How to respond to negative feedback online

From restaurants to sports equipment vendors, no business is immune from negative feedback online. With more and more people spending hours on the Internet every day, customers are quick to voice their opinions about businesses. And their comments aren’t always positive. You might wonder how do you respond when you receive a negative review from […]

4 benefits of online scheduling

As healthcare practices across the nation continue to find out, patients place ever-diminishing levels of importance on care alone. While it is and will forever be a factor that influences a person’s decision, convenience has become another key area patients look at when choosing a healthcare facility. Online scheduling, in particular, has become something more […]

Things to consider when buying a new computer

Purchasing a new computer can be a daunting task, especially if you’re not familiar with its components. You’ll want to make sure you make the right choice so you don’t end up buying one that becomes obsolete within just a few months. How much money should you spend? Which model is the best for you? […]

How boring brands can win on social media

As a business owner, you may think social media isn’t worth the effort. You may have dabbled in Twitter, Facebook, or LinkedIn and seen minimal (if any) results. Of course there are other businesses that do well on these platforms – like Nike or Google – you may think. But these are exciting brands! What […]

Microsoft launches Office 2016 for Mac

Mac users who have been using Office 2011 now have a reason to smile: Microsoft finally released the latest Office 2016 for Mac in September. Office 2016 is packed with powerful new features for Microsoft’s core applications, including Word, PowerPoint, Excel, and Outlook, all of which are designed to run and perform seamlessly on the […]

Best storm preparation is communication

There is nothing worse for a company and its customers than being forced to close because of inclement weather. And with winter almost upon us once again, now is a good time to make sure your business continuity plan is prepared for anything and everything mother nature is looking to throw your way. By communicating […]

How to enable relaying for external clients on SBS 2008/2011 and or Exchange 2007/2010 with different sending email address’s

I sometimes come across customers that would like to relay email through their Exchange Sever from external clients and maybe use a different sending address.  Here is how I configure this. First, we will create a new receive connector via the Exchange Powershell. To do so, open up the Exchange Management Shell (powershell) Once this loads, use the following command New-ReceiveConnector -Name ‘ExternalRelay’ -Usage ‘Client’ -RemoteIPRanges ’′ -Server ‘SERVER’ Here is an example: Now we have created the Receive Connector, and you will see this in the Exchange Management Console. Let’s check our work, even though it was only one line of text Now we can verify the network, authentication, and permission groups settings to see how a Client receive connector has been configured. If you go to the properties, you will see that it’s listening on port 587 , that it has enabled Basic authentication over TLS, and that it is only allowing Exchange Users (Authenticated Users) to connect. You will see all of this by looking at the connector in the Exchange Management Console. NOTE: Make sure that port 587 is open in your firewall or this will not work for external users Further inspection of the AD permissions on the receive connector show that authenticated users have the ms-Exch-SMTP-Accept-Any-Recipient right. This is the correct relay permission and you should never have it be owned by anonymous users. You can view and verify this by running the following powershell command: Get-ADPermission “ExternalRelay” | where {$_.ExtendedRights -match “ms-Exch-SMTP-Accept-Any-Recipient”} | fl You will see the output looking like: If it says under user “NT AUTHORITYANONYMOUS” then you have an open relay. Stop and delete the connector! Next, we need to set some additional parameters to make this work. To allow the authenticated user to be able to send email with a different address, we will use the following powershell command   Get-ReceiveConnector ExternalRelay | add-ADPermission -User “NT AUTHORITYAuthenticated Users”-ExtendedRights “ms-Exch-SMTP-Accept-Any-sender” looking like: If you are running an SBS 2008 or SBS 2011 server, this also applies: If you have successfully run the Internet Address Management Wizard from the SBS Console, then your Exchange certificate for TLS has already been installed and configured. You can verify this by running the Get-ExchangeCertificate commandlet and find the certificate with your external DNS domain name. The certificate will have IPWS listed under Services, which stands for IMAP, POP, Web and SMTP respectively.   At this point, make sure that your Client receive connector is configured with the same FQDN that is listed in the subject of your Exchange certificate. This will be displayed in the banner: Once all of this is done, you are ready to setup Outlook, Outlook Express, Windows Mail, etc. Important points here are: The client machine must trust both the Exchange certificate and the Root CA in which it was created from. A good test is to open IE on the client and browse OWA to see if you get the certificate warning(s). You must configure the mail client to connect on port 587 and to send the proper credentials for authentication. The server requires a TLS connection, you must specify this in the mail client   Some of this information in this blog was obtained from the SBS Blog team at Lyle Epstein Kortek Solutions Lyle Epstein’s Systems Engineer Blog

