THE OFFICIAL BLOG OF THE SBS DIVA

The outside refridgerator with the "car magnets" on them.

Some people decorate their houses, some people decorate their cars.

We do a bit of both with Mini Cooper Badges.  Decorate the fridge AND decorate our cars later.

(And yes we have window stickers that say "You've just been smoked by a clown car" and "You've just been passed by a girl".

When you use redirected folders in SBS (or in any Windows server) by default (unless you check the box) it's limited to only the user having access to the folder.  So if you are the admin you are prompted with a "I'm sorry, Hal, I won't let you do this". Now you can click through the prompt or take ownership of the folders but you might want to do this like Gerhard wanted to do.

 Using this blog post as a guide  --

How to restore Administrators’ access to redirected My Documents folders « My PKB:
http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

The first thing you do is to download the PsExec from the PSTools.  You don't have to download Powershell as it's already on the box.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Copy the script below and change two things:

$StartingDir= "E:\Users\shares"

The location of the redirected shares

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

The name and domain of the Domain admin account you want to give rights to.

Now save the file as permissions.ps1 (that's a number 1 not a L by the way)

So download the PsExec and extract it on the box.  Then here's the trick you have to remember.  Right mouse click on the command line icon and "run as administrator"

Now type in the command window to run the script

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

And then the permissions/ownership will be changed.

And now you won't get the "I'm sorry I won't let you do that" when clicking on the folders.

Proactively you can change the group policy setting to not be as restrictive.

Right mouse click and edit

Under the SBS folder redirect policy (drill down under User Configuration, then Policies, then Windows Settings, the Folder Redirection

And then uncheck the "Grant the user exclusive rights to the Desktop"

The permission script is below:

====copy from here ====

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "E:\Users\shares"

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
#display filename and old permissions
write-Host -foregroundcolor Yellow $file.FullName
#uncomment if you want to see old permissions
#CACLS $file.FullName

#ADD new permission with CACLS
CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

#display new permissions
Write-Host -foregroundcolor Green "New Permissions"
CACLS $file.FullName
}
}

===== to here======

Dell Precision M90 Laptop Product Details | Dell:
http://www.dell.com/us/en/dfb/notebooks/precn_m90/pd.aspx?refid=precn_m90&cs=28&s=dfb

Interesting issue, I had upgraded my Sister's laptop from Vista to Windows 7 and afterwards while the wireless card driver was there and enabled, it wouldn't connect to the interest.  I upgraded the driver to the latest and ran the diagnoses and it said that the hardware "beacon" wasn't enabled.  Booted into the bios and disabled/reenabled the wireless and then it worked.

Weird.

I'm reblogging this as even though I blogged it before, I forgot to install this hotfix on a Vista workstation we have

After you disconnect from a remote desktop session to a destination computer that is running Windows Vista or Windows Server 2008, the default printer is changed when you log on the destination computer from the console:
http://support.microsoft.com/default.aspx?scid=kb;en-us;972600

You disconnect from a remote desktop session to a destination computer that is running Windows Vista or Windows Server 2008. When you log on the destination computer from the console, the default printer is changed on the destination computer. For example, you may notice that there is no default printer or that the default printer is changed to another printer.

Annoying little issue.

Want to know what Mark Minasi takes in his coffee?  Milk, cream or sugar?  Want to know what Security guru  Roger Grimes really would like to do to a hacker if he met them in person?  Has Active Directory expert Laura Hunter secretly run a peer to peer network at any time in the past?  Have Exchange gods Nathan Winters and Michael B. Smith ever screwed up PowerShell commands and lived to tell about it?

Want to go to an intimite conference where you can rub elbow and buy beers of the experts, not get overwelmed by the vendor swag booths.  Want to go to a conference where you come away with your head exploding of ideas that work, not vendor promises?  Want to come back from a conference with your email contact list multiplied ten fold?  This is the conference for you.  Lurk out on the Minasi forums and you'll see the brain power in action.  http://web2.minasi.com/forum/  It's these folks that build a conference that they want to attend.  Check it out.  It may be one that YOU want to attend for that reason.

