Microsoft today announced the discontinuation of Windows Essential Business Server. Catch the full story at the EBS Official Blog. Thank you to all who have made EBS a great adventure over the past four years.

Steve

Check out Chico's new SBS wardrobe over at Sean's blog.

Great post to check out if you are having network issues with your SBS 2008 network!

We have seen an increase of instances where customers are experiencing various networking problems because they have altered the networking topology by installing multiple NICS or assigning multiple IPs to their single NIC. Some of the more common issues we have seen with this scenario include, but are not limited to:

· Slow or complete loss of file share/network login access

· Problems with Outlook connectivity (mailbox login, Autodiscover, OAB, Free/Busy, OOF assistant, Outlook Anywhere)

· Issues accessing web sites (OWA, RWW, Sharepoint, Connect)

· Issues with service startup, particularly Exchange.

· The server hangs at “Applying Computer Settings” upon boot.

· Inability to complete the SBS networking wizards (IAMW and CTIW)

Bring your lunch and your SBS related SQL questions this Saturday and join the Puget Sound Small Business Server User Group for our half-day SQL event at Microsoft's Lincoln Square offices! Information is at the PSSBS Website.

Received this request earlier today, so getting the word out!

The Windows PowerShell Community Review process is looking for volunteers for our third documentation review cycle – especially beginners and intermediate PowerShell users and people with little or no programming background. Volunteers can contact June at juneb@microsoft.com or Marco (Marco.Shaw@gmail.com ).

Windows PowerShell Community Review

Have you ever read Help that wasn't really helpful? Here's your chance to fix it.

The Windows PowerShell documentation team and PowerShellCommunity.org jointly sponsor the Windows PowerShell Community Doc Review. As a member, you'll get to read and comment on the Help docs before they're published, and work with the writers, editors, and the product team to make sure every word is really helpful.

We're looking for users at all experience levels and with all different backgrounds, but we love to have beginners, people with no programming experience, people who know other scripting languages or shells, and people who are not native English speakers. If you're a system admin and you don't really know Windows PowerShell, this is a great way to learn it with help from insiders.

Ready to rock the help? Contact June Blender (juneb@microsoft.com) or Marco Shaw (marco.shaw@gmail.com).

Thanks,

June

Windows Powershell Spoken Here

[Today’s post comes to us courtesy of Wayne Gordon McIntyre from Commercial Technical Support]

You may find yourself in a scenario where your SBS 2008 server has died and you have no backups available, however you do have a second non-SBS domain controller that is still operational which contains all of your domain information. The steps below will guide you thru rejoining the SBS 2008 server back into the existing domain so you do not have to recreate all of your AD objects and rejoin your client machines.

*** Please note that this is not a replacement for doing regular backups. Our recommended method to recover a server in these situations is to restore from a good backup. You should only do this if you have no other choice because there is no good backup to restore from. ***

Preparation and Clean Up Steps:

1. Change the primary DNS server IP on the TCP/IP properties of the network card of the second DC to point to it (e.g. 127.0.0.1).
   
   
   
   
2. Ensure the second DC is a global catalog server. Open Active Directory Sites and Services and go to the properties of NTDS settings of the second DC and check the global catalog box if it was not checked.
   
   

   
   *** IMPORTANT:  If the server was not a global catalog, make it a GC and wait for the Directory services event log to log event 1119 that states the server is now acting as a global catalog server. As a sanity test you can use ldp.exe to confirm that the server is responding to requests on port 3268. For these steps please see the appendix.***

3. Verify which FSMO Roles were held by SBS 2008 by running “NETDOM QUERY FSMO” from an elevated CMD prompt.
4. Seize all FSMO roles the SBS 2008 Server held to the second domain controller. From an administrative command prompt open the ntdsutil utility by typing NTDSUTIL and pressing ENTER.
   1. Type activate instance NTDS, and then press ENTER. *only required if the second DC is a 2008 Server otherwise skip this step.
   2. Type roles, and then press ENTER.
   3. Type connections, and then press ENTER.
   4. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
   5. At the server connections prompt, type q, and then press ENTER.
   6. Type seize PDC, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
   7. Type seize infrastructure master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
   8. Type seize naming master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
   9. Type seize RID master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
   10. Type seize schema master, and press ENTER, click yes on the Role Seizure Confirmation Dialog.
   11. Type q, and press ENTER until you are back at the command prompt.
       