Cannot connect this computer to the network, Windows SBS 2011 Essentials

Today I was getting an error “an unknown error has occurred” when trying to use the SBS 2011 Essentials connector to add a computer to the console. In this particular setup, the customer was migrating from Windows 2003 to Windows SBS 2011 Essentials.   Troubleshooting First thing to check are the logs. I looked at to find the exact location of the files. When I looked at the ClientDeploy.log file, I see the error [4284] 120810.150151.4347: ClientSetup: Start of ClientDeploy [4284] 120810.150152.2147: General: Initializing…C:WindowsTempClient Deployment FilesClientDeploy.exe [4284] 120810.150152.2459: ClientSetup: Loading Wizard Data [4284] 120810.150154.0399: ClientSetup: Current DeploymentStatus=Running [4284] 120810.150205.5059: ClientSetup: Showing the Client Deployment Wizard [4284] 120810.150206.6447: ClientSetup: Adding Server Info data in the Product Registry [4284] 120810.150206.8943: ClientSetup: Set the Deployment Sync Event [4760] 120810.150219.6707: ClientSetup: Running ValidateUser Tasks at WizardPage DomainUserCred [4760] 120810.150219.7019: ClientSetup: Entering ConnectorWizardForm.RunTasks [4760] 120810.150219.7019: ClientSetup: Running Task with Id=ClientDeploy.ValidateUser [4760] 120810.150219.8267: ClientSetup: Entering ValidateUserTask.Run [4760] 120810.150219.9047: ClientSetup: Install root cert to local trusted store [4760] 120810.150219.9671: ClientSetup: Validating User [4760] 120810.150219.9671: ClientSetup: Call MachineIdentityManager.GetMachineStatus [4760] 120810.150231.2459: ClientSetup: MachineIdentityManager.GetMachineStatus had errors: ErrorCatalog:OtherError ErrorCode:-2146233087 BaseException: Microsoft.WindowsServerSolutions.Devices.Identity.MachineIdentityException: MachineIdentityManager.GetMachineStatus    at Microsoft.WindowsServerSolutions.Devices.Identity.MachineIdentityManager.GetMachineStatus(String serverName, String userName, String password, String machineName, Boolean& isAdmin)    at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.ValidateUserTask.Run(WizData data) [4760] 120810.150231.2459: ClientSetup: Exiting ValidateUserTask.Run [4760] 120810.150231.2459: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed [4760] 120810.150231.2459: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot [4760] 120810.150231.2459: ClientSetup: Exting ConnectorWizardForm.RunTasks [4284] 120810.150231.2615: ClientSetup: JoinNetwork Tasks returned TaskStatus=Failed [4284] 120810.150233.7887: ClientSetup: Back from the Client Deployment Wizard [4284] 120810.150233.8043: ClientSetup: Saving Wizard Data [4284] 120810.150233.8043: ClientSetup: End of ClientDeploy: ErrorCode=1603 So now I know the error is MachineIdentityManager.GetMachineStatus had errors: ErrorCatalog:OtherError ErrorCode:-2146233087   Let’s get to troubleshooting this issue. Per other articles and forum posts I read, it was recommended to re-run the wizard a second time. I went ahead and did that, same issue in my case. It was also suggested to run the wizard while logged in as a local admin, non domain joined and I got the same results. I noticed that when I restarted the new SBS 2011 Essentials server that it would take a very long time till I got a CTRL-ALT-DELETE login screen, basically just sitting there “applying settings”. At first I thought it was caused by my NIC being teamed, but after disabling the team I had the same results. So I can rule out teaming being my issue. I then took a look at the event logs on the client machine. I did not see any issues related. I thought it might be .NET 4, but I verified I didn’t even have it installed before I ran the wizard. Other postings indicated it could be a .NET issue. I then attempted to connect to the new server by doing https://SBS-11E:65515/connect and did not get any certificate errors. The next step was to look at the server being the issue. I logged in to my existing 2003 Domain Controller and looked at the event logs. I saw NTFRS replication was failing. So this is a problem. To fix it, I went ahead and attempted to ping the new SBS 2011 Essentials server by FQDN. This failed, so I opened up DNS.  