Posts tagged ‘SBS’

Users not displaying in SBS console

A common question is: “Why are my users missing from the SBS console, under the Users tab?”

If a user is created in the “SBS way” by using the “Add new user account” wizard under Users and Groups | Users tab of the SBS console, as they should be, they will automatically appear in the console.  However, if a user was created within Active Directory, not using the wizard, or possibly after a migration, they may not be shown in the console.  To resolve this:

  1. Open the Active Directory Users and Computers console, locate the users, which are probably under the Domain | Users Organizational Unit (OU), and move them to the Domain | MyBusiness | Users | SBSUsers OU
  2. In the SBS console under Users and groups | Users | menu on the right – choose “Change user role for user accounts”.  When running the wizard select what type of privileges you wish to give the user/s (Network Admin, Standard User, or Standard User with Admin Links) and choose to replace or add to existing permissions. Next select the users to which you want to apply the updates.  Note you need to check the box “Display all user accounts in Active Directory” for your missing users to appear in the list.  Select the user/s, click add, and then change user role.

This will update the users’ permissions and the features available to them, based on the assigned role, and add them to the SBS console.

There are a few blog articles that advise differently, suggesting you have to make a change using ADSIedit.  Personally I have never run into this, but if the above steps do not work for you it is an alternate solution.  Keep in mind this method only adds them to the SBS console; it does not edit or add other permissions and features as the User Role wizard would. 

Go to:  ADSIedit under Administrative tools | right click on ADSIedit | connect to | accept all defaults – click OK | expand Default naming context | expand DC=<your domain>, DC=local | expand the container that holds your user/s (probably  CN=Users) | right click on each user container and choose properties | scroll down to msSBSCreationState | highlight and click edit | enter in the “Value” box  Created | exit choosing OK | OK. 
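The same two fixes scripted, as an added example that is not from the original post: it lists the accounts still sitting in CN=Users and, with -Fix, moves them to the SBSUsers OU (step 1 above) and stamps msSBSCreationState the way the ADSIedit steps do. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 / SBS 2011) and reads the domain name from AD; the OU path is the one named in step 1. Run it without -Fix first.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (Server 2008 R2 / SBS 2011). Run without -Fix first to see what it would touch.
param([switch]$Fix)

Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName          # e.g. DC=mydomain,DC=local
$usersCn    = "CN=Users,$domainDn"
$sbsUsersOu = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDn"   # Domain | MyBusiness | Users | SBSUsers

# Built-in accounts that belong in CN=Users and must never be moved
$builtIn = @('Administrator', 'Guest', 'krbtgt')

$strays = Get-ADUser -Filter * -SearchBase $usersCn -SearchScope OneLevel -Properties msSBSCreationState |
          Where-Object { $builtIn -notcontains $_.SamAccountName }

foreach ($u in $strays) {
    $state = if ($u.msSBSCreationState) { $u.msSBSCreationState } else { '<not set>' }
    Write-Host ("{0,-20} in CN=Users, msSBSCreationState = {1}" -f $u.SamAccountName, $state)

    if ($Fix) {
        # The ADSIedit alternative: mark the account as created by SBS so the console lists it.
        # This does NOT assign a user role; run "Change user role for user accounts" afterwards.
        if ($u.msSBSCreationState -ne 'Created') {
            Set-ADUser -Identity $u.ObjectGUID -Replace @{ msSBSCreationState = 'Created' }
        }
        # Step 1 of the post: move the account under MyBusiness\Users\SBSUsers
        Move-ADObject -Identity $u.ObjectGUID -TargetPath $sbsUsersOu
    }
}
```

The accounts are addressed by ObjectGUID rather than distinguished name so the move and the attribute change do not depend on each other's order.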



SBS connect / connectcomputer wizard fails

Generally when a computer cannot join the domain using http://connect (SBS 2008 & 2011) or http://SBSname/connectcomputer (SBS 2003) it is due to an inability to correctly resolve the name of the domain controller in a timely fashion. Below is a list of common reasons for the connect wizards to fail.

In an SBS domain, the server should be the DHCP server, and if so, items 3 and 4 below should be automatically set through DHCP.  However if addressing is statically assigned or you are using a router you may need to make changes. Items 3 and 4 are also basic networking requirements of a Windows Domain, not just important for joining the domain.

1. If there is more than 1 network adapter installed, wired or wireless, disable all but 1 until domain joined.  If at all possible, make it a wired connection, not wireless. 

2. Many new PCs also show a Bluetooth connection under “Network Connections”; this should be disabled as well while running the wizard.  If you are using a Bluetooth mouse and/or keyboard these will have to be temporarily replaced.

3. Make sure, using IPconfig /all, that the client’s DNS points ONLY to your internal DNS servers, in this case the SBS.  Do not allow a router or ISP to be added even as an alternate.

4. IPconfig /all should also show next to “Primary DNS Suffix” your internal domain suffix such as MyDomain.local.  If not, you need to add the domain suffix to the client machine. To do so insert it in the “DNS suffix for this connection” box under the DNS tab of the NIC’s advanced TCP/IP IPv4 properties.

5. If there are any 3rd party firewalls or security suites installed, disable them until joined to the domain.  The Windows firewall should not need to be disabled.

6. If still failing, add the connect web site to the “trusted” sites list in Internet Explorer under Tools | Internet Options | Security | Trusted Sites.

7. If all else fails you can skip the wizard and use a 3rd party utility called ProfWiz.  
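Items 1 to 4 can be checked on the client before launching the wizard. The script below is an added example, not from the original post; it uses only .NET classes present on XP SP3, Vista and 7, and the SBS address (192.168.16.2) and domain suffix (mydomain.local) are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Run on the client before http://connect.
# 192.168.16.2 and mydomain.local are placeholders for your SBS and internal domain.
param(
    [string[]]$InternalDns  = @('192.168.16.2'),   # the only DNS server a domain client should use
    [string]  $DomainSuffix = 'mydomain.local'     # your internal AD domain
)

$issues = @()

# Items 1 and 2: exactly one live adapter (loopback and tunnel pseudo-interfaces do not count)
$live = @([System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
          Where-Object { $_.OperationalStatus -eq 'Up' -and
                         $_.NetworkInterfaceType -ne 'Loopback' -and
                         $_.NetworkInterfaceType -ne 'Tunnel' })
if ($live.Count -ne 1) {
    $issues += "Expected exactly one connected adapter, found $($live.Count): " +
               (($live | ForEach-Object { $_.Name }) -join ', ')
}

# Item 4: the suffix may be the primary one or set on the connection itself
$primary = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName

foreach ($nic in $live) {
    if ($nic.NetworkInterfaceType -eq 'Wireless80211') {
        $issues += "$($nic.Name) is wireless; use a wired connection for the join if at all possible"
    }
    $props = $nic.GetIPProperties()

    # Item 3: every IPv4 DNS server must be internal; no router or ISP address, not even as an alternate
    $dns = @($props.DnsAddresses | Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
             ForEach-Object { $_.ToString() })
    if ($dns.Count -eq 0) { $issues += "$($nic.Name) has no IPv4 DNS server configured" }
    foreach ($server in $dns) {
        if ($InternalDns -notcontains $server) { $issues += "$($nic.Name) uses DNS server $server, which is not the SBS" }
    }

    if ($primary -ne $DomainSuffix -and $props.DnsSuffix -ne $DomainSuffix) {
        $issues += "Neither the primary DNS suffix ('$primary') nor the suffix on $($nic.Name) ('$($props.DnsSuffix)') is $DomainSuffix"
    }
}

# The test that matters: the domain name itself must resolve (AD DNS registers the DC's address under it)
try {
    $dcIps = [System.Net.Dns]::GetHostAddresses($DomainSuffix) | ForEach-Object { $_.ToString() }
    Write-Host "$DomainSuffix resolves to: $($dcIps -join ', ')"
} catch {
    $issues += "Cannot resolve $DomainSuffix; the client is not using the SBS for DNS"
}

if ($issues.Count -eq 0) { Write-Host 'No problems found; run the connect wizard.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

The final resolution test is the one that exposes the root cause named at the top of this post: if the domain name does not resolve, the wizard cannot find a domain controller no matter what else is set.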

It is important to note that using the connect and connectcomputer wizards is very important.  With SBS 2003 it is especially critical to do so as it performs a long list of tasks other than just joining the domain.  It copies the local user’s profile, configures the user and computer environments, changes permissions, installs SBS related features, makes changes to networking, and much more.  Susan Bradley’s blog outlines this in detail: “So exactly “what” does connect computer do anyway?”  However SBS 2008 and SBS 2011 control most of this through Group Policy.  The key bonus feature with the SBS 2008/2011 wizard is its ability to import current users’ local profiles. Though I still strongly recommend using the wizard, it will only import a local workgroup profile.  If the wizard fails or you want to import a previous domain profile, you may want to consider using Profwiz.  Profwiz is a simple little tool that will join the PC to the domain and reset the permissions of an existing profile, allowing it to be used as the new domain profile (i.e. import users’ settings like desktop items, favorites, Documents, and application configurations). For instructions on downloading and running see:

SBS 2008 / 2011 adding an SSL certificate

[Note: some links point to SBS 2008 configurations, some to SBS 2011, the procedure is the same for both]

Just a quick comment to address the many internet posts suggesting that SBS requires a multi-name SSL certificate (UCC – Unified Communications Certificate).  This is not true.  SBS is designed to use a simple, inexpensive, single name certificate, and it is quite easy to install.  A basic GoDaddy or other vendor certificate is all that is required.  Sean Daniel outlines the process very nicely in his post entitled “Installing a GoDaddy Standard SSL Certificate on SBS 2008“.  Keep in mind the FQDN for your site as recorded in your public DNS records, the certificate name, and the public name used in the “Internet Address Wizard” (see step #7) all must be exactly the same.  As a matter of fact, although it is possible to use a UCC certificate, the wizard will not install it for you; you would have to do so manually.  There is no need for the additional cost or time involved with multi-name certificates.  (The link below will take you to the GoDaddy site and should have a menu bar at the top offering you a very good first year discount.)

Go Daddy $12.99 SSL Sale!

The primary argument for using a UCC cert is to make use of auto-discovery.   Though you do not need auto-discovery, if you wish to make use of it you still do not need a UCC certificate.  You can in fact configure auto-discovery using a single name certificate and creating an SRV DNS record by following the instructions in “Setting up Autodiscover for SBS 2011”.
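A quick way to confirm the three names line up, and that the autodiscover SRV record points at the same name, from any Windows machine outside the LAN. This is an added example, not from the original post or the linked articles; remote.example.com is a placeholder for your own public name, and the e-mail domain is taken to be that name minus its first label.

```powershell
# Added example, not from the original post. remote.example.com is a placeholder.
param([string]$PublicName = 'remote.example.com')

# Open a TLS session to the public name and hand back the certificate the server presents
function Get-ServerCertificate([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain: we only read the name off the certificate here, we do not validate it
        $trustAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAny)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Names the certificate covers: the subject CN plus any Subject Alternative Name entries (OID 2.5.29.17)
function Get-CertificateNames($cert) {
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            $names += ($ext.Format($false) -split ',') | ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() }
        }
    }
    return $names | Where-Object { $_ } | Select-Object -Unique
}

# 1. Public DNS: the name must resolve
$ips = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.ToString() }
Write-Host "$PublicName resolves to $($ips -join ', ')"

# 2. Certificate: issued to exactly that name, and not expired
$cert  = Get-ServerCertificate $PublicName
$names = Get-CertificateNames $cert
Write-Host "Certificate subject: $($cert.Subject)"
Write-Host "Valid for: $($names -join ', ')  (expires $($cert.NotAfter))"
if ($names -notcontains $PublicName) {
    Write-Warning "The certificate is not issued to $PublicName; DNS name, certificate name and Internet Address Wizard name must match exactly"
}
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'The certificate has expired' }

# 3. Autodiscover: a single-name certificate is enough if the SRV record sends clients to the same public name.
#    nslookup prints the target as "svr hostname = ..." on Windows.
$mailDomain = $PublicName.Substring($PublicName.IndexOf('.') + 1)
$srv = @(nslookup -type=SRV "_autodiscover._tcp.$mailDomain" 2>$null |
         Select-String 'svr hostname\s*=\s*(\S+)' | ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') })
if ($srv.Count -gt 0) {
    Write-Host "Autodiscover SRV target: $($srv -join ', ')"
    if ($srv -notcontains $PublicName) { Write-Warning "The SRV target is not $PublicName, so the single-name certificate will not cover it" }
} else {
    Write-Host "No autodiscover SRV record for $mailDomain (fine if you do not use autodiscover)"
}
```

Because the script reads the certificate without validating the chain, run it against a freshly installed certificate as well as after renewal; the name check is what catches the mismatch the post warns about.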

Alternatively, you can avoid buying an SSL certificate at all.  After running the SBS “Internet Address Management Wizard”, a self-signed certificate is generated in the SBS share: \\SBSname\Public\Downloads\Certificate Distribution Package.  Machines that are joined to the domain after this will have the certificate automatically installed.  If you generate a new certificate (by re-running the wizard), or have non-domain joined computers or devices, you need to manually copy and install the certificate.  To distribute / install the certificate on the PCs, please see “How Do I Distribute the SBS 2008 Self-Signed SSL Certificate to My Users?”  This is often not as easy to do on other devices such as smart phones.  Therefore using a 3rd party certificate becomes much more attractive, as nothing has to be installed on the connecting device.

Should you have a dynamic public IP at the SBS site, I recommend reading “Using DDNS services with SBS 2008/2011” which outlines using a dynamic IP, a DDNS service, and configuring DNS and certificates.

How can I add CALs to my SBS 2003, or SBS 2008

SBS 2003 and SBS 2008 CAL’s are no longer available for purchase, however there are still many of these servers in use and some in growing companies in need of additional CAL’s.  The solution is to buy SBS 2011 CAL’s and exercise downgrade rights.  Microsoft does have very good documentation available for doing so, but based on questions in the forum it seems to be very difficult to find, partially because the links have changed several times.  This article is by no means authoritative; you should refer to the current Microsoft documentation, but it is pulled, word for word, from the most recent documents I was able to find:   SBS 2011_Licensing_FAQ

The following outlines the options for purchasing, the downgrade rights available, and how to install the SBS 2003 CAL’s.  SBS 2008 of course does not require the CAL’s to be installed, you just have to maintain documentation for your CAL licensing for any potential audits.

Q. How do I obtain CALs for earlier versions of Windows Small Business Server when they are no longer offered on price lists?
A. It depends on what editions you need CALs for:

  • If you need additional SBS 2008 or SBS 2003 Standard CALs; you will need to acquire Windows Small Business Server 2011 CAL Suites and exercise your downgrade rights.
  • If you need additional SBS 2008 Premium CALs, they will remain available on the Open price lists for a period of time. This is due to the fact that the SBS 2011 Premium Add-on does not include the same components that are in 2008 Premium and therefore the SBS 2011 Premium Add-on CAL Suites do not offer downgrade rights.

Customers who acquire SBS 2011 CALs or SBS 2011 Premium Add-on CALs are eligible for the following CAL downgrades:


Q. How will SBS 2003 CAL activation work in that scenario since SBS 2011 [Edit: and 2008] does not require CAL activation but SBS 2003 does?
A. If you have acquired SBS 2011 CALs through the Volume Licensing (VL) channel, you can obtain SBS 2003 CAL product keys through the Volume Licensing Service Center (VLSC); these keys can then be used to downgrade to SBS 2003 (R2) CAL’s. For customers who have acquired SBS 2008 and 2011 CALs from channels other than VL, such as FPP and OEM, please use the following product keys to activate SBS 2003 Standard CALs.

A product key can only be used once to activate the designated number of CALs for that given key. Therefore a combination of keys may need to be used to activate all of your 2003 CALs. We have provided 3 keys that will activate 5 CALs each and 3 keys that will activate 20 CALs each. This is so customers can activate anywhere from 5 to the maximum number of 75 CALs supported with SBS 2003. It is recommended that you use the 20 CAL Keys first and then use the 5 CAL keys to avoid a situation where adding the 20 CAL key(s) last may put you over the 75 CAL limit when you have existing CALs.


Windows VPN Client Deployment

      subtitled: What happened to the SBS Connection Manager?

VPN name resolution is a common problem for many IT folk.  I have addressed it in previous blogs by manually configuring the VPN client to point to the corporate server for DNS, and adding the corporate domain suffix.  This is not practical as it has to be done on every computer on which the VPN client is configured.

Small Business Server 2003 had a very nice little wizard that would create a deployable VPN client called “Connection Manager” which contained server connection information and allowed for proper name resolution over the VPN.  Though the missing feature from subsequent SBS versions inspired this article, it can be used to create a deployable VPN client for any Windows Server.  The SBS wizard basically ran a mini version of a standard Windows tool called CMAK.

Firstly you need to install CMAK, the Connection Manager Administration Kit.  To do so, on a 2008 or newer server, open Server Manager under Administrative Tools, choose Features, and Add Features.  In the features wizard choose Connection Manager Administration Kit, and complete the wizard.


Though there are many configurable options and features that can be added with CMAK, for the purposes of this article only the basics will be configured to allow for VPN name resolution, automatic installation, and to try to replicate the old SBS 2003 Connection Manager experience.  One of the additional advantages of the Connection Manager Client is it limits the options with which the client can “tinker”, thus reducing support calls and increasing security.

In this example CMAK is being run on a 64bit machine. The deployable VPN client created can only be used on other 64bit machines. If you need to deploy on a 32bit machine you will need to install and run CMAK on a 32bit computer/server.  CMAK may not be available from the built-in Windows options on older operating systems.  If so, it can be downloaded as part of the Windows Server 2003 Administration Tools Pack (32bit).

Start The Connection Manager Administration Wizard from Administrative Tools, accept the UAC warning, click next, and select the O/S on which the client will be deployed, remembering the above warning about 32/64 bit.


Select New Profile,


Enter a ‘Friendly’ name for the connection and a file name (<9 characters) for the deployment package.


Rather than cluttering this post with unnecessary images, accept the defaults on the next two pages, “do not add a realm name to the user name” and leave the merge profiles boxes empty. In the next window, as per the image below, check Phone book from this profile, always use the same VPN server, and insert the public FQDN or IP of the VPN server.


Next highlight your new connection and choose edit.  Under General select Only IPv4 addresses.  If you like, for added security you can disable file and printer sharing, which blocks access to shares on the connecting client’s computer while connected to the VPN.


Under IPv4 add the internal IP for your corporate DNS server.  If you have multiple corporate DNS servers you can add a second, and if you have WINS servers you can add those as well.  Do not add public DNS servers here.  I recommend checking “Make this connection the client’s default gateway” (disabling split-tunneling) which blocks access to the client’s local LAN while connected to the VPN.  By doing so Internet access is actually made via the VPN, rather than through the local router.  One reason you may need to un-check this is it also blocks access to a local networked printer, i.e. one that is not physically attached to the connecting computer.  Leave “Use IP Header compression” checked.  Note that in a user created VPN client using the tools built into a Windows PC, the “default gateway” option can be changed.  When created with CMAK it cannot be changed.  This is intentional for security reasons.  Split-tunneling, allowing the client simultaneous local and remote network access, is considered a security risk.


Under security you can leave the defaults or change to “Only use Point to Point Tunneling Protocol (PPTP)”.  If you are connecting to an old server it may also be necessary to also check CHAP authentication, but this is less secure than MS-CHAP v2, so only do so if absolutely necessary.  All 2008 and newer servers use MS-CHAP v2 by default.


Under advanced add the internal corporate domain suffix.  Check “Register this connection’s DNS address in DNS” if for some reason LAN clients need to resolve the name of the remote computer.  I recommend not doing so if not needed as it adds unnecessary entries to DNS that may not be cleaned up if DNS scavenging is not properly configured.  Select OK, Next, and move on to the next window.


We are not using “phone books”, so uncheck “Automatically download phone book updates”.


From here accept all defaults in the next 4 windows; Configure Dial-up Networking, Specify Routing Tables, Configure Proxy Settings, and Add Custom Actions.

Note: it is assumed the server VPN configuration is basic, assigning IP’s in the same subnet for VPN clients as LAN clients, which is typical of SBS.  However, if the VPN clients are assigned addresses outside of the LAN subnet, and you want to access resources on the corporate LAN other than the VPN server, you will need to add a routing table file, on the “Specify Routing Tables” page, to have the route pushed out to VPN clients.

Though not necessary at all, you may want to add a custom graphic or logo to the connection client. This is done on the “Display Custom Logon Bitmap” page, followed by the ability to add a custom graphic in the phone book (list of connections), and on the 3rd related page you can choose to use a custom icon for the deployed VPN connection.

Leave the “Include Custom Help File” page as default, and under “Display Custom Support Information” you may want to add contact information. This is displayed on the VPN connection client, where users enter their user name and password when trying to establish a connection.


Accept the defaults in the remaining windows; “Display a Custom License agreement” and “Install Additional Files…”.  In the final window, “Build the Connection Manager Profile and its Installation Program”, leave Advanced unchecked and, assuming you do not wish to make any changes, click Next, and Finish.  The deployable package will be saved in a folder named profiles in the CMAK folder, the default location being: C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\   You only need to copy the .exe file to the client computer, in this case AcmePkg.exe


To configure the client, simply double click on the .exe file.  You will be prompted if you want the client to be available to all users or just the current user.


Click OK, and the wizard will complete, add a connection icon to the desktop, add the connection to the task bar network icon…


…and launch the VPN client.

If you wish to connect enter the user name of a member of your VPN User group, their password, and internal domain name.  The domain name does not have to be present just to connect to the VPN, but in most cases if the PC is not domain joined, it needs to be there to access files using server names, rather than IP’s.


You should now have access to resources on the remote server, assuming the VPN at the server end is properly configured, and you have the appropriate Share and NTFS/Security permissions on the server to do so.
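To confirm that the settings configured in CMAK above actually reached the client, the following script inspects the active VPN connection. It is an added example, not from the original post; the connection name (the CMAK “friendly” name), the corporate DNS server, the suffix and the test host are placeholders, and it assumes Windows exposes the active VPN as a PPP interface carrying that friendly name, which is how ipconfig displays it.

```powershell
# Added example, not from the original post. All four parameters are placeholders.
param(
    [string]  $ConnectionName = 'Acme VPN',        # friendly name entered in CMAK
    [string[]]$CorporateDns   = @('192.168.16.2'), # DNS servers entered on the IPv4 tab
    [string]  $DomainSuffix   = 'mydomain.local',  # suffix entered on the Advanced tab
    [string]  $TestHost       = 'sbs.mydomain.local'
)

$issues = @()

# Assumption: the connected VPN shows up as a PPP interface named after the connection
$vpn = @([System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
         Where-Object { $_.NetworkInterfaceType -eq 'Ppp' -and $_.OperationalStatus -eq 'Up' -and $_.Name -eq $ConnectionName })
if ($vpn.Count -eq 0) {
    throw "No connected PPP interface named '$ConnectionName'. Connect first, e.g. rasdial `"$ConnectionName`" user *"
}
$props = $vpn[0].GetIPProperties()

# DNS servers on the tunnel: the corporate ones and nothing else (IPv4 checked)
$dns = @($props.DnsAddresses | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.ToString() })
if ($dns.Count -eq 0) { $issues += 'The VPN interface has no DNS server; check the IPv4 tab of the CMAK profile' }
foreach ($server in $dns) {
    if ($CorporateDns -notcontains $server) { $issues += "VPN DNS server $server is not a corporate DNS server" }
}

# Connection-specific suffix from the Advanced tab
if ($props.DnsSuffix -ne $DomainSuffix) {
    $issues += "VPN DNS suffix is '$($props.DnsSuffix)', expected '$DomainSuffix'"
}

# Default gateway: with "Make this connection the client's default gateway" the PPP interface carries a
# gateway entry (ipconfig shows 0.0.0.0) and all traffic, Internet included, goes through the tunnel.
# No entry means split tunnelling is in effect.
if ($props.GatewayAddresses.Count -gt 0) { Write-Host 'Default gateway is on the VPN (split tunnelling disabled)' }
else { $issues += 'No default gateway on the VPN interface: split tunnelling is enabled' }

# What users actually notice: does a server name resolve through the tunnel?
try {
    $ips = [System.Net.Dns]::GetHostAddresses($TestHost) | ForEach-Object { $_.ToString() }
    Write-Host "$TestHost resolves to $($ips -join ', ')"
} catch {
    $issues += "$TestHost does not resolve; the client is not using $($CorporateDns -join '/') with suffix $DomainSuffix"
}

if ($issues.Count -eq 0) { Write-Host 'VPN client configuration looks correct' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

If the suffix or DNS checks fail on a profile you just built, rebuild it in CMAK rather than editing the connection on the client, since a CMAK profile is meant to be the one place these settings live.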

If needed, I have blogged in the past about configuring the VPN server.

Configuring a Windows SBS 2003 as a RRAS/VPN Server

SBS 2011 Essentials – Configuring VPN access

Configuring a Windows 2003 RRAS/VPN Server with 1 network adapter

Editing SBS 2008/2011 Server Reports

There have been many complaints that there are numerous events logged in the daily SBS reports to which the ultimate Microsoft solution is “The errors/warnings are benign and may be safely ignored”, “You can safely ignore the event ID error message”, or similar. The fact is some of us quickly scan the reports for serious errors, and as soon as we see a red warning we have to stop, review, and take action or, as Microsoft suggests, “ignore”.  In the interest of efficiency, or simply wanting to provide clients with clean reports, it would be nice to have errors that can be ignored actually be ignored and not added to the report. 

Great news!  Microsoft just released “An SBS Monitoring Feature Enhancement”.  This is a tool or add-on package that allows you to create your own custom list of excluded events that will no longer be added to the daily reports.  It does include a list of the known common events (below) that can be ignored, which you can also edit if you wish.

SBS 2008
• Event ID: 10016  Source: DCOM
• Event ID: 10009  Source: DCOM

SBS 2011 Standard
• Event ID: 129    Source: WinRM
• Event ID: 142    Source: WinRM
• Event ID: 4107   Source: Microsoft-Windows-CAPI2
• Event ID: 10016  Source: DCOM
• Event ID: 10009  Source: DCOM
• Event ID: 5586   Source: SharePoint Foundation
• Event ID: 6772   Source: SharePoint Foundation
• Event ID: 6398   Source: SharePoint Foundation
• Event ID: 8      Source: MSExchange CmdletLogs
• Event ID: 6      Source: MSExchange CmdletLogs
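Before adopting an exclusion list it is worth seeing what it would hide. The script below is an added example, not from the original post or from Microsoft’s add-on: it pulls the previous day’s errors and warnings, applies the list above by Source and Event ID, and prints both what the cleaned report would still contain and how many entries each exclusion swallowed. The Source strings are copied from the list; Get-EventLog must report the same Source text for an entry to match, so check its output if a count stays at zero unexpectedly.

```powershell
# Added example, not from the original post or Microsoft's add-on.
# Exclusion list as printed above (SBS 2011 Standard superset).
$exclusions = @(
    @{ Source = 'DCOM';                    Id = 10016 },
    @{ Source = 'DCOM';                    Id = 10009 },
    @{ Source = 'WinRM';                   Id = 129   },
    @{ Source = 'WinRM';                   Id = 142   },
    @{ Source = 'Microsoft-Windows-CAPI2'; Id = 4107  },
    @{ Source = 'SharePoint Foundation';   Id = 5586  },
    @{ Source = 'SharePoint Foundation';   Id = 6772  },
    @{ Source = 'SharePoint Foundation';   Id = 6398  },
    @{ Source = 'MSExchange CmdletLogs';   Id = 8     },
    @{ Source = 'MSExchange CmdletLogs';   Id = 6     }
)

# Same window as the daily report. The Exchange log only exists on SBS 2011 / Exchange servers,
# hence -ErrorAction SilentlyContinue.
$since  = (Get-Date).AddDays(-1)
$events = @()
foreach ($log in 'System', 'Application', 'MSExchange Management') {
    $events += Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue
}

$kept      = @()
$swallowed = @{}   # "Source/Id" -> number of suppressed entries
foreach ($e in $events) {
    $match = $exclusions | Where-Object { $_.Source -eq $e.Source -and $_.Id -eq $e.EventID }
    if ($match) {
        $key = "$($e.Source)/$($e.EventID)"
        $swallowed[$key] = 1 + $swallowed[$key]     # $null + 1 on first sight
    } else {
        $kept += $e
    }
}

Write-Host 'Suppressed by the exclusion list (a sudden spike in one of these is still worth a look):'
$swallowed.GetEnumerator() | Sort-Object Name |
    ForEach-Object { Write-Host ("  {0,-40} {1,5}" -f $_.Name, $_.Value) }

Write-Host "`nWhat the cleaned report would still show ($($kept.Count) entries):"
$kept | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EntryType, Source, EventID,
        @{ Label = 'Message'; Expression = { $_.Message -replace "(?s)`r?`n.*", '' } } -AutoSize
```

The exclusion matches on Source and ID only, exactly as the add-on's list does, which is why the suppressed counts are printed: a benign ID that suddenly fires hundreds of times a day is a change in the server's behaviour even if each individual entry is ignorable.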

For full details and link to the download, see the full article:

Using DDNS services with SBS 2008/2011

Often a small business cannot justify the cost of acquiring a static IP from their ISP. It is still possible to host e-mail and other services using a dynamic public IP, but you will need to use a DDNS service (Dynamic Domain Name Service). The following instructions use services offered by No-IP (link below), my preference, but similar services are offered by other vendors such as .

The following assumes you have already purchased a domain name from a registrar. There is no need to host it with your DDNS provider but if they support your domain suffix, such as .com, you can transfer it to them for management simplicity if you wish. You can also purchase a domain through most DDNS service providers if you do not already have one. However, for the purpose of this article it is assumed the domain is with another registrar.

Reliable Dynamic DNS

Set up DNS records:

I recommend purchasing and configuring the necessary services first, followed by making the changes with your domain registrar so that there is no interruption of service if the domain name is already in use. You will need to open an account with No-IP and then purchase their Plus Managed DNS service ($24.95/year). To locate, on the No-IP menu choose Services, managed DNS, No-IP Plus, learn more. Then simply enter your public domain name, click “add my domain”, and then proceed to check out.

Once complete, you need to configure your DNS records. To access the management screen select “Your No-IP” from the top of the screen, DNS hosting, then Modify next to your domain name. No-IP sets up assumed common DNS records like ftp.DomainName.com which you can leave, or I would recommend removing and just creating the records you need. Click on “Add a host”. In the dropdown list to the right of Hostname, select your domain. In the window to the left enter the name you will use to connect to your server. This can be anything you like, but if using a certificate, self-signed or purchased, it must match this name. Common names are mail, the name of the server, or the default with Small Business Server 2008, which is “remote”. Click the “Create Host” button at the bottom to save.

Next you need to create an MX record for mail delivery. The MX record usually uses the Host record you just created, but if you plan to use a different Host name you need to repeat the above process for the additional Host record.

Return to the “Managed Hosts” page and click on “Modify” next to (the root). In the bottom section of the page under mail options enter the Host record you created (not an IP) and click the Update button.

Chances are if you are using a DDNS service you have only one server (one MX record). You may want to consider a backup MX service such as the one offered by No-IP. This is added as a second, lower priority, MX record and in the event your server is off line, the No-IP service stores any mail destined for your server for up to 7 days until your server is back on line. It then automatically forwards all mail to your server. One of the nice features of the No-IP Backup MX service over others is it offers an online usage report. Often you may not be aware your server was off-line due to an ISP outage. The Usage report will record when and how long.

If you have other services such as a web page hosted with a 3rd party or at a second site, you need to create another host record for www.DomainName.com pointing to the appropriate IP. If not an IP and you need to redirect to another URL you can use the “Web Redirect” option.

Configure the DDNS client:

The DDNS client needs to be downloaded and installed on a PC or server on your network that is always on, and does not sleep or hibernate. It will monitor your public IP and update No-IP should the IP change. Many newer routers support DDNS services internally, but they require the “Custom DNS” option for No-IP, which most do not. The best bet is to install the No-IP client on your server. It can be downloaded from the No-IP site by choosing the Download tab on the home page.

Once installed, start the No-IP DUC client from the programs menu. Enter your e-mail address and password you used to set up your No-IP account. There should be a popup window as below, but if not click “Select Host” in the client management window. Check the box next to the Host record or records you wish to update with this public IP, and save. I do not recommend choosing the root domain unless you want ALL traffic for your domain directed to this IP.

Next you need to make sure this runs at all times even upon reboot by running the No-IP client as a service. In the No-IP client select file, preferences, check the box “Run as a system service”. At the bottom, if there is only one network adapter installed, you can leave as “Windows Default”. If more than one network adapter select the appropriate one from the drop down list, then click OK to save. This should be the Internet facing network adapter.

You can close the No-IP client but for future reference note there are some useful troubleshooting tools built in for testing your server, especially to see if the appropriate ports are open for the services you are offering via the Internet.

Set Domain to use No-IP DNS servers:

The final step is to change your Domain registrar to use No-IP’s DNS servers. With many registrars such as you can make these entries yourself, but with some others you have to call or open a trouble ticket and have the service provider make the changes. No-IP’s DNS servers are listed below. You do not have to use all 5.

Note: DNS changes can take up to 48 hours to propagate the various Internet DNS servers, however usually less than 8 hours. One of the advantages of a DDNS service is in the future if your IP changes due to a move or ISP change, the DNS changes are immediate. For this reason some technicians choose to use a DDNS service even if using a static IP as it can make for faster recovery in a disaster situation, when a server has to be set up in a new location.

One possible issue with hosting your own services and using a dynamic IP is the ISP blocking specific ports such as 25 which will not allow you to host a mail server. There are services such as NO-IP’s “Mail Reflector” which allow you to use ports other than the standard port 25.
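Once the registrar change has propagated, the whole chain (host record, MX, and the ports the server publishes) can be verified from outside the LAN, which is also how you find out whether the ISP is blocking port 25. The script below is an added example, not from the original post; the domain and host names are placeholders, and it should be run from a home connection or a phone hotspot, not from inside the office.

```powershell
# Added example, not from the original post. Run from OUTSIDE the LAN. Names are placeholders.
param(
    [string]$Domain   = 'example.com',
    [string]$HostName = 'remote.example.com',   # the host record created at No-IP
    [int[]] $Ports    = @(25, 443)              # SMTP and the HTTPS/RWW port
)

function Resolve-IPv4([string]$Name) {
    try {
        return @([System.Net.Dns]::GetHostAddresses($Name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.ToString() })
    } catch { return @() }
}

# TCP connect with a timeout, so a silently dropped port does not hang the script
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 4000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$issues = @()

# 1. The host record (the name the certificate must also carry)
$hostIps = Resolve-IPv4 $HostName
if ($hostIps.Count -eq 0) { $issues += "$HostName does not resolve; check the No-IP host record and the registrar's name servers" }
else { Write-Host "$HostName -> $($hostIps -join ', ')" }

# 2. MX for the root domain. .NET has no MX lookup, so parse nslookup's "mail exchanger = host" lines
$mxHosts = @(nslookup -type=MX $Domain 2>$null | Select-String 'mail exchanger = (\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') })
if ($mxHosts.Count -eq 0) { $issues += "$Domain has no MX record; mail will not be delivered" }
foreach ($mx in $mxHosts) {
    $mxIps = Resolve-IPv4 $mx
    if ($mxIps.Count -eq 0)     { $issues += "MX $mx does not resolve" }
    elseif ($mx -ne $HostName)  { Write-Host "MX $mx -> $($mxIps -join ', ') (secondary, e.g. a backup MX service)" }
    else                        { Write-Host "MX $mx -> $($mxIps -join ', ')" }
}
if ($mxHosts.Count -gt 0 -and $mxHosts -notcontains $HostName) { $issues += "No MX entry points at $HostName" }

# 3. Reachability of the published services from the Internet
foreach ($port in $Ports) {
    if (Test-TcpPort $HostName $port) { Write-Host "$HostName port $port open" }
    else { $issues += "$HostName port $port unreachable: port forward missing, or the ISP blocks it" }
}

if ($issues.Count -eq 0) { Write-Host 'DNS and ports check out' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Port 443 reachable but 25 not, with the forward confirmed on the router, is the signature of the ISP block described above and the case for a mail reflector service.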

SSL Certificates:

Once your DDNS service is configured you may want to purchase a 3rd party SSL certificate from a vendor such as . The certificate eliminates the need to install the SBS self-signed certificate on remote devices connecting to your server. This will work with a dynamic IP and a DDNS service, but as mentioned the name created by the SBS to be used remotely (in our example, ), the public DNS record, and the SSL certificate must all be the same.  For details regarding installing an SSL certificate on SBS 2008/2011 see:


Reset Domain Administrator Password

“Help! I cannot log onto my server, how do I reset the domain admin’s password?”  This has been asked a thousand times. Rather than continually advising folk or posting elsewhere I thought it best to blog a few methods and in future provide a link to this site; feel free to do so yourself as well. Hopefully the following information will be used in a responsible manner. Keep in mind none of the following is my original material, though I have tried to give credit when possible. Use at your own risk, there are no guarantees or warranties associated with any of the material below, and make sure you back up anything you can still access through shares and such before attempting. I have tried other methods not listed below that have corrupted Active Directory and resulted in server rebuilds or restores, so a backup is critical.

If it is a Domain Controller most of the free or inexpensive password tools will not work. You can buy enterprise software that will do the job, the most common being:

Alternatively, the following is free, works well, but it involves many steps. Basically you reset the ASR password and then create a service that will automatically run when the server restarts to reset the password. To fully understand all the details, make sure you review all of the links within the article.

There is a newer method that is easier with Server 2008 / Server 2008 R2 / SBS 2008 / SBS 2011  (I have not tested on server 2003, though the necessary files do exist). The original site outlining this seems to be off-line so I have posted the contents of the original site below. However, in an attempt to give credit to the author the original site link was:  There is also a video outlining the same process that has since been posted at:

The steps are as follows:

· Restart the server and boot to the DVD

· After selecting the appropriate installation language, select Repair Your Computer

· Start command prompt, and change the command line path to C:\ by entering c:\

· Enter cd c:\windows\system32

· Enter ren utilman.exe *.bak

· Enter copy cmd.exe utilman.exe

· Restart the server. This time do not boot to the DVD, just boot normally

· At the login screen, press the Windows+U keys on your keyboard. This will bring up the command prompt

· Enter net user [server admin username] [new password]

· On a regular Server 2008 install, [server admin username] will probably be administrator, but it could be any domain username with domain admin rights. [new password] will be the new password you want to set. If password complexity is enabled (which is the default on Server 2008) you will need to have some UPPER case letters and/or numbers and/or symbols in the password.

· On SBS 2008, the administrator account is disabled by default. Even if you reset the administrator password, you still won’t be able to login because the account will still be disabled. Instead of administrator, you would use the server admin user name that was used when the server was first setup. If you don’t know the user name, you can enter net user to get a list of all domain user accounts. It won’t show you what users have what privileges, but it could help jog your memory.

· Now go back to the login screen and log in with the user name and new password you just set. For user name, be sure to use the domain\username format

· Once you have verified that you can log in with the new password, repeat steps 1-4

· Enter ren utilman.bak *.exe

· Restart the server and boot normally
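The procedure above leaves traces, and an administrator who inherits a server will want to know whether it has been run. The script below is an added example, not from the original post: it checks that utilman.exe is still the accessibility binary rather than a copy of cmd.exe and looks for the utilman.bak left behind by the rename step. Signature checking alone would miss the swap, because a copied cmd.exe carries a valid Microsoft signature too, so the hash comparison against cmd.exe is the decisive test.

```powershell
# Added example, not from the original post. Run as an administrator on the server being checked.
$system32 = Join-Path $env:windir 'System32'
$utilman  = Join-Path $system32 'utilman.exe'
$cmd      = Join-Path $system32 'cmd.exe'
$findings = @()

function Get-Sha256([string]$Path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

# 1. Identical bytes to cmd.exe means the file was replaced exactly as the steps above describe
if ((Get-Sha256 $utilman) -eq (Get-Sha256 $cmd)) {
    $findings += 'utilman.exe is byte-for-byte identical to cmd.exe'
}

# 2. The version resource names the binary a file was built as (cmd.exe reports Cmd.Exe)
$info = (Get-Item $utilman).VersionInfo
if ($info.OriginalFilename -notlike 'utilman*') {
    $findings += "utilman.exe's version resource says it is '$($info.OriginalFilename)' ($($info.FileDescription))"
}

# 3. The rename step leaves utilman.bak behind until the final step restores it
if (Test-Path (Join-Path $system32 'utilman.bak')) { $findings += 'utilman.bak exists in System32' }

# 4. Signature status, reported for completeness but not relied on (a swapped-in cmd.exe is also signed)
$sig = Get-AuthenticodeSignature $utilman
Write-Host "utilman.exe signature: $($sig.Status), signer: $($sig.SignerCertificate.Subject)"

if ($findings.Count -eq 0) { Write-Host 'No sign of a utilman.exe swap' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Because the swap is made offline from the installation DVD, nothing about it appears in the event logs; the only records are the file system state checked here and the password change itself. BitLocker on the system volume, or simply controlling who can boot the server from removable media, is what prevents the procedure from being used by someone who should not have the password.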

