December 08, 2008
SBS 2008 - ONECARE POSTSCRIPT

One glitch in the SBS 2008 migration nagged at me - it didn't make sense that the computers with the individual version of Windows Live OneCare were not reporting in to the SBS 2008 console, which tracks the security status of all the workstations on the network.

This is a sample of the new console for managing workstations in SBS 2008.

[image: sbsglitch4]

A handful of the computers running OneCare were able to get through and the server reported they were secure. I looked in vain for firewall exceptions for ports or services that were different on those.

It took a while to track it down, and in the end it wasn't the firewall after all.

Many things on a Windows Server network are controlled by "group policy," a very extensive set of rules that can be applied from the server to the workstations to control everything from network communications to your browser home page. There are thousands of settings that can be closely controlled with group policy.

Windows Server 2008 and SBS 2008 introduced hundreds of new group policy settings, but the workstations do not recognize them until new Group Policy Client Side Extensions are installed (Microsoft KB 943729). The group policy extensions are available through the Windows Update system but apparently are never offered as anything other than an optional update - ignored by OneCare and apparently ignored by WSUS, the system built into SBS 2008 to keep workstations up to date.

Sure enough, most of the computers had never installed the Group Policy Client Side Extensions. When the update was installed, the SBS 2008 console reflected their secure status about an hour later.
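A quick way to find out which workstations still lack the update before the console goes quiet on them. This is an added example, not code from the post: a PowerShell 2.0 function that asks each workstation over WMI whether KB943729 appears in its installed-update list. The computer names are a constructed sample; the commented line shows how to pull them from Active Directory instead. The same update carries the Group Policy Preferences extensions, which Group Policy drive mapping relies on, so it is also the first thing to check when a Group Policy drive map never shows up on an XP workstation.

```powershell
# Added example (not from the original post): report which domain workstations are missing the
# Group Policy Client Side Extensions update (KB943729) that the SBS 2008 console depends on.
# Requires PowerShell 2.0 on the machine you run it from and remote WMI access to the workstations
# (the Windows Firewall "Windows Management Instrumentation" exception must be on).
$computers = @('WS01', 'WS02', 'WS03')   # constructed sample names; replace with your own
# Or take every computer account from Active Directory instead of a hand-written list:
# $computers = ([adsisearcher]'(objectCategory=computer)').FindAll() |
#              ForEach-Object { $_.Properties['name'][0] }

function Get-GpCseStatus {
    param(
        [string[]]$ComputerName,
        [string]$HotFixId = 'KB943729'   # Group Policy Client Side Extensions (Microsoft KB 943729)
    )
    foreach ($pc in $ComputerName) {
        try {
            # Win32_QuickFixEngineering lists installed updates; no match means the update is missing
            $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $pc -ErrorAction Stop |
                      Where-Object { $_.HotFixID -eq $HotFixId }
            if ($hotfix) { $status = 'Installed' } else { $status = 'Missing' }
        } catch {
            # Off, blocked by the firewall, or not a Windows machine: report it rather than skip it
            $status = "Unreachable ($($_.Exception.Message))"
        }
        New-Object PSObject -Property @{ Computer = $pc; Update = $HotFixId; Status = $status }
    }
}

Get-GpCseStatus -ComputerName $computers | Format-Table Computer, Update, Status -AutoSize
```

Anything reported as Missing is a workstation whose status in the console will stay "unknown" no matter what the firewall says; anything Unreachable is worth a second look for the same reason, since the console talks to the workstation over the same kind of connection.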

One more thing for the SBS migration checklist!





December 05, 2008
SBS 2008 - MIGRATION GLITCHES

Let me leave a few notes behind about some of the glitches during the migration from SBS 2003 to SBS 2008. I don't have many answers but perhaps it will help someone to know that I'm able to commiserate with them. (Loyal clients - this is not aimed at you and it won't help you get your work done. I'll be back to general interest topics next week!)

As background: I was migrating an SBS 2003 server with a very basic configuration - no ISA, no use of Sharepoint, a single NIC and external firewall, and no particular pre-existing issues.

MIGRATION WIZARD

Microsoft provides a detailed guide to the migration procedure. (Have you noticed that Microsoft's documentation has been getting better and better lately? There's much less ambiguity about what to click next - each step is described in precise and accurate detail.) The guide was great.

SBS 2008 begins a migration when a USB stick with an answer file is inserted in the new server before the SBS 2008 installation starts. Several people have reported that the USB stick has to be present when the server is turned on or SBS 2008 is likely to miss it. After installation, the first and most important item on the SBS 2008 console is the "migration wizard" that leads through all the steps required to be successful.

[image: SBSglitch1]

I was about two-thirds of the way through the wizard when I took a break and installed the Server 2008 updates that were waiting. When the server restarted, the migration wizard crashed with a mysterious error that proved impossible to fix. I researched it and got nowhere. I removed a couple of the updates that conceivably might have unsettled something and got nowhere.

The wizard never came back to life. Fortunately most of its steps only lead to help files that describe the process for actually accomplishing each task by going into AD or MMC consoles or the like. I think - I think - I was able to finish the migration and cover the remaining steps without the wizard. There is still room for some surprise glitch - I'm going to cross my fingers when I demote the source server.

MAIL MIGRATION

I expected the mailbox migration to be slow but was still surprised. The Exchange 2003 mailbox store was about 25Gb after I pruned and archived as much as I could from the biggest mailboxes. The mailbox move took just about ten hours.

PUBLIC FOLDERS

I had no luck moving the public folders, and didn't really expect to, given the reports I had read. That may have been the result of a pre-existing glitch on the source server - this server, like several other of my SBS 2003 servers, throws up an error message when I try to do anything to the public folders in Exchange Server Manager. I've researched that one, too; I've removed the SSL requirement from EXADMIN in IIS, and a few other things suggested in other places, to no avail. I exported the public folders to a PST and stored them for now, since public folders were not being actively used and may not need to be implemented at all on the new server.

BACKUP

The most mysterious problem involves the backup system. The firm had been using ShadowProtect to back up to an NAS and two rotated external Maxtor hard drives. The backup built into SBS 2008 looks like it will be just fine but it does not directly back up to an NAS. I connected a Maxtor drive, formatted it, and ran the backup wizard. Hmm. Error message at the very end.

[image: SBSglitch2]

Since the message says "Cannot configure backup schedule," I started trying every scheduling option - once a day, twice a day - as well as swapping in the other (identical) hard drive, and couldn't get anywhere. I couldn't find anything in the logs at all. I got the flavor that it might be caused by the server disliking the external hard drives.

I'd like to talk to the person who thought it would be helpful to write: "If this problem persists, contact the person who provides you with technical support." It made me irritable.

ShadowProtect claims that the current version will back up SBS 2008 servers. With any luck I'll be able to install that and never know the answer to this one.

PHONE PASSCODES

This isn't a glitch, just something to warn your users about. By default, Exchange 2007 enforces a new passcode requirement on Windows Mobile phones (and iPhones) syncing with the server. Users are forced to set up a four-digit password that will be tapped in every time the phone is used. I'm sympathetic to all the reasons that this is an important security measure, but I'm also sympathetic to the desire to keep my job and not be fired by the attorneys who began flipping out immediately. It's possible to turn the requirement off in Exchange Management Console / Organization Configuration / Client Access / Windows SBS Mobile Mailbox Policy, which then allows it to be turned off on the phones. The iPhone balked and refuses to relax, even after the policy was changed, which apparently is a known glitch.
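The same policy can be read and adjusted from the Exchange Management Shell, which makes it easy to see exactly what the phones are being told and to soften the requirement instead of dropping it. This is an added example, not from the post: the cmdlets and parameters are the Exchange 2007 ones, the policy name is the one the post gives, and the 15-minute timeout and 8-attempt wipe threshold are values chosen for illustration.

```powershell
# Added example (not from the original post). Run inside the Exchange Management Shell on SBS 2008.
# Shows what the SBS mobile mailbox policy enforces, then keeps the passcode but stops asking for
# it every time the phone wakes up by setting an inactivity timeout.
$policyName = 'Windows SBS Mobile Mailbox Policy'   # policy named in the post

# 1. What the policy currently pushes to every phone that syncs
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                AllowSimpleDevicePassword, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts

# 2. Keep the four-digit passcode, but only require it after 15 minutes idle (illustrative value),
#    and wipe the device after 8 wrong guesses so a lost phone does not expose the mailbox
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -MaxDevicePasswordFailedAttempts 8

# 3. Confirm which mailboxes the policy is assigned to; the setting is per mailbox, not global
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicy -ne $null } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

The phones pick up the new settings on their next sync; as the post notes, the iPhone of that era did not always relax a policy it had already applied.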

SERVER CERTIFICATE

I was determined to allow my users to continue to use the familiar URL for remote access, even though it didn't match the naming scheme preferred by SBS 2008. The email domain is www.bigfirm.com, say, and my users have been reaching RWW at www.bigfirmnet.com for years. I have a GoDaddy SSL certificate for www.bigfirmnet.com and heck, I just like it. Plus I've got migrations coming up where I know it will be difficult to work with the web hosting company to set up a subdomain and MX records for the primary domain name.

The Internet address wizard insists on getting the primary address and only allowing RWW to be reached at the same address with a prefix - remote.bigfirm.com or something like it. I had to work around that by lying to the wizard that the primary domain name was bigfirmnet.com, which (in Advanced Settings) would then let www.bigfirmnet.com be the remote access address.

[image: sbsglitch3]

When that was in place, then I could set the primary email addresses back to @bigfirm.com in Exchange Manager / Organization / Hub Transport / Email address policies / Windows SBS Email Address Policy.
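The console path above has a shell equivalent that is easier to repeat on the next migration and easier to verify afterwards. This is an added example, not from the post: it uses the Exchange 2007 Management Shell cmdlets, the domain names are the post's placeholders, and keeping @bigfirmnet.com as a secondary address is an assumption made so that mail sent to the wizard-era addresses still arrives.

```powershell
# Added example (not from the original post). Run inside the Exchange Management Shell on SBS 2008.
# Puts users' primary addresses back at bigfirm.com after the Internet address wizard was told
# that bigfirmnet.com (the remote access name) was the primary domain.
$primaryMail = 'bigfirm.com'        # the users' real e-mail domain (placeholder from the post)
$remoteName  = 'bigfirmnet.com'     # what the wizard believes is primary (placeholder from the post)
$policyName  = 'Windows SBS Email Address Policy'   # policy named in the post

# 1. Both names must be accepted domains or Exchange will refuse mail for one of them
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
foreach ($d in @($primaryMail, $remoteName)) {
    if ($accepted -notcontains $d) {
        New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative | Out-Null
    }
}

# 2. Upper-case "SMTP:" marks the primary (reply) address; lower-case "smtp:" is a secondary.
#    %m is the mailbox alias. Keeping the old domain as a secondary is an assumption, see lead-in.
Set-EmailAddressPolicy -Identity $policyName -EnabledEmailAddressTemplates @(
    "SMTP:%m@$primaryMail",
    "smtp:%m@$remoteName"
)

# 3. Existing mailboxes are only re-stamped when the policy is applied
Update-EmailAddressPolicy -Identity $policyName

# 4. Verify: every mailbox should now reply from @bigfirm.com
Get-Mailbox -ResultSize Unlimited | Select-Object Name, PrimarySmtpAddress
```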

ONECARE

Windows Live OneCare has been a trusted friend but it does make me a little crazy sometimes. SBS 2008 expects to get feedback from each workstation about its security status and apparently OneCare isn't set up to let that happen. So far I haven't found the firewall port or other hack that will let the workstations report in, so they're all showing in the server console as "unknown." I can't even find a definitive statement that it's possible or impossible with the standalone version of OneCare. I'm not going to install OneCare for Server so I may just not get good feedback in the console until we switch to Trend Micro. I was hoping to procrastinate on that - everyone has been used to OneCare for a long time - but change happens.

DRIVE MAPPING

Drive mapping is supposed to be accomplished in Group Policy now. I was comforted that other people online said they had trouble with it, because I couldn't make a mapped drive appear on a workstation no matter what I did in Group Policy. After a fruitless half hour of researching and trying things, I put the nice simple logon script in the folder and assigned it to everybody. I feel kind of crude, but it works.

SHARED PRINTERS

Another little headache - it was easy to install 64-bit drivers for network printers and share them from the server. At least, it was easy once I stopped clicking on the "Add printer" button and getting an "Access denied" message when it tried to set up a TCP/IP port. Right-click in the Printers folder and click on Run As Administrator / Add printer - ah, that's intuitive! Sheesh.

Out at the first workstation, I was reminded forcibly that there were no 32-bit drivers around, so I downloaded the corresponding 32-bit drivers for a few of the printers (a couple of HP Laserjets and a Toshiba copier) and went to add them on the server using Additional Drivers on the Sharing tab. The server thought that was a terrible idea - it never agreed that the 32-bit drivers corresponded with the 64-bit drivers. (I read somewhere that it was a known problem with some HP drivers but I had the same experience with the Toshiba drivers.) So I parked the 32-bit drivers where I could get to them, went back to the workstation, and browsed to the 32-bit drivers when the workstation tried to connect to the shared printer and rejected the 64-bit drivers. Nope! The workstation also didn't agree that it was a match. It was the closest match, trust me - these were the identical 32-bit and 64-bit drivers for the same model running the same PCL level.

Fortunately, we already had reason to be running a Windows XP virtual machine on the second server with Hyper-V. I've shared all the printers from there and I bet it's rock solid.

A migration is a complex project! I think it went smoothly. These are the kind of glitches that happen constantly, every day at every level. Some of them will happen to me the next time, others will come up that are brand new. It's the nature of IT today. With luck I'll bring good instincts and a lot of experience and use them both the next time I come to your office!





December 03, 2008
SBS 2008 - SSL CERTIFICATES

Let me give you a quick overview of the kind of issue that makes it fun to be a consultant.

When you go to a web site where any personal information is going to be exchanged, you're likely to see the web site address change from http:// to https://. The connection is encrypted using "Secure Sockets Layer" (SSL), so the data is reasonably well protected against eavesdroppers. You'll see it at banking sites or almost anything involving money or payment, as well as on web sites for access to company networks and other places where data should be confidential.

When you go to http://www.wellsfargo.com/, the bank's web server presents its security certificate from a known certificate authority, a big company that has done some checking to ensure that the server actually belongs to the company whose name is on the web site. Your browser examines it and agrees that it looks authentic, then checks the certificate's digital signature against the authority's own certificate to confirm that it was really issued by the big trusted authority. When it's satisfied, it proceeds automatically to https://www.wellsfargo.com/ and shows you a happy padlock icon in the address bar.

[image: SSL1]

Until recently, SSL certificates were only used by big companies: they were expensive, required annoying paperwork, and the whole process was technically difficult.

Small Business Server 2003 wanted remote users to log into its great Remote Web Workplace over a secure SSL connection but couldn't saddle small businesses with the headache of buying expensive certificates, so it used a workaround. By default an SBS 2003 server presents a "self-signed certificate." Essentially the server vouches for itself and tells your browser that it's safe and trustworthy.
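The checks the browser makes can be reproduced from a workstation, which is a handy way to confirm a remote access site before users see a warning. This is an added example, not from the post: a PowerShell 2.0 function built on the .NET SslStream and X509Chain classes that connects to a server, keeps the certificate it presents, and reports who issued it, whether this machine's trusted root store vouches for it, whether the name matched and when it expires. The host name in the usage line is the post's placeholder.

```powershell
# Added example (not from the original post): inspect the certificate a server presents, the way
# a browser does, and report what would make the browser complain. PowerShell 2.0, .NET 2.0+.
$script:LastSslPolicyErrors = $null

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    # Let the handshake finish whatever the certificate looks like, but remember what the
    # .NET validator objected to (name mismatch, untrusted chain, ...) for the report
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:LastSslPolicyErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Build the chain against this machine's trusted root store; a chain that will not build is
    # exactly the case that produces the certificate warning in the browser
    $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $x509Chain.Build($cert)

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        # Subject equal to issuer is the classic self-signed certificate (SBS 2003 style);
        # ChainTrusted is the decisive answer, since a private CA also fails to build a chain
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $chainOk
        ChainStatus  = (($x509Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        PolicyErrors = $script:LastSslPolicyErrors   # None means the browser would be happy
    }
}

# Usage (placeholder host name from the post); run from a machine outside the server's domain
Test-ServerCertificate -HostName 'remote.bigfirm.com' | Format-List
```

Run it from a workstation that is not a member of the server's domain: domain members may already trust the server's own certificate authority, so they will report the chain as fine while a phone or a home PC would not.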

That sounds a bit flaky but it worked well enough for a long time, until security concerns began to trump everything else. Business people began buying Windows Mobile phones to sync their Outlook folders over the air and for a while it was possible to convince them to accept the SBS server's self-signed certificate, but it got harder and harder to accomplish - it required finding the right tool to install the certificate on the phone and the manufacturers were nervous about giving people access to the depths of the phone's operating system to do that. Now it's almost always impossible.

Meanwhile Microsoft began to add new security warnings to Internet Explorer as part of its hardening over the last few years. Now when you go to a site with an SBS 2003 certificate, you get this ominous warning:

[image: sbscertificatewarning]

If you go past the scary warning to the company's RWW site, you get the unhappy red IE address bar instead of the happy padlock:

[image: SSL2]

Fortunately, a few companies began offering inexpensive SSL certificates with a minimum of fuss. GoDaddy.com offers SSL certificates for only thirty dollars per year that are accepted by most computers, phones and other devices. SBS consultants began to work out elaborate documentation for installing them on SBS servers. Many consultants made it a standard part of setting up a server running SBS 2003.

SBS 2008 still begins with a self-signed certificate but a wizard is included in the initial setup checklist to help purchase a third-party certificate.

[image: SSL3]

The wizard wasn't helpful to me in a migration where I already had a domain name with an existing certificate. I found myself burrowing deeply into IIS and feeling my way through the process. I was successful but it took some interesting tricks to get everything to work correctly.

The experience exposed another interesting feature of Exchange 2007. If a company runs the web site http://www.bigfirm.com/, it can set up remote.bigfirm.com as a subdomain that leads to their internal company network. Set the company's MX record for incoming mail to remote.bigfirm.com and give that address to the business people for remote access. SBS 2008 has wizards to help get the domain names registered and set up in Exchange.

Then if a business person goes home and sets up Outlook 2007 for an Exchange Server at remote.bigfirm.com, Outlook will configure itself automatically with the settings to connect over the Internet to Exchange Server at the office. It's not necessary in that case to configure the deep proxy settings that have been required until now to set up Outlook for RPC over HTTP. Microsoft thinks the technology is so cool that it blessed it with a new brand name, "Outlook Anywhere." (SBS 2008 does some of the magic to accomplish that, thank goodness - otherwise it requires deep surgery in ADSIEDIT and the Exchange command line console.)

That works fine, I'm sure, but I used a different naming scheme when I bought domain names for all my SBS clients for their remote access. SBS 2008 does not like that arrangement one little bit. And it's only easy to set up a subdomain and manipulate MX records if you have full DNS control over the ISP for http://www.bigfirm.com/. A small business will frequently have set up their web site with small hosting companies and web site designers that are, shall we say, not always easy to work with.

You see what I mean, I'm sure - it's fun!





October 23, 2008
WINDOWS LIVE ONECARE FOR SERVER

Microsoft Small Business Server 2008 will be released on November 12. Veterans of SBS 2003 are finding many things to like in the new version; I'll have more to say about it in the next few weeks. Here's an early look at the features and changes in SBS 2008.

At about the same time, Windows Live OneCare will be upgraded to version 3. If you already use OneCare, the new version will presumably be sent to you automatically, it will restart your computer, and it will cause enough glitches that I'll be busy on the phone for a few days. I don't have any details about the new version yet but I'll keep you posted about what to expect.

(Loyal OneCare users - I've spent some time in the last few days with the latest security suites from Symantec/Norton, ZoneAlarm, and TrendMicro. Trust me - OneCare is the very model of decorum and politeness and looks angelic by comparison.)

The big news for Windows Live OneCare is the addition of Windows Live OneCare for Server, which will be included with SBS 2008 as an optional choice for security. The new server product will provide simple virus and malware protection, which in itself is a welcome addition for small businesses.

But apparently it will also allow up to 25 workstations to be managed centrally and covered by a single OneCare license, which is good news indeed! I've needed better monitoring and management for my clients' computers. It also allows the data on the workstations to be backed up centrally, which might be sufficient to protect the Outlook .PST archives that are piling up everywhere. Here's some info about the new server product.

Pricing is pretty reasonable:

  • OneCare for server only: $189.95/year
  • OneCare for server plus a "site license" (apparently up to 25 workstations): $399.95/year.

There is a big caveat, though - OneCare for Server will only work with SBS 2008. I can't install it on my clients' existing SBS 2003 networks.

In my mind, this is a big selling point for an upgrade to SBS 2008 as we replace aging SBS 2003 servers!

Windows Live OneCare for Server





May 23, 2008
GOOGLE WEB HOSTING

If you're looking for a quick way to get something online, take a look at what Google is doing.

There's no shortage of ways to get started online with a web site, a blog, a place for collaboration, a shared calendar, a shared photo gallery, or any of a hundred other things. In fact, for many people that's the problem - it's not easy to articulate what their goals are for an online site, and there's no way to make an informed choice and be confident that a service will match their technical skills, meet their needs, and still be in business a year from now.

Traditional web hosting - register a name, sign up with a web hosting company, get a web site designed, and keep it up to date - has many pitfalls. Name registration and simple web hosting cost virtually nothing, but there are many ways to muck it up, and it's hard not to feel helpless and lost while trying to decide what companies to choose. Very few web site designers are willing to work cheaply on a simple web site, for obvious reasons - there's no money doing inexpensive work for a customer who likely won't come back for repeat business.

Lots of companies big and small have jumped in to make it easier to get started, typically by offering the web hosting for free or nearly free and providing templates for cookie-cutter web sites. Don't underestimate that! Many of those services are just great and some of the templates are beautifully designed.

Microsoft, for example, has introduced Microsoft Office Live, intended to provide small businesses with the tools to start a web site and do useful things with it - online commerce, marketing, online document storage and collaboration, and more. A motivated business owner with strong technical skills can probably do wonderful things with it. I've only looked at the first few screens and I can see the potential, but wow, there's a lot of things to learn! The thought of working with them enough to be confident makes me want to go lie down.

Google offers simple web hosting for individuals and very small businesses with typical Google features - drop dead simple controls, nice designs for the templates, and all completely free. Details are on the Google Web Hosting page. For a modest monthly fee, you can hire professional designers to help put your site together.

All of these services have quirks. I don't know the details about Google's web hosting, but I can give you one quick example. Google is not offering to host http://www.yournamehere.com for free! The service creates pages with an address in this format: http://yoursitename.googlepages.com. That's fine for an individual, a bit funky for a business. That also means that Google will not be providing email to a custom domain name, although you can have mail from your site sent to any email address (including a Google GMail account).

Let's be clear: that means you can have a web site online in minutes, for free, that can be updated from anywhere. Nice!

[image: Google Sites]

Today Google opened up another service that looks fascinating. Google Sites also lets you get a web site online in minutes, for free, that can be updated from anywhere. But these sites are designed for groups - sports teams, community groups, classrooms, clubs, families, anything that might involve more than one person.

The pages can easily be used for calendars, photos, videos, documents, blog-style news, gadgets, and more.

Anyone can view the pages online, but it's also easy to give people permission to add information - enter an email address and immediately give someone permission to update the calendar, contribute to the news items, or upload pictures, for example.

This is very good stuff! The world is pretty overwhelming, I know, but this ought to be in the back of your mind so you can use it when the need arises.

Sites created with Google Sites will have names in the format http://sitename.googlepages.com.

Here's Google's announcement that Google Sites is now available to anyone, and here's a news article with a few more details. Go put it to good use!





April 10, 2008
VISTA ULTIMATE UPGRADE

Microsoft has a special price of $99 for an upgrade to Vista Ultimate on PCs purchased from Best Buy, Staples, Circuit City, and Amazon through June, according to Paul Thurrott, normally a well-informed source. (I can't find any reference to it on the Microsoft web site. Maybe there's a coupon in the box or something.)

That seemed like a bit of a yawn until an extra piece fell into place, courtesy of Susan Bradley. PCs purchased from one of those stores will undoubtedly have Vista Home Premium installed - and Vista Home Premium cannot be used effectively in any business run by a server. The $99 upgrade to Vista Ultimate allows the computer to be joined to the company domain without the expense and difficulty of buying a copy of Vista Business and wiping the hard drive.

The upgrade offer makes it a little easier to tell the boss about the next step when he or she proudly shows off the computer they bought for themselves at Best Buy.

Here's information about the versions of Vista if you need a refresher course. In short:

  • Vista Business is required if the computer will be used in a business, and is the preferred choice for many home users.
  • Vista Home Premium is a fine choice for parents or people who are going to focus on multimedia, and perfectly adequate for most home users.
  • Vista Ultimate has everything.
  • Vista Basic will serve if you simply must buy the cheapest computer on the market and have no self-esteem.





April 09, 2008
PRIMER ON NETWORK ATTACHED STORAGE

Network Attached Storage devices ("NAS") are starting to appear regularly at small businesses. An NAS device is a small box with one or more hard drives and a simple operating system that can add huge amounts of storage space on a network just by plugging them in. They're frequently designed with multiple hard drives that can use RAID drive management to hold data very safely, but without the expense or maintenance required for a Windows-based server.

This article is a useful primer on network attached storage. Every computer user should start to become familiar with this technology!

"As the name indicates, NAS devices connect directly to a computer network, rather than to an individual PC. Therefore, the files they contain can be made available to anyone on the network that needs them. Unlike a PC, NAS devices don't use monitors or keyboards. Instead, you configure a NAS device using a Web browser such as Internet Explorer. From there you can do things like set up folders for employees to store files in, as well as create user names and passwords to control who is allowed to have access to those files.

"NAS devices can be an option for any size business because they come in a variety of sizes, prices and storage capacities. Depending on the features and amount of storage provided, the cost of a NAS device can be quite inexpensive--as little as $200--or as much as several thousand dollars. Although some NAS devices can be physically large, models designed for small businesses can be easily tucked away almost anywhere. Most are smaller than an average PC and many take up barely more space than a hardcover novel."

More expensive NAS devices will have four or more hard drives in a RAID 5 array, which allows the device to be completely functional and keep the data safe even if an individual hard drive fails. Some of them integrate with Active Directory running in a Windows domain (including a domain run by Small Business Server) so that the NAS device knows the names of users and can enforce different levels of access to shared folders.

They have quirks, of course. I've gotten several Buffalo Terastation Pro II devices to store backup archives for my SBS clients; on Sunday all of them refused to allow the backup program to store files, with an "access denied" message. Headscratching, memories of the setup process - ah! This weekend was the original date for Daylight Savings Time to go into effect; the Terastations mistakenly set their clocks forward one hour. When the time on the Terastations doesn't match the rest of the network, the Terastations won't recognize the credentials of domain users. Why? I've stopped asking that question. None of the quirks we face with our computers make any sense. When I set the Terastations' time correctly, everything went back to normal.





March 16, 2007
PROBLEMS WITH 1AND1
Yet another tale of woe.

1and1.com is one of the largest web hosting companies in the world. They established themselves in Europe before making a big splashy entrance in the US a couple of years ago, with huge advertising sections on thick glossy paper in dozens of magazines. They offer rock bottom prices, a wide range of services, and well-designed online control panels.

I started using them and recommending them for domain name registration ($5.99/year), web hosting, and hosted Exchange mailboxes. A year ago I had a couple of reasonably good experiences with customer support.

A client called up a few months ago and complained that he had a terrible experience with an aggressively incompetent tech support person in India. Hmm.

Two friends had so much trouble with the hosted Exchange service that they cancelled the service. Another lost access to his Exchange mailbox for a day and got no satisfaction from his phone calls.

Today a business client learned that 1and1.com had locked his account, turned off his web site, and stopped the company e-mail, with no notice whatsoever - no e-mail, no letter. There was an issue with the company credit card - details are hazy, but let's assume the card lapsed.

The lack of notice was inexcusable. This has the potential to do serious harm to a business that lives by its e-mail.

The reaction from 1and1's customer support was worse. A bored customer service rep explained that the account had been turned over to a collection agency, and nothing could be done until the business "negotiated" a payment through the collection agency - at which point 1and1 would have to be called again to throw the switch on the domain names. There would then be even more of a delay, another 24 hours, before the domain came to life and the mail started to flow.

This is very bad.

Many businesses with millions of customers get treated to web pages like this one full of complaints, but that doesn't make it any more pleasant to run across them, and it's a little hard to find people praising 1and1 recently. There are some anecdotes about support being outsourced and company properties being relocated - and a persistent theme that things at 1and1 have deteriorated fast in the last six months.

Sonic does domain name registration and web hosting. Their mail handling for domains is primitive, their online controls are clumsy - heck, even their sales pitches are a bit confusing. But I don't think Sonic would allow your domain to go dead without notifying you, and so far Sonic hasn't started routing support calls to India.

Hmmm . . .





January 14, 2006
BRUCEB.COM OUTAGE
Something took down all the web servers at XO Communications at 2pm yesterday. That's why you couldn't bring up the bruceb.com favorites page until about 9pm last night. The outage apparently affected all the web sites hosted by XO and took down my mail along with the web site. During that time the phones at XO would immediately disconnect calls to tech support - presumably they were overloaded.

The disturbing thing is that there's no information from XO this morning about what happened. XO has a long history - it started life as Concentric Networks, went through acquisitions and bankruptcy, and still offers very appealing onscreen tools for domain hosting. But its prices are way too high now after years of strong competition from 1and1.com and other companies, and an unexplained eight-hour outage is pretty frustrating. Time for a change, I think.






bruceb consulting   |   (707) 703-1601   |   e-mail: