Small Business Server 2000 Best Practices
Published: May 19, 2003
Please note: Portions of this transcript have been edited for clarity
Hosts:
- Chris Avis, TechNet Presenter
- Ben Miller, Community Program Manager for SBS
- Ken McGrath, Moderator
Moderator: Ken (Microsoft)
Welcome to today's TechNet Chat. Our topic is SBS 2000 Best Practices. Questions, comments, and suggestions are welcome.
I'll now have the hosts introduce themselves.
Host: Chris (Microsoft)
My name is Chris Avis. I worked in the SBS Support team at Microsoft for 5 years including work on the beta for SBS 2000. I am currently a TechNet presenter for the SoCal/SouthWest and Mountain Districts in the United States. http://www.technetbriefings.
Host: Ben (Microsoft)
My name is Ben Miller. I am a Program Manager in Online Communities and I am also an MVP Lead for ASP.NET, etc.
Moderator: Ken (Microsoft)
And I'm Ken McGrath, TechNet/MSDN Web and Communities Producer.
Moderator: Ken (Microsoft)
We're ready to start taking your questions.
Host: Chris (Microsoft)
Q: What are probably the biggest issues seen in product support for SBS?
A: The most common issues usually revolve around network setup. These can almost always be resolved by running the SBS Internet Connection Wizard on the Server. Start > Run > ICW.EXE runs it.
Host: Chris (Microsoft)
Q: How do you determine what SPs / Updates have been installed for the various components of SBS (ISA, Exchange, etc.)?
A: The absolute best utility to run for SPs and Hotfixes is the Microsoft Baseline Security Analyzer (MBSA). The utility identifies missing hotfixes for all of the SBS applications except for ISA, which is still manual. You can get the MBSA at this location -- http://support.microsoft.com/default.aspx?scid=kb;en-us;320454
Host: Chris (Microsoft)
Q: Is there documentation on re-installing SBS ISA?
A: The only supported method of removing and reinstalling ISA on SBS 2000 is using the integrated SBS installer. Drop CD#1 in the drive and run through setup. At the Application selection screen you would change the ISA components to Remove, let the process complete (then I suggest a reboot), then repeat, changing to Install for the ISA components.
Host: Chris (Microsoft)
Q: I will be setting up a new Dell SBS 2000 server soon. I have been told that MS will refer all questions back to Dell on tech setup issues. Is that right?
A: Any software that is loaded at the OEM is usually supported by the OEM first. Microsoft will ALWAYS support OUR software on OEM products; however, it is usually as paid support. In short, we will support SBS loaded by Dell, HP, Compaq, etc., but only as paid support.
Host: Chris (Microsoft)
Q: How are permissions set for Small Business Power Users? Is there a security group that can be added as local administrators on workstations?
A: You can add any Domain based security group to the local groups of a NT/2000/XP/2003 Workstation that you like. The permissions set for the SBS Power Users can be viewed in ADU&C.
Moderator: Ken (Microsoft)
Q: Is there an archive of these chats somewhere (so I can download and search)? It's a great resource.
A: You'll be able to find the transcript of this chat soon on the TechNet Web site at http://www.microsoft.com/technet/community/chats/trans/default.mspx
Host: Chris (Microsoft)
Q: In general, if someone screwed up an install, can the CD-ROM be put back in the server and the install "refreshed" to properly reinstall the "bits"?
A: Depends on what screwed up is. If it is at the Core O/S level, no. If it is one of the BackOffice applications then you can insert the CDs, run through the SBS Installer and it will refresh those applications. Core O/S would be reinstall, restore from Tape, or authoritative AD restore.
Host: Chris (Microsoft)
Q: Can you use exmerge to migrate from Exchange 5.5 running on NT in its own domain? Because you can't join domains in a trust.
A: It is not dependent on Domain Names. The utility can be used to migrate mail from Domain X to Domain Y with no trusts established.
Host: Chris (Microsoft)
Q: Can you point me to directions to set up a terminal services server in my SBS network?
A: This is the best place to start for this one -- http://support.microsoft.com/default.aspx?scid=kb;en-us;282009
Host: Chris (Microsoft)
Q: I have a 2 server setup (1 NT, 1 W2K). This is a native mode network with the W2K server obviously the PDC. I'm needing to convert the NT box to SBS2000. What's the best route to take?
A: SBS 2000 will install over the top of an existing Windows server. However, SBS 2000 MUST be root of the forest in a new domain. It will not integrate into an existing Domain structure.
Host: Chris (Microsoft)
Q: Does MBSA scan for ISA updates? (Not per the list I just viewed)
A: At this time MBSA does NOT scan ISA for information.
Host: Chris (Microsoft)
Q: How does one set up ISA so that all outgoing traffic is allowed - all protocols, ports, etc. - whilst maintaining incoming security? I just want my SBS to pass all outgoing traffic straight through.
A: By default, ISA allows all traffic in and out for CLIENT machines who have the ISA Firewall client loaded. The client must initiate communications then ISA opens dynamic ports for clients. Traffic is only blocked specifically for the SBS Server NIC. To allow traffic in/out from the Server itself requires configuring packet filters.
