Archive for How To
SSL Certificate Validation
I put up a post this morning regarding SSL certificate request validation over on the Third Tier web site. If you’ve been wondering how SSL certificates work in SBS 2008 or if you’re about to renew an SSL certificate on an SBS 2003 box, you might want to check out that post.
Remotely Installing This Month’s ISA Update
Just a heads-up for those of you who remotely install security updates for your customers. This month includes an update for ISA, and if you don’t know about it beforehand, you could end up in a bit of a jam.
As expected, when installing the ISA update, access to the Internet through the server is interrupted. Unlike some previous updates, however, when the installation of this update completes, Internet access is NOT restored. You don’t get Internet back until you restart the server.
So if you don’t have some mechanism in place for restarting the server automatically after updates install, you could find yourself, and your customer, in a rather unexpected place.
Troubleshooting Delayed Message Delivery in Exchange
As more and more anti-spam solutions start doing “interesting” things with SMTP and mail delivery, there is an increased chance of users reporting that mail messages to certain domains are delayed. Unlike a full non-delivery report (NDR) which will list the SMTP error codes for easy identification of the reason for the rejection, a delayed delivery report could be the result of an Internet connection issue, spam filter, offline server, or any number of other causes. The remainder of this post details how to track down possible causes for Internet delivery issues.
SBS 2008 Update Rollup 1 Available
Microsoft released the first update specifically for SBS 2008; information can be found in KB958715. The Official SBS Blog also discusses the update. The update addresses two issues in the initial release of SBS 2008:
- The Security Tab in the SBS console did not correctly report anti-virus status on connected workstations for some anti-virus programs. I’ve been experiencing this with Sophos Anti-virus, which we use with our client base. After installing the update, I can confirm that the anti-virus status is now correctly reported with Sophos Anti-virus on the workstations.
- The Internet Address Wizard stops functioning when registering a domain name through GoDaddy.
The update is now available through Microsoft Update and should appear in the Update subtab of the Windows SBS Console. You can approve the update in the console and allow it to roll automatically through WSUS, or you can manually install the update as follows:
- Open the Windows Update panel from the Start Menu.
- Click the Check online for updates from Microsoft Update link in the panel.
- When the check finishes, you should see at least one update available. Click the View available updates link to see all updates available.
- Under Windows Small Business Server 2008, you should see the Update Rollup 1 for Small Business Server 2008 (KB958715) in the list and checked.
- Click Install to install the update.
No restart is needed after the update installs, but you should close the SBS Console prior to installing the update.
Enabling SMTP Logging in SBS 2008
I’m a huge proponent of enabling SMTP logging on servers for diagnostic and troubleshooting purposes. On every SBS 2003 server I’ve touched over the last few years, I’ve enabled SMTP logging just so that when the inevitable question “why didn’t so-and-so get this e-mail” comes, I’ve got a starting point to go look through.
As with many aspects of SBS 2008, SMTP logging is handled differently in the new SBS solution. There are several places you have to go to enable logging, but fortunately, they’re all in the Exchange Management Console.
Because Exchange 2007 handles SMTP through multiple connectors, you have to enable logging in each of the connectors. In addition to having separate send and receive connectors, there are also multiple receive connectors. Also, SMTP logging is a binary option. You either have full SMTP logging on a connector, or you have none. The following steps walk you through the process of enabling SMTP logging on the Internet Send and Internet Receive connectors in SBS 2008.
- Open the Exchange Management Console from the Start menu.
- Expand the Organization Configuration and select the Hub Transport.
- Click on the Send Connectors tab.
- Right-click on the Windows SBS Internet Send servername item and select Properties.
- From the Protocol Logging Level drop-down menu, select Verbose.
- Click Apply, then click OK.
- Expand Server Configuration and select Hub Transport.
- Click on the Receive Connectors tab.
- Right-click on the Windows SBS Internet Receive servername item and select Properties.
- From the Protocol Logging Level drop-down menu, select Verbose.
- Click Apply, then click OK.
- Repeat the process for the Default servername item and the Windows SBS Fax Sharepoint Receive servername item if desired.
- Close the Exchange Management Console.
By default, the SMTP logs are stored in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\. This folder path is specified in the Exchange Management Console under Server Configuration, servername Properties, Log Settings. Separate folders exist under the ProtocolLog folder for SmtpSend and SmtpReceive. You can, if you choose, move each of the log folder locations individually to alternate locations on the server.
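The same settings can be applied from the Exchange Management Shell. The script below is an added example, not part of the original post: it sets the Internet send and receive connectors to Verbose, shows the resulting logging levels, and then searches the protocol logs for an address. The wildcard name patterns, the `Find-SmtpLogEntry` helper and the sample address are assumptions for illustration.

```powershell
# Added example: run in the Exchange Management Shell on the SBS 2008 server.
# The name patterns are assumptions based on the connector names used in the
# steps above; adjust them if your connectors are named differently.
$server = $env:COMPUTERNAME

# Send connectors are organization-wide objects.
Get-SendConnector |
    Where-Object { $_.Name -like 'Windows SBS Internet Send*' } |
    ForEach-Object { Set-SendConnector -Identity $_.Identity -ProtocolLoggingLevel Verbose }

# Receive connectors are defined per server.
Get-ReceiveConnector -Server $server |
    Where-Object { $_.Name -like 'Windows SBS Internet Receive*' } |
    ForEach-Object { Set-ReceiveConnector -Identity $_.Identity -ProtocolLoggingLevel Verbose }

# Confirm the result. Connectors still showing None (for example the Default
# and Fax Sharepoint receive connectors) are not being logged.
Get-SendConnector | Format-Table Name, ProtocolLoggingLevel -AutoSize | Out-Host
Get-ReceiveConnector -Server $server |
    Format-Table Name, ProtocolLoggingLevel -AutoSize | Out-Host

# Read the current log folders from the server instead of hard-coding them,
# since either folder may have been moved.
$ts = Get-TransportServer -Identity $server
$logDirs = @("$($ts.SendProtocolLogPath)", "$($ts.ReceiveProtocolLogPath)")

# Hypothetical helper: list every protocol log line that mentions an address.
function Find-SmtpLogEntry([string]$Address) {
    foreach ($dir in $logDirs) {
        Select-String -Path (Join-Path $dir '*.log') -Pattern $Address -SimpleMatch |
            Select-Object Filename, LineNumber, Line
    }
}

# Constructed sample address; replace with the sender or recipient in question.
Find-SmtpLogEntry 'user@example.com'
```

Each matching line carries a session ID, so once a hit is found you can search the same file for that ID to read the full SMTP conversation, including the remote server's response codes.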
Profile Missing in SBS 2008 Connect Computer Tool
The “wizard” used to join workstations to an SBS 2008 network has undergone some significant changes from the SBS 2003 days. The process is streamlined, it can work with workstations that are domain-joined (including workstations that are joined to the current SBS domain), and it has additional options that were not present in the SBS 2003 version of the wizard. But it still has problems with private profiles, just like its predecessor.
When you go to the new http://connect site, run the tool, and get to the section where you select the local profile to use for the specified domain account, you may find that the profile you want to choose is not listed in the drop-down list. This doesn’t mean that there’s a problem with the profile, just that the profile has probably been marked private.
The simple fix is to open Windows Explorer, browse to C:\Documents and Settings, right-click on the user’s folder, and clear the “Make Folder Private” checkbox. Apply the changes, close the window, and run the Connect Computer tool again. The profile should show in the list now. If it still does not, go back into the folder settings, enable the “Make Folder Private” checkbox, apply the changes, then disable the “Make Folder Private” checkbox and apply the changes again.
Renaming Items in the Start Menu
If you want to rename an item that appears in the Start Menu, click the Start Menu, then right-click on the item whose name you want to change, then click Rename. Enter the new name for the item and press Enter when done. Voilà, the item has been changed.
So what?
Well, if you’re like me and keep forgetting that a Command Prompt opened on SBS 2008 is not running as an administrator, you might want to rename the Command Prompt item to something like “Command Prompt – Run as Administrator”. That way you remember to right-click the Command Prompt icon and select Run As Administrator when you need administrative access to a command prompt. Just a thought.
Creating a Proper CSR for a Third Party SSL Certificate
The Add a Trusted Certificate wizard goes a long way towards creating a proper CSR (Certificate Signing Request) to send to an SSL certificate vendor to get a valid third-party SSL cert for your SBS 2008 server. However, there are a couple of gotchas you need to watch out for.
First, you must put in the proper DNS name for the server when requesting the cert. This may seem obvious, and the Add a Trusted Certificate wizard does pre-populate the field with the domain name you specified in the Set Up Your Internet Address wizard. But if the DNS name does not match exactly what users type into their browsers to get to the SBS 2008 server, you may as well have stuck with the self-generated cert.
Second, in the US, when you enter the State into the form, SPELL IT OUT. Do not use the two-letter state abbreviation. Legit SSL cert providers will choke on an abbreviated state name and not allow you to complete the certificate request. [Note: the last time I had this issue, GoDaddy did not correctly verify this information in a CSR I had created and allowed me to continue to the next phase of the cert request; Thawte did check the field value and rejected the abbreviated state name.]
Fortunately, Thawte provides an online tool to validate the CSR before you submit it for a cert. Once you generate the CSR from the Add a Trusted Certificate wizard, plug the CSR into the Thawte form to ensure that the CSR has been properly formatted. If there are any problems, the tool will let you know and you can go back and correct it.
The Add a Trusted Certificate wizard is an easier way to generate the CSR than what we had in SBS 2003, but it’s still a good idea to validate the CSR before submission to your SSL vendor.
Network Requirements for SBS 2008 Migration
The SBS 2008 getting started wizards assume that the server will be in a Class C subnet (i.e., a subnet with a mask of 255.255.255.0). Furthermore, when you run the Connect to the Internet wizard, the wizard specifically looks for your Internet gateway at specific addresses in the 192.168.x.x Class C subnet. So what if you’re migrating from an existing SBS 2003 server that doesn’t match one of these assumptions?
In the case of your existing server being in a subnet other than 192.168.x.x, no problem. When you create the answer file, you’ll plug in the IP addresses for the existing server, the IP gateway, and the new server into the Answer File Creator so that the migration setup can do its job. In the case of a new installation, the Connect to the Internet wizard will fail to automatically detect the router and you’ll be able to enter the information manually.
But if your network is on anything other than a Class C subnet, migration is not going to work. You will have to temporarily configure the network into a Class C setup to get the initial migration working. After that, you can modify the network settings to go back to your other network configuration, but the migration setup requires a Class C configuration in order to work.
Hopefully this is going to be one of those exceptions rather than a rule, but there it is in case you run across this.
Running Just About Anything as Admin in 2008
In the new world of limited access permissions in Server 2008, trying to get elevated permissions to run certain things can be a bit of a challenge. That’s where this handy shortcut comes in.
In 2008, type a command to run in the Search window of the Start menu, then hold CTRL-SHIFT and hit Enter to execute that command as Administrator. You’ll get the UAC prompt, then the tool will run with elevated permissions.