(not to mention there's SBS and EBS session to boot)

http://www.minasiconference.com/

Mark Minasi is proud to announce the 5th Annual Minasi Internet Forum being held in Virginia Beach, VA May 2nd – May 5th 2010.

Sunday – May 2nd 2010

Pre-Conference event with Todd Lammle

08:30 – 12:30

12:00 PM – Conference Registration Begins

1 PM – Opening Session led by Mark Minasi

2 PM – Session 1: Mark Minasi – 10 (or more) things that you don’t know about Windows Server 2008 R2

3:15 – Break

3:30 – Eric Rux – “So, you want to be a writer, eh?:  Tips, tricks and other thoughts on getting into the writing game – with open discussion with the other authors in the audience”

4:00 – Mini Session – TBC

4:30 – Break

4:45 – Roger Grimes – Fighting off Malware, the latest attacks and ways to resist them!

6:00 – Welcome Reception in the Hunt Room

Monday  – May 3rd 2010

9:00 – Ultan Kinahan – Disaster Recovery With VMware SRM

10:15 – Laura E. Hunter – Active Directory Federation Services

11:30 – Break

11:45 – Aidan Finn – Using Virtual Machine Manager 2008 R2: How to manage Hyper-V

1:00 – Lunch (Provided)

1:45 – Claus Neilsen – Digging into PowerShell V2

3:00 – Mark Minasi – The Active Directory recycle bin.

4:15 – Break

4:30 – Expert Panel:  Project Planning, Design and Documentation (Bring Your Own Questions)

5:45 – Offsite Dinner Organized with Transportation

Tuesday – May 4th 2010

9:00 – Eric Rux – Using Windows in your Home! -  “More fun with Windows Home Server: How to use this versatile product for small business and home entertainment”

10:30  – Mini Session – TBC

11:00 – Roger Grimes – Server 2008 PKI – Certificates are becoming increasing critical – learn how to use them!

12:30 – Lunch (Provided)

1:00 – Nathan Winters – Protection and Compliance with Exchange 2010

2:15 – Break

2:30 – Michael B. Smith – Part 1 – Migrating from 2003 AD and Exchange to 2010 Exchange and 2008 R2 AD – Hands on Demonstration

3:45 – Break

4:00 – Michael B. Smith – Part 2 – Migrating from 2003 AD and Exchange to 2010 Exchange and 2008 R2 AD – Hands on Demonstration

5:30 – Dinner (on your own) at a local restaurant. Last chance to rub elbows.

Wednesday -  May 5th 2010

9:00 – Stacy Hein – SQL Server troubleshooting

10:15 – Short Session

10:45 – Break

11:00 – Joe McGlyn – A look at SBS and EBS – Doing IT right for the SME

12:15 – Closing and Lunch

1:30 – Unofficial Round Table

Robert in the comments points out a known issue with Exchange 2007 sp2 update rollup 2 that folks may need to be aware of:

"As a FYI, there was a bug in Update 2 where if you had a public folder retention setting, Exchange misinterpretted the value by a factor of 86400 (days instead of seconds) and if you value was large enough Exchange would be a integer overflow which caused all kinds of problems"

Keep in mind on a bog standard SBS 2008 migrated from a SBS 2003 this bug has no impact http://technet.microsoft.com/en-us/library/ff383368(EXCHG.80).aspx as there's no setting for msExchOverallAgeLimit

The issue is discussed here:

Issue Exchange Server 2007 SP2 Update Rollup 2 Item Retention Period "TimeSpan overflowed because the duration is too long:
http://social.technet.microsoft.com/Forums/en/exchangesoftwareupdate/thread/54be6a44-cb40-497b-8790-313518862779

Robert / Mike - Here is some more information about the problem and some workarounds

