[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] November 2005 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"


Brian Tankersley today talks about my soapbox issue. 

User rights.

I'm tired of the major accounting vendors setting such a horrible example of security.  We should be ashamed that our major accounting applications, the backbone of our financial records, do this to us.  That they weaken our desktops so much as to introduce risk.

Dr. Jesper Johansson today talks about the story in his book where someone had administrator rights on their machines and one person did not.  One had a mess.  One did not.

Eweek did a study and 'found no persistent malware showed up on the system where the user was not an administrator'.

In the year 2006, that a major business accounting application can still code insecurely and be a top seller means that “we” the marketplace does not care. It's only when we do that things will happen.

There goes my mail again....  since my Netscape days at least once or twice a year there goes my Thunderbird and I have to reinstall it and set up a new database.

The annoying part of using an alternative place for my junky email account is that it blows up on a predictable basis.  Yeah yeah.... I should dump it into Exchange and pull it through the server...but it's just easier for me to dump this junky email account [which is not my business account] and keep all this risk outside of my server.  But in doing so I risk the integrity of a standalone mailbox database that just can't handle data integrity.

Boy if this would happen at the office with the firm email..the gang would kill me...but I accept it as being just the way it is.

Bottom line, I've assigned a risk level to this email that if the database blows I just build another one.  That's not what I do for the firm.  So the resources and risks that I will accept to the firm email are vastly different than what I do

 

 Windows 2000 is technically out of "mainstream" and into "extended" support as of June 30, 2005.

Microsoft Support Lifecycle:
http://support.microsoft.com/lifecycle/?p1=7274

Got any SBS 2000's out there?  You know... I'm sorry...but good enough isn't these days.  Now granted us SBSers are in a bit of a futurecast moment here.  SBS based on Longhorn will be 64 bit based.  So if you have a SBS 2000'er that is looking for the future remember our words of getting 64 bit stuff ready to go.  

Exchange 5.5 goes out of free hotfixes as of 12/31/2005.  Which since I 'think' that's the last supported part of SBS 4.5..... I think it just might be getting really really wheezy about now.

If you have any SBS 4.5 boxes...they are majorly on life support now....

I was at yesterday's TS2 presentation and only 6 people in attendance were using WSUS.  Remember SBS 2003 in the R2 era will have WSUS inside the box.

Now I will still honestly tell you I vastly prefer Shavlik's push, patch, done versus WSUS's setup, tinker, approve, review reports....but gang... you need to download WSUS on your own systems and start playing with it now. 

To me WSUS isn't just a patching program, this is risk management for that firm.  And if you are not helping that firm deploy patches, service packs...why not?

Want to stay safe and secure?  You patch.  To me it's just a natural part of the computing process.  And as long as I've built in the processes to ensure I have an easy way to recover on the rare remote chance something might occur, patching is not an issue.

Today in the newsgroup someone said “I have an old backup”...I'm sorry but with USB harddrives as cheap as they are, given that you can hang one off a shared drive off a workstation, you have NO excuse not to have a backup.  As easy as the SBS wizard is.....shame on you for not doing what you can to protect your business.  You have a responsibility to yourself, your family, your employees families this Christmas time to keep your business operational.

Patching and Backups.  Two EASY ways to keep yourself in business.

We're pleased to announce the first of several webcasts dealing with integrating the Macintosh into an SBS environment. On Thursday, December 8, join me for a session that discusses basic Macintosh networking, accessing file shares on an SBS server, and interacting with the SBS web services from the Macintosh. If you've never had a chance to work with Mac OS, or if you're still a little rusty finding your way around, this is an opportunity for you to see the Mac in action, not just in screenshots. The session will feature several live demos as part of the presentation. Plus, you'll have an opportunity to post questions during the session and have them addressed at the end. There will be two sessions on December 8th. One at 8am EST for those of you "across the pond," and another at 1pm EST for those of us stateside. At least one of the sessions will be recorded for playback later if you cannot attend either session in real-time.

 

Here are the meeting-specific invitations:

Thursday December 8, 8am EST (1pm GMT)
  Subject: Integrating Macintosh into SBS (early session)
  Meeting URL: https://www.livemeeting.com/cc/winserver_usergroup/join
  Meeting ID: 2QHCXQ
  Meeting Key: WpM3&:G
  Role: Attendee

Thursday December 8, 1pm EST
  Subject: Integrating Macintosh into SBS (later session)
  Meeting URL: https://www.livemeeting.com/cc/winserver_usergroup/join
  Meeting ID: 2Q2DHH
  Meeting Key: g:z6N.d
  Role: Attendee

This meeting will broadcast internet audio directly to your computer.  Please ensure that you have Windows Media Player 9 or higher installed.

FIRST TIME USERS: Install the Windows-based Meeting Console before your meeting:

This will all make sense after you listen to the SBSShow this week.

Just don't be drinking Mountain Dew.......you'll get it all over your Ipod...

So I met Stephen today... Stephen Cracknell at the local TS2 presentation.  And at the end of the four hours, after all the offers, links, invitations to email him, to cc him, to ensure we gave him feedback, I think about the only thing he didn't do was invite us over to his house for Christmas dinner.

You know you get out of things what you put into it.  And there's a lot of offerings out there [yes, many of these have US only or are US centric but yo... I live in the USA so cut me a little slack, but do check with your local Microsoft office and community]

So what did the TS2 presentation go over?

But do you get it that all of this stuff starts with YOU becoming a Microsoft partner and better yet YOU becoming a Small Business Specialist?

Microsoft Antispyware gets an extension of time so you should start seeing this pop up in your systems.....

Want to look like IT is your profession?  Your business? 

Get a shirt.

Not just any shirt...but a logo on your shirt. Polo shirt, button down shirt, but stick a logo on there.  How do you do that? 

Easy.

  1. Get a logo designed.  Locally or online, you can get one done easily.
  2. Get shirts made.  Again, locally at an embroidery shop or online at LandsEnd's business outfitters, it costs about $75 or so to get the logo 'digitized'.
  3. Use that logo EVERYWHERE.  Set up a cafepress.com store and get sweatshirts and mugs made.
  4. Make business cards with that logo.  Go to vistaprint.com and get them made.

Bottom line, when I'm out and about and I see folks with a little logo on their polo shirt?  To me it just stamps that you mean business.  This is your profession, it's not your hobby.  You mean business. 

Back when I was in college, there was a “how to dress for success” book.  And it said you always dressed for the position you wanted to end up in.  When I see a person in a “business suit of Tech” ...also known as a logo'd polo shirt...now maybe this is just me as a female....but I tend to consider that person more professional, more ready to take on my business when I see them 'branded'.  Are you an MCP?  Get an MCP shirt.

I think it also affects how you act.  I know that if I'm in my “geek attire” I will act differently than I do when I'm in my CPA Business professional attire. 

I think in what you wear affects how you present yourself.  If your attire says “I'm a business too” you present yourself to that business owner.  You connect better.  I know that we have some clients that if the partner is going to meet one on one with them and they are in the profession of farming, for example, they will put the client at ease by going to their farms in jeans and boots themselves. 

I think dressing appropriately just states to that potential customer that you are ready for the job. 

And sometimes even “Code Monkeys“ is appropriate.

Amy asks if we should just choose the “Windows Small Business Server” now as our only WSUS option, and I'll double check, but I think the answer is “no”.  It's my understanding that the patches that come under that section are unique to SBS only patches.  We haven't had one in a while, but it's things like the POP connector patches or our Sharepoint only patch.

Stay tuned, I'll let you know for sure though.

You've seen it haven't you?  This:  The self signed cert prompt before getting into RWW.

So you are probably wondering why... with all my paranoia I don't go out and buy a third party certificate that I can trust from someplace like instantssl.com?

Because. 

Why do I trust them any more than I do my own box?

As it stands now I can make a workstation like my home one trust the certificate, I can easily click on View Certificate and examine that it came from my box, I can examine the SHA-1 thumbprint as I install it on my workstation.

An expert on encryption once came and did a presentation on the topic to our CPA group.  And he made the point: why do we trust any third party publishing certificates any more than we do ourselves?  In the proper world of PKI and such topics, you should really meet a person face to face, swap identity information, and swap certificate information to ensure that you can confirm you got that certificate from that very person.  So if I can explain the process to my employees, if I tell them what the SHA-1 thumbprint is so they can check it if they really want to be paranoid, what's the risk of a self-signed certificate once I've installed it on a workstation to then accept the certificate from my server?  Heck, if I'm that paranoid I can type up the thumbprint and have folks verify that.

Okay, let's look at how someone might trick me...or any of my employees that have remote access [remember not all do] with a self-signed certificate, especially if I've told them how to install it on their workstation once.

Okay, they'd have to first build enough of a web site that looked like the SBS front page.  They'd have to grab the DNS records and redirect those settings to their system. 

Do you get the idea that the risk of this...while ... I mean I can't honestly say it's non-existent.... well, let's just say that some bad guy sending a phishing email or tricking one of my employees to a web site to download malware is a greater risk.  The risk that employees today are using up your bandwidth to do Christmas shopping is greater.

So why would you need a third party certificate?

Do you need one for cell phones?  Nope.  You can add the cert to the phone.  In fact I do this all the time.

Do you need one for RWW for XP workstations?  Nope. As you can see above.

When 'might' you need one?  Macintoshes.  But even then we have a workaround for that too.

So why do we need to have a third party web site that we don't have control over be a verifier for my SBS box that I do have control over?  Some might say that using third party certs add more flexibility....but I just keep thinking about that padlock story.....

“There is a lesson here for security architects who worry at length about the number of bits of key to use in a cipher or the security of a CA, but not about the computer, operating system, protocol, human interface or physical environment of the application allegedly made secure by that cipher or PKI.”

I'm spending my time and paranoia elsewhere thank you very much.....
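As an added example (mine, not the post's own procedure and not anything the SBS wizards do), here is the thumbprint check described above written as a script: it fetches the certificate the server actually presents, prints its SHA-1 thumbprint, and imports it into the current user's trusted roots only if it matches the value you wrote down at the server console. The host name and the expected thumbprint are placeholders. The check is only as good as the channel the expected value came from, so it must come from the box itself (or the typed-up sheet the post mentions), never from the same connection you are checking.

```powershell
# Added example (not from the post). Pin the SBS self-signed certificate by SHA-1
# thumbprint before trusting it. $Server and $Expected are placeholders: the thumbprint
# must be read off the server console (or the sheet you handed out), not off this connection.
param(
    [string]$Server   = 'remote.example.com',                        # assumption
    [int]$Port        = 443,
    [string]$Expected = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption
)

function Get-PresentedCertificate {
    # Open a TLS session whose validation callback accepts anything; we are only
    # fetching the certificate to look at it, nothing is trusted yet.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $tls.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Normalise whatever format the thumbprint was copied in ("ab cd", "AB:CD", "abcd").
$want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$cert = Get-PresentedCertificate -HostName $Server -Port $Port
$got  = $cert.Thumbprint          # .NET computes this as SHA-1 over the DER bytes
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"       # self-signed: same as the subject
"Expires : $($cert.NotAfter)"
"SHA-1   : $got"

if ($got -ne $want) {
    Write-Error "Thumbprint mismatch (expected $want). Someone is in the middle, or the server was rebuilt. Not importing."
    exit 1
}

# It matches: add it to the current user's Trusted Root store so RWW stops prompting.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
"Imported into CurrentUser\Root."
```

The DNS-plus-lookalike-site attack the post describes is exactly what this defeats: the attacker's box cannot present a certificate with the thumbprint you recorded, so the script refuses to import and the user never sees a silent padlock. It does nothing for the phishing and malware cases, which is the post's point about where the paranoia budget goes.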

Sometimes I get emails about someone having a problem with say.... OMA and RWW or OWA or whatever and they are unsure of how to go about fixing things without a total reinstall of SBS.

First off, it's my opinion that unless you get a virus, trojan or other security intrusion there is no need to reinstall a box.

So let's discuss some ways of troubleshooting shall we?

  • First off.... when did it last work?
  • What did you do between then and now? 

Now then this is where the rules in the Susan book of Admin-ing comes into play: 

Know thy system.

It's absolutely imperative that you keep an eye on what's going on in your network. From looking at the daily 6 a.m. email, to knowing what got installed on your box, knowing your system is key.

The exact error message

Want to know my secret?  Google.  Hands down a search engine is how I know things.  These days I even google my own blog.  Just today in fact I was looking for the phone number to the Cingular data support toll free number and I knew I had blogged it so I googled my own blog to find it.  Copying down the “EXACT” error message and sticking it in Google or Google Groups is how you can find a lot of things.

Look for the events, the logs, the errors

I've joked that the Devs at the SBS development must have been beancounters in a past life, because they leave audit trails all over the place.  Scroll down in this page and you'll see what I mean.  Subscribe to www.eventid.net as a place to point you in the right direction.

And above all else......

When you get stuck, ask for advice

Don't bang your head on the wall, use your resources wisely.  There are issues that I will post to newsgroups, and then there are those issues that I will call Product support about.  Anne today points to an article about Support resources.  Use 'em.
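To make the "what did you do between then and now" and "look for the events, the logs, the errors" steps concrete, here is an added example (mine, not from the post) that puts the two things I'd want in front of me before searching: updates installed in the last week, and every Error and Warning from the System and Application logs in the last 24 hours, collapsed by Source and Event ID so the noisiest one is at the top. It assumes you run it on the box itself as an administrator. The Source plus Event ID pair is what you look up on eventid.net, and the first line of the message is what you paste into the search engine verbatim.

```powershell
# Added example (not from the post). Run locally as an administrator.
$Since = (Get-Date).AddHours(-24)

# What changed: updates applied in the last week, newest first.
# (InstalledOn is empty on some entries, so drop those before sorting.)
"--- Updates installed since $($Since.AddDays(-6).ToShortDateString()) ---"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since.AddDays(-6) } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# What is complaining: Errors and Warnings from the classic logs since $Since.
$events = foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -EntryType Error, Warning -After $Since -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, Source, EventID, Message
}

# Collapse repeats: one row per Log/Source/EventID with a count and the latest message.
"--- Errors and warnings since $Since, noisiest first ---"
$events |
    Group-Object Log, Source, EventID |
    Sort-Object Count -Descending |
    ForEach-Object {
        $last = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Count   = $_.Count
            Log     = $last.Log
            Source  = $last.Source
            EventID = $last.EventID
            Last    = $last.TimeGenerated
            Message = ($last.Message -split "`r?`n")[0]   # first line only; paste this verbatim
        }
    } |
    Format-Table Count, Log, Source, EventID, Last, Message -AutoSize -Wrap
```

Widen the window with `$Since` if "when did it last work" is further back than a day; a burst of the same Source/EventID that starts right after a hotfix in the first table is the usual answer to the second question.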

Quick question?

Yes?  [btw ever notice how quick questions usually end up not being quick questions?]

Is there a way to stop a user from shutting down a machine?

Yes...but....are they a local administrator on that box?

Yes.

Ah, well then if they are admins, then no.  In order to do this you need to take back the rights on this machine.  Once they are a plain user you can do such fun things as taking away the "Shut down the system" user right, or using Group Policy to remove the Shut Down command from the Start menu, so they can't shut down.  But you need to realize that your stupid line of business applications more often than not will not run as a regular user and you'll end up hacking up the registry hives.

Can it be done?  Yes.  The issue was a person who used the computer shut it off and then another remote worker wanted to use the computer on the weekend.  Unless you want to spend the time and energy on making a technology solution....make a policy solution.

Stick a yellow sticky note to remind people to leave the computers on so that people can remote in and you can do maintenance.  Honestly I don't shut off my workstation these days at all and only reboot for patches.
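Here is the check I'd run before promising anyone "they can't shut it down", as an added example that is not from the post. It lists whether the user is in the local Administrators group (an admin can undo everything else), shows who currently holds the "Shut down the system" user right (SeShutdownPrivilege, the right the Shut Down command actually needs), reports whether the Start-menu policy ("Remove and prevent access to the Shut Down command", registry value NoClose under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) is already on for the current user, and, only if you pass -Apply, rewrites the user right so only Administrators keep it. The user name is a placeholder; run it from an elevated prompt on the workstation in question. The Start-menu policy only hides the button, and none of this stops a finger on the power switch, which is why the sticky note wins.

```powershell
# Added example (not from the post). Audit, and optionally restrict, who may shut down
# this machine. $User is a placeholder; run in an elevated prompt on the workstation.
param(
    [string]$User = 'CONTOSO\alice',   # assumption
    [switch]$Apply
)

# 1. Local administrators can grant themselves any right back, so this decides everything.
$admins = net localgroup Administrators
if ($admins -match [regex]::Escape(($User -split '\\')[-1])) {
    Write-Warning "$User is in the local Administrators group; no setting below will stick until that changes."
}

# 2. Who holds SeShutdownPrivilege today? Export the effective local policy and read one line.
#    *S-1-5-32-544 = Administrators, *S-1-5-32-545 = Users, *S-1-5-32-551 = Backup Operators.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$current = (Get-Content $inf) -match '^SeShutdownPrivilege'
"Current holders: $current"

# 3. Is the Start-menu Shut Down command already hidden for the current user? (Cosmetic only.)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noClose = (Get-ItemProperty -Path $pol -Name NoClose -ErrorAction SilentlyContinue).NoClose
"Shut Down command hidden (NoClose): $([bool]$noClose)"

# 4. The real control: leave the right with Administrators only.
if ($Apply) {
    $fix = Join-Path $env:TEMP 'shutdown-right.inf'
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
'@ | Set-Content -Path $fix -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'shutdown-right.sdb') /cfg $fix /areas USER_RIGHTS
    "Applied. Re-run without -Apply to confirm; a domain GPO setting the same right will overwrite this at the next refresh."
}
```

If step 1 warns, stop there: the post's answer ("if they are admins, then no") is the whole story, and the first thing to fix is group membership, not the policy.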

So Amy on the mssmallbiz lists reports that the WSUS synchronization options now list SBS as an option

Hey, cool, remember how any of our unique to SBS patches are only offered up on Shavlik right now?

I have a box of Windows XP in my office.  It's a retail blue box.  And if [heaven forbid] the office burns down, I've lost that license.  I have to rebuy it.

The other day for our Business Insurance renewal I was asked to write down all the software licenses that I could not replace, that we'd have to rebuy all over again, and we were surprised that there's a lot of software that I have that I don't have to worry about scrambling to rebuy.

My office is by the airport and lets just pretend that the biggest jet airliner that goes out of the Fresno Airport [which is the UPS plane by the way] dropped on my office.

What software could I easily replace?

  • My server software including the media.  I log into the Eopen web site with my Microsoft passport and I look up the contract number and immediately replace it.
  • My Windows XP licenses - that also gives me the right to the next version - better known as Vista that includes additional features.
  • My Office software including the media.  Again, I log into the Eopen web site. 

Next to my desk is a test Dell OEM server.  There's a server license on that box.  If the box dies, the server license dies with it.  It's not transferable.  But add software assurance within 90 days and I can move that software anywhere I want to.

If you are buying OEM or retail software boxes for your clients.

Stop.

OEM may be cheaper in the short term, but it's not cheaper in the long run.  Retail boxes mean that you or your clients have to track those licenses and, worse still, you lose those licenses if a disaster occurs.

Your small business clients need to ensure you have built in the flexibility they need, business continuity plans built in from the get go.

Check this site out:

http://www.noretailbox.com/

Okay if you are reading this you aren't the person I'm going to be ranting about.

You are here because you've gotten plugged in.  You've stepped up to the plate.  You are a person I would not mind sending a Small Business client to. 

And I apologize in advance to those of you this rant is intended for ...the ones that won't even be reading this.....but I think your technology customer deserves better.  You aren't listening enough.  You aren't taking the time to learn.  You aren't open for new ideas.

Have you noticed lately that many of you have been competing with a person that I'm not sure I would call an “IT Pro”?  A person for whom this is a side job, not a career or a profession?  A person whose idea it is that computers and servers are 'throwaway items'?  That in all the spin of “technology is easy” we've not realized that the only way for technology to get easier for the end user is to make it harder under the hood.  Yet there are folks I've seen posting in the newsgroup that I have to remember Grey's words to be more patient and kind to.  They come in with an “I know it all” attitude or they come in with an “I don't need to crack a book” attitude.

I don't mind the person entering the Small Business Marketplace that grabs a book, sets up a test network, reads a KB article...heck.. can attempt to Google up an answer.  I do mind the consultant who's not listening to their customer, who's not taking the time to practice a solution, or learn something new.  The one who sets up a box incorrectly and then complains that “hasn't anyone ensured this works?” when it's a misconfiguration that they've done to screw up the system.

I do mind the person who blindly says “Oh my customer doesn't need Exchange, will never use it“   Why do you say that?  Shared calendars?  They don't need that?

I do mind the person who blindly says “Oh my customer doesn't need Remote Web Workplace“.  Why do you say that?  Have you truly evaluated their needs?  Remote connectivity?  Heck we're leaving more and more of our workstations on 24/7 to remote back in.

I do mind the person who blindly says “Oh my customer doesnt' need...... fill in the blank....“ Why do you say that?  Aren't you making decisions based on what you think their needs are?  Are you thinking ahead enough?

I do mind the person who doesn't set up a SBS box with the wizards and thinks they are smart enough to know better and set it up without the wizards.  Sure, understand what they are doing, but you'd have a hard time convincing me that installing all the parts of SBS, manually configuring everything, you can set it up as dependably as the wizards.

As a customer, I would rather you not learn 100% on the job on your client.  Do your homework for some of these things, you know?  These days as cheap as Virtual Server is ($99), there's no reason that things like your first install of a SBS box should be in your client's office.  There's no reason that your first Swing migration should be a client's.... practice on your own network with a copy of Microsoft's new Virtual Server.

In fact, I'd strongly recommend that you grab a copy of Virtual Server.  You can practice all you want on a variety of things in a virtual setting and keep copies so that you don't screw up a real server.    How about virtual hands on labs?

The point is ... go into your client with confidence.  Yeah you don't need to know everything.... but have the attitude that you are open for learning, open for new ideas ....

...but then again... the people reading this post already are open for learning and new ideas aren't they? 

The “toy server”. 

SBS has been called this by even some of my fellow MVPs as the “Toy Server”.  Yet under the hood is the same active directory, the same bits and code, the same parts as our big brother servers..... and as such we have the same abilities to do stuff as our big brothers.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/kb/255504

See that KB?  It doesn't matter if you are SBS or Windows Server... that command works.  The only thing we cannot do on a SBS server is take any one of those roles off our SBS box.  All 5 roles must permanently stay on a SBS box.

  • Schema master - one per forest, and we only have one forest...heck, barely a tree...so no surprise there
  • Domain naming master - one per forest [again, we're a tree]; this role is required to add or remove domains to or from the forest
  • RID master - hands out the pools of relative IDs that become the tail end of every new user, group and computer SID, so nothing new gets created reliably without it
  • PDC emulator - one for each domain [hello, we only HAVE one domain]; it gets password changes and lockouts first, is the time source for the domain, and is where Group Policy edits land
  • Infrastructure master - keeps cross-domain object references straight, which in a one-domain forest is almost nothing to do, but SBS still has to own it

Because our wizards/our SBS box does the dcpromo stuff, we don't see, don't understand what is going on under the hood.  Active directory in SBSland just works because it's been standardized for us.  Smarter folks than us have figured out how to set it up and standardize it. 

But here's the thing...because these roles must stay on the SBS box, because even as a “toy server“, we have all the glue, all the gunk, all the same things as our big brother servers we can easily replicate this information to another server in a process that big server land does all the time.

The funny thing about going through about half of a Swing Migration this weekend, after all my hanging around and unsuccessfully lurking on the Active Directory listserv, is that other than the fact that we don't have to WORRY about configuration or planning of Active Directory, it's the same gunk.

So far I've replicated the Active Directory to a temporary domain controller, disconnected the temp DC [important step: the edits and seizing you do next must not replicate back to your still good and still running main server], and then seized the roles.  The NTDSUTIL command first attempts to gracefully transfer, and since you don't WANT to be taking the roles from the still running production network, the utility then says “Okay, whatever, I'll just grab what I need.”

So those of you who know me, who know that I bought a kit and am doing this to move to a new server at home because it's so wheezy are probably wondering why in the world am I going through all of this for a home, 4 computer network?

Because of my sister's customized Disney desktop.  If I screw up her desktop one more time, or her Outlook settings, or her...anything on her machine, I'll probably be sleeping out in the garage.  It's that important that the burden in migration is on ME not on the end user [aka her].

So comparing a migration that I purposely did last year with a clean install to one using the FSMO copy roles aka the Swing Migration method?

I still would argue that migrations suck in general.

But as far as the attitude that some folks have that we're a “Toy Server”?  Not under the hood. Not where it counts.  It's the same active directory....and as such we can use the same tools as our big brothers to help us in migration, in disaster recovery, in all sorts of things.

Like Happyfunboy says...

SHAME ON YOU!

Now I'm going to assume that you have a laptop running Windows 2003 and it's not your production, domain controller.....but if it is STOP DOING THAT!

You are introducing risks in your firm and you more than likely removed the Enhanced IE security that makes Windows 2003 server immune to the latest security advisory.

So I just went through part of Jeff Middleton's process designed to move the domain roles from one server to another...something that big server land does a lot of but we don't down here.

I'm just putting you guys in AD on notice .... in a very public way....via this blog..... you gotta blonde this down before we're forced to upgrade to 64 bit.

I understand the process going on with the transferring of the FSMO roles and the process of moving the server to where the desktops don't even sense that a change has been made, but let's get real.  Not all of us SBS 2003 owners are going to want to migrate...what they have will be 'just fine'.  I'm sure it's like the consultant crowds are seeing a bit now.... those networks/owners where things are “just fine” are still on SBS 2000.  But for those of us that do... and for even folks that use a consultant..... many of the IT Pros out there have never done this before.  Heck even Brian Desmond ensures that people go through apprenticeship before letting folks loose. 

Let's review our current options for migration

  • Inplace - oooh yuck - leftover permissions and junk and running on possibly underpowered hardware  [and remember this one we can't do in 64 bit era]
  • ADMT - Microsoft mothership approved...but you rename the domain and rip everything out and your Exchange mailboxes size may grow [not quite the issue these days...but still]
  • Clean install - another rip out the domain glue
  • FSMO transfer role with drop in of Exchange store- [aka Swing] Joe may like command line ...but if this is going to go from only being done by IT Pros to being done by reasonably intelligent DIYers....sorry Joe but I think this could be made a lot easier with a good gloss of GUI on top.  And I'm not sure at all we'll be able to do that 'trick' of 'drop in the Exchange store' reconnect and we're done.

Get the idea that migration sucks in general?

I like nice pretty gui screens that ...yeah...while I might not read them .... are designed to keep me from being stupid [or hopefully try to be].  What ntdsutil shows you instead looks like this:

Server "kikibitzfinal" knows about 5 roles
Schema - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local
Domain - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local
PDC - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local
RID - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local
Infrastructure - CN=NTDS Settings,CN=KIKIBITZFINAL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Kikibitzrtm,DC=local

 

And yeah I can drill into the Active Directory Users and Computers and check the status of the FSMO roles, and I can use ntdsutil to view them... but Mr. AD people?  Gotta get it easier than this....that's for sure.
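As an added example (mine, not the post's commands and not KB 255504 verbatim), here is the replicate, disconnect, seize sequence from the Swing Migration post above with the "important step" made explicit: the script refuses to seize while the production SBS box is still reachable. Host names are placeholders. netdom and dsquery ship in the Windows Server 2003 Support Tools and adminpak; ntdsutil takes its prompts as arguments, so the whole thing can be driven from one prompt instead of typed interactively.

```powershell
# Added example (not from the post or KB 255504). Host names are placeholders.
$Prod = 'SBSPROD'   # the live SBS box, which must hold all five roles when you are done
$Temp = 'TEMPDC'    # the throw-away DC that was replicated from it and then unplugged

# 1. Who holds what right now? Two ways to ask, both from the Support Tools.
netdom query fsmo
foreach ($role in 'schema', 'name', 'infr', 'pdc', 'rid') {
    '{0,-6} {1}' -f $role, (dsquery server -hasfsmo $role)
}

# 2. While both DCs are up and talking, 'transfer' is the only safe verb: the current
#    owner agrees to hand the role over, so the directory never has two owners.
#    ntdsutil 'roles' 'connections' "connect to server $Prod" 'quit' 'transfer pdc' 'quit' 'quit'

# 3. The post's "important step": never seize on a DC that can still replicate back.
#    A seized role that flows back into the live domain leaves two DCs claiming it.
if (Test-Connection -ComputerName $Prod -Count 1 -Quiet) {
    throw "$Prod is still reachable from $env:COMPUTERNAME. Pull the cable on the temp DC first."
}

# 4. Seize on the isolated temp DC. Each seize first attempts a transfer, fails because
#    the owner is unreachable, then pops a Yes/No box before taking the role.
#    On Windows Server 2008 and later the second role is spelled 'naming master'.
$roles = 'schema master', 'domain naming master', 'RID master', 'PDC', 'infrastructure master'
foreach ($r in $roles) {
    ntdsutil 'roles' 'connections' "connect to server $Temp" 'quit' "seize $r" 'quit' 'quit'
}

# 5. Confirm the temp DC now answers for every role before going any further.
netdom query fsmo
```

Step 1 is the "knows about 5 roles" listing above in two lines of output instead of five distinguished names, which is as close to the GUI the post asks for as the tools get; the check in step 3 is the part you cannot skip, because ntdsutil will happily seize on a connected DC and let replication sort out the resulting mess.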

The old server at home is getting very wheezy and needs to be upgraded and I was going to move it over to the glowing blue baby server but his fan is making a racket and sister says ... 'uh that's not going in our house is it?' and it's probably been bumped around once too often and I need to replace the fan... so she says “if we're going to do this.... do it right“.... okay...... so I go to Dell to buy a cheap server and ....you know?  You can't order the server with a spare nic at all!  They force you into the Sonicwall firewall solutions whether you like it or not.

So my Sister says ...why don't you check out HP?  All the servers we are getting at my office these days are HP.....

Now keep in mind this is a home server and thus if this was 'for real' I'd at MINIMUM throw in another drive for software RAID [in fact I might do that anyway].  Honestly I prefer 10,000 rpm, hardware controller card raid rather than software for a 'real' server.... but for home.... it's at least better than the annoying noisy glowing blue baby server....that's for sure....

Hey... you can even get ILO on that too!

HP ProLiant ML150 G2 3.00GHz/1GB, 1MB, 160GB - Hot Plug SATA Server
Intel® Xeon™ 3.00GHz/800MHz, 1MB Processor
1GB of Advanced ECC PC2700 DDR SDRAM DIMM Kit (2x512MB)
4 port SATA Adapter in a PCI slot
160GB SATA hard drive
Broadcom 5721 PCI-Express Gigabit NIC
Hot Plug Drive Cage (4 x 1" SATA drives)
High Speed IDE CD-ROM Drive
1.44MB Floppy Disk Drive
Limited warranty includes 1 year parts, 1 year labor, 1-year on-site support

1GB Total PC2700 (1x1GB)
HP NC1020 PCI Gigabit Server Adapter
