transferring FSMO roles when decommissioning and SBS server

When decommissioning an SBS server, you need to trasnfer the 5 FSMO (Flexible single master operation) roles.  Here's the process:

Start -> Run
ntdsutil.exe

Type roles
Type connections
Type connect to server
where is the name of the server you are transferring the roles to (such as "connect to server contoso1")
Type q
Type transfer rid master
Type transfer infrastructure master
Type transfer pdc
Type transfer schema master
Type transfer naming master

Windows Small Business Server 2008 Repair Guide

I came across this when troubleshooting an SBS 2008 problem, and I just wanted to keep this link as it may be helpful in the future:

http://technet.microsoft.com/en-us/library/sbs-2008-repair-guide(v=ws.10).aspx

Fixing 800B0001 in Windows Update on SBS networks

If receiving 800B0001 errors on domain connected machines on your SBS 2008 network, it's because an update had strengthened the communication channel between the machine and the SBS server and broken the connection.

Ignoring the absurdity of the issue, the fix is to run an update on the SBS box.  This page talks about it (you can ignore the portions about NLB - network load balancing for your SBS box):
http://support.microsoft.com/default.aspx?scid=kb;en-us;2720211

In essence, the resolution is to download this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2ba0b137-d85b-4734-9a95-11a04004a355

and run this command from an elevated command prompt:

WSUS-KB2720211-x64.exe /q C:\MySetup.log

installing Exchange 2007 SP 3 on SBS 2008

Installing Exchange 2007 SP 3 on SBS 2008 is pretty easy, with one weird exception. As per this page:

http://www.sbsfaq.com/?p=2140

You need to stop the "Windows SBS Manager" service to allow the service pack to run. In the two service pack installations I've done so far, each time it complained about the datacollectorsvc - which as the above article says is stopped when you stop the Windows SBS Manager.

enabling shadow copy on SBS 2008

For some reason, shadow copy isn't enabled by default in SBS 2008. Or rather - it's enabled on the C drive, but not other drives - where your data is likely located.

Of note - you enable shadow copies for a drive - not a share. So here's how you enable shadow copies for a drive.

Right click on the drive itself and Configure shadow copies. Select the drive and hit enable. This is a no-brainer to set up for clients, but typically, you won't do it until the first time you need it - which will be too late by then.

too many blacklists on SBS 2008 leads to Earthlink delivery problems

I had this problem for several weeks, and I'm documenting it in case anyone else is unlucky enough to be in this situation and needs to find the solution. I was seeing that Earthlink and Mindspring were not able to send to my domain. The senders would get delivery delay emails and the delivery failures eventually on all emails to my domain. With a couple exceptions, everyone else had no problem sending to my domain. So 99% of all email was coming through, but these couple were problematic.

It turns out that I had configured too many real time block list providers (RBLs). When the remote server was connecting to my server, the process of checking the sending server against all 5 RBLs would take some time. In this case, the Earthlink servers wouldn't wait long enough for my server to finish checking - and the Earthlink servers would drop the connection. The solution was to just have one block list provider. In this case I used zen.spamhaus.org

So that was it. Just a note for future reference.

installing Filemaker on Windows 2008 SBS (or Standard)

I had quite an ordeal installing Filemaker Server on Windows 2008 SBS. I won't bore the people who don't care about my troubleshooting and just provide the relevant details:

• Filemaker 10 is necessary on Windows 2008. Filemaker 9 is not supported (I tried and failed).
• If installing on 64 bit Windows (SBS or otherwise), install the 64 bit version of Apple Bonjour first (Bonjour is required and the FMS install tries to install the 32 bit version). Credit for that advice belongs here.
• You need to open ports 5003, 16000, and 16001 on the server for the clients to interact properly with the server
• Filemaker Server 10 can use any level of Filemaker Pro on the desktop end - 8, 9, or 10 (and presumably 7)
• Web publishing should not be used on your SBS box. SBS isn't supported by Filemaker - though it works - but even if you use it - the web publishing stuff will conflict with some of the IIS stuff that SBS uses

altering the default lockout policy on Server 2003 (SBS or Standard)

For servers that are publicly facing, it's possible that hackers will attempt to hack you. Recently, I had a hacker try to guess logins and passwords over and over and over again (thousands of times) over port 25. I was able to thwart that by disabling port 25 for a bit (15 minutes) and the hacker lost interest. But theoretically, had I not seen the hacker attempting, he could have tried hacking forever, just guessing and guessing.

