SBS 2011 How To Backup Your EFS Recovery Agent Certificate

Backup your EFS what? That is the reaction I have had from most people I mentioned this to.

I am working on a document to walk through migrating Active Directory from SBS 2011 to Windows Server 2016. As part of that document I wanted to include backing up the EFS Recovery Agent Certificate. Only I couldn’t because on my SBS Server, something had broken.

First off, a bit of background. If you don’t know, EFS is the Encrypted File System that is built into Windows. It allows anyone to encrypt a file.

Read more of this post

OK so… That works.

Having spent several hours working on my IPCOP install article, it was proving to be a bit of a pain to upload it.

I broke it down into 3 smaller articles, that are now of course, published in reverse order as you scroll this page.

Here are the links to the individual entries..

Part 1

Part 2

Part 3

Hope it may be useful to you!

Testing Testing…

Just testing the Windows Live Writer upload – as it is failing my IPCOP article.

Do you ever get that sinking feeling?

Oh man, what a day.

I have to say this is about as low as i have felt for quite some time, and believe me, that is saying something.

Where to begin?

Well let’s first acknowledge that once again i have failed in my attempt to actually keep a blog, and it is something like 6 months since my last entry. Recently i have revisited those posts and it has been at the back of my mind to get back on here and write some of my obviously hilarious observations and day to day goings on. I would say shenanigans but i don’t know how to spell it.

What is going on right now is, i have been made redundant. Yep. As i write i have something like 2 months to find a new job, or face the prospect of loosing my home… and god knows what else.

Probably my sanity.

But wait, help is at hand. I was offered a job yesterday.

Now, in the current economic crisis we all face i am going to sound incredibly ungrateful, but i don’t want it.

From what i gather i will be driving around London in a van, fixing desktop pc’s. Or taking phone calls on all manner of subjects non IT related. The prospect of working nights and weekends also doesn’t fill me with joy – and especially when you consider i will be doing all of this for at least £5000 less than i currently earn.

I am not so stupid to believe i wont have to take any pay cut in order to get a job, but i don’t think anyone would be keen on this, put in my position.

Matters are compounded when you learn you missed out on several positions at a good company by a matter of days, a company, had i been smart enough at the time, i would already be working for.

Yes, they offered me a job about a year ago and i turned them down. I try not to regret things, just find the positives and look forward, but this one hurts.

Rant over.

My Granddad died last Friday. A big shock. He was fantastically intelligent, even well into his eighties he was studying C++ at the local college, he never stopped, never really retired, and will be missed by a great many people. I wont say much more as i will probably sob into the keyboard, and no one wants to see that. My other Granddad died just a few months ago and i still don’t think that has really hit me.

Stella is walking now, she is 11 months, she will be one on October the 15th. She really does change every day, whether it be dancing to the Kings of Leon, incredibly inappropriate Sex_On_Fire, or Sitting down to watch Thomas (the tank engine) now named Thomas and friends, or In the night garden, which i have not seen but sounds absolutely mental.

Peep Show starts tonight, which should lift my mood as it always does.

Life has a funny way of working out, and i am sure this dark mood will pass and i will see things clearer in a few days time.

It’s all going wrong on Friday. Remember, The wizard is your friend.

I finally finished my long anticipated (by me anyway) article on how to publish Small Business Server 2008 yesterday and sent it over to my editor for, well, editing i guess. Also so that they could run through the procedure and confirm it works.

I like to tinker with things, and usually this isn’t a bad thing because you can improve the way something works, or just learn a bit more about something, by breaking it and fixing it and vowing never to do it again. Small Business Server is in no way an exception to the rule. Rather, it seems, something you should never tinker with.

Now of course i knew that. My experience with Small Business Server 2003, and briefly with SBS 2000 has taught me nothing if not – Just use the wizard – and for gods sake don’t do anything else.

So imagine my surprise when after about 3 weeks of research and documentation i logon to the SBS Server to check how something works, to find that in fact it doesn’t work anymore. it’s broken.

Part of the guide shows how to remove forms based authentication from Outlook Web Access – so that we can use the ISA Server to do the forms based authentication. This works fine. However when you are inside the network you can no longer then use Outlook Web Access at all. This is not fine.

There are things you could do to avoid this issue if we were not using SBS – but we are.

