Category Archives: Migrationextras

A little reminder of the ickiness of Daylight savings

iPhone DST bug causing alarms to fail across Europe (updated) — Engadget:
http://www.engadget.com/2010/11/01/iphone-dst-bug-causing-alarms-to-fail-across-europe/

Seeing this reminds me that this is the window where building servers is ickier than usual, especially if you are using migration strategies like www.sbsmigration.com to build temp DCs.  Due to the dumb multiple changes in the laws for daylight savings, you will end up with a temp DC that is an hour off because it doesn’t have the DST patch.  Mind you, this is documented in the swing process, but it’s still a pain in the rear.  It only bites you in the window between when daylight savings USED to kick in and when it kicks in now, in November.  A 2003 temp DC, unless it has the DST patch, will shift on the daylight savings date that used to be in play (shifting the hour in October), and you have to patch it so it doesn’t shift.  Server 2008 boxes have the DST patches from the get go and will wait until November to shift.


Also you need to watch time settings in HyperV and ensure that not only is EVERY DC in the same time zone, but also that you’ve turned OFF the time sync in the parent Hyper V.


Bottom line: your 2008 era boxes will shift daylight time in November, 2003 era boxes WITHOUT the daylight patch will have shifted already (so you need to apply the daylight savings patch to them), and you need to turn OFF the HyperV time integration and match time zones.


If the boxes are more than 5 minutes off (plus or minus) they won’t replicate.
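
One way to check the points above from a single admin machine, as an added example that is not part of the original post: it measures each DC's clock offset with w32tm and reads the current UTC offset and DST state over WMI. The server names are placeholders, and the script assumes remote WMI is allowed to each DC.

```powershell
# Added example; server names are placeholders, not from the post.
$DomainControllers = 'SBS2008', 'TEMPDC'
$MaxSkewSeconds    = 300   # the 5-minute limit mentioned in the post

function Get-ClockOffsetSeconds {
    param([string]$Computer)
    # With /dataonly each sample is a line such as "10:15:02, +00.0312040s";
    # a failed sample carries an error text instead of a number.
    $lines = & w32tm.exe /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { return [double]$Matches[1] }
    }
    return $null
}

$report = @(foreach ($dc in $DomainControllers) {
    # The offset is measured against the clock of the machine running this script.
    $offset = Get-ClockOffsetSeconds -Computer $dc
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $dc -ErrorAction SilentlyContinue
    $cs = Get-WmiObject Win32_ComputerSystem  -ComputerName $dc -ErrorAction SilentlyContinue

    $utcOffset = $null; $dst = $null
    if ($os) { $utcOffset = $os.CurrentTimeZone }   # current offset from UTC, in minutes
    if ($cs) { $dst = $cs.DaylightInEffect }

    $status = 'OK'
    if ($offset -eq $null) { $status = 'NO TIME SAMPLE' }
    elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) { $status = 'SKEW OVER LIMIT' }

    New-Object PSObject -Property @{
        Server = $dc; OffsetSeconds = $offset; UtcOffsetMinutes = $utcOffset
        DaylightInEffect = $dst; Status = $status
    }
})

$report | Format-Table Server, OffsetSeconds, UtcOffsetMinutes, DaylightInEffect, Status -AutoSize

# DCs that disagree on the UTC offset are either in different time zones or
# applying different DST rules (patched versus unpatched).
$zones = @($report | Where-Object { $_.UtcOffsetMinutes -ne $null } |
    ForEach-Object { $_.UtcOffsetMinutes } | Sort-Object -Unique)
if ($zones.Count -gt 1) {
    Write-Warning ("DCs disagree on UTC offset (minutes): " + ($zones -join ', '))
}
```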

Watch that WSUS administrator log file location

In looking at my SBS 2008 I realized that the C: drive was getting full WAY too fast.  To see what was using the space I ran the TreeSize Free program (keep in mind you need to run it with “Run as Administrator” in order to properly see the drive size used on the C: drive).



That W3SVC1372222313 folder that is building up log files is the log file repository of the WSUS administrator web site.


If you see this IIS log file site crusting up with too much stuff you can move the location of the IIS logging off the C:\.  You can manually delete off the build up of the files, or you can use your MSP tool to thin these IIS log files (and all unneeded IIS log files) down.


In the IIS console, in the WSUS administrator settings, under logging, change the location to a larger drive



Change that directory to store the IIS log files in another location that isn’t the C:\ drive

Setting up a Member Server Group Policy

I’ve done this twice now and it annoys me every time I do it.


I set up a server in an SBS 2008 domain.  I join it to the domain.  It initially goes into the SBSComputers OU, which has a prebuilt group policy to allow remote desktop and the firewall exclusions for remote desktop.  I move the server from the SBSComputers OU to the SBSServers OU, and if I don’t remember to then manually go back in to the system/remote tab and edit the ability to remote into the server, I’ve locked myself out.


So I built a group policy rule so I won’t do that anymore.


First build a WMI filter:


Launch the group policy management console.  Go in the WMI Filter section, right mouse click and click new.  Title up the policy, put in a description, click add.


Leave the root\CIMv2 namespace as is and in the Query section copy and paste in:


Select * from WIN32_OperatingSystem where ProductType=3


You will note that in the Windows SBS Client the query value is like this:


select * from Win32_OperatingSystem Where ProductType!=2


The “!” stands for “does not equal”, so that one reads “filter on everything BUT the Domain controller”.  The one I’m building specifically targets Server OSes.

http://www.eventlogblog.com/blog/2009/10/useful-wmi-queries-to-filter-g.html


Workstation
Select * from WIN32_OperatingSystem where ProductType=1
Domain Controller
Select * from WIN32_OperatingSystem where ProductType=2
Server
Select * from WIN32_OperatingSystem where ProductType=3



Now we go into the SBSServer OU, right mouse click and click on “Create a GPO in this domain and Link it here”



 Call the group policy something descriptive.  Now go down to Computer Configuration, then to Policies, then to Administrative templates, then to Windows components, then to Terminal Services, then to Terminal Server, then to Connections,  and ensure that “Allow users to connect remotely using Terminal Services” is enabled. 



Next go to  Computer Configuration, then to Policies, then to Windows Settings, then to Security settings then to Windows Firewall with Advanced Network Security and go to inbound rules.


Right mouse click and click on “New Rules”.  Choose predefined rules and choose Remote Desktop (TCP-IN), then Distributed Transaction Coordinator, then Windows Management Instrumentation.  You can thin these down if you like, but for me those three core ones allow me to manage the box remotely better.


So the resulting firewall will look like this:



So there you go, a specific group policy for member servers.


Word of advice when setting up servers that later will be installed in an office or remote location.  Stick logmein free on there until you get the server stable and policies working just so.  You can accidentally log yourself out of RDP, but chances are the logmein beacon will still work just fine so you can figure out what you did and undo it.

Distribution group issue on migrated groups

This hit me today.  One of my old migrated distribution group lists wouldn’t work, and when I tried to edit the members of the distribution groups I got a ‘Validation Error This field cannot be empty’.


Found the solution in the SBS 2008 newsgroups:


https://connect.microsoft.com/SBS08/community/discussion/richui/default.aspx


1. Open adsiedit.msc and connect to the Default Naming Context.
2. Expand Default naming context -> DC=domain,DC=local -> OU=MyBusiness -> OU=Distribution Groups.
3. Find a group that was created post migration and view its properties. Look for msExchVersion = 4535486012416. (Verify if the number list matches this one or not. I suspect it will, but want you to be sure.)
4. Now go view the properties of a migrated group and look for msExchVersion. It may not be there or it may be empty.
    – If it’s empty, set it to the value 4535486012416 or whatever the group you found in #3 was set to.
    – If msExchVersion is not there, you may have to click the Filter button and alter the settings to see if it’s not set to appear.
5. Once you’ve set msExchVersion to the appropriate value, click OK out and then try your edits to the group.


Sure enough, that was the fix.
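
A read-only way to find every affected group at once instead of opening each one in ADSI Edit, added here as an example and not taken from the newsgroup post: it lists the groups in the Distribution Groups OU whose msExchVersion is missing or differs from the value in step 3. The DC=domain,DC=local path is the placeholder from step 2 and must be replaced with your own domain.

```powershell
# Added example; the DN uses the DC=domain,DC=local placeholder from step 2.
$ouPath   = 'LDAP://OU=Distribution Groups,OU=MyBusiness,DC=domain,DC=local'
# Value from step 3; confirm it against a group created after the migration.
$expected = [int64]4535486012416

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$searcher.Filter     = '(objectCategory=group)'
$searcher.PageSize   = 500
foreach ($p in 'name', 'msExchVersion', 'whenCreated') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$results = $searcher.FindAll()
$report = @(foreach ($result in $results) {
    # Search results return property names in lower case; an attribute that
    # is not set comes back as an empty collection.
    $version = $result.Properties['msexchversion']
    $value = $null
    $state = 'OK'
    if ($version.Count -eq 0) {
        $state = 'MISSING'
    } else {
        $value = [int64]$version[0]
        if ($value -ne $expected) { $state = 'DIFFERENT' }
    }

    New-Object PSObject -Property @{
        Name          = [string]$result.Properties['name'][0]
        Created       = $result.Properties['whencreated'][0]
        msExchVersion = $value
        State         = $state
    }
})
$results.Dispose()

# Full picture first, then just the groups that still need the ADSI Edit fix.
$report | Sort-Object State, Name |
    Format-Table Name, Created, msExchVersion, State -AutoSize
$report | Where-Object { $_.State -ne 'OK' } | ForEach-Object { $_.Name }
```

The script changes nothing in the directory; setting the value is still done in ADSI Edit as in steps 4 and 5.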

RWW – tweaking for speed and for large screens

If you have clients that remote from a large screen Vista or Win7 to a large screen Vista or Win7, bookmark these two KBs:


Remote Web Workplace connect to client computer feature may display black bars:
http://support.microsoft.com/kb/2011825/en-us
Remote Web Workplace connect to computer feature may be slow to redraw the screen:
http://support.microsoft.com/kb/2011807/en-us

OALGen encountered an error while generating the changes.oab file for version 2 and 3

I kept getting this in the event logs…


OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list ‘\Global Address List’. The offline address list has not been updated so clients will not be able to download the current set of changes. Check other logged events to find the cause of this error.
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails’ and setting it to 1 on this server. When OALGen next generates the offline address list, clients will perform a full OAB download. After that time, the registry key should be removed to prevent further full downloads.
- Default Offline Address List


And various event sources pointed me to a registry key..


Event ID 9340 Source MSExchangeSA:
http://www.eventid.net/display.asp?eventid=9340&eventno=6436&source=MSExchangeSA&phase=1
Event ID 9360 Source MSExchangeSA:
http://www.eventid.net/display.asp?eventid=9360&eventno=7260&source=MSExchangeSA&phase=1
Error message when a user performs the Send/Receive operation in Outlook: “Unknown error 0x8004011B”:
http://support.microsoft.com/default.aspx?scid=kb;en-us;922255


Now my error didn’t quite sound like Philip’s in:
MPECS Inc. Blog: SBS 2003 to 2008 Migration – Exchange OAB 9331 and 9335 Along with Outlook 0x8004010F Errors:
http://blog.mpecsinc.ca/2009/08/sbs-2003-to-2008-migration-exchange-oab.html


So I’m going to do this registry thingy.. and see what happens and report back in a day or two.


  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type OAL post full if diff fails to name the new value.
  5. Right-click OAL post full if diff fails, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
  8. Dismount and then mount the Public Folder Store again




 

Setting up a bit more of alerts

So I noticed that in the event viewer there was a specific backup log that was deep under the sub folders.  And in there I found that it was warning me that I was getting low on backup space.



So I went into the event viewer and built a task that emails me an alert when the backup is running low on space.  Once you build one for one server, you can export it out, tweak it, and then import it back into another system.


The raw xml looks like this:


But trust me it’s a piece of cake to do inside the event viewer.


<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2009-12-01T18:10:47.6153557</Date>
    <Author>DOMAIN\Admin</Author>
    <Description>Backup target is running low on free space. Future backups to this target may fail for want of enough space.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-Backup"&gt;&lt;Select Path="Microsoft-Windows-Backup"&gt;*[System[Provider[@Name='Microsoft-Windows-Backup'] and EventID=51]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>DOMAIN\Admin</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <SendEmail>
      <Server>10.0.0.5</Server>
      <Subject>Backup space running low</Subject>
      <To>sbradcpa@pacbell.net</To>
      <From>admin@domain.com</From>
      <Body>Backup target is running low on free space. Future backups to this target may fail for want of enough space.</Body>
      <HeaderFields />
    </SendEmail>
  </Actions>
</Task>


 


You find the event that you want an email alert generated from.  You “attach” a task by right mouse clicking on the event.



It’s pretty self explanatory to set up an email task







The trick on this screen is to click that check box to open up the properties dialog after you hit finish as there’s one more key step to adjust.



Tick the box to run whether the user is logged on or not.  This ensures it will run after reboot and doesn’t need someone logged in.



And there’s my two alerts, one for low disk space in the backups, the other for a successful backup. 
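
The export, tweak and import step mentioned in this post can be scripted; the following is an added example, not the author's own code. The file paths, task name, SMTP server, addresses and account are placeholders, and it assumes the exported file has the same structure as the XML shown in this post.

```powershell
# Added example; paths, task name, SMTP host, addresses and account are placeholders.
$source = 'C:\Tasks\BackupLowSpace.xml'            # exported from the first server
$target = 'C:\Tasks\BackupLowSpace-ServerB.xml'    # copy adjusted for the second server
$runAs  = 'DOMAINB\Admin'
$new = @{
    Server = '192.0.2.25'             # SMTP relay reachable from the second server
    To     = 'alerts@example.com'
    From   = 'serverb@example.com'
}

$doc = New-Object System.Xml.XmlDocument
$doc.Load($source)                                 # honours the UTF-16 declaration
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

# Refuse to import a file whose trigger is not the backup event used in this post.
$sub = $doc.SelectSingleNode('//t:EventTrigger/t:Subscription', $ns)
if ($null -eq $sub -or
    $sub.InnerText -notmatch 'Microsoft-Windows-Backup' -or
    $sub.InnerText -notmatch 'EventID=51\b') {
    throw 'Subscription does not target Microsoft-Windows-Backup event 51.'
}

# Point the e-mail action at the new server's relay and addresses.
foreach ($field in $new.Keys) {
    $node = $doc.SelectSingleNode("//t:Actions/t:SendEmail/t:$field", $ns)
    if ($null -eq $node) { throw "SendEmail/$field not found in $source" }
    $node.InnerText = $new[$field]
}

# The exported file still names the account from the first server.
foreach ($path in '//t:RegistrationInfo/t:Author', '//t:Principal/t:UserId') {
    $node = $doc.SelectSingleNode($path, $ns)
    if ($null -eq $node) { throw "$path not found in $source" }
    $node.InnerText = $runAs
}
$doc.Save($target)

# /RP * makes schtasks prompt for the password rather than taking it on the
# command line, where it would end up in history and process listings.
& schtasks.exe /Create /TN 'Backup space running low' /XML $target /RU $runAs /RP '*'
```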


 

Disclaimers in email

One of the final things to put back on my SBS 2008 is a piece of software that puts custom disclaimers depending on the content of the email.  Personally I think email disclaimers are non binding and ridiculous, but unfortunately I have to follow the industry.  So we have ones that when we use key phrases certain disclaimers pop out automagically.


While Exchange 2007 can do disclaimers, I like the fact that we can use a solution that doesn’t put that annoying disclaimer on ALL emails, just the ones that it pertains to.


http://www.policypatrol.com/exchange-disclaimers.htm


Dear Susan Bradley,



Thank you for downloading Policy Patrol Disclaimers. We hope that you will find Policy Patrol a useful tool for adding disclaimers and signatures to your emails.

Policy Patrol Disclaimers offers advanced user-based disclaimer & signature features such as formatting, merge fields, HTML disclaimers with pictures & tables and disclaimers as text attachments. Furthermore, Policy Patrol can avoid adding multiple disclaimers when replying or forwarding and can position signatures after the last entered message text. Policy Patrol can even send a different signature on replies and forwards.


For more information on how to install and configure Policy Patrol Disclaimers, please download the product manual from: http://www.policypatrol.com/docs/PPD5Manual.pdf. More documentation, including Exchange 5.5 and Lotus Domino installation guides, can be downloaded from http://www.policypatrol.com/Download_documentation.htm.


Policy Patrol Enterprise
===============
If you are interested in trying out other features in addition to disclaimers, such as anti-spam, archiving and content checking, you can go to <server name> Security > Licenses and remove your existing license. Click OK. Policy Patrol will warn you that there are no valid licenses. Click OK. Click OK to reconnect. The serial number screen will pop up prompting you to select a serial number. Select Policy Patrol Enterprise 30-day evaluation to gain access to all Policy Patrol features. Your disclaimer configuration will still be intact.



Top 5 FAQs
=========


  1. No disclaimers/signatures are being added
  2. User merge field is not being replaced
  3. Avoid multiple disclaimers is not working
  4. How can I adjust the disclaimer line breaks?
  5. My disclaimer is appearing centered in the message

More FAQs..

Do you have a build document?

So officially demoted my SBS 2003 box tonight (sniff sniff, it served me well for five years) and once again, the first time I ran the dcpromo the netlogon service wouldn’t shut down.  I just went into the service, shut it off and then the server dcpromo’d down.


I went back to my own recap of blog posts (which reminds me I need to add to) as my guidance.  See you guys think I blog to entertain you and gain brownie points with the Mini Cooper management so I can become a Mini Cooper MVP?  Wrong.  I do it for me because it helps me understand and document what I’ve done.  Go back to November of 2004 and that’s the tasks I did when I built my SBS 2003.


To you this is a blog.  To me, it was my build document.  As I did a true dry run of my exact network migration from start to finish.  So when I hit those slight little roadblocks along the way… like the pdf file with the messed up permissions that stopped the robocopy from copying over that I fixed ahead of time by merely deleting the file since I didn’t need it.   Like the fact that on the final step where the dcpromo got stuck on netlogon service still running and not shutting down, I went “oh yea, I blogged about that, just turn off the service and try it again”


And it reminds me that we need/you need/we all need to have a build document.  A plan of action.  A document that provides you guidance all the way from start to finish to patching.


http://blogs.msdn.com/sbsdocsteam/archive/2009/11/12/the-windows-sbs-2008-migration-guides-are-updated.aspx


Something that takes those documents and makes them your own.

Why you want to turn off the SBS 2003 before you remove it…

… because you find out the dumb things you forgot… like….


The fact that the Live Communication server still had its NIC pointed to .x rather than .y for its DNS resolution even though .y is the new server.  So when I turned off .x it had issues with DNS.  Changed the NIC properties to point to the new server and all was well.


I wasn’t as smart as I thought I had been and I found a couple of XP 32bit’s still pointing to \\oldserver\printername rather than new server.  Bookmark this post, you’ll probably need it:  http://blogs.technet.com/sbs/archive/2009/02/13/how-to-add-32-bit-print-drivers-to-sbs-2008.aspx  and read up on that http://technet.microsoft.com/en-us/library/cc753109(WS.10).aspx


Then I wanted to test the ability of our UPS’s to hold up the new server …and weeelllllll… hmmm… long story short it didn’t quite go as I planned but the good news is I did a dry run of the test to ensure I could log in via RDP to the HyperV parent if the SBS 2008 that handles the AuthAnvil authentication is down.  Thank you, Dana, the bypass so that the non domain joined parent can bypass the AuthAnvil should the DC be down worked beautifully.


So don’t forget, when doing a major migration, turn the old SBS 2003 box off for a day.  See who finds something that doesn’t work.