THE OFFICIAL BLOG OF THE SBS DIVA

http://msmvps.com/blogs/bradley/archive/2008/07/25/how-many-of-you-have-sbs-monitoring-reports-that-as-of-lately-have-gotten-a-little-funky.aspx

For all of those folks that have had "funky" monitoring reports since about mid July on your R2 boxes, I want you to try on a box or two the following test:

If you're on WSUS v3, try running the server cleanup wizard from within 
'options' in the WSUS console. Only tick the first box (deselect the rest, 
for now), and be warned, this could take 24 hours (or more) to complete so 
just let it go.

See if the monitoring report works after the cleanup. You can also select 
the other boxes on a subsequent run of the cleanup wizard.

-- 
Les Connor [SBS MVP]
________________________
Get the SBS BPA here:
http://support.microsoft.com/kb/940439/en-us

You 'can ' do less than 4 gigs....

About 3.5 gigs in fact... and you can do less than 60 gigs... but it looks like it's 3.5 gigs on the SBS 2008 and 50 gigs on the hard drive are the "real" minimums.

BIND
CVE-ID:  CVE-2008-1447
Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.4, Mac OS X Server v10.5.4
Impact:  BIND is susceptible to DNS cache poisoning and may return
forged information
Description:  The Berkeley Internet Name Domain (BIND) server is
distributed with Mac OS X, and is not enabled by default. When
enabled, the BIND server provides translation between host names and
IP addresses. A weakness in the DNS protocol may allow remote
attackers to perform DNS cache poisoning attacks. As a result,
systems that rely on the BIND server for DNS may receive forged
information. This update addresses the issue by implementing source
port randomization to improve resilience against cache poisoning
attacks. For Mac OS X v10.4.11 systems, BIND is updated to version
9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version
9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this
issue.

Run a Mac? Go patch your DNS

Patch your Macs

The main issus with DNS is not so much if YOU have patched, but rather if your ISP and all their upstream servers have.

http://blog.metasploit.com/2008/07/on-dns-attacks-in-wild-and-journalistic.html

HDMoore's Austin ISP of AT&T didn't patch in a proactive manner.  If you are holding back on the patches on your SBS box for fear that they will have issues, we know the known issues (see http://blogs.technet.com/sbs). 

But please take mitigation action.  Consider flipping to opendns.org as your forwarders, stop and restart your DNS services.

Let's see if we recognize anyone on these lists:

MSPmentor 250 Managed Service Provider Experts, Part I | MSPmentor:
http://www.mspmentor.net/mspmentor-250-part-i/

Stuart Crawford who just released a free pdf on dealing with change http://blog.itsuccessmentor.com/2008/07/connecting-the-dots-to-business-success.html

MSPmentor 250, Part II | MSPmentor:
http://www.mspmentor.net/mspmentor-250-part-ii/

The MSPmentor 250, Part II of Our Managed Services Expert List | MSPmentor:
http://www.mspmentor.net/mspmentor-250-part-iii/

Amy Luby and Matt Makowicz, Curtis Hicks

MSPmentor 250 Managed Service Provider Experts, Part IV | MSPmentor:
http://www.mspmentor.net/mspmentor-250-part-iv/

Karl Palachuk

MSPmentor 250 Managed Service Provider Center | MSPmentor:
http://www.mspmentor.net/top-250-people/

Check it out

The Old New Thing : When I double-click an Excel spreadsheet, Excel opens but the document doesn't:
http://blogs.msdn.com/oldnewthing/archive/2008/07/30/8790272.aspx

So exactly why would one check the box that tells Excel  "Ignore other applications that use Dynamic Data Exchange", that ends up screwing up Excel's open up the file and Outlook opening up an Excel file?

Because when your Word based document that had an Excel linked file kept freaking out with an error message saying "a document with the name is already open" that's the exact instructions that I googled on a post somewhere...

Two days later when the guy couldn't open up and preview an Excel attachment in Outlook and I googled on that error I realized that the fix for one problem created a much larger one.

We now live with the Word/Excel link document warning.

The amazing thing about this issue is that it googles all the way back to like Excel 97...and we're running Excel 2007.

Oh yeah there was some other registry hack thingy I tried as well.. but bottom line if you wondered why anyone would do that "ignore DDE" it's because site tells you that it's what you need to fix another issue.  Trust me, it doesn't.  It makes another issue.

We temporarily interrupt this SBS themed blog to bring you the MINI post of the week .... okay lately more like day:

http://msmvps.com/blogs/bradley/archive/2008/07/29/back-at-ya-andy-and-ron.aspx

To answer Ron, to bring the newbies up to date, I ordered my MINI Cooper around July 5th.  I went to the MINIUSA.com web site and 'built' my baby and then took it to the Crevier MINI dealership in Santa Ana, California. 

