Friday 31 August 2007

System Builder Tip: Residential Wireless Setups

We just installed a wireless setup into one of our client's homes.

If one has not scoped out the neighbourhood for other access points beforehand, it can be really sticky to get things to work.

This is especially true if the house is not already wired for Ethernet. We have to work with what we have, or work with the hot and cold venting to get our Access Points where they will provide the best coverage and still have a power source.

In this case, there were approximately 7-9 neighbouring access points.

And guess what? Most of them were not secured. The ones that were, had WEP as their, um, "security". In case you didn't already know this, WEP can be cracked in minutes.

So, we have lots of signal competition. To get around this, we need to have our Access Point centrally located relative to where any wireless device may be connecting to it. We also need to make sure that the channel that the AP is going to use is "Automatic" so that the AP can rotate channels as needed. This last point is especially important in areas where there are competing APs close by.

So, we need to know: Which areas of the house are blanketed by a neighbour's AP strong signal.

To find out, we use our Windows Mobile phone. It has built in wireless capabilities and, with about 15 minutes of walking about to the four corners of the house and standing with it up in the air, we get a pretty clear lay of the wireless land.

A laptop with some software can also do the same thing. But, in our experience, laptop manufacturers are not consistent in their product's abilities to pickup wireless signals. It is also awkward carrying a laptop around.

We ended up with a compromise in this case: We installed the AP in such a way as to give a clear line of site to the room downstairs as much as possible. We managed a decent signal and throughput for now.

We have a couple of other options for them, but they will need to invest in some hardware to make it happen. For now, they are happy that they have access to their Internet connection pretty much anywhere in the house which means they will have access to their corporate workstations via their SBS network at the office.

Wireless Links:
WiFiFoFum has a radar feature to give an approximate location of each AP that is picked up by the wireless antenna. It is a pretty neat utility.

Also, remember that walls, duct work for heat and cold air returns, plumbing, and the home's structure all contribute to a degradation in the WiFi signal. Sometimes, the best signal comes with the strangest AP placements.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday 30 August 2007

StorageCraft - Small Business Special Expiration

Folks, if you have quotes based on the StorageCraft Small Business special of 1 server and 10 desktops, now is the time to get those orders in as the special has expired.

StorageCraft will honour the original special for 30 days from the release of their new version 3 of ShadowProtect for Desktops and Servers. The new version was released August 24, 2007.

That grace period ends: September 23, 2007.

This may give your clients a bit of incentive to order now to avoid a price increase in their backup/recovery solution.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Wednesday 29 August 2007

SBS - SBS Security and a Linux comparison

In all of our conversations with Linux gurus or guru wannabees, we can ask a simple question (keep in mind that we deploy 98.5% SBS Premium): You get your best tools, and we can sit down together and watch them try to work on our SBS Premium box with ISA setup and configured properly. With ISA SP3, we will be seeing a sea of red - that is denies!

ISA is more than a software firewall! Check out isaserver.org for more info. It is one of the best ways to manage data coming in or leaving the SBS network ... period. This is one of the main reasons why we pretty much only deploy Premium Edition of SBS. For a few extra dollars, the client gets an enterprise level of protection and user/software access management.

We have clients with Internet facing SBS Premium servers hosting email and providing HTTP filtering for Server 2003 Web Edition farms that have been running trouble free for years now. We have yet to see a successful attack.

For SBS standard, it is not much different since the built in firewall service is configured by the CEICW to only allow the requisite ports opened for SMTP and Remote Web Workplace access. The built in firewall cannot be as finely tuned as ISA, but it will provide that extra layer of protection over a firewall/router/gateway that should be protecting that SBS Standard box.

One should always use the native Remote Web Workplace connectivity to manage your SBS boxes. This further reduces the server's exposure. It gives you SSL protection for your management access without the risk of opening the 3389 port for Terminal Services.

The principle, as far as Linux is concerned, is having so many services running on one box. This is because of the way Linux operates. Each SBS like component, email like SendMail or QMail, Squid for firewall and proxy, Apache for web based services, SSH for remote management and connectivity, MySQL for databases, PHP for scripting and environments, Samba for sharing data files and folders across the internal network, and more all present an attack vector for someone to try and crack their way into the system.

Just the patch management alone on this kind of Linux setup would be a huge undertaking. Each server application product presents a different Web site or newsgroup that one would have to monitor for updates! Nevermind the conflicts that could arrise with all of these services installed on one box.

Small Business Server is not like that. Microsoft in the guise of the SBS team took a lot of time to make sure that each component of SBS plays nice together. They took the time to make sure that there would be a reduced attack vector by presenting what is essentially one secure and united front for access to the server: Remote Web Workplace. This front has a few facets in that VPN and Outlook Web Access can also be dialed in for access to data and email respectively. But, we are still presented with one way in: Through an SSL secured portal that requires us to authenticate BEFORE we get any further.

That is what a Linux person will not understand without sitting them down in front of the server's console and showing them point by point how things operate on a SBS box. Then we would let them watch the live traffic monitoring feature in ISA to gain an understanding of just how tight things run on SBS.

That in a nutshell, this late at night, is an off the top of the head run down of what is said to the Linux people we come across who protest the SBS configuration.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Mac on SBS - Reloading OS X wireless keyboard/mouse caveat

The iMac is not configured on our network yet, so this post is coming via one of our Windows machines.

