Event 529s I’m ready for Ya

I’m stealing an idea from Jeff Meager in the newsgroup…. he said….

I decided to make an alert that informed you when too many bad username and password attempts had been made. You will need to customise it to the size of your company, but it’s too easy.

Copy and Paste the account lockout health monitor item. Cange and rename it. change the event id to 529 which is the incorrect username and password one. Set the number of incidences before alerting to something that would signify an attack, rather than legitimate bad typing by a user. The default is to email you about it and flag it as critical.

If you have the facility to do email > sms you could have it SMS you!

Hey, that sounds pretty cool.  Knowing that I looked over my own even logs and didn’t see too many 529s except when I fat-fingered my own passwords I thought I’d set this up.  You can either do what Jeff says or set up your own monitor.

Remote into the server, start, all programs, Administrative tools, Health monitor.

Wow, look at all those things being tracked.  Remember SeanDaniel.com’s blog post about how SBS got monitoring in the first place?

So under Core Server alerts I set up a new Event ID 529, right mouse clicked on the new event and made sure that it’s set to event 529 to “freak” out on.  I’ll have to log in from home and see if it does  🙂

and then don’t forget to change the message on the tab:

Okay time to go “fat finger the login” and see if it works!

Big server land versus Little Server Land

There is one thing that both Dr. Jesper Johansson and Steve Riley say in a lot of presentations…they say that “Account lockout has no value”, that it will “cause a denial of service”.  And this is ONE area that I timidly disagree and say… sirs?  I think we can handle this.

  • Big server land knows that account lockouts cost $70 a help desk call.
  • Little server land says “it doesn’t happen that much and we can handle it


  • Big server land says “this is the number one PSS support call“
  • Little server land says… “how we set up DNS is OUR number one support issue


  • Big server land says that someone could do a denial of service against our website.
  • Little server land says …”uh…we recommend you don’t host a website if you want to be nice and paranoid


  • Big server land says it adds no additional security.
  • Little server land says …”that may be for you, but it lets us sleep better at night

I think we can handle account lockout.  What do you think?

Allocated Memory Alert on Domain

Alert on DOMAIN at 1/31/2005 8:05:59 PM

A large amount of memory is committed to applications and processes. Consistently high memory usage can cause performance problems.

To determine which processes and applications are using the most memory, use Task Manager. Monitor the activity of these resources over a few days. If they continue to use a high level of memory and are less critical processes or services, try stopping and then restarting them.

You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.



If you are seeing that like I am I think we’re hitting a threshold and we need to bump it up but I still have a SRX [PSS] call open on this.  As you can see tonight WHILE THE BACKUP WAS RUNNING [and mind you mine backs up two machines] and remoting in…and setting up a new monitoring alert [more on that later] and I think I was doing just a smidge too much.  Remind me to call back and see if they want me to kick up the health monitoring a bit.  We’ve seen a smatterings of them lately and they tend to be Xeon’s or Dual Processors.

Just keep an eye out for them and we’ll keep you posted.

You know you are a geek when

You know you are a geek when….

  • Your best friends who went to the Las Vegas Computer Electronic show and get you a sweatshirt that says “Technology is a girl’s best friend“.
  • You debate the merits of looking up the TV listings on www.tvguide.com/listings or Media Center Edition with a person online
  • You chat more on IM than you do on the phone
  • You get goosebumps when a new Dell 19inch flat screen arrives in the office and it can rotate from landscape to portrait and comes with a telescoping stand
  • You use the “profile settings“ in Instant messenger to post comments to friends.
  • You’ve taken pictures before of computers that are in public places with BSOD’s and error messages [however I’d like to point out that while I’ve taken photos of these BSOD’s, it’s another geeky person that I know that actually figured out what the driver error in question was from looking at the digital image on the camera].
  • You know what BSOD is without saying “Blue Screen of Death“
  • You get a new computer and the FIRST thing you do is load up the Google toolbar and the SearchURL

There are lots more here from another source….and um… for the record…. um…. the Net was on TV this weekend and in the upcoming Advanced SBS book from Harry’s Brelsford… and I…..um… I list it as one of my favorite computer related movies.

So you want to be a consultant?

I think this is the year of the consultant.  First I get emails asking about this, the a friend posts a “so you want to be a consultant” on his web site and gets it linked to shashdot. 