A bug in E12 pre-SP2 RU2 saved the public folder database item retention limit in AD as number of seconds.  Store expects this value to be number of days so messages end up never expiring (technically they will expire after 100s of years).  This is fixed in SP2 RU2 (KB 969230) by using days instead of seconds but any server that had previously set this value (in seconds) will now get an overflow exception. Internally this uses the System.TimeSpan structure and hence the maximum allowed value becomes 10675199 seconds or ~123 days (Reference: http://msdn.microsoft.com/en-us/library/system.timespan.maxvalue.aspx)

If you had initially set the retention period to something greater that 123 days, OWA will not startup after applying RU2. To fix this you will need to go to the Active Directory and change the value in msExchOverallAgeLimit from seconds to days (i.e. divide the value by 86400). This change has to be made for each public folder database. There are several tools which allow you to modify the AD including ADSIEdit (http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx)

 We will be updating the required KB article with this information soon.

For about a two week period we were suffering from an annoying issue where early in the morning and late in the afternoon/evening, random workstations would suffer a tiny little drop in network connectivity.  Not enough to freak out Outlook or Word or Excel but enough to really impact any database application on the network.  That meant any Quickbooks, or major database app would drop, indicate it had a problem connecting to the network/reading the hard drive and need to be relaunched.  It was never consistent, very very random.  The needle in the haystack type of issues that you need an Information Technology partner to debug.

I may be the "SBS Diva" (the nickname given to me/stuck to me by David Coursey when he reviewed SBS 2003 in an online journal and mentioned me in the contents as Susan the "SBS Diva" in case you are wondering about the tag line on the top of the blog), but when it comes to hardware, and you start talking about back planes and raid controllers and intel mobos and model numbers of the latest HP models and I start glazing over.  I'm not the hardware diva at all, that's for sure.  So I'm lucky that I know a local technology partner firm of Federico.net led by Jim Federico that is that trusted partner in the hardware department. 

After I had:

• Upgraded the network firmware driver
• Updated the bios
• Disabled RSS and TOE in every GUI window I saw
• Followed this http://support.microsoft.com/default.aspx/kb/951037 and disabled the NetDMA in the registry
• Entered these commands -- /netsh interface tcp set global autotuning=disabled
  netsh interface tcp set global chimney=disabled
  netsh interface tcp set global rss=disabled
• Changed the cable to the Server
• Changed the server to another jack
• Saw that the existing switch was showcasing drop packets on three locations so moved them to the second switch (we had two 24 port managed switches)
• 
  Stuck pins in a voodoo doll of the person who invented the Internet 

I then emailed Jim and went down the list of all the things I tried and he said "let me loan you a switch we have in stock so you can rule that out".  Knowing that this is our busy season he arrived on the next day (a Saturday) and waited patiently while we got to a time where people could easily and safely be "kicked off" the network (lunchtime) with no impact to the network.

Knock on wood, it's now been an entire week and not a single drop.

The moral of this story is that no matter how technically savvy you think you are, every small business needs a technology partner that they count on and can trust.  Even as (or perhaps even more so) as we move to the cloud, having someone to know what works, cut through all the marketing and hype and to guide you to the proper solution is needed.

Joe comments:

  Aside from being necessary to remote into the server when the DNS service isn't operating, do you ever find that using DNS names for devices is a bit more managable than IP addresses?  I mean, there's a few ways you can address devices:  a)  static IP address on the device, b)  DHCP-reserved IP address, or c)  DNS name specified on the device.  I find using DNS names for printers seems to be preferable, because it pretty much dead simple to add a printer into the network, let SBS pick it up by the DNS name, and not have to preconfigure an IP port driver or set it up in DHCP.  Likewise, it doesn't matter if SBS reassigns a new IP to it when the lease expires.

I have a wireless access point that acts as a DHCP "guest" obtains an IP address from SBS, and connected wireless PC's get IP's from SBS also.  I use the same option for it - specify a DNS name in the device, so I don't have to remember if I set up an IP address on it or in SBS, and what it would be.  Names are just easier.

YMMV though.

FYI:  I have never found an instance where I needed to specify an additional DNS entry on SBS for name resolution for any device that supports specifying it in the firmware.  I once saw an old printer that did network printing but didn't have a built-in print server that needed additional configuration though, but it was about 8 years old.

