THE OFFICIAL BLOG OF THE SBS "DIVA"

Shavlik Technologies has released updated XML files for Shavlik HFNetChkPro.
XML data version = 1.1.2.105 
Last modified on 5/31/2004

 This update includes the following changes:
 - Added detection for Exchange Server 2003 SP1

(we are still testing the deployment instructions for this SP, thus the package
is not available for download and deployment at this time.  We will release an
updated XML file when this SP is available for download and deployment via Shavlik
HFNetChkPro.)

- Added detection and deployment for ISA Server 2000 SP2

I'm not surprised that the Exchange file is not ready to deploy.  I've seen some people having a bit issues with the install and it needs the GZIP patch prior to installation.  Plus post installation we need to adjust some settings.

Today we had Ice Cream [old family recipe], which means this is the start of Summertime in California.....and I just looked at Weather.com and yup, we're definitely going to get hot next week.

6 eggs [I now use eggbeaters since this is a non cooked ice cream recipe]

2 cans of evaporated milk

2 cans of sweetened condensed milk

2 tablespoons of Vanilla along with scrapings of vanilla beans

1 teaspoon of orange extract [can also be lemon extract or even better Grand Marnier liqueor

Mix and pour into a 4 or 5 quart ice cream container, fill remaining space with whole milk, half and half, and some cream in whatever proportions to your taste

Load up in the electric or hand crank ice cream maker, cover with ice, enough rock salt to melt the ice and about 45 minutes later... voila.  So good, you don't even need chocolate syrup. 

Now back to our regularly scheduled SBS blog....  ;-)

In the newsgroups today, a person updated his SBS 2000 and was prompted that the TS in application mode would be removed during the upgrade.  He went through the upgrade and then posted back in the newsgroups asking how to turn on Application mode again.......

Well... it can't be turned back on again..... and we should not have been allowed to do it in the first place. 

Let's determine why shall we?

Okay first and foremost, would you agree that allowing your employees to sit at your server and use it as a workstation is a good idea?  Probably not right?  Well that's what you are doing when you do TS in application mode.  You are allowing people to log onto that server, use possibly “leaky“ applications that may require you to reboot the server, and in general, expanding greatly the threat vectors on that server.

Take for example - Internet Explorer.  You have to remove the Enhanced IE security [go into add/remove programs to remove this on a normal server].  Michael Howard [MS Security dude] talks about the threat modeling that they did on Windows 2003 server.  Near the end of the project they did a “threat model“ brainstorm and asked themselves what was a potential issue....and the threat that came back was surfing on that domain controller.  So the Security folks pushed through that Enhanced IE [you know that box that prompts you the web site you are wanting to go to is not in a trusted zone?].  Andrew Duthie talks about the settings on his blog.

Right now my security issues are the spybots and gunk that are going after Internet Explorer.  Just last night in talking “geek“ with my friends from LA that were up for a visit, Pierre talked about having to track down a browser hijack program [He wanted  to do it manually, but he could have used the CWshredder tool].  Now ask yourself, do you want to do that on your one and only domain controller?  Think of what you do to clean up your separate desktops. 

So the next time someone says “But it's dumb, I want my TS in application mode back!“ remember that we can't do things the way we used to.  That was then, this is now. 

Now, there is one way that this can be better.  Documentation and information. 

In one of the listserves I'm on we were chatting about the lack of documentation on this issue [and I'd add the lack of documentation of WHY we shouldn't do it]  Now granted, we women would argue that guys don't read, but I do agree with my fellow listmates that the information about the lack of TS in application mode should be WAY more obvious.  The information of how it is no longer supported or included and why it's not safe and secure to have it there in the first place needs to be way way more obvious.  In fact it should be part of the sales and marketing stuff because to me, it shows better than anything else that Microsoft is indeed “walking the walk, talking the talk“.  We asked them to make the products more secure.  They responded.  This should be a selling point that they are making it more secure, not a “What happened to TS?“ question in the newsgroup.

Documents that discuss TS in application mode removed .....