Check it out…. a great paper written by a great guy… who probably HATES a SBS 4.0 box these days [long story, long migration, you’ll have to ask him about that]

Like yeah, Dude! We do need a MCE Server!

There are times sometimes you want to go…. yo…dude…what have I been saying?  Scoble tonight ponders about a home server.. not a mirraserver but a server based on Microsoft Media Center Edition.  Like YO DUDE…this is what I’ve been saying for like how many years now?  Especially I said it after touring the E-home at Microsoft.  As we toured the home of the future…well..the home of the future for GUYS as we gals still had to cook and clean and pick up the dustbunnies and what not.  But as we walked around the house I could see.. wow they need a server here.  My friends in LA already have in their closet a wiring cupboard that has the needed router, wireless access point, replay TV connectors, etc.  The house of the future will have a server.

I will wack Scoble upside the head on one thing though, a server in my world is a dedicated box that has dedicated software on it.  The title of this software has “SERVER“ in the name.  Not Windows XP media center or Windows XP.  So many of my fellow computer geeks consider a “workstation“ that they make into the “Mothership server“ role as a server and it’s not.  Servers are designed from the get go for maximum “serving“ and they are not designed as a “client“.  MCE is a “client“, not a “server“.

In one of Scoble’s link blogs they talk about the lack of a “cult” for MCEers.  Man I guess I’m just more friends with geeks but everyone that I know that have MCEs are quite “culty” about them.  Heck, when two SBSers got together for lunch did they talk about SBS?  No, they talked about MCE. 

So folks..yo..Microsoft… wake up and realize that people are already making the product that they want to have.  A home server. And while we’re in rant mode tonight, I was relaying my “computer purchase from h-e-double-toothpick story and everyone in my office says the same thing about their Best Buy Computer experience.  They hate the store.

Build us the product people are starting to want.

Sell it in a better way to us.

Sam the SBS 2003 Server ….the Spammer

We start this interview with Sam the SBS 2003 server

Q.  Hi Sam…. uh Sam?  You okay?

A.  Uh… well.. I’m kinda embarrassed,

Q. Embarrassed?

A.  Yeah, some of my fellow SBS 2003 server boxes …well their owners and consultants haven’t patched me like they should.

Q.  Patched you?

A.  Yes, well just like you would with a car, I need monthly maintenance and that includes patches.  And the thing is Windows Update is not enough.

Q.  It’s not?

A.  No, it’s not.  You need to visit my download page in addition to Windows Update.  And people running Popconnector and haven’t visited that page….well… they kinda got into trouble the other day.

Q.  Into trouble?

A.  Yeah they kinda caused a mess by sending a bunch of emails.

Q.  Oh wow that’s a really big mess.

A.  Yeah, a real big mess.

Q.  So what’s the best thing to do.

A.  Well obviously download those patches.  And I’d also recommend folks review the password on the Administrator account.

Q.  The admin account?

A.  Yes, by design the admin account cannot have a lockout policy applied to it so it’s really important to ensure that a VERY strong password or passphrase is selected for this account.

Q.  That’s good to know.  So Patching and Passwords is the lesson for today?

A.  Patching and Passphrases, actually!

Q.  Cool, Thanks Sam!

Hardware, vendors and other rants, oh my!

Wayne pinged me and asked if I had any Netgear PS110 print servers here and I don’t.  Seems like the servers just don’t want to work on Win2k3 and you either have to buy the 113s or buy some other print server.  Now we all know that hardware firewalls and print servers are just code in a box and you would think that they could just flash it or something but it acts like the vendor doesn’t want to do this.  Hey Netgear, how about some better response than this?  Listening out there, Mr. Netgear?

Speaking of vendors, when you buy software these days, do a “Howard/LeBlanc” on it.  A what you say?  A bit of “Secure coding Second Edition” sanity check on how it’s set up, what it wants you to do on your system, what it’s installing on your computers.  Ask for the specs BEFORE buying the product.  Ask the vendor how “securely coded” they are.  Threat Model that sucker too if you can.  We as consumers have every right to ask how things are setup.

I once had to go up to like third tier tech support to get the right answer when a vendor said they needed an “inbound port 80” connection to our server.  I was like WHAT?  You HAVE to be kidding!  Well come to find out it was like an outbound connection [like we all do outbound connections] and the initial three guys we talked to had no clue. 