In SBS 2003 I always made sure that computers had an identifying name of the person who RWW'd into it because they never knew what they were remoting into.  So to make it easy I would name the computer a variation with the name of the person.  Now with SBS 2008 it makes no difference because you can 'mask' the computer so the person remoting in never ever sees the list of the workstation, they just immediately go to the computer they are assigned. 

When you VPN in from the outside on SBS 2008 one thing you'll find is that you need to put in computername.domain.lan in the remote desktop windows.  Computername alone no longer cuts it.  I still find that I reserve IPs for computers printers and set them up with IP addresses.  I also find that I don't remember which server is on what IP with the exception of the main SBS box.  That one I have the IP address burned into my brain, but the rest of the servers, I know them more by name than IP.  Not to mention in the Active Directory Users and Computers, which is the tool I typically go to view remotely the  event logs of the workstations, I see the servers and computers by name, not by IP.

So for me.... computers and servers I know by name

Printers, managed switches and the main SBS box I know by IP.

The Official SBS Blog : Returning Small Business Server 2008 to a Supported Network Topology:
http://blogs.technet.com/sbs/archive/2010/02/26/returning-small-business-server-2008-to-a-supported-network-topology.aspx

This hit me today.. couldn't get the outlook mail enabled public folder contacts to show up in the contact section if my life depended on it....

Found this post:

Know this is a bit old post.  But as i just had the same problem, and no one here got a solution to why the favorites did not show up under the contacts.

After digging a bit around, i found this page http://www.outlook-tips.net/howto/commandlines.htm

/resetnavpane

Clears and regenerates the Navigation Pane for the current profile. Removes all Shortcuts and Favorite Folders. Has the same effect as deleting profilename.xml in your user directory.

Start Outlook with a switch > Start > Run > Outlook /resetnavpane

It removed the previous ‘favorites’ and when added again, it now shows the other contacts. 

http://social.technet.microsoft.com/Forums/en/office2007deploymentcompatibility/thread/2301cbea-7585-461a-adb7-d0cd8b16fc62

 Reset the navigational pane and voila.  There's my public folder contacts in their proper spot as favorites.

From the sometimes you just want to kill Outlook moments

From the mailbox this morning a post from Ian.....

I have two boxes, the first with sbs 2008 and the second has Win 2008 R2. We’ve just purchased an Iomega Nas with the intention of using it for backups etc.

 As soon as I started using it we hit problems with sbs2008. The box would hang whenever I made much use of the mounted iSCSI disks (no blue screen, screen doesn’t respond, mouse doesn’t respond, etc) . On top of this, after rebooting the volumes wouldn’t remount and I’d have to manually dismount and remount them. I was beginning to think the Iomega was a dud.

 After a couple of days of problems I decided to leave our poor production sbs in peace and switched over to our test box. Surprise surprise everything works. I was able to copy over a couple of hundred Gb in no time at all without problems. SBS hadn’t managed to copy more than a Gb without hanging.

 So switching my attention back to sbs I found that the iSCSI initiator bundled with sbs doesn’t have any updates, though MS does have a more recent version which is used in R2. However there is this hotfix:  http://support.microsoft.com/?scid=kb;en-us;970658&x=10&y=10 , which solves the problem for me at least.

Since the hotfix applies to Win2k8 sp2 it won't be on the box unless you apply it.  Remember SBS 2008 has Win2k8 on it not the R2 bits.  So thanks Ian as I'm sure this will help someone else!

iSCSI Initiator dialog box displays a reconnecting session status after you disconnect and then reconnect the physical connection to the iSCSI target on a computer that is running Windows Server 2008 or Windows Vista:
http://support.microsoft.com/?scid=kb;en-us;970658&x=10&y=10

Prerequisites

To apply this hotfix, your computer must be running one of the following operating systems:

• Windows Server 2008
• Windows Server 2008 Service Pack 2

http://msmvps.com/blogs/bradley/archive/2010/02/24/revising-my-rule.aspx

So here's the results of my new rule set up to automatically approve Exchange 2007 update rollups.

