My notes from today’s Microsoft Partner Program webcast…

Remote Access

Self-Issued vs. Third Party certificates

  • SBS2008 creates a self-issued certificate that can be used.
  • Clients and computers have to install this certificate in order to trust it.
  • 3rd-party certificates are easier to implement and manager.  They are not more or less secure, but they’re easier to use.  They have become very inexpensive.
  • Fix My Network wizard will automate updating the Root Certificate
  • “Add a Trusted Certificate Wizard” will automatically generate and give you a certificate request hash.
  • Installing trusted certificate on client computers
    • From a domain-joined computer, go to \\sites\public\downloads and download/extract “Install Certificate Package.zip”
    • From a non-domain joined computer, download “Install Certificate Package.zip” and copy to a USB key or CD
    • This package will also deploy your certificate to mobile devices via ActiveSync

Remote Web Workplace

  • Available to members of Remote Web Workplace group
  • RDP client has to be version 6.0 or later
  • SBS ports 80, 443, 987, and 3389 must be open on the server firewall
  • Ports 80, 443, and 987 must be open and forwarded to SBS server
  • Terminal Services gateway is now used instead of clients directly connecting to port 3389
  • Access at http://remote.<public-domain-name>
  • Customizable features:
    • RWW user access
    • RWW sign-in page
    • RWW home page
    • Check email
    • Connect to computer
    • Internal web site (SharePoint)
    • Change password
    • Help
    • Organizational links
    • Administration links

Terminal Services Gateway

  • User outside network connects to port 443.
  • Server verifies SSL certificate and then creates Connection Authorization Policy (CAP)
  • Server creates Resource Allocation Policy (RAP) that allows you to connect to other servers in the environment
  • Connections out to the other machines still go out, internally, through port 3389

Mobile Device Support

  • Exchange ActiveSync (EAS)
  • Devices support: Windows Mobile 5.0 (with Messaging and Security Feature Pack) or higher
  • Direct push
  • Device security policy enforcement
  • Remove device wipe
  • For remote access, use remote.<public-domain-name>
  • SPAddCert.exe allows you to add certificates to:  Windows Mobile 5.0, Windows Mobile 2003, or Windows Mobile 2002
  • On Windows Mobile 5, download “Install Certificate Package.zip”

VPN Support

  • Not configured by default
  • Microsoft feels that you really should use Remote Web Workplace
  • Wizard is provided to turn on VPN

Computer Management

Pre-deployment

  • Check application compatibility
  • Check for latest BIOS
  • Check drivers are up to date
  • Make sure all Windows updates and service packs are in place
  • Network configured properly
  • Local administrator password is set and documented

Connecting client computers

  • From IE go to http://connect
  • There is also a “Connect Computer Wizard” that can be run from a USB drive
  • You can also have users manually join the domain
  • The Wizard will ask if you are setting up for yourself or setting up for others.
  • Client Advisor utility checks that you have patches, .NET Framework 2, RDP 6, etc.
  • Can move profile data

Managing Client Computers

  • From the SBS Console, you can open the properties for a client computer and assign who is a local administrator on the machine, and who can remotely access the machine.
  • Can offer remote assistance from the SBS console

Redirecting User’s Folders

  • Applies GPO to redirect
  • 2GB default storage quota
  • Can modify whether this happens

Enabling Client-side Faxing

  • Available in Windows Vista editions
  • Faxing capabilities
  • Scanning capabilities
  • Users must be a member of the Windows SBS Fax Users group

Backup

Backup in Windows Server 2008 was rewritten from scratch.
Performs block level backup using VSS.
Users volume snapshots.
Stores incremental, restores full.

You can select what to backup at the volume level.  Everything on the system drive is always selected.

Simplified restoration and operating system recovery.  You can recover the whole server from any of the incremental backups.

Wbadmin command-line tool.

Configure backup performance.

No negative performance on the server while the backup is running.  Allows you to take a higher number of backups during the day (more restore points to go back to)

Supported backup hardware:

  • External hard disks: USB 2.0 or IEEE 1394
  • Internal hard disks (as long as they don’t store data)
  • Removable media drives
  • Backup disks are formatted and must be exclusively used for backup.

Recommendations:

  • Rotate multiple disks (the wizards keep track of these for you).
  • Use disks with 2.5 times the storage capacity of backup items.

Windows Recovery Environment (WinRe)

  • Launch on-disk using F8
  • Relies on Windows boot manager and boot loader

Manual diagnosis and repair

  • Startup repair
  • System restore
  • Windows backup disaster recovery
  • Command prompt (Regedit, ChkDsk)
  • You can restore to dissimilar hardware, but the processor architecture on both machines must match

You can perform a full server restore by inserting your SBS 2008 installation DVD and choosing “Repair your Computer”.  It can read off the USB disk and recover the whole server.  COOL!!!!

SBS uses a plug-in to Windows Server Backup to back up Exchange.  This is unique to SBS/EBS.  It also backs up SharePoint.  Users CAN recover Exchange or SharePoint separately from the rest of the system.  Note that Exchange recovery is on the entire store (not block level).

Read more posts from John R. Pattison about Windows Small Business Server 2008