I am pleased to announce my Windows Phone 8 Blog app has been published. As of yet it is not compatible with Windows Phone 8.1 but should be by the time of “official” release. The app, which is free, can be downloaded from: http://www.windowsphone.com/en-us/store/app/lan-tech-blog/d0bd5f80-c223-48ae-a13e-a978913198b0
Archive for the ‘SBS’ Category
There are many articles regarding how to locate and regain space consumed by many SBS services and log files, including one of my own; “Missing SBS 2008/2011 Drive Space“. One of the most common issues is the WSUS admin logs located in C:\inetpub\logs\LogFiles\W3SVC_____ which can consume huge amounts of drive space. With SBS 2011 and SBS 2008 (2008 if updates are applied) this particular folder should be looked after by a scheduled task which clears out log files older than 100 days. In a few cases you may want to edit this and reduce it to a shorter period of time, as very nicely explained by Ronny Pot.
I was asked to look at an SBS server today which had ‘lost’ most of its system partition available space. It was not really lost as it was found in a C:\inetpub\logs\LogFiles\W3SVC_____ folder. However, this should have been looked after by the aforementioned scheduled task. Upon review of the task history it seems the task’s script has been failing for several months resulting in “Action start failed” and “Action failed to start” messages with an Error Value of 2147942402.
Note: the task is located under Administrative Tools | Task Scheduler | Task Scheduler Library | Microsoft | Windows | Windows Small Business Server 20xx Standard | WSUSLog Cleaner
In this case the time frame had been reduced to 30 days, but noticed when saving the changes, if not paying attention, the “arguments” for the script can get modified by Windows. The changes can be made under the Actions tab as per the image below:
However, in some but not all cases, when clicking OK to save you may get a popup as below:
Note the text. If you select yes it changes the Program/Script field to C:\Program, and the Argument field to Files\Windows Small Business Server\Bin\WSUSLogCleaner.vbs 30. The entire path needs to be in the Program/Scripts field and only 30 in the argument. It seems someone in a hurry clicked yes, as one would assume when approving changes, and did not double check after the fact. It seems the popup only occurs if there are no existing quotes around “C:\Program,Files\Windows Small Business Server\Bin\WSUSLogCleaner.vbs” in the Program/Scripts field.
Server 2012 has a new Remote Desktop Services (RDS) feature set which is a great addition to any network. A common reason for wanting to implement 2012 RDS is for the Remote FX feature, RDP on steroids, which provides substantially better performance when remotely running graphic intensive applications, but there are other Remote FX bonus elements as well, in addition to other 2012 RDS features. Remote FX was included with Server 2008 R2, but the pre 2012 hardware requirements were more restrictive, and configuration was a little more involved.
Remote Desktop Services is installed a little differently than it’s predecessor Terminal Services. Most current instruction sets advise you to use the “Remote Desktop Services installation” wizard, seen in the third image below. However this automatically installs related services that conflict with those already installed on SBS, such as the Remote Desktop Gateway Service. Therefore you need to install using the “Role Based or feature-based installation” method and manually select the features to be installed.
To add a Server 2012, running the RDS role, the steps are as follows.
- Install the basic Server 2012 operating system. This can be on either a physical or virtual machine
- Next join the computer to the domain. Where this is an SBS domain you want to do this for obvious reasons, but just to note; Server 2012 RDS does require it be domain joined. To do so open the Server Manager Dashboard, click on “local server”, in the window to the right click on “Workgroup”, in the resulting window click “Change” and then select “Domain” and enter your internal domain name, such as MyDomain.local
- Once completed and you have reboot the server, I recommend installing all Windows updates.
- You can now begin the RDS installation. Make sure you have first logged in with a Domain Admin account and not a local administrator account.
- First from the Server Manager Dashboard select “Add roles and features”
- Next, as mentioned earlier, choose “Role Based or feature-based installation”
- Select the local server
- Select the “Remote Desktop Service” role and click next
- Do not select anything in the Features window, click next
- There will be a pop-up window where you can select the RDS features you wish to install. Select only the “Remote Desktop Session Host” option. You may also want to add the “Remote Desktop Licensing” service, though you can do so at a another time. The Licensing service will be discussed a little later on. Click next
- Click Add Features.
- Select restart the server automatically, and choose install.
- After a reboot the RDS service should be installed.
Tweak and configure access
There are some minor configurations to be done as well.