I now have a windows update icon down in the system tray

And when you click on it... you can see it's update rollup 2 waiting to be installed

Voila!

>>> ANNOUNCEMENT: NNTP BRIDGE (forum client) now available! <<<:
http://social.microsoft.com/Forums/en-US/partnerfdbk/thread/4cf232da-054b-4f81-b9cb-2f5a8f0cf49e

According partner's feedback, we have worked out this NNTP Bridge to enable offline reader function while using Microsoft Partner Technical Community. You are encouraged to download and test it. If you have any feedback to the specific application, please contact our management team at pngfd@microsoft.com and we will follow it up promptly.

==============

We are excited to announce that the Microsoft Forum NNTP Bridge Version 1.0 has been released by the Server & Tools Online (STO) team via Connect web site.

The NNTP Bridge is an application created and maintained by the Microsoft Forum team. This application emulates an NNTP server to the extent of allowing NNTP newsreader clients to read data from and write data to Microsoft forums. It is a custom solution built on top of the standard NNTP protocol and expects communication from an NNTP newsreader client; therefore it does not necessarily support all NNTP command input. The NNTP Bridge acts as a medium of data transportation between the newsreader client and Microsoft forums. As a result, the user’s experience may change depending on the newsreader client.

The NNTP Bridge officially targets the following three newsreader clients:

·         Windows Mail

·         Windows Live Mail

·         Outlook Express

While other clients were also being tested during the development process (including Forte Agent and Thunderbird), bugs not pertaining to the three targeted clients are not guaranteed to be fixed at this time.

The installation of the application and the limited UI of the application itself (basically a start button, a stop button, and WLID sign in page) are only available in English.  However, when the Bridge is running, you are free to connect to forums of any language and read/post in any language you select.

Besides, some more resources are for your reference:

NNTP Bridge Troubleshooting Guide

http://connect.microsoft.com/MicrosoftForums/content/content.aspx?ContentID=15478

NNTP Bridge Frequently Asked Questions

http://connect.microsoft.com/MicrosoftForums/content/content.aspx?ContentID=13816

Respectfully yours,

Your Partner Online Technical Community Support Team

 
=======

The Official SBS Blog : Installation of the Intranet Component May Fail in Small Business Server 2003:
http://blogs.technet.com/sbs/archive/2010/02/25/installation-of-the-intranet-component-may-fail-in-small-business-server-2003.aspx

A bit of history... back in November of 2003 right around Thanksgiving we started seeing installs fail with SharePoint failures.  Someone posted in the partner forum that the file sqmcfg.dll had an expiration date of November 24th.  For those in Australia you will also remember this as the Press launch of SBS 2003 when the install would fail (because of course Australia being ahead of the rest of the world they hit the bug before us).  We found that if you set the date back on the clock and installed it would work as well.  Of course that's not the wisest to do on a domain controller :-)  So they released an update/fix to solve the issue and all was well.

(Historical post regarding the original issue is linked below:)   Installation/Reconfiguration Issue with Windows SharePoint Services and Windows Small Business Server 2003, help, FAQ, forums, question, answer, advice, opinion and howto for Windows, Linux and Mac OS X:
http://www.generation-nt.com/us/installation-reconfiguration-issue-windows-sharepoint-services-windows-small-business-server-2003-help-49087492.html

So we go on our merry way until November 24, 2009.  When once again we started seeing folks hit a failure of the Intranet when they went to install the SBS box with the original media.  http://www.vistax64.com/sbs-server/264945-its-back-expired-certificate-sbs2003-install.html

The key to NOT his this again is to not use that old media

However, the scope of the SBS 2003 media affected by this issue has effectively changed. You now need to use SBS 2003 with SP1, SBS 2003 with SP2, or SBS 2003 R2 media to have a successful installation. Any older media will encounter the problem, no matter the version of SQMCFG.DLL present on CD 3.