It will look like that.  It's been built and is Southhampton awaiting a ship from England to Oxnard, California.  It's the MINI Cooper S with the Hardtop.  My Sister got the convertible.

Once it leaves Southhampton, it will be put on a ship to arrive in Oxnard, California.  It will probably go through the Panama Canal but not cross the dateline or the equator (which if you talk to the Navy guy in the office means it won't get any unofficial Navy certificates.

After arriving in Oxnard it will go to the MINI distribution center, get looked over and from there on to Crevier in Santa Ana.

It's Pepper White (due to the heat/sun in Fresno, you want something in a light color....)

With a black contrasting roof with a sunroof (yeah yeah I know that kinda negates the white car factor but I'm planning to get the cab cover to help protect the interior from the heat.

Black stripes, and airconditioning (of course)

It will have those xenon headlights that I hate to be a driver opposite someone who has them (yes they do increase visibility but I still say they glare at other drivers)

The interior will be checkered cloth

I was debating if I would get Checkered rear view mirrors...but thought that was a little bit too much...so I didn't opt for that.

But there you have it.

Oh yeah... have the coffeeMug already... http://www.cafepress.com/minibee/3677483

So on SBS 2008 you want to open up the SBS 2008 monitoring database... okay so "I" wanted to... and when you click on the SQL Server management express you get this lovely error when trying to open up the SQL SBSMonitoring instance.

So the trick is to open up that SQL management tool with Run As Administrator.  Duh.

Okay so because it's clear that I'm lazy and can't remember which ones RunAs and which ones don't, I want to build a shortcut on the desktop that prechecks that.  Start, Programs find the SQL management program and right mouse click and "send to" "desktop, create shortcut" as the first step.  Now that we have the icon on the desktop.

Right mouse click on it and in the Compatibility tab, click on Run As Administrator and Apply

Now when you click on the ICON you will get a UAC prompt

And once you do that you can log into SQL instance for the SBSMonitoring

Remember the Forefront console needs this as well.

So if at first you get an error, try Run As Administrator.

http://blog.sbs-rocks.com/2008/07/29/the-mini-wars/

Andy and Ron are just going to have to wait to see.  Yes, personalized plates have been ordered.

Virtualization and Security: What Does It Mean for Me?:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=991

The Spy Who Hacked Me!:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=990

A Hackers Diary: How I Can Hack Your Vulnerable Services and How You Can 
Stop Me:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=989

Windows Security Boundaries:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=993

Windows Logins Revealed:
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=995&PUID=00014C00CFAE8A04 

A source that I really like is the EMEA web site that puts up some of the videos from TechEd and other Microsoft venues.  
The security ones are obviously some of my favs.  So sit back, get comfy, be in Air conditioning rather than sweaty humid Orlando and enjoy.

Aaron Stebner's WebLog : Link to System Update Readiness Tool for Windows Vista that can help fix Vista OS update install errors:
http://blogs.msdn.com/astebner/archive/2008/07/28/8786504.aspx

That's a keeper of a post.  If you have issues installing patches on Vista, check that out!

Windows Vista Team Blog : Windows ‘Mojave’ Video Posts:
http://windowsvistablog.com/blogs/windowsvista/archive/2008/07/29/windows-mojave-video-posts.aspx

"We did not use some geeked out or custom built PC. We used an HP Pavilion DV2500. It had 2GB of RAM and was running an Intel Core 2 Duo CPU T7500 @ 2.20GHz. The OS was a 32 bit version of Windows Vista Ultimate. "

We have that same model of laptop that we use as a floater at the office.  It is a very peppy little machine.

I've probably posted ranted about .NET before but a post in the newsgroup makes me revisit this.  The gentleman installed SBS sp1 and at the end of the install it had flipped the default web sites to .net 2.  I can't remember if sp1 includes .net 2 ( I thought it was in R2 that .net2 is in there) but regardless, run the www.sbsbpa.com afterwards to ensure what .NET version you end up with.

Anything hooked on to the IIS "default web site" should be on .net 1.1.4322

Okay so here's an interesting tidbit... WSUS 3 needs .net 2.0 http://technet2.microsoft.com/windowsserver/en/library/912b37d7-021e-4c95-b317-49dd15b4611c1033.mspx?mfr=true

but on my box, WSUS Administration is on 1.1.4322, Self update is on .net 1, but Inventory and content is on .net 2.0 on my box.  Hey it's working, I'm not complaining.