       Steps taken and modified for 2008 from KB 255504 Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

       http://support.microsoft.com/default.aspx?scid=kb;EN-US;255504

5. Perform metadata cleanup to remove the SBS server from Active Directory.
   
   

   216498 How to remove data in Active Directory after an unsuccessful domain controller demotion

   http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

   ** Please note you have to type “Activate Instance NTDS” in ntdsutil if it is a 2008 DC before you do the meatadata cleanup steps. Also if any FSMO roles were not seized in step 3, the updated version of ntdsutil (2003sp1 and greater) will perform the seizure of the remaining FSMO roles.

6. Clean up DNS records that point back to SBS 2008.
   1. Delete CNAME records “CompanyWeb”, “Connect”, “SBSConnectComputer” and “Sites”
      
      
      
      
   2. Delete the Same as parent ‘A’ records that point to the IP of the SBS server
   3. Go to properties of the _msdcs.domain.local and domain.local zones and go to name servers tab and remove the SBS server as a name server
      
      
      
      
7. Delete the exchange server object out of Active Directory.
   1. Open Active Directory Sites and Services.
   2. With Active Directory Sites and Services highlighted at the top node of the tree use the view menu and click on Show Services Node.
      
      
      
      
   3. Expand until you get to the Server name of the failed server as shown below, and press DELETE, put a check in the box to delete sub-containers then click yes.
      
      
      
      
8. You are now ready to rebuild your SBS server to rejoin the existing domain by following Sections 1 – 3 from the link below using the secondary DC as the source server. http://technet.microsoft.com/en-us/library/cc664208(WS.10).aspx

Post Migration Install Steps

1. Change the DNS server IP back on the 2^nd DC to point to the SBS server, with alternate pointing to itself.
   
   
   
   
2. Re-add the Source Server on the SMTP connector.
   1. Open the Exchange Management Console.
   2. Expand Organization Configuration
   3. Select the Hub Transport Node
   4. Go to the Send Connectors tab.
   5. Open the properties of Windows SBS Internet Send COUGAR connector.
   6. Select the Source Server Tab and choose Add, select the SBS 2008 server as the source server.
      
      
      
      
3. Run “Connect to the Internet Wizard” and the “Set up your Internet Address Wizard”.
4. If you have data to restore such as Exchange, Sharepoint, SQL or files you can now restore it.

Appendix A

Using LDP to verify GC functionality

1. From an Administrative cmd prompt launch LDP
2. From the file menu select connect and enter the server name that you are on and change the port number to 3268
3. Once it connects we know that the server is listening and responding to connections on the GC port. Also verify it has the “isGlobalCatalogReady” equals true setting.
4. Next step is to verify you can Bind go to file menu and select bind and use the currently logged on credentials.
5. Click on View > Tree and leave the baseDN blank and you should see your domain tree.

Appendix B

Testing replication:

To test replication between the 2 domain controllers run Repadmin /showrepl. The output should show successful replication for all partitions. For more assistance on using repadmin please see the following Technet link.

http://technet2.microsoft.com/WindowsServer/en/library/a103036b-5d82-4d99-8e61-23d434a8e6eb1033.mspx?mfr=true

[Today’s post comes to us courtesy of JoAnn McKimpson from the SBS Marketing Team]

Every day, your users work with information that is valuable to your business. However, this same information—including your customer databases, product price lists, and financial information—is constantly at risk of discovery. You see the reports in the papers nearly every day: laptops are stolen, removable hard drives are sent to the wrong recipient. Savvy businesses realize they need help to secure their business information and protect it from inadvertent or deliberate disclosure.

That’s why Microsoft created Encrypting File System (EFS), a powerful tool for encrypting files and folders on servers and client computers. EFS helps secure confidential information that should not be disclosed without authorization, information that resides on remote servers or on portable computers such as laptops or netbooks, or confidential information on computers that are shared by multiple workers at a business. With EFS, you can protect your business’s information in case someone gains physical possession of the computer that the files reside on. Even people who are authorized to access the computer and its file system can’t view the data that they shouldn’t. Files are encrypted when you close them, but are automatically ready to use when you open them. If you change your mind about encrypting a file, clear the check box in the file's properties.