We replaced our iMac's original wired keyboard and mouse with Bluetooth versions not long ago.
When we reinstalled OS X today, which ultimately took over two hours on the iMac, there were a number of inputs that needed to happen.

Wireless would not work at that time either. So, we needed to dig up our wired keyboard and mouse to complete the install and post install tasks.

So, don't throw out that wired keyboard and mouse! Otherwise, there will be a mad scramble to the local store for a keyboard and mouse to complete the install of OS X.

Not sure if a non-Apple keyboard and/or mouse could be plugged in once the OS X install had already been started. They probably would if present from the start.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Tuesday 28 August 2007

Mac on SBS - WSUS and the iMac

We are in the process of formatting and reinstalling the iMac. We are going to run through the SBS setup steps a number of times so we can refine our setup procedures for OS X 10.4.x Tiger. So, this post is coming via one of our Windows workstations.

We were greeted with a warning from WSUS on SBS R2 not long after the iMac was added to the domain:


There are 1 computer(s) that have not registered with Update Services. For more information, click More Information, and then in the Troubleshooting section click Common Problems.

imac
So, WSUS wants the iMac to register as per the common Group Policy that requires all Active Directory registered workstations to be updated via WSUS if it is installed on SBS RTM or SBS SP1. SBS R2 has WSUS installed by default.

Well, we all know that a Mac cannot be updated via WSUS! ;)

Under Advanced Management on the SBS server, then in Group Policy Management, click on the Small Business Server Update Services Common Settings Policy. Click on the Settings tab on the right hand side. Click the Show All near the top right of the settings page. Right click anywhere in the page, and print it. You will need those settings for the next steps.

The simplest method to eliminate the WSUS error message is to create an OU beside SBSComputers called SBSMacs. You will find SBSComputers under Domain\My Business\Computers in Group Policy Management.

After adding a Mac to the domain, it will show up in the default Computers group under the domain in Active Directory Users & Computers. So, once the SBSMacs OU is created, open ADUC under Advanced Management and move any Mac computers out of the default Computers folder into the new SBSMacs OU. Answer Yes if you are warned about moving them.
Create and link a new Group Policy Object (GPO) to the SBSMacs OU and call it SBSMacs Update Policy or something to the like. Once you have created the GPO, right click on it and click "Enforced". The Enforced setting will override the relevant GP settings from the default domain level GP.

You will end up with the following:


Edit the SBSMacs Update Policy by right clicking on it under the SBSMacs OU and clicking on Edit..., and Disable any of the Enabled settings found in the Small Business Server Update Services Common Settings Policy that we printed out previously.

Once the settings are completed, Start-->Run-->GPUpdate /force [Enter] to update Active Directory on the SBS box and any other DCs on the domain.

Here is a screen shot of the default SBS Update Services Common Settings Policy GPO for reference:


It is best to not have the SBS Update Services Common Settings Policy opened for edit while disabling the specific GP settings in the Mac specific GPO. This eliminates the possibility of confusion and the subsequent disabling of the settings in the wrong GPO!

This should eliminate any Mac based computer having to register with WSUS and thus the Yellow Shield warning in SBS R2.

Remember, it is always a good idea to create specific Organizational Units located in specific places within Active Directory for any Group Policy tasks we have in mind. Group Policy Objects are subsequently linked to those OUs with the appropriate settings for our specific requirements as we have done here. No GPO at the domain level should be created or modified there unless there is an absolute need for it!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Internet Explorer - Surreptitious Entry in the User Agent String

What does the Internet Explorer User Agent String say?

You can check it here: User Agent String.com.

By default on XP IE 7:


Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Okay, so it tells us that the browser is IE 7, on Windows XP and it has the three versions of .NET installed.

By default on Windows Vista IE 7:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
Again, it is quite simple. We have IE 7 as a browser, Vista as the OS, something about SLCC1, and the .NET components.

Now, what do we have here:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TheFreeDictionary.com; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)
We have it seems, some free advertising for a particular Web site going on. Somehow, whether by software install, spyware or malware install, the above .com site is in the User Agent String that IE shows to the world.

The InfoPath entry would have come by an InfoPath install.

To get rid of any unwanted entries, navigate to the following locations in the registry:

Windows XP:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Windows Vista:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Delete the offending key and close all IE windows. Open an IE session again and navigate to User Agent String.com and verify that it is gone.

It only seems fair that the offending site ask permission for their name to be carried around the Internet. If the offending entry's permission came via some small print in a Terms & Conditions somewhere, then this situation demonstrates why we should be reading them!

This is one more little indicator for us to use to keep an eye on system health and integrity.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Friday 24 August 2007

SBS - Troubleshooting port issues

Every once in a while we run into a situation where one service or another doesn't seem to get their designated port for listening.

When a port conflict happens, we use a Microsoft tool called PortQry to diagnose which service is jumping in on the port before the service that needs to use that port.

KB 832919 New features and functionality in PortQry version 2.0 explains the full features and their use for the command line version. About 3/4 of the way down is the PortQry local explanation.

KB 310099 Description of the Portqry.exe command-line utility. A brief description of the utility and its features.

The download: PortQry Command Line Port Scanner 2.0.

