[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] December 2009 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA


When you install Exchange SP2 on SBS 2008, any issues you hit will not be caused by SBS or be unique to the SBS tool. They are pure Exchange issues that you would hit regardless of the installation.

For example... one that Nick Whittome hit during his testing was an error that he got while installing SP2:

"Setup previously failed while performing the action "Install". You cannot resume setup by performing the action "BuildToBuildUpgrade"."

http://www.google.com/search?q=You+cannot+resume+setup+by+performing+the+action+%22BuildToBuildUpgrade&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1

As you can see this is an issue that "normal" Exchange has seen.  So if you hit issues, they are not unique to SBS and you may need to google the exact error message you get.  Plan on about an hour for the download of the SP2 package (at least on my DSL speed) and about an hour to install SP2 on a box... and as I said before TAKE A BACKUP.  Go into the Backup console and kick off a special one.

TAKE A GOOD BACKUP FIRST
Download details: Microsoft Exchange Server 2007 SP2 Installation Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ffd2fe61-9278-489e-9b96-3816394c9cb6&displayLang=en

Keep in mind that any SP2 installation issue that an Exchange box might normally hit (and I'll blog later about the ones I've seen the normal Exchange folks hit) you may hit regardless.

It takes an hour to download SP2
It takes an hour to install SP2

Book the time accordingly.
TAKE A GOOD BACKUP FIRST
(I'll blog more on this topic but I'm about to leave for LA/Disneyland for the New Year's weekend)
Posted Thu, Dec 31 2009 10:32 by bradley | with no comments

One of my users that has XP as a remote machine was saying that they couldn't log into RWW.  They would get to the TS Gateway and enter in the information and it would say that they were getting a bad password.  So I fired up a virtual XP to see if I could walk through the screens to see what they were hitting.

And I see the problem.  XP does the log in one way; Vista and Windows 7 do it differently.

On an XP machine, when it gets to that TS Gateway screen it does not enter DOMAIN\username the way Vista and Windows 7 do automatically.

So if your XP users are complaining that they can't log in and get a bad password, what happens is that without the DOMAIN\username they end up on the local account on the box, not the domain account.  And of course, the password for the local account is not the same.

So in that screen make sure your XP folks know to type in DOMAIN\username.  I've typed up instructions for folks that access the firm remotely but apparently I missed that instruction.

Posted Thu, Dec 31 2009 10:13 by bradley | 1 comment(s)

We've built a beast.   Or building a beast.  We've built a business model (or lack thereof) that is destroying content.

With the Christmas holidays I missed the announcement that Brian Krebs was leaving Washington Post.  Another really good source of information from the traditional media that is now no longer at the place it used to be. 

Security Fix - Farewell 2009, and The Washington Post:
http://voices.washingtonpost.com/securityfix/2009/12/farewell_2009_and_the_washingt.html
Krebs on Security:
http://www.krebsonsecurity.com/
briankrebs (briankrebs) on Twitter:
http://twitter.com/briankrebs

The good news is that he's opened up a space on the Internet.  Here's hoping that he can continue to maintain the level of information that site has brought to security.  To make sure he does I clicked on that paypal and donated.

Back in 2003 the security researcher "Rain Forest Puppy" wrote this note -- http://www.wiretrip.net/rfp/txt/evolution.txt.  I think it still holds true today.

Don't lose sight of security.  Security is a state of being, not a state
of budget.  He with the most firewalls still does not win.  Put down that
honeypot and keep up to date on your patches.  Demand better security from
vendors and hold them responsible.  Use what you have, and make sure you
know how to use it properly and effectively.

And above all else, don't abuse or take for granted sources of help and
information.  Without them, you might find yourself lost or
inconvenienced.

Posted Wed, Dec 30 2009 23:42 by bradley | with no comments

Microsoft at International Consumer Electronics Show (CES) 2010 Virtual Pressroom:
http://www.microsoft.com/presspass/events/ces/

As we close out the old year, the new year and the Consumer Electronics Show is right around the corner.

For whatever reason I didn't realize it was next week.  We'll see what press comes out of next week.  Looks like Apple is planning an event at the end of the month and bypassing CES.

Posted Wed, Dec 30 2009 17:23 by bradley | 1 comment(s)

https://www.microsoft.com/licensing/servicecenter/Registration.aspx

So I'm closing out the year still without access to the MVLS web site and I know from others posting that they are in the same condition.

Granted OEM software distribution sucks (like we've had two Windows 7 consumerish newly purchased computers arrive and neither one had true media and you had to burn in your own), but you do have the software somewhere. 

What this has done for me is question deeply if I want to buy Open Value licenses in the future.  The value of Open Value to many is the upgrade, not the benefits of the platform itself. 

It's getting harder and harder to justify open value based on the time wasted to try and get access and the real (and not perceived) benefits.

So for all those of you that are still banging your head, keep the faith.

Or try to at least.

Posted Wed, Dec 30 2009 12:46 by bradley | with no comments

Event Details:
http://www.calcpa.org/Public/Catalog/CourseDetails.aspx?courseID=098092127A

REGISTRATION STATUS: OPEN



Date: Friday, January 08, 2010
Time: 12:00 - 2:00pm (Registration at 11:40)
Facility: TBA
Area: Webcast
CPE Credit: 2.0 CPE (Continuing Professional Education)
Instructor: Susan E. Bradley
NASBA Subject Area: Computer Science
Delivery: Group Internet-Based
Course Level: Beginning
Fee: $0 CalCPA Members, $99 Nonmembers

This FREE for CalCPA members webcast is being sponsored by the CalCPA State Technology Committee

As data systems become more complex, they become more valuable. CPAs, in particular, need to stay ahead of the curve if they want to keep their clients' data safe. This two part webcast is designed to provide you with the tools you need.

Part 1: Why keeping your clients' data private and secure matters 12:00 - 1:00 pm

Join Susan Bradley, CPA, GSEC, CITP, CFF and Dana Epp, Microsoft Enterprise Security MVP and CEO of ScorpionSoft as they traverse the legal and regulatory minefield of privacy regulations, laws, and "best practices". We'll cover what specific laws and regulations currently impact the handling of client data as well as warn you about the impact of upcoming laws and regulations. We'll provide you with guidance to identify and track personal identity information in your office and provide you with the guidance to set up your own security policy to protect that data.

Part 2: Implementing privacy and security of your clients' data 1:00 - 2:00 p.m.

Susan and Dana will guide you through the specific solutions to deploy to protect data at rest and in transit in your organization. We'll discuss software, hardware and the reasons to choose a solution and how to implement it within your organization.

Objectives:
  • To assist the CPA in identifying what laws and regulations impact the need to protect and secure client data.
  • To provide the CPA with resources to set up a security policy.
  • To provide a framework for identifying and classifying sensitive data in a firm and provide guidance as to necessary protection for the data.
  • To assist the CPA in identifying what technologies and software will assist in protecting and securing client data.


Major Topics:
  • data
  • encryption
  • security
  • information technology

Designed for:
Any CPA concerned with the safety and security of his or her clients' financial data.

Prerequisite:
none

Advanced Preparation:
none

    I've done this twice now and it annoys me every time I do it.

    I set up a server in a SBS 2008 domain.  I join it to the domain.  It initially goes into the SBSComputers OU, which has a prebuilt group policy that allows remote desktop and adds the firewall exclusions for remote desktop.  I then move the server from the SBSComputers OU to the SBSServers OU, and if I don't remember to manually go back into the system/remote tab and edit the ability to remote into the server, I've locked myself out.

    So I built a group policy rule so I won't do that anymore.

    First build a WMI filter:

    Launch the group policy management console.  Go in the WMI Filter section, right mouse click and click new.  Title up the policy, put in a description, click add.

    Leave the root\CIMv2 namespace as is and in the Query section copy and paste in:

    Select * from WIN32_OperatingSystem where ProductType=3

    You will note that in the Windows SBS Client the query value is like this:

    select * from Win32_OperatingSystem Where ProductType!=2

    The "!=" stands for "does not equal", so that one reads "filter on everything BUT the domain controller".  The one I'm building specifically targets server OSes.

    http://www.eventlogblog.com/blog/2009/10/useful-wmi-queries-to-filter-g.html

    Workstation
    Select * from WIN32_OperatingSystem where ProductType=1
    Domain Controller
    Select * from WIN32_OperatingSystem where ProductType=2
    Server
    Select * from WIN32_OperatingSystem where ProductType=3

    Now we go into the SBSServers OU, right mouse click and click on "Create a GPO in this domain and Link it here".

     Call the group policy something descriptive.  Now go down to Computer Configuration, then to Policies, then to Administrative templates, then to Windows components, then to Terminal Services, then to Terminal Server, then to Connections,  and ensure that "Allow users to connect remotely using Terminal Services" is enabled. 

    Next go to  Computer Configuration, then to Policies, then to Windows Settings, then to Security settings then to Windows Firewall with Advanced Network Security and go to inbound rules.

    Right mouse click and click on "New Rules".  Choose predefined rules and choose Remote Desktop (TCP-IN), then Distributed Transaction Coordinator, then Windows Management Instrumentation.  You can thin these down if you like, but for me those three core ones allow me to manage the box remotely better.

    So the resulting firewall will look like this:

    So there you go, a specific group policy for member servers.
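
A way to confirm, before you walk away from the console, that the filter and the policy actually landed on a member server. This is an added example, not part of the original post; it assumes the default RDP port 3389 and the standard registry locations where Windows stores the Terminal Services policy and GPO-delivered firewall rules.

```powershell
# Added example, not from the original post. Read-only; run elevated on the member
# server after it has been moved to the new OU and "gpupdate /force" has completed.

# 1. Evaluate the ProductType filters quoted above against this machine.
#    A WMI filter lets the GPO apply when its query returns at least one row.
$filters = @(
    @{ Name = 'Workstation';       Query = 'Select * from Win32_OperatingSystem where ProductType=1' },
    @{ Name = 'Domain Controller'; Query = 'Select * from Win32_OperatingSystem where ProductType=2' },
    @{ Name = 'Server';            Query = 'Select * from Win32_OperatingSystem where ProductType=3' },
    @{ Name = 'SBS client filter'; Query = 'Select * from Win32_OperatingSystem where ProductType!=2' }
)
foreach ($f in $filters) {
    $rows = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $f.Query)
    $verdict = if ($rows.Count -gt 0) { 'matches (GPO would apply)' } else { 'no match' }
    '{0,-18} {1}' -f $f.Name, $verdict
}

# 2. Remote Desktop setting. The policy value, when present, overrides the local one.
#    0 = connections allowed, 1 = connections denied.
function Get-DenyTSConnections([string]$Path) {
    $item = Get-ItemProperty -Path $Path -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($item) { $item.fDenyTSConnections } else { $null }
}
$policy = Get-DenyTSConnections 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$local  = Get-DenyTSConnections 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$effective = if ($policy -ne $null) { $policy } else { $local }
$rdpState  = if ($effective -eq 0) { 'ALLOWED' } else { 'DENIED' }
"fDenyTSConnections: policy=$policy local=$local => RDP $rdpState"

# 3. Firewall rules pushed by group policy are stored as pipe-delimited strings
#    under this key. Look for an active inbound allow rule on TCP 3389.
$fwKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
$rdpRules = @()
if (Test-Path $fwKey) {
    $key = Get-Item $fwKey
    foreach ($valueName in $key.GetValueNames()) {
        $rule = [string]$key.GetValue($valueName)
        if ($rule -match '\|Dir=In\|'       -and $rule -match '\|LPort=3389\|' -and
            $rule -match '\|Action=Allow\|' -and $rule -match '\|Active=TRUE\|') {
            $rdpRules += $valueName
        }
    }
}
"GPO inbound allow rules for TCP 3389: $($rdpRules.Count)"

# 4. Show which GPOs applied to the computer and which were filtered out.
gpresult /r /scope computer

if ($effective -ne 0 -or $rdpRules.Count -eq 0) {
    Write-Warning 'RDP is not fully enabled by policy. Fix this before logging off the console.'
}
```

On a member server you should see "Server" and "SBS client filter" match and the other two not; if the new GPO is missing from the gpresult output, check the link on the OU and the WMI filter before you disconnect.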

    Word of advice when setting up servers that later will be installed in an office or remote location.  Stick logmein free on there until you get the server stable and policies working just so.  You can accidentally log yourself out of RDP, but chances are the logmein beacon will still work just fine so you can figure out what you did and undo it.

    Just a reminder when setting up a new server don't forget to flip the box.  When you go to scan for updates click on that little "Find out more" and flip it over to Microsoft update.  This ensures that you will get updates for all of the products on the box not just the operating system.

    Posted Mon, Dec 28 2009 18:02 by bradley | with no comments

    This hit me today.  One of my old migrated distribution group lists wouldn't work, and when I tried to edit the members of the distribution groups I got a 'Validation Error This field cannot be empty'.

    Found the solution in the SBS 2008 newsgroups:

    https://connect.microsoft.com/SBS08/community/discussion/richui/default.aspx

    1. Open adsiedit.msc and connect to the Default Naming Context.
    2. Expand Default naming context -> DC=domain,DC=local -> OU=MyBusiness ->
    OU=Distribution Groups.
    3. Find a group that was created post migration and view its properties.
    Look for msExchVersion = 4535486012416. (Verify if the number list matches
    this one or not. I suspect it will, but want you to be sure.)
    4. Now go view the properties of a migrated group and look for
    msExchVersion. It may not be there or it may be empty.
        - If it's empty, set it to the value 4535486012416 or whatever the group
    you found in #3 was set to.
        - If msExchVersion is not there, you may have to click the Filter button
    and alter the settings to see if it's not set to appear.
    5. Once you've set msExchVersion to the appropriate value, click OK out and
    then try your edits to the group.

    Sure enough, that was the fix.
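
To find every migrated group that needs this fix without opening each one in adsiedit, the following read-only query lists the groups in that OU and flags the ones with no msExchVersion. It is an added example, not part of the original post or the newsgroup answer; the OU path is the placeholder from step 2 and the expected value is the one quoted in step 3, so substitute your own domain and confirm the value against a post-migration group.

```powershell
# Added example, not from the original post. Read-only: nothing in AD is changed.
# Assumptions: OU path is the placeholder from step 2; expected value is from step 3.
$ouPath   = 'LDAP://OU=Distribution Groups,OU=MyBusiness,DC=domain,DC=local'
$expected = '4535486012416'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$searcher.Filter     = '(objectCategory=group)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add('cn')
[void]$searcher.PropertiesToLoad.Add('msExchVersion')

$report = foreach ($result in $searcher.FindAll()) {
    # Property names come back lower-cased in the result collection.
    $value = $null
    if ($result.Properties.Contains('msexchversion')) {
        $value = [string]$result.Properties['msexchversion'][0]
    }

    $status = if (-not $value)               { 'MISSING - set per step 4' }
              elseif ($value -eq $expected)  { 'ok' }
              else                           { 'different value - review' }

    New-Object PSObject -Property @{
        Name          = [string]$result.Properties['cn'][0]
        msExchVersion = $value
        Status        = $status
    }
}

$report | Sort-Object Status, Name | Format-Table Name, msExchVersion, Status -AutoSize
```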

    Through June 30, 2010, customers using applications that are not yet 
    certified for use on SQL Server 2008 Standard, a copy of SQL Server 2005 
    Standard will also be included in SBS 2008 Premium. SQL Server 2008 (or 
    2005) Standard can be installed on either server: If you install SQL on 
    the first server then you must install the management tools on another 
    machine.
    
    SBS 2008 Compare Features:
    http://www.microsoft.com/sbs/en/us/compare-features.aspx
    ----------
    That used to say December 31, 2009 as the cut off date.  Now it says June 30, 2010.  Thanks to the SBS team
    for listening to a request to extend the automatic downgrade rights for SQL.
    Posted Sun, Dec 27 2009 23:16 by bradley | with no comments

    Somehow I think we had a huge failure of three light strands last night on our outside garland.

    That is 82 light bulbs that are all burned out.  

    I get this vision of the garland doing a Griswold flash of light at about 2 am in the morning or something.  So now I'm online shopping for replacement light bulbs.  The strings aren't that old but when you have a severe failure of equipment you wonder if you should replace it completely.

    If that was a server, I'd be calling the manufacturer and getting replacement parts.

    Posted Sun, Dec 27 2009 16:46 by bradley | 1 comment(s)

    I found that out personally when buying APC 1500 UPS's that look like this -- and found out the hard way that it would not keep the server up.  So then we purchased the SMART-UPS, also rated 1500 and that model would keep the server up.  

    Mind you the normal 1500's were good enough to keep the old server up, but I had to get the SMART-UPS to support the new server.

    So keep in mind all UPS's are not alike and spec accordingly.

     

    So I was repurposing my HP ML 370 G4 from its old job of being a SBS 2003 to another operating system.  And I threw on Windows 2008 64 bit to see if it would load.  While the box won't support HyperV (sniff) it may have a few years of spare server duty left in it.  My first interesting factoid is that since it's been turned off for two weeks the controller card battery was low (this is why I plan for hardware change outs after five years).  The next thing I noted was exactly what is documented in this thread:

    http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1261799137682+28353475&threadId=1385979

    Install using the smart start media and after you log into the OS the jet engines (better known as the fans on that sucker) turn on and do not turn off.

    Do not use smart start. Set up the array without smart start and install the OS without smart start. Then install the HP tools after the OS is installed.

    If you let it install ALL of the drivers, the jet engine sound will turn you deaf.

    As that thread indicates, run 2003 on it, and it won't sound like a jet engine.  Put 2008 with the smart start and wear ear plugs.

    So the moral of this story is.... sometimes you don't want to use that HP smart start media especially when you are putting server operating systems that are not the same "vintage" as the server is. 

    As I always explain... sometimes you have to make sure you match the kids on the playground to ensure they are the same age to get them to play the nicest together.  That's why the vintage G4 + smart start + Windows 2003 plays nice and a G6 (my current model) and smart start and Windows 2008 works the best. 

    Posted Fri, Dec 25 2009 19:47 by bradley | 2 comment(s)

    and the first thing you want to install is CCH PFX Engagement 6.0?  Doesn't everyone?

    (okay so like maybe it's just the beancounters on Christmas morning that are giddy with delight of installing tax and accounting software on Windows 7, but in general this is the best way to install line of business applications, older software, and just in general getting a new box set up)

    Step one turn off UAC.

    Yes, you heard me, turn off UAC.  Turn it off DURING THE TIME YOU ARE INSTALLING SOFTWARE.  Not turn it off on your Windows 7 permanently, silly.

    I have personally found that if I leave it on during the install of software (especially beancounter stuff) it doesn't quite install right even if I run as administrator and run the application compatibility wizard and all that.

    So turn off UAC.  You will be prompted to reboot your Windows 7.  Then install the SQL 2008 (this is on the Engagement CD) and then install the PFX Engagement 6.0 from the MSI file (not autorun).

    Remember Vista and Windows 7 have .net installed already.  Once you do that the program will run just fine.

    Then go back and move UAC back up (mind you as a Vista veteran I move it all the way to the top but the default is one notch from the top).

    Windows 7, CCH, pfx Engagment 6.0

    Have a pc that says it has an old version of Trend on it but you don't see it in add/remove?

    http://esupport.trendmicro.com/Pages/How-do-I-remove-old-or-new-versions-of-Trend-Micro-products-in-my-comp.aspx

    Use that tool to totally remove the antivirus from the registry.

    Posted Thu, Dec 24 2009 23:27 by bradley | with no comments

    One of my favorite movies is the various versions of Christmas Carol.  And I've always liked the part where the idea is presented that if you can wish a Merry Christmas to a person that doesn't seem to be that Christmasy then you know you have the Christmas spirit always in your heart. 

    I'd like to wish a Merry Christmas not to the employees of Microsoft.   They all work very hard, very tirelessly and very passionately.  Without them, without the hard work of people like Eric Ligman who is blogging on Christmas eve we'd be in more mess than we are now.  It's the employees of Microsoft that I am extremely grateful for.  They are the Bobs of this Christmas tale working tirelessly.  They have my deep thanks for being there, for fighting the good fights, for doing what they do, many times being the front line person who gets the flak for something.  And many times they don't deserve the venting of the frustration that we give them.  They are just there to be the ones to hear it.

    To all of the employees of Microsoft, my sincere and deep thank you for your tireless work towards helping the customers of Microsoft.

     

    But it's the corporate policy that is the Scrooge I'd like to wish a Merry Christmas to. 

    Microsoft SMB Community Blog : Microsoft Volume License Service Center (VLSC) Update and Partner FAQ:
    http://blogs.msdn.com/mssmallbiz/archive/2009/12/24/microsoft-volume-license-service-center-vlsc-update-and-partner-faq.aspx

    Between Windows Genuine Advantage, Office Genuine Advantage and now the increased security of the VLSC web site, there are times I wonder if Microsoft the corporation wants customers at all.  The manner in which these "enhanced" security measures of the web site have been pushed out just is a bit unreal in terms of customer service.  I always felt that Volume licensing was for the big firms to begin with, and I was better served for my firm just going OEM or retail, but this "upgrade" reinforces it even more.

    Add to that, as someone said, do we really want to rely on Microsoft as a cloud vendor if they screw this up this badly?  When I screw up at my firm, it's my server I'm rebooting on Christmas eve.  When these large vendors screw up in the cloud, it has a major impact.

    I don't know if some of this is our fault for not paying more attention to the upgrade of the VLSC web site.  I personally knew that eOpen was going to be merged with the MVLS/VLSC web site, but I sure don't remember reading anywhere about the "increased" security measures ahead of time so I could make sure I knew BEFORE the upgrade exactly what business email was connected to the site, or contact my softwareone reseller ahead of time rather than bump up against the Christmas holidays when everyone is taking off for vacations.

    So to the policies of Microsoft, I want to wish you a Happy Christmas.  I am sincere in saying that I hope you understand that in the year 2010 when the company of Microsoft makes changes and upgrades that you understand that communication ahead of time is key to ensuring a successful event. 

    Happy Christmas everyone!

     

    Posted Thu, Dec 24 2009 14:06 by bradley | with no comments

    I use a product called Policy Patrol that adds custom disclaimers to Exchange.  And I needed to edit the disclaimer message.  No prob, just launch the console.  But here was the weird thing: it was working fine but I couldn't adjust the disclaimer templates.  Weird, they were working last week when I set them up.  So I emailed support at Red Earth Software and they emailed me back.  Today.  Christmas Eve.  Wow.  Talk about customer support.

    So when we ran the repair install I think something got a bit mangled.. as suddenly I got this message:

    The Microsoft Exchange Mail Submission Service is currently unable to contact any Hub Transport servers in the local Active Directory site. The servers may be too busy to accept new connections at this time.

    Uh.  Okay.  On a SBS box unless we have backpressure going on, that's a bit impossible for the Mail submission service to not find a hub transport since it's on the SAME server.

    It was obvious from other error messages that Policy Patrol and the transport service were fighting and causing issues, as in the system log I saw this:

    Application popup: EdgeTransport.exe - Fatal Application Exit : EXITING APPLICATION

    A little uninstall and reinstall and Exchange is happy and Policy Patrol is happy.

    Posted Thu, Dec 24 2009 13:51 by bradley | with no comments

    Official NORAD Santa Tracker:
    http://www.noradsanta.org/en/index.html

    It's that time of year when that guy from the North gets a bunch of reindeer together and heads out to make the journey around the world.   For those that are sticklers of science, don't look for the red nose of Rudolph, but rather the doppler shifted purple nose as Santa gets up to light speed to make that journey around the world and down all of those chimneys.

    Not to be left behind in the social media craze, Santa apparently will be twittering as he's going down those chimneys.  He also has a facebook you can 'friend' as well.

    And if you are out and about, download the mobile app so you can search for him so you can be asleep before he gets to your area of the world.

    Posted Wed, Dec 23 2009 23:44 by bradley | with no comments

    There's an old saying... "Fool me once, shame on you, fool me twice, shame on me!"

    So a few days ago I got several matching comments posted on my blog and I thought it was from an IT firm asking a solid question...

    http://msmvps.com/blogs/bradley/archive/2009/12/19/can-anyone-recommend-the-top-performing-network-management-software-for-a-small-it-service-company.aspx

    The comments were all over my blog and I thought the guy or gal was desperately seeking the best answer in the upcoming days before the end of the year to make a decision.  We actually got folks giving some good advice.  So tonight I get another series of emails that are all way way too familiar:

    [THE OFFICIAL BLOG OF THE SBS "DIVA"] - What is the best IT automation tool out there?
    Date:  23 Dec 2009 21:05:57 -0600
    From:  MSMVPS.COM - Automated Email <postmaster@msmvps.com>
    To:  sbradcpa@pacbell.net

    A Comment has been posted to THE OFFICIAL BLOG OF THE SBS "DIVA": Can you do Direct Access with SBS 2008? by INEPLERERY: 
     

    Can anyone recommend the best Remote Management & Monitoring program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: <a href="http://www.n-able.com"> N-able N-central it consulting

    </a>? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

    --------------------------------------------------------------------------------

    This Comment was Not Published (Spam Score: 0).

    Use the links below to publish or delete this comment:
    Approve | Delete

    This time I take the time to follow the "poster" link, and when I follow it I realize that I've been fooled.

    Badly. 

    Embarrassingly so. 

    So to all of those who posted on that thread I apologize as well.

    I've been scammed.  The poster hitting my blog with these comments asking for the "best IT tool" or the "best patch management tool" is http://a5web.com/.

    What is http://a5web.com/?

    With over 200 clients all on top 10 of Google, Yahoo, MSN and countless local search engines, rest assured that our white-hat SEO techniques are PROVEN, are transparent and really work. Read our testimonials to find out more about the search engine optimization results we have provided our clients with.

    It's the death of social media indeed when you trick bloggers or use spam links to 'up' your google/bing ranking. 

    Dear vendors:  Here's a novel thought to getting more customers:

    BUILD A BETTER PRODUCT THAT PEOPLE USE.

    Trust me.  If you build something I LIKE you don't have to pay me, you don't have to bribe me, you don't have to do anything but get out of my way and let me gush all over and talk about it.  I'm an insane person who likes to talk about things that I like doing or that I'm interested in.

    See my Mini Cooper?  I like love my car.  No one from Mini Cooper USA or BMW pays me to bake Mini Cooper shaped gingerbread cookies and blog about it, I just insanely gush like this because I like the product.  Conversely why do I blog so much about SBS?  Microsoft doesn't pay me.  I just use the product in my business and I use the blog as a journal of the tweaks and stuff that I do.  The customization that I've done to make Remote Web Workplace have our firm logo, the fact that I've got SBS 2008 humming nicely, it makes me feel good to know that my migration was such that no one on the inside suffered any downtime.  The folks on the outside remoting in they were very impressed with the new landing page and like that Outlook Web Access is much faster than the old platform. 

    The virtualization platform that I picked is also a really really REALLY cool way to deploy SBS 2008 and the VERY cool thing about SBS 2008 versus SBS 2003 in the virtualization space is that it's 100% supported on HyperV.  Unlike SBS 2003 which due to Exchange is not.

    But seriously,  I'm this insane to just blog about this geeky stuff that makes me gush all the time. 

    But don't you DARE try to trick us me and use Search Engine Optimization techniques and spamming blog sites to get your product up in the search engine.

    Shame on me for falling for it...hook... line and blog spam.