- Computer OU: Firstly, on the SBS, in Active Directory Users and Computers (ADUC) you should move the new server from the Computer OU to the MyBusiness\Computers\SBSServers OU. This will allow it to show up in the Windows SBS Console under the Computers tab (it may take a few minutes to show up). I usually create a sub-OU for Terminal Servers when applying group policies, but this is by no means necessary.
- User Group: Users must be granted the right to “log on though Remote Desktop Services”. To do so they need to be added to the local Remote Desktop Users” group on the RDS server, not the SBS. It would not be convenient to manage this from the RDS server, adding one user at a time so it is best in ADUC on the SBS to add a new Security Group named something like “Terminal Server Users”. Then on the RDS server, under Administrative Tools | Computer Management | Local Users and Groups | Groups, add this domain group to the local Remote Desktop Users group. This way from the SBS you can centrally manage by simply adding users to your new Terminal servers user group.
- RWW / RWA: You will also want to make the new RDS server available through Remote Web workplace / Remote Web Access. If added to the proper OU above it will be by default with SBS 2008, however with SBS 2011 you need to add a registry key. The following link explains: https://blog.lan-tech.ca/2011/12/12/add-a-terminal-server-to-the-sbs-2011-rwa-page/ Note, that this does not apply to Server Essentials.
- Certificate: Accessing the RDS server through RWA or using the RDP client and RD Gateway requires an SSL certificate. Where you are adding this to an SBS domain, access will use your existing certificate. Should you need to add a certificate, please see: https://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/
- Router Configuration: Traditionally Terminal Services required forwarding port 3389 from the router to the Terminal server’s IP. SBS makes use of the Remote Desktop Gateway service and allows you to connect directly to the RDS server more securely using SSL and port 443. This does require that port 443 be forwarded to the SBS, but presumably this is already configured if you are using OWA, RWA, and/or Sharepoint.
- RDP client: To access using the RDP client simply enter the RDS server’s name in the “Computer” box, and your SBS site’s FQDN in the RD Gateway server name box, under advanced | settings.
- RDS also requires a CAL (Client Access License) be assigned to each device or user in order to use Remote Desktop Services. This is managed with the Remote Desktop Licensing service mentioned earlier. There is a 120 day grace period before you are required to install the Licensing service, purchase, and add your CAL’s. If you exceed the 120 day grace period, users will be blocked from accessing the RDS server.
- The service can be installed on an another similar vintage server in the domain, but for simplicity the following steps installs on the same server. If not already done, It is installed by running the Add Roles wizard in Server Manager, in the Add Roles window, expand Remote Desktop Services, select the Remote Desktop Licensing service, then complete the wizard.
- Open the RD Licensing manager, located under Administrative Tools | Remote Desktop services. Expand All servers, right click on your server, choose Activate Server, and complete the required company information fields. The last step will let you add your CAL’s now, but I recommend waiting until completing your configuration.
- Right click on the server and choose “Review Configuration”. You may need to add the licensing server to the appropriate group in ADUC. You can do so easily by clicking the Add to Group button.
- Licensing mode: CAL’s can be purchased as Per Device or Per User. The latter tends to be more common. A single Per User CAL allows one user to connect from as many devices as they like; office PC, home PC, hotel lobby PC, laptop, etc. A per Device CAL allows many users to connect from only one device. The latter is generally only used in situations similar to a call center. Though you can mix User and Device CAL’s it is best to pick one or the other. To set the licensing mode, open the local security policy by entering gpedit.msc in the Run box. Locate the following policy, enable, and set the licensing mode. Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing | Set the Remote Desktop licensing mode.
- If you run the RD Licensing Diagnoser under Administrative Tools | Remote Desktop services, and it states a licensing server has not been specified, you may also have to manually enter the server’s name in the local security policy . It is located in the same place as the policy in the last step and named “Use the specified Remote Desktop license servers”.
- Server CAL’s: The discussion so far relates to RDS CAL’s but it should be noted that any user accessing any server on the network also requires Server CAL’s. Accessing the SBS and any other server of the same version year or older is covered by SBS CAL’s. Anyone accessing the new 2012 Server will also need Server 2012 CA’s in addition to SBS CAL’s.
- You may also have to edit the Windows firewall. Exceptions should automatically be created but on occasion they are not. You can verify and edit by using Control Panel | Windows Firewall | Allow an app or feature through the windows Firewall, and compare to the following screen shot. It seems to be the Remote Desktop Services Public setting that is not always enabled.
Your RDS server should now be fully functional.
