Aimless Ramblings from a Blithering Lunatic . . .

Just another Microsoft MVPs site

Category: 314 (page 2 of 6)

Making sense of Best Buy’s push into the SMB space . . .

Ok, for those of you who are either outside North America or simply have been living under a rock lately, Best Buy is making a move into the SMB solution space.  Specifically, they’re rolling out a Best Buy for Business program, and naturally using their Geek Squad as their troops on the ground.  Since it seems like just about everyone has an opinion on this topic, I figured I might as well dive in myself  ;^)

Now I know that most of us SMB partners have the same initial reaction when someone mentions the Geek Squad – and it usually consists of a bit of a smirk, a shake of the head and a little laugh to ourselves.  But before you shrug this off and discount this whole thing as a non-event, you need to sit back and take this seriously . . .

It is too early to be forecasting doom and gloom, as well as the utter demise of the traditional SMB var.  However, you’d be very naive to think that Best Buy can’t grab a piece of the market solely on their marketing might.  And they are making a solid effort, with their techs going through an intensive 2 week training course on SBS.  Of course, the providers this will affect at first are the part-time one man shops – the ones who have a couple clients that they work with at night and on the weekends.  Not to generalize, but it has been my experience that the majority of these guys have skills on par with your average Geek Squad member.  Basically, Best Buy will be able to capture the price-sensitive portion of the market without much effort.  Will they implement ideal solutions that follow best practices right away?  Probably not.  But depending on how Best Buy manages this will depend on how much of a threat they become.  If they implement their own internal knowledge base, have knowledgeable senior-level techs that support issues can be escalated to, and do simple things like training their techs how to plug into this amazing SBS community we have out here, they could easily move up the stack and start getting more business from the section of the market that isn’t necessarily price sensitive, but isn’t aware of their other options.

I don’t doubt that the Geek Squad will never be as reliable as the SMB var, and will never enjoy the level of trust that we have with our customers.  But just because they can’t be as good as us, doesn’t mean they can’t take business from us.

So, what do you need to do now to ensure you successfully weather whatever storm this might generate?  In all honestly – nothing that you shouldn’t be doing already.  You should be constantly working on your sales effort.  The point here is to not only drum up new business, but to constantly increase your name recognition.  Sure, most of the people you call today probably won’t be interested in your services today . . .  but the more they see your name around town, the more likely they’re going to call when they are interested in your services.  Next, review your SWOT analysis (Strengths, Weaknesses, Opportunities & Threats).  What are your strenghts as a technician?  as a business?  What sets you apart from your competition?  For example, with Best Buy we’re different because first and foremost, we’re service providers.  We’re not looking to sell a PC or a router, or a printer, or whatever.  Also – we’re often hardware agnostic – where the likes of Best Buy will be pushing what they have in stock.  Our biggest strength is that we’re small business owners ourselves – and can relate with our customers.  Regardless – find what sets you apart and determine how you can exploit that.  Then communicate that to your leads – maybe put together a sell sheet on what makes you different than the rest.  You may also look at focusing on a few vertical markets, where you can provide experience & expertise on their needs as well as various LOB apps their industry uses.

So – take a look at your organization and what you need to do to grow your customer base and increase your name recognition, and try to stay one step ahead, and offering services that Geek Squad either doesn’t or can’t offer.  One way you can stay ahead is by making the move to managed services.  The bottom line is the last thing you want to do is sit idly by with your head in the sand thinking that Best Buy isn’t a threat.  Granted, they may not be a big threat to you today – but who knows what the landscape is going to look like in a couple years?  Maybe SBS Longhorn will be super-simple to install & setup.  And what if Best Buy hires more & more truly capable technicians? And what if they make the move in to the managed services realm – maybe even purchasing an MSP software company like Kaseya, Level Platforms or N-Able?  Next thing you know there is a strategic alliance between Best Buy & Dell, where the Geek Squad provides Dell’s onsite installation & warranty services.  Best Buy also becomes a Dell partner – they get better-than-web pricing based on their volume, but they don’t have to stock anything.  They configure and sell Dell stuff on demand, and Dell keeps their direct model by only building machines when they’re ordered . . .   

