Hi there, According to the whitepapers/specs, the hardware requirements are quite huge (2gig of RAM, etc...). I was wondering, what kind of resources does LCS use on a SBS2K3 box? (RAM, Proc time, etc..) TIA
Great, but what if: 1) I upgrade MSDE to SQL Server 2000 2) Remove all SBS Components 3) Reinstall all 4) I have a SQL Server 2000 on this instance, but - full-text search is installed but is disabled?? (no entries in EM, and also this option in spsca does not work...)
Better to post in the SBS2k3 public newsgroup. I know that I personally have not installed it.
Why are you removing all SBS components?
The official Link to the MS Article is here: http://support.microsoft.com/default.aspx?scid=kb;[LN];823377 However, please note, that on various tests on different servers, we have had different results. We have found the following: Sometimes you need to install the SQL Server instance and SQL Service Pack more than once. Also, if you have already installed (or upgraded to SQL), you may need to stop the SQL Service for Sharepoint before running the "overwrite". The last point: "Install SQL Server 2000 Service Pack 3 (SP3) or later. When you install SQL Server 2000 SP3, you receive the SQL Server 2000 Service Pack 3 Setup dialog box that contains both the Upgrade Microsoft Search and the apply SQL Server 2000 SP3 (required) check boxes. If you want to have full-text search functionality on the server, you must click to select the Upgrade Microsoft Search and apply SQL Server 2000 SP3 (required) check box." This is what it says in the article, however, I have found that the checkboxes do not appear when using the SBS SQL SP3 install. But, it WILL install the Full Text Indexing at the end of the SP.
Susan, When attempting to delete the IIS temp files a message prompts that they are system files and deleting will cause system instability. (or similar) Patch 831464 is applied. Should I just accept and delete all of the files? They are mostly jscript and html files. Thanks, Bill V
I think you have to let the SBS machine be the DHCP server... I had clients as static IPs and you can't run the HOSTNAME\Connect wizard. So turn off DHCP on the sonicwall, and make sure that it's on by running EICW on the SBS machine (and check services too...) Make sure the clients are DHCP clients as well...
KB: 314045 [HOW TO] Windows 2000
Tip for excluding your box from Google Searches
That command seemed to solve my dns problem in 99% of the cases... now, I had the feeling, that after a reboot these settings are lost. Is there a way to make this command/setting permanent?
This helped tremendously!! We had a client that couldn't use blackberry.net within their network. nslookup timed out. Once we executed the dns fix on the MSKB all worked perfectly! I am also wondering if this is a static registry-type setting or if it has to be done on each reboot? For now, I am running a script on reboot, just to make sure. Thanks
one typo: on step 5, type "iisreset", not "iireset".
The link appears to be broken. I get "DotNetNuke Configuration Error ... Domain Name "www.smallbizserver.net/sbs2000" Does Not Exist In The Database"
Thanks...she moved the page!
Fixed! Thanks!
[KB] 830092:W32Time frequently logs Event ID 50 and cannot update the system clock in Windows Server 2003
CatRoot: Issues with Backup and installing drives for "Generic volume shadow copy"?
well we know this answer is NOT true. I have Messenger 6.1 installed on a lot of systems here (SBS2003, WS2k3) and in each case it DEMANDS that Messenger 4.7 be installed or it won't work. Gary D
Great!! I completely forgot about these settings!!
Hey Susan, did you know about PatchDayReview.com? It's a website that I run to combat the problem you specifically discuss here. Check it out, I'd like your feedback. http://www.patchdayreview.com/posts/MS04-007.aspx -Robert McLaws ASP.NET MVP
Excellent, I have around a thousand of these in the queue at any one time. Looked right past this one... Thank you
Hey - thanks for that - I think it worked for me (fingers crossed). Have a drink on me next time you are out :-)
Windows XP SP2 RC1 is now available to everyone
This did not help browsing to mail.yahoo.com. Has anyone else seen this problem? It only happens with larger domains.
I hear you Susan I am in the same boat, I bought a DELL PE2600 with SBS2000 then bought the SA last summer and got SBS2003 when it came out. I did call and get Live Communication Server 2003 (in Canada though handled in the US) when I read about it and gave them a call. The operators didn't really know but after some time on hold they said I could get it. I also have no idea what the SA is good for, I got an ISA Server 2004 Beta 2 at an event, will I get this with the SA when it comes out? what about Yukon and Whidbey? My SA is good until June 2005 but even that may not be enough. I have no idea how the SA works for the 5 included and 5 extra CALs I have. The SA Faq brochure I got was not much help for a SBSer like me.
Alan, How does one copy a table from Microsoft Access to the A drive? I want to make a back up disk of my data. There has got to be a way, and if not, I bet you can invent one. Thanks, Mrs. Randle (Yes, the one who always believed you were a computer genius.)
I am going through the sus on sbs2k3 document and ran into a problem during the install process. When loading SUS (SUS10SP1.exe) on my 2003SBS machine I get the following error. "Microsoft Software Update Services can only be installed on a volume that is formatted with the NTFS file-system. Please choose a different location to install the files." Both the C and D drive are NTFS drives. When I run the program I get a box with extracting sussetup.msi and then a dos box with the msiexec.exe /i sussetup.msi message and then a separate box with the message above appears. Any ideas? robert@pfannkuche.com
I just got mine on Friday from Amazon (took them a bazillion years to get it to me). Amazon said "paperback" when I pre-ordered it, but they later changed ISBN 0-7356-2020-2 to show hard-cover (which it is). The companion CD includes the entire book (627 pages) in PDF format (27.8MB) so it will easily fit on a SD memory card for reference on a Palm or other PDA. The text can be cut-and-pasted or searched, but not printed in Adobe Acrobat. The CD also includes 2 whitepapers on migration from 4.5 & 2000, sample GPO's, the free version of HFNetChkPro, some hyperlinks to resources on the web, and Adobe Acrobat Reader. I was kind of surprised to see "Installing ISA 2000 and SQL 2000" all the way back in Appendix B, but hey, I'm no author, so what do I know. At least they're there. ;-) Also, there are TONS of little "Caution, Note, Tip, Security Alert and Planning" notes in blue throughout the book. And I do mean TONS. You could probably cut and paste your way into one killer cheat sheet with those. This book won't replace the KB articles or newsgroups, because some common issues like Disc 3 are missing. But there is no way you can learn SBS from newsgroups alone. Advanced admins will only get marginal benefit from this book, but everyone else will get more than their money's worth. Two thumbs up!! -Tim
FYI - the actual tutorial isn't available until April 9, 2004. When you follow this link and download the file, it simply unzips an HTML page that states the "tutorial isn't available...". SteveT
That will teach me again to post without checking the link :-)
I WILL ASK THIS PATCH, I SEE THIS ERROR IN ANY SERVER SBS 2003 WITH XEON IN HYPERTHREADING BUT I THINK THAT THE ANTIVIRUS COULD GENERATE THE PROBLEMS IF THERE AREN'T ANY DIRECTORY EXCLUSION. I USE INOCULATE IT 7.0 AND I CONFIGURED AN EXCLUSION OF THE C:\PROGRAMS\EXCHSRVR AND THE PROBLEM IS SOLVED. DOES ANYONE CONFIRM THIS SOLUTION? YOU CAN ANSWER TO ME AT M.BIANCHI@BVM.IT THANKS.
Hi, I am getting this error Bad Request (Invalid Hostname) whenever I try to access my internal webserver from an external source. I have a web/file server that sits behind my sbs 2003. I have all incoming port 80 requests directed to the server that hosts my internal site. From inside my network I can access the website just fine (using ISA to redirect). If I try to access my site using the external ip or domain name that points to the ip I get the above error. Just to give you a brief history I used to have a computer named "fileserver3" that was running win2k server. It was working just fine. I upgraded to a new server and replaced "fileserver" and "fileserver3" with a single server named "fileserver" that is running 2003 enterprise server. I have gone through my settings in ISA and thought that I changed everything that pointed to fileserver3 to point to fileserver but still no luck. If you have any ideas please let me know. I am desperate. Thanks Andy
NOW THERE IS THE FIX FROM MICROSOFT. ANYONE USED IT?
I patched my SBS server with Automatic Update, and was prompted for a restart. Do you /really/ need to restart for the patch to be in effect?
I have a comment and a question: comment: How do we sign up and log into this site? Question: I just went through installing SBS 2003. And when I try to access companyweb it prompts for user name and password. However, it recognizes neither the administrator's password nor another user that I have created. The same happens on the local machine or any other machine (there are two of them) on the network. I upgraded the MSDE to sql 2000 using CD 5. I was hoping to get some insight through looking at the database user names and password. I did find a user name with "SBS SP Admins". However, no clue on the password. Any help on this matter is appreciated. Thanks, Ramzi
Yes, anytime you apply a patch and it prompts you for a restart YOU MUST RESTART to be protected.
Thanks for clearing that up Susan. I've become desensitized to the 'You must restart your computer for the changes to take effect' dialogue :-)
Gary D I have the same problem... Did you solve it? Best Regards
You have DNS issues. You need to ensure that the DNS of your workstations is pointing to the IP address of your server.
I have been awaiting the release of BizTalk 2004 for awhile now, especially since BizTalk Server 2004 comes with Visual Studio .NET and InfoPath licenses as well. Now that it is released and product fulfillment has set up the above web site for ordering the Partner Edition I am both disappointed and confused about what I found. When I went to order my copy (as I am both a SBS Premium Customer and Partner) I shook my head in disbelief to learn that InfoPath is included but VS.NET will not be. Please take a look at the following MS Press Release from Dec 17, 2003 titled "Microsoft Unveils Pricing and Packaging Details For BizTalk Server 2004" http://www.microsoft.com/presspass/press/2003/dec03/12-17PricingBizTalk2004PR.asp "All versions of BizTalk Server 2004 will include rights to Microsoft Visual Studio .NET 2003 and InfoPath for installation on a desktop. Providing rights to these products will increase developers' productivity by enabling them to create applications directly in BizTalk Server and allow business users to gather and input information into a business process linked to back-end systems by BizTalk Server." When Does All Versions NOT Mean All Versions? I believe this was a poor decision on the part of MS to not honour this Press Release.
Do you have another router on the outside between you and the web site? Post your question in the newsgroups rather than here for better help http://www.microsoft.com/windowsserver2003/sbs/community/default.mspx
You may well have MSN Messenger 6.1 but you need Windows Messenger. Not the same thing.
I had this same issue on a Server2k3 Enterprise Edition multi-homed do-all play box. To fix, I actually just unchecked the Address Assignment box and restarted the RRAS server. If I'm not mistaken I can toggle the problem on and off simply by checking/unchecking and restarting the RRAS server. Unbelievable. I thought for days it had something to do with my Microsoft Wireless Device having mistakenly registered itself in DNS or something. Also, you might be interested to know that there is a fundamental issue on multihomed DC's which continuously registers the outside NIC in DNS even when advanced TCPIP settings are config'd not to. I rec'd an unsupported hotfix for this, but it IS Server 2k3 related moreso than SBS2k3.
I have another issue with the MMC snap-in for Monitoring and Reporting: when I click the link I'm getting Snap-in creation failed. I've checked the standalone snap-ins and it's definitely not in there. What is the easiest way to amend this problem? Any help would be most appreciated. Many thanks, Robbie
So what you're saying is that even if I don't have SBS 2003, and I install Windows Messenger...then it should work..i.e. MSN 6.2...well, so that you'll know, I have gone to the trouble of uninstalling Windows Messenger...let me see if I install it again..
SBS2k3 is Windows Server 2003. Whatever hotfix you have received, is for us too. Do you remember the KB number?
Awesome to put this here, now how do I trackback to it? Anne
Just skimmed through it... a bit of a disappointment... many of the pieces I remember from Windows and .Net magazine.
I followed the instructions in the article to disable Digital Signing on my Small Business Server 2003 Premium, now none of the clients can connect, as it asks for authentication but will not accept any. When trying to get back into the Group Policy management on the server, it said access denied, so I modified the registry setting to disable the Digital Signing, which allowed me to go to the GP edit. However no matter what settings I change, I can't get my clients back on the network?
You need to follow the instructions on that web site exactly... Look in the event viewer to see what error id#s you are getting to better troubleshoot this.
You forgot YABA - Yet another bloody acronym. :)
Oh yeah.. one more... PSS - Microsoft Product Support - the wonderful folks who help us fix after we've screwed up these little guys...
Excellent tip. Running a backup right now.
I've installed this and still have a page rendering problem. The email display is corrupt if I open it, but if I hit reply or forward, I can read it. Anyone any ideas?
I completely sympathize with the guy vs. girl comment! :) I tried to access the taznetworks link in this post but it doesn't seem to work. May a small typo be the issue? :P Thanks!
His site is down right now... I'll have to ping him and see what's up.
I would agree with you on that, actually =) SBS rocks.
Now that I am re-using drives from last week, how do I set it to automatically over-write the old backup file (I know how to do this using the standard NT Backup utility)... otherwise this is a great way to backup!
I tried your fix and still get the same error. Can't figure it out!?!?#$@#$
Your trackback thanks is great! Anne
Way too late for this one MS After sending out 100,000s of emails last year - I did many a search at MS and the wider web to see if I could find if this was a MS bug or a setup thing and finally bought a 3rd party POP connector, which is great as it checks every minute. This is the one very weak link in SBS and really needs some time spent on improving it. But thanks for pointing it out. CHawke
Tried to find the mskb.zip file, but no luck! Can you post it here Susan? TIA
What is affected by unchecking 'Allow NDR reports'?
I updated the link to my copy - it may need tweaking for the new kb structure though http://www.sbslinks.com/Files/MSKB.zip
Thanks for that, Susan. However, it is only a registry hack - the MSD2D site talks about registering a dll. I tried just entering mskb://kbnumber and it doesn't work. :(
I was hoping that would fix my problems but my versions are the same... back to the drawing board! Seth sethAThollen.org
Ah yes, but what about Public folders?
Update to this be sure to include doing this on the Public Virtual Folder or you will get kicked out of Public Folders when you try to view them
Charles Anthe notes in his blog entry that the opportunity for relay is small. Are you sure you are not talking about SBS 2000? As that did indeed [and still does] have a potential for relay when using a global pop collector. http://blogs.msdn.com/canthe/archive/2004/05/27/143612.aspx
This actually makes sense. A low SCL value means a low probability of it being spam. Conversely, a high SCL value means it's almost certain to be spam. I like to think of it as this formula: (SCL x 10) = % chance it's spam. If you set the threshold to a value of 8, what you're doing is telling IMF to filter out anything with a value of 8 or higher. So, with the formula above, if you have a mail that comes in and is stamped SCL=9 (think of that as 90% chance it's spam) you're going to filter it out. An SCL=7 (70% chance), we don't. Very conservative filtering. Set your SCL threshold too low (say 3), then you're going to be filtering out mail that is perhaps only 30% likely to be spam -- lots of false positives!
Okay so maybe it's just the wackobeancounter that thinks it's backwards...everyone else thinks it's fine. :-)
The hot fix doesn't really fix the issue. It just lets the backup program continue and it still logs this error in the event log and server performance logs as a critical error. Backup still does not back up non-simple SQL DBs and you need to use SQLAgent to export the DBs to a .bak file. The .bak file is a flat file that can be backed up by the MS backup program. Ron da@rrr.org
Hey Ron, I'll pass this on to Sean. I know my backup has been working.
Ah... okay I see what you are needing. As a beancounter whose SQL databases are not the "robust" databases that you probably do, the backup routine of SBS works just fine. If you need up to the minute backups so that you can do full restore via Full Recovery mode, you will either need third party or use the SQL Enterprise manager to "barf out" the flat file as you noted. In my case I'll be using the native STSADM commands to flat file "barf out" the Sharepoint in a flat file as an additional "paranoid" backup. In fact, I think I might script it :-)
Susan, you truly are God's gift to SBSers. Thank you, thank you, thank you!
Is there a definitive guide to installing SP3 on Exchange 2003 SBS? For example, step by step stop the antivirus and backup services etc.? The antivirus, backup and exchange services seem obvious but anything else?
Brian check out http://www.sbslinks.com/exchange.htm and http://www.sbslinks.com/domain.htm The items you mentioned are fine, but I'll be honest on my test server, I shut off nothing and it went just fine.
Just ran BSA on SBS2k3 with SQL and ISA. Scan date: 03/06/2004 2:11 AM Scanned with MBSA version: 1.2.3316.1 Security update database version: 2004.6.2.0 Office update database version: 11.0.0.6517 Security assessment: Severe Risk (One or more critical checks failed.) And obtained the above even after a successful installation of Successful May 28, 2004 Critical Update for SQL Server 2000 Desktop Engine (Windows) on Windows Server 2003 (KB829358) Do I really want to install what they recommend? MS03-031 Cumulative Patch for Microsoft SQL Server (815495) File version is less than expected. [C:\Program Files\Microsoft SQL Server\MSSQL\binn\console.exe, 2000.80.194.0 < 2000.80.818.0] PLEASE LET ME KNOW. Thanks to all the contributors. These pages have been very helpful.
The answer is NO. All of my testing has been on a newly built system using the March 2004 release of SBS2k3 and the MSDN Download of Premium CD on May 25,2004 SQL installation successful SBSmonitoring Instance Failed. Monitoring was not setup yet Sharepoint Instance failed. The system became unstable after this install. Certificates could not be created. System was rebuilt from backup.
I think something else went on there. There is a timing issue with sharepoint 840685 - An event ID 1000 error message is logged to the application event log when you restart Windows Small Business Server 2003: http://support.microsoft.com/default.aspx?scid=kb;EN-US;840685 But patching that instance should not cause your server to fall over like that.
The 840685 Regedit works well. The first install from your Blogs. The Certificate instability noted is caused by using PPOE and ISA. When the work-around is finalized it shall be reported. The recommended BSA patch is older than the patch that had been installed. SQL2000-KB815495-8.00.0818-ENU.exe Date Published: 8/11/2003 Version: 8.0 SQL2000-KB829358-8.00.0884-ENU.exe Date Published: 1/20/2004 Version: 2000 Therefore the installation fails but only on the SQL Sharepoint Instance The installation passes on the SQL, SQL SBSMonitoring Instance SQL SP3A was reinstalled successfully but KB829358 still failed. No confidence in a successful removal of SQL Sharepoint with Add-Remove because of the number of left over entries in registry and elsewhere.
Susan - Try this next time sbradley (at) pacbell.net ;) Anne
I am not sure that I am doing this right, despite John Porcaro's input. Check it out http://thenorwichgroup.blogs.com/fieldnotes/#a0001542442#trackback
This issue is now covered by a KB article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;840685
We are running IMF on SBS 2003 without SP1 and it appears to be working. We have started with conservative settings (filter at server 8-9, client Junk E-mail 6-7). We will see how it goes. So far no false positives at the server level.
But it says it is for IE 5, I am using 6.0 on Windows XP
Doesn't matter.. Works on XP as well
AND it still works on XP sp2 :-)
Hi! RSS is great. That is how I found out about your great tip in the first place. The feeds and aggregators are a blessing for us information hungry/stressed people. And that is how i found out you blogged about me blogging about you blogging. :-) Btw I'm from Sweden. Both Dutch and Swedish have close ties to German so it was not a bad guess. I haven't got around to adding an English presentation yet. Again, the tool you wrote about is great. Especially now when there are problems with a couple of new bugs in MSIE. Cheers, /Lars.
Should have guessed with the .se what can I say ... I'm a geographically challenged Californian :-)
I am using forms based auth (FBA) so a lot of the things you say here don't apply to me but I wish they did. I needed a solution that would work with FBA so I wouldn't have to enter domain\username. Luckily, I have run the Configure E-mail and Internet Connection Wizard in SBS and have been happy to find that SBS adds a little bit of nice code to logon.asp that is used by forms based auth. WHY NO ONE HAS EVER BLOGGED ABOUT THIS CODE I DON'T KNOW. Without this little bit of code, you would have to enter domain\username every time, but this code parses AD and puts in the domain\ for you when you press submit, very cool. Again, funny that no one has blogged about this. I have used this same code snippet for Exchange 2003 Non SBS and Exchange 2003 sp1 Non SBS. I have 2 files available if anyone wants them. One file is for Exchange 2003 pre sp1 and the other is for Exchange 2003 sp1. I posted the files at www.inteltech.com/downloads Just take these files and replace your current (backup original first of course) logon.asp in your exchsrvr\exchweb\bin\auth\usa folder Then do an IISRESET I have only tried this for the USA folder (I only speak English of course, much to my own chagrin) but I assume the same code will work for the other langs. Email me if you have questions jcook@inteltech.com
After rereading some of your stuff it looks like you did intend for your fixes to work with FBA. But as you may have found out, if you use FBA, the domain to authenticate against in IIS will always be reset to \. This is because ESM settings override IIS and the ESM settings sync against the IIS metabase every 15 minutes or so. I think the best bet for everyone is just to use the modified logon.asp code I put on https://www.inteltech.com/downloads. I didn't write this code, but I did do some cutting and pasting to make the same code work for sp1. I just used these files and I didn't have to muck with IIS at all. I think the reason that maybe not many other people have blogged about this is that maybe my Installation CD of SBS was a newer build that not too many people have used. That is my only guess but Anthe should be able to answer that for sure. Read my above post.
Tim Heuer has a RSS feed reader web part for Sharepoint that works great on Windows 2003 SBS. You can get it here - http://www.smilinggoat.net/stuff.aspx. It works very well. RSS is the fastest way to keep up with all the great blogs out there.
The new skins are great and the gallery is not a big issue :) I'm pretty sure we can live without. Thanks for working that hard for us. I appreciate it very much...
Thanks Susan !
Speaking of the SBA For those in Vermont you might want to talk with Al Hall III, Economic Development Specialist with U.S. Small Business Administration's Vermont District Office. 802-828-4422 ext. 207 Al seems to have a few inside tips into the whole SBA process and is a lovely older gentleman with a soft manner.
In other words, they're "Making it more secure by removing the insecure applications instead of fixing the insecure applications" Way to go Microsoft!
Yeah...indeed way to go... because Terminal server is the equivalent of end users. Again, would you want end users sitting at your server using it for surfing and the gunk they do at their workstations? You cannot lock down a Terminal Server on a Domain Controller PERIOD. Wake up people. We CANNOT do things as we once did. It CANNOT be made secure.
That's a great tale but you have to tell more of them.. A lot more of them. But it's only a small step. There's a pretty good story told for Enterprise and SMB customers but many decisions are driven by individuals, consumers and end-users. They need to see how the pieces fit and at the moment, they don't.
Jeremiah, Have you heard from anyone saying your replacement login.asp files didn't work? I had no luck with it. I just get a blank page... Robert Murray
No. It is not possible to run Terminal Services in Application Server mode on Windows Small Business Server 2003. This is a change from Small Business Server 2000. Running Terminal Services in Application Server mode on a domain controller may present a security risk to your network. If you want to use Terminal Services in Application Server mode, we recommend that you purchase an additional Windows Server 2003 license and install an additional server running Windows Server into the Windows Small Business Server 2003 domain. For more information, see "Deploying Windows Server 2003 Terminal Server to Host User Desktops in a Windows Small Business Server 2003 Environment" on the Product Documentation page </windowsserver2003/sbs/techinfo/productdoc/alpha.mspx>.
I think it's great Microsoft is trying to deliver more secure products. I also think they are obviously exploiting the opportunity to require more spending on the part of the buyers! Sure the SBS 2003 Standard product is about $600 less than the SBS 2000, but you have to spend that amount again plus the cost of another computer to support a few lousy term server connections. The part I like best is, they left the term services licensing component on SBS 2003, so you can pay for and install unusable licenses.
That's what I'd like to know, too :-)
You just shut down non delivery emails. In this day and age of spoofing emails, it's like the A/V notifications. They are totally meaningless.
That's for it to handle the licenses of the member server. Read the docs. Bottom line it's not secure dude. Never was, never will be. We asked them to be more secure. They delivered. And you are mad that they listened?
Quick BOOKMARK and then add to OneNote.. Perhaps this means I won't have to ping Susan with stupid where do I find type questions in the next few weeks. :) On the other hand Susan always puts in a twist and flare for a little extra so perhaps I will just ask more advanced queries..
Here is more information that might be helpful! I definitely talked with as many consultants as possible as this article was coming together, but like everything tech that just created more questions! http://www.cpatechadvisor.com/articles/2004/JuneJuly/backupfeature.shtm Cheers
So Susan, you figured out how to install that RSS feeder... the instructions are not the best ;-) Just tried it here, but I am getting nowhere :-)
The Microsoft Monitor page incorrectly leads the reader to believe that SharePoint Portal Server 2003 is part of SBS 2003, when in fact, it is not. SBS 2003 includes Windows SharePoint Services, but not SPS. Just thought I'd clear that up for your readers!
Here is one of my favorite hacks for searching...don't remember where I picked it up... Paste this into notepad and save it as a .reg file, then launch it.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\Ggl]
    @="http://www.google.com/search?q=%s"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\MSKB]
    @="http://support.microsoft.com/?kbid=%s"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\WINFAQ]
    @="http://search.winnetmag.com/query.html?col=faq&qt=%s"

Now I just type "ggl (my search string)" into the IE address bar and go or "mskb (kb number)" or "winfaq (search string)" Not an advanced search, but a quick start. Tammy's Google toolbar tips are just excellent - thanks! ...yours are too Susan :?)
You add the note about moving the log files, almost as an afterthought. Why would anyone want to move the databases but not the logs? Isn't it safer to keep these together?
So, what if we actually *NEED* a terminal server? And PAID for licenses that it INSTALLED already and won't let us use? Good thing we got the SBS for nearly nothing so we can shred the CD and toss it. As for the 'It's not secure dude. Never was, Never will be.' I quote Chandler Bing: "ya THINK?!" SBS was always a waste of money.
Well uninstall them and stick them on the separate TS box. If you think SBS is a waste of money you are a bit in the minority. There are many folks that are indeed seeing the cup 1/2 full and not the cup 1/2 empty. TS should not even be allowed on "normal" Windows 2003 Server on a domain controller. SBS is a frame of mind and a state of being. You either have it or you don't. :-)
OK, my frame of mind was very positive toward SBS until the removal of half the functionality. Every customer of mine that has small business server uses the terminal server feature on a daily basis, and it saves them thousands of dollars that would have to be spent on upgrading obsolete PC's. The term server allows them to keep their old PC's and work. What if a small business that has all thin clients wants to upgrade to SBS 2003 from 2000? Anyone have a calculator with enough digits to figure the cost of licensing??? Furthermore, if you want to make a case for security and design issues, the Windows 2000 operations guide recommends having the domain controller, exchange server and term server on separate boxes, but that works just fine (and isn't necessary anyway). For the small amount of users SBS is designed to support there's not a reason in the world to disable the term server, except to help Microsoft's profit margins. After all, IT spending has been on the decline for years now, has it not?
One final thought about security: none of the security-related calls I have fielded from customers have been caused by terminal services. In fact, they have all been due to people running ISA server without an external hardware firewall. ISA is supposed to BE the firewall, but it is garbage and basically paves the way for getting your server cracked and blacklisted.
I've never seen a box running ISA that is fully patched get nailed. Typically the security issues are because they are not up to date on patches. Sorry but I still disagree. TS on a DC is like having someone use the domain controller as a workstation. If that's how you want to run a network, that's your choice. The reality is it was insane before.
There is no need to turn off forms based authentication in Exchange System Manager IF you are using Entourage 2004. That's one of the cool new features of Entourage 2004.
Hi Phil and Susan ;-) It's a better idea to have them separated; that way, if the databases HD is gone, you can recover with the latest full backup and log files up to the point of failure without mail loss. Another reason is the system performance. Because of the way Exchange works (accessing DBs & Logs) it's better to have them separate. Hope this helps. PS. On a normal installation I use i.e. C for OS, D for Logs and E for databases; ideally C -> Mirror, D -> RAID 0+1, E -> RAID5. Saludos from Spain. Benji
>"[this hotfix now in Exchange 2003 SP1]" I don't think so. You have to download it. For some reason I can't access the exe from microsoft.com right now.
Sorry... meant that it's a "requirement" and thus you'll get it whether you like it or not when installing Exchange 2003 SP1
Well.. finally got it... for those that go with the defaults... this is probably the command for you: "C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN\STSADM.EXE" -o addwppack -filename "C:\Program Files\Smiling Goat\FeedReader\SmilingGoat.FeedReader.cab" -globalinstall -force
Did you find the way to correct this?
You do realize all of these options are available through the UI, too, right? No need to hack the registry for everything. :-)
I see the analogy but it's not quite right.. We know what the place is AND how to get there, we just don't want the ride. Personally, I'd be quite happy to use the ride (wizard) because if for any reason it doesn't work I know how to fix it manually :)
Well, I cannot 100 per cent agree with your statement: "If you really want to do it manually... you could..." I am coming from the Enterprise world and I made the mistake of changing the TCP/IP address on the NIC properties of SBS 2003 as I usually do on a real Windows Server 2003. However, not knowing where else the SBS NIC wizard puts the IP address settings, it broke many things, which led me into a reinstall (thanks to a virtual machine for testing, no problem). At my second attempt I figured out that the IP address is scattered around at many places (IIS for example and also companyweb). Since there is *NO* documentation of what those Wizards actually do behind the scenes you are *REQUIRED* to use them. Otherwise the risk that you break SBS 2003 is very high. Once you know that, it's ok to use the Wizards. However, my wish is that Microsoft would implement some kind of logging so that we could look up what each Wizard does behind the scenes. Otherwise it always leaves a bad taste for those guys coming from a strong Enterprise environment who know most of the products included in SBS 2003 from the ground up better than any Wizard can do. I still remember how the Windows 2000 DNS Wizard - not the SBS 2000 DNS Wizard - messed up the default DNS settings back in February 2000 when I installed my first production Windows 2000 Server. Since this day my reluctance for Wizards has not changed and will not until Microsoft tells me what each Wizard exactly does. Just my $.02US
Ah.. I remember with great fondness the issues suffered by many at the hands of the 2000 Server DNS wizard ;)
You guys realize that there are log files for those wizards all over the place?
No, I think the destination is often generally unknown, and so is the route. So many times, we see people stop short of a proper implementation, and then head off running setup.exe from a variety of locations. This is understandable, because outside of the SBS experience, that is the way it's done - that's what we were trained on, that is what we know. Those that think they know the destination, and the route - are either experienced with SBS and *do* in fact know these things (and trust the wizards); most all others are in for a dose of frustration and a potentially humbling experience. I don't like the term wizard, the name itself is part of the problem, I have a general distrust of anything 'wizard', that is a common sentiment that I believe most hold. In the case of the SBS wizards, they should be given a better name like XXX Configuration Tool. The biggest problem is the lack of publicly available *detailed* documentation, a problem that has been communicated to MS on more than one occasion. This could/should be resource kit or Technet type material. So far, TTBOMK the kind of detail required only exists in internal manuals - but it does exist. We need to work on getting this stuff made available to a wider audience. The Configuration Tools (a.k.a. wizards) are a marvelous piece of engineering and software development, anyone who gets to understand the inner workings will agree. But this in fact may be part of the hesitation on MS's part to make the details more widely available. After all, the 'wizards' are essentially what makes SBS what it is - they are the glue that binds the matrix. A desire to protect this collateral is understandable in some ways. So be careful when you say you don't want the wizards, because without them, you haven't really got SBS. Les.
One last thing. The wizards were developed with lots of input from all kinds of folks, including Enterprise folks. Putting all these server apps on one box obviously wasn't a wizard driven process to start with. What we see today in SBS is the product of many many tedious manual configurations painstakingly recorded and scripted. At every new generation, more tedium is replaced by scripts, and more functionality is added. If you find yourself repeating configuration or monitoring tasks, then SBS dev wants to know about it - that would be a candidate for a new wizard, or an incorporation into an existing one. What we see in SBS is a direct result of what we have asked for. SBS delivers us from tedium. Les.
Before installing Service Pack 1 - make sure you install this patch 831464 - FIX: IIS 6.0 compression corruption causes access violations: http://support.microsoft.com/default.aspx?scid=kb;en-us;831464 [I said in another post that it's part of Exchange 2003 SP1 and it's not ... it's...
When will MS patch the known exploits ??
I work on many development servers. Last month after thoroughly studying the Knowledge Base I selected 17 HotFixes for WinServer 2003 or/and SBS 2003. The HotFixes were intended to combat different problems on different servers on different networks. I called Redmond and the support representative agreed 17 was a lot to ask for, but said it wouldn't be a problem. He gave me his email address and I emailed off the list. I requested a read receipt which I did receive, however, that was all I received. 24 hours later I emailed the same address asking for an update on getting to me the HotFixes - which I never received. As an MS Partner\ISV I seriously am annoyed. Even more so annoyed to think I am then expected to dance with what I can only describe as B U R E A U C R A C Y in order to produce... HotFixes! I chose not to tango. ...and MS wonders why so many people still play with Penguins.
That is unacceptable Mica. Do you have that person's contact info? I'm forwarding your comments to some people I know.
Susan, I am working on specifically this as one of the many projects I am doing at the moment. The problem is just time. It will be a video much like the example you give. However, before doing so, I am waiting on smiling goat's file manager. (I want to show that.) Cheers, Nick Whittome
The wizards do work properly most of the time. If you select a PPPOE connection watch out. A good description of exactly what is configured is available by searching Small Business Server Help and Information for "Default Settings" Fred
Hi Susan, Have you seen these guys? http://blogs.sqlxml.org/bryantlikes/category/18.aspx http://weblogs.asp.net/soever/category/1593.aspx http://weblogs.asp.net/mnissen/ (scroll down - some WSS specific stuff here) http://weblogs.asp.net/wkriebel/category/4089.aspx http://weblogs.asp.net/jan/category/2443.aspx Some of these guys are not very active but you might get something out of their blogs. I may be wrong but Sharepoint on WSS looks like the Portal and not just Sharepoint Services installed on WSS.
No doubt Susan is a true MVP to have actively assisted to correct this 'issue'... even on a Saturday! Thanks again. -Mica
Just FYI, I collect % confident for 5+ SCL score: X-SCL: 5 72.63%; X-SCL: 5 82.13%; X-SCL: 6 86.33%; X-SCL: 6 89.08%; X-SCL: 7 92.88%; X-SCL: 7 97.32%; X-SCL: 8 97.54%; X-SCL: 8 99.3%; X-SCL: 9 99.61%; X-SCL: 9 99.89%; X-SCL: 9 99.9%
Ok, so I'm getting the same error and followed your instructions and it still is not fully rendering OWA in IE. This happens on every IE browser I test on externally. OWA works perfectly internally. Oh, and BTW it works perfectly without all the fancy OWA tricks in Mozilla Firefox. Go figure~ My certs are published fine, as are ISA rules. Am I missing a firewall filter somewhere? Any thoughts?
That's correct, Norm. I need to get this updated with the full info on Entourage 2004, which I'm actively working on. Should have it available soon... -Q
I can't locate the NT AUTHORITY\NETWORK SERVICE in Active Directory. Please be more specific. Perhaps I'm just an idiot. I have looked high and low. I don't understand why I would be having this problem on the server when it's a new installation. I have two servers, both are AD servers, one being a backup. Nothing was wrong until this morning when I found this lame error annoying the hell out of me. All solutions point to the same thing posted here but I cannot locate any NT AUTHORITY\NETWORK SERVICE group or user. Mayday!
Thanks Eriq! Great site!! Question for you and/or Norm. With Entourage 2004, does the calendar update better than it had in Entourage X? I had bagged using Entourage X and went to Outlook 2003 in a VPC 6.1.1 XP Pro session because the calendar would take forever to update in Entourage X but does much better in cached mode in the new Windows Outlook 2003 client. In addition, I was finding IMAP would only update directories if you select them to view, otherwise they would stagnate - not a cool thing when you go to access an email on your PowerBook when offline. I was just going back in to my SBS 2003 box to disable the previous changes I had made to enable Entourage when I came across the updates Susan made here. Have already killed my Exchange profile in Entourage X, but if 2004 is more agreeable with SBS and Exchange 2003, then I'll give that a shot. Do you think it is ready for primetime power use yet?.. Thanks again for your site Eriq! Glad Susan ran across it. Steve
Have no fear, young grasshopper . . . So I'm applying Exch SP1 on the server here at the office (been running it at home for a little while). So I finish the install and notice that I can't access my Companyweb site . . .
Susan -- just had a good laugh. Did you notice that when you go to your Amazon link, under the section of what customers interested in Threat Modeling may also be interested in, we find this: Customers interested in Threat Modeling (DV-Professional) may also be interested in: Modeling Talent Sought Job opportunities for all ages now available thru agencies nationwide! www.FashionRockNow.com Models and Actors Top agents looking for models & actors. Real World Melissa hosting www.callbacksinc.net Looking for Models Join the premier online marketplace We build your webpage for $9.95 www.StepOneTalent.com/
Susan, re: your link to the IE power tools, when I go there it was released on Aug 27, 2001 for IE5 -- any problems with using it on IE6???
Is this only an issue for SBS 2k? Or should this be applied to 2k3 as well?
None at all, works on XP sp2/IE 6
>> If you select a PPPOE connection watch out. That would be a DDT. Use two nics and let a soho router handle the pppoe and your life will be good. Les.
And remember - when you call PSS, that $245 doesn't get you a phone call - that $245 gets you a guaranteed resolution to your problem - I've had situations that have required multiple support engineers across multiple shifts. These guys & gals never let you down. Here's a tip - if you are troubleshooting an intermittent problem, and it appears that it has been solved, be sure to leave the case open when you get off the phone. These engineers will follow up with you at least once every-other day. This gives you the ability to ensure that the issue doesn't resurface, and if it does continue with the same support engineer who is the most familiar with the case . . . And for you small biz consultants - you're signed up for Business Critical Phone Support, right???
Personally, coming from a distinctly NON techie background, having the wizards (Configuration Tools) allowed me, from SBS2K on, to learn what to do and how to do it. Just upgrading to SBS2K3 went smoothly until my newly hired assistant (a true techie) tried to mess with settings without knowing SBS and fried the whole thing. This made us go through an entire reinstall and ALMOST lost everyone's email and files in the process (luckily I had made backups the day before going out of town). He has learned his lesson and how valuable these Config Tools are.
Yup....
hmmm... it just hit me.. a Best Practise is to have a Virtual sbs2003 server and a virtual client loaded on me laptop. Then I can talk my clients through whenever and wherever...... I wonder if my local SBS2003 user group could help me get a virtual SBS2003 image.....
To compare this minor vulnerability which is very unlikely to be exploited to IE is laughable: Read the following for an explanation: http://www.avencius.nl/
When you go to the security of the above directories, click add, then type Network for the user/group name and then Enter. This should show you a couple of names, one being "Network Service." Select and use it as stated above. Paul
This worked for me: 1) Go to Start/Server Management 2) Expand out Advanced Management/Internet Information Services/servername/Web Sites/Default Web Site and then right click on the /exchange-oma virtual directory and select Properties. 3) Make sure that the local path has the domain name that matches your Primary SMTP address from the Default Recipient Policy (or you could copy and paste it from the local path setting of the /exchange virtual directory). 4) If you do change the /exchange-oma virtual directory, then go to a command prompt and run iisreset (keep in mind that this will temporarily stop/start your web sites (like companyweb) and parts of Exchange). 5) Then restart the Microsoft Exchange System Attendant service from Start/Administrative Tools/Services
I have done that but the server says it is unable to write. Please help
You may also want to include http://www.wssdemo.com it has lots of cool WSS stuff.
If anyone is using microsoft products they are not concerned about security anyway. The customers I have that use SBS are between 10-30 employees, one of which is a factory that uses several thin clients in the plant for their applications to do work orders, shipping and that stuff. It's hot and dirty and PCs just will not last very long so they use max terms. We were planning to upgrade to SBS 2003 but without term support in app mode it's not gonna work. Anyway you can put the term user accounts in an OU and lock it down if you know what you're doing.
Allen... there isn't an OS in the world that doesn't need patches and maintenance. Wake up and smell the vulnerability notifications, dude. Read the Security Res kit... would you want to have an employee sitting at that domain controller and surfing? Not to mention... you have to remove the Enhanced IE lockdown. Sorry folks, you guys just don't get it. We can't do business as usual around here folks. Get over it.
I also get a blank page only.
great :-( I have a client (behind a customised Linux firewall with content filtering), they have 5 users, small budget, old workstations and have bought a small HP Proliant SBS 2003 server and 5 Terminal Services Licenses and 5 office licenses, all they want to do is use a few small accounting apps and office 2003. The HP has redundant drives and they have a daily tape backup routine so I am not particularly concerned about the staff using the SBS server as a TS. Now I have installed the licenses and activated the licensing server but cannot change Terminal Services Configuration to application mode (as per the microsoft documents listed in earlier posts). However, why does it let me install Terminal Services Licenses and have a Terminal Services Licensing server if I can't actually use the server as a Terminal Server? Is there a workaround for this as the reasons listed for not running TS on SBS2003 are not applicable here, running Terminal Services on their SBS box is. If anyone can help please reply or e-mail me at josh@xanteq.com
Perfect down to the letter fix here good job!!!
A similar tool is available at http://www.jasons-toolbox.com/programs.asp?Program=Trust%20Setter. It adds buttons to the toolbar to add or remove a site
Let's see.... Where to start and with whom... Susan you win that prize. First let me ask you a question. Do you understand that computers are nothing more than 1 and 0? In simpler terms (on, off switches). The reason I ask this is because with everybody crying about Microsoft security and with them listening, it is just going to make them build more [on, off switches], you know, the ones we all hate called wizards! Thus having them take away more of the control from us (you know, something like big brother). Hell, maybe they should just have us as network administrators fill out a questionnaire in the beginning of the server setup and not give us the right to change anything after that. This way any dumb ass can do one. Now with that said, let me do a little backing on my part. I am a network admin of 170 SBS 2000 Domains all over the U.S. and what I have read about why Microsoft has taken away Application mode on SBS 2003 is just plain (BS!) Now I know you are sitting there asking yourself what gives me the right to say this. Well let me tell you what gives me the right. 1. All of my SBS 2000 servers are in TS application mode. 2. None have ever been restarted or shut off by the end user. 3. None have ever had pop-ups. 4. None have ever had a virus. 5. None have ever been broken into. 6. None have ever had a single setting changed by the end user. Do you know why? IT'S CALLED NETWORK ADMINISTRATION! You know, the thing we get paid for. Let's stop asking somebody else to do our job, and do it ourselves before it is so easy we are not needed! Oh, one more thing, I loved this line you said (Bottom line it's not secure dude). Well dude, it's not secured because you (the network admin) have not made it secured! Mad consultant, I agree with everything you say except the ISA part. My servers all also use it as their main firewall. And again none have ever been broken into. I feel the software is only as good as the one who is administrating it.
I have seen many hardware firewalls set up wrong.
Pat it's not business as usual anymore. Look at what's going on the Internet right now.. SMTP auth attacks, unpatched IIS5 machines used to infect desktops. Guys... wake up and see the writing on the wall. Once upon a time we had an average of 300 days between patch release and exploit in the wild. Now it's less than a month. There's no use arguing over this. They're not putting it back because it flat out doesn't meet the Security threshold. End of story. They aren't putting it back. You cannot do the steps that you are supposed to do to lock down TS on a SBS2003 box. Flat out cannot be done. Period. You guys are not understanding the facts we can't do business as usual. Look at what is being done in XP sp2. The changes that are being made because we cannot run our machine "the way we are used to doing them" The world demanded that Microsoft step up to the plate and be more secure. They delivered. End of story. SBS2003/VMware or Virtual Server running a virtual Win2k3 TS that can be made secure. That's "Network Administration" in this day and age. Proactive and not reactive.
The 16GB limit is outdated. That was an old Exchange 5.5 or maybe even 5.0 limit. Come on. Those were the old days. You gotta give us something. And the price difference between standard and enterprise, A WHOPPING $4,000. Come on Microsoft. That just ain't right. How about Exchange 2003 SP2 giving us 32GB of storage on Standard? That would be great.
Err.. Like basic stuff and MS are missing the boat.. Does anyone fancy doing a Blog on what they consider to be the CURRENT load sequence and patches needed? I have my own but am looking for a second opinion...
| Patch | Notes |
| | Base server install |
| | Main SBS applications (Exchange & sharepoint) |
| | ISA server install (Premium technologies) |
| | SQL 2000 installed (Premium technologies) |
| | SQL 2000 SP3a (part of Premium technologies) |
| 819696 | Installed by base SBS setup |
| 822132 | Installed by base SBS setup |
| 822742 | Installed by base SBS setup |
| 822743 | Installed by base SBS setup |
| 822744 | Installed by base SBS setup |
| 822745 | Installed by base SBS setup |
| 822925 | Installed by base SBS setup |
| 823559 | Installed by base SBS setup |
| 823980 | Installed by base SBS setup |
| 824073 | Installed by base SBS setup |
| 824105 | Installed by base SBS setup |
| 824139 | Installed by base SBS setup |
| 824146 | Installed by base SBS setup |
| 825117 | Installed by base SBS setup |
| 826238 | Installed by base SBS setup |
| 826936 | Installed by base SBS setup |
| | LSI Raid Power Console Plus 5.00i-2 installed: MegaRAID Service Monitor, Power Console Plus, MegaRAID Client [lsilogic_PC Plus 5.00i-2.zip] |
| | Enable and start “Windows Time Service” as this gets disabled by the internet connection wizard. Set time service to update clock from our ISP “Net time \\server-2 /setsntp:time.aaisp.net.uk”. It was time.windows.com,0x1 |
| 831464 | IIS 6.0 compression corruption causes access violations. Update to Fix Outlook Web Access Pages Display Issues. Install this update to resolve page rendering problems or access issues with Outlook Web Access (OWA) and Microsoft Internet Information Services (IIS) 6.0. Reboot required [WindowsServer2003-KB831464-x86-ENU.exe] |
| | Re-ran ICW selecting ‘direct connection’ (instead of ‘router’) as time service not working properly. Now seems to be updating correctly |
| | Exchange Server 2003 Service Pack 1 [E3SP1ENG.EXE] |
| | Exchange Server 2003 Service Pack 1 (SP1) Online Help [exchelpupdate.msi] |
| | Set Exchange Relay restrictions. Disabled ‘relay for clients that authenticate’ |
| 843539 | Update for Integration Issues Caused by Exchange Server 2003 Service Pack 1. Install this update to remedy minor integration issues caused by the installation of Exchange Server 2003 Service Pack 1 on Windows Small Business Server 2003. No reboot required [SBS2003-KB843539-X86-ENU.EXE] |
| 835734 | Update for Microsoft Connector for POP3 Mailboxes Causing Unexpected Outbound Messages. Install this update to correct an issue with the POP3 Connector that causes unexpected outbound messages to appear in the SMTP Queue. No reboot required [SBS2003-KB835734-X86-ENU.EXE] |
| 830801 | Update to Remove Non-English Characters From English Help and Support. Install this update to display characters correctly in the Windows Small Business Server 2003 Help and Support Center. No reboot required [SBS2003-KB830801-X86-ENU.EXE] |
| 831664 | Update for Backup Attempts Failing With a Tape Device That Supports Multiple Tape Types. Install this update to correct the issue of NTBackup incorrectly choosing the backup tape type on a drive that supports multiple tape types. No reboot required [sbs2003-kb831664-x86-enu.exe] |
| 833992 | Update for Microsoft Connector for POP3 Mailboxes Consuming 100% of CPU While Downloading Messages. Install this update to correct an issue with the POP3 Connector consuming 100% of CPU time when downloading messages. No reboot required [SBS2003-KB833992-X86-ENU.EXE] |
| 832759 | NOT APPLIED.. Update stated that the service pack version we are running (sp1) is newer.. Security Update: Vulnerability in Exchange 2003 Server Could Lead to Privilege Escalation. Install this update to improve the security of your Exchange server. [Exchange2003-KB832759-x86-enu.exe] |
| 870669 | Critical Update for ADODB.stream (KB870669) - (Posted Date: July 01, 2004) Download size: 104 KB. An issue has been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [Windows-KB870669-x86-ENU.exe] |
| MS04-013 837009 | Cumulative Security Update for Outlook Express for Windows Server 2003 (KB837009) - (Posted Date: April 09, 2004) Download size: 605 KB. A security issue has been identified in Microsoft Outlook Express that could allow an attacker to read files on your computer, or cause a program to run. You can help protect your computer by installing this update. After you install this item, you may have to restart your computer [WindowsServer2003-KB837009-x86-ENU.EXE] |
| MS04-004 832894 | Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB832894) - (Posted Date: January 30, 2004) Download size: 2.9 MB. Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system. For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don’t run Internet Explorer as your Web browser). After you install this item, you may need to restart your computer [WindowsServer2003-KB832894-x86-ENU.EXE] |
| MS04-016 839643 | Security Update for DirectX 9.0 (KB839643) - (Posted Date: June 04, 2004) Download size: 443 KB. A security issue has been identified that could allow an attacker to cause DirectX, or applications using DirectX, to become unresponsive. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [DirectX90-KB839643-x86-ENU.EXE] |
| MS04-015 840374 | Security Update for Windows Server 2003 (KB840374) - (Posted Date: May 07, 2004) Download size: 643 KB. A security issue has been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB840374-x86-ENU.EXE] |
| MS04-014 837001 | Security Update for Windows Server 2003 (KB837001) - (Posted Date: April 12, 2004) Download size: 3.8 MB. A security issue has been identified that could allow an attacker to compromise a computer running Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB837001-x86-ENU.EXE] |
| MS04-012 828741 | Security Update for Windows Server 2003 (KB828741) - (Posted Date: April 09, 2004) Download size: 2.8 MB. A security issue has been identified that could allow an attacker to compromise a computer running Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB828741-x86-ENU.EXE] |
| MS04-011 835732 | Security Update for Windows Server 2003 (KB835732) - (Posted Date: April 09, 2004) Download size: 1.8 MB. Multiple security issues have been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB835732-x86-ENU.EXE] |
| MS04-003 832483 | Security Update for Microsoft Data Access Components (KB832483) - (Posted Date: January 30, 2004) Download size: 2 MB. An identified security issue in Microsoft Data Access Components could allow an attacker to compromise a Windows-based system and take a variety of actions. For example, an attacker could execute code on the system. By installing this update, you help protect your computer. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed [ENU_Q832483_MDAC_x86.EXE] |
| MS04-006 830352 | Security Update for Windows Server 2003 (KB830352) - (Posted Date: February 09, 2004) Download size: 355 KB. A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows Internet Naming Service (WINS) and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB835732-x86-ENU.EXE] |
| 829358 | This patch does not implement on our system. I suspect that it is being misreported by windows update as we have sql server. Critical Update for SQL Server 2000 Desktop Engine (Windows) on Windows Server 2003 (KB829358) - (Posted Date: May 07, 2004) Download size: 3.2 MB. This update addresses issues with Microsoft SQL Server 2000 Desktop Engine (Windows) when used with Windows SharePoint Services as discussed in the Microsoft Knowledge Base (KB) Article 829358. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed [SQL2000-KB829358-8.00.0884-ENU.exe] |
| MS03-043 828035 | Download size: 366 KB. A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® Server 2003 and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB828035-x86-ENU.exe] |
| MS03-044 825119 | Security Update for Microsoft Windows Server 2003 (KB825119) - (Posted Date: October 13, 2003) Download size: 330 KB. A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® Server 2003 and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB825119-x86-ENU.exe] |
| 828026 | Download size: 2.8 MB. This update contains a change to the behavior of Windows Media Player’s ability to launch URLs in the local computer zone from other zones. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsMedia-Q828026-x86-ENU.exe] |
| MS03-041 823182 | Security Update for Windows Server 2003 (KB823182) - (Posted Date: April 09, 2004) Download size: 449 KB. A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it. For example, an attacker could execute code on your system. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB823182-x86-ENU.exe] |
| MS03-045 824141 | Security Update for Microsoft Windows (KB824141) - (Posted Date: October 13, 2003) Download size: 532 KB. A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. To attempt an attack, the attacker would have to be able to log on to the computer. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer [WindowsServer2003-KB824141-x86-ENU.exe] |
| 837272 | Update for Windows Media Player 9 Series (KB837272) - (Posted Date: June 04, 2004) Download size: 2 MB. This update addresses an issue when copying music media files between Windows Media Player and a supported portable device. As the number of items in the Media Library increases, so does the copy time. You can help improve the transfer time by installing this update. After you install this item, you may have to restart your computer [WindowsMedia9-KB837272-ENU.exe] |
| | DirectX 9.0b |
| MS04-016 839643 | Download size: 443 KB, < 1 minute. A security issue has been identified that could allow an attacker to cause DirectX, or applications using DirectX, to become unresponsive. You can help protect your computer by installing this update from Microsoft.
After you install this item, you may have to restart your computer [DirectX90-KB839643-x86-ENU.EXE] ---------------------------------------------------------------------------------- Install Windows 2003 Support tools [suptools.msi] ---------------------------------------------------------------------------------- 843539 Update for Windows Small Business Server 2003: KB 843539 Microsoft has identified two issues that occur after Service Pack 1 for Microsoft Exchange Server 2003 is installed on Microsoft Windows Small Business Server 2003. These issues are: When you log on to Microsoft Outlook Web Access (OWA) or Microsoft Outlook Mobile Access (OMA), you must include a domain name when you enter a user name. For example, you must enter domain\username instead of only username. The monitoring tools in Windows Small Business Server repeatedly send a critical alert regarding store.exe consuming memory. Installing this update resolves these issues in the following manner: When you log on to OWA or OMA, you no longer need to include a domain name when you enter a user name. The monitoring tools no longer send the critical alert. Instead, the Performance Counter called “store.exe Private Bytes” is disabled by default.
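A hand-assembled patch list like the one above is easy to get wrong by copy and paste. The following is an added example, not part of the original post: it parses entries in that shape and flags any entry whose installer file name carries a different KB number than its heading, or whose installer is listed under more than one KB. The sample entries are abridged from the list above, and the function names are assumptions made for the example.

```python
"""Cross-check a hand-built patch list: heading KB vs. title KB vs. installer name."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEPARATOR = re.compile(r"\s*-{10,}\s*")                    # the dashed rule between entries
HEADER = re.compile(r"^(?:(MS\d{2}-\d{3})\s+)?(\d{6})\b")  # optional bulletin id, then KB
TITLE_KB = re.compile(r"\(KB\s?(\d{6})\)")                 # "(KB835732)" inside the title
INSTALLER = re.compile(r"\[([^\]\s]+\.(?:exe|msi))\]", re.IGNORECASE)
INSTALLER_KB = re.compile(r"(?:KB|Q)(\d{6})", re.IGNORECASE)

# Sample input: entries abridged from the list above (descriptions removed).
SAMPLE = """
MS04-011 835732 Security Update for Windows Server 2003 (KB835732) - (Posted Date: April 09, 2004) Download size: 1.8 MB [WindowsServer2003-KB835732-x86-ENU.EXE]
----------------------------------------------------------------------------------
MS04-003 832483 Security Update for Microsoft Data Access Components (KB832483) - (Posted Date: January 30, 2004) Download size: 2 MB [ENU_Q832483_MDAC_x86.EXE]
----------------------------------------------------------------------------------
MS04-006 830352 Security Update for Windows Server 2003 (KB830352) - (Posted Date: February 09, 2004) Download size: 355 KB [WindowsServer2003-KB835732-x86-ENU.EXE]
----------------------------------------------------------------------------------
829358 Critical Update for SQL Server 2000 Desktop Engine (Windows) on Windows Server 2003 (KB829358) - (Posted Date: May 07, 2004) Download size: 3.2 MB [SQL2000-KB829358-8.00.0884-ENU.exe]
----------------------------------------------------------------------------------
DirectX 9.0b
----------------------------------------------------------------------------------
Install Windows 2003 Support tools [suptools.msi]
"""


@dataclass
class Entry:
    bulletin: Optional[str]   # e.g. "MS04-011", None for non-bulletin updates
    kb: Optional[str]         # six-digit KB from the heading, None for section headings
    title_kb: Optional[str]   # KB number quoted in the update title, if any
    installer: Optional[str]  # file name given in square brackets, if any


def parse_list(text):
    """Split the list on its dashed rules and pull the identifiers out of each entry."""
    entries = []
    for chunk in SEPARATOR.split(text):
        chunk = " ".join(chunk.split())  # collapse line wraps inside an entry
        if not chunk:
            continue
        header = HEADER.match(chunk)
        title = TITLE_KB.search(chunk)
        installer = INSTALLER.search(chunk)
        entries.append(Entry(
            bulletin=header.group(1) if header else None,
            kb=header.group(2) if header else None,
            title_kb=title.group(1) if title else None,
            installer=installer.group(1) if installer else None,
        ))
    return entries


def audit(entries):
    """Return {kb: [problem, ...]} for entries whose identifiers disagree."""
    listed_under = defaultdict(list)  # installer name -> KBs it is listed under
    for e in entries:
        if e.kb and e.installer:
            listed_under[e.installer.lower()].append(e.kb)

    report = {}
    for e in entries:
        if e.kb is None:
            continue  # section heading or tool install: nothing to cross-check
        problems = []
        if e.title_kb and e.title_kb != e.kb:
            problems.append(f"title says KB{e.title_kb}")
        if e.installer is None:
            problems.append("no installer listed")
        else:
            found = INSTALLER_KB.search(e.installer)
            if found is None:
                problems.append("installer name carries no KB number")
            elif found.group(1) != e.kb:
                problems.append(f"installer is for KB{found.group(1)}")
            others = [kb for kb in listed_under[e.installer.lower()] if kb != e.kb]
            for kb in others:
                problems.append(f"installer also listed under KB{kb}")
        if problems:
            report[e.kb] = problems
    return report


if __name__ == "__main__":
    for kb, problems in audit(parse_list(SAMPLE)).items():
        print(f"KB{kb}: " + "; ".join(problems))
```

An entry flagged this way should be checked against the bulletin itself before the list is used to build or audit a server.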
The time gets disabled by the option you chose in the CEICW. Broadband turns it off. I've tried to capture all of these in the "Needed patches" section http://msmvps.com/bradley/category/475.aspx
yeah.. I had spent the effort to read there, and used that to help build my list. But nowhere can I find a definitive 'this is what you need' list. I bet I'm missing something in my list, but then if my list helps one bod it's gonna save them days trawling the net.. Perhaps there's call for a more precise blog on this.. I know that MS keep promising. I cornered one of the senior 2003 project managers on this subject at their security roadshow and they promise.. but don't deliver.. One interesting thing I did note was that the external OWA didn't work until I re-ran CEICW and selected broadband with router (rather than direct).. odd one.. I later re-ran and picked direct and all was fine.. Very odd. But yes Microsoft.. Let's have a single page that simply lists the 'currently needed hotfixes and security patches' David
Hey Steve. I've had MUCH better luck with Entourage 2004 than with any previous version, or any version of Outlook since Microsoft removed Exchange connectivity from the client. I'm looking into an issue with WebDAV and Entourage2K4/SBS. There may be some updates to the links soon. -Q
Shavlik also falsely report when scanning a completely up-to-date Windows XP system that I have one missing patch - TOOL03-039, deemed to be critical. This tool is far from critical, and Microsoft even say that it won't be needed unless Nachi and/or Blaster was detected on the system. I have spoken to Shavlik about this "false positive" and they still insist that it is a needed tool. The alternative suggestion was to ignore this report. Neither of these are correct. If the tool isn't critical nor required, Shavlik's HFNetChk Pro should **NOT** report it as critical and missing. This is poor coding. Nothing else. I am waiting for this to be addressed, and if not, they will be added to the ThreatCode.com site for falsely reporting missing tools. (And yes, it is a tool, not a patch.) - HiltonT
I disagree Hilton, you do a WU on that system and it will say that it's missing too. Shavlik is just doing what WU would do. I pushed those down to my machines.
I *always* do a WU, and it has never suggested that tool. Never. Not once. Actually, Microsoft does not recommend that this tool is installed regardless of its need. If you have a look at http://support.microsoft.com/?kbid=833330 in the "Download and setup information" section you will see where Microsoft clearly states "Note If you use Automatic Updates, this update will be automatically installed if it is needed. You do not have to take any additional action". I have not found anywhere on the Microsoft website nor in any of their documentation that I have here - including their Security Bulletins - where Microsoft recommends that this tool (it is not a patch, it is a worm removal tool) be installed regardless of whether the computer has previously been infected. If you can find some recommendation by Microsoft, I'd be glad to see it. Shavlik was unable to provide any proof of this. Shavlik therefore falsely report that this tool is critical and missing. It is neither.
I've seen it on WU.
Yes, but, as per the Microsoft KB article I referenced, this will only appear if the machine had previously been infected by Nachi and/or Blaster. If that is not the case, then Microsoft clearly states that the tool is unnecessary and far from critical. Shavlik need to learn to read the KB articles more closely, and report the facts, not their version of them.
No I've gotten that on machines that never had either. I'd rather have the tools there than not there. Sorry but they can stick that KB on my machines. Protection in any form is wise these days.
Hi Susan, That tool provides no protection. None whatsoever. All it does is remove crud left over after Blaster/Nachi has been disabled. Also, Microsoft clearly state in that KB that this tool will *only* be offered if one of these two worms has been detected (and removed). No other time will the tool be offered in WU. I'd say, then, that these machines must have been infected and you didn't know it. Microsoft says that is the case, and in this particular instance, I believe them. :) Again, if a tool is unnecessary, then I'd rather not install it. Simple security reasoning here.
A single page that lists everything would be nice - As would an SBS service pack. It's not too bad on a fresh build - I'll throw everything I can find on the box. The problem is once that box goes into service; Then it's trawl around and make sure other people have had no issues with the patch before applying it.
Yep, Unfortunately, some of us still have to have it. In my case, the cost of upgrading some software and service subscriptions to be fully internet enabled far outweighs the cost of upgrading to SBS2003. Not a happy situation, but I'm definitely not sticking modems in the users' PCs again... sigh...
Being picky, but the title is Inside Network Security (I know Amazon.com list it as above). I say this , because Amazon.co.uk couldn't find it listed as that and they call it Advanced Network Security! http://www.amazon.co.uk/exec/obidos/ASIN/0735620334/qid%3D1089712790/202-9583423-0981403
I'm not sure where Amazon got that screenshot, maybe from an older MS Press pic, but the copy sitting 2 feet from me on my kitchen table says "Assessing Network Security".
I have the book in front of me.. it's clearly "Assessing Network Security"
Great to know about the new Microsoft Blogs home page! Now I get to blog about it and track back. Some how track backs remind me of ping pong.
Susan: What is the IE shortcut toolbar? I looked through a bunch of your previous posts and couldn't find a reference to it.
http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.mspx
I do not find 'NT AUTHORITY\NETWORK SERVICE'. If I type network only 'NETWORK' comes!!! :( Evan
I'm not sure if that comment is true - anymore. I agree that a year and a half/2 years ago most home users had no idea what spyware is and didn't care, but all of the time now I get people walking up to me, calling me, IMing me, asking "what is this evil spyware thing and how can I get it off of my computer?" And these people are far from being, well, technologically advanced ;) (in other words, <cough>AOL)
hai any body can help in adding additional cals in sbs2003 (w2k3). When I am going to licensing it is saying that you have to choose license manager option. But if I am going to the same I am getting same message over there. My email id is sunillakshmikant@yahoo.com
Good idea, but aren't those internal Microsoft links?
Not any more ;-)
Outlook 2000 barfed on that calendar link.
(but thanks)
Did this person post why they only use one nic? I also use hardware firewalls most times, but I do this to offset the load on the server since it is already running exchange, sometimes sql, and fp services. Not to say that ISA is a bad firewall as I have used it on a few SBS installs.
Does ISA 2000 Feature Pack 1 have the blessings from the SBS People at MS? And have you installed on a production machine? Norm
Typically the one nic setup is perceived to be more secure because the "hardware" firewall is perceived to be more safe. I disagree as I would argue that firewall isn't patched as much if it's a hardware firewall. Honestly this bit of "unloading the server" the ISA server can be tweaked to only use 10% of memory anyway. It doesn't overtax the server.
there is now a w2k3 version of this article http://support.microsoft.com/default.aspx?scid=kb;en-us;297684&Product=winsvr2003 or http://tinyurl.com/4qwmc Gordo
Yes you can put the feature pack on SBS2k and 2k3.
"The download you requested is unavailable."
http://www.lookoutsoft.com/Lookout/download.html Well you can also get it there
I just needed to comment on this... If only the rest of the world realized how great "HIGH SECURITY ZONE" really is... In taking my CEH classes a couple of weeks ago, I got the opportunity to play with the tools that a lot of these hijackers are using... Nasty stuff... What boggles my mind is how OPEN things are on any XP box (or any other flavor of windows to say that matter prior to Server 2003) is on default. I'm happy to see that Microsoft is FINALLY taking on a proactive attitude to security issues (as seen through XP SP2). Still, however, they have a long way to go. They need to remember, that 90% of the computer users in this world don't have a clue of what they need to do to protect themselves (and in turn, all of their friends, family, neighbors, co-workers, and strangers). Personally, someone needs to pipe up and remind everyone that it's not YOU that you need to protect, it's the guy in the cubicle next to you! Robert Hantson CTO / Network Operations Director QBOS, Inc.
Here's something for you... What if you bought a 5pack CAL, installed it, and it just "disappears"? Just had that recently happen to me, and you can't "reinstall" the CAL's to the server!
Does your server have 4 gig of RAM? Today a poster asked if we SBSers need to follow this KB or not: 823440 - You Must Use the /3GB Switch When You Install Exchange Server 2003 on a Windows Server 2003-Based...
Susan, You are a wealth of information! I look forward to reading you blog posts daily and appreciate all you have done and are doing for the SBS community. All the best, Bill V SBS Rules!
Susan, Now if only I could get it in the budget... Maybe once SP2 is in the OEM channel. Thanks, BV
proactive is not putting an SBS server live to the web full stop, code red and code blue showed the validity of separate external firewalling. ....Pat I'd be touching wood while posting that.
Susan, Apparently SP1 affects the Trend ScanMail program. There's a post in the newsgroup today, 7/30/04 about it. Any thoughts? Thanks, Bill V
Proactive is patching. Code Red and Nimda proved the value of patching. If we would have patched in time, we would have been just fine.
our clients were all behind nix firewalls, didn't get touched by them :-)
http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe Interesting log parser for Port Reporter log files.
If you had port 80 closed, nix firewalls or windows based firewalls, you wouldn't have been touched with code red/nimda period. If however PORT 80 WAS OPEN.. let me repeat that because it does not matter what firewall you are operating... if the port is open and listening and unpatched ... whether you had a Firewall built on ANY OS it would have gotten nailed with Code Red/Nimda. Don't depend on "a firewall". You have to know what openings you have in the wall to protect your system.
But Susan ..... the fix? Does this install on Windows 95? ;~) OK, ok not funny.
Here is one that doesn't as far as I can tell :-) http://www.pgp.com/products/desktop/pgp8.1.html I can't download pgp?
Put the web site into your trusted site zone and voilà!
Type NETZWERKDIENST
Wot about me :-| http://flaphead.dns2go.com/blog/category/14.aspx
Of course you forgot people! How could you not :) Which reminds me I should probably post a similar post with all the blogs I read that Susan forgot ;~) By the way the reason I mention this is because I can be mixing and mingling within the technical sector in New Hampshire and happen to drop Susan Bradley's name and bingo people are impressed. She really is an incredible resource to an incredible number of people. Thanks Susan for being one of the two people I struggle to keep up with although the people who struggle to keep up with me can't imagine that such a person can exist.
You posted "Wot about me :-| http://flaphead.dns2go.com/blog/category/14.aspx" You are in the list above ;) look again or perhaps Susan did an edit while we were not looking.
I did an edit :-)
News to know if you are installing Exchange 2003!!! 823166 - Overview of Exchange Server 2003 and antivirus software: http://support.microsoft.com/default.aspx?scid=KB;EN-US;823166 Okay do those 822158 - Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain...
I installed the patch. SBS is still sending out NDRs for addresses that it shouldn't. What should I do?
So if my SBS2003 server has more than 2GB of RAM should I install this change?
I would. Some folks have said they have and they haven't and seen no difference....
Billy Ray Cyrus
That's the guy's name! Thanks! :-)
Hi Susan, Any chance of locating a Whitepaper on SBS 2003 Group Policy? The whitepaper on Windows 2003 Group Policy doesn't really get into the "How to's" that much. Just discusses the design of GP. Thanks, Bill V billv@raylon.com
Hi Susan: I agree with you wholeheartedly about not surfing on a server machine, but ... I use Win2003 on my development machine because it puts me in the same environment that my code executes in, and I also become familiar with where all the widgets and thingies are in case I need to go to a client site and fix a problem. So I do some surfing from a 'server' machine. In any case, if a vulnerability exists on a server machine, even in an area where a user should DDT, it still sounds critical to me. After all, one mistake can bring down production.
Oh don't get me wrong... I'll patch.. but this analysis affects the "timing" of my patching that's all.
If that is the case how come MS state this on the SBS pages at http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx "There can be only one Windows Small Business Server 2003 server in a domain. Each Windows Small Business Server 2003 server is typically connected to the Internet either directly, or via a firewall. Windows Small Business Server 2003 does not support trusts between domains; therefore, user names and resources could not be shared between those Windows Small Business Server 2003 servers. Further, Windows Small Business Server 2003 installs at the root of the Active Directory forest, and it cannot be demoted, or have the flexible single-master operation (FSMO) roles removed." With this in mind, Nick is correct and this is the single greatest weakness of an otherwise great product.
The second server has to be a Win2k3. Simple as that, no other "SBS" box. It can always have a backup domain controller, it just can't do trusts with a second [or other domains]. We do have to have all the FSMO roles. You see it as a weakness, I see it as not being an issue. A properly built server/system doesn't have issues with this setup.
Hi Susan, I see it as a weakness in that, if a company has a lot of small offices with less than 6 people per office, it means that SBS can only be installed in one office and a VPN needs to be used for all other remote office users. This is a problem with international offices where the lines can be slow. It would have been better if many multiple SBS servers could be installed as long as there was a Win2k3 server amongst them. This would enable SBS to be used more effectively -- all on the same domain -- to the maximum of 75 users in that domain. Barry
You have a backup domain controller in those remote sites. SBS2k3 is still needing to be the main one, but you can do other servers as local domain controllers.
Hi Susan, Yes but not additional SBS servers. Any attempt to "join" multiple SBS into a single domain is not supported. So for "small" offices, it is not cost effective unless you have ONLY one office. So, if you want to install the very same functionality for office #2 (4 people) we would need to purchase: win2k3 server Exchange 2k3 server Sharepoint portal server SQL server CRM server (again) additional CAL's as the ones on the original SBS box cannot be used. Hmm. SBS == Single Office Server Barry
No, Single domain controller in the second office and then you hook back into the main SBS for your Exchange.
This is happening to me with SBS2003 and the Trend CSM SMB Suite. I have had a case open with Trend for a month now. I checked and changed the key. Hopefully that fixes it.
Hmmm. that did not happen to me at home. What case number do you have?
Or..... You can have totally independent SBS Sites, and use RWW to "chat" amongst the sites. However, I would normally have a second DC and use OWA for the remote users email. In this config, you can also have three or four sites, each with their own email domain that can talk to each other. We have one site that uses sub domains for each site. Granted, this is not ideal, but this is SBS.... not the enterprise products.
Hi Susan, So in other words SBS is Small company, one office. Case closed. Thanks for the input. Barry
No. Small Company, multiple offices. You aren't seeing the opportunities. SBS is the main server in the head office, backup DCs in the branches. They look back to the SBS for the Exchange. We do in SBS land.
Susan, Have you figured out how to get this working? Nick.
In reference to the tweaks: PopupMgr is a REG_SZ with the values "yes" and "no".
ISA Server 2004 Standard Edition (which would be the candidate for SBS) has already RTM'd (mid-July IIRC) and is available on MSDN Downloads and the volume licensing sites. Enterprise Edition will be coming later in the year.
In SBSland since we don't have the SBSwizard I don't consider it "RTM'd" for us ;-)
Hey - how can you complain about the luggage being EARLY. I once had my luggage trail me before some work in Dothan, Alabama.... Ever try to find anything approaching fashionable for a big guy in the "other LA" (e.g. Lower Alabama)? Not happening! I think I did that audit in a golf shirt and a pair of wrinkled chinos. We have Wifi now at the Krystal near UT (that's the University of Tennessee, for you Texans). If we have Wifi on Rocky Top, LAX should as well. Get with the program, guys! BTW, last time I was at LAX, my friend and I couldn't get a drink at the airport bar to save our lives - and after a week in Yuma, our lives depended on it - so it's not like LAX has ever been very useful to me in the first place.......
Oh please. The issue isn't the "difficulty" of SP2, it's the INCOMPATIBILITY. The redesign of the DCOM subsystems and the security "enhancements" are going to break a LARGE amount of applications out there. I'll concede that the developers of such applications should not have designed their software around the base security settings of windows, however the ROOT of this problem is Microsoft's deployment of insecure operating systems. Now that they've released SP2, it is going to cause more headaches than the miscellaneous spyware bugs that our users have to deal with. If you've deployed your network properly, you should also be able to minimize the threat presented by viruses. I'm not discounting the danger of various internet threats out there, but it's one thing to have to deal with "My Web Search" bars installing themselves, and pop-up windows irritating end users. It's another issue when an AUTOMATIC UPDATE FROM MICROSOFT breaks your business' system critical applications. MS has delayed the deployment of this SP for months due to incompatibility issues, hell, it even causes problems with SBS 2003, and SMS!!! It breaks their OWN software. In my opinion, these fixes absolutely need to be implemented, but there has to be a better way than to force so many of the various ISVs to scramble to react to an update that MS is going to push out to the users. I am in the service business so don't get me wrong, I appreciate the fact that MS is going to pump up my monthly revenue. Looking at it from a business owner standpoint however, if an automatic update brings my company down... someone's head will roll. Regards, theGeek
No application I am using has broken under SP2.
Don't get me wrong folks - there's no QUESTION I want to BE at SMB nation. It's only a matter of can I AFFORD to get to SMB Nation. However, after reading the conference schedule - can I afford NOT to be at SMB Nation???? Gav
Oh one more thing.. as a tax advisor you obviously know this is a business expense and if you are self employed in the US the true cost is only 50 cents on dollar [after the tax effect] But I understand hesitation, but seriously, consider bunking up. It's way more fun anyway!
Barry, just read your comment. SBS IS small company, but NOT one office. You can happily have SBS Sites all talking to each other, just not the same way as the full enterprise products (trusts). You can either do what Susan suggests, or you can do what I suggest further up the post. Point in fact, I have one company here in Ireland that has 5 SBS Sites. They all have independent domains, and all work together using the SPS Services, OWA, OMA, Exchange etc. Not one complaint yet. Each site is setup well, with SUS, Central AV. The company's IT person can connect to any machine on the networks, files are shared, email is sent. Why would a small company want anything more? I do grant you all one thing. I would like to see the allowance to have SQL / ISA / Exchange on separate boxes. Even these small businesses are managing to hammer the bejesus out of the servers. Cheers, Nick.
This is helpful information for NetAdmins who want to turn off the beep on all domain controlled machines. So far I don't see gpo options that will make this change for me so I'll have to distribute reg updates.
Would love to go, but I'm installing a new Shipping System that Monday. Would be great if Microsoft could take this kind of meeting on the road. Reading, PA would be great. BV
There does seem to be a problem with XPSP2 and the WINPcap drivers. Check out the Pen-test mailing list @ securityfocus.
SP2 killed our phone system (http://www.artisoft.com/smalloffice.html) voicemail clients died after I loaded SP2 up and tried it on a test machine in our office. After typing, Televantage SP2, into Google I found: http://www.teamits.com/start/winxpsp2.php It says they'll be coming out with a fix. However, until then this is a big reason not to upgrade around here. Everyone uses the voicemail client many times a day. -Jeremy
Fair enough, And there you go, real facts not FUD. Anytime I hear a vendor say "we need to test it", I think, no "I" need to test it.
Hi Bitz, I'm afraid that donnez moi une coupure doesn't mean anything in French. In that case, I think that "Foutez moi la paix" will be more appropriate :) Cheers
MBSA 1.2.1 ??
<soapbox> Actually, most of the information that Microsoft sends us through Windows Update seems like FUD to me. The same goes for the security bulletins that get sent out. Lately, I have found myself thinking, "sheesh! they sent me two screens of stuff and the only thing in there that was of any use at all was the hyperlink to the KB". Someone at MS has really lost the plot on these security bulletins. Why can't MS just tell us what the patches are supposed to fix, right there in Windows Update? Sorry, but "Trust us. This patch fixes a problem" doesn't do it for me. I think this is insulting the intelligence of the average user. Let me give a specific example: Take the recent bulletin for MS04-020. There are exactly two lines of useful information: "This bulletin has undergone a revision increment" and a hyperlink to the bulletin. There are 110 lines of PGP signature, summary, technical support information, Additional resources (all of which are presumably available on the web page). That is a signal to noise ratio of about 1%. What is not there is the information I really need to see, namely the details of what the bulletin was originally supposed to fix, what systems are vulnerable and so on. </soapbox> --Tim Long
Did you try to disable the network adapter and re-enable it. I have sometimes found that happens with either wireless or wired, when resuming from standby. The adapter sometimes does not fully "wake up". It does not happen often, but often enough. It happens on my Thinkpad, my Toshiba Tablet, and my wife's Dell Inspiron. And it has happened with XP sp1. I was hoping that SP2 would fix it, but it has happened since applying SP2.
Tip doesn't work, when I want to start a backup sbs 2003 crashes.
Hey Susan, Thanks for all the communication today. I apologize for not getting back to you sooner, but I have been swamped checking out a lot of email on the subject from others, including yourself. Instead of responding to everyone individually... I have constructed a post on my blog to explain what is going on. You can read it at: http://silverstr.ufies.org/blog/archives/000674.html Thank you again for the information, and the kind words about the blog. I do hope you will continue to enjoy and find use of it.
Great! I feel the same way when there isn't an ISA firewall protecting the network. I had a conversation with an enterprise admin for a fairly large satellite communications company last week and he said he had reservations putting a "software firewall" at the edge of the network. I said that sounds good and that we'll work well together, because I would never even plug my laptop into a network that had only a packet filter like PIX "protecting" it! We had a good laugh and he realized that he had swallowed the "hardware" firewall pill. If you think there is still some "hardware firewall" marketing poisoning in your system, then check out: http://isaserver.org/articles/2004tales.html I also agree with ISA not require touching. On one of the gateways in our office (won't tell you how many we have :-) There is an ISA firewall that was set up in January 2001. It has been restarted a couple of times for reasons I don't recall, but running uptime.exe shows: \\exetert2 has been up for: 177 day(s), 16 hour(s), 1 minute(s), 44 second(s) (and don't give me any bunk about hotfixes, I'll get around to installing them when I have time ;-) Finally, the Windows Firewall see ICF, is a HOST BASED firewall -- the ISA firewall is designed to be a NETWORK firewall. Host based firewalls and network firewalls are two completely different animals which serves some common, but mostly different purposes. OK, that's enough writing for free today :-)) Thanks! Tom
Tried the fix for 842693 and still have a site where I get Service Unavailable with the Backup, Reports and Monitoring and the companyweb. This one has been one that has been a fun one to fix........NOT
Ahh..... It all becomes clear now I didn't realize all the wizard actions were logged :) If that's the case then using them is kind of a no brainer - no point doing extra work when you don't have to right? ;) In my defense, I don't go the long way because I think I know better. I actually do know all the steps and like to verify them as I go along but if the wizard logs everything it does, I just save myself a heap of work.. Shame they don't come with WS 2003 Enterprise Edition :(
They will be :-) Windows 2003 sp1 ..those security role wizards? Whom do you think they got THAT idea from :-) And for anyone looking at the wizard log files if you see it stamp something as an "error" it may not mean that, it's just indicating that it found what it needed and went on.
We've seen lots of these notifications during a clean install (swing migration) and have had to answer 'Yes' to continue after each. Is this a result of the particular media being used? We have not experienced this in the past. It is present when using CD1 and CD2. The source of this media was MS from the Sweet Success Program (for retail SBS2K3 Premium). Checking other servers using SBS2K, SBS2K3 clean install and SBS2K3 inplace upgrade show the value as 00 as noted above. Thanks for posting this. It is somewhat comforting to see we are not the only ones to come across this oddity.
Dang! I didn't even think to pull out all the Geek toys! But then this is my first year and as such I am a bit of a newbie.. At least I have a heads up to have a bunch of "cool" stuff to share.
My Thoughts... I was going to purchase SBS 2003 for a client, but due to the removal of TS Application mode I won't. They were going to be using it as the main (only) server, the included 5 CAL's is enough, they have three employees in total ! It was going to replace Windows 2000 Server but using the same hardware. They currently use TS on the 2000 Server and it IS secure as it's used by one user to access an accounting application from home in the evenings over a 3DES IPSec VPN. That user cannot surf the net through the Terminal Session, and to be honest would not want to when already connected to the net via broadband from home. No way will they want to lay out for another server just so one user can use the application from home, in the evening, when no-one else is using the server. And who can blame them, they are a SMALL business, isn't this who SBS is supposed to be aimed at ?
I wonder how the user accounts are implemented on this site? I would love to be able to publish a sharepoint site that users can 'self register' on, and have them able to create alerts and all, but without having to create domain accounts for them.
Can the type font for this be made bigger? The feedback can hardly be read without changing the IE text size default.
It's the style sheet, I'm not sure I have that much control.
"... Disable CRL Checking on your IIS 5.0 Server..." hoops ..... Is it a joke ? In fact, there are really critical side effects (on IIS and client certificate management) after the installation of ms04-011 on W2000 SP3. - CTL failures - CRL failures - CRL cache management trouble - CRL management with LocalMachine\CA store (need IIS restart) - Winhttp proxy settings configuration (it seems there is an interaction with Wininet settings) Xavier.
Xavier ... I have 04-011 on a Windows 2000 sp4 machine and have no issues. Get fully patched. If you are experiencing problems with a security bulletin, call Microsoft PSS it will be a free call. GET PATCHED. GET PROTECTED.
You know that happened to my server two weeks ago when I was away on an install, AND to one of my clients last week!!!! It's a freaking epidemic! By the way - that alarm is a GREAT way to scare the crap out of your technician when you know he's bending over the back of the server to plug in a USB cable Gavin - Blog: http://interprom.blogspot.com/atom.xml
Susan, you're right, using CTL and CRL with IIS is "OK again" with SP4. I am just a bit "perplexed" when I read this kind of solution (disable CRL Checking) and when a security patch has so many side effects on key security features. Thanks.
good shit
This will not let me disable the Windows Firewall. I do this and it is still greyed out under the control panel option. It also asks me to save a file. Does it matter where this goes?
It's not supposed to let you disable the firewall. This allows you to group policy it. If you want to disable it, http://msmvps.com/kwsupport/archive/2004/08/27/12477.aspx follow that. This file noted above needs to be applied on the SERVER.
OK. This may seem like a silly question. But how come you can disable the firewall on a standalone system, but not one that is on a domain? I was assuming there was a way to handle this from the server.
You can ... via group policy. Apply that xp2 policy patch AND the group policy editing patch and then edit the domain policy on the server. When the machine comes "off" the LAN they are using their own policy, when they go "on" the lan they are on the domain policy.
My server must be controlling this. I ran that reg hack that you linked to and everything remains the same. What are the patches I need for the server?
You've rebooted? This is the other hotfix you need. 842933 - "The following entry in the [strings] section is too long and has been truncated" error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000: http://support.microsoft.com/?kbid=842933
That's what I thought you meant. I downloaded it and applied it to the server. Then I ran mmc from the server, made the changes outlined. Rebooted the server and the workstation. I still get the same thing. This is strange.
I just noticed the settings in my workstation's registry have changed back to "1" in both the "EnableFirewall" areas. So it does appear the server is controlling this.
Hi Susan, After following very similar instructions which I think were re-posted on a NG, I now only have one Server Certificate (publishing.fqdn.local). I've tried re-running the IECW again and again and all I can see is the single cert. Could the publishing rules be causing this to happen? How can I re-create the certificate outside the IECW?
Sorry, forgot to say thanks. P.
I would love to view the webcast but viewing them live is not always an option. I've seen some webcasts that are downloadable. Are the webcast all downloadable for offline viewing? Do you have a link for archived webcasts? Thanks, BillV
All webcasts are available for viewing on demand http://www.microsoft.com/seminar/events/webcasts/ondemand.mspx
Susan, Thanks for the link. I've been there before. Seems like a lot to go through just to view a previously taped webcast with the registration and all. Also, needs to be viewed online. Prefer to download and watch offline. A good enhancement for the SBS'rs out there would be to add a webcast option to the http://www.microsoft.com/windowsserver2003/sbs/default.mspx page. This way all SBS specific webcasts could be easily viewable. The on-demand page lists all webcasts. A bit cumbersome. Just my 2 cents... Thanks, Bill V
Here are some screenshots I took, showing the firewall settings being disabled in the GPO. There is also a screenshot of the firewall settings (in the control panel) still having the disable option greyed out. http://www.alltech-computers.net/screenshots/Image1.jpg http://www.alltech-computers.net/screenshots/Image2.jpg http://www.alltech-computers.net/screenshots/Image3.jpg
Finally! Here is the fix: http://support.microsoft.com/default.aspx?kbid=872769 Download the file and apply it to the SBS 2003 Server. You do not need to reboot the Server. When I ran "gpupdate /force" from the command prompt on the workstation, the changes still had not taken effect. After I rebooted, Windows said that my firewall was turned off, I just went into the settings and said I had a firewall and would monitor it myself. You will also need to follow the instructions by Susan at the top of this article. I did this first. That's it. I hope this helps others out there that may be experiencing the same problem.
That's our SBS enabled file that would come down via Windows update anyway. Sorry I assumed you already had installed that. That's part one, now go get the group policy hotfix as well.
I'm not sure if I ticked you off, or if you're happy I am pushing SBS to its "default configuration" limits :) Thanks for all the information. It's been quite enlightening. As you know... I figured how to get around the issue by using a virtual adapter via a loop back interface. The box is locked down tight, and I will now slowly release the constriction to get a security best-practices system in place limiting packet traversal through ISA. Actually, I have found a couple of interesting ways to use ISA for pre authorization to provide another level of protection for OWA on a SBS box. As I work all this out I will document it on my blog so other SBSers can take advantage of my experiences. Susan, you are a SBSer with passion. Never let that stop.
Nah... you keep pushing. I'll keep reading your blog [as I hope others do too]. My philosophy is that it's not the OS that makes you secure, it's the person driving the box. Stick that SBS box in 5th gear Dude! :-)
It all seems to be working now. For some reason, I had to hack the registry also. I just wanted the stinking Windows Firewall off. And now it is, so I'm happy. I don't know if GPO is working properly or not. At this point it works, so I'm letting it be.
I agree surfing your dc as a wkstn is a bad idea however for the smaller businesses SBS is a very attractive option. Using Terminal services on your DC isn't supported by microsoft for SBS and they also recommend that you have a separate licensing server. I personally think that you can secure the DC a little better for the SBS users over TS by the way of group policies, I myself have done this to great success. The only thing that still stands is the simple fact of Flakey programs constantly crashing! Rebooting a server is a pain in the arse and annoys the best of people but I think you have to make a decision over cost vs the impact on the business! For a 10 User SBS setup I see no major problems as rebooting the server won't have too much of an impact. But let's face it MS is crap! It's very easy to use but very easily goes wrong! and is also very costly!
MS is crap? Very easily goes wrong? We are talking about Windows 2003 and XP right? I have more hardware issues than I do software. And you yourself have pointed out it's the stupid APPLICATIONS that are the issues here. Very costly? Have you tried firmwide patching of Linux with a free patching tool? Guess what there is no SUS for Linux. http://www.forbes.com/2004/08/31/cz_dl_0831msft.html “For years customers griped that Microsoft was gouging them. Now, thanks to IBM, Novell, and Red Hat, customers are learning what it is that Microsoft charges them for--upgrades, patches, research and development, indemnification, integration of disparate programs. Some, like the folks in Newham, are discovering that Microsoft isn't ripping them off at all.”
I would add that with product activation of XP/server03 we also can't use RIS.
Email them! :-)
I did email them along with a link to your blog. :-) I would include older versions of the software as well, ie. sbs2K so we can practice migration etc. Most would be glad to pay for the media. I use MSDN for this now but the MAPS could really make it more affordable. Actually another point is MSDN is geared to the development community. What about the network consultant? XP on MSDN is tagged with Activation also. :-( One last complaint why doesn't M$ promote how cheap their Charity open lic is? I mean with a 501.3c office for $80 and xp of $60 ish. what church wouldn't be using M$. I have seen many 501's purchase office via company card @ office depot for $500. WOW they could setup six desktops for that. Love the Blog
Exactly what experience does this journalist have with SBS...Google could have saved him a lot of embarrassment in the sbs community. I get so frustrated with those that don't realize SBS is much more than WS03 with Exch03 etc. keep up the good work.
Have done what Dana was attempting but did not see the point in worrying about whether the server had to have another NIC or not to get the Wizards working properly, at $20 for a sacrificial internal NIC it's not worth my time to play with workarounds and loopbacks. I used the server for remote access users only as there aren't any internal users for this company. I am revisiting this, as an interesting point SBS 2003 licensing would indicate that I can create a Web Server with unlimited external access, just wondering if that extends to the use of the SQL server as well for data storage for the Web sites.
The EULA won't let us host web sites for clients [as in an ISP].
But what if I was setting up a store front for my business the cost of using IIS/SQL standalone is quite a bit more expensive than say a sbs server in my dmz hosting my eBusiness.
But you can't sell websites to customers like an ISP. Think of webhostforlife.com which is where this blog is at. They couldn't run SBS 2003 as their platform. You can't host "web sites for others" but you CAN for yourself.
Another "smarty", the journalist, who doesn't need to read the documentation. Thanks to the MS SBS2003 team for an excellent product, time saving wizards and comprehensive documentation. Thanks to the SBS2003 community for ongoing support. Keep up the good work.
GPO adjustment worked fine if you follow Susan's great instructions. OB1FoShoB's screenshots should give newer players a hint of where to look in the GPO.
And I am just bringing my office.. My handy laptop that goes with me everywhere and that has a keyboard that allows me to type faster than I think. Of course I have added new software to it in the last few days. Tools that help me get the job I need done, done.
The only? I bet if you dug into Intuit you would find a few more.
Well per news articles last year he was the only one ;-)
Hi all - just a comment from the user side. My brother was sold SBS 2003 as part of a package to run 5 TS sessions servicing an MYOB enterprise package. No one from MYOB to the vendor who sold him SBS2k3 licenses mentioned that you needed a second SBS license to run TS. After many attempts to make things work we discovered SBS2k3 was limited to 2 "remote administration" sessions. So 5 TS CALs were purchased and installed on the server - still no joy! I'd just like to thank you for your discussion here - without which we would never have discovered where things were going wrong. Microsoft haven't made it clear anywhere I looked that you can't do it without a second SBS2k3 server, and the vendor who cheerfully sold him the initial licence then the additional TS CALs didn't seem to know either - MYOB certainly didn't mention it when they were pushing their product. SBS 2k3 even misleads you by saying that all you have to do to activate app mode is go to windows setup - doesn't say you can't do it on a DC. Neither was there any indication that additional separate licenses were needed for TS when he purchased 2k3. Can a SBS2k3 server be set up as a stand alone server and then have TS run on it without setting up another server? Or is membership in a domain a necessity for 2k3 server and/or TS for authentication? Thanks for any info.
Ping me at sbradcpa-at-pacbell.net with the vendor name and contact info. We need to get this to the source of the mis-information out there. No SBS cannot be set up as a standalone. It can't be set up at any time with TS in application mode. When you say that "SBS misleads you" are you talking about the help menu inside? SBS has to be a domain controller. SBS cannot do TS in application mode. Your vendor was totally wrong.
One more thing to think about --- If the server is "beefy" enough you can always consider Virtual server to run that "normal" Windows 2003 server.
Great article! But in reference to point 9, which section of the EULA covers this? I had a quick look through but unless it's buried deep in legal-speak, I can't find it. :)
In addition to #4 I try and use the second drives of various workstations as storage pods for sbs onsite backups. I have even gone as far as installing vlans and second nics on the workstations so I can backup on the "backup/restore" lan. Remember you should also leave the 2nd drive invisible to the workstation of regular joe users. Once backup is completed I have a quick copy of the data on a workstation. This also means that the local in house it guy (not joe user) doesn't have to plug his usb/firewire harddrive into sbs to get the offsite storage for the week he can use the workstation and never have to unlock the closet to the sbs box. Thanks for all the great postings.
another great way for the user questions of "how do i send from a different company name." You simple set up the pop accounts to store email inside of exchange thru want i cal reverse stuff. Then when sending you choose to send via the appropriate smtp server..ie the one associated with the 2nd company. How many people that want to do this aren't using public hosting of www and I guarantee all have access to smtp/pop3 mail on the public hosting of www.
a few corrections: ",,exchange thru what I call reverse stuff." Ooops what version is offerring spell check?
I adjusted the EULA section so it's more obvious the wording about the "no hosting like an ISP"
5. You can't reasonably backup ANY server to a dvd drive. ? Are you sure? I was under the impression that you COULD backup to a DVD drive if you always formatted the DVDs first and you configured the backup routine (manually configured) to back up to said drive. By the way this is an example of a great Blog post! I definitely need to do more of those. Anne http://thenorwichgroup.blogs.com
But I have more gunk than will fit on a DVD drive. Now while i might be up at 2 am in the morning, I'm not at my office and don't want to change the dvd media. :-) Bottom line... a "normal" working server won't fit their data on a dvd drive. Get a usb harddrive enclosure and throw in a leftover hard drive.
Dear Mr. Schnell, As has most eloquently been pointed out by Susan Bradley, you are definitely ignoring a large part of the market. Sure the single invoices may not be as big, but I think you would be pleasantly surprised by the volume of smaller invoices. Please reconsider your current position. Regards Gordon Ryan Australian based small business consultant
Amen ! Benjain Mateos. Exchange consultant based in Spain.
I try to be open minded and entertain arguments against MS products - after all, if there is a better alternative, I want to know about it. It's just that I haven't found a better alternative to SBS yet - and Mr. M. Park Hunter doesn't provide any substance to this argument. I think the one thing that is apparent is that he is much more familiar with the alternatives he touts than he is with SBS and MS server products in general. This is where I fell off my chair: "Most people wouldn't think of Microsoft as a firewall vendor, but that's exactly what the ISA component of SBS promises. If you're looking for an alternative, consider a firewall appliance. Even inexpensive home-office firewalls intended for cable or DSL can be plugged into a router and T-1, delivering robust firewall services plus surprising bonuses such as VPN and demilitarized zones. I have used Netgear's products in libraries and small manufacturing plants with good results." Dude - get a clue! I mean really - ISA is in a completely different league than those products - not to mention ISA doesn't require CALs (like most decent hardware firewalls do). That's so outrageously absurd that I'm just shaking my head in disbelief . . . And what about that picture? That's not over-done is it? That angle, with what I'm assuming is supposed to be a 'thoughtful look to the future' with the blue sky background? Judas . . . I'd still like to see a TCO comparison of an SBS2k3 Premium network complete with 10 XP Pro desktops (completely locked down)+ Office 2k3 + Shavlik's HfNetChk Pro versus his 'alternative' that provides file sharing, email (including group collaboration, web access, mobile access, intranet integration), database server, firewall (with policies based on user / group membership), an intranet that can be completely administered and developed by the end users, and a patch management solution . . . :^)
Here's where I fell _my_ chair: "I've been around OS X and sorry ... it's not as easy as everyone says it is." Fundamentally it's unix. It's the dream OS for the vast majority of the geeks out there. Lots of great unix stuff is being ported to OSX. Without a doubt, it's the most beautiful implementation of unix on the market. You claim that it's form over substance, but it's got both. If you can't figure it out...... well, 'nuff said.
It doesn't run the programs for my industry. It doesn't have a SUS/Shavlik patch tool well 'nuff said.
Here's where I fell_my_chair: I used to know the link to where ISA 2000 had been certified as blah (some level of security) for implementation in the US government. Anyone familiar? And i am sure those SOHO firewalls easier to configure? or easier to get a grasp of how they work? :-)
>It doesn't run the programs for my industry. >It doesn't have a SUS/Shavlik patch tool My condolences. The original article did address those sorts of concerns - very tactfully, I thought. Some applications do require Microsoft. But for those small offices that don't need those applications, there are simple solutions which are not being attacked by every hacker on the planet. I love Microsoft. If it weren't for them, I wouldn't have anything to do all day. I'd just sit around and chat with happy Mac users. <grin>
On Item #1... don't mean to be picky, but I have used Popbeamer for over 4 years on around 10 or so installs. I can adjust the download time to 1 minute if I want. I generally leave at 5 minutes. I have never had an issue of malformed email with this setup. Popbeamer creates a lock file, so it can tell when it is downloading from the previous session. Popbeamer has worked flawlessly for me without a complaint. Can't say that about pop3connector, especially on a dialup connection. I love SBS but pop3 connector has always been a thorn in my side. Also I love your list and am keeping it by my side when visiting customers. Thanks for the good info.
In my world I don't know of small offices that work without Windows. For one, tech support on MAC in my city is practically non-existent and networking help is pretty low too. Plus, given the number of MAC users to Windows users ratio, there's not very many of them to talk to. As far as "non existent vulnerabilities" another non existent one came into my emailbox today: SecurityTracker.com Archives - Mac OS X CoreFoundation Buffer Overflow and Library Loading Bugs Let Local Users Gain Elevated Privileges: http://www.securitytracker.com/alerts/2004/Sep/1011174.html My point is, show me a CPA firm and we can't run Linux or MAC nor Unix. And as I stated earlier migration from "X" to "Y" isn't easy period. We have Excel macros and customized toolbars that we'd lose in the migration.
There seems to be a lot of muck throwing and FUD in this article. Surely a product should be judged on its merits and SBS 2003 is very good product. One of the great things about it is the fact if you just set it up as per wizards etc it's so easy to look after, wizards do it all for you. But if you want to do some really wizbang things you basically have the full products to play with with a few options disabled. From what I can see from the article the author is talking about a solution that has a number of products from different suppliers. This I see as a weakness for support and ease of integration. Though I would like the ability to have ISA installed on a separate server in an SBS environment without having to purchase an ISA licence. In regards to systems crashing, I actually don't remember the last time my Win XP laptop crashed and it's used probably 10 hours a day 7 days a week, maybe I am lucky. I don't believe I would want the author looking after my systems as if he doesn't go near his customers for months how does he know if the systems are patched correctly and may I add it's not good business. I always check my customers systems at least every week, checking logs and ensuring everything is working correctly but then I can do this remotely and SBS sends me emails daily with system info. I also like to pop in on my clients and see how they are going, it's amazing the amount of business this can create. Maybe I provide too good a service to my clients. Anyway back to the point in hand I would also like to see an alternative product to SBS mainly as a way to keep MS honest, competition is a great thing. Just presently for ease of use and power at the price there doesn't seem to be a player with a competing product. The comments about patches make me laugh, I keep forgetting that there are only security issues and fixes required for MS software, everyone else writes perfect code.... :-)
right...!
Have enjoyed reading your heated debate. Can any of you tell me where I can get detailed information on how to set up a PDC with a BDC using w2k3? I would be much obliged. Gregor
I like this comment from Andy... "The comments about patches make me laugh, I keep forgetting that there are only security issues and fixes required for MS software, everyone else writes perfect code.... :-)" I have been around long enough to know that it doesn't matter what O/S you prefer to use it is the applications that are the key for most SMBs. The bottom line for me is that my clients need the applications that work for their businesses, and they have little concern over the infrastructure needed to support it. The vast majority of my clients use applications that MUST run on a Microsoft O/S so I use Microsoft products. The SBS solution is great for the majority of my clients - it is stable, secure and manageable - as long as it is maintained and administered correctly. The fact that I can offer my SMB clients a cost effective, scalable, secure and accessible environment that can be administered remotely is a huge positive. Sure there are alternatives to SBS out there but the reality is that very few, if any, of my clients could use them. The apps determine the O/S. Just my thoughts, SteveT
lol. If you call that a party then I had a block party...one of the support techs wanted a credit card number for a hotfix and I was like, wha???? I believe it was for that exact same KB# too.
Many (most) of us are 1 man shops.
Well, unfortunately I have had to halt my deployment of SBS 2003 for a while. I really don't WANT to, but I seem to have pushed SBS to its limit in regards to my particular needs. To be honest, the limitation isn't actually in SBS, but in ISA 2000. Let me give you some background so you can see what I have come up against. As you may have previously read, I have a need for a SBS 2003 machine that is hosting Outlook Web Access (OWA) and Outlook Mobile Access (OMA) for external parties, clients and virtual employees around the Net. The idea is that I can create a virtual office in our DMZ without having to expose critical business resources not needed by these users to the outside. SBS 2003 looked like a perfect solution, and I went hunting. To reduce the attack surface of the machine while ensuring strong audit trails, I require that ALL connections coming into these services (actually ALL services except incoming SMTP) be authenticated to Active Directory. My goal is to eliminate the potential compromise of unknown threats that may be exposed from vulnerable code or services that may exist along the code execution path between the OWA front end with IIS to the Exchange backend. It also reduces the risks of poorly configured or unknown services that may be running when they shouldn't be. Since the circle of trust for this group of users is quite small, I have a relative level of assurance that I can mitigate most risks by simply removing the ability to connect to the server anonymously and do bad things that they shouldn't. By removing the ability for an adversary to even throw a connection request to the IIS box without authenticating, I get that assurance level. Anyways, I have had the opportunity to discuss with Microsoft my needs, my concerns, and my deployment requirements. What I found out was that there is a design limitation in ISA 2000 that prevents this from working correctly.
*sigh* I am told that the ISA dev team is already aware of this and they made big changes in ISA 2004 to address this. This enhances the security for remote access to OWA by preventing unauthenticated users from contacting the OWA server at all. Knowledgebase article 838704 discusses how this now works in ISA 2004. So, looks like I am out of luck until ISA 2004 is freely available to work properly with SBS 2003. The GREAT news is that as Susan has reported from her findings at SMB Nation, ISA 2004 will be available FOR FREE with SBS 2003 SP1, and will include new wizards to support it. Only issue is that the roadmap has the availability of SP1 in the beginning of next year. So what do I do now? Well, knowing Microsoft's normal roadmap delays, I simply cannot wait until then for this project. Chances are that's a year away. (Go ahead and debate the roadmap all you like... I am STILL waiting for W2K SP5 that was supposed to be delivered at the beginning of the year, which includes the new filter manager code) As such, I am going to look at the impact of manually rolling ISA 2004 onto SBS 2003. This has the potential of breaking some security policies on SBS, so I will need some time to reflect on the impact of this. I notice all the SBS sites warn that running ISA 2004 on SBS is "unsupported", but no one says it can't be done. Guess we will see what happens....
If you are looking for a fully secure connection to RWW, including a secure connection using the RDP protocol at the application layer, better than the network layer VPN, look at RemoteWorkplace. Much better and more secure.
Under Windows Server 2003 the NETWORK SERVICE user is under the IIS Worker Process Group (IIS_WPG), if IIS_WPG has the above permissions you need to look elsewhere for resolution, much like I'm having to now >:-(
I agree 100% about the "Stupid" 98's, unfortunately I'm currently one of the companies with such a network. Hopefully not much longer. It's all about the money in a small biz. I have 38 PC's on my internal network and another 11 on a VPN/PRN at remote store locations. All are Win 9X. Here's a question that I've been trying to find a solution for. My users are ALL at best novices. The only thing they need is Email (outlook), MS Office, an Internet connection, and access to our internal Inventory Management software. My store locations ONLY need access to the Inv Mgmt software. They are basically POS stations. The stores and 8 of the users on my internal network are NOT on the SBS network. They connect via an IP address on the VPN. It would be great to limit Windows to only provide the software that is necessary to the end users. Possibly this could be achieved via a GPO (that's why I've been searching for an SBS specific doc on GPO's). I know Citrix can "publish" apps like this but that is way overkill for our business. Do you know if there are other ways to achieve a limited use structure with Windows? I'll bet there are other SMB's like me with users that only need to do simple basic work but don't need all the bells and whistles that Windows provides. Limiting users interaction with Windows to me is a huge concern. The less they see the less likely they are to mess something up. This would definitely help out the help desks of a 1 person IT admin dept like mine.
who may give exploit, please send it to supdialer@hotmail.com
You want an exploit? Gimme a break dude. How about you go to college and learn how to do secure programming rather than looking for exploits... geeze.
There are an increasing number of social scientists engaged in technology related research. Anthropologists and social psychologists are the most numerous but a few sociologists are cropping up in places like Intel.
well, the popup blocker stays if you uninstall sp2. the only way to disable it in ie is this way.
You go, girlfriend! Mark Bradley Based in Schaumburg, IL - USA
I can second that! I'm an e-author too! Book Two is on its way.
SBS ROCKS because of Grey. SBS ROCKS, PSS ROCKS, Development ROCKS, heck, even the newsgroup engineers in another country ROCK - all because of Grey's wisdom and leadership at the head of this family. Grey's contributions to the SBS community will always lead us to work as SBSers - together and helping each other. Thanks Grey.
Wait I just had a chance to meet Grey! You younger MVPs better live up to his standards!
We downloaded your first chapter. Great Job. Also thanks for your seminar at SMB Nation, as well as being so cordial to all us mvp want-to-be's.
Everyone who supports the SBS way is a MVP in my book.
Well Susan...now I have mascara running down my face too. Unfortunately I can't get up and go to the ladies room because some not so bright customer is blathering in my ear. Luckily I too learned southern graciousness from Grey and I will kindly let him blather and I will be nice and fix his problem. Grey has truly been a part of the SBS family and I already miss that family ever since they took the Lead role from me, but I am so glad to keep in touch with all of you. Hopefully there will still be MVP training sessions in Charlotte so we can all go to the farm and eat BBQ! Much love - Kristin
...well, before you think about hooking those appliances to your SBS, better make sure that Shavlik can patch 'em . . . ;^) I was just joking with Steve that who knows - in a few years I may have a home media server along with wireless internet access on flights - so we wouldn't be tied to the in-flight entertainment - just RWW back to your SBS at home and pull up the movie / program of your choice from your media server . . . Now *THAT* would rock! And as for the smart home - I'm all for it. Connect all the appliances, light fixtures, thermostat, garage door opener, security system, etc. God knows I could use some appliance related alerts - like when the lint trap is full, the dishwasher is out of rinse aid, the furnace filter needs changed, the water softener is low on salt, etc. The potential is virtually limitless . . . just think, control anything electric in your home from anywhere with your PDA . . .
Susan this is awesome, Thanks!
Hi Susan, thanks for the tips on the other SBS blogs. BTW I'd check out www.synop.com Sauce Reader - it has a search engine built in that enables you to create 'search folders' just like Outlook does over the blog feeds/comments it has downloaded - check out more discussion at my general blog here: http://www.ecademy.com/node.php?id=30415 Regards, Ed
Super useful info Susan - as per. Especially the RSS feed for SBS - yay!!! Very timely now that you have me all NewsGator'd (and longtime LookOut fan) - perfect, highly recommended combo. GreggB
Meant to add - the SBS feed had me see an update that I'd not seen reference to (I know - living under a rock...) - the update so BCM works with SBS. I had not followed up on this after discovering BCM effectively disabled on SBS installation. My clients and I send humble thanks in your general direction :) GreggB
Actually the reason EHLO isn't listed is probably because I forgot to add it to the internal registration tool that makes blogs show up in that list. :-) I'll add this to my list.
umm... Susan - I saw this cool thing on Microsoft's research site some time back about home automation. It even had a demo of a person forgetting to close the garage door, they connected back to home via a web interface, told the door to close, and then in a few minutes received an email from the home system complete with a video of the door closing. I've been playing with something like this at home here - nothing fantastic just yet, but still cool just the same. Now - does that mean port 80 will need to be open to the home server.... <ducking to avoid the 2x4>
We met a lot of new friends and learned a lot about the great features of SBS and how it can help accelerate companies from good to great.
Two things: 1. Confidence 2. Connect with people who think in the same space
I would just like to say thank you. I have been having that stupid "root certificate" error for ages with Entourage and thanks to you it has disappeared. Thank you again, Anon
Turns out that the tool is available after 8 AD reviews? Hourly rate for services xxx.xx. Time for 8 webcast reviews of some kind of quality - 20 mins each, total of 2h 40m. Leatherman cost < $80. I'm sorry I only just found out about this, or it would be a shoo-in... -J xx
Wow! RWW looks amazing - a seriously cool collection of features. An RDP Proxy!? I'll be grabbing an SBS2003 server and trying it out tomorrow - thanks for showing me the easy option!