The problem I’m looking at is this :

I want to protect my network with ISA Server. So instead of using a standard firewall/router and opening up the ports to my SBS Server, i open them up and direct them to my ISA Server. I then tell ISA that i have servers behind it running applications – like Outlook Web Access, and i want people to be able to connect to them. ISA will usually proxy the requests – but the server itself is not actually accessible. What i mean by this is if we use Forms based authentication for OWA – when you go to https://server.domain.com/owayou are actually hitting an ISA Server Form, not the form on the SBS/Exchange Server.

The issue here is that if both the ISA and Exchange server are using Forms based authentication – it doesn’t work.  So on one server you must switch this off. Usually the Exchange Server.

If you switch if off on the ISA Server – you are basically making it behave as if it is a normal Firewall/Router and you cant use any of the more advanced application filtering that ISA was designed for.

For the RWW i had already figured that i had to just open the ports because of the RWW logon page – another forms based page that you really cant turn off.

What was frustrating me here – is that ISA was passing the traffic to the RWW, but when i clicked on check my email – i had to logon again, when i clicked on internal website, i had to logon again. I understand the reasoning for this – but would my users accept 3 different logons – when if using a standard router, they would just have the one logon and that would be that.

Looking at it from a security point of view, i guess i could argue that it was ok to have 3 separate logons, but i think i would be trying to convince myself it was ok rather than actually believing it – the only security here would be username/password – and if they were already in the RWW they have a username and a password. So what’s the point?

It does seem as if i am resigned to the fact that i wont be able to use ISA Server to publish the SBS Server as successfully as i was hoping – although i cant help thinking if i can just change that setting…..

That leads us back to the first point – don’t tweak your SBS. That really is all you need to know. If it doesn’t have a wizard – you probably shouldn’t be doing it.

I found that very hard to ‘deal with’ / ‘understand’ when i first started out, because being trained as an MCSE you are shown the enterprise way of doing things, using scripts or just directly using MMC tools.

Using the wizards kind of felt like cheating – I’m an mcse i know how to do this without using the wizard and that’s what ill do.’ was my general opinion of all things SBS – and the amount of problems i used to have was ten fold to what i have now. Having sat down and read the SBS Administrators companion as well as Harry Brelsfords little red book i changed my mind. It was like a light went on in my head, OHHHHHHHHHHHHHH i thought, That makes sense, and Oh – and the wizard does all of that for you as well – why don’t i use the wizards? and from that day forth i was converted. It’s surprising still how much thought has gone into the design of these products, and just how complicated they are, and how simplified they have been by these incredible wizards.

So i am left now with the task of rewriting part 2 and 3 of my guide  – however something tells me it will be much easier now.

This aside – i think it will still be of interest to some people to use ISA – even as a stop gap between Forefront Threat Management Gateway – i know we are deploying it along side our SBS 2008 boxes – because our customers currently have SBS 2003 Premium, and will still want the control over outbound access as well as inbound.

In fact you could look at it as just outbound protection… but it isn’t. Not being able to publishing the Web Applications directly via ISA is a disappointment, but it will still protect folders and directories we don’t want published.

And it will still give us more control over access to the server remotely than we would otherwise have, but somehow these problems have taken the shine off of things…

Not sure about these hearts?

Yep i like David Bowie, I like Pink Floyd. I do not like little pink hearts. How do i turn these off?

Sunday. Yet more tales of IT woe.

Not being one to take things easy at the weekend – and taking the opportunity of having the network closed down, it is an ideal day to catch on up Windows Updates and playing about with all those little ‘tweaks’ you want to try during the week but never get around to it.

Well, i cant say i had learnt my lesson from Friday or indeed Saturday. I don’t think i wrote about this yet  but once i had everything up and running again yesterday morning i went through and applied about 40 updates to the server. I know how important it is to keep the servers patched – but i also know what can happen without properly testing updates before you apply them. LOL.

Testing – i don’t know if it is because we don’t have the time. Or if we don’t have the equipment. Likely as not it is because we cant be bothered – but the only updates that are tested are the ones applied to our own systems first. With no testing.

So perhaps again i am demonstrating why these problems are all self inflicted, and with a little time and effort you can have a network which doesn’t suffer from such problems. However i would also at this point stress that the at no time has our customer(s) experienced any downtime due to my seemingly uninterested approach to system administration. I am always conscious that a fellow IT Pro may stumble upon and read my blog – and laugh to themselves that if i only had done X or Y then i could have avoided all of Z – perhaps this is true. No it’s definitely true. But we have all been there and at least I’m being honest about it.

Anyway i digress.

Update number 40 of 40. A SQL Server 2000 SP4 (KB948110).