If you don’t know if the vendor specs are okay, run it by someone more paranoid than you are.  Big firms can do project requirements that lists specifications.  We can’t.  But we can start in our own little way start putting the seeds of “hey are you coding right?” into the minds of all software companies that develop for small business.

Wonder if it would be in poor taste to send Scott Cook [CEO of Intuit] a Secure coding Second Edition just to make sure he can hand it to one of his devs to make sure they’ve read the book.

There are times I love ISA, there are times I hate it

I have a love/hate relationship with ISA server.  Most of the time I love it, but there’s that one hour out of the blue that it drives me crazy.  Part of it is my own fault.  I didn’t realize when I first setup the server at home, how important it was to put in the right server name [or IP address] to ensure that the Remote Web Workplace would publish properly.  One of these days I need google a resolution of the proper way to remove my unnecessary self certificates as the posts I’ve seen on the subject so far recommend being careful.  Tonight I was having an issue and probably should not have knee jerk re-ran the Connect to internet wizard, but I did.  And when I did it, the webproxy got stuck and would not restart.  So for anyone else having this issue, this is how I fixed it.  First I was getting these errors in the ICW log file:

calling StartWebProxyService (0x8007041c).
Error 0x8007041c returned from call to CCometCommit::Commit().


CCertCommit::ValidatePropertyBag returned OK
*** CCertCommit::EnableSSL returned ERROR 80070002
*** CCertCommit::CommitEx returned ERROR 80070002

And in the event viewer was this error:

Event Type:    Error
Event Source:    Microsoft Web Proxy
Event Category:    None
Event ID:    11000
Date:        1/28/2005
Time:        6:06:32 PM
User:        N/A
Computer:    SERVER
Microsoft Web Proxy failed to start. The failure occurred during Reading
publishing rules because the configuration property  of the key
could not be accessed. Use the source location 2.546.3.0.1200.365 to
report the failure. The error code in the Data area of the event
properties indicates the cause of the failure. For more information
about this event, see ISA Server Help. The error description is: The
system cannot find the file specified.

I first looked at www.eventid.net and didn’t find anything spot on.  Then I googled on what I felt was the most unique thing about that error.  The part that talks about source location 2.546.3.0.1200.365.  I found a Jim Harrison post that gave me a clue:

What that error is saying is that:
1 – there’s a protocol rule (“Reading protocol rules”) that is referencing
a certain Client Address Set (“Client-Sets”)
2 – the Client Address Set “{0FEE7518-FC55-48D1-9DB4-CB3949983e16}” likely
couldn’t be located in the Policy Elements

Start Regedit and drill down to:
…do you find a key named “{0FEE7518-FC55-48D1-9DB4-CB3949983e16}”?

You’ll have to search your protocol rules to see which one is complaining
about a missing Client Address Set.

I realized I had a mismash of protocol rules that wasn’t matching the registries, so what I did was to manually delete all protocol rules, manually delete all web publishing rules [you have to do the protocols first and then the web publishing] and then I reran the connect to internet wizard and all was well and the wizard would run.

By the way you have gone into the folder called Program files, Microsoft Windows Small Business Server, Networking, ICW and there are included in there an HTM file of what exactly the wizard did

Run the Configure E-mail and Internet Connection Wizard to connect your server to the Internet.

A key function of Windows® Small Business Server 2003 is to configure Internet services to the small business network.

To configure Internet services, use the Configure E-mail and Internet Connection Wizard.

The wizard is designed to correctly configure settings for your network, firewall, secure Web site, and e-mail services that are used when connecting your computer running Windows Small Business Server to the Internet. Additionally, you can use the wizard to return your server’s network configuration to its original state.

There are four components for the wizard:

  • Configure networking. Define the type of connection that your server will use to connect to the Internet. The wizard is designed to support either a broadband or dial-up connection.
  • Configure firewall. Secure your network by preventing unauthorized access to and from your local network. When you enable the firewall on your server, several standard services are allowed through the firewall to ensure Internet connectivity. You can also allow predefined Web services, predefined services, or custom-defined services through the firewall by using the wizard.
  • Configure secure Web site. Allow access to specific Web services or to your entire Web site through the firewall from the Internet. You can select to allow access to the entire Web site or only specific Web services. Specific Web services include Outlook Web Access, Outlook Mobile Access, server performance and usage reports, Remote Web Workplace, and the Windows SharePoint™ Services intranet site. When you allow access to a Web service, the service is also automatically configured to use Secure Sockets Layer (SSL) to secure communications between your server and a Web browser.
  • Configure e-mail. Specify how you will send and receive Internet e-mail. Based on the information specified in the wizard, a Simple Mail Transfer Protocol (SMTP) connector is automatically configured, which is necessary for your Exchange server. You can also configure the Microsoft Connector for POP3 Mailboxes to download mail from POP3 mailboxes at an Internet service provider (ISP). When you enable Internet e-mail, you also have the option to remove specific types of e-mail attachments from incoming Internet e-mail.
  • Troubleshoot network problems. If the network configuration of your server becomes corrupted or changed in any way, you can reset the configuration simply by running the Configure E-mail and Internet Connection Wizard again.


