Monthly Archives: August 2005


Need the tool to uninstall Norton?

Need the link to uninstall Norton… REALLY uninstall it?


Here it is.

So Quickbooks REALLY needs admin?

Got a call tonight about having Quickbooks go on a Terminal server and first off I should state… this is not supported by QB.  You are ‘supposed’ to buy QB Enterprise… that said..there’s a link about QB on TS.  Remember to get Quickbooks to run without local admin or power user rights on the local XP machine [non LUA] you have to do some more tweakage.


Applications : QuickBooks


The official statement from Intuit is that running QuickBooks 2003 in a Terminal Server session is not supported. Read the details in Microsoft Terminal Server functionality for QuickBooks


Notwithstanding the above, users in the terminal services newsgroups have reported that you can make QuickBooks available in a TS environment, if you give the users some extra privileges. Here are the steps:

  • perform a normal installation of QuickBooks (in install mode!)
  • reboot
  • enter install mode again (change user /install), start QuickBooks and activate it by entering the registration code (this is a crucial step, and must be performed immediately following the reboot)
  • go back to execute mode (change user /execute)
  • copy the %systemroot%\Intuit folder into each user’s %userprofile%\Windows folder
  • create a Quickbooks Users group
  • add your users to this group
  • give the group Full Control to HKEY_LOCAL_MACHINE\Software\Intuit\QuickBooksRegistration
  • give the group Full Control to HKEY_CLASSES_ROOT\.QPG
  • give the group Full Control to HKEY_CLASSES_ROOT\obja.obja
  • give the group Full Control to HKEY_CLASSES_ROOT\Quickbooks.application – QB Premier 2004 only?
  • give the group Modify rights to the %Program Files%\Intuit folder
  • give the group Modify rights to the %Program Files%\Common Files\Intuit folder

Printing issues


Make sure that clients use short names for their local printers if they need to print to a redirected local printer. Quickbooks cannot handle long printer names.
It’s also important WHEN the driver was installed. Apparently QuickBooks only sees so many drivers in the registry, so if you installed 16 printer drivers and the 17th was the one you need auto-created, QuickBooks won’t see it.


Misc. issues


  • 123869 – Message: “An ActiveX control on this page is not safe” or QuickBooks Centers are blank

Further reading:


  • 320185 – HOW TO: Use the CHANGE USER Command to Switch to Install Mode in Windows
  • 186498 – Terminal Server Application Integration Information

Disclaimer: I have no knowledge of the License Agreement for QuickBooks. You should check your License Agreement with Intuit to see if running QuickBooks on a Terminal Server is a violation or not.



Update


QuickBooks 2005 Enterprise Solutions does support Terminal Services! Check QuickBooks Enterprise Solutions: Features and Benefits for details.



After installation, follow these steps:


  1. Right-click on the QBES shortcut
  2. Choose Properties
  3. Go to the Compatibility tab
  4. Put a checkmark in the box labeled “Allow Non-Administrators to Run This Program”
  5. Apply and save

And yes…it REALLY wants Admin unless you hack it…

It’s not too late for SMBnation

So you’ve put it off haven’t you?


And now you know you should be there.  You HAVE to be there.  YOU MUST BE THERE.  There at SMBnation in Redmond. Mothership Redmond.  September 9th to 11th.  And now the Marriott Redmond Town Center and the Residence Inn are sold out.  So now what?


Well, there are other hotels that can put you up.  In fact you might want to drive and park at the Marriott and join us looney bins on the bus ride over.

RECOMMENDED: 
Homestead Hotel Redmond (5-min walk to conference center)
http://www.homesteadhotels.com/hotels/seattle-redmond.html
15805 N.E. 28th St.
Bellevue, WA  98008
425-885-6675

CLOSE-BY: 
Silver Cloud Bellevue Eastgate (10-min drive to Microsoft Conference Center)
14632 Southeast Eastgate Way
Bellevue WA 98007  
800-346-8357  
If you don’t go…. you’ll be kicking yourself…..don’t be sorry….

If the worst occurs?

My city is about the same size as New Orleans.  And what if every man, woman, child, animal was ordered to leave.

Unbelievable… and think of all the SBSers in the area that are facing just that.

Gulf SMBs Flirting with Disaster:

Uh…That’s us folks…we’re SMBs out here too.

Some links for disaster recovery.. [not planning...but recovery] below….

 Getting back to business


Got any other resources for RECOVERY you want to share?

More on why we want .local, .lan, .bozo, .whocares but not .com, .net or .org

Read this KB


Quoted from there:


The following list describes some of the advantages when you use a separate and private domain name for the local Small Business Server network:


 


  • The management of the local namespace is controlled by the Small Business Server Server. When you use a private FQDN for local DNS name resolution, the DNS server becomes the start of authority for the local domain. This result means that a query to external DNS root servers is not required for local resource name resolution. 
  • The security may be increased for your DNS server by not enabling zone transfers by means of the zone transfer properties of the forward lookup zone. Because dynamic registration of internal hosts can occur with the DNS server, if you disable the zone transfers from external clients, you can limit the exposure of internal host names to the Internet.
  • The natural separation of internal and external networks occurs because of the use of a separate internal namespace. A client query generated from the Internet for www.contoso.local does not return any valid domain information because .local, at the present time, is not a registered domain name. However, by using the Web Publishing rules in Internet Security and Acceleration (ISA) Server, internal Web sites can be hosted externally and viewed by using resolvable domain names. This hosting still requires a registered domain name as well as the appropriate public DNS records that resolve to the external IP address of Small Business Server. Refer to “Configuring Publishing” in ISA Server Help for more information about Web Publishing rules.

 


The disadvantages of using the sub-domain of a publicly registered domain name or a publicly registered domain name include, but may not be limited to, the following issues:


  • Internal clients may be able to resolve resources on the internal domain, however, queries to external resources of the domain are not resolved by the DNS server. For example, if the internal network namespace is configured by using the publicly registered domain name of Contoso.com, only resources that have “A” (Host) records in the forward lookup zone for Contoso.com are available to local clients. This behavior can pose a problem if Contoso.com hosts resources, such as, a web server by means of an external provider or Internet service provider (ISP). Any queries from internal clients to www.contoso.com are resolved as a negative query by the local DNS server because the “A” record for “www” does not exist in the forward lookup zone for Contoso.com. For clients to access external resources, “A” records must be added to the forward lookup zone of the DNS server for those resources.
  • The use of a publicly registered sub-domain name can pose the same problems as described for a publicly registered domain name. If at any time, the start of authority for the registered domain (Contoso.com, in this example) adds records for sub-domains, the currently configured private sub-domain may become public.
  • Name resolution problems that are created by using a publicly registered domain name can be avoided by planning the private namespace around a .local first-level domain so that, in this example, Contoso.com and Contoso.local are both available to internal clients, but Contoso.com is only available to external internet clients.

Part two of Dr. Tom meets SBS [and I have some comments]

Split DNS and DNS forwarding… if there’s something that I will go on record as disagreeing with Dr. Tom [Mr. ISA Server] Shinder on is these two items.

In part two of Dr. Tom meets SBS, he talks about both.  And while I respect his passion and belief in these topics [lord only knows I'm a bit passionate myself], in SBSland, the information he gives just … well, it’s just not SBSized.

First let’s take the easier one of the two. If you don’t want to do DNS forwarding…whereby in the Connect to Internet wizard you enter the DNS info from your ISP, then just leave it blank and your SBS box will do DNS lookup work just fine using something called ‘root hints’.  It will slow down the resolution ‘just’ a smidge, but I don’t agree that you should be putting ‘bogus’ entries in that box like that.

The help file says “*Preferred DNS server*: If the value was not defaulted by the wizard, you must type the IP address of the DNS server at your ISP. The DNS Server service provided with Windows Small Business Server 2003 will be configured to forward the DNS queries it cannot resolve to the DNS server you specify.

If you do not specify DNS server information, name resolution requests must instead use root hints. It is recommended that you use DNS server information if it is available from your ISP. For more information, click *Start*, click *Help and Support*, and then search for ‘root hints’.”


Maybe if this warning box that you get if you leave the ISP DNS info blank was more ‘in your face’ it would be more obvious?  But bottom line I disagree about putting in bogus DNS info in that box.


Next the .local stuff.


There’s a reason we do that… in the help file it says…


The full DNS (Domain Name System) name and NetBIOS domain name are used to create your Windows Small Business Server domain. Having a domain enables you to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Setup provides default settings for your internal domain, separating your local (internal) network from the Internet (external network). It is recommended that you use these values.


Dr. Tom in his article states:


“The problem is that this statement is patently untrue. The belief that using the same domain name for internal and external domains is a security issue is based on misconfiguring the split DNS required for using the same domain name for both the internal and external network domains. It is untrue because a core tenet of a well designed split DNS infrastructure is that the internal and external zones authoritative for the internal and external domain names have no relationship other than the domain name.


This is why there is no security issue with using the same domain name for external and internal domains. The only way you would run into security problems is if you, for some reason, decided to do a zone transfer from your internal DNS zone to your external DNS zone. If you did configure such a zone transfer, you could put the privacy of your internal naming infrastructure at risk. However, there’s no reason in the world to ever configure such a zone transfer, so imagined security issues related to mirrored DNS zone information is bogus at best, and misleading at worst.


There are many advantages to using the same domain name for internal and external zones. However, in the SBS single server environment where it’s likely that you’ll be hosting Web and other resources at an ISP or Web hosting service, the split DNS can make things more complicated. However, you can still deploy a fine-tuned split DNS infrastructure while leaving your Active Directory domain’s top level top name .local. In a future article I’ll go through the step by step procedures to make this happen so that you can benefit from the elegant transparency provided by a split DNS infrastructure.”


Uh… say what?  Dr. Tom totally lost me on these statements.  We don’t do external DNS, and more often than not we [I know I do not] host a web site somewhere else and we get WAY more people asking “I can’t get to my firm’s web site”.  Remember what it says in the help file regarding the .local?


Local Domain vs. Internet Domain


A local domain is a way to manage access to resources on your network (for example, user accounts, client computers, shared folders, or printers). Local domain information is also used by tools and applications, such as Microsoft® Exchange Server 2003 or Microsoft® Windows® SharePoint™ Services. The local domain, or internal domain, for your Windows Small Business Server 2003 network is created automatically as part of Setup using a default value of organization_name.local. An Internet domain name is a friendly name used to identify your company on the Internet. An Internet domain name is registered for use on the Internet through an Internet registrar and uses the extension such as .com, .net, and .biz.


Setup creates your local, or internal domain, by installing and configuring the Active Directory® directory service. Setup uses the default value of .local for the last label of the internal domain name because the .local label is a more secure configuration as it is not registered for use on the Internet. This also separates your internal domain from your public Internet domain name. Additionally, using the extension of your registered Internet domain name can result in name resolution issues.


Once you name that box the same as your firm’s Internet domain [that due to firm mergers and acquisitions... I'll bet you a Mountain Dew you'll be changing that sucker at some point in time], you are stuck with that name.  Which is why you shouldn’t call it the name you expect to use on email and web sites.  I strongly recommend you call that internal domain .lan for mac, .local, heck call it computer.bozo, it doesn’t matter, but don’t call it your email address because if you are the agile firm that I know you are, you’ll be changing that sucker and then go into the newsgroup asking “can this be changed” and we’ll say…uh …no it can’t. 


Furthermore, Dr. Tom says it makes it more complicated to call it .local.  I disagree… it makes it more complicated to call it the same name.  We later enter the mailhosting domain name into the Exchange setup wizard [Connect to Internet] and it doesn’t matter what the internal name is called whatsoever.  But I’ll guarantee if you call your internal computer name the same as your externally hosted web site, we’ll have to walk you through hacking the A record inside the server afterwards.  In SBSland it causes more problems, not less.


Remember we ALWAYS look inward for our DNS… not outside… naming us .local means the box always stays inside for inside stuff and doesn’t try to resolve anything internal by looking external first.
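
The resolution problem from the KB quote earlier on this page and from the paragraphs above, as an added example (not code from the KB article, from Dr. Tom's article, or from this blog): a toy model of a DNS server that answers from its own forward lookup zone whenever it is authoritative for a name and only goes outside otherwise. The class, the host names under Contoso.com and Contoso.local, and all addresses are constructed for illustration.

```python
# Added illustration: a toy model of how an internal DNS server chooses
# between its own zone and the outside world. Not real DNS code; every
# address and host name below is a constructed sample.

# What the ISP forwarder or root hints would answer for public names.
PUBLIC_DNS = {"www.contoso.com": "203.0.113.10"}  # site hosted externally


class InternalDnsServer:
    """Answers from zones it is authoritative for; sends the rest outside."""

    def __init__(self, zones):
        # zones: {zone_name: {fqdn: ip}}, one entry per forward lookup zone
        self.zones = zones
        self.sent_outside = []  # names this server had to ask the outside about

    def _authoritative_zone(self, name):
        # Longest matching suffix wins, as in real zone selection.
        hits = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def resolve(self, name):
        name = name.lower().rstrip(".")
        zone = self._authoritative_zone(name)
        if zone is not None:
            # Authoritative: a missing record is a negative answer. The
            # query is never passed on to forwarders or root hints.
            ip = self.zones[zone].get(name)
            return ("authoritative", ip) if ip else ("nxdomain", None)
        self.sent_outside.append(name)
        ip = PUBLIC_DNS.get(name)
        return ("forwarded", ip) if ip else ("nxdomain", None)


def compare_namespaces():
    same_name = InternalDnsServer(
        {"contoso.com": {"server01.contoso.com": "192.168.16.2"}})
    private = InternalDnsServer(
        {"contoso.local": {"server01.contoso.local": "192.168.16.2"}})
    # The manual workaround: copy the external A record into the internal zone.
    patched = InternalDnsServer(
        {"contoso.com": {"server01.contoso.com": "192.168.16.2",
                         "www.contoso.com": "203.0.113.10"}})
    results = {
        "same_name": same_name.resolve("www.contoso.com"),
        "private": private.resolve("www.contoso.com"),
        "patched": patched.resolve("www.contoso.com"),
        "internal_host": private.resolve("server01.contoso.local"),
        "missing_internal": private.resolve("payroll.contoso.local"),
    }
    # Only the public name left the building; .local lookups stayed inside.
    results["private_sent_outside"] = private.sent_outside
    return results


if __name__ == "__main__":
    for case, answer in compare_namespaces().items():
        print(f"{case:22} {answer}")
```

The patched case is the A-record workaround mentioned above; a record copied into the internal zone has to be updated by hand if the hosting provider changes the address.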


Just as a footnote… even with a router, I use the “broadband” selection and put a static IP address in the inside NIC and outside NIC setup. 


Welcome to SBSland Dr. Tom, I just still disagree with some of your comments. 

Do Domain Admins have to have access to EVERYTHING?

From the mailbag today comes a question about Sharepoint security….

We discovered that a domain administrator has access to all sharepoint sites created on an SBS server.  The issue here is when the execs in the company want to create a site to discuss business, financials, HR, etc., they probably need a domain admin to set it up.  That is obviously a problem if the domain admin or anyone in the domain admins group has access to such sensitive information.  I’ve not had a chance to look closely, but would this happen if the domain admins group had Administrator access to SQL and the Sharepoint site was SQL based?  Any insight is appreciated.


So knowing that Chad Gross wrote the Sharepoint chapter in the SBS Unleashed that does indeed talk about changing some of the default permissions of Sharepoint to ‘tighten’ them up a bit, I ran the question also by him…. and he said


[Captain Obvious mode]


Well domain admins have access to everything, so if you can’t trust your domain admins, time to start looking for a replacement.


[/Captain Obvious mode]


He went on to say that he saw this as an HR issue, not a technology issue.  That you could have the same issue with Excel Spreadsheets in a shared folder.  That admin is GOD. 


It reminded me of the Blog post/article by Steve Riley which drives home the same thought… this isn’t a technology problem…it’s an HR problem here.  One that you need policies in place for, not tweaking ACLs.


So.. the answer is… no… you are going to have to put policies in place so you ‘can’ trust that Admin.

Ray-Ism: Where’s my ConnectComputer?

So from the mailbag tonight comes a question about getting workstations to work via RWW but it appears that the setup may be a bit more horked than that.  When the person goes to /connectcomputer it says “Page cannot be displayed”.


So googling around… I came across “Ray THE MAN Fong” postings… Ah Ray… who suffered through dealing with a bunch of us MVPs in Charlotte for training…


Per Ray here are some Steps to troubleshoot with:


  • Ensure clients are pointing to the server for their DNS
  • Check to see if you can bring up http://servername
  • In IIS check to see if you have a virtual directory called ConnectComputer under the Default Web site
  • If you don’t…. look at c:\Inetpub to see if there is a folder called ConnectComputer, and if there is, make a virtual directory called ConnectComputer under the Default Web site and enable anonymous access to it.
  • Add the http://servername to the IE Intranet zone on the local machine
  • And if you are an upgrade from SBS 2000, remove the URLScan security tool and download the updated version

Thanks Ray…even more than a year later your posts are Golden!

WSUS on SBS

Overheard by an SBSer at a T2 presentation.

“It’s AWFUL! It rebooted all of a client’s machines in the middle of the workday, including the SERVERS.”


Uh…folks… you SET the timing of the reboot, or you can let the end user manually download.  You ‘chose’ it to reboot in the settings that you selected. 


Read the instructions carefully….. and I have some pictures here.


…thanks to Happyfunboy for surviving a TS2 presentation without getting up and slugging a couple of folks….

SBA on SBS [the unsupported instructions to get the datafile ON the network]

So you build a Small Business Accounting Program and you call it a multi user version…and then you don’t install it on SBS in such a way so that the msde datafile is ‘on’ the server, but rather on a desktop inside the office.


Okay ….lemme get this straight… why does EVERYONE see the word ‘multi-user’ and translate that to “Peer to Peer” except for me?  I WANT that datafile ON the Server.  I mean that’s WHY I have a network you know so that data can be better protected over there.  I don’t see peer to peer networks as being of value to me.  I WANT a server.  I WANT the active directory goo.  I WANT the control.  So what’s a gal to do? 


She gets advice from her fellow geeks who hack up the way to get it on the server. 


So here are the unofficial, unsupported instructions to get SBA on SBS 2003.


“What I have done is install Small Business Accounting on SBS2003.  This results in an MSDE instance called MICROSOFTSMLBIZ being installed there.  The instance can host the BCM database as well.  You would install BCM on your workstation, set it up for sharing and add users.  Then shut down Outlook and SQL on your workstation, copy the BCM database and log file to the server and use SQL Enterprise Manager to attach them there.  Restart SQL and Outlook on the workstation.  You should now be able to redirect Outlook to the copy of the database on the server.


Unfortunately this method is not supported by Microsoft as I mentioned in the meeting.  In fact, if you have SBS Premium you can upgrade the MSDE instance to full SQL to remove any database size or number of user limitations.”


Remind me to email Dennis Clark and give him feedback to take back that they DO start supporting SBA on SBS.  I mean… it just makes sense, you know?