This KB   and read Page 44 in this document

842438 - ISA Server 2000 performance may be reduced if the Exchange Server 2003 server is processing unusually heavy traffic:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;842438

837366 - The Active Directory Migration Tool displays a "RPC server is unavailable" error message in Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;837366

841487 - You receive a "Command line option syntax error" error message when you install SQL Server 2000 SP3:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841487

811176 - You cannot remove suspicious folders from the FTP file structure:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;811176

Let's not forget Exchange 2000

Download details: Update Rollup for Exchange 2000 (KB836488):
http://www.microsoft.com/downloads/details.aspx?familyid=43f5cdf6-d1e6-4476-b5f2-e17371236c3c&displaylang=en

Download details: Windows SharePoint Services 2003 Software Development Kit (SDK):
http://www.microsoft.com/downloads/details.aspx?familyid=1c64af62-c2e9-4ca3-a2a0-7d4319980011&displaylang=en

Random musings is the title of Charles Anthe [SBS Release Manager] latest blog entry and talks about upcoming changes to SBS2k3.  Remember when you have a newsreader inside of Outlook like Newsgator or IntraVnews, that blog entry gets pushed to your inbox into a folder.  Really cool. 

He also talks about a tool that he's testing that notifies you of downloads.  Right now the way I do it is through the Thundermain scrape of the Microsoft Downloads site.  If you click on that link it looks like goblety gook, but in an RSS reader it shows me what new stuff has hit the download site.....

speaking of which.... next post...

1.  You need to install the GZIP patch from 831464 first

831464 - FIX: IIS 6.0 compression corruption causes access violations:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q831464

2.  Can't install because of an issue with Search

If you are getting Dependency Manager: ***ERRORLOG EVENT*** :
CDependencyManager::ValidateDependencyStates() : The dependency of
Microsoft Exchange Messaging and Collaboration Services on Microsoft
Search is not satisfied.

Look under this key "HKEY_LOCAL_Machine\Software\Microsoft\Search\Install"
and if all you have is [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Search\Install]
"InstallPath"="C:\\Program Files\\Common Files\\System\\MSSearch"

Then add the following :

   Major Version: REG_DWORD: 0x9
   Minor Version: REG_DWORD: 0x6b
   Version: REG_SZ: 9.107.5512

Then reboot

3.  Forgot to add, when I'm installing a big SP like this, I'll manually shut off the Services to the “things“ that I know will be affected... in this case shut off all services with Exchange in the name, all A/V services, all IIS services.  Go into start, control panel, admin tools, services, and “stop“ the service.

And added a new post category of “Needed Patches/Tweaks” to capture all the items needed to finish up an install “after“ the box is loaded with SBS2k3.

I'm stealing this disclaimer from Les [Les is More]

Be aware that this list is a compliation of all hotfixes and configurations.
They do not all apply to all installations, do not use them out of context.
Use only what is required for your installation.

Patch for BCM with SBS2k3 - http://msmvps.com/bradley/posts/7228.aspx

Tweak for change in Domain\User after Exchange 2k3 sp1 - http://msmvps.com/bradley/posts/7156.aspx

Memory switch tweak  http://msmvps.com/bradley/posts/7147.aspx

Exchange 2003 sp1 -  http://msmvps.com/bradley/posts/7084.aspx 

POP3 Connector patch - http://msmvps.com/bradley/posts/6920.aspx

ISA Server 2000 - sp2 http://msmvps.com/bradley/posts/6868.aspx

Tweaks that “I“ personally do - http://msmvps.com/bradley/posts/6193.aspx

Installing Trend - http://msmvps.com/bradley/posts/6038.aspx

Hotfixes - now included in Exchange 2003 sp1 - http://msmvps.com/bradley/posts/5295.aspx