There's no lockout policy for invalid usernames. If the hacker is guessing on jsmith and you don't have a jsmith user, he can keep guessing forever. The lockout policy will not apply. But if the hacker is trying legitimate user names, the hacker should be locked out after a limited number of attempts. I have seen the default as no limit and as 50 attempts on SBS machines.

The number of attempts should be 6 or fewer and the lockout times should be 15 minutes or longer.

You can get to the appropriate place via:

Group Policy Management -> expand to default domain policy, right click on default domain policy and click edit. Then edit these fields:

Removing password requirement for mobile devices on Exchange 2007 and/or SBS 2008

When you put in a Windows 2008 SBS box, it puts in a password requirement once the mobile device (for example - an iphone) has an active Exchange ActiveSync connection.

You can alter that setting in Exchange Management Console under Oragnization Configuration -> Client Access -> right click on Windows ... Mobile Policy ... and unchecking require password on the password tab.

In my experience, you need to remove and re-add the account on the mobile device after making the settings change (at least on an iphone 3Gs I tested on)

More details here:

http://msmvps.com/blogs/bradley/archive/2009/07/04/you-deployed-a-new-sbs-2008-and-now-the-phones-demand-a-password.aspx

Fix My Network Wizard in SBS 2008

The "Fix My Network" wizard in SBS 2008 is pretty well received. I used it when I built and SBS 2008 box alongside an older Windows 2000 box. The old Windows 2000 box was in charge of DHCP, so the SBS 2008 box wouldn't start or run DHCP server. I took that old DHCP server out of service, and I ran the Fix My Network wizard and it saw the issue and addressed it. More info here:

http://sbs.seandaniel.com/2008/10/fix-my-network-wizard-in-sbs-2008.html

creating shared printers on SBS 2008

SBS 2008 is 64 bit, of course. So it needs to 64 bit printer drivers. But obviously, you need 32 bit printer drivers associated with the shared printer when installing them for 32 bit clients.

Apparently, that can't be done from the SBS box itself.

Instead, log on to any 32 bit machine as a domain administrator, go to \\servername and the go to printers and faxes (don't go to the printer shares you see there - go to the folder where printers are stored). Highlight the printer you want to add the 32 bit driver for and choose file -> Server Properties. Click Drivers and then Add. It's pretty self explanatory from there.

More info here:

http://www.ditii.com/2009/02/14/sbs-2008-how-to-add-32-bit-printer-drivers/

UPDATE
Another option - which I have found easier and more effective . . .
Log on to a workstation as an admin with the opposite type of OS (with a 64 bit OS, log on to a 32 bit workstation or with a 32 bit OS, log on to a 64 bit workstation).
Download the driver and install it on the network printer.
Go to the printer properties.
Go to the sharing tab and click on additional drivers.
Check the box for the appropriate type of OS and it will upload your newly installed drivers to the server.

SBS 2003 licenses disappear after reboot

A couple times, I have seen SBS 2003 licenses disappear after a reboot. You're only left with the original 5 licenses. The consensus seems to be that antivirus scanning the licensing files is the cause. However, in this case, the license files were already immune from scanning. Anyway, here is a way to fix this issue:

1. Look for licstr.cpa & Autolicstr.cpa files under c:\windows\system32 folder.

2. Exclude these two files from being scanned by Anti Virus.

3. Make a backup copy of both the files on a different folder.

4. Delete licstr.cpa from c:\windows\system32 folder.

5. Rename autolicstr.cpa file to licstr.cpa.

6. Restart the Licensing Service.

7. Goto Server Management Console -> Licensing & you will have the actual no. of CALS.

low free space on C drive of SBS box

After troubleshooting SBS boxes with low space on the C drive, I have found three good places to look for freeing up space.

