As part of the marketing for the upcoming Windows Small Business Server 2008 Unleashed book, I've been given the opportunity to have a blog space over at Network World for the next month. I'm excited about the opportunity to share my experiences with SBS 2008 with that audience, and hopefully the information will be well received.
The first post in that series went live today. You can read Small Business Server 2008 - Start Looking Now at your convenience. Enjoy!
One of the more powerful features of SBS 2008 is the User Role concept, based on the roles that were available in previous versions of SBS. These Roles are like account templates that can establish a common group of settings for one or more users in the network. Unlike the SBS 2003 Account Templates, however, the SBS 2008 User Roles are much more active, and if you're not careful, you can get yourself into unintended trouble.
Let's take a trivial example. You have a user with a large mailbox, and you don't want that user subject to the default Exchange mailbox quota. You go in and modify that user's settings in the SBS console, and that user now has no Exchange quota. Super.
Down the line, you learn that you can modify the folder redirection settings for users by modifying the User Role. So you go into the Standard User Role and update the folder redirection settings. You save the changes to the role, and when you do, it lets you know that it's going to apply those changes to all the users who have the role assigned. Great, that's exactly what you want. Life is good.
Suddenly, you get a call from the user with the large mailbox and that user tells you that he (or she) can't send or receive e-mail. Oops! When you reapplied the role, you inadvertently reset the Exchange quota for that user. So you wipe the egg off your face and go take care of that.
Unlike when you run the Change User Role wizard and have the option to Add To or Replace the user's settings when the role is applied, if you make a change to the Role, any user who had Role settings modified from the Role defaults will have those custom settings overwritten. Working with Roles is not like working with Security Groups in AD, where you can adjust certain settings for one group and not impact other settings. All settings contained within a role get pushed back out to the users who have the role assigned when you make changes.
So what's an SBS admin to do?
First, get out of the habit of having custom settings based on a user if you're going to be using Roles (and I'm not suggesting that you shouldn't use Roles, I'm just saying that you need to know what you're in for if you do). If you have a user, or a group of users, who have one setting different from one of the standard roles, create a new Role for those users and modify the settings for those roles. In the example of the user with the large mailbox, you could create a new role based on that user's settings and call it something like Standard User with No Exchange Quota. Then if you need to add a new user who also needs to have no Exchange quota, you assign that new user to that new Role.
Second, document the changes that you make. Nothing can cause you embarrassment with a client quite like making a change from the "default" settings, then making another change that impacts the undocumented change, ending up with the user unable to send and receive e-mail, for example. The more you document, the greater the likelihood that you won't end up with unexpected results. OK, that's a bit of a pipe dream in this industry, but still, any documentation is better than no documentation at all.
My recommendation for how to approach using User Roles in SBS is to leave the three roles created by SBS alone and create new roles for any customizations you want to make. Have a new user that needs no special configuration? Make them a Standard User. Have someone who needs folders redirected? Change them to the Standard Users with Folder Redirection role. If their mailbox grows larger than the default quota, add them to the Standard User with Folder Redirection and No Exchange Quota role. Could that get ridiculous before long? Absolutely. But if you come up with the configurations you want and create roles for them, your management life will get a LOT easier than if you have individual users with custom user settings that might get modified if you accidentally change a role.
Now is the time to think about these things, not after you've started an installation of SBS for a client. And certainly not after you lock the big boss out of his (or her) e-mail.
This post will be the first in what I hope will be a short series related to issues I've encountered in my SBS2008 migration of my internal server. I'd love to say "hey, everything worked as advertised" but we're not quite that lucky. But to start off, I have a very common setup that will probably catch some folks off-guard, so here it is in the blogosphere for someone to find and figure out.
First, I have a large mailbox. Like 8GB. Yeah, it needs pruning, I know. My first hint of trouble was when I ran the move mailbox part of the SBS migration. The move mailbox process stopped because of the default quotas in Exchange 2007. Yes, 2GB is far better than the 200MB default in Exchange 2003, but that's beside the point. So I went right in and removed the quotas on the mail store and fired up the move mailbox tool again. This time it completed without error.
Jump to this morning. I am going through the migration CHM file and get to the point about the users not showing up in the SBS console. I can either do the ADSIEDIT fix for that, or I can just run the Change User Role wizard (or whatever it's called). Boom, all of my users show up in the console. Woo hoo!
A little bit later, Susan (yes, that Susan) pings me that my mail is getting rejected because my mailbox is full. D'oh! That's right, the default Standard User role has the 2GB Exchange quota enabled by default. Dummy that I was, I didn't change the user role before applying it (I actually ran across this during migration testing and made a note about changing the Standard User role to remove the Exchange quota, but forgot about it this morning while I'm trying to do a gajillion other things) and now my 8GB mailbox is dying over 2GB quota. No problem, I change the User Role, then I open my user object to make sure the setting is removed, and all is well.
Would that it were that simple.
An hour later, I still can't get into OWA (well, I can get in, but it's yelling at me that I'm over quota and won't do anything until I fix it - if you haven't seen the OWA UI for being over quota, try it - there's nothing subtle about it). I quit and restart Outlook, it fires off the Mailbox Cleanup wizard (again, yes, I should do a cleanup, but that's not the issue). I look at my user object in the SBS Console, no quota. I look at the message store in the Exchange console, no quota. I ping David Shackelford and he has me run a couple of PS cmdlets, all show the quota is disabled. Dave suggests I restart the Transport service. No love.
Finally, Dave sends me to http://technet.microsoft.com/en-us/library/bb684892.aspx and suggests I restart the Information Store service. Bingo, OWA and Outlook stop yelling at me, and mail starts flowing again.
I don't know why Exchange couldn't figure out in a two-hour window that I had adjusted the quota settings, but it didn't. I had to forcibly restart the information store before it would check the quota again and allow me to get back to my precious e-mail.
So, lessons learned for today:
- Modify the quota settings on the mail store before migrating any user mailboxes over if you have users with mailboxes over 2GB.
- Modify the Standard User Role before you touch any user objects during your migration and remove the Exchange quota if you have users who are above the limit.
- If you should get a user who goes above the quota and you need to restore their access quickly, adjust the quota settings, then restart the Information Store service. No, you shouldn't have to do that, but it fixes the issue.
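The role-overwrite problem and the quota lessons above both come down to knowing which mailboxes had a different quota before a User Role was changed or reapplied. The following is an added example, not part of the original posts: a snapshot-and-compare script for the Exchange Management Shell on the SBS 2008 server. The function names and `$SnapshotPath` are hypothetical choices made for this example.

```powershell
# Added example. Run in the Exchange Management Shell.
# $SnapshotPath is a hypothetical location chosen for this example.
$SnapshotPath = 'C:\Admin\quota-before.csv'

# Collect the quota-related settings and current size of every mailbox.
function Get-QuotaSnapshot {
    Get-Mailbox -ResultSize Unlimited | Select-Object Alias,
        UseDatabaseQuotaDefaults,
        @{Name = 'ProhibitSendQuota'
          Expression = { $_.ProhibitSendQuota.ToString() }},
        @{Name = 'ProhibitSendReceiveQuota'
          Expression = { $_.ProhibitSendReceiveQuota.ToString() }},
        @{Name = 'SizeMB'   # stays empty for a mailbox that has never been used
          Expression = {
              $s = Get-MailboxStatistics -Identity $_.Identity
              if ($s) { $s.TotalItemSize.Value.ToMB() }
          }}
}

# Step 1: run BEFORE editing or reapplying a User Role.
function Save-QuotaSnapshot {
    Get-QuotaSnapshot | Export-Csv -Path $SnapshotPath -NoTypeInformation
}

# Step 2: run AFTER the role change. Returns every mailbox whose quota
# settings differ from the saved snapshot, largest mailboxes first.
function Compare-QuotaSnapshot {
    $before = @{}
    Import-Csv -Path $SnapshotPath | ForEach-Object { $before[$_.Alias] = $_ }

    Get-QuotaSnapshot | Where-Object {
        $old = $before[$_.Alias]
        # CSV values are strings, so compare the string forms.
        $old -and (
            ("$($_.UseDatabaseQuotaDefaults)" -ne $old.UseDatabaseQuotaDefaults) -or
            ($_.ProhibitSendQuota -ne $old.ProhibitSendQuota) -or
            ($_.ProhibitSendReceiveQuota -ne $old.ProhibitSendReceiveQuota)
        )
    } | Sort-Object SizeMB -Descending
}

# Typical use:
#   Save-QuotaSnapshot          # before touching the Standard User Role
#   ...change the role in the SBS console...
#   Compare-QuotaSnapshot | Format-Table Alias, SizeMB, ProhibitSendReceiveQuota
# After correcting a quota for an over-limit mailbox, the Information Store
# restart described above is:  Restart-Service MSExchangeIS
```

The saved CSV also serves as the documentation of per-user exceptions recommended earlier, and any mailbox it lists with a non-default quota is a candidate for its own Role.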