This problem may occur if one of the following used to install the Intranet component:

1. Original CD3 Media.
2. Any SBS 2003 media that does NOT include SBS 2003 SP1 preinstalled.
3. Replacement CD3 Media obtained to replace an original CD3.
4. Downloaded versions of WSS 2.0 that contain pre sp4 versions of WMSDE

These days you can use hardware independent restores (Storagecraft) to move existing SBS 2003's to new hardware if you need to keep the box on 2k3 for line of business purposes.  If you are installing a brand new SBS 2003 refresh, check that media before you go to install the system.

From the mailbag this morning....

"Can you assist or point me in the right direction please.
I am following the MS guide v3 and have got an error with "Move Exchange Server Public Folders" section. pg40

When i right click on the public folder store and then click move all replicas I get an error as follows

An existing connection was forcibly closed by the remote host.
Facility Win32
ID no: c0072746
Exchange System Manager

I have ignored and carried on in the meantime and am currently at page 49 Migrate internal website.

I cannot find any resolutions for this error on the web.

I have tried using ADSI Edit and removed msExchSecureBindings using port 443 from the source server & checked destination but it was not set there.

Can you help? IS this a show stopper or can i ignore. we do not use the public folders here"

---------

First off the ADSIedit should work... I'd start by retracing the steps to make sure that the 443 truly is removed

A good blog post that recaps the issues is here:  http://blogs.technet.com/sbs/archive/2009/06/21/sbs-migrations-troubleshooting-moving-public-folder-replicas.aspx

PROBLEM: Public Folder Migration

RESOLUTION:

Go to Start - Programs - Support Tools - Tools and launch ADSI Edit.
>> In the left side pane expand the Configuration container.
>> Next expand CN=Configuration
>> Then CN=Services
>> CN=Microsoft Exchange
>> CN=" "your organization name here>
>> CN=Administrative Groups
>> CN=First Administrative Group
>> CN=Servers
>> CN=Protocols
>> CN=HTTP
>> CN=1
>> Right Click on CN=Exadmin and choose Properties.
>> In the Properties dialog box observed that msExchSecureBindings was set to 443
>> Removed the entry 443 from msExchSecureBindings
>> Close out of ADSI Edit,
>> Restarted IISadmin service.


That should fix the issue, if it doesn't we have additional options.....

We can workaround the issue by doing the following:

Move Content Replica back to SBS 2003
Verify Item count and size in outlook
Export to PST from outlook
Move Replica back to SBS 2008
Import PST from outlook (Do not import dupe)
Mount Blank PF database/Or delete PF Database from ADSIEDIT Manually.

Using Outlook and exporting out to PST is actually a step that many do as a safety net anyway...

The common issues that trigger public folder replication issues during migration are

Smarthost on SMTP Virtual Server
Outbound Security on SMTP Virtual Server
Outbound Port on SMTP Virtual Server
Blocked Senders list
Authentication on SMTP Virtual Server

More resources include:

842273    How to troubleshoot public folder replication problems in Exchange 2000 Server and in Exchange Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;842273
Understanding Public Folder Replication
http://technet.microsoft.com/en-us/library/bb629523.aspx
Three Part Troubleshooting Series
http://blogs.technet.com/exchange/archive/2006/01/17/417611.aspx
http://blogs.technet.com/exchange/archive/2006/01/19/417737.aspx
http://blogs.technet.com/exchange/archive/2006/01/23/417974.aspx



If you don't use public folders though you can just plow on after this step and go on and ignore the error.  It's only when you really DO use public folders that you are sweating bullets when this step doesn't work.

So plow forth my friend and let me know how the migration goes.

(Special thanks to Damian and Wayne and Jim who all contributed to this post with some very timely information to enable me to make a more complete answer for everyone)

Note to the bad guys infecting the banner ad in a web page I went to when looking for a better task/sync directly to Exchange via iPhone as mine works but my Sister's does not.

It's spelled HARMFUL.  One "L" not two.

Go back to school so you can earn a decent living and be paying for the deficit for the rest of our lives like the rest of us.

http://msmvps.com/blogs/bradley/archive/2010/02/23/building-a-custom-approve-rule-in-wsus.aspx

I'm testing a new rule.  I think I can have a check for this and check for that rule.

