Archive for SBS

Earlier this month an associate pinged me about an unusual situation. He had an SBS 2003 server that was shutting itself down periodically, claiming that it was doing so because there was another SBS server in the domain. Well, this is expected behavior if there is, in fact, another SBS server in the domain, but this particular network had only one server, the SBS server, and not a single other server or history of another server in the network. Another unusual symptom of the behavior is that the server would remain up for a little over 24 hours before it would shut itself down because of the phantom SBS server. According to MS KB 925652 the SBS server will shut down every hour if it detects another SBS server in the domain, so clearly a different set of events was causing this behavior. The server was logging SBCore 1011 errors in the event logs, but only after the server had been online for about a day.

On a tip from a colleague at MS, we started to look for a possible memory leak in the system. I worked with my colleague to set up perfwiz and poolmon to try to identify the process (or processes) that were leaking. The theory was that a runaway leak could strip the server of valuable non-paged pool memory which could cause the SBCore check to fail and generate the errors and shutdown event. I must admit, perfwiz and poolmon never were my strong points, so even after we got some results back, the review didn’t come up with a smoking gun.

Then my associate found a tip that I’d not heard of before, even though I regularly modify settings where this tip was found. He opened the Task Manager on the server, selected the Processes tab, then opened Select Columns under the View menu. In here, he enabled the “Memory – Non-paged Pool” column and then sorted the Task Manager process list by that column. Sure enough, he not only quickly found the culprit, but also could sit and watch the Non-paged Pool count grow steadily right before his eyes. The service causing the problem? spoolsv.exe, the print spooler service.

A quick bit of Googling on his part ultimately led him to this post from Tek-Tips which helped him identify the root cause of the problem: HP Standard TCP/IP ports for printers on the server. He changed the port types for the printers from HP Standard TCP/IP ports to Standard TCP/IP ports, and the server hasn’t shut down again since.

Turns out, there is a KB on this situation, too, MS KB 933999. And in going back and looking further, the server was logging the Srv 2019 errors in the event logs as well. Since we were sidetracked by the anomalous SBCore behavior, we did overlook the 2019 as a possible factor as well.

In the end, I learned two things from this. One, you can track non-paged pool memory usage in Task Manager (which really isn’t a *revelation* per se, just something that I wouldn’t have necessarily deliberately gone out and looked for), and two, memory leak issues can cause anomalous SBCore errors and the shutdown of an SBS server. The good news is that the server was shutting down “normally” because of the SBCore misfire instead of totally running out of non-paged pool memory and crashing, as MS KB 933999 points out can happen. Bottom line, customer happy, and tech support further educated!
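
The Task Manager check described above can also be scripted so the growth is measured rather than watched. The following is an added example, not part of the original post: it assumes Windows PowerShell 2.0 or later is installed on the server, and the function names, parameters and 60-second interval are illustrative.

```powershell
# Added example (not from the original post): rank processes by growth in
# non-paged pool usage between two samples. Assumes PowerShell 2.0 or later.
param(
    [int]$IntervalSeconds = 60,   # assumed sampling interval
    [int]$Top = 5                 # how many processes to list
)

# Record non-paged pool bytes for every running process, keyed by PID.
function Get-NonPagedSnapshot {
    $snapshot = @{}
    foreach ($proc in Get-Process) {
        $snapshot[$proc.Id] = New-Object PSObject -Property @{
            Name  = $proc.ProcessName
            Bytes = $proc.NonpagedSystemMemorySize64
        }
    }
    return $snapshot
}

# Compare two snapshots and emit one object per process present in both.
function Compare-NonPagedSnapshot($Before, $After) {
    foreach ($id in $After.Keys) {
        if (-not $Before.ContainsKey($id)) { continue }            # started during the interval
        if ($Before[$id].Name -ne $After[$id].Name) { continue }   # PID was reused
        New-Object PSObject -Property @{
            Name     = $After[$id].Name
            Id       = $id
            StartKB  = [math]::Round($Before[$id].Bytes / 1KB)
            EndKB    = [math]::Round($After[$id].Bytes / 1KB)
            GrowthKB = [math]::Round(($After[$id].Bytes - $Before[$id].Bytes) / 1KB)
        }
    }
}

$first = Get-NonPagedSnapshot
Start-Sleep -Seconds $IntervalSeconds
$second = Get-NonPagedSnapshot

Compare-NonPagedSnapshot $first $second |
    Sort-Object GrowthKB -Descending |
    Select-Object -First $Top Name, Id, StartKB, EndKB, GrowthKB |
    Format-Table -AutoSize
```

A process that tops the list on every run, with EndKB climbing each time, is the leak candidate; a single interval of growth on its own is not conclusive.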

Categories : How To, SBS, Troubleshooting
Sep 25

Resolving a 403 Forbidden Error from ISA

Posted by: Q | Comments (0)

A common error generated by ISA seems to cause a great deal of confusion and frustration for people who don’t work with ISA on a regular basis. However, this is actually one of the easiest issues to identify and then resolve with ISA. The exact error message that is seen in the browser is:

403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server

What this means, simply, is that the server address entered into the browser does not match the web site name that ISA is expecting. An easy way to see this for yourself is to try to access the Remote Web Workplace of an SBS box by entering the address as https://ipaddress/remote instead of https://site.domain.com/remote (provided that you have your SBS box configured to use site.domain.com as the public address). Boom, instant 403 Forbidden error.

So how can you tell what URL ISA is expecting to get from the browser? Also easy. Once you get the 403 Forbidden page, click on the Certificate Error tag in the browser address bar (you will always get a certificate error in this condition, by the way) and view the certificate. The address in the certificate is what ISA is expecting to see. This is because ISA actually advertises the public certificate in the web listener to decrypt the incoming SSL transmission from the client. When it decrypts the transmission, if the URL it’s listening for does not match the URL that was requested, the connection is refused and ISA returns the 403 Forbidden error.

A common mistake made by those new to SBS is entering the wrong name for the SSL in the Connect to the Internet wizard. In a non-ISA setup, this will work, but it’s still wrong. The reason it works is that users can still bypass the Invalid Certificate warning that they see in IE. Only in this case, the invalid certificate warning is generated because the name on the certificate does not match the URL entered. Many times I’ve seen people enter the internal name of the server in the SSL certificate field of the CEICW, and by pure happenstance it hasn’t been a problem for them. Until ISA gets in the mix. ISA will not redirect traffic to the internal web site if the requested URL does not match the URL that ISA is advertising.

The best solution for ensuring that ISA is working correctly is to acquire and install a valid third party SSL certificate on the SBS server, then instruct your users to never go through to a site that lists an invalid certificate. Steps for requesting and installing a third party SSL cert for ISA on an SBS box can be found at the Official SBS Blog.

Categories : SBS, Troubleshooting
Jul 26

SQL solutions with SBS 2008

Posted by: Q | Comments (0)

While sitting in our local SBS 2008/Vista event this morning, Peter Gallagher, a TS2 presenter, mentioned that SBS 2008 Premium will ship with both SQL 2008 and SQL 2005 workgroup edition. The SQL 2005 is included for LOB apps that may not be ready for SQL 2008. You won’t be able to run both versions simultaneously, but you can switch when ready. This is documented in the Database box at http://www.microsoft.com/windowsserver/essential/sbs/compare-features.mspx.

Categories : SBS
Jul 12

Connecting iPhone 2.0 to an Exchange Server

Posted by: Q | Comments (4)

With the release of the iPhone 2.0 software and the 3G iPhone on July 11, 2008, the iPhone can now have a native connection to Exchange 2003 and 2007 servers. This post documents the steps needed to configure the iPhone for an Exchange account, assuming that Exchange ActiveSync is already configured and working properly on the Exchange server. If the Exchange server is running on SBS 2003 or SBS 2008, this configuration is already in place.

From the iPhone:

  1. Press the Home button to bring up the Home screen.
  2. Select Settings from the Home screen.
  3. Select Mail, Contacts, Calendars from the Settings page.
  4. Select Add Account.
  5. Select Microsoft Exchange.
  6. In the Email field, enter the e-mail address for the account.
    NOTE: this e-mail address must match EXACTLY with the default e-mail address on the account, case included. If the default e-mail address is First.Last@domain.com and you enter first.last@domain.com, you will run into issues with Calendar sync, and possibly other areas as well.
  7. In the Username field, enter the domain user information in the format Domain\Username (i.e., smallbizco\jondough).
  8. In the Password field, enter the account password.
  9. If desired, you can change the Description field.
  10. Select Next.
  11. If you have a self-signed SSL certificate, you may get an “Unable to Verify Certificate” warning. Select Accept to continue.
  12. In the Server field, enter the full public domain name for your server. This is the same as the web address you use to connect to Outlook Web Access. If your OWA address is https://mail.smallbizco.net/exchange, then enter mail.smallbizco.net in the Server field.
  13. Select Next.
  14. If you have a self-signed or unrecognized SSL certificate on the Exchange server, you will receive an “Unable to Verify Certificate” warning. Select Accept to continue.
  15. Once the account has been verified, you will be able to select which information you want to synchronize: Mail, Contacts, and Calendar. Select the items you wish to synchronize to the iPhone by selecting On or Off for each item.
  16. Select Save to create the account.
  17. On some Exchange servers, you may be prompted after completing the account setup to configure a passcode for the device. Enter a passcode for the device and keep record of that passcode.

At this point, your iPhone is connected and ready to go. The first time the iPhone attempts to synchronize with the server, you may get the “Unable to Verify Certificate” warning again if you do not have a recognized SSL certificate. If you get this warning, select Accept. Otherwise, your selected items will sync to the iPhone from Exchange. You can go back to the home page and open the Mail app to review your messages.

Categories : How To, iPhone, SBS
Jul 09

KB948110 and Sharepoint

Posted by: Q | Comments (2)

Looks like there might be an issue with installing KB948110 via Automatic Updates or Microsoft Updates if you have Sharepoint on the server. I’m tracking this down at a client site, but have heard of several other instances this morning. The behavior is this:

  • After installing KB948110, Sharepoint/Companyweb is not available. The message “Cannot connect to the configuration database. For tips on troubleshooting this error, search for article 823287 in the Microsoft Knowledge Base at http://support.microsoft.com.” appears in the browser when accessing the site.
  • The Application Log has numerous Sharepoint errors: #50070: Unable to connect to the database STS_Config on SERVER\SharePoint. Check the database connection information and make sure that the database server is running.
  • The ERRORLOG file in C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\log contains the following at the end of the log: Database ‘master’ has invalid schema.

If you go into services.msc, you will see that MSSQL$SHAREPOINT is set to Automatic but not started. If you start the service, it will appear to start, but on a refresh it will show as stopped again. Attempts to uninstall KB948110 may not show the Sharepoint instance in the list. A successful uninstall of 948110 may not restore operation to Sharepoint, either.

I’m working with Microsoft on this and will update this post as new information becomes available.

UPDATE: 1:45pm
One of the factors leading to the issue has been identified. The 948110 update is not correctly identifying the Service Pack level on some MSDE instances. In cases where MSDE 2000 is at SP3, the 948110 update should not be installing, yet it is. This was the cause of the problem on the system I was working with. Other factors are involved as well, and those are still being investigated. More info as it becomes available.

UPDATE: 4:00pm
The SBS CSS support team is now officially recommending that you hold off on installing this update on SBS servers, per their blog post: http://blogs.technet.com/sbs/archive/2008/07/09/hold-off-on-installing-hotfix-948110-on-sbs-2003-servers.aspx. I’m taking the stance that I will not be installing this update on any servers with Sharepoint until another update is released.

UPDATE: 7/10/08 7:00am
OK, a few other items have been identified as causes for this issue. I’ve already mentioned the Sharepoint database being on WMSDE 2000 SP3 instead of WMSDE 2000 SP4. Turns out there are also cases where Sharepoint is running on MSDE 2000 instead of WMSDE 2000, and that can cause problems as well. Not sure how Sharepoint is getting installed on MSDE 2000 instead of WMSDE 2000, as with the SBS 2003 install it goes on WMSDE for sure (and I think the default install of WSS 2.0 does as well), but there have been some instances where this is the case.

If you look in the ERRORLOG file in the path mentioned earlier, you may see something like this at the top of the file:

Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)

The last line above is the tell-tale indicator of which version of SQL the Sharepoint database uses. If it says “Desktop Engine” like in the example above, Sharepoint is sitting on MSDE (which has a 2GB file size limit, the real reason it wants to sit on WMSDE). Instead, the line should read “Desktop Engine (Windows)” which indicates that it’s sitting on WMSDE.
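
The banner check described above, written as a script. This is an added example, not part of the original post: it assumes Windows PowerShell 2.0 or later, the function name is illustrative, and the mapping of build 8.00.2039 to SQL Server 2000 SP4 is added here rather than stated in the post.

```powershell
# Added example (not from the original post): classify the SQL engine behind
# Sharepoint from the banner at the top of ERRORLOG.
function Get-SqlBannerInfo([string[]]$Lines) {
    $build  = $null
    $engine = 'Unknown'
    foreach ($line in $Lines) {
        # First banner line carries the build, e.g. "2000 - 8.00.2039"
        if ($line -match 'Microsoft SQL Server\s+2000\s+-\s+(\d+\.\d+\.\d+)') {
            $build = [version]$Matches[1]
        }
        # "Desktop Engine (Windows)" is WMSDE; plain "Desktop Engine" is MSDE
        if ($line -match 'Desktop Engine \(Windows\) on ') { $engine = 'WMSDE' }
        elseif ($line -match 'Desktop Engine on ')         { $engine = 'MSDE' }
    }
    New-Object PSObject -Property @{
        Engine = $engine
        Build  = $build
        # Assumption added here: 8.00.2039 is the SQL Server 2000 SP4 build
        AtSP4  = ($build -ne $null -and $build -ge [version]'8.0.2039')
    } | Select-Object Engine, Build, AtSP4
}

# The banner quoted in the post, embedded so the function can be tried offline.
$sample = @'
Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)
'@ -split "`r?`n"

Get-SqlBannerInfo $sample      # Engine: MSDE, Build: 8.0.2039, AtSP4: True

# On the server itself, read only the top of the live log. Single quotes keep
# PowerShell from expanding $SHAREPOINT as a variable.
$log = 'C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\log\ERRORLOG'
if (Test-Path -Path $log) {
    Get-SqlBannerInfo (Get-Content -Path $log -TotalCount 10)
}
```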

Also, the SBS Blog has an update on how to get Companyweb working again if you hit this scenario. This is a workaround, as their advice is to roll back the BINN directory under MSSQL$SHAREPOINT to the content it had before the update. This can be done by restoring from backup, or by using the Previous Versions feature if VSS has been enabled on the volume. Regardless, if you have NOT installed this update yet, DO NOT install it yet. This update has been pulled out of our process for installing updates on our managed servers until the installer gets fixed.

Still, if your Sharepoint database instance has not been updated to WMSDE 2000 SP4, you should probably look to do that at your earliest convenience.

Categories : SBS, Troubleshooting

Ran across an unusual one this week that’s worth sharing. A site had two users who could not log in to Outlook Web Access hosted on SBS 2003. All other users could log in to OWA without issue, but these two could not. The employees do shift work and sign on to a shared workstation and only access e-mail via OWA; no Outlook client was installed on the workstation. The error encountered when trying to log in was “username or password is incorrect.” The passwords for the accounts were changed, and the accounts were checked to make sure they were not locked out. Attempts to access OWA from any workstation failed, internally and externally.

We checked the status of the mailbox in Exchange System Manager to make sure the mailbox had not been disconnected on either account, and the mailboxes were connecting fine. We tried to access the mailbox by creating an Outlook profile on another workstation and could access the contents of the mailbox, so we knew the mailbox was not corrupt. We tried to access the user mailbox through the Administrator’s OWA logon (after granting the Administrator account full access to the user mailbox) and as soon as we attempted to open the path to the user’s mailbox, we got a login prompt instead of access to the mailbox.

We tried to access the mailbox via Outlook Mobile Access, and got an “access denied” error after three login attempts. That prompted us to go look in the Security Log on the server, and that’s where we found the clue – we got a login failure for the user on the server. We found out that the local administrator had tried to restrict the user’s ability to log in to only one workstation in their AD account properties. In the Account tab, in the Log On To button, the only machine listed was the workstation. We added the server to the list of machines the user could log into, and we were able to access the account through OWA from all workstations.

Trying to restrict the user’s ability to log in to a single workstation is a good idea. But the authentication for OWA/OMA actually takes place on the server, which is where the service runs to grant access to the user. If you choose to use the Log On To feature of Active Directory to limit where the user can log in, be sure to add the server as one of those machines so network services can be accessed by the user account.

Categories : SBS, Troubleshooting
Mar 12

Install this now!

Posted by: Q | Comments (1)

Microsoft released KB948496 which is an update that disables ALL of the Scalable Networking components that were added into Windows Server 2003 SP2 last year. The previous update only disabled two of the four components, and in practice, systems have continued to have problems when any of the Scalable Networking components were enabled.

This update could come down with Automatic Updates this month, but may not get automatically installed. If you are running SBS 2003 with Windows Server 2003 SP2, you need to install this update.

Categories : SBS, Troubleshooting
Jan 19

Outlook Behind ISA 2004 on SBS 2003

Posted by: Q | Comments (1)

I ran into an interesting one today that I had not seen before. A client installed ISA 2004 on his SBS 2003 server, and we followed the best practices for doing so. After an hour or so, he called me back because he could no longer check e-mail with Outlook. I had assumed (incorrectly, of course) that when he mentioned still using POP3 to get e-mail because he hasn’t switched over to SMTP delivery yet, that he was referring to the POP3 Connector in SBS. In fact, he was still having the workstations pull down e-mail from the external server using a POP3 account in Outlook, then saving the new mail into the Exchange profile. And Outlook could not connect to the POP3 server.

We had already installed the firewall client, so I knew it wasn’t an issue with not having the client installed. I ran a monitoring scan in ISA, and saw the connections from the workstation getting denied by the SBS Internet Access rule. I checked that the Internet Users security group got created during the ISA installation, and I checked that all the users had been added to the Internet Users security group. I checked that the SBS Internet Access rule was built as it was supposed to be. All these things checked out.

I connected to the workstation and ran a manual telnet to port 110 on the POP server expecting the connection to be refused. It wasn’t. It worked as expected.

Google to the rescue again. I found this article on isaserver.org that pointed out the default configuration of the ISA firewall client in ISA 2004 is to ignore connections from outlook.exe. When this happens, ISA will treat connections from the workstation as a SecureNAT client when the connection comes from Outlook, and that is specifically denied by the SBS rules.

The workaround in the article is to change the default settings for the firewall client in the ISA Management Console so that the Firewall Client will take connections from outlook.exe and pass them through ISA as a firewall client and not a SecureNAT client, and this change allowed the workstation to pull e-mail down from the remote mail server as it had before ISA was installed.

Long term, my client will be moving to direct SMTP delivery of e-mail. Near term, he will be configuring the POP3 connector to pull mail into Exchange instead. But it was the first time I’d worked with a setup where Outlook on the client was pulling e-mail from a remote POP mail server behind an ISA server, and it caught me by surprise. Hopefully this post will help someone else in this situation find the solution a little quicker.

Categories : How To, SBS, Troubleshooting
Jan 19

Outstanding Macintosh Connectivity Issues

Posted by: Q | Comments (3)

There are a couple of connectivity issues related to using a Macintosh in a Windows network that are worth noting. These can impact connectivity of both Mac OS 10.4 and 10.5 in an SBS (or other Active Directory network).

First, if the Active Directory login name matches either the Full Name or shortname of a local Macintosh account, you will not be able to authenticate against Active Directory. What seems to be happening in this instance is that the Mac OS authentication mechanism looks first at the local user directory before looking at any remote user directories when attempting authentication. If the name entered at login matches an account in the local user directory, Mac OS will attempt to authenticate against that user instead of the account in the remote user directory. This means an AD account named “jane” will not authenticate against AD if there is a local account with the shortname “jane” or the long name “Jane Dough.” Even if the shortname for “Jane Dough” is “admin,” the authentication will fail.

To resolve this issue, first create another local Mac user account with a long name and short name that have no close matches to any account in Active Directory. Make that user an administrator over the local machine. Then log in with that new user and remove any local accounts with names similar to the AD login name. If the user has been using that local account for a while, you will need to take steps to move the local user profile information into another account, which is not a trivial task. Only after you delete the local account with a similar name to the AD account will you be able to authenticate against the AD account. This happens whether you join the Mac to Active Directory or not.

Second, I have seen two instances where joining a fresh Leopard (10.5) install to an SBS network has been problematic. Specifically, when you log in with AD credentials, the process can take 5 or more minutes to process the login. Unfortunately, I have not been able to troubleshoot these two instances the way I had wanted, and I have not been able to replicate the behavior on demand. I believe that there is an issue/delay with the Mac doing LDAP lookups in AD to get the account information for authentication, but I cannot be sure without further testing.

If anyone has seen this problem and is willing to work with me to do some more in-depth troubleshooting on the problem, please let me know. Given the number of systems that I’ve connected and that have been done following the instructions on this blog and the smallbizserver.net site, this specific behavior is very rare. But now that I’ve seen it twice, I’d like to know what’s going on and modify these instructions as needed to help prevent that problem in the future.

Categories : Leopard, Mac, SBS

Back in March, Microsoft sorta surprised everyone with the “silent” release of Service Pack 2 for Windows Server 2003. Without rehashing all the drama, there were problems with the SP on SBS 2003 boxes. Many people in the community posted to their blogs and the newsgroups to hold off on installing SP2 on SBS 2003 servers, but it’s time to change that stance. The service pack has been out for more than six months, and the general consensus is that the scope of problems related to SP2 has now been identified, so it’s safe to install SP2.

There are still issues, however, and those must be worked around when SP2 is installed on SBS 2003. This document serves as the road map I am using to install SP2 on SBS servers. Note that I do not guarantee that following this step-by-step process will result in a trouble-free installation. But this is the process I have been following and have not had any issues on client systems.

Install SP2:

  1. Check for available disk space. If you don’t have at least 2GB free on C:, you could run into space issues. One option is to have the uninstall folder on a different drive/partition (discussed below).
  2. Grab a System State Backup. Easiest way to do this is run ntbackup, select System State as the item to back up, and save it to a file on disk. Don’t put it on C: if you can avoid it.
  3. Restart the SBS 2003 server. This is not required, but it falls in with my general recommendation to restart a server prior to installing any updates, so if there is an issue that would keep the server from coming up cleanly, it will be identified prior to the installation of any updates or service packs.
  4. Disable on-access anti-virus scanning of the server. This can be restored once the service pack installation is complete.
  5. Install SP2. When prompted for an uninstall folder, consider putting it on a separate partition or volume. This can help with space on C: and make future cleanup of the Windows folder a bit easier if you still want to be able to do an uninstall of SP2 later.
  6. Reboot the server when finished.

ISA 2004:

If you have ISA 2004 installed on the server, download and install ISA 2004 SP3.

Clean up Help and Support:

  1. Open a Command Prompt.
  2. Enter the following command exactly as shown and press Enter:
    %windir%\pchealth\helpctr\binaries\HelpSvc.exe /regserver /svchost netsvcs /RAInstall
  3. Enter the following command exactly as shown and press Enter:
    %windir%\pchealth\helpctr\binaries\HSCUpd.exe -i %windir%\pchealth\helpctr\binaries\hscmui.cab
  4. Enter the following command exactly as shown and press Enter:
    %windir%\pchealth\helpctr\binaries\HSCUpd.exe -i %windir%\pchealth\helpctr\binaries\hscsp_l3.cab
  5. Enter the following command exactly as shown and press Enter:
    services.msc
  6. In the Services Control Panel, look for the Help and Support service. Start the service if it is not started.
  7. From the Start menu, open the Help and Support item. Confirm that the Help and Support tool launches correctly.

Clean up Scalable Networking Settings:
Note – this section provides instructions for modifying the registry. Microsoft gives all kinds of warnings about bad things that can happen when you edit the registry incorrectly. They’re not kidding. If you do this incorrectly, you could put your server into a non-bootable configuration. Do this at your own risk.

  1. Open the Registry Editor (Start -> Run -> regedit).
  2. Expand HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> Tcpip -> Parameters.
  3. Look for the EnableRSS value.
    1. If the EnableRSS value exists, change its data to 0.
    2. If the EnableRSS value does not exist:
      1. Right-click on Parameters under Tcpip and select New -> DWORD Value.
      2. Name the value EnableRSS.
      3. Change the Data in EnableRSS to 0.
  4. Look for the EnableTCPA value.
    1. If the EnableTCPA value exists, change its data to 0.
    2. If the EnableTCPA value does not exist:
      1. Right-click on Parameters under Tcpip and select New -> DWORD Value.
      2. Name the value EnableTCPA.
      3. Change the Data in EnableTCPA to 0.
  5. Look for the EnableTCPChimney value.
    1. If the EnableTCPChimney value exists, change its data to 0.
    2. If the EnableTCPChimney value does not exist:
      1. Right-click on Parameters under Tcpip and select New -> DWORD Value.
      2. Name the value EnableTCPChimney.
      3. Change the Data in EnableTCPChimney to 0.
  6. Look for the DisableTaskOffload value.
    1. If the DisableTaskOffload value exists, change its data to 1. (It very likely will not exist.)
    2. If the DisableTaskOffload value does not exist:
      1. Right-click on Parameters under Tcpip and select New -> DWORD Value.
      2. Name the value DisableTaskOffload.
      3. Change the Data in DisableTaskOffload to 1.
  7. Close the Registry Editor.
  8. Restart the Server.
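
The four registry values from the steps above can be audited, and optionally set, in one pass. This is an added example, not part of the original post or any Microsoft tool: it assumes Windows PowerShell 2.0 or later run as an administrator, and the -Apply switch is a name chosen here.

```powershell
# Added example (not from the original post): report the Scalable Networking
# values from the steps above; change them only when -Apply is given.
param([switch]$Apply)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value name -> data required by the procedure above
$wanted = @{
    EnableRSS          = 0
    EnableTCPA         = 0
    EnableTCPChimney   = 0
    DisableTaskOffload = 1
}

$key = Get-Item -Path $path

$results = foreach ($name in $wanted.Keys) {
    $target  = $wanted[$name]
    $current = $null
    $kind    = $null
    if ($key.GetValueNames() -contains $name) {
        $current = $key.GetValue($name)
        $kind    = $key.GetValueKind($name)
    }

    # Correct only if the value exists, is a DWORD, and holds the wanted data.
    if ($kind -eq 'DWord' -and $current -eq $target) {
        $status = 'OK'
    } elseif ($Apply) {
        # -Force creates the value or overwrites it, always as a DWORD.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value $target -Force | Out-Null
        $status = 'Changed'
    } else {
        $status = 'Needs change'
    }

    if ($current -eq $null) { $shown = '(not set)' } else { $shown = $current }
    New-Object PSObject -Property @{
        Name = $name; Current = $shown; Required = $target; Status = $status
    } | Select-Object Name, Current, Required, Status
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Status -eq 'Changed' }) {
    Write-Warning 'Values were changed. Restart the server, as in step 8 above.'
}
```

Run it without -Apply first to see what would change, and export the Parameters key before applying so the previous values can be restored.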

Confirm Normal Operation:

After restarting the server, check to make sure clients can access the server, Outlook can interact with Exchange, clients can access the Internet, etc. Also go through the event logs and look for any unexpected or unusual errors or warnings. After following the steps in this document, the interaction between the workstations and the server should continue as it had prior to the installation of SP2.

Notes:

Information in this post came from a number of sources at Microsoft. Where possible, KB articles referencing the specific changes have been noted below. In one case, the best reference for the change came from the SBS Best Practice Analyzer and is noted as such. Several of the referenced KB articles make reference to a hotfix. In my experience, the workaround listed in the KB article provides a sufficient resolution without the need to call in and request the hotfix or worry about adding to the installed hotfix table on the server.

Help and Support fix: http://support.microsoft.com/kb/937231/
EnableRSS fix: http://support.microsoft.com/kb/936594 (Step 3, Method 2)
EnableTCPA fix: http://support.microsoft.com/kb/936594 (Step 4)
EnableTCPChimney fix: Referenced in the SBS BPA with a command-line process, and discussed in http://support.microsoft.com/kb/912222
DisableTaskOffload fix: http://support.microsoft.com/kb/904946/

Categories : How To, SBS