[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] March 2005 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"

March 2005 - Posts

In the mailbox tonight [one last post....] Carl asks “I couldn't connect from outside the router to the SBS2003 through Sharepoint. From inside, everything works fine. I turned on port 443 and 4125 on the router. How do I troubleshoot this?”

And Carl...your email address wasn't right so it bounced back...so I'm blogging back the answer.  Figure it's more productive than sending the email I'd really like to send to the Windows Update team right about now anyway.....

Remember if standard....port 444 also needs to be open from the outside on the router for Sharepoint.

If Premium there's a KB with instructions to get it to go through ISA...it's also here in the blog.

And that's it for the blog posts tonight folks...see ya tomorrow.

 

I'm an SBSer.  And I feel that I represent the SBS community to Microsoft.

I feel like I've let the community down today.

I didn't represent you well enough to the Windows Update team.  I didn't understand what the impact of the 'normal' Windows 2003 service pack 1 was on our SBS boxes.  I didn't follow the beta closely enough to fully understand that it would have impact.  I didn't understand that a Service pack that has impact on our SBS boxes would be offered up to us at the top of the window in Windows Update today.

I let you down.  For that I apologize.

Going forward I'm going to make it my personal goal to ensure that the patching goals at Microsoft include a goal that if a service pack of any kind adversely affects us that it will be blocked in Windows Update and will not be offered up to you if you go to Windows Update. [Update... the Service pack is no longer on Windows update -- Thank you Microsoft for being VERY agile and responsive]

Someone asked today how to set up a test network if all they had was a production one and you can [if you are a Microsoft partner...see why you want to be a Microsoft partner] get a subscription to the “Action pack” which is a bundle of software that would be perfect for a 'test' network.  But if you don't have the time for that ask in the communities about how the patch is working on systems.  We'll tell you.

This one should not be installed on SBS.


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns. 


From Sean Daniel, Windows Small Business Server

There have been quite a few questions regarding Windows Server 2003
SP1 and its support on Windows Small Business Server 2003: I hope
this post will clear up any of the confusion here.  If you have
immediate questions, please feel free to follow up in the public
Microsoft Newsgroup at: microsoft.public.windows.server.sbs I will
attempt to answer your questions as best I can.

Windows Server 2003 SP1 is supported on Windows Small Business
Server 2003, but there are some known integration issues that are
resolved in the Small Business Server SP1 (available within the next
60 days).  With the Windows Server SP1 installed, you may encounter
the known issues and our recommendation is to:
a)      Be patient with the issue and wait for Windows Small
Business Server 2003 SP1
b)      Un-install Windows Server 2003 SP1, and wait for Windows
Small Business Server 2003 SP1, which includes Windows Server SP1

Furthermore, a KB Article will be written to further address these
issues, I will post it to the public newsgroup when it is available.

In the meantime here is the short list of the known issues:
-      Remote Access Wizard hangs when creating the connection manager package
-      Small Business Server Change IP tool will fail
       o      Change IP tool will continue to fail after un-install of WS SP1
       o      Workaround: Remove WS SP1, disable DHCP, re-run CEICW
-      Power Users retain SharePoint Administration privileges even after the role is changed to Reader
-      Re-Install of Exchange fails
-      Re-Install of Intranet component fails
-      Fax Services won't start and the Fax Configuration Wizard cannot be run after un-installing Windows Server SP1
-      DHCP service may not start after a restore

Please let me know if you have any further questions

 

Here are Susan's suggested items on how to install a service pack on SBS 2003

  • You don't install it on a production system, middle of the day during lunch time
  • You don't install it before a weekend
  • You don't install it before testing it yourself
  • You don't install it before waiting for feedback from others [Community ...check with the community before installing it]
  • You don't install it when it's Windows 2003 sp1 and we should wait for SBS 2003 sp1


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns. 


Coming Soon: Windows Small Business Server 2003 Service Pack 1

Published: March 29, 2005

The worldwide rollout of Windows Small Business Server 2003 Service Pack 1 (SP1) will occur in the next few months. Visit this page in the next 60 days to download Windows Small Business Server 2003 SP1.

Experience the Enhancements to Windows Small Business Server 2003 Service Pack 1

Windows Small Business Server 2003 SP1 will improve on the security, performance, collaboration, and productivity benefits built into Windows Small Business Server 2003.

Windows Small Business Server 2003 SP1 will be comprised of the latest service packs and updates for Windows Small Business Server 2003 and its product components, including:

  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows SharePoint Services SP1
  • Microsoft Exchange Server 2003 SP1
  • Microsoft Office Outlook 2003 SP1
  • Microsoft Windows XP SP2
  • Microsoft SQL Server 2000 SP4 (Premium Edition only)
  • Microsoft Internet and Security Acceleration (ISA) Server 2004 (Premium Edition only)

Also included are built-in and customized integration capabilities to ensure a smooth installation experience. Windows Small Business Server 2003 SP1 will be available in 18 languages: English, German, Japanese, French, Spanish, Italian, Chinese (Simplified), Chinese (Traditional), Korean, Dutch, Polish, Swedish, Portuguese, Brazilian, Hungarian, Czech, Russian, and Turkish.

5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA

Don't know what that is? 

That's the unique SBS 2003 GUID code for the SBS suite.  Do a search in the registry and you'll find it in a couple of places.

I'm sure you know you have SBS 2003.  You are an SBSer right?  But right now Windows Update doesn't know you are a SBS box.  It thinks you are a Windows 2003 box.  The good news is that it's not coming down on Autoupdate [thank goodness for that], but the bad news is if you run Windows Update on a SBS box it will indicate that you need this.  You don't.  Also watch out for SUS and make sure that the service pack isn't approved.


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns.  And sorry too to the WU team.. I know you know what SBS is but you know us gals in the heat of the moment..stuff pops out.  Thank you for your quick action and response.


Let me say this loudly

IF YOU ARE RUNNING SBS 2003 WAIT FOR OUR SBS 2003 SP1  - don't install this when it shows up on Windows update like this:

Again, do not install this patch from Windows Update.


UPDATE - 4/2/2005 - Windows update no longer offers up SP1 to SBS boxes.   Thank you Microsoft for responding to our concerns. 


Note: Customers who have Automatic Updates enabled with automatic
download should be aware that Windows Server 2003 SP1 will be made
available through Automatic Updates (AU) as a High Priority update in
July 2005.

Services may stop abruptly when you shut down or restart a Windows Small Business Server 2003-based computer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;839262

Jeff from TechSoEasy reminds me of a registry fix that we SBSers need to do.  He had an issue with unexpected power issues and now has a bit of a messed up server.  It reminded me that he may have needed to put in that registry fix. Now this will be in the SBS 2003 sp1, but for now, do this registry fix manually.

Just a reminder...DO NOT install Windows 2003 sp1 on your SBS box [even if Windows Update is offering it to you]

For those of you running 'normal' Windows 2003, you can start testing on the SP 1 as it just 'RTM'd....

For those of us on SBS 2003 remember

In addition, Microsoft is announcing that Windows Small Business Server 2003 Service Pack 1 will also be available to customers within 60 days.

I'm putting that in Bold and in Color because I missed reading it the first time.  [ummm...sorry Jerry!... I tell ya going blind]

So folks... ours isn't ready yet.  Hang tight just a little longer.


Download details: Windows Server 2003 Service Pack 1:

Install Microsoft Windows Server 2003 Service Pack 1 (SP1) to help secure your server and to better defend against hackers. Windows Server 2003 SP1 enhances security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations, improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Windows Server 2003 SP1 assists IT professionals in securing their server infrastructure and provides enhanced manageability and control for Windows Server 2003 users.

Which includes
Security Configuration Wizard for Windows Server 2003:
This is actually a cool tool but we don't need to run it on our SBS 2003 boxes as we're very well tweaked just as we are right now.  Again for those on normal server, take a look at it. 

Understanding the Windows lifecycle policy (for all you IT Pros out there):
http://blogs.msdn.com/ie/archive/2005/03/29/403513.aspx

One last post before bed tonight... nice concise recap of what IE versions are supported on what platform.

SOMEONE IN MY OFFICE LEARNED TODAY ...oh sorry...

Someone in my office learned today that when she was Internal IMing the guy in the office and she used all CAPS [because you see in the tax software program she was using it's normal for us to use all caps] that she was shouting at him.

She didn't know that there's this 'rule of online' etiquette that grew out of email etiquette

“Send an e-mail in all UPPER-CASE. Use of upper-case words is the equivalent of shouting in some one's ear. ONLY use upper-case words when trying to make a point (such as I just did). Even at that, you should be careful with who you are exchanging messages.”

For your clients that are email newbies, you might like to let them know of these unwritten/written rules of online etiquette.  Obviously they don't need to learn l33t speak or anything like that but just a nice friendly 'here's what others expect of you online' is nice.

 

Ever notice how there's like four or five ways to do the same thing?

I posted about my Remote Web Workplace experience and wanted to know if there was a way to remotely shut down.  Matt posted in the comments "shutdown.exe" but there's a couple more.

Handy Andy said Start> run> “shutdown -r”

For one, once I have that Control-Alt-End which is the remote desktop equivalent of Control-Alt-Delete [the infamous three fingered salute -- no relationship to David just happen to share the same name]...bingo, I have a button there that says "shutdown". 

Duh.

Then Chad and Marina said, click on Start and Windows Security and sure 'nuff in a RDP session, Windows Security...which is the shortcut to the screen that gives you task manager, shut down, log off, etc. is right there. [Which is of course the same solution pointed out to me by Dave in the post that started this whole exercise in the first place  -- that once you RDP into a session either via RWW or onto a server, that the Windows Security shortcut is right there, just a mouse click away]

Learn something new every day!

One of the issues with Remote Web Workplace and especially with the interaction with a dual monitor system is the reality of 'letting go of static icon location'.

Take this morning for example, I went to log back into RWW and there's a brief moment where there's a black screen and a blinking icon as the desktop 'takes back control' from the closed remoted session....well.. it's supposed to be brief anyway.  This morning it got stuck on that black screen and I had to do a hard reboot.  And man, did the icons on the desktop not like that one bit.

Now 1/2 of my icons are on the other screen.  Normally I fix this by going into display properties, pulling the display back to merely one screen and then reenabling the second screen.  That's probably the one thing you really need to kinda get used to when dealing with dual monitors.

Get over the 'My icons must be IN THAT EXACT SPOT'.  Get used to them kinda blowing up and moving around every now and then.

One other burning unanswered question that I had about RWW that is now answered [thanks to SuperG and Dave] is how to do a control-alt-delete on RWW.

SuperG:  Control-Alt-End

Dave:  Windows Security icon in the start menu that brings up the Control-Alt-Delete dialog.

Oooh I forgot to ask if RWW can be rebooted remotely. That's another one of my questions.  Stay tuned.

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn't about risk avoidance; it's about risk management
Law #10: Technology is not a panacea

In case you need a little reminder of the laws of Security Administration

That reminds me too that Brett pinged me via the mailbag today and wanted to know if admins can join the Communities of SBS.

Heck yes!  Many of them attend the user group meetings as well!

You definitely are welcome in the communities of SBS

SBS2k [which includes all flavors of SBS]

Mssmallbiz

You probably don't need the Smallbizit one as that's the business side.

Welcome Brett to SBSland!

Russ in the newsgroup picked up a new SBS client and they didn't write down the POP connector password.  He asked “Anyone know of password programs that unhide password in 2003?  All I can find are the ones for XP?”

As Russ found out it wasn't even that hard.  Load up a little Ethereal program, sniff the tcp/ip packets and that password will travel from the server to the pop box at the ISP in clear text.  You see a 'elho' command and then the lovely phrase 'password' and it's pretty obvious what the password is. 
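The cleartext exposure described above, turned around as a check on your own connector traffic. This is an added example, not code from the original post; the `S:`/`C:` transcript format, the sample sessions and the function names are assumptions made for illustration.

```python
# Constructed sample: a POP3 connector polling an ISP mailbox over plain
# TCP/110, as a protocol analyzer would reassemble it. All names are made up.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK Capability list follows
S: USER
S: STLS
S: .
C: USER mailbox1
S: +OK
C: PASS Example-Secret-1
S: +OK 2 messages
C: QUIT
S: +OK bye
""".splitlines()

# Constructed sample: same server, but the client upgrades with STLS first.
# Everything after the server's +OK is TLS records, so no commands are visible.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
""".splitlines()


def audit_pop3_session(lines):
    """Report credentials visible on the wire in one POP3 session."""
    findings = []
    stls_offered = stls_active = in_capa = False
    last_verb = user = None
    for raw in lines:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            if last_verb == "STLS" and text.startswith("+OK"):
                stls_active = True          # rest of the session is encrypted
            elif in_capa:
                if text == "." or text.startswith("-ERR"):
                    in_capa = False         # end of the capability list
                elif text.upper() == "STLS":
                    stls_offered = True     # server can upgrade to TLS
            last_verb = None
            continue
        if side != "C" or stls_active:
            continue
        verb, _, arg = text.partition(" ")
        last_verb = verb = verb.upper()
        mechanism = arg.split(" ")[0].upper()
        if verb == "CAPA":
            in_capa = True
        elif verb == "USER":
            user = arg
        elif verb == "PASS":
            # Never echo the secret into a report; record only its length.
            findings.append({"issue": "cleartext PASS", "user": user,
                             "secret_length": len(arg)})
        elif verb == "AUTH" and mechanism in ("PLAIN", "LOGIN"):
            # SASL PLAIN/LOGIN are only base64-encoded, not encrypted.
            findings.append({"issue": "base64-only AUTH " + mechanism,
                             "user": user, "secret_length": None})
    return {"findings": findings, "stls_offered": stls_offered,
            "stls_used": stls_active}


def recommendation(report):
    """Turn an audit report into the next step for the administrator."""
    if not report["findings"]:
        return "no credentials visible in this session"
    if report["stls_offered"]:
        return "server offers STLS: configure the client to require it"
    return "no STLS offered: ask the ISP for POP3 over TLS (TCP/995)"


if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("stls", STLS_SESSION)):
        report = audit_pop3_session(session)
        print(name, report, "->", recommendation(report))
```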

Remember, physical access means the ultimate lack of security.  With physical access I can even reset the local admin password [only do this on desktops, not on the server]


http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Tonight on the download page, there's a ton of IPsec downloads.  This is another of my 'gee I need to learn more on this topics'.  For now I'll just list the links I found:

Happy getting paranoid!

A couple of times, clients have come into the office and we've needed to get data off of their laptops.  So they've turned them on and we typically these days use usb thumb drives to pull the data off.  And each time a 'newer' computer is turned on, one that has wireless automagically enabled, it 'finds' the wireless access point at the office.

Is it an open, unprotected by WAP access?  Nope.

Could it be?  Yup.

Why?  Because I purposely put it in a place that would first and foremost give me a secondary backup to high speed access when taking down the server [Rule of Susan, always ensure you have a connection to the newsgroups or IM].  So it's on the outside of my SBS network hanging off another port in the 4 port dsl modem/switch.  It handles its own DHCP and does not interfere with the DHCP of the SBS since it's hanging off of the DSL modem/switch.

It hands out addresses in a range that doesn't match the internal address of the network.  I do all this because we don't really need 'true' wireless at the office to the internal network and I'm not yet ready to see if SBS can handle PEAP [I think it can...don't tell Jason or Charlie I need to re-read the chapter on wireless in SBS in the SBS 2003 Admin's book because I can't remember it.]

If you run cat 5e/cat 6 wiring in your office, you can pretty much be certain that it's a bit easy to know where it starts and where your 'physical access points' end.  The RJ45 connection in the wall.  Now at Microsoft where physical security of a 'campus' means they have tons of wiretaps, so they use IPsec [more on this in the next blog post] to protect those physical taps [remember don't use 802.1x to secure wired connections]

But where's the physical access limitation of a 'wireless' connection?  Yup it's as large as you are broadcasting.  Remember I've said before to check and make sure how others see you by visiting grc.com and seeing whether the ports you have open are the ones you expect to have open?

Don't forget to do the same with your wireless connection.  Take a laptop that is enabled for wireless... walk your perimeter.  How far do you broadcast?

One of my long time SBS mentors and 'big brothers' Cris Hanna is starting a SBS partner group in the St. Louis area.  Join him online and in person for a 'in face' community.  I still remember the first time I met him in person with my fellow SBS MVPs, Cris found me talking to a bunch of FoxPro mvps, tucked me under his wing and started the introductions to people I'd never met in person but already had a bond with.

It's the “bounce” factor.  Talking to someone who works in the same area you work in, does what you do, sees what you see.  Join Cris for a bit of live community.  I think you'll find he'll tuck you under his wing and make you feel as welcome as he did me.


For more information on this group or to communicate with others using SBS in the St. Louis area:
 
 

I'm not one of these, but I need their talents.

I'm not one of these, but I rely on them.

I'm not one of these, but I value their expertise.

But sometimes, I need more information targeted for ME and not for them.  What am I?  I'm an admin, not a coder.  I'm a CTO, not a developer.

And the blogosphere [if I'm reading this right] just acknowledged the difference between my world and theirs.

The Microsoft blogs used to all be on MSDN, that's the Microsoft Developer Network....but, you see, I'm not a Dev, I need admin-y stuff.  But now I think Microsoft just started a place for “us” to start watching the blogs for 'my world'.

Technet has opened up [I think you call it a soft opening] of their TechNet blogs.

Just in time before TechEd in Orlando comes the place where us admin geeks can follow the latest and not get posts that talk about Hungarian coding and posts about VB classic versus .NET.  Don't get me wrong, I find such posts interesting, but when you have a blog that spits out discussions of how to handle something managed code versus unmanaged code, and they put that gunky stuff [as I call code] in the blog posts, I start saying to the waiter “Check please? It's time for me to move on to another blog”.

Bottom line now I think I'll be able to find more 'admin-y' posts directly. I'll keep watching if what I think they are doing is what they are doing. 

So you Microsoft folks that aren't of the Dev world?  Start blogging folks, because you now have a home just of your very own.

Posted Sunday, March 27, 2005 4:39 PM by bradley | with no comments

America West has this feature that you can go to the Internet, log in and print out the boarding pass. So the guy at the office who is in Arizona gets ready to fly back, goes online just like he did at the office, checks in, confirms his booking and goes to confirm it and realizes.......

Um...He has no printer.

Now I have seen printers that offered IP based printing in the hotel rooms [but I've never been quite comfortable with that], but he didn't have any such options.

 I guess you “could” cart around a portable photo printer, or as I was joking with him as he related the story, print it to Adobe PDF and then when he got to the Airport, turn on the laptop and say “here's my pass”, but somehow the instructions on the print out that says 'cut here' might not work on a laptop screen...you'd have to have some really sharp scissors to cut the pdf off the screen, me thinks.

Speaking of airports, someone mentioned that they lost their roller blade allen wrench going through security.... 'course... I have to wonder about someone that packs roller blades for business trips [seriously they probably just forgot it in their pocket], and my sister one time had to mail back a manicure kit that she forgot in a carryon bag.  She forgot and threw it in there at the last minute.  Fortunately she had enough time to get out of the security line and find a mailboxes etc in the airport but I guess the world is a little safer from Allen wrench and Fingernail file toting Airplane passengers.

In case you are wondering, the list is here of prohibited items and 'lighters' were just added to the list.  Now mind you, I'm not so sure that given that anything “I” can't stick in carryons I now place in checked bags that I want a butane lighter in a checked bag.... to me that doesn't sound too brilliant of an idea as well.  It's clear from the list that you aren't even supposed to check it.  So just remember folks... when traveling... check those cattle prods and brass knuckles.  It's interesting that it does say that fingernail files can go in carryons.  Go figure.

Bottom line..just remember there are limits sometimes as to how truly portable you can be.

It's not too late to catch the hottest tour around.  This tour ROCKS!  Get autographs!  Get a backstage pass and more!  Talk one on one with the tour members!  What is this?  What really cool tour is this?

Why the SBS Partner tour of course and there are only four venues left!  Tavis gives his recap of the tour on the stop in Michigan.

Seriously if you are 'into' SBS, thinking about SBS, interested in SBS you need to get yourself to one of these events.  You won't be disappointed. 

  • March 28 - Omaha, Nebraska - 11802 Pacific Street, Omaha, NE 68154
  • March 29 - Irving, Texas - 7000 State Highway 161, Irving, TX 75039
  • March 30 - San Antonio, Texas - 4522 Fredericksburg Road, A79, San Antonio, TX 78201
  • March 31 - Denver, Colorado - 4643 South Ulster Street, Suite 700, Denver, CO 80237

REGISTER NOW

Hey you know ..I haven't seen any photos from these venues... we're just going to have to see if someone has been taking some!

SEMINAR AGENDA:
The following are covered in the FREE, two-hour evening event:

  • The Small Business Customer – Data and Trends
  • How Partners are making money with SBS 2003
  • SBS 2003 SP1 overview and what it means for you and your customers
  • SBS 2003 demos
  • Product strategy and roadmap

This is a FREE event sponsored by your local SBS User Group. Beyond the valuable and timely information that follows a TS2 event content, you'll also receive:

  • 128mb USB pen drive – Microsoft Partner Program Branded
  • Leather Pad-Folio embossed with Windows Small Business Server 2003
  • Official SBS 2003 Partner CD from the Microsoft Windows Small Business Server team (just released!)
  • An invaluable overview of the soon to be released SBS Service Pack 1 from top level SBS team members
  • Helpful information on how SBS Partners make money in the SMB Space
  • The latest research covering what and who the SMB customer is, and how you can reach customers based on this latest data
  • An invaluable opportunity to network with other local, successful SBS focused Partners (and their local SBS Partner Groups)

With my “I'm going to be patient and see if this works today” cap on I'm surfing over to Fedex.com's web site to see if I can update my credit card today.  Last night I was about to throttle some Java web site coders.

 

I can log in fine, go over to make payments online...I can go into preferences, then into update my credit card.  I've entered my credit card information... here we go about to see if they got their stupid Java site working [I think it's java anyway...if it's some other web coding let me know..it appeared to be a jsp page]

 

Ah... yes as you can see below... they haven't fixed it.

 

Now while I can understand that their web site admin folks probably don't want to work on the weekend, but it is a bit annoying that their web site isn't working.

 

For all of our 'this has more security than that platform' religious wars that seem to go on around security, the bottom line is that Fedex is getting real close to losing my business. 

 

Right now I don't care about security, I don't care what platform you are on, just FIX it so I can update my credit card and ship what I need to when I need to.  {I still owe Charlie Russel a Microsoft Bob that I have that I've been meaning to send to him and just keep forgetting to do it}

 

Man do I hate logging in to all the online places and updating credit card information.  I've got quite a few 'auto pay' things set up and it's a pain in the rear to dig up all of the places to go in and update [assuming I remember the password I used for the site in the first place]

 

So Charlie?  As soon as I get my credit card updated...and Fedex gets their web site working expect a Bob on your doorstep.

 

The RFC info is cool, but guys?  How about just working?

 

 

--------------------------------------------------------------------------------

 

 

Error 500--Internal Server Error

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

 

10.5.1 500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

First off I have to explain..I've been doing knock offs of Shakespeare ever since I briefly caught the interview of Denzel Washington on GMA in his role of Brutus in Julius Caesar on Broadway.....the “To Be or not To Be” is from Hamlet anyway....we now return you back to the blog....


DNS ...to forward or not to forward...that 'tis the question...whether tis nobler in the mind to suffer the slings and arrows of potential DNS poisoning or to merely use root hints..... 

uh...sorry...where was I?  Oh yeah...

Muffy in the newsgroups indicates that when she ran the Connect to internet wizard that she 'did not' put in any ISP's DNS entries in there where the wizard indicated and the network is resolving to the Internet just fine.  Is this okay, she asks?

And yes, indeed as is showcased here it is truly not necessary to put in ISP forwarders...as the built in DNS root hints pick up the ball and just work.

In fact, many are now arguing that we should 'not' put in DNS forwarders anymore due to DNS poisoning attacks.  The only thing I have seen that we need sometimes is adjustments to EDNS0 support, evidenced by not being able to get to some websites.

So next time you are playing around with your test server... try taking out those forwarders...see what happens... you'll probably find like Muffy did that everything magically still works just fine.

P.S.  Check out Eric's comments for some items to think about when choosing between forwarding or no forwarding.