There is a GUI for the utility, though we don't really use it. It can be found here: PortQryUI - User Interface for the PortQry Command Line Port Scanner.

This is a required troubleshooting tool for our technicians.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday 23 August 2007

PowerPoint 2007 - Still buggy?!? - Slideshow Hangs...

We were requested to put together a slide show for a client. We decided to take PowerPoint 2007 for a test drive.

We ended up with a 25 panel slide show with multiple images and themes. We created a soundtrack for it on the Mac that ran the entire duration of the slide show.

We set the transition times for every panel to 15 seconds. We set the proper animation sequences for all of the panels and away we go right?

After saving the presentation in both presentation and slide show format, we took it for a test run.

Well, the first slide shows up, the music starts, then the second slide comes in 15 seconds later as expected. Then, it just hangs there. The slides no longer change. The second slide just sits there. The music keeps running though.

Okay, go back into the presentation, change the order of the slides to see if it is that particular slide, regenerate the slide show and try again.

Nope. It didn't work. Build a whole new slide? Nope, same thing happens again.

We still had a hang at the second slide.

So, the next step was to go back and see what happened to the transition settings. Each panel was still showing the 15 second transition time with the exception of the second one. It had 456:30:00 as a time setting!

Um, just where did that come from?

So, reset all of the panels to a transition time of 15 seconds, regenerate the slide show, and sure enough, it worked.

This was not an isolated incident. That 456:30:00 number showed up again, randomly, over the process of building the entire slide show.

Buried somewhere in PowerPoint, is that strange time number that only shows itself occasionally.

So, we learned a valuable lesson. Make sure that slide show works as expected before sending it off to the client.

Oh, and the soundtrack will, by default, be linked in the presentation so one should make sure to have the soundtrack mp3 accompany the final slideshow.pps or slideshow.ppsx.

By the way, the end user does not need to have PowerPoint installed on their system to run the slide show. They only need the PowerPoint Viewer. It can be found here: PowerPoint Viewer Download.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Tuesday 21 August 2007

Buyer Beware: Mail, Phone, Fax & more ...

As a business owner, it never ceases to amaze me the cunning ways that people who phone, send a piece of snail mail, email, or fax will try and "extract" dollars from us.

The word "extract" is used for a reason.

We provide products and services for which we get paid. Our clients see the value in those products and services. If they did not, then we wouldn't have business relationships spanning more than a decade in some cases.

As an example, we receive envelops from a company here in Canada that are setup in such a way that if our Accounts Payable people didn't realize that we didn't deal with them, we would be paying them for a service we never contracted them for in the first place.

There are, of course, the huge volume of information soliciting emails that we get as well. Some masquerade as suppliers, others as "clients".

Then, there is the phone call that we just received for a survey. The person mentioned that they were calling on behalf of our banks. When grilled for the bank we deal with they actually named it which means either they are working with the bank, or they have some sort of source for the information. Can we afford to answer any questions over the phone with someone we cannot see in person? No.

There is no longer any trust for anyone calling unless they can provide very specific details about us and our accounts. Even then, I will ask the person for a phone number and an extension number that can be used to reach them, and then call them back! If they cannot provide a line into the bank we deal with, then the next call is to the R.C.M.P.

It has gotten to the point where we are very cautious with out of Province numbers on our call display, or even in Province numbers. With Call Display spoofing being a reality, we really need to be careful.

Never answer the, "May I speak to the business owner/manager/I.T. person/person who manages the toners/etc/etc/etc" with a, "Sure! You can speak with John Owner, just a minute!" :D

And, if they do ask for John Owner by name, always come back with, "What is it regarding please?" If their answer is vague or circuitous, then ask questions to get a specific answer. Nine times out of ten they are trying to sell something or other.

If it smells fishy, it more than likely is fishy. If it sounds too good to be true, then it is.

Never, ever volunteer information.

Always take a polite but firm stance by taking control of the conversation immediately. Protect your business, or your employer's business.

And, when it comes the phone soliciting, take the person's first name and initial, employee or badge number, who they represent - if they will volunteer the information - and ask to be removed from the call list. They are then bound by law to remove the name and phone number they just called.

In Canada, we have PhoneBusters to call if we have received some sort of fraudulent offer via phone or email.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Monday 20 August 2007

Business Principles: Advertising where?!?

Susan's post on advertising is rather relevant today for us: Do we need advertisements everywhere?

We just unpacked a new HP LaserJet 1022 printer for a client and guess what we found in the box besides the expected printer related collateral?

We found a post card sized advertisement for a well known VOIP home phone replacement service in the printer box.

Finding the advertising in a product purchased by a client is really disappointing.

What message does that send about the product and/or the product's manufacturer? Is the product we just purchased now a vehicle to sell advertising?

And, more importantly, what message does it say about the purchaser of the manufacturer's product? What does that say about the manufacturer's perspective on who or what the product's purchaser is to them?

These questions are rhetorical in nature. Yet, the answers, if we dig deep enough, may surprise us.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

SBS - Getting familiar with SBS via the Wizards

For those of us who may have come from an Enterprise background, using the built in SBS wizards is almost completely foreign to us.

For those of us who may have come from a non IT background, the SBS wizards are also pretty much foreign.