And we all know that when it comes to SBS sales, Microsoft is focused on one thing, and one thing only – new sales.  There is only a very small percentage of small businesses that currently have a server – and Microsoft is drooling when it looks at the tens of millions of small businesses without a server – a market waiting for them to conquer.  It only makes sense that Microsoft would do a huge co-branding advertising campaign / blitz to drive small businesses to Best Buy, because next to the OEMs, Best Buy is going to be in the best position to push SBS.

So now in our hypothetical scenario, we’re a couple years down the road with Joe the small business owner seeing newspaper, billboard & TV ads about Best Buy for Business.  He also sees Microsoft ads pushing him to either Best Buy or a number of big-box retailers that have put in their own Geek Squad like service offerings.  He can have a Best Buy Business Technology Consultant (BTC) come out to his business, assess his needs and provide a written proposal.  If he wants Dell hardware, the proposal includes a link to a saved cart that the BTC has already configured.  He signs the proposal to accept, pulls up the Dell cart online and plugs in his credit card number.  The Geek Squad finishes the 15 minute OEM installation on the SBS, brings it out and installs it complete with their monitoring software.  Their managed services agreement is automatically billed to Joe’s Best Buy card every month, and they have a handful of data centers across the US where a team of engineers are watching the multitudes of monitored systems.  When something comes up, they either take care of it remotely, or if it requires a visit contact the customer and either have the customer bring the system in (hey, it’s still Best Buy ;^) – or for a higher fee, schedule a Geek Squad member to go out onsite.

You have to admit – it would be a little harder to sell against that offering . . .    and it isn’t much of a stretch of the imagination to see most of that hypothetical situation come to pass. 

So . . .   now about that sales effort of yours . . .      :^)

For some interesting reading on the topic, check out these posts of Vlad’s:

Best Buy for Business to End SMB IT Consultants?

Best Buy vs. SMB IT Consulting: Part 2

Best Buy now Gold Certified Partner

SBS, SSL Certs and Verizon’s Treo 700w

So, there has been a decent amount of rumblings about the new Palm Treo 700w from Verizon Wireless (running Windows Mobile 5.0) – and it’s apparent inability to sync with SBS.

Sean has a good post outlining how Windows Mobile 5.0 has changed how it handles certificates.  The good news is that if you’re using self-signed certificates with your SBS, you can get your Treo 700w to sync wirelessly with your Exchange server.  As proof, I just did this myself – configured a new 700w for one of our internal users to sync with our SBS, and we’re using a self-signed certificate.

The trick is to install both your self-signed certificate ( <A href="file://\\\\<your_sbs\ClientApps\SBSCert ) AND your CA certificate ( –  check out  <A href="file://\\\CertEnroll”>\\<your_sbs>\CertEnroll ).  Copy these two .cer files to your device using ActiveSync.  Then on your device, use FileExplorer to browse to the folder where you copied the certs, and double-click to install each.  Voila!  You’re good to go . . .

Now, there has been some talk that WM5 doesn’t trust as many Certification Authorities (CAs) as regular ol’ Windows.  As a result, if you have purchased an SSL cert from a CA, there is a chance that CA may not be trusted by WM5.  In that case, you’re not going to be able to sync with your Exchange, since you won’t have access to the CA cert to manually install it on your WM5 device.  However, you could always convert to a self-signed cert and get it to work that way

Glutton for Punishment . . .

I love swing migrations – I really do.  Admittedly, I haven’t done too many – primarily since currently our oldest SBS installation won’t hit the 3 year mark until this coming April, and an overwhelming majority of our installs are new installs / first server, versus migrations of existing servers / domains.  Well, I just finished another swing this weekend, and as usual it is a great experience.