Host: Chris (Microsoft)
Q: Follow-up: So once I install SBS2000 over the NT Box, is there a way to migrate my AD settings from the W2K DC over to the newly installed SBS?
A: The simplest migration would actually be to load SBS 2000 on top of the existing Windows 2000 Server. The install would retain all of the AD Settings. However, if you must install to the NT4 machines, you can use the Active Directory Migration tool to move settings to the new AD structure.
Host: Chris (Microsoft)
Q: To clean up my question...Can you point me to directions to set up a separate terminal services server in my SBS network?
A: Setting up a separate Terminal Server in an SBS 2000 Network is no different from doing the same in a Windows 2000 Domain.
Host: Chris (Microsoft)
Q: Follow-up: My Power Users are added to several groups, like BO Folder Operators and Account Ops. Should there be a Power Users security group, or must I create it manually? Also, how can I toggle whether those users have interactive logon on server?
A: POWER USERS is a LOCAL group which only exists on machines that are NOT domain controllers. So there is no way to set them to interactive logon. You would need to create a new group on the DC and add users to it, then grant the right to log on locally.
Host: Chris (Microsoft)
Q: Are there special rules in ISA to publish external web sites by ISA? I have FTP allowed both directions, but clients can't connect to a remote server.
A: ISA does include a Web Publishing Wizard. It does not have any impact on FTP sites though. To access an external FTP site, the client machines MUST have the ISA Firewall client installed and active.
Host: Chris (Microsoft)
Q: I recently cannot enter secure websites like my online banking. I have tried restoring my computer, but it won't let me. Any suggestions?
A: I have had this same issue. It had to do with Cookies being disabled on my client. So I had to allow cookies for the banking site. Check that before tweaking ISA or anything else on the SBS Server.
Host: Chris (Microsoft)
Q: Follow-up: Where is the AD Migration Tool found?
A: http://www.microsoft.com/downloads/details.aspx?FamilyID=788975b1-5849-4707-9817-8c9773c25c6c&DisplayLang=en
Host: Chris (Microsoft)
Q: Follow-up: The domain users created with the SB Power User template DO have interactive logon on the server, which surprised me. How can I turn this off while allowing them access by TS?
A: You will not be able to do them both. If a user has the Logon Locally right (which is required for TS Access) then they will be able to sit at the DC and log on. If you would like to email me later I can research this to see if this can be blocked.
Host: Chris (Microsoft)
Q: Follow-up: The AD Migration Tool will work from W2K to SBS as well as NT4 to SBS?
A: Yes.
Host: Chris (Microsoft)
Q: Follow-up: I have the firewall client running on the PC, and ftp enabled both ways. Any ideas what else to check?
A: You should not have to enable anything at all for Client FTP access. However, if you have a specific packet filter that blocks TCP ports 20 and/or 21, that will block connectivity. You can find out if it is a packet filter by disabling packet filtering and attempting again from the client. If it connects with packet filtering disabled then you have a bad filter.
Host: Chris (Microsoft)
Q: Follow-up: Would I install the AD Migration tool on the NT Box (converted to SBS) or the current W2K box?
A: The site link I provided gives all the details on how to run the tool. However, you would load it on the Windows 2000 machines in your case. DesertSBS - Was OE installed to the SBS Server or to a client?
Host: Chris (Microsoft)
Q: After outlook is installed, I try to start outlook and get the following message. MAPI was unable to load the information service PSTPRX.dll How do I correct this?
A: http://support.microsoft.com/default.aspx?scid=kb;en-us;293058
Host: Chris (Microsoft)
Q: Are there any problems with having "net time \\server /set /yes" in the login script for XP Pro clients?
A: No, there is no issue with this. However, I would suggest using DHCP to send the IP address of a valid time server or even the SBS Server's own IP address so the clients stay in synch with the SBS Server.
Host: Chris (Microsoft)
Q: I have a Network Laser Printer with the IP 192.168.1.2. How do I get SBS to allow it to connect to the network?
A: Follow-up - is the IP above in the same IP subnet as the SBS Server?
Host: Chris (Microsoft)
Q: On a new install we keep getting the event "This machine is a PDC of the domain at the root of the forest. Configure to sync from External time source using the net command 'net time /setsntp:<servername>'". We have set this to time.nist.gov and...
A: You should test to make sure the packet filter is correct by attempting to telnet from the SBS Server to the time server IP and port in question. If you can, then the filter is correct and the issue should not be there. If you cannot telnet, then the filter is incorrect and must be adjusted. Unfortunately this issue would likely require PSS to resolve as we are out of time.
Moderator: Ken (Microsoft)
Thanks for joining us today and thanks for the questions. It's time for us to go now.
For further information on this topic please visit the following:
Newsgroups: http://www.microsoft.com/smallbusiness/community/newsgroups/dgbrowser/default.mspx
SBS Transcripts: Read the archive
Website: Visit the SBS site.