I recently needed to virtualize an SBS 2003, that is to say convert it from a physical machine to a virtual machine on a Hyper-V host. I have done SBS conversions to VMware hosts in the past with with little or no problem, but converting to Hyper-V, my preference , was a little more involved. I first Googled the task and found many suggestions which based on the various articles and instinct, using Microsoft’s disk2vhd was the simplest solution. I was wrong. The first run on a test machine using a single disk worked well but did require several ‘tweaks’, and then when I added the data drives, which may have been unrelated, I ran into many problems, especially when I tried installing the Integration Services components. Though disk2vhd has worked well for me with other operating systems in the past, for some reason the HAL in this case caused problems.
I am not suggesting the following is the best method, or even a good method, but perhaps it will be of some help to those attempting the same task. I have posted the steps that worked flawlessly for me on a test server, trail run, and final move. All of the following was done remotely.
Note: The process will require re-activation of the SBS license. If SBS is an OEM version; it is a licensing violation to install on different hardware or virtualize, the activation will probably fail, and if it does Microsoft will not assist.
- If working remotely you will need to maintain access at least to the Hyper-V host throughout entire process. You can use RDP, VPN, LogMeIn, or any of a dozen other alternatives, but make sure it is in place and working, your existing RWW is about to stop functioning until complete.
- Clean up the initial machine: Remove the second/WAN NIC if present (not the LAN NIC) and run the CEICW (Configure e-mail and Internet Connection Wizard). Note that making network changes remotely can be risky, you can loose access.
- Run the SBS 2003 Best Practices Analyzer and resolve any problems.
- Presumably you do not want e-mail delivered to the server, or remote users accessing the server, during the move, so log onto the router and disable port forwarding on the necessary SBS ports 25, 443, 444, 1723 and 4125, for now.
- Download and run the free VMware converter tool. When running the tool make sure you right click on the program icon and choose “run as administrator”, if not you will receive an error; “A general system error occurred: Crypto Exception: error:02001005:system library:fopen:Input/ output error:unable to load C:\ProgramData\VMware\VMware vCenter Converter Standalone\ssl\rui.crt”.
- Clicking Next will deploy the conversion agent
- In the “Destination System” window choose destination type as “VMware Workstation or other VMware virtual machine” and “VMware Server 2.x”. The destination file location path must be to a network share, even if on the local machine. I also found if running VMware Converter on the Hyper-V server, due to limited name resolution services running and not being a domain member, using the IP in conjunction with the user name worked best, such as 192.168.123.123\UserName, even if it is the local machine. This was a simple workaround for the common credential error received by many; “The operation could not be completed for username due to incorrect user credentials”
- Review the specifications for the resulting VM as to how much RAM is to be assigned (SBS 2003 is limited to 4GB), number of processors, and if you want to change/increase disk sizes.
- In my experience the tool took less than 3 hours to convert about 100GB of files on 2 drives using a 10/100 mbps network, a relatively small site.
- Next download and run the Starwind’s free V2V conversion tool . This will allow you to convert the vdmk file, or files, created by the VMware converter to vhd files which will be compatible with Hyper-V. If you have more than one vdmk, you will need to convert one at a time. You only need the vdmk’s, the other config file/s created by the VMware converter are not necessary.
- When running the tool, point to the vdmk file and choose to convert to “MS Virtual PC” format. You can also choose whether the resulting vhd (Hyper-V disk) is to be a “pre-allocated” or “growable” image. These are Starwind’s terms for a “fixed size” or “dynamically expanding” disk. The former, “fixed” is recommended on domain controllers, but not a requirement on recent Hyper-V servers.
- I found the V2V conversion took about 60-70% as long as the previous P2V step. Once completed if you need the drive space you can delete the .vdmk and other files created by the VMware Converter tool.
- Using the Hyper-V management console you can now create a new VM using the wizard. When doing so presumably you want the maximum RAM, so set to 4000 MB, leave the network adapter as “not connected”, under “Connect Virtual Hard Disk” choose “Use an existing virtual hard disk” and select your system disk (disk containing the C: partition) created by the P2V/V2V steps above, under “Installation Options” select “Install an operating system later”, and click finish.
Next, open the settings console for the newly created VM. It will have added a network adapter, remove it and add a legacy network adapter but again if the existing SBS is still powered up on the same network segment choose “not connected”, if you have multiple physical or virtual processors (cores) adjust the number of processors, if you have multiple disks add the others, and review the remaining settings.