Ok, now those of you who are familair with the swing method and have caught Jeff’s presentation on the topic are probably wondering why I finished a swing this weekend.  After all, one of Jeff’s primary talking in points is that the swing method allows you to regain your weekends and migrate during the week.  So why was I swinging not only on a weekend, but on a long holiday weekend of all times?  That’s where the title of this post comes in:  I’m a glutton for punishment. 

Let me paint the picture for you:  First, while this is a small company (4 PCs), this isn’t any old client – this is family (cue blood-curdling scream sound effect  ;^).  Next, this isn’t just family – this is the family business where I spent the better part of the last decade.  Third – the family isn’t exactly a full-paying customer – yet.  I say ‘yet’ because we’re working that way.  It was just a little bit of a shift from having me handle all of the IT stuff in addition to my normal duties (I was the Controller – yep, I did accounting believe it or not  :^), to paying by the hour.  So I’ve done a lot of the basic maintenance stuff remotely after hours pro-bono.  They’ve been paying for anything they need during normal business hours, with me just throwing in miscellaneous stuff after hours when I have time.  While they haven’t signed a contract yet, they’ve been asking about our Managed Services offerings, and should be on-board in the next few months.  And the fact that they’re asking about our Managed Services is a testament to the value they can bring to a small business.  You have to realize that up until a little over two years ago, my uncle refused to use a computer – and hated having to spend money on anything IT related. 

So, back to our swing.  Their old server was in desparate need of being replaced, and I’ve been talking to them about this for a good nine months or so.  That box was originally put into service 5 years ago – in early November 2000 as an SBS 4.5 box.  In the spring of ’01 it was upgraded to SBS 2000 (which we got as part of Microsoft’s Technology Guarantee program).  In the fall of ’02 we bought another SCSI hard drive and reconfigured the RAID array from RAID 1 to RAID 5.  Needless to say, the box had lived a good, long life, but was starting to show its age.  I finally got the OK to build a new server a few weeks ago when the tape drive in the old server died.

Well, considering this is family – and considering that I wouldn’t be where I am today without their support, not to mention the great real-world small business experiences I gained running their business – I gave them the hardware at cost and didn’t charge anything for the install.  Did I mention I was a glutton for punishment?

SO – the server got built on Monday, on Tuesday I built the RAID array, and did the initial Windows portion of the SBS install.  Tuesday night on my way home, I stopped by, pulled out my laptop, fired up Windows 2003 inside of virtual PC, and did the initial steps of the swing (joined domain, installed DNS, dcpromo’d, made global catalog, verified AD replication, etc.).  Wednesday afternoon I swung the AD onto the new box, and finished the SBS integrated install.  Thursday I gorged myself on turkey with the fam :^).  Friday I finished all of my usual post-SBS install configurations (To-do list, install Trend, WSUS, etc. etc.).  I had a few other little projects that I worked on in the office on Friday (taking advantage of the peace and quiet being there alone without the phone ringing :).  I left the office around 6:30 that night and decided to start the next phase of the process – taking the old server down, migrating data and bringing the new server online.  I got to the family’s building around 7, unloaded the new server, etc. and dug in.  I disconnected the server from the internet, connected an external USB hard drive and started with an online backup of Exchange while I started unboxing the new server, etc. and getting ready for the migration.  After I had unboxed the new server and checked the workstations to make sure everyone was logged out, etc. I got back to the new server and realized that after 45 minutes, my online backup of the 4gig Exchange store was only about half way done.  Wow does USB 1.1 suck.  So I started pulling data off the server across the network to the newest PC (that happens to have the largest hard drive).  I pulled 14 gig of data off the server in a little over a half hour.  Needless to say, I still beat the online backup of Exchange.  When that finished, I stopped the Exchange services and copied the store databases to the workstation as well.  From there I was able to write to the USB drive in no time as I powered the old server down, and put the new one in its place.  Booted the new server and started restoring data.  Once all data was restored, I mounted the original Exchange databases and logged in to one of the PCs . . . voila!  Just like nothing had happened . . .   redirected folders working wonderfully, Exchange mailbox is there, drive mappings via login script worked perfectly, printers are all there (and working), just perfect.  (btw, THAT is what I love about swinging  :^)

