[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] August 2010 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA

August 2010 - Posts

Hewlett Packard NEW Datavault (Vail) and SBS MVP Kevin Royalty Roadshow - coming to a city near you! - Blain Barton's Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/blainbar/archive/2010/08/30/hewlett-packard-new-datavault-vail-and-sbs-mvp-kevin-royalty-roadshow-coming-to-a-city-near-you.aspx

Join Microsoft SBS and Home Server MVP Kevin Royalty, (Cincinnati, OH), 
for an evening Roadshow event in conjunction with Hewlett Packard that 
is focused on the “New” upcoming DataVault based on codename ”Vail”.

He will also be talking about other stuff in the HP stack for Small 
Business IT Professionals like G6 Servers, HP Laptops and more.

Free Food will be provided at All events in addition to a Special 
Discount code for All that attend in person for an HP DataVault.

New York:
http://hpdatavaultnews.com/sbs/newyork/index.html

Philadelphia
http://www.hpdatavaultnews.com/sbs/philadelphia/index.html

Tampa

http://hpdatavaultnews.com/sbs/tampa/index.html

Fort Lauderdale
http://hpdatavaultnews.com/sbs/ftlauderdale/index.html
Posted Tue, Aug 31 2010 23:48 by bradley | with no comments

http://msmvps.com/blogs/bradley/archive/2010/08/30/a-bit-of-group-policy-for-aurora.aspx

Oops I forgot a step.

One thing that SBS does for you in connect that Aurora does not is move the computer to the Organizational unit you set up.

Go into the active directory computers and users and right mouse click on that computer and...

...move it to the proper OU you set up

Again this is where you have to decide how you are going to enable group policy... in this demo I made it match exactly how SBS had set up its Organizational unit structure.  You may not want to do this.  But bottom line, move the computer to the OU so that the group policy will kick in.

Posted Tue, Aug 31 2010 12:13 by bradley | with no comments

Like any good cook you'll want to have a recipe and customize it for your own.

http://social.technet.microsoft.com/wiki/contents/articles/small-business-server-code-name-aurora-build-document.aspx

While I've started a community wiki build document for Aurora, think of what your "dish" will look like and ways you might customize it.

Posted Tue, Aug 31 2010 0:48 by bradley | with no comments

One of the things you notice upon cracking open the current beta of Aurora is that while it has the Group Policy Management Console, it does not have group policy predone for you.  Given the small network marketplace I can kinda understand why they are making this decision (but nevertheless if I were in charge of the Universe I'd have the policies preloaded but just not enforced to make it easier to use group policy should you want to).  But no worries, you can export them from SBS 2008 and put similar ones in Aurora.

Now you won't need the WSUS group policies as WSUS is not on Aurora, but you might want those handy dandy Win7 and XP firewall policies.

To export out of SBS 2008 and import into Aurora do the following:

Go down to the Group policy objects section and right mouse click on the group policies you want to export.  In this case we'll be exporting the following:

  • Windows SBS Client - Windows Vista Policy (same as Win7)
  • Windows SBS Client - Windows XP policy
  • Windows SBS Client Policy

Right mouse click and click on backup for each one.  Dump it into a folder so you can get to it.

I renamed it aurora so I know what it is

Next we want to export out the WMI filters:

  • Windows SBS Client - Windows Vista
  • Windows SBS Client - Windows XP

 

Zip up the three group policy folders and copy the zip file along with the exported MOF files that are the WMI filters and move them to a flash drive or even a skydrive (after flipping IE ESC to off on the server so you can get the file off).  Now go to the Aurora server and log into the server itself.  Ignore the warning that you shouldn't be here.

Launch the group policy management console.

Expand the group policy by clicking the arrow keys. Go down to the WMI filter section.

Right mouse click on the section and click "import"

Insert the filters you exported (and renamed)

 

You'll see that it will confirm the wmi filter

Now comes the tricky part... scroll up to Group policy objects and click on New policy

 

Enter the name... Windows Aurora Client policy and press OK

 

Now right mouse click again and "import from settings"

Now drill down to that extracted zipped up folder of policies you borrowed from SBS 2008

 

And match up the policy you want with the name you entered, click next

It will check and make sure no UNC paths are messed up (there are none)

And it reminds you you'll need to reset up the WMI filters

Keep doing that again until you've imported all three group policy settings

As you can see you've now imported all three.

Now edit the policy to limit the 7/Vista one to just 7/Vista clients by linking at the very bottom on the scope tab to the WMI filter that matches it.

Do the same for the XP group policy.

It will say "are you sure" after you've linked them.

Now comes the decision about how SBS sets up the "My business" OU

I just find it easier on my brain to make consistent OU's so I went ahead and under the domain I made an OU and then under that set up the Aurora computers

I duplicated it and link the group policies you just made to that

I then linked the policies to that Organizational unit

So they end up with an Aurora Computers OU

Finally I clicked on "enforced" by right mouse clicking in that AuroraComputers section.

And there you have it.

Next up ... a group policy preference how to for deploying mapped drives and other cool things.
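
The import, OU and link steps of this walkthrough, together with the "move the computer to the OU" step from the follow-up post, can also be scripted on the Aurora server. This is an added example, not code from the original post; the backup folder, the parent OU name, the two Vista/XP target policy names and the client computer name are assumptions to replace with your own.

```powershell
# Added example (not from the original post). Run elevated on the Aurora server.
# The GroupPolicy and ActiveDirectory modules come with the Windows Server 2008 R2 code base.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# --- Assumptions: adjust to your environment ---
$BackupPath  = 'C:\aurora'        # unzipped GPMC backup folders copied from SBS 2008
$ParentOu    = 'Aurora'           # hypothetical parent OU under the domain root
$ComputersOu = 'AuroraComputers'  # OU that will hold the client computer accounts
$ClientName  = 'CLIENT-PC01'      # placeholder computer name

# Backup display name from SBS 2008 -> GPO name to create on Aurora.
$PolicyMap = @{
    'Windows SBS Client Policy'                 = 'Windows Aurora Client policy'
    'Windows SBS Client - Windows Vista Policy' = 'Windows Aurora Client - Windows Vista Policy'
    'Windows SBS Client - Windows XP policy'    = 'Windows Aurora Client - Windows XP Policy'
}

# Return the DN of an OU directly under $Path, creating the OU if it is missing.
function Get-OrCreateOu {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
    return "OU=$Name,$Path"
}

$DomainDn    = (Get-ADDomain).DistinguishedName
$ParentDn    = Get-OrCreateOu -Name $ParentOu -Path $DomainDn
$ComputersDn = Get-OrCreateOu -Name $ComputersOu -Path $ParentDn

foreach ($entry in $PolicyMap.GetEnumerator()) {
    # Same as "New" followed by "Import Settings" in the console.
    Import-GPO -BackupGpoName $entry.Key -Path $BackupPath `
               -TargetName $entry.Value -CreateIfNeeded | Out-Null

    # Link the GPO to the computers OU and mark the link Enforced.
    try {
        New-GPLink -Name $entry.Value -Target $ComputersDn `
                   -LinkEnabled Yes -Enforced Yes -ErrorAction Stop | Out-Null
    } catch {
        # The link already exists: make sure it is enabled and enforced.
        Set-GPLink -Name $entry.Value -Target $ComputersDn `
                   -LinkEnabled Yes -Enforced Yes | Out-Null
    }
}

# Move the joined client into the OU so the linked policies apply to it.
Get-ADComputer -Identity $ClientName | Move-ADObject -TargetPath $ComputersDn

# Review the result. Import-GPO does not restore WMI filter links, so the
# Vista/7 and XP filters still have to be imported and linked in the console.
(Get-GPInheritance -Target $ComputersDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```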

XChange: Microsoft Dangles Incentives To Cloud-Wary Partners:
http://www.crn.com/news/cloud/226900062/xchange-microsoft-dangles-incentives-to-cloud-wary-partners.htm;jsessionid=iuY3ZR+JHHQTrkrsav9bAA**.ecappj02

"This isn't just about signing partners up -- we want to make sure we are assisting partners to transform their business into the world of cloud," he said.

The ongoing industry shift to the cloud is even more dramatic than resellers that made the transition to being solution providers, but the good news is that the return is much larger, noted Martorano.

"The services revenue is six times the software revenue opportunity," he declared.

=======

Do you make money off of selling Microsoft licenses?  I'm guessing not.  I'm guessing it costs you more (as it does me) to figure out the licensing nuances than you make off of it.  And I'll bet many of you still make money off of desktop services even if you aren't "all in" on the cloud.

Now mind you it looks to me that the SBSC $500 is not the cloud services $500... so check out Mark's blog for another offer:

SBSC & MSP Buzz » Blog Archive » Microsoft MDF for SBSCs!:
http://sbsc.techcareteam.com/?p=470

Posted Sun, Aug 29 2010 23:31 by bradley | with no comments

TIF, TIFF, and MDI files are no longer associated with Microsoft Office Document Imaging (MODI) after you install Office 2003 Service Pack 3 or certain post-SP3 security bulletins:
http://support.microsoft.com/kb/967055/
After you install Microsoft Office 2003 Service Pack 3 (SP3) or certain post-SP3 security bulletins, the TIF, TIFF, and MDI files are no longer associated with Microsoft Office Document Imaging (MODI).

 

This problem is resolved in the Word 2003 hotfix package that was released on February 24, 2009. For more information about the hotfix package, click the following article number to view the article in the Microsoft Knowledge Base:
967054  (http://support.microsoft.com/kb/967054/ ) Description of the Word 2003 hotfix package (Modifileassoc.msp): February 24, 2009

Posted Sun, Aug 29 2010 23:01 by bradley | with no comments

http://www.minasi.com/newsletters/nws1008a.htm

The new kindle reviews are coming in.

In reading Mark's review of the new kindle, and now two days into ownership myself, the pros of the Kindle (or any ebook reader for that matter).. is the instantaneous gratification of an immediate book purchase.

But you know the one thing I miss... and I miss this in my Zune/iTunes experience as well, something I'm going to call the "art of the analog".  I'm of that old fuddy duddy generation that actually remembers what an Album cover looks like.  And as we've progressed into our march to all digital it's the art of the covers of things that I miss the most.

Take album covers.  Even in the cd era it's hard to replace the large square area of space that could be artwork on one side, and background stories on the other. 

And sometimes it's the dumbest album covers that stick in your mind.  When I was a very little girl my Sister had an album done by Bobby Sherman.  What?  You've never heard of Bobby Sherman?  Take Justin Bieber's hair, but make him older and his voice lower and you got Bobby Sherman.  Teenaged girls would faint in his presence.

My sister had his album cover in her bedroom and it was always creeping us out as his eyes felt like they were following you around the room.  Watching you.  Needless to say the album cover would invariably end up on the bottom of the stack or flipped upside down so as to not weird us out.  Then there were the fold out inserts that were near book-like in their detail of the album.  CDs came close to duplicating that insert experience, digital just doesn't have liner notes.  Oh sure Zune can have a link to a review, or album info, but it doesn't compare to pulling out the glossy insert and reading while the music you just purchased enters your ears.

And then there's the art of the front of the book.

The one thing I notice I miss the most when moving to e-readers is the cover of a book.  No more than 4 inches wide and 6 inches tall at times, it would give a glimpse into the magic of what lay ahead.  I remember when I was a teenager, during summers I would read books.  One summer was the "classics" summer and I tore through The Count of Monte Cristo, the Three Musketeers, Sense and Sensibility, Pride and Prejudice and so on.  But there was one book that I just never got into.  Great Expectations.  I still remember to this day that unlike my paperback versions of The Count of Monte Cristo and the other classics that had merely one dramatic color image of the action that lay inside in the book and in my imagination, Great Expectations had a white and black pencil sketch cover.  I just never could get excited about that book because the cover just never drew me into the story.

Shallow isn't it? 

Of course the image of Miss Havisham, rats and a dining room table may have lessened my zeal for Dickens as well.

So the digital lifestyle has a different and very good experience... but I'd still say that analog still has elements in it that just can't be replicated in electronic ink.

Not yet anyway.

Posted Sat, Aug 28 2010 23:53 by bradley | with no comments

Third Tier offering Technical Training at SMBNation PreDay Event! :: Third Tier:
http://www.thirdtier.net/2010/08/third-tier-offering-technical-training-at-smbnation-preday-event/

Planning to go to SMBnation?  Consider one of the preday events.  In addition to Karl's cloud sessions (see http://www.smbbooks.com/index.php?option=com_flexicontent&view=items&cid=48:seminars&id=140:walking-into-the-cloud&Itemid=89) Third tier will be having a deep technical preday event.

Check it out!

Posted Sat, Aug 28 2010 23:49 by bradley | with no comments

I didn't expect that my newly received Kindle would know I bought it.

It's already called "Susan's Kindle", it's hooked to my Amazon account and recommends a combo of security books and "chick flick" books.

Kinda cool but kinda creepy that it already knows who I am and what I read because it's prelinked to my Amazon account.

So I gotta ask.. is there a password on here or is there some other magic mumbo jumbo under the hood?

Rational Survivability: Amazon's Kindle: Some Interesting Security Thoughts:
http://rationalsecurity.typepad.com/blog/2009/02/amazons-kindle-some-interesting-security-thoughts.html

Ah I see someone else who works in cloud security has thought of this prior to me.

Robert Crane has started up a new podcast series and we kick it off with chatting about XP, Security, Microsoft security essentials, and the new betas in the house.

Computer Information Agency - Need to Know Podcasts:
http://www.ciaops.com/n2k

Check it out

Posted Thu, Aug 26 2010 23:51 by bradley | with no comments

Event ID 4107 or 11 is logged in the Application Log in Windows Vista or Windows Server 2008 and later:
http://support.microsoft.com/default.aspx?scid=kb;en-us;2328240&sd=rss&spid=14498

On a computer that is running Windows 7 or Windows Server 2008 R2, an error that resembles the following is logged in the Application log:

ME:  Resembles?  Resembles?  How about driving me insane it's logging so much in the Application log!

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 4107
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Or, on a computer that is running Windows Vista or Windows Server 2008, an error that resembles the following is logged in the Application log:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: Date and time
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Computer name
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

This error occurs because the certificate "Microsoft Certificate Trust List Publisher" expired. A copy of the expired certification exists in the CryptnetUrlCache folder.

ME:  No kidding we kinda figured that one out but don't know how to fix this.

To resolve the problem, follow these steps:

ME:  Oh maybe please this sounds promising....

  1. Start a command prompt. To do this, click Start, click All Programs, click Accessories, and then click Command Prompt.
  2. At the command prompt, type the following command and then press ENTER:
    certutil -urlcache * delete
    Note If the expired certificate is cached in the system profile, you must run the certutil command in the system context. To do this, follow these steps:
    1. Download the PSExec tool from the following Microsoft Web site:
      http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    2. Extract the tool.
    3. Start a command prompt and change to the directory where you save PSExec, and run the following command:
      psexec -i -s cmd.exe
    4. Run the certutil -urlcache * delete command

ME: Oh wow look at the certs that just got expired off and....

...and.. please oh please make this stop...and...

<sigh>

Nope still occurring. 

http://social.microsoft.com/Forums/en/partnerwinclient7rc/thread/ad5ac163-3566-4fad-95a7-e4e34ae1c4a3

Hang loose I'll keep you posted.

P.S. the command is psexec cmd.exe -i -s and then another window pops up
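
To check whether a cache purge actually stopped the errors, count the CAPI2 events per hour and compare the last occurrence with the time the certutil command was run. This is an added example, not part of the KB article or the original post; the seven-day look-back window is an assumption.

```powershell
# Added example: hourly count of the CAPI2 errors (Event ID 4107 / 11) discussed above.
$since = (Get-Date).AddDays(-7)   # assumption: look back one week

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4107, 11
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    # Keep only the root-list failure, not other CAPI2 errors with the same IDs.
    Where-Object { $_.Message -like '*authrootstl.cab*' }

if (-not $events) {
    "No CAPI2 4107/11 authrootstl.cab errors since $since"
    return
}

# Errors per hour: a run of hours that ends after the purge means the fix held.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count

# Timestamp of the most recent error, to compare with when the cache was cleared.
$last = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
"Last occurrence: $($last.TimeCreated) (Event ID $($last.Id))"
```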

One of the questions I've seen come up regarding the technical issues regarding SBS Aurora is where is the DHCP on the box.

Well it's on "a" box but not on Aurora as it will be shipped.  And the reason is that Aurora's intent is to be the first domain server after a peer to peer setting and that DHCP will be on the router/firewall.  To make the transition easier, on Aurora you don't have to change the router at all: the server will have a dynamic IP and pick up the IP address from the router.

That doesn't mean you can't install it and enable it just like it is in SBSv7.  In fact it will be an item we'll be documenting in the Aurora build document. 

But to make it a painless transition from peer to peer Aurora will assume the DHCP is turned on the router. 

QuickBooks Support - Error: Qbw32.exe or AVMTimer:qbw32.exe application error, or QuickBooks has stopped working:
http://support.quickbooks.intuit.com/support/Pages/KnowledgeBaseArticle/899185

.net mangles Quickbooks

QuickBooks 2010 R8 : Practical QuickBooks:
http://qbblog.ccrsoftware.info/2010/08/quickbooks-2010-r8/

R8 is the release that will fix it.

Posted Wed, Aug 25 2010 18:15 by bradley | with no comments

Update for Windows Server 2008 R2 x64 Edition (KB2264080)
Install this update to resolve a set of known issues with Hyper-V. For complete details of this update, see the associated Knowledge Base Article. After you install this item, you may have to restart your computer.

Got HyperV?  Get that rollup that includes all the needed hotfixes to have a stable R2 HyperV box.

Posted Tue, Aug 24 2010 23:06 by bradley | with no comments

Metasploit: Exploiting DLL Hijacking Flaws: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

Application DLL Load Hijacking « Rapid7 Network Security Blog: http://blog.rapid7.com/?p=5325

http://threatpost.com/en_us/blogs/hd-moore-windows-dll-vulnerability-082310?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

http://threatpost.com/en_us/blogs/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

From the "patching is not enough" category is this latest issue, on which MS has released a security advisory.

http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

From the blog by HD Moore

While working on the Windows Shortcut exploit, I stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. I was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The Acros advisory on the 18th threw a wrench into this process. I contacted Acros and asked whether they were aware that this problem affected other applications and whether they would like to coordinate the disclosure process. The reply is quoted below.

“I don’t know if you saw the draft of our new commercial disclosure policy, but we essentially gave up on alerting vendors for free. We’ve been providing free research to them for over 10 years and it hasn’t paid out well. What you’re seeing on Bugtraq now are the “remains of the old days,” so to speak :-) We’ve found better markets for this kind of information. To answer your specific question: no, we have not reported any issues in the products you mentioned – and have no intention to, should we come across one. So if your goal is to get credited for alerting them, you have nothing to worry about. I hope it pays off for you. As for the public status of this class of problems, it has been public for at least 10 years now (see the “ancient” NSA Windows NT security guide) and some developers were obviously not aware of it.”

Whoa...nice guys there Acros.

I'm still digesting figuring out what plan of action (if any) I will be doing.

Posted Tue, Aug 24 2010 17:25 by bradley | with no comments

Phishing Likely Behind Reports of iTunes Security Hole | John Paczkowski | Digital Daily | AllThingsD:
http://digitaldaily.allthingsd.com/20100823/the-real-itunes-fraud-vulnerability-gullible-users/

I would be so bold to say that I am a savvy person, and I know I have not clicked on any phishing scams.  I can also say that I scanned all of the computers in my possession and short of some new backdoor that is unknown, I challenge the view that this issue is bot related.  If so ...why in the world take "just" the iTunes access?

I did have my paypal account hooked to the iTunes.  Mind you it was relatively recently that I had hooked it to Paypal in a mistaken idea that that was safer than having my credit card in there.  So I challenge the idea that this is my fault and gullible users were at play here.

"Phishing likely behind reports of iTunes Security hole"

http://www.pcworld.com/article/203979/itunes_scam_how_to_protect_yourself.html?tk=hp_new

 iTunes users often don't know how their accounts were compromised, but it seems that many are simply handing out their user names and passwords without realizing it. Sometimes, they're doing so in hopes of getting a good deal -- by buying unauthorized iTunes gift codes online, for example.

Sorry folks I didn't drop off the turnip truck yesterday.  I had mine hacked for $60 via paypal and phishing was NOT behind my issue.  Now then apple does send an email when your password is reset. 

Bottom line there is 'something' still at play here and Phishing is so not it.  I know what I click on, I know what I enter, I do not buy iTunes gift codes online.  Keep digging journalists out there because you are doing a disservice to your readers to keep blowing us off.

Want to learn more about Small Business Server Code Name “Aurora”? - The Official SBS Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/sbs/archive/2010/08/23/want-to-learn-more-about-small-business-server-code-name-aurora.aspx

Download the videos there...

https://connect.microsoft.com/sbs

Go there

https://connect.microsoft.com/programdetails.aspx?ProgramDetailsID=2292

If you don't have a LiveID sign up there - https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1282630963&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2Fconnect.microsoft.com%2Fprogramdetails.aspx%3FProgramDetailsID%3D2292&lc=1033&id=64416

Now once you are signed up go to https://connect.microsoft.com/sbs

Ensure you are signed in with your LiveID

And now you should be able to click on this link and get into Aurora's download

https://connect.microsoft.com/SBS/Downloads/DownloadDetails.aspx?DownloadID=30362

If you don't see

Title Windows Small Business Server Code Name 'Aurora' Preview
Release Date 8/16/2010
Size 4,842.05 MB
Version
Category Build

Then you didn't sign in with LiveID.  Holler if you have issues getting into the beta.

Posted Mon, Aug 23 2010 23:20 by bradley | with no comments

One more part to finish off our Fairy tale of DSRM passwords and domain admin accounts and kingdoms.

When you log into dsrm mode you may fail to remember exactly HOW you are supposed to log in. 

When you get to the login window, don't forget you are no longer the second King to the Kingdom but the first one.... so you don't log in as Domain\Administrator name but rather use .\Administrator instead as it wants the machine name, not the domain name when logging in.

Yes, that's a period there, then a slash, then the admin account.

Posted Sun, Aug 22 2010 23:59 by bradley | with no comments

http://msmvps.com/blogs/bradley/archive/2010/08/21/once-upon-a-time-about-7-years-ago.aspx

We're revisiting our Fairy tale because we have a different ending to tell for SBS 2003 that came to light when discussing the issue with other members of the Kingdom.

Remember in SBS 2008 SP2 in order to set up the sync task to sync up the DSRM password and the Domain admin password we have to set up a scheduled task.  The key point for SBS 2008 is that you have to have SP2 -OR- the hotfix I linked to.  If you already have installed SP2 you have the item you need to sync 'any' account to the DSRM password.  The local admin normally syncs, in SBS 2008 you want to hook it to the secondary account set up by the install routine.  While it does this upon first install, to make your life easier, set up the task to keep it sync'd after that..  The good news is we don't mess up SBS boxes like we used to and don't need this password as often.

For SBS 2003 however the evil spell was broken a bit earlier than I thought. 

There's a file called dsrestor.dll that got updated with Windows 2003 SP2.  SBS 2003 post SP2 will continue to sync the Domain admin password and the DSRM admin password and in fact uses a slightly different means than Windows 2008 to keep the two passwords sync'd.

So there you have it... SBS 2003 syncs already... in SBS 2008 you can set up an easy task to keep them in sync after they are set the same at the first install.

Posted Sun, Aug 22 2010 21:56 by bradley | with no comments

Need wifi where there is no wifi?  Need it on the basis that you need?  I didn't realize that they are now bundling the mobile broadband on a pay as you go basis.

Great for those times you just need something...and then the rest of the time when you don't.

Posted Sun, Aug 22 2010 16:56 by bradley | 1 comment(s)