My torn data pages - SBS

I've been holding this one off for quite some time, but finally bit the bullet... migrate the server.Coming from Windows Small Business Server 2003 (32-bit) going to Windows Server 2008 with Exchange 2007 (both x64), including transferring the web site. There were a few nasty pieces in the process and I didn't have/take the time/resources to test it all though before jumping in... so I got a disruption of about one hour for the blog and inbound smtp.

First issue I encountered was the installation of the server, which I ordered from Dell without operating system. I am a Microsoft Action Pack subscriber, so I slammed the 64-bit Windows Server from the Action Pack on the system, entered the Product Key and then went on to phone based activation. After putting in the last confirmation code and pushing the next button... my activation wasn't accepted!!! ... to cut a long story short, after dozens of voice menu selections and 4 persons, I found the guy who could help me out: Philip. Though it still toke Philip and me about 20 minutes to find the actual problem... I wasn't an Action Pack subscriber anymore!!! Technical story here, but it happened when Action Pack was integrated more tightly with the Partner Program. Somehow I didn't complete the Action Pack renewal transaction completely in February, but the partner site didn't show that (it only showed I'm still good for the Partner Program).

Couple of days later, I could go ahead with the migration process. It turned out to be easier than I expected after I found a very useful document about Upgrading Small Business Server 2003 to Exchange 2007. Some pointers on using the document though;

• Transferring the the other FSMO's (Schema Master is described); Determining FSMO Role Holders
• With Windows Server 2008 you NEED the Exchange 2007 SP1 DVD, Exchange 2007 without SP1 will not pass installation checks.
• Section Migrate mail send does not cover migrate mail receive. This caused me a bit of downtime... The issue was
  SMTP error from remote mail server after MAIL FROM:<abcd@efg.hi> SIZE=2703:
  host abcdef.ghi [10.10.10.10]: 530 5.7.1 Client was not authenticated
  And can be solved in the following manner in Exchange Management Console:
  • Go to the Server Configuration, Hub Transport. Select your server and add Anonymous to the Default SERVERNAME Receive Connector. While you're there, you can increase receiving message size here too.

And there were parts I did different;

• I continue to rely on Vamsoft's ORF for the anti-spam. Version 4.3 is fully compatible with Windows Server 2008 and Exchange 2007 and an ease to configure.
• Since I will continue the same DNS name for OWA and Windows mobile Active Sync, I transferred the Self-signed certificate from the SBS2003 (find it in your IIS, web site, directory security tab) to the new server.

My other bit of downtime was the blog... simply copy from the old server to the new one didn't cut it. So I downloaded the latest release of dasBlog from Codeplex, copied it into the virtual director of new server. Next I had to;

• Copy my own theme
• Compare (and adjust) the \SiteConfig files
• Transfer \Content files and \Logs files
• Make sure the account running the Application Pool has read on all dasBlog folders and change on \SiteConfig, \Content and \Logs.
• The Application Pool is running in Classic Managed Pipeline Mode

Guess I can say I didn't plan for the blog to be upgraded... that just had to happen.

Okay, I had the occasional SPAM message hitting my inbox, like every 1 out of 10 e-mails. But over the last couple of weeks that ratio seemed to flip. I had to do something in order to take back control; take some time for it now in order to save some time in the future. Since I don't believe in filtering in the inbox (or server based filtering of content for that matter), it had to be a solution at the receiving end of the server. Also, blocking at the receiver alerts the sender of a false positive that the e-mail they send will not be read (non-delivery error) which on the long run is far less intrusive to communication than silently dropping the false positive.

Building on past experience as systems administrator (I'm talking about the year 2003 now), we had about 97% of all incoming mails being either SPAM or addressed to no-existing mailboxes. For e-mail security we used MIMEsweeper, but it first received the mail (receiver service) and then processed it according its policies (security service). This way of working was both overloading the server and producing silent false positives (not many, but still). In order to fight SPAM more efficiently and be able to better spot false positives, we needed a solution capable of denying access to the server... and we found just the product to do that: Open Relay Filter by Vamsoft. This enabled to both block blacklisted servers at the door and reject mail for non-existing recipients, and instead of having to add another mail-gateway to support the overloaded server, utilization levels of the mail-gateway dropped to an acceptable level.

About 2 years back, Vamsoft invited MCT's to sign up for ORF for free, I jumped on the offer and today that offer really helped me out!!! Installation and configuration on my Small Business Server just toke a few minutes (about 25% of time compared to blogging about it).

Hmm, did this about half a year ago and didn't blog about it... stupid, because now I had to figure it out again. The unfortunate event was the phone on my PDA (T-Mobile MDA Vario II) had a bit of a malfunction. It either didn't connect to the GSM-network or when it did, calls would be disconnected after a couple of minutes. So I called T-Mobile and after having determined the problem was the phone (not the SIM), they collected it for repair. Naturally, I made a backup of my personal stuff and then removed the personal stuff and security settings from the device before it was picked up (hey, I do security training occasionally).

Well today I got my device back... software update, all information gone (but I have a backup)... I just had to restore my stuff and configure network settings and Exchange synchronization again. No problem until: 0x80072FD; indicating the certificate on the Exchange Server (my Small Business Server) was invalid.

The solution is to add my SBS self-signed certificate to the trusted root certificates of the PDA. How?

Well first make sure you environment is set up for synchronization. Not my issue, but it never hurts to check on it. See Petri for the overview.

Now obtain your SBS self-signed certificate, in all cases this will be located on the virtual directory Exchange on your web server. From IIS Manager you can directly export the certificate (without private key) to the required DER encoding. Execute following steps, which are derived from kb841060:

1. Export the root certificate to a computer that is running Microsoft Windows in DER encoded binary X.509 format with a .cer file name extension.
2. Create a root-folder Storage on the Windows Mobile device.
3. Download and extract SmartPhoneAddCert.exe package on your Windows Computer.
4. Use ActiveSync (Windows XP and earlier), Windows Mobile Device Center (Windows Vista) or the storage card to transfer the DER-encoded certificate and the SPAddCert.exe (from the downloaded package) to the \Storage folder on your Windows Mobile device.
5. On your Windows Mobile device, start SPAddCert.exe from the \Storage folder. It will give a warning that the application is not verified (or something the likes), ignore the warning and proceed. The application will now show you the certificate you exported, continue by confirming all actions.
6. Restart your device.

You can check the trusted root certificates under Settings, System, Certificates, Basic (in my case (Dutch) Instellingen, Systeem, Certificaten, Basis). After executing above procedure you should see the SBS-cert here.

I'm not sure if Windows Mobile 5 really required the restart, but that's because before I restarted I received the error 0x85010014 from ActiveSync on my SmartPhone. After restart (still the same error) it turned out to be a connection issue. Due to firewall restrictions I had to use another interface on my multi-homed SBS Server (hey, it's been a couple of months!!).

Next error I encountered from ActiveSync was 0x85020013, but since I had that funny feeling I mistyped my password (big fingers, small keys), that one was quickly resolved.

Device details:

Windows Mobile 5.1.195 (Dutch)

T-Mobile MDA Vario II (device modelnr: HERM300)

About 2 months ago I wrote that trackbacks didn't work from dasBlog... but I learned *backs do. But it toke a while to notice, here's what happened. Oh, let's clarify first, *backs are TrackBacks and PingBacks. Essentially you want to achieve the same thing with both, get a link on the (blog)page you reffer to.

I'm running my blog on a Windows Small Business Server 2003 R2, with ISA Server 2004. Also I had the blog configured to automatically ping the available servers using the XML-RPC Ping Interface. When I checked dasBlogs Eventlog after a couple of posts, it was filled with error messages like;

Error:
CookComputing.XmlRpc.XmlRpcServerException: Forbidden ( The ISA Server denied the specified Uniform Resource Locator (URL). )
at CookComputing.XmlRpc.XmlRpcClientProtocol.ReadResponse(XmlRpcRequest req, WebResponse webResp, Stream respStm, Type returnType)
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(Object clientObj, String methodName, Object[] parameters)
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(String MethodName, Object[] Parameters)
at newtelligence.DasBlog.Runtime.Proxies.WeblogUpdatesClientProxy.Ping(String weblogName, String weblogUrl)
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingWeblogsWorker(Object argument)
while processing PingWeblogsWorker, pinging Yahoo.

So the configuration of the ISA Server was preventing the IIS Application Pool of reaching out to the world. Well, a little tweaking of the ISA config and the next posts' event resulted in... another error. Only this time the message wasn't saying ISA Server was in denial. The other end just didn't seem listening;

Error:
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A socket operation was attempted to an unreachable host
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetRequestStream()
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(Object clientObj, String methodName, Object[] parameters)
at CookComputing.XmlRpc.XmlRpcClientProtocol.Invoke(String MethodName, Object[] Parameters)
at newtelligence.DasBlog.Runtime.Proxies.WeblogUpdatesClientProxy.Ping(String weblogName, String weblogUrl)
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingWeblogsWorker(Object argument)
while processing PingWeblogsWorker, pinging Yahoo.

