Archive for category EBS

Reinstall EBS 2008 Management Server

WIGITAL recently had a RAID 1 array in an Essential Business Server fail. The array was the System Volume on the Management Server. The mirror could not be rebuilt… system down! Numerous sectors on both mirrored disks ultimately proved to be beyond recovery. This server was out to pasture and this time, no happy cows. Mooo!

So… how does one restore Essential Business Server from the Installation Wizards? In considering EBS restoration, think data first. On the Management Server there is plenty of it. The data to be restored in EBS includes the following:

MANAGEMENT SERVER

  • Active Directory Domain Services logs
  • Active Directory Domain Services database (NTDS.dit)
  • Active Directory Domain Services SYSVOL file
  • Microsoft SQL Server® database for System Center Essentials
  • SQL Server database for Windows Server Update Services
  • SQL Server database for Administration Console

For reference, the messaging and security servers include…

MESSAGING SERVER

  • Microsoft Exchange Server database

SECURITY SERVER

  • SQL Server database for Forefront TMG

NOTE: Reinstalling the Management Server into Essential Business Server is a 4-5 hour affair if things go well. Verifying the health of the second Domain Controller ( the Messaging Server ) is an advisable first step: during the rebuild it holds the only surviving copy of the directory, so confirm it replicates cleanly and passes dcdiag before you start.

Replace a Server in Windows Essential Business Server

For walkthroughs on restoring EBS, the best article in my opinion is on TechNet ( current as of 2010-01-06 ). It walks through every step needed to start restoration of the servers.

TECHNET – Replace a Server in Windows Essential Business Server

Please follow the steps carefully and pay attention to the details. Not every aspect of restoring an EBS management server is covered, but the article gets the ball rolling. Additional guidance may be necessary as you go deeper into the EBS Installation Wizards themselves during the re-install. In this particular case, the wizards worked very well with one exception… The restore path of the Management Server wizard will eventually go looking for an authoritative time source in the domain, and because we are restoring the Management Server, which is the server that held that role, it will not find one. We discuss this through the rest of this post as a help to other pros working on this platform.

EBS Links to be aware of  relating to restoration:

Change Installation Settings for Server Replacement

How to repair Windows Essential Business Server components using MMS.msi

Windows Essential Business Server Backup and Restore

How to Reinstall Microsoft Forefront Security for Exchange Server in Essential Business Server

Update Rollup 1 for EBS 2008 and Updated Preparation and Planning Wizards are Released

EBS 2008 Management Restoration – the PDC Emulator Operations Master and Authoritative Time Source

The Essential Business Server Installation Wizard is designed to look for a Domain Controller holding the PDC Emulator Operations Master role and then look to it as the authoritative time source in the EBS domain. Unfortunately, during our “RESTORATION” the PDC Operations Master is literally the server we are restoring. Therefore… the wizard's insistence on locating an authoritative time source cannot be met (yet).

The PDC Emulator Operations Master ( in Windows Server 2008 ) emulates the functions of a Primary Domain Controller ( PDC ) for pre-Windows 2000 clients and sits at the top of the domain's time synchronization hierarchy: every other domain controller and member synchronizes from it, directly or indirectly. That hierarchy is what keeps clocks inside the 5-minute skew Kerberos tolerates by default, which is why the wizard refuses to continue without it. Only one server in the domain holds this role, and in an EBS environment that server is the Management Server by design.

Since during the restoration of the Management Server there is no PDC remaining (it has failed in our case), two errors will occur while running the Restoration Wizards.

  1. In the stage where the Management Server is re-joined to the domain, the EBS Installation Wizard will fail at “Synchronizing time with domain”. Time synchronization fails because the authoritative time source is no longer there (… only true when restoring an EBS Management Server).
  2. When a PDC is eventually found (by making some changes to the second domain controller), the Messaging Server will hold the PDC role but will still not be seen as an Authoritative Time Source until the necessary changes are made to its registry. Those changes set W32time on that system as authoritative, and “Synchronizing time with domain” can then be accomplished.

When restoring a Management Server in EBS 2008, be prepared to make a few changes in advance.

This is done in two steps:

1.) “forcefully” transfer the PDC Operations Master role to the Messaging Server ( the EBS environment's second domain controller )

2.) make the Messaging Server authoritative as the domains time source.

Forcefully Transfer PDC Operations Master Role to Messaging Server

The following knowledge base article ( Microsoft KB324801 ) describes How to view and transfer FSMO roles in Windows Server 2003. While this article accurately describes the transfer of roles, it does not touch on the language used when the transfer is “forceful”. Since there is no Management Server acting as PDC, there is no PDC to respond to the transfer request, and therefore a forceful transfer will be necessary. NOTE: A forceful transfer occurs when the Domain Controller requesting the transfer of the role ( in our case, the PDC Operations Master role ) cannot find the Domain Controller to which that role has been assigned. Once a role has been seized this way, the failed holder must never be brought back online with its old directory; in this case it is being rebuilt from scratch, so that condition is met.

So, in Restoration terms… when the EBS Installation Wizard of a Management Server reaches the following stage, it will fail:

  • Management Server Installation (title bar)
    • Progress of joining the domain (heading)
    • Please wait while the Management server joins the domain (caption)
  • Synchronizing time with domain (STAGE of Overall progress)

To accomplish the transfer of the PDC Operations Master role from the Management Server to the Messaging Server, use the above procedure ( How to view and transfer FSMO roles in Windows Server 2003 ). The language of the pop-up windows in a “forceful” transfer will be similar to the following (and I'm paraphrasing):

POP-UP WINDOWS

  • “Are you sure you want to change the Operations Master?”  [ OK ]
  • “This computer is a non-replication partner. Do you want to continue with the transfer?” [ OK ]

POP-UP WINDOWS – AFTER FAILING TO MAKE CONTACT WITH THE PDC ROLE (because it’s not there to respond)

  • “Under some circumstances a forced transfer can be achieved. Do you want to attempt a forced transfer?”  [ OK ]
  • “The operations master role was successfully transferred.” [ OK ]

Make the Messaging Server Authoritative for Time Synchronization

To satisfy the Installation Wizard Time Synchronization request, the next step is to make the Messaging Server authoritative for W32time in the windows domain. Check out these two articles on how to do that.

Configuring the Windows Time Service by the veteran Mitch Tulloch

and TechNet – AD DS: The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source

Complete the Essential Business Server Installation Wizard and Restore the Management Server

Now that the Messaging Server can respond to the EBS Installation Wizard “Time Synchronization Request”, we click Retry and the process moves forward. To finish installing the EBS 2008 Management Server, please follow the TechNet articles at http://technet.microsoft.com/en-us/library/cc512500(WS.10).aspx . This is the lengthiest part of the restoration and may require 3 or more hours with updates. It is a good time to read up on the restoration of the Management Server data, which will be restored once the EBS Management Server is up and running again.

Reversing the PDC and Authoritative Time Source Changes and Establishing the EBS 2008 Management Server as Authoritative

To return the EBS environment to its default state, it is necessary to return the PDC Operations Master role to the Management Server. Note that this is not done automatically by the EBS Restoration process when restoring a Management Server. It must be done manually once the Management Server has been restored to the existing EBS domain.

Log on to the EBS 2008 Management Server

  • GO TO Start | Run | type dsa.msc
  • Right-click Active Directory Users and Computers ( the top node in the navigation pane ), navigate to All Tasks and click Operations Master
  • Select the PDC tab
  • The Operations master: field shows the current holder ( the Messaging Server ). Below it the dialog reads “To transfer the operations master role to the following computer, click Change.” and lists EBSMGMT.domain.local, the server you are logged on to
  • click the Change button
  • at the “Are you sure you want to transfer the operations master role?” prompt, click Yes
  • “The operations master role was successfully transferred.”
  • EBSMGMT.domain.local is now listed as the PDC Operations master

Log on to the EBS 2008 Messaging Server

  • GO TO Start | Run | type regedit
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
  • Double click the REG_SZ value Type and change it to NT5DS ( synchronize from the domain hierarchy )
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
  • Double click the REG_DWORD value AnnounceFlags and change it to A ( hexadecimal, 10 decimal: the default for a domain controller that is not the reliable time source )
  • ** change back any additional time setting adjustments you may have made
  • GO TO Start | Run | type cmd
  • at the command prompt type net stop w32time && net start w32time
  • close your editors

Log on to the EBS 2008 Management Server

  • GO TO Start | Run | type regedit
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
  • Double click the REG_SZ value Type and change it to NTP ( synchronize from the external source listed in NtpServer )
  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
  • Double click the REG_DWORD value AnnounceFlags and change it to 5 ( always announce as a reliable time server )
  • GO TO Start | Run | type cmd
  • at the command prompt type net stop w32time && net start w32time
  • close your editors
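The role hand-off and W32Time changes above are a pair of mirror-image procedures (Messaging Server takes the PDC role and becomes authoritative before the wizard runs; the Management Server takes it back and the Messaging Server reverts afterwards). The script below is an added example, not code from the original post or from Microsoft: it wraps both directions in the same functions using ntdsutil, the W32Time registry values and w32tm, all of which ship with Windows Server 2008. The server names, the upstream NTP source and the assumption that the package runs with domain administrator rights on the named host are mine.

```powershell
# Added example (not from the original post). Run on the host named in each phase
# from an elevated PowerShell with Domain Admin rights. Windows Server 2008 /
# PowerShell 2.0 features only. Names below are assumptions.
param(
    [ValidateSet('Prepare', 'Restore', 'Demote')]
    [string]$Phase = 'Prepare'
)
$MessagingServer  = 'EBSMSG.domain.local'    # assumed name of the second DC
$ManagementServer = 'EBSMGMT.domain.local'   # assumed name of the rebuilt server
$UpstreamNtp      = 'time.windows.com,0x8'   # assumed external source; 0x8 = client mode
$W32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$W32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Get-PdcEmulator {
    # netdom prints one line per role, e.g. "PDC                 EBSMGMT.domain.local"
    foreach ($line in (netdom query fsmo)) {
        if ($line -match '^\s*PDC\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Move-PdcRole {
    param([string]$ToServer, [switch]$Force)
    # "transfer pdc" needs the current holder to answer. "seize pdc" tries a
    # transfer first and, if the holder is gone, takes the role anyway: the same
    # "forced transfer" the dsa.msc dialogs offer.
    $verb = if ($Force) { 'seize pdc' } else { 'transfer pdc' }
    ntdsutil 'roles' 'connections' "connect to server $ToServer" 'quit' $verb 'quit' 'quit'
}

function Set-W32TimeRole {
    param([ValidateSet('Authoritative', 'DomainMember')][string]$Role)
    if ($Role -eq 'Authoritative') {
        # PDC Emulator: take time from an external NTP source and always announce
        # itself as a reliable time server (AnnounceFlags 5).
        Set-ItemProperty -Path $W32Params -Name Type -Value 'NTP'
        Set-ItemProperty -Path $W32Params -Name NtpServer -Value $UpstreamNtp
        Set-ItemProperty -Path $W32Config -Name AnnounceFlags -Value 5
    } else {
        # Any other DC: follow the domain hierarchy and let W32Time decide what to
        # announce (AnnounceFlags 0xA = 10, the domain controller default).
        Set-ItemProperty -Path $W32Params -Name Type -Value 'NT5DS'
        Set-ItemProperty -Path $W32Config -Name AnnounceFlags -Value 10
    }
    Restart-Service -Name w32time
    w32tm /resync /rediscover | Out-Null
}

function Get-W32TimeSource {
    # e.g. "time.windows.com", "EBSMSG.domain.local" or "Local CMOS Clock"
    ((w32tm /query /source) -join '').Trim()
}

switch ($Phase) {
    'Prepare' {
        # On the Messaging Server, before re-running the Installation Wizard.
        if ((Get-PdcEmulator) -ne $MessagingServer) { Move-PdcRole -ToServer $MessagingServer -Force }
        Set-W32TimeRole -Role Authoritative
    }
    'Restore' {
        # On the rebuilt Management Server, once the wizard has finished.
        if ((Get-PdcEmulator) -ne $ManagementServer) { Move-PdcRole -ToServer $ManagementServer }
        Set-W32TimeRole -Role Authoritative
    }
    'Demote' {
        # On the Messaging Server, after the role is back on the Management Server.
        Set-W32TimeRole -Role DomainMember
    }
}
"PDC Emulator: $(Get-PdcEmulator); W32Time source on this host: $(Get-W32TimeSource)"
```

The last line is the check worth keeping after each phase: on the server that is supposed to be authoritative, w32tm /query /source should name the external NTP host, and on every other domain controller it should name the PDC Emulator. A source of “Local CMOS Clock” means the hierarchy is still broken and the wizard's time synchronization step will fail again.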

Begin the process of restoring your Management Server data from BACKUPS.

MANAGEMENT SERVER data to be restored

  • Active Directory Domain Services logs
  • Active Directory Domain Services database (NTDS.dit)
  • Active Directory Domain Services SYSVOL file
  • Microsoft SQL Server® database for System Center Essentials
  • SQL Server database for Windows Server Update Services
  • SQL Server database for Administration Console

EBS 2008 Backup and Restore Links

Good articles to be aware of in backing up and restoring EBS

Back Up Using Windows Essential Business Server Tools

Moving Data Files for Windows Essential Business Server

Solving AD Replication issues with EBS 2008 Planning and Preperation Wizard

Essential Business Server 2008 Blog

EBS Technical FAQ

thank you…

WIGITAL Computing Pros serves computing and network infrastructure needs in Southern California. Thank you for reading.
Mark Raborn
WIGITAL


EBS 2008 Certificates Installer for RWW Terminal Services Gateway and Outlook RPC / HTTP

Essential Business Server continues Microsoft’s commitment to offer integrated functionality in pre-configured Server packages for Small and Medium sized business. To achieve an out of the box secure environment in EBS, a Security Server is included in the topology as the edge ( or public ) facing connector between the open internet and the EBS 2008 environment.

SSL encryption is mandatory for Clients connecting to this server over the web

Today’s article focuses on

  • the tasks of finding and installing EBS leaf and root certificates ( using the EBS Certificate Installer Package ) on computers that are not joined to the EBS 2008 domain.
  • some essential information about EBS Certificates, what they do, and how to recreate them.

EBS 2008 Self Signed Leaf Certificate

 ** Please note: the certificate chain must be installed if users intend to use Remote Desktop through Terminal Services Gateway and/or want to connect to Exchange from Outlook using RPC / HTTP. Otherwise these features will not work for connecting computers.

The EBS Root Certificate Package in Essential Business Server 2008

Essential Business Server includes a certificate installer to make adding the EBS Certificate Chain to any Client computer easy.

The location of that Certificate Package is on the EBS 2008 Management server in the following path

%ProgramFiles%\Windows Essential Business Server\Data\RWW Cert Package

An administrator would typically copy this package to removable media for provision to users and installation. Users cannot access the default location directly so the administrator must distribute the Certificate Installer.

To make a secure, trusted SSL connection to EBS 2008 from the internet, users must first install the Root Certificate as a Trusted Root Certificate in the certificate store of their client computers. These computers can be domain computers or non-domain computers. Non-domain computers must import the certificates manually. Because anything placed in Trusted Root Certification Authorities can vouch for any host name, the package should travel on media the administrator controls, and users should compare the root certificate's thumbprint with the value the administrator reads off the Management Server before trusting it.

EBS 2008 Certificates are usually imported in the following ways:

  • DOMAIN: by joining the Client Computer to the Essential Business Server domain ( during which EBS 2008 automatically installs the certificates using group policy )
  • NON-DOMAIN: install the EBS Root Certificate manually on a non-domain computer using the RWW Cert Package located in the path shown above

How To install the EBS 2008 Root Certificate on a Client Computer that is not joined to the EBS domain

  • Log on to the EBS 2008 Management Server (using a Local or Domain Administrator account)
  • using Explorer, browse to the folder
    %ProgramFiles%\Windows Essential Business Server\Data\RWW Cert Package
  • copy the folder (including all its contents) to removable media
  • insert the media into the destination Client Computer
  • open the RWW Cert Package and execute the CertificateInstaller.exe program

The Essential Business Server root certificate and leaf certificate ( used on the TMG External Listener ) will be installed. By default, the root certificate is installed in the Trusted Root Certification Authorities store.
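For a non-domain client where you want more than CertificateInstaller.exe's silent success, the script below is an added example (not code from the original post or from the EBS package): it pulls the root out of a copied RWW Cert Package, refuses to install it unless its thumbprint matches a value obtained out of band, and then opens a TLS session to the Security Server's external listener to confirm the leaf chains to that root. It assumes the package ships the certificates as .cer files beside the installer; the folder, the public host name and the expected thumbprint are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell on
# the non-domain client; writing to LocalMachine\Root needs administrator rights.
# Paths, host name and thumbprint are assumptions.
$PackagePath        = 'E:\RWW Cert Package'                       # assumed: copied folder
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed: read off the Management Server
$RemoteHost         = 'remote.example.com'                        # assumed: public name on the TMG listener
$RemotePort         = 443

function Get-EbsRootFromPackage {
    param([string]$Path)
    # Assumed layout: the chain is present as .cer files; the root is the self-signed one.
    foreach ($file in Get-ChildItem -Path $Path -Filter *.cer) {
        $c = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        if ($c.Subject -eq $c.Issuer) { return $c }
    }
    throw "No self-signed certificate found in $Path"
}

function Import-EbsRoot {
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Root, [string]$Thumbprint)
    # A trusted root can vouch for any host name, so compare the thumbprint with
    # the value obtained out of band before the store is touched.
    if ($Root.Thumbprint -ne $Thumbprint.ToUpper()) {
        throw "Thumbprint mismatch: package root is $($Root.Thumbprint), expected $Thumbprint"
    }
    $store = New-Object Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($Root)
    $store.Close()
}

function Test-EbsListenerChain {
    param([string]$HostName, [int]$Port, [string]$RootThumbprint)
    $state = @{ Ok = $false; Detail = '' }
    # Validation callback: record whether the chain the client built is clean and
    # ends at the EBS root. It returns $true so AuthenticateAsClient does not throw
    # and the reason can be reported; the verdict lives in $state.Ok.
    $callback = [Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $state.Ok = ($policyErrors -eq [Net.Security.SslPolicyErrors]::None) -and
                    ($top.Thumbprint -eq $RootThumbprint)
        $state.Detail = "errors=$policyErrors, leaf=$($cert.Subject), chain top=$($top.Thumbprint)"
        return $true
    }
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        Write-Host ("{0}:{1} negotiated {2}; {3}" -f $HostName, $Port, $ssl.SslProtocol, $state.Detail)
    } finally {
        $tcp.Close()
    }
    return $state.Ok
}

$root = Get-EbsRootFromPackage -Path $PackagePath
Import-EbsRoot -Root $root -Thumbprint $ExpectedThumbprint
if (Test-EbsListenerChain -HostName $RemoteHost -Port $RemotePort -RootThumbprint $root.Thumbprint) {
    'OK: the listener certificate chains to the EBS root; RWW, TS Gateway and Outlook RPC/HTTP can trust it.'
} else {
    'FAILED: the listener certificate does not chain to the installed EBS root.'
}
```

The chain test is the part to keep around: a name mismatch or a leaf that was re-created on the Security Server after the package was copied shows up here as a policy error, before users report that Remote Desktop or Outlook Anywhere “just doesn't connect”.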

About the SSL Certificate for the Threat Management Gateway External Listener in EBS 2008

The secure socket layer certificate bound to the TMG External Listener is used primarily to encrypt traffic between remote clients and the Security Server. Essential Business Server setup creates this certificate as part of the setup process. The public facing certificate is what is known as a leaf certificate. Users connecting to EBS from the web commonly expect to use the following EBS 2008 functionality:

  • Remote Web Workplace
  • Outlook Web Access in Exchange Server 2007

EBS 2008 RWW Remote Web Workplace Logon

EBS 2008 - Check E-Mail (using Outlook Web Access ) and Connect to a Computer (using TS Gateway)


The SSL encryption provided by the certificate also supports other important remote access features as well and it is “essential” for the certificates to be installed for these features to work:

  • Connect to a Computer ( via terminal services gateway ) on the EBS local area network
  • Outlook Email client connecting to Exchange Server 2007 when connecting via Outlook RPC over HTTP using NTLM Authentication

EBS 2008 Remote Desktop Connection

EBS 2008 Connect Computer Terminal Services Gateway Logon


Creating a new EBS 2008 SSL Certificate and/or renaming an EBS 2008 SSL Certificate

Administrators can also add a new certificate to the Threat Management Gateway ( Security Server ) External Listener, replacing the existing one, by following these articles:

To learn more about Active Directory Certificate Services in Essential Business Server 2008, please read this TechNet article

You can learn more about EBS 2008 versions and the Threat Management Gateway MBE Security Server here ( or contact me at http://www.wigital.net ):

Thanks for reading. Please comment for the community. If this information has helped you, please link back here. It helps us as well as others who may need the information.

Thank you.
Mark Raborn
WIGITAL