Which it seems has some issues. It seems to have issues with services restarting and if working remotely will completely close the server off to remote connections for roughly one hour. Among the services to be stopped are the exchange Information Store and Seemingly the World Wide Web Publishing service. Arrgh what am i to do now? All was working well, i just apply some updates and crash, there goes my connection.

Well for any other IT Pro it may be game over until Monday. Angry users phoning up complaining of no email or network – and the IT Pro forced to concede a reboot is required (have you tried turning it off and on again?)

But no. We you see use HP Servers. HP Servers with ILO. What does ILO stand for – Integrated Lights Out. And it couldn’t be more accurate. As long as the server has power to it, and i mean it could be switched off sitting 3 miles under the earth – inside a small room with a sign on the door saying ‘beware of the leopard’ we can get to it. (Of course it needs an internet connection as well but let’s not split hairs)

So to recap, as long as the server has mains power, and an active internet connection we can connect to it – we can then use wonderful tools like remote power management, and even the remote console, which runs through Java and telnet so we can get complete system access – from post. In fact i have used this tool a few times to change BIOS settings remotely – now that IS NOT for the faint of heart.

So i lost my connection mid update – which is never good because you end up in some kind limbo where you know the server is carrying on without a care in the world, your session is still running as well, your just not there, and cant get back in.

Connecting via ILO i log in to find many services stopped. A quick check on taskmgr and i can see the update processes are no longer running, and decided to reboot. The server comes up fine and Lights Out has saved the day.

This morning was a different story. I decide another server is in need of my gentle touch and log in and commence the updates. I glance over after 45 minutes to see my connection, disconnected and the last update progress indicator was SQL Server 2000 SP4…. Not again… oh well ill just use….

Shivers run down my spine as i have a sneaking suspicion someone unpatched the lights out interface some time ago and we never got around to plugging it back in. Well you wouldn’t would you?

So, time for some ‘blue sky thinking’ lets see.

I attempt a lights out connection, which fails. Hmm ok maybe the cable isn’t unplugged maybe the router isn’t doing the port forward correctly – ill ping the interface from the router. Nope, this routers firmware is not on the revision which includes the ping tool. Great – do i fancy a remote firmware upgrade? what’s the worse that could happen? As if i haven’t suffered enough.

Now this feature is nice, i really like this about the Draytek Vigors, you can probably do this with other routers but i haven’t ever seen it, and cant shout about it.

An ftp session into the router, upload the new firmware image, and reboot. Simple as that. And it works – keeping in place the existing settings as well. Quick tip on that if you are going to do this – use the .all version of the firmware not the .rst – the rst file WILL erase your settings.

Ok logged back in and trying the ping – nope request timed out.

How about a vpn into the router – and try to bypass ISA on the SBS box (really clutching at straws now)

Reconfigure the router to allow the vpn to terminate there, log in – ping/rdp/ no luck. Even tried the ISA Server MMC which is installed on my trusty laptop – i know this will fail even before i try but I’m desperate now…

Right, that’s it. Better phone the boss. Straight to voicemail and i don’t bother to leave one i don’t know what it is but voicemail greetings irritate me. Actually you may have noticed a lot of things irritate me.

Ok well ill put the router back to rights and have a think about it and come back to it later. I really have no idea how I’m going to get out of this but I’m sure ill think of something.

Router reconfigured, i hit the VPN dial button.. what’s this… verifying username and password? – connected?   could i have not configured the router properly. Most likely. Ipconfig /all – no. I’m in. I’m back IN. Amazing.

RDP back on to the server , where my original session is sitting there waiting – to finish updating you must restart.

Oh absolutely brilliant. Glad i didn’t leave that humbling voicemail after all.

So, it would appear this update likes to cut you off – seemingly for the fun of it.

Well reading the KB article, it seems to make more sense, a restart of the MSSQL$MSFW could definitely explain why i was cut off.

So, provision needs to be made i think and more checks in place that our lights out connections are actually connected.

Whilst this could be seen as embarrassing for me as an engineer, (i would agree) i think it will also server as a reminder/warning to any who may read this blog. Check your servers. Check them NOW!

We can never assume. We can never rely. We are the IT Admin and we are.. something.

So after all that excitement i got up. It was Sunday after all. I watched Scrubs on the telly – which is all E4 ever seem to show, had a lovely Sausage & Egg sandwich for breakfast and relaxed with Baby Stella before i headed out to football.

I play for a 5aside team locally – we are not the best, but we have a laugh which is all we are interested in. Today we had a full squad of 8 (5 on the field with 3 rolling subs) playing against a team who had just 5, no subs.

