Friday, 30 January 2009

Heartland Payment Systems - Credit Card Security Breach

It goes without saying that no matter who promises what when it comes to our information, we need to be very careful about what we do with it anyway.

Some bits of information we would never publish to the Internet:
  • College or University graduated from and what city.
  • High School graduated from, what city, and what year.
  • Birth date.
  • Social Insurance Number (SIN - Canada), Social Security Number (US).
  • Major purchases made and where.
  • Banking information.
This type of information may seem to be inert on its own, but new services such as pipl are proving that data mining capabilities are becoming more and more sophisticated.

Keep this in mind when it comes to publishing personal information anywhere including social and business networking sites.

So, when it comes to our credit cards, we are quite diligent in our monitoring of the transactions on each card by checking our online statements at least two to three times a week. In our case, at least one of our credit cards has been impacted by this security breach.

And, when it comes to protecting our identity, we subscribe to one of the big three's credit profile monitoring services that sends out a weekly e-mail indicating whether anything has changed on our credit profiles. If the e-mail indicates a change, and we did not initiate that change, then it is imperative to jump on investigating what was up immediately. The e-mail gives an indicator, but we can log onto the report's site and take a closer look at the details.

Heartland Payment Systems has a Web site dedicated to the breach of their systems: Heartland Payment Systems Breach 2008 site.

The front page of the site has a statement by the Chairman and CEO of Heartland Payment Systems.

One item of great concern to us in the CEO's letter:
"... we will not rest until we have the answers to how and why this breach occurred so we can prevent any future attacks at Heartland and elsewhere."

Let's stop and think about this for just a moment ...

They do not know "how" the breach happened?!? The "why" is irrelevant. How about telling us the "when"?

To get a clue on the when, we go to the site's FAQ:

Was Heartland the victim of a data breach?

Yes. During the week of January 12, we learned we were the victim of a security breach within our processing system during 2008.

Now give that answer a once over again: "...DURING 2008"!!!

While a forensic investigation may be on the go now, if the breach was an ongoing thing that has just been discovered, will the investigators ever be able to pinpoint whether the breach originated in 2008, or 2007, or even 2006 and beyond?!?

Not only that, it was VISA, MasterCard, and other credit card companies that had to trace suspicious transactions back to Heartland before the breach became known:

How did we learn about the breach?

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, malicious software was discovered that potentially enabled data to be compromised as it crossed Heartland's network.

The magnitude of the breach and its implications are staggering in this case. It took a group of third parties to let the company know that there was a problem with its systems.

So, we have an indication of a breach, we have a Web site with some information on it, but that is about it?!? Not only that, Heartland chose to release the news on the day of President Obama's inauguration! One need not venture into the motivation behind this, but the implications are there ... where is the company's transparency?

It leaves us with an affirmation that our skepticism of the "system", and personal data protection, expressed in the first couple of paragraphs in this blog post is well founded.

We have seen a number of high profile security breaches in our headlines over the last couple of years or so. As a result, it is up to us to keep up that healthy skepticism and make sure we cover as many of the bases as possible when it comes to protecting our identity and financial information.
  • Only use one credit card for online transactions.
  • If possible, have an ultra low limit on that credit card.
  • Obtain the card from an institution that practices call-backs for out of the norm transactions.
  • Obtain the card from an institution that allows for card number rotations on an annual or bi-annual basis to further protect the card.
  • Where possible, utilize a trusted third party payment system such as PayPal for online transactions to keep credit card information out of the merchant's hands.
  • Monitor the transaction log for bank accounts, credit cards, and credit profiles (Canadian Trans Union Credit Monitoring).
And finally, when are our legislators going to get some laws in place making it mandatory for all companies to report a breach that would impact our identities, livelihood, and personal data?

It is high profile cases, such as the Heartland Payment Systems breach, that beg the question about breaches with companies that process personal information and never report it.

Lawyers and mitigating risk to a company should never trump a person's right to know their data has been compromised ... ever.


One quote of interest from WSJ:

"One hundred Million Transactions PER MONTH"

The depth of this breach is just mind boggling.

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday, 29 January 2009

Seagate Hard Drive Brick Fix for 7200.11, ES.2 - Possibly

It looks like someone knows a little about the inner workings of Seagate hard drives.

They have posted a series of fix steps for Seagate hard drives that have seemingly bricked themselves because of bad firmware:
There are two separate reasons for the bricking of the drive with a specific methodology to deal with each reason. Keep this in mind. One of the methodologies requires the daughter board to be swapped while powered up leaving lots of room for frying it.

We have used a daughter board swap method to recover data on hard drives in the past, though with no power applied.

In this case, we are talking about connecting to the hard drive's underlying firmware structures via an RS232 based terminal session and working with the base level commands to bring the drive back to life.

This methodology is not for the faint of heart. This bears repeating: This methodology is not for the faint of heart.

This particular person has been kind enough to share the fix methodology, so if it is needed then handle with care.

Philip Elder
Microsoft Small Business Specialists


Wednesday, 28 January 2009

Need: Intel Fan Kit for Intel Desktop Board DX58SO or 2U Passive Heatsink for LGA771?

Intel recently went through a manufacturing hiccup with their SC5299 and SC5400 series server chassis.

We had already placed an order with our supplier for a server configured on the SC5299BRP series chassis when we found out a week or so later that they would not be available until the manufacturing problem had been worked out.

Once we found that out, we searched to find any Intel server chassis and ended up with an SC5400BRP series and the additional power supply.

Now, one thing that got missed was the fact that we had two Intel Xeon E5430 Quad Core series processors with the Active heat sink/fan combination. The SC5400BRP requires the 2U passive heat sink for the CPU as there is a fan and duct setup to keep them cooled.

Our suppliers and Intel's site, along with some extensive searching turned up absolutely nothing for 2U passive heat sinks for the LGA771 socket.

We phoned into the Intel Channel Partner Program Support line to find out if we had an alternative to purchasing two additional CPUs with the passive heat sinks! We were beyond the 30 day exchange for the CPUs, and the packages had been opened. :(

They pointed us to the following site:

Intel Spares: LGA771-F 2U Passive Fan Heat Sink Solution.

The site did not come up in any of our search engines that we used while looking for the heat sinks!

This site has a number of hard to find Intel related spare parts:

Intel Spares: Fan Kit for Intel Desktop Board DX58SO.

Note the prices! They are definitely out to make a killing.

Other spare parts include things like motherboard configuration labels, I/O shields, active heat sinks, 1U/2U fans, and a lot more.

For us, the site has turned a bad mistake that could have been very costly (purchase two E5430 Passive CPUs) into a very reasonably priced mistake.

The site's direct link: Industry Education.

Philip Elder
Microsoft Small Business Specialists


Canadian Businesses get 100% Deduction on Computer Equipment as of Yesterday

This little Canadian Budget tidbit came to us from one of the partners at an accounting firm whose network we support:

Capital Cost Allowance for Computer is 100% to February 1, 2011!

What does that mean for us?
It means that we can drop a note into the inboxes of our clients who were on the fence about a project or two and let them know that now would be a good time to move on it! :)
This is great news for our clients and subsequently for us.
The Canadian Government's site:
Philip Elder
Microsoft Small Business Specialists


SBS 2008 - Migrating Lacerte 2006 onto Windows Vista

We just finished a successful integration of the Lacerte 2006 software on an SBS 2008 domain with 100% Windows Vista workstations.

Lacerte 2006 on Windows Vista

What we discovered was this:

  • The install files must lie on a UNC such as:
  • The Setup.exe file needs to be run from a workstation.
  • The first network install goes to:
    • \\ss-sbs\Company\ProgramData\Lacerte\06Tax
    • Again, note the lack of spaces in the folder names.
    • Windows Vista uses a folder called ProgramData so we copied the name for all server installed applications.
    • Lacerte will warn about running it on Windows Vista as shown above, click the Continue button.
  • Once the install finishes, the workstation install will need to run.
    • Leave the default C:\Lacerte\06Tax folder to install to.
    • Allow it to run the updates notifier.
    • Allow it to install the MSDE that it needs locally.
    • The Vista Warning will pop up again, this time check the Don't show this again option.
    • A reboot of the workstation will be required.
  • Run the program. If it warns you again, make sure to check the Don't show this again option and it should no longer bother you.
    • It may stall a few times on various set up routines. Just be patient. The program will begin to respond.
    • Note that the firm's Federal ID Number will be required once the program fires up.
  • Once the first workstation install has fired up, a new IDATA folder will show up in the 06Tax folder. Close the program and do the following:
    1. Rename the new IDATA folder to IDATA-Original.
    2. Copy the firm's existing data folders into the 06Tax folder.
    3. Restart Lacerte 2006 and the firm's data should be there.
    4. NOTE: Do not copy the firm's data into the 06Tax folder until such time as Lacerte 2006 has had a successful start up after the first workstation install.

This is what the 06Tax folder looked like after we had transferred the firm's existing data into the folder and had a successful connection via one of the workstations:

The Firm's existing Lacerte 2006 data folders are good to go

Once everything is in place, we installed the rest of the workstations following the above steps (without the need to do a network install) via the installed application's UNC path:

While we have not run through our testing of the Lacerte 2005 program, if it shares the same code base as Lacerte 2006 then it should install and run okay.

One thing to keep in mind in this particular case is that we already have a number of applications installed on the Windows Vista workstations that utilize similar components to Lacerte.

So, we did not encounter any problems with the Windows Firewall with Advanced Security. If a connection cannot be completed, make sure to Unblock any service request warnings by the firewall. Enable the logs on the server and workstation to check for dropped packets and any rules that may need to be created. Port 1433 probably would show up due to the SQL MSDE instance on the workstations.
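
One way to act on the firewall log advice above, as an added example that is not part of the original post: a Python script that reads a Windows Firewall log (pfirewall.log) and counts dropped inbound packets per protocol and destination port, so a blocked MSDE connection on port 1433 stands out. The log lines and addresses are constructed sample data, and the function names are this example's own.

```python
"""Count dropped inbound packets per port in a Windows Firewall log."""
from collections import Counter

# Constructed sample in the pfirewall.log layout; all addresses are made up.
# The last line is deliberately truncated to show that damaged lines are skipped.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-01-28 09:14:02 ALLOW TCP 192.168.40.21 192.168.40.10 49160 445 0 - 0 0 0 - - - SEND
2009-01-28 09:14:07 DROP TCP 192.168.40.22 192.168.40.21 49171 1433 52 S 301122 0 8192 - - - RECEIVE
2009-01-28 09:14:08 DROP TCP 192.168.40.23 192.168.40.21 49188 1433 52 S 771530 0 8192 - - - RECEIVE
2009-01-28 09:14:09 DROP UDP 192.168.40.22 192.168.40.21 52344 1434 38 - - - - - - - RECEIVE
2009-01-28 09:14:10 DROP TCP 192.168.40.22 192.168.40.21 49171 1433 52 S 301122 0 8192 - - - RECEIVE
2009-01-28 09:15:11 DROP ICMP 192.168.40.1 192.168.40.21 - - 60 - - - - 8 0 - RECEIVE
2009-01-28 09:15:30 DROP TCP 192.168.40.24
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or damaged lines
            yield dict(zip(fields, values))


def dropped_inbound(text):
    """Return a Counter of (protocol, destination port) for inbound DROP entries."""
    counts = Counter()
    for entry in parse_firewall_log(text):
        # Assumption: a log without a "path" column is treated as inbound.
        inbound = entry.get("path", "RECEIVE") == "RECEIVE"
        if entry["action"] == "DROP" and inbound:
            counts[(entry["protocol"], entry["dst-port"])] += 1
    return counts


def sources_for(text, protocol, port):
    """Return the sorted source addresses whose packets to this port were dropped."""
    return sorted({
        entry["src-ip"]
        for entry in parse_firewall_log(text)
        if entry["action"] == "DROP"
        and entry["protocol"] == protocol
        and entry["dst-port"] == str(port)
    })


if __name__ == "__main__":
    for (protocol, port), hits in dropped_inbound(SAMPLE_LOG).most_common():
        print(f"{protocol:5} port {port:>5}: {hits} dropped")
    print("Dropped on TCP 1433 from:", ", ".join(sources_for(SAMPLE_LOG, "TCP", 1433)))
```

Each port that shows up with drops from workstations that should be talking to each other is a candidate for a scoped inbound rule; drops from unexpected sources are a reason to leave the port closed.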

One caveat to warn users about:

Lacerte 2006 - Error on Shutdown

They may experience an application hang when shutting down the program. They need only wait until the Cancel button changes to Close program and click on that. This is, unfortunately, one catch for running older applications on a newer OS.

Philip Elder
Microsoft Small Business Specialists


Tuesday, 27 January 2009

RDP via RWW - Full Screen with Two Different Sized Monitors

One of the more annoying puzzles that needed to be figured out was how to get an RDP session via the Remote Web Workplace to work full screen with monitors connected to the same system that are a different size.

Why was it annoying? Because, with the advent of RWW on SBS 2008, there is no longer any ability to control the connected desktop's resolution, so we end up with scroll bars and a partial view of the connected desktop if it comes up on the smaller screen.

The RDP session will always come up on the monitor that the IE browser window was in.

Monitor 1 is 1280x1024 - Monitor 2 is 1680x1050

While not a perfect solution, the method to get a full screen RDP session via the RWW to work is as follows:

  1. Set the smaller monitor as the Main Monitor.
  2. Do not close the Display Settings window.
  3. Move the IE browser window to the smaller monitor.
  4. Connect to the remote desktop using the Connect to ... Computer link.
  5. Log onto the workstation.

Once the logon has completed and the remote computer's desktop has come up, switch the Main Monitor back to the larger of the pair.

When we are working on a workstation with an odd set of monitors like this, we tend to put the client's server or desktop on the larger monitor, and have our reference desktop VM opened up on the smaller monitor in full screen mode.

This method works for both SBS 2003 and SBS 2008 Remote Web Workplace desktop sessions.

Philip Elder
Microsoft Small Business Specialists


HTC Touch Pro swap experience and OMA

One thing sure is apparent when it comes to swapping out a data enabled phone: It takes a long time and multiple syncs to get the data onto the new phone.

In this case, we are talking about the Contacts, Calendar, and Tasks folders with their default content.

The e-mail was set to synchronize the last two weeks of e-mail in about 30 sub folders and nested folders.

The whole process took at least 2-3 hours with the need to initiate a Sync from within the ActiveSync application on numerous occasions to get things moving again.

When working with clients' data enabled devices, the amount of data to synchronize is something to keep in mind if there is a need to get another phone working for their SBS based Outlook Mobile Access.

Philip Elder
Microsoft Small Business Specialists


Monday, 26 January 2009

New Mac RDC Client v2.0 does not support TS Gateway

The new Remote Desktop Client for Mac, version 2.0, does not support the new Terminal Services TS Gateway feature.

Since we are in the midst of working with our principal Mac based client on a new solution for their three sites, having the ability to remote into a dedicated desktop for a number of key people at their various sites would just rock!

We just downloaded and installed the new RDC v2 on our iMac that is still running Tiger.

As soon as we ran through the various Preferences for the new RDC with the hope of finding the TS Gateway setting, as it is on the RDC v6.x Windows Platform client, we were disappointed to find nothing there.

And, the comments in this Mac Mojo post confirm that there are others who would like to see the TS Gateway ability in the Mac RDC: RDC Beta Users Update: Making It Work...RDC Beta3 Available Today.

We realize that from a programming perspective, implementing this feature may not have been possible given the time lines for the v2 release. But, there is definitely a need to implement it in the R2 version or next release of the client ... and soon!

Please note that our iMac's Safari will not load the Blogger site at all. So, this post is coming via one of our Windows systems. We will hopefully be able to flatten it and get Leopard on it soon!

Philip Elder
Microsoft Small Business Specialists


ShadowProtect Best Practices and Documentation

StorageCraft has a couple of support white papers for us:

When we first signed up with StorageCraft, there was no real gander through the support white papers. There was an assumption made that a "white paper" in that part of the support site was more towards marketing than actual technical documentation.

That assumption was wrong.

To avoid NTFS Event ID 55 errors, and other problems, it is recommended that we do the following on our SBS installations where ShadowProtect is the principal backup:

  • Disable all VSS enabled applications such as the SBS Backup and NTBackup while SP is running.
  • Disable any Volume Shadow Copy snapshots being taken of your data volumes. SP will provide that functionality with the multiple daily incrementals.
Have a look through the various white papers contained on StorageCraft's Web site: StorageCraft Documentation.

There are a number of excellent recovery related documents and more.

Philip Elder
Microsoft Small Business Specialists


Saturday, 24 January 2009

Word 2007 - APA, MLA, and other Styles Built-In!

I started my stint in University later in life. The word processor of the day was WordPerfect 5.x, and I needed to write my course papers in the American Psychological Association format since I was studying Psychology as one of my majors.

Getting a document APA formatted in any word processor at that time was mental gymnastics with some ability to template things. But, getting there was a lot of fun to say the least.

Those days are gone now:

APA, MLA, and other writing styles built right in

The APA and MLA (another common Arts major writing style) styles, and their particular formatting peculiarities, are built right into Word 2007.

If that is not an incentive to upgrade to Word 2007, then certainly the built-in styles plus student pricing for Microsoft products should be a clincher!

Philip Elder
Microsoft Small Business Specialists


Friday, 23 January 2009

SBS 2008 - Default Exchange 2007 SP1 Receive Connectors

Here is what they look like in the Exchange snap-in in the Windows SBS Native Tools Management console:

Default SBS 2008 Exchange Receive Connectors

Here are their respective settings (replace SS-SBS for the specific server name):

  • Default SS-SBS
    • General: Default SS-SBS
    • Protocol Logging: None
    • FQDN: SS-SBS.mysbsdomain.local
    • Message Max: 10240
    • Network: Local:,
    • Remote:,
    • ***Note the absence of the router's IP address (
    • Authentication:
      • TLS
      • Basic Authentication
      • Offer Basic only after TLS
      • Exchange Server
      • Integrated.
    • Permissions: Exchange users and servers, Legacy Exchange Servers
  • Windows SBS Fax Sharepoint Receive SS-SBS
    • General: Windows SBS Fax Sharepoint Receive SS-SBS
    • Protocol Logging: None.
    • FQDN: SS-SBS.mysbsdomain.local
    • Message Max: 10240
    • Network: Local: PORT 25, Remote:
    • Authentication: Basic Authentication only checked.
    • Permission Groups: Anonymous and Exchange.
  • Windows SBS Internet Receive SS-SBS
    • General: Windows SBS Internet Receive SS-SBS
    • Protocol logging: None.
    • FQDN:
    • Max Message: 10240
    • Network:
      • Use these local IP to receive: PORT 25 (server IP)
      • Receive mail from remote:
        • (gateway/router)
    • Authentication: TLS only checked.
    • Permission Groups: Anonymous.

Philip Elder
Microsoft Small Business Specialists


SBS 2008 - Enable UAC by default in Group Policy

We ran into a strange struggle while troubleshooting a client's line of business application today.

SBS 2008 is the primary server with all client computers running Windows Vista Business Service Pack 1.

We have set up a limited domain user account that was pushed out to all of the client computers and subsequently added to the local admin group on them for software installs and system configuration changes. The password on this account has not been rotated yet as this is a relatively fresh install. It will be rotated on a regular basis once things have settled in.

Remote Assistance in SBS 2008 allows the user to check a box to transfer UAC prompts to the one providing the remote assistance. But, they first need to affirm that setting by receiving a UAC prompt.

When we were providing remote assistance for the LoB and the user enabled the setting to transfer UAC prompts to us, no UAC happened. We knew this because the RA window goes black during that initial UAC prompt.

It did not take long to see that the user had managed to disable the Windows Vista UAC prompt altogether.

Well, we do not want that to happen. So, to eliminate that happening again, we are going to enable UAC by default using Group Policy:

Enable UAC by default in Group Policy

We created and linked a GPO called Default Computers Policy to the Computers OU, disabled User settings, and set the following under Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Security Options:

  • UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials
  • UAC: Behavior of the elevation prompt for standard users: Prompt for credentials
  • UAC: Detect application installations and prompt for elevation: Enabled
  • UAC: Run all administrators in Admin Approval Mode: Enabled

Note that we set a comment into the properties of the GPO itself to keep track of the GPO's creation date, the changes we made and when they were made. We do this for all GPOs, but in this particular case the Windows Settings node does not allow for comments on each setting, so it is particularly important to make note of any changes we have made.

The Administrative Templates nodes for both User Configuration and Computer Configuration allow for us to comment on the individual settings. We also comment when we have made changes to any settings in those nodes too.

Once the new settings have been updated on the client workstations, the UAC will not be able to be disabled.
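
To confirm that the GPO really carries the four settings listed above, the following added example (not part of the original post) parses the GPO's security template, the GptTmpl.inf file that Security Options are written to under the policy's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL, and reports any UAC value that is missing or weaker than intended. The two templates are constructed samples, and accepting both 1 and 3 as "Prompt for credentials" is an assumption made to cover Vista as well as later Windows versions.

```python
"""Check a GPO security template (GptTmpl.inf) for the four UAC settings."""

POLICY_KEY = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Registry value name -> (policy setting, accepted REG_DWORD data).
# Assumption: 1 is "Prompt for credentials" on Vista; later versions also use 3.
EXPECTED = {
    "EnableLUA": ("Run all administrators in Admin Approval Mode", {1}),
    "ConsentPromptBehaviorAdmin": ("Elevation prompt for administrators", {1, 3}),
    "ConsentPromptBehaviorUser": ("Elevation prompt for standard users", {1, 3}),
    "EnableInstallerDetection": ("Detect application installations", {1}),
}

# Constructed sample: a template matching the settings in the post.
GOOD_TEMPLATE = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

# Constructed sample: UAC switched off, silent elevation, one setting absent.
WEAK_TEMPLATE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
"""


def registry_values(inf_text):
    """Return {lower-cased registry path: (type, data)} from [Registry Values]."""
    values = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, rhs = line.partition("=")
        reg_type, _, data = rhs.partition(",")
        values[path.strip().lower()] = (reg_type.strip(), data.strip().strip('"'))
    return values


def audit_uac(inf_text):
    """Return a list of (value name, problem) for settings that are off or absent."""
    found = registry_values(inf_text)
    findings = []
    for name, (setting, accepted) in EXPECTED.items():
        entry = found.get((POLICY_KEY + "\\" + name).lower())
        if entry is None:
            findings.append((name, f"{setting}: not configured in this GPO"))
            continue
        reg_type, data = entry
        # Type 4 is REG_DWORD; anything else is not a valid UAC setting.
        if reg_type != "4" or not data.isdigit() or int(data) not in accepted:
            findings.append((name, f"{setting}: unexpected value {reg_type},{data}"))
    return findings


if __name__ == "__main__":
    for label, template in (("good", GOOD_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        problems = audit_uac(template)
        print(label, "->", "OK" if not problems else problems)
```

The real file is normally saved as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_uac`.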

UAC is, in our experience, one of the best tools a user has to prevent malware or virus infections. Once a user is aware of the implications when they see a UAC prompt, and they know they need to cancel unless they initiated a software install, it is virtually impossible for any bad software to take hold of the system.

We did the opposite of Petri's Method #3 to disable UAC in Group Policy: How can I disable the User Account Control (UAC) feature on my Windows Vista computer?

Philip Elder
Microsoft Small Business Specialists


Thursday, 22 January 2009

Ever been "yelled" at by a (Telus) "Customer Service" rep?

This post is in the midst of a "brewing and stewing" time after having one of the more surprising conversations with a "customer service" representative that I have had in a long time.

Please keep that in mind while reading this post.

I went out to the TelusMobility store where I purchased the HTC Touch Pro in mid-December to get this current bricked phone replaced.

Now, if you are keeping track, the phone in hand is phone #2 after phone #1 decided it was in a mid-seventies disco mode with the backlight pulsating.

Phone #2 was found locked up one morning. So, after soft resetting the phone, it proceeded to run a half-baked reinstall as though it was hard reset.

Today's phone, #3, was to replace #2.

But, phone #3 is all scratched up and most certainly used.

The dealer is unfortunately helpless in the way of being able to help me out here. So, in goes the call to Telus to try and get a new phone.

Asking for a new replacement phone is not out of line with my current experience with two bad units. Having replacement phone #3 come to me in the condition it was in was certainly quite surprising.

We operate our own business here. And, we strive to supply our clients with the best possible product experience. When things fall flat on their face, we do our best to make up for that experience, even if it means spending a lot of time and money to fix the problem (previous blog post).

When I called into Telus, the front line technician was not able to follow through on my request. I was transferred to a "Client Loyalty and Retention" manager by the name of Joe out of Calgary.

Now, keep in mind that I spent a couple of years collaborating and working with a TelusMobility dealer here in St. Albert just before Monique and I incorporated MPECS Inc. So, we got to see first hand what kind of struggles the dealer had to put up with along with the hoops they were forced to jump through by Telus.

The essence of my "conversation" with Joe:
  • "It is the dealer's responsibility as they sold you the phone." I purchased the phone from TelusMobility, whom the dealer represents. Joe's point did not wash.
  • "You purchased the phone outright, sign a 3 year contract and we will give you a new phone at a steeply discounted price". Now how about that! Stiff the dealer out of his sale (defective phone has to go back somewhere) and force me, the customer, into signing a contract I did not want to sign in the first place.
  • "It is HTC's problem, take it up with them". I proceeded to explain to him that, as a business owner myself, if my client went through what I was going through at this point with a defective product, our business would be replacing the problematic product without any questions.

By the last point, Joe had become quite exasperated with me and his voice had definitely stepped up a number of decibels during the latter part of the phone call. I was told by Joe, "I just can't understand how anyone can expect us, Telus, to give them another phone when they will not demonstrate any kind of commitment [by signing a contract I did not want to sign in the first place]".

When Joe was told that, "The customer is always right", I was essentially told to go take a flying leap and the call ended there.

My "business" relationship with Telus has been somewhat like/hate since I signed up for my first phone about eight years ago. Recently, my HTC PPC6700 (~2.5yrs old) was on its last legs, and no real offer was available short of $150 off for signing another 3 year contract. This was unacceptable to me.

So, where does this leave me? I need to go back to my friend, yes I have known him for a long time, that runs the TelusMobility store where the phone was originally purchased and see if we can obtain a suitable replacement for this phone ... again. If not, then where does that leave me? My contract with Telus is up in June.

The credit card used to purchase the phone has terms and conditions that are pretty clear when it comes to purchasing a product that does not work properly with no resolution. It allows us to refute the charge. Unfortunately, the store owner gets caught in the middle, but what are the choices?

Maybe BellMobility? At least I can pick up another HTC Touch Pro. I like the phone ... at this point the cell provider is less than stellar ... and, HTC seems to be having quality control issues. Though the bricking of phone #2 may very well be due to the carrier mucking about in the default Windows Mobile 6.1 Pro OS.

Perhaps it is time to look seriously at an iPhone 3G?!?

*Very Deep Breath*

Philip Elder
Microsoft Small Business Specialists


QuickBooks 2008 Multi-Currency - no 2009 version

We have done a number of QB 2009 upgrades for our clients so far.

We are on a subscription with Intuit for our QB needs. Generally we receive a disk in the mail along with our new key codes.

That has not happened yet.

We initiated a chat session after logging into our account on the Intuit support site.

This is the conversation with JasonS:

Philip: I need 2009 please?
Philip: or is 2009 MC not ready yet?
Jason S: I am showing you on a multicurrency subscription
Philip: is there a 2009 version for Multi-Currency?
Jason S: No, it is the same as the MC product that was put out in 2008.
Philip: that explains the lack of a CD mailer then
Jason S: yes
Jason S: When the new code base is able to handle multicurrency, then it will be shipped out to you.
Philip: oh?
Philip: when you say new code base, are you talking about the non-multicurrency version?
Jason S: We are hoping for the 2010 product, but we do not have a guaranteed date for it.
Jason S: Yes, the same program that the 2008 and 2009 products are.
Jason S: but able to do the MC
Philip: thanks for your time. I will not worry about product updates then. Hopefully that means that we will not get expiry messages?
Jason S: You shouldn't
Philip: Thanks.

So, for those of us running our businesses on QB 2008 Multi-Currency, we will need to hang on for a while before we see any updates to the software.

As long as our payroll and any incremental updates keep coming down, we should be okay.

And, at least we can be assured of having a relatively stable QB for the next little while! ;)

Philip Elder
Microsoft Small Business Specialists


Wednesday, 21 January 2009

SBS 2008 and Group Policy Preferences

The Microsoft document download:

Here is a Group Policy Object with the GP Preferences expanded for both computer and user configurations:

SBS 2008 Group Policy Preferences

With the exception of any Windows Vista SP1 workstations that have the RSAT (download site) installed, all workstations and servers will need to be updated to accept the GP Preference settings pushed out to them.

For those using WSUS, the update should have come and gone a while back: Microsoft Knowledgebase KB943729: Information about new Group Policy preferences in Windows Server 2008. If not using WSUS, then a file for each OS and architecture (x86 or x64) will need to be applied. The above search results link contains links to each file needed as does the KB article.

Group Policy Preferences are just that: Preferences. They enable us to provide the user with a set of allowed configurations on their desktops that they can choose. If they don't like something in one of the GP Preferences, they can disable it, change the setting to something they prefer, or just ignore it altogether.

They also give us the ability to fine tune a user's experience as well as connected network resources without the use of complicated logon scripts. We can create and link a GPO to an OU or Security Group to limit the scope of the preferences.

Or, we can use GP Preferences to set up and push a local admin account (using a limited domain account created in ADUC) on all Windows Vista and XP Pro workstations that we can change the password for in a snap after say a run of software updates. Thus, once the password has been changed, it is possible to have a little more control over what is happening on the SBS network.

This feature is one big plus to migrating existing SBS 2003 domains to SBS 2008.

Philip Elder
Microsoft Small Business Specialists


Server 2008 and Vista SP1 Group Policy settings spreadsheet download

It never hurts to have a quick reference to the more complicated aspects of the products we work with.
The download is in either Excel 97-2003 format or the new Excel 2007 format. Note the difference in the size between the old and new formats!

The benefit of having the spreadsheet is the ability to do a quick Find to search for a policy setting.

Each setting has its location within the GPO indicated, its name, what client and server OS versions support it, a really good explanation of the setting, and whether a reboot or logoff would be required to get the policy setting to apply.

Group Policy is a pretty awesome thing for us to manage our SBS domains. The new Windows Server 2008 Group Policy structures we inherit with our SBS 2008 domains are phenomenal.

One example is Group Policy Preferences. They give us such granular control over so many aspects of our SBS domains that we previously had to either script or run manually on all workstations.

Check it out!

Philip Elder
Microsoft Small Business Specialists


Tuesday, 20 January 2009

Seagate SATA drives and a firmware update

Seagate, it seems, has been experiencing some issues with their Barracuda SATA line of hard drives from a particular manufacturing facility.

We have experienced what seems to us to be an inordinately high number of drive failures on the ES.2 series. Though, in our case the drives die midstream and generally not during a boot of the server.

Previous posts:
Seagate's articles on the matter:
The second article indicates that the drives that we have in production will not have a firmware update yet.

When we have had a dead drive in the past that has spun up with no internal sounds indicating drive heads being flung about within, we have had some success with switching out the daughter cards that contain the electronics.

In this case, we have not had any drive failures related to the firmware situation, so we cannot test to see if this does indeed enable us to gain access to the drive's contents. We have seen some indications that we may not be able to do so.

A small bonus for us is the ability to obtain an RMA from our supplier for one full year after the original purchase and have a replacement drive the following day. The drawback is that we have consistently had the defective drives replaced with identical ones.

Philip Elder
Microsoft Small Business Specialists


Monday, 19 January 2009

Hard reset the HTC Touch Pro on Telus

Apparently the stock HTC Touch Pro hard reset instructions have been slightly modified by Telus.

To hard reset the HTC Touch Pro on a Telus network:
  1. Make sure the phone is on.
  2. Pull the stylus.
  3. Turn the phone upside down.
  4. Hold both Volume UP and Volume Down buttons simultaneously.
  5. Hold the Enter (round button). (Step 1 and 2 at the same time)
  6. Reset the phone using the stylus.
  7. Wait for the "Are you sure" message and release the volume buttons.
  8. Use the Volume Up button to confirm the hard reset.

The phone will run through a blanket reinstall of everything just as it did when it was first fired up.

The reason we know this?

The first HTC Touch Pro we received had a pulsating backlight: HTC Touch Pro Windows Mobile 6.1 Review.

This second one decided that it was going to lock up sometime between plugging it in to charge at night and the morning. When the phone was reset, it ran through the initialization routine with a choke mid way through.

The phone still works, but the data connection and the display theme are toast. Not only that, there are missing icons and software on the phone or most of the "installed" software will not run.

While on the phone with the Telus technician, the phone would not hard reset. The icon for Clear Storage was also missing, so we could not reset the phone that way either. We could not even set up the cellular data connection manually as those settings had seemingly disappeared too.

We are now onto HTC Touch Pro phone number three!

The phone's features are great, but the hardware is starting to show quality issues. Whether this problem is related to the carrier and their "modifications" or HTC is not known.

Philip Elder
Microsoft Small Business Specialists


SBS 2008 Windows Firewall with Advanced Security troubleshooting

We are discovering that there can be quite the process to enable an application installed and hosted on the SBS 2008 box to listen for incoming connections.

Not only that, the application client on the Windows Vista workstation will most likely need at least a program exception enabled in the Windows Firewall with Advanced Security properties too.

Two settings that need to be enabled after SBS 2008 has been installed and configured to help with troubleshooting:

Enable Log dropped packets

After opening the Windows Firewall with Advanced Security console, right click on Windows Firewall with Advanced Security and click on Properties. Click the Customize button for Logging to enable logging on the domain profile (it should be active).


Enable Display a notification

Click on the Customize button for Settings and enable the Display a notification setting so that a pop-up will happen if a newly installed application tries to get out and listen.

With Logging enabled, click on the Monitoring node and there will be a hyperlink to the log file that can be clicked on for quick access. The log will indicate any dropped packets, the port they were attempting to connect on, and whether they were UDP or TCP. The client IP is also included along with other details.
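When the log gets long, it helps to group the drops by protocol and destination port to see which exception the hosted application is missing. The following Python script is an added example, not part of the original post; the log lines and the 192.168.16.x addresses are constructed sample data in the layout the firewall writes.

```python
"""Summarize dropped inbound packets from a Windows Firewall log (pfirewall.log)."""
from collections import defaultdict

# Constructed sample in the layout the firewall writes; not real traffic.
# The last line is deliberately truncated, as happens when the file is read mid-write.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-01-19 10:15:02 DROP TCP 192.168.16.21 192.168.16.2 49233 1433 52 S 2711360519 0 8192 - - - RECEIVE
2009-01-19 10:15:05 DROP TCP 192.168.16.21 192.168.16.2 49233 1433 52 S 2711360519 0 8192 - - - RECEIVE
2009-01-19 10:15:09 DROP UDP 192.168.16.22 192.168.16.2 51002 1434 29 - - - - - - - RECEIVE
2009-01-19 10:15:11 ALLOW TCP 192.168.16.21 192.168.16.2 49240 445 0 - 0 0 0 - - - RECEIVE
2009-01-19 10:15:14 DROP ICMP 192.168.16.23 192.168.16.2 - - 60 - - - - 8 0 - RECEIVE
2009-01-19 10:15:20 DROP TCP 192.168.16.22 192.168.16.2 50117 1433 52 S 998877665 0 8192 - - - RECEIVE
2009-01-19 10:15:21 DROP TCP 192.168.16.22
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The column order comes from the log itself, not from this script.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header seen yet, or a truncated line
        entries.append(dict(zip(fields, values)))
    return entries


def summarize_drops(entries, server_ip):
    """Group DROP entries addressed to server_ip by (protocol, destination port).

    Returns a list of (protocol, port, count, client_ips), busiest first.
    The port is None for protocols without ports (ICMP logs "-").
    """
    groups = defaultdict(lambda: {"count": 0, "clients": set()})
    for entry in entries:
        if entry.get("action") != "DROP" or entry.get("dst-ip") != server_ip:
            continue
        raw_port = entry.get("dst-port", "-")
        port = int(raw_port) if raw_port.isdigit() else None
        group = groups[(entry.get("protocol", "?"), port)]
        group["count"] += 1
        group["clients"].add(entry.get("src-ip", "?"))
    rows = [
        (proto, port, g["count"], sorted(g["clients"]))
        for (proto, port), g in groups.items()
    ]
    rows.sort(key=lambda r: (-r[2], r[0], r[1] or 0))
    return rows


if __name__ == "__main__":
    parsed = parse_firewall_log(SAMPLE_LOG)
    for proto, port, count, clients in summarize_drops(parsed, "192.168.16.2"):
        print(f"{proto:4} {port!s:>5}  drops={count}  from {', '.join(clients)}")
```

To use it on a server, pass the contents of the log file named on the Monitoring node to `parse_firewall_log` in place of `SAMPLE_LOG`.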

Two additional tools for the troubleshooting:

  • From the command line: netstat -an >ports.txt [Enter]
  • From the command line: PortQry -local >ports.txt [Enter]

PortQry V2 can be downloaded from here: PortQry V2 Download. Both commands will output a list of services, the ports they are listening on, the IP addresses they are using, and more.

If the service being troubleshot shows up in the list as Listening, then the next step is to check that the Vista client is allowing the application client out.

Philip Elder
Microsoft Small Business Specialists


Saturday, 17 January 2009

Blog: SnapShots is gone ...

We put up a poll on whether to keep SnapShots or let it go: Blog Poll: Should we keep SnapShots?

The responses to the poll put SnapShots out.

While the feature can be handy, we try and make a point of labelling any link with a short (italicized) description of where the link will take you.

The breaker for us, and one of the main reasons behind initiating the poll, was the occasional underlined word with an ad tied to it that did not fit in with our blog and its gist. The other reason was some of the ads placed around the screenshot of the page the link was leading to. There were a few other little things that grew to be irritating from a blog management point of view too.

Suffice it to say, SnapShots is now gone!

Thanks for your input! :)

Philip Elder
Microsoft Small Business Specialists


ExchangeDefender mobile blog post test

This post should have the ExchangeDefender footer with a link to check the e-mail's authenticity.

Click through on that link to see what it has to say.

For us, the ExchangeDefender footer is a sign to our clients that we take our e-mail safety seriously.

And, from a business point of view, since we are an OWN partner, it is another revenue opportunity for us with our clients.


Sent from my SBS integrated Windows Mobile® phone.

SBS 2003 - ISA and ExchangeDefender IP Subnets

Since our switch to the ExchangeDefender service for our own e-mail is now over 72 hours old, we can be reasonably confident that there are no other e-mail servers out there that are using our old DNS MX records that pointed to our three SBS sites.

Since we purchased SBS 2003 R2 Premium SA for two of our sites, we will be migrating both sites to SBS 2008 and still be eligible to protect those sites with ISA.

In the mean time, our sites are still behind ISA running on SBS 2003 R2 Premium.

Now, the ExchangeDefender Deployment Guide addresses the need to limit the IP subnets to protect the internal Exchange server without getting into too much detail. The recommendation is to limit SMTP traffic at the firewall, but since there are so many firewall products out there, the deployment guide only shows us how to set the IP subnet restrictions into Exchange itself.

Here are the ExchangeDefender IP subnets:

ExchangeDefender IP Subnets

For SBS 2003 R2 Premium with ISA 2004 SP3 installed, and for the time when we migrate to SBS 2008 protected by our Software Assurance benefit of ISA 2006 SP1, the setup is actually quite simple.

In the case of SBS 2003 R2 Premium, we took the default SBS Smtp Server Access Rule that had the External network set as the From/Listener and removed it. We then created the ExchangeDefender Subnets in the Add dialogue on the From tab for the rule. The following screenshot shows the modification:

ISA - SBS Smtp Server Access Rule Properties - From Tab

And, once the edit is complete and the APPLY button in ISA has been clicked on:

Default SBS SMTP Rule modified with the ExchangeDefender subnets

The rule setup will be similar on the standalone ISA 2006 SP1.

Once the 72 hours have passed and legitimate e-mail is flowing solely through the ExchangeDefender network, head into the ISA live Logging feature and filter the query on the SMTP protocol. It will become readily apparent that there are a lot of illegitimate SMTP connection attempts being made.

ISA blocking SMTP attempts

In this particular screenshot, the IP address is from Kiev (Kyyiv) in the Ukraine.

And this one is from Kuala Lumpur:

ISA blocking SMTP attempts

We certainly hope that, as time goes by, the IP address associated with our Exchange server will no longer reside on spammers' e-mail server IP address list.

Now that we have seen this, ExchangeDefender makes even more sense to us.

Philip Elder
Microsoft Small Business Specialists


Friday, 16 January 2009

SBS 2008 - HP LaserJet 1320 will not auto install for TS

We blogged a bit about our experiences with HP LaserJets and the automatic driver install built into Terminal Services on SBS 2008: SBS 2008 Terminal Services and HP Printer Drivers

We ran into one printer that had a driver that would not install no matter what we tried. Not only that, the printer would not accept the HP Universal Print Driver either.

That printer was the HP LaserJet 1320.

If there is a need to deploy TS Desktops or Applications and the remote users have a LaserJet 1320, then we need to install the HP LaserJet 1320 onto the LPT1: port to enable the remote users to print.

When we do this, we name the printer DO NOT USE so that the remote users do not mistakenly try and run a print job to it.

Philip Elder
Microsoft Small Business Specialists


Wednesday, 14 January 2009

AntiVirus 2009 on Google's Home Page?!? WinSystems.dll

This is probably one of the more interesting things to see on any given day:

Google has detected unregistered (sic) AntiVirus 2009 copy on your computer.

Now, besides the bad grammar, it is a little surprising that Google would be supporting any kind of A/V product.

If one is careful enough, the so-called IE Information Bar actually hides a bit of bad code that shows itself. has some great articles on removing the malware.

The articles point to a Malwarebytes A/V freeware product that actually does the removal: Malwarebytes' Anti-Malware.

In the above screenshot, the malware shows in the tray. The user knew that there was something up on the initial window, but did not realize that the only way to get rid of that window was via the Task Manager. So, clicking on the red X only served to give A/V 2009 a foothold into the system.

So, we downloaded the tool and ran it through. It cleaned out the system, but missed something. After the clean we were still getting the A/V 2009 hook on the Google Web page.

So, back to Antivirus 2009 Hijacks The Google Web Site. But, the winsrc.dll file mentioned in the article did not exist on this system.

Run IE with no add-ons and Google was clean.

So, a look into the Add-Ons manager in IE turned up:

IE Add-On for Research? winsystems.dll

Disable that add-on, and sure enough there was no more A/V 2009 on Google's home page.

A quick search for the file and a SHIFT+DEL and the file was gone.

The lesson here is quite simple: MalwareBytes is a great tool, but like any other malware fighting tool, it may miss on its searches once in a while. It managed to scan through and find a whole bunch of different stuff like the original A/V 2009 programs, search bars and the like, but it missed the winsystems.dll.

For users with Windows Vista, the UAC lesson is very simple: Cancel.

For users of Windows XP: Do Not Touch. Bring up the Task Manager and kill the software there.

The process in the Processes tab was AntiVirus2009.exe, so it was not too difficult to kill. We had to kill it before we could get to the MalwareBytes site and download the cleaner tool, as A/V 2009 always redirected to a "Get our product now or else you are doomed" type message page.

We really need to keep on top of training our users! In this case, we are dealing with a new client. So, in time, and with some Internet "Street Smarts" training, our new client's users will be more likely to avoid any malware infections.

Working against malware is one area where our experience, that is our working with the same settings and Internet Explorer Add-Ons, and knowing which Windows processes are the right ones to be there, can pay dividends in finding the source of the problem quickly and efficiently.

Philip Elder
Microsoft Small Business Specialists


SBS 2008 - Migrating Practice Creative Suite from SBS 2003

One project we are working on is the move of an existing SBS 2003 domain onto a totally new SBS 2008 setup. The previous SBS 2003 setup was too messed up to even consider a migration, plus we were walking into a totally new server and workstation setup anyway.

One product we are working with in this case is the Thomson Reuters Practice Creative Suite (PCS). It is a product that users use to keep track of their time while working on their client tasks.

Note that, during the Practice CS install routine, install the client software too as it may be required when testing database connectivity.

Also, install SQL 2005 Express into a new instance leaving the default CREATIVESOLUTION instance name.

The database move was actually quite simple as all that needs to be done is detach the database in Microsoft SQL Server Management Studio Express. Once the database and log file are released, copy them onto a USB hard drive and copy them up to the default CREATIVESOLUTION instance that was created when Practice CS was installed on the new SBS 2008 box.

There are a number of gotchas in this process. One of them is the actual NTFS permissions on the two files once they are in place in the SQL directory.

Since we are talking about SBS 2008 with its own SQL 2005 Express db installed, the default directory will probably be:
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Data
The simplest way to line up the correct permissions on the two SQL files is to right click on the CSP_0_Sample.mdf file and click on Properties. Click on the Security tab and then click on the Continue button which will require a UAC acknowledgement.

There should be three sets of permissions with FULL CONTROL set:
  • Administrators

Duplicate those permissions for the newly copied in database and log files. It is important to do this step first as the attach process will choke if the permissions are incorrectly set, with an error about Read-Only and "Performing a database recovery" in SQL Server Management Studio Express.

Once the permissions are correctly set on the databases, attach them. Make sure to close SQL Server Management Studio Express (SSMSE) if it is open first. Right click on the SSMSE and Run as administrator. If this step is missed, the database attach will choke.

Okay! We now have a nicely installed set of databases in SSMSE. But, none of the default permissions that Practice needs will be set yet. Verify that the SBS domain admin account is owner of the database within SSMSE by right clicking on the CSP_FIRM#_FIRM# database and clicking on Properties.

If the domain admin does not own the database, then we need to run the SQL 2005 Surface Area tool. Again, right click and Run as Administrator. Click the Add New Administrator link and move the CSP_FIRM#_FIRM# database over to the "Privileges that will be granted to SBSDOMAIN\AdminAccount" list and click OK.

With the correct permissions set, we need to verify the Users under the Security folder for the CSP_FIRM#_FIRM# database to have dbo (Login name: CreativeSolutionsPracticeCsDatabaseOwner), INFORMATION_SCHEMA, and sys.

The dbo is critical. In our case, the domain admin account was the login setting for the dbo and we were not able to shift to the CreativeSolutionsPracticeCsDatabaseOwner account.

We created a new account called dbo-PCS, set the needed user account as its login, and gave it the Database role membership of db_owner.

New dbo-PCS account with ownership set

Once Practice CS is installed on SBS with the requisite reboots, the database has been properly attached, and Practice CS has been installed onto the workstations (no Remote Entry option) and/or laptops (with Remote Entry), a connection attempt can be made. More than likely it will fail.

We need to do the following on the SBS 2008 server itself:

SBS 2008 Firewall Exceptions

We need to set up Inbound rules for the following:

  • TCP 1433
  • UDP 1434
  • SQLBrowser.exe ( ..\90\Shared\sqlbrowser.exe)
  • sqlservr.exe ( ..\MSSQL.X\MSSQL\Binn\sqlservr.exe)

MSSQL.X indicates the SQL 2005 Express instance. If Practice CS is the first product to be installed on SBS 2008 with an additional SQL Instance, then X=2. The SQL application to be exempted needs to be the one that resides in the same folder structure as the Practice databases.
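The UDP 1434 and sqlbrowser.exe exceptions matter because a client connecting to a named instance first asks the SQL Server Browser service which TCP port that instance listens on. As an added example (not from the original post or from the Practice CS vendor), this Python script parses a Browser reply and reports whether a port rule or the program exception is what lets the instance through; the sample reply, its version string and port 49172 are constructed.

```python
"""Interpret a SQL Server Browser reply to see which firewall rule an instance needs."""
import socket
import struct

CLNT_UCAST_INST = 0x04   # request byte: "describe this one instance"
SVR_RESP = 0x05          # first byte of every Browser reply
BROWSER_PORT = 1434      # UDP port the Browser service listens on


def query_browser(host, instance, timeout=2.0):
    """Ask the Browser service on a server you administer about one instance.

    A timeout here usually means UDP 1434 is blocked or the service is stopped.
    """
    request = bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, BROWSER_PORT))
        reply, _ = sock.recvfrom(65535)
    return reply


def parse_browser_reply(data):
    """Return {INSTANCE_NAME: {key: value}} from a Browser reply datagram."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not a SQL Server Browser reply")
    (size,) = struct.unpack_from("<H", data, 1)   # little-endian body length
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated reply")
    instances = {}
    # Each instance is a run of key;value pairs terminated by a double semicolon.
    for record in body.decode("ascii", "replace").split(";;"):
        tokens = record.split(";")
        if len(tokens) < 2:
            continue
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        name = fields.get("InstanceName")
        if name:
            instances[name.upper()] = fields
    return instances


def check_instance(instances, name, open_tcp_ports):
    """Return (status, tcp_port) for one instance given the TCP port rules in place."""
    fields = instances.get(name.upper())
    if fields is None:
        return ("not-advertised", None)    # wrong name, or instance not running
    if "tcp" not in fields:
        return ("tcp-disabled", None)      # only shared memory / named pipes enabled
    port = int(fields["tcp"])
    if port in open_tcp_ports:
        return ("port-rule-ok", port)
    # Named instances use a dynamic TCP port by default, so a fixed 1433 rule
    # does not match; the program exception for the engine is what admits it.
    return ("needs-program-rule", port)


def _build_reply(body):
    raw = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(raw)) + raw


# Constructed reply: one pipes-only instance and the Practice CS instance.
SAMPLE_REPLY = _build_reply(
    "ServerName;SS-SBS;InstanceName;SBSMONITORING;IsClustered;No;"
    "Version;9.00.4035.00;np;\\\\SS-SBS\\pipe\\MSSQL$SBSMONITORING\\sql\\query;;"
    "ServerName;SS-SBS;InstanceName;CREATIVESOLUTION;IsClustered;No;"
    "Version;9.00.4035.00;tcp;49172;;"
)

if __name__ == "__main__":
    found = parse_browser_reply(SAMPLE_REPLY)
    for instance_name in sorted(found):
        print(instance_name, check_instance(found, instance_name, {1433}))
```

Against a live server, feed the result of `query_browser("server-name", "CREATIVESOLUTION")` to `parse_browser_reply` instead of `SAMPLE_REPLY`.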

Run the Practice CS client on the server, and a firm logon page should appear.

Now, run Practice CS on a Vista client, and more than likely there will need to be one more firewall rule set up ... but not on the server, in Windows Vista.

Windows Vista Outbound Firewall Rule for Practice CS

Once we created the outbound exception on the Windows Vista client box, we were still seeing a connection error.

There was one more step to the puzzle. On the SBS server, run the client and connect to the firm database. A logon is not required. Click cancel for the logon dialogue box to get to the Practice program, click on Help then About Practice CS. There is a Download Licenses button. Click on this to enter in the necessary particulars for the firm and allow the license files to download.

Once the files have downloaded, the Practice CS client will run a reinstall routine. If Practice CS is installed on all of the network clients already, then they too will run through the reinstall routine.

Once the license files are installed, Practice CS will fire up and the firm's database will be available for login.

Because this was a very time consuming and laborious process, some steps may be missed. Here is an overview of the process:

  1. Detach on original SBS
  2. Install Practice CS including client. Reboots required.
  3. Db and Log File copy to new Practice CS SQL instance directory.
  4. Files permissions set identical to the Practice Sample Db and Log File settings.
  5. Attach in SSMSE (Right click and Run as Administrator to open).
  6. Run SQL Server Surface Area Configuration and set domain admin to CREATIVESOLUTION instance.
  7. Set proper permissions for dbo in SSMSE.
  8. Set up SBS 2008 Firewall permissions for two applications and two ports.
  9. Test connection in Practice CS to firm database.
  10. Cancel login and download and install the firm's license files.
  11. Set Outbound program rule in Windows Vista for Practice CS.
  12. Run Practice CS on Vista client and connect to database.

Please comment if anything is caught missing or out of line with the process, and we will update the blog post.

Philip Elder
Microsoft Small Business Specialists


Tuesday, 13 January 2009

SBS 2008 Terminal Services and HP Printer Drivers

When configuring a Terminal Services Remote Desktop environment for users to connect to, keep in mind that SBS 2008 has the 64bit driver installed by default.

When deploying Terminal Services, one needs to make sure to install the Print Services Role, and then load up both the x64 and x86 HP Universal Print Driver on the SBS 2008 box.

If the user needs to take advantage of a particular printer feature on an MFP series, then make sure to verify on the HP Support site that there are no specific Windows Server 2008 x86 and x64 drivers available for that printer.

As a precaution, it is a good idea to verify if there are any specific printer drivers, both x86 and x64, with HP's site and load them into the Print Management Console anyway.

Philip Elder
Microsoft Small Business Specialists


Visual Studio Professional 2008 NFR goes to Platte River Whooping Crane Maintenance Trust

A while back we had an NFR copy of Visual Studio 2008 Professional that would never be used in our shop.

We offered the product up for any takers in the above blog post.

We received a number of responses with the Platte River Whooping Crane Maintenance Trust being the entry that was chosen to receive the NFR. Congratulations! :)

Thanks all for the responses folks!

Philip Elder
Microsoft Small Business Specialists


SBS 2008 and QuickBooks 2008 or 2009 Database Manager

Around here, QuickBooks (QB) is probably the number one accounting software we see in small businesses.

As some of our previous posts alluded to, the QuickBooks (blog label search) upgrade from 2007 to 2008 was very painful and in some cases outright destructive. With the advent of QB 2009, which looks to be an incremental update to 2008, things seem to have settled down.

Whenever we are asked about updating the company books to the newest version of QB, or any other accounting software for that matter, we always recommend that the company do the upgrade at year end, once the previous year's books are closed. If anything blows up, then very little work will be lost.

When it comes to the new setup in QB 2008 or 2009, the database structure is based on MySQL. So, if there is a need to share the QB company file, the QB Database Manager will need to be installed on the computer where the company file resides.

We have a number of Windows Server 2008 x64 Standard file servers where we have set up the database manager. There are, however, a couple of gotchas when there is a need to get things going on Win2K8 and SBS 2008 too.

We just finished an SBS 2008 setup with a centrally located QB file. The process is essentially the same for it.

SBS 2008 Firewall - QB Database Manager and Network Service

Both QB database manager programs need to be added to the Windows Firewall with Advanced Security Inbound Rules.

From there, after installing the QB database manager Server Only components on the server, make sure to visit the QB Update (Canadian site) site and download the webpatch.

Once the patch has been applied, there will be a need to reboot the SBS box. Keep this in mind if the install is being done during business hours.

After SBS reboots, if at an accounting office client, have a user load up a QB company file and try to switch it over to Multi-User Mode. Do the same for a non-accounting firm client that requires two or more people connected to the QB company file. Make sure to run this test, as the QB 8202 error will not show itself until the user tries this.

QB 8202 error tells us that QB cannot connect properly to the QB Database manager. The first time we received this error, we ran both the Db Manager update and realized we needed to open up the firewall at the same time.

Once the users have demonstrated that they can connect to the same company file together, it is time to move on! :)

Philip Elder
Microsoft Small Business Specialists


Monday, 12 January 2009

Some thoughts on SBS 2008

We have been having some of the craziest days lately! 8-O

Fortunately, all of the fires we have been working on have been solvable, or not too critical in nature.

We have done a number of SBS 2008 setups over the last little while with most of them being a non-migration of existing domains. From a really messed up Active Directory setup, a failing SBS with all kinds of hiccup issues, to a brand new set up where there was nothing to start off with, we have seen a lot of good things with SBS 2008.

The migration side of things we are saving for our own domain first. We will virtualize our current SBS 2003 R2 Premium and proceed to chop it up into little bits over and over again (hopefully only a couple of times).

For now, with the timing crunch here, suffice it to say that SBS 2008 really does improve things from both a user and admin perspective.

It is well worth the step up from SBS 2003.

Philip Elder
Microsoft Small Business Specialists


Friday, 9 January 2009

SBS 2008 - PDF Search in Companyweb SharePoint

Here are some excellent instructions for enabling the SharePoint spiders to crawl and index PDF files and their text content: SharePoint Server 2007 and SharePoint Services V3 PDF search and indexing.

The post does have the correct icon for us to download and install, though the name in the post and the actual file name are different. We also need a new version of the iFilter for 64bit systems: Adobe - Acrobat : For Windows : Adobe PDF iFilter 9 for 64-bit ...

  • The correct file name for the XML edit: icpdf_3.gif
In a nutshell:
  1. Download the above iFilter v9 from Adobe's site.
  2. Extract the installer from
  3. Click Start and right click on Command Prompt and Run as administrator.
  4. Click Continue at the UAC prompt.
  5. net stop iisadmin [Enter]
  6. In Windows Explorer, double click on the PDFFilter64installer file.
  7. Copy the PDF icon to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Template\Images
  8. In the C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\Template\Xml\ directory edit the DOCICON.XML file.
  9. Paste the following into the <ByExtension> section that is sorted alphabetically by extension (ours went under the "onetoc2" extension):
  10. <Mapping Key="pdf" Value="icpdf_3.gif"/>
  11. There will be a need to save the modified XML file to the server's desktop and then copy it back into the XML folder through two UAC prompts.
  12. Back at the command prompt: net start iisadmin [Enter]
  13. Click Start and type Windows SBS Native Tools Management [Enter] in Search.
  14. Click on the IIS Manager.
  15. Under the SS-SBS (MySBSDomain) click on Application Pools.
  16. Right click on the following and Recycle them:
    • DefaultAppPool
    • SBS Sharepoint AppPool
    • SBS Web Applications application pool
    • SBS Web Workplace AppPool
    • SharePoint Central Administration v3
  17. Post the PDFs.
  18. Or, instead of recycling the services, append the System Path with: C:\Program Files\Adobe\Adobe PDF iFilter 9 for 64-bit platforms\bin\ and reboot!

The update to the System path is suggested in the Adobe installation instructions.

Once the SharePoint application pools have been recycled, we will see:

PDF document icons

One very, very important thing to remember: Upload the PDF files AFTER the Adobe PDF iFilter is installed so that the files are indexed. Otherwise, they will not be indexed until they are touched!

This is very important if there are thousands of PDF files to place into a document library or libraries.

UPDATE: Added the System Path variable to be appended in the last step, and made some grammar error corrections.

Philip Elder
Microsoft Small Business Specialists


Thursday, 8 January 2009

SBS 2008 - ExchangeDefender and the ExportAddresses.vbs how-to

OWN provides us with a simple VBS utility to run on the Exchange server to extract all e-mail addresses on the Exchange server. This dump file is then used to set up the e-mail addresses in ExchangeDefender.

Given the fact that the download resides on the OWN blog, the script will need to be downloaded to the Technician's Thumb Drive ahead of time if working with the server in person with no workstation access. Otherwise, have a zipped copy of the utility on the shop's Companyweb site or via a link to the ExchangeDefender download if working from a workstation.

The script should be placed in the root of the C:\ System drive. On SBS 2008, you will need to run the script from an elevated command prompt:
  1. Click Start.
  2. Right click on Command Prompt and click Run as administrator.
  3. Click Continue on the UAC.
  4. If the prompt ends up somewhere on the system drive already: cd \ [Enter]
  5. ExportAddresses.vbs [Enter]

We upload the resulting text file onto our own SBS Companyweb site as we run the ExchangeDefender Admin portal from within our shop network. That keeps things simple and the resulting SMTP Dump file becomes a part of our SBS setup documentation.

Philip Elder
Microsoft Small Business Specialists


Webinar: Jeff Middleton - Migration Concepts with SBS 2008

Jeff Middleton, an SBS MVP, is hosting a Webinar on SBS 2008 migration concepts.

Microsoft Partner Program: 5W/50 Series - Migration Concepts with SBS 2008 Friday January 9 at 09:00AM Pacific Time (US & Canada).

We have been SwingIT subscription holders for about two to three years now. Jeff's migration techniques, called a Swing Migration, to Swing SBS 2003 onto new hardware, or even Swing it off the old hardware and back on again are an absolute must learn for anyone supporting SBS.

While the Swing Migration method is great for migrating the existing OS, the techniques are an absolutely phenomenal foundation to work from when it comes to recovering SBS from a catastrophic failure. Once comfortable with them, it is a lot easier to stay calm in the midst of establishing a recovery plan for a failed SBS server. The techniques help establish the big picture, directions to take, and ultimately the best road to follow through to a successful SBS recovery.

Come have a listen. It will be worth your while!

Philip Elder
Microsoft Small Business Specialists


Simply 2009 simply disappears with multiple monitors?!?

All of our accounting office clients have multiple monitor setups on their desks. All it took was to convince one of the partners to try it, for free, for a couple of weeks. Pretty soon there were extra monitors on all of the partners' and bullpen workers' desks.

While this situation works really well for improving productivity, we have seen a few hiccups here and there. Strangely, many of the hiccups seem to be with Simply 2008 and 2009.

If a file is shared between two people at different times, and they have different monitor configurations, such as the extra monitor on the left instead of the right, then when either one opens the file the Simply window will flash by and "disappear".

The user will see a button on the toolbar, but will not be able to do anything with it.

To get that window back on the screen do the following:
  • Right click on the Simply button on the Task Bar and click on Move.
  • Tap on any one of the direction arrows (-->) on the keyboard. (This locks the mouse to the window's header)
  • Move the mouse around and the window will eventually appear.

Now, some programs will remember the window position when it gets closed. But, as we are seeing with Simply Accounting, this may not be the case with any kind of consistency.

In some cases, there will be no right click option when the Task Bar button is clicked on. When this happens do the following (note that there will be no feedback that the process is working until the mouse is moved about and the application window appears):

  1. Click on the Simply button to make it active.
  2. On the keyboard, press the following key combination together and release: ALT+Spacebar.
  3. Press the M key on the keyboard for Move.
  4. Press the --> or any of the direction arrows on the keyboard. The mouse cursor should "disappear".
  5. Move the mouse about until the missing application window appears.

Once this situation has happened once or twice, then the remedy becomes second nature.

Philip Elder
Microsoft Small Business Specialists


Wednesday, 7 January 2009

RWW and OWA Idle Time-Out Bug Filed - Please Feedback

We previously mentioned the situation here: SBS 2008 - RWW and OWA Idle-Time Caveat or Hiccup?

Essentially, if you pass through the Remote Web Workplace into Outlook Web Access and leave the RWW window/tab open but idle, it will time-out after 30 minutes.

The problem is that the active OWA window/tab will also hit an OWA logon page once the RWW has timed out, even though OWA was being used right up to the moment RWW timed out.

A bug has been filed on the Connect site: OWA Time-Out Behaviour when Remote Web Workplace idle time-out is reached. If this issue is important to you, please take a moment to rate the bug. It has already been validated by the SBS Team.

Philip Elder
Microsoft Small Business Specialists


Tuesday, 6 January 2009

Participating In the SMB Conference Call Tomorrow

Karl Palachuk will be interviewing Harry Brelsford and myself tomorrow morning at 09:00 AM Pacific Time (1000hrs Mountain).

You can register here: SMB Conference Call with Harry Brelsford and Philip Elder.

We will be talking about Harry's and my new SBS 2008 Blueprint book, which should be shipping any day now.

Writing the book with Harry was quite the learning experience. It was fun and gruelling at the same time.

One of the neat things about the process of authoring the book was seeing the growth in writing style and abilities across the many months we put into the tome.

Just in case you have not guessed it yet, I love to write! :) And, writing this book with Harry has been a very rewarding experience in so many ways.

Thank you to Harry Brelsford and the folks at SMB Nation for this opportunity!

And, one more piece of neat news: Look for the Advanced SBS 2008 Blueprint book sometime this fall! This book will be a solo project as Harry has given me my author's pilot's license! :)

We will deep dive into SBS Migrations, Companyweb SharePoint management and configuration, backup and recovery to similar and different hardware configurations, and more.

Thank you all for reading!

Philip Elder
Microsoft Small Business Specialists


Monday, 5 January 2009

SBS 2008 - Group Policy and 32bit PushPrinterConnections.exe

Deploying printers to 32bit XP clients via Group Policy in a 64bit SBS 2008 network can be frustrating if we are not aware that the utility included with SBS can only work with 64bit versions of XP Pro.

Our previous blog post on the matter: x86 PushPrinterConnections.exe a must for the Technician's Thumb Drive!

Please let the SBS team know that this is an important issue. If you have a Microsoft Connect account and were on the SBS Cougar beta (you may not have to be now that SBS is official), please go here and vote for this item's importance:

Connect ID: 382304.

Hopefully we can have the 32bit utility included in R2.


Sent from an SBS integrated Windows Mobile Phone.

SBS 2008 Migrations

Now that SBS 2008 has been out for a while, we have begun to see the realities involved with the migration process.

Primarily we are talking about SBS 2003 to SBS 2008.

Both internally and via the Internet, it is not hard to find migrations that have hiccuped, leaving the source or destination server useless, or in some cases both toast.

So, here are some procedures we are planning on making a mandatory part of our SBS 2003 to SBS 2008 migration procedures:
  1. Make a ShadowProtect image of the source SBS 2003 and do an HIR based restore with that image in our shop. This tests for a fallback if things don't work.
  2. Run the migration process against the newly HIR restored SBS in our shop, looking for gotchas and the death of either SBS. We then know what we are getting into.
  3. Run a ShadowProtect incremental just prior to initiating the actual migration process as well as during. Our fallback is ready and up to date.

In the end, the extra time and precautions will give us the confidence we need to come through any migration successfully.


Sent from an SBS integrated Windows Mobile Phone.

Thursday, 1 January 2009

SBS MVP Awarded to Philip Elder

There was a very pleasant surprise waiting for me in my Junk E-mail folder today (the domain has since been whitelisted):

Dear Philip Elder,

Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others.

Wow! Neat! :)

Thank you all, especially Rodney at Microsoft who was very much a part of the nomination process.

Without support from the community, you, this award would not have been possible. Thanks for all of your encouragement, knowledge sharing, constructive criticism and corrections, and so much more.

Philip Elder SBS MVP
Microsoft Small Business Specialists