EFS is an integral part of the file system and is transparent to your users and applications; you don’t need to install any special software to work with encrypted files. It’s available on Windows Small Business Server (Windows SBS) 2008 and the Windows 7 Professional, Enterprise, and Ultimate operating systems, including both 32-bit and 64-bit platforms.

How EFS works

EFS helps secure the information that is contained in your folders and files by creating a unique key that uses a combination of the server’s credentials and the user’s credentials. When you first apply EFS to a folder, any files that are created in that folder or moved into that folder are encrypted, and only you and the recovery agent are given access to encrypt or decrypt the file. You can give any other user access to individual files in this folder. However, users can only be added to the access list individually; it is not possible to grant an entire group access to a file. Also, although you can give users access to individual files, it is not possible to give users access to an entire folder.

After a folder is marked for encryption, it isn't necessary to manually mark the files in it for encryption. But when you move a file out of the encrypted folder, the file may be decrypted, depending on whether you move the file into an NTFS volume. The best practice is to keep a file in its encrypted folder until the file is no longer needed.

If a person or program doesn’t possess the correct key to read the encrypted file or folder, an “Access Denied” message appears. EFS is an excellent file encryption system—there is no "back door”—however, anybody who can obtain the user ID and password can log on as that user and decrypt that user's files.

Encrypting File System Best Practices

Because EFS is so secure, it’s critical to enforce a strong password policy. It’s also a best practice to archive and back up the recovery keys for your domain and keep them in a safe place to ensure recovery should the keys become damaged or lost. If you don’t take these precautions, you can permanently lose the information in encrypted files and folders. We will cover recovery keys in the next section of this post.

When encrypting removable media, it is important to keep in mind that the encrypted files will only be accessible on computers that have certificates for users who are listed as having access to the file (or the recovery agent key). This means that if you are working on an encrypted file at work, and you bring it home to finish up on your home computer, you will only be able to access this file if your home computer has your user certificate.

Similarly, you should take great care when you enable EFS on a SharePoint site. Any user who has access to a SharePoint site can encrypt any file on that site. However, once that file is encrypted, only users listed as having access to that file (or the recovery agent) will be able to access it.

For more information on EFS Best Practices, read this TechNet article*: http://support.microsoft.com/kb/223316/en-us.

Using Encrypting File System

As previously mentioned, it is essential to back up your user certificates and recovery key before you use EFS to encrypt anything on your computer or the server. Once you have backed up these certificates, you can encrypt folders and files either directly or using group policy

Creating Backing Up the Domain-Based Recovery Key

The first step in backing up user certificates and recovery keys is to create a domain-based data recovery agent. By default, the local administrator is set as the recovery key. This means that if the machine is lost or stolen, the domain administrator will not be able to access encrypted files. Instead, it is best to set the domain administrator as the recovery agent.

To create a domain-based recovery agent:

1. Log on to the Windows SBS 2008 server.
2. Click Start > Administrative Tools > Group Policy Management.
3. Right-click the GPO that contains the EFS policy, and then click Edit.
4. In the console tree (on the left), navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and then right-click Encrypting File System. 
   
   
   
5. Click Create Data Recovery Agent to make the currently logged on user a Recovery Agent. The new Recovery Agent certificate appears in the right-hand pane.

To add additional recovery agents, right-click the Encrypting File System node, and then click Add Data Recovery Agent. This will open the Add Recovery Agent Wizard.

Once you have set the domain recovery agent, you should back up the certificate. To export the domain EFS recovery agent's private key:

1. Log on to the Windows SBS 2008 server.
2. Click Start > Administrative Tools > Group Policy Management.
3. Right-click the GPO that contains the EFS policy, and then click Edit.
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
   
   
   
5. Right-click the certificate you want to export.
6. Point to All Tasks, and then click Export. The Certificate Export Wizard starts.
7. Click Next.
8. Click Yes, export the private key, and then click Next.
9. Click Personal Information Exchange – PKCS #12 (.PFX).  
   