It is always fairly even between the two teams – but they seem to have the edge fitness wise, as our 3 man advantage didn’t seem to be helping much. With a few minutes to go we were 9-7 up, but we failed to take advantage and eventually drew 9-9. We were all gutted, not least of all poor Dan, the goalkeeper. I still stride on looking for my first goal, but i did chip in with an assist today which was nice, calmly riding two harsh challenges to pass into the path of the gaffer who netted from the edge of the D.

I could write football reviews – i think id do a good job. I can do myself a lot of favours as well because if the truth be told i stumbled over the ball, just about kept my balance before the ball hit my ankle and flew towards his feet – but i like my first version better. Oh well – next week is another chance, another attempt to improve my fitness and another chance to get my goal.

My attention now turns to this evening’s FIFA contest 0 i missed last night as me and Kat were at an engagement party but the next duel has been scheduled for 10pm this evening, the mighty RedParkRyan’s Man UTD team taking on the fearsome BennySlayer’s Arsenal side. With some tactical changes afoot, i feel confident i can build on my 5-1 victory.

it’s shocking how seriously we take this game, i wish i could record the headset chat as Ryan’s attitude after i score would do seriously well on YouTube i think.

Anyway that really is enough blogging for one day – i am going to see if i can get rid of these pink hearts.

Have you tried turning it off and on again?

Saturday morning, i am not relaxing with a nice lie in – no I’m vpn’d into my customer site trying to resolve the issue from yesterday – some consolation I’m sitting in bed in my boxers :I too much information?

A quick check on all the logs – no issues reported, and a successful backup. A good way to start. I run the Exchange BPA – with a health check scan, and that doesn’t report anything critical so i feel like i am ok to do a much needed reboot.

Twenty minutes later I’m back in, a quick scan through event viewer – nope it still looks ok. Let’s try installing this MSA.

Log in to the console, add an exchange server, accepting the defaults – with one exception I’m not using the EUQ integration this time, let’s stick with good old Outlook junk mail folder.

Install in progress… usually a time to sit back and relax (yeah right) and it ‘looks’ like its doing more than it did before but you can never be sure as the descriptions on the progress indicator are not always that helpful. Validating install….. ohhh not again…

Nope that’s right, not again. A few minutes of Validating seem to do the trick as i am greeted by the most glorious site i have seen this early on a weekend for quite some time –

Starting Messaging Security Agent.

And a few minutes later….

I had to read it a few times just to be sure – and i swear one time i read it it did actually say something different.

Success. We have Success.

I quickly download the two patches for WFBS 5.1 from Trends website, and install them.

A little check over of all the settings and i am happy to open up inbound email again.

Let’s monitor the Real Time Scanning for the inevitable deluge of spam that’s heading my way.

hmmmmmmmmmmmmmm nothing coming in, lets reply to a test message i sent out earlier.

Yep it’s appeared in the RTS but not in the mailbox. It isn’t in the Message Tracking Logs either.

Back in my own Outlook Web Access i see the message has been rejected :

#5.7.1 SMTP; 550 5.7.1 Sender ID (PRA) Not Permitted> #SMTP#

This i know is a Sender ID bug with exchange 2003 – something to do with how exchange handles SPF records when email is sent via a smart host – the fix escapes me for the moment, after all it is still early. So i opt for disabling SenderID for the time being, happy that mail is flowing at least.

All in all not a bad result. The moral of this story then? I was going to say – if it isn’t broke, don’t fix it. But of course in this instance it was sort of broke, so I’m not sure it counts. But that is a good moral anyway so we’ll stick with that.

I will shortly be up and about – shopping no doubt – but it doesn’t matter, nothing can bring me down after this and the fantastic drubbing i dished out last night on Fifa (5-1), i think it’s going to be a good day.

With all the excitement i almost forgot to say why i had started a blog. Well  i don’t know really – it is something i have been interested in doing for a while, but i never really thought i had much to say.

And to be fair i probably still don’t.

Well a few days ago i was asked to be an author for the excellent www.smallbizserver.net site by the site owner Mariette Knapp, a Small Business Server MVP. I have written and published one article already which you can look at here : How to use Small Business Server 2003 Health Monitor to Alert you to Full Mailboxes

Ill be publishing more articles as time goes on hopefully, and will be putting sneak previews on my blog.

My next article will be about how to publish Small Business Server 2008 using ISA Server 2006.

Have a good weekend!

%d bloggers like this: