
Updates and Solutions

  Avoiding trouble with Windows Updates
      Thursday, August 6, 2009

Do you ever wonder why there are so many sporadic one-off problems with Windows Update? Someone runs a .Net update and it breaks a lot of things, even though thousands of other admins have run that same patch without problems?

I think I might have an inkling why.

How many times have you been checking on a server right before lunch and saw an optimization you could easily make, made the change and then saw that the server wanted a reboot? It wasn't that critical a change, and you can't restart the system during business hours, so you add a task to your list to restart the server that evening. Or do you? Did you ever actually get around to it?

Maybe you download a patch for a known issue and then it calls for a reboot, and you decide that you might as well run some other updates before the reboot to get your downtime's worth.

Both of these situations are much more likely to result in failed Windows Updates, since there are unresolved .dll, file and registry changes underway.

The best practice is to restart a server BEFORE you run Windows Update or any significant patches. You would do this in order to ensure that there are no subsystems that can't be patched properly due to their already holding their breath for a reboot. So a good Windows Update procedure would involve at least two server restarts: one before the updates are run, and another after.

The truth is, if your servers run for 30+ days between reboots, it's fairly common for them to begin to accumulate some of these "pending reboot" situations, and if you don't resolve those before doing any serious patching, you may end up with unpredictable results.
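
A pre-patch check for the "pending reboot" state described above, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on Windows Server 2008 or newer, and reads the standard registry locations where Windows records a reboot requirement; the function name and the 30-day threshold variable are hypothetical.

```powershell
# Added example: report reboot-pending indicators before running Windows Update.
$MaxUptimeDays = 30   # threshold taken from the "30+ days" figure in the post

function Get-PendingRebootState {
    # Key exists when Component Based Servicing has changes waiting for a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    # Key exists when Windows Update itself has flagged a required restart.
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Value lists file replace/delete operations that only complete at next boot.
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    $renames = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ComponentServicing = Test-Path $cbs
        WindowsUpdate      = Test-Path $wu
        # Some software queues renames routinely, so treat this one as a hint.
        PendingFileRenames = [bool]($renames | Where-Object { $_ })
        UptimeDays         = $uptimeDays
    }
}

$state = Get-PendingRebootState
$state | Format-List

if ($state.ComponentServicing -or $state.WindowsUpdate -or $state.PendingFileRenames) {
    Write-Warning 'Reboot pending: restart this server before running Windows Update.'
} elseif ($state.UptimeDays -ge $MaxUptimeDays) {
    Write-Warning "Up $($state.UptimeDays) days: restart first, then patch, then restart again."
} else {
    Write-Output 'No pending-reboot indicators found.'
}
```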
 
  Links for the SBS 2008 Build Day participants
      Saturday, June 6, 2009

Yeah, that's right. Everybody else look the other way.

Are you short on space and thinking about restoring to an RSG located on a USB drive? Remember that you'll need that drive to have an admin share.
http://msexchangeteam.com/archive/2009/05/27/451488.aspx

You need to set up a dial-tone database, but you need to think carefully about how it will affect your cached Exchange Outlook users.
http://technet.microsoft.com/en-us/library/aa998698.aspx

This is a common problem that I usually hear about via the old, "Server runs fine for a few days and then nothing works, no connectivity at all" story.
http://blogs.technet.com/sbs/archive/2009/02/12/you-may-lose-network-connectivity-on-sbs-2008-when-using-a-driver-which-utilizes-tdi.aspx

This was fun. I need to come back and talk about troubleshooting mailflow hassles.
 
  Advanced SBS 2008 Build Day in Portland
      Thursday, June 4, 2009

This Saturday there's an event held at a New Horizons center in Portland that I'll be speaking at. It's an all-day thing, from 9am to 4pm, and it will be covering security, virtualization and Exchange. Yours truly will be gabbing and demoing for two full hours as part of this event. I'll be covering the following topics:

- Exchange Management: Tasks Beyond the SBS Console
- Recovering Exchange on SBS 2008: Backup and Disaster Recovery
- Troubleshooting Mail Hassles on SBS 2008

Tim Carney (of basbits.org fame) will probably be talking on a variety of topics, and SME's Dana Epp and Susan Bradley will also be presenting via Live Meeting. All of them are awesome people to learn from.

The event will showcase a live step-by-step build of SBS 2008, including joining clients to the domain and post-installation tasks.

The event includes lunch and snacks, and I think the paltry registration fee is primarily to cover those...

https://www.clicktoattend.com/invitation.aspx?code=137854

New Horizons
9800 SW Nimbus Ave
Suite 100
Beaverton, OR 97008
USA
 
  VMWare - Cannot find a valid peer process to connect to
      Monday, February 23, 2009

I work a lot with VMWare Workstation, and tonight while I was doing some work on a lab environment, I realized that the VM containing my domain controller was not running. It had been running earlier, but now it was not. When I tried to start it again, I got the message "Cannot find a valid peer process to connect to". Google turned up all sorts of things, including people who said that everything was fine after they rebooted the host machine. Since I'm usually juggling three or four VMs at a time and each one takes around 8-10 minutes to shut down, I wasn't about to waste my time with that.

Instead I went into Task Manager and looked at the processes. I currently had two VMs running, one Windows 2003 server with Data Protection Manager that I'd given 1.5gb of memory to, and an Exchange 2007 server that I'd given 3gb to. In the Processes list, I could see three instances of vmware-vmx.exe, and two of them had a Peak Working Set that matched the amounts of ram that I'd allocated them. The remaining one showed a working set of 1.2gb, around the amount I'd allocated to the domain controller. Once I killed that process, I was then able to fire up that VM. Apparently it had crashed, but it had left a ghost process behind that was keeping that VM from starting up again.

So that's an easier way to go about it than rebooting your host workstation. Worked for me, but it might not work for you.
 
  Trouble with reporting services during DPM installation
      Saturday, January 31, 2009

If you're installing Data Protection Manager and you keep running into issues at the point that it tries to install SQL Reporting Services, you are probably dealing with a certificate error. You can't have a public cert installed in IIS; you need the simple kind that maps to the local NetBIOS name.

If you check the logs, you'll have something like this near the end of the log:

The remote certificate is invalid according to the validation procedure.

Chances are if you check the certs in this server's Personal store, there won't be a cert that matches the local server's NetBIOS name. There needs to be one. Check in the Trusted Root, and if there's one there, copy it into the Personal store. Make sure that the cert that matches your NetBIOS name is also the one that the Default Web Site is configured to use. But there may not be one there. That was the case for me tonight, and I figure that since it took me till 2am to find a solution, I'm sure as heck going to publish it.

Basically the next step if you don't have that cert is to request one from your local CA. But maybe you don't have a CA or you don't want to hassle with setting one up at 1am. What I did is this:

1. Go to my nearby Exchange 2007 server, open up the Exchange Management Shell, and (assuming your server's name is DPMSERVER1) do the following:

New-ExchangeCertificate -DomainName DPMSERVER1 -privatekeyexportable:$true

Then tell it "No" you don't want to overwrite the existing SMTP cert settings. This will generate a cert with your DPM server's NetBIOS name set as the Common Name.

2. Go into the cert MMC on the Exchange server and export this cert with the private key.

3. Copy the cert file over to your DPM server and import it into the Personal store there.

4. Then go into IIS and configure the Default Web Site to use that cert.

Now rerun setup AGAIN... Your installation should work if lacking the proper cert was your issue.
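
The certificate check described in this post, as an added example that is not part of the original: it looks in the Personal and Trusted Root stores for a cert whose Common Name matches the local NetBIOS name and reports which of the cases above applies. The helper name Find-NameCert is hypothetical; the script only reads the stores and changes nothing.

```powershell
# Added example: is there a usable cert for this server's NetBIOS name?
$name = $env:COMPUTERNAME   # local NetBIOS name, e.g. DPMSERVER1 in the post

function Find-NameCert([string]$StorePath, [string]$Name) {
    # SimpleName resolves to the subject's Common Name when one is present.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Name }
}

$personal = Find-NameCert 'Cert:\LocalMachine\My'   $name
$root     = Find-NameCert 'Cert:\LocalMachine\Root' $name

# A cert is only usable for IIS if it has its private key and is in date.
$now    = Get-Date
$usable = $personal | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

if ($usable) {
    Write-Output "Usable cert(s) for $name in the Personal store:"
    $usable | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
    Write-Output 'Confirm the Default Web Site in IIS is configured to use this cert.'
} elseif ($personal) {
    Write-Warning "A cert for $name is in Personal but is expired or lacks a private key."
    $personal | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
} elseif ($root) {
    Write-Warning "A cert for $name exists only in Trusted Root; copy it to Personal."
} else {
    Write-Warning "No cert for $name found; request or generate one as described above."
}
```

If you used the export/import route, delete the exported certificate file from both servers once the import succeeds, since it carries the private key.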
 
  Troubleshooting ActiveSync - Outlook Email 0 Items
      Thursday, January 22, 2009

Last week I worked on a problem for a client who had an interesting situation. He was using ActiveSync on his Exchange 2003 server, and it had been working perfectly until it didn't work perfectly. But the symptoms of the failure were very strange: there was only one--after an initial synchronization completed, all his local PDA Outlook folders were still empty. On a device that already had content synced to it, no new content would ever arrive.

I had him set me up a test account and put some mail in it, and I synced it to my Treo 700w. When I hit "sync", I actually watched it checking for changes. At the bottom of the screen, it ran through each step: Contacts, Calendar, Email and Tasks. I watched it sync 10 different Inbox items, but when the sync completed, the inbox was empty and the display said "Outlook Email 0 Items".

If I decided to send an email from the phone, that worked fine.

Running the test from TestExchangeConnectivity.com showed that everything was working, green the whole way.

I even removed all the Exchange virtual directories in IIS and allowed them to regenerate, but nothing changed in the behavior. For all practical purposes everything was working, but the devices (both real and emulated) didn't actually get any email.

SOLUTION:

Eventually we chose to uninstall Trend Messaging Security (we'd already disabled it to no avail), and immediately synchronization worked properly. I've also read about this happening with other mail-focused security applications like Symantec and Avast, so definitely keep this handy as a solution for this problem.
 
  I've joined the team at Third Tier
      Monday, January 5, 2009

Last October, while at the SMBNation conference, Amy Babinchak and Eriq Neale invited me to work for them as a Third Tier support engineer. I accepted, and part of my time since then has been dedicated to resolving tickets opened on the Third Tier website. The nature of my daily work didn't really change much as a result of this, but it did shift the origin of it, and I've enjoyed getting to know Amy and Eriq better in the process.



So what's Third Tier?

Third Tier is a remote support business that aims to provide top-notch problem-resolution skills for technologists who need help with advanced projects. Rather than having SMB business owners call us for help, Third Tier exists to support "trusted advisors" within the SMB consulting space who need additional expertise with specific technologies. My own contribution to Third Tier is to handle most of the Exchange-related tickets.

I've been working actively for Third Tier since November 2008, and have worked on quite a few tickets. As of today, all my open tickets have been closed with a 100% resolution rate. I like this work because it allows me to spend my time focused on what I'm best at, and I get to work on more interesting problems than I might otherwise.

How does Third Tier work? Basically if you have a need for technical assistance from a subject-matter expert and don't want to go through the queue at the software vendor, you open a new ticket at the Third Tier website. Along with the ticket, Third Tier requires a $175 PayPal payment to cover the first hour of work. The basic rate is $175 an hour for each subsequent hour. Most of my tickets have taken two hours to resolve, but I have worked on multiple sub-projects for some clients that have totaled quite a few hours as well.

I would say that as a whole, my work has shifted toward focused specialization on messaging and away from the sort of projects that might involve me in working on desktop issues of any sort. These hands are very grateful for that.