But if you know me – you know that nothing is ever truly that easy – something, SOMETHING always comes up and bites me in the arse.  Well, this time that something was WinFax Pro.  (I know, I know – who would have ever guessed in a million years that a Symantec product would throw a wrench into things?!?  ;^)  My aunt & uncle have a decent amount of fax traffic – sending 15 – 20 faxes per day – almost all being invoices.  That’s not enough to really justify a full-fledged fax server product (with that volume they’re not even using a fax board – just a normal fax modem), but it’s still enough that it’s a PITA to have to print that stuff out and walk to the fax machine a few times every hour.  As a result, they’ve been using WinFax’s sharing feature.  I had WinFax Pro installed on the SBS 2000 box and configured as the WinFax host, with the workstations sending & receiving faxes through it.  Well, after I booted the new server, I could not get any of the workstations to connect to the new WinFax host on the new SBS box.  After a relatively short search, I found where Symantec doesn’t support WinFax on Windows 2003 – as WinFax is a consumer product, and Windows 2003 is not a consumer OS.  (Consumer product?  Is it just me, or do you not see a lot of home networks using WinFax sharing to handle their fax traffic???)   Argh . . .   faxing is one thing that really needs to work – the natives will be very restless come Monday morning is that isn’t working.  For multiple reasons I can’t have one of the PCs act as the WinFax host – basically due to placement.  The fax line is separate from the phone system – which means the only jack is in the server closet.  So what now?  MSN Search to the rescue – I downloaded a 30 day trial of FaxBack’s NET SatisFAXtion 7.5 and installed it on the SBS.  Went to the workstations and installed NET SatisFAXtion’s WinFax integration piece, and the workstations can send using WinFax on the desktop like normal . . .  woo hoo!  (and no, don’t ask me about SBS fax – that is completely not an option).  So at this point, I look at the clock and about fall over when I realize it’s 5am Saturday morning . . .   so I decide to call it a night.

I returned early Saturday afternoon after what seemed like only a few hours sleep.  Besides migrating to the new server, I’m also updating their wiring.  The building is about 23 years old – and as such was not wired for networking.  The front office was added on in 97 and was wired – but apparently the electricians used some cheap cat 5 as it has been going down hill for some time.  Additionally, at the time we put the switch in the attic – again, for several reasons.  Well, the time had come where the faulty wiring in the front office needed to be replaced, the switch needed to be replaced as well as relocated out of the drastic temperature fluctuations of the attic, and the other offices needed upgraded wiring beyond a cat 5 wire dropping down from a hole in the ceiling 🙂  So, I started Saturday with mounting plywood to the wall in the server cabinet to give me something that could hold the wall-mount patch panel & switch, then mounting the patch panel & switch.  Of course, I didn’t have any plywood available when I realized I was going to need some, so I had to run to Home Depot to get the plywood, then run home to get some screws and my circular saw . . .  I was able to run all new cable for the front office as well as the shop office – not only replacing existing jacks, but adding additional jacks as well (after all, you can never have too many network jacks!)  So I called it a night and headed home about 3am Sunday morning. 

I worked around home most of the day today, then went back around 4:30 this afternoon.  I finished replacing the wiring going to the parts office, including adding a few new jacks.  I then finished puting all of the covers on the raceways I had installed, cleaned up the patch panel so that all of the cables were nice and bundled and organized, and cleaned up my mess – taking all of the old cabling out to the dumster, etc., and left around 9:30.  So here I am at home, showered and getting ready for bed, trying to figure out how in the hell tomorrow can be Monday . . . and not only Monday, a Monday where I have to be onsite with a client around 7 am to troubleshoot a printer issue so they can run payroll . . .

