SBS 2011 won’t install because of replication issue

When you install SBS 2011 in migration mode, setup replicates Active Directory during the install. If replication fails, the SBS 2011 installation won’t complete. Look at the File Replication Service log in Event Viewer: if NtFrs errors are preventing replication, the install won’t finish. Change the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags to D4. Then go to a command prompt and stop the NtFrs service with “net stop ntfrs”; when it has stopped, restart it with “net start ntfrs”.

Check the File Replication Service event logs and see if the NtFrs event logs are Information now instead of Error.

http://support.microsoft.com/kb/840674

If you want to replicate NtFrs to another server, use “D4”; if you want to replicate from another server, use “D2” in the registry.

Move WSUS SQL database to another location

When running WSUS on a Small Business Server, the default location is the C: drive. When that drive gets full, you need to move the content and the SQL database. Below are the steps to move the SQL database to another location.

1. Open command prompt and type: net stop “update services”

2. Next, at the command prompt type: net stop w3svc (on SBS 2008 this will also stop the Terminal Services Gateway; remember to restart it)

3. Open Microsoft SQL Express Management Studio (if you don’t have this, go to http://tinyurl.com/ynl9tv to download) and connect to the MICROSOFT##SSEE database, which is the WSUS database and the SharePoint databases in SBS 2008. You can’t just connect to the database normally; you need to type this in the server name area:   \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query


 4. Detach the SUSDB database, move the SUSDB folder to the new location and attach the database again with Management Studio

5. Restart the services: “update services”, “w3svc”, and “Terminal Services Gateway”

 

 

Disable SSL v2.0 in IIS

While going through a vulnerability scan for PCI compliance, the report noted that IIS 7 on a Small Business Server 2008 was still using SSL v2.0 instead of SSL 3.0 or TLS 1.0. To disable SSL v2.0:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK. Note: If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
  7. Click OK. Restart the computer.

IIS negotiates the encryption with the client browser. An attacker could use a tool that tells the server it has only SSLv2 (which is weaker) available. With SSLv2 disabled, the server uses only SSL v3 or TLS, as requested by the browser, and a browser that supports only SSLv2 will fail to connect.

This applies to Windows Server 2003 and Windows Server 2008, and to both versions of SBS.

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
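
The registry change from the steps above, scripted as an added example (not part of the original post or the linked KB article): it reports the current state of the SSL 2.0 Server key, writes Enabled as a DWORD of 0, and confirms the value type. Run it from an elevated PowerShell session; the function name Get-Ssl2ServerState is hypothetical.

```powershell
# Added example. Key path and value name are the ones given in the steps above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Get-Ssl2ServerState {
    # 'Disabled' is reported only when Enabled exists and equals 0.
    # A missing key or value means the operating system default still applies.
    if (-not (Test-Path $key)) { return 'Key missing (OS default applies)' }
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Value missing (OS default applies)' }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return "Enabled (value $($prop.Enabled))"
}

"Before: $(Get-Ssl2ServerState)"

# Create the key (and any missing parent keys) if the server does not have it yet.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# -Force replaces an existing value, including one created earlier with another type.
New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null

# Read the value back and check its type, since the steps call for a DWORD.
$kind = (Get-Item $key).GetValueKind('Enabled')
"After:  $(Get-Ssl2ServerState), value type $kind"
if ($kind -ne 'DWord') { Write-Warning 'Enabled is not a DWORD; recreate it as in steps 3 to 6.' }

'Restart the computer, as in step 7, for the change to take effect.'
```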

Problems Connecting Outlook 2007 with Exchange 2003 using RPC/HTTPs Outlook Anywhere

I came across a situation where an organization had been set up to use RPC/HTTPs “Outlook Anywhere” for some time and all the Outlook 2003 clients seemed to work fine. One user had Outlook 2007 and was unable to connect using this method. In the LAN and through OWA everything worked fine. I tried tons of different solutions online but in the end, the problem was with the configuration in Exchange. I looked over the suggested configuration here:

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

and I discovered that the RPC ports hadn’t been configured as the article suggests. I used the recommended “RPCnofrontend” tool: http://www.petri.co.il/software/rpcnofrontend.zip and everything worked fine after that.

Error Message When Attempting to Add a Vista PC to the SBS Domain

You may receive the following error message when attempting to add a Vista PC to a Small Business Server domain using the SBS wizard (http://servername/connectcomputer):

“The Small Business Server Networking Wizard was not installed. You may not be a member of the local Administrators security group on this computer or your Local Intranet security settings may be set to High. Click Connect to the network now to try again and click Yes when prompted. If the wizard fails to install, contact the person responsible for your network.”

To resolve this issue, you probably need to update your SBS server to support that Vista PC.  The update is commonly referred to as “Ripcurl”. 

Read more at the official SBS blog:
http://blogs.technet.com/sbs/archive/2007/02/09/sbs-vista-client-update-ripcurl-now-available.aspx

Small Business Server 2003 Transition Pack

With SBS 2003 there is a ‘Transition Pack’ to grow out of the 75 user cap or move your servers (i.e., Exchange or SQL Workgroup) to other dedicated servers. Here are links for the SBS Transition Pack. When installing the Transition Pack, make sure that the media is newer than the version you are upgrading to (i.e., if the media is Transition Pack R2, then you must uninstall Windows Server 2003 SP2 before installing).

Microsoft Documentation – link

Moloy’s Blog on the Transition Pack – link

SBS page – link

You do not have permission to send to this recipient. For assistance, contact your system administrator.

From: http://blogs.technet.com/sbs/archive/2006/06/30/439685.aspx

When you try to send an e-mail message in Microsoft Exchange 2000 Server or in Microsoft Exchange Server 2003, you cannot send the e-mail message. Additionally, you may receive one of the following error messages or one of the following Non Delivery Reports (NDRs):

• Access denied 

• You do not have sufficient permission to perform this operation on this object. See the folder contact or your system administrator. 

• Unlisted Message Error 

• MAPI_E_NO_ACCESS -2147024891 

• Failed to submit mail message for user USERNAME (HRESULT:-2147024891) Pausing user USERNAME. (Security error – Cannot access the users mailbox.)

NDRs

• You do not have permission to send to this recipient. For assistance, contact your system administrator. 

• The message could not be sent using your mailbox. You do not have the permission to send the message on behalf of the specified user. 

This issue is known to affect the following third-party products:

• Research In Motion (RIM) Blackberry Enterprise Server (BES) 

• Good Technology GoodLink Wireless Messaging 

 

CAUSE

This issue may occur when one of the following conditions is true:

• You do not have permissions to send e-mail messages as the mailbox owner in the account that you are using to send the e-mail message.

• You are running Microsoft Exchange 2000 Server Service Pack 3 (SP3) with a Store.exe file version that is equal to or later than version 6619.4. Version 6619.4 was first made available in the following Microsoft Knowledge Base article:

915358 A hotfix is available to change the behavior of the Full Mailbox Access permission in Exchange 2000 Server

• You are running Microsoft Exchange Server 2003 Service Pack 1 (SP1) with a Store.exe file version that is equal to or later than version 7233.51. Version 7233.51 was first made available in the following Microsoft Knowledge Base article:

895949 “Send As” permission behavior change in Exchange 2003

Note that this fix is not included with Microsoft Exchange 2003 Service Pack 2 (SP2). If you have installed the Exchange Server 2003 SP1 version of this hotfix, you must install the Service Pack 2 version after you upgrade to Service Pack 2.

• You are running Exchange Server 2003 SP2 with a Store.exe file version that is equal to or later than version 7650.23. Version 7650.23 was first made available in the following Microsoft Knowledge Base article:

895949 “Send As” permission behavior change in Exchange 2003

Note This change was not included in Exchange 2000 Server SP3, in Exchange Server 2003 SP1, or in Exchange Server 2003 SP2. The change was implemented after release of all of these service packs. However, the change is supported in each of them. The change will be included in future service packs for these products.

 

If you install Exchange Server 2003 SP2, you must install the additional update to retain the new behavior. You must do this even if you already installed the version of the update for Exchange Server 2003 SP1.

 

RESOLUTION

 

Grant the Blackberry or other application’s service account the Send As permission on every user in a container or domain.

To grant Send As for the service account on a single user account, follow these steps:

1. Start the Active Directory Users and Computers management console.

2. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for domain and container objects.

3. View the properties of the user account and click the Security tab.

4. The service account (BESAdmin, for instance) is not listed.

5. Add the service account (BESAdmin, for instance). It will default to having Read permissions, but not Send As.

6. Note: This step is optional. The only permission the service account needs is Send As, so you can remove the Read permissions if you wish.  To do so, uncheck the following checkboxes in the Allow column for the service account (BESAdmin, for instance):

Read

Read Account Restrictions

Read General Information

Read Group Membership

Read Logon Information

Read Personal Information

Read Phone and Mail Options

Read Public Information

Read Remote Access Information

Read Web Information

 

7. With the service account (BESAdmin, for instance) still selected, check the following box in the Allow column:

Send As

8. Click OK until you have exited and saved all changes. 

9. Restart the Microsoft Exchange Information Store service.
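
Because the resolution grants Send As on every user in a container or domain, it is worth reviewing who ends up holding that right. The following is an added example (not from the quoted article or the original post) that lists every trustee allowed to Send As each user under a container; the search base DN is a placeholder assumption, and the GUID is the rightsGuid of the Send-As extended right.

```powershell
# Added example: audit Send As grants on user objects with System.DirectoryServices.
# Assumption: $SearchBase is a placeholder DN; replace it with your own container or domain.
$SearchBase = 'LDAP://OU=Staff,DC=example,DC=local'
$SendAs     = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right
$Extended   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500   # page results so large containers are fully enumerated

$report = foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    $name  = [string]$entry.psbase.Properties['sAMAccountName'].Value
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])   # explicit and inherited ACEs

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }            # Deny ACEs are not reported
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }  # applies to children only
        if (([int]$ace.ActiveDirectoryRights -band $Extended) -eq 0) { continue }

        # An empty ObjectType means "all extended rights", which includes Send As;
        # this is also how a Full Control grant appears.
        if ($ace.ObjectType -eq $SendAs) { $via = 'Send As' }
        elseif ($ace.ObjectType -eq [Guid]::Empty) { $via = 'All extended rights' }
        else { continue }

        New-Object PSObject -Property @{
            User      = $name
            Trustee   = $ace.IdentityReference.Value
            Via       = $via
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Trustee, User | Format-Table User, Trustee, Via, Inherited -AutoSize
```

Rows where Inherited is True come from an ACE set higher up (the container or domain), which is what a container-wide grant to the service account produces.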

Shrinking the SBSmonitoring database

http://msmvps.com/blogs/bradley/archive/2006/05/25/97044.aspx

First the caveat.. the SBSmonitoring database shouldn’t be that big.. if it is …. your monitoring program isn’t running properly and purging the database as it should so rerunning the monitoring wizard is probably the best plan of action… but if you need to clean up that monitoring file… here’s some info from the newsgroups…

1>	We can simply rerun the Monitoring wizard to purge the
SBSmonitoring.mdf database.

NOTE: After doing the following steps, the original performance and usage
data will be removed. The server will start to collect new counter value
from the beginning.

1. Open Server Management console, navigate to 'Monitoring and Reporting'
snap-in. In the right panel, click 'Set Up Monitoring Reports and Alerts'.

2. In the wizard, click 'Next'->Select 'Reinstall monitoring
features'->Select the options if you want to receive the report e-mails.
Check 'View the usage report in Server Management' option. If you want to
receive the usage report e-mail, also check the option below->Add the users
whom you allow to view the usage report to the authorized
list->Select the option if you want to receive the performance
alerts->Click 'Finish' button to complete the configurations.

3. After doing the above steps, the performance and usage data will be
reset. Please wait for 24 hours and then you will see the reports through
the Monitoring and Reporting console.

2>	If you are using SBS Premium and have SQL server installed:

You can use the SQL Client Utilities to try and shrink the database. In
SBS, there is a job SBS_Database_Cleanup that is scheduled to run at 3:00
AM everyday, to delete over 90 day old information from the monitoring
database.

You can manually run the SBS_Database_Cleanup job, and use DBCC
SHRINKDATABASE, DBCC SHRINKFILE or use Enterprise Manager
to reduce the size of the database.

3>	If you are running SBS Standard:

You need to use osql to connect to the WMSDE instance, and use transact SQL
commands manually to request the database be shrunk ("dbcc shrinkdatabase(
SBSMonitoring, <% free space target>)").

4>	If you need more space on your C drive, I would also suggest moving
available data from your C drive to other partition on your Server. The
following white paper demonstrates this scenario in detail.

Please refer to Step 5: Move the Monitoring Database in the following white
paper.
Moving Data Folders for Windows Small Business Server 2003
http://www.microsoft.com/technet/prodtechnol/sbs/2003/maintain/movedata.mspx

Windows Small Business Server 2003: Windows Vista and Outlook 2007 compatibility update

Update for SBS 2003 and Windows Vista using the connectcomputer wizard – link

Remote Web Workplace for SBS2003

See: Remote Web Workplace Part 1 (PDF) for more info

Basic Setup:

Configure Internet and Email access settings to allow access to the Remote Web Workplace web service from the Internet (Server Management -> Connect to the Internet -> Web Services Configuration)

Configure the IIS Web application named Remote to Allow access by Default (IIS Manager -> Web Sites -> Default Web Site -> Remote -> Properties -> Directory Security -> IP address and Domain Name restrictions -> Edit)

Configure the Firewall to allow SSL (Port 443) to the SBS box from the WAN. Create a custom service for RWW (Port 4125) and allow access to that service from the WAN to the SBS box.

Connecting client machines must be Windows XP Pro or better

Access the site to test:
From the LAN:  https://SBSSERVER/Remote
From the WAN:  https://mail.domainname.com/Remote