   Note: We strongly recommend that you select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access. If you select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. In all other situations, export and then store the recovery agent's private key offline to help maintain its security.
   
10. Click Next.
11. Specify (and confirm) a password, and then click Next.
12. Specify a file name and location where you want to export the certificate and the private key, and then click Next.
    
    Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.
    
13. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Now that you have set the domain recovery agent and backed up the certificate, you can begin to use EFS to help protect files and folders from unauthorized access. The following sections provide instructions on enabling EFS by selecting specific folders and files and by using group policy.

Encrypting Specific Folders and Files in Windows SBS 2008 or Windows 7 Professional

In Windows SBS 2008, there are two ways you can use EFS to help protect business information. The first is the easier one to implement: select the specific folders or files on your server that you want to encrypt. These steps are also the same for encrypting folders or files in Windows 7 Professional. Follow these steps to select specific folders or files:

1. Start Windows Explorer.
2. Right-click the folder or file you want to protect, then click Advanced > Encrypt contents to secure data.
3. Click OK twice to close the dialog boxes. Your folder or file is now encrypted.
   
   

This method helps secure your information in cases where unauthorized users attempt to access the files from within your business, or for when the server or its hard drives are removed from your business.

To allow a user to encrypt or decrypt a file:

1. Open Windows Explorer.
2. Right-click the encrypted file that you want to change, and then click Properties.
3. On the General tab, click Advanced.
4. In Advanced Attributes, click Details.
5. To add a user to this file, click Add, and then do one of the following:
   
   
   
6. To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
7. To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
8. To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
9. To remove a user from this file, click the user name and then click Remove.

Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.

Encrypting Folders and Files in Windows SBS 2008 or Windows 7 Professional Using Group Policy

The second way to encrypt folders and files is to create a group policy for computers in your business so that specific files and folders on those computers use EFS. The most useful group policies enforce encryption of the user’s Documents folder and encrypt offline files. They give remote users or users with laptops the ability to work with information while on the road, but they keep the information secure should the laptop or hard drive fall into unfriendly hands.

You should be aware, however, that using Folder Redirection group policy, which redirects specific user folders to server locations, can result in those files being encrypted multiple times. This is unnecessary and can adversely affect file server performance.

Follow these steps to create an EFS group policy:

1. Click Start > Administrative Tools > Group Policy Management.
2. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).
3. Click Create a GPO in this domain, and Link it here… 
   
   
   
4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
5. In the console tree, in the Group Policy Objects folder, right-click the new GPO and click Properties.
   
   
6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
7. Right-click Encrypting File System and then click Properties. The Encrypting File System Properties dialog box appears.
8. Under File Encryption using Encrypting File System (EFS), click Allow.
9. Select Encrypt the contents of the user’s Documents folder and then click OK.
   
   
   
10. Close the console applications. The new group policy will be applied the next time a user logs on to the domain.

The next time the user uses the computer, the new settings will be applied. To verify that the policy has been correctly applied:

1. Log in as any user on the domain.
2. Right-click any folder on the user’s computer.
3. Select Properties, then Advanced.
   You should see the following settings:
   
   

Note: It can take a few minutes for these settings to propagate. Also, the user’s machine may need to be restarted.

Recovering EFS Keys

As we’ve discussed, encrypted data is readable only to users who possesses the required private key to unlock the data and to the recovery agent. It is important for you to realize that if the user's private key is lost or damaged, the encrypted data becomes unusable unless there is a means to restore the plaintext or the private key to the user. Your organizations can lose access to valuable encrypted information unless there is a means for someone else besides the user to recover the encrypted information.

In order for you to successfully retrieve that user’s data, the EFS user must have a valid EFS user certificate, and at least one EFS recovery agent account must have a valid EFS recovery certificate. Thus, when you deploy EFS or secure mail, you should implement a recovery program and policies to ensure that users' encrypted data can be recovered.

When Group Policy is downloaded to computers, the Encrypted Data Recovery Agent Group Policy settings contain the certificates for each designated recovery agent account within the scope of the policy. EFS uses the information in the current Encrypted Data Recovery Agent Group Policy settings to create and update DRFs. A recovery agent certificate contains the public key and information that uniquely identifies the recovery agent account.

