Category Archives: SBS 2008

Install a Certificate for Remote Desktop Services or Terminal Services on a Terminal Server

You’ll need a .pfx certificate for this guide. Once you have your certificate and any intermediates that need to be installed, export the certificate, include the entire chain in the export, assign a password, and then save the .pfx somewhere you can access it from the terminal server.

On the Terminal Server in Question:

  1. Click “Start” and then “Run”.
  2. Enter “mmc” and then click “OK”.
  3. Click on the “File” menu and then select “Add/Remove Snap-in…”.
  4. Click “Certificates” and then click “Add >”, when prompted choose option “Computer Account” and then click “Next >”.
  5. Select “Local Computer” and then click “Finish”.
  6. Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
  7. Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
  8. Click “Next >” and then locate the .pfx you saved earlier. Click “Next >”.
  9. Enter your password, and then click “Next >”, click “Next >”, click “Finish”.
  10. Now open “Remote Desktop Session Host Configuration”.
  11. Right click on “RDP-tcp” in the center of the window and select “Properties”.
  12. On the “General” tab, click the “Select” button, select your certificate, and then click “OK”.
  13. Click “OK” one more time, and then all future connections will be secured by the certificate.
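To confirm from the command line which certificate the RDP-Tcp listener is actually bound to after steps 10 to 13, the following added example (not part of the original post) reads the listener setting through WMI and looks the thumbprint up in the Personal store. It assumes an elevated PowerShell 2.0 or later session on Server 2008 R2 (the `root\cimv2\TerminalServices` namespace); the function names and the placeholder thumbprint are made up for illustration.

```powershell
# Added example: audit (and optionally set) the certificate bound to the RDP-Tcp listener.
# Assumptions: elevated PowerShell 2.0+, Server 2008 R2 WMI namespace.
$Namespace = 'root\cimv2\TerminalServices'

function Get-RdpListener {
    Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpListenerCertificate {
    $thumb = (Get-RdpListener).SSLCertificateSHA1Hash
    # The imported .pfx lands in Personal (My); a thumbprint that is not there
    # usually means the listener is still on its auto-generated certificate.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    $daysLeft = $null
    if ($cert) { $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays }
    New-Object PSObject -Property @{
        Thumbprint      = $thumb
        InPersonalStore = [bool]$cert
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = ($cert -and ($cert.Subject -eq $cert.Issuer))
        HasPrivateKey   = [bool]$cert.HasPrivateKey
        DaysLeft        = $daysLeft
    } | Select-Object Thumbprint, InPersonalStore, Subject, Issuer, SelfSigned, HasPrivateKey, DaysLeft
}

function Set-RdpListenerCertificate([string]$Thumbprint) {
    # Strip spaces and invisible characters that come along when the
    # thumbprint is copied out of the certificate dialog.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key; re-export the .pfx" }
    Set-WmiInstance -Path (Get-RdpListener).__PATH -Arguments @{ SSLCertificateSHA1Hash = $clean } | Out-Null
    Get-RdpListenerCertificate
}

# Report the current binding. To bind a certificate instead of using the GUI:
#   Set-RdpListenerCertificate 'PLACEHOLDER_THUMBPRINT'   # placeholder value
Get-RdpListenerCertificate | Format-List
```

A result with `InPersonalStore` false, `SelfSigned` true, or a low `DaysLeft` value is the cue to repeat the import and selection steps.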

 

Apply Internet Explorer Settings with Group Policy without preventing users from making additional changes

Let’s say you want to roll out some default settings to IE, but you don’t want to prevent users from making additional changes. In the past I’ve seen this done through the Site to Zone Assignment List GPO but you end up with users who can’t modify those settings once they are set at the GPO level. The problem is this: say you’ve got a partial list of websites that should be placed in Trusted sites, but you don’t have the full list and you know users are going to need to add additional sites ad hoc.

Here is the better way to configure these settings:

  1. Open Group Policy Management Console, and Create a new GPO
  2. Expand User Configuration, Policies, Windows Settings, and Internet Explorer Maintenance, and finally Security
  3. Double click on “Security Zones and Content Rating”
  4. If and when the “Internet Explorer Enhanced Security Configuration” warning appears click on “Continue”
  5. Change the “Security and Privacy Settings” section to “Import the current security zones and privacy settings” and then click the “Modify Settings” button
  6. Make all of the appropriate changes for your environment and then press OK. These will now be the default settings for any users whom this GPO affects.

To be clear, I’ve not tested to see if these settings will re-apply if they are removed by the users, but my hunch is that if a user tries to remove any of these settings, they will be reapplied the next time the GPO is processed.

Renewing a 3rd Party SSL Certificate on SBS 2008

Here is how to renew a certificate that’s expired or about to expire on your SBS 2008 Server.

  1. Open the Windows SBS Console
  2. Click on Network
  3. Click on “Add a trusted Certificate”
  4. Click “Next”
  5. Click “I want to renew my Current Trusted Certificate with the same provider” Click Next.
  6. Click Save to file and save the file.
  7. In this case we’re using GoDaddy, so log into the GoDaddy website using your username and password.
  8. Purchase an SSL renewal if you’ve not already done so and then launch your SSL Certificate control panel.
  9. Click Request Certificate on the right hand side.
  10. Copy the contents of the saved file from step 6 into the CSR section of the GoDaddy renewal wizard. Click Next on the CSR wizard twice. Click Finished on the CSR renewal wizard.
  11. Approve the confirmation email that GoDaddy sends, and then log back into your SSL Certificate control panel at GoDaddy.
  12. Wait for the Certificate to be processed, and then download the certificate with the updated expiration date. Select the Exchange 2010 download format.
  13. Extract the files to a folder, and then return to your “Add a trusted Certificate” wizard.
  14. Select the option for “I have a certificate from my certificate provider” and then click “Next”
  15. Click the “Browse” button and select the .crt file from the folder you just created. Click “Next”.
  16. Wait for the wizard to complete. If the wizard fails follow these instructions:
  17. Right click on your .crt file and select install. Follow the wizard to install it.
  18. Open your TS Gateway Manager and verify that on the “SSL Certificate” tab the proper certificate and expiration date are listed.
  19. Open your Exchange Management Shell.
  20. Run the following command and make note of the new certificate’s thumbprint: “Dir cert:\LocalMachine\MY | fl”
  21. Run “Get-ExchangeCertificate | fl” to see a list of all certificates and what services they are tied to.
  22. Verify that the newly installed certificate is configured for IIS, and any other services it should be attached to.
  23. Connect to https://127.0.0.1/owa and verify that the certificate being used is the newest certificate.
  24. If IIS is not using the correct certificate you’ll need to run this command from the Exchange Management Shell: Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -Services "IIS,IMAP,POP" where the XXX is the new thumbprint and the services listed are the ones that should be using the new cert.

Note: if you need more information on installing the certificate in Exchange you can read this.

Note: if you can’t figure out where the “TS Gateway Manager” is, you can read a write-up on how to enable it here.
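Steps 20 to 24 can be checked in one pass. The following added example (not part of the original post) connects to the local HTTPS listener, reads the certificate IIS actually presents, and compares it with the thumbprint noted in step 20. It assumes PowerShell 2.0 or later run on the SBS server; the function name and the placeholder thumbprint are made up for illustration.

```powershell
# Added example: confirm the renewed certificate is the one served on port 443.
$Expected = 'PLACEHOLDER_THUMBPRINT'   # placeholder: thumbprint noted in step 20

function Get-ServedCertificate([string]$HostName = '127.0.0.1', [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$served   = Get-ServedCertificate
$expected = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
$daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays

New-Object PSObject -Property @{
    ServedThumbprint = $served.Thumbprint
    Subject          = $served.Subject
    NotAfter         = $served.NotAfter
    DaysLeft         = $daysLeft
    MatchesExpected  = ($served.Thumbprint -eq $expected)
} | Select-Object ServedThumbprint, Subject, NotAfter, DaysLeft, MatchesExpected | Format-List

if ($served.Thumbprint -ne $expected) {
    Write-Warning "IIS is still serving a different certificate; run the Enable-ExchangeCertificate command from step 24."
}

# Inside the Exchange Management Shell, also show which services the new certificate is bound to.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate -Thumbprint $expected | Format-List Thumbprint, NotAfter, Services
}
```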

Installing 32 Bit Print Drivers on Server 2008 R2 or 2008 x64

Remember the days when you could right click inside of the “Printers and Faxes” window and add an additional print driver? Me too, but those days are gone my friend. Apparently Microsoft fired the “good ideas” guy.

So you’ve got 32 bit Clients and a 64 bit Server sharing a printer huh? Are Clients prompting for the driver every time you try to connect…?

Follow these steps to resolve it:

  1. First, download both the 32-bit and 64-bit versions of the EXACT SAME DRIVER. Make sure they are exactly the same (Lexmark 4600 and Lexmark 4600 XL are not the same; make sure yours are the same).
  2. Once both are extracted you can add them one of two ways:

Method one: Installing them from the server

  1. Open Server Manager
  2. Click Roles
  3. Add the Print and Document Services Role (really you say? Yes really.)
  4. After the Role finishes installing, click on Administrative Tools, and then Print Management
  5. Inside Print Management, expand Print Servers
  6. Right Click on the Print Server in question, and then Select Properties….
  7. Click on the Drivers tab and then Click Add. Click Next. Check off both X64 and x86 Drivers, and Click Next. When prompted select the location for one or the other, and when prompted again, specify the location of the remaining driver.
  8. Now Create a new printer, using the installed driver, and share it.

Method two: Installing the Drivers from the Client

  1. Install and share the printer as you normally would on the 2008 server
  2. From the client browse to the server using \\%servername%
  3. Open the folder “Printers and Faxes” from the \\%servername% window
  4. Right click on the empty white space and select “Server Properties”
  5. Click on the Drivers tab and then Click Add. Click Next. When prompted select the location of the remaining driver.

Remote Web Workplace 2008 Users can only see one or few computers in the list of computers to connect to (RDP)

I just noticed that some of my users that use Remote Web Workplace (on SBS 2008) don’t have the ability to connect to certain computers within the network when they attempt to view a list of all computers. To be honest, I’m not quite certain how the list was originally created for each user, and I’m far too lazy to spend any time trying to figure that out.

I’m already certain that users have the right to connect to each PC because there is already a group policy in place that grants Domain Users RDP permissions to each computer in the domain (You can read about how to do that here), it’s just that when they click to view a list of computers to connect to on the RWW website, they only see one computer, or at best a few computers.

I’ve tried to find a more eloquent way to do this, but failed. The only way I could change this list was to make individual changes to each User’s or Computer’s properties within the Windows SBS Console. This is fine for networks with 5 computers, but if you’ve got 50 computers this could become painful.

Here are the steps to add computers to a user’s list:

  1. Open the Windows SBS Console
  2. Click on “Users and Groups” at the top
  3. On the “Users” tab, right click the user in question and select “Edit user account properties”
  4. Select “Computers” on the left
  5. Highlight each computer individually, and then check the box labeled “Can remotely access this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to.

This can also be performed on a computer basis by following these steps:

  1. Open the Windows SBS Console
  2. Click on “Network” at the top
  3. On the “Computers” tab, right click the computer in question and select “View computer properties”
  4. Select “User Access” on the left
  5. Highlight each user individually, and then check the box labeled “Can log on remotely to this computer”
  6. Click Apply when done, and have the user log off of the RWW site, and log back on
  7. They should now be able to see all computers when they view the list of computers to connect to

That should do it, if anyone knows of a faster/better/easier way to do this please let me know.

When trying to use Remote Web Workplace on an SBS 2008 server you get error: (error 50331688)

Recently came across this problem on an SBS 2008 deployment (just missed the SBS 2011 release), where users were trying to connect to their computers using the Remote Web Workplace but were unable to, and were getting this error:

An internal error has occurred (error 50331688). For more information, please
contact your network administrator or Microsoft Product Support.

Turns out the problem is related to the Terminal Services Gateway not having a certificate configured.

To resolve this follow these steps:

  1. Open TS Gateway Manager MMC
  2. Select your server in the Left hand pane
  3. In the Middle pane, click “View or modify certificate properties”
  4. Click “Select an existing Certificate for SSL encryption (recommended)”
  5. Click “Browse Certificates….”
  6. Select the correct 3rd party certificate from the list, and then click “Install”
  7. Click “Apply”, and then try to connect via RWW again.

This should also resolve any issues you have when trying to connect in via RDP when using a Terminal Services Gateway.