You are ready to start up the new VM. Boot the Virtual SBS and log in. Ignore any offers to discover and add new hardware. You will be a notice you have 3 days to activate. I recommend waiting until complete before doing so. As mentioned do not install any hardware, but you may be prompted at different stages to reboot which you should do. Note that you will have no mouse for this or the next 4 steps.
Manually configure the server’s NIC with the LAN IP, Gateway, and DNS pointing to its LAN NIC IP. You can keep the same IP as the previous server if using the steps I have outlined.
Run the “Change Server IP Wizard” located under Server Management / Internet and E-mail, and keep the same IP as you just set. The wizard will likely tell you it failed and you should run again due to inaccessibility to the LAN. You can ignore.
Run the CEICW (Configure E-mail and Internet Connection Wizard) angin located under Server Management / Internet and E-mail, and make no changes, just accept the existing configurations.
Install the Hyper-V Integration Services by clicking “Insert Integration services Start Up Disk” under “Action” on the menu bar. Allow this to complete and reboot as requested. This can take a little while to run sometimes.
After reboot you may want to do some tweaking such as changing display size settings.
You may also receive a message after rebooting; “At least one service or driver failed during system startup”. Though this could be anyone of a dozen services, reviewing the event logs may show a parallel port service error. To resolve this, on the VM from a command line run; sc config parport start= disabled
If not automatically removed, uninstall the VMware vCenter Converter Standalone Agent, using add/remove programs in the contol panel.
Flush the DNS, NetBIOS, and arp cache to be safe using “ipconfig /flushdns”, “nbtstat –R”, and “arp –d * “
At this point you should be able to shut down the old server. You may want to verify WakeOnLan is enabled and record the MAC address if you think you might have to remotely restart. If so, you can download Solarwind’s Wake-On-LAN tool.
You can now enable the Virtual NIC on the SBS by choosing the physical NIC (Virtual Switch) to which you want to associate the Virtual NIC, in the settings configuration of the VM.
Perform any internal testing such as access to other LAN resources, Internet access, printer availability, services by clients are working such as redirected My Documents, and anything else with which you might be concerned.
Assuming all is well you can now forward the ports on the router to the new Virtual SBS to allow incoming e-mail and remote access by users.
Test e-mail reception, and finally activate the server through windows Activation process.
In troubleshooting an issue with the SBS user creation wizard, I wanted to know what was set as the default Organizational Unit in which users would be placed. Though the following works with any server version which is domain functional level Server 2003 or newer, SBS defaults to placing users in the MyBusiness\Users\SBSUsers OU and I wanted to verify this was set appropriately. There are 100 articles explaining how to change the default users OU using the command “Redirusr”, or “Redircmp” for computers, but it was difficult to find a link explaining how to locate the current defaults. There are a few links explaining where the information is stored, which is in the “wellKnownObjects” attribute of the properties of the domain, in Active Directory Users and Computers.
However when you click on “View”, to inspect the settings for that attribute, you get a popup warning; “There is no editor to handle this attribute”, and the same happens when using ADSI Edit.
Thanks to a tip by Alex Verboon, using Microsoft’s (Sysinternal’s) Active Directory Explorer will allow you to see the settings of this attribute. Download AD Explorer, run the app, on a single domain server you can live all fields blank and click OK.
Click on your domain, then in the right hand window right click on wellKnownObjects”, and choose properties.
In the resulting window you can review the current settings for the default OU’s for Computers and Users
There may be occasions where you need to join an off-site computer to an existing domain at a remote office. Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place. Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article. The primary problem encountered when joining the domain is DNS, but this is easily dealt with.
Joining the domain using a site-to-site VPN
- Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection. If any others exist such as a wireless card, disable until domain joined. On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
- Configure the connecting PC’s network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS. Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
- In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click advanced, and under the DNS tab insert the corporate internal DNS suffix, such as CompanyDomain.local in the box entitled “DNS suffix for this connection”
- Then join the domain using the traditional method of Computer (formerly My Computer) | Properties | Change Settings | Change | enter the internal domain name | click OK | and you should be prompted for credentials for an account authorized to do so, a Domain Admin account. If the Domain Controller is a version of Small Business Server the SBS option to use http://SBSname/connectcomputer or http://connect most often will not work. (more detail and screen shots for the joining the domain process can be found below in the using a VPN client section).
- If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version. https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/
Joining the domain using a Windows VPN client
Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client. Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain. I will assume the server end, RRAS, is configured and working for VPN client connections.
