Archive for the ‘SBS 2008’ Category

Disable WSUS on Managed Computers

For the past eight or more years most of us have managed PC updates using WSUS (Windows Server Update Services) and Group Policy.  However, the modern office now includes a large percentage of mobile employees who never ‘touch down’ at headquarters.  If these devices cannot reach the WSUS server they do not receive updates, because the WSUS policy points them at an internal server instead of Microsoft Update.

A client who has not returned to the office in 18 months, and likely will not for the life of their laptop, recently asked how they could update their machine manually.  They were not able to do so because Windows Update showed “settings are managed by your system administrator”, in other words, by the WSUS Group Policy.


It is quite simple to disable WSUS management in the registry; however, remember that if the device reconnects to the domain (including over a VPN), the WSUS policies will be reapplied at the next Group Policy refresh.  Therefore you should also move the device to an OU not linked to the WSUS policy, or exclude it from the policy under Security Filtering.  Keep in mind that once the policy is gone the device stops reporting to WSUS, so it drops out of your update compliance view and needs to be tracked some other way.

Disclaimer:  Be aware that making incorrect registry changes can have disastrous effects on the health of the device.  Be sure to back up the registry before editing.  To do so see the following Microsoft article: “How to back up and restore the registry in Windows”  http://support.microsoft.com/kb/322756 

  • Open the registry editor, by entering Regedit in the Start / Run box, and browse to:  HKLM\Software\Policies\Microsoft\Windows\
  • Locate the WindowsUpdate  Key and delete it
  • Reboot the PC (may take 2 reboots)
  • Now you can update manually, and configure Windows Update to check for and install updates automatically, directly from the Microsoft Update site
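The same steps from an elevated PowerShell prompt on the laptop, as an added example that is not part of the original post.  It backs the policy key up with reg.exe before deleting it, shows what the policy was enforcing, and restarts the Windows Update service so the change takes effect without the reboot (the reboot the post recommends also works).  The backup file location is an assumption; change it to suit.

```powershell
# Added example (not from the original post): remove the WSUS policy from a
# laptop that no longer reaches the domain, after backing up the key first.
# Assumes: run in an elevated PowerShell prompt on the client; the backup
# path below is an assumption, change it to suit.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$RegPath    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # same key, reg.exe syntax
$BackupFile = Join-Path $env:SystemDrive 'WindowsUpdate-policy-backup.reg'

if (-not (Test-Path $PolicyKey)) {
    Write-Host 'No WSUS policy key present; Windows Update is not policy-managed on this machine.'
    return
}

# 1. Show what the policy currently enforces (WSUS server URL and AU settings)
Get-ItemProperty $PolicyKey | Format-List WUServer, WUStatusServer
Get-ItemProperty (Join-Path $PolicyKey 'AU') -ErrorAction SilentlyContinue |
    Format-List UseWUServer, NoAutoUpdate, AUOptions

# 2. Back up the key before touching it; stop if the export fails
& reg.exe export $RegPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath failed; nothing was deleted." }
Write-Host "Policy key exported to $BackupFile"

# 3. Delete the policy key and restart the Windows Update service so the
#    client re-reads its configuration (equivalent to the post's reboot)
Remove-Item $PolicyKey -Recurse -Force
Restart-Service wuauserv -Force

# 4. Verify the key is really gone; if it comes back, the GPO is still applying
if (Test-Path $PolicyKey) { throw 'Policy key still present; check the WSUS GPO scope / security filtering.' }
Write-Host 'WSUS policy removed. Open Windows Update (or run wuauclt /detectnow) to check for updates.'
```

Run it again after the laptop next contacts the domain: if the key reappears, the device is still in scope of the WSUS GPO and the OU move or security filtering change has not been made.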


You may want to consider using a newer service such as Windows Intune to manage your computers, especially mobile devices.  http://www.microsoft.com/en-us/server-cloud/products/windows-intune/

WSUSLogCleaner failure 2147942402

There are many articles about how to locate and regain space consumed by the various SBS services and log files, including one of my own, “Missing SBS 2008/2011 Drive Space“.   One of the most common culprits is the WSUS admin site logs located in C:\inetpub\logs\LogFiles\W3SVC_____ , which can consume huge amounts of drive space.  With SBS 2011, and with SBS 2008 once updates are applied, this folder should be looked after by a scheduled task which deletes log files older than 100 days.  In some cases you may want to edit this and reduce it to a shorter period, as very nicely explained by Ronny Pot.

I was asked to look at an SBS server today which had ‘lost’ most of its system partition’s available space.  It was not really lost, as it was found in a C:\inetpub\logs\LogFiles\W3SVC_____  folder.  However, this should have been looked after by the aforementioned scheduled task.  Upon review of the task history it seems the task’s script had been failing for several months, resulting in “Action start failed” and “Action failed to start” messages with an Error Value of 2147942402.

Note: the task is located under Administrative Tools |  Task Scheduler | Task Scheduler Library | Microsoft | Windows |  Windows Small Business Server 20xx Standard |  WSUSLog Cleaner


In this case the time frame had been reduced to 30 days, but I noticed that when saving the changes, if you are not paying attention, the “arguments” for the script can get modified by Windows.  The changes are made under the Actions tab of the task’s properties.


However, in some but not all cases, when clicking OK to save you may get a popup asking whether part of the Program/script text should be treated as arguments.


Read the popup text carefully.  If you select Yes, Task Scheduler changes the Program/script field to C:\Program and the Add arguments field to Files\Windows Small Business Server\Bin\WSUSLogCleaner.vbs 30.  The entire path needs to be in the Program/script field and only 30 in the arguments field.   It seems someone in a hurry clicked Yes, as one would assume when approving changes, and did not double check afterwards.  The popup only appears if there are no quotes around “C:\Program Files\Windows Small Business Server\Bin\WSUSLogCleaner.vbs” in the Program/script field, so always quote a path that contains spaces.  The error value 2147942402 is 0x80070002 (file not found): the task was trying to run a program called C:\Program, which does not exist, so the log files were never cleaned up.
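A check for exactly this failure, as an added example that is not part of the original post: it exports the task definition with schtasks.exe, tests whether the Program/script path actually exists on disk, and then measures the IIS log folders and how many files are older than the retention period the cleaner should be removing.  The task path must be passed exactly as it appears in Task Scheduler (the “20xx” in the note above is your SBS version); the retention default of 100 days is the one the post describes, and the script does not modify anything.

```powershell
# Added example (not from the original post): check the WSUSLog Cleaner task's
# action for the split-path problem and report IIS log usage. Report only.
# Assumes: run elevated on the SBS with PowerShell 2.0 or later; -TaskPath is
# the full task path as shown in Task Scheduler.
param(
    [Parameter(Mandatory=$true)][string]$TaskPath,
    [int]$RetentionDays = 100,
    [string]$LogRoot = 'C:\inetpub\logs\LogFiles'
)

# 1. Export the task definition as XML and inspect the Exec action
$xmlText = & schtasks.exe /Query /TN $TaskPath /XML ONE 2>&1
if ($LASTEXITCODE -ne 0) { throw "schtasks could not read '$TaskPath': $($xmlText -join ' ')" }
[xml]$task = ($xmlText -join "`n")
$exec = $task.Task.Actions.Exec
Write-Host "Program/script : $($exec.Command)"
Write-Host "Arguments      : $($exec.Arguments)"

$cmd = ([string]$exec.Command).Trim('"')
if (-not (Test-Path -LiteralPath $cmd)) {
    Write-Warning ("Program/script '$cmd' does not exist on disk. This is the 0x80070002 " +
                   "(2147942402) failure: the path was split at the first space. Put the whole " +
                   "quoted .vbs path in Program/script and only the day count in Arguments.")
} elseif (([string]$exec.Arguments) -notmatch '^\s*\d+\s*$') {
    Write-Warning "Arguments '$($exec.Arguments)' should be just the retention day count."
} else {
    Write-Host "Task action looks correct (retention $($exec.Arguments) days)."
}

# 2. Measure each site's log folder and count what the cleaner should be deleting
$cutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem $LogRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $files = @(Get-ChildItem $_.FullName -Filter *.log)
    $old   = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })
    New-Object PSObject -Property @{
        Folder    = $_.Name
        Files     = $files.Count
        SizeMB    = [math]::Round((($files | Measure-Object Length -Sum).Sum) / 1MB, 1)
        OlderThan = $old.Count
        OldMB     = [math]::Round((($old | Measure-Object Length -Sum).Sum) / 1MB, 1)
    }
} | Sort-Object SizeMB -Descending | Format-Table Folder, Files, SizeMB, OlderThan, OldMB -AutoSize
```

A large OldMB figure next to a task whose last run result is 0x80070002 is the combination found on this server: the cleaner was scheduled but never ran.  Fix the action in the Task Scheduler GUI with the path quoted, then run the task once and re-run the check.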

Add 2012 RDS server to SBS 2008/2011

Server 2012 has a new Remote Desktop Services (RDS) feature set which is a great addition to any network.  A common reason for wanting to implement 2012 RDS is the RemoteFX feature, RDP on steroids, which provides substantially better performance when remotely running graphics-intensive applications, but there are other RemoteFX bonus elements as well, in addition to other 2012 RDS features.  RemoteFX was included with Server 2008 R2, but the pre-2012 hardware requirements were more restrictive, and configuration was a little more involved.

Remote Desktop Services is installed a little differently than its predecessor, Terminal Services.  Most current instruction sets advise you to use the “Remote Desktop Services installation” option of the Add Roles and Features wizard.  However, this automatically installs related services that conflict with those already installed on SBS, such as the Remote Desktop Gateway service.  Therefore you need to install using the “Role-based or feature-based installation” method and manually select only the features to be installed.

Installation:

To add a Server 2012, running the RDS role, the steps are as follows.

  • Install the basic Server 2012 operating system.  This can be on either a physical or virtual machine
  • Next join the computer to the domain.  In an SBS domain you want to do this for obvious reasons, but note that Server 2012 RDS does require the server to be domain joined.  To do so open the Server Manager Dashboard, click on “Local Server”, in the window to the right click on “Workgroup”, in the resulting window click “Change”, then select “Domain” and enter your internal domain name, such as MyDomain.local


  • Once completed and you have rebooted the server, I recommend installing all Windows updates.
  • You can now begin the RDS installation.  Make sure you have first logged in with a Domain Admin account and not a local administrator account.
  • First from the Server Manager Dashboard select “Add roles and features”


  • Next, as mentioned earlier, choose “Role-based or feature-based installation”


  • Select the local server


  • Select the “Remote Desktop Services” role and click Next


  • Do not select anything in the Features window, click next


  • There will be a pop-up window where you can select the RDS role services you wish to install.  Select only the “Remote Desktop Session Host” option.  You may also want to add the “Remote Desktop Licensing” service, though you can do so at another time.  The Licensing service is discussed a little later on.  Click Next


  • Click Add Features.


  • Select restart the server automatically, and choose install.


  • After a reboot the RDS service should be installed.

Tweak and configure access

There are some minor configurations to be done as well.

  • Computer OU: Firstly, on the SBS, in Active Directory Users and Computers (ADUC), move the new server from the default Computers container to the MyBusiness\Computers\SBSServers OU.  This will allow it to show up in the Windows SBS Console under the Computers tab (it may take a few minutes to appear).  I usually create a sub-OU for Terminal Servers when applying group policies, but this is by no means necessary.


  • User Group: Users must be granted the right to “log on through Remote Desktop Services”.  To do so they need to be added to the local “Remote Desktop Users” group on the RDS server, not on the SBS.  It would not be convenient to manage this from the RDS server, adding one user at a time, so it is best in ADUC on the SBS to add a new security group named something like “Terminal Server Users”.  Then on the RDS server, under Administrative Tools | Computer Management | Local Users and Groups | Groups, add this domain group to the local Remote Desktop Users group.  This way you can manage access centrally from the SBS by simply adding users to your new Terminal Server Users group.  Add only the users who actually need remote access; do not add Domain Users, since every member of this group gets an interactive desktop session on the server.


  • RWW / RWA: You will also want to make the new RDS server available through Remote Web Workplace / Remote Web Access.  If added to the proper OU above it will be by default with SBS 2008; however, with SBS 2011 you need to add a registry key.  The following link explains: https://blog.lan-tech.ca/2011/12/12/add-a-terminal-server-to-the-sbs-2011-rwa-page/   Note that this does not apply to Server Essentials.
  • Certificate: Accessing the RDS server through RWA, or using the RDP client with RD Gateway, requires an SSL certificate.  Where you are adding this to an SBS domain, access will use your existing certificate.  Should you need to add a certificate, please see: https://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/
  • Router Configuration:  Traditionally Terminal Services required forwarding TCP port 3389 from the router to the Terminal Server’s IP, exposing RDP directly to the internet.  SBS instead makes use of the Remote Desktop Gateway service, which carries RDP inside SSL on port 443 to the SBS, where the user is authenticated before the session is relayed to the RDS server on the LAN.  This does require that port 443 be forwarded to the SBS, but presumably this is already configured if you are using OWA, RWA, and/or SharePoint.  Do not forward 3389 to the new server; leave RDP reachable only from the LAN and through the gateway.
  • RDP client: To connect using the RDP client simply enter the RDS server’s name in the “Computer” box, and your SBS site’s public FQDN in the RD Gateway server name box, under Advanced | Settings.

Licensing

  • RDS also requires a CAL (Client Access License) for each device or user that connects to Remote Desktop Services.  This is managed with the Remote Desktop Licensing service mentioned earlier.  There is a 120 day grace period before you are required to install the Licensing service, purchase, and add your CALs.  If you exceed the 120 day grace period, users will be blocked from connecting to the RDS server.
  • The service can be installed on another server of similar vintage in the domain, but for simplicity the following steps install it on the same server.  If not already done, it is installed by running the Add Roles and Features wizard in Server Manager: in the Roles window expand Remote Desktop Services, select the Remote Desktop Licensing service, then complete the wizard.
  • Open the RD Licensing Manager, located under Administrative Tools | Remote Desktop Services.  Expand All servers, right click on your server, choose Activate Server, and complete the required company information fields.  The last step will let you add your CALs now, but I recommend waiting until you have completed your configuration.
  • Right click on the server and choose “Review Configuration”.  You may need to add the licensing server to the Terminal Server License Servers group in ADUC; you can do so easily by clicking the Add to Group button.
  • Licensing mode:  CALs can be purchased as Per Device or Per User.  The latter tends to be more common.  A single Per User CAL allows one user to connect from as many devices as they like: office PC, home PC, hotel lobby PC, laptop, etc.  A Per Device CAL allows many users to connect from only one device, and is generally only used in situations such as a call center where many people share one machine.  Though you can mix User and Device CALs it is best to pick one or the other.  To set the licensing mode, open the Local Group Policy Editor by entering gpedit.msc in the Run box, locate the following policy, enable it, and set the licensing mode:    Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing | Set the Remote Desktop licensing mode.


  • If you run the RD Licensing Diagnoser under Administrative Tools | Remote Desktop Services, and it states that a licensing server has not been specified, you may also have to enter the server’s name manually in the Local Group Policy Editor.  The setting is in the same place as the policy in the last step and is named “Use the specified Remote Desktop license servers”.
  • Server CALs: The discussion so far relates to RDS CALs, but it should be noted that any user accessing any server on the network also requires Server CALs.  Accessing the SBS and any other server of the same version year or older is covered by SBS CALs.  Anyone accessing the new 2012 server will also need Server 2012 CALs in addition to SBS CALs.

Firewall

  • You may also have to edit the Windows Firewall.  Exceptions should be created automatically, but on occasion they are not.  You can verify and edit them using Control Panel | Windows Firewall | Allow an app or feature through Windows Firewall, checking that the Remote Desktop entry is allowed on each profile.  It seems to be the Remote Desktop Public profile setting that is not always enabled.


Your RDS server should now be fully functional.
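The same build-out done from an elevated PowerShell prompt on the new Server 2012 member server, as an added example that is not part of the original post.  It installs only the Session Host and Licensing role services (and checks that the Gateway service, which clashes with SBS, was not pulled in), adds the domain group to the local Remote Desktop Users group, writes the same licensing mode and license server policy the post sets with gpedit.msc, and enables the Remote Desktop firewall rules.  The domain name MyDomain.local and the group name Terminal Server Users are the post’s own placeholders; the registry values 2 (Per Device) and 4 (Per User) are the ones the policy writes.  Run it after the domain join, logged on with a Domain Admin account as the post advises.

```powershell
# Added example (not from the original post): scripted version of the RDS
# install and configuration steps above, for an elevated prompt on the new
# Server 2012 member server. Assumes you are logged on with a domain account
# so $env:USERDOMAIN is the domain's NetBIOS name.
$RdsUserGroup  = 'Terminal Server Users'   # domain security group created in ADUC, as in the post
$LicenseServer = $env:COMPUTERNAME         # the post installs RD Licensing on the same server
$PerUser       = $true                     # $false = Per Device licensing

$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'Join the server to the domain (and reboot) before running this.' }

# 1. Install only Session Host and Licensing. RDS-Gateway, RDS-Web-Access and
#    RDS-Connection-Broker are deliberately not included; they conflict with SBS.
$result = Install-WindowsFeature -Name RDS-RD-Server, RDS-Licensing -IncludeManagementTools
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot required; re-run this script afterwards.' }

# 2. Let the domain group log on through Remote Desktop Services on this server
& net.exe localgroup 'Remote Desktop Users' "$env:USERDOMAIN\$RdsUserGroup" /add

# 3. Licensing mode and license server: the same two policy settings found under
#    Computer Configuration > Administrative Templates > Windows Components >
#    Remote Desktop Services > Remote Desktop Session Host > Licensing
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $pol)) { New-Item $pol -Force | Out-Null }
$mode = $(if ($PerUser) { 4 } else { 2 })   # 4 = Per User, 2 = Per Device
New-ItemProperty $pol -Name LicensingMode  -PropertyType DWord  -Value $mode          -Force | Out-Null
New-ItemProperty $pol -Name LicenseServers -PropertyType String -Value $LicenseServer -Force | Out-Null

# 4. Firewall: enable the Remote Desktop rules on every profile (the post notes
#    the Public profile rule is the one sometimes left disabled)
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Verification: role state (Gateway must NOT be installed), group membership,
#    licensing policy, firewall rules
Get-WindowsFeature RDS-RD-Server, RDS-Licensing, RDS-Gateway | Select-Object Name, InstallState
& net.exe localgroup 'Remote Desktop Users'
Get-ItemProperty $pol | Select-Object LicensingMode, LicenseServers
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Profile, Enabled
```

The RD Licensing server activation and CAL installation are still done in RD Licensing Manager as described above; the script only points the session host at the license server.  If the RD Licensing Diagnoser still reports that no license server is specified, check the LicenseServers value the script wrote.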

Locate default Computer or User OU

In troubleshooting an issue with the SBS user creation wizard, I wanted to know what was set as the default Organizational Unit in which users would be placed.   Though the following works with any server version at domain functional level Server 2003 or newer, SBS defaults to placing users in the MyBusiness\Users\SBSUsers OU and I wanted to verify this was set appropriately.  There are a hundred articles explaining how to change the default users OU using the command “redirusr”, or “redircmp” for computers, but it was difficult to find a link explaining how to locate the current defaults.  There are a few links explaining where the information is stored, which is in the “wellKnownObjects” attribute in the properties of the domain object, in Active Directory Users and Computers.


However when you click on “View”, to inspect the settings for that attribute, you get a popup warning; “There is no editor to handle this attribute”, and the same happens when using ADSI Edit.


Thanks to a tip by Alex Verboon, Microsoft’s (Sysinternals) Active Directory Explorer will let you see the values of this attribute.  Download AD Explorer, run the app, and on a single-domain server you can leave all fields blank and click OK.


Click on your domain, then in the right hand window right click on “wellKnownObjects” and choose Properties.


In the resulting window you can review the current settings for the default containers for Computers and Users.

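The same lookup without AD Explorer, as an added example that is not part of the original post: it reads wellKnownObjects from the domain object with a base-scope DirectorySearcher, which is available with PowerShell 2.0 on SBS 2008/2011, and decodes the DN-Binary values.  The two GUIDs are the documented well-known GUIDs for the Users and Computers containers (the ones redirusr and redircmp update); the value format it parses is the same “B:32:<guid>:<DN>” string AD Explorer displays.  On Server 2008 R2 or later with the ActiveDirectory module, (Get-ADDomain).UsersContainer and .ComputersContainer give the same answer.

```powershell
# Added example (not from the original post): show the default Users and
# Computers containers from the domain's wellKnownObjects attribute.
# Assumes: run as a domain user on a domain-joined machine; PowerShell 2.0.

# Documented well-known GUIDs for the two containers redirusr/redircmp change
$WellKnownGuids = @{
    'a9d1ca15768811d1aded00c04fd8d5cd' = 'Users     (redirusr)'
    'aa312825768811d1aded00c04fd8d5cd' = 'Computers (redircmp)'
}

function Parse-WellKnownObject {
    # Each value is a DN-Binary string: B:<hex length>:<guid as hex>:<distinguished name>
    param([string]$Value)
    $parts = $Value -split ':', 4
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { return $null }
    $guid = $parts[2].ToLower()
    New-Object PSObject -Property @{
        Guid = $guid
        Role = $WellKnownGuids[$guid]
        DN   = $parts[3]
    }
}

function Get-DefaultContainers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext

    # Base-scope search on the domain object itself, reading only wellKnownObjects
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    $searcher.PropertiesToLoad.Add('wellKnownObjects') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Could not read $domainDn" }

    foreach ($v in $result.Properties['wellknownobjects']) {
        $p = Parse-WellKnownObject ([string]$v)
        if ($p -and $p.Role) { $p }     # only the two containers we care about
    }
}

Get-DefaultContainers | Format-Table Role, DN -AutoSize
```

On a healthy SBS the Users line should show OU=SBSUsers,OU=Users,OU=MyBusiness,… and the Computers line OU=SBSComputers,OU=Computers,OU=MyBusiness,…; if either still points at the CN=Users or CN=Computers container, the SBS redirection has been undone.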

SharePoint update KB2596911 on SBS

I just installed “Security Update for Windows SharePoint Services 3.0 x64 KB2596911” on a client’s SBS 2008 server, as one of six updates, only to have it fail.  Upon reboot neither the SharePoint website nor the WSUS console was functioning.  In addition the Application event log was full of Event ID 5084, Source MSSQL$MICROSOFT##SSEE informational events.  A quick Google showed many folk have encountered similar issues, for example:

http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/e8391454-a5b2-418f-8dab-324c430ce219

In my case, after the reboot I was able to resolve it by downloading the single update from the link below, right clicking and choosing Run as administrator, and waiting, and waiting, and waiting!  Be patient: the update, though small, took about 45 minutes to complete, but it was successful and all services restarted.  Though it did not prompt for a reboot I felt it was best to do so, and everything still functioned properly.

http://www.microsoft.com/en-us/download/details.aspx?id=30274

For the record, there is no mention of it in the KB article, but during the install it advises that you need volume licensing to use the update.  I chose to accept the notification and continue, working on the assumption that the licensing referred to the base product.  In my case this was being installed on Small Business Server, where SharePoint is an integrated component.

This may not be a solution in all cases, but it was a simple, though tedious, repair for this server.

Users not displaying in SBS console

A common question is: “why are my users missing from the SBS console, under the Users tab?”

If a user is created the “SBS way”, by using the “Add a new user account” wizard under Users and Groups | Users tab of the SBS console, as they should be, they will automatically appear in the console.  However, if a user was created directly in Active Directory without the wizard, or possibly after a migration, they may not be shown in the console.  To resolve this:

  1. Open the Active Directory Users and Computers console, locate the users, which are probably under the Domain | Users container, and move them to the Domain | MyBusiness | Users | SBSUsers OU
  2. In the SBS console under Users and Groups | Users | menu on the right, choose “Change user role for user accounts”.  When running the wizard select what type of privileges you wish to give the user(s) (Network Administrator, Standard User, or Standard User with administration links) and choose to replace or add to existing permissions.  Next select the users to which you want to apply the updates.  Note that you need to check the box “Display all user accounts in Active Directory” for your missing users to appear in the list.  Select the user(s), click Add, and then Change user role.

This will update the users permissions and the features available to them, based on the assigned role, and add them to the SBS console.

There are a few blog articles that advise differently, suggesting you have to make a change using ADSI Edit.  Personally I have never run into this, but if the above steps do not work for you it is an alternate solution.  Keep in mind this method only adds them to the SBS console; it does not edit or add the other permissions and features that the User Role wizard would.

Go to:  ADSI Edit under Administrative Tools | right click on ADSI Edit | Connect to | accept all defaults, click OK | expand Default naming context | expand DC=<your domain>,DC=local | expand the container that holds your user(s) (probably CN=Users) | right click on each user object and choose Properties | scroll down to msSBSCreationState | highlight it and click Edit | enter Created in the “Value” box | exit choosing OK | OK.

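A report that shows which accounts fail either of the two conditions above, as an added example that is not part of the original post: for every enabled user it lists the container the account lives in and its msSBSCreationState, and flags accounts that are outside MyBusiness\Users\SBSUsers or do not carry the Created state.  It changes nothing; fix the accounts with the Change user role wizard as described.  The “ShowsInConsole” column is this script’s own combination of the two conditions the post describes, not an attribute the console exposes.

```powershell
# Added example (not from the original post): list enabled users with their OU
# and msSBSCreationState so the ones the SBS console will not show stand out.
# Report only. Assumes: run on the SBS as a domain admin; PowerShell 2.0.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$sbsUsers = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDn"

function Get-Prop($result, [string]$name) {
    # First value of a search-result attribute, or '' when the attribute is absent
    $v = $result.Properties[$name]
    if ($v -and $v.Count -gt 0) { [string]$v[0] } else { '' }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
# person/user objects that are not disabled (userAccountControl bit 2 clear)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$searcher.PageSize = 500
foreach ($a in 'sAMAccountName', 'distinguishedName', 'msSBSCreationState') {
    $searcher.PropertiesToLoad.Add($a) | Out-Null
}

$report = foreach ($r in $searcher.FindAll()) {
    $dn    = Get-Prop $r 'distinguishedname'
    $state = Get-Prop $r 'mssbscreationstate'
    # Strip the leading RDN (handles escaped commas in the CN) to get the parent container
    $container = $dn -replace '^CN=(?:[^,\\]|\\.)*,', ''
    $inSbsUsers = ($container -eq $sbsUsers)
    New-Object PSObject -Property @{
        User           = Get-Prop $r 'samaccountname'
        InSBSUsers     = $inSbsUsers
        CreationState  = $(if ($state) { $state } else { '(not set)' })
        ShowsInConsole = ($inSbsUsers -and $state -eq 'Created')   # heuristic: both conditions from the post
        Container      = $container
    }
}

$report | Sort-Object ShowsInConsole, User |
    Format-Table User, InSBSUsers, CreationState, ShowsInConsole, Container -AutoSize
```

Accounts with InSBSUsers False are the ones to move in step 1; accounts that are in the OU but show “(not set)” are the case the ADSI Edit workaround addresses.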

WSUS Update KB2720211 Issues

There have been numerous problems reported after installing Microsoft update KB2720211:

  • WSUS server stops synchronizing with Microsoft Update
  • Website Verifications are not accurate
  • WSUS server stops working and also fails to reinstall
  • Errors in errorlog for Windows internal database
  • Some have reported backups fail to run on SBS

Should any of these be plaguing your systems, Microsoft has just released a TechNet blog article addressing these issues which may be of some help:

http://blogs.technet.com/b/sus/archive/2012/06/20/wsus-kb272011-common-issues-encountered-and-how-to-fix-them.aspx

If interested in reading about end user reports, currently the key links to follow are:

http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/e918a191-ef6d-4c4b-b83a-7a4ae20a5217

http://byronwright.blogspot.nl/2012/06/kb-2720211-kills-wsus.html

http://tinyurl.com/c2clhht

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_27758486.html#a38107387

Google/Bing KB2720211 to locate more.

SBS connect / connectcomputer wizard fails

Generally, when a computer cannot join the domain using http://connect (SBS 2008 & 2011) or http://SBSname/connectcomputer (SBS 2003), it is due to an inability to resolve the name of the domain controller correctly and in a timely fashion.  Below is a list of common reasons for the connect wizards to fail.

In an SBS domain the server should be the DHCP server, and if so, items 3 and 4 below are set automatically through DHCP.  However, if addressing is statically assigned or the router is handing out DHCP, you may need to make changes.  Items 3 and 4 are also basic networking requirements of a Windows domain, not just important for joining it.

1. If there is more than one network adapter installed, wired or wireless, disable all but one until the machine is domain joined.  If at all possible, use a wired connection, not wireless.

2. Many new PCs also show a Bluetooth connection under “Network Connections”; this should be disabled as well while running the wizard.  If you are using a Bluetooth mouse and/or keyboard these will have to be temporarily replaced.

3. Make sure, using ipconfig /all, that the client’s DNS points ONLY to your internal DNS server, in this case the SBS.  Do not allow a router or ISP DNS server to be listed, even as an alternate: a client that sends its domain lookups to an external resolver cannot find the domain controller’s SRV records.

4. ipconfig /all should also show, next to “Primary DNS Suffix”, your internal domain suffix such as MyDomain.local.  If not, you need to add the domain suffix to the client machine.  To do so, enter it in the “DNS suffix for this connection” box under the DNS tab of the NIC’s advanced TCP/IPv4 properties

5. If there are any third-party firewalls or security suites installed, disable them until joined to the domain, and re-enable them once the join completes.  The Windows Firewall should not need to be disabled.

6. If it is still failing, add the connect web site to the “Trusted sites” list in Internet Explorer under Tools | Internet Options | Security | Trusted sites

7. If all else fails you can skip the wizard and use a third-party utility called ProfWiz.

It is important to note that using the connect and connectcomputer wizards is very important.  With SBS 2003 it is especially critical to do so, as it performs a long list of tasks other than just joining the domain.  It copies the local user’s profile, configures the user and computer environments, changes permissions, installs SBS related features, makes changes to networking, and much more.  Susan Bradley’s blog outlines this in detail: “So exactly “what” does connect computer do anyway?”  However, SBS 2008 and SBS 2011 control most of this through Group Policy.  The key bonus feature of the SBS 2008/2011 wizard is its ability to import current users’ local profiles.  Though I still strongly recommend using the wizard, it will only import a local workgroup profile.  If the wizard fails or you want to import a previous domain profile, you may want to consider using ProfWiz.  ProfWiz, by forensit.com, is a simple little tool that will join the PC to the domain and reset the permissions of an existing profile, allowing it to be used as the new domain profile (i.e. it imports the user’s settings such as desktop items, favorites, Documents, and application configurations).  For instructions on downloading and running it see:  https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/
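A client-side pre-flight for items 1 through 4 above, as an added example that is not part of the original post.  Run it in an elevated PowerShell prompt (2.0 is enough) on the workstation before starting http://connect: it counts enabled adapters, asks every configured DNS server for the domain controller SRV record (which a router or ISP resolver cannot answer), checks the primary and connection-specific DNS suffixes, and confirms that nltest can locate a DC and that the bare name “connect” resolves.  MyDomain.local is the post’s placeholder for the internal domain; change it to suit.

```powershell
# Added example (not from the original post): pre-flight checks for the SBS
# connect wizard, run on the client. Assumes: internal domain MyDomain.local
# (placeholder from the post) and that the SBS is the DNS server.
param([string]$Domain = 'MyDomain.local')
$problems = @()

# 1 & 2. Exactly one enabled network adapter (wireless and Bluetooth included)
$enabled = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetEnabled -eq $true })
if ($enabled.Count -ne 1) {
    $names = ($enabled | ForEach-Object { $_.Name }) -join '; '
    $problems += "Expected exactly one enabled adapter, found $($enabled.Count): $names"
}

# 3. Every DNS server on the IP-enabled adapter(s) must be able to return the
#    DC locator SRV record; a router or ISP resolver cannot, which is the usual cause
$cfg = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
foreach ($c in $cfg) {
    foreach ($dns in @($c.DNSServerSearchOrder)) {
        $out = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $dns 2>&1
        if (-not ($out -match 'svr hostname')) {
            $problems += "DNS server $dns on '$($c.Description)' cannot find a domain controller for $Domain (router or ISP DNS?)"
        }
    }
}

# 4. Primary DNS suffix, or a connection-specific suffix, must be the internal domain
$primary = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
$connSuffixes = @($cfg | ForEach-Object { $_.DNSDomain })
if ($primary -ne $Domain -and $connSuffixes -notcontains $Domain) {
    $problems += "Neither the primary DNS suffix ('$primary') nor a connection-specific suffix is $Domain"
}

# Can a DC be located, and does the wizard's short name resolve through the suffix?
$out = & nltest.exe "/dsgetdc:$Domain" 2>&1
if ($LASTEXITCODE -ne 0) { $problems += "nltest could not locate a DC for $Domain`: $($out -join ' ')" }
try { [System.Net.Dns]::GetHostAddresses('connect') | Out-Null }
catch { $problems += "'connect' does not resolve; the DNS suffix is not being applied or the SBS is not the resolver" }

if ($problems.Count -eq 0) {
    Write-Host "Pre-flight passed; run http://connect now." -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Each warning maps to a numbered item above; fix them in order, since a wrong DNS server (item 3) also breaks the suffix and locator checks that follow it.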

SBS Missing Attributes tab in AD

It seems the Attribute Editor tab is missing from user properties in Active Directory Users and Computers after a migration from SBS 2003 to SBS 2008 or SBS 2011.  Normally this tab is hidden but easily revealed by selecting View | Advanced Features on the console’s menu bar; however, this is not so after a migration.  The issue was addressed in a post by Stuart Hudman  http://social.technet.microsoft.com/forums/en-US/winserverManagement/thread/6e6ef6bd-b5c9-4f16-b346-097832e3b93c/  but I was recently asked to help locate the exact location for the required changes, so I have posted detailed instructions below.

As always, you should have a good backup, including system state, before editing AD.  The Configuration partition being edited here is forest-wide, so a mistake affects every domain controller.
Note: the values to add, such as 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}, need to be exact and entered without quotes.  All three entries are similar but copy carefully, as they are not the same.  There will probably be multiple entries already present under the attribute; you are just adding one more, assuming it is not already present, which you should check first.

-open ADSIedit.msc
-at the top of the ‘tree’ right click on ADSI Edit and choose “Connect to”
-under Connection Point select “Select a well known Naming Context” and in that list choose “Configuration”
-under Computer leave “Default (Domain or server that you logged in to)”, assuming you are logged on to the SBS
-click OK
-expand (click on the +) CN=Configuration,DC=<your domain>,DC=local
-expand CN=DisplaySpecifiers
-click on CN=<your language code>.  The language code can be found at http://support.microsoft.com/kb/324097 (for example US English is 409, so CN=409).  This is the language you chose when setting up the server
-in the right hand window locate CN=user-Display, right click on it and choose Properties
-locate adminPropertyPages, highlight it, click “Edit” and add the line 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN=computer-Display, right click on it and choose Properties
-locate adminPropertyPages, highlight it, click “Edit” and add the line 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}
-in the right hand window locate CN=default-Display, right click on it and choose Properties
-locate adminPropertyPages, highlight it, click “Edit” and add the line 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

SBS 2008 / 2011 adding an SSL certificate

[Note: some links point to SBS 2008 configurations, some to SBS 2011; the procedure is the same for both]

Just a quick comment to address the many internet posts suggesting that SBS requires a multi-name SSL certificate (UCC, Unified Communications Certificate).  This is not true.  SBS is designed to use a simple, inexpensive, single-name certificate, and it is quite easy to install.  A basic GoDaddy or other vendor certificate is all that is required.  Sean Daniel outlines the process very nicely in his post entitled “Installing a GoDaddy Standard SSL Certificate on SBS 2008“.  Keep in mind that the FQDN for your site as recorded in your public DNS records, the certificate name, and the public name used in the “Internet Address Wizard” (see step #7) all must be exactly the same.  As a matter of fact, although it is possible to use a UCC certificate, the wizard will not install it for you; you would have to do so manually.  There is no need for the additional cost or time involved with multi-name certificates.  (The link below will take you to the GoDaddy site and should have a menu bar at the top offering you a very good first year discount)

Go Daddy $12.99 SSL Sale!

The primary argument for using a UCC cert is to make use of Autodiscover.   Though you do not need Autodiscover, if you wish to make use of it you still do not need a UCC certificate.  You can in fact configure Autodiscover with a single-name certificate by creating an SRV DNS record, following the ThirdTier.net instructions “Setting up Autodiscover for SBS 2011”.

Alternatively, you can avoid buying an SSL certificate at all.  After running the SBS “Internet Address Management Wizard”, a self-signed certificate is generated in the SBS share \\SBSname\Public\Downloads\Certificate Distribution Package .  Machines that are joined to the domain after this will have the certificate installed automatically.  If you generate a new certificate (by re-running the wizard), or have non-domain-joined computers or devices, you need to copy and install the certificate manually.  To distribute / install the certificate on the PCs, please see “How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?”  Note that this places your own certificate in each device’s trusted store, so guard the SBS private key accordingly and redistribute whenever the wizard regenerates it.  This is often not as easy to do on other devices such as smart phones.  Therefore a third-party certificate becomes much more attractive, as nothing has to be installed on the connecting device.

Should you have a dynamic public IP at the SBS site, I recommend reading “Using DDNS services with SBS 2008/2011” which outlines using a dynamic IP, a DDNS service, and configuring DNS and certificates.
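A check for the “must be exactly the same” rule above, as an added example that is not part of the original post.  Run it from outside the LAN on any Windows PC with PowerShell 2.0: it resolves the public FQDN, opens an SSL connection to port 443 and reads the certificate the SBS actually presents, compares the name on it (subject CN, plus any SAN entries) with the FQDN, checks expiry and whether the chain is trusted by the machine you run it on, and, for the single-name Autodiscover approach, checks that the _autodiscover._tcp SRV record points at the same FQDN.  The names remote.MyDomain.com and MyDomain.com are placeholders, not from the post.

```powershell
# Added example (not from the original post): verify public DNS, the served
# certificate and the Autodiscover SRV record all agree on one FQDN.
# Assumes: placeholder names below; run off-LAN with PowerShell 2.0 or later.
param(
    [string]$PublicFqdn = 'remote.MyDomain.com',   # public name from the Internet Address Wizard
    [string]$MailDomain = 'MyDomain.com'           # e-mail domain the SRV record lives in
)

function Get-ServedCertificate {
    # Fetch the certificate a host presents on a TLS port without trusting it
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $accept
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $client.Close() }
}

function Test-SbsCertificate {
    param([string]$Fqdn, [string]$MailDomain)
    $issues = @()

    # 1. Public DNS must resolve the FQDN
    try { [System.Net.Dns]::GetHostAddresses($Fqdn) | Out-Null }
    catch { return @("Public DNS does not resolve $Fqdn") }

    # 2. The certificate's name(s) must include the FQDN
    $cert  = Get-ServedCertificate -HostName $Fqdn
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if ($san) { $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[1] } }
    if ($names -notcontains $Fqdn) { $issues += "Certificate is for '$($names -join ', ')', not $Fqdn" }

    # 3. Expiry and trust on this machine (a self-signed cert fails here unless installed)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $issues += "Certificate expires $($cert.NotAfter)" }
    if (-not $cert.Verify()) { $issues += 'Certificate chain is not trusted on this machine (self-signed and not installed, or untrusted CA)' }

    # 4. Autodiscover SRV record, if you chose the SRV approach instead of a UCC cert
    $srv = & nslookup.exe -type=SRV "_autodiscover._tcp.$MailDomain" 2>&1
    $target = $null
    foreach ($line in $srv) {
        if ([string]$line -match 'svr hostname\s*=\s*(\S+)') { $target = $matches[1].TrimEnd('.') }
    }
    if (-not $target) { $issues += "No _autodiscover._tcp.$MailDomain SRV record found" }
    elseif ($target -ne $Fqdn) { $issues += "Autodiscover SRV points at $target, not $Fqdn" }

    return $issues
}

$issues = @(Test-SbsCertificate -Fqdn $PublicFqdn -MailDomain $MailDomain)
if ($issues.Count -eq 0) { Write-Host "DNS, certificate and SRV all agree on $PublicFqdn" -ForegroundColor Green }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

A name mismatch here is exactly what produces the certificate warning in Outlook Anywhere, RWA and the RD Gateway client; the trust check failing on a non-domain device is the self-signed case the post describes.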