When there is a need to interact with the SBS based management features for those who may be the on-site "technical" person, the wizards can be very helpful towards accomplishing most of the mundane server management for things like user and computer accounts. Getting that on-site "technical" person comfortable with the wizards is our task.

The beauty of the SBS wizards is the fact that they work for everyone. Whether that one be someone who has no need or desire to understand what they do, or for those who may have come from another IT related background and are interested in delving into the various changes they make. They just work.

There is also another neat aspect to the wizards: They are an excellent way to facilitate training on the various server components installed on SBS. For someone like us who manage SBS domains for a living, this is the best way to delve into the various server components to figure out just what is happening and where. For us, it is essentially mandatory that we be willing to do that. Having an in-depth knowledge of the SBS setup will always be beneficial especially in the case of a troublesome server.

Oh, and by the way, if we run into a troublesome SBS box, having used the wizards means we are working with a box that is consistent throughout. These boxes are complicated. When the SBS box is setup without the wizards, any combination of settings, or series of settings, or methodology of setup, may change between SBS box setup. This introduces the "human factor" into the setup or troubleshooting which can be dangerous to the health of the SBS box.

The SBS wizard's methodology for making changes, that is the changes they make, are a window into the "proper" way, as deigned by the Microsoft SBS team, to setup the SBS box.

Whether we realize it or not, the SBS wizards make changes in many ways both seen and unseen.

For those who advocate the setup and management of SBS without the wizards, it is the unseen aspects of what the wizards do that may come back to haunt.

Yes, it is possible to setup the SBS box without them. But, doing it that way may actually be a lot more time consuming than by using the ToDo and wizard method.

The stock out of the box wizard based setup of SBS will suit most client's needs. There will be customization required in some cases. But, those changes should be accomplished after the fact.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Saturday 18 August 2007

Virtual Server - VM Memory & CPU requirements

We have been working with Virtual Server 2005 R2 SP 1 for our virtualization needs.

The two key physical limitations to the number of virtual machines, in our experience, are the amount of memory installed and the speed and number of cores on the CPUs.

Windows Server 2003 Standard R2 x64 serves most of our virtualization needs. With the /PAE switch in boot.ini, we get to address as much RAM as we need.

For Intel based uniprocessor servers we are limited to 8 GB of RAM. For dual processor servers we are limited to 32 GB of RAM.

We tend to configure one (1) virtual machine for each core on a processor. For a Quad Core uniprocessor server we would run a maximum of 4 virtual machines. For a V8 server, dual Quad Core CPUs, we would run a maximum of 8 virtual machines.

This setup is, of course, based on the limitations of VS 2K5 of one core to one virtual machine.

VMWare Server would give us the option of dual SMP - two cores - for a virtual machine if the situation warranted. We would reduce the number of VMs running on the host OS accordingly.

A good portion of our client based virtualization needs are for remote desktop serving. The ability to run virtual XP Pro or Vista Business desktops provides flexibility for Group Policy based desktop security, user and application limitations via Group Policy, Line of Business apps that may not be able to be installed on a Terminal Server, Remote Web Workplace access via "Connect to my computer at work", and more.

An XP Pro VM can run quite comfortably on 512 MB of RAM while on a dual 3.06 GHz Intel Xeon based server. Virtualization is one place where Hyper-Threading actually works.

Windows Vista Business will require a minimum of 1 GB of RAM when running virtually. Anything less than that and Vista takes a pretty heavy performance hit.

We tend to set at least 2 GB of RAM to a virtualized SBS installation. That is the minimum we would install on a physical SBS installation, so we stick with it for VMs.

Windows Server 2003 Standard R2 serving DNS to the Internet can run on 256 MB of RAM. Install Exchange and the memory requirements jump up to at least 1 GB with 2 GB being better. ISA virtualized will run okay on 512 MB but better on 1 GB.

A rule of thumb is to leave a minimum of 384 MB of RAM for the host OS. Make sure that only the host OS basics are installed. For Windows Server 2003 Standard R2, remove or disable all nonessential services to lean out the OS.

So far, virtualization has done great things for our clients and for us. It can greatly reduce the costs of running a few extra dedicated remote desktops when all of the client's staff is laptop based. It can provide a single box solution for a number of light duty server roles that are easy to backup and restore as needed and in short order.

For those of us in IT, it eliminates the hardware/$$$ limitation on our testing labs. One V8 server will serve most small shop's server/client VM environmental needs. No more need to have four, five, or more boxes with a KVM or two just for those lab situations where we need to test whether our client boxes will blow up with the next run of updates and patches!

It also gives us a tremendous time saver: Undo Disks! With undo disks enabled, if that run of patches or updates does blow up the virtualized client SBS or other server box, we can undo the patches by discarding the changes and then start again. Hopefully we will be able to figure out which patch is causing the problems with what installed component and go from there.

All in all, virtualization can provide an excellent way for us to create some pretty neat solutions for our clients with a very attractive price point.

This is needed to enable Windows Server 2003 Standard R2 x64 to access installed RAM above 4 GB: Microsoft KB 283037: Large memory support is available in Windows Server 2003 and in Windows 2000

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday 16 August 2007

Business Principles: Spice up that Proposal with Visio

Doing up a network infrastructure proposal?

