I wanted to create a certificate in PKCS #10 format on one of my SBS 2008 servers. This was needed so I could use two-factor authentication for my iLO board. Guess what, SBS 2008 does not include the web interfaces necessary to create the certificate (these were installed if you installed certificate server under SBS 2003). Based on some help, here are the steps needed to get the Certification Authority Web Enrollment installed.
- On the SBS 2008, open Server Manager.
- On the Roles node, select Active Directory Certificate Services and select Add Role Services.
- Select Certification Authority Web Enrollment and finish the installation.
- Visit http://servername/certsrv in Internet Explorer.
- Select Request a certificate.
- Select Advanced certificate request.
- Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
- Copy in the contents of the certreq.txt file and select the User template.
- Finish the wizard.
This allowed me to generate the certificate; in part 2 I will explain how I secured the web site itself.
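Where the certreq.txt pasted in step 8 comes from is not spelled out above. As an added example (my code, not part of the original post), this is how certreq.exe produces such a base-64 PKCS #10 request on a Windows machine and how to sanity-check it before pasting it into the /certsrv form. The subject name, key parameters and file locations are my assumptions, not values from the post.

```powershell
# Added example, not from the original post: build the INF that certreq.exe
# reads, generate the PKCS #10 request, and check the output before pasting it
# into the "Submit a certificate request by using a base-64-encoded ... PKCS #10
# file" page. Subject, key size and file names are constructed placeholders.
$infPath = Join-Path $env:TEMP 'certreq.inf'
$reqPath = Join-Path $env:TEMP 'certreq.txt'

# Single-quoted here-string so PowerShell leaves "$Windows NT$" alone.
# Comments in INF syntax start with ';' and sit on their own lines.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; constructed placeholder subject, replace with the real host name
Subject = "CN=ilo.example.local"
KeyLength = 2048
; AT_KEYEXCHANGE key, usable for TLS
KeySpec = 1
; digital signature + key encipherment
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@ | Set-Content -Path $infPath -Encoding Ascii

# -new creates the key pair in the local machine store and writes the
# base-64 request; that text is what goes into the web enrollment form.
& certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe -new failed with exit code $LASTEXITCODE" }

# Sanity checks before pasting: the PEM header is present and certutil can
# parse the request (subject, key length, and that the self-signature verifies).
$pem = Get-Content -Path $reqPath -Raw
if ($pem -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') {
    throw "$reqPath does not look like a base-64 PKCS #10 request"
}
& certutil.exe -dump $reqPath | Select-String -Pattern 'Subject', 'Public Key Length', 'Signature matches'
```

The private key never leaves the machine that ran certreq.exe; only the request text is pasted into /certsrv, and the issued certificate is then completed into the store with `certreq.exe -accept`.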
As I have been working through my OAB issues as of late, I came across a very good test site. It may be known to many of the blog's readers, but for those who don't know it, it can be found at:
It provides the following tests:
- Microsoft Exchange ActiveSync Test: This test will simulate the steps a mobile device uses to connect to an Exchange Server using Exchange ActiveSync.
- Microsoft Exchange ActiveSync AutoDiscover Test: This test will walk through the steps a Windows Mobile 6.1 device (or another AirSync licensed device) uses to connect to the AutoDiscover service.
- Microsoft Office Outlook 2007 AutoDiscover Connectivity Test: This test will walk through the steps Microsoft Office Outlook 2007 uses to connect to AutoDiscover.
- Microsoft Office Outlook 2003 RPC/HTTP Connectivity Test: This test will walk through the steps Microsoft Office Outlook 2003 uses to connect via RPC/HTTP.
- Inbound SMTP Email Test: This test will walk through the steps an Internet e-mail server uses to send inbound SMTP email to your domain.
I found it very useful; hopefully you will too.
Somehow, as part of the migration from SBS 2003 to SBS 2008, several GPOs were deleted (personally I blame the Jr. Admin who was helping me with the migration - that will teach me to let someone else muck around with my SBS server / just kidding).
They managed to break the default settings in WSUS. I ran the SBS BPA and it reported the following: The default AutoApproval rule is enabled. Because of this, software updates are not managed by Windows SBS 2008 Update Services. This results in a blue question mark in the Updates section of the Windows SBS Console.
Also, from the Tasks menu within the SBS Console, when you click on "Change the software update settings" the error reported back is "Software Update Settings = Cannot display Software Update Settings. The Update Service group policy settings are not accessible. For resolving this issue, please contact Microsoft Product Support".
The problem was:
The error message indicates that SBS cannot find the default WSUS GPOs or that these GPOs are corrupted. If there are problems with the default WSUS GPOs, this error message will pop up and the console will subsequently crash.
The fix was the following:
Please run "gpmc.msc" to open GPMC and then verify that the following GPOs are available and linked at the domain level:
- Update Services Client Computers Policy
- Update Services Common Settings Policy
- Update Services Server Computers Policy
If not, please link them to the domain and see if it works.
If the problem persists or the default WSUS GPOs are missing, we need to recreate the three GPOs with the default names and configurations. Please create the GPOs and configure them according to the attachment:
Please note the following two policy settings in the "Update Services Common Settings Policy" GPO must be modified to the real SBS server name in your scenario:
"Computer Configuration"->"Administrative Templates"->"Windows Components"->"Windows Update":
Set the intranet update service for detecting updates: http://<SERVER>:8530
Set the intranet statistics server: http://<SERVER>:8530
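The three GPO checks and the two server-name settings above can be verified from a shell rather than by clicking through GPMC and the client UI. The following is an added example (my script, not part of the support case) and it assumes the GroupPolicy module is available (RSAT on Windows 2008 R2 or later, so run it from a management workstation if the SBS box lacks it); `$SbsServer` is a placeholder for the real server name.

```powershell
# Added example, not from the support case: confirm the three default WSUS GPOs
# exist and are linked at the domain root, then confirm the client-side policy
# values that the two "intranet update service" settings write point at the
# SBS server on port 8530. Requires the GroupPolicy module (assumption).
param([string]$SbsServer = 'SBSSERVER')   # placeholder host name, not from the page
Import-Module GroupPolicy

$expectedGpos = @(
    'Update Services Client Computers Policy',
    'Update Services Common Settings Policy',
    'Update Services Server Computers Policy'
)

# Domain DN from RootDSE so nothing is hard-coded; GpoLinks are the links at that scope.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$links = (Get-GPInheritance -Target "$domainDn").GpoLinks | Select-Object -ExpandProperty DisplayName

foreach ($name in $expectedGpos) {
    try   { $exists = [bool](Get-GPO -Name $name -ErrorAction Stop) }
    catch { $exists = $false }
    $linked = $links -contains $name
    '{0,-45} exists={1,-5} linkedAtDomain={2}' -f $name, $exists, $linked
}

# Client side: after gpupdate /force, the "Specify intranet Microsoft update
# service location" policy writes these two values. Both must match the SBS
# server URL the case says to enter. Run on a client or the server itself.
$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected = "http://${SbsServer}:8530"
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
foreach ($valueName in 'WUServer', 'WUStatusServer') {
    $actual = if ($wu) { $wu.$valueName } else { '<key missing: policy not applied>' }
    $state  = if ($actual -eq $expected) { 'OK' } else { "expected $expected" }
    '{0,-16} {1,-35} {2}' -f $valueName, $actual, $state
}
```

A GPO that exists but is not linked shows `exists=True linkedAtDomain=False`, which is exactly the state the console error describes; a missing `WindowsUpdate` policy key on a client means the GPO has not applied there yet, so run `gpupdate /force` and re-check before assuming the GPO itself is wrong.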
Here are the steps needed to re-create the OAB on an SBS 2008 Server. These steps are from the open Microsoft Support case I mentioned in another blog posting.
1. Turned logging up to expert level from the management shell:
Set-EventLogLevel "MSExchangeSA\OAL Generator" -Level Expert
2. Built the Offline Address Book: Organization Configuration - Mailbox - Offline Address Book - Update
- From the management shell, run the following command: Update-OfflineAddressBook "name of the offline address book"
3. Look for the 9340 and 9360 event IDs for the following legacyExchangeDN: ' '
4. Ran the following command to update:
5. Opened Regedit and navigated to the following registry key:
- Added a new DWORD value 'OAL Post Full If Diff fails'
- Set the value to 1
6. Rebuilt the Offline Address Book, looked for the 9107 event, and verified that no events were generated for 9340 or 9360
7. Removed the registry key
8. Reduced the logging level: Set-EventLogLevel "MSExchangeSA\OAL Generator" -Level
9. We restarted the File Distribution Service
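The same sequence, run end to end from the Exchange Management Shell on the SBS 2008 server, as an added example (this is my script, not the support case's). It assumes an OAB name given as a placeholder, a placeholder for the registry key path because the path is not given above, and that "Lowest", the default logging level, is what step 8 returns to.

```powershell
# Added example, not from the support case: automate the OAB rebuild steps.
# $OabName and $OalParametersKey are placeholders; the registry key path is not
# on the page and must come from your own support guidance.
param(
    [string]$OabName = 'Default Offline Address Book',                              # placeholder
    [string]$OalParametersKey = 'HKLM:\<registry key path from the support case>'   # placeholder, not on the page
)
$oalGenerator = 'MSExchangeSA\OAL Generator'
$started = Get-Date

function Get-OalEvents([int[]]$Ids, [datetime]$After) {
    # OAL Generator events are written by the MSExchangeSA source to the Application log
    Get-EventLog -LogName Application -Source MSExchangeSA -After $After -ErrorAction SilentlyContinue |
        Where-Object { $Ids -contains $_.EventID }
}

function Invoke-OabRebuild {
    # Steps 2 and 6: start generation and give the generator time to finish
    Update-OfflineAddressBook -Identity $OabName
    Start-Sleep -Seconds 120
}

# 1. Expert logging so the generator writes its diagnostic events
Set-EventLogLevel -Identity $oalGenerator -Level Expert

# 2./3. Build once and look for the 9340/9360 events the case says to check for
Invoke-OabRebuild
$failures = Get-OalEvents -Ids 9340, 9360 -After $started
if ($failures) {
    'Differential build reported 9340/9360:'
    $failures | Format-List TimeGenerated, EventID, Message
    if ($OalParametersKey -like '*<*') { throw 'Fill in $OalParametersKey before applying the registry workaround' }

    # 5. DWORD 'OAL Post Full If Diff fails' = 1, then 6. rebuild and re-check
    New-ItemProperty -Path $OalParametersKey -Name 'OAL Post Full If Diff fails' `
        -Value 1 -PropertyType DWord -Force | Out-Null
    $retried = Get-Date
    Invoke-OabRebuild
    'After full post: 9107 events={0}  9340/9360 events={1}' -f `
        @(Get-OalEvents -Ids 9107 -After $retried).Count, @(Get-OalEvents -Ids 9340, 9360 -After $retried).Count

    # 7. Remove the workaround value again
    Remove-ItemProperty -Path $OalParametersKey -Name 'OAL Post Full If Diff fails' -ErrorAction SilentlyContinue
} else {
    'No 9340/9360 events; 9107 events={0}' -f @(Get-OalEvents -Ids 9107 -After $started).Count
}

# 8./9. Logging back to the default level and restart the File Distribution service
Set-EventLogLevel -Identity $oalGenerator -Level Lowest
Restart-Service -Name MSExchangeFDS
```

Leaving the logging at Expert fills the Application log quickly, which is why the script always runs step 8 even when the differential build succeeded; the registry value is likewise only set for the one rebuild that needs it.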
While this did not fix my OAB problem, it does have value for those of you who are having OAB issues and need the steps to re-create it.
All in all my migration from SBS 2003 to SBS 2008 went well. I am planning on posting several of the errors I found at a later time. But there was one issue that had been plaguing me since the migration.
Several users (myself included) had issues downloading the Offline Address Book (OAB). The local clients would just get stuck trying to download it and, worse, the remote users' Outlook sessions would hang completely. I tried several things which did not solve the issue (including having one of my remote users upgrade from Outlook 2003 to Outlook 2007 to see if that would fix his issue). I opened a support case with Microsoft and, while we were working through the issue (I plan on posting snippets of the case once it is closed), I was doing my own searching, because the problem would occur, then resolve itself, then re-occur with no rhyme or reason. I came across a blog posting on the EMEA SBS Team's site:
Today we implemented the fix and so far things are looking great. I wanted to get this out only because I am a real-life case of how the problem existed for a user and how the fix actually did fix my problem (thus far).
The interesting thing is that my local and remote users were having OAB issues, not just RPC issues.
To fix the problem we did the following:
1. We made modifications to the web.config file in the following path:
C:\Program Files\Windows Small Business Server\Bin\webapp\SBS Web Applications
2. We removed
<add name="HttptoHttpsRedir" type="Microsoft.WindowsServerSolutions.IWorker.IIS.Modules.HttpToHttpsRedir,HttpToHttpsRedir,Version=22.214.171.124, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="" />
between <modules> and </modules>
3. Did an IISReset
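Hand-editing web.config is easy to get wrong, so here is the same change done with an XML parser, with a backup first. This is an added example (my script, not from the support case); the path is the one quoted above, and matching the module by its `name` attribute avoids depending on the exact type and version string. One caveat for anyone repeating it: this module is what pushes plain-HTTP requests to the site onto HTTPS, so after removing it confirm that the site's bindings and "Require SSL" settings still protect the paths you care about.

```powershell
# Added example, not from the support case: remove the HttptoHttpsRedir module
# entry from <system.webServer><modules> in the SBS Web Applications web.config,
# keep a timestamped backup, then restart IIS as step 3 does.
$webConfig = 'C:\Program Files\Windows Small Business Server\Bin\webapp\SBS Web Applications\web.config'
$backup    = '{0}.{1}.bak' -f $webConfig, (Get-Date -Format 'yyyyMMdd-HHmmss')

Copy-Item -Path $webConfig -Destination $backup
[xml]$xml = Get-Content -Path $webConfig -Raw

# web.config can carry more than one <modules> element (e.g. under <location>),
# so search the whole document rather than one fixed path.
$nodes = $xml.SelectNodes("//modules/add[@name='HttptoHttpsRedir']")
if ($nodes.Count -eq 0) {
    "No HttptoHttpsRedir module registered in $webConfig; nothing to do."
} else {
    foreach ($node in @($nodes)) { [void]$node.ParentNode.RemoveChild($node) }
    $xml.Save($webConfig)
    'Removed {0} HttptoHttpsRedir entry(ies); backup at {1}' -f $nodes.Count, $backup
    & iisreset.exe
}
```

To undo the change, copy the .bak file back over web.config and run iisreset again.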
My last blog post got me thinking: is WSUS the best solution for a small (read: under 5 computers) installation? Windows SBS 2003 requires (for all the nifty green checks to work) that you do not make modifications to WSUS via the WSUS Administration tool. See Microsoft Support article:
SBS also requires that the server download all patches for all operating systems, devices, etc. Making modifications to this also breaks WSUS.
Based on the above I decided to uninstall WSUS entirely from my Windows SBS 2003 R2 server and let the clients download the patches themselves. I know this in theory goes against everything SBS is about, but in practice it made sense because I reclaimed upwards of 30 GB of server disk space. As we all know, server disk space (especially on a SCSI RAID server) is quite costly, much more than clients' disks, so to me it only made sense to get the server space back. Enforcement of patching can easily (as it was pre-R2) be handled through server-side GPO. While this might seem controversial, taking a step back and looking at it holistically it made sense.
I would like to see what the fellow SBSers out there think about this idea. Feel free to reply here or just drop me a line. Also let me know if you don't want me to post your replies.
OK, back to blogging about SBS issues I have encountered.
After I did an in-place upgrade of my SBS 2003 server to R2 I was unable to get WSUS to work correctly. Specifically, we selected that client computers automatically download and install updates. Further, we selected that all updates are approved automatically for both server and client computers. This was the selected configuration within the Server Management console on the Update Services page.
Neither took effect. On the client computers, under Automatic Updates, the option is locked at "Notify but do not download or install".
The cause and resolution was the following:
WSUS policy was not linked to the domain.
Linked it and did gpupdate /force on server and client.
Now we were able to see the policies applying in gpresult.exe.
Checked the updates and they were applying.
Checked the Server Management console and it was showing that updates were being applied now.
As I said, my blogging has been really poor (frequency-wise) as of late. I gave it some thought as to why, and I realized I needed a better way (than writing the post in Word and then doing a cut-and-paste on the blog site). I decided to find an easier way - so I am now blogging using Windows Live Writer.
I did try to get Word in Office 2007 to work with the site, although it continued to give me a weird "could not connect to the site" error. As I said above, it has to be simple; Live Writer was a breeze to set up, therefore it is my program of choice.
We will see if it makes things easier (read Alan is more motivated to post). Since I deal with other users issues and problems daily, I wanted to make things easy for myself at home technology wise. We will see if this is the trick. I do have to say that the setup could not have been easier, now let us hope that it will keep all the formatting in place.
I started noticing a weird occurrence in my Outlook 2007. My search all of a sudden stopped working. I rebuilt my client's index with the issue still occurring. As you may have read by now, I am connecting to an Exchange 2003 SP2 server. I looked through my client's Event Log and came across the following error: "The per-user filter pool could not be found. (0x80040dba)". Went to the usual sites for an answer with no luck. I finally came across a thread post on the MSDN site which stated that if you install FrontPage 2003 on top of Office 2007 you get this error because FrontPage breaks email indexing. The quick fix is to do a repair install, which fixed my problem. Here is the thread I read to find the fix:
A weird problem, a simple fix. Hope this helps you out.
As I promised in my last post, I wanted to jump back in to issues and fixes I have had with my SBS server. Here is the first of several. One afternoon, for no reason whatsoever, my Sprint 6700 (WM5) quit synchronising mail with the SBS server. I spent the greater part of an entire day trying everything to fix the problem myself: event logs showed nothing, IIS logs showed nothing. Being an SBS server, I did things the SBS way and repaired my mail connection - still no luck. I finally broke down and opened a support case with Microsoft at 6PM on Thursday night. I had hoped that it would be some quick fix that I had missed; my hope was not to be. The problem took roughly 36 hours to finally solve. The call started on Thursday night - you do the math. Luckily I was off all day Friday (from the real job); because of the weekend the issue was finally fixed Sunday night, late, around 11:30PM.
Below is the snippet from the resolution closing email from Microsoft; I have added comments. It looks really simple; I wish it was. Am I happy that my WM5 worked again? I sure was - was it worth 36 hours? I will leave that to others to draw their own conclusions.
PROBLEM
========
Not able to use Outlook Mobile Access on SBS 2003 since migration
Event ID: 1805 with error code 501
Rebuilt the exchange-oma virtual directory
Error code was 501 - equates to access denied to the mailbox
This was for one user - (Username)
Used ExMerge to export the mailbox and recreated the user account
Imported the .pst file and we started getting error code 500 in the same event ID: 1805
Rebuilding the exchange-oma virtual directory fixed the issue [by hand; needed to use the IIS tools to remove extended IIS attributes, none of the tools or scripts worked]
It has been a long time since I sat down to write a post; this is both a good and a bad thing. The bad is that it has been over a year since my last post and there have been SBS issues (more to come on those later) that have reared their ugly head. The good thing is that I have decided to come back with much more vim and hopefully the posts will be a more regular occurrence. So what have I been doing other than blogging? Two things specifically. Menucha and I recently had our second child, Gaia Rachael - anyone who says taking care of two kids is just as easy as one is lying. While it is not as hard as raising three (or so I have been told) it is no cake walk. The rest of my free time has been spent in a time suck of a game called World of Warcraft. It is a complete break from the world of IT and taking care of the kids.
Back to SBS Land - I am still running my SBS 2003 server and have upgraded to the R2 release. Was it a flawless upgrade? No, but more to come on that later.
I thought about it overnight, and realized how wrong I was for not giving out full information on the solution. So from this time forward I am sharing all the steps I used to get SBS 2003 installed, even if I used tools which may ultimately damage your system if used incorrectly.
The tombstone lifetime attribute ("tombstoneLifetime") is located on the enterprise-wide DS config object. The path for this attribute is:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
To get access to this value you need to fire up adsiedit.msc, which is found in the Support Tools pack on disk two of your SBS 2003 CD set.
The value is also quite useful to know if you need to restore a backup which is older than the default 60 days. A useful Microsoft Knowledge Base article I found which references these steps can be found at:
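Reading the attribute from a script is a safer first step than opening it in adsiedit.msc. The following is an added example (my code, not from the original post): it discovers the configuration naming context from RootDSE instead of typing the DC=COMPANY,DC=COM part, reads tombstoneLifetime, and applies it to the backup-age question raised above. It is read-only; changing the value is the adsiedit step the post describes and is left out on purpose.

```powershell
# Added example, not from the original post: read tombstoneLifetime from the
# Directory Service object named above and use it to judge whether a backup
# is still restorable. Nothing here writes to Active Directory.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$dsPath   = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$dsObject = [ADSI]$dsPath

$raw = $dsObject.tombstoneLifetime
if ($null -eq $raw -or "$raw" -eq '') {
    # When the attribute is not set, the directory behaves as if it were 60 days,
    # which is the default the post refers to.
    $lifetimeDays = 60
    $source = 'not set, implicit default'
} else {
    $lifetimeDays = [int]"$raw"
    $source = 'explicitly set'
}
'tombstoneLifetime = {0} days ({1}) on {2}' -f $lifetimeDays, $source, $dsPath

# A system-state backup older than the tombstone lifetime must not be restored
# into the domain: objects deleted since then would be resurrected without the
# other DCs knowing. Compare the backup date against the lifetime first.
function Test-BackupRestorable([datetime]$BackupDate, [int]$Lifetime = $lifetimeDays) {
    return ((Get-Date) - $BackupDate).TotalDays -lt $Lifetime
}

# Constructed sample dates for illustration
foreach ($age in 10, 45, 90) {
    $date = (Get-Date).AddDays(-$age)
    '{0,3} days old: restorable={1}' -f $age, (Test-BackupRestorable -BackupDate $date)
}
```

If the attribute reports as explicitly set to a value other than 60, that is the number to use in the restore decision, not the 60-day figure quoted in most articles.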
I was awoken by my son after only 3 hours of sleep and promised my wife that if she got up and took care of him and let me get a few more hours sleep I would give her anything she wanted (as of this date\time she has yet to collect - although after this post, I bet it will be any day now). That extra two hours put me in a right frame of mind to give it another go. My wife was taking my son for a play-date, which freed me up to give it another go.
I decided to start fresh and re-format the server after properly removing the server from the domain (as it was now only a member server). I reformatted the server, gave the machine a new name, promoted it to a DC and then to a GC, with the same result. More than frustrated, I decided to bring in the big guns. I opened up a PSS call directly with Microsoft.
I was connected to a support engineer, and we then proceeded to go through all manner of tests (most of which I had already done before the call) to see what was preventing this Windows SBS server from becoming a GC. I will not bore everyone with the gory details, but we did finally get to the root cause of my issues.
Way down deep within the bowels of Active Directory, hidden away from everyone, are records of every connection or connection attempt between Domain Controllers. These records are purged (tombstoned) by default once every 60 days. What I needed to do was manually readjust the tombstone timer from 60 days to 1 day. This reset would cause the automatic clean-up routine within AD to fire off and clean up all the orphaned records of my failed Domain Controller connections. Please only change these settings if you have a complete understanding of what you are doing. Really bad things, like permanently disconnecting Domain Controllers from each other (yuck), will occur. That is one of the reasons why I am not posting exactly how to change the timer directly in the blog.
The bad thing is that you cannot force the automatic cleanup routine to run. You must let the grains of sand in the hourglass pass on their own. It would take roughly 16 hours (the cleanup occurs any time between 12AM and 2AM local server time) before I could move forward. So, resigned to another day of non-productivity, I left the servers to do "their own thing" and joined my wife and son at his play date.
As I discussed in my last post I had a new server available and I was going to migrate my single server front-end \ back-end installation of Exchange 2003 to SBS.
To Microsoft's credit, they anticipated that people like me would want to make such a migration. Microsoft published a very well written and all inclusive (or so I thought) article on the exact steps necessary to perform the tasks. The current link to the article is at:
Titled: How to install Small Business Server 2003 in an existing Active Directory domain
Armed with the article I started on my installation\migration path. I put my SBS 2003 SP1 Premium CD into the CD drive and off I went. I used the guided installation found on my HP ML370 to get the ball rolling with all the correct drivers needed to perform the installation. Having been a server engineer\architect by profession for the last ten years, I was hoping to get everything installed in time for me to get to bed by hopefully 12:00AM or at the very latest 1AM (I started the installation at 5PM on a Thursday night), finishing everything up on Friday, my day off.
Everything was proceeding normally: Windows 2003 installed normally, the drivers were updated automatically, I installed Service Pack 2 and joined my newly minted SBS 2003 server to my existing domain as a member server.
I followed the instructions step by step and promoted my member server to be a DC, added DNS services and promoted my new SBS 2003 DC to be a Global Catalog Server. This is where the problems started. The article states not to move on to further steps until:
"Note Wait for the account and the schema information to replicate to the new global catalog server. Wait for event 1119 or event 1869 to be logged in the Directory Services event log with a description that states that the computer is now advertising itself as a global catalog server."
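The waiting step above can be checked rather than guessed at. As an added example (my script, not part of the post or the KB article), the following looks for the two events the note names, reads the RootDSE attribute a DC exposes once it advertises as a global catalog, and probes the ports the existing DC must accept for replication and DC discovery, which is the class of problem the post eventually finds. `$PeerDc` is a placeholder for the existing domain controller.

```powershell
# Added example, not from the original post: is this DC advertising as a GC yet,
# and can it reach the existing DC on the ports replication depends on?
param([string]$PeerDc = 'OLDDC.example.local')   # placeholder, not from the page

# 1. RootDSE on the local DC reports isGlobalCatalogReady = TRUE once it advertises as a GC.
$rootDse = [ADSI]'LDAP://RootDSE'
'isGlobalCatalogReady = {0}' -f [string]$rootDse.isGlobalCatalogReady

# 2. The Directory Service events the KB note says to wait for.
$gcEvents = Get-EventLog -LogName 'Directory Service' -Newest 500 -ErrorAction SilentlyContinue |
    Where-Object { 1119, 1869 -contains $_.EventID }
if ($gcEvents) {
    $gcEvents | Select-Object -First 3 TimeGenerated, EventID, Message | Format-List
} else {
    'No event 1119 or 1869 logged yet'
}

# 3. If neither shows up, check that nothing on this host (ICS in the post's case)
# or between the two machines blocks the well-known DC ports. Dynamic RPC ports
# used by replication are not covered by this quick probe.
function Test-Port([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$dcPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB'; 3268 = 'Global catalog LDAP' }
foreach ($port in ($dcPorts.Keys | Sort-Object)) {
    $state = if (Test-Port -Computer $PeerDc -Port $port) { 'open' } else { 'blocked or unreachable' }
    '{0,-22} {1,5}  {2}' -f $dcPorts[$port], $port, $state
}
```

A DC that shows `isGlobalCatalogReady = FALSE` with several ports reported blocked is the situation described further down in this post, and points at a host firewall before it points at Active Directory itself.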
It was 7PM now and I was busy helping to bathe my son and get him ready for bed so I decided to give the replication some time since I did not see either event 1119 or 1869 in the event log. I came back roughly one hour later and still no message, very strange I thought the events should have happened almost immediately since both machines were plugged in to the same switch with no firewall (or so I thought) between them.
I pondered things for several moments, looking at the event logs on both DCs. Everything seemed to look right, but having convinced myself that something had gone wrong with my DC promotion, I demoted my SBS 2003 machine and re-promoted it again. This is where things get a bit fuzzy in my mind, since I was never planning on blogging the events; I went into engineer mode and started trying this and that to no avail. I then went out to the web and started scouring the Internet and all related newsgroups for any clue as to what could be causing my issues.
I came across one article somewhere (I cannot find the newsgroup article again to give proper credit) which stated that the Premium edition of SBS comes configured with the ICS (Internet Connection Sharing) firewall automatically enabled. I read those words and my heart sank. I did a quick look-see on the networking properties of my adapter and confirmed what the article stated. I knew now exactly why my promotions had failed. Windows 2003 Server needs certain ports to be open for DCs to be able to share information correctly, and with ICS enabled correct DC replication could not occur. I decided to turn off ICS and see if the magic of Windows DC replication would eventually solve my problem. Half an hour later I went back to see; GC promotion had not occurred. I gave it the old college try - demote, remove, promote - same result.
Not wanting to let this new situation get the best of me I decided on treating the night's events as one of the most serious cases in Active Directory \ DC situations. I was going to see if there were any remnants of my previous failed promotions\demotions left in AD. I followed Microsoft's article titled: How to remove data in Active Directory after an unsuccessful domain controller demotion.
One HUGE word of CAUTION here: please, please, please do not ever use the advice given in the KB unless you really have to. Whenever and wherever possible let the DCPROMO wizard do the heavy lifting for you. The article requires use of tools which can IRREPARABLY DESTROY your Active Directory environment if used incorrectly. OK, there, I have said it and you have been warned.
Even after following the article I could not get the new SBS 2003 server to become a Global Catalog Server. Resigned and dejected I decided to call it a night since it was almost 3AM and I had been up for going on 22 hours. I decided to give everything a fresh look in the morning.
I acquired a new piece of hardware which was much faster, bigger, etc and I decided to install Microsoft Small Business Server 2003 instead of re-install my old single server Exchange 2003 front-end \ back-end environment.
Two primary factors led me down the SBS path. I remember the true pain I had configuring Exchange 2003 the first time through. Getting OMA, OWA, and RPC over HTTP (which never worked successfully) configured was a real pain, to say the least. I spent the greater part of one week's vacation and 4 calls to Microsoft PSS to get OMA and OWA working successfully.
Not to scare anyone away from a single-server front-end \ back-end configuration. A lot has happened since I installed Exchange 2003 on my old hardware. Microsoft Knowledge Base articles have improved, and the Exchange community has a lot more answers (I was one of the first to install and configure Exchange 2003 after it was publicly released), but call me pessimistic, I didn't want to have a repeat of my original adventure. Little did I know I was in store for a whole new saga.
The other reason was the SBS Diva (Susan Bradley) herself wrote me a very convincing Email which tipped me over the edge. I really do trust her opinion. I met Susan through my involvement in the Microsoft MVP program. I remember sitting with her in San Francisco for the launch of Windows 2003. She was going on and on about the new SBS 2003. I filed it away in the back of my head to someday re-visit SBS given an opportunity. I decided to give SBS 2003 a try since I had a licensed copy of SBS 2003 Professional at my disposal and was really impressed by the automatic configuration wizards that were supposed to rid me of my Exchange installation pains.
I am planning on recounting all my pitfalls and a bit of the frustration in the migration. Feel free to check back often as the story unfolds.
I think I should answer the last part first. Even though I have had a web site for some time (blatant plug for www.thelevyhome.com/alan), I have never thought of sharing my day-by-day, week-by-week techno thoughts with a greater audience than my friends and family, who get a dose of it simply because they either are too polite to tell me to shut it or have learned over the years to tune me out when I start to talk tech.
One of the biggest factors in causing me to share with the world is my recent experiences in migrating my home email system (Microsoft Exchange 2003) to SBS 2003. I thought there might be value in giving my good and not so good experiences in the migration along with my daily trials and tribulations working with SBS.
Will this simply be another SBS help technology site?
I sure hope not. I do plan on talking about my own experiences with SBS, but I reserve the right to venture into any other areas of technology at a moment's notice.
Who am I and why do I think I should talk about technology?
I have been working in technology for approximately 12 years after making a switch from practicing law (before I get inundated with a flood of lawyer jokes - I have heard most of them and some are actually a very good representation of lawyers and the legal profession, so 'nuff said about that). I am currently employed by a Fortune 500 financial institution as a Computer Systems Manager. I currently manage a team that supports roughly 2000 seats in the Chicagoland area.
I thought this was a site for Microsoft MVPs to blog about technology; what gives you the right to blog here?
Well the right comes from the site owner who set me up with a link but more to the heart of your question.
From 1997 through 2004 I was a Microsoft MVP. I answered users' questions in areas such as Outlook Express, Internet Explorer, Windows 95, 98, 2000 and XP. So why did I stop? In 2004 my wife and I (actually I did very little on the birthing side except for actual presence) gave birth to my son Jacob. Being a father of a little one left no time for users' questions, therefore I became an Inactive MVP (in Microsoft speak) and was not re-awarded (for those of you who don't know, each MVP must earn their bones, so to speak, each year by consistent participation).
With all that, does that mean I have a big head? Some might think so - I personally find it very funny that a lawyer can make the switch from arguing cases in court to arguing with senior management for IT dollars. All I can say is I will endeavor to state the truth and check my facts before I blog it. But if you find inconsistencies or errors, feel free to post or email me about them. I will make corrections and give credit where credit is due.
Also if you disagree with anything I have posted, feel free to reply. I have a thick skin, I can take it.