference. Delegate access was the way to go! I had to drag & drop the actual messages into his inbox so he could just hit reply and it would come from his email address.

So I set out to accomplish this task. Outlook help probably saved me about 15-20 minutes. Here are the steps that I followed:

  1. Log into the mailbox as my grandfather using Outlook in RPC/HTTP mode (not that it matters)

  2. I went to Tools, Options, and the Delegates tab

  3. Click the Add... button

  4. Select the user from the GAL you want to have delegate access

  5. Change the permissions that person has on the different parts of Outlook. In my case, I only wanted access to the inbox, so I changed that to Editor (can read, create, and modify items).

At this point, I was finished with the user's inbox, so I closed it up. I then opened mine since it was me that I gave access to. I then followed the steps to add the mailbox to my Outlook view:

  1. In my Outlook, I went to Tools, E-Mail Accounts and clicked on View or Change existing e-mail accounts and clicked Next.

  2. With the Microsoft Exchange Server account selected, I clicked on Change.

  3. Then More Settings on the Exchange Server Settings Page

  4. On the Advanced Tab, I clicked Add and typed in the alias of my grandfather

At this point, I have my grandfather's mailbox showing up in my Outlook folder list, but if I try to expand it, I get an error. I thought I'd be done at this point, but apparently there is one more ACL you have to change, as an admin, on the server.
Here's how:

  1. On the server open Server Management and browse to the Users snap-in.

  2. Right click the user in question and choose Properties.

  3. On the Exchange Advanced tab, click on the Mailbox Rights button at the bottom.

  4. In here, I had to add myself to my grandfather's mailbox and give myself Full mailbox access. There may be a lesser permission you could do here, but my grandfather trusts me, so this is fine.

That's it! Now I can expand my grandfather's mailbox in my Outlook view and drag and drop any mail in there I want! Now when I get mail from his pop3 service, I can drop it into his actual mail box, and he's able to hit reply.

The only other thing you might want to do, is if you are using strong passwords on your network (which I strongly recommend), and the account is not logged into, you'll have to exclude it from the password policy to make sure that the password doesn't expire on that account and no one can access it. But I think I'll save that for tomorrow's post.

Part 2 is available here!

Friday, March 18, 2005

Hacky Hack - Outlook & Exchange on the Same Server

Wow, so I spent some time this morning to really understand why you can't run Outlook and Exchange on the Server. Seems to result in badness for Outlook more than Exchange. And to be quite honest, you can't say we didn't warn you. If you install Outlook on your Exchange Server, and try to launch it, you'll get the following warning:

Good times.

Outlook may appear to run, but there will probably be send and receive functionality with Outlook, and perhaps some problems with Exchange, I didn't have time to try *all* the features :o)

In speaking with a co-worker here at the office I managed to get pointed to a rather interesting MSDN article on the End of DLL Hell. In reading it (although I just got the info straight from my buddy), it says that if you create a folder called executable.exe.local in the same directory as the actual executable.exe, the OS helps the exe find its own copy of the DLL, to make applications function on the same box.

So naturally, I turned to my favourite no Outlook on the server problem.
After an install of SBS 2003, with Exchange, I proceeded to do the unthinkable (it was a test box, so it's ok). I installed Outlook 2003 on the server (from the server which made the install rather quick I might add). Before opening Outlook, I copied "C:\Program Files\Common Files\System\MSMAPI\1033" over to "C:\Program Files\Microsoft Office\OFFICE11\Outlook.exe.local". What little I tried, all appears to be functional.

I do want to write a little disclaimer, which is important, so I'm going to change the font colour.

Outlook 2003 and prior are not supported running on Exchange Server 2003 and prior

There I said it. Use this tip at your own risk. This isn't something I've done at my house either.

But I know some folks live more on the wild side than I, and wouldn't mind taking a few risks. :)

Thursday, March 17, 2005

Don't forget your attachment!

I've been reading on KC on Exchange & Outlook and came across a really cool post on a little macro you can write within Outlook to make sure you don't forget to attach files. The simple version (which of course you can customize to suit your own typing style) is here:

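Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
  Dim lngres As Long
  ' Only check messages whose body mentions "attach"
  If InStr(1, Item.Body, "attach") <> 0 Then
    If Item.Attachments.Count = 0 Then
      ' A call split over several lines needs the " _" line continuation in VBA
      lngres = MsgBox("'Attach' in body, but no attachment - send anyway?", _
        vbYesNo + vbDefaultButton2 + vbQuestion, _
        "You asked me to warn you...")
      ' Setting Cancel to True stops the message from being sent
      If lngres = vbNo Then Cancel = True
    End If
  End If
End Sub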

Of course you'll have to know where to place this macro:

  1. Start Outlook

  2. Tools | Macros | Security

  3. Choose “Medium”, which will prompt you on whether or not you want to run macros (VBA). You may need to restart Outlook at this point in order for that setting to take effect.

  4. Tools | Macros | Visual Basic Editor

  5. Double-click on ThisOutlookSession on the left, which will open the code window on the right

  6. In the code window, paste the code

  7. Optional: View | Immediate to make the immediate window show up

  8. Put the cursor in the middle of the code you just pasted

  9. Press F5 to run it

And of course, the source of this wonderful macro is KC, and her blog post is here.

Wednesday, March 16, 2005

Abusing the Logon Script

So you're getting your server status reports, and notice you have some KERBEROS errors that show up from some clients, or you just happened to notice the time is different on the server than it is on the client.

First things first, make sure the Windows Time service is enabled on your server. The next thing you have to do is to re-synch the time with all the clients on the network.

Whoa! That could be up to 75 client computers! (even with more than 5 it's a pain)

So, you need a way to run a command line on each client on the network. The specific command line is

net time /set \\permit /y

The joy of SBS is that each time someone logs in, a logon script is run. You can simply modify it by:

  • Opening SBS_LOGON_SCRIPT.BAT from C:\WINDOWS\SYSVOL\sysvol\DanielFamily.local\SCRIPTS

  • Adding a new line with the command line shown above

  • Saving the file

Now each time a user logs in, this will get run and just set the time on the users PC to match that of the server.

Once you get the time service synchronized, then you can remove this from the logon script as it's really superfluous.

I'm sure you might also want to run other things on the client, feel free to use the logon script for that also!

Tuesday, March 15, 2005

Using Public Folders for Contacts

Admittedly, Small Business Server 2003 gives you plenty of space to store contacts. I mean look at it, it's a contact storing MACHINE!

Ok ok ok, so there isn't much direction as to where to store your contacts, you have

  • The Active Directory

  • SharePoint

  • Public Folders

  • Outlook Personal Contacts

So what should you choose?

Active Directory
Shows up in the GAL and is easily searchable, but you need an admin to add each and every contact. I also find that if a contact changes an email address, it's not as easy as Outlook to change it.

SharePoint
SharePoint is great, but you can't add the contacts to an e-mail message if you're not in the office (or on a VPN connection)

Outlook Personal Contacts
This is a great way to store personal contacts, but you can't share them with your co-workers

Public Folders
In my opinion this is the best way to store contacts. An Admin makes the public folder, and any user can add or change contacts inside the folder. One other gotcha is that the admin must create any Distribution Lists. When using OWA you have to select the public folder from the drop down list in order to email contacts from it.

And there you have it, the ways to store contacts on SBS!

Monday, March 14, 2005

Blocking MSN Messenger with ISA

Wow, it's been a while since I posted. Last week I was on vacation and somewhat, disconnected. And of course I'm sure you all know what the week before you go on vacation is like, needless to say, blogging dropped to the bottom of my priority list for the two weeks.

Well, now that I'm tanned nicely, I figured I'd start blogging again.

I was browsing one of the many communities that I stay active in, and it occurred to me that not everyone wants to have MSN messenger enabled on their business network. This could be either because you don't want company secrets being sent out via clear text to the Internet, or just because Mom doesn't need to talk to her son all day. I'm not going to get into the politics because I believe people should have all the tools necessary to do their jobs, if it's deemed that IM is not one of them, Microsoft has provided a slick KB article on How to Disable MSN Messenger 6.0 traffic in ISA 2000.

Seems pretty simple, so I'll leave it at that.

Tuesday, March 01, 2005

What is RSS?

Wow, so today I realized (after I got a question) that I haven't stepped back to say how to use RSS feeds. I know you can find this on the web, but hey, I thought I'd try to explain it a bit here so you have it.

RSS stands for Really Simple Syndication. Microsoft provides an in-depth explanation of what RSS is. Basically, it is an XML formatted page that specific readers understand to download content from a website to your inbox, so you don't have to go to the website just to read the updates.

You simply look for websites with the all too common picture. Once you have your news reader installed, you click on this link and subscribe to the feed.

News Readers
So now you're probably wondering what is a news reader? Well, I typically look for ones that plug into Outlook. I want to have Outlook as my central information gathering program. I use NewsGator, but there are others like IntraVNews that are free. I use NewsGator myself. I can right click on the graphic and choose Subscribe in NewsGator. NewsGator analyzes the feed and boom, news articles start pouring into your Outlook.

Why don't you try to practice as I believe there is one of those graphics on this page. Can you find it?