Sunday, 31 May 2009

Vista Service Pack 2 Not Applying Group Policy Preferences

We are collaborating on an SBS 2008 and Windows Server 2008 Core Hyper-V fresh installation.

The Hyper-V server will host 8 Windows Vista desktops for an organization whose users are out of the office more than 85% of the time.

This solution keeps their data organized and protected as well as enables them to run a Line of Business application that is not Terminal Services friendly.

The Vista software is provided by a base retail OS purchase with Open Value Vista Upgrade + SA added.

The media that was downloaded for the VMs:

image

A fresh Windows Vista Service Pack 2 OS.

Well, we have discovered that the slipstreamed version of the OS does not have the Client Side Extensions functioning properly.

After troubleshooting our User and Computer based GPOs that contain Preferences, the following page came up in a search:

Ouch … this is not a happy scene because we had to burn critical time today troubleshooting this problem instead of placing the new SBS domain into production.

Jake Paternoster in the above TechArena page gave us a good lead towards the solution, but for some reason we could not come up with quite the right process to get the CSEs to install.

But almost every combination that we could come up with would fail with:

image

Or it would at least give us a UAC prompt but still fail ... with nothing in the Event Logs to even give us a clue as to what we were running up against.

But then, wait! It gets better! After leaving the first Vista SP2 VM alone for a while then coming back to work through the processes and see if we missed anything the GPPrefs were applied! 8O

So, was it the RSAT and GPMC that was enabled that made things work? Or, was it running the GP wizards in the GPMC that got things going?

Since we have 8 VMs to play with, we started with the next one and worked our way backwards through the process to figure out which step actually worked.

Gotta love these in the middle of everything too:

image

Windows 7 TS Client. They have not been very frequent, but they seem to hit when they are the least welcome!

Here is the methodology for getting things working:

  1. Download the CSEs (Microsoft KB site).
  2. Copy the KB file to C:\KB943729
  3. Open an elevated command prompt.
    • It is absolutely necessary that the command prompt be elevated with the domain admin credentials.
  4. Navigate to C:\KB943729
  5. expand Windows6.0-KB943729-x86.msu -F:* C:\KB943729 [Enter]
    • Note the space between the -F:* and the destination path.
  6. Delete the original Windows6.0-KB943729-x86.MSU
  7. start /w pkgmgr.exe /ip /m:C:\KB943729\Windows6.0-kb943729-x86.cab [Enter]
    • No quotes around the path.
    • Make sure the full path including the CAB is there.
    • A bunch of files and folders will show up in the directory. This indicates that the CSEs are seemingly installed.
  8. GPUpdate /Force [Enter]
  9. shutdown -r -t 0 [Enter]
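
The nine steps above collected into one batch file, as an added example that is not part of the original post. It assumes the x86 MSU has already been copied to C:\KB943729 as in step 2; the elevation check and exit-code handling are additions, and treating 3010 as success assumes pkgmgr uses the standard Windows reboot-required code.

```batch
@echo off
rem Added example: the CSE install steps from this post as one script.
rem Assumes Windows6.0-KB943729-x86.msu is already in C:\KB943729 (step 2).
setlocal
set "WORK=C:\KB943729"
set "PKG=Windows6.0-KB943729-x86"

rem Step 3. "net session" fails from a non-elevated prompt, so it doubles as
rem an elevation check. It cannot tell whether the account is a domain admin,
rem which the post also requires.
net session >nul 2>&1
if errorlevel 1 (
    echo ERROR: open an elevated command prompt and run this again.
    exit /b 1
)

if not exist "%WORK%\%PKG%.msu" (
    echo ERROR: %WORK%\%PKG%.msu not found.
    exit /b 1
)

rem Steps 4 and 5. Note the space between -F:* and the destination.
cd /d "%WORK%"
expand %PKG%.msu -F:* %WORK%
if errorlevel 1 (
    echo ERROR: expand failed.
    exit /b 1
)
if not exist "%WORK%\%PKG%.cab" (
    echo ERROR: %PKG%.cab was not extracted.
    exit /b 1
)

rem Step 6.
del "%WORK%\%PKG%.msu"

rem Step 7. Full path to the CAB, no quotes, as the post insists.
start /w pkgmgr.exe /ip /m:%WORK%\%PKG%.cab
set "RC=%ERRORLEVEL%"
rem 3010 is the standard Windows "success, reboot required" code
rem (assumption: pkgmgr reports it the same way).
if not "%RC%"=="0" if not "%RC%"=="3010" (
    echo ERROR: pkgmgr exited with code %RC%.
    exit /b %RC%
)

rem Step 8. Answer N if gpupdate asks to log off or restart.
echo n | gpupdate /force

rem Step 9.
shutdown -r -t 0
```

Because the script stops on the first failed step, a silent pkgmgr failure like the ones described above shows up as an exit code instead of an unexplained missing CSE.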

Note that the syntax of the PkgMgr.exe command is extremely important ...

The actual command line format is to be found in this link:

Lesson:

  • Question:
    • What is the definition of insanity?
  • Answer:
    • Doing the same thing over and over and over again and expecting a different result! ;)

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)

Windows Live Writer

Saturday, 30 May 2009

Vista SP2 on Hyper-V SP1 – Integration Services Install Error Code 1

When trying to install the Hyper-V Integration Services on a newly installed Windows Vista Enterprise VM, this is the error we received:

image

Error

An error has occurred: One of the update processes returned error code 1.

Apparently, we need to Service Pack 2 our Hyper-V box too (Kit Kai’s Tech Blog).

In the meantime, if connected to the Hyper-V manager via an RDP session, there will be no mouse access to the VM.

To shut the VM down, do the following:

  1. Click the image button.
  2. Hit the down arrow on the keyboard to get to Start Task Manager and hit the Enter key.
  3. Type ALT+N to hit the New Task button.
  4. shutdown -s -t 0 [Enter]

The VM will shut down. We shut down all of the desktop VMs on this Hyper-V box before installing the service pack.

image

You folks in the US sure have it good with your Internet connections!

The update took a while on the dual Xeon E5420 series Dell 2950 2U. There were 5x 300GB 15K SAS drives in RAID 10 with a hot spare.

image

We shut the VMs down ahead of applying the update to give the server as much dedicated processing and disk I/O as possible. Even though we are working with a Server Core install, the update is quite large.

At about 5 minutes:

image

And here we are about 17 minutes after the update was initiated:

image

Keep in mind that any Hyper-V server that hosts Windows Vista Service Pack 1 will need to be updated to Service Pack 2 prior to service packing the Windows Vista VMs.

When the Integration Services disk gets inserted into the VM the AutoPlay feature should pop up a window that enables us to hit the Enter key to initiate the setup routine and an ALT+A to continue through the UAC prompt.

If the VMGuest.ISO was already mounted, then make sure to dismount and click Insert Integration Services Setup Disk in the VM’s Action menu.

Once installed, we will see:

image

After the reboot, our remote mouse movements will be enabled. If the above menu gets lost behind the default Vista Welcome window, hit the CTRL+ALT+DEL button in the VM manager and bring up the Task Manager to switch to the Hyper-V setup.

Another reason Windows 7 in a VM is way ahead of Windows Vista! Windows 7 has the Hyper-V Integration Services already installed!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


A DRAC, Or Any Other Remote Management Tool Will Only Get Us So Far …

Now, what happens if we have set up the server via baseboard level access to the server using the Dell DRAC add-in, or any other baseboard level management module for that matter, and the remote management module has died before we have run the SBS 2008 Getting Started Tasks?

This:

image 

We are assisting with the SBS 2008 and Server Core with Hyper-V Role installs on behalf of an I.T. company at a remote client site of theirs.

So, the second option is to temporarily enable port forwarding for Terminal Services 3389 to the new SBS 2008 server so we can keep moving forward.

But, what happens if there was no one around to do that?

To pre-empt this kind of situation we would do one of the following:

  • Ship a preconfigured router/firewall device with the USB flash drive that had the Answer File on it.
  • Coach our contact through the port forwarding process on their firewall device.

It just goes to show us that there can be no fool-proof method of connecting to a server remotely without some sort of fall-back measure in place.

Once we had the server configured for Remote Web Workplace access the 3389 port forward would be deleted in the firewall device.

In this case, once we have tried a firmware flash to the DRAC, if things still do not work, then we will initiate a support incident with Dell and have someone come out and replace the defective unit.

The DRAC no longer shows up anywhere … it is toast. Warranty replacement time.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Ack! SBS 2008 Not Genuine!

The situation we find ourselves in right now is a little silly.

Going to download the Hyper-V manager for Windows Vista SP1, the site called for a Windows Genuine Advantage verification.

Okay, we are on a newly built SBS 2008 box with its Server Core Hyper-V partner almost built and ready for the Windows Vista VM installs.

All of the local workstations on this newly set up SBS domain are Windows XP Pro SP3 but not added to the new domain yet. We could install the Hyper-V manager on any of them anyway.

We ran through the WGA which failed of course. It then required that we download the WGA tool and run it to get a key to get through to the download.

Once the tool ran and we got the key, the WGA site choked on the key and stated that we were not running genuine software.

Yikes!

Okay, so we went into the Change Product Key routine and entered the SBS 2008 Open Value license key and ran through the validation. Well, that failed too!

This is getting a bit nerve racking since the last backup was done about an hour ago when we had finished the last batch of updates. We are working on a new server install for a client in Florida.

Since activation was stating that we had to activate today, meaning the server would go catatonic on us at any time soon, we needed to get this situation resolved or we would be recovering the server before we wanted to.

Nothing in our searches turned up a plausible solution.

However, since we did not enter the product key for the install (we never do until the server goes live), why not try and rearm the “trial” period and see if that corrects the problem.

  1. Start –> right click Command Prompt and Run As Administrator
  2. cscript %windir%\System32\slmgr.vbs -rearm [Enter]
  3. shutdown -r -t 0 [Enter]
  4. Once logged on: Start –> right click Computer –> Properties.
  5. Click Change Product Key
  6. Enter the product key and go.

Eventually, the following will show:

image

Lesson learned: Never run the WGA tool for any other OS on the server! 8*O

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Friday, 29 May 2009

SBS 2008 Setup Checklist V1.2.0 Released

The checklist has been substantially updated and can be found here:

Some changes include running a backup just prior to MUing (Microsoft Update) the box along with some additional steps and warnings about some hiccups along the way.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


SBS 2003 to 2008 Migration Stall – Event 1001 SBSSetup.exe and CLR20r3

This one is a stumper.

The migration is from SBS 2003 to SBS 2008 with approximately 45 users and a 45GB mail store. Most of the users are remotely connected.

The error in the SBSSetup.log:

[4020] 090520.201958.9605: Setup: Exception removing info: System.IO.IOException: The process cannot access the file 'C:\Program Files\Windows Small Business Server\Data\info.xml' because it is being used by another process.

   …Microsoft.WindowsServerSolutions.Setup.SBSSetup.MainClass._PrepareForFinalExit(Boolean stillHaveOneMoreReboot)

[4020] 090520.202756.1849: Setup: Removed SBSSetup from the RunOnce.

The error in the SBS 2008 Event Log:

image

Application

SBSSetup.exe

CLR20r3 with System.IO.IOException

We just ran the migration on our own hardware by having our client ship us a ShadowProtect image of the source server that we used to complete a Hardware Independent Restore to one of our lab servers.

We used one of our own quad core Xeon 3000 series boxes to run the SBS 2008 setup in Migration Mode on.

The failure is always during the DCPromo and Active Directory replication cycle of the SBS 2008 Migration Mode install.

At this point, we are completely stumped and are looking to get Microsoft support involved to figure out where the problem lies.

Hopefully when we find the solution to the problem, we will post that here.

Note the following:

  • Okay: NIC binding order
  • Clean: DCDiag
  • Clean: NetDiag
  • Clean: RepAdmin /SyncAll
  • Clean: RepAdmin /ShowReps
  • Clean: ADSIEdit.msc of any other DC references
  • Clean: ntdsutil in MetaDataCleanup mode
  • Clean: Active Directory Sites and Services
  • Clean: SBS 2003 Best Practices Analyzer
  • Clean: Migration Preparation Tool on SBS 2003

UPDATE 2009-06-02: A support incident has been opened with Microsoft’s Product Support Services to get this resolved. Hopefully we can.

UPDATE: 2009-07-10: Workaround found: SBS 2003 to 2008 Migration Stall – Event 1001 SBSSetup.exe and CLR20r3 – Workaround Found!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Wednesday, 27 May 2009

The Intel ARK Information Site Is Excellent

This is a site that came up while searching for relevant information on the new Atom processor revisions:

image

The site:

This is a pretty neat grid of all of Intel’s product code names:

image

Click through from the home page to the Atom processor family page which is what we were searching for in the first place:

image

A grid of all of the available Atom processors showing product features at a glance and a link to the actual product micro-site.

The specific Atom Processor 330 product micro-site:

image

This is one site that definitely needs to be bookmarked as it contains a wealth of product information that is generally two or three clicks away from the home page!

Also, make sure to check out the Product Tools links near the top right of the Home Page. The Platform Browser and the System Design Tool are phenomenal multiple choice decision making tools.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Tuesday, 26 May 2009

Windows 7 and QuickBooks – UAC Required

QuickBooks 2008/9 Multi-Currency Edition, which uses the legacy codebase that the non-multicurrency edition does not, elicits a UAC prompt when running on Windows 7.

image

The software will then run, but will not find the previous network mapped drive company file location.

We need to click the Open button which then shows us our company file and click through from there.

This is good news for us as we could not get our QuickBooks to run at all on Windows Vista in our own company domain due to the security policies in place here.

Once we migrate to SBS 2008 and the new Group Policy structures available to us, we might have had success with QB on Vista, but we will not go there anymore! :)

We did try to work with the Windows 7 Compatibility Mode for XP to see if that would resolve the UAC prompt but it did not.

Again, no complaints because at least it will run!

Once we migrate our domain to SBS 2008, it will be interesting to see how QB and Windows 7 work with the new GP setup.

If we have nothing but grief, there is always XP Mode on Windows 7.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Thermaltake Silver River Duo USB HDD Enclosure – Fail

A while back we had a bunch of problems with the Vantec NexStar3 enclosures we were using for backups on Intel server board based servers.

A warm boot would stall the server with a blinking cursor just before the BIOS information would show itself.

With the S5000PSLxxxR series and the S3200SH series boards Intel has put a BIOS setting to disable booting to USB so the point is now moot.

We have since gone back to the NexStar3 enclosures.

What we are finding now though is that the power blocks on the Thermaltake Silver River Duo enclosures are bad.

We have Vantecs that have been in operation for a number of years now and to date have not had one bad power block.

We have 6 bad power blocks waiting for their replacement from Thermaltake.

Most of the time when they fail, they do not outright stop the hard drive from spinning up. The status light comes on and the drive does indeed spin up. But, once the system needs to write data to the hard drive the enclosure’s status light will be in activity mode and the server will sometimes lock right up.

Since we sold a lot of these enclosures during the S3000AH and S5000PSLxxx product time period, we are anticipating more failures to come.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Monday, 25 May 2009

Check that Password Strength Tool

This is a neat little tool to help us educate users on password strength or lack thereof:

image

Since the dawn of the Remote Web Workplace in SBS 2003, we have been educating our client users to use pass phrases.

The above tool will be a very helpful part of that training.

Link comes courtesy of Sean Daniel: The Importance of a Strong Password.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


BES 5.0 and SBS 2008 – No Go For Now

After uploading all of our server logs to Blackberry support on the weekend, we received the following reply today:

Thank you for contacting BlackBerry Customer Support. The log files did not pin point the error that is occurring. It appears it may be a local port conflict on the BlackBerry Enterprise Server and the Small Business Server. The installation guide does point out that the BlackBerry Enterprise Server 5.0 is not to be installed on the mail server. You do have messaging working but not the Monitoring Service. We recommend you try and install the BlackBerry Monitoring Service on another machine. We cannot guarantee this will work as the BlackBerry Enterprise Server is not installed in a supported environment. See page 19 of the attached Installation Guide.

Page 19:

image

So, it looks as though we will need to look at repurposing the old SBS for BES, or there may be some other options to discuss with our client.

Lesson learned. :)

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Saturday, 23 May 2009

BES 5.0 on SBS 2008 – So far a no go …

We are working on a BES 5.0 install on a client that we did a side-by-side migration for.

We managed to get BES to install successfully being mindful of all of the needed ports for the SBS related services and the BES related services.

Once we had a successful install, we could not get the BES monitoring services installed:

All three monitoring services fail with essentially the same Event ID of 3:

09-05-23 BES 50 - BBMonitoring Error 3 - Cannot find PKI files

BBMonitoringService_APP

‘Cannot find PKI files.’

We were on the phone with the Blackberry support folks for quite a while running through the various aspects of the install.

Finally, we uploaded both the BES and Server 2008 logs (Win2K8 App and Sys) to them and are now waiting to hear back.

It will be interesting to see what they come up with.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


SBS 2008 – Symantec EndPoint Error – Unable to communicate with reporting component

All of our Symantec EndPoint Protection (SEP) installs have been flawless up until today.

image

Error

Unable to communicate with the reporting component.

Trying to find the solution in the midst of all of the fluff that comes up while searching for it has been tough!

The following Symantec knowledge base article helped us out:

First, we needed to correct the ODBC settings. Since we are on SBS 2008, we need to access the 32bit version of the ODBC manager.

  1. Start –> Run –> odbcad32.exe [Enter]
  2. UAC: Continue
  3. System DSN tab:
    • ODBC: Leave
    • Login:
      • User ID: DBA
      • Password: Same as your SEP Admin
    • Database:
      • Server Name: MY-SBS
    • Network:
      • TCP/IP: SBS IP Address
    • Advanced:
      • Leave alone.
  4. Click the ODBC tab and click the Test Connection button.

You should see:

image

From there, elevate a command prompt and:

  • iisreset [Enter]

The second part of the mentioned article indicated that we should change the service associated with the DefaultAppPool. We did not do this since so many services depend on that pool.

After resetting IIS, restart the two Symantec services and you should see:

image

At least we are not looking at a reinstall!

Note that the Symantec communication ports need to be added to the SBS 2008 Windows Firewall with Advanced Security:

  • Admin site: 8014
  • Admin communication: 8443
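
One way to add those two ports from an elevated prompt, as an added example rather than a step from the original post. The rule names are made up for illustration, and limiting the rules to the domain profile and the local subnet is an assumption that all SEP clients and consoles sit on the server's own LAN.

```batch
@echo off
rem Added example: inbound rules for the two Symantec ports listed above.
rem Rule names are illustrative. Run from an elevated command prompt.
setlocal
call :allow 8014 "SEP admin site"
call :allow 8443 "SEP admin communication"
rem Show the resulting rules so the scope can be confirmed.
netsh advfirewall firewall show rule name="SEP admin site"
netsh advfirewall firewall show rule name="SEP admin communication"
exit /b 0

:allow
rem %1 = TCP port, %~2 = rule name.
rem Delete any earlier copy first so re-running does not stack duplicates.
netsh advfirewall firewall delete rule name="%~2" >nul 2>&1
rem profile=domain and remoteip=localsubnet keep the ports closed to
rem anything outside the LAN (assumption: all clients are on that subnet).
netsh advfirewall firewall add rule name="%~2" dir=in action=allow protocol=TCP localport=%1 profile=domain remoteip=localsubnet
if errorlevel 1 (
    echo ERROR: could not add rule "%~2".
    exit /b 1
)
exit /b 0
```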

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Friday, 22 May 2009

Intel vPro System Defense Utility Now Available

We use the Intel System Defense Utility to manage our smaller clients that have vPro enabled workstations.

The utility gives us the ability to power cycle the system, remote boot via image for troubleshooting or OS load, and more.

It is available here: Intel System Defense Utility.

image

Some prep work on the workstation needs to happen prior to being able to connect with the ISDU.

  • AMT password set.
  • System Name.
  • AMT management set to SMB versus Enterprise.
  • AMT set to the newest version.

We keep a record of all of the system names and their AMT passwords.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Wednesday, 20 May 2009

Windows Server 2003 SP1? Hotfix or SP2 before ChkDsk /F or /X or /R

If SBS 2003 has not been service packed up to Windows Server 2003 SP2 (How to obtain the SP) yet, there is a cautionary tale to be had about running chkdsk /f on that server:

If the bug rears its head, then it is quite possible the server will not come back up if the system partition had chkdsk /f run on it. This goes for any other partition chkdsk was run on that may have critical data on it relevant to a proper OS boot too.

If the partition was client data oriented, there could be a need to either reset the permissions on the entire partition, or recover it from the most recent backup to save on all of the work resetting permissions.

This is another good reason to test those service packs and then deploy them on our client servers!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Microsoft Licensing Briefs

One area we always seem to need to brush up on is Microsoft Licensing.

A site that has the necessary documentation:

The site:

image

We are looking to find out whether a client of ours can install Windows Server 2008 x64 Server Core with the Hyper-V role enabled and virtualize a Windows Server 2003 Standard server using the 1+1 virtualization rights plus downgrade ability with Open Licensing.

This is the site we were pointed to with the specific document:

Pages 24-25 explain the Server Standard 1+1 and Enterprise 1+4 licensing guidelines quite well.

So, the answer is yes we can run Server 2003 Standard with their Open Licensing server license.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Monday, 18 May 2009

SBS 2003 to 2008 Migration – DCPromo Fails – The wait operation timed out

The following error can be expected during the final steps of the migration process where we are removing the source SBS 2003 box from Active Directory:

image

Active Directory Installation Wizard

The operation failed because:

Failed to configure the service NETLOGON as requested

“The wait operation timed out.”

If this error happens, click OK, then click back to the Welcome in the Active Directory Installation Wizard. Click Next back through the Wizard to restart the process.

The DCPromo demote should run successfully from there. It did for us.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


SBS 2003 to SBS 2008 Migration – WSUS, SUS and GPO Deleting Step Caution

The migration we are running this weekend is from SBS 2003 Premium RTM with SP1 installed to SBS 2008.

So, in this particular case, we have the manually created GPOs in place for the downloaded install of WSUS v2:

image

The Migration steps call for the deletion of the following SBS 2003 R2 based GPOs:

  • Small Business Server Update services Client Computer Policy.
  • Small Business Server Update services Common Settings Policy.
  • Small Business Server Update services Server Computer Policy.

In this case, and any other where SUS/WSUS was manually installed on SBS 2003 RTM, we need to be mindful of which GPOs to delete.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


SBS 2003 to 2008 Migration – Removing the Legacy Scripts

When it comes time to remove the legacy logon scripts during the SBS 2003 to SBS 2008 migration process, the instructions are not quite correct:

image

When we navigate to the SYSVOL via UNC path, we are viewing the contents of the Scripts folder in Read-Only mode.

On the destination SBS 2008, open Windows Explorer and navigate to the SYSVOL\SBSDomain.local\Scripts folder to delete the scripts there.

Note that there will be a few UAC prompts for the delete command.

Any mapped network drives can be rerouted to the new server using Group Policy Preferences instead of a script. In fact, Group Policy Preferences can be used for most any setting that was contained in the legacy scripts.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Saturday, 16 May 2009

SBS 2003 to SBS 2008 Mailbox Migration Time

Here is the mailbox move result for the SBS 2003 to SBS 2008 migration we are working on this weekend:

image

The time of a little over 55 minutes was for a source information store of about 2.5GB. Public folders were not in use on the source SBS 2003 server.

SBS 2003 source server configuration:

  • Intel Pentium D 3.0GHz.
  • 3GB ECC RAM.
  • Intel Server Board.
  • 300GB onboard RAID 1 array.
  • Intel SC5290BRP Chassis
  • Box age: Approximately 3.5-4 years (we put it in).
  • OS: SBS 2003 Premium RTM with SBS SP1.
    • Win2K3 SP2
    • Exchange SP2
    • WSS v2 SP1
    • WSUS v2 (v3 kept failing on install so we left it till now)
  • Users: 8
    • Mailboxes over 500MB: 2
    • Mailboxes over 250MB: 4
    • Mailboxes under 250MB: 2

SBS 2008 destination server configuration:

  • Intel Xeon X3370 3.0GHz Quad Core.
  • 8GB ECC RAM.
  • Intel S3210SHLX Server Board.
  • 950GB RAID 10 array with 3 partitions:
    • 175GB OS
    • 25GB Swap File
    • 750GB Network Data
  • Intel SRCSASBB8i PCI-E 8x RAID Controller (LSi).
  • Intel SC5299BRP Chassis
  • OS: SBS 2008 Premium

A D-Link WebSmart Gigabit switch provided the backbone for the process with both servers connected at full duplex Gigabit speeds with one NIC each.

Watching the process on the SBS 2003 source server in the Exchange snap-in showed the newly created SBS 2008 domain admin account logging into each mailbox until all of them showed the domain account as being logged on.

Watching the process on the destination SBS 2008 server showed nothing while the above was going on beyond the scrolling progress bar. Once the SBS 2008 domain admin account was logged into all of the mailboxes, the transfer process started a few minutes later. But, it took a good 15-20 minutes of waiting before things started to move!

Look to much longer mailbox move times if there are more users. Especially if there is a larger number of users with mailboxes over 1GB in size.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


SBS 2008 and the Self-Issued Certificate

When it comes to SSL certificates, the new certificate structure in SBS 2008 makes things a bit more difficult for the network admin.

To get things to work for our remote users, we need to get a certificate distribution package out to them:

image

For users that work in the office on occasion, this is not such a bad thing other than needing to coordinate getting the certificate to them so that their productivity is not impacted.

For those that work remotely all of the time, the worst thing we can do is to teach them to click through this warning:

image

For many of us that got our users used to passing through this warning on our SBS 2003 RWW self-issued certificate, this may have come back to bite us in the form of a compromised system as the user did not stop to think about clicking through a certificate warning at a “banking” site they went to via an e-mail.

If we try and connect to a system via HTTPS/RDP using the SBS TS Gateway service or via RWW, we get the following warning after a short pause:

image

To install the SBS self-issued certificate, double click on the InstallCertificate executable and:

image

Choose the destination for the certificate. In this case, we are installing the certificate on a laptop we use to manage client systems with. The third party certificate is not ready yet and we need to continue the SBS 2003 to SBS 2008 migration setup.

On this Windows 7 based laptop, a UAC prompt happened at the beginning of the certificate install.

Once installed, we were able to open the Remote Web Workplace on our new SBS 2008 box and log onto the server’s desktop via RDP to discover that our Exchange Mailbox move process had completed 100% successfully! :)

NOTE: It is not a good practice to place the certificate distribution package on a Web site or other public location for “ease” of distribution. The best and only method for distributing the SBS self-issued certificate is via USB flash drive.

Once the user has installed the certificate on their machine, they should delete the files from the flash drive.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Signing Into the SharePoint Site Via the Windows 7 Favorite Link

As we have mentioned in our previous blog post on Windows 7 and SharePoint integration, one of the really kewl new features in Windows 7 is the ability to Favorite a SharePoint library for quick access.

There is a small catch that we need to be aware of when trying to sign into the SharePoint library via the Windows 7 Favorite though:

09-05-16 SharePoint Sign On

Note the backslash just before the username. If that backslash is not there, Windows 7 will send the credentials in Domain\FirstLast format and SharePoint does not seem to like that.

Put .\FirstLast for the credentials and the local machine name will appear on the left of the backslash.

Now that we have figured that out, our access to the SharePoint library is quick and easy.

Note that the first time a document is opened in the library, we may be prompted for credentials too. Those credentials need to be in the same format as above.

SBS Migration DNS and Shaw’s Customer Phone Support = Huge Improvement

At least here in the Greater Edmonton Area.

In the past, trying to get through to Shaw Internet Support would cost at least half an hour to an hour of wait time. Once through, the folks on the other end of the phone would not necessarily follow through on the support request or would not understand what was being asked of them.

We needed to make DNS changes to our client’s domain hosting setup to prepare for the migration we are doing today.

The call was on hold less than 5 minutes and the fellow that took care of all of the needed changes took care of them all without any problem.

  • Redirect www.domain.ca to Shaw’s servers for hosting their site. It is currently hosted on their own internal server.
  • Implement ExchangeDefender’s inbound MX record for their domain e-mail.
  • Implement a DNS A record for remote.domain.ca to point to the new SBS 2008 server.

With these changes out of the way, we are now getting ready to remove ISA 2004 from SBS 2003 and restructure around 1 NIC. From there, we will install SBS 2008 in Migration Mode and go, as we have done the preliminary health checks on our source server and everything looks to be good to go! :)

Friday, 15 May 2009

SBS 2003 to SBS 2008 Migration Begins Tomorrow

This being a long weekend in Canada, it is the time to take care of an in-depth project so that we do not impact our client’s business productivity.

The project we are running this weekend is an SBS 2003 to SBS 2008 migration.

Our client has purchased a new Intel X3370 Quad Core based server with Intel RAID and hot swap capabilities.

We have already done a practice run through using a ShadowProtect image to Hardware Independent Restore to a lab box here in the shop. Things went fairly smoothly considering the box is around 4 years old and has been misbehaving every once in a while for the last year or so.

We will also be upgrading all of their Windows XP Professional workstations to Windows Vista. From there, we will be distributing Office 2007 Pro Plus via Group Policy, and configuring their new SBS 2008 domain along the guidelines we have for our other SBS 2008 clients.

We will be taking a basic hardware router with us for the initial migration process as their existing SBS 2003 will be repurposed as a dedicated ISA 2006 server that we will install at a later date.

The ShadowProtect images we will create when we start the process will remain separate and available if we need to fall back on the original hardware with SBS 2003 reimaged to the box.

Given the results of the practice run through, we are pretty confident that the migration process will be successful.

Happy Victoria Day Long Weekend to our Canadian readers! :)

OWN Off-Site Backup Experiences

We have a policy to try out any and all services that we are going to resell. This gives us a practical user based experience of the services.

Thus, we can have answers to the questions that our client’s users are bound to ask during their use of the services.

Here is what one of our directory’s upload speed is running at:

image

Note that our ADSL upload speed is currently around 1.0Mbit though our actual throughput is higher as the CO is a stone’s throw away.

Depending on the types of files being compressed and encrypted, the upload speed has jumped up as high as 8Mbit per second.

Since we have a long weekend coming up here in Canada, seeding our off-site backup via upload will work just fine.

For our clients that may have a large amount of data to start off with, we can send a USB hard drive down to OWN to “seed” the backup. No additional fees apply to do so.

The backup client is fairly straight forward to operate, though we will be providing the initial backup agent configuration for our clients. The systems where the backup agent will run will have the users trained on its usage so that they can make changes to the backup folders and schedules if there is a need.

All in all, the service will provide peace of mind for our clients and us knowing that our data resides somewhere other than our building that may someday be toasted by fire, flood, or some crazy clown with a huge magnet. ;)

Off-Site Backup Services with OWN

We have mentioned in the past how partnering up with OWN provides an excellent passive revenue stream for our company: An Opportunity for Passive Income with OWN.

As an OWN partner, we are slowly moving into reselling more of the services that OWN offers.

We are now in a position where Cloud storage is going to provide the best off-site backup solution for one of our clients in the immediate future. This client has multiple sites with a different market focus at each site. Two of those sites incorporate volumes of scans and images as part of their product and service offerings.

A loss of any data for those two sites would be absolutely devastating to them and the community they serve.

So, given the volume of data that essentially needs a static place to sit, having multiple sites juggle multiple NAS units (we are talking huge volumes of data here) for their backup routines is essentially out of the question.

The cost of either wiring up a direct cable or fibre connection between the sites, or even putting in a fibre connection in the main site with the branches using standard DSL or Cable Internet to upload to it, cannot be justified when compared to the cost of OWN hosting the data.

The OWN storage fees provide an excellent value for the product and service we will receive from OWN for the Off-Site Storage service.

This is the kind of partnership that gives us the best of both worlds:

  1. We do the leg work to bring our clients onboard with the service. We get to charge a setup fee based on service configuration and also invoice monthly for the service thus providing a passive revenue stream for MPECS Inc. Our clients get a phenomenal service in the process.
  2. Vlad and his crew get to do all of the exciting stuff keeping that data safe and available! ;)

Partnerships are the way to make sure we stick around folks! Finding good, honest, and upstanding corporate citizens to partner with is the future proofing foundation for our own company.

Thursday, 14 May 2009

With Windows 7 and SharePoint, Who Needs A VPN? And … It Network Drive Maps!

This is a pretty neat new feature available to us:

image

After logging onto a remote SharePoint site, open a SharePoint library and change the view to Explorer View. In this case, the above screenshot is showing the Shared Documents folder on our SBS 2008 Advanced Blueprint SharePoint site.

Catch what is happening yet?

The screenshot above was taken after opening the remote SharePoint library in Explorer Mode and on a whim, clicking in the address bar and pulling the folder icon over to the Favorites after the full path was shown.

Voila! We have our shortcut to the SharePoint library!

Now, what happens when we have logged off and back on again?

When we log on, click on the Libraries icon on the Task Bar, we can click on the Shared Documents favorite. When we do, we are presented with the standard SharePoint credentials request. Once we have authenticated, we are in!

Talk about an absolutely huge time saver. There is literally no more need for a VPN connection!

There is already a list of clients in my head that this feature alone will justify the upgrade to SBS 2008 with SharePoint v3 and Windows 7 as soon as it arrives.

The sweet spot: No more VPN bandwidth overhead. Everything is riding inside of an HTTPS tunnel!

The above screenshot’s site URL:

  • \\remote.mysbsdomain.ca@SSL@987\DavWWWRoot\sites\SBS2008AB\Shared Documents

And, the cat’s meow:

  • net use r: "\\remote.mysbsdomain.ca@SSL@987\DavWWWRoot\sites\SBS2008AB\Shared Documents"

The net use command will call for credentials. But, it works! :D

UPDATE: Okay, the CMD window that was used to make the initial R: connection allowed us to browse the folders, but the R: drive did not show up properly in Windows Explorer.
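The UNC form above encodes an HTTPS URL: `@SSL` selects HTTPS, a second `@` field carries a non-default port, and `DavWWWRoot` stands for the root of the web server. The following added example (not from the original post; function names are hypothetical) converts in both directions and reports whether a given path actually rides over HTTPS, using the share from this post plus one constructed path without `@SSL` for contrast.

```powershell
# Added example (not from the original post): translate between an HTTPS
# SharePoint URL and the WebDAV UNC form used with net use and Explorer.
# Function names are hypothetical.

function ConvertTo-WebDavUncPath {
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = [Uri]$Url
    if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
        throw "Refusing '$Url': only absolute https:// URLs are converted."
    }
    # @SSL selects HTTPS; a non-default port follows as a second @ field.
    $server = "$($uri.Host)@SSL"
    if (-not $uri.IsDefaultPort) { $server += "@$($uri.Port)" }
    $path = [Uri]::UnescapeDataString($uri.AbsolutePath).Trim('/') -replace '/', '\'
    # DavWWWRoot stands for the root of the web server.
    ("\\$server\DavWWWRoot\$path").TrimEnd('\')
}

function ConvertFrom-WebDavUncPath {
    param([Parameter(Mandatory = $true)][string]$UncPath)
    $pattern = '^\\\\(?<host>[^\\@]+)(?<ssl>@SSL)?(?:@(?<port>\d+))?\\(?<rest>.*)$'
    if ($UncPath -notmatch $pattern) { throw "Not a WebDAV UNC path: '$UncPath'" }
    $isSsl    = [bool]$Matches['ssl']
    $hostName = $Matches['host']
    $port     = $Matches['port']
    $rest     = $Matches['rest']

    $scheme    = if ($isSsl) { 'https' } else { 'http' }
    $authority = if ($port) { "${hostName}:$port" } else { $hostName }

    # Drop the DavWWWRoot keyword, then percent-encode each path segment.
    $rest     = $rest -replace '^DavWWWRoot(\\|$)', ''
    $segments = @($rest -split '\\' | Where-Object { $_ } |
                  ForEach-Object { [Uri]::EscapeDataString($_) })

    New-Object PSObject -Property @{
        Url     = "${scheme}://$authority/" + ($segments -join '/')
        IsHttps = $isSsl
    }
}

# The share from the post.
$fromPost = '\\remote.mysbsdomain.ca@SSL@987\DavWWWRoot\sites\SBS2008AB\Shared Documents'
$info = ConvertFrom-WebDavUncPath $fromPost
"URL:                 $($info.Url)"
"HTTPS:               $($info.IsHttps)"
"Round trip matches:  $((ConvertTo-WebDavUncPath $info.Url) -eq $fromPost)"

# Constructed contrast: the same host without @SSL maps to plain HTTP.
$plain = ConvertFrom-WebDavUncPath '\\remote.mysbsdomain.ca\DavWWWRoot\sites\SBS2008AB'
"Without @SSL:        $($plain.Url) (HTTPS: $($plain.IsHttps))"
```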

Wednesday, 13 May 2009

SBS 2008 Side-By-Side From SBS 2003

What an adventure this job has been!

I am still in Calgary. :)

The messes we have uncovered have caused no end of struggle to make things work in our migrating this client to SBS 2008.

The biggest issue we are working on right now is an unstable Companyweb SharePoint v2 database (SQL 2005 integrated on SBS 2003 R2 Premium) that refuses to keep its connection with SharePoint. There is 80GB, yes Gigabytes, of data in this site and we need to somehow get all of it!

The proper way:

We have managed to use BeyondCompare V3 to save us from having to figure out which files we have managed to copy over to one of the local workstations.

Our two remaining options are SharePoint Database Explorer or bringing the 80GB worth of databases up with us on a ShadowProtect image and try and attach those databases to a fresh and stable install of SharePoint V2.

Never a dull moment. :D

Tuesday, 12 May 2009

The Built-In SBS 2008 Backup Rocks!

I did not even get a chance to get through my last post on the Companyweb being toasted before the recovery finished!

As has been mentioned before by us:

The built-in SBS 2008 backup really does work very well for keeping our servers protected from failures.

With ExchangeDefender in place we also have e-mail retention to back us up in the case of a downed server too!

Our Disaster Recovery bases are covered.

SBS 2008 – Hang On Before Installing WSS SP2

We have just had our freshly installed SBS 2008 Companyweb get toasted by the Windows SharePoint Services Service Pack 2 update.

One of the lessons we have learned, whether we are talking about SBS 2003 or SBS 2008, is to make sure we back up the server before running each product group's updates (previous blog post).

In this case, WSS v3 SP2 was the second last update to be run along with an SBS 2008 specific update.

So, we are fortunate that this particular server has not gone into production yet.

To save time, we are restoring the entire box from backup, which is the last optional step on our checklist anyway, and then running with the SBS 2008 update only.

While this is our first Companyweb SharePoint site toasted by WSS v3 SP2, it is not the first we have heard of the Companyweb site getting toasted.

The Official SBS Blog:

The troubleshooting steps did not work for us. Given the speed of this particular box, a restore is only going to take about 15-25 minutes. That will be a lot quicker and safer than:

Calgary Again

A new client install here in Calgary.

We will be required to install BES 5.x on SBS 2008 for Blackberry integration.

This should be interesting! ;)

UPDATE: Apparently our client received a really good deal on some Samsung Windows Mobile 6.0 phones along with a few iPhone 3Gs!

So, no BES to go today. But, demand is there, so we will be running a test install on a lab SBS 2008 box soon!

Thanks for reading. :)

Philip

Sent from my SBS Integrated Windows Mobile® phone.

Monday, 11 May 2009

Allowing a Dell DRAC (Remote Management) Session through ISA

The Dell Remote Access Card (DRAC) requires a couple of ports to be opened up outbound through our ISA servers in order for the Console redirection function to work correctly on a remotely managed server:

  • TCP Outbound: 5900 (Keyboard and Mouse)
  • TCP Outbound: 5901 (Video)

Create a custom protocol with the above settings, we call it Dell DRAC, and then create an Access Rule that allows the custom protocol from Internal/Local Host to External for All Users.

image

Once the rule has been created we are able to remote into any Dell server that has a DRAC 5 installed.

For any client that we support remotely, we make sure to have a remote management capability in the box ahead of time. This gives us console access via an Internet connection for those times where an OS may have stopped responding and we need to power cycle the box. Or, for SBS updates that like to kill Exchange, IIS, and/or RRAS thus taking us out of our remote session via the Remote Web Workplace or PPTP VPN.

As a result, we no longer need to have a timed script in place to force the box into a reboot during updates which may not bring the box back up in some cases where an update chokes the NICs, RRAS, or even IIS.

An additional benefit to having a remote management capability is being able to watch the boot cycle from start to finish. We can see all of the BIOS, RAID controller, and other firmware messages on our screen prior to the OS loading. It is one more way for us to assess the health of the server.

Heartland Payment Systems, Visa, and PCI Compliance

Attrition has a very good read on how they regard PCI compliance in relationship to the Heartland Payment Systems breach as well as the RBS Worldpay breach:

From the article:

security curmudgeon

I am so fed up with this entire ordeal. As a customer who was twice affected by Heartland's security breach (two different cards through two institutions were re-issued because of the breach), I am disgusted with Visa and Heartland. PCI and its cheerleaders make me angry.

We have been keeping an eye on the whole Heartland breach fiasco since we found out about it due to the fact that one of our credit card providers, and thus us, was directly impacted by the Heartland breach.

One of the promises made by Heartland was “openness” around the whole incident. To date, other than the initial press releases made by Heartland, there has been very little information on the impact the breach has had or the how/when/where/what on the intrusion itself.

Visa, MasterCard, and other credit card providers surely know but it is in their best interest to keep things as mum as possible too.

For those that are keeping some track on the impact of the Heartland breach, here is a somewhat accurate tally of the costs to Heartland so far:

The Network World article covers Heartland’s push, and investment, in an end-to-end encrypted tunnel for payment processing between the merchant and the payment processor (Heartland).

The actual costs to those impacted by the breach, meaning all of those whose credit card information was taken, are an unknown and may never be known.

The reality is, we are ultimately the ones responsible for protecting our identities. We need to remain ever vigilant over our bank and credit card accounts by using their online transaction management systems on a regular basis. Anything out of the ordinary, especially those $0.65 and $2.73 transactions, needs to be questioned immediately.

Some past posts on the Heartland breach:

Heartland CEO Bob Carr’s Goldman Sachs Technology and Internet Conference presentation linked in the third blog post is available on the Talkpoint site linked to in the post.

The Stats Are In on the Presentation – Needs Focus!

Yup. They are in.

The presentation is here:

Even with a fairly clear understanding that my principal weakness is staying focused and being on topic, reading all of the “stay focused” or “needs to be more focused” comments from the feedback forms really brought that weakness to the fore.

Taking any kind of criticism can be really tough. Whether the criticism is constructive, as is the case here, or destructive, it is an opportunity to learn from my mistakes.

Some of the feedback was quite positive which will help to hone the presentation skills in even further.

Thanks to all of those that provided feedback after the presentation!

Friday, 8 May 2009

Hotel Is Blocking the MSN Messenger Protocol?

Hmmmm … this is a new one to me.

This is the first hotel that I have stayed in where they will not allow the MSN Messenger protocol to flow on their guest network.

A call down to the front desk to find out why the Messenger client was not connecting yielded the fact that the protocol was blocked and that it was for “security” reasons.

When asked about the fact that the guest network was isolated from any internal network (at least it should be), thus preventing any issues, the front desk clerk stated that the protocol would not be permitted.

MSN Messenger is a critical communication tool for us with our key clients, suppliers, and those we provide on/off consulting services for. So, being blocked from communicating with those we need to is certainly inconvenient.

All it took was one search to come up with this:

image

MSN Web Messenger

So, we were able to sign in, get connected to a couple of key folks that we needed to, and now can go about resting up for tomorrow.

Blocking a guest from going about their required Internet communications in the room they have paid for is not really good for business. Needless to say, a comment will be expressed to the folks that manage the hotel to that fact.

Hat Tip: Proxy.Org

Hack And Defend Calgary

The drive down this morning started at 0500Hrs with the sun just below the horizon.

I am in Calgary for the Hack and Defend workshop that turns out to be a half day only! The registration system did not make it too clear, so I now have a free afternoon to rest and prepare for tomorrow's SBS 2003 to 2008 side-by-side setup here.

The event ID: 1032408773.

It looks as though there are still seats available.

More to come on the session...

Philip

Sent from my SBS Integrated Windows Mobile® phone.

Thursday, 7 May 2009

RSAT for Windows 7 x86 or x64

RSAT for Windows Vista will not work on Windows 7.

There is a version for Windows 7, though we needed to dig around for it:

image

The links on the Microsoft Download site do not work.

But, this site has a direct link to the downloads themselves (x86 and x64) that work as of this writing: Remote Server Administration Tools (RSAT).

After downloading and installing them, note that they need to be enabled under Turn Windows features on or off in the Windows 7 Programs and Features control panel.

image

Note the lack of a check mark beside the Remote Server Administration Tools feature.

Once in, we have access to the Hyper-V Manager which is what spurred the search on in the first place.
