“Fix My Network” wizard.

The wizard is designed to detect known problems on your network, and then give you the option to fix them or not. There are roughly 70-80 different checks and fixes that it does. Some important things to note:

1. The fixes may have dependencies. For example, if the wizard detects that the DHCP services are stopped, it will report that, but won’t be able to check the configuration inside the DHCP service, because it’s stopped. So, it’s important to run this wizard a few times, until you’re happy with the issues it’s finding/not finding.
2. If you replace your router on your network, or change your router IP address, you should consider running the Connect to the Internet Wizard first.
3. The wizard is designed to bring the network back to a “known good” working state. So any custom configuration will be un-done.

Now that you know how to use the wizard, what exactly are the things we keep an eye on? Well, to know exactly, you will have had to work on the wizard, but here is the high level.

1. Network Cards
   1. Disabled Network Cards
   2. Additional Network Cards
   3. Duplicate IP, Missing IP, Extra IP addresses
   4. Incorrect DNS, Gateway and subnet settings
   5. NIC unplugged from the network
2. DHCP Configuration
   1. DHCP Enabled and running
   2. DHCP scope settings
   3. DHCP IPv4 and IPv6 settings
3. Local DNS Configuration
   1. Missing Zones
   2. Invalid Names and domains
   3. Missing records
   4. Reverse Zones invalid or missing
4. Internet DNS (if with a domain name partner)
   1. Missing Records
   2. Missing or incorrect credentials
   3. Domain configured and in good standing with provider
   4. Dynamic DNS client is configured correctly (if running)
5. SSL Certificate Configuration
   1. Invalid Root and Leaf Certificates
   2. Invalid Certificate installation package
   3. Certificate installed on IIS
   4. Self-Issued certificates expiring or invalid
   5. Certificate authority is installed and running
   6. Trusted Certificate installed and valid
6. Router Configuration
   1. Gateway can be reached
   2. Internet can be reached
   3. UPnP (if available) port mappings
7. VPN (if enabled)
   1. Firewall configuration
   2. RRAS service enabled and running
   3. VPN default Policy is in place
8. E-Mail Configuration
   1. SMTP connectors configured correctly
9. IIS Configuration
   1. IIS is enabled and running
   2. Host headers are configured correctly

If you uncheck the IPv6 protocol from your network interface card on your Windows SBS 2008 server you may see the following issues after a reboot:

• Microsoft Exchange services fail to start
• Server hangs at “Applying Computer Settings…” (can eventually logon after 30 – 60 minutes)
• Network icons show as offline
• Some or all of the following events

Application Log Events

Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error

Description:
Process MAD.EXE (PID=2088). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

———————-

Source: MSExchange ADAccess
Event ID: 2601
Task Category: General
Level: Warning

Description:
Process MSEXCHANGEADTOPOLOGY (PID=952). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=DC1301662F547445B9C490A52961F8FC,CN=Microsoft Exchange,CN=Services,CN=Configuration,…> – Error code=80040a01.

The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

———————-

Source: MSExchange ADAccess
Event ID: 2102
Task Category: Topology
Level: Error

Description:
Process MAD.EXE (PID=2088). All Domain Controller Servers in use are not responding: SBS.sbs2008.local

———————-

Source: MSExchange ADAccess
Event ID: 2105
Task Category: Topology
Level: Warning

Description:
Process MAD.EXE (PID=2088). Exchange Active Directory Provider failed to obtain DNS records for domain sbs2008.local. DNS Priority and Weight for the Domain Controllers in this domain will be set to the default values 0 (priority) and 100 (weight).

———————-

Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error

Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=952). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

———————-
Source: MSExchangeFBPublish
Event ID: 8197
Task Category: General
Level: Error

Description:
Error initializing session for virtual machine SBS. The error number is 0x80040a01. Make sure Microsoft Exchange Store is running. Also, make sure that there is a valid public folder database on the Exchange server.

———————-

Source: MSExchangeTransportLogSearch
Event ID: 7005
Task Category: General
Level: Error

Description:
Microsoft Exchange couldn’t read the configuration from the Active Directory directory service because of error: Failed to load config due to exception: Microsoft.Exchange.Data.Directory.NoSuitableServerFoundException: The Exchange Topology service on server localhost did not return a suitable domain controller.