1) Look in C:\WINDOWS\system32\LogFiles\W3SVC1 for unneeded/old log files
2) move the windows search index files. Go to the control panel and in the "indexing options" applet, click on advanced, and change the index location. After finishing, restart the search service. This saved me a full 1 GB on an SBS 2003 machine.

3) move the ISA tracing log files using this method - http://davehope.co.uk/Blog/move-isa-tracing-location/

removing Sharepoint from an SBS box

Here is a Microsoft article on removing Sharepoint from and SBS box:

http://support.microsoft.com/kb/829114

This was relevant to me in a certain situation where I was getting tons of STS_Config errors on a box where I had no desire or need for Sharepoint

Adjusting memory threshold to get rid of allocated memory alerts

I get allocated memory errors on all my SBS boxes from time to time. There can be reasons that is happening, but on most of my boxes, that is not the case. You can adjust the alert thresholds by using the helath monitor in the MMC:

http://blogs.technet.com/sbs/archive/2006/06/07/433707.aspx

sbsbackup fails with "Script.bks" cannot be found.

One of my SBS boxes had its SBSbackup jobs fail nightly with the following info:

----

Backup Runner started.
Launching NTBackup: ntbackup.exe backup "@D:\Program Files\Microsoft Windows Small Business Server\Backup\Small Business Backup Script.bks" /d "SBS Backup created on 10/30/2008 at 11:00 PM" /v:yes /r:no /rs:no /hc:off /m normal /j "Small Business Server Backup Job" /l:s /f "H:\backup4\Backup Files\Small Business Server Backup (04).bkf" /UM
NTBACKUP LOG FILE: C:\Documents and Settings\SBS Backup User\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\backup05.log
==========================================
The saved selection file "Script.bks" cannot be found.
The saved selection file "Script.bks" cannot be found.
============================================
NTBackup finished the backup with errors.

----

Apparently, the problem is that selections are invalid - which is strange because I didn't change anything. The solution turned out to be:

1. Start -> Run -> NTBackup -> Advanced Mode -> Backup tab -> Job -> Load
Selections.

2. Select Small Business Backup Script.bks

3. Click OK on the error message:

Some invalid selections found in C:\Program Files\Microsoft Windows Small
Business Server\Backup\Small Business Backup Script.bks.

4. Job -> Save Selections (overwrite --> Small Business Backup Script.bks)



It seems like this is related to a recovery storage group causing backup trouble.  

Restoring an Exchange mailbox from NTBackup on SBS

I found this great tutorial on restoring a mailbox and/or entire information store from an ntbackup.

http://blogs.technet.com/asksbs/archive/2008/06/03/how-to-use-the-recovery-storage-group-to-restore-a-single-mailbox.aspx

completely uninstall SBS Monitoring and Reporting

I uninstalled and reinstalled SBS Monitoring and Reporting to resolve a SQL issue with it today. And I referenced this blog post from someone else:

1. Control Panel -> Add Remove Program -> Windows Small Business Server 2003.
Set Server Tools to Maintenance. Set Monitoring to Uninstall and continue the setup process.
2. Control Panel -> Add Remove Program -> Microsoft SQL Server Desktop Engine (SBSMonitoring) -> Remove.
3. Rename the C:\program files\Microsoft SQL Server\MSSQL$SBSMONITORING Folder.
4. Reboot the server.
5. Control Panel -> Add Remove Program -> Windows Small Business Server 2003.
Set Server Tools to Maintenance. Set Monitoring to Install and continue the setup process.
6. Reboot the server.
7. Start MSSQL$SBSMONITORING and SQLAgent$SBSMONITORING services.
8. In Server Management Console -> Monitoring and Reporting: run the "Set Up Monitoring Reports and Alerts wizard”

WSS v3 upgrade - SBS needs in place upgrade

After spending 3 hours troubleshooting why I couldn't get SharePoint v3 on an SBS box, I found that the problem was the you CANNOT do an in place upgrade. You have to do a side by side install as per this Official SBS Blog entry:

http://blogs.technet.com/sbs/archive/2006/11/30/wss-v3-0-installation-on-sbs-2003.aspx

