[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] September 2006 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

September 2006 - Posts

Today in the mail many folks in my firm got a copy of Microsoft's Small Business Accounting software with a reminder that they can sign up for the MPAN program - the Microsoft Professional Accountant Network.  Signing up for the MPAN program means they are also eligible for Action pack... which means they get SBS 2003 (now SP1, soon to be R2)

So after October 15, that CPA firm has a window of opportunity for a new network to be installed. Why after October 15th?  Because that's extended tax deadline day.

So call up your US based CPAs, tell them to be on the lookout for a copy of Small Business Accounting and sign up for the MPAN program!

Posted Tue, Sep 19 2006 12:03 by bradley | with no comments
Why doesn't Action Pack include the full version of Windows XP?
In response to feedback we are receiving from partners, and to address piracy and abuse of the Microsoft Action Pack Subscription, Microsoft is taking steps to bring compliancy to this subscription by changing some of the software media available. Beginning July 2006, Microsoft will provide the upgrade version of the Windows XP desktop operating system within Action Pack, which is consistent with how this product is distributed to our Volume Licensing customers. The total number of Windows XP Upgrade licenses will remain at 10.

https://partner.microsoft.com/US/program/managemembership/actionpack/40016472


------------------------

I've been hearing a fair number of folks ask if XP licenses have been removed from the action pack.... so I'm blogging this.... No.  The XP licenses are still there exactly as they were before...but I don't think folks realized that the license in the action pack is like VL licenses... they go "on top" of an XP license.  You have to have a prior copy of XP OEM or Retail box for a VL license.
Because it's now a VL license, just like a VL one, you install it as an upgrade.. not from original media.  If they were using it as "full" media before to build new machines, they are/were in violation of the eula.
So, yes, Action pack still includes XP licenses.
Posted Tue, Sep 19 2006 7:19 by bradley | 3 comment(s)

http://www.geekzone.co.nz/chiefie/1355

"My laptop (x1030AP), will be my mid-casual/business tool at the moment until it is replaced by an UMPC (TabletKiosk eo i7210). And when it is time to be replaced, it may serve as our home server running Microsoft Small Business Server 2003 (R2) Premium, mainly to operate Exchange server. My vision for this is have it running 24/7 with small footprint."

The floodgates have opened....  now we had a discussion about this earlier.... a laptop is a quiet computer, certainly quiet for home settings... and ... no one can argue that the fact that it has a "built in UPS" in the form of a battery power cannot be beat....and certainly we use laptops as demos and what not....but I just have a hard time wrapping my noggin' around running SBS "ON" a laptop with that being the hardware platform of choice.

I mean I'm trying to make people think more about virtualization and what not... but I'm still partial to things like SCSI drives and raid and big fans and what not.....I mean I know that I'm pushing people to think more virtual SBS and alternate ways to set up servers, but a laptop?

Posted Mon, Sep 18 2006 22:16 by bradley | 3 comment(s)

0x80070003

 

I don't speak numbers.  I speak English. A bit of geek.  And most nights I can figure things out.  But I get really frustrated when error codes and diagnostic messages don't tell me what I'm supposed to do.  It's no wonder that 'normal' folks are shutting off Windows update after patches that "break things" they don't understand, after WGA is shot down on their boxes without any communication ahead of time of what it's doing and any number of myriad things that they don't want to deal with.  Technology should work... and one of the most annoying things about when it doesn't is that even us geeky folks get frustrated with it.  And if we... okay ... if "I" get frustrated, it's no wonder others do too.

 

Just today in fact -- this was posted to the 2k3 newsgroup:

 

Is there a list of SBS2003 upgrades/patches - one that shows which upgrades had problems and required patches?

The last upgrades installed - we let the automatic windows installer do it and that messed up our computer.  Cost us much time and money to undo it. We are just learning this system and are uneasy about the upgrades.  We know they are critical, but we don't want to paralyze our system again.

I just checked online with Windows upgrade, and they are recommending 15 upgrades to our SBS2003.  How do I know which ones won't be an issue?

Any advice is most welcome!

Thanks.

 

I hated to tell that poster that once he flips over to Microsoft Update he's got lots more patches to deal with.

 

Nick (who I had the pleasure of meeting with at SMBnation this year) had a great blog post about their patch process. That's a pretty cool way to deal with patch issues: build your own knowledge base in a firm.

Have you thought about building a patch database for your clientele?

How to set size limits for messages in Exchange Server:
http://support.microsoft.com/?kbid=322679
Exchange 2000 Server and Exchange Server 2003 Message Restrictions:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/Message_Restrictions.mspx
An e-mail message that is larger than the sending message size limit or the receiving message size limit is not delivered:
http://support.microsoft.com/?kbid=298572

The Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 global message delivery options Sending message size and Receiving message size do not provide the functionality that you might expect based on their descriptions.

Note If you have configured a size limit on either the Send or Receive sizes in global settings, the More Restrictive limit applies to both incoming and outgoing e-mail messages.

...interesting.. I did not know that...

Posted Mon, Sep 18 2006 11:56 by bradley | with no comments

Alert on DOMAIN at 9/17/2006 10:13:55 PM

The server restarted. If this event was not planned, check the Server Performance Report and Event Logs for information that can help explain the event.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

------------

That's the sign that the server has been patched for Patch Tuesday.  But notice that I didn't patch on Tuesday, nor on Wednesday, nor on Thursday and not even on Friday?  Why?

Because I looked at them and checked the risk...

So based on that, I knew I could wait and patch when I had the best patch opportunity.

Down at the bottom of each post now is a "Share this" feature that you can now email or link to a tagging service posts on this, or any other blogger on this site.  Thanks to Brian Desmond (who has his own blog but the blog posts also cross post to here) for the help in fixing it up after I screwed it up a smidge.... for those that caught the blog during the slight 'error' window, yes, I custom edited that error message as you can see here.

 

Posted Sun, Sep 17 2006 21:12 by bradley | 1 comment(s)

So what's that you ask?

It's staged paranoia is what it is.... the RWW-Guard interface will add two factor authentication to SBS's Remote Web Workplace interface... so like why is that so cool?

You want to add more security to that Administrator account?  You set up that server so that only the Admin accounts have this one time password, you point the radius server back to the var/vap office and you can manage the administrator account access easier when your technicians come and go.  In these days where CPA firms are requiring confidentiality agreements...that's really cool to be able to pick those users that need a smidge more paranoia.

So try it out this weekend of beta testing if you are a beta tester...otherwise stay tuned for a public release opening up on Monday

And see how you can just add paranoia to the Administrator account and decide the risks to other accounts.  Pretty cool, huh?!

Posted Sun, Sep 17 2006 14:29 by bradley | with no comments

Microsoft Watch reports that Microsoft and Disneyland are planning a House of the Future.  NPR had a program on in the past talking about Microsoft's home of the future on the campus.  For those that know that I'm a Disneyland nut, you'll probably not be surprised that I can tell you exactly where the foundation is for the old Monsanto's House of the Future which is still in Disneyland next to the Ariel's Grotto. Sounds like the current plan for Microsoft's House of the Future is in the Innovention building ...the old Carousel of the Future location.

I still remember the Carousel of the Future ride, it's one of those rides like It's a Small World where the song gets stuck in your brain.  I hope that the rumors are true that the WDI gang get their way and the Carousel of the Future comes back.  It was a fun ride.

Oh yeah.. my sister also owns a Herbie the Love Bug as well.  We're definitely Disney fans.

 

Posted Sun, Sep 17 2006 10:47 by bradley | 3 comment(s)

http://shavlik.typepad.com/

Mark Shavlik of Shavlik, the patch management and spyware company (whose company provides a great resource for the www.patchmanagement.org listserve) blogs.

I did not know that...

Posted Sun, Sep 17 2006 0:40 by bradley | with no comments

Apparently everyone is into Beta testing this time of year.... but just a reminder just like Susanne says, make sure you hit that "Dr. Watson" feedback when it prompts you and when an installer does something dumb... like the SCE 2007 beta that apparently doesn't like to have spaces in the password... make sure you bug it.  So far the early reports from the beta testers of SCE in the smbmanagedservices yahoogroups are that it's getting stuck on installing SRS on SBS.  It sounds like the CRM issue we've had.

Already the SCE blog is noting some of the issues they've found -- http://blogs.technet.com/caseymck/archive/2006/09/11/455424.aspx 

Also check out their WIKI for more tips -- http://sce.editme.com/

P.S.  the next time Susanne says she's not technical can someone go hit her?  (nicely, of course)

Posted Sat, Sep 16 2006 23:17 by bradley | 1 comment(s)

0x80070057

I'm getting really tired of that error code.

Okay got the emulator set up including putting certificates on it for my server (and use the PocketPc image and not the smart phone as it's in an "unlocked" state so you can use the "shared folder" option in the emulator to then get the cert on the device).  Place another person's info into the emulator and it syncs just fine.  Put mine in and I get the following:

And googling only gets me...

If you are seeing error: 0x80070057 this is because (it appears) BY DEFAULT the Microsoft Exchange Server – Active Sync has no READ Permissions be sure to Enable READ permissions

Okay thanks folks but other phones DO work so it's not read permissions.... so I kicked up verbose logging on the emulator and I notice that not only is it doing an active sync with my inbox ...it's also hitting my RSS feed folder....

...and then it hits me what's doing it....

THAT STUPID RSS FEED FROM THE SITE ALLBUSINESS.COM SCREWED ME UP

Okay so a few days before SMBnation, the RSS feed for Allbusiness.com had really funky codes up in the subject line.  So much so it was taking two lines on the RSS reader.  I didn't think anything of it at the time.  But those funky codes were what was causing activesync to fail.  Once I deleted the subscription to Allbusiness.com's RSS feed, my syncing is now working.

Because that header was in my folders... I couldn't sync.....

So if anyone else has any weird sync issues... check your RSS feeds or weird emails in your inbox.... because it might just work after you delete that RSS feed/folder/email.

http://blogs.technet.com/kevin_beares/archive/2006/09/15/456685.aspx

Okay so all of us who want to make finding resources easier... now's your chance to tell Kevin how to do just that. Besides beta testing ...this is the second best way to have impact on SBS... on how people find things.

Take 5 minutes out of your Saturday (or Sunday if the clock is there already where you are) and help guide how people find stuff.

Want to have impact?  Give Kevin some ideas of what you think needs to be done to that resource page.

Posted Sat, Sep 16 2006 10:59 by bradley | 1 comment(s)

Issue Description:

A driver is installed that causes stability problems with your system. This driver will be disabled. Please contact the driver manufacturer for an update that is compatible with this version of Windows.

Contact Information:

Web Site:
http://go.microsoft.com/fwlink/?LinkId=26320

I appreciate that you want to protect me ...but right now I just want to get an emulator to install so I can debug my phone okay? I was just going to do the version 3 from Peter's post but now I think I'll have to use the version 5 from Chris's.

Posted Fri, Sep 15 2006 23:39 by bradley | with no comments

D&H had these at SMBnation --

SBS 2003 SKUs

OEM-System Builder

  • OEMSBS2K3SR1PK - OEM SBS 2003 Standard w/ SP1
  • OEMSBS2K3PR1PK - OEM SBS 2003 Premium w/ SP1
  • OEMSBS2K3R2S1PK - OEM SBS 2003 Standard R2
  • OEMSBSK23R2P1PK - OEM SBS 2003 Premium R2

Open Business

  • T7201675 - Open Business SBS 2003 Standard R2 license only
  • T7200111 - Open Business SBS Standard License and Software Assurance
  • T7501529 - Open Business SBS 2003 Premium R2 License only
  • T7500144 - Open Business SBS 2003 Premium R2 License and Software Assurance

Open Value

  • T7200882 - Open Value SBS Standard License and Software Assurance
  • T7500927 - Open Value SBS Premium License and Software Assurance

Now I'll be honest with you.... I like the three year SA plan for a couple of reasons.

  1. It's the only one that will let you spread the payments over three years
  2. It's the only one that sends you the media automagically (which is really nice, no digging up sku codes to call about)
  3. It gave me a bit more breathing room to 'catch' the R2 upgrade.  If I had done 2 year software assurance I would have not gotten any upgrade during that two year window.  Thus a three year SA gives some 'sliding room' for Longhorn.

Well my Audiovox stopped syncing right before SMBnation and no matter what I did I couldn't get it to sync, so I said I'd deal with it after SMBnation....well I'm dealing with it tonight... or more like it's dealing with me.  So I called PSS support ensuring that I called before 6 p.m. when the business critical only kicked in and I went down all the steps that I'd done to troubleshoot and rattled off all the error messages I was giving.... so he wanted to fire up the emulator and see if he could connect.

"So can you provide me with your credentials".

and I said.... uh... hmmmmm...... lemme go reset that password....

In the State of California we're seeing that CPA firms are being mandated by their Insurance companies to have a confidentiality clause in their managed services contracts.  When it comes to allowing remote access by support personnel there's a couple of cardinal rules to live by

  • Never give them your real password.  If you are like most folks, you have passwords that are variations of main passwords.  So if you go give them your REAL password, be prepared to reset it and never use that variation again.  I went in and set the password to a real sucky one for a temporary basis and then reset it back to the long strong one when done.
  • Always set up an account with admin rights that you will offer up to remote technicians that is not your main admin account, not the built in admin account, and one that you only enable for them and then disable once they've hopped off the box.  Reset the password on that one as well.  You want to ensure that you leave accountability in your log files.  I have a disabled admin account called "Msoft".  With a password that I invariably forget what I've set it so I just reset it to what I need.
  • If you are like me and don't set up straight TS access to the web and only do VPN, they do have other ways to 'get on' your box.  If you don't feel comfortable with offering up TS or VPN credentials, they can use things like a remote Office Live meeting session.. it's a little bit awkward and icky for them, but if you are not comfortable, just say so as they do have options.  But at a minimum, if you do give a technician a username and password on the system, the minute you are done, reset the password, disable the account.
  • When troubleshooting a mobility issue and you attempt to test a connection over a non SSL connection JUST FOR TESTING PURPOSES... remind yourself that you have a router between you and the outside world... a router that has port 80 closed.....yup... I was attempting to do a non SSL connection to port 80 and 80 wasn't open to use for debugging purposes.
  • So when the support guy told me to delete the user account and set it back up again.... I sort of went ... uh... hmmm....that's MY account that I'd have to be setting back up again... how about I try a couple of things offline and get back to you?  Bottom line, if something goes beyond what you want to rip out at this time, don't be afraid to stop the process and try more things on your own.  They'll give you a phone number and an SRX to start the case up again with.
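The enable, hand over, disable and reset cycle from the rules above can be scripted so no step gets skipped. This is an added example, not from the original post; it assumes a domain controller with the ActiveDirectory PowerShell module and Security event ID 4624 (Windows Server 2008 R2 or later, not stock SBS 2003), and reuses the post's "Msoft" account name. The function names are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module and a pre-created,
# normally disabled admin account dedicated to outside technicians.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Bytes = 24)
    # 24 bytes from the OS CSPRNG -> 32 Base64 characters.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    # Fixed suffix guarantees upper, lower, digit and symbol for complexity policy.
    return [Convert]::ToBase64String($buf) + 'aA1!'
}

function Open-SupportSession {
    param([string]$Account = 'Msoft')
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # Set a one-time password first, then enable the account.
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword $secure
    Enable-ADAccount -Identity $Account
    # Returned so the one-time password can be read to the technician.
    [pscustomobject]@{ Account = $Account; Password = $plain; Opened = Get-Date }
}

function Close-SupportSession {
    param([Parameter(Mandatory)]$Session)
    # Disable first, then reset so the password the technician saw is dead.
    Disable-ADAccount -Identity $Session.Account
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Session.Account -Reset -NewPassword $secure

    # Accountability: successful logons (4624) by that account since it was enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Session.Opened } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -eq $Session.Account) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    LogonType = $data['LogonType']
                    Source    = $data['IpAddress']
                }
            }
        }
}

# Usage:
#   $s = Open-SupportSession              # read $s.Password to the technician
#   ... technician does the work ...
#   Close-SupportSession -Session $s | Format-Table
```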

So Vlad came up with an excellent debugging suggestion... I knew that others in the office were still syncing just fine...just not mine.  And in the IIS log files he couldn't see the phone hitting the server.  I also knew that just today I had totally swapped phones, switching SIM cards, taking them back to fresh out of the box phones, reinstalling the cert and starting all over again and when I moved another SIM to my old phone, that ActiveSync worked just fine.  But the Sync still got stuck on the 'new' phone.  So we knew the issue wasn't physically connected to the device.  I also tested that the phone could get out to the Internet.  So Vlad said "why don't you sync to another person's mailbox that you know is syncing just fine" and still the same errors, the same messages.

We think now the phone's SIM card has gotten horked up.  I have my other cingular aircard for the computer that has a chip, I may go home and try that to see if the phone still screws up.

Error messages are 0x80004005, 0x80070057

.....sigh... synchronization failed....try again later..  Yeah I think I'll pack it in for the night.  I think I'll fire up an emulator at home and just make sure it is the SIM card...or at least appears to be.

..... I want my phone back .... I miss my email on my phone.... my poor little phone... sigh

P.S. KB to keep in one's pocket http://support.microsoft.com/kb/330463/EN-US/

Posted Fri, Sep 15 2006 20:32 by bradley | with no comments

We've been chatting about an issue that we've been seeing (and posts like Vlad's allude to) that rebooting sometimes doesn't ...or other patch issues that may be an issue to your remote clients.  We're seeing that the reboot mechanism in Microsoft update... well.. it just isn't... and when the server doesn't come back, you have to madly attempt to get back into a workstation to send it a remote reboot command.

Remote into an internal workstation, and issue "shutdown -r -t 0 -m \\servername"
-r = reboot
-t 0 = timeout of zero
-m = name of remote machine you want to reboot (in this case the server)

Some are recommending ILO cards to be able to get on that box no matter what.

But I think all these workarounds and hacks we are doing to get into the box after Patch Tuesday point to an underlying issue with MU's reboot mechanism that isn't getting looked into.

What about you?  You seeing this issue on Servers and Workstations?

A Windows Server 2003-based terminal server stops responding to new connection requests, and the logon window does not appear:
http://support.microsoft.com/?kbid=923630

I just called the 1-800-936-4900 phone number and got this because we've been noticing this issue occurring annoyingly on our SBS boxes.

Call and get that hotfix -- if you are international, call your local Microsoft location.

When ISA Server 2004, Standard Edition receives lots of requests, the program stops responding to requests:
http://support.microsoft.com/kb/922946/
Why Exchange Server 2003 will not run on the x64-based versions of Windows Server 2003:
http://support.microsoft.com/?kbid=924046
A memory leak may occur when you use ISA Server 2004 to publish a Web site that uses link translation:
http://support.microsoft.com/?kbid=922790
You receive a blank page when your Web browser submits a POST request to an ASP Web site over an ISA Server 2004 access rule that requires client authentication:
http://support.microsoft.com/?kbid=922851
A message remains unsent in the Outbox folder when you try to send a message in Outlook 2003:
http://support.microsoft.com/?kbid=924788
The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1:
http://support.microsoft.com/?kbid=923836
Error message in Windows Server 2003: "STOP 0x000000D1 (fe320000, 2, 0, b988bc11) DRIVER_IRQL_NOT_LESS_OR_EQUAL":
http://support.microsoft.com/?kbid=924703
You experience intermittent communication failure between computers that are running Windows XP or Windows Server 2003:
http://support.microsoft.com/?kbid=904946
When you start a Microsoft Windows Installer (MSI) installation in Windows Server 2003 by using Msiexec.exe, you may receive an error message: "Error 1303":
http://support.microsoft.com/?kbid=924876
In a dual-boot configuration, Windows XP does not start if you subsequently format or delete the partition on which Windows Vista is installed:
http://support.microsoft.com/?kbid=922809
FIX: EAP reauthentication may not occur and the Wireless Zero Configuration service may not work correctly when you try to use a third-party application in Windows XP:
http://support.microsoft.com/?kbid=923154
A program that uses Internet Explorer to show an MPEG movie may stop responding on a computer that is running Windows XP:
http://support.microsoft.com/?kbid=921619

 

(remember all of this good stuff is in the Microsoft partner managed newsgroups)

RECENT ISSUES AND TROUBLESHOOTING TIPS
-----------------------------------------------------------

ISSUE
-----------
.Net Framework 2.0 installation broke SBS websites. Got the following error
message when trying to access companyweb on the SBS Server Console:

Server Error in '/' Application
Runtime Error
Description: An application error occurred on the server.

CAUSE
--------
1. All Windows Small Business Server Website and Virtual Directories work
only with .Net Framework 1.1 and are not supported with 2.0
   - Default website
   - Exchange (OWA)
   - Remote (RWW)
   - ActiveSync
   - OMA and all
   - Companyweb
   - SharePoint Central Administration
   - Microsoft SharePoint Administration

2. When installing .NET Framework 2.0 on Windows Small Business Server, all
the websites are automatically switched to use .Net Framework 2.0 which they
are not intended to work with.

RESOLUTION
---------------
1. Uninstalled .Net Framework 2.0 but all the other websites except Default
Website were still broken and were switched to .Net Framework 2.0.
2.  Followed instructions in KB Article # 871149:

871149    The version number that is in Site Settings is not updated to
6.0.2.6361 after you install Windows SharePoint Services Service Pack 1
http://support.microsoft.com/default.aspx?scid=kb;EN-US;871149

cd /d %commonprogramfiles%\Microsoft Shared\Web Server Extensions\60\Bin
stsadm -o upgrade -forceupgrade


3. All the web sites started working.
4. Installed .Net Framework 2.0.
5. Checked all SBS 2003 websites to make sure they are working on .Net
Framework 1.1 from the properties of every website and Virtual Directory.
6. Tested all the websites (RWW, OWA and Companyweb) they worked normally

(RWW, OWA and Companyweb should be on .Net 1.1.. check their version after you've gone to Microsoft update)


ISSUE
-----------
One client workstation cannot join into the domain. Error is the domain
controller cannot be located.

CAUSE
--------
Norton Internet Security was blocking the traffic.

RESOLUTION
---------------
Disabled Norton Internet Security and machine successfully joined to the
domain.




ISSUE
-----------
If you restart Windows Small Business Server 2003 the server may boot to a
gray screen and appear to be hung. The server may respond to a ping but you
cannot access it any other way.

CAUSE
--------
CA Antivirus signatures 303.3.30.52 and 303.3.30.54 identify lsass.exe as a
virus and delete or quarantine the file depending upon client configuration.

Link the CA website regarding this issue:
http://supportconnect.ca.com/sc/kb/techdetail.jsp?searchID=TEC405236&docid=405236&bypass=yes&fromscreen=kbresults

The issue is that lsass.exe is being identified as infected and quarantined.

RESOLUTION
---------------
We need to recover lsass.exe. You want to get LSASS.EXE with the SAME
Service Pack version that was on the system; we can try copying it from
DLLCACHE (if still present) as outlined in the steps below.
Please note the following if you have OEM media: You might not be able to boot
into the recovery console with the OEM media, if this is the case, please
use different media to boot up to the recovery console, such as Windows XP
SP2 CD.

Method 1:
a) Boot to Recovery Console.
b) Enter the number for the install you want to log on to.
c) Enter the LOCAL Administrator password for this machine.
d) Enter the following commands:
e) Copy C:\windows\system32\dllcache\lsass.exe C:\windows\system32\lsass.exe

NOTE: If you get a "System cannot find file specified" message when running
this command, then it will be necessary to copy LSASS.EXE from a working
machine to a floppy disk or to extract it from a Service Pack and place it
on a floppy disk. If LSASS.EXE can be copied to a floppy disk; you can then
run this command:

Copy A:\lsass.exe C:\windows\system32\lsass.exe

f) Boot to SAFE MODE
g) Disable all the AntiVirus services (use MSCONFIG; go to the Services tab;
click Hide all Microsoft Services; uncheck all the AntiVirus services.)
h) Reboot and update the CA signature

**************************************************************************************************************************************************

Method 1a:
Alternate steps: - This disables the ETrust services through Recovery
Console.
a) Start in Recovery Console
b1) Type the following commands:

1) Disable "realtimeservice"
2) Disable "jobservice"
3) Disable "Etrust Rpcservice"

(If you don't disable it, Etrust will delete it again on reboot).

e) Copy the lsass.exe to c:\windows\system32\dllcache and
c:\windows\system32

NOTE: If you get a "System cannot find file specified" message when running
this command, then it will be necessary to copy LSASS.EXE from a working
machine to a floppy disk or to extract it from a Service Pack and place it
on a floppy disk. If LSASS.EXE can be copied to a floppy disk; you can then
run this command:

Copy A:\lsass.exe C:\windows\system32\lsass.exe

f) Reboot and update the CA signature.

If you are getting ACCESS DENIED when trying to copy from the floppy, do the
following commands on the recovery console:
Set allowallpaths = true
Set allowremovablemedia = true

If this does not help, sometimes using the XP SP2 recovery console helps
(You will need the media).

Don't forget to provide your controller drivers when booting up to the
recovery console if needed. You can usually tell you need them if when you
get to the recovery console you are not prompted for a Password.

Other means of getting the right version of LSASS.EXE:
1.  Extract lsass.exe from a Windows CD (with the appropriate service pack
level).
2.  Copy the file from a server that is not experiencing the issue and is at
the same SP level.  (lsass.exe is only 13KB in size so it will fit on a
floppy)
3.  If you did a parallel installation then you can service pack it if
necessary and then copy lsass.exe from the parallel installation.

IF RECOVERY CONSOLE CANNOT BE USED, it may be necessary to place a parallel
install on the system to get in.

Note 2:  If lsass.exe has been removed from c:\windows\system32\dllcache you
will need to copy it to both c:\windows\system32 and
c:\windows\system32\dllcache


ISSUE
-----------
Scenario:

{LAN}==={SBS}=={Internet}==={Remote VPN Client}

SBS domain name: sbs.local
Remote VPN client domain name: remote.local

For example, on the DNS Server at the SBS side, we create a new zone which
is authoritative for aol.com, and then add some A records in this zone for
internal usage:

www.aol.com 192.168.1.1
login.aol.com 192.168.1.2

From the LAN clients within the SBS network, they can resolve www.aol.com
and login.aol.com without issues.
When remote clients VPN into the SBS Server, they get an IP address in the
192.168.1.x IP segment and the DNS/WINS address is pointing to the internal
IP of the SBS box which should be correct. The binding order for [Remote
Access connections] is also moved to the top. However, when they launch
nslookup and try to resolve www.aol.com and login.aol.com, they found that
the name resolution is performed by their LOCAL DNS Server (not the SBS one)
and these two addresses are wrongly resolved to the public IP address.

Note: There is an exception in this sample: the VPN client is still ABLE to
resolve the sbs.local domain name. Although the VPN client will first use
its local DNS Server for name resolution, the local DNS Server will fail to
resolve sbs.local (it's not a valid public domain name). After that, the VPN
client will try resolving this name using ALL the preferable DNS servers
assigned on ALL the network adapters, which means the SBS DNS Server
assigned on the PPP adapter will still have the chance to resolve this name
but the user may experience a little delay.

CAUSE
--------
This is a known issue in Windows 2000/XP Pro.


RESOLUTION
---------------
On the VPN client:
1. Click Start, click Run, type regedt32 in the Open box, and then click
OK.
2. Click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
3. In the right pane, double-click Bind.
4. In the Value data box, select the "\Device\NdisWanIp" item, press CTRL+X,
click the top of the list of devices, and then press CTRL+V.
5. Click OK, and then quit Registry Editor.

Related KB:
Cannot Change the Binding Order for Remote Access Connections
http://support.microsoft.com/kb/311218/en-us
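
The registry edit in steps 2 to 4 above can also be done from an elevated PowerShell prompt on the VPN client, with a check that the entry is not already first and a backup of the key. This is an added example, not part of the original newsgroup digest; the function name and backup file name are hypothetical.

```powershell
# Added example. Edits the same Bind value (REG_MULTI_SZ) that steps 2-4 change by hand.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$entry = '\Device\NdisWanIp'

function Move-BindEntryToTop {
    param([string[]]$Bind, [string]$Entry)
    if ($Bind -notcontains $Entry) { throw "$Entry is not in the Bind list" }
    # Entry first, every other device kept in its existing order.
    [string[]]$result = @($Entry) + @($Bind | Where-Object { $_ -ne $Entry })
    return ,$result
}

[string[]]$bind = (Get-ItemProperty -Path $key -Name Bind).Bind

if ($bind[0] -eq $entry) {
    "$entry is already first in the binding order; nothing to change."
} else {
    # Export the key first so the original order can be restored with 'reg import'.
    $backup = Join-Path $env:TEMP ("tcpip-linkage-{0}.reg" -f (Get-Date -Format 'yyyyMMddHHmmss'))
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage' $backup | Out-Null

    [string[]]$new = Move-BindEntryToTop -Bind $bind -Entry $entry
    Set-ItemProperty -Path $key -Name Bind -Value $new -Type MultiString

    "Backup written to $backup"
    "New binding order:"
    $new
}
```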
