Archive for 'Windows sbs 2008'

Configure Exchange to only accept mail from the hosted anti-spam service: Under Server Configuration, select Hub Transport, move to the Receive Connectors tab. Double click on Windows SBS Internet Receive YourServerName. Move to the Network tab. In the receive mail from servers with these IP addresses, add the IP address ranges of the hosted anti-spam solution servers.

Configure Smarthost for Outbound Filtering by hosted anti-spam: Under Organization Configuration, select Hub Transport, move to the Send Connectors tab. Double click the connector and move to the Network tab. Select the Route mail through the following smarthosts and enter the friendly name of the service. ex: outbound.exchangedefender.com

Disable Exchange Anti-Spam: Launch the Exchange Management Console. Expand Organization Configuration. Choose Hub Transport. Move to the Anti-Spam tab. Highlight each item except recipient filtering and choose Disable. Recipient filtering is left enabled to prevent reverse NDR attacks.

FTP is an older protocol that has been replaced by better methods of hosting files. FTP is also insecure: your username and password are sent in clear text, which poses a major security risk. Instead of FTP, please consider using a secure SharePoint site, a secured website, or Secure FTP to host and share files. However, if you have no choice but to use FTP and need to isolate users, continue reading.

IIS 6.0 introduced a feature that lets companies hosting an FTP site on their server isolate users so that they are “locked” into their home directory and cannot browse the root of the FTP server. There are two ways to accomplish user isolation: one is to create a folder structure named after each username, and the other is to use Active Directory attributes to isolate the user(s). Here are the steps for configuring AD isolation mode.

1. Install the FTP Service from add/remove windows components.

2. Open IIS Manager

3. Delete the Default FTP Site as it does not get created in isolation mode by default

4. Create a New FTP Site by right clicking FTP Sites and going to new FTP Site

5. This will launch the FTP Site Creation Wizard, Click Next

6. Enter a Description for Your FTP Site

7. Set the IP address and Port to use for your FTP Site

*Note: if you have ISA 2000/2004 installed on this server, do not select All Unassigned; select the internal IP address only.

8. Next screen will be the FTP User Isolation options, Select Isolate users using Active Directory

9. Next you will need to select a User that has Access to Active Directory, any domain admin account will suffice. Click Next and re-enter password to Confirm

10. Select the required Permissions and click Next and then Click Finish

11. The IIS portion is now finished and now on to AD.

12. There are two schema attributes in AD, residing in the User class, that define the user's home directory for FTP: msIIS-FTPRoot, which defines the root of the FTP server, and msIIS-FTPDir, which defines the user's home directory. There is no GUI for defining these attributes, so for this demonstration I will use ADSIEDIT from the Support Tools to modify them; you can also run the script below to do the same.

Iisftp.vbs /SetADProp UserName FTPRoot Server\Share

Iisftp.vbs /SetADProp UserName FTPDir Directory

13. Load Up Adsiedit and drill down to the user account you want to isolate and go to the properties of that account and modify the 2 attributes mentioned above

14. Now whenever that user connects to your FTP server the user will be isolated to the Home Directory that was defined in Active Directory.
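
To verify the result of steps 12 and 13 without opening each account in ADSIEDIT, the two attributes can be read back from the directory. This is an added example, not part of the original post; it assumes a domain-joined machine with PowerShell 2.0 or later and read access to AD, and the function name Get-FtpIsolationSetting is hypothetical.

```powershell
# Added example: report every user that carries msIIS-FTPRoot and/or msIIS-FTPDir,
# the home path the two values combine to, and whether one of them is missing.
function Get-FtpIsolationSetting {
    # With no SearchRoot set, the searcher queries the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(|(msIIS-FTPRoot=*)(msIIS-FTPDir=*)))'
    $searcher.PageSize = 500
    foreach ($name in 'sAMAccountName', 'msIIS-FTPRoot', 'msIIS-FTPDir') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($entry in $results) {
            # Property names in search results are lower case; a missing
            # attribute comes back as $null and is converted to ''.
            $user = [string]($entry.Properties['samaccountname'] | Select-Object -First 1)
            $root = [string]($entry.Properties['msiis-ftproot']  | Select-Object -First 1)
            $dir  = [string]($entry.Properties['msiis-ftpdir']   | Select-Object -First 1)

            if ($root -and $dir) {
                $homePath = '{0}\{1}' -f $root.TrimEnd('\'), $dir.TrimStart('\')
                $status   = 'Configured'
            } else {
                # Only one of the two attributes is set: review this account.
                $homePath = ''
                $status   = 'Incomplete'
            }

            New-Object PSObject -Property @{
                User     = $user
                FTPRoot  = $root
                FTPDir   = $dir
                HomePath = $homePath
                Status   = $status
            } | Select-Object User, FTPRoot, FTPDir, HomePath, Status
        }
    }
    finally {
        $results.Dispose()
    }
}

Get-FtpIsolationSetting | Format-Table -AutoSize
```

Accounts reported as Incomplete, or whose HomePath points outside the share you intended, are the ones to correct before opening the site to users.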

The connect to a computer feature in SBS 2008 is one of the most popular features of RWW. The connect to a computer feature in SBS 2008 utilizes TS-Gateway behind the scenes, however, when there is a misconfiguration or a problem, RWW may only provide partial information to help isolate the root issue. This post will discuss most of the known issues, how to identify them and steps to resolve them.

What we will cover:

  1. Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
  2. VBScript Error: 50331676
  3. Connection Authorization Policies and Resource Authorization Policies.
  4. Authentication Failures
  5. Client Machine Requirements
  6. Internal DNS Considerations
  7. External DNS Considerations
  8. TS Gateway Service Known Issues

1.  Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

For certificate related errors, please review the issues discussed in this article: http://blogs.technet.com/sbs/archive/2008/10/03/receiving-certificate-errors-when-connecting-to-clients-servers-with-ts-gateway-or-remote-web-workplace-on-sbs-2008.aspx

2.  VBScript Error: 50331676

When you try to connect to a server or machine you get the following error:

You must have a certificate installed in TS Gateway Manager. This is handled by the “Set up your Internet Address Wizard” or the “Add a Trusted Certificate Wizard” in the SBS 2008 Console. To verify you have a certificate installed for TS Gateway do the following:

  1. Open TS Gateway Manager from Administrative Tools — Terminal Services
  2. Select Properties on the Server Object, and choose the SSL Certificate tab from within properties. You should see a screen similar to the one below stating which certificate TS Gateway is using.

As stated before, you should not see this problem if you have completed the Internet Address Management Wizard. If for any reason no certificate is selected, click Browse Certificates and select the proper certificate, for example “remote.contoso.com”.

3.  Connection Authorization Policies and Resource Authorization Policies.

You must pass the connection authorization policy to make a connection, and the resource authorization policy for the machine you are trying to connect to. This error may also display the VBSCRIPT error 50331676.

We have seen a few cases where the connection authorization policy was modified manually to only allow domain computers to make connections. This means that any machine outside the domain (e.g. their home machine) would not be able to connect. This is shown below. To access this policy:

  1. Open TS Gateway Manager from Administrative Tools – Terminal Services
  2. Expand your computer object
  3. Expand Policies
  4. Select Connection Authorization Policies
  5. Right-Click on the General Connection Authorization policy on the right hand side and choose properties
  6. Make sure the Client computer group membership is blank if you want non-domain joined machines to be able to use the RWW Connect To Computer feature.

4.  Authentication Failures

You must have Windows Authentication enabled on the IIS /RPC virtual directory under the SBS Web Applications web site. If it is missing, you will see a looping prompt for authentication when you try to connect.

Because both Outlook Anywhere and TS Gateway share this virtual directory, modifying the Outlook Anywhere authentication settings in the Exchange Management Console can disable Windows Authentication. To check whether Windows Authentication is enabled, run the following command in the Exchange Management Shell (run as admin):

Get-OutlookAnywhere

(Ignore the warning)

Check the value for the IISAuthenticationMethods Parameter.

You can also check in IIS Manager under the RPC virtual directory, authentication.

Changing the authentication here may only help for a few minutes as Exchange will reset the settings again. You need to complete the proper Exchange configuration steps to resolve this.

If the output of the Exchange Management Shell shows that NTLM is missing, reset the Exchange setting for Outlook Anywhere by running the following command in the Exchange Management Shell (run as admin; ignore the warning):

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm

After you make this change, the settings in IIS will not change immediately; it might take up to 15 minutes. You can safely make the change in IIS, under the authentication settings for RPC, to enable Windows Authentication and Basic Authentication, and they should remain set as expected.

If you still cannot authenticate to the TS gateway prompt, the following resources discuss some known issues:

5.  Client Machine Requirements

The client machine you are trying to connect to must have RDP enabled and listening on the default port of 3389. You must also verify that any firewalls present on the workstation are allowing the traffic inbound on TCP/3389.  Additionally, the client machine you are making the connection from must allow the ActiveX Control to run.  The easiest way to ensure that ActiveX will be enabled is by adding your remote web workplace site to your list of trusted sites in Internet Explorer.

6.  Internal DNS Considerations

You might connect to an unexpected machine when trying to connect to the remote machine.  If this happens you should verify that the DNS records for the clients on the SBS 2008 server hosting RWW are correct.  To do this open the DNS Management console from Start, Administrative Tools, DNS.  Expand the forward lookup zones, and your local active directory zone.  Verify that the host (A) records for the clients are correct.

7.  External DNS Considerations

The hostname section of the PTR record for the remote client machine’s public IP address cannot match the NetBIOS hostname of the SBS 2008 server. If these names match, RWW will not use the TS proxy and the connection will fail or connect to an unexpected target.

The only fix is to change the PTR record for the client PC’s external IP address.

Example: Suppose you are using a Windows Vista machine on the Internet. The public IP for this client is 65.53.x.x. The PTR record for this IP is server01.contoso.com. If the SBS 2008 server this machine is trying to connect to has a NetBIOS hostname of Server01, the connection will fail. Ideally your PTR record should match your MX record and your MX record should not be the NetBIOS hostname of your server.

Note: This is a very RARE issue.

8.  TS Gateway Service known issues

TS Gateway Service Not Started After Restart in IIS Manager.

This issue is discussed on this post: http://blogs.technet.com/sbs/archive/2009/04/20/ts-gateway-service-not-started-after-restart-in-iis-manager.aspx

The Terminal Services Gateway service is not running, Contact your network administrator to resolve this issue.

This error can happen due to a number of different issues other than the TS Gateway service not running or the role service not being installed.

  • If IPv6 has been improperly unbound from the network interface, you might get an error that states that the TS Gateway service is not installed.  Check the following link for issues related to improperly disabling IPv6: http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx
  • If Client certificates has been set to Accept or Require under the SSL settings on the Rpc virtual directory. This must be set to Ignore.
  • In general, this error will happen when we cannot properly access the /RPC virtual directory or its settings have been changed from default.

Remote Desktop Disconnected

You may receive the following errors when attempting to access a client machine through the Remote Web Workplace (RWW) or the TS Gateway:

[To connect to Remote Web Workplace, you must install the proper certificate. Contact the person who provides technical support for your network.]

Likewise, connections to TS Gateway will fail as well. You will receive the following error:

[This computer can't connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server's certificate is not valid.  Contact your network administrator for assistance.]

To determine whether you trust the certificate or not, browse to RWW from Internet Explorer. If it’s not trusted, you will receive the following error in IE:

Also, check for the certificate status to the right of the URL field:

Certificate Creation

When you complete the Internet Address Management Wizard for the first time, a certificate installation package is created for distribution to non domain-joined client machines and mobile devices. Details regarding this package can be found here:

http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

NOTE: This package is not for installation on the SBS 2008 server

Connections to TS Gateway or Terminal Services through RWW will fail if either the certificate is not trusted, or the name on the certificate does not match the name of the server that you are connecting to.

Certificate Not Trusted

If you are receiving these errors, you need to install the root CA certificate from the SBS server by using the certificate installation package as described in:

http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Once the certificate is installed, you can view it in IE by going to Tools > Internet Options > Content > Certificates. You will also stop receiving certificate errors when you connect to RWW.

Certificate Name Does Not Match

Connections will also fail if you connect to TS Gateway or RWW using a different address than that on the certificate. In this case, you will receive the following error when you connect.

For RWW, you will receive these errors in IE:

If you check the certificate status to the right of the URL field, you’ll see this:

For TS Gateway, you will receive the following:

In either case, click on View certificates to show the Issued to name on the certificate. This is the name that you need to put into IE or the RDP client:

In the case of the above certificate, I would type https://remote.contoso.com/remote to connect to RWW. For TS Gateway, I would connect in the following manner:

Certificate Has Expired

This issue can also occur if the SSL certificate has expired.  SBS 2008 self-signed leaf certificates are valid for 2 years and the root cert is valid for 5.  If your self-signed certificate has expired run the “Fix My Network” wizard from the Connectivity tab.  This wizard will automatically issue a new matching cert.  If you are using a trusted (purchased) certificate you will need to contact the cert issuer for a new cert and import it using the “Add a trusted certificate” wizard.

Wrong Version of Remote Desktop Connection

RWW and TS Gateway require that the connecting client have Remote Desktop Connection 6.1 or greater installed.   RDP 6.1 is included with XP SP 3, Windows 2008, and Vista SP 1. RDP 6.1 is available as a separate download for XP SP 2 (requires a reboot).

You can tell the version of the RDP client by looking at the version of C:\windows\system32\mstsc.exe

  • 6.0.6001.18000 is RDP 6.1
  • 6.0.6000.16386 is RDP 6.0

NOTE: After installing SP3 for XP you may see the following error “Remote Desktop Web Connection ActiveX control is not installed. A connection cannot be made without a working installed version of the control.”  If you receive this error please review KB951607 for information on enabling the IE-add on to support RWW.

In Summary:

  1. For TS Gateway or RWW to function properly, you cannot receive any certificate errors when you connect.
  2. Your client machine must trust the Root CA certificate.  Install the certificate installation package on the client to accomplish this. (This package is created by running the Internet Address Management Wizard.)
  3. You must connect to TS Gateway or RWW using the address listed on the Issued to field on the certificate.
  4. The certificate must NOT be expired.
  5. You must be running Remote Desktop Connection 6.1 on the client making the connection.  (http://support.microsoft.com/kb/951616)
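
The summary checks can be run from the remote client in one pass. This is an added example, not part of the original post: Test-RwwClientReadiness is a hypothetical name, remote.contoso.com is the sample address used above, and PowerShell 2.0 or later on the client is assumed.

```powershell
# Added example. Returns one line per problem found; no output means the
# client passes the checks from the summary list.
function Test-RwwClientReadiness {
    param(
        [string]$HostName = 'remote.contoso.com',   # sample name from this page
        [int]$Port = 443
    )
    $findings = @()

    # Item 5: mstsc.exe 6.0.6001.18000 is RDP 6.1.
    $mstscPath = Join-Path $env:windir 'system32\mstsc.exe'
    if (Test-Path $mstscPath) {
        $fv = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($mstscPath)
        $installed = [version]('{0}.{1}.{2}.{3}' -f $fv.FileMajorPart, $fv.FileMinorPart,
                                                    $fv.FileBuildPart, $fv.FilePrivatePart)
        if ($installed -lt [version]'6.0.6001.18000') {
            $findings += "Remote Desktop Connection $installed is older than RDP 6.1."
        }
    } else {
        $findings += "mstsc.exe not found at $mstscPath."
    }

    # Items 1-4: record what the TLS stack reports about the server certificate.
    $state = @{ Errors = $null; Cert = $null; Chain = @() }
    $validate = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        if ($certificate) {
            $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        }
        if ($chain) { $state.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
        # Accept the certificate only when it has no errors at all (item 1).
        $sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validate

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        try { $ssl.AuthenticateAsClient($HostName) }
        catch { if (-not $state.Cert) { throw } }   # no certificate seen: not a certificate problem
        finally { $ssl.Close() }
    }
    finally {
        $tcp.Close()
    }

    $policy = [System.Net.Security.SslPolicyErrors]
    $flags  = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    # Item 3: the address used must match the Issued to name.
    if ([int]$state.Errors -band [int]$policy::RemoteCertificateNameMismatch) {
        $issuedTo = $state.Cert.GetNameInfo('SimpleName', $false)
        $findings += "Name mismatch: connected to $HostName, certificate is issued to $issuedTo."
    }
    # Item 2: the client must trust the root CA.
    $untrusted = [int]$flags::UntrustedRoot -bor [int]$flags::PartialChain
    foreach ($status in $state.Chain) {
        if ([int]$status -band $untrusted) {
            $findings += 'Certificate not trusted: install the certificate installation package.'
            break
        }
    }
    # Item 4: the certificate must not be expired.
    if ($state.Cert -and $state.Cert.NotAfter -lt (Get-Date)) {
        $findings += "Certificate expired on $($state.Cert.NotAfter)."
    }
    $findings
}

Test-RwwClientReadiness -HostName 'remote.contoso.com'
```

The script only completes a TLS handshake and closes the connection; it sends no credentials and does not change anything on the client or the server.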

Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:

  1. Check their E-mail.
  2. Access the Internal Web Site (CompanyWeb).
  3. Connect to a computer through RDP (only network admins can connect to the SBS server)
  4. Change their domain password
  5. Access help and configuration information for RWW
  6. Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx)

RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: If you are using a 3rd party SSL certificate, you must complete the “Add A Trusted Certificate Wizard” also. It is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW will add the prefix “remote” to your chosen domain name to distinguish the SBS 2008 in your web presence as the remote user portal. In this case, if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.

For full access to the RWW feature set from the Internet, you must ensure the following:

  1. TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
  2. Clients are running Internet Explorer 6.0 SP2 or higher
  3. The RDP 6.1 client or higher is installed on the client machine
  4. The client must trust the SSL certificate that is installed on the SBS Web Applications site
  5. The client must connect using the URL that matches the common name on the certificate.

Features

From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).

Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:

  1. Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
  2. Users are not presented with the “Administration” links

SBS Console Integration

From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:

  1. Enabling or disabling the website
  2. Browse the website (opens in IE using https)
  3. Add or remove users permissions to login to RWW
  4. Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
  5. Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles

Login Requirements

As it did in SBS 2003, RWW uses forms based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to login to RWW. To modify membership for this group, use the SBS 2008 Console:

User Account Properties for RWW Login Rights

Launching OWA and CompanyWeb

When OWA and CompanyWeb are launched in RWW, your browser is connected to either https://remote.domain.com/owa or https://remote.domain.com:987 respectively; where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted Window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:

Connect to a computer

When a user clicks “Connect to a computer”, they are presented with a list of computers that they are authorized to connect to and can set one as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: If the user is authorized for only a single machine, no list is shown and the user is connected directly to that machine. This is meant to give the Administrator greater control over what machines their users can connect to. This information is defined both on the user account and computer account properties from the SBS 2008 console:

Computer account properties:

Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.

If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:

  1. To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
  2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
  3. Right-click SmallBusinessServer, click New, and then click Key.
  4. Name the key BusinessProductivity.
  5. Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
  6. Name the new value ShowAllComputers.
  7. Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.

TSGateway Integration

RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.

The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:

You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:

Enter in the URL for the SBS 2008 server (which you configured during the IAMW)

Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

Many providers offer inexpensive SSL certificates for domain-only validation.  GoDaddy seems to be a popular choice given just how inexpensive the certificates are.  GoDaddy’s inexpensive cert is called Standard SSL certificate.

Before we dive in, let’s recap the certificate story in Windows Small Business Server 2008. There are two “types” of certificates and four “states” your certificate can be in.  Those are defined on TechNet in the Managing Certificates section of the SBS documentation.  The two types are “Self-Issued” or “Trusted”, and by default, SBS 2008 ships using a self-issued certificate infrastructure, which is used to authenticate the server to the client, and encrypt the traffic between the remote client and the server. The obvious downside here is there is extra work with the certificate installer package on your remote/non-domain joined clients, and Windows Mobile devices.  At some point there are enough of these to warrant the low cost to upgrade to a 3rd party Trusted certificate.  With a 3rd party trusted certificate, the client computers and mobile devices already trust the root of the 3rd party certificate, as these are maintained by Microsoft Update (and various other solutions for non-Microsoft based clients/devices).

As you probably read when you learned about the Internet Address Management Wizard, we have a number of domain name providers, eNomCentral, GoDaddy, and Register.com.  All three of these providers are very well equipped to sell you and facilitate installing a trusted certificate for your small business network, so feel free to shop around! 

I’ll be going through the steps for GoDaddy today as they are the only provider that requires intermediate certificates, which is a bit more challenging.  The process is the same for all the providers, except for eNomCentral and Register.com, you can skip the intermediate certificate steps, and naturally the UI would be different.  On a final note, I have not had luck with the GoDaddy certificate and Windows Mobile 5 (Update Below), if you have Windows Mobile 5 devices, you may want to consider one of the other partners, but the best thing to do here is open the certificate store on your WM5 device and validate the root cert for the provider you’re going with is available in the certificate store.

provide detailed steps, specific for SBS 2008:

  1. In your Windows SBS Console on the server, navigate to the Network tab and the Connectivity sub-tab and launch the Add a Trusted Certificate connectivity task
  2. Click Next on the welcome screen and choose I want to buy a certificate from a certificate provider and click Next.
  3. Verify this information is correct.  This information will be encoded in the request to the certificate provider, and cannot be changed without buying a new certificate.  Additionally for some certificate requests this information could be used to contact you to validate the ownership of the domain name.  Then click Next.
  4. Once you get to the screen below, you are now going to deal with only the certificate provider, with the encoded certificate request shown in the gray box.  Since most providers have you paste this into a web browser, you should click the Copy button to place this into your clipboard.
    1. IMPORTANT: It’s important not to click back or next-back on this page, as it will re-generate a new encoded string, which will not match the request you make to your cert provider.
  5. Once the encoded string is copied safely (I paste it into Notepad so I don’t lose it during the process), let’s close the Trusted Certificate wizard for now to get it out of the way and prevent errors, now that we have that encoded text in the clipboard (and hopefully in Notepad).  Click Next, then select My certificate provider needs more time to process the request, and click Next again; the wizard will show a warning that it could not import the certificate into Remote Web Workplace.
    1. You will also notice after you click Finish, that the console now shows Request Submitted and you have an option to Remove this Certificate, which we don’t want to do unless we want to go back to the beginning.
  6. At this point, go to your providers website and follow the instructions for purchasing a certificate.  The provider will most likely ask you to purchase the certificate before they collect the certificate information (encoded text above) from you. Notes:
    1. The provider may try to sell you other services, feel free to browse, but the server doesn’t require additional services
    2. The server does not require a wildcard certificate, port numbers (such as 987) are used to save you the cost of purchasing a wildcard certificate
    3. You should get a confirmation email with instructions on how to install the certificate.  My particular email has this section in it, stating to log into the website to obtain my cert.
  7. Once I log into my account, it’s abundantly clear that I have a certificate set up waiting for me.
  8. I log in to my account using the ID and choose to use your certificate credit.
  9. Next you will want to go to the Manage Certificate Control Panel.
  10. In the control panel, select your certificate credit and click Request Certificate.
  11. Now you are prompted to insert the CSR, or Certificate Signing Request, which is all of the information you copied out of the trusted certificate wizard (and put into Notepad right?)
    1. IMPORTANT: Make sure you select the server software to be Microsoft IIS.
    2. Note: the actual domain name you are requesting for is encoded in the string from within the Trusted Certificate wizard
  12. Validate the information in the cert is correct, once you confirm it, it’ll cost more money to do this over again, and then click Confirm.
  13. Once you confirm, an email gets sent to the email account on file for that domain name, once you get that email, there is a verification link inside that email that needs to be clicked.  Click it and approve the request, some more email will come into that account you just checked.  One to tell you that it was approved, and one to give you the link to go and get the encoded text.
    1. One thing to note here is there are two things to download, the signed certificate itself, and the intermediate certificates which must also be installed on the website.
  14. Validate the install type is IIS and click Continue, then proceed to the Download Signed Certificate link and save the certificate to the desktop of the server.
  15. Then click the IIS Installation Instructions link to open up the installation instructions.  It’s important to use these instructions for installing the Intermediate Certificate Bundle.  You can follow the Installing the SSL certificate steps as well, but it will change the flow through the Trusted Certificate wizard shown later in this instruction set.
    1. So follow the steps from GoDaddy.com, but I’m going to paste and modify them for SBS 2008 here for you as well… These are of course subject to change without notification!!!
      1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC). Agree to the UAC prompt
      2. In the Management Console, select File; then “Add/Remove Snap In.”
      3. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
      4. Choose Computer Account; then click Next and Finish.
      5. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
      6. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
      7. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
      8. Follow the wizard prompts to complete the installation procedure.
      9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b). You’ll have to change the file filter at the bottom right to PKCS #7 Certificates.
      10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
      11. Click Finish.
  16. Once this is imported, we can go back to the Trusted Certificate wizard in the product
    1. Click Add a Trusted Certificate in the console to re-launch the wizard if you closed it (as recommended above), and click Next on the welcome page.
    2. Click I have a certificate from my certificate provider and click Next.
    3. Since GoDaddy provided me with a file, I’m going to browse to the file that matches my domain name, in this case remote.seandaniel.net (alternatively, if the provider gave back encoded text, that could be pasted into the wizard too), and click Next.
    4. We’re finally done, click Finished!  Now remote clients will get the benefit of a trusted certificate, and the console reports Trusted as the certificate type.

It’s important to use the Trusted Certificate wizard for the last step, to ensure that the certificate is bound to the correct IIS website, as well as TSGateway for remote desktop access.  If you followed all the steps from GoDaddy to install the certificate, simply run the Trusted Certificate wizard and choose I want to replace the existing certificate with a new one, and you’ll get shown the trusted certificate and the self-issued certificate for your domain name, just choose the appropriate one based on the type and the expiration date:

On a final note, to renew your certificate after the year, just click that Add a Trusted Certificate link in the console, but this time choose I want to renew my current trusted certificate with the same provider, and follow the instructions!

On Windows Server 2003 or Windows 2000 domain controllers the Active Directory can be backed up while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.