Well, if nothing else, this weekend has reminded me of two things:  the value of family, and why we subcontract our wiring jobs  ;^)   Oh yeah, and that I’m getting too damn old to be pulling all-nighters . . .   :^)

The compromise of SBS . . .

I’m sure that most people here are aware that there are circles in the IT community where SBS is a punchline.  One of the most common assertations is that ISA on SBS is a security compromise.  So I figured it was time to address this head on.

Is ISA on SBS a security compromise?  Completely – because the mere notion of a firewall on Windows is a security compromise at best . . . we should all be running a SonicWall or Cisco Pix if we really want security.     Sorry, I couldn’t resist a little jab  :^)

Seriously – is ISA on SBS a compromise?  Absolutely – because SBS itself is a compromise.  Which is why it fits so well in the small business space, because each and every small business is a living, breathing example of compromise on a daily basis.  You can’t truly appreciate or understand Small Business Server if you don’t understand small business.  And you can’t understand small business if you haven’t experienced it. 

I can’t help but wonder if the people who look down on SBS with disdain have truly experienced small business.  Have they laid awake at night worrying about making payroll – knowing that their employees have families to feed and mortgages to pay?  Do they realize that for many small businesses, money could be spent in several different places – so that server upgrade often relates to not being able offer the raises or bonuses we’d like, or offering additional benefits.  We have to take care of our employees and our customers, but we also have to invest in our businesses to insure our long-term ability to take care of our employees and our customers.  We can’t afford an imblanace either way – literally.  So each day is a compromise.

Would I love to be able to follow ‘best practices’?  Absolutely.  But look at the average small business with 25 users or less . . .  how would I be helping them by deploying a DC, a secondary DC, an ISA server, a front-end Exchange box, a back-end Exchange box, a file & print server, a Sharepoint box and a LOB server?  Not only would there be extensive cost at deploying that sort of solution, but extensive cost to maintain and administer that set up.

Let’s face it – SBS customers aren’t shopping for ISA server any more than they’re shopping for Exchange.  What they’re looking for is a solution that let’s the work smarter.  Does the small business owner care about running ISA on their DC?  Nope – not in the least.  The fact is that it isn’t realistic to sell that client a separate ISA server – simply put, the costs outweigh the benefits.  

Is ISA on SBS a compromise?  Sure – it’s a compromise between the benefits of the full product and great pricing of an integrated bundle.  I will be the first one to admit that in a perfect world ISA would always run on its own dedicated box.  In the small business arena, that just isn’t going to happen in an overwhelming number of cases.  So the question facing most small businesses isn’t whether or not they should run a dedicated ISA box in addition to their SBS, but whether they should run ISA on SBS or stick with their $39 Linksys router.

So what’s the bigger security compromise and risk for the small business – running ISA on their SBS or sticking with a low-end nat-ing router?  Because down here in the trenches – that’s the reality.


So, it appears that everyone has survived the first SMBTN Summer Conference.  I’ve got to take my hat off to Roger, Jim and everyone else who put in tons of effort to pull this off.

I thoroughly enjoyed the entire event – and the best part is being able to just sit down and visit with everyone else about what we’re all doing, what we’d like to do better, and what sort of solutions we’ve done for our customers.

Several people asked me about Sharepoint resources – so here’s the two sites I enjoy the most:

Also – if you’ve got a specific quesiton, don’t forget Google & Google Groups!

SBS SP1 + ISA 2004 = No DHCP?

Last week, we were installing SBS SP1 for one of our SBS Premium customers.  Naturally, we upgraded their ISA 2000 to ISA 2004, which went very smoothly.  The only problem was that after the upgrade to ISA 2004 was complete, none of their workstations could pull an IP via DHCP.  We verified that the DHCP Server service was running, and tried restarting the DHCP Server service, as well as rebooting the server – both to no avail.

Well, it turns out that this is at least partially my fault.  You see, when I set up ISA 2000, I never let ISA build the LAT table for me – I always manually specified the internal address range I wanted.  So for an SBS using the default IP of, I would specify a LAT of to

ISA 2004 varies from ISA 2000 in that it firewalls all network interfaces, including the internal interface.  My DHCP problem was that DHCP requests happen via the broadcast address of .255 – since my LAT entry ended at .254 – ISA blocked the traffic, so the DHCP Server never received the client request, and the client thus was unable to pull an IP via DHCP.

SO – if you encounter this problem, open your ISA Management console, and expand <servername> | Configuration | Network.  Select the Internal network, and edit it to include .255 

SMB Technology Network

Susan has already blogged about this – but I wanted to make a point of mentioning it as well.  In just about a month, I’ll be in sunny southern California for the first ever SMB Technology Network Summer Conference!  I’m still preparing for it, but I think it’s a safe bet that I’ll be talking a lot about Sharepoint that weekend.  So, if you’re interested – go ahead and register, and I’ll see you there!

The SMB Technology Network® has opened registration for its Summer Conference 2005 to be held July 14-16, 2005 at Embassy Suites in Buena Park, CA. The goal of the event is to expose attendees to knowledge, products, and services that can either make them money or reduce their costs on Monday morning.

To register, go to
We have a number of terrific speakers lined up, including

    • Harry Brelsford, noted author on SBS and SMB Consulting, presenting his 4-hour workshop on “Building the SMB Franchise” (a $99 value).
    • Susan Bradley, SBS-MVP
    • Chad Gross, SBS-MVP

We will also have a number of sponsors presenting and exhibiting, including:

    • Veritas
    • SonicWALL
    • Level Platforms
    • AutoTask
    • more to come…

The Embassy Suites in Buena Park is located within walking distance of Knott’s Berry Farm, Movieland Wax Museum, and Medieval Times. Disneyland is just a 15 minute drive. The hotel provides complimentary shuttle service to both Knotts Berry Farm and Disneyland. Embassy Suites is offering us their spacious, two room suites on a first-come, first-serve basis at a price of $129 per night. There are also many other hotels in the area, if you prefer to stay elsewhere. For reservations, call 1-800-EMBASSY and ask for the “SMB Tech” rate.

The cost for this three-day event which includes admission to all events, including Harry Brelsford’s 4-hour “Building the SMB Franchise” workshop on Thursday evening (valued at $99), presentations by Susan Bradley, Chad Gross and a host of SMB vendors, admission to the exhibitor area, complimentary breakfast and lunch on July 15th, as well as, breakfast on July 16th, is $179 for SMBTN members and $199 for non-members.

Members         $179
Non-members     $199

To register, go to
You will be billed by PayPal within 48 hours of registration.

Jim Locke
SMB Technology Network®

From the mailbag: SBS, Print Servers and Error 61

So I get an email this afternoon from Mitch regarding a problem he’s been fighting:

“I have a HP laserjet setup on the network. It is using a castele print
server. It has an IP address and all the workstations have no problem
printing to it. Added to each workstation as a local printer using the
ip address. (added using generic card and ip address)

SBS Server refuses to print to this printer. I can ping it, It will let
me add the printer, and when i try to print to it it shows up in the
print queue, but then times out with the stupid error 61 I have been
reading about.“

Well, I personally haven’t seen this issue before.  As a pure shot in the dark, I suggested Mitch try disabling SMB Signing and see if that helped.  Well, I happened to get lucky as Mitch confirmed that disabling SMB Signing resolved the issue.  (And yes, that means that I have used my luck quota for this decade . . . so much for winning the lottery any time soon!)   So if you see this – you should try disabling SMB Signing on your SBS and see if that helps.  You can get step by step instructions from the M&M’s site:

But Mitch’s email raises another question:  When you run across a problem that just has to stumped, where do you go for help?  Blogs can contain several tech tidbits – but really aren’t a good source of tech support . . . and as much as I enjoy helping SBSers, I really don’t do email support.  Well, OK – I do . . . for my own customers with service agreements . . . so if you want email support – just ping me and I’ll fax over a contract for you to sign, and we can get started right after the check clears the bank  . . .  ;^)

But seriously – where do you find support for those tough, and downright weird issues?  Well, in SBS land you have a plethora of choices . . .   For community resources, you have:

Microsoft Public Newsgroups:

Grey’s SBS2k Yahoo! Group:

Mariette & Marina’s forms:  (Registraiton required to access forums)

Nick’s SBS forum at Mark Minasi’s site:

And don’t forget that you always have official Microsoft support:

For Microsoft Partners – visit the Partner Managed newsgroups for free Microsoft PSS support:
Also – partners . . .  you are aware of Business Critical Phone Support, correct?  As a partner, you get a set number of Business Critical support incidents per year.  You have to sign in to the partner site and register with Business Critical support – but then you’re good to go.  So if you have a client that has a problem that is impairing their ability to work (server down, etc.) – you can call for Business Critical phone support – which is FREE . . . (but you have to be registered :^)

If you find a Microsoft Knowledgebase article that indicates you need to contact PSS to obtain the hotfix, know that HOTFIXES are FREE . . .  yep – they won’t even ask you for payment info.  Just follow the prompts when you call and one of your options will be ‘…to obtain a hotfix’

If you have a problem as a result of applying a Service Pack – contact PSS.  Just like hotfixes, SERVICE PACK support is FREE . . .  yep – free.  Just indicate when you call in that you are having a problem with Service Pack <whatever> and you’ll be good to go.

And finally – if you’ve exhausted all other avenues and are still having problems, call PSS for paid support.  A lot of small businesses look at the $245 price tag  and grumble – but I’ve got to tell you, that is one of the most undervalued bargins around.  What does that $245 get you?  A solution – and nothing less.  No matter how many phone calls or emails it takes, no matter how many PSS engineers get involved, it doesn’t matter – you *will* get the problem resolved.

Luckily, I haven’t had to contact PSS but 3 times in 4 years . . . the first was a bug with the SBS2000 Technology Guarantee media where setup didn’t like the CD Key.  Took two days and several dozen regenerated CD Keys before we found one it liked.  But that’s what I get for being on the bleeding edge and moving from SBS4.5 to SBS2k the day after I got the media :^)    Second call was a Service Pack issue . . . applying SQL SP3a to an SBS2k box we acquired that was still at SQL GOLD . . .   MDAC upgrade blew up (we later determined) and was causing all sorts of issues.  Spent six hours with PSS on a Tuesday night working through that one.  Last call was just a few months ago.  Clean install of SBS2k3 that I was building in our shop.  Finished the install and was patching the box.  Applied the OWA gzip patch and Exchange SP1 and rebooted – and the box fell over – took an hour an a half to boot.  Discovered that booting into safe mode and disabling Exchange services let it boot normally.  That was another 6hr PSS call – working with two engineers no less . . .  :^)

The point is that Microsoft PSS ROCKS!  They are by and far the best vendor support I have ever experienced – and IMHO they set the standard for what Product Support should be.  There’s a lot of companies out there who charge less for support – but don’t provide anywhere near the level of support that Microsoft does.

Sharepoint permissions on SBS

Ok – I’ve gotten this question enough that it is definitely time to blog it:

On SBS 2003, you grant your users specifc permissions within your companyweb site (let’s say with Reader level access) – but you find that those users can still do anything they want with the site – add / edit / delete / design.


This is somewhat hidden – but by default, SBS adds the Domain PowerUsers security group as a member of the SharePoint Administrators security group – so if you used the Power User template when creating your users, they will automatically be Sharepoint admins regardless of the explicit permissions you grant within the companyweb site itself.  In order to correct this, open Active Directory Users & Computers, expand <your_domain> | My Business | Security Groups and open the Properties pages for the Sharepoint Administrators group.  On the Members tab, remove Domain Power Users and you should be good to go.  Note that none of your users will be able to access your companyweb site until you grant them permissions within the site.