- Log on to the PC you wish to join the domain with a local administrator account
- Only 1 network adapter can be enabled on the PC joining the domain, and preferably a wired connection. If any others exist such as a wireless card, disable until domain joined. On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
- Establish a VPN connection. If not familiar with doing so:
- From the network and sharing center choose “Set up a new connection or Network”
- Select “Connect to a workplace”
- Choose “Use my Internet connection (VPN)”
- Enter the public facing FQDN of the corporate VPN server such as VPNserver.MyDomain.com and enter a friendly name for the connection, anything you like. It is also very important to check the box “Allow other people to use this connection” as you will soon have a domain account which will require access to this VPN connection.
- Enter a User name, which ideally is the user that will be using the connection once joined to the domain, but can be any user name that is authorized to connect to the corporate network via VPN. If you use a name other than the ultimate user of the PC they will simply have to change the user name during in the connection wizard, the first time they try to connect. Enter the password and choose connect. For security reasons I don’t recommend checking “Remember this password”.
- If prompted for a network type after connecting, choose “Work Network”.
- Presumably you were able to establish a connection. However while connected if you did an NSlookup from a command line for the server name, you will see it fails. Try an NSlookup for the FQDN of the server, and it will succeed. Thus, we need to configure DNS for the VPN clientbefore proceeding.
- Disconnect the VPN client
- In the network connections window right click on the VPN/PPP connection and choose properties | Networking tab | highlight Internet Protocol Version 4 (TCP/IPv4) and choose properties | Advanced | DNS tab | and enter the IP of the corporate DNS server under DNS server addresses and the internal domain suffix such as MyDomain.local in the “DNS suffix for this connection box. If admins need to connect to the remote client PC for administration by name check the box “register this connection’s address in DNS” but I would discourage this as the IP can change frequently and cause issues. Also on the “IP Settings” tab leave the option “Use default gateway on remote network” checked, at least for now, so that all traffic is forced to the corporate network while the VPN is connected.
- Now you can try joining the domain
- Connect the VPN client
- Right click on “Computer” (formerly My Computer) and choose properties.
- In the resulting window select “Change Settings”
- Slect “Change” again
- Enter the corporate internal Domain name, such as MyDomain.local in the Domain box and click OK
- You will be prompted for a domain account with privileges to join a PC to the domain, a Domain Admin. Enter it and the password and you should receive a message advising you have been joined to the domain. Be patient it takes a little longer as this is a slow link compared to the LAN.
- You now need to reboot the connecting PC.
- In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC. When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose “Switch User”
- You will then be presented with a new option, a little blue icon in the lower right corner.
- Clicking this allows you to choose to connect to the corporate network, by using the VPN. After entering your credentials you will see the familiar VPN connection automatically start, it will connect, and you will be authenticated to the domain.
- Logon is a little slower of course due to the slow link, and the first time you connect it will have to set up the local domain profile. If you make use of redirected my documents, offline files, or have a lot of group policies logon can take a very long time while they apply and sync. If logon is too slow, you may want to review options available to the remote user. You will note that if you now try nslookup <servername> works as it should.
Note: If connecting from Windows 8, please see the following updated article: https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection. The following policies can assist with this:
Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
- Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
- Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
- Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed
I just installed “Security Update for Windows Services 3.0 x 64 KB2596911” on a clients SBS 2008 server, as 1 of 6 updates, only to have it fail. Upon reboot neither Sharepoint website or the WSUS console were functioning. In addition the Application Event Log was full of Event ID 5084, Source MSSQL$MICROSOFT##SSEE informational events. A quick Google showed many folk have encountered similar issues, for example:
In my case after the reboot I was able to resolve by downloading the single update from the link below, right clicking and choosing run as administrator, and wait, and wait, and wait! Be patient, the update though small took about 45 minutes to complete but it was successful, and all services restarted. Though it did not prompt for a reboot I felt it was best to do so and everything still functioned properly.
For the record, there is no mention of it in the KB article, but during the install it advises that you need volume licensing to use the update. I choose to accept the notification and continue, working on the assumption the licensing referred to the base product. In my case this was being installed on Small Business Server where Sharepoint is an integrated component.
This may not be a solution in all cases, but it was a simple, though tedious, repair for this server.
A common question is; “why are my users missing from the SBS console, under the users tab?”