I expanded the nodes under the AD zone, looking specifically at _msdcs stub. In that stub, I found references to my SBS 2011 Essentials sever with the wrong IP address, as well as additional entries with the correct IP. I deleted all the ones with the invalid IP address. The next step was to examine the Reverse DNS entries. In this particular customers case, no Reverse DNS was setup. I then opened a command prompt on the 2003 server and typed in NET STOP NETLOGON & NET START NETLOGON and pressed enter. The NETLOGON service restarted. I then tried to ping the SBS 2011 Essentials server by FQDN, for example ping SERVER-SBS11E.internaldomain.local which it now was able to resolve. I then re-ran the wizard, and this time it stopped me and gave me a warning that I was using my Domain Admin account. I didn’t really care in this case, and proceeded on. The wizard worked correctly and  believed I had solved the issue……… in fact, I was so happy to solve it that I updated the Microsoft Forums with my resolution. After visiting other computers in this clients office and running the wizard, I kept seeing errors in the event log about Group Policies. I thought something was still not fixed, and it might be my Active Directory being damaged. The reason I came to that conclusion was when I first did my site evaluation at this client I noticed if I edited the existing login script by going to domainnetlogon that the changes I made never seemed to actually take place when the user logged in.  I didn’t think much of it at the time, and was able to resolve my edit by going to the SYSVOL folder and finding the login batch file and editing it. I went ahead and rebooted the new SBS 2011 Essentials server to see if the startup still hung for a long time, or was now fixed since I fixed the bad DNS issues. The server hung for a long time, so that was not fixed. Going back to the workstation, I performed a GPUPDATE /FORCE. The results of that were that the workstation could not determine what domain or forest I was in. This was a serious issue that I needed to deal with. Since I thought that AD might be damaged, I did the following: On the Windows 2003 server, I saw in the Applications event viewer the following error, MS DTC could not correctly process a DC Promotion/Demotion event. The first thing for me to check was the health of Active Directory. I needed to perform a semantic database check for errors. On the SBS 2011 Essentials server, I went to the  Administrative command prompt  and typed NET STOP NTDS since this server is running Windows Server 2008, I can stop the directory services without rebooting to safe mode. For full instructions of this procedure, see Type Y to agree to stop additional services, and then press ENTER. At the command prompt, type ntdsutil, and then press ENTER. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER. At the ntdsutil: prompt, type semantic database analysis, and then press ENTER. At the semantic checker: prompt, type verbose on, and then press ENTER. At the semantic checker: prompt, type go fixup, and then press ENTER. in my case, I found no errors as I received the following: that is a great thing to have no corruption! Next, type quit, and quit to return you back to a command prompt. Now we need to start our directory services back up. at the command prompt, type NET START NTDS I opened up the event viewer on the SBS 2011 Essentials server, and looking under system, I saw an error showing “The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.”   and The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. along with The “Windows default” Policy Module “Initialize” method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted. and Active Directory Certificate Services for MCG-SBS11E-CA was started.  DC= do you see how DC= nothing above? This is caused when certificate services cannot figure out who is a domain controller. And finally, this event log error Dynamic registration or deletion of one or more DNS records associated with DNS domain ‘mcg.local.’ failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  So my issue still exists. It is not corrupted Active Directory, and still is pointing me to DNS as the bottom line. Here is how I fixed it. First, I opened up DNS on the SBS 2011 Essentials server.  I right clicked on my server and went to properties . I then selected the Forwards TAB. I noticed that the first entry, was invalid as this is my gateway, and the customer was currently using a home router which didn’t do anything for DNS related actions. My second server, being the old Windows 2003 server was listed, and my end goal once the migration was done was to turn off forwards. I went ahead and removed the server. I then went to command prompt and typed in nltest.exe /dsregdns   . I restarted the DNS service by typing NET STOP DNS & NET START DNS   followed by IPCONFIG /RegisterDNS I then decided to reboot and see if I still had my slow startup issue. After rebooting, it went right to the CTRL-ALT-DELETE screen, no more delay. I looked at the event logs and now see that my DC= is filled in with the proper information. This is a very good thing! I reran the wizard, and now I get Lyle Epstein Kortek Solutions Lyle Epstein’s Systems Engineer Blog

Group Policy folder redirection generates Error, The system call level is not correct.