Need a simple way of presenting the proposed network setup that most people can understand without the technospeak?

Look no further than Visio:



It is a powerful tool that can give us the edge over other proposals that rely on words for descriptions.

Another way to get the edge is to hand deliver the proposal to the prospective client contact person. Chat with them and put a face to that book.

For proposals that are local, how do you think that will compare to something someone put together and faxed or emailed in?

In our experience, the extra effort pays of.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Working with non-profits? Then TechSoup has your licensing answer

When we began working with non-profit organizations, we were finding that licensing was in some cases just about as expensive for them as for our corporate clients.

One of our non-profit clients pointed out that they purchase a good chunk of their licensing from an organization called TechSoup.

It is amazing what the discounts are for software licensing. Microsoft's licenses are Open Business with Software Assurance for 2 years.

Server licenses for under $100US, SBS, Office, Windows XP/Vista upgrade, Office for Mac, and more. There are a lot of known and somewhat unknown software vendors who facilitate non-profit licensing there.

Check it out and use it with your non-profit clients. It could potentially save them thousands in licensing fees!

TechSoup.org.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

The Licensing Muddle - Here is the Cure - Microsoft Product Licensing Advisor

We all have to muddle through licensing at some point. Sometimes getting a clear answer from the licensing "specialists" at the other end of the phone brings about many different answers.

So, what do we do?

Microsoft brought a new version of the Licensing Configurator we used to painfully use for trying to get licensing questions answered a year or more ago.

It is called: Microsoft Product Licensing Advisor.

Please check it out.

It works. It gives the same consistent answer for almost all licensing part number needs. It is actually being updated with new products and their SKUs on a regular basis.

Open Value, Open Business, Open License, Select, and Enterprise products are listed. SKUs, SA benefits and more.

It is worth the 15 minutes to have a look.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Wednesday 15 August 2007

SBS - Exchange Email Spam Issue - Error Workaround - Exchange may not be retrying!

In the process of searching for the version numbers for the Exchange SMTPSVC for the previous blog post on using the wizards, we stumbled on what could be a big thing.

Yesterday, we posted about our experiences with two SBS servers, one our client's server and one ours, that seemed to drop email off the planet when hitting a hosting provider's SMTP server that Greylists. SBS - Exchange Email Sam Issue with Question to You.

Not sure how, but in our searches we came up with this:
andy webb View profile More options Mar 17, 2:07 pm
Something I haven't tried yet, but was talking with someone about last week was setting the Glitch Retry registry key. It's possible this isn't correctly being defaulted in SP2 or some version of SMTP.

In HKLM\System\CurrentControlSet\Services\SMTPSVC\Queuing, create "GlitchRetrySeconds" as a dword and try a value of 60 or 120. Then restart the SMTP service.

By default, messages receiving a 4xx SMTP response are processed as a "glitch" 3 times before being put back into the queue for processing on the retry interval. It seems like something in this mechanism is failing. [Emphasis ours] So, if assertively setting GlitchRetrySeconds to a value that allows the greylisting conditions to be satisfied, voila, a solution.

This is referenced a couple places:
http://technet.microsoft.com/en-us/library/aa998772.aspx
http://msexchangeteam.com/archive/2005/04/04/403297.aspx
This quote is from microsoft.public.exchange.admin via Google Groups: Exchange-->Greylisting. It is about three quarters of the way down.

This lead to another post on that newsgroup: Greylisting Problem. Here we see that there are indeed others having issue with Exchange not retrying if it receives a 471 Retry from a Greylisting server.

And then, a confirmation that Exchange indeed didn't retry as it should: Nabble.com: Does Microsoft Exzchange Exchange retry delivery correctly?

Now, given our experience working with the hosting company this afternoon and being able to repeat the problem, me thinks the problem is indeed in our court. That is, in Exchange.

As mentioned in the above quote, there is a registry key that needs to be added. From there, restart the SMTP service and hope! :D

So folks, time to get in touch with our clients and get that change in place!

UPDATE: And one more thing: My apologies for the original assumption that our SBS Exchange servers were not at fault. That is the assumption made when we first started into this stuff. And, it looks as though that assumption was dead wrong.

UPDATE 2008-06-18: Fixed the broken link in the TechNet Library referral.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

SBS - Exchange and the dangers of NOT using the wizards!

Here is the answer from a SBS based Exchange server:
220 mysbsserver.myinternaldomain.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Wed, 15 Aug 2007 19:30:25 -0600
Okay, so what is wrong with this picture?

It is pretty obvious that the people who set this one up were not using the CEICW to configure the Internet settings. If they did, Exchange would have answered with at least "myinternetdomain.com" instead of the .local internal domain.

What does that mean? Probably a good chunk of that particular establishment's email won't be getting anywhere fast. Most SMTP servers will perform a reverse DNS lookup on any email they are receiving. The myinternaldomain.local does not exist on the Internet, so their email is toast.

Also, the ESMTP 6.0.37.90.3959 does not line up with any of our installations. My guess is that Exchange SP2 is not installed. Our SBS Exchange SP2 ESMTP answers 6.0.3790.1830.

After a search, we couldn't find the version numbers for the SMTPSVC. Anyone able to fill us in?

So, there are two very important lessons here:
  1. Use the wizards! - especially the Configure E-mail and Internet Connection Wizard.
  2. Post SBS install should always have the latest updates and service packs.
This last one needs some reflection. Windows Server 2003 Service Pack 2 requires some research first.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

SBS Premium - SBS ISA Rule for Remote Management Needed

For those of us who have SBS Premium internally and manage client SBS servers, the following is an important manually created rule for allowing the 4125 RDP proxy port out:


If one does not create this rule, there is no RDP connectivity allowed out of the internal network to any external SBS server's RWW based RDP session.

For clients, this is no big deal, but for those of us who manage SBS networks, it means not being able to connect to remote SBS and XP Pro/Vista Business desktops via RWW proxied RDP.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

SBS Premium - SBS ISA publishing defaults

Out of the box for SBS 2K3 Premium and SBS 2K3 Premium R2 ISA runs the CEICW when it is installed.

This is a screen shot of the default rules created out of the box by the ISA CEICW:

Sometimes it is good to have a quick reference when mucking about with those settings! :D

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Tuesday 14 August 2007

SBS - Exchange Email Spam Issue with Question to You.

Okay folks ... This one has me a bit stumped, but at least we are getting somewhere with it.

After calling two different hosting companies - they each host a domain that our client is trying to communicate with - located locally, we may have something. One of the hosting companies has not returned our call yet, but we got to work with the other for about half an hour testing things.

It turns out that they have their servers set to deny the first connection attempt with a 5.7.1 "Try Again" message. This is verbatim from the technician we were speaking with.

On our client's SBS Exchange server, the message tracking indicates that there was a successful SMTP connection, and that the email message was accepted by the hosting provider's email server successfully too!

We tried sending an email from our own SBS Exchange based domain to our client's intended recipient, and the email disappeared into the ether as well. The hosting email server accepted the SMTP connection and accepted the email with no Deny/Retry indicated. Our SBS Exchange queue indicated the email sent to the intended recipient successfully.

At that point the technician was a bit puzzled but still indicated that the problem was on our end and not theirs. I mentioned that it was strange that two different sending SMTP servers have done this, one while we watched, and he stood by our servers being the culprits.

Me thinks not. Their server received the email, put it in some sort of queue - he could look at the cue but couldn't find the message - and their email server would then wait for the sender's server to try to send the email again.

Well, Exchange is not going to try again, because the email was "accepted" by the hosting company's email server. Both of our SBS Exchange message tracking logs indicated thus.

He requested that I send a second email which I did, and it got through with no problems. Again, our SBS Exchange message tracker indicated a successful transfer of the email to the hosting company's email server.

It is strange that both our client's SBS Exchange and our own SBS Exchange servers indicated a successful transmission of the email but the hosting company's servers seemed to make them "disappear" on the first attempt by those SBS servers.

Anyone else experiencing this kind of issue?

It is looking like the hosting company has a configuration issue with their email servers.

For the email server experts out there ... is it proper to have an email server deny the first attempt to connect by a SMTP email server?

Somehow I find this to be a bit strange in my experiences working with Exchange all these years to do that as an anti-spam technique.

Hopefully we hear back from the second hosting company. It would be interesting to see if they are doing the same thing.

BTW: By default Exchange will retry to send a message after 10 minutes if it had received the Deny/Retry message.

UPDATE 2007-08-15: We have subsequently found out that the second hosting provider is only hosting the Web site. So, our next step is to look to the internal email setup for that one.

The hosting provider that we did speak with yesterday contacted us today as we sent in a message requesting further clarification.

They graciously forwarded the logs from yesterday.

This is a screen shot modified to pull relevant data:


So, as the fellow mentioned, there is a "4.7.1 Please try again later" message in the log. I do believe that these logs may not reflect the very first attempt to send the intended recipient an email as there was no retry. If there was as this log shot shows, then their email server vapourized our email as indicated by the second acceptance message in their log!

We ran through a series of tests again today, only this time Exchange did get the 4.7.1 message and retried 1 minute later.

Perhaps they made some changes? Not too sure about that. BTW, they are running the Merak Email Server by IceWarp.

It would be interesting to see if these issues are primarily with smaller outfits like this one.

UPDATE TO THE UPDATE - IMPORTANT:

This one deserves its own post...SBS - Exchange Email Spam Issue - Error Workaround - Exchange may not be retrying!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Mac on SBS - A Count Down Widget for the Focused!

I don't know about you, but when working on a large project on whatever computer that happens to be, I get focused.

To the point where the next time I look up a couple of hours may have passed.

Doing that for long durations over the day can drastically reduce one's productivity.

Because of that, taking a break for 10 minutes or so to walk around or do something else away from the computer is important.

While onsite, have a stopwatch with countdown timer with you.

While working on the computer, have some sort of countdown timer going to ring after 50 minutes or so.

For the Mac, we have installed a Widget called 3-2-1. It works really well. It can be found here: BaldGeeks: 3-2-1.

For Windows Vista, there is the Sphere Timer.

So, take a break. It's good for you!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Monday 13 August 2007

System Builder Tip: SBS OEM R2 with W2K3 SP2 SKUs

While preparing a new SBS install quote we noticed some new SKUs for SBS.