Error #50070 STS_Config - http://msmvps.com/bradley/posts/4292.aspx

Change REG key http://msmvps.com/bradley/posts/4283.aspx

Disk quotas/permissions http://msmvps.com/bradley/posts/4040.aspx

Faxes not opening right? http://msmvps.com/bradley/posts/4025.aspx

Sharepoint slow to open? http://msmvps.com/bradley/posts/3799.aspx

Error 800423f4 in backup log? http://msmvps.com/bradley/posts/3792.aspx

Install SUS http://msmvps.com/bradley/posts/3074.aspx

POP Connecter taking all resources? http://msmvps.com/bradley/posts/2540.aspx

Install GFI faxmaker http://msmvps.com/bradley/posts/2155.aspx

VSC and SQL server issues http://msmvps.com/bradley/posts/1239.aspx

Tweak ISA http://msmvps.com/bradley/posts/1221.aspx

Disable NDR http://msmvps.com/bradley/posts/1220.aspx

Hooking MACs into you LAN? http://msmvps.com/bradley/posts/1161.aspx

Add ISA to the console http://msmvps.com/bradley/posts/1112.aspx

Flat file backup of Sharepoint http://msmvps.com/bradley/posts/1103.aspx

Sharepoint fix http://msmvps.com/bradley/posts/1089.aspx

Outlook over HTTP http://msmvps.com/bradley/posts/1043.aspx

Anti Virus fix http://msmvps.com/bradley/posts/932.aspx

Enable Full text search http://msmvps.com/bradley/posts/822.aspx

Hotfix for Travan drive http://msmvps.com/bradley/posts/808.aspx

Get Sharepoint through ISAhttp://msmvps.com/bradley/posts/796.aspx

Exclude site from Google Searches http://msmvps.com/bradley/posts/618.aspx

Sharepoint on first launch http://msmvps.com/bradley/posts/599.aspx

I think that's all the funky patches and tweaks that us SBSers need for post installation.  Do I need any more?

Fellow SBSer Tavis Patterson has a SBS/SMB blog located at http://www.taznetworks.com/rss/webblog.html with the RSS feed for it http://www.taznetworks.com/rss/tazrss.xml

If you haven't found the power of RSS feeds and newsreaders, this is the time to get cracking.... I personally like newsgator but there is also IntraVnews

Advantage of IntraVnews - free for personal use

Advantage of Newsgator - plug ins that post to blogs, read and post NNTP newsgroups

UPDATE - THIS WORKAROUND ISN'T GOING TO WORK 100% - SO JUST HAVE YOUR CLIENTS TYPE IN DOMAIN\USER - THE SBS TEAM IS WORKING ON A PERMANENT FIX

820378 - Outlook Web Access session unexpectedly quits when forms-based authentication is used:
 http://support.microsoft.com/?kbid=820378

If you want to change OWA so that you don't have to type in domain\user after the application of Exchange 2003 sp1, Matt Gibson in the public newsgroups says --

“Go into IIS admin, go to your OWA website, right click on the exchange dir
and go to "Properties".  Then go to the "Directory Security" tab, and click
on the "Edit" button under the "Authentication and Access control".  At the
bottom of the new window, you'll see "Default Domain" and "Realm".  Just
change "Default domain" to your domain, and you'll be good to go.”

Update by Roger Crawford --  
 
Update to this be sure to include doing this on the Public Virtual  Folder
or you will get kicked out of Public Folders when you try to view them
 
Update from the newsgroups --
 
Just try reruning the CEICW which will setup the proper settings as OMA is messed up as well
 

Then I would like to explain this issue in more detail for you:
By default, after running CEICW in SBS 2003, the component will set the 
Default Domain property on the corresponding IIS sub-directories (under 
Authentication -> Access Control) as following:

1) /Exchange/: \                    (cerntainly you can change it to SBS 
domain name so you do not need to input the domain name any more. Since you 
had mentioned that you do not need to input the domain name in the 
previous, you may change this by yourself in the previous)
2) /Microsoft-Server-ActiveSync/: SBS domain name
3) /OMA/: SBS domain name

This is considering the fact that PPC or mobile phone cannot use the 
reverse backslash character when inputting credential. 
(This is why I say your workaround that you had found is correct and the 
best solution because this is just the correct setting for OWA and OMA)

The Exchange 2003 SP1 may change the settings back to the default (/OMA/:  
\ ). And this cause the issue on your system.
Or 
 
A poster in the newsgroup says that he used the following workaround -- 
“I used the "Default domain" entry box via IIS management, Exchange and OMA 
websites, Authentication and Access Control to set a default domain. After 
that, the logon process for OWA and OMA work like they did pre-SP1.“

I put together some screen shots here to help out -- 

http://www.sbslinks.com/domain.htm

http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx   Well the EHLO blog comes through once again with a cool post about how the SCL [spam ranking] can be exposed to help a user better understand the filtering process. 

