Microsoft Exchange and Blackberry Server Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Massive SBS Server and Network Cleanup

Something I have been doing frequently for the last 18 months or so is cleanups of SBS 2003 servers and their associated networks. I have a number of clients in the IT Support industry who ask me to clean up their clients' servers. Two of them get a new client and the first thing they do is ask me to look at it and make recommendations.

In many cases it is minor cleanups or ensuring that everything is up to date. However, one that I have done just recently deserves a blog posting of its own.

Background

New client for one of my IT Support clients.
They said that their client didn't think that there had been much maintenance done by the previous support company and the AV had expired. They were also looking to use Windows Mobile devices but were having problems getting it to work.
It had already been agreed to deploy AVG, so I was asked to look at the site and report what was required.

Seven users, one server, low level of email use apparently. "Old school" was the phrase that was used to me when describing the company.

I was shocked, to say the least.

Server

SBS 2003 RTM.
Thankfully I was sitting down when I saw that. No service packs, no automatic updates nothing.
DHCP was being run by the router, not the server.
DNS wasn't configured correctly.
The AV had indeed expired - 18 months ago. It was Symantec as well.
POP3 connector for email collection
Most of the wizards hadn't been run correctly.
Various other bits of junk on the server
The backup wasn't configured correctly, therefore the Exchange transaction logs were building up. There were four years of transaction logs.

Clients

I was able to get on to one of the clients.
Windows XP SP1
Office 2003 RTM
Same expired Symantec AV.
Adobe Acrobat Reader 6 (remember that?).

It was like the site was stuck in 2004. The site was deployed and never touched afterwards.

Anyway, I like a challenge.
Did I mention that the site was 350 miles away, and I was working on it remotely?

The positives?
I tried.
8Mb ADSL getting 5Mb on the bandwidth tests, which was ok. Plus it had a static IP address. The server had lots of space on it, it was a good configuration, multiple arrays, 2GB of RAM. It was a Dell system and the original suppliers had obviously installed it fresh as it didn't have the Dell issue of a 12GB root partition. However the rest of the server hadn't been done correctly.

So what did I do?

To begin with, over the course of two nights in the week, I downloaded the updates I needed:

Windows 2003 SP2
Exchange 2003 SP2
Windows XP SP2 and SP3
SBS SP1
SharePoint Service Packs
WSUS 3.0 SP1
Office 2003 SP3
AVG Admin and the main Application
Adobe Acrobat 9.0

I asked my client to purchase an SSL certificate credit from https://DomainsForExchange.net/
I also asked for access to their domain name configuration, and web site.

Finally I asked that all the workstations be left on over the weekend and a tape left in the backup drive.

Before I started, I corrected the backup job.
This not only provided me with a backup of their data, it also flushed out almost 15GB of transaction logs, which made the server a little snappier. Once the job was finished, I ejected the tape as a precaution.

With a successful backup, I could then begin the real work.

I started off by flashing the router firmware to the latest version, then reviewing its configuration.
Then started on the server, downloading the latest BIOS and drivers.
Windows Service Pack was first, then the driver updates.
The rest of the service packs followed as required, concluding with the WSUS installation. I then set that to sync and started on the workstations.
Symantec AV was removed and the AVG installation was set up and configured, ready for installs on the clients.

I moved the data around on the server as per the best practices.
Using the SBS Best Practices tool, I cleaned up any issues that it flagged and reset the backup job to back up correctly.

Each workstation had the Symantec AV removed, the Adobe Acrobat removed and then was brought up to SP3. Rebooted as required.
Office 2003 service pack installed along with the new version of Acrobat Reader.
The workstations also got updated BIOS and drivers.

AVG was installed on the systems, updated and a full scan carried out.
They were very lucky. While a few things were found, they were not serious and

I set up the client with an OpenDNS account and changed the configuration of the server to use that. DHCP was removed from the router and moved to the server. However, before I did that I carried out an IP address scan and found a network printer. A nice HP LaserJet. Fortunately it was still on its default configuration, so I was able to connect to it and update its configuration and firmware. I then downloaded the latest drivers from HP, installed them on to the server and shared the printer from there. On each client the printer was changed from direct to the shared printer.

The SSL certificate was deployed with a real name following some DNS changes, and the relevant port (443) opened on the firewall. Yes, I know SBS can do that for me, but I needed to retain control.
I configured a split DNS system so that the external name on the SSL certificate also worked internally.

I also downloaded and installed PRTG Traffic Grapher and configured that on the server to look at the router. I created a mini admin web site on the server, with PRTG on a web page, along with the AVG status page and a web page to manage the IMF quarantine emails.

By this time WSUS had synchronised, so a few group policy changes had the clients talking to it. I ran a few scripts on the clients to get them to call in correctly, then left them to download their updates for a few hours.

Once the updates were in and installed, and the systems rebooted, I was close to finishing.
I secured the server for SMTP email and then changed the MX records to point to their static IP address.

Tested Exchange ActiveSync from outside, along with RPC over HTTPS, OWA and confirmed it was working.

Finally I set all systems to defrag.

There were also a lot of very small changes that I do on every site which are simply too numerous to list (plus I can't remember them all).
I was also available on Monday morning for any issues that came up - there were none.

Rough tests on start up times of the server and workstations showed that I halved the time they took to start up.

The job took most of a weekend and basically involved three or more years of maintenance being done on the network in that time. Once it was complete I dropped an email to my client with a list of what I had done (pretty much what I have written above), recommendations for future work and a bill for £2,000.

Probably the best bit was the feedback from the end users. It felt like they had a new network: everything worked, everything was faster, things were where they should be, etc. Overall everyone was very pleased.

Ultimately, they were lucky. As they had a router and their email traffic was so low, they didn't get hit by anything major that would have caused a problem. They were badly exposed though and if something had got in then it would have run amok.

The Sales Pitch

If you are in the UK and either a direct user of SBS or are supporting SBS Servers, then I can do something similar for you. Server cleanups start from £250 (+ VAT) depending on the work that is required. I will look at the server and tell you what is needed and quote on that basis. Additional bits (like SSL certificates, AV licenses etc) need to be purchased separately.

If you are a support company, then this type of work can give you a quick win and provide you with an immediate impact with the client. The simple change from POP3 connector delivery to SMTP delivery is normally enough, without the other background work.

In the vast majority of cases, this work can be carried out remotely, out of hours. It does not require a site visit; remote access is all that is needed (LogMeIn is my preferred method).

Similar work can be carried out on the full product over multiple servers.

However, here is the interesting bit… the financials.
The client for whom I did this job was prepared to buy additional hardware and software from their previous support company to resolve the problems - which the previous support company had caused by not doing the maintenance correctly. Someone suggested getting a second opinion, and that has saved them money. Their original outlay will now be fully utilised and they will see benefits. Since that work was carried out in mid September they have started to use Windows Mobile, and are now looking at laptop use. Productivity has increased - simply by investing some time in their existing infrastructure, rather than purchasing new and going through the headache of a migration. Despite everything I did for them, on Monday morning they were able to come in and start work immediately, with no significant impact on their business, other than the "wow" factor.

More on SSL Certificates with Exchange 2007

SSL certificates with Exchange 2007 continue to be a recurring question on forums, and recently some common points have kept coming up.
If you are looking for my guide on SSL certificate requests for Exchange 2007 then it is here: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

The Self Signed Certificate
As Exchange starts to mature, and installations have been in place for over 12 months, the question of renewing the self signed certificate comes up.
What these people do not seem to realise is that they shouldn't even be using the self signed certificate. It is designed for interim use only and should be replaced with a commercial SAN/UC certificate as soon as possible.

This is Microsoft's official stance on the use of the self signed certificate: http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx

One of the key lines is this:

"Important: The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync."

Therefore if you are using either of those features with a self-signed certificate you are actually in an unsupported environment.
The fact that getting the certificate to work for those two features can be tricky at the best of times makes it even more pointless to keep trying to use self-signed certificates.

The main argument for not using a commercial certificate is the cost and the perceived complexity of the certificate acquisition. When Exchange 2007 was first released the first UC/SAN certificates were expensive. However, with vendors releasing low cost certificates for US$60/year (http://DomainsForExchange.net/ for example) that has now changed.
As for the perception of complexity in the purchase, I outlined what is required in a previous blog posting: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

SAN/UC Certificates and Outlook Anywhere

The other thing that appears to be catching people out is when using Outlook Anywhere (aka RPC over HTTPS) with SAN/UC certificates.
When you set up Outlook Anywhere in the client, if you choose to enable the "mutual authentication" option then you cannot use one of the alternative names on the certificate - you must use the primary common name. For most people this shouldn't be a problem, particularly if you follow the recommendation to put the most commonly used name (the URL used for OWA) in as the common name and the other URLs (autodiscover, the server's FQDN and real name) as additional names.
However, if you have used SAN/UC certificates to support multiple domains on the same server, then it could cause you a problem.
The answer of course is to disable that option. Outlook Anywhere will continue to work correctly without that option enabled, although users may get authentication prompts. The most likely scenario where you would disable that option is when hosting, so the clients are likely to be off your domain anyway.

SAN/UC Certificates and POP3/SMTP/TLS

Similar to the issue above, to ensure maximum compatibility, the primary name on your certificate should also match your MX record. Therefore what I am recommending is that the same name is used for OWA, Outlook Anywhere and the MX records - usually mail.example.net

Certificate Prompts where the Certificate is Issued to Another Domain Entirely

Another issue I have seen a few reports of is Outlook 2007 generating a certificate prompt where, when you look at the certificate, it is issued to someone else entirely.
The cause of this is a combination of a missing DNS record and a wildcard on your DNS.
If you have not configured a split DNS system on your public domain for internal use, then Outlook 2007 will attempt to connect to autodiscover.example.com as part of its startup process. If you have a wildcard DNS entry on your public DNS (so *.example.com resolves) which resolves to your public web server, AND you do not have autodiscover.example.com defined, then you may get the prompt if your public web server hosts an SSL-protected site, because Outlook is presented with that site's certificate.

Always define autodiscover.example.com and preferably set up a split DNS system so that you can point autodiscover.example.com to your Exchange server. http://www.amset.info/netadmin/split-dns.asp
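To check for the mismatch described above from outside, here is an added Python diagnostic (not from the original post or from Exchange): it lists the names a certificate actually covers (CN plus SANs), tests whether they cover the autodiscover host, and can fetch the live certificate so you see what Outlook sees. The embedded certificate and the hosting-company names in it are constructed for the example.

```python
import socket
import ssl

# Constructed example (hypothetical names): the dict ssl getpeercert() returns
# for a certificate issued to an unrelated hosting site, which is what a
# wildcard DNS record hands to a missing autodiscover.example.com record.
WEB_SERVER_CERT = {
    "subject": ((("commonName", "www.hosting-company.example"),),),
    "subjectAltName": (("DNS", "www.hosting-company.example"),
                       ("DNS", "hosting-company.example")),
}

def names_on_cert(cert):
    """Every DNS name the certificate covers: the CN plus the SAN entries."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return list(dict.fromkeys(names))   # de-duplicate, keep order

def name_matches(cert_name, host):
    """Exact match, or a wildcard that covers one leading label only."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        return (host.endswith(cert_name[1:])
                and host.count(".") == cert_name.count("."))
    return False

def host_matches(cert, host):
    return any(name_matches(n, host) for n in names_on_cert(cert))

def fetch_peer_cert(host, port=443, timeout=5):
    """Certificate the server presents for host:port; hostname checking is off
    so a mismatched certificate is returned, chain validation stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def diagnose(host, cert):
    """'ok' if the certificate covers host, else the names it does cover."""
    if host_matches(cert, host):
        return "ok"
    return "mismatch: certificate is for " + ", ".join(names_on_cert(cert))
```

Run `diagnose(h, fetch_peer_cert(h))` with `h = "autodiscover.yourdomain"` from outside your network; a self-signed certificate on the far end fails chain validation, which is itself the answer.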

Certificates when Using Unified Messaging

You can also run in to problems when you are using Unified Messaging. I have blogged on that subject before: http://blog.sembee.co.uk/archive/2008/06/02/79.aspx

Experts Exchange - Free Access

If you have used Google to look for IT solutions you will have been unable to avoid Experts Exchange. However, many IT professionals avoid their answers because they mistakenly believe that they need to pay for access.

As a previous user of Experts Exchange, including expert of the year for three years in a row, I never paid them a penny, even before I started clocking up the large number of points.

However, Experts Exchange do not help themselves or their reputation in the IT community by hiding the free signup page away. I know this has been raised with the management team of EE in the past, but they seem to ignore it.
If you follow the public sign up links you will not see the free link - all they push you to are the paid options. Even the free trial requires a credit card to sign up.

In some ways you can understand why: EE is a business and they want the subscriptions which pay for the servers, developers etc.

So how do you get free access?

At the time of writing if you choose "Think you're an expert" in the lower right corner, you can then choose another link to get to the free signup - which requires a username and email address.

However to make things easier here is the link to the free sign up page:
http://semb.ee

Sign up, save the password and then you don't have to worry about it again.

If you want the advert free site (I had actually forgotten what it looked like with the ads) then you need to get 10,000 points. That is five 500-point questions (EE has a point multiplier which means a question which costs 500 points earns 2000 for the expert who answers it), and then you need 3000 a month to maintain the premium access.

There is an awful lot of information on the site; I contributed in excess of 10,000 answers personally. It would be a shame not to get access to them just because of the way that Experts Exchange decides to sell itself, when there is a free option available.