I also noticed that "normal" url (the ones I linked in my posts) were pinged, with much the same (= NO) result.

Error:
/* As above */
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at newtelligence.DasBlog.Runtime.BlogDataServiceXml.PingbackWorker(Object argument)
while processing PingbackWorker, auto-discovery of: http://msdn2.microsoft.com/en-us/library/ms175535.aspx.

After that I left it be and didn't worry about TB and PB anymore. However, today I found a refferal in the activity log from lostcausegeek.blogspot.com, so I got curious again. I did nothing besides including a link to one of the posts, turns out something did work after all. Now back to the errors, so far I assume I'm looking at pingbacks (look here for a comparision on the *backs). In the end, it will pretty much come down to the blog service and the blog configuration, wether it works (or not).

Trackbacks, I think, is a different story with dasBlog and/or WindowsLiveWriter.

 

This morning, as I wanted to start working, I noticed my server wasn't working... Outlook couldn't connect to Exchange and the ReSQueL website was down as well. The server still had power, but no response (not even the keyboard LED for NumLock). So a power-cycle was next, well at least half of it, power down worked, power up didn't.

Absolutely nothing happened! Now I must admit, I've been there before with that type of system (not just my own). So I pulled the power cord and left the system for about 10 minutes, then tried again. This time I heard some ticks coming out of the power supply unit. And believe me, ticks from the PSU is not a good sign about the health of the thing.

However, I did have another unused ATX cabinet with PSU, so I tried transferring the internals of the old system to the replacement cabinet. Unfortunately, the TP123 motherboard has an extra power connector for the CPU core voltage. So putting power on the board worked, but (as expected) it didn't boot.

Not wanting to extend the downtime much further, I grabbed the car-keys, drove to Office Centre (cash and carry beats a webshop when you need something NOW!!!) and bought the cheapest config with 1 GB internal memory. Back home, I tested if the system worked. It did. Next I added the old disk and an extra network card and booted the system from the old disk... BOSDed and rebooted right away. But since the config is totally different, that shouldn't be too surprising. So I fetched the Windows Small Business Server 2003 R2 DVD and started the repair installation. Finally some time to sit down and write some... if all is well, this is on the blog (and the blog available) little over 5 hours 6 hours after I noticed the server down... always fun when you don't have the drivers for your new system (only the Vista drivers supplied)... NOT!

Today I had the challenge of joining a Vista x64 computer to an SBS 2003 domain. Okay, not a straightforward thing and there is some patching needed before Vista can be joined to an SBS 2003 domain. However that was not the issue today, as it wasn't the first Vista machine to be joined to this domain. The SBS 2003 Server already received the 926505 patch (which was needed to get the first Vista x64 into the domain). However this time upon trying to join a Vista x64 machine, this error came up.

Your computer could not be joined to the domain because the following error has occurred:

The remote procedure call failed and did not execute.

And nothing in the eventlogs of either the Vista machine or the SBS-box! Also, after receiving this error, the computer account for the Vista machine is disabled in AD.

A bit of Googling showed the failing RPC might very well be a firewall issue, not specific to SBS and applicable to both Microsoft ISA and CheckPoint (see 899148). Not that this was the issue right now as ISA was running SP2 and SP1 is said to resolve the issue. But it was the hint I needed, knowing that the ISA Server 2004 was put on the SBS box after the first Vista machine was joined to the domain... To sum it up, the issue is 917903 and is solved in rollup update 930414.

CAUTION!!! After applying the 930414 patch, likely your Exchange Routing Engine, Simple Mail Transport Protocol and World Wide Web Service are stopped and publications (HTTP, HTTPS and SMTP) could be failing too.

But I did join the Vista machine to the SBS domain!

UPDATE(2007-03-15), applying the 930414 patch solved the problem where Outlook loses connection to the Exchange server, then keeps asking for a password, without restoring connection. 

1. Run Internet Explorer as administrator (go via Start, All Programs, click right mouse key on Internet Explorer, see the shield...).
2. In IE, click Tools, Internet Options, Content, Certificates.
3. Click Import to start the wizard. Click next and browse to the SBS Cert (\\yourSBSbox\C$\ClientApps\SBScert\SBSCert.cer). Click Next.
4. Choose "Place all certificates in the following store", then click Browse and check to "Show physical stores".
5. Browse to place the certificate in "Trusted Root Certification Authorities\Local Computer". OK, Next, Finish to complete the wizard.