This is interesting... this seems backwards to me “This array allows you to choose how aggressive or conservative you want your spam filtering to be by selecting a threshold value above which you consider a message to be spam. If you want to aggressively filter spam, you can choose a fairly low threshold, such as an SCL value of 5, which would catch a higher number of spam messages. However, a higher number of false positives would also be caught. To filter spam more conservatively, you can choose a higher threshold, such as an SCL value of 8, which would catch fewer spam messages, with a lower number of false positives being caught.“

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/e2k3/e2k3/ast_spam_confidence_level.asp

So putting a higher value on that SCL setting does not mean that you'll catch more spam, it actually means you'll catch less spam.

Do you have over 1 GB of RAM?  Did you notice this in the release notes...

Event 9665: Update to recommended memory settings for running Exchange 
Server 2003 SP1 on Windows Server 2003.

When you are running Exchange 2003 SP1 on Windows Server 2003 with more than 
1 GB of RAM, it is recommended that you set the SystemPages registry key to 
zero. This recommendation contrasts with the recommendation for Windows 2000 
Server, which is to set SystemPages to a value between 24000 and 31000.
The recommended memory settings for Exchange 2003 SP1 on Windows Server 2003 
with more than 1 GB of RAM are as follows:

If you host mailboxes or public folders on a server with more than 1 GB of 
RAM, make sure that the boot.ini file contains the /3GB switch.
When you use the /3GB switch, add the /userva switch to the boot.ini file 
and set the switch to a value between 2970 and 3030.
When you use the /3GB switch, set the hexadecimal value of the following 
registry key to 0x00040000:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\HeapDeCommitFreeBlockThreshold
Set the decimal value of the following registry key to zero:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\SystemPages
If you set SystemPages to the Windows 2000 Server recommended value of 
between 24000 and 31000, an Event 9665 will appear in the event log.

-Trevor

...and you are probably looking for an archive manager tool right?  The EHLO blog comes through, once again with a downloadable from the Gotdotnet web site an IMF Archive manager..

http://blogs.msdn.com/exchange/archive/2004/05/26/142366.aspx 

Download details: Exchange 2003: Badmail Deletion and Archiving:
http://www.microsoft.com/downloads/details.aspx?FamilyID=782aaf0f-6239-40ad-adda-97863d852ff7&DisplayLang=en

Oh I've died and gone to heaven .... look at all this Exchange stuff!

http://hellomate.typepad.com/exchange/2004/05/lots_of_goodies.html

Download details: Exchange 2003: All-In-One Tools Download:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f616c6-8fa4-4768-a3ed-cc09aef7b60a&DisplayLang=en

*YCST is the abbreviation for “You can script that!”, Jeff Middleton's favorite saying.  And it looks like they did just that... scripted that Badmail deletion!

Oooh... more streaming audio of interest..this one is techy related...

http://www.microsoft.com/technet/community/tnradio/default.mspx

This one is more general and salesy

http://www.itconversations.com/

And lots of XP sp2 webcasts coming this way...

http://msusapartnerreadiness.com/webcast/webcasts.asp#windowsxp

Catching up on TechEdBloggers feed and spot this....

Paul Robichaux writes "Very cool news: the Exchange Intelligent Message Filter is out, and it's available at no cost to all Exchange 2003 customers. Microsoft had previously said they would only offer it to SA customers, which generated a lot of discontent. I'm glad to see them reversing their stance..."

http://www.microsoft.com/exchange/downloads/2003/sp1.asp

And YES you should install this on SBS 2003 boxes!