SBS 2011 – Error moving Microsoft Sharepoint Foundation data location

If you are in the middle of migrating from SBS 2003 to SBS 2011 and are trying to move the Microsoft Sharepoint Foundation data location on the SBS 2011 server and receive the following error:

“An error occurred while attempting to move the Microsoft Sharepoint Foundation database”

Please check to see that the ports in use on the SBS 2003 server are 80 and 444.  I was just trying to move the location and it kept failing.

After a few searches with no useful information being found, I checked a couple of other SBS 2003 servers that I have access to and saw that the one I was trying to migrate was using port 81 and 444, so I changed the port to 80, stopped and started the website and then tried the move again and this time it completed.

Exchange 2007 & 2010 SSL Certificates

Having just installed Exchange 2007, Exchange 2010, SBS 2008 or SBS 2011, you are now probably at the stage of getting Exchange to work properly (Activesync, OWA, Outlook Anywhere and Autodiscover) and are debating whether or not to use the self-issued SSL certificate installed with the version of Exchange you have, or buying a 3rd party SSL certificate.

Well, for me – it is a no-brainer. I ALWAYS buy a 3rd party SSL certificate from www.exchange-certificates.com because I can buy one, request the certificate, approve the certificate, import it onto the server, enable it for SMTP, POP3, IMAP and IIS and then forget about it for at least 3 years (I always buy one for 3 years minimum) until it is time to renew the certificate.

Once the SSL certificate has been imported and enabled, ALL aspects of Exchange will work (Activesync, OWA, Outlook Anywhere and Autodiscover) and there won’t be any annoying popups in Outlook complaining about certificate issues.

With Exchange 2007 / 2010, the following names should be included in your SSL certificate:

mail.externaldomain.com (or whatever you prefer to use)
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername

With SBS 2008 / SBS 2011 you should include the following names:

mail.externaldomain.com (or whatever you prefer to use)
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername
sites
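
A check for the name lists above, as an added example that is not part of the original post: for each certificate on the server it reports which of the required names and services are missing, whether it is self-signed, and how many days remain before expiry. It assumes the Exchange 2010 Management Shell; the 60-day warning window and the output property names are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on Exchange 2010 / SBS 2011.
# The names below are the post's own placeholders; replace them with your real host names.
$requiredNames = @(
    'mail.externaldomain.com',
    'autodiscover.externaldomain.com',
    'internalservername.internaldomain.local',
    'internalservername'
)
# For SBS 2008 / SBS 2011 also require the "sites" name:
# $requiredNames += 'sites'

# Publicly trusted CAs have since stopped issuing certificates for internal names
# (.local suffixes, single-label host names), so on a newer certificate those
# entries may be absent by design rather than by mistake.

$requiredServices = @('IIS', 'SMTP', 'POP', 'IMAP')
$warnDays = 60   # assumed renewal warning window, adjust to suit

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_

    # CertificateDomains holds the subject and SAN names carried by the certificate
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    # Services is a flags value that renders as e.g. "IMAP, POP, IIS, SMTP"
    $enabled = $cert.Services.ToString()

    $missingNames = @($requiredNames |
        Where-Object { $certNames -notcontains $_.ToLower() })
    $missingServices = @($requiredServices |
        Where-Object { $enabled -notmatch ('\b' + $_ + '\b') })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        SelfSigned      = $cert.IsSelfSigned
        DaysLeft        = $daysLeft
        ExpiringSoon    = ($daysLeft -lt $warnDays)
        MissingNames    = ($missingNames -join ', ')
        MissingServices = ($missingServices -join ', ')
    }
} | Select-Object Thumbprint, SelfSigned, DaysLeft, ExpiringSoon, MissingNames, MissingServices |
    Format-List
```

The certificate you bought should show `SelfSigned : False` with empty `MissingNames` and `MissingServices`; the self-issued certificate created at install time will normally still be listed alongside it.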

You will also need to set up a new A record in your domain’s DNS records (external, via your domain’s control panel, not in your internal DNS records) called Autodiscover, and this needs to point to the IP address of your Exchange / SBS server.  If you can’t do this (and sometimes this is not possible), the alternative is to set up an SRV record, and the following MS guide advises you how to achieve this:

http://support.microsoft.com/kb/940881

With Exchange 2003, a simple single-name certificate was all that was required, and these were much cheaper than the SAN (Subject Alternative Name) / UCC (Unified Communications Certificate) certificates, but sadly, this sort of certificate won’t work properly with Exchange 2007 or 2010.

Whilst some parts of Exchange 2007 and 2010 can be made to work without a 3rd party SSL certificate by tweaking the settings in Exchange, my personal recommendation is to save yourself the pain of doing so by spending the small amount of money it takes ($60 / £40 per year) and save yourself the hassle of trying to tweak Exchange and get all the settings correct. This can be time consuming (how much is your time worth to your company) and fiddly to say the least and the time spent / cost of fixing Exchange to make it work with the self-issued SSL certificate vs the small cost of buying and installing a SAN / UCC certificate is money well spent in my humble opinion.

Extract from Understanding the Self-Signed Certificate in Exchange 2007:

Limitations of the Self-Signed Certificate

The following list describes some limitations of the self-signed certificate.

  • Expiration Date: The self-signed certificate is valid for one year from the date of creation in versions of Exchange 2007 that are earlier than Exchange 2007 Service Pack 2 (SP2). Self-signed certificates are valid for five years from the date of creation in Exchange 2007 SP2 or in later versions. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.

Self-Signed Certificates
When you install Exchange 2010, a self-signed certificate is automatically configured. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. A self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an SSL connection by using a self-signed certificate. Outlook Anywhere won’t work with a self-signed certificate. Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client confirms the trust, then, SSL communications can continue.

Frequently, small organizations decide not to use a third-party certificate or not to install their own PKI to issue their own certificates. They might make this decision because those solutions are too expensive, because their administrators lack the experience and knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal and the setup is simple when you use self-signed certificates. However, it’s much more difficult to establish an infrastructure for certificate life-cycle management, renewal, trust management, and revocation when you use self-signed certificates.

Summary:
So – there you have it. If you want to have Exchange working happily and trouble-free, my best advice is to buy a 3rd party SSL certificate and www.exchange-certificates.com is about the cheapest place around that you can buy an SSL certificate for Exchange from (even cheaper than GoDaddy and they are pretty cheap already!).

How to Assign a Static IP Address to a VPN Client in SBS 2008 and SBS 2011

Have you ever wanted to assign a Static IP Address to a Dial-In user on your SBS 2008 or SBS 2011 server and wondered how to do it?  Well, until recently this was not something that I had ever had to spend any time thinking about, so had not even tried it myself.

Looking into Active Directory users and Computers there is a handy Dial-In tab on User Accounts where you can set the IP Address up.  So having chosen a suitable IP Address that was part of the RRAS IP Range reserved in DHCP for Dial-In users I applied the settings and got the user to test the connection.  They somehow received a completely different IP Address to the one I had assigned!

So – this led me to digging into the only other logical place I could think of that might be causing this to not work properly and that was the VPN Policies.

To get to the Policies, I opened up Routing and Remote Access (under Administrative Tools).

Once opened up, I clicked on the Remote Access Logging & Policies folder.  Having selected this folder, I then right-clicked the folder and selected Launch NPS.

This brought up the Network Policy Server window and from there I selected the Network Policies Folder.  In the Policies at the top of the list is the General Connection Authorization Policy, so I right-clicked this and chose Properties from the menu option.

On the General Connection Authorization Policy Properties Window – it became immediately apparent why the fixed IP Address I had assigned in Active Directory Users and Computers was not working.  Staring me in the face was a check box entitled “Ignore user account dial-in properties” and this was ticked by default, so I unticked the box and clicked the OK button.

I then asked my user to try the VPN again and this time the IP Address that I had assigned them was the IP Address that they received.

So – if you have been scratching your head over this for a while – it is as simple as assigning a fixed IP Address in Active Directory Users and Computers and unticking a check box.

Alan

Problems Installing KB891193 on SBS 2003

I was starting an SBS 2003 to SBS 2011 Migration for a customer today and it failed the SBS 2003 SP1 check! So – I downloaded the relevant components and installed the ones that had not been installed. All fine and dandy, apart from when I got to KB891193 where it failed with Fatal errors repeatedly.

Scouring the web for solutions was pretty fruitless – suggestions of removing the Fax Service (make sure you have SBS 2003 CD1 handy) and running the update as Domain Administrator (which I was) proved fruitless.

I finally decided to try and remove the Client Apps which refused to comply, so as a last resort I felt that it might benefit from a reinstallation of the Client Apps part of SBS 2003 installation (make sure you have SBS 2003 CD3 handy!)

After what seemed like an eternity where nothing was happening, the reinstallation completed, the server rebooted and then I tried KB891193 again and it instantly installed without a single complaint.

So – after 8 hours of wasted time – I can now continue with my SBS 2011 installation! Roll on the weekend.

SBS 2008 Update Rollup 5 Released

Microsoft has just released Update Rollup 5 for Windows Small Business Server 2008. This update is available from the Microsoft Update website.

This update addresses the following issues that were not previously documented in a Microsoft Knowledge Base article.

Issue 1
Windows Server Update Services (WSUS) log files grow quickly and consume a large amount of disk space.

Issue 2
You cannot correctly disable IP version 6 (IPv6) by clearing the Internet Protocol Version 6 (TCP/IPv6) checkbox in the network connection properties dialog box.

Issue 3
When you try to install Windows SBS 2008 Update Rollup 4 after you uninstall Windows SharePoint Services 3.0, the installation may fail.

Issue 4
When you try to edit the properties of a user account, you may receive the following error message:
“Invalid E-mail alias
This e-mail alias already exists. Type a different e-mail alias.”

Note: This issue occurs when the user account has the same SMTP mailbox name as a mail-enabled contact. For example, a user account has an email address of test@contoso.com, and a mail-enabled contact has an email address of test@adventureworks.com. In this example, you may receive the error message when you try to change the user account.

Issue 5
After you install an earlier update rollup for Windows SBS 2008, you may receive the following event in the application event log every 5 to 10 minutes:
Log Name: Application
Source: Windows SharePoint Services 3 Search
Date:
Event ID: 2424
Task Category: Gatherer
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.
Context: Application ‘Search’, Catalog ‘index file on the search server Search’

In this situation, new content is not added to the search index. Therefore, new content cannot be found when you perform a full-text search in the companyweb website.

Issue 6
You may experience compatibility issues with Windows Internet Explorer 9. For example, Internet Explorer 9 may not work correctly with the following websites:
http://companyweb
http://server/remote
http://connect

About Me

I co-own a small independent IT Consultancy called IT Eye Ltd who provide support, consultancy, e-mail hosting solutions & server / workstation / network installations for the SMB (Small and Medium sized Businesses) marketplace.   We provide consultancy / support services to Businesses that are large enough to need IT systems, but that don’t require a full-time member of staff employed to manage their IT systems.  As a result, we are extremely cost effective and can save companies thousands of pounds on their annual IT spend.

We are based in the South-East of England in the Beckenham, Chislehurst & Eltham areas but we regularly travel to London and areas within the M25, sometimes beyond (we used to support a company in Jersey!).   We can also remotely support any computer that is connected to the Internet (we have remotely supported several US based computers and also one in Australia, although I won’t be rushing to repeat that experience as the connection was a little bit on the slow side) and offer fixed price annual support contracts starting from £140 per PC.  You will find me regularly posting on Experts Exchange: http://www.experts-exchange.com/M_4926565.html where I have been active since May 2009.

I have recently migrated an Exchange 2003 Server in Kansas to Exchange 2010 with zero downtime and all done remotely.

If you have a Microsoft server that is in need of an upgrade / migration, then you will be in safe hands.  I have performed numerous SBS / Exchange / Windows migrations, both locally and remotely all around the world.

HIRE ME! I have extensive knowledge of a wide range of Microsoft Products, predominantly Microsoft Exchange and Windows Server products, and can support existing installations, integrate new servers into existing configurations or set up / configure brand new environments.  You can contact me directly by email at alan @ it-eye.co.uk or you can visit our website at http://www.it-eye.co.uk.