Planning is everything

Status
Not open for further replies.

markdmac

MIS
Dec 20, 2003
12,340
US
When rolling out EBS, be sure to plan things out thoroughly and be sure to set up a test lab that fully duplicates your live environment.

My company deployed our first TAP customer on EBS. We have about 250 man hours into the project. A lot of time was spent/wasted because our customer's environment was more complex than what the typical EBS deployment will look like. We had multiple DCs in different physical locations. If you have the same thing, then be very careful about installing the TMG server in between the DCs. It will cause replication issues during setup that will block installation.

During our installation we had problems installing the management tools. This turned out to be a problem with SCE services not being started (pronounced SKI). If you run into any problems, check your services and make sure everything set to automatic is in fact started.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
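
The service check recommended in the post above can be run against all three EBS servers at once. This is an added example, not part of the original post; the server names are placeholders, and it assumes Windows PowerShell 2.0 or later with remote WMI access to each server.

```powershell
# Added example: list services whose start mode is Automatic but which are not running.
# The server names are placeholders (assumptions), not values from the thread.
$servers = 'EBS-MGMT', 'EBS-SEC', 'EBS-MSG'

function Get-StoppedAutoService {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            $stopped = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                -Filter "StartMode='Auto' AND State<>'Running'" -ErrorAction Stop
        }
        catch {
            # Report the failure: an unreachable server must not look like a clean result.
            Write-Warning "$computer : query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $stopped) {
            New-Object PSObject -Property @{
                Server      = $computer
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                ExitCode    = $svc.ExitCode   # non-zero usually means the last start failed
            }
        }
    }
}

Get-StoppedAutoService -ComputerName $servers |
    Sort-Object Server, Name |
    Format-Table Server, Name, State, ExitCode, DisplayName -AutoSize
```

Some Automatic services stop by design once their work is done, so treat the output as a list to review rather than a list of faults.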
 
Hi markdmac

I'm planning to implement EBS for a smaller customer too...
They're using SBS 2003 and we're planning the migration to EBS.
What are your experiences regarding the hardware sizing for this system, i.e. processor/memory/disks?

Thanks in advance

cheers Till
 
Go large on everything is my experience. According to Microsoft, my full time employer has more experience with EBS than any other company presently. We have the distinction of performing the first RTM installation worldwide and we have to date deployed the most complex roll outs as well as part of TAP programs.

Memory is everything as is disk space for an EBS roll out. Go with a minimum of 8GB of memory for all three servers. Your best bet is of course to look at the minimum requirements for EBS and go above those.

We did one installation (the first RTM one) that uses a single 2008 server running Hyper-V with the three EBS servers running as virtual machines. That box has 32GB of RAM. Each virtual machine has about 640GB of disk space available.

If you are converting from SBS, I highly recommend you virtualize your SBS machine and perform the upgrade against the virtual version of your server. That way if anything goes wrong you can power back on the real SBS server and still be in working order.

There are some issues with EBS that make me feel it is not yet ready for prime time. Namely, the replacement mode installation which does NOT work. I had a 17 hour support call with Microsoft over that before we got the SCE to work right. There is a DLL that does not get put back on the box in replacement mode. I'll try to get details on that for you and post details.

The installation itself is a bit flawed as well. It is hard coded to use Pacific Time Zone. Don't change that until after all the servers are up and running or you will encounter problems.

When the initial wizard starts for the installation (management server installation), just prior to where it will say syncing time with domain, you will want to press Ctrl+Shift+Esc to launch the task manager. Then use the File/Run command from there to launch CMD.

Once CMD is running, use NET TIME /SETSNTP:SERVERNAME to configure the authoritative time server for your domain (your SBS server name). Then use NET START W32TIME to start the time service. You will find your installation won't hang if you do this; it likely WILL hang if you do not.

Another problem to look out for is with the Security Server. You will find you will be getting WMI errors on all the servers. You need to create a rule in TMG to allow WMI access.

1. Firewall Policy -> Right-click -> Edit System Policy... -> Authentication Services\Active Directory -> Uncheck "Enforce strict RPC compliance"
2. Firewall Policy -> Right-click -> Edit System Policy... -> Diagnostic Services\Windows Network -> Check "Enable this configuration group"
3. Firewall Policy -> New ACCESS Rule:
* Name: allow WMI
* Action: Allow
* Protocols: All outbound
* From: Localhost & ManagementServer
* To: Localhost & ManagementServer
4. Right-click "allow WMI" -> Configure RPC Protocol -> Uncheck "Enforce strict RPC compliance"
5. Apply the settings, wait 2 minutes to take effect
6. Close wmimgmt.msc to close active connections and reopen

If you change the Admin password, you need to make sure you also change it in the SCE configuration or all the built in tools stop working. This is a truly dumb part of this server offering. Changing the Domain Admin password requires special steps rather than giving you a tool to reset that password.

In the SCE Console, reset the administrator password for all DOMAIN\Administrator entries under Type: Action Account and also for the Data Warehouse Action Account Type: Windows

Restart all 3 OpsMgr services after updating.

To avoid problems in the future, check “Password Never Expires” on the administrator account. This is different from “account never expires”.

This is documented in this article:

936221 The Run As Account that you create in System Center Operations Manager 2007 or in System Center Essentials 2007 does not run a task successfully


I hope you find this post helpful.

Regards,

Mark

 
Hi Mark

Wow, thanks a lot, that was really detailed and really helpful.

cheers Till
 
As promised, if you have an EBS server fail and need to do a replacement mode installation, you will want to have a good copy of this DLL to manually put back in place because the replacement mode installation messes this up.

C:/Program Files/Windows Essential Business Server/Bin/msfpccom.interop.dll

I hope you find this post helpful.

Regards,

Mark

 
One other item I want to mention about EBS, on the security server there is a link for the ISA Best Practices Analyzer (ISABPA).

The ISABPA tool has not yet been updated for 64-bit systems and while it will give you some good information, it will also give you incorrect/misleading information. As an example, it will report that the system has more memory than it can use and will suggest you edit the BOOT.INI file. Windows 2008 does not have a BOOT.INI file! An x86 server cannot access more than 4GB of memory, but an x64 system can. So the "error" is a false positive detection and the recommended fix does not even apply to the system.



I hope you find this post helpful.

Regards,

Mark

 
Mark,

Do you know if any documentation exists on configuring EBS to work with an existing firewall? Thanks for all the great info you have provided thus far!

hdavidson.
 
The only thing you will need to do is pass whatever ports you want to the security server. You could eliminate the ISA server, but then why get EBS? Half the tools would need to be re-engineered.

Doubling up on the firewall is not necessary, but also does not present a problem. Treat the firewall as if it is just a router when you configure EBS.

On the firewall side, set any NAT ports to all be directed to the Security Server and let it do the redirection as it is supposed to.


I hope you find this post helpful.

Regards,

Mark

 
SECURITY SERVER REPLACEMENT MODE INSTALLATION

Had our first security server need to be reinstalled and it looks like we uncovered yet another bug. Only took a total of 20 hours to sort out so I am sharing this information to spare others from the ordeal.

The symptom: You perform a replacement mode installation. Setup is successful for all steps and then fails at the very end after installing TMG.

Resolution:
Delete the ISAServerDefaultSettings.xml file on the Management server at C:\Program files\Windows Business Server Essentials\Data.

Explanation:

The end step of the security server installation is to copy the settings XML file to the management server. The setup utility is apparently incapable of overwriting that file and installation will abort despite all the real installation having been successful. Delete or rename the file anytime prior to the very end of the TMG installation and installation should complete.


I hope you find this post helpful.

Regards,

Mark

 
Recently noticed that Group Policy Preferences were not mapping drives as expected. This, it turned out, was due to the Group Policy Preferences Client Side Extensions not being installed.

GPP CSEs for Windows Vista (KB943729)
GPP CSEs for Windows Vista x64 Edition (KB943729)
GPP CSEs for Windows Server 2003 (KB943729)
GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
GPP CSEs for Windows XP (KB943729)
GPP CSEs for Windows XP x64 Edition (KB943729)


When implementing Drive Maps, I discovered it is important to create actions for NEW computers as well. A Replace method will not create a mapping if none exists.

I've found three ways to deploy this.

A. Use SCE and just approve it in the list of updates.
1. From the SCE console, select the Update space and on the right side click on "import from Microsoft Update Catalog".
2. If this is the first time on the site you will need to install a small ActiveX component.
3. Search for the CSE update we want to distribute and add it

B. Create our own package in SCE using some SCE tricks I learned:
1. Copy the “WUSA.exe”, “CMD.exe” to a new folder.
2. In the folder, create a bat file, for example, Windows6.0-KB943729-x86.bat. Then edit it to ensure it contains the following command:
Windows6.0-KB943729-x86.MSU
3. In the SCE console, navigate to the SOFTWARE pane.
4. Select “New software package”, browse to the new folder and select the CMD.exe
5. Select the check box of “Include all files and sub-folder in this location”.
6. In the installation parameter, input “-c Windows6.0-KB943729-x86.bat”.
7. Click Create and deploy this package to the VISTA clients.

C. Script it using a command line:
WUSA Windows6.0-KB943729-x86.msu /Quiet /NoRestart

The problem with options two and three is they will apparently fail on systems with UAC turned on.

The reason this can't be pushed out via normal software deployment is that the files for Vista are MSU and not MSI. GPOs only support MSI, MST and EXE files for software pushes.

The above requirement applies to SBS 2008 as well; however, the solution options related to SCE do not.

I hope you find this post helpful.

Regards,

Mark

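
A scripted form of the command-line option from the post above, which first checks whether the update is present and stops with a clear message when the session is not elevated (the UAC failure the post mentions). This is an added example, not the poster's script; it assumes Windows PowerShell 2.0 is installed on the Vista client, and the package location is a placeholder.

```powershell
# Added example: install the GPP client-side extensions (KB943729) on a Vista x86 client.
param(
    # File name is the one given in the post; its location here is an assumption.
    [string]$MsuPath = '.\Windows6.0-KB943729-x86.msu'
)
$kb = 'KB943729'

# wusa.exe needs an elevated token; with UAC on, a non-elevated run fails.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    Write-Error 'Not elevated: start this script from an elevated session.'
    exit 1
}

# Skip the install when the update is already recorded on this machine.
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "$kb is already installed."
    exit 0
}

if (-not (Test-Path $MsuPath)) {
    Write-Error "Package not found: $MsuPath"
    exit 2
}

# Call wusa.exe by full path and wait for it so the exit code can be checked.
$full = (Resolve-Path $MsuPath).Path
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "`"$full`"", '/quiet', '/norestart' -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "$kb installed." }
    3010    { Write-Output "$kb installed; restart required." }
    2359302 { Write-Output "$kb was already installed." }
    default { Write-Error "wusa.exe failed with exit code $($proc.ExitCode)."; exit 3 }
}
```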
 
I am currently experiencing the replacement mode woes after my messaging server died and I didn't have RAID 1. I have fixed that now and I am trying to get the server back up. When do you need to replace C:/Program Files/Windows Essential Business Server/Bin/msfpccom.interop.dll with a "good" copy? Can you copy this from say the management server? My messaging server gets to the Exchange install and then fails at the end of it when it is trying to create the Edge Subscription. It cannot seem to programmatically set up the subscription. I can set it manually and it works. I am currently talking to Microsoft but the tech is in a diff time zone and I get a response once a day. I am curious about the dll but does anyone have any other ideas? I attached a screenshot of the error. My email is totally down and I am desperate. Any help would be appreciated. Thanks in advance.
 
 http://download.jayhowerter.com/error.jpg
jayed,
I'm afraid you are the first person I know of that has had to do a messaging server replacement mode installation. So I am not at all surprised that you have encountered problems.

If you suspect that the same DLL is a problem (I don't think it will be) you can copy it over anytime before the wizard completes.

I'd suggest that you ask your contact for your PSS case to escalate the issue immediately. If you are paying for an incident and this is a business down situation, you should be able to get them to upgrade the case to a severity A issue. That means that they will work the case 24/7 and you need to be willing to do the same. I recommend that you have some food standing by so you are ready for an all-nighter. You can also request that they escalate the case to a higher level technician.

Contact me via one of my FAQs and I'll give you the name of who you should request be brought in to support you. I won't post their name publicly for fear of them getting inundated with mail.

I hope you find this post helpful.

Regards,

Mark

 
I am going through the partner support because I am a registered partner with the Action Pack. I will ask them to escalate. I don't know if they will since I am not paying for a support instance.
 
Even better if you are a partner. You have to specifically let them know that it is business down and they will escalate. I worked very closely with the team when EBS was first rolling out, my company did the first RTM installation (we are MS Gold Certified Partners). Click on my user name to get to my profile and then contact me from any of my FAQs and I will let you know who you want to ask them to call in to assist. There is only one guy that has the best chance of assisting you QUICKLY. The other engineers are all competent and will eventually find an answer but speed is the name of the game right now so your customer gets back up and running.

I hope you find this post helpful.

Regards,

Mark

 