Lessons Learned

Things I wish I had known…

October 1st, 2008

Running Just About Anything as Admin in 2008

In the new world of limited access permissions in Server 2008, trying to get elevated permissions to run certain things can be a bit of a challenge. That’s where this handy shortcut comes in.

In 2008, type a command to run in the Search window of the Start menu, then hold CTRL-SHIFT and hit Enter to execute that command as Administrator. You’ll get the UAC prompt, then the tool will run with elevated permissions.

September 25th, 2008

Resolving a 403 Forbidden Error from ISA

A common error generated by ISA seems to cause a great deal of confusion and frustration for people who don’t work with ISA on a regular basis. However, this is actually one of the easiest issues to identify and then resolve with ISA. The exact error message that is seen in the browser is:

403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server

What this means, simply, is that the server address entered into the browser does not match the web site name that ISA is expecting. An easy way to see this for yourself is to try to access the Remote Web Workplace of an SBS box by entering the address as https://ipaddress/remote instead of https://site.domain.com/remote (provided that you have your SBS box configured to use site.domain.com as the public address). Boom, instant 403 Forbidden error.

So how can you tell what URL ISA is expecting to get from the browser? Also easy. Once you get the 403 Forbidden page, click on the Certificate Error tag in the browser address bar (you will always get a certificate error in this condition, by the way) and view the certificate. The name in the certificate is what ISA is expecting to see. This is because ISA presents the public certificate bound to the web listener in order to decrypt the incoming SSL connection from the client. Once the request is decrypted, ISA compares the host name the browser asked for against the public name configured on the publishing rule (the same name that is on the certificate). If they do not match, no publishing rule applies, the request is denied, and ISA returns the 403 Forbidden (12202) error. An IP address can never match a name-based rule, which is why the https://ipaddress/remote test above fails every time.

A common mistake made by those new to SBS is entering the wrong name for the SSL in the Connect to the Internet wizard. In a non-ISA setup, this will work, but it’s still wrong. The reason it works is that users can still bypass the Invalid Certificate warning that they see in IE. Only in this case, the invalid certificate warning is generated because the name on the certificate does not match the URL entered. Many times I’ve seen people enter the internal name of the server in the SSL certificate field of the CEICW, and by pure happenstance it hasn’t been a problem for them. Until ISA gets in the mix. ISA will not redirect traffic to the internal web site if the requested URL does not match the URL that ISA is advertising.
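The name check described above, as an added example that is not part of the original post and is not ISA's own code: given the name(s) on the listener's certificate (the names the post says ISA expects) and the URL a user typed, it predicts whether the request can reach the published site and explains why not. It mirrors the browser's certificate-name comparison (case-insensitive, a wildcard covering only one label) and treats an IP literal as a guaranteed mismatch. The certificate names and URLs in the tests are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


def _is_ip_literal(host: str) -> bool:
    """True when the host part of the URL is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name against the requested host the way a browser
    does: case-insensitive, trailing dot ignored, and a leading '*' covers exactly
    one label (so *.domain.com matches site.domain.com but not a.site.domain.com)."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        cert_labels = cert_name.split(".")
        host_labels = host.split(".")
        return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]
    return cert_name == host


def check_request(cert_names: Iterable[str], url: str) -> Tuple[bool, str]:
    """Predict whether a browser request will satisfy a name-based SSL listener.

    cert_names: Subject CN plus any Subject Alternative Names on the listener's
    certificate. Returns (ok, reason) so the reason can be shown to whoever typed
    the URL instead of leaving them staring at a bare 403.
    """
    names: List[str] = list(cert_names)
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased and bracket-stripped by urlsplit
    if parts.scheme != "https" or not host:
        return False, "not an https URL with a host name"
    if _is_ip_literal(host):
        return False, (f"{host} is an IP address; the listener only answers for "
                       f"{', '.join(names)}")
    for name in names:
        if _name_matches(name, host):
            return True, f"{host} matches certificate name {name}"
    return False, (f"{host} does not match any certificate name ({', '.join(names)}); "
                   "expect a certificate warning followed by 403 Forbidden (12202)")
```

Run it against the public name on the certificate and the exact address a user reports typing; the internal server name and the raw IP address are the two inputs that come up most often, and both return a reason you can hand back to the user.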

The best solution for ensuring that ISA is working correctly is to acquire and install a valid third party SSL certificate on the SBS server, then instruct your users never to click through a certificate warning to reach a site. Steps for requesting and installing a third party SSL cert for ISA on an SBS box can be found at the Official SBS Blog.

July 29th, 2008

Never underestimate the power of the basics

I recently was contacted by a partner who was having trouble with a migration. They had been working all night because they ran into trouble and had to start over. In the second pass, they could not get Active Directory to sync between the two servers. That’s when they called me in.

After getting a status report about the error, the first place I had them look was the ipconfig on both servers. As soon as they looked at the output from one of the servers, they knew what the problem was: the server was pointing to a non-existent system for DNS. There was no way that box could sync anything since it could not get valid DNS entries for AD.

The moral of the story: always check the basics. Even if you KNOW that the settings are what you are expecting, confirm them when you hit a snag.

July 26th, 2008

SQL solutions with SBS 2008

While sitting in our local SBS 2008/Vista event this morning, Peter Gallagher, a TS2 presenter, mentioned that SBS 2008 Premium will ship with both SQL 2008 and SQL 2005 workgroup edition. The SQL 2005 is included for LOB apps that may not be ready for SQL 2008. You won’t be able to run both versions simultaneously, but you can switch when ready. This is documented in the Database box at http://www.microsoft.com/windowsserver/essential/sbs/compare-features.mspx.

July 12th, 2008

Connecting iPhone 2.0 to an Exchange Server

With the release of the iPhone 2.0 software and the 3G iPhone on July 11, 2008, the iPhone can now have a native connection to Exchange 2003 and 2007 servers. This post documents the steps needed to configure the iPhone for an Exchange account, assuming that Exchange ActiveSync is already configured and working properly on the Exchange server. If the Exchange server is running on SBS 2003 or SBS 2008, this configuration is already in place.

From the iPhone:

  1. Press the Home button to bring up the Home screen.
  2. Select Settings from the Home screen.
  3. Select Mail, Contacts, Calendars from the Settings page.
  4. Select Add Account.
  5. Select Microsoft Exchange.
  6. In the Email field, enter the e-mail address for the account.
    NOTE: this e-mail address must match EXACTLY with the default e-mail address on the account, case included. If the default e-mail address is First.Last@domain.com and you enter first.last@domain.com, you will run into issues with Calendar sync, and possibly other areas as well.
  7. In the Username field, enter the domain user information in the format Domain\Username (e.g., smallbizco\jondough).
  8. In the Password field, enter the account password.
  9. If desired, you can change the Description field.
  10. Select Next.
  11. If you have a self-signed SSL certificate, you may get an “Unable to Verify Certificate” warning. Select Accept to continue.
  12. In the Server field, enter the full public domain name for your server. This is the same as the web address you use to connect to Outlook Web Access. If your OWA address is https://mail.smallbizco.net/exchange, then enter mail.smallbizco.net in the Server field.
  13. Select Next.
  14. If you have a self-signed or unrecognized SSL certificate on the Exchange server, you will receive an “Unable to Verify Certificate” warning. Select Accept to continue.
  15. Once the account has been verified, you will be able to select which information you want to synchronize: Mail, Contacts, and Calendar. Select the items you wish to synchronize to the iPhone by selecting On or Off for each item.
  16. Select Save to create the account.
  17. On some Exchange servers, you may be prompted after completing the account setup to configure a passcode for the device. Enter a passcode for the device and keep record of that passcode.

At this point, your iPhone is connected and ready to go. The first time the iPhone attempts to synchronize with the server, you may get the “Unable to Verify Certificate” warning again if you do not have a recognized SSL certificate. If you get this warning, select Accept. Otherwise, your selected items will sync to the iPhone from Exchange. You can go back to the Home screen and open the Mail app to review your messages.

July 9th, 2008

KB948110 and Sharepoint

Looks like there might be an issue with installing KB948110 via Automatic Updates or Microsoft Updates if you have Sharepoint on the server. I’m tracking this down at a client site, but have heard of several other instances this morning. The behavior is this:

  • After installing KB948110, Sharepoint/Companyweb is not available. The message “Cannot connect to the configuration database. For tips on troubleshooting this error, search for article 823287 in the Microsoft Knowledge Base at http://support.microsoft.com.” appears in the browser when accessing the site.
  • The Application Log has numerous Sharepoint errors: #50070: Unable to connect to the database STS_Config on SERVER\SharePoint. Check the database connection information and make sure that the database server is running.
  • The ERRORLOG file in C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\log contains the following at the end of the log: Database ‘master’ has invalid schema.

If you go into services.msc, you will see that MSSQL$SHAREPOINT is set to Automatic but not started. If you start the service, it will appear to start, but on a refresh it will show as stopped again. Attempts to uninstall KB948110 may not show the Sharepoint instance in the list. A successful uninstall of 948110 may not restore operation to Sharepoint, either.

I’m working with Microsoft on this and will update this post as new information becomes available.

UPDATE: 1:45pm
One of the factors leading to the issue has been identified. The 948110 update is not correctly identifying the Service Pack level on some MSDE instances. In cases where MSDE 2000 is at SP3, the 948110 update should not be installing, yet it is. This was the cause of the problem on the system I was working with. Other factors are involved as well, and those are still being investigated. More info as it becomes available.

UPDATE: 4:00pm
The SBS CSS support team is now officially recommending that you hold off on installing this update on SBS servers, per their blog post: http://blogs.technet.com/sbs/archive/2008/07/09/hold-off-on-installing-hotfix-948110-on-sbs-2003-servers.aspx. I’m taking the stance that I will not be installing this update on any servers with Sharepoint until another update is released.

UPDATE: 7/10/08 7:00am
OK, a few other items have been identified as causes for this issue. I’ve already mentioned the Sharepoint database being on WMSDE 2000 SP3 instead of WMSDE 2000 SP4. Turns out there are also cases where Sharepoint is running on MSDE 2000 instead of WMSDE 2000, and that can cause problems as well. Not sure how Sharepoint is getting installed on MSDE 2000 instead of WMSDE 2000, as with the SBS 2003 install it goes on WMSDE for sure (and I think the default install of WSS 2.0 does as well), but there have been some instances where this is the case.

If you look in the ERRORLOG file in the path mentioned earlier, you may see something like this at the top of the file:

Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)

The last line above is the tell-tale indicator of which version of SQL the Sharepoint database uses. If it says “Desktop Engine” like in the example above, Sharepoint is sitting on MSDE (which has a 2 GB database size limit, the real reason Sharepoint wants to sit on WMSDE). Instead, the line should read “Desktop Engine (Windows)”, which indicates that it’s sitting on WMSDE. Note that the “Service Pack 2” at the end of that line is the Windows service pack, not the SQL one; the SQL service pack level is given by the build number on the first line.
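The ERRORLOG check above, as an added example that is not from the original post: it pulls the build number and the engine flavour out of the header and reports which of the two conditions the post names (not WMSDE, or not SP4) apply to the instance. The build-to-service-pack table is assumed from general knowledge of the SQL Server 2000 8.00.x builds; the post itself only shows build 8.00.2039. The two sample headers are constructed, the first mirroring the post's example.

```python
import re
from typing import Dict, List

# Build-to-service-pack mapping for SQL Server 2000 / MSDE 2000 / WMSDE 2000.
# Assumed from general knowledge of the 8.00.x builds, not taken from the post.
SQL2000_BUILDS: Dict[str, str] = {
    "8.00.194": "RTM",
    "8.00.384": "SP1",
    "8.00.534": "SP2",
    "8.00.760": "SP3",   # SP3 and SP3a report the same build
    "8.00.2039": "SP4",
}

# Constructed sample headers. The first mirrors the post's example (MSDE 2000 at
# SP4 on Windows Server 2003 SP2); the second is a WMSDE instance still at SP3.
SAMPLE_MSDE_SP4 = """\
Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
	May  3 2005 23:18:38
	Copyright (c) 1988-2003 Microsoft Corporation
	Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)
"""

SAMPLE_WMSDE_SP3 = """\
Microsoft SQL Server  2000 - 8.00.760 (Intel X86)
	Dec 17 2002 14:22:05
	Copyright (c) 1988-2003 Microsoft Corporation
	Desktop Engine (Windows) on Windows NT 5.2 (Build 3790: Service Pack 2)
"""

_VERSION_RE = re.compile(r"Microsoft SQL Server\s+2000\s+-\s+(\d+\.\d+\.\d+)")
# The edition is the text before " on Windows NT". The "Service Pack N" later on
# that same line is the Windows service pack, not SQL's.
_EDITION_RE = re.compile(r"^\s*(.+?)\s+on Windows NT", re.MULTILINE)


def parse_errorlog_header(text: str) -> Dict[str, str]:
    """Extract build, SQL service pack and engine flavour from an ERRORLOG header."""
    version = _VERSION_RE.search(text)
    edition = _EDITION_RE.search(text)
    if not version or not edition:
        raise ValueError("not a SQL Server 2000 ERRORLOG header")
    build = version.group(1)
    edition_text = edition.group(1).strip()
    engine = {"Desktop Engine": "MSDE",
              "Desktop Engine (Windows)": "WMSDE"}.get(edition_text, edition_text)
    return {"build": build,
            "service_pack": SQL2000_BUILDS.get(build, "unknown"),
            "engine": engine}


def kb948110_risk(info: Dict[str, str]) -> List[str]:
    """Reasons, per the post, that this instance is exposed to the KB948110 breakage."""
    reasons: List[str] = []
    if info["engine"] != "WMSDE":
        reasons.append(f"SharePoint database is on {info['engine']}, not WMSDE")
    if info["service_pack"] != "SP4":
        reasons.append(f"instance is at {info['service_pack']} (build {info['build']}), not SP4")
    return reasons


def has_invalid_master_schema(text: str) -> bool:
    """True when the post-update failure signature appears anywhere in the log."""
    normalised = text.replace("\u2018", "'").replace("\u2019", "'")
    return "Database 'master' has invalid schema" in normalised


if __name__ == "__main__":
    # On a real server: open(r"C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\log\ERRORLOG",
    # encoding="cp1252", errors="replace").read() in place of the sample.
    for sample in (SAMPLE_MSDE_SP4, SAMPLE_WMSDE_SP3):
        info = parse_errorlog_header(sample)
        print(info, kb948110_risk(info) or "looks safe")
```

An empty list from kb948110_risk means the instance is WMSDE at SP4, the combination the post treats as safe; anything else is a reason to keep the update off the server until the installer is fixed.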

Also, the SBS Blog has an update on how to get Companyweb working again if you hit this scenario. This is a workaround, as their advice is to roll back the BINN directory under MSSQL$SHAREPOINT to the content it had before the update. This can be done by restoring from backup, or by using the Previous Versions feature if VSS has been enabled on the volume. Regardless, if you have NOT installed this update yet, DO NOT install it yet. This update has been pulled out of our process for installing updates on our managed servers until the installer gets fixed.

Still, if your Sharepoint database instance has not been updated to WMSDE 2000 SP4, you should probably look to do that at your earliest convenience.

May 29th, 2008

SBS 2008 Public Preview Available

Microsoft made the Public Preview of SBS 2008 available for the general population yesterday. This was announced on the Official SBS Blog. To get access to the software, you will need to visit the Technet Evaluation Center. Before installing, make sure that the system you are going to evaluate on meets the basic system requirements identified by Microsoft. If you don’t have hardware that meets the basic requirements, you may be able to install, but you will encounter difficulties that will lessen your experience with the software.

And if you do take the time to download and test the software, please make the effort to provide feedback to the development team. This could include bugs, feature suggestions, or compliments on implementations that have been done correctly. There may not be much that can be done with the product in terms of changes at this stage, but if you do find something that causes problems and do not report it, it may not get reported by anyone else, and the team really does want that feedback. But whatever you do, please do not expect to use this version in production. If and when subsequent releases of the public preview are made, there will not be an “upgrade” process to move from one public preview build to another build.

More thoughts about SBS 2008 can be found at OnQ under the SBS 2008 category.

March 27th, 2008

OWA Logon Failure - Be Careful What You Restrict

Ran across an unusual one this week that’s worth sharing. A site had two users who could not log in to Outlook Web Access hosted on SBS 2003. All other users could log in to OWA without issue, but these two could not. The employees do shift work and sign on to a shared workstation and only access e-mail via OWA; no Outlook client was installed on the workstation. The error encountered when trying to log in was “username or password is incorrect.” The passwords for the accounts were changed, and the accounts were checked to make sure they were not locked out. Attempts to access OWA from any workstation failed, internally and externally.

We checked the status of the mailbox in Exchange System Manager to make sure the mailbox had not been disconnected on either account, and the mailboxes were connecting fine. We tried to access the mailbox by creating an Outlook profile on another workstation and could access the contents of the mailbox, so we knew the mailbox was not corrupt. We tried to access the user mailbox through the Administrator’s OWA logon (after granting the Administrator account full access to the user mailbox) and as soon as we attempted to open the path to the user’s mailbox, we got a login prompt instead of access to the mailbox.

We tried to access the mailbox via Outlook Mobile Access, and got an “access denied” error after three login attempts. That prompted us to go look in the Security Log on the server, and that’s where we found the clue - we got a login failure for the user on the server. We found out that the local administrator had tried to restrict the user’s ability to log in to only one workstation in their AD account properties. In the Account tab, in the Log On To button, the only machine listed was the workstation. We added the server to the list of machines the user could log into, and we were able to access the account through OWA from all workstations.

Restricting the user’s ability to log in to a single workstation is a good idea. But the authentication for OWA/OMA takes place on the server, where IIS and Exchange validate the credentials, so the Log On To restriction (the userWorkstations attribute on the account) is evaluated against the server’s computer name, not the workstation the browser happens to be running on. If you choose to use the Log On To feature of Active Directory to limit where the user can log in, be sure to add the server as one of those machines so network services can be accessed by the user account.
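The Log On To check and the fix, as an added example that is not from the original post and does not touch Active Directory itself: it works on the userWorkstations attribute value (assumed here to be the comma-separated list of NetBIOS computer names that the Log On To dialog stores) and shows the two traps a practitioner hits. An empty value means every computer, so "adding" the server to an unrestricted account would actually restrict it to the server alone; and the attribute holds NetBIOS names, so a DNS name such as sbsserver.smallbizco.local must be reduced to its first label before comparing. The computer names are assumptions.

```python
from typing import List, Optional


def netbios_name(computer: str) -> str:
    """Reduce a computer name to the NetBIOS form Log On To stores: first DNS label,
    upper-cased, at most 15 characters (assumed convention of userWorkstations)."""
    return computer.split(".")[0].upper()[:15]


def parse_logon_workstations(value: Optional[str]) -> List[str]:
    """userWorkstations is a comma-separated list; empty/None means 'all computers'."""
    if not value:
        return []
    return [netbios_name(v) for v in value.split(",") if v.strip()]


def logon_allowed(value: Optional[str], computer: str) -> bool:
    """Would a logon for this account be accepted on `computer`?"""
    allowed = parse_logon_workstations(value)
    return not allowed or netbios_name(computer) in allowed


def add_logon_workstation(value: Optional[str], computer: str) -> str:
    """Return the attribute value with `computer` permitted. Idempotent, and a no-op
    on an unrestricted (empty) value, because writing a single name into an empty
    attribute would turn 'all computers' into 'only this computer'."""
    allowed = parse_logon_workstations(value)
    if not allowed:
        return ""
    name = netbios_name(computer)
    if name not in allowed:
        allowed.append(name)
    return ",".join(allowed)


def owa_diagnosis(value: Optional[str], exchange_server: str, workstation: str) -> str:
    """Explain the post's symptom: the workstation is listed but the server is not."""
    if logon_allowed(value, exchange_server):
        return "ok: account can authenticate on the server that hosts OWA"
    if logon_allowed(value, workstation):
        return (f"logon failure on {netbios_name(exchange_server)}: the account is limited to "
                f"{value}; add the server, since OWA authenticates there, not on the workstation")
    return f"account is limited to {value}; neither the workstation nor the server is listed"
```

In the scenario from the post, the fix is the value returned by add_logon_workstation for the existing restriction and the SBS server's name; write that back through the Log On To dialog (or any LDAP editor) and the OWA logon starts working from every workstation, because the restriction now covers the computer where the authentication actually happens.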

March 12th, 2008

Install this now!

Microsoft released KB948496 which is an update that disables ALL of the Scalable Networking components that were added into Windows Server 2003 SP2 last year. The previous update only disabled two of the four components, and in practice, systems have continued to have problems when any of the Scalable Networking components were enabled.

This update could come down with Automatic Updates this month, but may not get automatically installed. If you are running SBS 2003 with Windows Server 2003 SP2, you need to install this update.

March 11th, 2008

Don’t worry, it’s still 75

Microsoft has started the marketing push for SBS 2008 as part of the Windows Essential Server Solutions family of products, that currently includes Small Business Server 2008 and Essential Business Server 2008. Unfortunately, the marketing is prominently featuring an element that has been causing some confusion in the SBS space. Right on the main WESS page, the blurb for SBS 2008 states that SBS 2008 is: “An affordable server solution designed for businesses with 50 employees or fewer.” Many people are thinking that this means SBS 2008 will revert back to a 50 user/device maximum licensing combination, which is less than the 75 user/device max in SBS 2003.

Fear not, the maximum number of users/devices that will be licensed with SBS 2008 is still 75. Yes, Microsoft has targeted SBS 2008 for the 1-50 user market and EBS 2008 for the 50-250 user market, but the technical limitation on the maximum number of users/devices has not changed. You can find the 75 figure listed at http://www.microsoft.com/windowsserver/essential/products.mspx and http://www.microsoft.com/windowsserver/essential/choose-solution.mspx.

The serious IT Professional knows that the number of licenses is not the only factor in determining which product will be the best solution for a particular company. Some 50-75 user companies will do just fine on SBS 2008. I know of a couple of 20 user companies (and smaller) that EBS 2008 would be an excellent match for. It all boils down to need and resource availability. Will you be able to run a 75-user company on an SBS 2008 box that was designed for 15-20 users? Yes, but it may not perform as well as expected. Would the three-server implementation of EBS 2008 be complete overkill for some 60 user businesses? Absolutely.

With EBS in the product options now, there are more considerations to make when planning an SBS/EBS implementation for a business. The maximum number of user/device licenses is simply one consideration. There will be many, many others.