Nov 26, 2015

Well, I received my new Microsoft Lumia 950 XL Windows Phone yesterday. Played with it all night (mostly setting it up). I have to say I’m very impressed with both the device and the Windows 10 Mobile operating system.

Let me start off by saying that I’ve actually had Windows 10 loaded up on my Lumia 1020 for the past week and a half (after hearing that the latest Insider build is the same build that was shipping on the new Windows 10 devices). Jumping to Windows 10 absolutely rocked. The new operating system is a major step forward for a mobile phone operating system. I’ll get into this later on in the article.



As you can see, they shipped me the Dual SIM variant of the device which was a nice surprise.

Opening the box, it was a very simplistic and nicely organized layout inside. One thing that I immediately noticed was no headphones/headset (which is somewhat surprising as Microsoft is really pushing their Groove Music service, along with Xbox Music Pass). Either way, I can probably use my Lumia 1020’s headphones. I’m sure there’s a ton of headsets available on the Microsoft Store as well.

First, the device feels absolutely lovely in your hands. I ordered the black, and it’s very sleek. The device has a massive screen, and a simple “Microsoft” logo at the top of it. The back has the Microsoft Logo, along with the PureView Zeiss markings, and of course the camera.

Back cover pops off (this took me a while as I didn’t want to break or damage any clips). I’m not sure how easy these break, but I would advise to take your time opening it to install the SIM as well as Micro SD card. One thing I noticed that was interesting, is how the buttons are mounted on the back of the case that pops off. The design shows promise in that if anything is broken, it should be easy to replace the back cover. It would be nice if Microsoft made these parts available for purchase for people who remove/replace these on a regular basis. I’m sure the buttons become a casualty. Under the cover you’ll find the Micro SD slot, 2 X SIM slots, and a replaceable battery (replaceable battery is a nice touch).


Plugging in the device, you go through the usual Windows Phone setup, which has now been updated for Windows 10. You’ll notice the menus and interfaces are beautifully animated in simple ways that are pleasant for the user. I elected NOT to restore a backup, as I wanted to start from scratch (especially since my last backup was completed on an Insider Fast build). It gives me a chance to start fresh, choose the apps I want (discard ones I don’t use any longer), and set up new personalizations.

You’ll notice once you complete the configuration wizard that the display is absolutely BEAUTIFUL! The screen is massive, with a high enough resolution that you can enable a view of more tiles if required (note: if you enable the “View more tiles” feature, the text size remains the same and may limit visibility of text displayed inside of tiles. This is not a problem, rather an observation).


Immediate Observations:

-Beautifully animated interface for OS

-Massive screen, easy to read

-Easy to hold phone, feels comfortable in hand/hands.

-Microsoft nailed Windows 10 on mobile devices… Literally, nailed it!

-Texting/typing is super easy and pleasant now for people with big hands. I’ve been hating texting up to this point simply because I find it so hard to type on smaller screens. The 950XL screen size is perfect.

-Text messaging layout is amazing

-Skype video calls work beautifully

-Lots of new UI enhancements moving to Windows 10

-Continuum (desktop experience powered by the phone when connected to video/keyboard/mouse) sounds promising. I have not tested this.

-The Camera takes beautiful pictures, also a nice surprise was 60fps 1080p video recording, also 2160p video recording at 30fps.

-Iris scanner built in for logging on to phone (no more PIN codes). I’ve been using this and absolutely love it!

-Bluetooth pairing extremely reliable

-Service/Cell reception is better than my penta-band Lumia 1020!

-Major improvements to Microsoft Outlook, and now have the entire Microsoft Office suite on the device itself.


After spending a night and morning with it, this is my new favorite toy. I’ve so far had absolutely zero deal breaking issues with it, I will report back later on how battery life is.


There are 3 major things I want to discuss with this device:

Windows 10 for Mobile Device

This truly is the next step not only for the desktop based operating system, but for mobile devices as well. Numerous improvements can be seen in this OS on both the desktop and mobile platforms. What’s really interesting is how Microsoft is converging these platforms and essentially merging them into one thing, while identifying and maintaining the actual usages for the device that is running the OS, Windows 10.

Going specifically into phone devices, Microsoft has truly taken its own path into what it believes the most user-friendly mobile platform should be. In my opinion, they have hit it dead on. The operating system focuses both on ease of use, and the usual simple little dumb apps that are used for simple tasks in one’s personal life, but at the same time is a very powerful tool for business usage, along with keeping one connected, integrated, and in touch with things that are important for both business and life.

Cortana is Windows 10’s move to provide an assistant, which most think compares/competes with Siri on Apple’s iPhone, but while it does compete, she’s actually a totally different gal! Cortana integrates all of one’s Windows 10 devices, providing an assistant to life as well as integration among devices. This gives someone an interface to all their data, devices, and the technologies behind each device, from any outlet/device that runs Cortana. We are slowly seeing these technologies being introduced and enabled; I think it’s just the beginning of something great!

Microsoft is pushing for developers of Windows 10 apps to provide designs that allow the app to run fluidly on both desktop and mobile platforms. This allows a single app to be installed and run on both platforms, giving users a converged experience on both their desktop and mobile devices. This means your apps, data, and uses are seamless when changing devices. It essentially allows you to do whatever you need to do, on any of your devices.

Ultimately, you’ve got more than “just a phone” in your hand! You have a device that can do whatever you want, whenever you want! You could say Windows 10 is your window to the world! I know it’s cheesy, but it came to mind and holds true.


Iris Scan for Log on/Authentication

One thing I wasn’t aware of getting with this device, was the Iris scanner. While setting up the phone, it prompted to configure this and I thought, “There’s no way this phone has an Iris scanner”… Well, it does! Configured, and did about 20 scans of my Iris to improve the authentication mechanism. It works great, and is very comfortable and quick to use when signing in to your phone! I’m curious to know exactly how accurate this is, also where the Iris data is being stored.

Traditionally I’ve always used a PIN and set up authentication time-outs appropriately, but have still had issues with friends getting their hands on my device in between the security time-out. With this new Iris scanning authentication, I’ve set it to require a scan every time the device is used.

Great technology! I’ve been using fingerprint scanners on my Lenovo laptops for some time, and love the feature. However, Iris authentication is taking it a whole step further. Question is, where can I buy an Iris scanner for my desktop?

Make sure you do tons of scans in different lighting, different angles, and make sure you’re looking in different directions so it can fully map your Iris. This will make signing in to the device that much easier.


App availability for Windows 10 (or Windows Phone in general)

With all this power, flexibility, and technology, the only disappointment is that more 3rd party developers aren’t developing their applications for the Windows 10 platform. While the phone has everything I need built in for business, I do use quite a few apps for personal uses. The kicker is that most of the apps are not developed by the actual company, but by 3rd parties (one example being 6tag for Instagram access). It would be nice for 3rd party companies to take notice of the Windows platform and embrace it, especially with what it has to offer.

I’ve said this before many times: Microsoft hasn’t marketed any of their Windows Phones well, going all the way back to the Windows Mobile days. There has been more adoption in the United States due to events, marketing promos, etc… However, in Canada I feel there is still a lack of marketing being done.

Essentially, I believe there needs to be 3 separate initiatives. One for business apps, one for personal/consumer, and finally app development.

Microsoft needs to work with more partners, hold more events, and really work on their relationships with phone providers. It also wouldn’t hurt to provide funding to some 3rd party companies to push Windows app development (this has been done in the past by Nokia and Microsoft as far as I know; however, a lot of the apps that were created from this haven’t been updated in some time).

Now that there is a new flagship Lumia (The Lumia 950 XL), it will be getting out in the hands of the people, but we need apps!


Final Note:

This device is kick ass. I’d totally recommend it!

Nov 17, 2015

Decided to whip up a post about an issue that I have been running into more and more as of late.

Typically, the situation goes as follows: a customer has an environment where industrial machines are controlled by embedded Windows CE computers. These systems are typically configured to either host files or grab files off the network. They are typically dated, and IT staff are unable to get the Windows CE based machines to connect to network shares on Windows Servers running SMB version 2 or later (i.e. Windows Server 2008 and later).


This issue comes down to authentication and protocol incompatibilities. Over the years, Windows File Sharing (SMB, to be precise) has come a long way: numerous security enhancements have been made, authentication mechanisms have changed, etc…

In all cases, I’ve noticed companies usually either give up, or hire someone who is able to resolve it, but the resolution is never documented.


The solution I have come to could be considered somewhat controversial (due to the fact that Windows XP has reached its end of life), but I’ve found a way.

To provide file sharing, in my experience I have been able to accomplish this by implementing a Windows XP based “proxy” machine (calling it a proxy by name, not by actual usage). Configuring a Windows XP machine, enabling the “guest” account on it, and configuring file shares will allow users on the network to dump files on these “proxy” network shares, which in turn will be browsable and accessible to the Windows CE machine. This Windows XP machine can be joined to the domain to allow seamless authentication with other network users/computers, and also contains its own local user database.

The guest account needs to be enabled because the Windows CE machines typically browse and do the initial file sharing handshake as “guest”. You’ll also need a local user account configured on the Windows XP machine, which is the account the Windows CE machine will actually use to connect/authenticate against the share and its access.

Please note, you may also have to go into the “Local Security” policy and allow guest access to file shares and browsing on the Windows XP machine.


As always, since Windows XP has reached its end of life, no more security updates are available. You want to make sure you have other security measures in place to mitigate any security concerns that could arise from having an active XP OS running on the network. If anyone else has a better solution or can comment further on this, please do! I’ve had to deal with this issue multiple times for CNC machines with older CE based controllers, as well as handheld Windows CE devices that require network share access.
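Before standing up an unsupported XP box for legacy clients, a practitioner would first want to know which clients on the modern file server are actually negotiating SMB1, so those devices can be identified and segmented rather than having security loosened for everyone. The script below is an added example and not part of the original post; it assumes the SmbShare cmdlets that ship with Windows Server 2012 and later (the Server 2008 boxes mentioned above do not have them) and must be run elevated on the file server.

```powershell
# Added example (not from the original post): audit which SMB dialects clients
# are negotiating against a Windows file server. Legacy SMB1-only devices such as
# Windows CE controllers show up as dialect 1.x sessions.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 and later); run elevated.

# 1. Is the SMB1 server component still enabled at all?
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    EnableSMB1Protocol       = $cfg.EnableSMB1Protocol
    EnableSMB2Protocol       = $cfg.EnableSMB2Protocol
    RequireSecuritySignature = $cfg.RequireSecuritySignature
} | Format-List

# 2. Which connected clients negotiated which dialect?
$sessions = Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens

# Dialect is reported like "1.5", "2.1", "3.1.1"; a major version below 2 is SMB1.
$legacy = $sessions | Where-Object { $_.Dialect -and ([version]$_.Dialect).Major -lt 2 }

if ($legacy) {
    Write-Warning ("{0} session(s) are using SMB1; review and segment these clients:" -f @($legacy).Count)
    $legacy | Format-Table -AutoSize
} else {
    Write-Host "No SMB1 sessions currently connected."
}

# 3. Once no SMB1 clients remain, SMB1 can be disabled on the server:
#    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it a few times over a normal production day, since a CE controller that only polls a share hourly will not be in the session list at every moment.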

Nov 16, 2015

After upgrading to Windows 10, I immediately noticed that my 3 display setup no longer worked. It was powered by two NVidia graphics cards (a GeForce GT 640 and a GeForce GTX 550 Ti).

For some time, I couldn’t find anything on the internet explaining as to why I lost my dual display setup. Finally I came across a forum that pointed to this NVidia Support KB article:

Essentially, Fermi based GPUs utilize WDDM 1.3 mode, whereas the newer Maxwell and Kepler architectures support WDDM 2.0. Windows 10 is not able to load multiple display drivers using different WDDM versions.

For a really long time I waited, and no update enabled the functionality until September, when I performed an update and out of nowhere the displays started to work. I assumed they had fixed the issue permanently; however, after updating once again, I lost the capability. In this case I reverted to the last driver.

I’m not sure if they updated the Fermi driver to support WDDM 2.0, but I just know it started working. Then after a short while, with another driver update, it stopped working again. Again, the driver rollback fixed the issue.


I recently upgraded to the latest build of Windows 10, completely lost the multi-display capability once again, and lost the ability to roll back drivers.

It was time to find out exactly what driver version WORKS with the Kepler, Fermi, and Maxwell architectures.

After playing around, I found the WORKING NVidia driver version to be: 358.50

Load this version up, and you’ll be good to go! Hope it saves you some time!

Feb 06, 2015
Microsoft Band


Well, with this big work out mission I’ve been on lately, and with general love in technology, I finally decided to try and secure one of the Microsoft Band Watches.

These little devices are not only smart watches, but also fitness tracking devices.

Unfortunately I had to purchase mine at a premium on eBay since I’m in Canada, but I have to say it was worth it. I’ve been wearing the devices for two days and love it!


Here’s some of my impressions:

-Fits great (I got the large size). Originally I was concerned that I’d have issues with fitting (due to the general bulkiness look of the device as seen on online pictures). Also, I was concerned due to complaints from other users. The first time I put it on I could feel it, but since then I don’t even know I’m wearing it.

-Great information on life stats (heart rate, steps, calories burned, etc…).

-Looks stylish

-Battery life is superb

-Yes, it’s great for a normal watch

-Notifications are SLICK!!!! Calls, e-mails, texts. I don’t even need to whip my phone out to see who is calling me (this is a huge benefit to me)

-You can wear it screen out or screen in

-Forgetting the fitness aspects, there is totally a justified use in having this for the “smart” features alone.


Smart (non-fitness features):

-Easy to read texts, emails, etc… Keep in mind this is to give you an idea as to IF you need to pull out your phone, not to actually use it to read/respond to texts.

-Cortana works great! I talk to my watch, and my watch texts people (totally bad-ass).

-Calendar notifications on your watch.

-It tells time (I’m not joking, haha)

-All Windows Phone notifications appear on this device. This is great if you use 3rd party messaging apps, news apps, pretty much any type of app that creates Windows Phone notifications.


Fitness features:

-Workout tracking

-Running tracking

-Sleep tracking

-General life stat tracking

-Guided workouts (I doubt I’ll use this, but may end up trying it one day)


Things I’ve noticed:

-Since I’m in Canada, I had to set the region on my phone to the United States to install the Microsoft Health app. After installing you can set your region back and the app will stay. Don’t worry, you can choose your measurements so you can use English or Metric.

-I used it yesterday during my weightlifting workout. The stats provided mentioned I barely burned any calories and didn’t do much when in all reality I did A LOT. The readings were definitely incorrect. I believe this is due to my inner wrist and the device not being in contact with skin (under flexing, tendons pop out). I will test further by having the watch reversed on my next work out (screen on the inside vs outside).

-Step tracking is accurate

-Sleep tracking seems accurate. I’m a horrible sleeper and I noticed it did record 8 minutes of me sleeping when in fact I was awake, however for the most part it’s accurate.

-Will be trying the running tracker feature in a few hours. I’m REALLY looking forward to testing this out. Will be updating later.



-Buy it

-Use it

-Enjoy it

Sep 30, 2014

Recently, a new type of error I hadn’t seen before showed up on one of the servers I maintain and manage.


Event ID: 513

Source: CAPI2


Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

AddLegacyDriverFiles: Unable to back up image of binary EraserUtilRebootDrv.

System Error:
The system cannot find the file specified.


After further investigation I also noticed that when Windows Server Backup was running, sometimes snapshots on the C: volume wouldn’t “grow in time” and so were automatically deleted.

It was difficult to find anything on the internet regarding this as in my case it was reporting “The system cannot find the file specified”, whereas all other cases were due to security permissions. On the bright side, I was able to identify the software that this file belonged to: Symantec Endpoint Protection.

Ultimately I found a fix. PLEASE ONLY attempt this, if you are receiving the “The system cannot find the file specified”. If you are seeing any “Access Denied” messages under System Error, your issue is related to something else.


To fix:

1) Uninstall Symantec Endpoint protection.

2) Restart Server

3) Disable VSS snapshots for C: volume (NOTE: This will delete all existing snapshots for the drive.).

4) Re-install Symantec Endpoint protection.

5) Re-enable VSS snapshots for C: volume.


When this issue occurred, I was seeing the event many times every hour. It’s been 4 days since I applied this fix and it has completely disappeared, back to a 100% clean event log!
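One way to do the “file not found vs. Access Denied” triage the post insists on, as an added example that is not part of the original post: query the Application log for CAPI2 Event 513, classify each occurrence by the System Error text and the binary named in the AddLegacyDriverFiles line, and then show the System Writer’s state as VSS sees it. It assumes Windows Server 2008 R2 or later (for Get-WinEvent) and an elevated prompt; the regex patterns are taken from the event text quoted above.

```powershell
# Added example (not from the original post): triage CAPI2 Event ID 513 before
# touching anything. The post's fix applies only to the "cannot find the file
# specified" variant; "Access is denied" points at permissions instead.
# Assumes Windows Server 2008 R2 or later; run elevated.

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 513
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No CAPI2 513 events since $since."
    return
}

# Extract the binary name from "Unable to back up image of binary <name>." and
# classify the System Error that follows it.
$summary = foreach ($e in $events) {
    $msg    = $e.Message
    $binary = if ($msg -match 'Unable to back up image of binary (\S+)\.') { $Matches[1] } else { '<unknown>' }
    $cause  = if     ($msg -match 'cannot find the file specified') { 'FileNotFound' }
              elseif ($msg -match 'Access is denied')               { 'AccessDenied' }
              else                                                  { 'Other' }
    [pscustomobject]@{ Time = $e.TimeCreated; Binary = $binary; Cause = $cause }
}

# One row per binary/cause pair, most frequent first.
$summary | Group-Object Binary, Cause |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

if (@($summary | Where-Object { $_.Cause -eq 'AccessDenied' }).Count -gt 0) {
    Write-Warning 'Access Denied variants present: check permissions on the listed binaries; the reinstall procedure above does not apply to those.'
}

# State of the System Writer that CAPI2 is complaining about, straight from VSS.
vssadmin list writers | Select-String -Pattern "Writer name: 'System Writer'" -Context 0,4
```

If the grouped output names a binary other than EraserUtilRebootDrv, the software that owns it is the one to look at; the Symantec-specific steps above only apply when that driver file is the one reported.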

Aug 14, 2014

So I purchased a Surface Pro 3 today from the new Microsoft Store that opened up in Calgary, Alberta. I purchased the 512GB i7 version with 8GB of RAM.

The unit is slick, beautiful, and totally has a purpose, however there is one major problem I encountered: overheating!


First it synced my apps from my Microsoft Account. Upon installing 20 (Metro) apps, the unit overheated and I was presented with the black background screen with a circle and a thermometer icon. The unit had to cool down for a while before it allowed me to power on. I wasn’t even using the device, except that 20 “apps” were installing in the background.


I put the unit in my server room (air conditioned to 18 degrees), and then proceeded to configure the Surface, install applications, and install all the Windows Updates and firmware updates. Since installing the firmware updates the unit has not overheated; however, it’s burning my hand while ONLY running Microsoft Outlook.

Here is a screenshot of the temperatures when running only Microsoft Outlook.


This specific unit is too hot to use for me. It’s too hot for me to even hold to just read e-mails, and the sound of the fan racing non-stop (even when idling) is driving me absolutely insane. I’ve decided to return the unit for a refund until it sounds like these issues get resolved.

Is anyone else noticing overheating issues with their i7 version of the Microsoft Surface Pro 3?

UPDATE: I found this thread on Microsoft’s “Answers” forum –

Nov 14, 2013

So you’re running SBS 2011, and recently you notice (or an end user reports) that when trying to log in to your SBS 2011 Remote Web Workplace (RWW) you receive:

404 – File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Screenshot below:

File or directory not found SBS 2011 Remote Web Workplace


You check your server, all is good. You test internally, and all is good. Absolutely no errors! What’s going on?

Well, as Microsoft pushes out updates to its Internet Explorer web browser (and with users upgrading to Windows 8 or Windows 8.1), compatibility with the Remote Web Workplace is broken and/or lost.

To fix this, you need to add your RWW site to your Internet Explorer Compatibility list:

1) Open Internet Explorer, and go to your Remote Web Workplace login page. (DO NOT LOG IN YET)
2) Press the “Alt” key, which brings up the Internet Explorer menus.
3) Drop down “Tools” and then go to “Compatibility View Settings”.
4) Your internet domain should be in the “Add this website” box; just press the “Add” button, then hit Close.
5) Close out of Internet Explorer, and then go back in and try getting on remotely.

Note: If you clear your internet history, you will lose the above settings and have to reset them!

And BAM! It should now work without any problems whatsoever!

Sep 27, 2013

Nokia Canada has this awesome Facebook contest running right now where if you describe the new Lumia 1020 in one word, you can win a Lumia 1020 prize pack which includes:

-Nokia Lumia 1020

-Nokia Camera Grip

-JBL PlayUp Portable Wireless Speaker

-3 Month Nokia Music+ Subscription

To enter, “Like” the Nokia Canada Facebook page here: and fill out the contest application form here:

The good news? I already won one of the prize packs!!! Yesterday was my birthday and around 3:00PM I received a message from Nokia Canada telling me I won one of the prize packs! Woohoo!

I’m TOTALLY excited about the phone. I’ve been harassing my Rogers reps for a while wondering when I can pre-order a 1020. This is just icing on the cake baby!

Once I get my hands on it, I’ll be writing an in-depth review on the device. I already have the feeling I’m going to love it!



Jun 13, 2013

As most of you know, I’m a huge fan of the Microsoft Surface Pro tablet. I’ve been using it since day 1 of the release and absolutely love it. This thing has become such a valuable tool in my life, if anything were to happen to it, I’d replace it in a flash.

Since I’ve had mine, I’ve had numerous clients ask about it. After demo’ing the device, most have actually gone out and pulled the trigger. They all compare it to their various old tablets, and say hands down the Surface Pro is #1.

Recently one of my clients, Larry Wellspring at Synterra Technologies Ltd. (a leading seismic consulting company located here in Calgary, Alberta and a long time client of mine), was thinking of purchasing one so he didn’t have to lug around his high performance laptop. One of the most important questions he had was the specs of the device and whether it could handle the seismic software applications he and his business use. Since the Surface Pro is essentially a higher performing computer in the form factor of a tablet, I said chances are it would work. He went out and bought one.

Most applications worked right off the bat. However, we had a few issues with Omni 3D from Gedco. The application would install fine; however, we were receiving errors when launching the application:

The application was unable to start correctly (0xc0150002). Click OK to close the application.

We tried contacting Omni 3D support; however, they mentioned running Omni 3D on Windows 8 was unsupported and untested, especially running it on a tablet. They mentioned they couldn’t recall ever getting Omni 3D to run on a tablet. Well, we wanted to make history! :)

Trying different compatibility configurations had no effect. Ultimately, I researched the error and noticed it had something to do with C++ runtimes. Although none of the posts had a solution to our problem, they at least pointed us in the right direction. I noticed we already had the 64-bit and 32-bit C++ 2010 runtimes installed (I believe a different application installed these), so first and foremost, I re-installed these. It had no effect. I then decided to try installing the C++ 2008 runtime installers. In our case, we installed the 64-bit version of Omni 3D, so I installed the 64-bit version of the Microsoft Visual C++ 2008 Runtime components available here.

After installing this, we went to open up Omni 3D and it worked!

Keep in mind that this should not only work and apply to Surface Pro tablets, but to anyone trying to install Omni 3D on Windows 8.
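Rather than reinstalling runtimes by trial and error, the check a practitioner would run first, as an added example that is not part of the original post: list the Visual C++ redistributables present in both the 64-bit and 32-bit uninstall registry views, and read the SideBySide Event 33 entries in the Application log, which name the missing assembly behind a 0xc0150002 (side-by-side configuration) error. The '2008.*x64' match reflects the specific runtime the post ended up needing; the rest is a general check that applies to any application failing with this code.

```powershell
# Added example (not from the original post): inventory installed Visual C++
# runtimes and surface the SideBySide events that explain a 0xc0150002 error.
# Works on Windows 7 / Windows 8 and later; no elevation needed to read these keys.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit installs on x64
)

$runtimes = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Visual C++*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName -Unique

Write-Host "Installed Visual C++ redistributables:"
$runtimes | Format-Table -AutoSize

# The combination this post needed: the 2008 x64 runtime for the 64-bit Omni 3D build.
if (-not ($runtimes | Where-Object { $_.DisplayName -match '2008.*x64' })) {
    Write-Warning 'Microsoft Visual C++ 2008 x64 redistributable not found.'
}

# 0xc0150002 is a side-by-side activation failure; Windows logs the exact missing
# assembly (name, version, architecture) as SideBySide Event 33 in the Application log.
Write-Host "`nMost recent SideBySide activation failures:"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SideBySide'; Id = 33 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

The Event 33 message states which assembly (for example a specific Microsoft.VC90.CRT version and processor architecture) could not be found, which tells you directly whether the 32-bit or 64-bit runtime of which year is missing.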

May 31, 2013

Back in February, I was approached by a company that had multiple offices. They wanted my company to come in and implement a system that allowed them to share information, share files, communicate, use their line of business applications, and be easily manageable.

The first thing that always comes to mind is Microsoft Small Business Server 2011. However, what made this environment interesting is that they had two branch offices in addition to their headquarters all in different cities. One of their branch offices had 8+ users working out of it, and one only had a couple, with their main headquarters having 5+ users.

Usually when administrators think of SBS, they think of a single server (two servers with the premium add-on) solution that provides a small business with up to 75 users with a stable, enterprise feature packed IT infrastructure.

SBS 2011 Includes:

Windows Server 2008 R2 Standard

Exchange Server 2010

Microsoft SharePoint Foundation 2010

Microsoft SQL Server 2008 R2 Express

Windows Server Update Services

(And an additional Server 2008 R2 license with Microsoft SQL Server 2008 R2 Standard if the premium add-on is purchased)


Essentially this is all a small business typically needs, even if they have powerful line of business applications.

One misconception about Windows Small Business Server is the limitation of having a single domain controller. IT professionals often think that you cannot have any more domain controllers in an SBS environment. This actually isn’t true. SBS does allow multiple domain controllers, as long as there is a single forest and not multiple domains. You can have a backup domain controller, and you can have multiple RODCs (Read-Only Domain Controllers), as long as the primary Active Directory roles stay with the SBS primary domain controller. You can have as many global catalogs as you’d like! As long as you pay for the proper licenses for all the additional servers :)

This is where this came in handy. While I’ve known about this for some time, this was the first time I was attempting to put something like this into production.


The plan was to setup SBS 2011 Premium at the HQ along with a second server at the HQ hosting their SQL, line of business applications, and Remote desktop Services (formerly Terminal Services) applications. Their HQ would be sitting behind an Astaro Security Gateway 220 (Sophos UTM).

The SBS 2011 Premium (2 Servers) setup at the HQ office will provide:

-Active Directory services

-DHCP and DNS Services

-Printing and file services (to the HQ and all branch offices)

-Microsoft Exchange

-“My Document” and “Desktop” redirection for client computers/users

-SQL DB services for LoB’s

-Remote Desktop Services (Terminal Services) to push applications out in to the field


The first branch office will have a Windows Server 2008 R2 server, promoted to a Read-Only Domain Controller (RODC), sitting behind an Astaro Security Gateway 110. The Astaro Security Gateways would establish a site-to-site branch VPN between the two offices and route the appropriate subnets. At the first branch office there are issues with connectivity (they’re in the middle of nowhere), so they will have two internet connections with two separate ISPs (one line-of-sight long range wireless backhaul, and one simple ADSL connection), for which the ASG 110 will provide load balancing and fault tolerance.

The RODC at the first branch office will provide:

-Active Directory services for (cached) user logon and authentication

-Printing and file services (for both HQ and branch offices)

-DHCP and DNS services

-“My Documents” and “Desktop” redirection for client computers/users.

-WSUS replica server (replicates approvals and updates from WSUS on the SBS server at the main office).

-Exchange access (via the VPN connection)

Users at the first branch office will be accessing file shares located both on their local RODC and on the HQ server in Calgary. The main wireless backhaul has more than enough bandwidth to support SMB shares over the VPN connection. After testing, it turns out the backup ADSL connection also handles this fairly well for the types of files they will be accessing.


The second branch office will have an Astaro RED device (Remote Ethernet Device). The Astaro/Sophos RED devices act as a remote Ethernet port for your Astaro Security Gateways. Once configured, it’s as if the ASG at the HQ has an Ethernet cable running to the branch office. It’s similar to a VPN, however (I could be wrong) I think it uses EoIP (Ethernet over IP). The second branch doesn’t require a domain controller due to the small number of users. As far as this branch office goes, this is the last we’ll talk about it as there’s no special configuration required for these guys.

The second branch office will have the following services:

-DHCP (via the ASG 220 in Calgary)

-DNS (via the main HQ SBS server)

-File and print services (via the HQ SBS server and other branch server)

-“My Document” and “Desktop” redirection (over the WAN via the HQ SBS server)

-Exchange access (via the Astaro RED device)


For all the servers, we chose HP hardware as always! The main SBS server, along with the RODC, were brand new HP ProLiant ML350p Gen8s. The second server at the HQ (running the premium add-on) is a re-purposed HP ML110 G7. I always configure iLO on all servers (especially remote servers) so I can troubleshoot issues in the event of an emergency when the OS is down.


So now that we’ve gone through the plan, I’ll explain how this was all implemented.

  1. Configure and setup a typical SBS 2011 environment. I’m going to assume you already know how to do this. You’ll need to install the OS. Run through the SBS configuration wizards, enable all the proper firewall rules, configure users, install applicable server applications, etc…
  2. Configure the premium add-on. Install the Remote Desktop Services role (please note that you’ll need to purchase RDS CALs as they aren’t included with SBS). You can skip this step if you don’t plan on using RDS or the premium server at the main site.
  3. Configure all the Astaro devices. Configure a Router to Router VPN connection. Create the applicable firewall rules to allow traffic. You probably know this, but make sure both networks have their own subnet and are routing the separate subnets properly.
  4. Install Windows Server 2008 R2 on to the target RODC box (please note, in my case, I had to purchase an additional Server 2008 license since I was already using the premium add-on at the HQ site; if you purchase the premium add-on but aren’t using it at your main office, you can use this license at the remote site).
  5. Make sure the VPN is working and the servers can communicate with each other.
  6. Promote the target RODC to a read only domain controller. You can launch the famous dcpromo. Make sure you check the “Read Only domain controller” option when you promote the server.
  7. You now have a working environment.
  8. Join computers using the SBS connect wizard. (DO NOT LOG ON AS THE REMOTE USERS UNTIL YOU READ THIS ENTIRE DOCUMENT)
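Step 6 can also be done unattended, which is handy when the server is staged at the office and shipped to the branch later. The script below is an added example and not part of the original post or of any Microsoft sample; it runs on the target Server 2008 R2 box (already domain-joined, VPN up) and writes a dcpromo answer file for a read-only replica. The domain name, site name and source DC are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: unattended promotion of the branch
# server to a read-only domain controller (step 6 above). Run elevated on the
# target Server 2008 R2 machine after it is domain-joined and the VPN is up.
# Domain, site and DC names below are assumptions; adjust to your environment.
$Domain     = 'corp.example.local'          # assumption: DNS name of the SBS domain
$SiteName   = 'Branch01'                    # assumption: AD site for this branch
$SourceDC   = 'SBS01.corp.example.local'    # assumption: the writable SBS domain controller
$AnswerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# dcpromo needs the DSRM password in clear text in the answer file. It blanks the
# password fields when it finishes, and the file is deleted below in any case.
$dsrm  = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$Domain
SiteName=$SiteName
ReplicationSourceDC=$SourceDC
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=$Domain
UserName=administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# ReplicaOrNewDomain=ReadOnlyReplica is the "Read-only domain controller" checkbox
# from the wizard. Password=* makes dcpromo prompt for the domain admin password
# instead of storing it on disk. The default password replication policy (the
# Allowed/Denied RODC Password Replication Groups) is applied; the next section
# decides who goes into it.
dcpromo /unattend:$AnswerFile
Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
Restart-Computer
```

After the reboot, `Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object IsReadOnly, Site` should report `True` and the branch site, and `repadmin /showrepl` should show inbound replication from the SBS server only (an RODC never replicates outbound).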

I did all the above steps at my office and configured the servers before deploying them at the client site.

You essentially have a basic working network. Now for the tricky stuff: enabling folder redirection at the branch site to their own server (instead of the SBS server), and giving them their own WSUS replica server.


Now to the fancy stuff!

1. Installing WSUS on the RODC using the Add Roles feature in Windows Server: you have to remember that RODCs are exactly what they say! !READ ONLY! (as far as Active Directory goes)! Installing WSUS on an RODC will fail right off the bat: it reports that access is denied when it tries to create certain security groups in the directory. You’ll have to manually create these two groups in Active Directory on your primary SBS server to get it to work:


Replace RODCSERVERNAME with the computer name of your RODC server. You’ll notice that two similar groups already exist (with a different server name) for the existing Windows SBS WSUS install; those existing groups are for the main WSUS server. Once these groups exist, the role install will succeed. After it completes, run through the WSUS configuration wizard and configure it as a replica of your primary SBS WSUS server.

2. One BIG thing to keep in mind is that with RODCs you need to configure which accounts (both user and computer) are allowed to be “cached”. Cached credentials allow the RODC to authenticate computers and users in the event the primary domain controller is down. If you do not configure this and the internet or the primary domain controller becomes unavailable, no one at the branch site will be able to log in to their computers or access network resources. When you promoted the server to an RODC, two groups were created in Active Directory: Allow RODC Cached Logins, and Deny RODC Cached Logins (I could be wrong on the exact name since I’m going off memory). You can’t just select and add users to these groups; you need to also select and add the computers they use, since computers have their own “computer account” in Active Directory.

To overcome this, create two security groups alongside the existing ones. One group will be for users of the branch office, the other group will be for computers of the branch office. Make sure to add the applicable users and computers as members of the security groups. Now go to the “Allow RODC Cached Logins” group created by the DC promotion, and add those two new security groups to that group. This will allow remote users and remote computers to authenticate using cached security credentials. PLEASE NOTE: DO NOT CACHE YOUR ADMINISTRATIVE ACCOUNT!!! Instead, create a separate administrative account for that remote office and cache that.
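The built-in groups dcpromo creates are actually named Allowed RODC Password Replication Group and Denied RODC Password Replication Group (the Denied group wins over the Allowed one and already contains Domain Admins, Administrators and the operator groups). The script below is an added example, not part of the original post: it builds the two branch groups, nests them in the Allowed group, then verifies that no privileged account ended up cacheable and shows what the RODC has cached so far. Group, OU, account and server names are assumptions or constructed samples; it also serves as the per-user step of the onboarding checklist at the end of the article.

```powershell
# Added example, not from the original post: configure and verify which branch
# accounts the RODC may cache. Names are assumptions / constructed samples.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH01-RODC'            # assumption: the branch RODC
$UsersGroup  = 'Branch01 Cached Users'
$CompsGroup  = 'Branch01 Cached Computers'
$GroupsOU    = "OU=Security Groups,OU=MyBusiness,$((Get-ADDomain).DistinguishedName)"  # assumption: SBS default group OU
$BranchUsers = 'jdoe', 'asmith', 'branch01-admin'  # constructed; branch01-admin is a separate, non-Domain-Admin account
$BranchComps = 'BR01-PC01', 'BR01-PC02'            # constructed

# 1. The two nesting groups: one for user accounts, one for computer accounts.
foreach ($name in $UsersGroup, $CompsGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupsOU
    }
}
Add-ADGroupMember -Identity $UsersGroup -Members $BranchUsers
Add-ADGroupMember -Identity $CompsGroup -Members ($BranchComps | ForEach-Object { Get-ADComputer $_ })

# 2. Nest both in the built-in allow group created at promotion time.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $UsersGroup, $CompsGroup

# 3. Safety check: the effective allow list must not contain privileged accounts.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty SamAccountName -Unique
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    ForEach-Object { if ($_.ObjectClass -eq 'group') { Get-ADGroupMember -Identity $_ -Recursive } else { $_ } } |
    Select-Object -ExpandProperty SamAccountName -Unique
$overlap = $allowed | Where-Object { $privileged -contains $_ }
if ($overlap) { Write-Warning "Privileged accounts are cacheable on ${Rodc}: $($overlap -join ', ')" }

# 4. Optional: pre-populate the cache now so the first logon works even with the WAN down:
#    repadmin /rodcpwdrepl BRANCH01-RODC SBS01 jdoe asmith BR01-PC01$ BR01-PC02$
# 5. Report what the RODC has actually cached (secrets revealed) so far.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

Step 3 is the check behind the "do not cache your administrative account" warning: because Denied overrides Allowed, a Domain Admin nested into the branch group will never be cached, but the warning tells you someone tried, which usually means the wrong account is in use at the branch.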

3. One of the sweet things about SBS is all the pre-configured Group Policy objects that enable the automatic configuration of the WSUS server, folder redirection, and a bunch of other great stuff. Keep in mind that with the above config, if left alone up to this point, the computers in the branch office will use the folder redirection settings and WSUS settings from the main office. The remote users’ redirected folders (whatever you have selected, in my case My Documents and Desktop) will be stored on the main HQ server. If you’re alright with this and not concerned about the size of the user folders, you can leave it. What I needed to do (for simple disaster recovery purposes) is have the branch office users’ redirected folders stored on their own local branch server. We also need the branch computers to connect to the local branch WSUS server (we don’t want each computer pulling updates over the VPN connection, as this will use up tons of bandwidth). What’s really neat is that when users open applications via RemoteApp (over RDS) and export files to their desktop inside RemoteApp, the files are immediately available on their computer desktop, since the RDS server is using the same GPOs.

To do this, we’ll need to duplicate and modify a couple of the default GPOs, and also create some OU (Organizational Unit) containers inside of Active Directory so we can apply the new GPOs to them.

First, under “SBSComputers” create an OU called “Branch01Comps” (or call it whatever you want). Then under “SBSUsers” create an OU called “Branch01Users”. Now keep in mind you want to have this fully configured before any users log on for the first time. All of this configuration should be done AFTER the computer is joined (using the SBS connect) to the domain and AFTER the users are configured, but BEFORE the user logs in for the first time. Move the branch office computer accounts to the new Branch office computers OU, and move the Branch office user accounts to the Branch office users OU.

Now open up the Group Policy Management Console. You want to duplicate 2 GPOs: Update Services Common Settings Policy (rename the duplicate to “Branch Update Services Common Settings Policy” or something), and Small Business Server Folder Redirection Policy (rename the duplicate to “Branch Folder Redirection” or something).

Link the duplicated Update Services policy to the Branch Computers OU we just created, and link the duplicated folder redirection policy to the Branch Users OU we just created.

Modify the duplicated server update policy to reflect the address of the new branch WSUS replica server. Computers at the branch office will now pull updates from that server.
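The OU, GPO duplication, linking and WSUS address steps above, as one added example (not part of the original post, and not SBS’s own tooling). It uses the ActiveDirectory and GroupPolicy modules that ship with Server 2008 R2. The SBS container paths follow the SBS 2011 defaults but are stated as assumptions, as are the computer and user names and the WSUS replica URL.

```powershell
# Added example, not from the original post: branch OUs, GPO copies and links,
# and the WSUS replica address. Paths and names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = (Get-ADDomain).DistinguishedName
$CompsParent = "OU=SBSComputers,OU=Computers,OU=MyBusiness,$DomainDN"   # assumption: SBS 2011 default
$UsersParent = "OU=SBSUsers,OU=Users,OU=MyBusiness,$DomainDN"           # assumption: SBS 2011 default
$CompsOU     = "OU=Branch01Comps,$CompsParent"
$UsersOU     = "OU=Branch01Users,$UsersParent"
$WsusUrl     = 'http://BRANCH01-RODC:8530'     # assumption: WSUS replica on the RODC, port 8530
$UpdatesGpo  = 'Branch Update Services Common Settings Policy'
$RedirGpo    = 'Branch Folder Redirection'

# 1. OUs under the SBS containers (idempotent)
foreach ($pair in @(@('Branch01Comps', $CompsParent), @('Branch01Users', $UsersParent))) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$($pair[0])'" -SearchBase $pair[1])) {
        New-ADOrganizationalUnit -Name $pair[0] -Path $pair[1]
    }
}

# 2. Move the branch accounts in BEFORE anyone logs on for the first time (constructed names)
'BR01-PC01', 'BR01-PC02' | ForEach-Object { Get-ADComputer $_ | Move-ADObject -TargetPath $CompsOU }
'jdoe', 'asmith'         | ForEach-Object { Get-ADUser $_     | Move-ADObject -TargetPath $UsersOU }

# 3. Duplicate the two SBS GPOs and link the copies to the branch OUs only
Copy-GPO -SourceName 'Update Services Common Settings Policy'           -TargetName $UpdatesGpo
Copy-GPO -SourceName 'Small Business Server Folder Redirection Policy' -TargetName $RedirGpo
New-GPLink -Name $UpdatesGpo -Target $CompsOU
New-GPLink -Name $RedirGpo   -Target $UsersOU

# 4. Point the branch copy of the update policy at the branch WSUS replica
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $UpdatesGpo -Key $wuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl
Set-GPRegistryValue -Name $UpdatesGpo -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl

# 5. Verify what a branch computer will actually receive
Get-GPResultantSetOfPolicy -Computer 'BR01-PC01' -ReportType Html -Path "$env:TEMP\BR01-PC01-rsop.html"
```

The original SBS policies stay linked higher up, so both apply to branch machines; the copy linked at the branch OU is processed last and therefore wins on the WSUS address. The RSoP report in step 5 (or `gpresult /r` on the client after `gpupdate /force`) is the place to confirm that before letting users log on. The folder redirection path itself is not a registry value, so the branch copy of that GPO is edited in GPMC as described below.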

As for folder redirection, it’s a bit tricky. You’ll need to create a share (with full share access to all users), and then set special file permissions on the folder that you shared (info available at On top of that, you’ll need a way to actually create the child user folders under that share/folder you created. I did this by going into Active Directory, opening each remote user, and setting their profile path to the file share. When I hit apply, this created a folder with their username and the applicable permissions under that share; after this was done, I would undo that setting and the directory created would stay. Repeat this for each remote user at that specific branch office. You’ll also need to do this each time they add a new user if they bring on more staff, and you’ll need to add all new computers and new users to the appropriate OUs and security groups we’ve created above.

FINALLY you can now go into the GPO you duplicated for Branch Folder Redirection. Modify the GPO to reflect the new storage path for the redirection objects you want (just a matter of changing the server name).
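The share, its permissions and the per-user folders can be created directly rather than through the profile-path trick. The script below is an added example, not part of the original post: it sets the NTFS rights Microsoft documents for a folder redirection root (users may only list the root and create their own folder; CREATOR OWNER gets full control of what it created), pre-creates one folder per branch user owned by that user, and prints the resulting owner and ACEs so they can be checked before first logon. The root path, share name and user names are assumptions; the per-user function is the piece to rerun whenever the branch adds a user.

```powershell
# Added example, not from the original post: branch folder redirection root
# share and per-user folders. Run elevated on the branch server. Paths, share
# and user names are assumptions / constructed samples.
Import-Module ActiveDirectory

$Root      = 'D:\Redirected'        # assumption: local folder on the branch server
$ShareName = 'Redirected$'          # assumption: hidden share; GPO root path becomes \\BRANCH01-RODC\Redirected$
$Users     = 'jdoe', 'asmith'       # constructed sample branch users
$NetBios   = (Get-ADDomain).NetBIOSName

function New-RedirectionRoot {
    param([string]$Path, [string]$Share)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # NTFS: drop inherited ACEs, then grant only what redirection needs.
    #   Authenticated Users: list the root and create a folder in it (this folder only)
    #   CREATOR OWNER: full control of anything a user creates (subfolders and files only)
    #   SYSTEM / Administrators: full control (admins needed for backup and support)
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' 'Authenticated Users:(RD,AD,X,RA,RC)' | Out-Null
    # Share permissions stay open; the NTFS ACL above is the real restriction.
    if (-not (Get-WmiObject Win32_Share -Filter "Name='$Share'")) {
        net share "$Share=$Path" "/grant:Authenticated Users,FULL" | Out-Null
    }
}

function New-RedirectionUserFolder {
    param([string]$Root, [string]$SamAccountName)
    $path = Join-Path $Root $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Order matters: set owner and explicit ACEs while the inherited admin ACE
    # still grants us access, then cut inheritance so only these ACEs remain.
    icacls $path /setowner "$NetBios\$SamAccountName" | Out-Null
    icacls $path /grant "${NetBios}\${SamAccountName}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null
    icacls $path /inheritance:r | Out-Null
    return $path
}

New-RedirectionRoot -Path $Root -Share $ShareName
foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) { Write-Warning "$u not found in AD"; continue }
    $p   = New-RedirectionUserFolder -Root $Root -SamAccountName $u
    $acl = Get-Acl $p
    $aces = ($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    '{0}: owner={1}; {2}' -f $p, $acl.Owner, $aces
}
```

Because the per-user folders keep an Administrators ACE (so the branch server can be backed up and supported), the branch copy of the redirection GPO must have “Grant the user exclusive rights” unticked for each redirected folder; with that option on, the client refuses a folder that anyone but the user and SYSTEM can access. If you want exclusive rights instead, drop the Administrators entry from the second `/grant` line.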

4. Configure Active Directory Sites and Services. You’ll need to go into Active Directory Sites and Services and configure sites for each subnet you have (your main HQ subnet, branch 1 subnet, and branch 2 subnet), and assign the applicable domain controller to those sites. In my case, I created 3 sites, and configured the HQ subnet and second branch to authenticate off the main SBS PDC, and configured the first branch (with their own RODC) to authenticate off their own RODC. Essentially, this tells the computers which domain controller they should be authenticating against.
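The same site and subnet layout, as an added example (not from the original post): one site per location, the subnet objects that map clients to their site, the branch RODC placed in its own site, and a discovery check showing which DC each site resolves to. The subnets and server names are assumptions; the HQ keeps the Default-First-Site-Name site that SBS already created.

```powershell
# Added example, not from the original post: AD sites and subnets for the three
# locations. Subnets, site and server names are assumptions.
Import-Module ActiveDirectory

$SitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$Layout  = @(
    @{ Site = 'Default-First-Site-Name'; Subnet = '192.168.0.0/24';  DC = 'SBS01' }          # HQ, site created by SBS
    @{ Site = 'Branch01';                Subnet = '192.168.10.0/24'; DC = 'BRANCH01-RODC' }  # branch with the RODC
    @{ Site = 'Branch02';                Subnet = '192.168.20.0/24'; DC = $null }            # RED branch, no local DC
)

function Set-BranchSite {
    param([string]$Site, [string]$Subnet, [string]$DC)
    $siteDN = "CN=$Site,$SitesDN"
    if (-not (Get-ADObject -Filter "objectClass -eq 'site' -and name -eq '$Site'" -SearchBase $SitesDN)) {
        New-ADObject -Name $Site -Type site -Path $SitesDN
        New-ADObject -Name 'NTDS Site Settings' -Type nTDSSiteSettings -Path $siteDN
        New-ADObject -Name 'Servers' -Type serversContainer -Path $siteDN
        # Site-link membership is what lets the KCC schedule replication to the new site
        Set-ADObject -Identity "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$SitesDN" -Add @{ siteList = $siteDN }
    }
    $subnetsDN = "CN=Subnets,$SitesDN"
    if (-not (Get-ADObject -Filter "objectClass -eq 'subnet' -and name -eq '$Subnet'" -SearchBase $subnetsDN)) {
        # siteObject links the subnet to its site; clients use it to find "their" DC
        New-ADObject -Name $Subnet -Type subnet -Path $subnetsDN -OtherAttributes @{ siteObject = $siteDN }
    }
    if ($DC) {
        $dcObj = Get-ADDomainController -Identity $DC
        if ($dcObj.Site -ne $Site) {
            # The server object is the parent of the DC's NTDS Settings object
            $serverDN = $dcObj.NTDSSettingsObjectDN -replace '^CN=NTDS Settings,', ''
            Move-ADObject -Identity $serverDN -TargetPath "CN=Servers,$siteDN"
        }
    }
}

foreach ($l in $Layout) { Set-BranchSite @l }

# Which DC will a client in each site pick? A site without a DC (Branch02, the RED
# office) is served by the nearest site by site-link cost, which here is HQ.
foreach ($l in $Layout) {
    $dc = Get-ADDomainController -Discover -SiteName $l.Site -ErrorAction SilentlyContinue
    '{0,-24} {1,-18} -> {2}' -f $l.Site, $l.Subnet, ($dc.HostName -join ',')
}
```

On a branch workstation, `nltest /dsgetsite` should print `Branch01` and `nltest /dsgetdc:corp.example.local` (your own domain name) should return the RODC; if it still returns the SBS server, the client’s IP is not covered by any subnet object, which is the usual cause.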


And you’re done! (I don’t think I’ve forgotten anything). A few things to remember whenever adding new users and/or computers to the branch: ALWAYS join using the SBS wizard, add the computer to the branch OU, add the user to the branch OU, create the user’s master redirection folder using the profile path in the AD user object, and separately add both the user and computer accounts as members of the security groups we created to cache credentials.

And remember, always always always test your configuration before throwing it into production. In my case, I got it running first try without any problems, but I let it run as a test environment for over a month before deploying to production!


We’ve had this environment running for months now and it’s working great. What’s even cooler is how well the Astaro Security Gateway (Sophos UTM) is handling the multiple WAN connections during failures, it’s super slick!