May 2007 - Posts
Now in honesty there are times that I will get frustrated with my server...but lately it's been due to issues with SP2 rather than anything else.... and there's a couple of lines in this blog post that I just had to respond to
http://wvconfidential.com/wordpress/?p=91
1. Ridiculous reboot times - 30 minutes he says? How about when I reboot my server I have just enough time to visit the ladies restroom before the server is back in operation. Now granted, I'm a girl so there's a bit of primping that goes on (no Vlad not pimping.. primping...you know... putting another spackling of makeup on the face and what not) so that might make my visit to the ladies room longer than the time you guys take in the men's room, but you get the idea. If it's taking 30 minutes to reboot your box, you have a DNS problem, more often than not caused by a poorly set up DNS where you aren't pointing your NICs to your internal IP address. Post an ipconfig /all in that blog and let's see if there's a problem with your DNS configuration. I'll bet there is.
2. Insane complications from having too many SQL instances on one server. SBS monitoring is only supported on msde. And yes, you can just stomp on the msde instances so that the memory stays in check if you are seeing that issue http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx once you do that your instances are happy as little clams. I've never lost a SQL instance by patching a Sharepoint one. Never lost monitoring. Never lost Sharepoint. Never lost a SQL instance period to be honest with you. Now granted in fairness I've not installed SQL 2005 sp2 at this time because I don't install service packs at the drop of a hat and I wait for windows of maintenance and only finally did the SQL come out with the final post sp2 fix up patch, but I've never lost one sql instance due to patching another one? I'd say we need to look at some event logs as to the trigger cause?
3. Completely useless wizards to help average Joes set up their network! Hmm.... sorry I just have to comment about that quip about MSCE type of folks. More often than not it's the big server land folks that balk the most at the CEICW wizard. If you want to do the following all by yourself.. you just go for it.. you can in fact set it up manually by hand if you really wanted to... and in fact if you want to knock yourself out ...here's the list you need to do:
1. Configuring the networking such as ensuring the binding order is correct on the server.
2. Setting the DNS forwarders on the server.
3. Automatic certificate creation.
4. SSL enabling of web sites.
5. Configuring ISA access rules and web publishing if ISA is installed or via RRAS if no ISA.
6. PPPoE dial-up options.
7. Automatic scripting options
8. UPnP device provisioning.
9. Automatic removal of selected e-mail attachments.
10. Configuring Exchange recipient policy.
11. Configuring Exchange POP3 configuration.
and that's all done in under a minute. If you think you can do it BY HAND in under a minute... you just go knock yourself out will ya?
4. The most complicated firewall, ever. You know that CEICW thingy that you wanted to do by hand? Yeah. Go run that. And then the 28 rules will be done for you. Think ISA is too hard? You know we have a girl who's an ISA MVP who doesn't think ISA is complicated.. http://isainsbs.blogspot.com/ but you don't have to install ISA you know. You can choose sonicwall or any other hardware firewall if you like. And the most complicated firewall ever? Ever? I've seen some Cisco Pix and they are no walk in the park there.
So in all of this venting and ranting.. I do have to apologize.. I'm in a mood tonight.. one where I want you to continue to hate SBS. Please. Please hate it a lot. Enough to stop installing it for your customer base. Please just walk away from SBS and start installing Windows 2003 and Exchange and all that separate stuff. Because if you are this closed minded, I don't want you to be installing screwed up SBS boxes for your customers. Stick with something you know and manually set up please. Stick with the parts you are used to. Don't try to learn something new, or try something new, or get out of that routine you are used to. Please, just stay where you are.
I don't want you to touch a SBS box if you've never even once gone to this blog site: http://blogs.technet.com/sbs/
I don't want you to touch a SBS box if you've never visited the newsgroups at http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windows.server.sbs
If you don't know what the Partner managed newsgroups are for SBS on the Partner web site, or never have said "Hi" to Marie McFadden in the partner managed newsgroups, please don't touch a SBS box. Truly, just don't.
In fact, why don't you tell your clients that SBS is a horrible product that they will outgrow and you find it too limiting. Why do I want you to do that? Because if you do you just might have a client like I was about going on six years ago now when the consultants I interviewed said they didn't like SBS. And I knew it was perfect for my needs. Perfect for my firm. And I walked away from the partners in my city that tried to talk me out of it. Because I knew it was a great fit. It's still too good of a value to my business to walk away from SBS. But I walked away from those partners that wouldn't listen to my needs and instead gave me as a recommendation, what they were comfortable with.
Sorry Jason (I think that's your name) .. but you know what.. we can help. Pull up a chair, and let's talk. I still like SBS. It still meets my needs. It still is a good little product and no other released product has Remote Web Workplace goodness (and no, the PFM of beta of Home server doesn't count yet, as it's not a released product) .. No one. And there's still no better way that I've seen to securely and dependably remote into a network.
... and I still have just enough time to visit the ladies room when I reboot my SBS server, so if yours takes longer, how about we start there with an ipconfig /all and go from there, okay?
The email address here is sbradcpa(-at-)pacbell.net You can email me here on the blog as well. Let's talk.
"Help and Support" feature is missing after you install Microsoft Windows Server 2003 SP2 on a computer that is running Windows Small Business Server 2003:
http://support.microsoft.com/kb/937231/en-us
A hotfix is not regression tested.... please do not place it on a production system without a good backup and testing, but I've never had issues with them in my network.
And I called to 1-800-936-4900 (USA) pressed 2 for IT pro and told the phone call person during the AFTER HOURS Biz crit time (hey if Microsoft's going to break my box after hours, I want to fix it after hours) and got the hotfix.
And as you can see... I got it FOR FREEEEEEEEE no charge and at 8 p.m at night. And just to prove I did, here's the SRX email (details munged so you can't get the patch from here you will need to call in yourself and get it)
-------- Original Message --------
CASE_ID_NUM: SRX070531603166
MESSAGE:
Hello,
The hot fix for your issue has been packaged and placed on an HTTP site for you to download.
WARNING: This fix is not publicly available through the Microsoft website as it has not gone through full Microsoft regression testing.
If you would like confirmation that this fix is designed to address your specific problem, or if you would like to confirm whether there
are any special compatibility or installation issues associated with this fix, you are encouraged to speak to a Support Professional in
Product Support Services.
The package is password protected so be sure to enter the appropriate password for each package. To ensure the right password is
provided cut and paste the password from this mail.
NOTE: Passwords expire every 7 days so download the package within that period to insure you can extract the files. If you receive
two passwords it means you are receiving the fix during a password change cycle. Use the second password if you download after
the indicated password change date.
Package:
-----------------------------------------------------------
KB Article Number(s): 937231
Language: English
Platform: i386
Location: (http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/mundgedandallthatjazzbutinterestingit'saSP3fix)
Password: DoyouhonestlythinkIwouldpostthelinkandthepasswordheregetreal!
NOTE: Be sure to include all text between '(' and ')' when navigating to this hot fix location!
Thanks!
I had to laugh about this....
The risk of passwords.... http://www.riskinstitute.org/PERI/PTR/Technology+Risks_LIB_1305.htm and in that document it warns about passwords ....
Are any of them in this list?:
- Asdf
- 1234
- admin
- password
- spooky
- buster
- webster
- machoman
- bootsie
- sparky
- badboy
- qwerty
And today when I was using Elcomsoft.com's QuickBooks password cracking software apparently they thought passwords were too hard for their CPA as they had none.
On the panel and Jeff's ITPro conference I said that folks needed "Engagement letters" and someone asked me what they were. They are basically a letter that limits your liability. I've just now posted up two sample engagement letters. As always, review them, edit them, and take them to an attorney for review.
http://www.conference2007.sbsmigration.com/forum/comments.php?DiscussionID=10&page=1#Item_2
Dear AT&T... I nearly blew off this email as a malware attempt as the subject line read "Reminder: Important Security update" which sounds like the 40,000 other emails I get that say "your system is infected, run this tool that we're hiding bad things inside to clean your system up".
Well you might want to search for this email and read this VERY CAREFULLY as it may impact your SBS domains if you are in the AT&T/Yahoo area.
-------- Original Message --------
Time is running out — update your email settings to help us serve you better
Dear AT&T Yahoo! Member,
We recently contacted you about some important security improvements we're making to your AT&T Yahoo! service. These changes will affect members who send or receive email from a desktop or mobile client program, such as Microsoft Outlook, Microsoft Outlook Express, Eudora, Apple Mail, or Thunderbird.
To help us ensure the security of your email, you will need to change the settings on your desktop or mobile email client program. Please choose one of the three options:
Make the Changes Automatically: To automatically make the required changes to Outlook Express, use the AT&T Self Support Tool.
- If you already have the AT&T Self Support Tool installed on your computer, simply select Cannot send/receive email from the Self Support Tool Main Interface to run an email settings check. When prompted to change your email settings, select Yes.
- If you do not have the AT&T Self Support Tool installed, download it and then follow the instructions above.
Make the Changes Manually: To manually make the required setting changes in Outlook and Outlook Express, please view the detailed instructions here.
Alternatively, you may take the following steps to change the settings on your desktop or mobile email client program:
- Open your email client program.
- Locate the email account settings for your particular client.
- Change the POP server to pop.att.yahoo.com.
- Change the SMTP server to smtp.att.yahoo.com.
- Check the option labeled Use an encrypted connection (SSL) and change the SMTP port to 465.
- Check the option labeled Use an encrypted connection (SSL) and change the POP3 port to 995.
- Confirm the above settings then click OK.
The web-based version of AT&T Yahoo! Mail is not affected by these changes and will continue to be available at http://mail.yahoo.com/.
Thanks for your cooperation.
Sincerely,
AT&T Yahoo! Customer Care
1-800-ATT-2020
© 2007 AT&T Knowledge Ventures, L.P. All Rights Reserved.
Bottom line if you use pop to pull in your email on your SBS network from an AT&T/Yahoo account that got this notification, you will no longer be able to use the Microsoft supplied POPconnector as it does NOT support secure pop. You will need to purchase popbeamer.com or some other third party pop connection program that supports this protocol. Microsoft does not.
Or, even better, move to full SMTP and use www.exchangedefender.com in front of your systems.
If you have Broadcom NICs you might want to look for some driver updates... both Dell and HP are notifying that there are NIC firmware updates.
Your alerts
HP NC-Series Broadcom Online Firmware Upgrade Utility for Windows Server 2003 ver 2.1.0.5B
OpenView Patch Notification (OpenView login required)
Priority: Recommended
Products: HP BladeSystem Dual NC370i Multifunction Network Adapter,HP Embedded NC7761
Gigabit Server Adapter,HP NC1020 Gigabit Server Adapter,HP NC150T PCI 4-port Gigabit Combo Switch Adapter,
HP NC320T PCI Express Gigabit Server Adapter
OS: Microsoft Windows Server 2003,Microsoft Windows Storage Server 2003
Release Date: 05/23/2007
Description: This component contains utilities for the online upgrade of HP NC-Series Broadcom NIC boot, PXE,
UMP and iSCSI code running under Microsoft Windows Server 2003.
HP NC-Series Broadcom Online Firmware Upgrade Utility for Windows Server 2003 ver 2.1.0.5B:
http://r.your.hp.com/r/c/r?2.1.HX.2XR.1LeACe.CnJOt2..T.Efl%5f.25g6.DZIKEZZ0
HP NC-Series Broadcom Online Firmware Upgrade Utility for Windows Server 2003 x64 Editions ver 2.1.0.5B
OpenView Patch Notification (OpenView login required)
Priority: Recommended
Products: HP BladeSystem Dual NC370i Multifunction Network Adapter,HP Embedded NC7761 Gigabit
Server Adapter,HP NC1020 Gigabit Server Adapter,HP NC150T PCI
4-port Gigabit Combo Switch Adapter,HP NC320T PCI Express Gigabit Server Adapter
OS: Windows Server 2003 for 64-bit Ext Sys
Release Date: 05/23/2007
Description: This component contains utilities for the online upgrade of NC-Series Broadcom Gigabit
Ethernet NIC boot, PXE, UMP and iSCSI code running under Microsoft Windows Server 2003 x64 Editions.
HP NC-Series Broadcom Online Firmware Upgrade Utility for Windows Server 2003 x64 Editions ver 2.1.0.5B:
http://r.your.hp.com/r/c/r?2.1.HX.2XR.1LeACe.CnJOt2..T.Efly.25g6.DbROEaT0
So you get this idea that you will install.. say ISA 2004 sp3 remotely... and you get to the end and don't realize that it breaks the network connection and you are stuck as it wants a reboot to finish..what do you do?
Do the trick I learned from a SBSer at Jeff's ITpro conference this weekend.... schedule a reboot for an hour after you begin your Service pack install. That way if you get the machine stuck, in an hour it should force a reboot, get the box back into workable state and you can continue on with what you needed to do.
Kewl idea, huh!
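The scheduled-reboot safety net described above, as an added example that is not part of the original post. It assumes a current Windows Server with the ScheduledTasks PowerShell module (the SBS 2003 box in the post predates it) and an elevated session; the task name and function names are made up for illustration.

```powershell
# Added example, not from the original post.
# Assumes the ScheduledTasks module (Windows Server 2012 or later) and an
# elevated session. Task and function names are hypothetical.
$TaskName = 'SafetyReboot'

function Set-SafetyReboot {
    param([int]$DelayMinutes = 60)

    # Pick a delay comfortably longer than the install itself: a forced reboot
    # in the middle of a running installer is worse than a stuck session.
    $when = (Get-Date).AddMinutes($DelayMinutes)

    $action  = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/r /f /t 0'
    $trigger = New-ScheduledTaskTrigger -Once -At $when
    # Run as SYSTEM so the task fires even when nobody can log on any more.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # -Force replaces a leftover task of the same name from an earlier run.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null

    # Read the task back so you know it is armed before starting the install.
    $next = (Get-ScheduledTaskInfo -TaskName $TaskName).NextRunTime
    Write-Output "Fallback reboot armed for $next"
}

function Clear-SafetyReboot {
    # Call this once the install has finished and the box is reachable again,
    # otherwise the server reboots on schedule whether it needs to or not.
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Write-Output 'Fallback reboot disarmed'
    } else {
        Write-Output 'No fallback reboot was pending'
    }
}

# Typical use around a remote service pack install:
#   Set-SafetyReboot -DelayMinutes 60
#   ... run the installer ...
#   Clear-SafetyReboot
```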
PROBLEM:
==========
Backup and Monitoring part cannot be viewed in server management console
CAUSE:
==========
Insufficient Permission
RESOLUTION:
==========
For monitoring:
---------------
1. Make sure there is no web.config file under C:\Inetpub\wwwroot
2. Correct the permission on C:\Inetpub\monitoring folder
3. Correct the permission on Monitoring Virtual Directory
4. Follow these steps to reinstall Monitoring completely:
I. Uninstall Monitoring
1. Click Start, click Control Panel, and then click Add or Remove
Programs.
2. Select Windows Small Business Server 2003 and then click
Change/Remove. The Setup Wizard appears.
3. Click Next to start the wizard.
4. On the Windows Configuration page, click Next.
5. On the Component Selection page, in the Action column, change
Server Tools to Maintenance, change Monitoring component to Remove, and
then click Next.
6. On the Component Summary page, click Next.
7. Click Finish.
II. Uninstall Microsoft SQL Server Desktop Engine (SBSMONITORING)
In Add or Remove Programs, select Microsoft SQL Server Desktop Engine
(SBSMONITORING) and then click Remove. A dialog box appears. To confirm
that you want to remove, click Yes.
III. Rename the folder
Start Windows Explorer, and then locate and rename C:\Program
Files\Microsoft SQL Server\MSSQL$SBSMONITORING folder to C:\Program
Files\Microsoft SQL Server\Old.MSSQL$SBSMONITORING
IV. Use Registry Editor to delete the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer\Monitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\SBSMonitoring
V. Install the Monitoring component
1. In Add or Remove Programs, select Windows Small Business Server
2003 and then click Change/Remove. The Setup Wizard appears.
2. Click Next.
3. On the Windows Configuration page, click Next.
4. On the Component Selection page, in the Action column, change
Server Tools to Maintenance, change Monitoring component to Install, and
then click Next.
5. On the Logon Information page, click Next.
6. On the Component Summary page, click Next.
7. Click Finish.
For backup:
---------------
1. Check that the C:\Inetpub\backup folder permissions are the same as on the monitoring folder.
2. Check that the backup virtual directory permissions in IIS Manager are the same as on the monitoring folder, except for the IP address and domain name restriction section. In this section you need to make sure that "Denied access" is selected, and that only the server's internal NIC IP address and 127.0.0.1 are in the IP list below:
There are some questions you need to ask yourself...
1. Has the server/client/product ever worked?
2. If so, what changed?
3. What service packs and updates were applied?
4. What are the steps to reproduce the problem?
5. Does it happen the same way on any other systems?
And if you want folks to help out... when you go to forums or other online help venues...
6. Please provide the exact error message with any screenshots, if possible.
...the EXACT error message please!
http://blogs.msdn.com/rockyh/archive/2007/05/23/jesper-johansson-at-tech-ed.aspx
TLC - Securing the Small Business
They've got little money to spend on security, and big demands. Minimal staff and zero tolerance for disaster. The risks aren't reduced because it's a small business. The risk can actually be greater than for a large network. Join us as we look at the unique challenges small businesses face and show you successful methods to help secure them. Securing the small business doesn't need to cost a lot of money!
Saw this TechEd session and had to laugh... some of us have enough budget and reduce our risks better than our big serverland brethren. Some of us down here "get" security. What we do preach about though is not getting caught up in the "you must do this to meet this regulation" when the regulations are murky and not defined.
If you were at the ITPro Conference and heard Grey Lancaster talk about Home server and wanted to check it out you can join the beta via this link
http://forums.microsoft.com/WindowsHomeServer/ShowPost.aspx?PostID=1219741&SiteID=50
...and yes...like Grey said there are indeed some Russian folks that are on the development team... and like Grey said "you know how those Russians can do anything with harddrives".... definitely some PFM going on in that product...
The other day in New Orleans I talked about how I hadn’t changed my patch management strategy in 6 years. Never patch on Patch Tuesday, wait for Dead Body Wednesday and don’t install service packs until later. This “patch management” strategy is the “managed services model”. When I was speaking with an attendee (and forgive me I can’t remember who I was talking to on this) and they said they were installing patches the other day and it was a bit difficult to break them up and know what issues were caused with what patch as they were installing like 64 of them.
“64?” I said, “why so many?” And it was because they were a break fix client they said.
Bear with me here… and I don’t mean to sound like you shouldn’t be aware of the consequences of what I’m about to say, but I would like to throw this out on the table.
If a client is a break fix client, I think you do a disservice to that client to not enable automatic updates. The patching process works the best when you take patches in monthly chunks. Installing 64 patches in one afternoon, if you did have some interaction, you’d never figure out which one of the 64 patches was the one that caused the interaction.
While you could easily argue with me that turning on automatic updates on a break fix client was a disservice to that client, I think NOT enabling automatic updates on a client that you only see once a year is also a disservice.
At a minimum I think you should ensure they sign a document that indicates they know you are leaving with updates turned off and that they understand that they are accepting the risks of that setting.
So what do you think? I think if you don't see that client, that they should take the risk of automatic updates versus the risk of 64 patches in one afternoon. Patches are best consumed in little bits.