To retrieve an encrypted file or folder:

1. As the recovery agent, log in to the computer from which you need to retrieve data.
2. Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.‌
3. Click the Personal folder.
4. Click the Action > All Tasks > Import. This opens the Certificate Import wizard.
   
   
   
5. Click Next.
6. Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next.
   
   
   
   If you have navigated to the right location but don't see the certificate you are importing, then check that the correct file type is selected (i.e., .PFX, .P12, etc.).
   
7. Type the password, select the Mark this key as exportable check box, and then click Next.
8. Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish.

After you import the certificate, you should have access to decrypt the encrypted files: right-click the file, click Properties > Advanced, and then uncheck Encrypt contents to secure data. This will decrypt the file.

The Combined Benefits of EFS on SBS 2008 and Windows 7

Using EFS is especially important for those of us who use devices such as laptops and external hard drives away from the office. Encrypting the Documents folder helps ensure that the information is kept from prying eyes and, when used with the redirected folders policy in Windows SBS 2008, also helps ensure that the information is maintained and backed up on the server. When used together, these methods create a centrally-managed business policy that helps add security to your business information. It is important to properly back up recovery keys so that you can access a users’ files if disaster strikes.

For more information on the Encrypting File System, read this TechNet article: http://technet.microsoft.com/en-us/library/cc700811.aspx.

*Written originally for Windows XP but still valid for current EFS implementations

Today Microsoft announced that effective June 30, 2010, Microsoft will discontinue future development of Windows Essential Business Server (EBS), the infrastructure solution we designed specifically for midsize businesses. This blog post is to specifically answer the question around whether the change affects other Microsoft solution products.

The short answer is, no.

In no way does today’s EBS announcement impact Windows Small Business Server, Windows Home Server and Windows Server 2008 and R2.

Our decision to discontinue future plans for Windows Essential Business Server was based on several factors, but most notably in response to midsize businesses making a rapid shift towards technologies such as management, virtualization and cloud computing as a means to cut costs, improve efficiency, and increase competitiveness. As it happens, those technologies are offered today through other Microsoft solutions, and midsized customers are adopting them, including Windows Server 2008 R2, Microsoft System Center, Microsoft Exchange Server, and the Microsoft Business productivity Online Suite (BPOS).

We believe that streamlining our server product portfolio will provide clarity for customers and partners to determine which option might be right for them.

Microsoft remains fully committed to small and medium-sized businesses. EBS customers can look forward to continued support and a number of options for continuing with EBS or transitioning to other technologies.

For more information, please visit: http://www.microsoft.com/ebs.

[Today’s post comes to us courtesy of Damian Leibaschoff and Wayne Gordon McIntyre from Commercial Technical Support and Chris Puckett from Product Quality]

SBS 2008 installs all of its features using a single volume (C:), there are tools available to move some of the data to other locations, but a number of folders that remain in the C: volume can continue to grow if left unchecked, this can potentially eat all the available disk space on the C: drive. Once the C: drive reaches certain low space thresholds, some services will stop functioning properly on the server, while others will change their behavior to prevent data loss. Usually, administrators realize they have a problem when e-mail flow is impacted, under low disk space conditions, due to the Exchange Back Pressure features, mail flow will stop. Users may experience some of the following errors or non-delivery-reports: Error 0x800CCC6C, SMTP_452_NO_SYSTEM_STORAGE, or 452 4.3.1 Insufficient system resources. 

These are some of the steps that can be performed to help recover and prevent these issues.

IIS and SBS Logs

(This is expanding on the existing post “Reclaiming Disk Space Lost to IIS Logs on SBS 2003 and SBS 2008”)

By default, all IIS hosted web sites have logging enabled, this can lead to some large folders in C:\inetpub\logs\LogFiles (Review this post in case you have moved your log files). You may also want to specifically stop logging all together for certain web sites, in particular, the “WSUS Administration” web site (Site Id 1372222313). For this, perform the following steps:

1. Launch IIS Manager from Administrative Tools.
2. Expand Server, Sites, and select the WSUS Administration web site.
3. On the feature panel, click to open Logging.
4. Click Disable in the Actions panel (rightmost panel)
5. Repeat the steps for any other web site. Please note that logging may be needed for troubleshooting or auditing purposes on sites that are public facing, this is usually not the case on the WSUS Administration site.