A couple of part numbers for your OEM SBS installs:
  • Win SBS Premium 2003 R2 English 1Pack DSP OEI CD 1-2CPU 5 Client:
    • T75-01713
  • Win SBS Premium 2003 R2 English 1Pack DSP OEI CD 1-2CPU 5 Client w/WinSvrSP2:
    • T75-02110
  • Win SBS Std 2003 R2 English 1pk DSP OEI CD 1-2CPU 5 Clt SR:
    • T72-01849
  • Win SBS Std 2003 R2 English 1pk DSP OEI CD 1-2CPU 5 Clt w/WinSvrSP2:
    • T72-02193
Note that OEM versions can now be ordered with Windows Server Service Pack 2 incorporated. Whether they are in Disti's pipe yet is another matter as we don't seem to see stock yet.

Keep in mind to make sure that all hardware component's firmware is up to date, especially the Intel ProSet NIC drivers. Look for the possibility that adapter teaming will be broken even with a fresh install!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

We are back and buried! ;)

As things go, we have had a bunch of things to take care of after our break.

So, posting may be light as we catch up, but we do have a number of new Mac on SBS related posts to take care of.

A little spam monster is rearing its ugly head on the spam front: We are finding that some of our clients are hitting mysterious disappearances of their emails sent to their own clients. Hopefully, we can get some cooperation out of the recipient's IT department to find out what spam filters they are running and whether they are in-house or a third party service. And, why the chicken they can't seem to add email domains to a "whitelist" on their spam filters.

More to come on the spam filter front...

Anyone else encountering clients getting frustrated that their email isn't getting through?

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Friday 3 August 2007

Blogging Break

We are taking a couple of extra days off around this long weekend.

Posting will be virtually nonexistent! :D

For the Canucks, enjoy the long weekend!

Everyone else, have a great week!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Business Principles: The Price is the Price

I just got off the phone with a supplier.

We have had some product on order and it has come in. We are leaving for a break until late next week, so we needed to put the order on hold.

The prices on the product have changed since the order was placed.

So, the price we now pay has changed also.

I mentioned to them that changing the price we pay was wrong. It does not matter if the prices go up or down in the interim between the time we ordered the product and when they receive it to send it to us.

The price is the price

"Oh", says my supplier contact, "people whine and complain if the price drops so we give it to them".

Wrong answer.

You don't give it to them. Ever!

We live and work in an industry that has traditionally had wildly fluctuating prices. Lately, those fluctuations have not been nearly as wild, but they still change.

By whining and complaining about that price being lower, one has not, in my opinion, stopped to think about the process of that transaction.

Here it is:
  1. Purchased Gizmo A for $100 from the supplier.
  2. Supplier buys Gizmo A from the manufacturer for $80.
  3. Supplier receives Gizmo A from the manufacturer.
  4. Gizmo A has since dropped in price to $75.
  5. We pay for and the supplier sends Gizmo A to us for $100.
That is the proper order of the transaction.

Now, what happens when Company B Owner whines and complains about Gizmo A's price drop and expects to receive Gizmo A for the $75 price instead of the original $100 price?

Pretty obvious isn't it? The supplier takes the $25 hit if they bow to the pressure put on them by the Company B Owners.

It is the Cost of Doing Business if prices change in a direction we don't like. We eat it as we should.

The same goes if prices head up. Do we turn around and up our already quoted prices to our clients?

In the end, it actually ends up costing us more for products. The suppliers will need to make up for that $25 hit and any others like it. So, to make up for it, product prices get artificially inflated to cover the risk.

How we handle pricing says a lot about us and our business and who or what we are in it for.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Thursday 2 August 2007

Mac on SBS - Share Permissions Puzzle...

Since starting the publications, I have been working on them on the iMac via the SMB://mysharingserver/Users/MyUsername/My Documents redirect share.

SMB Signing has been disabled via Group Policy as instructed in the draft document for connecting a Mac to an SBS network.

Our My Documents redirect to a server other than our SBS box. This was still accomplished via the Configure My Documents Redirection wizard under Shares in the Server Management Console.

On the folder that contains the contents of the publications we have suffered an irreparable permissions corruption on the specific folders the publications are in. We had to login directly to the file server hosting the My Documents folders and correct the permissions. But, they still kept exploding.

Keep in mind that SBS sets the Special Permissions of "Full Control" on "This Folder Only" on the Users (x:\Users Shared Folders folder, not a user's folder) root share. These permissions carry over to the user's root folder when they first login to the domain and their My Documents get redirected to a file server other than the SBS box. It is important to note that every subfolder receives those Special Permissions!

This may be what is messing things up.

So, after examining SBS installations where the Users folder is resident on the SBS box, it turns out that SBS sets "Full Control" to the user's own root folder share and propagates that across all subfolders and files. When you look at the user's NTFS Security properties, there are a bunch of white squares with check marks in them up to "Full Control" on the their root folder. All subfolders are set to inherit so they pick up the "Full Control" with no issues (grayed out checked boxes).

We will begin the task of resetting those permissions immediately. It will be a big task as we have a lot of data in the redirect folders.

Hopefully the resetting of the folder permissions will fix the issue.

For those working with Macs on networks where the My Documents folder is redirected to a server other than the SBS box, then keep a look out for those permissions and the need to modify them!