SharePoint V2 (default to SBS 2003) is on 1.1.4322

SharePoint v3 will want .NET 3.0 http://blogs.technet.com/sbs/archive/2006/11/30/wss-v3-0-installation-on-sbs-2003.aspx

So if you have SBS 2003 R2 with SharePoint v2 adn v3 in a side by side install, you will have .net 1, 2 AND 3 all on one box, all there happily until you go to install Service Packs.  When .net offers up a .net Service pack the question has been asked of me when should one approve it and install it.

My answer:  When I"m in a really really really calm, zen mood, which obviously doesn't happen often.  With .net they tend to be troublesome so just be mentally prepared that they will barf and then when they don't be very pleasantly surprised.  If you get stuck you can always use Aaron's tool to rip them out and reinstall them.  http://blogs.msdn.com/astebner/archive/2006/05/30/611355.aspx   Okay yes I'm overstating the issue here, but with service packs and patches the idea that they will get magically "fixed" my Microsoft when the .net issue is with your machine, I guess what I'm saying is that this idea that all patches all the time will be perfect and with no issues and we'll all have happy servers is not reality.  We have crusty boxes with third party software that is always like your College professors that thought they were the only people that gave you assigments so you ended up coming out of classes going "will I ever finish these lab assignments!"

The right time to deploy .net service packs is when you are prepared to handle issues with them should they arise.  Be prepared to uninstall the .net specific instance and reinstall it.  Be prepared that installing a new .net version may want to flip the older ones to the new ones.  Sometimes this happens.  Run www.sbsbpa.com after each service pack would be my best recommendation.

But bottom line be prepared.

Seriously, why should you? 

When the 'Wisdom of Crowds' turns on itself: IMDB Edition | The Web Services Report - CNET News.com:
http://news.cnet.com/8301-13515_3-10000650-26.html

Whenever I get asked to give feedback, the first concern I have is am I the right person to be the sample for that vendor.  It concerns me sometimes that vendors are listening to the wrong voices.

Like the article above showcases, should folks listen to the vocal minortiy rather than the silent majority?  The web breeds a lot of "peer pressure" keeping up with the Scobles mentality and sometimes we all have to step back and realize that the stuff that bubbles up on the techmeme top list is from a bunch of folks, running dot com firms funded by other people's money, tech sites that need your eyeballs, and Silicon Valley folks that never did live in the same business world as the rest of us folks. 

Beware of listening to what you think is the crowd, because it might not be the feedback you need for your business, your area of the country or world, and your needs.  Sometimes the people making the noise are a small subset and not what's real for you.

So yes, that means that sometimes you should disagree with me because you don't live where I live, deal with the issues I see, work with the clients I do.  Just be aware of that and always, make up your own mind from the input you get from the local community around you.

Vista, 2 weeks on...... - Nick Whittome - The Naked MVP - MSMVPS.COM:
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/28/vista-2-weeks-on.aspx

I first saw Nick's post and then this Vista tuning PDF:

http://download.microsoft.com/download/2/8/8/28869476-67ec-4bec-a8f7-1ded39d3f161/Windows%20Vista%20Performance%20and%20Tuning%20-%20Final.pdf

Read that PDF.  It seems to me that if they can build a crash analysis wizard,  I agree with Nick that they should be able to build some sort of wizardy page or tool that can run consumers through a checklist of reviewing things to optimize Vista.

It's nice that they did put this document together of things to do and check.

Making configuration changes that help a computer feel more responsive when you use it.

 Using hardware to boost the actual physical speed of a computer.

 Making configuration changes that help a computer to start faster.

 Making the computer more reliable may help increase performance.

 Monitoring performance occasionally so that you can stop problems before they get too big.

The other day on a standalone NOD32 3 install on shut down I got a blue screen of death.  Using the handy dandy Crash Analysis wizard (from the MDOP suite), it said that the crash was due to NOD32.

Nice!  So the very thing that I use for protection nails me.  I'm not yet ready from a risk analysis standpoint to pull of a/v from that particular machine, but it's getting to the point that I'm not "sold" on any one vendor these days like I used to be.  And lately all of the new products get increasingly "weighty" on an OS. 

We consider Norton evil, Trend not as good as it used to be, NOD32's version 3 certainly not as good as version 2.7, I mean who wants to upgrade these days when the newer version of something doesn't feel as solid as the old stuff?

But Antivirus is not the solid software it once was.  Plan accordingly.

