What’s Under your Hood? Finding Installed Roles and Role Services

Right now I am dealing with an SBS 2008 Server that was missing the Terminal Services Gateway service. This meant that RWA was not working. Users could login to the RWA, choose which computer to connect to, but then they got an error saying that the Terminal Services Gateway service was not running and to call and shout at their Administrator.

SBS 2011 Standard : Exchange 2010 Single Message Restore

During a recent SMB MVP Community Roadshow event in Edinburgh, a member of the audience asked us about Email restore in SBS 2011.

Although I knew this could be done, I had never actually done it. So I decided to work out how it was done with SBS 2011.

I found a lot of great resources online that helped me with the process and I have linked to them at the end of this post.

I’m focusing on a situation where we are restoring from a backup, rather than what is available through the Exchange dumpster (aka Recover Deleted Items), although I do cover that briefly below.

Quick Fix : Did I Update or Did I Not Update, that is the question!

I currently have a number of books on my desk that I use for reference. You may have heard of them, read them, bought them, stolen them, sorry, borrowed them etc. Anyway, they won’t be a new idea to you. I don’t mean books in general, I mean these particular books. I am of course referring to the Administrators Pocket Consultant series from Microsoft Press.

All of them unnervingly seem to be written by the same person, Mr William R Stanek. Anyway there is a point to this.

I have been answering questions in the forum recently and I find myself asking the OP, hey, do you have XYZ update installed?

They usually reply, how do I check?

Of course I refer them to their Administration journal, which clearly shows the date and time any update had passed testing and was approved for installation, the name of the tech who logged onto the server, the colour of the socks he had on whilst he installed it. Of course it could have been a her.

Knowing many of you don’t keep such a journal only saddens me. I like to know what colour socks I had on, on a given day, and I frequently go back and check.

I turned of course to my PowerShell Administrators Companion, and found the following command.

Never again shall you be left red faced by the question, do you have XYZ update installed? Not only will you be able to answer with confidence, you will be able to give all sorts of other detail that will really impress me.

Loading up PowerShell, you can simply type…

Get-Hotfix

This will list all of the Updates, Hotfixes and Service Packs that have been installed onto the system. It will also list the date, and who installed them.

But how does that help you find a specific update? Simply add the KB number you are looking for.

Get-Hotfix -id <KB Number>

For example, if I want to know if I have installed SBS Essentials Update Rollup 1, I can type:

Get-Hotfix -id KB2554629

If the hotfix is not installed you will get an error.


As easy as that.
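To check several updates in one go and get a clean installed/not installed answer instead of the error, the lookup can be wrapped in a small function. This is an added example, not from the book or the original post: the function name Get-HotFixStatus is hypothetical, KB0000000 is a constructed placeholder, and the syntax is kept to what PowerShell 2.0 accepts.

```powershell
# Added example (not from the original post).
# Get-HotFixStatus is a hypothetical helper name.
function Get-HotFixStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Id,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($kb in $Id) {
        # Accept "2554629" as well as "KB2554629".
        $kb = $kb.Trim().ToUpper()
        if ($kb -notmatch '^KB') { $kb = "KB$kb" }

        # A missing hotfix raises a non-terminating error. Silence it and
        # treat "nothing returned" as "not installed".
        $hit = Get-HotFix -Id $kb -ComputerName $ComputerName -ErrorAction SilentlyContinue |
            Select-Object -First 1

        $description = $null
        $installedOn = $null
        $installedBy = $null
        if ($hit -ne $null) {
            $description = $hit.Description
            $installedOn = $hit.InstalledOn
            $installedBy = $hit.InstalledBy
        }

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            HotFixID     = $kb
            Installed    = ($hit -ne $null)
            Description  = $description
            InstalledOn  = $installedOn
            InstalledBy  = $installedBy
        } | Select-Object ComputerName, HotFixID, Installed, Description, InstalledOn, InstalledBy
    }
}

# KB2554629 is the rollup from the post; KB0000000 is a constructed
# placeholder that should come back as Installed = False.
Get-HotFixStatus -Id 'KB2554629', 'KB0000000' | Format-Table -AutoSize
```

Get-HotFix reads the Win32_QuickFixEngineering WMI class, which only covers updates installed through Component Based Servicing, so an update delivered as an MSI package will report as not installed here even when it is present.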

By the way, I’m not selling these books nor do I earn commission out of their sale, but I have one of these books for pretty much every Microsoft Server/Client OS I support. They are cheap and are just full of brilliant tips such as the one I just ripped off and turned into a blog post.

Quick Fix: Outlook 2010 Sending from a second Exchange Mailbox

I have been battling this problem for some time now. It has been driving me to distraction it is fair to say.

What I didn’t realise until now is that I was actually battling two separate issues. Once I realised that, it made the solution clear.

The issue I was facing was that additional mailboxes were being automatically added to an Outlook profile. This was puzzling me because firstly, I didn’t know why it was happening, and secondly I wasn’t able to send from that second mailbox. I could manually type in the address in the From field, but I wanted to be able to choose it and have the signature change based on the account I was using.

So a lot of research, lab work and questions later, I think I found the answers, and the solution.

Issue 1. Exchange 2010 SP1 Full Mailbox Access

Are you running Exchange 2010 SP1 with clients running Outlook 2010 SP1?

If you are, and like me you have shared mailboxes, or generic mailboxes that other users access, you may be used to setting Full Mailbox access permission on those generic accounts.


(You would then add them to Outlook through the properties of your Primary Mailbox, under More Settings, and Advanced)

With Exchange 2010 SP1 and Outlook 2010 SP1, having given full mailbox access to an account, you may have seen that the account that you have full mailbox access to has automatically added itself to your Outlook profile.

You may also notice, there is no way to remove it!

This behaviour is actually well documented, but one of the best explanations I found is here.

If you don’t want to bother reading that – and you should read it – basically using the Exchange 2010 SP1 EMC or EMS to add Full Mailbox Access now also sets an attribute on the account – msExchDelegateListLink. This attribute says which other accounts have access to this mailbox.

Outlook 2010 SP1 will look for that key now and anyone that matches, will be auto added. Quite straight forward when you know what is happening.

So that is the first part of the mystery solved.

The solution to stop this happening is easy: remove that attribute. You can either do it through ADSIEdit, or by adding Full Mailbox Access with a script instead of using the EMC/EMS. Again, I’ll point you back to this blog for the solution.

Assuming you have now removed that attribute, you can go ahead and add the second mailbox the traditional way.

 

Issue 2. Outlook 2010 Send from Multiple Exchange Mailboxes

But wait – once you have done this, you still cannot select it as an account to send from?

At this point I really started to get frustrated. I was wrongly blaming Exchange 2010 SP1 for this weird behaviour and missing the clue right under my nose.

It seems that the ability to send from a second Exchange mailbox, when it is added in what I will call the traditional manner, has been changed in Outlook 2010.

I’m running Outlook 2010 and have several Exchange mailboxes open; I just had never noticed this behaviour. I’m also running Exchange 2007, and having been dealing with the issue outlined above, I never thought to look at my own Outlook.

The solution here seems to be very simple indeed.

Once you have removed the attribute, you still retain full access. That means you can add the second mailbox as a totally separate account, and you won’t be prompted to log in to that mailbox, because your current credentials have permission to open it.

So to recap, first you need to make sure you remove the msExchDelegateListLink attribute from the second mailbox. Then just add that second mailbox as a second account. You will need to close Outlook down in order to do that. When adding the mailbox, choose to ‘Manually Configure Server Settings..’

You will then see the mailbox as a second account.

And you can choose to send from this account as well.

I really hope this helps you, and saves you some time and energy!

SBS 2011 Standard & iPhone

I’ve noticed a lot of people are hitting my blog with search terms like SBS2011 iPhone or words to that effect. I got to thinking that maybe some people are not interested in the technical detail in my previous posts about iPhones or iPads, and maybe they just wanted to know how to add their Exchange email to their device.

If you want to know how to configure your iPhone with Office 365 look here.

If you are looking for information on the iPhone Configuration Utility, look here.

If you are looking for information on the iPhone and AutoDiscover, look here.

If you just want me to shut up and tell you what settings you need to make your iDevice work with your new Exchange Server, read on!

Add your email to your iPhone

First from the Home screen, go to Settings.

Then go to Mail, Contacts, Calendars.

Choose Add an Account.

Choose Microsoft Exchange.

You are then asked for 5 pieces of information.

    • Email
    • Domain
    • Username
    • Password
    • Description


Email

This is your email address

Domain

Your server’s internal domain name. For example, ‘sbs.local’ could be your internal domain name. You can just enter ‘sbs’.

Username

This is the username you use when you logon to your computer in the office.

Password

The password you use when you logon to your computer in the office.

Description

This is just a memorable name so you can distinguish between multiple email accounts on your device.

Once you have filled out this information, click on Next. Notice the device now says ‘Verifying’.

You may be presented with a warning message regarding ‘verification of the server identity’. Click on Continue.

For more info on why this happens, follow my link above regarding AutoDiscover.

In most cases you will now see a new box appear, called Server.

 

Server

This is the public name for your SBS Server.

The default for SBS 2008 and SBS 2011 is ‘remote.company.com’

(where company.com is your email domain)

Type this in and click Next. Again the phone will show as Verifying.

The next page will ask you which items you want to sync to your phone.

Click on Save when you are happy with your selection.

Your items will now start to sync to your phone.

Default Behaviour

By default the iPhone will only sync the last 3 days of content, so don’t get freaked out if all of your email is ‘missing’.

You can change the behaviour in the settings of the account.

Under Settings, Mail, Contacts, Calendars, find your account by its description. Inside here you can change the sync behaviour.

Quick Fix : SBS 2011 Standard (Exchange 2010) 554 5.1.0 Sender Denied

Had a puzzler last week. Client called up to say one of his contacts couldn’t email him. It was being rejected.

Message rejections will be a common problem for many people, and the best thing to do is get a copy of the rejection message, or what I call the NDR (Non Delivery Receipt, or Report).

Luckily in this case, there was actually an NDR generated, because some times email can just seem to vanish into the ether, and you’re left with little to go on…

Also luckily for me the third party was happy to send on the NDR via my client’s secretary.

The smart ones reading will now have figured out that the rejections were only to my caller – the third party was able to email the secretary successfully.

Here is the NDR


You can see that the Error Code is #5.1.0 smtp; 554 5.1.0 Sender denied

Sender denied, I thought… sounds like something was configured in Exchange… which it turns out it was, but not what I thought.

Also, the NDR in question was generated by their Exchange server, not by their Offsite AntiSpam service, which helped me quickly identify that the issue was at their Exchange, not at the Anti Spam service.

Sender Filtering is one of the Anti Spam tools enabled and running by default on SBS 2011 Standard.

Usually the NDR above would be associated with an address that is blocked by the Sender Filter running on the Hub Transport Role.

However in this case there were no addresses blocked by the Sender Filter at the server level.

(If you want to look at the Anti Spam tools, I have covered their location at the end of the post.)

In this case the address was defined by the user’s own Junk Mail settings.

I logged into the SBS RWA (Remote Web App) and logged into Outlook Web App (OWA).

Clicking on to Options, then More Options, there is a ‘Block or Allow’ option in the menu on the left hand side.


If you click here you can see a list of Allowed Senders, and a list of Blocked Senders.  Scroll Down to see Blocked Senders.


Sure enough the email address being rejected was set to be blocked. Removing the address from this list will allow emails to be received from that address. Make sure to save the changes and that should solve the problem.

It won’t solve the mystery of how the address ended up as a blocked sender, but that mystery will live on, like the other great mysteries we face, such as using a PC during a power cut, photocopying a floppy disk to use as a backup, and using the optical drive as a beverage cup holder.

Exchange Anti Spam Tools

You can find the Anti Spam tools on SBS by opening up the Exchange Management Console and navigating to:

Organization Configuration, Hub Transport, Anti Spam tab

And under:

Server Configuration, Hub Transport, you will find another Anti Spam tab.

Exchange 2010 Anti Spam Related Links

MS TechNet – Enable Anti-Spam on a Hub Transport Server

MS TechNet Managing Anti-Spam Features

Performing a System State Backup on SBS 2011 (Standard & Essentials)


Hands up if you use Image Based Backup?

Good, all of you.

Or is that bad?

There was a lively discussion recently on the topic of Image Based backups in an Active Directory environment.

It seems a lot of people have potentially overlooked the issue of having to restore a Domain Controller, or part of Active Directory.

If you are using solely image based backups and you lose a domain controller, what can you do?

Sure you can restore that server, using an image.

Thinking back to the days before image based backup, using NTBackup or similar provided us with a System State backup, which for those who don’t know, was basically a backup of the registry and any other critical system files and in the case of a domain controller, it also provided us with a backup of Active Directory. (Susan Bradley’s Blog Post on a System State Backup in the 2003 era)

This backup was special, separated from a normal all files backup.

With that backup you could perform either a non authoritative restore, or an authoritative restore, depending on your needs. I won’t go into too much here, but basically a non authoritative restore would allow the local server’s AD to be overwritten by any other DC, while an authoritative restore told the local DC to overwrite all the other DCs. But the key was, you need a System State backup in order to kick off either type of restore.

You can find more info here:

http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

http://support.microsoft.com/kb/241594

http://blogs.technet.com/b/qzaidi/archive/2010/10/07/quickly-explained-active-directory-authoritative-restore.aspx

So, armed with that, you might have a shiver running down your spine, where you have been sitting comfortably knowing your well thought out and carefully monitored image based backup is fool proof – I’m afraid not.

(Having said all of that, there is actually a way around not having a system state backup, but telling you how would encourage bad practice so I’m not going to, and it only works for one of the scenarios.)

If you are using the built-in SBS backup, then a system state is included as part of that backup.

http://blogs.technet.com/b/sbs/archive/2011/02/15/introducing-the-small-business-server-2011-backup-wizard.aspx

http://blogs.technet.com/b/sbs/archive/2011/03/31/how-to-perform-an-authoritative-system-state-restore-in-sbs-2008-2011-standard.aspx

Now it has to be said that there will only be a handful of occasions where this would be useful, but wow, if you are in one of those situations you will be glad you have one.

What is it going to protect you against? A corrupted Active Directory (yes it does happen). An accidentally deleted user or other object. Locking yourself out of the domain admin account.

(For SBS Essentials we can easily enable something called the Active Directory Recycle Bin; more on that later.)

Without the system state backup included in our daily backup – what do we do?

Well, lucky for us, on SBS the Windows Server Backup feature is already enabled, so it is very easy to set up and perform a System State backup. Open up a command prompt as an administrator.

To run a system state backup we can use the wbadmin command tool. You choose to run your system state backup to a volume, not a folder; however, you cannot use a location that is included in the backup as the destination, so for example the below command will fail.

wbadmin start systemstatebackup -backuptarget:c:

Let’s look at the parameters available for the systemstatebackup command.

From TechNet:


So, we know that a network location is out, that leaves either a separate Data volume, or an external drive.

I suppose we could use the same disks here that we use for our daily backups; however, I think a better solution is to back up to our Data partition, and then that will be included within our normal daily backup (image based or otherwise). Of course, once we have backed up the System State, there is nothing to say we can’t copy it to a network share or anywhere else.

So, let’s try this command instead.

wbadmin start systemstatebackup -backuptarget:d:

You will need to confirm that yes you really do want to start a backup.

The backup will then start, and create shadow copies for the volumes the system detects as part of the ‘system state’

It will show you how many files are being detected, and continue on with the backup.

Now it might take quite some time for the backup to run, as being an SBS server there is a lot of data to be backed up.

Once the backup is completed, we can see we now have a new folder on our D drive.

If we try to access this we are blocked, so in order to show you what is inside I’ll click Continue here.

We see a folder named after the server; again we need to gain access.

Now inside here we have several folders. The backup itself is contained within the Backup folder, and it is named with a date and time that the backup was launched. Inside this folder will be some XML files and a VHD per volume backed up.

Below shows the size of the backup folder of a fairly standard SBS Essentials System State.

Moving on to schedule the backup, we can just build a simple scheduled task to run the wbadmin command, but you will want to add on the -quiet switch so it runs silently. I will leave it up to you to decide if you want to copy that off to a different location.

Here is a sample script you can run to perform a System State backup, then copy to a network share.

wbadmin start systemstatebackup -BackupTarget:d: -quiet

ping 127.0.0.1

robocopy d:\WindowsImageBackup \\networkcomputer\SBSSystemState /E /COPY:DATSO /Z

I added the ping in there to give it a few seconds after the backup had completed before it starts to copy, and not being a script wizard, that’s the best I can do. You can just dump that into Notepad and save it as a BAT file and use your Task Scheduler to run that file.
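A PowerShell variant of the same scheduled job that stops before the copy when the backup itself failed, so an old backup is not silently shipped to the share as if it were new. This is an added example, not the original post's script; the log path is hypothetical, the drive letter and share are the ones used above, and it assumes wbadmin returns exit code 0 on success.

```powershell
# Added example (not the original post's script).
# Assumptions: D: is the data volume, the share name is the one used in
# the post, the log path is made up, wbadmin exits with 0 on success.
$target = 'd:'
$source = 'd:\WindowsImageBackup'
$share  = '\\networkcomputer\SBSSystemState'
$log    = 'd:\SystemStateBackup.log'

function Write-Log([string]$Message) {
    "{0}  {1}" -f (Get-Date -Format 's'), $Message | Add-Content -Path $log
}

Write-Log "Starting system state backup to $target"
& wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Log "wbadmin failed with exit code $LASTEXITCODE, skipping the copy"
    exit 1
}

# Record the backup catalogue so the log shows the version identifier
# that a later 'wbadmin start systemstaterecovery' would need.
& wbadmin get versions | Add-Content -Path $log

Write-Log "Copying $source to $share"
& robocopy $source $share /E /COPY:DATSO /Z /R:2 /W:10 /NP "/LOG+:$log"

# Robocopy exit codes are bit flags: values below 8 mean the copy
# completed, 8 or above means at least one file or folder failed.
if ($LASTEXITCODE -ge 8) {
    Write-Log "robocopy reported failures (exit code $LASTEXITCODE)"
    exit 2
}

Write-Log "System state backup and copy completed"
exit 0
```

The non-zero exit codes also show up as the task's last run result in Task Scheduler, which gives you something to alert on.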

I know what you are thinking, how do i restore this?

First off, you need to boot the server into a special mode called Directory Services Restore Mode. You do this by pressing F8 at startup (just after POST has completed but before the Windows logo appears). Then you need to log on.

You can’t log on using your domain admin password, as the domain is not running. So instead you need to use a special account.

Enter this:

Username: .\administrator 

(yes that is .\ this tells the logon process to logon locally as opposed to onto the domain)

Password: domain admin password

(your domain admin password)

Once logged in, you can browse the system as though you were booted up in normal mode. This is good if you need to copy the backup back from a network share or similar (you don’t need to as the restore supports a backup stored on a network share)

So from our elevated command prompt we can run..

wbadmin get versions

This will list all the available versions of the backups you have to restore.

Pay attention to the version identifier as we will need this to initiate a restore.

To start the restore, enter:

wbadmin start systemstaterecovery -version:08/24/2011-09:56

You will need to say yes, I want to start the recovery, and then also say yes to confirm you understand about potential impact on replication (only applicable in multi DC environments).

The backup will then whizz off and restore.

Once the restore is complete, you need to reboot.. then when you log in you should see…


For more examples and a list of syntax, check this out.

AD Recycle Bin (AD RB)

Being up front and honest, never used it.

It is a new feature with Windows Server 2008 R2, and, well, it looks pretty cool. This will help protect against items that were accidentally deleted, and should help stop you having to do a full restore of AD.

Check out this blog post for an introduction:

http://blogs.technet.com/b/activedirectoryua/archive/2009/01/30/introducing-active-directory-recycle-bin.aspx

And for more info:

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

http://technet.microsoft.com/en-us/library/dd391916%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/dd392261%28WS.10%29.aspx

Now, you read all that right?

So you know then, that to enable AD RB your Forest Functional Level must be at Server 2008 R2 which is good news for SBS 2011 Essentials customers, as it is by default.

Potentially bad news for SBS 2011 Standard customers, as it isn’t.

Even worse for those of you on SBS 2008, as that is plain old Server 2008, not R2.

Check out this TechNet page for more info http://technet.microsoft.com/en-us/library/cc730985.aspx

Very quickly, if you have, or plan to have, any DCs that will not be running Windows Server 2008 R2, then the AD RB is not going to be an option for you in an SBS network.

Assuming all is well, and you have followed the guidance and planning advice in the links above, and also done all your own research and promise not to blame me if anything goes wrong..

Enabling the AD RB is straightforward. You need to use the AD PowerShell Module, from Administrative Tools, and also run this As Administrator.

This article does such a great job of explaining it, you should just read that instead!

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx
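Before following that article, the prerequisites described above (forest functional level at Server 2008 R2, no older DCs) can be checked from the same AD PowerShell Module. This is an added example, not from the original post or the linked articles; it only reads information and changes nothing, and the function name Test-ADRecycleBinReadiness is hypothetical.

```powershell
# Added example (not from the original post or the linked articles).
# Read-only. Test-ADRecycleBinReadiness is a hypothetical helper name.
Import-Module ActiveDirectory

function Test-ADRecycleBinReadiness {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # List every DC in every domain of the forest with its OS version.
    # OperatingSystemVersion looks like "6.1 (7601)"; 6.1 is Server 2008 R2.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
            $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
            New-Object PSObject -Property @{
                HostName        = $_.HostName
                OperatingSystem = $_.OperatingSystem
                IsR2OrLater     = ($ver -ge [version]'6.1')
            }
        }
    }

    # DCs older than 2008 R2 stop the functional level from being raised.
    $blocking = @($dcs | Where-Object { -not $_.IsR2OrLater })

    # The feature object lists the scopes it is enabled for; an empty
    # list means the Recycle Bin has not been switched on.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $enabled = ($feature -ne $null) -and ($feature.EnabledScopes.Count -gt 0)

    New-Object PSObject -Property @{
        ForestMode            = $forest.ForestMode
        ForestModeSufficient  = ($forest.ForestMode -ge $required)
        BlockingDCs           = ($blocking | ForEach-Object { $_.HostName })
        RecycleBinEnabled     = $enabled
    } | Select-Object ForestMode, ForestModeSufficient, BlockingDCs, RecycleBinEnabled
}

Test-ADRecycleBinReadiness | Format-List
```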