System Log Events

Source: Service Control Manager
Event ID: 7044
Task Category: None
Level: Warning

Description:
The following service is taking more than 16 minutes to start and may have stopped responding: Microsoft Exchange System Attendant

———————-

Source: Service Control Manager
Event ID: 7022
Task Category: None
Level: Error

Description:
The Microsoft Exchange Transport service hung on starting.

———————-

Source: Service Control Manager
Event ID: 7024
Task Category: None
Level: Error

Description:
The Microsoft Exchange Information Store service terminated with service-specific error 0 (0×0).

Resolution

To resolve this issue all you have to do is re-check IPv6 in the properties of you NIC and reboot.

NOTE: IPv4 must also be enabled.

Properly Disabling IPv6

SBS 2008 is designed to fully support IPv6 and has IPv6 enabled by default. Most users should never need to disable IPv6, however if you must disable IPv6 here is how to disable it properly:

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/)

1. Uncheck Internet Protocol Version 6 (TCP/IPv6) on your Network Card.
2. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
3. Double-click DisabledComponents to modify the DisabledComponents entry.
   Note If the DisabledComponentsentry is unavailable, you must create it. To do this, follow these steps:
   1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
   2. Type DisabledComponents, and then press ENTER.
   3. Double-click DisabledComponents.
4. Enter “ffffffff” (eight f’s), and then click OK:

   

5. Reboot the SBS 2008 server.

RRAS (VPN) Note: If you plan to enable VPN on your SBS 2008 server, you MUST also Export and then Delete the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6

If you do not delete this key you will get an 20103 Event when trying to start RRAS with IPv6 disabled. You must reboot after removing this key.

Error Installing Exchange 2007 SP3 on SBS 2008

Mark Berry July 14, 2010

Today I wanted to install Exchange Service Pack 3 on my SBS 2008 box. MSKB 982423 says the only thing to worry about is Forefront, which I’m not using. I ran setup.exe as an Administrator. The Readiness checks passed fine. However within a few seconds of starting the upgrade, I got this error:

Unable to remove product with code 6574fdc2-40fc-405a-9554-22d1ce15686b. Error opening installation log file. Verify that the specified log file location exists and that you can write to it. Error code is 1622.

The only option was to click Finish and start looking for answers.

Exchange Is Down, Can’t Re-Run Setup

At this point, the service pack setup has stopped and disabled all Exchange services, so your Exchange server is offline. If you re-run setup, the Readiness checks fail with a message that the metabase cannot be accessed. The linked advice is to uninstall and re-install Internet Information Services. (Yeah, right.) So yes, the web server is also offline.

Through some trial and error, and with the help of this Technet article, I found that all I needed to do was re-enable and start these two IIS services:

World Wide Web Publishing Service
IIS Admin Service

With that, when I re-ran the SP3 setup, the Readiness checks passed—and I was back to the upgrade failure:

Manually Uninstall Microsoft Full Text Indexing Engine for Exchange

A little digging in C:\ExchangeSetupLogs\ExchangeSetup.log and I saw that this error occurred when working on MSFTE.MSI. That corresponds to some Internet research that identifies the component as the Microsoft Full Text Indexing Engine for Exchange. I boldly followed the advice in this thread to manually uninstall that component:

MsiExec.exe /X {6574fdc2-40fc-405a-9554-22d1ce15686b}

Then I re-started the two IIS services and re-ran the Exchange SP3 installation.

Worked This Time

This time, the Preparing Setup step finished quickly. I got a bit nervous when the Remove Exchange Files step seemed stuck, but it finally finished after 21 minutes. The entire process took just under 37 minutes. No reboot was requested, and Exchange and the web server are back online.

Google “{6574fdc2-40fc-405a-9554-22d1ce15686b}” and you’ll see that people have been getting this error since Exchange 2007 SP1. If I can uninstall the product from the command line, why can’t the service pack setup uninstall it?

MORE INFORMATION

If Microsoft Forefront Security for Exchange Server is installed on the computer, you must first disable the Forefront Client Security (FCS) scan engine. To do this, follow these steps:

1. Stop the following services:
   • FSCController
   • Microsoft Exchange Information Store
   • Microsoft Exchange Transport
2. Open an elevated command prompt.

   To open an elevated command prompt, click Start

   

   , type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator.

   

   If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.