Just a reminder, unless you are like Aaron and have a TAP program client, http://www.varvid.com/2008/07/sbs-2008-rc1-ha.html a release candidate should not be run in production.  If you want to play with it at your office, SBS 2008 rC is near complete, but if you want to go from RC to final RTM you are on your own.

Granted you can follow the SBS 2008 to SBS 2008 migration document to get youself there, but you are on your own and if you get stuck, you won't have any official Microsoft support to get you from RC to RTM.

So the question also came up, if a client needs new hardware RIGHT NOW and you can't put any more duct tape and safety pins on their old server, and you have them buy SBS 2003 on Software Assurance because you know that both myself and Handy Andy will consider you insane if you don't because it's such a good deal right now, how do you get them from SBS 2003 when it's installed on that new hardware and then migrated to SBS 2008 when you get that media when it comes out. 

First off you won't be inplace migrating that as there is no implace upgrade from 32 bit to 64 bit.  So what you will be doing is cloning/imaging/whatevering that SBS 2003 onto some box or laptop or something somewhere (Storagecraft or Acronis come to mind to "hold" that SBS image to have it be there when you start the migration process on the existing box.  That existing box will be flattened and the new OS installed on it.

Read those migration documents for SBS 2003 to SBS 2008 and start writing up your own checklist and cheat sheets.  Where are you going to take images, what supplies will you need (usb 2.0 harddrives), and get ready for what this will entail.

If you want to run a VMware test of SBS 2008 and EBS 2008 just keep in mind for SBS 2008 that while it says 4 gigs it can load up in less than that, you have to click through a warning.  However if you have a 2 gig platform and then plan to put vmware on top of that and THEN the SBS 2008, that's not going to cut it.

I have gotten EBS 2008 up in a 6 gig vmware platform.  What I did was to build each piece with max ram that they needed and then slide them back and starve them for RAM.  It's not pretty.  You'd never ever ever want to do this in real life, but if you want to see what SBS and EBS is like, it is possible...

http://blog.chrisara.com.au/2008/07/sbs-2008-rc1-is-out.html

And like Chris says... download and start reading.

My Dad called yesterday after reading a blog about the fact that they are selling MINI's so fast that they only have about a day's worth of inventory otherwise you need to order a car http://www.autoblog.com/2008/07/22/no-new-minis-for-08-manufacturers-tapped-dealers-sold-out/  Which, IMHO as this blog post attests to (http://www.jwardell.com/mini/2006/10/05/tracking-an-ordered-mini/) , I think it's way more fun to track the progress of the automobile in route.

As newspapers are indicating that they are having to change to compete, when even my Dad now has an Auto blog that he's following, you can tell this is a changing world in how we get our information. 

Not to mention... a newspaper article comparing the driving of a go-kart against a MINI just doesn't have the same impact as when you see the visual: http://www.autoblog.com/2008/07/22/video-mini-clubman-vs-go-kart 

But for all that visual, is the Internet damaging our reading comprehension?  http://www.nytimes.com/2008/07/27/books/27reading.html?_r=1&partner=rssuserland&emc=rss&pagewanted=all&oref=slogin  I think it is.  I think some of our technology frustrations these days is increased by the fact that we don't read like we used to.  As someone said, the last time they had really good sales from a Technology book was back in the Windows 98 era.  Now we google and expect quick fixes. 

If you have kids do you monitor and limit their time on the web?  Do you take the time (especially this year with all the new products) to devote time to read?  What's the last good book you read? 

When I set up a Vista or a Server 2008 one of the things I do is to "flip" it to be able to manually look at Microsoft Update.  Behind a SBS 2008 (or even SBS 2003) the server will look to the WSUS box for it's patches so it's a little tricky to 'flip' it.

Remember Windows update only gets Windows patches, Microsoft Update gets patches for everything else.  Thus to ensure that when you want to manually scan the box for patches that it scans for all patches, I recommend "flipping" the box to Microsoft Update from Windows update.

Step one...

Click on Windows Update and get to the GUI-ish WU console.

Now you would think that you could "flip" to MU by clicking on that Change settings.. but that's not how you do it.

As you can see, merely going into that setting, there's no ability to flip to Microsoft Update merely in that console

Go back to the "check for updates screen"

And click that "check online for updates from Windows Update

Immediately after doing that, you'll see that you'll get an option to "Get updates for more products"

You get get the EULA

Accept the Terms of Use and click next

The minute you do that, the Server and Vista will now be able to manually run Microsoft Update

And voila.. in addition to being able to get patches via WSUS from the server, your workstations now point to Microsoft update so that you can manually run Microsoft update and confirm patches on your test (or real) boxes.