Using Windows Sharepoint Services as an Extranet

Ok – so recently I’ve been asked several times about using Sharepoint Services as an extranet to securely exchange documents with customers and business partners.  The short answer is that this is very possible with Windows Sharepoint Services.  However, you must be familiar with the licensing considerations, and how those apply to vanilla Windows Server compared to Small Business Server . . .

First, Windows Sharepoint Services is a free add-on to Windows Server 2003 – and as such, access to WSS is bound by Windows Server licensing for the product it is installed on.  With vanilla Windows Server, we have two licensing modes – Per Server and Per User / Device.  It is also important to note that while you can enable anonymous access to WSS sites and bypass licensing considerations, for the purposes of enabling a secure extranet, we’re assuming that anonymous access will not be enabled.

With Per Server mode, you are using a concurrent licensing model – so you can have an unlimited number of users accessing the server (and thus any WSS sites) just as long as the maximum number of concurrent connections does not exceed the number of installed CALs.

With Per User / Per Device mode (formerly Per Seat mode), you must have a User or Device CAL for each unique User or Device that connects to the server.  Therefore, if you wanted 100 separate users to access the server (and thus any WSS sites), you would need 100 User CALs. 

Now, for vanilla Windows Server, you can also purchase an External Connector – which allows for an unlimited number of external users to connect to your server (and thus any WSS sites).  Note that an external user is defined as “a person who is not an employee, or similar personnel of the company or its affiliates, and is not someone to whom you provide hosted services using the server software” – so you would still require the necessary CALs for internal users.

So – to use Windows Sharepoint Services as an extranet solution on vanilla Windows Server, the licensing structure that works best is dependant on the number of concurrent external connections that you are anticipating, as well as the licensing mode you’re using for any other Windows servers in your domain.  For a stand-alone server, you would probably be best served with a Per Server licensing mode and a smaller number of CALs – as you would only need to license the maximum number of concurrent connections (whether internal or external users).  For a domain member server where the rest of the domain is using a Per User / Per Device mode, it makes sense to use the same Per User / Per Device mode on the WSS server, since your users / devices are already licensed.  In this scenario, you would then need to purchase User CALs for each named external User.  Once an organization is looking at more than 40 external users, then the External Connector makes sense (as Windows CALs are ~ $50 each, and the External Connector is ~ $2k).  Again, the External Connector only licenses external users – so you would need CALs for internal users.

Now, things get a little less flexible when we start to talk about Small Business Server.  First, remember that WSS is bound to the licensing mode / restrictions of the OS it’s installed on.  Second – we all know that SBS is always in Per User / Per Device licensing mode – we can’t do Per Server licensing with SBS.  As a result, we have to provide a CAL for each named User or Device that is going to be accessing (authenticating with) our SBS domain (we can’t use a concurrent connections model).  Third – there is no External Connector for SBS.  So what does this mean?  In simple terms, this means that if you want to use WSS on SBS as a secure extranet, you need an SBS CAL for each external user.  And since SBS is limited to 75 CALs total – you’re limited as to the number of external users who can access your WSS extranet (internal users + external users <= 75).

Does this suck for SBSers?  Yeah – kinda.  Although it is important to note that this wasn’t an intentional restriction.  Microsoft is aware of this restriction, and members of the SBS team have publicly stated* that they are going to correct this in future versions.  While they haven’t provided specifics on how they are going to correct this – I’m guessing we’ll either have an updated EULA that explicitly allows external authenticated connections to WSS sites, or the addition of an SBS External Connector sku.

* Guy Haycock stated this during the Microsoft Partner Tour stop here in Omaha on 3/28

Older posts Newer posts