BES install guide for SBS 2003 or Domain Controller

This content is reproduced for future reference from:
http://www.blackberryforums.com.au/forums/microsoft-exchange/281-bes-sbs-2003-a.html

Gary's BES install guide for SBS 2003 or Domain Controller

1. Ensure the port 3101 TCP is open on the firewall (Outbound ONLY).

2. Create a new user called BESadmin and ensure you create a mailbox. Ensure this user is ONLY a member of "Domain users"

3. Make BESadmin a local Administrator of the server. This is done in AD via the "Built-in" Administrators group

4. Go to Admin Tools on open "Domain Controller Security Policy" and expand the "Local Policies" and "User Right Assignment". You need to add BESadmin to "Allow Log on Locally" and "log on as Service".

5. Open Exchange System Manager and right mouse click on "DOMIANNAME (Exchange)" and select Delegate Control. Follow the steps and add BESadmin as an Exchange View Only Administrator.

6. In Exchange manager expand the servers folder and right mouse click on your server and select properties. On the properties windows select BESadmin and add the permissions "Administer Mailbox Store, Receive As, Send As"

7. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As". (This will overcome some MS patches that prevent BES sending emails)

8. Log on as BESadmin and install the BES software, normally you just install "BlackBerry Enterprise Server" as most sites don't use the MDS services (MDS is a much heavier install). Follow the prompts of the install and the server will be required to restart half way through the install. Restart the server and log back on as BESadmin and the install will continue. (Make sure the Connect Test works and the SRP ID etc is validated during the install)

9. After the install is finished open BlackBerry Manager, an error will appear about MAPI client which you can just hit OK. The MAPI setting windows will appear so just add the server name back in and select "Check Name", if it resolves just hit OK and the manager will start.

10. Within Blackberry Manager click on Blackberry Domain in the left column and then the users SERVERS tab in the center section, select your server within this tab and view the properties below. Ensure that "SRP Status:" is Connected (This can take a few minutes the first time so refresh the screen a few times). Once your status is connected you can start adding users.

11. Within Blackberry Manager click on you server name in the left column and then the users TAB in the centre section, just add a user and the click on that user. You will see all the users’ properties and a drop down menu called "Service Access” and select “Set Activation Password” and set a password of “a” for example.

12. Turn on you BlackBerry device and ensure Wireless is enabled. Go into “Options/Settings” and “Time & Date” and set the correct zone and time etc. Then from the home screen go to enterprise activation and enter the users email address and enter the password that was set in step 11. Press the track wheel and select Activate. Within a minute you should get data returned which indicates the process is functioning correct.

Extra

Note: Sites running SBS 2003 premium will need to change the BES "Web Server Listen Port" from 8080 to another available port (e.g. 8090 or 9090) as soon as it is installed. This port needs to be changed as the BES Web Server will be listening on the same port as ISA. To change this setting open Blackberry Manager, select MDS and then "edit Properties" and change the "Web Server Listen Port" to the desired port number.

a. Also ensure you review the IT Policy in BlackBerry Manager. This can be found in BlackBerry Domain > Global TAB > Edit properties. It is recommended that in the IT Policy you go into “Device Only Items” and set “Enable WAP config” to FALSE, this will force user to use the free browser (It uses the internet connection of your BES server). It is also highly recommended that you configure a password policy prior to rolling out any handhelds.

b. If you are unable to activate devices wirelessly you can test your connectivity to Blackberry buy running the following app from the command prompt:
C:\Program Files\Research In Motion BlackBerry Enterprise Server\Utility\BBSrpTest.exe
This will send a signal to BB and wait for a response, it this fails check your firewall settings (open and/or direct port 3101 TCP to you BES server)

c. If you have Domain Admins using BlackBerry devices you may have to run the following script if you are unable to send email for those users devices:
dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=c om " /G "DOMAINNAME\BESadmin:CA;Send As"