While working on this process, we finished the last step of adding the iMac to the SBS domain:


The OS X 10.4.10 Directory Access interface was laid out differently than what is in the document, but I was able to figure it out.

Kinda looks neat having it nested there with the Windows boxes! :D

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Outlook 2007 - RSS Broken Feed Frustration

There have been some posts on this subject somewhere.

It is getting really frustrating trying to keep the RSS feeds in Outlook 2007 synchronized. They just do not seem to keep up.

This is what a manual send/receive looks like when things are broken:


Sometimes, we don't notice that the feeds are gone when we are quite busy. This can be frustrating, since there are a number of important news items or information items that we miss in the mean time.

I do hope that it will be fixed in a patch update as opposed to a service pack for Office 2007!

It is getting to the point where even a reboot of the system doesn't always get things reconnected.

Upon exporting the feeds, then deleting them in Outlook, then reimporting them again with a subsequent reboot ... they seem to be working again. We will see.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Wednesday 1 August 2007

SBS - Exchange Email and DNS

With today's spam filters getting more militant, it is up to us to make sure that our SBS based Exchange servers and the DNS associated with them are absolutely correct.

Many anti-spam filters will not send out an NDR - Non Delivery Report - to let the sender know that something is amiss.

How about a phone call from a client saying something to the order of, "We have a client that we can't seem to send e-mail to. Please fix it!"

After verifying all of the settings being correct, or at least seemingly correct, another call comes in a while later by the same client stating that e-mail is not getting through again.

Sometimes, it is someone on the other end who has incorrectly setup some sort of anti-spam appliance. We were in that situation. The call came through, and we know that our settings were correct, so it must be the other side's issue. It turns out that their IT department had installed this anti-spam appliance a number of months ago and since then many board members were no longer able to receive a lot of their email. Ouch!

For us, there is no excuse for an incorrectly setup Exchange server on SBS. The tools are available for us to make sure everything is correct.

To verify your client's DNS for email go here: DNSStuff and run the DNSReport. You will be surprised what you may find there. Kewl thing about this tool? It provides all of the relevant fix information too.

So, get it done. And, if you are dealing with a less than cooperative ISP, then counsel the client into a 3rd party email hosting setup for your SBS email redundancy. Exchange hosting might be an option in this case.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Mac on SBS - Remote Desktop Client for Mac 2.0 beta 1 available

Just a quick note to let you know that the new Remote Desktop Client 2.0 beta 1 has been released. This was just yesterday, and since we are buried in creating our assessment publications it went right by unnoticed.

Thanks to Rodney Buike of the Canadian IT Pro Blog for pointing this out to me via email.

The new client can be found here: Microsoft Remote Desktop Connection Client for Mac 2.0 (Beta).

The RDC beta's kewl new features from the site:
  • Universal Binary
    Runs natively on both Intel-based and PowerPC-based Macs.
  • Remote Desktop Protocol 6.0
    Provides better compatibility with Windows Vista, improved security features, and many other improvements.
  • Multiple Sessions
    Lets you connect to multiple Windows-based computers at the same time.
  • Improved User Experience
    Provides a true Mac experience and improved usability.
  • Improved Customization Options
    Lets you change application preferences, including keyboard shortcuts, while you are running a session.
    Changes take effect the next time that you connect.
  • Dynamic Screen Resizing
    Lets you resize your session window or switch to full-screen mode during a session.
  • Improved Printing Support
    Supports all configured printers on your Mac. No longer limited to PostScript printers.
The Remote Desktop Connection Client for Mac 2.0 Public Beta site. The link is to the Connect site where feedback and bug reports can be filed. One will need to sign in via their Windows Live ID to participate in the feedback and bug reporting mechanisms.

There is also a newsgroup: microsoft.public.mac.rdc

Note the difference between the RDC 1.03 icon on the left and the new 2.0 beta one on the right:



The new icon has a wide screen style monitor, the dish is different, and the colours are a bit different and a lot deeper.

Have fun! :D

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Mac on SBS - The iMac was unhappy today ... again :(

Okay, these kernel trap errors are no longer hitting after a point where the iMac is sitting with iTunes running. While working in InDesign we got hit with the Black Screen of Death!

This is the subsequent report after rebooting:


So, off to find out just what the chicken we have gotten ourselves into.

The best site, by far, for troubleshooting these errors is here: The X Lab: Resolving Kernel Panics.

We did upgrade the existing 512 MB Nanya RAM stick that came with the iMac to a 1 GB stick of Hynix RAM as soon as we got it. The 1 GB upgrade RAM stick came straight out of an Acer laptop that was brand new and was getting an upgrade to 4 GB of RAM. So, the RAM was new too.

We pulled eight (8) 1 GB sticks out of 4 Acer laptops during that Acer laptop upgrade. Out of those 8 sticks, the one that went into the iMac was the only Hynix that came out of the Acers. The rest of them were Nanya. Go figure that the memory brand changed mid way through that particular run.

The original 1 GB RAM stick installed in the iMac was a Crucial stick.

So, we pulled both 1 GB sticks of RAM, the original Crucial and the Hynix we had installed when we got the iMac, and installed two identical 1 GB sticks of Nanya RAM.

According to The X Lab, this is the first step, and hopefully the last, in resolving our iMac's Kernel Trap errors.

If not, we are onto the next steps.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.