[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] October 2008 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

October 2008 - Posts

I was vaklempt today.  I heard that Harry B and Jeff Middleton are going to the UK to tour the home of where my MINI was born.  That's so sweet of them to travel all that way to go to the birthplace of my MINI.

SMB Nation Europe (December 5th, London) open for registration! « SMB Dude:
http://harrybrelsford.wordpress.com/2008/10/21/smb-nation-europe-december-5th-london-open-for-registration/

Oh.  It's not a tour of the MINI Cooper birth center?  It's SMBnation in London on December 5th?  Hmmmm maybe I can twist their arms into swinging by Oxford and Southampton and taking pictures?  You think?

 

 

Posted Wed, Oct 22 2008 18:45 by bradley | with no comments

The other day Dana blogged about the top ten reasons why he'll be moving to SBS 2008 and challenged the rest of us to respond with what we considered our top ten wows.  You can read his top ten here: http://silverstr.ufies.org/blog/archives/001055.html

In his post he said he'll be upgrading as soon as he can. 

So here's my list of the top ten things I'm looking forward to in SBS 2008... but as the business decision maker in my firm I'll be flat out honest and tell you I'm not upgrading as soon as possible to SBS 2008 and I'll tell you why:

Because it doesn't match our technology plan.  We plan for changes in my office.  And I'll be upgrading to SBS 2008 according to our plan.

So here's our technology plan:

Every year we change out at least two to three workstations.  We then move those machines "down the food chain" to others in the office.  A computer stays with a "prime person" at least three years and then it gets moved down the firm.  Our main server (SBS 2003) has been in production since November of 2004 (and I honestly waited too long to put that into production).  I'm getting one more year out of the server hardware until next year as I'm not ready to change out the hardware/software this year.  Why?  Because the window of change is closing down for my firm.  At the beginning of this year I did the very latest change of technology/hardware for workstations that I've ever done.   I deployed two Vista workstations in January as I was ensuring that I'd catch Vista service pack 1.  We've changed out two more workstations this summer and both are 64bit.  In this process of beginning to deploy 64bit workstations, I've also ensured that the printers have 64bit drivers ready to go.  As a SA customer, I'll be getting media in November.  While I'll migrate the home box (after throwing more ram in it) to SBS 2008, the business decision maker/non geek side of my brain demands that I don't do change in my office so close to when we shut down that change window.  End of November is when I wrap up my technology changes for the year.

Now with all that said, here's why I'm planning to deploy it next year, why I'm looking forward to deploying it next year, and why I'm not going to wait until the end of next year and more likely do it during the summer months.  Which is again, according to our technology plans.

Here's my wow's that are totally different than Dana's wows:

1.  Windows 2008 and Vista make for a dynamic duo.  After the next 64bit Vista workstation is put in place we'll be a smidge more than a third of the way towards Vista's in the office.  File transfer speeds between Vista and 2k8 are pretty amazing.  Search features are very cool.  Vista and 2k8 work nicely together.  We'll be changing out two or three more Vista's next year. 

Yeah it copies THAT fast.

2.  Windows 2008 Event log.  This is one of those stupid little things that probably only makes the top ten list of me and Eric Fitzgerald.  Vista has its snipping tool that is a cool little thing, Server 2008 has its new and improved event logs where you can attach a task and send out an email for an alert.  And I can feed event logs of workstations into the event log of the server.  There's some cool stuff that you can do with the Win2k8 event logs.

Yeah I know, but I'm into auditing and event logs so for me this is a cool feature.

3.  Exchange 2007 improvements.  Between OWA 2007 improvements, disclaimers that are now built in, there's a lot of "little things" that are wow.  The fact that the SBS dev team anticipated sucky app vendors and placed all the SBS web sites in its own web sites and thus all those folks that have to deal with various vendors stomping on, and destroying the OWA of your Exchange 2007 in the process, that's another huge big wow.  The trusted cert wizard under the hood that ensures that OWA, Outlook over http is secure is another wow-ism under the hood.

4.  Remote Web Workplace wowism.  Being able to limit it down to THE workstation of the user.  Currently I type up a 'how to log into YOUR computer' instructions manual and specifically name the workstation with a name of the end user.  I even have little "cheat cards" that I laminate and have the folks stick in their wallets.  It doesn't list their password of course, but it does list the exact workstation they need to look for.  If we have turn over in employees that are allowed to have remote access, that means I'm doing a name change on that workstation to make it easier for them to know what workstation to log into.  Kinda a pain.  Being able to limit the user's access to the ONE computer they need rather than having to tell them "Oh scroll down and find yours" is very cool.  And no more port 4125, I only need port 443.

See that blue box (I haven't yet set this up on the home server) but you specify the exact workstation right there.

5. The fact that SBS 2008 "is" supported virtually.  I still haven't decided if I'll do SBS on real metal or in HyperV honestly, but the fact that SBS 2008 "is" fully supported in a virtual platform is a biggie for this business decision maker.

6. SharePoint.  SharePoint Version Three.  Blogs.  Wikis.  Add ons.  I can use SharePoint 3 for all the internal knowledge base stuff now versus the SharePoint 2.  I'm looking forward to the migration as well as I can redesign our internal sharepoint.

7.  TS remote applications, and all of the TS improvements in Server 2008.  I already have a Server 2008 box in my current network and will be expanding its use in SBS 2008.  There's an edge video here on it, but the ability to push a TS app all the way through to the RWW desktop.  Way way cool.  I don't have an image for TS remote apps on a RWW page, but just trust me on this one, it's cool.

8.  You don't need to know PowerShell.  Truly.  Don't let all that "you HAVE to know PowerShell in order to run Exchange 2007" talk get to you.  Oh, don't get me wrong, it will grow on you over time, similar to how you know how Ipconfig/all gives you the network card/configuration.  How exactly did you learn Ipconfig/all?  Don't remember do you?  And that's how PowerShell will grow on you.  And between SBS's PowerShell under the hood and Exchange 2007's hints of PowerShell you'll learn.  Don't worry.  And the fact that under the hood of SBS 2008 is Windows 2008 and Exchange 2007 means that you have all the tools of the platforms at your fingertips.  All of that PowerShell knowledge will come in time.  More and more providers of PowerShell are lining up as well.  IIS7 has a PowerShell provider as well.

9.  The fact that the firewall is my choice.  Seriously.  I get to make the selection of the firewall to match the needs of my firm.  I'm not forced into a cookie cutter one size fits all or a cheap Linksys router.  I can take the time and select the right firewall for my firm.  One from a company that embraces the small business marketplace.  One that doesn't consider me a corner case or a rounding error on a spreadsheet.  One that is looking out for me and my firm.

10.  Because Windows Server 2003 is getting old.  It was built for a different time, a different set of risks, a different set of security issues.  And at the end of the day I have the ultimate reason.  Next year we will change out the server in the office as per our technology plan and I do not put 5 year old operating systems on new hardware.  I just won't.   And that's a big wow in my book.  Add to that the wow of software assurance and SBS 2008/premium, that means I'll have a full standalone version of Windows 2008, SQL 2005 or 2008, and because I'm a SA customer, I'm getting a boatload of software to allow me to be very flexible in my upcoming plans. 

As I said at SMBnation, SBS 2008 is a bunch of little wows that accumulate.  All of the remote access upgrades are probably the biggest wow that as you work with the test version of the server you probably won't see that huge wow factors until you step outside that server and start using it remotely.

 So what about you?  What's your top ten 'wow' items?

Posted Tue, Oct 21 2008 21:16 by bradley | 4 comment(s)

Microsoft User Research is conducting a study to evaluate a product yet to be launched in the market from November 7 to November 13, 2008. It is important for you to know that you do not need to prepare anything for this. We want to learn from you, the experts, to determine what needs to be improved in our software. We highly value your feedback and will be offering you a gratuity option in appreciation of your time and participation.

 We are recruiting individuals who:

• Have experience providing proactive, outsourced IT services for multiple customers; this could include backing up data, installing patches, keeping AV software up-to-date, and management of other IT assets.

• Are available for a 2 hour study session in the week of November 7, 2008

• Can make it to Microsoft’s main campus in Redmond, Washington

 If you are interested or know someone who could be interested in participating, please email itusable@microsoft.com with MSP in the subject line.

(please keep in mind that they will not provide travel and lodging reimbursement for this)

Posted Tue, Oct 21 2008 18:10 by bradley | with no comments

Windows Virtualization Team Blog : System Center Virtual Machine Manager 2008 RTMs and what I’m hearing from customers and partners about Microsoft’s virtualization solutions:
http://blogs.technet.com/virtualization/archive/2008/10/21/system-center-virtual-machine-manager-2008-rtms-and-what-i-m-hearing-from-customers-and-partners-about-microsoft-s-virtualization-solutions.aspx

Download details: SCVMM 2008 – Evaluation:
http://www.microsoft.com/downloads/details.aspx?familyid=ed012990-6e86-4b43-9842-da5c02ff1c83&displaylang=en&tm

Posted Tue, Oct 21 2008 12:17 by bradley | with no comments

Short of erasing someone's memory, there is no surefire way to retrieve a missent e-mail. Microsoft Outlook has a "recall" function that can erase unread e-mails from the in-box of the recipient -- as long as the recipient is using the same mail client or server as the sender -- as does AOL, but only for messages between AOL users. (Both AOL and CNN are divisions of Time Warner.)

http://www.cnn.com/2008/LIVING/worklife/10/20/lw.recovering.email.mistakes/index.html

Just a fyi... never 'recall' a message in Outlook... especially one that you just sent out to a listserve or other group email list, as all it does is make everyone look twice at the original email.

Matus offers the following tips on avoiding e-mail embarrassment:

• Type out the person's full name when addressing your e-mail. If you type just the first few letters and let your e-mail program fill out the rest based on your address book, it could easily misroute your message without your realizing it.

• Double-check the addresses of your intended recipients before you hit "send." Do you really want all the people to get this particular message?

• Be sure to notify your company's legal department if there is any chance that governance, compliance or privacy regulations were violated as a result of something you sent by mistake.

• Immediately notify the person who received the e-mail that it was a mistake and, if possible, ask them not to read the message -- or at least to delete it right away

And sometimes, sleep on that email and wait until the morning before sending it out.  Sometimes a good night's sleep can make you realize that you shouldn't send the email in the first place.

Posted Mon, Oct 20 2008 23:20 by bradley | 2 comment(s)

http://blogs.technet.com/wsus/archive/2008/10/21/silverlight-now-available.aspx

On your WSUS tonight is Silverlight 2.0. 

For those that consider Java evil, Flash even more evil, consider that  Silverlight is the less evil one.  But regardless, until there is an overwhelming need to run an application, you can simply not approve the update.

Posted Mon, Oct 20 2008 23:01 by bradley | with no comments

It's a little on the big size... but if you want a Vista desktop gadget counting down until November 12... get it here:

http://www.thedreamserver.com/widget

Posted Mon, Oct 20 2008 17:35 by bradley | with no comments

http://sbs-mobility.blogspot.com/2008/10/here-are-definitive-answers-to-e.html

If you are looking for what is probably the definitive "how you can get SA" and "what are the part numbers", look no farther than Tim's blog recap post. 

I have to say a big thank you to Tim for being the one that was getting the best answers from his resources and keeping me in the loop when it became clear that the SA offering was a bit mangled and we were trying to get clarification.

If you haven't added Tim's blog to your roster, do so.  And if you happen to be in the bay area.. check out his Bay Area Small Biz group -- http://basbits.org/default.aspx

Posted Sun, Oct 19 2008 23:03 by bradley | with no comments

For all of the concern about line of business apps and SBS 2008... for anyone wondering about the downgrade rights for EBS ....  they have a near similar story with one exception.. there's no prior product for them to downgrade to so you need to make sure your network can meet the requirements -- http://www.microsoft.com/ebs/en/us/downgrade-rights.aspx

Downgrade rights, in general, mean that you can use an earlier version of the software acquired. Windows Essential Business Server 2008 is the first version, so there are no applicable downgrade rights.

Frequently Asked Questions:


Q.  Windows Essential Business Server 2008 comes with several copies of Windows Server 2008 technologies. Can I exercise my downgrade rights and run earlier versions of Windows Server?

A.  No. Components of the Windows Essential Business Server solution cannot be separated. Downgrade rights apply to the solution—that is, if EBS 2008 had an earlier version, the components that make up that version could be downgraded. However, since EBS 2008 is the first version, there are no applicable downgrade rights.

Q.  Windows Essential Business Server 2008 Premium Edition comes with a SQL Server 2008 Standard Edition. Can I exercise my downgrade rights and run earlier versions of SQL Server to run legacy applications?

A.  No. Components of the Windows Essential Business Server solution cannot be separated. However Microsoft recognizes that Line of Business applications may experience compatibility issues moving from one version to the next, so for approximately one year from Windows Essential Business Server 2008 Release to Manufacturing (RTM) date, we will ship SQL Server 2005 Standard Edition (both 32- and 64-bit platforms) in addition to the SQL Server 2008 Standard Edition for the customer’s use in order to address these potential issues.

Note that once we stop shipping both versions of SQL Server, customers may not downgrade components of the Windows Essential Business Server solution and therefore are restricted from downgrading just the SQL Server component.

 

Posted Sun, Oct 19 2008 22:19 by bradley | 1 comment(s)

EVENT #: 10560
EVENT LOG: System
EVENT TYPE: Error
SOURCE: VolSnap
EVENT ID: 21
COMPUTERNAME: BRIANNA
TIME: 10/19/2008 11:00:24 AM
MESSAGE: The flush and hold operation for volume F: was aborted because of low available system memory.
BINARY DATA:
0000: 00 00 00 00 02 00 58 00 00 00 00 00 15 00 06 C0
0010: 03 00 00 00 9A 00 00 C0 02 00 00 00 00 00 00 00
0020: 00 00 00 00 00 00 00 00

So on Brianna (the SQL server for the blog) I'm seeing Volsnap issues and www.eventid.net points to the following hotfixes:

http://www.eventid.net/display.asp?eventid=21&eventno=5418&source=VolSnap&phase=1

http://support.microsoft.com/kb/940239/en-us VSS cannot create a volume snapshot even when VSS has sufficient memory space in Windows Server 2003

http://support.microsoft.com/kb/907875 Event ID 21 is logged when you create a shadow copy backup on a Windows Server 2003-based computer

http://support.microsoft.com/kb/826751 Backup Program Causes Gradually Declining Performance

Brianna is on SP2 already so it looks like a defrag and hotfix number 1 is the way to go.

Posted Sun, Oct 19 2008 9:31 by bradley | with no comments

So your sister has a Windows Mobile 3 that she loves.  The old Audiovox phone.  And they just moved to Exchange 2007 at the office and she's hoping to get the phone to sync up with the Exchange.  She doesn't want to get a new phone or an iPhone or a Blackberry or a Google phone or any other phone, she loves the size of the Audiovox device.  But the SSL cert they used has a wild card *.domain name and the Windows Mobile 3 and 5 do not like a wildcard cert.

So what's a girl to do?

Why get into the registry and fix it.

http://www.resco.net/smartphone/explorer/default.asp Download the registry app, install the app on the phone, and edit the registry on the phone.

http://forums.msexchange.org/m_1800388186/mpage_2/tm.htm

On the Windows mobile 3 device I went into the registry of the device and added a dword key to basically tell it to merely accept the SSL cert and not do a name check on it.

HKCU\Software\Microsoft\Activesync\Partners\ID for the Mobile 5 devices

HKCU\Software\Microsoft\Airsync\Connection\ for the Mobile 3 devices

Under that registry, in the section below with all the other information, merely add a dword value.  The name of it will be secure and the value is 0 (zero), which looks like 0x0 when it's done and on the device.

What this does is stops the device from checking the cert.  The connection is still fully SSL'd and secure.  I then put the SSL cert from the server on the device itself by going to the OWA web site, exporting the SSL cert from the web site, putting it via a usb sync cable to the device and installing the cert on the device itself.  And then voila.  It worked.

Picture is blurry as I took it from my other phone ...another still fully operational Audiovox device as well, but you can get the idea

P.S. when any geeky person says "simply browse to the registry key on a mobile device" and you wonder how to do that if the device doesn't have a built in registry editor, check out Resco's registry editor for mobile devices: http://www.resco.net/smartphone/explorer/default.asp

Posted Sat, Oct 18 2008 17:51 by bradley | with no comments

http://technabob.com/blog/2008/07/03/mini-cooper-usb-memory/

 

 

http://www.vavolo.com/main.asp,mode,1,,.htm  Rats, not yet on that web site

If anyone sees one in a store, let me know!

Posted Sat, Oct 18 2008 15:44 by bradley | 3 comment(s)

So when you move data in SBS 2008... where can you move it to?

Say you have hard drive set up like this:

Where will you be allowed to move data to?

(I had to double check... I thought it was disk drives but it's different partitions or drives)

http://technet.microsoft.com/en-us/library/cc513977.aspx

 

 

So what's that you ask?

If you use one of the registrars under the hood in SBS 2008 "or" you transfer your domain to them, and you use the Connect to the Internet Wizard, a dynamic DNS service will load up.

I know for sure that it will do a tzo.com like service phoning home every so many minutes ensuring that it's redirected a remote.domain.name to your server.

There's more about it here -- http://blogs.technet.com/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-3-of-3.aspx

Dynamic DNS

SBS is able to keep external DNS records up-to-date by making a connection to the partner registrar that is hosting the customer’s domain name and DNS records.   SBS uses the “Dynamic DNS Client” service to query the partner registrar to see if the external domain IP address has changed (every 10 minutes by default).  If so, the service will use the new IP address in a second call to update the host A record for the domain.

The Dynamic DNS Service will ensure the following

  • A Record – This contains the servers IP address, and is pointed to the FQDN FQDN.
  • MX Record – This is pointed to the A record
  • TXT Record – This is configured as if it were the IAMW wizard
  • SRV record - _autodiscover._tcp.FQDN points to A record

After SBS 2008 setup completes, the Dynamic DNS Client service remains inactive until you choose to configure your domain with a partner registrar. Once you do, the service will be set to automatic and begin querying the registrar every ten minutes by default.

If the IP address hasn’t changed in 20 days, the service will refresh it at the registrar.  This will ensure the provider doesn’t shut down dynamic DNS updates without our knowledge.

If you have a static IP you can disable this service.

I'm checking to see if you can increase the service to include a "mail store and hold" feature.  That I'm not sure of, but bottom line, built into SBS 2008 is a tzo.com like service under the hood.

http://technet.microsoft.com/en-us/library/cc546055.aspx

--------

Setting up your Internet address

Setting up your Internet address is an important step in configuring your server. You must complete this task if you want to use Remote Web Workplace, or send and receive e-mail over the Internet.

To configure the technologies that the server uses to enable these key network features, Windows SBS 2008 includes the Internet Address Management Wizard. To run this wizard, click the Set up your Internet address task from either the Home or Connectivity pages of the Windows SBS Console. The wizard guides you through a number of steps that help you configure your Internet presence.

The following sections describe these steps and outline the choices that you must make.

Before you begin

When you click the Set up your Internet address task in the Windows SBS Console, the Internet Address Management Wizard appears. This page advises you about prerequisite information that you should have on hand before you proceed.

Network users will use the Internet domain name that you specify in the wizard to access their e-mail and your organization’s internal Web site. You can also use your Internet domain name to direct Web traffic to an Office Live Small Business Web site or to another business Web site.

Do you want to register a new domain name?

When you use the Internet Address Management Wizard to configure your Internet address, you remove much of the overhead and risk that is associated with configuring these settings manually.

If you do not have a domain name, the wizard makes it easy to find and research a variety of domain name providers who have partnered with Windows SBS 2008 to offer their services. These partners must meet rigid standards for being able to keep your domain records current. If you already own a domain name, the wizard can configure that name for you as well.

On this page, select one of the following options:

  • I want to purchase a new domain name.
  • I already have a domain name that I want to use.

How do you want to manage your domain name?

On this page of the wizard, choose whether you want the server to monitor and maintain your domain status, or whether you want to manage the domain status yourself.

Select one of these two options:

  • I want the server to manage the domain name for me.
    Choose this option if you want the server to monitor and maintain the status of your domain and to alert you if there is a problem.
    Note
    This option requires your domain name to be registered with one of the domain name providers that the wizard recommends. If you currently use a provider that is available to select in the list that appears later in the wizard, you should continue to use that provider to ensure that your domain name is available on the Internet as quickly as possible. If the wizard does not list your current domain name provider, select another provider to whom you want to transfer your domain name. By doing this, the server can manage your existing domain name.
    If you choose to have the server manage the domain name for you, the wizard configures these components:
    • Domain Name System (DNS)
    • Certificate Authority
    • Internet Information Services (IIS)
    • Simple Mail Transfer Protocol (SMTP) mail policies for Exchange Server
    • The UPnP architecture, if supported by your router
  • I want to manage the domain name myself.
    If you choose this option, the server does not monitor or maintain your domain name, and it does not alert you if there is a configuration issue. You might also consider this option if any of the following are true:
    • No partner domain name providers are listed for your country or region.
    • The partner domain providers listed do not support your domain name extension.
    • The wizard does not list the domain name extension that you want to use, but the extension is available from a domain name provider that is not currently a partner.

If you choose to manage the domain name yourself, you must add the DNS resource records that are listed in the following table.

Note
The settings in this table assume that you choose “remote” as the host prefix for your server. The table references the domain contoso.com as an example. Replace instances of contoso.com with the domain name that you purchased. To customize the host prefix, click the Advanced settings link on the Store your domain name information page of the Internet Address Management Wizard.

 

| Resource Record Name | Record Type | Record Setting | Description |
|---|---|---|---|
| Remote | A | Static IP address of the Wide Area Network (WAN) side of your router or firewall | Maps your domain name to the WAN IP address (provided by your Internet service provider (ISP)) of the router or software firewall that helps protect your network from the Internet. It is recommended that you lease a static IP address from your ISP. |
| MX | Alias (CNAME) | Remote.contoso.com | Provides e-mail message routing for e-mail@contoso.com to arrive at your Windows SBS 2008 mailboxes. |
| SPF | TXT | v=spf1 a mx ~all | Resource record that helps prevent e-mail sent from your server being identified as spam. Note: Some domain name providers offer SPF building tools that you can use. |
| _autodiscover._tcp | SRV | Service: _autodiscover; Protocol: _tcp; Priority: 0; Weight: 0; Port: 443; Target host: remote.contoso.com | Enables Office Outlook 2007 with Service Pack 1 and Windows Mobile 6.1 e-mail clients to automatically detect and configure Outlook Anywhere (RPC over HTTP). |

For information about how to add DNS records to your server, open Windows Help and Support, and then search for the topic “Add a Resource Record to a Zone.”

Contact your domain name provider and ask them to help you configure the domain name records properly.
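For a domain you manage yourself, the four records listed above can be checked mechanically. The following is an added example, not part of the Microsoft documentation or of this blog: `Test-SbsDnsRecord` is a hypothetical helper, the sample answers and the WAN address 203.0.113.10 are constructed, and the record objects use the property names that `Resolve-DnsName` returns.

```powershell
# Added example: validate DNS answers against the A, MX, SPF and SRV records
# that a self-managed SBS 2008 domain needs. Test-SbsDnsRecord is a hypothetical
# name. Input objects carry the properties Resolve-DnsName emits
# (Type, Name, IPAddress, NameExchange, Strings, Port, NameTarget).
function Test-SbsDnsRecord {
    param(
        [Parameter(Mandatory = $true)][object[]]$Records,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$WanAddress,
        [string]$HostPrefix = 'remote'
    )

    $fqdn = "$HostPrefix.$Domain"
    function Test-Name($Actual, $Expected) {
        # -eq on strings is case-insensitive; ignore the trailing root dot.
        return ([string]$Actual).TrimEnd('.') -eq $Expected
    }
    function New-Finding($Record, $Ok, $Detail) {
        [pscustomobject]@{ Record = $Record; Ok = [bool]$Ok; Detail = $Detail }
    }

    # A: <prefix>.<domain> must hold the WAN address of the router or firewall.
    $a = @($Records | Where-Object { $_.Type -eq 'A' -and (Test-Name $_.Name $fqdn) })
    if ($a.Count -eq 0) {
        New-Finding "A $fqdn" $false 'missing'
    } else {
        $addresses = @($a | ForEach-Object { [string]$_.IPAddress })
        New-Finding "A $fqdn" ($addresses -contains $WanAddress) `
            ('resolves to ' + ($addresses -join ', ') + "; expected $WanAddress")
    }

    # MX: mail for the domain must be routed to the same host name.
    $mx = @($Records | Where-Object { $_.Type -eq 'MX' -and (Test-Name $_.Name $Domain) })
    $mxOk = @($mx | Where-Object { Test-Name $_.NameExchange $fqdn }).Count -gt 0
    $mxDetail = if ($mx.Count -eq 0) { 'missing' } else {
        'points to ' + (($mx | ForEach-Object { $_.NameExchange }) -join ', ')
    }
    New-Finding "MX $Domain" $mxOk $mxDetail

    # SPF: exactly one v=spf1 TXT record, and it must not end in a pass-all.
    $spf = @($Records |
        Where-Object { $_.Type -eq 'TXT' -and (Test-Name $_.Name $Domain) } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match '^v=spf1( |$)' })
    if ($spf.Count -eq 0) {
        New-Finding "TXT $Domain (SPF)" $false 'no v=spf1 record'
    } elseif ($spf.Count -gt 1) {
        New-Finding "TXT $Domain (SPF)" $false `
            "$($spf.Count) SPF records; receivers treat more than one as an error"
    } else {
        $passAll = $spf[0] -match '(^|\s)\+?all(\s|$)'
        New-Finding "TXT $Domain (SPF)" (-not $passAll) $spf[0]
    }

    # SRV: autodiscover must point at the host on port 443.
    $srvName = "_autodiscover._tcp.$Domain"
    $srv = @($Records | Where-Object { $_.Type -eq 'SRV' -and (Test-Name $_.Name $srvName) })
    $srvOk = @($srv | Where-Object {
        $_.Port -eq 443 -and (Test-Name $_.NameTarget $fqdn) }).Count -gt 0
    $srvDetail = if ($srv.Count -eq 0) { 'missing' } else {
        ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
    }
    New-Finding "SRV $srvName" $srvOk $srvDetail
}

# Constructed sample answers: the SPF record is absent and the SRV port is wrong.
$sample = @(
    [pscustomobject]@{ Type = 'A'; Name = 'remote.contoso.com'; IPAddress = '203.0.113.10' }
    [pscustomobject]@{ Type = 'MX'; Name = 'contoso.com'; NameExchange = 'remote.contoso.com' }
    [pscustomobject]@{ Type = 'SRV'; Name = '_autodiscover._tcp.contoso.com'
                       Port = 80; NameTarget = 'remote.contoso.com' }
)

Test-SbsDnsRecord -Records $sample -Domain 'contoso.com' -WanAddress '203.0.113.10' |
    Format-Table Record, Ok, Detail -AutoSize
```

On Windows 8 / Server 2012 and later, live answers for `-Records` can be collected with `Resolve-DnsName -Type A`, `-Type MX`, `-Type TXT` and `-Type SRV`.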

Type the domain name that you want to register or use

Your domain name is a critical piece of information. It identifies your business name and the nature of business both internally and on the Internet. It is also an essential component of the network settings that your server configures.

Important
If you plan to publish your Remote Web Workplace Web site, specify only the domain name (for example, contoso.com), and do not precede your domain name with the “www” domain prefix. This way, your Remote Web Workplace Web site will be available to remote users.

If you plan to register a new domain name or to use a domain name that you already own, type that name in the text box, and then select the domain extension that you want to use. For more information, see Choosing an Internet domain name.

If you do not plan to establish an Internet presence for your organization at this time, you can specify any domain name. If you decide to register a domain name later, perform the Set up your Internet address task again at that time.

Choose a domain name provider

After you specify the domain name that you want, the wizard returns a list of potential domain name providers that work with Windows SBS 2008. The list is composed of partner providers who collectively represent all available domain name extensions for the country or region that you specified in the company information settings for your server. To learn more about a provider, click the associated Web link.

As an option, you can also send your postal address information to the provider. This can help the provider suggest alternate domain names if the name you want is not available. For more information, see Choosing a domain name provider.

Choose a different domain name

If you choose a domain name provider from the list, the wizard contacts the provider’s server and requests information about that domain name. Every Internet domain name must be unique, so the provider checks to see if the domain name is available to register. If the name is not available, the provider returns a list of possible alternate domain names. You can either select one of the alternate names or search for different name.

Register and purchase the domain name

After verifying that a domain name is available to register, the wizard displays the domain name and domain name provider that you chose. At this time, you can choose to register or transfer the domain name. This opens the domain name provider’s registration form in a new browser window.

Important
Do not close the wizard. You must return to the wizard after you register your domain name to complete the server configuration.

Store your domain name information

If you choose to have the server automatically monitor and manage your Internet domain name, type the user name and password that you registered with your domain name provider. Windows SBS 2008 stores this information on the server and periodically sends it to your provider to maintain your domain. The wizard provides a link to the privacy statement for your review.

Important
By default, the Internet Address Management Wizard configures a domain prefix of “remote” for your server. To change the prefix, click Advanced settings. However, you should not leave the Domain prefix box blank or use a prefix of www. If you leave the Domain prefix box blank or use a prefix of www, the wizard configures your Web site to be located on your server. This configuration prevents you from having your business Web sites at other locations, such as Office Live Web sites.

One of the adjustments I just made to the SBS 2008 server is this command

auditpol /set /subcategory:"logon" /success:enable /failure:enable  (ensure that you run the command window with elevated rights)

That changes the auditing of logon to both success 'and' failure.
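To confirm the setting stays that way, the text that `auditpol /get /category:*` prints can be parsed and compared with a baseline. This is an added example, not code from this blog or from Microsoft: the function names and `$baseline` are hypothetical, the parser assumes English output, and the sample text is constructed in the layout auditpol uses.

```powershell
# Added example: parse "auditpol /get /category:*" text (English output assumed)
# and report drift from a baseline. ConvertFrom-AuditPolText,
# Compare-AuditBaseline and $baseline are hypothetical names.
function ConvertFrom-AuditPolText {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Lines)

    # Subcategory rows are indented: "  <name>   <setting>".
    $row = '^\s+(?<name>.+?)\s{2,}(?<setting>Success and Failure|Success|Failure|No Auditing)\s*$'
    $category = $null
    foreach ($line in $Lines) {
        if ($line.Trim().Length -eq 0) { continue }
        # Skip the two header lines printed before the first category.
        if ($line -match '^(System audit policy|Category/Subcategory)') { continue }
        # Category rows start in column 0 and carry no setting.
        if ($line -match '^\S') { $category = $line.Trim(); continue }
        if ($line -match $row) {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $Matches['name']
                Setting     = $Matches['setting']
            }
        } else {
            Write-Warning "Unparsed line: $line"
        }
    }
}

function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory = $true)][object[]]$Policy,
        [Parameter(Mandatory = $true)][hashtable]$Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $have = @($Policy | Where-Object { $_.Subcategory -eq $name })
        $actual = if ($have.Count -gt 0) { $have[0].Setting } else { 'not listed' }
        if ($actual -ne $want) {
            # Build the auditpol /set command that restores the wanted setting.
            $success = if ($want -like 'Success*') { 'enable' } else { 'disable' }
            $failure = if ($want -like '*Failure') { 'enable' } else { 'disable' }
            [pscustomobject]@{
                Subcategory = $name
                Actual      = $actual
                Wanted      = $want
                Fix         = "auditpol /set /subcategory:`"$name`" /success:$success /failure:$failure"
            }
        }
    }
}

# Constructed sample: Logon is at Success only, so the check has something
# to report.
$sample = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
Object Access
  File System                             No Auditing
'@

# Assumed baseline: Logon as set in this post; Account Lockout is illustrative.
$baseline = @{ 'Logon' = 'Success and Failure'; 'Account Lockout' = 'Success' }

$policy = ConvertFrom-AuditPolText -Lines ($sample -split '\r?\n')
Compare-AuditBaseline -Policy $policy -Baseline $baseline | Format-List

# On a live server, from an elevated prompt:
#   $policy = ConvertFrom-AuditPolText -Lines (auditpol /get /category:*)
```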

Just for grins I also set up an alert for when an admin logs into the TS console on the server -- you can find it here:  http://www.codeplex.com/sbs/Release/ProjectReleases.aspx?ReleaseId=18512

 

More info and resources regarding Auditing on the 2k8 platform are here:

Ask the Directory Services Team : Introducing Auditing Changes in Windows 2008:
http://blogs.technet.com/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain:
http://support.microsoft.com/kb/921469
Description of security events in Windows Vista and in Windows Server 2008:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226
Download details: Security audit events for Windows Server 2008 and Windows Vista:
http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>auditpol /set /subcategory:"logon" /success:enable /failure:
enable
The command was successfully executed.

C:\Windows\system32>auditpol.exe /get /Category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success
  IPsec Driver                            Success
  Other System Events                     Success
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         Success
  IPsec Quick Mode                        Success
  IPsec Extended Mode                     Success
  Special Logon                           Success
  Other Logon/Logoff Events               Success
  Network Policy Server                   Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              Success
  Kerberos Authentication Service         Success
  Credential Validation                   Success

C:\Windows\system32>
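
To confirm later that the Logon subcategory still records both success and failure, the text output of `auditpol /get /category:*` can be parsed and compared with the expected setting. This is an added example, not part of the original post or of SBS; the function names and the one-entry BASELINE are assumptions, and it expects English-language auditpol output.

```python
import re

# Excerpt of the `auditpol /get /category:*` output shown in the post.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
Object Access
  File System                             No Auditing
Account Logon
  Credential Validation                   Success
"""

# Assumed baseline for this example: only the setting the post changes.
BASELINE = {("Logon/Logoff", "Logon"): "Success and Failure"}

HEADERS = ("System audit policy", "Category/Subcategory")
ROW = re.compile(r"^\s+(?P<name>.+?)\s{2,}"
                 r"(?P<setting>Success and Failure|No Auditing|Success|Failure)\s*$")


def parse_auditpol(text):
    """Return {(category, subcategory): setting}; subcategory rows are indented."""
    policy, category = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(HEADERS):
            continue
        row = ROW.match(line)
        if row:
            policy[(category, row["name"])] = row["setting"]
        elif not line[0].isspace():
            category = line.strip()  # unindented line starts a new category
    return policy


def drift(policy, baseline):
    """List (category, subcategory, expected, actual) for every mismatch."""
    return [(cat, sub, want, policy.get((cat, sub), "missing"))
            for (cat, sub), want in baseline.items()
            if policy.get((cat, sub)) != want]


if __name__ == "__main__":
    current = parse_auditpol(SAMPLE)
    # Constructed "before" state: Logon audited for success only.
    before = parse_auditpol(SAMPLE.replace("Success and Failure", "Success"))
    print("after the change:", drift(current, BASELINE))
    print("before the change:", drift(before, BASELINE))
```

Feeding it the saved output from a scheduled `auditpol /get /category:*` run shows when the setting has been reverted, for example by a Group Policy refresh.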

Posted Fri, Oct 17 2008 19:11 by bradley | with no comments
Filed under:

EBS2008 - A TS2 Presentation Virtually - Peter Gallagher's TS2 Blog:
http://ts2blogs.com/blogs/petergal/archive/2008/10/17/ebs2008-a-ts2-presentation-virtually.aspx


A TS2 Presentation - Virtually - Peter Gallagher's TS2 Blog:
http://ts2blogs.com/blogs/petergal/archive/2008/10/17/a-ts2-presentation-virtually.aspx

(and no, not the actor Peter Gallagher, more like the MS Peter Gallagher)

Posted Fri, Oct 17 2008 17:27 by bradley | with no comments
Filed under:

The Official SBS Blog : Introducing the Internet Address Management Wizard: Part 3 of 3:
http://blogs.technet.com/sbs/archive/2008/10/17/introducing-the-internet-address-management-wizard-part-3-of-3.aspx

The Official SBS Blog : You Receive a “Target Principal Name is Incorrect” Certificate Error in Outlook 2007 When Connecting to Either POP3 or IMAP4 on SBS 2008:
http://blogs.technet.com/sbs/archive/2008/10/17/you-receive-a-target-principal-name-is-incorrect-certificate-error-in-outlook-2007-when-connecting-to-either-pop3-or-imap4-on-sbs-2008.aspx

Posted Fri, Oct 17 2008 17:16 by bradley | with no comments
Filed under:

Josh's Stuff: How to fix Hyper-V error “Failed to add device Microsoft Synthetic Ethernet Port”:
http://joshrobi.blogspot.com/2008/06/how-to-fix-hyper-v-error-failed-to-add.html

So don't scan your HyperV's.... got it?

Posted Fri, Oct 17 2008 17:15 by bradley | with no comments
Filed under:

After the install of XP SP3 you will see that the TS ActiveX client gets disabled.  Normally you'll be able to go into the add-ons and merely enable it.

You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based computer:
http://support.microsoft.com/default.aspx/kb/951607/en-us

If you have issues you might want to check out this and reregister it....

Also you can install the RDP client v6 from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=26F11F0C-0D18-4306-ABCF-D4F18C8F5DF9&displaylang=en

-------------------------------
From the description, I understand the issue is that you cannot make
remote desktop connection work, and get an error message. If I am off
base, please don't hesitate to let me know.

I. Let us refer to the following steps to troubleshoot the issue:

1. Please register the mstscax.dll again according to the following KB
article.

After you apply a Windows XP service pack, the remote desktop session fails

http://support.microsoft.com/kb/928055/en-us

2. Please make sure that both mstsc.exe and mstscax.dll are the same
version. They are located at windows\system32.

You should check the two files' versions first.

Please locate the windows\system32 folder and check the version of the
mstsc.exe and mstscax.dll files. You may boot into Safe mode and expand the
files from the I386 folder to replace files and test the problem. The
command is:
expand <CD-ROM>:\i386\mstscax.dl_ c:\windows\system32\mstscax.dll

After replacing the files in Safe mode, restart the XP machine.

3. If the issue persists, please install the latest version of Remote Desktop
Connection
=================
Remote Desktop Connection is a built-in component on Windows XP system, and
the version of Remote Desktop Connection on Windows XP SP2 is 5.1.2600.
The latest version of RDC can be installed from a Windows Server 2003 CD.
To install the latest version of RDC, please refer to the following steps:

a. Insert a Windows Server 2003 CD into the CD/DVD-ROM.
b. Navigate to \Support\Tools folder.
c. Double click on MSRDPCLI.EXE file to install the RDC.

Note: You must access the new client by going through Start\All
Programs\Accessories\Communications\Remote Desktop Connection. If you go
into Start\Run and type MSTSC into the Run dialog, then hit Enter, it
will bring up the original version of the RDP client (build 5.1).

II. If the issue persists, please help me collect the following information
for analysis:

1. Do all XP client machines have the same problem or just one XP client
machine?

2. What are the two files' versions?

Posted Thu, Oct 16 2008 21:43 by bradley | 2 comment(s)
Filed under: