Archive for the ‘Exchange’ Category.

Windows Small Business Server 2008 RC0 - First Impressions

Microsoft released the Windows Small Business Server 2008 RC0 today.

For those of you who do not know SBS: SBS has traditionally been a single server setup with Exchange, SQL Server and ISA Server. It consolidates all “big” Microsoft technologies on a single server. This contradicts most “Best Practices” published by Microsoft, and as such SBS has always been seen as the red-headed stepchild in the Windows Server Family. SBS 2008 aims to improve several of these points (especially with the Premium Edition shipping with TWO server licenses).

After a 6 hour download that trickled in at a few meager 200kbyte/s, i was finally able to get started with it.

SBS 2008 now demands x64 hardware - so for testing i used an IBM x3650 running Windows Server 2008 Enterprise with the Hyper-V RC1. Hyper-V supports 64bit guests. Other hardware requirements have also gotten steeper - you’ll need 4GB RAM minimum (though i launched the VM with only 2GB). The Premium Edition now comes with licenses for two servers - finally making it possible to have redundant domain controllers even in a Small Business setup without paying for full server licenses.

The first half of the setup is similar to what you know from Windows Server 2008 and Windows Vista - you boot, select the disk, have the chance to enter a product key, and finally start the installation. After that, the WIM image is expanded to the harddrive. The machine reboots after installation, and this is where things get different.

After booting, you’ll land in the “Install Windows Small Business Server 2008” Wizard. This can be mostly automated using an Answer file, which is mandatory when migrating from earlier versions. I will check that out later and proceed with a simple installation without using an Answer file.

I get nagged by an “Insufficient Hardware Screen”, reminding me that my (virtual) machine only has 2GB RAM. After acknowledging the warning, i can set up my date and time. I choose the CEST timezone, and move onwards.

Next, a screen confronts me with the fact that i don’t have a NIC - which is true. The machine is running on Hyper-V RC1, and i wasn’t able to install the integration components yet. Luckily, there is a “Browse” Button, where i can launch the Integration Services setup. Installation of the Integration Components worked fine, the machine rebooted. I hope Microsoft packs the Hyper-V RTM bits into SBS RTM. This would make it easier to install it into a VM, but as you can see, it’s not much of a hassle.

I was back at the beginning, at the start of the SBS Wizard. Luckily, i was now able to use the mouse after installing the Hyper-V IC. Next, i get an Update Dialog, asking me if i want to update my server. I choose yes and have to wait.

Next, i was asked to enter my company information. Next, i was able to name my server and the NETBIOS name of the Domain. I was not able to choose a DNS Name for the Domain (This is only possible if using an Answer File). Interestingly, Dashes “-” were not accepted as part of the server name. I wonder why - our production setup uses dashes extensively in server names, and so does Microsoft (judging from their Mail headers).

Then i was asked to create an administrative account - a good idea. The “Administrator” account shouldn’t be used in a production setup, instead each user with administrative rights should have their own account. SBS enforces this - a very good idea.

After confirming Server name, Domain name and Company name, the installation continued on its own. This took a good amount of time, during which the server restarted several times - of course completely unattended. No need to play disc jockey or logon - much better than SBS 2003.

After the installation, i was greeted with a screen that told me that it was unable to install some critical updates. Clicking on that bar revealed an IE7 404. I checked the IP configuration - the server was configured to use 192.168.0.2, and didn’t have a DHCP server installed. There was no default gateway set yet.

Next, i launched the “Connect to the Internet Wizard” which told me that i was already running a DHCP server - which makes sense. After choosing “Postpone”, the Wizard aborted. That wasn’t quite what i was hoping for.

I shut down the VM and reconfigured it to use a private LAN. That way, it wouldn’t have a connection to the internet, but it wouldn’t have to deal with a DHCP Server either. But SBS didn’t like that either - it wanted a router. So i set up a second VM running IPcop (which works flawlessly on Hyper-V using Legacy NICs and a small virtual hard drive).

It was interesting to see using “tcpdump” what SBS did under the covers to detect the router. ARP scanning, IPv6 Discovery, Everything. This seems rather well designed. It was successfully able to detect my IPcop VM which didn’t have a DHCP server.

Next, i started the wizard to enable my domain name. It seems that SBS will be able to do some of these things automatically if you live in the US. Here of course we have to do things manually.

So far i don’t like that SBS tells me very very few technical details. But this might be because Microsoft somehow thinks that a Small Business Owner will set up SBS on their own (which just seems a horribly stupid design decision).

Next, it told me that i couldn’t configure my Internet Router properly (my IPcop instance didn’t have UPNP support enabled). It’s interesting to see that it wants to forward port 25 to the server. It looks like the POP3 Connector was finally killed off for good. That’s very good to hear!

I also had to configure outbound email properly, with the ability to configure a smarthost or use direct sending. There is also a wizard to easily create a properly signed official SSL certificate - nicely done and will surely improve the security of the many SBS setups that are out there.

SBS 2008 also ships with OneCare for Servers already preinstalled. You can just activate it with a few clicks. I don’t see this very positively - I’ve had a few bad experiences with ForeFront Client Security, which OneCare is based on. We’ve been using McAfee in the past. So in the future for SBS setups we will have to either remove OneCare from the SBS, or deal with having multiple virus scanners on the network (a management nightmare).

Another interesting tidbit is that UAC is enabled in approval mode, just like on standard Windows Server 2008 installations when not using the Administrator account. This is annoying, IMHO. I don’t have a problem with UAC on my desktop because i usually use my desktop to work and not change settings - but when i’m logged onto a server, i want to change settings all the time.

That’s it for the first impressions. I will have a closer look at SBS 2008 over the following days and will keep you all updated.


Outlook Anywhere with Exchange 2007 on Windows Server 2008

Outlook Anywhere / Outlook Autodiscovery on Windows 2008 still has some problems.
Read this most excellent post that has all the details.

Long story short: Modify the hosts file, remove the IPv6 localhost (::1) and then add hosts entries for your server. I would recommend against disabling IPv6 on the Exchange server, as this is probably not a recommended or supported configuration.

The root cause is that Outlook 2007 can’t contact a DC/Domain Controller using RPC over HTTP/Outlook Anywhere when used on Windows Server 2008.

Also note that NTLM Authentication for Outlook 2007/Outlook Anywhere is broken on Windows Server 2008.

Office Communication Server 2007 for a Small Business?

So i’ve been playing with Office Communication Server 2007 to pass time. Thanks to the Microsoft Partner Licensing Program we can use this software internally, in production, without paying anything.

After playing with it in VMs for a few days, I decided to deploy it internally. Of course, the current deployment is not very integrated - our PBX is years old, and we have no chance to get any decent sort of integration, and we’re not yet on Exchange 2007 (though this is planned). As such, I didn’t expect too much usefulness out of it. Boy, was I wrong.

OCS 2007 is several products in one, and it has a few drawbacks in a small business deployment (because it was designed for bigger environments). The price of the product isn’t prohibitive for a small business - 1500 CHF for the server, and 100 CHF per CAL (for Standard versions - the Enterprise versions are more expensive).

So, what features can one expect from OCS2007?

Services

Instant Messaging

One of the OCS2007 functions is an internal Instant Messaging server, with all the standard features you probably already know from ICQ, MSN et al. This part could easily be provided by using e.g. an internal Jabber server and a Windows Jabber client like Pidgin. So why use OCS2007 for instant messaging? The reason is easy: Integration. The server software integrates into your Active Directory environment. You extend the AD schema, and all the user information is stored directly in Active Directory, with no need to maintain yet another user database. While that’s an advantage, it’s not much of a selling point (because the CEO usually doesn’t care if you need 3 more minutes to add a user).

OCS 2007 Integration
So let’s talk about integration on the client. After installing Office Communicator (the IM/VOIP client for OCS) on the client, you will notice full IM integration into Outlook, see the status of all the recipients and senders of the mail. This is a very nice feature, because it offers you information at a glance, without having to open the IM GUI to see whether someone is available for a quick follow up or not. But it gets better: this Integration also works in Sharepoint Services 3.0 and MOSS 2007. Also, the Unified Messaging part of Exchange Server 2007 integrates nicely into OCS 2007. You can check your voicemail using OCS 2007, with a fully graphical interface (similar to how the iPhone handles its voicemail).

Besides the ability for instant messaging, there is another very important feature - at least in our company: availability and presence. We have a HQ and a branch office, and our HQ is split over three floors. So usually it’s not easy to tell if someone is at his workplace or not. While Outlook’s calendar helps to establish the general whereabouts of a person, it’s not at-a-glance, and it doesn’t help if the person just isn’t at his desk (for whatever reason).

Office Communicator sets your presence to away at the instant you lock your machine, which people do when they walk away from their desk. As such, you can tell whether someone is currently working at his desk or not. This is very cool, and helps to save time on unnecessary phone calls to which no one answers.

There’s also a web client - Office Communicator Web Access. At the first glance, it is indistinguishable from the full desktop client, so the web interface is very nicely done.

Voice over IP (SIP)

OCS 2007 is also a fully blown VoIP solution. I can’t talk about this part too much - i haven’t worked with the mediation server or more enterprise VoIP integration (as said, our PBX doesn’t support that).

The Softphone client, integrated into the Office Communicator, works nicely though, the voice quality is normal, and we didn’t have many problems using it over WAN lines.

You can also connect hardware IP phones to OCS2007, which should work with standard SIP phones - not having one, i didn’t test this. There are some very nice looking OCS specific IP phones out there.

Live Meeting

I’ve attended a few Webcasts done using Live Meeting 2005. With OCS 2007, you can now host Live Meetings (using the 2007 client) directly in your company, with no need for any hosted services. This feature might not be terribly useful if you’re working for a single-location Small Business, but it can be a timesaver when spread across the country (or world). Live Meeting also integrates into Outlook (see the above screenshot).

It works flawlessly, and i had few problems using Live Meeting. Didn’t really deploy this into production yet, though.

And more

OCS 2007 can also do a lot more stuff than i mentioned here. Most of this, like CDR and Archival is not necessary (or financially viable) in Small Businesses, so I didn’t invest too much time.

Drawbacks

So, what are the drawbacks of OCS 2007 in a Small Business? The main point i see here is that you need at least three servers - a Standard Server (hosting all the services), a mediation server for connecting to your PBX, and an Edge server offering internet connectivity. These are at least three OS instances that need to be maintained. Add to that the cost of either a proper virtualization server, or a few 1U boxes, and you’ll get into unviable price regions pretty soon.

For basic functionality, you can leave both the Mediation and the Edge server away. This means no integration with your PBX, and no external access to your server - at least in theory.

If you just need external access to IM, you can create appropriate SRV records in your public DNS, and forward port 5061. This will not result in a clean service, but it’s better than nothing. But without a proper edge server, you won’t be able to access other IM networks. Not cool.

Microsoft should really make single-server deployment possible, but probably we’re too small of a market to make this financially viable.

So what’s my conclusion? If you’re an SMB, give OCS2007 a try. It’s a very cool software, and the basic IM functionality isn’t that expensive.

Strange problems with ZyXELs ZyWALL 5 and Exchange 2003

Today i’ve encountered a very interesting problem that’s very hard to track down exactly.

A small business customer was running an Exchange 2003 server behind a ZyXEL ZyWALL 5 with AntiSpam installed and enabled. The ZyWALL forwarded port 25 to the Exchange server. This worked, for the most part, flawlessly. But a few hosts (i’ve found no distinct differences between the source hosts - ADSL, Leased Lines, Colocated, Europe, USA) failed to get an SMTP greeting (220 customer.example.com Microsoft ESMTP MAIL Service, Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200).

When i disabled the Anti-Spam and pressed enter (in a telnet session to port 25), the SMTP greeting appeared. If anti-spam was enabled, it never appeared. But that didn’t help - Postfix still couldn’t send mails:

postfix/smtp[25010]: C65AA88075: conversation with customer.example.com[256.256.256.256] timed out while receiving the initial server greeting

I’ve looked at every setting on both the ZyWALL and the Exchange server, but didn’t find any unusual DNS etc. setting. I even disabled all the DNS lookups done on the Exchange server, but to no avail.

But after upgrading the ZyXEL ZyWALL 5’s firmware to the latest version (V4.02(XD.2)), the problem disappeared. While this wasn’t exactly what i was hoping for, at least the problem was now solved.
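A probe that separates the outcomes seen above (greeting arrives unprompted, greeting arrives only after the client sends a line, no greeting at all) makes it easy to check a mail gateway from several source hosts before and after a firmware change. This is an added example, not part of the original post; `probe_greeting`, `read_line`, `fake_server` and the loopback listeners with their banner text are constructed for illustration.

```python
import socket
import threading


def read_line(sock, timeout):
    """Return the first line received within `timeout` seconds, else None."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while b"\n" not in buf:
            chunk = sock.recv(512)
            if not chunk:  # peer closed without sending a full line
                break
            buf += chunk
    except socket.timeout:
        pass  # nothing (more) arrived in time; return what we have
    return buf.decode("ascii", "replace").strip() or None


def probe_greeting(host, port=25, wait=5.0):
    """Classify how an SMTP listener delivers its greeting.

    Returns (status, banner); status is one of
      'ok'              greeting arrived unprompted (normal SMTP behaviour)
      'after-input'     greeting arrived only after the client sent CRLF
      'no-greeting'     TCP connect worked, but no greeting came back
      'connect-failed'  no TCP connection (filtered, closed, unreachable)
    """
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except OSError:
        return ("connect-failed", None)
    with sock:
        try:
            banner = read_line(sock, wait)
            if banner:
                return ("ok", banner)
            sock.sendall(b"\r\n")  # what pressing Enter in telnet sends
            banner = read_line(sock, wait)
        except OSError:  # connection reset or closed by the peer
            banner = None
        return ("after-input", banner) if banner else ("no-greeting", None)


def fake_server(mode):
    """Constructed loopback listener for the demo; returns its TCP port.

    mode: 'normal' greets at once, 'after-input' withholds the banner until
    the client sends data, 'silent' never greets.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if mode != "normal":
                conn.recv(16)  # block until the client sends something
            if mode != "silent":
                conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
            conn.recv(16)  # hold the connection until the client hangs up

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for mode in ("normal", "after-input", "silent"):
        port = fake_server(mode)
        print(mode, "->", probe_greeting("127.0.0.1", port, wait=1.0))
```

Postfix waits for the greeting before it sends anything, so a listener that reports `after-input` or `no-greeting` here produces the "timed out while receiving the initial server greeting" log line quoted above.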

Microsoft Exchange System Attendant failed to read the membership of group …

Source: MSExchangeSA
Event ID: 9188

Microsoft Exchange System Attendant failed to read the membership of group ‘cn=Exchange Domain Servers,cn=Users,dc=your domain’. Error code ‘80072030’.

Please check whether the local computer is a member of the group. If it is not, stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.

This error message sounds very serious, but it is entirely possible that the situation is not as grave as it sounds.

If you encountered this error message, you should first read all the hints over at EventID.Net. This shows the most common causes for this problem in bigger environments.

I’ve encountered this error message in smaller environments if specific factors were true: DC and Exchange were on separate servers, and the Exchange wasn’t a DC (which is correct). However, there is only one DC on the network. In this case, the error message above might appear immediately after you restarted the first DC.

This seems to be a minor problem in Exchange which doesn’t fully recognize that the DC is back up. Restarting the Microsoft Exchange System Attendant service will solve the problem. This is not really a full solution to the problem, as you have to restart the System Attendant service every time you restart the only domain controller.

The right way to fix this is to install a second domain controller. If you can’t do that, scripting the System Attendant restart makes sense - my approach would be srvany.exe and a plain cmd script. I didn’t write such a script yet, and i don’t really intend to. Just buy a second DC.

HTC TOUCH


Right after i got my new iPAQ 510 Voice Messenger, our chief sales was looking for a new mobile phone (mostly because there was no longer a sync software for the Sony P910 under Windows Vista). I’m fine with any mobile phone as long as it is running Windows Mobile 6, as these offer superior synchronization to Exchange using Exchange ActiveSync. Even Push-Email is supported since WM5+MSFP using Microsoft’s DirectPush.

In the end, the choice fell on the HTC TOUCH. It runs Windows Mobile 6 Professional (aka “PDA Phone Edition”), this means it uses the PDA UI, not the SmartPhone UI.

The packaging provided by HTC was very nice, in a sleek black box that comes with everything you need. A USB cable with the usual mini-USB connector (no idea on how this thing is really called), stereo headphones, a 1GB Mini-SD card and a USB charger cable.

Again, setting up the device was a breeze, it automatically configured the necessary GPRS settings. After downloading our self-signed certificate and installing it, the Phone already synced against the Exchange server. No need to plug it into any computer. (Many WM5 modems back in the days required a variety of registry hacks in order to import new trusted certificates - it’s very good to see that this has changed).

I’ve also installed version of Windows Mobile Device Center on the laptop, in order to sync files and notes (You can’t sync Outlook notes over the air, i’d like to see the design decision behind this one). WMDC works fine and integrates completely into the OS. While the ActiveSync desktop software under Windows XP was mostly troublefree when used with Exchange ActiveSync, the WMDC software works even better.

Back to the device itself. The HTC Touch is often touted as an iPhone competitor, but it’s not. They play in whole different areas. The iPhone is a consumer device - it does not offer Enterprise Messaging features like a Blackberry Connectivity Software or Exchange Active Sync. The HTC Touch is meant for professionals who need the ability to synchronize with an enterprise messaging system over-the-air, including contacts, calendar, etc.

The HTC Touch has a 2.8″ 320×240 screen. The resolution is acceptable, but i would’ve preferred 640×480 pixels at the same screen size. (I really liked the 2″ 240×320 screen on my HTC MTeoR). The device is much, much smaller than it appears on photos. It’s also much thinner - in fact, it’s the first Windows Mobile device that doesn’t look like a Windows Mobile device (which can usually be described as “bulky”). As such, i think the HTC Touch is very important for the Windows Mobile marketplace.

The Touch has an alternative shell called TouchFLO - it’s a homescreen replacement with support for a few gestures, a program launcher, and a music player. The TouchFLO functionality is nice to use, but it is not a full Windows Mobile touchscreen conversion. As such, the functionality is very, very limited. There’s a standard pen located in the phone’s corner, like with every other PDA. You’ll need this to use much of the functionality. You can place calls with just the touchscreen alone, and the touchscreen seems to be implemented very well. It even works beyond the edges of the integrated 320×240 screen, which makes using your finger to point at things on the side much, much easier.

There’s an included ZIP-Software and Adobe Reader LE is preinstalled, and there is not much “vendor crap” as i’ve seen on operator branded HTC devices. As such, i see little reason not to recommend this device - the build is very nice, the screen and other hardware components also work as they should. The only points that could be criticized are the screen resolution (which is “normal PDA” resolution instead of “hires PDA”), and the missing UMTS support which only plays a role when surfing the Web or connecting to the Web with a laptop. For EAS purposes, EDGE is enough.

In my opinion, the HTC TOUCH is a very cool Windows Mobile 6 device, that shows a lot of the progress needed in this sector. Together with the Motorola Q9h (Review from a co-worker), i would vote these two to be the two best available Windows Mobile 6 devices on the market. The TOUCH is better if you want a full fledged PDA with a touchscreen, while the Q9h is a true Smartphone with a full keyboard.

70-238 Deploying Messaging Solutions with Microsoft Exchange Server 2007

About a month ago, i’ve passed exam 70-237. A few days ago, the last exam of the MCITP: Microsoft Exchange 2007 Messaging Solutions Administrator series (not yet on the MS websites) was released - that is exam 70-238.

I noticed this on Saturday, and booked a testing appointment for today. I arrived almost late at the testing center, because a customer appointment took longer than i thought (that’ll teach me to book exams in the afternoon). Another bonus was that it is quite hot today (32C according to my car), and the A/C in the testing center has failed or was overloaded - in fact, it was almost cooler outside the building. I was offered to move my testing appointment, but i didn’t want to.

70-237 was easy as pie, and mostly theoretical questions on “how should you do this”. 70-236 required you to learn vast PowerShell commands to be able to pick the right one from the answers given.

70-238 was completely different, and much more technical than 70-237. A very large focus were backup, backup windows, recovery methodologies, migrations from older Exchange versions, migrations from/to clustered mailbox servers, and lots of questions about journalling, mailbox and transport rules, and Send and Receive connectors. Most of the questions focused on where you have to set rules, i.e. Hub or Edge server. This is usually pretty easy, but there were a few cases where the solution wasn’t obvious.

A bit of material was the same as in 70-237 (not word for word, but in the type of questions) - focusing on which rules you need for what. A few other questions centered around Active Directory, and the requirements Exchange has for it.

There were also questions which i found completely irrelevant - at least 3 questions focused on MOM and what you should do to configure it with Exchange. I never used MOM, so i used all my guessing skills.

In the end i passed with around 850 points, i expected much worse than that. I didn’t even have bars that were below the (imaginary) 80% margin, even though i don’t think i understood all the Journalling/Transport/Managed folder stuff completely.

So now i should be a MCITP: Microsoft Exchange 2007 Messaging Solutions Administrator, as long as Microsoft doesn’t have the same troubles they had with the MCSA and 70-620.

Update: Updating the transcript wasn’t a problem this time, the credentials were visible a day after i passed this exam.

70-237 Designing Messaging Solutions with Microsoft Exchange Server 2007

Today i’ve passed Microsoft exam 70-237, Designing Messaging Solutions with Microsoft Exchange Server 2007.

I didn’t spend too much time preparing for this one, mostly because i wasn’t able to find many references on the web related to this exam. This is also why i decided to write this post.

While the 70-236 exam was clearly focused on the technology itself, with many EMS and EMC questions, this exam tested the other half you need to know.

Basically, what Microsoft shuffled into one exam in the Windows Server 2003 series (70-290, et. al.) is now split into two or more exams - one focused on handling the technology in detail, and others handling the planning and limitations of the product. This is already explained on the New Generation of Microsoft Certificates page, it’s amazing how this worked out in practice. I really do like this approach, as it makes it easier to prepare for an exam.

I found the 70-237 way easier than the technical exam 70-236, mostly owed to the fact that when knowing all the base rules of Exchange 2007 deployment, you will have a lot of questions in 70-237 covered. But other topics also get their share, like Message Management, Auditing, Archival. None of them too deep. I even got a single question about Unified Messaging, which was not the case in the previous exam.

I honestly didn’t really learn for this exam - i’ve read How to Cheat at Configuring Exchange Server 2007 about a month earlier, but didn’t do anything else.

Now i’ll have to wait till 70-238 is out to complete my Exchange 2007 certification.

Reinstalling IIS on an Exchange Server

As part of a “security cleanup”, someone removed IIS from his Small Business Server 2000. The result was, well, obvious. Exchange stopped working. He reinstalled IIS, but Exchange still wasn’t working.

Luckily, Microsoft already knows what you have to do:
How to remove and to reinstall IIS on a computer that is running Exchange Server.

As usual, Microsoft KB entries aren’t very reassuring when it comes to “what data will i lose when i do this”. Don’t be concerned, reinstalling Exchange will not hurt your data in any way, if you follow the manual to the letter.

How to Cheat at Configuring Exchange Server 2007

How to Cheat at Configuring Exchange Server 2007 is the book i’m reading right now, preparing myself for the first Exchange 2007 deployment that is going to come.

So far i’m through the first three chapters, and i think it’s pretty good so far. I’ve setup a few Exchange 2007 testing environments before, but i never did anything serious with it.