3. Change the current directory to the following directory:
   C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server
4. At the command prompt, type the following command, and then press ENTER:
   fscutility /disable

   After you run this command, you receive the following message:

   Removing dependencies…
   dependency on FSCController removed from Microsoft Information Store
   dependency on FSEIMC removed from Microsoft Exchange Transport Service
   Microsoft Exchange Transport Service Agent registration removed

   Status: Microsoft Forefront Server Security NOT Integrated.

After the Forefront Client Security (FCS) scan engine is disabled, you should be able to install the service pack.

After the service pack setup is complete, you must enable Forefront Client Security (FCS) scan engine if you disabled it. To do this, follow these steps:

1. Stop the following services:
   • Microsoft Exchange Information Store
   • Microsoft Exchange Transport
2. Open an elevated command prompt.

   To open an elevated command prompt, click Start

   

   , type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator.

   

   If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.

3. Change the current directory to the following directory:
   C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server
4. At the command prompt, type the following command, and then press ENTER:
   fscutility /enable
5. Restart the following services:
   • Microsoft Exchange Information Store
   • Microsoft Exchange Transport

Known issues that may occur after you install Exchange Server 2007 SP3

After you install Exchange Server 2007 SP3, you may be unable to access the following Web sites:

• https://sites/owa
• https://sites/remote

Note This issue occurs only if the Internet Address Management wizard has not already been run on the computer.

To resolve this issue, edit the bindings for the SBS Web Applicationssite to select the correct certificate. To do this, follow these steps:

1. Open Internet Information Services (IIS) Manager.
2. Expand server_name.

   Note The server_name placeholder represents the name of the server.

3. Expand Web Sites.
4. Right-click SBS Web Applications, and then click Edit Bindings.
5. Click HTTPs port 443, and then click Edit.
6. Under SSL certificate, select the Sites certificate.

CAUSE

RESOLUTION

Known issues that may occur after you manually install Exchange Server 2007 SP2

Exchange Server 2007 does not work

To resolve this issue, restart the computer or start the following services manually:

• Microsoft Exchange Information Store
• Microsoft Exchange Transport

The default Web site or the Small Business Server Web Applications site is stopped and cannot be restarted

To resolve this issue, remove the Secure Sockets Layer (SSL) settings from the default Web site. To do this, follow these steps:

1. Open Internet Information Services (IIS) Manager.
2. Expand the server.
3. Expand Sites.
4. Click Default Web Site, and then click SSL settings.
5. Click to clear the Require SSL check box, and then click Apply.
6. Right-click Default Web Site, and then click Edit Bindings.
7. Select HTTPs port 443, and then click Remove.
8. Right-click SBS Web Applications, click Manage Web Site, and then click Start.

You may be unable to browse https://sites/owa or https://sites/remote

To resolve this issue, edit the bindings for the SBS Web Applications site to select the correct certificate. This issue will occur only if the Internet Address Management Wizard has not been run. To do this, follow these steps:

1. Open Internet Information Services (IIS) Manager.
2. Expand the server.
3. Expand Sites.
4. Right-click the SBS Web Applications Web site, and then click Edit Bindings.
5. Select HTTPs port 443, and then click Edit.
6. Under SSL certificate, select the certificate that is named “Sites.”

You may be unable to browse https://remote.contoso.com/owa or https://remote.contoso.com/remote

Note In this example, remote.contoso.com is the external domain name of your site. This issue may occur only if a third-party trusted certificate is installed on the server.

To resolve this issue, run the Fix My Network Wizard to add the trusted certificate back to the SBS Web Application site.

You may be unable to use Remote Web Workplace or the Terminal Services Gateway service to connect to the server or client desktops

To resolve this issue, install the certificate on the terminal server gateway. To do this, follow these steps:

1. Open Terminal Services Gateway Manager.
2. Open the properties of the server.
3. Click the SSL Certificates tab.
4. Click Browse Certificates, and then select the appropriate certificate.

Small Business Server 2008 (SBS 2008) requires a number of ports open on your firewall to allow inbound traffic from the Internet in to your network. SBS 2008 needs a lower number of ports open than SBS 2003 did. You will only need to open the ports below to enable all SBS 2008 functionality if you are using all facilities. If you do not need a specific function open then there is no need to allow that port to be open inbound to the server.