If a user is created in the “SBS way” by using the “Add new user account” wizard under Users and Groups | Users tab of the SBS console, as they should be, they will automatically appear in the console. However if a user was created within Active Directory, not using the Wizard, or possibly after a migration, they may not be shown in the console. To resolve this:
- Open the Active Directory Users and Computers console, locate the users, which are probably under the Domain | Users Organizational Unit (OU), and move them to the Domain | MyBusiness | Users | SBSUsers OU
- In the SBS console under Users and groups | Users | menu on the right – choose “Change user role for user accounts”. When running the wizard select what type of privileges you wish to give the user/s (Network Admin, Standard User, or Standard User with Admin Links) and choose to replace or add to existing permissions. Next select the users to which you want to apply the updates. Note you need to check the box “Display all user accounts in Active Directory” for your missing users to appear in the list. Select the user/s, click add, and then change user role.
This will update the users permissions and the features available to them, based on the assigned role, and add them to the SBS console.
There are a few blog articles that advise differently suggesting you have to make a change using ADSIedit. Personally I have never run into this, but if the above steps do not work for you it is an alternate solution. Keep in mind this method only adds them to the SBS console it does not edit or add other permissions and features as the User Role wizard would.
Go to: ADSIedit under Administrative tools | right click on ADSIedit | connect to | accept all defaults – click OK | expand Default naming context | expand DC=<your domain>, DC=local | expand the container that holds your user/s (probably CN=Users) | right click on each user container and choose properties | scroll down to msSBSCreationState | highlight and click edit | enter in the “Value” box Created | exit choosing OK | OK.
There have been numerous problems reported after installing Microsoft update KB2720211
- WSUS server stops synchronizing with Microsoft Update
- Website Verifications are not accurate
- WSUS server stops working and also fails to reinstall
- Errors in errorlog for Windows internal database
- Some have reported backups fail to run on SBS
Should any of these be plaguing your systems Microsoft just released a TechNet Blog article addressing these issues which may be of some help:
If interested in reading about end user reports, currently the key links to follow are:
Google/Bing KB2720211 to locate more.
Generally when a computer cannot join the domain using http://connect (SBS 2008 & 2011) or http://SBSname/connectcomputer (SBS 2003) it is due to inability to correctly resolve the name of the domain controller in a timely fashion. Below is a list of common reasons for the connect wizards to fail.
In an SBS domain, the server should be the DHCP server, and if so, items 3 and 4 below should be automatically set through DHCP. However if addressing is statically assigned or you are using a router you may need to make changes. Items 3 and 4 are also basic networking requirements of a Windows Domain, not just important for joining the domain.
1. If there is more than 1 network adapter installed, wired or wireless, disable all but 1 until domain joined. If at all possible, make it a wired connection, not wireless.
2. Many new PC’s also show a Bluetooth connection under “Network Connections”, this should be disabled as well while running the wizard. If you are using a Bluetooth mouse and/or keyboard these will have to be temporarily replaced.
3. Make sure, using IPconfig /all, that the client’s DNS points ONLY to your internal DNS servers, in this case the SBS. Do not allow a router or ISP to be added even as an alternate.
4. IPconfig /all should also show next to “Primary DNS Suffix”” your internal domain suffix such as MyDomain.local. If not you need to add the domain suffix to the client machine. To do so insert it in the “DNS suffix for this connection” box under the DNS tab of the NIC’s advanced TCP/IP IPv4 properties
5. If there are any 3rd party firewalls or security suites installed, disable them until joined to the domain. The Windows firewall should not need to be disabled.
6. If still failing add the connect web site to the “trusted” sites list in Internet Explorer under Tools | Internet Options | Security |trusted Sites
7. If all else fails you can skip the wizard and use a 3rd party utility called ProfWiz.
It is important to note that using the connect and connectcomputer wizards is very important. With SBS 2003 it is especially critical to do so as it performs a long list of tasks other than just joining the domain. It copies the local user’s profile, configures the user and computer environments, changes permissions, installs SBS related features, makes changes to networking, and much more. Susan Bradley’s blog outlines this in detail: “So exactly “what” does connect computer do anyway?” However SBS 2008 and SBS 2011 control most of this through Group Policy. The key bonus feature with the SBS 2008/2011 wizard is its ability to import current users’ local profiles. Though I still strongly recommend using the wizard, it will only import a local workgroup profile. If the wizard fails or you are wanting to import a previous domain profile, you may want to consider using Profwiz. Profwiz by forensit.com a simple little tool that will join the PC to the domain and reset the permissions of an existing profile allowing it to be used as the new domain profile (i.e. import users settings like desktop items, favorites, Documents, and application configurations). For instructions on downloading and running see: https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/