Some of the SBS 2008 log files can grow to very large sizes, all SBS logs are stores in this folder (and subfolders): C:\Program Files\Windows Small Business Server\Logs\. Some of the logs that will grow the most and may need trimming are:

• Console.log, this log will continue to grow while the SBS Console is running.
• *.evtx files, these are the event logs before the setup of the server completed, they can be safely removed if the server has been in production and had no setup issues.
• W3wp.log, in the C:\Program Files\Windows Small Business Server\Logs\WebWorkplace folder. This is the log for Remote Web Workplace.
• The C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs folder. These are the logs for the Windows SBS Manager service.

POP3 Connector Badmail directory

If you are using the POP3 Connector, you may end up with emails that failed to be delivered (rejected by the local Exchange server) in C:\Program Files\Windows Small Business Server\Data\badmail. This folder will be automatically trimmed to 400mb once it reaches 450mb once a week.

The licensing log can consume a significant amount of hard disk space

This is discussed on the Windows Small Business Server 2008 Release Documentation
You can delete the events in the Windows SBS 2008 licensing log to free up additional space on the hard disk drive.

To delete events in the Windows SBS 2008 licensing log

1. From the server, open a Command Prompt window as an administrator. To do this, click Start, and then in the Search box, type command prompt.
2. In the list of results, right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, type the following command: del "%systemroot%\system32\winevt\logs\Microsoft-Windows-Server Infrastructure Licensing*%4Debug.etl.*"

You can also use Registry Editor to disable the licensing log.

1. Click Start, type regedit, and then press ENTER.
2. In Registry Editor, locate and then click the following registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerInfrastructureLicensing
3. In the details pane, right-click TraceMask, and then click Modify.
4. In the Edit DWORD dialog box, change the value for Value data to 0 (zero), and then click OK.
5. Restart the server.

Windows Server Update Services (WSUS) Server Cleanup Wizard

In WSUS, you can delete unused updates and update revisions, computers not contacting the server, unneeded update files, expired updates and superseded updates. In order to accomplish this, you have to manually go through the WSUS Server Cleanup Wizard.
To run the Server Cleanup Wizard :

1. In the WSUS administration console (launch it from the Administrative Tools), select Options, and then Server Cleanup Wizard.
2. By default this wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all possible options, and then click Next.
3. The wizard will begin the cleanup process, and will present a summary of its work when it is finished, depending on the server performance, this may take a very long time. Click Finish to complete the process.

Very large SharePoint SQL transaction log file

Please read the following KB article for an explanation and instructions on how to prevent this:
2000544 SBS 2008 BPA Reports that The Windows SharePoint Services configuration databases log file is getting large (currently over 1gb in size)

Active Directory Certificate Services transaction log files

When completing a critical or system state backup of the C: volume, a new transaction log will be generated under the c:\windows\system32\certlog\ folder. Removing these logs is only safe as long as the CA database file is consistent. In order to remove these logs and reclaim disk space, follow these steps:

1. Open the Services MMC and stop the Active Directory Certificate Services service.
2. Make a backup copy of ALL the file contents present in the c:\windows\system32\certlog\ folder.
3. Delete EDB.CHK and all the files that have an extension of .LOG (*.LOG)
4. Restart the Active Directory Certificate Services service.

Windows Component Clean Tool

The Windows Component Clean Tool (COMPCLN.exe) can be used to remove the files that are archived after Windows Vista SP2 or Windows Server 2008 SP2 is applied. It also removes the files that were archived after Windows Vista SP1 was applied, if they are found on the system. Running this tool is optional.

Installing Windows Server 2008 service packs increases the amount of disk space that is used by the operating system. This space is used to archive files so that the service pack can be uninstalled. Typically, you should run COMPCLN.exe if you want to reclaim this disk space after applying SP2 and if you will not need to uninstall SP2.

NOTE: You cannot uninstall Windows Vista SP2 or Windows Server 2008 SP2 after you run this tool on an image.