Recently I was working on a client who is setup with a SBS 2008 server and workstations running Windows 7 Professional SP1. I noticed that when a particular user would login it would take upwards of 10 minutes for the welcome screen to go away and the desktop to be displayed. As part of the troubleshooting, I had the user login to a different workstation with their same credentials and we experienced the same slow login. when I looked at the event log, I saw the following error: Log Name:       Application Source:         Microsoft-Windows-Folder Redirection Date:           4/21/2012 10:57:42 PM Event ID:       502 Task Category: None Level:          Error Keywords:       User:           DOMAINfirstlast Computer:       DOMAIN-PC.DOMAIN.local Description: Failed to apply policy and redirect folder “Documents” to “SERVERRedirectedFoldersfirstlastMy Documents”. Redirection options=0×9021. The following error occurred: “Failed to copy files from “SERVERRedirectedFoldersfirstlastDocuments” to “SERVERRedirectedFoldersfirstlastMy Documents””. Error details: “The system call level is not correct. “. I did some research on this error, and came up with one valid result, which claimed that it was being caused by server quotas. As part of the trouble shooting, I turned off quota’s on the server, however I had previously checked the users properties in the SBS 2008 console and verified Folder Redirection was enabled, but the quota’s box was unchecked. I do question why the policy was attempting to take the same server and users folder and move files from the “Documents” folder to the “My Documents” folder. As I checked the GPO, it is set to move the files from the old location which is a default setting. So to take the troubleshooting a step further, I ran GPRESULT /V > C:gpresult.txt  and viewed this text file. I do not see anything out of the ordinary being applied to the computer. Now, when I check the GPO’s on server, I see a old GPO that was created and is no longer being applied. In that GPO, I see the following: As you can see from this screenshot, the disabled “Folder Redirection” GPO had the policy pointed to the SERVERRedirectedFolders%USERNAME%Documents but if we look at the Small Business Server Folder Redirection Policy which is created by the Small Business Server, it is pointed to SERVERRedirectedFolders%USERNAME%My Documents   as shown below On the Windows 7 machine, when I look at the properties of the “My Documents” folder, I see it is still pointed to the old policy’s setting, of SERVERRedirectedFolders%USERNAME%Documents as shown below: So how do we go about fixing this? Well, the best way to fix this is to edit the current GPO, Small Business Server Folder Redirection Policy. On this GPO, I changed the setting “Move the contents of Documents to the new location” to disabled by unchecking the box as shown below: Then, on the Windows 7 machine, at the command prompt type in GPUPDATE /FORCE and then logoff Now I login as that user, and look at the event log. We now see success, as the policy does not need to move the existing “Documents” to “My Documents” and the policy is able to successfully apply as shown below. Now there is one more step to fix this issue. I will need to copy the data from the “Documents” folder to the “My Documents” folder. When I attempted to look at the old Documents folder, it was now empty. The reason for this, Offline Files are enabled on the Windows 7 machine, and as it couldn’t connect to the previous path, all the time the user was saving documents it was offline as you can see in the previous picture of the properties of My Documents it was missing the green sync icon. So when I logged in to the computer with the fixed policy, the Windows Sync Center determined it was now online and able to write to SERVERRedirectedFoldersfirstlastMy Documents , and it has the data in the CSC cache, so it just copied the data back to the server for me. If you don’t have Offline Files enabled, simply copy the data from Documents to My Documents folder. Here is a screenshot showing it now online   If you are wondering why there are two My Documents folders, the second one that is not Sync’d is actually Documents. I just deleted this folder as it is not valid. I suggest re-enabling this policy setting once the issue is resolved so that if you have a user who didn’t have this policy applying or in the SBS Console you checked the box  and you now want it, that the files are moved from their default location to the server location. I also saw that Microsoft released a hotfix titled You encounter a long logon time after you enable the “Do not automatically make redirected folders available offline” Group Policy setting in Windows 7 or in Windows Server 2008 R2 at   however, in this case it does not apply. As you can see, the error The system call level is not correct is a very generic error which by just looking at it, tells you almost nothing. Lyle Epstein Kortek Solutions Lyle Epstein’s Systems Engineer Blog