Sep 05 2010

I’ve done a bunch of these migrations in the past, and I’ve noticed two main issues that I’m sure a lot of you have also come across. I decided to whip up a post here to go over them and how to deal with them. I know it’s happening to other people because of how many searches bring people to my blog looking for this stuff.

Access denied when copying network shares from source server to destination server

When you get to the point of copying data over from the source server to the destination server, the robocopy command listed in the migration document fails with “Access is Denied”. To resolve this, make sure that on the shares configured on both the source server and the destination server, the share permissions include “Administrators” and your Administrator account, with full access allowed. I’m not too sure, but it may also be wise to add “Administrators” and your Administrator account to the actual NTFS file security permissions as well (full access). After doing this you should be able to copy everything over perfectly.

Lack of documentation on moving “RedirectedFolders” from source server to destination server

There are two things I want to cover here. The first is how to actually move them. Please note that you do NOT need to use robocopy, copy manually, or do anything else to move them. When you update the group policy on SBS and change the location from the source server to the destination server, the workstations will automatically move their “RedirectedFolders” on the first login after the GPO has been picked up. To force a refresh of the GPO on a workstation, log in and run “gpupdate” from the command prompt.

The second issue (which I always come across) is that when doing a migration, the document says the first step is to move the location of your data (i.e. RedirectedFolders, UserShares, WSUS updates, etc.). In most of my installations we have a dedicated C drive for SBS and the OS, and use a second array (D drive) for all data. I’ve noticed that during these migrations, the folders for each user’s “RedirectedFolders” are not automatically created on the destination server. This is very important because these folders have their own security permissions that you DON’T want to mess with. In my case, when I update the GPO to the new location, when the folders SHOULD move, they don’t, because the users don’t have security access to create \\destinationserver\RedirectedFolders\$username. What I’ve had to do is use RoboCopy to copy the user folders from “UserShares” (most of my clients don’t use the UserShares, so they are empty) to the RedirectedFolders share, just to create a bunch of blank directories with the appropriate security permissions. After doing this the workstations could then move the data upon logon and all is good!
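The same result, pre-creating each user’s redirected folder on the destination with permissions the workstation can use, can be scripted. This is an added example and not the author’s own commands; the domain name, the destination path on the D drive and the user list file are assumptions.

```powershell
# Added example (not from the original post). Assumed values:
$Domain = 'CONTOSO'                                 # assumed NetBIOS domain name
$Source = '\\sourceserver\UserShares'               # assumed path of the old UserShares
$Dest   = 'D:\RedirectedFolders'                    # assumed destination share on the data array
$Users  = Get-Content 'C:\migration\users.txt'      # assumed: one sAMAccountName per line

# Fix for "Access is Denied": give the Administrators group (well-known SID S-1-5-32-544)
# full control on the destination root before anything is copied into it.
icacls $Dest /grant '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# The author's trick, made explicit: copy only the directory tree (no files) from
# UserShares, carrying over the NTFS security so each user's folder keeps its ACL.
#   /E       include empty subdirectories     /XF *    exclude every file
#   /COPYALL copy data + attributes + timestamps + security + owner + auditing
robocopy $Source $Dest /E /XF * /COPYALL /R:1 /W:1 /NP /LOG:C:\migration\robocopy-tree.log | Out-Null

# For users who had no UserShares folder, create the directory and set the ACL that
# Folder Redirection expects: the user, SYSTEM and Administrators with Full Control,
# inheritance removed so other users cannot browse it, and the user as owner
# (redirection fails on a pre-existing folder that the user does not own).
foreach ($u in $Users) {
    $path = Join-Path $Dest $u
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    icacls $path /inheritance:r `
        /grant:r "$Domain\${u}:(OI)(CI)F" `
                 '*S-1-5-18:(OI)(CI)F' `
                 '*S-1-5-32-544:(OI)(CI)F' | Out-Null
    icacls $path /setowner "$Domain\$u" | Out-Null
}

# Quick verification: list the resulting ACLs so they can be compared with the source.
icacls (Join-Path $Dest '*') /T /C | Select-String -Pattern '(OI)\(CI\)F' | Out-File C:\migration\dest-acls.txt
```

Run it from an elevated prompt on the destination server; the icacls /setowner step needs the restore privilege that Administrators hold.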

Remember, if you need help with SBS or migrating from SBS, I provide Small Business Server migration consulting services. Click here for more information!

Aug 31 2010

For those of you who have tried installing Exchange SP2 on SBS 2008 but have had it fail during its initial steps, this blog post is for you!

Microsoft has created a tool that you can download and install which permits you to install Exchange SP2 on SBS 2008.

For more information on the procedure and to download the tool please see:

http://support.microsoft.com/kb/974271/

I cannot stress enough the importance of a backup in case things go wrong. I have performed this at numerous client locations, most of them successfully; however, in one instance while SP2 was installing, the update failed and totally removed Exchange from SBS 2008. This was unrecoverable and a full restore from a backup would have been needed (thankfully this was the configuration of a new server, so we just restarted the implementation).

Aug 20 2010

If you’ve tried configuring your Windows Mobile device to connect to your Exchange server, but have been receiving errors about a missing or untrusted certificate, this may help.

Keep in mind it’s always best to contact your local IT department to find out if they have an easier way of doing this, or a better way.

If your desktop computer at work is joined to the domain, chances are you have a certificate installed that authenticates various systems on your network. By extracting this certificate and installing it on your Windows Mobile device, chances are this will solve your issues.

Keep in mind that if your IT department did not generate your Exchange SSL cert from the domain certificate authority this won’t work.

Now let’s get started…

  1. Open Internet Explorer
  2. Press the “Alt” button to expose the menu
  3. Select “Tools” then “Internet Options”
  4. Select the “Content” tab, and hit the “Certificates” button.
  5. Select the “Trusted Root Certification Authorities”.
  6. Now look through the list and look for something that may contain your Company’s name in it, or the name of one of your network servers.
  7. Once you find this, click once to highlight, and select the “Export” button.
  8. Go through the wizard and leave all defaults. At the very end where it asks you to choose a file, save it on your desktop and call it “cert.cer”.
  9. Copy this file to your Windows Mobile Device (using a Memory Card, or a Sync function).
  10. On your Windows Mobile device, use the File Explorer to browse to the location where you saved your cert.cer file, and select it to run. It should say “You have successfully installed a certificate”.

Now go ahead and configure your Exchange account and chances are it should work!
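The manual steps above rely on guessing which root in the list is your company’s CA. As an added example (not part of the original post), this script asks the Exchange server for its certificate, walks the chain to the root on your domain-joined PC, confirms that root is a self-signed CA this machine trusts, and writes it to cert.cer on the Desktop. The server name is an assumed placeholder.

```powershell
# Added example (not from the original post). Assumed placeholder for your server name:
$ExchangeHost = 'mail.example.internal'
$Port         = 443

# Open a TLS connection and capture the certificate the server presents. The callback
# returns $true only so the handshake completes; trust is decided by the chain check below.
$tcp = New-Object System.Net.Sockets.TcpClient($ExchangeHost, $Port)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($ExchangeHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Build the chain against this PC's own stores (the same "Trusted Root Certification
# Authorities" list the GUI steps browse). Revocation is skipped; we only need the issuer.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

Write-Host "Server certificate : $($leaf.Subject)"
Write-Host "Top of chain       : $($root.Subject)"

if (-not $trusted -or $root.Subject -ne $root.Issuer) {
    # The chain does not end at a self-signed root this PC trusts. That is the case the
    # post warns about: the Exchange cert was not issued by the domain CA, so exporting
    # something from here will not fix the device.
    Write-Warning 'No trusted self-signed root found for this server; this method will not help.'
} else {
    # Export only the public certificate in DER form, which is what the GUI wizard's
    # default "cert.cer" contains; no private key is involved.
    $out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'cert.cer'
    [IO.File]::WriteAllBytes($out, $root.Export('Cert'))
    Write-Host "Exported root CA to $out (copy this file to the device and open it)"
}
```

Check the printed root subject against your company or CA name before copying the file; if it names a public CA instead, the device should already trust it and the error lies elsewhere.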

Keep in mind that some carriers lock down devices to avoid the installation of untrusted certificates. I haven’t run in to this issue, but I have heard about it happening. If this is the case, you will need to do some research on your phone and find a way to bypass this security block.

Jul 06 2010

So recently the other day I came across this article that I was interviewed for. I’ve taken a clipping of the part that has to do with me:

The actual document is available Here. I’m on the top right of page 3.

WOW was I young. I was fresh out of high school and was 18 years old. Things have changed big time! (PS. I almost didn’t consider posting this since I had my haircut botched the day before. I was borderline bald!)

Those were the days back when I was JUST getting into business!

Jul 03 2010

I’ve had my main web server directly on the net for some time now. The box runs CentOS and I always have it fully up to date, with a minimal install just to act as a web server.

It has always concerned me a little: I keep the box as up to date as possible, but it is still always in the back of my mind.

This weekend I had some time to mess around with some stuff. I wanted to get it setup behind my Sophos UTM, however I did NOT want it to use the public IP address that it’s setup for as I have numerous static IPs all for different services.

I spent a good 3-4 hours doing lots of searching on Google, and Astaro.org. I saw a few people that wanted to do the same thing as me, but didn’t really find an explanation for anything.

Ultimately I wanted to setup another external IP address on the Sophos UTM software appliance box, and have that external IP dedicated to JUST the web server. Everything else would continue to run as configured before I started modifying anything.

I finally got it going, and I thought I would do a little write up on this since I saw a lot of people were curious, however no one was having luck with it. So far I’ve just done it for my main web server, however in the future I’ll be doing this with a few more external IPs and servers of mine. So let’s log into the Astaro web interface and get started!

PLEASE NOTE: I performed this configuration on Astaro Security Gateway Version 8, this will also work on a Sophos UTM

  1. Configure the additional IP – Go to “Interfaces & Routing”, then choose “Interfaces”. Select the “Additional Addresses” tab at the top of the screen. Hit the “New additional address…” button and configure the additional IP. Please note this worked for me because all my static IPs use the same gateway for the most part; if you have multiple statics that use different gateways this may not work for you. In my case I called this address “DA-Web”. Make sure you enable it afterwards by hitting the green light!
  2. Configure the NAT Rules – On the left select “Network Security”, then choose the sub-item “NAT”. We do not want to touch anything under “Masquerading”, so let’s go ahead and select the “DNAT/SNAT” tab. In this section we need to create two rules, one for DNAT and one for SNAT. Keep in mind that “Full NAT” is available, but due to the way the traffic is initiated I don’t think we want to touch this at all.
    a. Create the DNAT Rule – Hit the “New NAT rule” button. Set “Position” to “Top”. Set “Traffic Source” and “Traffic Service” to “Any”. Set “Traffic Destination” to the additional address you created (keep in mind this has the same name as the main external address, only with the name of the connection inside it). Set “NAT mode” to “DNAT”. Finally, set “Destination” to the server you want this going to, or create a new definition for the server. Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    b. Create the SNAT Rule – Hit the “New NAT rule” button. Set “Position” to “Top”. “Traffic Source” should be set to the definition you created for the server you are doing this for. “Traffic Service” should be “Any”. “Traffic Destination” should be “Internet”. This is very important: if you use multiple subnets inside your network, we want SNAT performed ONLY when data gets shipped out to the Internet, and NOT when your internal boxes are accessing the server. Set “NAT mode” to “SNAT”. Finally, set “Source” to the additional IP you created (again this looks like your normal external IP, but hold the mouse over the definition when selecting it to make sure it’s the “additional” IP you created). Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    c. Create Packet Filter Rules – Now it’s time to open some ports so that your server can offer services to the Internet. This is fairly standard, so I’m sure you can do it on your own. In my example I created a few rules that allowed HTTP, DNS, and FTP from “Any” (using the service) to the destination “DA-Webserver”, to allow the traffic I needed.

This should be it; it should be working now. If you don’t want to create the packet filter rules and want ALL traffic allowed, you can simply skip step c above and, when creating the DNAT and SNAT rules, check the “Automatic packet filter rule” box on both rules. Keep in mind this will open your box up to the Internet!

If you find this useful, have any questions, or want to comment or tell me how to do it better, please leave me a comment!

Thanks!