Thursday, March 17, 2011

Ugh, SSL Certificates

Through much trial and error I think I have it figured out:  there are three ways to go when it comes to SSL certificates for your business server needs, and each one can be painful.


  1. Self-signed certificates:  With Server 2003 a self-signed certificate meant that you just had to ignore the overly dire warning you were given in your browser.  It turns out that non-techies find that warning difficult to ignore, and it has been quite a source of worry for the end user, who then decides that the system is broken and finds something else to do.  SBS 2008 changed that: with a self-signed certificate it becomes a pain in the neck to get Outlook to work.
  2. Get a certificate from your favorite Certification Authority, like my favorite registrar Register.com.  It's fast, easy, and somewhat expensive - a certificate for a single domain name (remote.yourdomain.com is probably the one to invest in) is $72.00 per subdomain for three years.  Then it gets ridiculous:  Outlook 2007+, Windows Server 2008 SBS, and Exchange 2007 and 2010 want you to have a valid certificate that applies to each required subdomain, so a "wildcard certificate" would seem to be in order - I confirmed this by calling Register.com's tech support and asking them which certificate I should use to secure my SBS 2008 - they recommended the wildcard certificate as the answer to all of my needs.  $730 for 3 years.  Fortunately there are ways around this, so DON'T DO IT.  See the excellent Third Tier Blog's explanation of how to configure your DNS to work around this.
  3. Get your certificates from StartSSL.  While I have not tried the truly free certificates that they offer, I did undergo the personal and organization validations, which were $49.90 each (total of $99.90; I'm not sure what it will cost come renewal time), with the certs being good for two years.  Since I manage systems for multiple organizations it makes sense for me to validate each organization so that my personal details don't appear on their certificates!  Validating yourself and your organization means getting together your personal identifying docs like your driver's license, birth certificate, and phone bill, then your business identifying docs like Articles of Incorporation, Certificate of Insurance, and maybe your business license - whatever you can show that proves you are you and that your business is on board with your plans to get a certificate with its name on it (meaning a letter from the owner or CEO).  When requesting certificates you have no option for a "wildcard" certificate, but you may specify as many subdomains as you desire for each of your verified domains - sweet.
An interesting note about StartSSL:  there has been some debate as to the legitimacy of StartSSL as a valid Certification Authority, especially with regards to the free certificates.  While it is easy to get their free certs if you can prove you own the domain, it is also easy to get certs from other CAs.  The barriers to entry to receive a basic SSL cert from the registrars and other commercial CAs are:  verifying that you own the domain and paying their fees.  StartSSL's Class 1 performs domain name ownership verification.  StartSSL's Class 2 validates your identity using personal documents and business documents, then calls your organization and verifies the info, even asking to speak with the owner or CEO!

The real debate is not whether charging for certificates reduces crime with regards to SSL (IMHO it does not - even scammers know it takes money to make money) but whether users have the ability to truly trust an organization - a valid certificate is certainly NOT a guarantee you won't be ripped off, and I feel annoyed that SSL is presented in such a manner - as if the crummy lock icon somehow meant the web site is not owned and operated by a bunch of crooks.

Since StartSSL isn't always included when the root CAs are added to OSes and devices, you may also have some certificate issues, especially with ActiveSync - by the way, check your Exchange connectivity and certificate problems at https://www.testexchangeconnectivity.com/.
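Added example (not from the post or any CA): a Python check of which SBS/Exchange hostnames a certificate actually covers, applying the same wildcard rule browsers and Outlook use (one label only, so *.yourdomain.com covers remote.yourdomain.com but not yourdomain.com or a.b.yourdomain.com).  remote.yourdomain.com is the post's example; autodiscover and mail are assumed stand-ins for the other required subdomains, and the three sample certificates are constructed in Python's getpeercert() dict format rather than real certificates.

```python
import socket
import ssl

# Hostnames the server must present: remote.yourdomain.com is from the post,
# the other two are assumed stand-ins for the remaining required subdomains.
REQUIRED_NAMES = ["remote.yourdomain.com", "autodiscover.yourdomain.com",
                  "mail.yourdomain.com"]


def hostname_matches(pattern, hostname):
    """Match one certificate name against a hostname (RFC 6125 style):
    '*' is only honoured as the entire leftmost label and covers one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # "*.yourdomain.com" -> ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]      # what the '*' would have to stand for
    return bool(leftmost) and "." not in leftmost


def cert_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # clients fall back to the CN only when no SAN is present
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return names


def uncovered(cert, required=REQUIRED_NAMES):
    """Required hostnames that no name on the certificate covers."""
    names = cert_names(cert)
    return [host for host in required
            if not any(hostname_matches(name, host) for name in names)]


def fetch_peer_cert(host, port=443):
    """Pull the live certificate of a server in the same dict format."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real), one per option in the post.
SINGLE_NAME = {"subject": ((("commonName", "remote.yourdomain.com"),),)}
WILDCARD = {"subjectAltName": (("DNS", "*.yourdomain.com"),)}
MULTI_SAN = {"subjectAltName": (("DNS", "remote.yourdomain.com"),
                                ("DNS", "autodiscover.yourdomain.com"),
                                ("DNS", "mail.yourdomain.com"))}

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME), ("wildcard", WILDCARD),
                        ("multi-SAN", MULTI_SAN)):
        print(f"{label}: missing {uncovered(cert) or 'nothing'}")
```

Pass fetch_peer_cert("remote.yourdomain.com") to uncovered() to run the same check against a live server instead of the constructed samples.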


Friday, January 07, 2011

More about SBS 2008 Installation. . .

The SBS 2008 installation process on an HP Server is buggier than a bucket of roaches.  If you don't hold your mouth right while setting it up it just won't take.


  • Use the manufacturer's "Easy Setup" CD to perform the setup, but DO NOT EVER put in a password for the Administrator; leave it blank, or there is a good chance that the installation will fail, particularly the setup of Exchange.
  • SBS 2008 can take a very long time to start up, especially after applying updates.  Don't panic, give it time to finish and it should be fine.  In my experience I worry the most at the black screen with a working mouse pointer but nothing else - just leave it be, it may take a half hour before it comes up!  (Update 14-Jan-11 - My half-hour black screen was due to a defective hard disk; it was a one week old server, and I received SMART errors on startup.  Restored to a new HDD and boot times are in line with what they should be!)
  • Don't apply updates during the installation even though the dialog recommends it; install them after the installation completes and you have run the Connect to the Internet Wizard.  Running the updates during the setup has resulted in a failure of Exchange to properly complete setup.
  • Run all updates after completing the initial setup (including setting up your Remote and certificates) and before adding any other applications, users, or computers.
  • Use the SBS 2008 Best Practices Analyzer and do what it says.  I don't know why MS doesn't implement these practices during the install process, but it will make for a smoother server experience.

Thursday, December 16, 2010

Automatically Print Server 2008 Backup Confirmation/Results Logs

Please Note:  This Does Not Work For Server 2008 R2.  MS opted to axe the plaintext files.  Back to the drawing board . . .  I'll be using the tips at http://www.techrepublic.com/blog/networking/four-ways-to-manage-windows-server-2008-backup-on-multiple-servers/4159 in the meantime.

For a year I've looked for a way to confirm Server 2008 backup results without regularly logging in and examining the Server Manager, perusing the System Logs, or buying a backup software package.  Windows Backup makes quite readable reports in the \%systemfolder%\logs\WindowsServerBackup\ folder that can be viewed in Notepad.  These files are created upon the completion of each backup, and seem to stick around for a couple of weeks.

Scheduling the following .bat files to run after your backup has completed will yield two printed backup reports:  the first lists what was backed up, and the second lists any exceptions - if there are none, it will be blank except for the number "1" in the bottom center of the page.

Create a text file called prtbaklog.bat containing the following:

@echo off
setlocal
rem Usage: prtbaklog.bat \\Server\Printer - prints the newest Backup-*.log
if {%1}=={} (
    echo Syntax: prtbaklog.bat PrintDevice, e.g. \\Server\Printer
    goto :EOF
)
set device=%1
set prt=N
rem dir /o-d lists newest first; :print acts on the first name only
for /f "Tokens=*" %%i in ('dir /o-d /b "C:\windows\logs\WindowsServerBackup\Backup-*.log"') do call :print %%i
endlocal
goto :EOF
:print
if not "%prt%" EQU "N" goto :EOF
set prt=Y
"C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "C:\windows\logs\WindowsServerBackup\%1" %device%

The prtbaklog.bat is invoked with the following command syntax:

prtbaklog.bat \\servername\printername


Next create the following .bat file entitled prtbakfail.bat:

@echo off
setlocal
rem Usage: prtbakfail.bat \\Server\Printer - prints the newest Backup_Error*.log
if {%1}=={} (
    echo Syntax: prtbakfail.bat PrintDevice, e.g. \\Server\Printer
    goto :EOF
)
set device=%1
set prt=N
rem dir /o-d lists newest first; :print acts on the first name only
for /f "Tokens=*" %%j in ('dir /o-d /b "C:\windows\logs\WindowsServerBackup\Backup_Error*.log"') do call :print %%j
endlocal
goto :EOF
:print
if not "%prt%" EQU "N" goto :EOF
set prt=Y
"C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "C:\windows\logs\WindowsServerBackup\%1" %device%

Again, schedule it to run after your backup has completed with the command syntax:

prtbakfail.bat \\servername\printername

Tuesday, November 16, 2010

Site to Site IPCop to pfSense VPN

NOTE:  Spoofing the MAC Address of your WAN adapter breaks IPSec in pfSense 1.2.3

Since IPCop seems to have slowed development to a drip (the last stable update was 1.4.21 and it was made available in 2008, but a new beta was recently released - you can get it here), I am beginning the migration from IPCop to pfSense.  The extra features and reports will be most welcome, but this will require replacing 20+ IPCops across four states - all are connected to one central IPCop via VPN.  I must focus on minimizing disruption to the end users - simultaneous replacement of all of the units is out of the question.

I considered an IPCop and a pfSense firewall running in a side-by-side configuration with the new pfSense on our second public IP, but this means added hardware and complication with regards to routing.

Once the settings below have been completed the pfSense is a ready drop-in for the local IPCop, and the far IPCop should require no additional configuration.

Rummaging around in the IPCop docs I found that its bundled VPN server uses IPSec.  Rummaging around in the pfSense forums yielded a sparse description of the settings that allowed pfSense and IPCop to establish VPN communications - see http://www.perkiset.org/forum/all_things_general_tech/vpn_tunnel_helper_pfsense_to_ipcop-t2661.0.html - thanks to the author Perkiset for these nuggets of wisdom.  While his exact configuration did not work for me, a slight variation did.  I've reposted his settings but revised them with the ones that worked for me.

IPCop Box:
  • Use pre-shared key
  • Local and remote addresses thus: (a).(b).(c).0/255.255.255.0 where a.b.c are the first three octets of the remote network's LAN address
  • Dead Peer detection set to restart
  • IKE Encryption: Blowfish 256, Blowfish 128
  • IKE Integrity: SHA and MD5
  • IKE Grouptype: MODP 1536
  • ESP Encryption: Blowfish 256, Blowfish 128
  • ESP Integrity: SHA1 & MD5
  • ESP Grouptype: Phase1 Group
  • ESP Keylife: 8 hours
  • IKE + ESP: Unchecked
  • IKE Aggressive: Not checked
  • PFS: Checked
  • Negotiate Payload: Unchecked


pfSense Box:
  • Local subnet: LAN subnet
  • Remote subnet: (a).(b).(c).0 / 24
  • Remote gateway is the public address or domain name of the remote network
  • Negotiation Mode: Main
  • Identifier: My IP Address
  • Encryption Algo: Blowfish
  • Hash Algo: SHA1
  • DH Key Group: 5
  • Lifetime - leave blank
  • Authentication method: preshared-key
  • Phase 2, Protocol: ESP
  • Encryption Algo: Blowfish
  • Hash Algos: SHA1 & MD5
  • PFS Keygroup: 2
  • Lifetime: 28800 Seconds
  • Ping Host: This is redundant to the Dead Peer detection in IPCop, which will execute a restart
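As an added example (not from the post, IPCop, or pfSense), the two lists above transcribed into Python and cross-checked for the IKE and ESP proposals both ends share.  The MODP-to-group-number mapping (MODP 1536 is DH group 5, MODP 1024 is group 2) and the hours-to-seconds conversion are standard IKE definitions; the field names are the labels used above, with the pfSense phase 2 entries prefixed "P2" to keep them apart from phase 1.

```python
# Added example: normalise the IPCop and pfSense settings above into one
# vocabulary and compute the IKE/ESP proposals both ends can agree on.

DH_GROUPS = {"MODP 1024": 2, "MODP 1536": 5, "MODP 2048": 14}  # IANA IKE group ids

def algs(value):
    """'SHA and MD5', 'SHA1 & MD5', 'Blowfish 256, Blowfish 128' -> canonical
    algorithm names (key length dropped, bare 'SHA' means SHA1)."""
    for sep in (" and ", " & "):
        value = value.replace(sep, ",")
    names = [item.strip().split()[0].lower() for item in value.split(",")]
    return ["sha1" if n == "sha" else n for n in names]

def seconds(value):
    """'8 hours' -> 28800, '28800 Seconds' -> 28800, '' -> None (vendor default)."""
    parts = value.strip().lower().split()
    if not parts:
        return None
    return int(parts[0]) * 3600 if parts[1].startswith("hour") else int(parts[0])

def ipcop(cfg):
    ike_group = DH_GROUPS[cfg["IKE Grouptype"]]
    # "Phase1 Group" on the ESP line means PFS reuses the IKE group.
    pfs = ike_group if cfg["ESP Grouptype"] == "Phase1 Group" else DH_GROUPS[cfg["ESP Grouptype"]]
    return {
        "ike": {(e, h, ike_group) for e in algs(cfg["IKE Encryption"])
                for h in algs(cfg["IKE Integrity"])},
        "esp": {(e, h) for e in algs(cfg["ESP Encryption"])
                for h in algs(cfg["ESP Integrity"])},
        "pfs": pfs if cfg["PFS"] == "Checked" else None,
        "esp_life": seconds(cfg["ESP Keylife"]),
    }

def pfsense(cfg):
    return {
        "ike": {(e, h, int(cfg["DH Key Group"])) for e in algs(cfg["Encryption Algo"])
                for h in algs(cfg["Hash Algo"])},
        "esp": {(e, h) for e in algs(cfg["P2 Encryption Algo"])
                for h in algs(cfg["P2 Hash Algos"])},
        "pfs": int(cfg["PFS Keygroup"]),
        "esp_life": seconds(cfg["P2 Lifetime"]),
    }

def cross_check(a, b):
    """Proposals common to both ends, plus per-tunnel settings that differ."""
    return {"ike": a["ike"] & b["ike"], "esp": a["esp"] & b["esp"],
            "differs": [k for k in ("pfs", "esp_life") if a[k] != b[k]]}

# Settings transcribed from the post (fields that do not affect proposals omitted).
IPCOP_CFG = {"IKE Encryption": "Blowfish 256, Blowfish 128", "IKE Integrity": "SHA and MD5",
             "IKE Grouptype": "MODP 1536", "ESP Encryption": "Blowfish 256, Blowfish 128",
             "ESP Integrity": "SHA1 & MD5", "ESP Grouptype": "Phase1 Group",
             "ESP Keylife": "8 hours", "PFS": "Checked"}
PFSENSE_CFG = {"Encryption Algo": "Blowfish", "Hash Algo": "SHA1", "DH Key Group": "5",
               "P2 Encryption Algo": "Blowfish", "P2 Hash Algos": "SHA1 & MD5",
               "PFS Keygroup": "2", "P2 Lifetime": "28800 Seconds"}

if __name__ == "__main__":
    print(cross_check(ipcop(IPCOP_CFG), pfsense(PFSENSE_CFG)))
```

The check reports the PFS group as the one setting that differs (IPCop's "Phase1 Group" resolves to MODP 1536 while pfSense is set to group 2); since the tunnel came up with these values, treat that line as something to confirm in the IPSec logs rather than as a failure.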

Tuesday, October 19, 2010

Migrating SBS 2003 to SBS 2008? Is your target server a ML150G6?

You may have serious headaches during this migration.  Mine lasted four days, with most of the time spent watching Microsoft Support clean up the Active Directory on the source server.  A Blue Screen of Death was my ultimate reward towards the end of each install.

BSOD Error:  STOP 0x0000003B  System_Service_Exception

I checked that all firmware was up to date, I reseated everything I could possibly reseat (RAM, CPU, HDD cables, and even the fan connectors), and I spent a lot of time on the phone with HP and Microsoft.  Ultimately I gave up on the idea of a "swing migration" - using the MS migration tools to move the user and computer accounts, Exchange mailboxes, etc. - and am going with the "side-by-side migration" that any sane admin would do in a small business environment.

Ultimately my Microsoft support rep says that there have been reports of similar issues when doing the migration from SBS 2k3 to SBS 2k8 where the target server is an ML150, and that I should just proceed with the side-by-side migration.

Here's a side-by-side migration in a nutshell:

  • Load a fresh copy of SBS 2k8 onto your new server with a new domain name and server name.
  • Give your new server its own IP on the subnet.
  • Set up usernames that are identical to your old server's usernames; if you can set up identical passwords, do that also.  I reset everyone's passwords on the 2k3, kept a list of them, and set up the users in 2k8 with the same passwords as I assigned in 2k3 - this will make for easy migration of redirected My Documents folders.
  • Export all of your users' Exchange info on the SBS 2k3 to some kind of external drive using Exmerge.
  • While the export is happening, complete the SBS 2k8 Internet configuration, then set up your SBS 2k8 to redirect the users' documents.
  • Import the PSTs into each mailbox on the SBS 2k8's Exchange 2007 using these instructions on TechNet.  Check the users' Outlook - their old stuff will now be there after you reconfigure Outlook to point at the new SBS 2k8.
  • Use Profwiz from Forensit.com to migrate each desktop from the old domain into the new domain, which will preserve the users' desktops, favorites, etc.  Before running Profwiz delete the migrating users' Outlook profile from Mail in Preferences (you backed up the mailboxes, right?).  (WARNING:  This doesn't work on Windows Vista or 7 - it mangles the profile and you risk losing their profile data - you will need to back up their docs, favorites, etc., and manually change the domain.)
  • If the user's un/pw is the same, the user's My Documents will be automatically copied and redirected from the 2k3 to the 2k8 when you log in.  Expect the 1st login to take a few minutes.
  • Reconfigure each desktop's Outlook to point to the new server and check that it works.
  • Move the client's line of business applications, databases, and share folders as required to support them.
  • Fix all the little things that broke during the process.
  • If an end user needs remote desktop access via the RWW you must run the http://connect wizard - the problem is that it doesn't migrate domain accounts, only local accounts, so you will need to use Profwiz (XP and lower!) and then, once this is complete, run the http://connect wizard to complete the process.  The connect wizard also allows for automatic configuration of Outlook.
  • Fix file synchronization on each desktop (because your desktops will still try to synchronize with the old server!) by signing in as a user with local administrative privileges, opening My Computer, selecting Tools, Offline Files, then holding CTRL+SHIFT and clicking on the Delete Files . . . button.  Be certain that you have the contents of My Documents moved to the new server before doing this!

Friday, October 08, 2010

Prevent Computers from Hibernating

Add this to your logon batch file:

powercfg.exe /change "always on" /monitor-timeout-ac 20

powercfg.exe /SETACTIVE "always on"

Tuesday, August 31, 2010

Automatically Print NT Backup Logs - Revised

A serious shortcoming of today's printers is an inability to print output from MS-DOS (or is it a Windows shortcoming?).  One way around this is the wordpad /pt [filename] [printer] command.  Here's a revised PRTBAKLOG.bat file that will print the last NT Backup log file to the specified printer.

@echo off
setlocal
rem Usage: PRTBAKLOG.bat \\Server\Printer - prints the newest NTBackup log
if {%1}=={} (
    echo Syntax: PRTBAKLOG.bat PrintDevice, e.g. \\Server\Printer
    goto :EOF
)
set device=%1
set prt=N
rem dir /o-d lists newest first; :print acts on the first name only
for /f "Tokens=*" %%i in ('dir /o-d /b "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\backup*.log"') do call :print %%i
endlocal
goto :EOF
:print
if not "%prt%" EQU "N" goto :EOF
set prt=Y
"C:\Program Files\Windows NT\Accessories\wordpad.exe" /pt "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%1" %device%

There is also notepad /p [filename] or wordpad /p [filename] to send output to the default printer should you need it.

Thursday, August 26, 2010

IPCop 2.0 - Withered on the Vine?

Our friends who have worked so hard on the IPCop system seem to have run out of steam - whether it is a lack of community support (the project is too much for one man, I'm certain), or an over-crowded roll-your-own firewall space (pfSense, Untangle, Shorewall, and m0n0wall, to name the more popular distributions), I'm not certain.  What I am certain of is that the others have continued development where IPCop has stalled.

I've had repeated issues with unstable third-party add-ons (the Squid and SquidGuard add-ons called AdvProxy and URLFilter), but have otherwise been happy with IPCop.  What is spurring my move is not performance (though I think I can see some performance improvements when using other distros - I wish I had a good metric!) but the ability of the firewall to handle client VPN traffic, such as a user inside of the network connecting via PPTP to a remote network - iptables apparently can't handle such a situation and won't allow the connection.

I will be reviewing pfSense, but more info on Untangle and the others would be nice - what do you think of these?

/Update 11-Apr-11

A new IPCop 2.0 Beta has been released!  Visit http://sourceforge.net/projects/ipcop/files/IPCop%20Test%20Versions/ and try it out - don't put it on a production box as many features are incomplete, but it is in a quite usable condition!

One thing that I've realized:  when comparing IPCop and pfSense it's important to consider that the projects have different targets for their user base - IPCop is aimed at the small office/home office and pfSense is aimed at the big boys - the end products reflect this in their ease of configuration and available configuration options.

Wednesday, July 07, 2010

Installing Agris Software on Windows 7 64-bit

I contacted John Deere about Agris and asked whether they supported installing the current version of their software on Windows 7 64-bit edition.  They had said that it would work under Windows 7 after the next update (I think he said R15) but it would not be supported in the 64-bit Windows 7.

Don't forget that there is an XP Mode, and the system runs fine when it is in XP Mode!  Visit Microsoft's XP Mode Download Page and install it per the instructions on the Microsoft site.  Next find and run Windows XP Mode under the Windows Virtual PC folder in your Start Menu.  The XP Mode initially uses an IP address that cannot reach your Agris server, so you will need to go to the Menu Bar and select Tools -> Settings -> Networking, then select Adapter 1 and change it to your wired or wireless network adapter depending on how you connect to your Agris server.

This is an XP Virtual Machine, an imaginary computer within your computer - use it just like you did XP: map the network drive and install Pervasive SQL, Agris, and the Agris updates.  Run Agris from the XP Mode desktop and verify that it functions properly.

You will need to add any printers to the XP Mode using the traditional methods available to XP users.

Working?  Good!  Select CTRL+ALT+Delete from the XP Mode menu bar and select Shutdown.  Go to Start -> All Programs -> Windows Virtual PC -> Windows XP Mode Applications and you will see an Agris shortcut - copy it to your desktop for a quick way to run Agris without the apparent hassle of running the XP Virtual Machine.

Wednesday, June 09, 2010

W3SVC Log Files are Filling Up Your SBS's System Drive

I can't believe that I haven't encountered this sooner:  The system drive on an SBS 2003 was full.  I used my trusty SequoiaView and found that the W3SVC1 folder was 6.14GB - OUCH!  A quick Google search yielded an excellent discussion of how to deal with the matter.

At a command prompt enter this all on one line:

at 12:00 /EVERY:Su Forfiles.exe -p C:\WINDOWS\system32\LogFiles\W3SVC1 -m *.log -d -30 -c "Cmd.exe /C del @path\"

This will schedule a job that will run every Sunday and remove W3SVC1 log files that are >30 days old.

Thanks to Tom Watson for posting this gem!