I have this one set for "if update rollups" and "if Exchange 2007" then auto approve.

That will give me a more granular approve rule set

I want to build a rule that automatically approves the Update Rollup category of patches for Servers.  The reason is I want the Exchange updates to get approved (remember patches on the server get downloaded but not auto installed).  It pains me/annoys me/frustrates me/saddens me when people hit issues that can be addressed by updates that are there, but not installed.  The rollup patches for Exchange are this category.  And they are not getting installed on SBS boxes unfortunately.

So here's how we do it.  We launch the native WSUS interface on the SBS 2008 box.  Click in the section of Automatic approvals and write a new automatic approval rule:

Click new rule

We're going to add a rule for a specific classification

We're going to set this rule for just the server category

Selecting the category

This is what the rule looks like

And we specify the name of the special rule

Click apply and then okay.

(testing this out at home to ensure it does what I think it will do, will report back tomorrow)

http://msmvps.com/blogs/bradley/archive/2010/02/22/tomorrow-the-quot-other-quot-patch-tuesday.aspx So by tonight you should see on your server the icon indicating that patches have been downloaded.

Click there and you can see what updates have been downloaded.

Once you've launched the Microsoft update interface click on view updates

You can then uncheck a patch if you don't want to update it.

Remember on a server the updates do not automatically install,  so you need to ensure that you

a. review and approve

b. install

And before you ask, but Susan how do you know what patches are good and which ones aren't?  In the detail of each security patch is a Known Issues section. It will document the known issues.  If there's a patch that really hurts, I'll let you know here or at www.windowssecrets.com where I write articles on Patching.  There's a great community of patchaholics at www.patchmanagement.org as well.

Description of Software Update Services and Windows Server Update Services changes in content for 2010:
http://support.microsoft.com/kb/894199

Tomorrow is the "other" patch Tuesday.  The one at the end of the month that I consider the Vista/Win7 second patch day as well as being the clean up day for the month.  It's when I look at all of those updates I said "oh I'll deal with later" and decide if I'm going to deal with them this week.  If you do not have a third party patching tool (Kaseya, Zenith, Shavlik in my case), or even if you do, you might want to review this WSUS patch on the SBS 2008 on a sample of your boxes to ensure you aren't missing patches that should be on your machines.  I also use Microsoft update on the server as another "check and verify" of what I think should be installed is actually installed.

Remember the first thing I want you to do is flip to MU.  In the Windows update window on the server, check that you are flipped to MU.  If you are not there's a tiny little message that says "Get updates for other Microsoft products.  "Find out more".

Click on the Find out more.  It launches you to http://www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us where you agree to Microsoft's terms and ensures that when you do a manual scan from the box you will get offered up the Windows, Exchange, SBS, SQL you name it patches.

But there's also the native WSUS on the box.

On the SBS console click on the last tab, the security tab.  Now click on Updates.  In this console will be the updates for ALL of the network not just the Server.  Remember there are two levels of settings on the server.  Patches for servers are automagically set to download but do not install if they are security, critical, definition updates and all Windows SBS update rollups.  Service packs are not automagically approved, nor does it appear that Exchange rollup updates are either (hmmm another blog post tomorrow night to post about how to adjust that).  Remember that in wsus the server is set to sync all products but it doesn't download all patches for all products, it's just looking to sync up all the products.

So look at this list on your server.  When you find a patch that you want to install, go up on the right hand side and click on "Deploy the update". 

 Please note that on the server for patches ON the server this only approves the update for download this will not autoinstall and reboot the box.

When you click okay, all this is doing is approving the download.  For an update that goes on the server you then need to come back at a later time after it's downloaded and then click on the windows update downloaded update icon on the desktop.

Again, don't panic, on the server this won't get automatically installed.  It will only get downloaded. 

(ergo this is one reason why on a server many times I'm lazy and just MU it up there).  But on workstations while the process is exactly the same, for these the default setting is to  approve all security, critical, definition updates and service packs, and the default is to automatically install the updates.