Port 25 This is required for inbound mail using the SMTP protocol – this will be needed on MOST SBS 2008 servers. If you are using an external third party mail filtering service such as Trend Micro Internet Messaging Security then you will want to restrict this port to be open ONLY to their servers. Closing this port to all traffic will prevent ANY inbound mail to your SBS 2008 server.

Port 80 This port is used to redirect requests to the Remote Web Workplace for http://remote.mycompany.com through to the secured site on port 443. You do not need to have this port open for SBS 2008 to work, but if you close it then you must get your users to use https://remote.mycompany.com/remote to get to their Remote Web Workplace. Closing this port will result in errors when users try to access Remote Web Workplace via http://remote.mycompany.com/remote

Port 443 This is the secured sockets layer (SSL) access to the Remote Web Workplace. All traffic over this port is encrypted for security. This port needs to be open in order for Remote Web Workplace to work. Closing this port will result in the Remote Web Workplace not being accessible outside of the office from the Internet.

Port 987 This is another secured sockets layer (SSL) port that is used to allow access to the Companyweb from the Internet. It uses the same digital certificate as that on port 443. Closing this port will result in the Companyweb not being accessible outside of the office from the Internet.

Port 1723 This port is used for the PPTP VPN in SBS 2008. It only needs to be enabled if you have already configured the SBS 2008 server to be used as a VPN server. You can do this via the SBS 2008 console on the Network Tab using the Enable VPN wizard. Closing this port will result in the VPN not being accessible from the Internet.

SBS 2008 does NOT require the following ports to be opened BY DEFAULT.

Port 21 This port is used for FTP access from the Internet to the SBS 2008 server. The SBS 2008 server is NOT configured as an FTP server by default. It is NOT recommended that you configure your SBS 2008 server as an FTP server as by default any password used to access it will go over the Internet in clear or plain text. This means that someone else can easily read your password and potentially compromise your network security.

Port 3389 This port is used for DIRECT access to the SBS 2008 servers console via the RDP protocol of the Remote Desktop Connection software. Allowing this port to be open to the Internet WILL increase the potential of your server being compromised via a password brute force attack. If you MUST have this port open to the Internet, it is recommended that you implement a two factor authentication solution called AuthAnvil from Scorpion Software

The Remote Web Workplace connect to computer feature in SBS 2008 by default doesn’t allow for local drive redirection. When you attempt to connect to the server or a client machine you will get the following popup showing what local resources will be available. The remote desktop connection only exposes clipboard and printer redirection by default.

In order to get local drives to be available as an option, we have to use the following steps to modify a file on the Small Business Server.

1. Make a backup copy of the following file:
   C:\program files\windows small business server\bin\webapp\remote\tsweb.aspx
2. Right click on notepad and choose run as Administrator.
3. Select File > Open and browse to the following file:
   C:\program files\windows small business server\bin\webapp\remote\tsweb.aspx
4. Search for this line:
   MsRdpClient.AdvancedSettings2.RedirectDrives = FALSE
5. Change the line to:
   MsRdpClient.AdvancedSettings2.RedirectDrives = TRUE

   The file should look like the following:
   

6. Save the file and exit notepad
7. Log back into the remote web workplace.

Now when you use the connect to client desktop or connect to server feature you will see the following dialog allowing for local drives to be redirected.

Note: If the tsweb.aspx file is ever updated in a future hotfix or service pack, your custom changes may be lost and if so you will need to manually redo them.

Time synchronization is an important aspect for all computers on the network. By default, the clients computers get their time from a Domain Controller and the Domain Controller gets his time from the domain’s PDC Operation Master. Therefore the PDC must synchronize his time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don’t forget to open the default UDP 123 port (in- and outbound) on your firewall.

1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
2. Log in to your PDC Server and open the command prompt.
3. Stop the W32Time service: C:\>net stop w32time
4. Configure the external time sources, type: C:\> w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org”
5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
6. Start the w32time service: C:\>net start w32time
7. The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
8. Check the Event Viewer for any errors.

On Windows Server 2003 or Windows 2000 domain controllers the Active Directory can be backed up while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.

After repairing or installing FAX on SBS 2008
When we try to add Fax account Under Tools in Windows Fax and Scan
Click on connect to Modem
we get the error

Cause

The error message is misleading
Even though the user maybe a member of the SBS Fax Administrators group.
This due to User Account Control 

Resolution / workaround

Launch the Windows Fax and Scan as the administrator
we are able to complete the configuration (i.e. Run as Administrator)