SBS 2008 – Certificate Authority Web Enrollment (Part 1)

I wanted to create a certificate in PKCS #10 format on one of my SBS 2008 servers. This was needed so I could use two-factor authentication for my ILO board. Guess what: SBS 2008 does not include the web interface necessary to create the certificate (it was installed if you installed Certificate Services under SBS 2003). Based on some help, here are the steps needed to get Certificate Authority Web Enrollment installed.

  1. On the SBS 2008 server, open Server Manager.
  2. On the Roles node, select Active Directory Certificate Services and select Add Role Services.
  3. Select Certificate Authority Web Enrollment and finish the installation.
  4. Visit http://servername/certsrv in Internet Explorer.
  5. Select Request a certificate.
  6. Select Advanced certificate request.
  7. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
  8. Paste the contents of the certreq.txt file and select the User template.
  9. Finish the wizard.
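Steps 4 to 9 can also be done from the command line with the built-in certutil.exe and certreq.exe, which is handy when the certsrv pages are not installed. This is an added example, not code from the original post; the request file path, the CA config string and the template name are assumptions for your environment.

```powershell
# Added example, not from the original post: command-line equivalent of steps 4-9 above.
# Uses the built-in certutil.exe and certreq.exe. The request path, CA config string
# ("CAhost\CAname") and template name are assumptions; adjust them to your environment.
param(
    [string]$RequestFile = 'C:\temp\certreq.txt',                         # PKCS #10 exported from the ILO board
    [string]$CaConfig    = 'SBSSERVER.domain.local\domain-SBSSERVER-CA',  # assumption: your CA's "host\name"
    [string]$Template    = 'User'                                         # template chosen in step 8
)

# Confirm the file really is a PKCS #10 request before handing it to the CA.
$dump = & certutil.exe -dump $RequestFile 2>&1
if ($LASTEXITCODE -ne 0 -or -not ($dump -match 'PKCS10')) {
    throw "$RequestFile is not a readable PKCS #10 request:`n$($dump -join "`n")"
}
# Show the subject so the operator can confirm this is the request they meant to sign.
$dump | Select-String -Pattern 'Subject:' -Context 0, 1

# Submit against the named template; the issued certificate is written next to the request.
$certFile = [IO.Path]::ChangeExtension($RequestFile, '.cer')
& certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $RequestFile $certFile
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

if (Test-Path -LiteralPath $certFile) {
    # Check what was issued: subject, issuer, validity, and that it chains to a trusted CA.
    & certutil.exe -verify $certFile
} else {
    # A template that needs CA manager approval leaves the request pending on the CA.
    Write-Warning "No certificate written. If the request is pending, approve it on the CA and run:"
    Write-Warning "  certreq -retrieve -config $CaConfig <RequestId> $certFile"
}
```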

This allowed me to generate the certificate; in part 2 I will explain how I secured the web site itself.

Exchange Test Web Site

As I have been working through my OAB issues as of late, I came across a very good test site. It may be known to many of the blog readers, but for those who don't know, it can be found at:

https://www.testexchangeconnectivity.com/

It provides the following tests:

Microsoft Exchange ActiveSync Test

This test will simulate the steps a mobile device uses to connect to an Exchange Server using Exchange ActiveSync.

Microsoft Exchange ActiveSync AutoDiscover Test

This test will walk through the steps a Windows Mobile 6.1 device (or another AirSync-licensed device) uses to connect to the AutoDiscover service.

Microsoft Office Outlook 2007 AutoDiscover Connectivity Test

This test will walk through the steps Microsoft Office Outlook 2007 uses to connect to AutoDiscover.

Microsoft Office Outlook 2003 RPC/HTTP Connectivity Test

This test will walk through the steps Microsoft Office Outlook 2003 uses to connect via RPC/HTTP.

Inbound SMTP Email Test

This test will walk through the steps an Internet e-mail server uses to send inbound SMTP e-mail to your domain.

I found it very useful; hopefully you will too.

Deleted Update Services GPOs on SBS 2008

Somehow as part of the migration from SBS 2003 to SBS 2008 several GPOs were deleted (personally I blame the Jr. Admin who was helping me with the migration – that will teach me to let someone else muck around with my SBS Server / just kidding).

They managed to break the default settings in WSUS. I ran the SBS BPA and it reported the following: "The default AutoApproval rule is enabled. Because of this, software updates are not managed by Windows SBS 2008 Update Services." This results in a blue question mark in the Updates section of the Windows SBS Console.

Also, from the Tasks menu within the SBS Console, when you click on "Change the software update settings", the error reported back is: "Software Update Settings = Cannot display Software Update Settings. The Update Service group policy settings are not accessible. For resolving this issue, please contact Microsoft Product Support."

The problem was:

The error message indicates that SBS cannot find the default WSUS GPOs or that these GPOs are corrupted. If there are problems with the default WSUS GPOs, this error message will pop up and the console will subsequently crash.

The fix was the following:

Please run "gpmc.msc" to open the GPMC and then verify that the following GPOs are available and linked at the domain level:

Update Services Client Computers Policy

Update Services Common Settings Policy

Update Services Server Computers Policy

If not, please link them to the domain and see if it works.

If the problem persists or the default WSUS GPOs are missing, we need to recreate the three GPOs with the default names and configurations. Please create the GPOs and configure them according to the attachment:

http://msmvps.com/members/levy/files/Update-Services-Client-Computers-Policy.zip.aspx

Please note the following two policy settings in the “Update Services Common Settings Policy” GPO must be modified to the real SBS server name in your scenario:

“Computer Configuration”->”Administrative Templates”->”Windows Components”->”Windows Update”:

Set the intranet update service for detecting updates: http://<SERVER>:8530

Set the intranet statistics server: http://<SERVER>:8530
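A scripted version of the check above (GPOs present, linked at the domain level, and the two intranet settings pointing at the SBS server on port 8530), added here as an example rather than taken from the post. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Server 2008 R2 or later), and the server name is a placeholder.

```powershell
# Added example, not from the original post: checks that the three Update Services GPOs
# exist, are linked at the domain root (what the SBS BPA complains about), and that the
# Common Settings policy points clients at the SBS server on port 8530.
# Assumes the GroupPolicy and ActiveDirectory modules; the server name is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$SbsServer   = 'SBSSERVER.domain.local'          # assumption: your SBS server's FQDN
$expectedUrl = "http://${SbsServer}:8530"
$domainDn    = (Get-ADDomain).DistinguishedName
$required    = 'Update Services Client Computers Policy',
               'Update Services Common Settings Policy',
               'Update Services Server Computers Policy'

# Display names of the GPOs linked at the domain level.
$linkedAtDomain = (Get-GPInheritance -Target $domainDn).GpoLinks | ForEach-Object { $_.DisplayName }

$problems = @()
foreach ($name in $required) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        $problems += "GPO missing: $name"
    } elseif ($linkedAtDomain -notcontains $name) {
        $problems += "GPO exists but is not linked at ${domainDn}: $name"
    }
}

# The two policy settings named above are stored as WUServer and WUStatusServer under this key.
$key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
foreach ($valueName in 'WUServer', 'WUStatusServer') {
    $entry = Get-GPRegistryValue -Name 'Update Services Common Settings Policy' -Key $key `
                 -ValueName $valueName -ErrorAction SilentlyContinue
    if (-not $entry) {
        $problems += "$valueName is not configured in the Common Settings policy"
    } elseif ($entry.Value.TrimEnd('/') -ne $expectedUrl) {
        $problems += "$valueName is '$($entry.Value)', expected '$expectedUrl'"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Update Services GPOs look healthy.' }
```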

Re-creating OAB in SBS 2008

Here are the steps needed to re-create the OAB on an SBS 2008 server. These steps are from the open Microsoft Support case I mentioned in another blog posting.

1. Turned logging up to expert level from the Management Shell:

Set-EventLogLevel "MSExchangeSA\OAL Generator" -Level Expert

2. Built the Offline Address Book: Organization Configuration – Mailbox – Offline Address Book – Update

- or from the Management Shell run the following command: Update-OfflineAddressBook "name of the offline address book"

3. Looked for event IDs 9340 and 9360 for the following legacyExchangeDN: ' '

4. Ran the following command to update:

Update-OfflineAddressBook "NEW"

5. Opened Regedit and navigated to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters

- Added a new DWORD value 'OAL Post Full If Diff fails'

- Set the value to 1

6. Rebuilt the Offline Address Book, looked for the 9107 event and verified that no 9340 or 9360 events were generated.

7. Removed the registry value added in step 5.

8. Reduced the logging level: Set-EventLogLevel "MSExchangeSA\OAL Generator" -Level Lowest

9. We restarted the File Distribution Service.
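The rebuild procedure above as a single script for the Exchange Management Shell on the SBS 2008 server, added as an example (not from the post or the support case). The OAB name is an assumption; the registry value name, log source and event IDs are the ones given in the steps, and the registry value and logging level are reset even if the rebuild throws.

```powershell
# Added example, not from the original post: the OAB rebuild steps above as one script,
# run from the Exchange Management Shell. The OAB name is an assumption; the registry
# value, log source and event IDs are those listed in the steps.
param([string]$OabName = 'Default Offline Address Book')       # assumption: your OAB name

$regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
$regValue = 'OAL Post Full If Diff fails'
$logSrc   = 'MSExchangeSA\OAL Generator'

# MSExchangeSA events with the given IDs logged since $Since, so only this rebuild is judged.
function Get-OalEvents([int[]]$Ids, [datetime]$Since) {
    Get-EventLog -LogName Application -Source 'MSExchangeSA' -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $Ids -contains $_.EventID }
}

try {
    Set-EventLogLevel -Identity $logSrc -Level Expert             # step 1
    $start = Get-Date

    # step 5: post a full OAB if the differential fails; the value is removed again in finally
    New-ItemProperty -Path $regKey -Name $regValue -Value 1 -PropertyType DWord -Force | Out-Null

    Update-OfflineAddressBook -Identity $OabName                  # step 6: rebuild
    Start-Sleep -Seconds 60                                       # give the generator time to log

    $failures = Get-OalEvents -Ids 9340, 9360 -Since $start
    $success  = Get-OalEvents -Ids 9107 -Since $start
    if ($failures) {
        $failures | Format-List TimeGenerated, EventID, Message
        throw 'OAL generation is still logging 9340/9360 errors'
    }
    if ($success) { "OAB '$OabName' rebuilt; 9107 logged with no 9340/9360 errors." }
    else { Write-Warning 'No 9107 event yet; re-check the Application log before concluding.' }
}
finally {
    Remove-ItemProperty -Path $regKey -Name $regValue -ErrorAction SilentlyContinue   # step 7
    Set-EventLogLevel -Identity $logSrc -Level Lowest                                  # step 8
    Restart-Service MSExchangeFDS                                                      # step 9
}
```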

While this did not fix my OAB problem, it does have value for those of you who are having OAB issues and need the steps to re-create it.

Hot off the Press: RPC and OAB SBS 2008 Fix

All in all, my migration from SBS 2003 to SBS 2008 went well. I am planning on posting several of the errors I found at a later time. But there was one issue that had been plaguing me since the migration.

Several users (myself included) had issues downloading the Offline Address Book (OAB). The local clients would just get stuck trying to download it and, worse, the remote users' Outlook sessions would hang completely. I tried several things, which did not solve the issue (including having one of my remote users upgrade from Outlook 2003 to Outlook 2007 to see if that would fix his issue). I opened a support case with Microsoft and, while we were working through the issue (I plan on posting snippets of the case once it is closed), I was doing my own searching, because the problem would occur, then resolve itself, then re-occur again with no rhyme nor reason. I came across a blog posting on the EMEA SBS Team's site:

http://blogs.technet.com/asksbs/archive/2008/12/10/intermittent-outlook-anywhere-connectivity-in-sbs-2008.aspx

Today we implemented the fix and so far things are looking great. I wanted to get this out only because I am a real-life case of how the problem existed for a user and how the fix actually did fix my problem (thus far).

The interesting thing is, my local and remote users were having OAB issues, not just RPC issues.

To fix the problem we did the following:

1. We made modifications to the web.config file in the following path:

C:\Program Files\Windows Small Business Server\Bin\webapp\SBS Web Applications

2. We removed the following line from between <modules> and </modules>:

<add name="HttptoHttpsRedir" type="Microsoft.WindowsServerSolutions.IWorker.IIS.Modules.HttpToHttpsRedir,HttpToHttpsRedir,Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="" />

3. Did an IISReset.
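The same three steps done with a backup and an XML edit instead of hand-editing web.config, added here as an example (not code from the post or the linked article). The web.config path is the one given above; the IIS site name is an assumption. Because the removed module is what bounced plain-HTTP requests to HTTPS, the script finishes by showing the site's SSL access settings so you can confirm SSL is still required there before IIS restarts.

```powershell
# Added example, not from the original post: performs steps 1-3 above with a backup and
# an XML edit, then shows the site's SSL settings, because with the redirect module gone
# nothing in web.config bounces plain-HTTP requests to HTTPS any more.
# The web.config path is from the post; the IIS site name is an assumption.
$webConfig  = 'C:\Program Files\Windows Small Business Server\Bin\webapp\SBS Web Applications\web.config'
$moduleName = 'HttptoHttpsRedir'
$siteName   = 'SBS Web Applications'                                   # assumption: IIS site name

# Timestamped copy so the edit can be reverted.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $webConfig -Destination $backup

[xml]$xml = Get-Content -LiteralPath $webConfig
# The entry sits inside <modules>; snapshot the matches before removing them.
$nodes = @($xml.SelectNodes("//modules/add[@name='$moduleName']"))
if ($nodes.Count -eq 0) {
    Write-Warning "No '$moduleName' entry found in $webConfig; nothing changed."
    return
}
foreach ($node in $nodes) { [void]$node.ParentNode.RemoveChild($node) }
$xml.Save($webConfig)
"Removed $($nodes.Count) '$moduleName' entry(s); backup saved to $backup"

# Confirm SSL is still required on the site itself now that the module no longer enforces it.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd list config $siteName -section:system.webServer/security/access

& iisreset.exe
```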

To WSUS or Not to WSUS

Based on my last blog post, it got me thinking: is WSUS the best solution for a small (read: under 5 computers) installation? Windows SBS 2003 requires (for all the nifty green checks to work) that you do not make modifications to WSUS via the WSUS Administration tool. See Microsoft Support article:

http://support.microsoft.com/kb/921910/en-us

SBS also requires that the server download all patches for all operating systems, devices, etc. Making modifications to this also breaks WSUS.

Based on the above I decided to uninstall WSUS entirely from my Windows SBS 2003 R2 server and let the clients download the patches themselves. I know this in theory goes against everything SBS is about; in practicality it made sense because I reclaimed upwards of 30 GB of server disk space. As we all know, server disk space (especially on a SCSI RAID server) is quite costly, much more than a client's disk, so to me it only made sense to get the server space back. Enforcement of patching can easily (as it was pre-R2) be handled through a server-side GPO. While this might seem controversial, taking a step back holistically it made sense.

I would like to see what the fellow SBSers out there think about this idea. Feel free to reply here or just drop me a line. Also let me know if you don't want me to post your replies.

-Alan

SBS R2 WSUS Issues

OK, back to blogging about SBS issues I have encountered.

After I did an in-place upgrade of my SBS 2003 server to R2, I was unable to get WSUS to work correctly. Specifically, we selected that client computers automatically download and install updates. Further, we selected that all updates are approved automatically for both server and client computers. This was the selected configuration within the Server Management console on the Update Services page.

Neither took effect. On the client computers, under Automatic Updates, the option is locked at "Notify but do not download or install".

The cause and resolution were the following:

The WSUS policy was not linked to the domain.

Linked it and did gpupdate /force on the server and client.

Now we were able to see the policies applying in gpresult.exe.

Checked the update and it was applying.

Checked the Server Management console and it was showing that updates were being applied now.

-Alan

New Blogging Program

As I said, my blogging has been really poor (frequency-wise) as of late. I gave it some thought as to why, and I realized I needed a better way (than writing the post in Word and then doing a cut-and-paste on the blog site). I decided to find an easier way, so I am now blogging using Windows Live Writer.

http://windowslivewriter.spaces.live.com/

I did try to get Word in Office 2007 to work with the site, but it continued to give me a weird "could not connect to the site" error. As I said above, it has to be simple; Live Writer was a breeze to set up, therefore it is my program of choice.

We will see if it makes things easier (read: Alan is more motivated to post). Since I deal with other users' issues and problems daily, I wanted to make things easy for myself at home, technology-wise. We will see if this is the trick. I do have to say that the setup could not have been easier; now let us hope that it will keep all the formatting in place.


-Alan

Weird Error

I started noticing a weird occurrence in my Outlook 2007. My search all of a sudden stopped working. I rebuilt my client's index, with the issue still occurring. As you may have read by now, I am connecting to an Exchange 2003 SP2 server. I looked through my client's Event Log and came across the following error: "The per-user filter pool could not be found. (0x80040dba)". Went to the usual sites for answers with no luck. I finally came across a thread post on the MSDN site which stated that if you install FrontPage 2003 on top of Office 2007 you get this error because FrontPage breaks e-mail indexing. The quick fix is to do a repair install, which fixed my problem.

Here is the thread I read to find the fix:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1101775&SiteID=1

A weird problem, a simple fix. Hope this helps you out.

Alan

My WM5 device cannot sync with my SBS Server

As I promised in my last post, I wanted to jump back in to issues and fixes I have had with my SBS server. Here is the first of several. One afternoon, for no reason whatsoever, my Sprint 6700 (WM5) quit synchronising mail with the SBS server. I spent the greater part of an entire day trying everything to fix the problem myself; event logs showed nothing, IIS logs showed nothing. Being an SBS server, I did things the SBS way and repaired my mail connection – still no luck. I finally broke down and opened a support case with Microsoft at 6 PM on Thursday night. I had hoped that it would be some quick fix that I had missed; my hope was not to be. The problem took roughly 36 hours to finally solve. The call started on Thursday night – you do the math. Luckily I was off all day Friday (from the real job); because of the weekend the issue was finally fixed Sunday night, late, around 11:30 PM.

Below is the snippet from the resolution closing e-mail from Microsoft; I have added comments. It looks really simple; I wish it was. Happy that my WM5 worked again? I sure was – but was it worth 36 hours? I will leave that to others to draw their own conclusions.

PROBLEM
========
Not able to use Outlook Mobile Access on SBS 2003 since migration

RESOLUTION
============
Event ID 1805 with error code 501. Rebuilt the exchange-oma virtual directory. Error code 501 equates to access denied to the mailbox. This was for one user – (Username). Used ExMerge to export the mailbox and recreated the user account. Imported the .pst file and we started getting error code 500 in the same event ID 1805.


Rebuilding the exchange-oma virtual directory fixed the issue [by hand; needed to use the IIS tools to remove the extended IIS attributes, as none of the tools or scripts worked].