  • If you want to run the Configure E-mail and Internet Connection Wizard at a later time, click the Connect to the Internet task on the Manage Internet and E-mail taskpad in Server Management. To open Server Management, click Start, and then click Server Management.

Look for an htm called ICWdetails__.htm and it will let you know EXACTLY what that wizard did:


This file contains detailed information about the
configurations specified in the Configure E-mail and
Internet Connection Wizard.
The configurations specified in the Configure E-mail and
Internet Connection Wizard determine the settings for your
network, firewall, secure Web site, and e-mail.


After the wizard completes, the following network connection
settings will be configured:
Connection type: Do not change


After the wizard completes, the following firewall settings
will be configured:

Internet Security and Acceleration (ISA) Server will be
configured as follows:

Disable existing filters that may create a filter

Create a standard set of network service filters.
For a list of the standard filters, see firewall settings
for your Windows Small Business Server network in Help and

Create the following additional filters:
Virtual Private Networking (VPN)
Terminal Services
For more information about the port number and
purpose of each additional filter, see firewall settings for
your Windows Small Business Server network in Help and

Create the following custom filters:
SBS Remote Web Workplace CustomFilter, 4125, TCP
NTP, 123, UDP

Add the internal domain name for Windows Small
Business Server to the local domain table (LDT) of ISA
Server to allow ISA Server to route internal network
requests on the local network.

Enable IP routing.

Disable automatic discovery as this interferes with
IIS as both ISA Server and IIS attempt to bind to port 80.

Configure the Web listeners to receive incoming http
requests using Small Business Reverse Proxy Listen Entry.

Disable the H.323 Application Filter for video and
audio conferencing for security.

Set the maximum number of incoming Web request
connections allowed to the default Web site to 500. This
improves system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Add the loopback adapter IP address of to
support the http://localhost for IIS.

Create an incoming Web request listener and bind to
IP address of server’s local network adapter to allow ISA
Server to handle Web requests from the Internet.

Set the incoming Web request listeners to allow a
maximum of 300 connections from the outside. This improves
system availability and reliability by mitigating
denial-of-service attacks against your Web site.

Ensure that the publishing rules created by the
wizard are listed first in the order.

Create publishing rules to route appropriate
incoming Web requests to the server’s local network

Create a Web publishing rule for Outlook Web Access
that publishes the following IIS Web site directories:
/exchange, /exchweb, and /public. This publishing rule
routes appropriate incoming Web requests to the server’s
local network adapter. Additionally, Outlook Web Access will
be configured for Forms Based Authentication (also called
Cookie Authentication). The Public folder is also configured
to accept Windows Integrated Authentication.

Create a Web publishing rule for the Remote Web
Workplace that publishes the /remote IIS Web site

Create a Web publishing rule for the Server
performance and usage reports that publishes the /monitoring
IIS Web site directory.

Create a Web publishing rule for Outlook Mobile
Access that publishes the following IIS Web site
directories: /OMA and /Microsoft-Server-ActiveSync.

Create a Web publishing rule for Outlook via the
Internet that publishes the /rpc IIS Web site directory.

NOTE: Users connecting to Outlook Web Access,
Remote Web Workplace, and Outlook via the Internet, must use
an https:// connection. Additionally, these Web site
directories are configured to require 128-bit encryption.
All other Web sites can use either https:// or http://
Internet Information Services (IIS) will be configured as

Configure http.sys driver to only bind to the local
network adapter to prevent IIS from conflicting with ISA
Server on the ISP network adapter.

