The Great SBS Wizard Challenge


A few months ago, I posed the following question on Experts-Exchange:

 
I’ve now been posting here on EE for about three years.  Most of that time was spent in the Small Business Server Zone (née Topic Area).  There have been a number of recurring themes in the few thousand questions I’ve participated in during that time, but none that causes more controversy than whether the SBS Wizards should be used, or if you can configure an SBS without them.

I’ve always taken the stand that in order to properly configure an SBS you must use all the wizards, and I guess this has often been interpreted as "you cannot properly configure an SBS unless you use all the wizards".  But since the wizards are really just advanced scripting tools, you could obviously make all of the same settings or even different ones manually.

So, the question I now pose to all who care to respond is:  Why?

Why would you want to manually make these settings when there is a tool that will do it for you in a fraction of the time?  On this point, I believe there is no debate on whether or not working with the wizards will take less time if one were to make ALL of the same settings manually.  The issues seem to be that either the wizards do things that you don’t want them to do, or that you have special circumstances which seem to conflict with the way the wizards configure things.  So, to clarify the question, I will ask, "What situations have you found that they prevent you from implementing a customized solution?"  or "What situations have you found that the wizards do something you don’t want them to do and your only option is to not run them (ie, the wizard makes 10 settings and you like 7 of them but don’t like 3)?"

Your answer should have a concrete example of a situation as well as an explanation of how the wizard causes the problem.

Of course if you disagree with my time premise, (that making the exact same settings manually would take longer), I’d be interested in hearing about that as well.

I would have posted this in the Experts Lounge area, but since it’s focused on SBS only and many of you don’t even go to the Experts Lounge, it makes more sense here.

Thanks in advance for your comments.

Jeff
TechSoEasy

 

The crux of the question was this: 

"What situations have you found that they prevent you from implementing a customized solution?" or "What situations have you found that the wizards do something you don’t want them to do and your only option is to not run them (ie, the wizard makes 10 settings and you like 7 of them but don’t like 3)?"

Since nobody actually answered the question I decided to give feedback to a few notable comments:

"the last month and a half have read all over this site that terrible things
are going to happen at some point in the future because i didn’t use the
wizards. So far nothing has happened to my own server or any of the half dozen
or so that i have worked on."

          I think you’re looking at this from the wrong end of the equation.  I don’t
          think anyone said that terrible things are going to happen if you don’t use the
          wizards.  The basic question I posed above is that given that it takes a
          significant amount of time to manually configure things compared to the wizards,
          why would you do something that takes so much longer?  And while I don’t want to
          suggest that you are guilty of this, I am aware of a number of consultants who
          charge by the hour — so if they are doing things manually, they are ultimately
          being unethical towards their clients.

          But it’s actually more than just how much is being billed out to a client.
          Consider that there are some features of SBS which you may not be aware of which
          could save your clients significant amounts of time and money if they took
          advantage of these benefits which are part of SBS natively.  Most of the
          features are installed and configured automatically when the wizards are used…
          but when the wizards aren’t used, the features go unused.  The priorities of
          what features are important are different for every client, but if they aren’t
          even aware of what some of them are, such as centralized fax, Exchange deleted
          item recovery, Volume Shadow Snapshot file recovery, Intelligent Message Filter
          for reducing SPAM, Document libraries that are easier to manage, automatic
          backup of My Documents folders, remote access to their office desktops, full
          synchronization with their windows mobile smartphone or PDA, daily, easy to
          understand monitoring reports to let them know the health of their system so
          they don’t worry as much… All of these things (among others) are installed and
          configured automatically through just the wizards listed in the To-Do list of
          the Server Management Console.

          You may know what you want done… but you’ve admitted to not having any
          experience in the Small Business realm… perhaps you should find out what Small
          Business owners want?  (and you can’t just ask them… because they don’t know
          the answers to the "direct" questions about technology… instead you have to
          keep abreast of the multitude of studies and surveys which interpret the views
          of small business: http://snipr.com/1qrn2 (then ignore at least half of those
          and make up your own predictions… but make sure that whatever you do, you
          aren’t using your "enterprise network" mentality because that is never in step
          with what small business owners want).

"I think I spend more time troubleshooting errors from what the wizard did to my
users and computers than I would spend if I didn’t run them and did it all
manually. Example: trying to figure out why I can’t reset the power management
scheme on all the computers so they don’t go to sleep… I still haven’t
completely figured that out yet."

          I will cover this a bit more down below… but suffice it to say that if you are
          troubleshooting errors from the wizards, you haven’t learned how to properly
          install and configure an SBS.  While I sometimes run into errors when running
          the wizards, they are easily found and corrected.  Usually it’s something that I
          just forgot to do, like plug in an ethernet cable, and if I didn’t have the
          wizard to remind me, it might have been missed overall and caused a need for even
          greater troubleshooting.
          As for the power management on workstations?  It can’t be managed by group
          policy on Windows XP… it has nothing to do with SBS at all.  But you can
          download a third party tool called EZ GPO to help you with this:
          http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo

          Vista does support power management through group policy… and there is also a nice
          Wake-on-LAN plugin for Remote Web Workplace for XP Machines.  You can read about
          both of those things here:
          http://sbs.seandaniel.com/2007/03/interesting-in-conserving-little-power.html

"Single NIC installations where I have an upstream proxy/firewall cause problems
in themselves.  You need to really bypass CEICW and ignore the nags about not
being complete – not clean IMHO.  I have it running in my lab on a VM and it
works fine, but I continue to get nagged about running this wizard even though
there is no option for my configuration."

          What do you mean there is no option for your configuration???  Single NIC with a
          FIREWALL is absolutely supported and documented.  Even if it’s a PROXY (because
          you would set all local traffic to bypass the proxy). You most definitely do not
          have to bypass the CEICW, nor should you. See configuration option number 5 or 6
          at http://sbsurl.com/msicw.  I’ve deployed MANY SBS networks with this
          configuration… primarily using SonicWall Firewalls.

"1.  DHCP…It sets the scope range to be your ENTIRE subnet (i.e.
192.168.1.1-255) then puts in exclusions.  This is quite possibly the worst way
of doing a DHCP scope."

          Why would that be the worst way of doing a DHCP scope?  A default installation
          of SBS would create a scope range of 192.168.16.1-254, then exclude
          192.168.16.1-10 and when you then run the Remote Access Configuration Wizard,
          it will grab 192.168.16.11-19 for RRAS connections.  I will often go back and
          then exclude 192.168.16.200-254 to use for printers and other such devices, but
          perhaps you can explain what a better method would be?

"2.  Firewall GPO…I always have to go back and disable the firewall on all
machines because the Wizard creates this Firewall GPO.  This especially becomes
annoying when installing a server based AV system that pushes out installs over
WMI (which needs the Firewall disabled)."

          If you have to go back and disable the firewall on all machines, then you aren’t
          really allowing SBS to manage the network centrally.  I’ve run many programs
          that use WMI to push out a client program and the only time I’ve ever seen a
          problem is when I came into a network that the workstations weren’t joined using
          the ConnectComputer wizard.  If you are not joining the workstations to the
          domain using http://<servername>/connectcomputer, then the permissions may not
          be getting set correctly to allow access via WMI.  Then, that problem is being
          compensated for by disabling the Windows Firewall which unnecessarily weakens
          the security of the network.

          ** I would note that there is a small issue with the WMI Provider when joining a
          Vista Client to an SBS Domain, but that’s been fully covered by this KB article
          & Patch: http://support.microsoft.com/kb/926505

"I agree with Netman, they need to have a Standard and an Advanced mode for
their wizards, and have it ask you at the beginning of the install which method
you want.  This way people like me could better control the Wizards functions
(I.E. tell it the CORRECT DHCP Scope options)"

          In my opinion, if you are a more advanced user you should understand that
          because there are so many different things running concurrently in SBS, it is
          even more important to make sure that all these parts are carefully synchronized
          so you don’t spend hours upon hours troubleshooting some problem that could have
          been avoided if you used the wizard to simultaneously configure all the parts.
          The additional benefit is that you can be much more confident that making a
          small modification to one part of the network won’t create a conflict with
          another.

          Let’s say, for instance, that you needed to change the server’s local IP address
          so that it doesn’t conflict with a new VOIP system (this has happened to me a
          couple of times — some of those VOIP folks like their IP addresses to be set
          their way and I didn’t really want or need to argue with them).  Normally, on a
          stand-alone network that had all that SBS is running you’d have to change
          settings in at least eight different places (including rewriting dozens of ISA
          rules) and then hope you got them all while you watched the event logs for
          errors and ran diags.  With SBS, it’s as simple as running the Change Server IP
          Address Wizard which will take care of everything.
          (See http://techsoeasy.spaces.live.com/blog/cns!AB2725BC5698FCB8!303.entry for
          details).

          Basically a task that could otherwise take half a day is accomplished in 5
          minutes.

"I would say use the wizards simply because it has then been done ‘by the book’
and so is easier for the next person to maintain because it has MS standard
settings rather than your customisation."

          andyalder, who I think stumbled upon this thread by accident, has provided the
          most brilliant answer of all (http:#19618127 — which leew and red were quick to
          recognize).
          This whole notion of "not trusting Microsoft" (leew you are such a flip-flopper on
          this) is really hogwash.  You don’t have to trust Microsoft or anyone when you
          use the wizards.  I’ve already demonstrated that they are wholly
          transparent…you just need to read what’s on your screen to see that.  And the
          wizards along with SBS’s default configuration were not just "decided upon" by
          some Microsoft project manager.  The process was guided by the input from the
          entire SBS development team, over 50 SBS MVP’s, hundreds of beta testers and now
          tens of thousands of successful implementations are proving that it works in
          most every instance.  I know for sure that even though I’ve installed and
          configured over 100 SBS networks to date, that I certainly believe that I know
          better than all these folks.  I absolutely know enough at this point to question
          the process though… and I do that regularly.  However, the vast majority
          of my career life has not been spent in IT Consulting; like most of my
          clients I was running a small business, so my perspective remains from the view
          of the business owner who doesn’t spend $10,000 or $15,000 very often and wants
          to make sure that he gets the BEST possible value for the money… not just
          today, but for the life of the asset.

          One small business I was involved with for over 10 years was my family’s fine
          dining restaurant in Arizona.  We had a rich history that spanned over 50 years
          with three generations of family involvement.  During my time there, the
          restaurant earned the Mobil Travel Guide Five-Star Award and the AAA
          Five-Diamond Award for many consecutive years.  Usually, when you think of
          Five-Star Restaurants, you think of a charismatic chef who produces masterful
          creations and is perhaps the "star" of the establishment.  But our family had a
          philosophy that if a single person created recipes that only a select few could
          produce, we would just be another one of those popular places that disappears
          after a few months or a couple of years.  Instead, because we had a recipe book
          that was managed by my Aunt in consultation with the chef, Maitre d’, and the
          rest of the management team, which could be produced consistently to high
          standards by any number of our kitchen staff, our restaurant maintained the
          position of being the highest rated restaurant in Arizona for almost 40 years.
          Although it is no longer there today (due to urban development), it is still
          thought of as "the best that ever was".

          I tell that story because I think it says a lot about my commitment to
          consistency, which most of you feel probably doesn’t exist in the IT world. I can
          tell you that the food world is no different… maintaining a level of unfailing
          quality that your customers can count on requires keeping your efforts well
          rooted in the foundation of what’s proven to work so that you can build upon
          success.  Then, when you take a chance or two with something new and different
          (SharePoint Services, or a CRM implementation), your customers will be right
          there with you instead of second guessing every suggestion you make.
          Furthermore, I’d point out that while I don’t quite understand the context that
          ChiefIT’s comment "Anyone who says they know everything there is to know about
          computers, is just lying" was aimed towards, I can’t help but think that anyone
          who chooses to ignore the wizards falls into the category of those who think they
          know everything.

"I like hearing advice from folks who are more knowledgeable than I am with
computers while looking at the grass roots of the system. I learn better and
quicker that way."

          Of course every project we undertake is ultimately a learning experience,
          but learning is not the primary objective when deploying a Server and complete
          network infrastructure for a paying client.  That’s something you need to do on
          your own time with your own test installations.  When you do that, you will find
          that the wizards don’t hide anything.  Everything is spelled out VERY CLEARLY on
          both the first page (which tells you what it’s going to do) and the last page
          which provides you the EXACT details of what it’s doing.  If you like, you can
          print out that last page, quit the wizard and then make the entries manually if
          that helps you understand it better.  But when deploying an SBS for a paying
          client who expects the product to deliver everything it claims, the server
          should be installed and configured in the quickest method possible to provide
          all features that will benefit the organization including its low, long-term
          management costs.

Let me also add…
Every time a wizard is run, a complete log of its actions is created in
C:\Program Files\Microsoft Windows Small Business Server\Support
I highly recommend that you poke around in the C:\Program Files\Microsoft Windows Small Business Server
directory to see what else is there.  In doing so, you’ll find that every time the CEICW is run
it creates both a full outline of what it’s doing, plus it creates a .vbs file of its settings
in case you need to revert back to a previous setting.  (You’ll find that in
C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW)
I welcome any comments or feedback.

 

It seems though, as though nobody could rise to the challenge.  RTFW!

The Planet now is offering Hosted Small Business Server

The Planet has now started offering Hosted Small Business Server — they’ve published the white paper linked below which presents a rather compelling financial argument if you believe their numbers.  Unfortunately, I don’t.  It’s not that I don’t think there is a place for hosted SBS, or that it’s not a value… I just don’t like made-up financial pro-formas that seem to ignore important facts.  I’ll be writing more about this later.
 

The Change IP Address Tool

Changing the IP address on your SBS is much more than just changing the IP address of the Local Area Network Interface. There are at least EIGHT areas that must be modified and some of those require multiple changes. Luckily, SBS has the Change IP Address Tool! Many enterprise network administrators wish they had this on their servers. Here’s what it does (as quoted from Microsoft’s SBS Training Guide):

Configuration Actions

Once the user specifies a new IP address by running the Change IP Address Wizard and clicking "OK," the wizard will perform a series of actions to configure the server and appropriate services to use the new IP address.

Note: The tool will need to be able to detect whether the ISA, DHCP, and WINS services are enabled; if any of them are not, then the Wizard will not perform the configuration actions for those services.

Network Card

The tool will modify the IP address of the local network card to the new IP address and set the subnet mask appropriately. The Default Gateway of the internal network card will not be changed, so if there was a Default Gateway defined, it will still be defined after running the tool. If the Default Gateway is blank, (as it should be in most cases), then it will stay blank. In addition, the DNS and WINS server entries for the server will be changed to point back to the server itself. Therefore, on the external network adapter, the DNS settings will be configured to point to the internal network adapter.

DHCP Service

If the new IP address is in the same scope of the old IP address, the tool will simply add a new exclusion to the DHCP scope for the new server IP address. It will also set the following DHCP Scope Options. The tool will check the 003 Router option of the DHCP service, and if the router option is not set to the SBS server itself, it will not modify this option. Otherwise, it will reset the 003 Router option to match the new IP address of the SBS server.

If the new IP address is in a different scope from the old IP address, the tool will create a new scope based off of the new IP address, and follow the same configuration tasks that Server Setup performs.

DNS Service

The tool will update the DNS listeners by adding the new IP address to the list of IP addresses to listen to. It will also delete the reverse lookup zone if the zone no longer matches the new IP address, and create a new reverse lookup zone.

ISA/RRAS

If ISA is installed, the tool will need to construct a new LAT based upon the new IP address, and the outgoing Web requests configuration of ISA to remove the old IP address and add a listener for the new IP address.

If the server has been configured for a dial-up connection, the tool will modify the client address set created by ICW to change the IP address to the new private IP address of the SBS server.

If ISA is not installed, then the tool will check to see if RRAS is being used for firewall. If it is, the tool will update the IP address for inbound filters on the external network card.

Exchange

If Exchange is installed, and relay restrictions are defined for the SMTP service, the tool will delete the current relay restrictions, and add in a new set using the new IP address and subnet mask defined.

WINS

After making all changes, restart the WINS service to make sure changes are picked up.

Client Setup

The tool will update the server.txt file that is in the directory %system root%\Inetpub\ConnectComputer. It will need to modify the value for the server IP address to the new IP address of the server.

IIS

The tool will check the IIS permissions on the Default Web Site and its directories. For any directories that have had specific IP permissions set, the tool will modify those permissions to match the new local IP range.

If ISA is running on the server, the tool will run SBSIISConfig to configure IIS appropriately.

Logging

When the Change IP Address Tool is run, the tool will maintain a log of actions that it performs. This log file is kept in the directory %sbsprogramdir%\support. The file will be called changeiplog.txt. If the file does not already exist then the tool will create it. If the file does already exist, the tool will not overwrite the file but will instead append the new content to the end of the current file.

At the start of each run, the tool will log:

• Date/time of this run.

• Username of the user running the tool.

• Old IP address and subnet mask.

• New IP address and subnet mask.

• For each action performed by the tool, a success or failure message.

• If a failure occurs, log the error information provided by the service being configured.

• Any additional debugging information required.
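As an added example (not Microsoft’s code or the tool’s actual implementation), the following Python models the decision rules quoted above for the network card, DHCP, DNS, ISA, Exchange and WINS steps, and produces a run record in the append-only shape the Logging section lists. All function and parameter names are assumptions; the log is returned as text rather than written to %sbsprogramdir%\support\changeiplog.txt.

```python
import ipaddress
from datetime import datetime


def reverse_zone(network_cidr):
    """Name of the in-addr.arpa zone for an octet-aligned network, e.g.
    '192.168.16.0/24' -> '16.168.192.in-addr.arpa'."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]          # /24 keeps 3 octets, /16 keeps 2
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def plan_change_ip(old_ip, new_ip, mask, scope_cidr, router_option, services):
    """Return the ordered list of configuration actions the guide describes.
    `services` holds the names of services detected as enabled (DHCP, WINS,
    ISA, Exchange); steps for absent services are skipped, as the guide's
    note says.  `router_option` is the current DHCP 003 Router value."""
    old = ipaddress.ip_interface(f"{old_ip}/{mask}")
    new = ipaddress.ip_interface(f"{new_ip}/{mask}")
    scope = ipaddress.ip_network(scope_cidr, strict=False)
    actions = []

    # Network card: LAN adapter gets the new address; DNS and WINS point at itself.
    actions.append(f"NIC: set {new.ip}/{new.netmask}, DNS and WINS -> {new.ip}")

    # DHCP: same scope -> exclusion only; different scope -> a brand new scope.
    if "DHCP" in services:
        if new.ip in scope:
            actions.append(f"DHCP: add exclusion {new.ip} to scope {scope}")
            if router_option == str(old.ip):
                # 003 Router pointed at the server itself, so it follows the move.
                actions.append(f"DHCP: set 003 Router to {new.ip}")
            else:
                actions.append(f"DHCP: 003 Router {router_option} left unchanged")
        else:
            actions.append(f"DHCP: create new scope for {new.network}")

    # DNS: listener list grows; reverse zone is replaced only if it no longer fits.
    actions.append(f"DNS: add {new.ip} to listener addresses")
    if old.network != new.network:
        actions.append(f"DNS: delete {reverse_zone(str(old.network))}, "
                       f"create {reverse_zone(str(new.network))}")

    if "ISA" in services:
        actions.append(f"ISA: rebuild LAT for {new.network}, web listener -> {new.ip}")
    if "Exchange" in services:
        actions.append(f"Exchange: replace SMTP relay restrictions with {new.network}")
    if "WINS" in services:
        actions.append("WINS: restart service")
    return actions


def append_log(existing_log, user, old_ip, new_ip, mask, results, when=None):
    """Return existing_log with one run appended (never overwritten), with the
    fields the guide lists for changeiplog.txt.  `results` is a list of
    (action, succeeded, error_text) tuples, one per action performed."""
    when = when or datetime.now()
    lines = [f"=== Run {when:%Y-%m-%d %H:%M:%S} by {user}",
             f"Old: {old_ip} mask {mask}",
             f"New: {new_ip} mask {mask}"]
    for action, ok, err in results:
        status = "SUCCESS" if ok else "FAILURE"
        lines.append(f"{status}: {action}" + (f" [{err}]" if err else ""))
    return existing_log + "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: move the server within the default 192.168.16.0/24 scope.
    plan = plan_change_ip("192.168.16.2", "192.168.16.5", "255.255.255.0",
                          "192.168.16.0/24", "192.168.16.2", {"DHCP", "WINS"})
    print(append_log("", "SBSADMIN", "192.168.16.2", "192.168.16.5",
                     "255.255.255.0", [(a, True, "") for a in plan]))
```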

How to properly rejoin a client workstation to an SBS 2003 Domain


I can’t tell you how many times I’ve posted these steps in my answers to questions received on Experts-Exchange.com.  But more often than not, someone is trying to use one of the nifty SBS features and can’t get it going because they never joined their workstations to the domain using the Connectcomputer wizard.

You can find a list of all the things that Connectcomputer does over on Susan Bradley’s Blog.  But what do you do if you didn’t originally use this wizard to add the clients to the domain?  It’s not as simple as just unjoining the domain and rejoining it with the wizard because of all the places that need to be touched and all the features that need to be configured.

So, after many revisions, here are the current steps that must be taken at each workstation:

At the client machine:

  • Log in with THAT machine’s LOCAL administrator account.
  • Unjoin the domain into a WORKGROUP
  • Change the name of the computer (this is not an option, you must use a name that is unique and hasn’t been used before on your SBS)
  • Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients
  • Delete the following Registry Key entirely: HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer (if it exists)
  • Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
  • Reboot

Then on the server, from the Server Management Console:

  • Remove the client computer if it still shows in the Client Computer screen on the Server Management Console
  • Add the client with its NEW name using the Setup Client Computers wizard.  When it finishes you will get a warning telling you how to finish the installation:

(screenshot: finish)

Then, go back to the client machine, log back in with the local Administrator account.

  • If there is more than one network interface, make sure that the only one that’s enabled is the one connected to the SBS.
  • Open IE and enter http://<servername>/connectcomputer in the address bar
  • Supply the domain Administrator credentials when requested and assign appropriate user to the machine.  This will make sure that the user that was already assigned to the machine retains their profile.   The following screens are self explanatory:

(screenshots: accountinfo, assign, select, complete)

  • After the machine reboots the second time, log in with the assigned user’s credentials to complete the process.

Once complete you will be able to enjoy all the client functionality that SBS promises and helps to make your users more productive.

If you have any problems with the user’s settings not being the same, please see this article on how to restore their original profile:

Migrate Profiles on Small Business Server Networks

 

Use the Correct Windows Small Business Server Template

This comes from Microsoft’s document on how to secure your SBS network which I thought was a good example of how SBS makes it easier to deploy and manage a small business network. Take note that all templates allow users to connect remotely — which comes from Microsoft’s philosophy of empowerment.

 

Windows SBS 2003 comes with predefined templates that are designed to give users only the level of access they need. For example, user accounts that are based on the User template do not have remote access to the local network by using a VPN connection, but user accounts based on the Mobile User template do have this access. The four templates are as follows:

Template Names and Descriptions

User: Accounts based on this template have access to shared folders, printers and faxes, e-mail, and the Internet. Accounts assigned this template can access the local network from a remote location by using Remote Web Workplace. Additionally, user accounts assigned with this template can open a Remote Desktop Connection to a computer that is running Windows XP Professional but not to a computer that is running Windows SBS 2003.

Mobile User: Accounts based on this template have all the permissions of the User template and can also access the local network from a remote location using Remote Web Workplace or a remote access connection.

Power User: Accounts based on this template have all the permissions of the Mobile User template and can also perform delegated management tasks. A Power User can log on remotely, but not locally, to a computer that is running Windows SBS 2003.

Administrator: Accounts based on this template have unrestricted system access to the Windows SBS network.

 

Imposing Parental Controls on your Employees

Of the thousands of questions I’ve answered at Experts-Exchange, plenty have been seeking a way to solve the symptom of a much larger problem.  It’s quite easy to tell if the question was asked by someone who has a vested interest in the success of the business, or is merely concerned about solving the problem of the moment, by the way they react to my response.  (Which will always focus on the larger problem rather than providing a quick fix).

Sometimes the larger problem is technical, such as those caused by trying to use Windows XP Home workstations in an Active Directory domain.  There are certainly a lot of work-arounds, but if they can’t understand that IT is an investment (see my previous post about this) then I wonder why they installed an SBS to begin with.  There are other questions where the network administrator or IT consultant is asked to provide a solution for something when the larger problem has nothing to do with technology, but rather it’s caused by management (mismanagement, actually).

In the past few days, I have seen no less than 8 questions on Experts-Exchange seeking an answer of how to block or restrict user access to the Internet.  Here are a few examples (with original spelling/grammar):

What is the best way to restrict user access to the internet while ensuring that windows updates and antivirus defintions are being received.  All users and Power Users on their XP Machines

I am trying to deny internet access to certain users. I have looked up solutions on this web site and followed them. I create a GPO then stop the users from running iexplore.exe. No matter what a change the users are still able to access the internet

I want to block all Internet Explorer traffic on user’s PCs in my office. I want to make an exception on 3 paticular websites though.  I’m using Windows Server 2003 SBS.  Any ideas?

If you search for similar types of questions asked in the past, you’ll find thousands of requests.  This is one that I found particularly amusing:

ive got 4 people who are misusing the internet at work, and so i need to block their computers from accessing any websites at all, if possible to block their usernames also, so that no matter what comp they log into they cannot access the net.  ive been thinking if it is possible to do so with the lmhosts files on each computer?

ok so not only do i need to revoke all internet access i need it so that if they do try and access the net, they get directed to a file on their computers that i will emplace which will send a report to someone.

cheers for any light you can spread! 🙂

When I see these questions, I am often compelled to respond with something like this:

Instead of blocking Internet access, why not get a few 42″ display monitors and hang them in visible locations.  Then, use a remote control session to display employee activity for everyone to see.  That sure would stop Bob from viewing wildbabes.com or make it difficult for Susie to order a new pair of shoes from supershoedeals.com!  Because public humiliation in the workplace is much quicker than waiting for the HR director to get the report of attempted Internet use.

The fact is that the “computer activity monitoring” software industry, which was originally a hacker’s favorite tool and then became a legitimate tool when marketed to parents who needed to keep tabs on their 12-year-old’s activities, is now being offered as a “valuable” management tool.  Making such promises as allowing you to “efficiently spy on your employees from your own desk”.  Below is a screen shot of the control panel from a program called StaffCop, which I’m sure was named by someone who has absolutely no concept of employee morale — (I think it’s made in Russia):


All of this reminds me of a wonderful story about an emperor who procured the most luxurious suit of invisible cloth.  Why do all of these managers think that the appropriate way to have someone do their work is to prevent them from doing something else?  When will that small child point out to them that the problem isn’t the Internet, but their own lack of management skills?  Not only are they unable to provide these employees with clear expectations and attainable goals, they somehow think that Internet access will prevent them from doing their work.

The irony, of course, is that the questions themselves are being asked on the very Internet which these folks are seeking to block for others.  Apparently, these other employees know everything there is to know about doing their job correctly and efficiently, and never need to come up with new and innovative ideas which may improve their results.

I couldn’t imagine using Microsoft Office without things like Office Online help


or the myriad of templates provided by Office Online.  These tools not only make my work look better, they have saved me countless hours of being frustrated with creating a document from scratch.


Then, if I can’t find what I’m looking for, there are always the discussion groups.


But, remember, if you block them from all of that… then they’ll also be blocked from this

(screenshot)

So, wake up people!  Take the time to sit with your employees and ensure that they have the proper tools, training and support to do their jobs well.  Provide them with clear expectations and attainable, measurable goals which are regularly reviewed (which used to mean annually, and now means either monthly or even weekly).  Most of all, give them respect.  If they respond well, you’ll both be rewarded.  If they don’t, then you’ll be glad you stopped treating them like children because you can’t fire your kids.