Performing a System State Backup on SBS 2011 (Standard & Essentials)


Hands up if you use Image Based Backup?

Good, all of you.

Or is that bad?

There was a lively discussion recently on the topic of Image Based backups in an Active Directory environment.

It seems a lot of people have potentially overlooked the issue of having to restore a Domain Controller, or part of Active Directory.

If you are using solely image based backups and you lose a domain controller, what can you do?

Sure you can restore that server, using an image.

Thinking back to the days before image based backup, using NTBackup or similar provided us with a System State backup. For those who don’t know, that was basically a backup of the registry and any other critical system files and, in the case of a domain controller, it also provided us with a backup of Active Directory. (Susan Bradley’s Blog Post on a System State Backup in the 2003 era)

This backup was special, separated from a normal all files backup.

With that backup you could perform either a non authoritative restore or an authoritative restore, depending on your needs. I won’t go into too much here, but basically a non authoritative restore would allow the local server’s AD to be overwritten by any other DC, while an authoritative restore told the local DC to overwrite all the other DCs. But the key was, you need a System State backup in order to kick off either type of restore.

You can find more info here:

http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

http://support.microsoft.com/kb/241594

http://blogs.technet.com/b/qzaidi/archive/2010/10/07/quickly-explained-active-directory-authoritative-restore.aspx

So, armed with that, you might have a shiver running down your spine, where you have been sitting comfortably knowing your well thought out and carefully monitored image based backup is fool proof – I’m afraid not.

(Having said all of that, there is actually a way around not having a system state backup, but telling you how would encourage bad practice so I’m not going to, and it only works for one of the scenarios.)

If you are using the built-in SBS backup, then a system state is included as part of that backup.

http://blogs.technet.com/b/sbs/archive/2011/02/15/introducing-the-small-business-server-2011-backup-wizard.aspx

http://blogs.technet.com/b/sbs/archive/2011/03/31/how-to-perform-an-authoritative-system-state-restore-in-sbs-2008-2011-standard.aspx

Now it has to be said that there will only be a handful of occasions where this would be useful, but wow, if you are in one of those situations you will be glad you have one.

What is it going to protect you against? A corrupted Active Directory (yes, it does happen), an accidentally deleted user or other object, or locking yourself out of the domain admin account.

(For SBS Essentials we can easily enable something called the Active Directory Recycle Bin; more on that later.)

Without the system state backup included in our daily backup – what do we do?

Well, lucky for us, on SBS the Windows Server Backup feature is already enabled, so it is very easy to set up and perform a System State backup. Open up a command prompt as an administrator.


To run a system state backup we can use the wbadmin command-line tool. The backup target must be a volume, not a folder, and you cannot use a location that is itself included in the backup as the destination, so for example the command below will fail.

wbadmin start systemstatebackup -backupTarget:c:


Let’s look at the parameters available for the systemstatebackup command, as documented on TechNet.

So, we know that a network location is out, that leaves either a separate Data volume, or an external drive.

I suppose we could use the same disks here that we use for our daily backups; however, I think a better solution is to back up to our Data partition, which will then be included within our normal daily backup (image based or otherwise). Of course, once we have backed up the System State, there is nothing to say we can’t copy it to a network share or anywhere else.

So, let’s try this command instead.

wbadmin start systemstatebackup -backupTarget:d:

You will need to confirm that yes you really do want to start a backup.


The backup will then start, and create shadow copies for the volumes the system detects as part of the ‘system state’.

It will show you how many files are being detected, and continue on with the backup.


Now it might take quite some time for the backup to run, as on an SBS server there is a lot of data to be backed up.


Once the backup is completed, we can see we now have a new folder on our D drive.

If we try to access this we are blocked, so in order to show you what is inside I’ll click Continue here.


We see a folder named after the server; again we need to gain access.


Inside here we have several folders. The backup itself is contained within the Backup folder, which is named with the date and time that the backup was launched. Inside this folder will be some XML files and a VHD per volume backed up.


[Screenshot: the size of the backup folder of a fairly standard SBS Essentials System State]

Moving on to scheduling the backup: we can just build a simple scheduled task to run the wbadmin command, but you will want to add the -quiet switch so it runs silently. I will leave it up to you to decide if you want to copy the backup off to a different location.

Here is a sample script you can run to perform a System State backup, then copy it to a network share.

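REM Back up the System State to the D: volume without prompting
wbadmin start systemstatebackup -backupTarget:d: -quiet

REM Pause for a few seconds before the copy starts
ping 127.0.0.1

REM Copy the backup folder to a network share
robocopy d:\WindowsImageBackup \\networkcomputer\SBSSystemState /E /COPY:DATSO /Z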

I added the ping in there to give it a few seconds after the backup had completed before it starts to copy, and not being a script wizard, that’s the best I can do. You can just dump that into Notepad, save it as a BAT file and use your Task Scheduler to run that file.
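The same backup-then-copy job as an added PowerShell example (not the author's script), which checks the result of each step before moving on. The log path is hypothetical, and wbadmin returning a non-zero exit code on failure is an assumption.

```powershell
# Added example, not the author's script. Run from an elevated prompt or scheduled task.
$target      = 'd:'                                 # backup volume used on this page
$source      = 'd:\WindowsImageBackup'              # folder wbadmin creates on the target
$destination = '\\networkcomputer\SBSSystemState'   # share from the page's sample script
$log         = 'd:\SystemStateBackup.log'           # hypothetical log file path

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $log -Value "$stamp  $Message"
}

$started = Get-Date
Write-Log "Starting System State backup to $target"

# wbadmin runs in the foreground, so the script continues only once it has finished.
& wbadmin.exe start systemstatebackup "-backupTarget:$target" -quiet
$backupExit = $LASTEXITCODE

# Assumption: wbadmin exits with 0 on success and non-zero on failure.
if ($backupExit -ne 0) {
    Write-Log "Backup FAILED (wbadmin exit code $backupExit); nothing was copied"
    exit 1
}

# Second check: the page notes the backup holds one VHD per volume, so at least
# one .vhd written after the start time should exist under the server's folder.
$serverDir = Join-Path $source $env:COMPUTERNAME
$newVhds = @(Get-ChildItem -Path $serverDir -Recurse -Filter '*.vhd' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $started })
if ($newVhds.Count -eq 0) {
    Write-Log "Backup reported success but no new VHD was found under $serverDir"
    exit 1
}
Write-Log "Backup completed: $($newVhds.Count) VHD file(s) written"

# The System State of a domain controller includes the Active Directory database,
# so the destination share should be accessible to backup administrators only.
& robocopy.exe $source $destination /E /COPY:DATSO /Z /R:2 /W:5 /NP
$copyExit = $LASTEXITCODE

# Robocopy exit codes of 8 or higher mean at least one file failed to copy.
if ($copyExit -ge 8) {
    Write-Log "Copy FAILED (robocopy exit code $copyExit)"
    exit 2
}
Write-Log "Copy completed (robocopy exit code $copyExit)"
exit 0
```

The exit codes 1 and 2 surface in Task Scheduler as the task's last run result, so a failed backup or copy is visible without opening the log.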

I know what you are thinking: how do I restore this?

First off, you need to boot the server into a special mode called Directory Services Restore Mode. You do this by pressing F8 at startup (just after POST has completed but before the Windows logo appears). Then you need to log on.

You can’t log on using your domain admin password, as the domain is not running. So instead you need to use a special account.

Enter this:

Username: .\administrator 

(Yes, that is .\ which tells the logon process to log on locally as opposed to onto the domain.)

Password: domain admin password

(your domain admin password)

Once logged in, you can browse the system as though you were booted up in normal mode. This is good if you need to copy the backup back from a network share or similar (you don’t need to as the restore supports a backup stored on a network share)

So from our elevated command prompt we can run:

wbadmin get versions


This will list all the available versions of the backups you have to restore.

Pay attention to the version identifier as we will need this to initiate a restore.

To start the restore, enter:

wbadmin start systemstaterecovery -version:08/24/2011-09:56


You will need to say Yes, I want to start the recovery, and then also say Yes to confirm you understand about the potential impact on replication (only applicable in multi DC environments).


The backup will then whizz off and restore.

Once the restore is complete, you need to reboot. Then when you log in you should see…


For more examples and a list of syntax, check this out.

AD Recycle Bin (AD RB)

Being up front and honest, never used it.

It is a new feature with Windows Server 2008 R2 and, well, it looks pretty cool. This will help protect against items that were accidentally deleted, and should help stop you having to do a full restore of AD.

Check out this blog post for an introduction:

http://blogs.technet.com/b/activedirectoryua/archive/2009/01/30/introducing-active-directory-recycle-bin.aspx

And for more info:

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

http://technet.microsoft.com/en-us/library/dd391916%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/dd392261%28WS.10%29.aspx

Now, you read all that right?

So you know then, that to enable AD RB your Forest Functional Level must be at Server 2008 R2 which is good news for SBS 2011 Essentials customers, as it is by default.

Potentially bad news for SBS 2011 Standard customers, as it isn’t.

Even worse for those of you on SBS 2008, as that is plain old Server 2008, not R2.

Check out this TechNet page for more info http://technet.microsoft.com/en-us/library/cc730985.aspx

Very quickly, if you have, or plan to have, any DCs that will not be running Windows Server 2008 R2, then the AD RB is not going to be an option for you in an SBS network.

Assuming all is well, and you have followed the guidance and planning advice in the links above, and also done all your own research and promise not to blame me if anything goes wrong...

Enabling the AD RB is straightforward. You need to use the AD PowerShell Module, from Administrative Tools, and also run this As Administrator.

This article does such a great job of explaining it, you should just read that instead!

http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx

Installing SBS Essentials using an Answer File

A question came up on the SBS Essentials forum about how to install SBS Essentials with a domain name that ended in a suffix other than .local.

The answer to that question was yes you can, but you need to use an Answer File.

Another question popped up about the layout of your disks, and the way SBS Essentials works with disks during installation.

As you may know, SBS Essentials has a minimum requirement of a single 160GB hard disk for installation. If your system does not meet this requirement the install will fail.

The default install process will create a 60GB partition for Windows, and use the rest of your drive for a D drive (data). I think 60GB is woefully small, and I think most IT Pros would agree; however, you do not have to stick with this. You can make use of an entire disk for C: by using an Answer File.

There is an online resource here that explains the different values you can use with your Answer File.

Firstly, to build your answer file, you need to open Notepad, and save a text file as ‘cfg.ini’ You may need to save it with the file name in quotes, and with ‘all files’ selected.


Once you have this we can start to populate the file. But let’s review some of the things we can set through the answer file.

[WinPE]
Drivers
InstallDisk
WindowsPartitionId
PID
ConfigDisk
WindowsPartitionSize

Drivers

Here we can set a path to a folder that contains the drivers for the server. This is an optional setting and should be self explanatory. You can only use the setting once to point the install to a driver folder, and you can use either a known path with a drive letter or a wildcard.

[WinPE]
Drivers=x:\serverdrivers

[WinPE]
Drivers=_:\serverdrivers   (_:\ denotes a wildcard)

InstallDisk

Another optional setting. This setting relates to the Physical Disk ID of the drive on which you wish to install Windows. It might prove difficult to actually identify the drive ID you want to use, especially with a RAID configuration; however, it should follow some logic somewhere, so if you have multiple disks, it would be OK to assume that the disk on Channel 0 will be found by the install as Disk0, etc. For RAID arrays the same would apply: Array0 would become Disk0.

This is based on my assumptions – for example you may not have a disk connected to channel 0, in that event the disk on the lowest numbered channel would become disk 0.

Just remember that the installation of SBS Essentials will WIPE ALL disks, so please do test this before you begin, and don’t come crying to me if it wipes something important!

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0

WindowsPartitionId

Another optional setting for disk management. This can be used in conjunction with the InstallDisk parameter and specifies which partition to install Windows to, on the disk specified. There are considerations to make here depending on whether you are using an MBR based system or a UEFI based system. I think mainly this parameter is used when you have a preconfigured disk – I have not used this setting in my testing so I don’t have any experience with it. I can’t really see a situation where I would use it myself, as I imagine I would be formatting an entire disk in most cases. You can get more information from the Online Help (which is where I am getting my information). This setting is also related to the ConfigDisk parameter.

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0
WindowsPartitionId=2

PID

This parameter is where you would enter your server’s License Key if you have one, and if you want to. I have personally stopped entering License keys during setup; I prefer to wait until my server is up and running and configured, then take a backup prior to Activation. With a ‘trial’ period available it seems to make sense to save your activation until you are happy that the server is going into production and will not be re-installed.

(Note this PID is invalid and your install will fail if you try to use it)

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0
WindowsPartitionId=2
PID=1234-5678-9101-1121-3141

ConfigDisk

Optional parameter. This can be either a 0 or a 1. The online help explains this quite clearly. If it is missing, then all disks and partitions are deleted, and new partitions are created.

If it is set to 1, then all disks and partitions are deleted, and new partitions are created.

If we set to 0, then nothing is done to the disks, and the WindowsPartitionId parameter is used to determine where Windows will be installed on the available disks.

If you set this to 0 and omit the WindowsPartitionId parameter, then setup will ignore your answer file.

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0
WindowsPartitionId=2
PID=1234-5678-9101-1121-3141
ConfigDisk=0

WindowsPartitionSize

The last parameter used in the WinPE section. As the name suggests, here we set the value for the size of the Windows Partition. The value here is in MB. NOT GB. The valid range here is 20480 – 102400. You can also specify a value of MAX which will format the entire disk as the Windows Partition. If you don’t specify this parameter, then the default value of 61440 is used.

So with the above configured, we would have SBS Essentials installed to disk 0, Partition 2. With a 100GB partition for Windows. The WindowsPartitionID parameter is ignored as the ConfigDisk parameter is set to 0 – therefore the disk would have to be preconfigured.

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0
WindowsPartitionId=2
PID=1234-5678-9101-1121-3141
ConfigDisk=0
WindowsPartitionSize=102400

In order to get the answer file to format a drive, and configure a partition size of our choosing we must change the parameters.

[WinPE]
Drivers=x:\serverdrivers
InstallDisk=0
WindowsPartitionId=2
PID=1234-5678-9101-1121-3141
ConfigDisk=1
WindowsPartitionSize=102400

With this configuration the Answer File will install SBS Essentials to disk 0, but it will ignore the WindowsPartitionId parameter. ConfigDisk has been set to a value of 1, meaning it will format Disk 0 and create a partition of 100GB.

Example of an SBS Essentials Answer File

The last parameter you may see is Processed. This parameter is added to the answer file after the disk configuration has been completed. This stops the server being stuck in an endless install loop of formatting the disks, and I guess it also allows the Installer to skip ahead to the next part of setup.

The only value that the installer will enter is True. Any other value will most likely be ignored and treated as though it does not say True, which results in the same behaviour as False.

If a value of True is detected and you boot into Setup, then the Answer file is ignored and you are presented with the options you would get if you were not using an Answer File.


If you have anything wrong in your answer file you will receive an error, and a log is created that will show you what has gone wrong.


You can click on the hyperlink ‘Installation Error Logs’ to view the setup log file and try to identify what is wrong with your answer file.


As you can see from the above, it has detected an invalid PID and the installation has failed.

In the second part of the answer file, we look at the Initial Configuration of the server. This includes the Locale to install to and the regional settings, the name of the company, server, and the domain name you want to use, and you also set the name of an administrator account, the password and that of a standard user account.

Again the information is available at the online help page.

[InitialConfiguration]
AcceptEula
AcceptOEMEula
CompanyName
Country
ServerName
DNSName
NetbiosName
Language
Locale
Keyboard
Settings
UserName
PlainTextPassword
StdUserName
StdUserPlainTextPassword

AcceptEula

Easy – do you, or do you not accept the end user license agreement. Let’s see how far you get if you set this to false!

Valid settings here are true or false.

[InitialConfiguration]
AcceptEula=True

AcceptOEMEula

This is another optional parameter, and one only used by OEM’s, same deal as above, True or False, with True being the only setting that will allow the install to continue. This is a separate License Agreement specific to your OEM hardware provider.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True

CompanyName

An easy one this – What is your company name? Up to 254 Characters.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet

Country

Your country abbreviated into a string. The only example given is for the USA, which surprisingly enough is US.

There doesn’t appear to be any additional help available for Country Codes.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB

ServerName

What do you want your server name to be? From the Online Help:

The server name uniquely identifies the server on the network. Your server name must meet the following criteria:

  • Can be up to 15 characters long
  • Can contain letters, numbers and hyphens (-)
  • Must not start with a hyphen
  • Must not contain any spaces
  • Must not contain only numbers

Example: ContosoServer

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer

DNSName

Your internal DNS domain name. When installing using the GUI, SBS Essentials will use a .local extension. The GUI will base the prefix on your company name to start with, so if your company is SBS, then your domain name prefix would be SBS. This prefix can be changed in the GUI, however you cannot change the suffix (.local). If you want to install using a domain name with a different suffix, then you need to use the answer file, and this is the parameter to change. The same limitations are placed on domain names as in a standard Active Directory (AD) domain (More Here) and you should also consider the NetBIOS name limits as well (More Here). Another consideration is, how often will I have to type this? So keep it short if you can. I usually recommend using SBS, but in my example below I am using a different company name for a change.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com

NetbiosName

We are still using NetBIOS names, despite its demise being heralded at each new dawn… OK, that’s a little dramatic and it, seemingly, does still have a place in modern networks. Keep this under 15 characters and you’re good.

Match it with your domain prefix to keep things simple.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL

Language

A straightforward setting, you would think. What language do you want to install in? Well, let me tell you, unless you set this to EN-US you won’t get very far. I am in the process of investigating this with Microsoft, but don’t worry, it does seem to ignore this setting in favour of one of the other Regional settings. But I don’t know which one. I tried setting this to match many different language codes, found here, but each time I hit this error:


If setup detects any errors in the [InitialConfiguration] part of your Answer File you will see the above. It is actually really useful, it doesn’t just error out, it actually gives you the chance to fix your Answer File and then retry. You can see above, one of my many attempts to get it to recognise the UK variant of English, that being, English.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL
Language=en-US

Locale

Again, another regional setting. The default, and only published, option is en-US; however, I set mine to en-GB and it passed.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL
Language=en-US
Locale=en-GB

If you do decide to use an Answer File to install, please check your time zone is correct when installation is complete.

Keyboard

Self explanatory: keyboard layout. We do have some published parameters here, and setting mine to English_United_Kingdom, which is 00000809, works.

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL
Language=en-US
Locale=en-GB
Keyboard=00000809

As I have explained, I did have some issues with the Regional Settings of the Answer File; however, I found that once I had installed with the above Regional Settings I got the result I wanted. I would assume, then, that one of these settings takes precedence over the Language setting.


Settings

From the Online Help: this parameter relates to your Automatic Updates setting.

  • All equals “Use recommended settings”
  • Updates equals “Install important updates only”
  • None equals “Do not check for updates”

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL
Language=en-US
Locale=en-GB
Keyboard=00000809
Settings=ALL

The last 4 parameters are straightforward. With the GUI installation of SBS Essentials, you are prompted to create both an Administrator account and a Standard user account. The password you enter here is, clearly, in plain text. So please do make sure your answer file is kept secure, or that you use a default password for installation and then change it when the installation is completed.

UserName

PlainTextPassword

StdUserName

StdUserPlainTextPassword

[InitialConfiguration]
AcceptEula=True
AcceptOEMEula=True
CompanyName=CompuGlobalHyperMegaNet
Country=GB
ServerName=CompuServer
DNSName=COMPUGL.com
NetbiosName=COMPUGL
Language=en-US
Locale=en-GB
Keyboard=00000809
Settings=ALL
UserName=HSimpson
PlainTextPassword=P@55word
StdUserName=SHomer
StdUserPlainTextPassword=MyP@ssw0rd
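The rules scattered through this walkthrough (value ranges, the ConfigDisk and WindowsPartitionId dependency, naming limits, clear-text passwords) can be checked before booting into setup. This is an added PowerShell example, not part of the original post or of Microsoft's tooling; the function names are hypothetical and it treats 15 characters as the NetbiosName maximum.

```powershell
# Added example: lint an SBS 2011 Essentials cfg.ini against the rules on this page.
$knownKeys = @{
    'WinPE' = 'Drivers','InstallDisk','WindowsPartitionId','PID','ConfigDisk',
              'WindowsPartitionSize'
    'InitialConfiguration' = 'AcceptEula','AcceptOEMEula','CompanyName','Country',
              'ServerName','DNSName','NetbiosName','Language','Locale','Keyboard',
              'Settings','UserName','PlainTextPassword','StdUserName',
              'StdUserPlainTextPassword'
}

function Read-AnswerFile([string[]]$Lines) {
    $ini = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        } elseif ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-AnswerFile([hashtable]$Ini) {
    $findings = @()
    foreach ($section in $Ini.Keys) {
        foreach ($key in $Ini[$section].Keys) {
            if ($key -eq 'Processed') {
                if ($Ini[$section][$key] -eq 'True') {
                    $findings += 'WARN  Processed=True: setup ignores the answer file'
                }
            } elseif ($knownKeys[$section] -notcontains $key) {
                $findings += "WARN  [$section] '$key' is not a key described on this page"
            }
        }
    }
    $pe = @{}; if ($Ini.ContainsKey('WinPE')) { $pe = $Ini['WinPE'] }
    $ic = @{}; if ($Ini.ContainsKey('InitialConfiguration')) { $ic = $Ini['InitialConfiguration'] }

    $configDisk = $pe['ConfigDisk']
    if ($null -eq $configDisk -or $configDisk -eq '1') {
        $findings += 'WARN  ConfigDisk missing or 1: all disks and partitions are deleted'
    } elseif ($configDisk -ne '0') {
        $findings += "ERROR ConfigDisk must be 0 or 1, found '$configDisk'"
    } elseif (-not $pe.ContainsKey('WindowsPartitionId')) {
        $findings += 'ERROR ConfigDisk=0 without WindowsPartitionId: setup ignores the file'
    }

    $size = $pe['WindowsPartitionSize']; $mb = 0
    if ($null -ne $size -and $size -ne 'MAX' -and
        (-not [int]::TryParse($size, [ref]$mb) -or $mb -lt 20480 -or $mb -gt 102400)) {
        $findings += "ERROR WindowsPartitionSize '$size' is not 20480-102400 (MB) or MAX"
    }

    if ($ic['AcceptEula'] -ne 'True') { $findings += 'ERROR AcceptEula must be True' }
    if ("$($ic['CompanyName'])".Length -gt 254) { $findings += 'ERROR CompanyName exceeds 254 characters' }
    $name = $ic['ServerName']
    if ($name -and ($name.Length -gt 15 -or $name -match '^\d+$' -or
        $name -notmatch '^[A-Za-z0-9][A-Za-z0-9-]*$')) {
        $findings += "ERROR ServerName '$name' breaks the server naming rules"
    }
    # Assumption: 15 characters is treated as the NetBIOS maximum.
    if ("$($ic['NetbiosName'])".Length -gt 15) { $findings += 'WARN  NetbiosName is longer than 15 characters' }
    if ($ic.ContainsKey('Settings') -and @('All','Updates','None') -notcontains $ic['Settings']) {
        $findings += 'ERROR Settings must be All, Updates or None'
    }
    foreach ($key in 'PlainTextPassword','StdUserPlainTextPassword') {
        if ($ic[$key]) { $findings += "WARN  $key is in clear text: protect cfg.ini, change it after setup" }
    }
    return $findings
}

# Constructed sample based on the page's values, with two deliberate mistakes:
# WindowsPartitionSize is out of range and PlainTextPassword is misspelled.
$sample = @'
[WinPE]
InstallDisk=0
ConfigDisk=1
WindowsPartitionSize=204800
[InitialConfiguration]
AcceptEula=True
CompanyName=CompuGlobalHyperMegaNet
ServerName=CompuServer
NetbiosName=COMPUGL
Settings=ALL
UserName=HSimpson
PlanTextPassword=P@55word
StdUserName=SHomer
StdUserPlainTextPassword=MyP@ssw0rd
'@
Test-AnswerFile (Read-AnswerFile ($sample -split '\r?\n'))
```

To lint a real file, pass its lines instead of the sample: Test-AnswerFile (Read-AnswerFile (Get-Content .\cfg.ini)).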


Information on using an Answer File was published to this page http://onlinehelp.microsoft.com/en-us/sbs2011essentials/answer-file-install-1.aspx and that has been the basis of where I got the information for this post. I found that the documentation did leave me with some questions, which is why I wrote this post. Hopefully used in conjunction they will serve as a good reference for anyone wanting to use an Answer File to install SBS 2011 Essentials.

EDIT : 20/09/2011 Those clever chaps over at UsingWindowsHomeServer.com managed to find a workaround to the issue of using an install disk smaller than 160GB, despite my being told by Microsoft that it was not possible in the RTM Build of SBS Essentials. (I am not bitter or anything.) If you are in need of using a smaller install disk, check out this link.

How to Install SBS 2011 CALS


You Don’t!

Since SBS 2008, CALs have been based on Microsoft’s honour system, and they are no longer ‘installed’ and ‘activated’ when you buy them.

You just purchase the number of CALS you need, and keep them safe.

Small Business Server 2011 Standard, still ships with 5 CALs.

Even better, with SBS 2011 Essentials, there are no CALS to purchase. SBS Essentials, is a one off purchase. If you buy it today and have 4 users, you pay the same price as someone who has 10 users, or someone who has 25 users.

So, for Essentials think ‘all 25 CALS included’

(although on a technical licensing point of law, political correctness and outright Microsoft craziness – there is no such thing as an SBS Essentials CAL)

The Essentials OS is licensed for up to 25 users, but those ‘licenses’ are included in the fee you pay to purchase the software.

I know, I can see some of you at the back sneaking up your hands to ask..

“…I only have X amount of users, can I get a discount…”

No. Don’t be so cheap.

Because of the unique way Essentials is ‘licensed’, those invisible CALs only allow you to access the Essentials box itself, so unlike its big brother, SBS Standard, if you purchase a standalone member server (not a PAO Server) you must also buy full Windows Server CALs. SBS Standard has a more traditional CAL model, so SBS Standard CALs grant access to ANY member server, regardless of whether it is a PAO or not.


An SBS 2011 CAL

SBS 2011 Premium Add-on (PAO)


With the Premium Add-on (PAO, or Kung PAO as Susan Bradley calls it), licensing is the same whether you are adding the PAO to Essentials or Standard (the PAO is available to both SBS Standard & Essentials).

When you purchase the PAO, it includes 5 PAO CALS which allows those 5 Clients to access the SQL Services of the PAO Server. (The SQL services are sometimes called the Premium Services)

If you don’t install the SQL component, then you don’t need to purchase any additional PAO CALS.

The CALS for SBS 2011 Standard or Essentials allow you to access the Windows Server technologies of the PAO server, as long as you are not accessing the ‘Premium’ services, so you could install it as File and Print, Domain Controller, RDS Server etc., and you would not need any additional PAO CALS, or Standard CALS.

Just to add another level of complexity, if you did install the PAO server as an RDS Server, you would need to purchase RDS CALS.

Clear?

Well, I hope you were taking notes because we now have a short test!

Licensing Examples

Scenario 1.

I have Windows SBS 2011 Essentials, 10 Users all requiring access to SQL Services.

What components/licensing do I need?

Scenario 2.

I have Windows SBS 2011 Essentials, 10 Users, 1 NON PAO Member Server.

What components/licensing do I need?

Scenario 3.

Windows SBS 2011 Standard, 10 Users (Total), 5 Users Require access to SQL

What components/licensing do I need?

Scenario 4.

I have Windows SBS 2011 Standard, 10 Users, 1 NON PAO Member Server.

What components/licensing do I need?

Answers

Scenario 1.

In this scenario you would have 1x Windows SBS 2011 Essentials Server, 1x PAO Server, and need to purchase 5 PAO CALs.

Scenario 2.

In this scenario you would have 1x Windows SBS 2011 Essentials Server, 1 Windows Server OS License (required for member server) and 10 Windows Server CALs

Scenario 3.

In this scenario you would have 1x Windows SBS 2011 Standard, 1x PAO Server and you would not need any additional PAO CALs

Scenario 4.

In this scenario you would have 1x Windows SBS 2011 Standard, 1x Windows Server OS License (required for member server) You would need to purchase an additional 5 SBS CALs

Thanks to Michael Leworthy of Microsoft for clarification on licensing points.

SBS 2011 Standard – iPhone & iPad Exchange Email

EDIT – 28/10/2011 If you just want to know the settings required to connect your iPhone to your SBS Server, look at this post.

I use an iPhone, and I have blogged before on how to use the iPhone configuration utility in order to make deployment of the phones easier for clients.

I didn’t cover the iPhone’s ability to use ‘Autodiscover’ in that post; it didn’t occur to me at the time.

It didn’t occur to me until the other day, and then I set about confirming how it works, and in what scenarios you can use it to auto-configure a client’s phone.

To follow me through this post you will need:

A Small Business Server 2011 Standard (you should have run the ‘Connect to internet’ ‘Set up your address’ ‘add a trusted certificate’ wizard)

An iPhone or iPad

Internet connectivity!

Note: When I say External IP of either SBS Server or Exchange Server, I mean the address you would type if you were going to Remote Web App / Remote Web Workplace, e.g. remote.domain.com = 123.123.123.123 – this applies even if you are using a third party to provide anti spam or filtering services to your email.

So, from the ‘home’ screen find ‘settings’

Find ‘mail contacts and calendars’.

Choosing Add Account, we can then choose a Microsoft Exchange Account.

You are then faced with 5 configurable settings.


  1. Email Address (your email address)
  2. Domain (your internal domain name, i.e. sbs.local)
  3. Username (the username you use on your office computer)
  4. Password (the password for your office computer)
  5. Description (a description of this account – i.e. Company Email)

If you fill out these details with the settings relevant to you, you can then click Next. (If you click Return it will automatically attempt the next stage.)


You will see at the top of the screen ‘verifying..’


This is the part that has interested me, and I went to some lengths to find out what the iPhone is actually doing here.

However, if I had used my brain at all I could have guessed it actually just follows the same behaviour you can see if you run the ‘Autodiscover’ tests here (at testexchangeconnectivity.com)

The iPhone will use DNS to query for your domain’s ‘default’ record. This is usually represented as an @ in your DNS zone file, but it is not something you are likely to see if you are using a third party to host your DNS. Your default record, like any other record, translates ‘domain.com’ to an IP address.

So for example, if you type in http://domain.com in to your browser, you MAY end up at your website, but you may end up elsewhere. It depends on the configuration of that record.

Suffice to say, it most likely does NOT point to your Exchange server. That is a problem.

If this query does return an IP address, then the iPhone will attempt the next stage of verification.

If you do not have an @ default record for your domain, which is a valid configuration, then of course that query will fail and the iPhone will fail over to querying for ‘autodiscover.domain.com’.

At the next stage of verification the iPhone will attempt an HTTPS connection to either https://domain.com/autodiscover/autodiscover.xml or https://autodiscover.domain.com/autodiscover/autodiscover.xml

This XML file is located on your Exchange server; you can see it within Windows Explorer.

You can open the file in Notepad if you are interested to see the content.

Please note THIS SHOULD NOT BE EDITED

You may be presented with a certificate warning if you are using a self-signed or single-name certificate that is not for ‘autodiscover.domain.com’.

It will attempt to log in to the server with the username and password provided. If successful, your iPhone will be auto-configured with your Exchange server’s address.

You can then continue to finish the setup of your account.

If an HTTPS connection fails, then the process is repeated on HTTP.

If any of the above steps fail, or cannot complete – then you will be presented with a new box on your screen, and that will be for ‘Server Address’


Of course that’s fine to just enter at that stage – but it may be useful for some to know how to get this bit to work.

So to recap – to get the autodiscover feature to work:

  • You must either point your domain’s @ record to your Exchange Server’s public IP address.

Or

  • Delete the @ record from DNS and then set up a new A (Host) record for ‘Autodiscover.domain.com’ and point that to your Exchange Server’s public IP address.

I am making no recommendation on which option to choose, however i personally chose to delete my ‘default’ record and nothing bad has happened.

What other things will prevent a smooth auto configure? A self issued, or incorrectly named certificate.

Now most people will know with an iPhone you can simply ignore invalid certificates, BUT this is an extra prompt, and in the spirit of removing those obstacles to your users you should consider getting a UCC certificate for your SBS Server.

SBS Server will run perfectly well with a single name certificate – in fact it is designed with this in mind.

However the price difference between a single name certificate and a UCC certificate has come down considerably so now there is a good case for using a UCC instead. If the iPhone could use the DNS SRV record method for attempting autodiscovery – like Outlook clients can, then we could stick with a single name certificate.
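The lookup order and the certificate-name problem described above can be checked from any Windows PC before a phone is handed to a user. The PowerShell below is an added example, not part of the original post: `domain.com` is a placeholder, the function names are made up for this illustration, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example: check the two Autodiscover candidates in the order described above.
# 'domain.com' is a placeholder; pass your own e-mail domain with -Domain.
param([string]$Domain = 'domain.com')

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever the server presents: the aim is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-CertificateCoversName {
    param($Certificate, [string]$HostName)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17); a UCC certificate lists its names here.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English Windows formats SAN entries as "DNS Name=host".
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Length -eq 0) {
        # No SAN: fall back to the subject's common name (single-name certificate).
        $names += $Certificate.GetNameInfo('SimpleName', $false)
    }
    foreach ($n in $names) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard such as *.domain.com covers exactly one extra label.
        if ($n.StartsWith('*.') -and $HostName -like ('*' + $n.Substring(1)) -and
            $HostName.Split('.').Length -eq $n.Split('.').Length) { return $true }
    }
    return $false
}

foreach ($name in @($Domain, "autodiscover.$Domain")) {
    try { $ips = [System.Net.Dns]::GetHostAddresses($name) }
    catch {
        Write-Output ('{0}: no DNS record, so the client moves on to the next name' -f $name)
        continue
    }
    Write-Output ('{0}: resolves to {1}' -f $name, ($ips -join ', '))
    try {
        $cert = Get-ServerCertificate -HostName $name
        Write-Output ('  certificate subject : {0}' -f $cert.Subject)
        Write-Output ('  covers this name    : {0}' -f (Test-CertificateCoversName $cert $name))
        # Verify() uses this PC's trust store; the phone has its own, so treat it as a hint.
        Write-Output ('  trusted on this PC  : {0}' -f $cert.Verify())
    }
    catch { Write-Output ('  HTTPS on port 443 failed: {0}' -f $_.Exception.Message) }
    Write-Output ('  URL the client asks for: https://{0}/autodiscover/autodiscover.xml' -f $name)
}
```

If the first name resolves but its certificate does not cover it, that is the host where the phone will show the extra certificate prompt.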

Quick Fix : Internet explorer cannot display the Webpage SBS 2011 RWA (RWW)

(I did screen shot this post but for some reason when i posted they got all jumbled, and the formatting was messed up! so enjoy the plain text, 56k dialup version)

I have my lab server situated at home, but from time to time a question crops up during the working day that requires me to login to my lab setup and look things up.

As part of my lab setup i have SBS 2011 Standard running, but curiously i have been unable to access this from my work PC using IE and RWA(RWW).

If i RDP to the host Hyper-V box, it works perfectly. If i attempt to go to the external IP of the router at home in IE, it works perfectly.

If i use Firefox to go to the RWA page, it works perfectly, i just get a blank response from IE.

The question is, what could be causing it? Skip to Solution?

First, i am trying the obvious things, Resetting IE to defaults, restoring advanced settings.

What i find interesting here, is that IE is seemingly not even attempting to connect to the page – if you hit F5 to refresh the page it is instantly coming back with the failure.

I am now going to switch to WireShark to see if i can see anything happening on that level. For those of you who don’t know – Wireshark is a protocol analyser, and allows you to see in real time the traffic going across ‘the wire’, of your LAN connections. You can download it for free from here: http://www.wireshark.org/

There are tutorials and help files, and if you haven’t used the program before it can be a bit overwhelming to see the packet captures whizzing past.. so i would recommend you run through those before you start using the program.

I know what i want to find out here, so, i can go straight to inputting a capture filter, to only show me traffic destined for my SBS 2011 server.

The filters can be quite tricky, but to only display traffic destined for one IP enter – ‘ip.addr == <ip address>’

You will then need to go into ‘Interfaces’, (click Capture, then Interfaces) to select which Interface you want to monitor (Click Start, next to the interface you want to monitor)

Once you have clicked start, you will see a blank screen, because there is no traffic flow to that destination IP. To test your filter, you may want to PING that IP address to verify the capture shows those packets.

Now, lets try to gain access to our RWA site.

I see nothing in my packet capture.. (only my ping responses)

It seems as though IE has cached some bad response, or unavailability of the service, and is refusing to attempt a connection.. Very Odd.

Just to confirm that our packet capture would actually pick up an RWA access attempt, switching back to Firefox I refresh my page..

Lots of info flows past – so we are definitely seeing a connection attempt from FF. Still – why nothing from IE?

So, i decided to reinstall IE on my computer.

Just a note for those of you running Win7 (i am running Win7 x64) IE8 ships installed on Win7, so you cannot download it!

To reinstall you must go to Control Panel, then Programs and Features. Choose to ‘Turn Windows Features On or Off’ then find IE8 in the list and uncheck it. Reboot, and then Check it to kick off the reinstall.

After a reinstall I was quietly confident this would solve the issue. Unfortunately not.

At this point i was beginning to run out of ideas.

I decided to turn to some of my online friends for some pointers. Enter Tim Barrett.

Tim offered to connect up to my pc so we could both play around with settings to see if we could solve the issue.

We went through several things, including adding an entry to the hosts file, resetting IE (including using the clear personal settings option), we ran IE with and without Add-ons, and we ran it in both x64 and x86 (32bit) mode.

Nothing worked, and what was stumping us was the lack of activity in WireShark.

We then loaded up Windows XP Mode on my PC and confirmed that it was working correctly.

It was, and I could access RWA perfectly well through XP Mode.

Solution

Tim began searching online, and turned up a post from Experts Exchange that mentioned that if you were using a self-signed certificate you should make sure it was installed correctly, and that eventually led us to the solution.

I was indeed using a self signed certificate on my SBS box. But that shouldn’t stop me visiting the site, right?

Well as it turns out, it was.

I got the root CA certificate exported into .cer format and onto my machine, and installed it. As soon as i did this i was able to load RWA in IE. I removed the certificate again to test, and sure enough my access was once again failing.

So, to install the certificate..

Firstly you will need your SBS Server CA certificate.  This can be distributed in a number of different ways.

On my network i have a share where the certificate resides. This is accessible via RWA – so via Firefox i could download this to the pc. Other methods would be through email, or pen drive transfer.

Once you have the file on your computer, open an MMC.

Click Start, then type MMC in the search box.

Click on MMC, then accept the UAC prompt.

Click File, then Add/remove snapin.

Find Certificates in the list of snapins, and click Add.

In the next box select ‘Computer Account’ and click OK.

Click OK to accept the default ‘Local Computer’

Click Ok to close the ‘Add Snapin’ Dialogue.

Now, expand ‘Trusted Root Certification Authorities’

Expand ‘Certificates’ and right click, then click All Tasks, and then Import..

Follow the import certificate wizard, find your .CER file and continue to import it. When you have finished you will see a successful import message.

Now test your RWA access and you should find you can now connect!
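Because anything placed in the Trusted Root store is trusted for every site it signs, it is worth confirming that the .cer file really is your SBS server's CA certificate before importing it. The PowerShell below is an added example, not part of the original post: it performs the same import as the MMC steps above, with a thumbprint check first. The function name and both parameters are made up for this illustration.

```powershell
# Added example: scripted version of the MMC import above, with a thumbprint check first.
# Run from an elevated PowerShell prompt. Both parameter values are yours to supply:
# read the thumbprint from the certificate on the SBS server itself, not from the copy.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)

function Import-VerifiedRootCertificate {
    param([string]$Path, [string]$Thumbprint)

    # .NET resolves relative paths against its own working directory, so use the full path.
    $full = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full)

    # The certificate dialog shows the thumbprint with spaces; keep only the hex digits.
    $expected = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
    }
    # A root CA certificate is self-issued; anything else does not belong in this store.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate (issuer is '$($cert.Issuer)'). Not importing."
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Local Computer > Trusted Root Certification Authorities, as selected in the MMC steps.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($present) {
            Write-Output "Already trusted: $($cert.Subject)"
        }
        else {
            $store.Add($cert)
            Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)]"
        }
    }
    finally { $store.Close() }
}

Import-VerifiedRootCertificate -Path $CerPath -Thumbprint $ExpectedThumbprint
```

To undo the import for testing, as described above, remove the certificate again from the same store in the Certificates snap-in.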

Virtualising your server for Migration Preparation

With Virtualisation technology and programs becoming increasingly popular, it makes sense to look at Virtualising your server prior to a major upgrade or migration, keeping the source server as a fully reliable backup/roll back.

Using tools like Shadow Protect, you can very quickly take a running server, and turn it into a bootable virtual machine.

The drawback is that it is an expensive product and, for some smaller consultancies, it may be a ‘nice to have’ but not something that is looked at as a serious option when preparing to migrate a client.

Hopefully we can change that idea.

Using the Sysinternals tool, disk2VHD, we can take our running system and create a VHD from it. Using this VHD and Microsoft’s Free Hyper-V Server, we can build a VM from that VHD, and using this we can begin to prepare our migration or upgrade.

So, to follow me through this article you will need…

  • A source server ( i am running SBS 2003 R2 Standard)
  • Some available hardware to host your virtual server (ideally with at least the same amount of ram as your physical server, but remember your server needs to have hardware that supports hyper-v)
  • The Sysinternals disk2VHD tool
  • USB/eSata Storage to transfer VHD (or local network access to the source server)
  • Microsoft’s free Hyper-V server (this is the pre SP1 version)(1.5gb)
  • Hyper-V Management Tools (Install the update, then use ‘turn windows features on or off’ to activate) (240mb)

Considerations: Make sure your source server is correctly licensed to allow for virtualisation, Keep in mind technically you are moving the server to new hardware, so a typical OEM license would not cover you for this. That being said, I’m sure we can all use our common sense on the licensing front!

Can i just REITERATE – if you are running an OEM install of SBS 2003 (or any OS) it is highly likely your server will require activation when it boots on the virtual hardware. Reactivation will be at Microsoft’s discretion and i can make no guarantees or whatever :p

Also as we are on new hardware, we will need to follow procedures for your particular OS to change NICs.

This article is split into 10 steps…

Step One – disk2VHD

Step Two – Install Hyper-V Server

Step Three – Initial Hyper-V Configuration

Step Four – Hyper-V Network Configuration

Step Five – Connect to Hyper-V Server

Step Six – Configure your VM

Step Seven – VM Network Configuration

Step Eight – Power Up your VM!

Step Nine – Testing your VM

Step Ten – Back to the Future!!

Step One. disk2VHD

So first of all we will run our disk2VHD tool on our source server,  the size of your servers disk drive(s) will determine the time it takes for the VHD to be built, luckily on my source server i only have a single C: drive, and the used space is quite low.


Under VHD File name, you can choose the destination VHD path and file name, once you are happy with that simply click on ‘Create’,  to start building your VHD.

You will then have a short, or long, period where the volume(s) are snapshotted, and then you will see some progress and a quite accurate ETA for the time the process will complete.


Once this process is completed i can copy the VHD off to removable media, and begin working with it in Hyper-V.


Step Two. Install Hyper-V Server

So I guess we should get our Hyper-V server ready.

You’ll want to burn that ISO to a DVD or extract to bootable USB media, and boot.

As usual, press the any key to boot…


Windows loads files from your media..


Windows is starting..


Choose your installation language..


Choose your time and date / keyboard preferences..


Confirm your settings, and click next..


Choose ‘Install Now’…


Setup will begin..


Review the license agreement.. If you accept the terms, check the box and click Next..


Choose a ‘Custom’ install..


Here you can choose your disk formatting options, or install raid controller drivers if needed. I just have a single disk in my system and i am not using RAID – this is my lab system remember. If you are doing a real, live, migration you may want to consider the redundancy of your virtual machine. Yes you can always go back to your VHD if you took a copy before you started, but you don’t really want to start again if you can avoid it!

You can click on Drive Options if you have to partition or format the drive in a specific way, or just click Next if you have a blank drive to let the system format and partition the drive for you.

Setup will now run through, copying files, expanding files, installing features etc etc…


Step Three. Initial Hyper-V Configuration

At first boot, you will need to setup a password for your account. Put some thought in to this, i am running my Hyper-V server in a workgroup. My laptop is also in a workgroup. That means to authenticate between the two we need identically named accounts. (Both username and password) For example if i login to my laptop as Administrator with a password of Rob123 i should set the Hyper-V server username to Administrator, and use a password Rob123. However i wouldn’t recommend you use those :p


Enter your password and confirm..


Success!


Now the system will log you on, and you will get your first look at the Hyper-V Core.


So from the home screen, you can get a little bit of info about the server itself, you can see the default hostname, and domain status, you can configure any one of these options by selecting the corresponding number.


First thing i will do is add a new local admin, as stated above we need identically named accounts on our workstation with the Hyper-V tools installed.

So press ‘3’ and Enter.


Type the new account name, and press enter. The screen will switch over to a traditional command prompt, where you are asked to enter the password for the account, and confirm.


If you confirmed correctly, you will be given a congratulatory message!


Now i want to enable the remote management of the Hyper-V server, so press 4 and enter.


You have several options here, we will go through 1-3 in turn. Start with number 1.


You will receive a message to say this has completed..


Next, use option 2 to enable PowerShell.


Once the powershell commands have completed you will need to restart.


Log back in, and go back to option 4 (Enabled Remote Management), to complete the setup, go to option 3 to enable ‘Remote Server Management’.


It will take a few moments for all the commands to run and complete…


Once that has finished, you can press 5 to return to the main menu. (Reminds me of DOS)


Step Four. Hyper-V Network Configuration

If you want to change the system name at all, just press 2, then enter. I am happy to leave mine on the random name assigned by setup.

Let’s have a quick look at our network settings.. press 8 and Enter.


We can see the NICs installed, and the current IP address. If you want to configure a NIC, press the index number that represents that NIC. I only have one NIC, so I can press 0 (zero).

You might want to configure a static IP or any other network setting, this is the place to do it. I am going to put my server on a static IP, so i will need to use option 1.


Choosing option 1, prompts me then to use either DHCP (D), Static (S) or to cancel..

Choose S for Static. Then enter your IP details.


When you enter the default gateway you will see the screen refresh and reflect your new address details.


So you can see DHCP is now showing as false (disabled) and my new static IP is displayed

You can press 4 to go back to the main menu.


From testing i know that the firewall configuration can be tricky.

However, as this will not be a production box i have decided on my system to just switch off the firewall.

There is a great little tool called HVRemote.WSF, which you can obtain from here… It takes a lot of the pain out of configuring the Hyper-V core, especially when you follow the instructions, which IMHO could be just a little clearer but nevertheless work well.

You run it both from the Hyper-V server, and the Client that will control the Hyper-V server (most commands are run from the client) it even has a great switch for diagnosing connectivity issues between the two!

To disable the firewall..

Exit to the command line (option 15) and then type:

netsh firewall set opmode disable

(If you choose to Disable the firewall, instead of configuring, You will need to run that command each time you reboot the Hyper-V Server)


As you can see in the screen shot, this command is deprecated now and you are told you should use ‘netsh advfirewall’ instead, but since this command still works, why should we bother??


Quick Recap

Now just to recap, at this point we have installed the Hyper-V core, we have configured it for remote management, we have added a like named user to match our workstation/system with the Hyper-V tools running. We have configured our network adapters and turned off the firewall.

Step Five. Connect to Hyper-V Server

Now that your Hyper-V server is up and running, you probably want to add some Virtual Machines, and finish our server virtualisation project?

You will need a machine running the Hyper-V management tools, you can install these as part of the RSAT, or if you already have a server running Hyper-V you can add it as an additional server.

I have a Windows 7 Pro machine running the Hyper-V tools, so i will connect to the Hyper-V Server from there.

Open up the Hyper-V console.


Right click ‘Hyper-V Manager’ and click on ‘Connect to Server’


Choose to connect to ‘Another Computer’ and enter the IP or HOSTNAME of your Hyper-V Server, and click on OK.


After a short delay, you will see your server is added to the console tree. It will display the hostname, whether you added the server by IP or HOSTNAME.


Select your server from the list, to begin working with Hyper-V on that server.  You will see that the Hyper-V console is attempting to connect to the Virtual Machine Management service on the remote server..


And hopefully in a few seconds you will see….


Step Six. Configure your VM

Now we will need to copy our VHD across to the Server, and build our VM.

I am going to attempt to copy my VHD across the network firstly, and then i will walk through the process using removable media.

Before you attempt to power up your VM you MUST move the Hyper-V server to a separate network. You cannot run two Servers on the same Subnet with the same name and IP address.

I ran the disk2VHD tool directly on my SBS server, and stored the created VHD there, so from the Server i will attempt to browse to the Hyper-V server.

So, Click Start, then Run in the run box , enter the UNC path to your server, and as we don’t yet have any shares on the server, let’s try to go for the c$ share.


Hopefully you are prompted to login, so enter the administrator username and password.


If you entered the correct credentials you should now see your C: on the Hyper-V server. Add a new Folder to store your VHD file.

Right click, new > folder. Name the folder VHD and press enter.


Now we can just try to drag and drop our VHD file across..


Sit back and grab a coffee, it might take a while!


When the copy has completed we can switch back to our Hyper-V server and configure the VM.


If you want to use removable media instead, copy the VHD to your media from the source server, plug that media into your Hyper-V server, and you can use the xcopy tool from a command line to copy it across. You might want to use DISKPART to identify which Drive letter your Media has been assigned.

From a command prompt, type..

DISKPART <enter>

LIST VOLUME <enter>

This will show you the volumes on your system, their size, and assigned drive letter.

From here you can gauge which drive is your removable media, and it should be simple enough to copy the file across.

Now we need to configure our networking. My Microserver only has one NIC so i am not able to have a dedicated NIC for management and one for the VM.

In the Hyper-V console, load up the ‘Virtual Network Manager’


Our VM will need physical network access, so we will need to create an ‘External’ Network. Click Add.


You will need to enter a name for your network, and you may want to add some notes about its purpose/function within your Hyper-V setup. You also need to confirm the physical NIC the network will bind to, and whether or not the Host OS will have access to share this NIC. There are also some other settings which we do not need to worry about.

As i said, i only have the one NIC, so i am leaving all of the defaults here.

Enter a name you are happy with, and click on OK to setup the network.


With a single NIC configuration you may have some temporary disruption when you click on OK. You will be prompted to acknowledge this by clicking ‘Yes’ in a warning dialogue box.


Once the server has applied your networking configuration, you can go ahead and run the New Virtual Machine Wizard.


Right click the Server Name, highlight New, then select Virtual Machine.


Review the information on the ‘Before you Begin’ page, even if you have done it before it is always useful to review this type of information.

Click Next when you are ready.

We will need to name our Virtual Machine – this name will be what is shown within the Hyper-V console. You may also choose to move the configuration information to a non default location.


When you are ready, click Next.

Choose your memory allocation. My Physical server had 1GB of Ram, so i am going to allocate 1GB here. You may want to allocate more if your system has the free memory. My Microserver only has 2GB installed, and remember SBS 2003 only supports up to 4GB of RAM.

When you are ready click Next.

Choose your Network from the dropdown menu. I only have the one to choose. Click Next. (You can ignore this step for Windows 2003 as it does not support the Hyper-V synthetic NIC by default)

Next we choose our VHD. We don’t want to create a New VHD here, so choose to ‘Use an Existing VHD’ and type the path information to the VHD file; you may see it auto-completes for you!

When you are happy with the VHD information, click Next.


Review the settings shown, and if you are happy, click on Finish.


Your new Virtual Machine will now be shown in the details pane of the Hyper-V console.


Step Seven. VM Network Configuration

Now, because we are running Windows Server 2003, we will need to use a ‘Legacy Network Adapter’

Right click the VM, and click Settings.


It should open on the ‘add hardware’ screen, select ‘Legacy Network Adapter’ and click Add.


Again, here you need to choose which network to connect the NIC to, and click on Apply.


Click on OK to close down the settings page.


Your NIC is now installed.

Now remember when we startup, it will be like we have replaced the NIC in a physical server, so there will be some configuration required and the SBS BPA can help us with that.

All that is left to do is start it up!

Step Eight. Power Up your VM!

Remember, your Hyper-V Server should now not be located on the same LAN as your source server.

Double click the VM to connect to it, then click on the green Power Button to power on.


You may be prompted for credentials due to the way the VM, and Hyper-V interact with the remote Hyper-V system, simply login with credentials valid on the remote Hyper-V Server.


Once you have logged in you will see the VM at whatever state it has got to in the boot process, it does not wait whilst you enter credentials!


After a short time you will be at the CTRL-ALT-DEL screen and you can login. (CTRL ALT END on Hyper-V) (CTRL ALT LEFT ARROW, to get your mouse focus back to your local pc)

Once logged on, you can see your server is at exactly the point when we made the disk2VHD snapshot.


At this point you should have a booted SBS 2003 system.

Step Nine. Testing your VM

Your next step is to run the SBS BPA and resolve any issues highlighted. Remember your VM functions just like the real thing, so any issues that pre-existed, in the registry for example, still exist. The main issue you are likely to see relates to having a new NIC installed on the system when SBS is tied to the other NIC. This error is the result of a change in the ‘LANNIC’ registry value. The registry key is located here:

HKLM>Software>Microsoft>SmallBusinessServer>LANNIC


The above shows the current value of the GUID for our LANNIC. If that NIC is removed you might experience errors on the system, and services like DHCP may not work as expected.

The solution is to find the GUID of your actual LAN NIC, copy it down, and replace the value shown above, with your actual GUID.

To find the GUID of your NIC, go to, HKLM>System>Services>TCPIP>Parameters>Interfaces


Step Ten. Back to the Future..

No not a direction to sit in front of a DVD, but i needed a good name for the last step.

At this point you should have a fully functional SBS 2003 Virtualised, on Microsoft’s free Hyper-V server. You are now free to test migrations, patches, backups, anything you like, safe in the knowledge that your physical server, is safe from, well, you!

So you are back, where you started, which is, looking to the future… of your network and a server upgrade?  ok that was awful but hopefully you get the point!

I hope you have found this useful, if not a little entertaining.

Links..

HP Microserver
http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/15351-15351-4237916-4237918-4237917-4248009.html

Hyper-V system Requirements
http://www.microsoft.com/hyper-v-server/en/us/system-requirements.aspx

Disk2VHD
http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Hyper-V Download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=48359dd2-1c3d-4506-ae0a-232d0314ccf6&displaylang=en

Hyper-V Management Tools (RSAT Updated for Windows 7 w/SP1)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

ISO Extraction
http://www.magiciso.com/download.htm

USB Bootable Media Guide
http://www.nogeekleftbehind.com/2010/12/22/how-to-install-sbs-2011-with-a-bootable-usb-drive/

HVRemote
http://archive.msdn.microsoft.com/HVRemote

Thanks to Tim Barrett, for his awesome editing and ideas!

OK so… That works.

Having spent several hours working on my IPCOP install article, it was proving to be a bit of a pain to upload it.

I broke it down into 3 smaller articles, that are now of course, published in reverse order as you scroll this page.

Here are the links to the individual entries..

Part 1

Part 2

Part 3

Hope it may be useful to you!