Disable socket pooling.
Set DNS to listen to only to the local network
To only listen on the local network adapter. This
allows ISA Server to monitor incoming Web requests from the


After the wizard completes, the following secure Web site
settings will be configured:
Secure Sockets Layer (SSL) will be configured as follows:
The Web server certificate required for https:// will be
created for the following Web server name: domain.com
Create a Web server certificate named ISAcert.cer in
the \sbscert folder and also install this certificate into
ISA Server. This certificate is required so that you can
access secure Web sites on the computer running Windows
Small Business Server if ISA Server is installed.
ISAcert.cer is configured for ISA Server for external Web
clients. Create an additional Web server certificate named
Sbscert.cer and install this certificate in IIS, which is
used by internal clients and by redirected Web requests from
ISA Server.

The incoming Web listener is configured to use the
ISAcert.cer certificate.


After the wizard completes, the following e-mail settings
will be configured:
Exchange will be configured as follows:
Email: Do not change Exchange configuration for Internet
Keep the existing Internet e-mail configuration.

After the wizard completes, the icwlog.txt in C:\Program
Files\Microsoft Windows Small Business Server\Support is
After the wizard completes, the wizard script file
config.vbs is created in C:\Program Files\Microsoft Windows
Small Business Server\Networking\Icw.
NOTE: Each time the wizard runs, a new config.vbs file is
automatically generated to preserve the previous settings.
For example config.vbs, config1.vbs, config2.vbs, and so

Man… I told you someone in the SBS dev team was a beancounter in a prior life.  See people?  Do you REALLY want to do that by hand? 

So anyway I had an extreme low tolerance for tech issues tonight, called Microsoft PSS.

What’s funny is that because I ended up fixing the issue myself while on the call, they refunded the call.  😉

Migration just sucks, let’s face it

I want to revisit yesterday’s blog post talking about different ways to go from point A to point B.  There’s something that is glossed over in the “zeal” to showcase that SBS 2003 is just…well it’s just Windows 2003 [other than we are SO much smarter than plain Windows 2003 that we dont’ allow Terminal Server on our Domain Controller …but that’s another hotly contested blog post].  Nearly anything you can do with migrating from/to Windows 2003, you can do with SBS 2003.

But, there’s something to remember in all of this talk of migration.

Let’s face it.  The process sucks for the consultant.  You are ripping out a working network and hopefully not walking off a deep cliff that you can never return from again.  The Official Microsoft ADMT migration method is the one that Mothership Microsoft will support. 

No matter whether you do it the old fashioned SBSland way of “clean install“, rejoin the domain, and then attempt to make your users are happy that you kinda put their desktops back the way they were, or any other method, migrations is just kinda sucky.  It’s equivalent to choosing a “C-section“ or a “natural birth“ method.  Both have the same result. Both can have issues.  Both can have side effects.  Both involve pain and drugs [drugs in the IT migration case is in the form of caffeine].  Both have huge rewards at the end.

Kinda like we joke about when learning SBS for the first time [install it once, screw it up, install it twice, take notes, install it a third time to check your notes], the same thing is true for a migration plan, you need to test.  Even then, stuff happens.  If you have never done even the Microsoft ADMT migration method before, your client is not the one you should be practicing on.  And for those DIYers like me, realize that I’ve got a support net that’s second to none.  [Admittedly though when I needed to rerun the Connect to Internet wizard tonight and ISA web proxy was barfing, it was the fact that I had a laptop still able to get out to the web to find me support that helped better than the Tech Call I made to Microsoft.  [More on this lovely event in a separate blog post]

So what’s my point here?  My point is that whatever migration path you choose, be comfortable with that path.  Know why you chose it, why it’s the best plan of attack for your situation and just be prepared.  It is doable.  It is possible. We do have options.

Just remember that you can have

  • SBS and a file and print server.

  • SBS and side web server in a DMZ

  • SBS and another SQL server [with cals and what not extra]

  • SBS and a terminal server

  • SBS and multiple servers

  • As long as you stay below the magical limit of 75, you can add any number of servers.

I am constantly amazed by the number of people think that SBS can only be the one server.  Oh and Backup Domain controller or BDC on a SBS network?  I’ve given up trying to correct anyone about the “BDC thing”.  It’s a leftover from the NT 4 days and isn’t relevant anymore…but if you ask me “Can SBS support a backup domain controller?”  I’ll probably say yes because I’ve given up trying to correct the Universe over that misconception.  But yes, we can add additional domain controllers, and member servers, and file servers, and print servers, and……well just keep thinking of the possibilities…NOT the limitations.