Archive for SBS

Renew SSL Certificate for 2012 R2 Essentials

These are the steps I recently followed to renew a third party (GoDaddy) SSL certificate on a 2012 R2 Essentials server. Although these steps have been documented many, many times over the years, it doesn’t hurt to review the process and make sure it works properly.

The overall process has three major parts to it:

  • Generate SSL request on the server
  • Request and rekey the certificate on GoDaddy’s site and download new certificate
  • Install the intermediate cert and your domain SSL cert on the server

Part One – Server

  • Open up the Essentials dashboard, click on Quick Status from the left column of the screen, then click Anywhere Access from the middle column, and finally click “Click to configure Anywhere Access” from the right column of the screen.
  • In the next window (Settings – Anywhere Access) click on the Configure… button. Please note, there’s a red X in my screen shot. That’s because my SSL certificate is about to expire. However, DO NOT click on the “Repair…” button. Just click on the “Configure…” button.
  • In the next window (Set up Anywhere Access) make sure that you UNcheck the option labeled “Skip Domain name setup. I have already set up my domain”


  • In the next window, select “Import a new trusted SSL certificate”
  • In the next window, first verify your domain name to be registered, which should already be correct as we are renewing an existing SSL certificate. Then click to enable the option “I want to purchase a trusted SSL certificate for this domain”
  • The next screen is the important one. It should automatically display the certificate request that you will need. If you need to, open up Notepad and then copy everything inside the box, starting with “-----BEGIN NEW CERTIFICATE REQUEST-----” all the way to the very end.


If you wish, leave this window open while you go to Part Two and request the new certificate from GoDaddy

Part Two – GoDaddy

  • Open up a browser, go to GoDaddy’s web site, log in, and go to your registered SSL for your domain and select to purchase/renew it. I’m not including screen shots of this process. GoDaddy will generate an email to verify you are the owner of this certificate.
  • Once that is done and approved you can proceed on the GoDaddy site to rekey your certificate. It will ask you to copy/paste in the certificate request info we just generated (the text that starts with “-----BEGIN NEW CERTIFICATE REQUEST-----”).
  • After you paste and submit this information, GoDaddy will generate another email to you with the link to download the certificate and instructions for installing it.
  • When you are at the screen to download your certificate, you must select what Server type you will be using this on. From the drop down, select IIS. Then download the generated zip file. If you are not doing this step from the server, then you will need to copy the zip file over to the server.
  • Unzip the zip file on the server. You will have two files, one with a .p7b suffix and the other with a .crt suffix.

Part Three – Server

Before we go back to the Essentials dashboard that we left open, we first need to go to MMC and insert the new p7b intermediate file from GoDaddy.

  • The steps to do this are provided by GoDaddy. In short:
    • Run MMC, add the Certificates snap-in, select Computer Account, select Local Computer.
    • Once Certificates is added, drill down to Certificates > Intermediate Certification Authorities, right click and select All Tasks > Import.
    • Click to browse, change the file extension in the browse window to “all files”, then locate the .p7b file that came from the zip file, and load it. Once done, you can close MMC.
  • Now we return to the Essentials dashboard that we left open. If it’s still sitting on the “Generate a certificate request” window, go ahead and click Next.
  • On the next window (“A trusted SSL certificate is in progress…”), click on the first option: “I have the trusted SSL certificate…” and click Next
  • On the next screen (Import the trusted certificate), click to Browse, change the file extension again to “all files” then locate the file ending with .crt that you unzipped, and click Next.
  • Wait while the new certificate is installed. You will get a green check window indicating that the domain is set up. You have one final step – to add this to Anywhere Access
  • On the next screen, you can select to enable VPN access and/or Remote Web Access. I only select Remote Web Access, as I use my network firewall/router box for VPN connectivity.
  • Go ahead and select what you need, and you will be all done. You will also see that the red X we saw earlier should now have disappeared, since the SSL certificate is now up to date.
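
To check the result of Part Three from PowerShell instead of relying on the red X disappearing, here is an added example (not part of the original post or of GoDaddy's instructions). It reports expiry, private key presence, whether the issuer is in the Intermediate store, chain status, and whether the certificate is bound to an HTTPS listener. The function name and the host name remote.example.com are placeholders, and English netsh output is assumed.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Essentials server after the wizard finishes.
function Test-RenewedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # your Anywhere Access domain name
        [int]$WarnDays = 30
    )

    # Thumbprints bound to HTTPS listeners in http.sys (English netsh output assumed).
    $bound = @(netsh http show sslcert |
        Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })

    # Subjects in the Intermediate Certification Authorities store,
    # which is where the .p7b file was imported.
    $intermediates = @(Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { $_.Subject })

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            # DnsNameList covers SAN entries; -like lets a wildcard name match.
            @($_.DnsNameList | Where-Object { $HostName -like $_.Unicode }).Count -gt 0
        } |
        Sort-Object NotAfter -Descending |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chainOk  = $chain.Build($cert)
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            [pscustomobject]@{
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                NotAfter        = $cert.NotAfter
                DaysLeft        = $daysLeft
                ExpiringSoon    = $daysLeft -lt $WarnDays
                HasPrivateKey   = $cert.HasPrivateKey
                # Plain string comparison of the issuer name against store subjects.
                IssuerInCAStore = $intermediates -contains $cert.Issuer
                ChainValid      = $chainOk
                ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                BoundToHttps    = $bound -contains $cert.Thumbprint
            }
        }
}

# Placeholder host name; the newest matching certificate is listed first.
Test-RenewedCertificate -HostName 'remote.example.com' | Format-List
```

If the old certificate is still in the store it is listed after the new one, which makes it easy to see which thumbprint the HTTPS binding actually uses.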

Shrink ShareWebDB Log File on SBS 2008

There’s a well known issue on SBS 2008 servers where the SharePoint Config Log file continues to expand. This SQL log file can rapidly grow in size, eating up valuable disk space on your system C: drive.

I first blogged about this back in December 2008 (view blog).

I posted a second blog post 4 years later in December 2012 (view blog) which provided the recommended Microsoft fix (KB 2000544) to truncate the log file, creating a batch command file and an associated SQL command file to truncate this log file.

I only have a few SBS 2008 servers still installed out in the field. But recently I discovered that there is another similar SQL log file that can grow in size: ShareWebDB_log.ldf file.

On this particular server, the ShareWebDB log file had grown to over 200GB in size. Ouch! Ouch! Ouch!


The solution is to mimic the two files created for the SharePoint log file solution, but have it truncate the ShareWebDB log file instead.

STEP 1: Create the SQL command file

Download the SQL file from my web site (logshrink2.sql.txt), save it to the root of your C: drive, and then rename it to logshrink2.sql

declare @ConfigDB varchar(255);
declare @ConfigDBLog varchar(255);
declare @ConfigDBCmd varchar(255);
select @ConfigDB =  name from sys.databases where name like 'ShareWebDb%';
-- Full backup before touching the log
set @ConfigDBCmd = 'BACKUP database [' + RTRIM(@ConfigDB) + '] to disk=''C:\windows\temp\before2.bkf''';
execute(@ConfigDBCmd);
set @ConfigDBCmd = 'use [' + RTRIM(@ConfigDB) + ']';
execute(@ConfigDBCmd);
-- Discard the inactive part of the transaction log
set @ConfigDBCmd = 'BACKUP LOG [' + RTRIM(@ConfigDB) + '] WITH TRUNCATE_ONLY';
execute(@ConfigDBCmd);
set @ConfigDBCmd = 'use [' + RTRIM(@ConfigDB) + ']';
execute(@ConfigDBCmd);
select @ConfigDBLog =  name from sys.database_files where name like 'ShareWebDb_log';
-- Shrink the log file
set @ConfigDBCmd = 'use [' +  RTRIM(@ConfigDB) + '] DBCC SHRINKFILE([' + RTRIM(@ConfigDB) + '_log],1)';
execute(@ConfigDBCmd);
-- Full backup after the shrink
set @ConfigDBCmd = 'BACKUP database [' + RTRIM(@ConfigDB) + '] to disk=''C:\windows\temp\after2.bkf''';
execute(@ConfigDBCmd);

STEP 2: Create the DOS batch command file

Next, download the DOS batch command file from my web site (logshrink2.cmd.txt), save it to the root of your C: drive, and then rename it to logshrink2.cmd

dir c:\windows\sysmsi\ssee\mssql.2005\mssql\ShareWebDb* /s
sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E -i c:\logshrink2.sql
dir c:\windows\sysmsi\ssee\mssql.2005\mssql\ShareWebDb* /s

STEP 3: Run the command file with administrator rights

Finally, open up File Explorer, right click on the logshrink2.cmd file, and click to “Run as administrator”

RESULT: Here is a screen shot of running this on the server with a 200GB log file:


Security Patch MS16-072 Breaks GPO on SBS 2008, SBS 2011, and Windows Server 2008/2008R2

Microsoft released security hotfix MS16-072 last week. This patch attempts to improve GPO security. But as my fellow MVPs Susan Bradley and Wayne Small have discovered, this new security update can actually break certain GPO-based processes, such as WSUS.

Note: Microsoft has not released a fix to this, nor are we expecting them to do so. But the blog posts below offer instructions for manually fixing this issue.

Here are the two blog posts that Wayne Small posted on his site, identifying the problem and suggested work arounds:

Susan Bradley forwarded the following post from Group Policy Central which includes a PowerShell script and further instructions from Microsoft to manually fix this problem.

Cannot RDP into Windows 10 Computer

Working with a customer that has SBS 2008 and upgraded a local computer to Windows 10. We discovered that we could not RDP into that workstation either locally using “mstsc” or remotely using Remote Web Workplace (RWW).

Turns out the fix is very easy.

By default, Windows 10 has Remote Desktop turned off in the firewall settings for the local workstation.

Here’s how to fix it:

  • Open up Control Panel and go to System & Security –> Windows Firewall
  • Click on “Allow an app or feature through Windows Firewall” option located in the left frame
  • Click on the Change settings button
  • If you do not have administrator access to this workstation, you will be prompted to enter an administrator username and password
  • Scroll down and locate Remote Desktop. Click on the box to select it, and then click on the appropriate boxes under the Domain and Private columns.
  • Click OK.
  • I suggest you then run gpupdate /force from a command prompt, first on the server, and then from the workstation. For the workstation, you may be prompted to logout to apply the update.
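
The same firewall change can be made and checked from PowerShell. This is an added example, not part of the original post: it enables the Remote Desktop rule group for the Domain and Private profiles only and flags any rule that would still apply on Public networks. The function name is hypothetical and the English display group name is assumed.

```powershell
# Added example (not from the original post). Run elevated on the Windows 10 workstation.
function Set-RdpFirewallScope {
    # 'Remote Desktop' is the English display group name; localized systems differ.
    param([string]$DisplayGroup = 'Remote Desktop')

    # Record each rule's state before changing anything.
    $rules  = @(Get-NetFirewallRule -DisplayGroup $DisplayGroup)
    $before = @{}
    foreach ($r in $rules) { $before[$r.Name] = "$($r.Enabled) / $($r.Profile)" }

    # Enable the group's rules for the Domain and Private profiles only.
    $rules | Set-NetFirewallRule -Enabled True -Profile Domain, Private

    # Re-read the rules and report before/after for each one.
    Get-NetFirewallRule -DisplayGroup $DisplayGroup | ForEach-Object {
        [pscustomobject]@{
            Rule         = $_.DisplayName
            Before       = $before[$_.Name]
            After        = "$($_.Enabled) / $($_.Profile)"
            # True would mean the rule still applies on Public networks.
            OpenOnPublic = ("$($_.Enabled)" -eq 'True') -and ("$($_.Profile)" -match 'Any|Public')
        }
    }
}

Set-RdpFirewallScope | Format-Table -AutoSize
```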

SBS 2011, Windows Server Backup, and VSSAdmin List Writers Issue

One of my customers runs a SBS 2011 server with Exchange 2010. I consider it a very clean server. Suddenly, after three years, I had issues with the Windows Server Backup.

Opening the WSB console, I would get the message Reading Data, please wait….

I knew that the first thing I should check was the VSS writers. When I tried to run vssadmin list writers from an admin level command prompt,  I would get the message: Waiting for responses. These may be delayed if a shadow copy is being prepared.

Rebooting the server didn’t help.

I tried the wbadmin delete catalog command, but that didn’t help.

I then found this blog post from which provided instructions for stopping specific services, reregistering VSS related DLLs, and then restarting the services. Eventually this solution worked for me!

Here’s a look at each of these three parts of the solution:

Step 1 – Stop specific services

You can run these commands one at a time from a command line prompt, or put them into a  batch file and run them:

net stop "System Event Notification Service"
net stop "Background Intelligent Transfer Service"
net stop "COM+ Event System"
net stop "Microsoft Software Shadow Copy Provider"
net stop "Volume Shadow Copy"
net stop VSS
net stop SWPRV

Note #1: Stopping the COM+ Event System will also cause several other dependent services to be stopped. Take a note of these dependent services so you can make sure they are restarted later on

Note #2: When I ran these commands, the COM+ Event System service did not successfully stop — it will have a status of  “Stopping…”. But it needs to be successfully stopped for the rest of the solution to work. If this happens to you, here’s how to stop it:

    • Open up another command prompt window
    • Type: sc queryex eventsystem and press Enter
    • Note the associated PID# for this service. Let’s say the PID# is 408
    • Next type: taskkill /pid 408 /F and press Enter

Step 2 – Reregister DLLs

Now copy the following commands into a batch file and run it from the command line

regsvr32 /s ATL.DLL
regsvr32 /s comsvcs.DLL
regsvr32 /s credui.DLL
regsvr32 /s CRYPTNET.DLL
regsvr32 /s CRYPTUI.DLL
regsvr32 /s dhcpqec.DLL
regsvr32 /s dssenh.DLL
regsvr32 /s eapqec.DLL
regsvr32 /s esscli.DLL
regsvr32 /s FastProx.DLL
regsvr32 /s FirewallAPI.DLL
regsvr32 /s kmsvc.DLL
regsvr32 /s lsmproxy.DLL
regsvr32 /s MSCTF.DLL
regsvr32 /s msi.DLL
regsvr32 /s msxml3.DLL
regsvr32 /s ncprov.DLL
regsvr32 /s ole32.DLL
regsvr32 /s OLEACC.DLL
regsvr32 /s OLEAUT32.DLL
regsvr32 /s PROPSYS.DLL
regsvr32 /s QAgent.DLL
regsvr32 /s qagentrt.DLL
regsvr32 /s QUtil.DLL
regsvr32 /s raschap.DLL
regsvr32 /s RASQEC.DLL
regsvr32 /s rastls.DLL
regsvr32 /s repdrvfs.DLL
regsvr32 /s RPCRT4.DLL
regsvr32 /s rsaenh.DLL
regsvr32 /s SHELL32.DLL
regsvr32 /s shsvcs.DLL
regsvr32 /s /i swprv.DLL
regsvr32 /s tschannel.DLL
regsvr32 /s USERENV.DLL
regsvr32 /s vss_ps.DLL
regsvr32 /s wbemcons.DLL
regsvr32 /s wbemcore.DLL
regsvr32 /s wbemess.DLL
regsvr32 /s wbemsvc.DLL
regsvr32 /s WINHTTP.DLL
regsvr32 /s WINTRUST.DLL
regsvr32 /s wmiprvsd.DLL
regsvr32 /s wmisvc.DLL
regsvr32 /s wmiutils.DLL
regsvr32 /s wuaueng.DLL

Step 3 – Scan these DLLs

Next, we will check the integrity of the following three DLLs:

sfc /SCANFILE=%windir%\system32\catsrv.DLL
sfc /SCANFILE=%windir%\system32\catsrvut.DLL
sfc /SCANFILE=%windir%\system32\CLBCatQ.DLL

Step 4 – Restart Services

Finally, let’s restart the services we stopped

net start "COM+ Event System"
net start "System Event Notification Service"
net start "Background Intelligent Transfer Service"
net start "Microsoft Software Shadow Copy Provider"
net start "Volume Shadow Copy"

Step 5 – Rerun VSSADMIN

Go ahead and try to rerun the vssadmin list writers command and see if it works.
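
Notes #1 and #2 in Step 1 can be scripted. The following is an added example, not part of the original post or the blog post it follows: it records the running dependents of COM+ Event System before Step 1, shows which other services share the process before the taskkill in Note #2, and restarts the recorded dependents after Step 4. The function names and the state file path are hypothetical.

```powershell
# Added example (not from the original post). PowerShell 2.0-compatible, run elevated.
$StateFile = Join-Path $env:TEMP 'eventsystem-dependents.txt'   # hypothetical path

# Before Step 1: record which dependents of COM+ Event System are running now.
function Save-RunningDependents {
    param([string]$ServiceName = 'EventSystem', [string]$Path = $StateFile)
    $names = @(Get-Service -Name $ServiceName -DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.Name })
    Set-Content -Path $Path -Value $names
    return $names
}

# Note #2: if the service hangs in "Stopping", show its PID and every other
# service hosted in the same process, since taskkill ends all of them.
function Get-ServiceHostInfo {
    param([string]$ServiceName = 'EventSystem')
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    $others = @()
    if ($svc.ProcessId -ne 0) {
        $others = @(Get-WmiObject Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
            Where-Object { $_.Name -ne $ServiceName } |
            ForEach-Object { $_.Name })
    }
    New-Object PSObject -Property @{
        Name              = $svc.Name
        State             = $svc.State
        ProcessId         = $svc.ProcessId
        SharesProcessWith = $others -join ', '
    }
}

# After Step 4: start any recorded dependent that is not running again.
function Restore-Dependents {
    param([string]$Path = $StateFile)
    Get-Content -Path $Path | Where-Object { $_ } | ForEach-Object {
        if ((Get-Service -Name $_).Status -ne 'Running') { Start-Service -Name $_ }
        Get-Service -Name $_ | Select-Object Name, Status
    }
}

# Save-RunningDependents     # before Step 1
# Get-ServiceHostInfo        # if "Stopping" persists, before taskkill
# Restore-Dependents         # after Step 4
```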

Long Live Exchange Public Folders!

Back in 1996, Microsoft introduced Public Folders as a replacement for social aliases; they were “designed from the ground up to enhance group collaboration applications” (per this Lane Severson blog post).

By the time that Exchange 2003 was released (13 years ago!), however,  the rumors that public folders would be discontinued in a future release of Exchange were swirling around. Take for instance this WindowsIT Pro post from 2004:

The handwriting has been on the wall for public folders for a year or two. I first heard a Microsoft speaker strongly discourage use of public folders at the MEC 2002 conference. An administrator who attended the same session was in a state of near panic because her university has thousands of public folders in active use.

In a TechRepublic 2010 post it was declared that public folders would probably be gone by Exchange 2013:

Since before the release of Exchange 2007, Microsoft has been telling us that public folders will eventually be discontinued. This hasn’t happened just yet though. Public folders are alive and well in Exchange 2010. Even so, public folders probably won’t be supported in the next version of Exchange.

So here we are in 2016, and guess what? Not only are public folders still around, Microsoft has decided that “public folders are great” per this Microsoft Technet FAQ:

No. Public folders are great for Outlook integration, simple sharing scenarios, and for allowing large audiences to access the same data.

And on February 1, 2016, Microsoft announced they will be increasing the number of public folder mailboxes in Exchange 2016 from 100 to 1,000!

Happy 20th birthday to Public Folders!

Setup BlackBerry Priv for Exchange Email

I have a customer that still uses a BlackBerry phone with their SBS 2011 server with Exchange 2010. Their previous BlackBerry 10 connected up with no problems to Exchange and ActiveSync several years ago. The owner recently replaced his BB10 with a newer BB Priv.

When he went to configure his new phone to Exchange, however, it was asking him to install a SSL security certificate, which the previous phone did not require.

Listed below are the steps we took to get his phone connected to Exchange.

Two things to note before we begin:

  • The person with the phone needs to set up an alternate email (such as GMail) on the phone before proceeding. The reason will become obvious below.
  • You need access to the SBS/Exchange server to export the SSL certificate, and then email the exported certificate file to the user

So, let’s get started

Part 1 – From the SBS/Exchange Server, create an exported PFX certificate file

  1. From the server, open up MMC from an administrator level command prompt
  2. Select to load the Certificates snap-in to the local Computer account.
    (Note: if you do not know how to do this process, see this Microsoft article for detailed instructions)
  3. Drill down Certificates –> Personal –> Certificates and locate your SSL certificate from the middle pane
  4. Right click on the certificate, then select All Tasks –> Export
  5. Click Next –> Click Yes, export Private Key –> verify PFX format is selected
  6. Enter a password when prompted (keep it short – very short, like ‘abc’)
  7. Click browse to assign a filename and select a location to save the exported file

Part 2 – Send PFX file to user’s alternate mail account

  1. Now, you need to email the PFX certificate file you just created to the user, sending it as an attachment to the user’s alternate email account on his or her phone.
  2. How you do this is up to you – I’m sure you can figure out this step.

Part 3 – User creates Exchange account and installs SSL certificate on the phone

The following instructions are general in nature, and not specific, because I did not do these steps myself. My customer was able to do it, with just a couple of corrections that I was able to walk him through by phone.

  1. First, user should open up the Gmail (or other) account on their phone, locate the email you sent them, and select to save (download) the attachment to the phone. Just download the file, do not try to install it.
  2. Now let’s start creating the Exchange account.
  3. Select Settings –> Accounts –> Add Accounts –> Exchange
  4. Enter your email address and password.
  5. Phone will go out and check things, and should come back asking for more server information.
  6. For your username: enter DOMAINNAME\USERNAME
  7. When prompted, select to install a certificate, and locate the file you saved.
  8. For the server name/address, enter the URL you would use to access your OWA account – such as or
  9. Select SSL/TLS (Accept all certificates)

At this point, it should start setting up your email account. Good luck!

Error Occurred During Port Configuration – Access is Denied

Customer is running Windows Server 2012 R2 Essentials, and just had a Xerox WorkCentre 8530 delivered to their office.

Working with the local Xerox printer tech, we got the driver installed on the server and tested printing.

He wanted to show me some things under the “Configure Port” option, but when we tried to do so, we got the following error message:

An error occurred during port configuration. Access is denied.

I was stumped, as I knew we were logged on as an administrator. I even tried using Print Management service.

I then found a helpful step-by-step solution to this problem over on the GeeksOnTech website. Their post includes screen shots, but here is a summary of the steps:

  1. Open up Devices & Printers
  2. Highlight the printer you want to change, then click on Print Server Properties from the menu bar
  3. On the next window, click the Ports tab, and then at the bottom of that same window click Change Port Settings
  4. Now select your printer, and then click Configure Port…

Hope this helps!

Windows 10 and SBS 2008 Remote Web Workplace RWW

Customer calls me today. One of his employees has Windows 10 at home, but is unable to remote into the SBS 2008 network at the office to access his office computer.

The error message looks something like this:

VBScript Remote Desktop Connection: The wizard cannot configure Remote Desktop Connection settings.  Make sure that the client version of Remote Desktop Protocol (RDP) 6.0 or later is installed on this computer.

Thanks to a post on the Microsoft forum, the resolution is fairly easy. It requires access to the server, but does not require rebooting the server.

Note: On the Windows 10 side, you need to make sure you are using Internet Explorer 11 (IE11) and not the new Microsoft Edge browser.

From the SBS server:

  • Navigate to this folder “C:\Program Files\Windows Small Business Server\Bin\webapp\Remote”
  • Locate and make a backup copy of the file tsweb.aspx
  • Edit tsweb.aspx and comment out the highlighted lines as shown below. (Note: to comment out a line, simply insert a single quote mark)
  • Open up Services (Start –> Run –> services.msc)
  • Locate Terminal Services and click to restart it.
  • It may prompt you that it must also restart an associated service, which you should approve.
  • That’s all that needs to be done on the server

From the home Windows 10 computer:

  • Open up Internet Explorer 11
  • Go to the URL you use to remote into the SBS 2008 server (e.g..,
  • Add the URL to Compatibility Settings (IE > Tools > Compatibility Settings > Add > Close)
  • Add the URL you are using to Trusted Sites (IE > Tools > Internet Options > Security > Trusted Sites)
  • Then close and restart IE 11

Give it a try!

Connector for Windows 10 to 2012 R2 Essentials Now Available

This information just came in today:

Windows 10 Client Connector for connecting to Windows Server 2012 R2 is now Released via Download Center

We have now officially released the Windows 10 connector for connecting to Windows Server 2012 R2 via Download Center. It is available from the following URL:

Please note: we do not have the fix for the auto-download and installation released yet. So you have to manually download and install this client connector on the Windows 10 client machine. Then you can run the client deploy to start the connecting.

For the servers in-place upgraded from Windows 7, 8.1 to 10,  you will need to manually download and install this client connector and do the connecting again.

If the machine ID is the same after the upgrade, then everything will be working automatically. However if the machine ID is somehow changed during the upgrade, then it will be treated as a new client, so you have to leave the domain and connect to the Essentials server again. The old client back up data will be in the archive folder on the Essentials server, and you can still use that to do the restore back to the upgraded Windows 10 client.