[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] August 2010 - Posts - THE OFFICIAL BLOG OF THE SBS DIVA


Now trying this:

The Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list. It is possible there are corrupt files in the temporary directory. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp. 

Please go to an affected workstation and clear the contents of the temporary directory.

In addition, the correct permissions must be applied to the temporary directory in order for the cabinet file to install correctly:

Navigate to %userprofile%\AppData\Local\Temp.

  1. Right-click the temporary directory, and then click Properties.
  2. Click the Security tab.
  3. Ensure that the user account logged on to the computer has Full Control permissions.

Event ID 11 — Automatic Root Certificates Update Configuration

Then check if the error still occurs.

To see if it gets rid of this:

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          8/22/2010 3:06:21 PM
Event ID:      4107
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      BITZIEVISTA
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">4107</EventID>
    <TimeCreated SystemTime="2010-08-22T22:06:21.662671200Z" />
    <Correlation />
    <Execution ProcessID="1304" ThreadID="7324" />
    <Security />
    <Data>The data is invalid.


This didn't work. Still searching for what this is and why this is; for now, try to ignore this.

This blog post courtesy of Kevin James, SBS MVP

Now let's do our DSRM password sync a different way...


Use Group Policy Preferences to deploy a scheduled task targeting only Windows 2008 and Windows 2008 R2 Domain Controllers.



Windows Vista or Windows 7 with RSAT


Server 2008 or 2008 R2 Full with GPMC tools.


For this example we will be using Group Policy Preferences to deploy a scheduled task to all domain controllers. The objective of this task is to automatically synchronize the Directory Services Restore Mode password with a selected domain account. In this example the default domain administrator account will be used. The command is supported only on:

· 2008 SP1 with KB322672

· 2008 SP2

· 2008 R2


Step 1. Group Policy Object creation

Using the GPMC, create a new Group Policy Object. In this example it is named DSRM Sync.

Step 2. Scheduled task creation

· Select and right-click the new policy object and select “Edit”.

· Expand Computer Configuration, Preferences, Control Panel Settings.

· Select “Scheduled Tasks” and right-click to create a new scheduled task.

Step 3. Scheduled task core configuration

· Select “Create” in the Action drop-down box. This action will initially create the task on the selected computers.

· Enter the task name in the “Name:” section. In this example “DSRM Password Sync” is used.

· The command this example uses is ntdsutil.exe, entered in the “Run:” field.

· Provide the necessary “Arguments:” to the image being run. In the example the complete image execution arguments are:

"set dsrm password" "sync from domain account <AccountName>" q q

Note: Proper execution of this command requires the quotes as shown, with <AccountName> replaced by the name of the domain account that is to be the password sync source.

· Set the “Start in:” directory to %systemroot% and include optional documentation in the “Comments:” section.


Step 4. Supply task execution credentials

· Select the “Run as” checkbox and provide a domain username the task will use. In this example, an account with domain admin membership is needed.

· Enter the password in the “Password:” and “Confirm Password:” fields.

Step 5. Configure task run schedule

· Select the “Schedule” tab.

This example configures the task to run at 1:00:00 AM daily.

Step 6. Configure execution limitations

· Select the “Settings” tab.

This task is expected to complete very quickly, and the example configures the task to stop if it runs for 5 minutes.


Step 7. Enable item-level targeting

· Click on the “Common” tab.

· Check the “Item-level targeting” check box.

· Click on the “Targeting…” button.

Step 8. Add 2008 Domain Controller item

This example will target Server 2008 and Server 2008 R2 Domain Controllers.

· In the “Targeting editor” window, click “New Item” and select “Operating System”.

· In the lower section of the targeting editor window, select the “Product” Windows Server 2008.

· Select the “Computer Role” of “Domain Controller”.

· Repeat this process, adding another “New Item” Operating System, this time using the “Product” “Windows Server 2008 R2” and the “Computer Role” of “Domain Controller”.

Step 9. Configure the Item Options “OR” conditional

· Select the second item and then click on “Item Options”.

The example's desired targets will be Windows 2008 Domain Controllers OR Windows 2008 R2 Domain Controllers.

· Choose the “Or” (F6 shortcut) item option.

· Click on “OK”.

· Click on “OK” at the “New Task Properties” window.

This completes the Scheduled Task Group Policy Preference configuration.


Step 10. Review the new GPO

Review the configuration and close the Group Policy Management Editor window.

Step 11. Link the GPO to the Domain Controllers OU

The new Group Policy object is ready to be linked to the desired Active Directory OU. Typically this would be linked to the “Domain Controllers” OU.

· In the GPMC, select the Domain Controllers OU, right-click and select “Link an Existing GPO”.

· Select the DSRM Sync Group Policy Object and click “OK”.

This completes the Scheduled task group policy preference configuration.

Step 12. Verification of deployment and operation

After the targeted domain controllers refresh group policies, examine each server's Scheduled Tasks list.

In the example below the Domain Controller has received the new scheduled task and the “last run result” reported a successful completion.
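
One way to script the Step 12 check across every domain controller, as an added example that is not part of the original walkthrough. It assumes PowerShell 2.0 or later, English-language schtasks output, the task name from Step 3 and remote access to each DC; the function names are hypothetical and the sample output at the end is constructed.

```powershell
# Added example (not from the original post): audit the DSRM sync task on each DC.
# ASSUMPTIONS: PowerShell 2.0+, English schtasks output (field names are localized),
# remote Task Scheduler and event log access, and the task name from Step 3.
$TaskName = 'DSRM Password Sync'

function ConvertFrom-SchtasksList {
    # Parse "schtasks /Query /V /FO LIST" output into a hashtable. LIST is used
    # rather than CSV because the task arguments contain double quotes.
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):\s*(.*)$') {
            $key = $Matches[1].Trim()
            # Keep the first value; tasks with several triggers repeat each field.
            if (-not $props.ContainsKey($key)) { $props[$key] = $Matches[2].Trim() }
        }
    }
    return $props
}

function Test-DsrmSyncTask {
    # Return 'OK', or a description of what is wrong with the parsed task.
    param([hashtable]$Task)
    $problems = @()
    if ($Task['Task To Run'] -notmatch 'ntdsutil') {
        $problems += 'does not run ntdsutil'
    }
    if ($Task['Task To Run'] -notmatch 'sync from domain account\s+\S+') {
        $problems += 'missing "sync from domain account <AccountName>"'
    }
    if ($Task['Last Result'] -ne '0') {
        $problems += "last result is $($Task['Last Result'])"
    }
    if ($problems.Count -eq 0) { return 'OK' }
    return ($problems -join '; ')
}

function Get-DsrmSyncStatus {
    # Query the task and the newest DSRM password-set event on each named DC.
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $task  = @{}
        $state = 'task not found or DC unreachable'
        $lines = schtasks.exe /Query /S $dc /TN $TaskName /V /FO LIST 2>$null
        if ($LASTEXITCODE -eq 0 -and $lines) {
            $task  = ConvertFrom-SchtasksList $lines
            $state = Test-DsrmSyncTask $task
        }
        # Security event 4794 records an attempt to set the DSRM administrator
        # password; it is only logged when account management auditing is on.
        $evt = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'Security'; Id = 4794 }
        New-Object PSObject -Property @{
            DC = $dc; Status = $state
            RunAs = $task['Run As User']; LastRun = $task['Last Run Time']
            LastDsrmSet = $(if ($evt) { $evt.TimeCreated })
        } | Select-Object DC, Status, RunAs, LastRun, LastDsrmSet
    }
}

# Offline check with constructed sample output (not captured from a real DC).
# The sample reports a non-zero last result so the failure path is exercised.
$sample = @(
    'HostName:                             DC01',
    'TaskName:                             \DSRM Password Sync',
    'Last Run Time:                        8/22/2010 1:00:00 AM',
    'Last Result:                          1',
    'Task To Run:                          ntdsutil.exe "set dsrm password" "sync from domain account Administrator" q q',
    'Run As User:                          EXAMPLE\Administrator'
)
Test-DsrmSyncTask (ConvertFrom-SchtasksList $sample)

# Live run against every DC in the current domain:
# $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
#            ForEach-Object { $_.Name }
# Get-DsrmSyncStatus $dcs | Format-Table -AutoSize
```

Review the RunAs column as well: the password typed in Step 4 is stored, reversibly encrypted, with the preference item in SYSVOL, which is why Microsoft later removed the password fields from Group Policy Preferences.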



Posted Sat, Aug 21 2010 23:20 by bradley | with no comments

Once upon a time in a land far far away...there was a castle with two Kings.

One King was born before the other one and ensured that all in the Kingdom were safe in case something bad happened. 

The other King ran the Castle.  The two Kings shared all their most key secrets including secret information known only to the Kings.  Things like secret passwords.  They ensured that these passwords were kept in sync so should the people of the kingdom come to them one day they wouldn't have to guess at what the secret passwords were.  The Kings would share these passwords to ensure that the Kingdom was never put at risk.

Then one day an evil spell was cast over the Kingdom. 

This evil spell separated the two Kings.  No longer were they able to share the secret information they once did.   

The Kingdom was kept in this state for many years.  There were times that the people of the Kingdom went to the one King and they couldn't access what they needed to. 

Then one day the spell was broken.  A fairy godmother broke the evil spell and put back the ability to the two Kings to share their secret information. 

To make sure that the two Kings always kept the secret information like passwords safe, she gave the people of the Kingdom the power to prevent this evil spell. All they had to do was say the words "Abra Cadabra, bibbity bobbity boo, I see a KB, what about you?"

(Okay so maybe I was watching the movie Enchanted on TV, a bit too much tonight)

A long time ago... or rather about seven years ago, which is a long time ago in computer years... Windows 2003 had the ability to sync up on a regular basis the DSRM admin's password with the Domain Administrator password.  Why is this important?  Because if you need to do a system state restore or restore a DC you need to log into Directory Services Restore Mode... and here's the kicker... you need to remember the DSRM Admin password.  What is this DSRM password?  It's a password entered by you when you make a server a DC.  Now, for "normal" servers where you've dcpromo.exe'd a thousand times you know the screen I'm talking about where it asks you to set the DSRM password.  In the SBS world however, you don't because the dcpromo process is done for you.

In the SBS install routine (and this is true for Aurora, EBS, and SBS) the DSRM password is set to the same value as the Domain admin password you initially set.  SBS 2003 pre-SP1 used to have a routine that automatically synced the DSRM password up with the Domain Administrator password so at all times, that DSRM mode password was one and the same as the Administrator password.

When Windows 2003 sp1 came out that added more security, this feature was 'broken' and no longer sync'd.  So that DSRM password was the first password you set on the server, but thereafter, it never synced again.  Now if you don't know it... there is a way to reset the DSRM password, but life is easier with this autosync in place.

Now...here's where the fairy breaks the evil spell.  http://support.microsoft.com/kb/961320 puts the feature back.  If you have SBS 2008 and you've applied SP2 you have the bits under the hood to set a scheduled task to automatically sync these two passwords back again.

In SBS 2008 (or Aurora, or SBS v7), enter the following sync command: ntdsutil "set dsrm password" "sync from domain account <AccountName>" q q

The <AccountName> should be the Domain Administrator account name.

Go into the computer and launch the task scheduler

On the right hand side we want to create a task

We call it something

We set a schedule.. once a month..once a week, something reasonable to resync the passwords

Confirm the schedule


You will start a program

And it's brilliant enough to parse it for me.

And enter it in properly

And there ya go.  The two Kings... uh.. I mean the DSRM admin account and the Domain Admin account will now sync up their passwords to each other.

Migration Preparation Tool (SourceTool) fails to update the schema on the source server:

The Terminal Service Gateway may randomly disconnect machines:

SBS 2008 Installation on Hyper-v Server fails with an Error "The User Role Cannot be found. Select a different User Role":

SBS2008: Windows SBS Console may crash because of incorrect Environment Variables:

Posted Sat, Aug 21 2010 0:33 by bradley | with no comments

From the SBS2k list came an interesting question regarding whether Aurora counts the Administrator account and any vendor app accounts in its 25-user limit.

Good question.

Hmmm I don't think so but it's one of those questions ...and others like it that you can probably get answered in the http://connect.microsoft.com/sbs Aurora beta sign up where you can also sign up for the Aurora newsgroup/forum.

For the record... just for grins I added 25 users via the console and 3 pretend vendor app accounts.  I don't see it freaking out.  But again a question best asked in the forum - https://connect.microsoft.com/SBS/community/discussion/richui/default.aspx

SeanDaniel.com - Home, Small Business Server and Related Technology: Our first Aurora add-in, which also works on Vail:

What concerns me a bit with all the new SMB servers coming to pass is that it's going to get confusing as to what works with what server.  I'm seeing folks working and building things for "Aurora" and shortening it to the slang of "SBS".

Just to be clear there are two SMB servers coming out.. one is 1/2 premises, 1/2 email/Sharepoint in the cloud, the other is the traditional on premises SBS with Exchange/SharePoint on the DC.  Aurora shares the same console code with Vail (aka the next version of Home server), but SBS v7 does not.  Thus console add ins for Aurora won't work at all in SBS v7.  So when people start talking about SBS these days be sure you are clear which one they are talking about.

http://go.microsoft.com/?linkid=9738897 There's a nice product overview comparing the two servers that showcases better this difference between the two upcoming products.

Posted Thu, Aug 19 2010 23:31 by bradley | with no comments

A Guide to Troubleshooting Outlook Certificate Warnings/Authentication Prompts in SBS 2008 - The Official SBS Blog - Site Home - TechNet Blogs:

Normally when you see "I'm getting prompts from Outlook", we knee-jerk say to install rollup 8 or later or SP3.  But you can see from that blog post there are lots more reasons for it.


Posted Thu, Aug 19 2010 23:18 by bradley | with no comments

With Vail and Aurora, Microsoft Throws a Curveball to Small Businesses:

"So Aurora may seem like the obvious choice for most small businesses. And that's true, except for one wrinkle: Aurora can't be added to existing domains. If you go the Aurora route, you can do so only for new domains. Vail, which operates outside of domain management, is in this way a better choice for in-place, departmental storage, as well as those smallest of small businesses."

Paul, dude, I do not get why you are so stuck on this.  Aurora is "just" active directory.  When you keep saying it can't be added to existing domains you are missing that it's "just" AD.  Now then if you are thinking that this might be a good fit for SBS 2003 upgrades that never moved to SBS 2008 because they were smaller and didn't need the beef of 2008, you are probably right.

Now .. I think what Paul is thinking is that you can't do an inplace upgrade from SBS 2003 to Aurora and he's right.  You can't.  Aurora is a 64bit based OS and honey, there ain't no inplace upgrade from a 32bit OS.  And you also can't just expect that Exchange 2003 is just going to magically leap from SBS 2003 into the cloud.  Ever looked at a BPOS migration from an existing Exchange deployment?  It needs someone helping the business to migrate  ..again.. you'll be following a checklist of some sort to be determined to get information and users off of a SBS 2003 to an Aurora domain.  Also it has to be the primary domain controller and hold the FSMO roles (so does SBS remember).  You could have additional DCs in an aurora domain as long as they didn't hold the FSMO roles.  Somewhere I think I saw it said that the answer file would need to be utilized to deal with the 'join domain' thing but I can't find the cite now.

Furthermore there has always been the long-running argument regarding whether, at the less-than-10-user level, a clean domain is the way to go anyway, just redesigning the network when a hardware change-out occurs.  You WILL need to have a router that does DHCP rather than having DHCP on the SBS box.  You will be reconfiguring... so you may just want to rebuild the network, especially if you didn't set up the old one in the first place.  But this "you can only do Aurora for new domains" is not acknowledging that with SBS 2008 now we're dealing with moving from 'a' box to another 'a' box and it's not easy moving ANYTHING let alone reconfiguring workstations and what not.

There's no wrinkles here, no curveballs, just choices and full employment for Jeff Middleton and his domain design advice should you be as confused as Paul is.

Intel's McAfee buy is a Buffett-like play - Aug. 19, 2010:

seen on a listserve... a joke at McAfee's expense...

Headline read:  Intel acquires McAfee - $7.6B in cash

And the response was

"Hi Bear.  Wow!  It's worth at least 10 times that!  Oh.... wait....that's a "B" for Billion not an "8" as in $7.68 in cash  ;-)"


Joke by RC White

Posted Thu, Aug 19 2010 17:47 by bradley | with no comments

I'm stealing this grid as it's a nice recap of the differences...

Sign-up for the Beta of SBS ”7” and SBS “Aurora” - Welcome to the US Partner Skills Development TS2 Team Blog - Site Home - TechNet Blogs:

Posted Wed, Aug 18 2010 23:51 by bradley | with no comments

Every time I connect to the server or desktops from my Windows 7 laptop via RWW, the remote window is cropped - to view the edges I must use scroll bars. This happens no matter what screen size I choose in options - from smallest to full screen.  When I connect via default.rdp, the window has no scroll bars.  What setting is needed to make the (more convenient for remote) RWW interface display properly?

Merv Porter says...
From another forum....
I had the same issue - turns out it's the zoom level that you have set on IE8 that's causing the resolution to go haywire. check out this page -
Basically to save you time so u don't have to read the page, there's a zoom level that's indicated at the bottom right of Internet Explorer 8. Mine was set to 150%, make sure it's set to 100%. Then you will have no problem. Hope this fixes your problem.


Posted Wed, Aug 18 2010 22:55 by bradley | with no comments

*Recover Sage PeachTree Accounting passwords*

Advanced Sage Password Recovery <http://www.elcomsoft.com/asapr.html>

New product is now available: *Advanced Sage Password Recovery* <http://www.elcomsoft.com/asapr.html>, a Windows tool to display Admin and user passwords to *Sage Peachtree Accounting* software as well as recover or replace passwords protecting *Sage ACT!* documents. Advanced Sage Password Recovery works instantly, replacing or displaying the passwords in plain text in just a moment. Advanced Sage Password Recovery supersedes Advanced ACT Password Recovery, a tool to instantly recover or replace passwords protecting databases created with ACT! Personal Information Management software manufactured by Sage.

Announcing Windows SBS Codename Aurora Preview Availability - The Official SBS Blog - Site Home - TechNet Blogs:

Just posted this to the SBS2k listserve and thought I'd reblog it here:

More on SBS Aurora Playing Nice With OCS : The OCS Insider:

*"Aurora cannot be added to an existing AD domain. It must create a new one.* Microsoft intends Aurora for NEW businesses only. And this is how they make that clear."

Per discussions with folks on the SBS team there will be a migration story.

"I'm sure there will be an OCS option within SBS Aurora when it's released. Whether that's a plugin to run it directly through the dashboard, or a cloud-based app to connect the two."

(Jaded SBSer who has bugged and asked for a lighterweight Live communication server for YEARS now with no one from the OCS team seeing a marketplace in SMB)   I'm honestly not so sure.  It will only happen if you start asking your MS contacts to have the OCS team build one or your vendors that you get hosted OCS from.

IMHO it's dumb to think that an on premises OCS is feasible for aurora... OCS on paper wants 3 servers.  So I'd be looking at hosted OCS and I'd be asking your vendors that provide hosted OCS to download the Aurora SDK and start thinking of building a plug in.   In fact anything that you'd like to see added and extended, think of a vendor that could do that and ask them to take a look at Aurora Server.

Posted Mon, Aug 16 2010 12:20 by bradley | with no comments

Volume Licensing Service Center:



Posted Mon, Aug 16 2010 12:09 by bradley | with no comments

From the connect site comes the email....





We are very pleased to announce that today the Preview of Windows Small Business Server Codename “Aurora” is available for download.

Windows Small Business Server Codename “Aurora” is part of the greatly anticipated next generation of our award winning Windows Small Business Server, and represents a significant departure from our traditional on premise version because Aurora will be Microsoft’s first server to deliver both on premises and cloud computing capabilities for small businesses.

We believe that most small businesses need a server; however not all of them know it yet. That is why we designed Aurora, which is the ideal solution as a first server for those millions of Small Businesses worldwide that have less than 25 users and are still using a peer to peer network or have no network at all.

For those businesses, Windows Small Business Server Codename “Aurora” provides a cost-effective and easy-to-use way to simplify those businesses’ IT infrastructure, reduce cost and spend more time focusing on core business’ needs and less time worrying about their IT.

Aurora offers small businesses the help they need to ensure their data is safe through advanced backup and file restoration features. Aurora’s users can quickly set automatic, daily backups of every computer and server on the network and if problems with files arise, the customers will be able to restore individual files, folders, or an entire PC or server with simple recovery tools.

In addition, we are giving our users the power to utilize their files and documents to address business challenges even when they’re away from the office. By using a personalized web address, Aurora’s users will also be able connect to the server from virtually anywhere and access their computers and documents from any common web browser.

Finally, Aurora offers our customers the possibility to run their critical line of business applications on a stable, reliable platform based on Windows Server 2008 R2.

If these on premise functionalities are not enough, Windows Small Business Server Codename “Aurora” is a true “bridge to the cloud” designed to integrate between on-premise and online services and to use pay-as-you-go online services to extend the server functionality without increasing workload and maintenance needs. To learn more about the next version of Windows Small Business Server, visit our SBS site.

The beta release is available on our connect site and can be downloaded now. If you haven’t already signed up for the preview, you can visit our connect site and get signed up. We have setup a connect feedback form to capture your reaction to the product, bugs and suggestions as well as a newsgroup where you can discuss the preview with other testers.

Additionally, we have posted a version of our Windows Server Solutions SDK for those that are interested in developing add-ins for “Aurora”. The SDK can also be found on our connect site in the download section.

For Windows Small Business Server Code Name “Aurora,” the SDK provides a toolset to extend the platform, develop server and client add-ins, and provides customized interoperability with cloud services. Partners can develop integration components for new and existing cloud services for Windows Small Business Server Code Name “Aurora”

The SDK provides the following content:

· API references that help you understand all the API elements that can be used to extend and manage Windows Small Business Server Code Name “Aurora”

· How-to documents that help you to understand how to build add-ins

· Templates that help you build add-ins with Visual Studio 2008

· Samples that provide examples of complete add-ins

So what are you waiting for? Join the site, download the preview and start testing with us!


If you have not given feedback to Microsoft regarding the VLSC web site in the last six months, please... take the time, fill out this survey and give feedback.


Yes it sucks that they didn't ask before they made all the changes, yes it sucks that they've been offline all weekend, but now's your chance to say what you need from the VLSC web site.

Posted Sun, Aug 15 2010 14:25 by bradley | with no comments

Hey.  What can I say.  I've been a SBS customer since 4.0.  The blog is called SBS Diva.  So that means I kinda have this kinda cheerleader attitude about this SMB solution.  And you can tell that the new kid on the block, code named Aurora with an on premises server and cloud based SharePoint and Exchange is getting closer to a public beta because they've let the journalists kick the tires and have access to the beta.

And as they do, here come the articles.

A closer look at the next Microsoft Small Business Server | Windows - InfoWorld:

First off... Aurora is another SMB server but technically it's not the next Small Business Server.  There is truly a SBS v7 (aka based on Windows Server 2008 R2 with Exchange 2010, SharePoint 2010 and all that) in the works.  So I'm trying to keep myself from being nitpicky when journalists say that Aurora is the next Small Business server.  Technically speaking it's not.  It's a new kid on the block.  It maxes out at 25.  SBS v7 still supports 75 users.  So don't freak out the SMB var/vap thinking that the "next" version of SBS doesn't support as many users.  Aurora takes the place of the under 25 seat SMB server and makes it so that you can put it on lighter weight servers because the heavy needs of Exchange are off the box.

Next... the line about every SBS/SMB server that kills me: "which is meant to allow small businesses to stay focused on their core competencies rather than becoming technology experts or spending a small fortune to hire IT experts."

On the one hand Microsoft says that they sell more stuff from Partners... and then they let journalists make comments that IT consultants/partners are too expensive and shouldn't be hired or will be put out of business tomorrow.  It's a confusing, choice-ridden marketplace out there and small businesses are still looking for help with this "thing" called technology.  What you should say is that "Aurora is meant to be another small firm solution option that a consultant can choose to deploy for a firm".

Even with SharePoint and Exchange off the box, I'm not convinced that technology is dumb enough yet to be able for the average business owner to go to the store, plop it in and it will just work.  To get the server talking to the web talking to the email syncing with the email sharing the calendars working with the line of business application... sorry folks, even the cloud options aren't dead simple enough yet.  There's a lot of configuration and set up to make this stuff all work together.

Bottom line ...technology is still not plug and play.  Small businesses still need to get guidance to determine "what works".

Get ready for Microsoft Aurora... another server for small business .. but not Small Business Server ;-)


Star Wars™ voices now available for TomTom devices:

I have a Garmin.  I may need to buy a TomTom just for this.

Posted Fri, Aug 13 2010 19:21 by bradley | with no comments
Event 2436 for SharePoint Services 3 Search - The Official SBS Blog - Site Home - TechNet Blogs:

Click Start, click Run, type regedit, and then click OK.

In Registry Editor, locate and then click the following registry key:


Right-click MSV1_0, point to New, and then click Multi-String Value.


Type BackConnectionHostNames, and then press ENTER.


Right-click BackConnectionHostNames, and then click Modify.


In the Value data box, type the URL mentioned in the above warning event, and then click OK.

Quit Registry Editor, and then restart the IIS service.

(Obviously don't put in remote.domain.com; put in the URL that the warning is telling you about.)

Today's post is courtesy of Kevin Royalty (better known as the Home Server in businesses MVP) discussing how he sets the DNS scavenging values in SBS 2003 and SBS 2008 to ensure that there are no issues with RWW.

In SBS 2003 and 2008, if your users encounter issues using Remote Web Workplace, it is usually due to stale DNS entries causing you issues.  To fix this, you could go read this blog post and try to figure it out yourself, or you can take our SBS Best Practice recommendation below.

First, you need to go to the DNS Console under Administrative Tools.  Right-click your server name (the sample server below is called “Server 2003” don’t let that throw you off – this is indeed an SBS 2008 server) and select “Set Scavenging/Aging for all Zones”.  You should see the screen below, but you’ll notice the checkbox is missing and the intervals are 7 days.  You can change it to match the server below.

Now, you need to right-click the “server” again and select “properties”.  Click the “advanced” tab and you’ll see the screenshot below.  Notice yours has automatic scavenging not set.  Please set it to match below.

We’re almost done!  One more thing you need to do is go into the DHCP console, and bring up the properties of your IPv4 scope and hit the DNS tab.  Make your settings match the screenshot below.


Now, if you go back to the DNS console, right-click the server name and select “Scavenge Stale Resource Records”, your users' issues with connecting to their computers remotely are most likely resolved, or, if you are building a fresh SBS 2008 server, will most likely not happen as a result of stale resource records.

Posted Thu, Aug 12 2010 22:59 by bradley | with no comments