Aimless Ramblings from a Blithering Lunatic . . .

Just another Microsoft MVPs site

Page 3 of 19

Specifying a Custom Port for SmartHost Communications in SBS 2008

Just this morning I helped a partner with this very scenario.  Unlike previous versions of Exchange, Exchange 2007 does not provide an interface within its management GUI to specify a custom port when using a SmartHost for outbound mail delivery.  As a result, we need to set this via the Exchange Management Shell.

Once you open the Exchange Management Shell, one simple command will allow you to specify the custom port to use:

set-sendconnector –identity ‘[Send Connector Identity]’ –port [Port Number]

In SBS 2008, the default Send Connector that gets created is named “Windows SBS Internet Send [SERVER]”  where [SERVER] is the netbios name of your SBS server.  So for example, if your SBS box was named  SERVER01 and you needed to use port 2525 to send email to your smart host, you would enter:

set-sendconnector –identity ‘Windows SBS Internet Send SERVER01’ –port 2525

If necessary, you can find the identity (name) of your Send Connector(s) from the Exchange Management GUI, or from the Exchange Management Shell.

In the GUI, expand Organization Information, select Hub Transport, then click on the Send Connectors tab.

In the Exchange Management Shell, run the   get-sendconnector   cmdlet to get a list of send connectors.

Which RMM?

Ah, the great debate in the SMB Managed Services realm:  what is the better Remote Monitoring & Management (RMM) solution?  I don’t know how many times I’ve been asked this question by SMB providers, so I decided it would be beneficial for a no-holds-barred comparison of the products I know.  Obviously, it will not be a comprehensive comparison of every available solution, since I am only going to compare the products I know and have worked with first hand:  IT Control Suite, Level Platforms’ Managed Workplace, and Kaseya.

This will be a multi-part series, with each entry focusing on one aspect of RMM functionality (monitoring, patching, scripting, remote access, etc.) and providing a comparison of how each of the three solutions approaches the functionality and how well they deliver, noting gotchas to be aware of.

For those of you who aren’t familiar with me, I have been involved with providing managed services in the SMB space since mid-2003.  In mid-2004 we were one of Level Platforms’ earliest customers.  In early 2006 we added Kaseya and started running it side-by-side with Managed Workplace.  Finally, in mid 2008 we began working with IT Control Suite as well.  I spent two years as CTO of MSPSN, and during that time MSPSN offered vendor-agnostic NOC services, allowing SMB MSPs to use whatever RMM product they wanted.  Part of my duties included administering multiple RMM installations to keep them in sync with MSPSN’s standardized monitoring and ticketing configuration, but also training NOC staff on these products as well.  As a result, I have in-depth first-hand experience with these products.  I know each one’s killer features, what they do well, what they could do better, and in some cases what they flat-out don’t do.

Before we dive in with the series, it is important to note that if you are providing Managed Services, and do not have any RMM solution in place, any one of these is a viable choice that will enhance your offering(s) and help streamline your service delivery.  There is no wrong answer – just a potentially better answer depending on your needs and priorities in an RMM solution.  Just be aware that no RMM is truly “set it and forget it” – they all require on-going administrative effort to keep doing their job well, although some do require less admin overhead than others.

Large Files in SBS 2008’s Companyweb

If you are making use of document libraries in your companyweb on SBS 2008, you may have noticed that you aren’t able to upload large files (> ~28MB) to a document library.  When you attempt, you receive a 404 error in your browser.  Additionally, you have tried setting the upload size in SharePoint Central Administration, but you are still encountering the problem.

This behavior is due to certain changes within IIS7.  To increase the upload file size limit for your SBS 2008 companyweb, you must edit the web.config file for the companyweb application in addition to increasing the limit in SharePoint Central Administration.

First – set the new limit in SharePoint Central Administration (if you haven’t already):

  1. Log in to your SBS and navigate to Start | Administrative Tools | SharePoint 3.0 Central Administration
  2. At the User Access Control prompt, click Continue
  3. In SharePoint 3.0 Central Administration, navigate to the Application Management tab and click on Web Application General Settings.
  4. On the Web Application General Settings page, verify that the selected web application is 
    1. If this application is not selected, click on the web application and select Change web application.
    2. In the Select Web Application window that opens, click to select the SBS SharePoint application.
  5. In the Maximum Upload Size field, enter the maximum upload size you want to allow.
  6. Scroll to the bottom of the page and click OK to save the changes.

After setting the increased limit in SharePoint 3.0 Central Administration, you must set the increased value in the companyweb web.config file:

  1. Open My Computer and navigate to C:\Program Files\Windows Small Business Server\bin\webapp\InternalWebSite
  2. Right-click on the web.config file and select Properties.
  3. Go to the Security tab and verify the administrative user you are logged in as has modify permissions on this file.  (By default, the administrator account you create during setup will only have read access). 
  4. If necessary, click the Edit button to give your administrative user Modify permissions.
  5. Click OK to close the file properties.
  6. Open the web.config file in notepad.
  7. Scroll to the bottom of the file.  Directly above the </Configuration> line, enter the following:
  8. </System.Workflow.ComponentModel.WorkflowCompiler>
     <system.webServer><security><requestFiltering><requestLimits maxAllowedContentLength="52428800" /></requestFiltering></security></system.webServer>
  9. The maxAllowedContentLength= value listed is in bytes.  The value dispayed (52428800) corresponds to 50 MB.  I recommend making this value slightly larger than the max upload size you specified in SharePoint 3.0 Central Administration.  If this value is equal to or less than the value in SharePoint 3.0 Central Administration, users may not receive the friendly error page indicating they exceeded the file size limit.
  10. Save the changes to the web.config file.
  11. Open IIS 7 Administration (Start | Administrative Tools | Internet Information Services (IIS) Manager ).
  12. Expand <servername>, then expand Sites.
  13. In the list of sites in the content pane, click to highlight the SBS SharePoint site.
  14. In the Manage Web Site section of the right-hand pane, click Restart to restart the web site.

Your users should now be able to upload large files to your companyweb document libraries.  However, depending on how large of files users are actually uploading, their uploads may still fail – not due to a size restriction, but rather an IIS timeout issue.  To adjust the timeout values for your site, take a look at this post over on Don’s blog.

Installing Group Policy Preferences Client Side Extensions

In my previous post, I ran through a quick and dirty overview of Group Policy Preferences in Windows 2008.  One little tidbit of information to note is that in order to take advantage of Group Policy Preferences in your Windows 2008 domain, you need to have the Group Policy Preferences Client Side Extensions installed on your PCs and Servers.  The Client Side Extensions are installed on Windows 2008 systems by default, but they must be deployed to your XP, Vista, and 2003 devices in order to take advantage of Group Policy Preferences.

Like virtually everything in IT – there is more than one way to skin a cat.  The GPP Client Side Extensions are available as an update for Windows (KB 943729).  So if you have a method for centralized deployment of updates, you can push this update out to all of your machines.  If you’re using WSUS – 943729 is classified as a Feature Pack – so you will need to be synchronizing all Feature Pack updates in order to deploy this via WSUS.

If you don’t have an automated method for deploying updates, or if you’re just a bit sick & twisted like I am, we can configure our SBS 2008 domain so that all machines get the update installed automatically via a GPO startup script.  I personally like this approach for a few reasons.  First – once it’s set up, we don’t have to do anything special.  If we add a new machine to the domain, it will get the Client Side Extensions installed automatically at startup.  And considering the few reboots that happen when joining a PC to the domain via http://connect – the CSE will almost always be installed before the user logs in for the first time.  This is beneficial to relying on WSUS – because even if we have the update approved for installation, when the PC is first joined to the domain it has to check in with WSUS, and depending on our patching schedule, it could take several days until the CSE actually gets installed.  If we’re relying on Group Policy Preferences to handle our drive mappings, printer installations, etc. – it’s obviously preferable to have the CSE installed as soon as possible.

So, I’ve put together a little vbscript to handle the installation of the Group Policy Preferences Client Side Extensions.  This script can be used in a number of fashions – from running it manually on a device, to using your favorite Remote Monitoring & Management product (Level Platforms, Kaseya, etc.) to deploy it, or by using it as a startup script in a domain Group Policy Object.  

A few details regarding the script:

  1. The script assumes that the CSE installers are present on the LAN.  Therefore you will want to make sure each of the six variations of the CSE installer (both x86 & x64 for Vista, XP & 2003) are downloaded to a share on your network.
  2. You will need to edit the paths to the installers in the script.  The defined paths can be found on lines 47 – 52.  Note that these paths must be UNC paths to work.
  3. If you are going to use the script as a domain startup script, remember that startup scripts execute under the computer account’s security context – so you will need to make sure that your Domain Computers security group has read access to the share where the script and the CSE installers reside.

I’ve tested the script on a number of systems, and it has worked flawlessly on each.  However, as usual I make no warranties of any kind, and if you choose to use this script in a production environment, you do so at your own risk  smile_regular

The Death of IFMEMBER

Anyone who has heard me talk about service delivery standards knows that I’m a big advocate for standardizing everything you can.  One of my big pet peeves are SMB networks that are not using standard drive mappings – where each user has a different drive letter pointing to the same share on the server . . .    I’ve been surprised by the number of administrators & consultants who don’t know about the IFMEMBER utility from the Windows Resource Kit.  IFMEMBER has been a core building block of my login scripts for the past 10 years, allowing me to dynamically map network drives based on a user’s security group membership at login. 

Well, with the dawn of Windows 2008 – IFMEMBER is effectively dead.  I’ll admit that I’m probably a bit behind the curve here, but quite frankly – login scripts themselves are effectively dead in Windows / SBS 2008 and are replaced with Group Policy Preferences.  I finally got a chance to play with Group Policy Preferences, and I have to say they work pretty slick.

Let’s take a fairly typical example:  We have a site running SBS 2008, and each user has their own folder under the usershares share on the server, we also have a public share for common files, and we have an accounting share for our QuickBooks data and accounting specific spreadsheets & reports, etc.  We want each user to have H: mapped to their user shared folder, P: mapped to the public share, and Q: mapped to the accounting share.  We only want Q mapped for members of the Accounting Users security group we’ve created, and we want to force these mappings (so they replace any different drives users may have created using the same letters).  

Previously, our login script to accomplish this would have looked like:

net use h: /delete
net use h: \\server\usershares\%username%

net use p: /delete
net use p: \\server\public

IFMEMBER “Accounting Users”
if not errorlevel 1 then goto quit_acct
net use q: /delete
net use q: \\server\accounting

With Group Policy Preferences, we start by opening the Group Policy Management Console on our SBS 2008.  I decided to create a new GPO in the DOMAIN \ My Business \ Users \ SBS Users OU.  When the GPO is opened in the editor, you can see a clear delineation between Group Policies and Group Preferences:


There is still a separation between Computer configuration and User configuration.  Obviously, drive mappings will be a user configuration.  Expand User Configuration | Preferences | Windows Settings and select Drive Maps.  You can add a new drive mapping by either clicking the plus sign “+” icon in the toolbar, or right-click in the content pane and select New | Mapped Drive.


You will notice there are four different actions that the drive mapping group preference can take:  Create, Delete, Replace or Update.  Create and Delete are self-explanatory.  In the example in the screenshot, I’m mapping H: to the user’s shared folder on the server.  If the user was already using H: for a different drive, the Replace option will effectively remove the existing H: drive then create a new mapping based on the settings defined in this preference.  If we used the Update action, the preference would only change the attributes of the existing H: drive to match the settings specified, thus retaining any locally applied settings for the drive mapping that are not defined in the preference.  Both the Replace and Update actions will create a new mapped drive if it doesn’t exist when the preference is applied.

Most of the fields on this page are self-explanatory.  Note that we can specify a given account to use to connect to the share, and we can specify a custom label for the mapped drive as well, and take advantage of variables such as %username% in the path & label.

If we take a look at the common tab, we have a few more options, including the ability to enable item-level targeting which unleashes the true power and flexibility of Group Preferences.  Let’s take our basic example of wanting to map the Q: drive to the accounting share, but only for members of the Accounting Users security group.  On the Common tab, we would check to enable the options to run the preference in the logged-on user’s security context, and to enable Item-level targeting.  Then we click the Targeting button to specify the target:

In this case, we would click “New Item” and select the Security Group option.  From here, we can browse to select our Accounting Users security group.  Note that we can specify whether we are checking the user or computer’s membership, and using the Item Options, we can specify whether we want to check if the user/computer IS a member or IS NOT a member of the group.   In our example, this is all we would need to do to have our Q: drive mapped for members of the Accounting Users security group.

But while you’re in the targeting editor, take a look at all of the items we can check for.  Also note that we can add collections (groups of items) for nested targeting, and we can use AND or OR operators within our collections to specifically target exactly who or what we want to get this preference applied. 

Another preference that will get a lot of use in the SMB space is the ability to add mapped printers (and set default printers) via the preferences as well.  As an example of targeting, if we have a customer with multiple locations all on the same domain & linked via router-based VPNs, we can target based on the client PC’s IP address, so it only gets printers at its location installed.   

Regardless – I encourage everyone to really play with the new Group Policy Preferences – they’re going to make it much easier to standardize our client environments  smile_regular

Accessing the Windows Internal Database in SBS 2008

OK, so I’m a little behind schedule – but I’m finally getting a chance to really dive in to SBS 2008, and I should hopefully have some decent posts moving forward . . .    yeah, yeah I hear you – *any* post decent or not would be an improvement over the last year . . .    I’m workin’ on it, k?  smile_regular

So most of us running WSUS 3.0 or WSS 3.0 are familiar working with the Windows Internal Database, and know that we can connect to that instance via Named Pipes so we can actually use the nice GUI interface provided by SQL Management Studio (Express).   Well, if you’ve tried using the Named Pipes method to connect to your Windows Internal Database on your SBS 2008, you’ve probably noticed that it doesn’t work . . .

Here’s the deal:  When the Windows Internal Database is installed, the built-in administrator account is granted system administrator privileges to the SSEE instance.  As you’re aware – with SBS 2008 the built-in administrator account is disabled by default and we use a custom administrator account created during setup to administer the box.  The problem is that this custom administrator account is not granted SQL system administrator privileges to the SSEE instance by default.

The work around to get this to work was simple enough – all i did was enable the built-in administrator account on my SBS 2008, then log in using that account.  Once I was logged in, I was able to successfully connect to the Windows Internal Database via named pipes.  At that point, I was able to add my custom administrator account as a SQL system administrator for the SSEE instance;

Expand Security | Logins.  Right-click on Logins and select “New Login”

Click the Search button to find your custom administrator account in the directory

Accept the defaults on the General page

On the Server Roles page, check the  sysadm  role

Click OK to add the user

Now you can log back in to your SBS using your custom administrator account and access the Windows Internal Database instance via named pipes.  Just don’t forget to disable the built-in administrator account when you’re done! 

The Changing of the Guard

It’s official: as of October 1st, I am now a Small Business Server MVP Alumnus.  I have to admit that it comes as no surprise that I was not re-awarded as an MVP this year – the past 18 months I have been buried with MSPSN and building our NOC operations.  As a result, I have been noticeably absent from the community.  As my professional life continues to evolve, I am hoping to reach a point where I have the available time to contribute to the SBS community at large and continue to promote the product and empower the partners and DIYers that believe so passionately in SBS.  This community rocks, and I have been honored to be associated with the MVP program for the past 5 years.

But don’t worry – I’m not completely going away.  You can’t get rid of me that easily [:)] 

MSP Revolution 2008 Last Call!

OK, so I’ll admit it’s blatant self-promotion – but we have a few slots left until we fill up  smile_regular



MSP Revolution Sponsors


Level Platforms

















Labtech Software



PRE Day Conference Events

Designing, Implementing, and Making Money with Virtual Environments
by Dave Sobel and Karl W. Palachuk
How to add $100K (or more) in revenue in the next 6 months!
by Matt Makowicz and Stuart Selbst from Secure My Company
For more information:


Our Website


More About Us



Dear Chad,

Last Call for MSP Revolution!
Seats are filling quickly and MSP Revolution 2008 is the only event this year where we’ll take you deep into the Managed Services Business Model and deliver a proven Road Map to profitability in Managed Services.
September 4-7 in Chicago


Thursday September 4, 6p-9p
Cocktail Party with MSP Mentor.  MSP Mentor’s Joe Panettieri will lead us in an interactive discussion on the “State of the MSP Channel.”
Friday September 5
Kick the morning off with a keynote by Len DiCostanzo of Autotask where you’ll learn how to “Organize, Integrate, and Automate your IT Services Business.”
Next, dive right into the MSP Revolution Excellence in Business Acumen business simulation experience delivered by Andromeda Training.

Discover how to strengthen all aspects of running and managing your business through this focused and intensive management education that allows you to work through and resolve major business decisions in a fun, fast paced environment.
Working in teams, participants gain an experience of what it is like to operate a business in a competitive market. They make all the decisions – production, marketing, sales, finance, and own all the results. Teams and long-term professional friendships are built in a challenging game environment.  The secret benefit is that some very thorough business finance learning occurs.
End the day with cocktails and dinner with MSP University’s Erick Simpson who will share his professional insight in “Growing Your Practice During an Economic Downturn.”

Saturday September 6th & Sunday the 7th
Spend a day and a half with the greatest minds in the Managed Services Channel today.  Our speakers are the BEST minds in the Channel and you won’t want to miss this opportunity to learn from them.
Each speaker has built multimillion dollar Managed Services companies and they are going to share their knowledge & experience with you!

Defining Your Managed Services Offerings
Learn how to design and deliver profitable Managed Offerings.
Ron Cook, Xilocore

Pricing Your Managed Services Offerings
Discover How to Price Your Managed Offerings Profitably
Ramsey Dellinger, MSP On Demand
Developing Your Contracts & Service Level Agreements
Service Level Agreements, Why You Need them & How to Create Them
Karl Palachuk, KP Enterprises
Marketing Your Managed Services
Learn how to fill your pipeline with proven effective marketing techniques.
Erick Simpson, MSP University
Building a Profitable Service & Help Desk
Learn how to inject efficiency into your Service Desk and realize the profitability you’ve been seeking.
Amy Luby & Chad Gross, MSPSN
Selling Value in the Managed Services Model
Proven Techniques in transitioning from selling features to selling Value.
Matt Makowicz, Ambition Consulting

Partnering for Success
Industry, vendor and peer partnering can transform your business.  Learn how.
Stuart Selbst, SecureMyCompany
To learn more about each speaker, go to


We are bringing some of the greatest minds on Managed Services together for a premium event like no other.  We can’t wait, and we hope to see you there.  Don’t miss out on this opportunity to learn from the best!


The View from the Dark Side

I have a confession . . .   I took my first step moving to the dark side three months ago.  You see, my beloved Treo 700w had finally died for the last time – it had lived a long, hard life of just over 2 years and had been dropped countless times.  I was looking for a Windows Mobile 6 device that had a touch-screen and a vertical orientation like the Treo (I for one dislike the slide-out keyboards because it requires two hands to type).  I was surprised at the lack of options available for those three criteria.  As a matter of fact – Verizon did not have a single device that met all three criteria – they still had the Treo 700w with a touch screen, but running WM5.  They had the new Moto Q with WM6 and the vertical orientation, but no touch-screen.  Or the Samsung isomething that had a touch screen and WM6, but had the horizontal slide-out keyboard.

So on a whim, I did an abrupt face and bought myself an iPhone.  This was back in March, and I admit that what finally pushed me over the edge was the announcement of the iPhone 2.0 software update that would include support for push email via Microsoft ExchangeSync.  Admittedly, there are days that I still miss my Treo  (I still prefer a physical keyboard over the iPhone’s on-screen keyboard – but I eventually discovered the trick to fast composition on the iPhone is to just get close and trust its auto-correct to fix your typos – and 98% of the time it gets it right).  The biggest pain over the past 3 and half months has been the lack of over-the-air calendar and contact sync.  After having that for over two years with my Treo, having to dock my iPhone every few days or remember to look at my Outlook calendar before I ran out the door was getting old. 

But anyway, today was d-day – when the iPhone 2.0 upgrade was officially available to the masses.  I didn’t get a chance to really try the upgrade until late this afternoon.  I started earlier this morning, but I could not get iTunes to backup my phone prior to the upgrade (unknown error -43).  Of course, it gave me the option to continue without a backup – I would just lose little things like my text messages, favorites, mail accounts, etc. – basically anything that wasn’t sync’d with my PC.  So I stuck it out and eventually tracked the issue down to iTunes not playing nicely with folder redirection in a domain environment.  My music lives in a redirected folder and syncs ok, so I’m assuming the issue is with a redirected Application Data folder.  But anyway . . . )   So late this afternoon I finally got the phone backed up and initiated the upgrade.  The entire process took about 30 minutes to download, install, restore & activate.  Luckily, I did not run in to the mess this morning where Apple’s activation servers were overwhelmed and couldn’t be contacted, leaving a lot of people with a nicely upgraded phone that could not activate and thus had no service . . .   but again, there’s a reason it’s called the bleeding edge . . . smile_regular

But the big news for me is the Exchange integration.  I removed my previous IMAP account, and set up my Exchange account.  Biggest surprise for me: the iPhone will sync with Exchange over the air if you’re using a self-signed SSL certificate on your SBS / Exchange server.  It complains a bit that it can’t authenticate the certificate when you’re setting up the account, but you can acknowledge the warning and it will start synchronizing.  Naturally, if you select to synchronize your contacts and calendar, any contact & calendar data on the phone itself will be overwritten by data on your Exchange server.  For me this was no big deal as I was manually synchronizing this data anyway. 

I still have to play around a bit, especially with installing some of the new apps, but so far the Exchange integration is working just as I would have expected.  The contacts feature even handles multiple contact folders in your Exchange mailbox very nicely – even additional top-level contacts folders, and even allows you to search the GAL

Anyway, I’m off to go play on the dark side a little more . . .

The Straw the Almost Broke the Camel’s Back

Ok, I admit it.  I’m a creature of habit, and I don’t always adjust nicely to change.  I’m getting ready to do my first of the month recurring invoicing, and reviewing an Excel spreadsheet one of my vendors sent me.  As I try to navigate the spreadsheet in Excel with my arrow keys, I find that my arrow keys are scrolling the worksheet instead of moving cells. 

So a quick google came up with a simple solution: disable scroll lock.  The problem was this was the first thing I tried, and it didn’t work.  After the scroll lock suggestion, I found a few workarounds, including a post from my old friend Kevin

The problem is that I’ve never been a big fan of workarounds – I want to know the answer and solution to the problem.  As I was checking out a few of the hits where the scroll lock option wasn’t working for the original poster (including Kevin’s post), I quickly identified a common thread:  Logitech keyboards.  And I’m using a Logitech MX3200 cordless desktop on this machine.

Within a few minutes I had the solution to the problem.  In order for the Scroll Lock key combination (FN + Pause/Break) on the Logitech keyboard to work, the Logitech SetPoint software must be running.  Once I fired up the application, it worked like a charm.  Close the app, and they key combination doesn’t work at all.

Here’s hoping this saves a little bit of someone else’s sanity . . .

« Older posts Newer posts »