Move Data Wizards

We are not going to focus on these wizards on this post, but as a reference, SBS 2008 provides an automated way of moving the following:

• Move Exchange Server Data: which moves both the exchange database file as well as your exchange transaction logs for all storage groups.
• Move Windows SharePoint Services Data: Moves the SharePoint Content and Configuration databases.
• Move Users’ Shared Data: Moves C:\Users\Shares\ directory and all sub directories 
• Move Users’ Redirected Documents Data: Moves C:\Users\FolderRedirections\ directory and all sub directories
• Move Windows Update Repository Data: Moves the repository data from C:\WSUS\WSUSContent and C:\WSUS\UpdateServicePackages. Please note it does NOT move the SUSDB Folder and the WSUS database which contains the metadata.
• More Resources:
  Manage Server Storage by using Windows SBS Console
  Moving Data on Windows Small Business Server 2008
  Introducing Server Storage Management in SBS 2008

Update #1 3/3:
Added reference to WSUS Administration web site ID (Site Id 1372222313)
Added reference to Exchange 2007 BackPressure NDRs and errors due to low disk space

[Today’s post comes to us courtesy of James Frederickson and Shawn Sullivan from Commercial Technical Support]

We have seen an increase of instances where customers are experiencing various networking problems because they have altered the networking topology by installing multiple NICS or assigning multiple IPs to their single NIC. Some of the more common issues we have seen with this scenario include, but are not limited to:

· Slow or complete loss of file share/network login access

· Problems with Outlook connectivity (mailbox login, Autodiscover, OAB, Free/Busy, OOF assistant, Outlook Anywhere)

· Issues accessing web sites (OWA, RWW, Sharepoint, Connect)

· Issues with service startup, particularly Exchange.

· The server hangs at “Applying Computer Settings” upon boot.

· Inability to complete the SBS networking wizards (IAMW and CTIW)

SBS 2008 (Server 1 in Premium Edition) is supported by Microsoft only in a single network card environment with a single IP address. If multiple NICs are detected during the initial SBS setup, all but one will be disabled.  This is because the integration between the various components included with the product has been designed to depend on this basic topology. This, in turn, simplifies the deployment of the product. Other configurations, although supported and perfectly legitimate on Windows Standard edition, would be considered unsupported in SBS 2008. Microsoft technical support may require that the server is brought back into a supported scenario before troubleshooting can begin. For more information regarding supported network topologies and SBS, see the following post.

To return the server to a functioning and supported state, begin by running the SBS 2008 BPA. This will check for and notify you of any network configuration settings that require attention:

Common Scenarios

1. Multiple NICs are installed and active. Or multiple NICs are installed, but only one is plugged in.

To fix this, open Network Connections from the Control Panel, or type ncpa.cpl from the Run command.

**Note** It is critically important to know which IP addresses your services (DNS, IIS, SMTP, Terminal Services, etc) currently are listening on before you make any changes to your TCP/IP configuration. You could easily render a critical service completely unbound from the network.

Right-click and disable all but the primary adapter.  If you decide remove and uninstall the additional adapters, please read the following SBS blog Device Manager may seem to hang while uninstalling a NIC.

You will also need to verify the binding order of your NICs by clicking on Advanced > Advanced Settings menu. Your enabled NIC must be first in the list and must have both File/Print sharing and Client for Microsoft Networks enabled:

2. Multiple IPs are assigned to the NIC.

As stated before, SBS 2008 is designed to only have a single IP address on a single network adapter.  The NIC must use a private IP address with a 255.255.255.0 subnet mask. The following IP ranges are supported:

• 10.0.0.0 - 10.255.255.255
• 172.16.0.0 - 172.31.255.255
• 192.168.0.0 - 192.168.255.255

Remove any additional IP addresses that you have bound to the NIC. Be careful and verify which IP address(es) your services are listening on, changing them if necessary, beforehand.

A note about NIC teaming:

We periodically encounter servers with NIC teaming enabled. When configured properly, teamed NICs will logically act as a single NIC with a single IP address and provide fault tolerance if one fails. However, this still falls into an unsupported network topology on SBS 2008 and you may be asked by Microsoft technical support to break the team as part of troubleshooting. You can find this documented as well in the SBS 2008 Release Documentation under the section “The Windows Small Business Server 2008 networking wizards do not support network teaming”.