James McAlister's Blog
Server 2008 firewall rule to allow FTP

I had trouble getting access to a new FTP site that we set up. It turned out to be a problem with configuring the firewall for FTP passive mode. I opened a case with Microsoft to resolve the issue.

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To open port 21 on the firewall, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
  3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp enable

Important Notes:

  • Active FTP connections would not necessarily be covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.
  • FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
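
The dynamic port opening that step 3 enables, and the reason FTPS defeats it, shown as an added example (not code from the original post, and not Windows Firewall's implementation): a simplified Python model of a filter reading the FTP control channel. It also handles the EPSV 229 reply, which the post does not mention; the transcripts and addresses are constructed.

```python
import re

# 227 reply (RFC 959): address and port as six decimal bytes h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 reply (RFC 2428): only the port, e.g. (|||50211|).
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")
# Client command that starts TLS negotiation on the control channel.
AUTH_RE = re.compile(r"^AUTH\s+(TLS|SSL)\s*$", re.IGNORECASE)


def data_port(reply):
    """Return the TCP data port advertised by a 227/229 reply, else None."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(g) for g in m.groups()]
        if max(octets) > 255:
            return None  # malformed reply: open nothing
        return octets[4] * 256 + octets[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return port if 0 < port < 65536 else None
    return None


def inspect(transcript):
    """Model a stateful FTP filter watching the control channel (port 21).

    transcript: list of (direction, line) with direction "C" or "S", written
    as the endpoints see it. Returns (pinholes, unseen): data ports the filter
    would open, and data ports the server advertised after TLS started, which
    the filter only saw as ciphertext and therefore could not open.
    """
    pinholes, unseen = [], []
    auth_pending = False
    encrypted = False
    for direction, line in transcript:
        if direction == "C":
            if not encrypted:
                # Remember whether the next server reply answers AUTH TLS/SSL.
                auth_pending = bool(AUTH_RE.match(line))
            continue
        if not encrypted and auth_pending and line.startswith("234"):
            encrypted = True  # 234 accepts AUTH; the rest is TLS records
            continue
        port = data_port(line)
        if port is not None:
            (unseen if encrypted else pinholes).append(port)
    return pinholes, unseen


# Constructed sample sessions (192.0.2.10 is a documentation address).
PLAIN_SESSION = [
    ("C", "USER demo"), ("S", "331 Password required"),
    ("C", "PASS ********"), ("S", "230 User logged in"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "LIST"), ("S", "226 Transfer complete"),
    ("C", "EPSV"), ("S", "229 Entering Extended Passive Mode (|||50211|)"),
]
FTPS_SESSION = [
    ("C", "AUTH TLS"), ("S", "234 AUTH command ok"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,195,81)"),
]

if __name__ == "__main__":
    print("plain FTP:", inspect(PLAIN_SESSION))
    print("FTPS     :", inspect(FTPS_SESSION))
```

In the FTPS session the data port lands in the second list: the server still advertises it, but no inbound rule is created for it, so the data connection is blocked unless a fixed passive port range is allowed separately.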

Using Entourage 2004 to gain access to a mailbox on Exchange 2007

I had an issue with Entourage 2004 connecting to Exchange after migrating to SBS 2008. To resolve the issue, under Accounts, edit the configuration and change the server name to use the following syntax:

https://[prefix.domain.com]/exchange/user@domain.com

We assumed that it should be /owa, but after some research found that, since Entourage uses WebDAV, it still uses /exchange.

Migrating from Server 2003 Standard to Small Business Server 2008

Here are the steps that I have followed to migrate from Server 2003 Standard to Small Business Server 2008. Since you can’t run the migration prep tool on Server 2003 Standard, here is a list of tasks that I followed for two migrations that we have recently completed. Before we begin, I would like to thank Roger Crawford with Heartland technologies; some of the things that I cover below he has covered in a 3 part series here.

1. Update the source server with the latest service packs and Windows updates, including .NET Framework 2.0.

2. Create a backup of the server at this point. We use Storage Craft Shadow Protect to create an image of the server on a USB drive that we can restore in a reasonable amount of time. With this type of backup, having USB 2.0 on the server makes the process a lot faster. I have seen a backup over USB 1.1 take 8 hours or more and the same job over 2.0 take 45 minutes, a big difference between the two. We have actually bought 2 PCI USB 2.0 cards just for servers that don’t have USB 2.0.
I would also recommend stopping the SMTP service at this point so they do not receive email going forward until the process is complete, which means that for some of you out there this step may need to wait until later in the process.

3. Update the domain and the forest to 2003 Native. You can do this by opening Active Directory Users and Computers, right-clicking your domain, selecting Raise Domain Functional Level, and choosing 2003 Native. If you have older domain controllers in the domain, you will have to upgrade them to 2003 Server or take them off the domain. You will want to verify this before proceeding, as it could be a show stopper. In this case it was just one 2003 server, so I was good to go. To update the forest, open Active Directory Domains and Trusts, right-click the top level, select Raise Forest Functional Level, and raise it to 2003 Native. Also, if you are migrating from Exchange 2003 to Exchange 2007, be sure Exchange 2003 is in native mode. You can do this by right-clicking Servername (Exchange), selecting Properties, and changing the operation mode from Mixed Mode to Native Mode.

4. Check the NIC settings to verify that an ISP DNS server is not listed as one of the DNS servers on the source server. The source server should be set to use itself for DNS. Also make sure the Source Server is handing out DHCP. I would move DHCP to the source server from any device that is currently handing out DHCP before continuing.

5. Since we are unable to run the migration prep tools on the source server running Server 2003 Standard, you will have to run adprep from the SBS 2008 DVD on the source server. Open a command prompt and browse to dvddrive\tools\adprep. Run adprep /forestprep; this will take a while to run. Then run adprep /domainprep and adprep /domainprep /gprep. Usually these two have already been run as part of the forestprep.

6. Once that is all done, it is time to run the Answer File Tool to create an answer file for the migration. Plug a USB flash drive into your source server, browse to the Tools folder on the DVD, and run the SBSAfg file. I usually select the attended install (that is, uncheck the box that says run unattended) just so I can verify the information as the migration starts. I also select Migrate from existing server (join existing domain) and choose to download updates. You can select unattended, but you need to be darn sure you have all your information correct. One thing to be aware of: where it asks for the Certificate Authority Name, do not put the name of your email domain, i.e. mail.whatever.com. Leaving it blank is acceptable, or use Company Name CA or whatever you feel like, just not your domain name. Once you are sure everything is the way you want it, save your answer file to the USB flash drive.

7. Now it is time to start the SBS 2008 install. I would follow the SBS 2008 migration CHM from this point on. Once the install is finished, you will get an error when you run the Migration Wizard. This is what I did to get around this issue:
   1. Go to the C:\Program Files\Windows Small Business Server\Data folder on SBS 2008.
   2. Open the info.xml file in an editor.
   3. Search for "sourceservertype" and replace "Others" with "Sbs2003" (case sensitive).
   4. It will not let you save the file to the Data folder, so save it to your My Documents. Then rename the info.xml file in the Data folder to .old and copy the info.xml file from your My Documents to the Data folder.
Then try to run the Migration Wizard again.

What is SVCHost.exe?

One of the most common questions about system processes is what is svchost.exe and why are there so many processes running? First appearing in Windows XP, svchost.exe hosts multiple services within one process.  This allows the operating system to save memory by reducing process overhead by cutting down on the number of processes that need to be running.

Every system service such as Windows Update, Event Log, Terminal Services, Audio Service, etc. runs within svchost.exe.  Depending on the access the services need, they are grouped together and are run in a number of processes which explains why you see so many in Task Manager running under different accounts such as System, Local Service and Network Service.

Identifying what services are running is different depending on the version of Windows you have.

Windows XP

In Windows XP at a command prompt run:

tasklist /svc

The tasklist utility will show you what services are running under each svchost.exe process.

Windows Vista and Windows 7

Task manager in Windows Vista and Windows 7 has been enhanced so you can easily see what services are running inside a host process such as svchost.exe.

Click on the Start Button, type in taskmgr and hit Enter. When task manager loads, click on the Processes tab and click Show processes from all users to see all of the svchost.exe processes. Then, right click on a svchost.exe process and select Go to Service(s). You will be taken to the Services tab with all services running in that process highlighted.

All Versions of Windows

Microsoft Sysinternals has a great free utility called Process Explorer that is like a task manager on steroids. It works on all versions of Windows and allows you to easily see services running inside of svchost.exe. Download Process Explorer here. Once you have it running, right click on any process and select Properties. Then click on the Services tab and you will see all services running inside the host process.

Terminal Server Licensing Server on SBS 2008

I discovered today that in Server 2008 you can install the Terminal Server Licensing Server role on the same server as Terminal Services. In Server 2003 this was not the case; you had to install the licensing server on a separate server. Furthermore, you should not install the TS Licensing Server role on an SBS 2008 server. When you do, your licenses will not activate, which is the problem that I have been working on for weeks. I finally found a TechNet article that straightened me out.

http://technet.microsoft.com/en-us/library/dd253097.aspx

Browse Remote Web Workplace from Windows XP SP3 machine

I found this article here:

http://blogs.technet.com/11/archive/2008/11/07/browse-remote-web-workplace-from-windows-xp-sp3-machine.aspx

History:

The Microsoft Terminal Services Client ActiveX control (also known as Microsoft RDP Client Control) is an ActiveX component offered by the server. This downloadable ActiveX control provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web. The ActiveX control does not come installed as part of any Windows client system. Instead, clients obtain the control from web servers that offer terminal services. The configuration process that enables an IIS server to provide terminal services involves installing on the server a file containing the control. The server then delivers this file to any client system that needs it, and the client installs the control.

When trying to browse Remote Web Workplace hosted on a Small Business Server 2008, we get the following error:

VBScript: Remote Desktop Connection

The wizard cannot configure Remote Desktop Connection settings. Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer.

When we verify the version of mstsc.exe, it is 6.0.6001.18000; however, when we check the add-ons currently loaded in Internet Explorer 7, it shows:

Microsoft RDP client Control ActiveX control (Msrdp.ocx)

This is the Terminal Services client add-on for Remote Desktop Protocol 5.0. As per the above-mentioned error message, we need Remote Desktop Protocol (RDP) 6.0 or later. When we install Windows XP Service Pack 3 (SP3), the Microsoft Terminal Services Client ActiveX control is already included, and SP3 installs it by using the Mstscax.dll file. By default, this ActiveX control is disabled in Windows XP Service Pack 3 (SP3).

If we disable the Microsoft RDP client Control ActiveX control (Msrdp.ocx) add-on, we get the following error:

VBScript: Remote Desktop Connection

The Microsoft Terminal Services Client ActiveX control (also known as Microsoft RDP Client Control) is either not available, or is not enabled. For more information about installing and enabling this ActiveX control, see the Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=103719).

Back up the favorites in Internet Explorer

Reset the Internet Explorer settings to defaults

Run Regsvr32 on Mstscax.dll, located in %Windir%\system32

Close all open instances of Internet Explorer

Try browsing Remote Web Workplace now. The Microsoft Terminal Services Client ActiveX control should be offered by the server; install this ActiveX control.

Public folder error: ID no: 80090325 The certificate chain was issued by an authority that is not trusted.

I had an issue accessing public folders on our Exchange server. I used two articles to resolve the issue. The first article recommended unchecking SSL in IIS for exadmin and exchweb, then running iisreset. This did not resolve the issue for me, so I found another article which did the trick.

The SSL certificate server name is incorrect. ID no: c103b404

This error occurs when trying to view Public Folders in the Exchange System Manager when the SSL certificate name differs between the FQDN and the local server name. The Exchange System Manager will not allow you to view the public folders as it believes the folder name to be incorrect.

This can be resolved using a front-end, back-end scenario, but what if you are stuck with a single Exchange server (i.e. SBS) in your environment?

On following a few blogs and sites, the solution seems to be to remove SSL requirement for that particular folder in the IIS Manager.  This didn’t work for me though - and I found a lot of people out there with unresolved issues on Experts Exchange etc.

The end solution was to use the ADSIEdit utility to manually stop the Exchange System Manager from using SSL.

The steps are as follows:

1) Install the ADSIEdit Utility (one of the Windows Server 2003 Support tools) from your SBS2003 CD (CD2) using suptools.msi

2) Run a Microsoft Management console (Start->Run->MMC)

3) Open the ADSIedit.msc (browse to the Support Tools folder)

4) Browse through to

Configuration > Services > Microsoft Exchange > Domain Name > Administrative Groups > First Administrative Group > Servers > Servername > Protocols > HTTP > 1 > Exadmin

5) Right click msExchSecureBindings, and click Properties

6) Highlight :443: and click Remove

7) Click OK

Restart the Exchange System Attendant and the IIS Admin service

Exchange system manager will now no longer try to use SSL when connecting to the service.

How to: Configure Reporting Services to Use a Non-Default Web Site (Reporting Services Configuration)

Updated: 14 April 2006

You can create virtual directories for the report server and Report Manager under a custom Web site. To use a non-default Web site, you must create the site, select it when you create the virtual directories, update the URLs in the Reporting Services configuration files, and then test your installation to make sure the report server is available. How you specify the URLs and test your configuration will vary depending whether you identify the Web site through a unique IP address, port number, host header name, or a combination.

Depending on how your Web site is configured, you might encounter one or more HTTP 401 errors when verifying the URL:

  • "HTTP 401.1 - Unauthorized: Logon failed" can occur if you are running Windows XP Service Pack 2 or Windows Server 2003 Service Pack, and the fully qualified domain name of the Web site is different from the local computer name. There are several workarounds for resolving this error. For more information about the error and possible workarounds, go to http://support.microsoft.com/kb/896861.
  • "HTTP 401.1 - Unauthorized: Access is denied due to invalid credentials" can occur if the application pool is a local account or domain user account, and the Web site is configured to use integrated security. Because the report server virtual directories use integrated security by default, you can expect to encounter this error when you access the report server. For more information about the error and possible workarounds, go to http://support.microsoft.com/kb/871179.

You can run multiple report server instances on the same computer without having to create custom Web sites for each instance. For more information, see Installing Multiple Instances of Reporting Services.

To create the virtual directories in a new custom Web site

  1. Create a new Web site in IIS Manager. Creating a custom Web site requires that you either configure the Web site to use a specific IP address or host header name. For instructions on how to create a Web site, see the Hosting Multiple Web Sites on a Single Server topic in the Internet Information Services (IIS) product documentation.

  2. Verify that the Web site is accessible and that you do not encounter authentication errors when you access the site.

  3. Start the Reporting Services Configuration tool and connect to the report server that will use the new Web site.

  4. On the Report Server Virtual Directory page, click New.

  5. Select the Web site you just created, and click OK.

  6. If you are configuring the Report Server for Secure Sockets Layer (SSL) connections, select the Require Secure Sockets Layer (SSL) checkbox.

  7. Click Apply to create the report server virtual directory.

  8. On the Report Manager Virtual Directory page, click New.

  9. Select the Web site you just created. Click OK.

  10. Click Apply to create the Report Manager virtual directory.

  11. Verify that you can access the report server by testing the URL. To do this, type the URL in a browser window. If you get HTTP 401 errors, review the Microsoft Knowledge Base articles noted at the beginning of this topic.

    A fully qualified report server URL includes the prefix, server name, and virtual directory:

    If you assigned a host header to the custom Web site, use the following syntax: http://<hostheader>/reportserver.

    If you assigned an IP address to the custom Web site, make sure the IP address resolves to a host name, and then use the following syntax: http://<IP address>/reportserver.

    If you assigned a unique port number to the custom site, append the port number to the Web server name: http://<servername>:<portnumber>/reportserver.

  12. (Optional for some Web site configurations). Edit the RSWebApplication.config file to update the report server URL that Report Manager uses to connect to the report server.

    You can omit these steps if the custom Web site is mapped to a specific IP address, and the host name resolves to the IP address. You can also omit this step if the Web site uses SSL and port 443, and you selected the SSL option when creating the report server virtual directory.

    You must perform these steps if the custom site uses host headers or a custom port number:

    1. Open the RSWebApplication.config file.
    2. Delete the entry in ReportServerVirtualDirectory. Remove just the value; do not delete the tags.
    3. In ReportServerUrl, type a fully qualified name to the report server instance. It should be the same value that you used previously to confirm the report server URL.

    The settings should look similar to the following example:

    <ReportServerUrl>http://myhostheader/reportserver</ReportServerUrl>
    <ReportServerVirtualDirectory></ReportServerVirtualDirectory>

    If you are configuring multiple report server instances, repeat this step for each instance. For more information about this configuration file, see RSWebApplication Configuration File in SQL Server Books Online.

  13. Verify that you can access Report Manager by testing the URL. For example, if the report server URL is http://<hostheader>/reportserver, the Report Manager URL is most likely http://<hostheader>/reports.

    If you get the error "The request failed with HTTP status 400: Bad Request", the URL that you specified in RSWebApplication.config is not valid.

  14. If you are using report server e-mail delivery, edit the RSReportServer.config file and specify the UrlRoot configuration setting. The value should be the fully qualified report server URL. It should be the same value that you used previously to confirm the report server URL. For more information about this configuration file, see RSReportServer Configuration File in SQL Server Books Online.

Unable to request certificates from a CA

When I would try to request a certificate from a CA through the /certsrv site I would receive an error message stating that "An unexpected error has occurred".

I found two error messages in the event logs on the CA.

Source: CertSvc
Event ID: 86
Description:

Certificate Services could not use the provider specified in the registry for encryption keys. Access is denied. 0x80070005 (WIN32: 5)

Source: CertSvc
Event ID: 87
Description:

Certificate Services could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (-2146893802)

To resolve the issue I followed recommendations from this article:
http://support.microsoft.com/kb/908572/en-us

CAUSE

This issue occurs if the administrator who tries to create the certificate request does not have Full Control permissions on the files and the subfolders in the following folder:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

RESOLUTION

To resolve this issue, grant the administrator account Full Control on all files and subfolders in the MachineKeys folder. To do this, follow these steps:

1. Click Start, click Run, type "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\", and then click OK.

2. Right-click MachineKeys, and then click Properties.

3. On the Security tab, click Administrator or click the administrator group account you want, click to select the check box to enable Full Control permissions, and then click OK.

Setting up a SQL maintenance task

This needs to be done for every database we set up and configure.

  1. Verify that SQL Server 2005 has SP2 installed. This is required to create subplans underneath one maintenance plan.
  2. On the SharePoint database make sure that the recovery model is set to Full. Right click the database and select properties, then options, select the drop down beside Recovery Model and Select full. Changing the recovery model to full will allow the maintenance plan to create transaction log backups giving us the ability to restore to a point in time.
  3. Verify the SQL Server Agent is running and right click and select new operator. Type the name as ISI and an email address.
  4. Under Management, right click maintenance plan and select Maintenance Plan Wizard, select next when the wizard opens. I always leave the name "Maintenance Plan" since there will be several jobs running in this maintenance plan. Also select "Separate schedules for each task", this will allow you to create a separate subplan for each task, select next.
  5. When the "Select Maintenance Task" page opens, select Check Database Integrity, Back Up Database (Full), and Back Up Database (Transaction Log), select next.
  6. I usually don't change the task order, select next.
  7. Define Database Check Integrity Task window, select the drop down and select All user Databases.  Then select change to change the schedule. Leave the name, Schedule Type, and Occurs the default setting. Select Sunday for the day of the week that it will occur on and I would select early in the morning, after the system backup completes, click OK and then click next.
  8. Define Back Up Database (Full) Task: select All user databases, select "Create a backup file for every database", and also check "Create a sub-directory for each database". Create a folder on the D drive called SQLBackups and point the folder location to that folder.
  9. Check the box beside "Verify backup integrity".
  10. Change the schedule to be every day, an hour before the system backup starts, and select next.
  11. Define Back Up Database (Transaction Log) Task: select the drop down beside databases and this time select only the databases that you configured in Full recovery model; it will not let you select a database that is not in full recovery model.
  12. Select "Create a backup file for every database" and check the box "Create a sub-directory for each database", create a new folder under d:\sqlbackup called transactionbackup, and check "Verify backup integrity".
  13. Change the schedule to be daily and to occur every hour.
  14. Select next and change the location of "Write a report to a text file" to be d:\sqlbackup. Also check e-mail report and verify ISI is listed. Click next, and then finish.
  15. Once the Maintenance Plan has been created, we need to go back and configure maintenance cleanup tasks. Double click the Maintenance Plan under Maintenance Plans.
  16. Rename each subplan to the job it performs: single click the box and highlight the name, then copy and paste it as the subplan name.
  17. Select the Check Database Integrity job. In the design view below, drag Notify Operator Task from Maintenance Plan Tasks to the design view. Select the arrow under "Check Database Integrity" and drag it to "Notify Operator Task", then right click the arrow and select completion. Then double click "Notify Operator" and select ISI.
  18. Do the same as above for Back Up Database Full and Back Up Database Transaction log. When finished drag Maintenance Cleanup Task to the design view and drag an arrow to it.
  19. Double click Maintenance Cleanup Task and select backup files, select "search folder and delete files based on an extension" browse to d:\sqlbackup, file extension bak, check include first-level subfolders, and for the file age select 2 days.
  20. Do the same for Transaction log backups, browse to D:\SQLBackup\Transactionbackup, file extension trn, check include first-level subfolders and delete files after 2 days.
  21. Reconfigure the backup to only backup D:\SQLBackup.