Archive for Chad Gross
Third Thursday Webinar: Disaster Recovery options in Sharepoint
Posted by: | CommentsIt’s Third Thursday already! This Thursday at Noon eastern, Third Tier’s Chad Gross will present Disaster Recovery Options in Sharepiont. Sharepoint is an awesome application but if you’re like a lot of IT Pros then the idea of storing files, contacts, calendar, forms all in a SQL database is a bit scary because we aren’t SQL experts. Fortunately for us, Microsoft has implemented several new options for data recovery in sharepoint and the sql part turns out not to be that difficult. Chad will demonstrate how to recover data in Sharepoint using a variety of methods.
Third Tier has invited you to attend an online meeting using Live Meeting.
Follow these steps:
1. Copy this address and paste it into your web browser:
https://www.livemeeting.com/cc/harborcomputerservices/join
2. Copy and paste the required information:
Meeting ID: JCHM5Z
Entry Code: g$P5j6,Kq
Location: https://www.livemeeting.com/cc/harborcomputerservices
Where did it all go?
Posted by: | CommentsOk – so I have a somewhat funny story to share . . . About a week ago, I received a monitoring alert via Kaseya that free space on the C: drive on my SBS 2008 server was getting low. I logged in to the server, opened My Computer and it showed that I was using 73 GB of my 80GB C: partition. So I downloaded TreeSize Free to see what was taking up all of the space. The problem I ran in to was that TreeSize was showing that I was only using 31.9 GB of space on my C: – no where near the 73 GB that Windows was reporting. TreeSize did indicate that it couldn’t access the C:\PerfLogs or C:\System Volume Information. I manually verified the PerfLogs folder was empty, and I did find that I had approx 8GB in ShadowCopies for the C: drive that I didn’t need since all of my critical shares had been moved to a different partition, so I disabled ShadowCopies on the C: drive, but that still left me with a 33GB discrepancy between Windows & TreeSize . . .
At this point, I am going to share two crucial bits of information: 1) This is the first time I’ve dealt with low-drive space on a Windows 2008 box. 2) I’ve been using TreeSize for years, and by force of habit, I always open My Computer, right-click on the drive I want to scan and launch TreeSize from the context menu. So can you see where I went wrong?
Yep – I was quietly bitten by UAC in SBS 2008. By launching TreeSize in my normal fashion, TreeSize was not running with elevated permissions and was unable to access all of the directories on the drive, many of which were several layers deep. Interestingly enough, TreeSize Free didn’t throw any errors when it encountered a directory it couldn’t access. Once I launched TreeSize Free from the Start Menu with elevated permissions, it was able to scan the full drive and show me my smoking gun – 27GB of IIS logs for the WSUS Administration site collected over the last 12 months. So after cleaning up my unnecessary Shadow Copies & purging old IIS logs, I’m back to 41.2 GB (51.5%) free space on my C: drive . . .
So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.
Get Support 
Blog 
Twitter 
Facebook 
LinkedINGroup Policy Loopback Processing
Posted by: | CommentsSubtitled – “Wow, I learned something new today!”
So in the Third Tier support queue today, Jon posed an interesting question:
How do I exclude Folder Redirection from applying to one domain-joined laptop that is out of the office & disconnected from the domain most of the time?
To revisit Group Policy basics for everyone – GPOs can apply to either computer accounts or user accounts. GPOs that apply to computer accounts are processed when computers boot up (we’ve all seen the “Applying Computer Settings” message during startup), and GPOs that apply to user accounts are processed during login. Obviously, Folder Redirection is a user setting in Group Policies, and GPOs don’t have the same targeting options that Group Policy Preferences do. So how do we have different GP user settings implemented when users log in to specific machines? Via User Group Policy loopback processing, of course . . .
So what is User Group Policy loopback processing? It is a Group Policy setting that applies to Computer accounts. When enabled, it effectively tells a computer to process User Settings in GPOs that apply to the computer account whenever a user logs on to that computer. As a result, we are able to define user GP settings in a GPO applied to computer accounts instead of user accounts.
User Group Policy loopback processing can be enabled in one of two modes: merge or replace. In merge mode, both GPOs applying to the user account and GPOs applying to the computer account are processed when a user logs in. GPOs that apply to the computer account are processed second and therefore take precedence – if a setting is defined in both the GPO(s) applying to the user account, and the GPO(s) applying to the computer account, the setting in the GPO(s) applying to the computer account will be enforced. With the replace mode, GPOs applying to the user account are not processed – only the GPOs applying to the computer account are applied.
In Jon’s specific case, he wanted to exclude Folder Redirection for one remote laptop. The folder redirection settings in Group Policies do not have a “disable” option – only “Not Configured” or enabled via the “Basic” or “Advanced” modes. Since there isn’t an option to explicitly disable Folder Redirection, the merge option would not meet Jon’s needs, since the user GPOs would be applied and Folder Redirection would remain enabled on the laptop. By using the “Replace” mode and not defining Folder Redirection in the GPO that applies to the computer account, Jon is able to achieve his desired result.
Take-aways on User Group Policy Loopback Processing:
- This is a COMPUTER setting, which is found under Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy Loopback Processing Mode
- You want to create a new OU in AD that is dedicated to computer accounts that will have loopback processing enabled.
- Create a new GPO in your new OU to enable User Group Policy Loopback Processing and set the appropriate mode (merge / replace).
- You will define the user settings you want to apply to the loopback-enabled PCs via GPOs in this same new OU. You can define these settings either in the same GPO where you enabled the User Group Policy Loopback Processing setting, or you create another new GPO in the same OU for your user settings.
- Remember that when using the REPLACE mode, none of your other user GPOs will be applied when a user logs in to a machine that has loopback processing enabled. ONLY the user settings that are defined in the GPOs that apply to that machine will be applied.
So who wrote this blog and what do they do for a living anyway?
We’re Third Tier. We provide advanced Third Tier support for IT Professionals.
Get Support Blog Twitter Facebook LinkedINManaging SBS 2008: Sharepoint Recording Posted
Posted by: | CommentsThe recording for the March Managing SBS 2008: Sharepoint with Chad Gross has been posted. Chad covered Sharepoint from a real world small business point of view complete with suggestions on where the demonstrated feature would be valued by your customer.
This recording and all previous are available on the Store tab of our website. http://www.thirdtier.net/store
Migrating a WSS 3.0 Site to SBS 2008
Posted by: | CommentsOk, so I’ll give Nicky kudos for beating me to the punch on this topic. But, I’m also going to provide a better way to accomplish this task 
So let’s consider this scenario. You have an SBS 2003 box, and at some point in time you completed a side-by-side installation of Windows SharePoint Services 3.0, and you have been using your WSS 3 site instead of the default WSS 2 companyweb site on SBS 2003. Now you have this shiny new SBS 2008 box that is running WSS 3.0 already.
Nick’s article gives you an option to move your WSS 3.0 site from your SBS 2003 box to the companyweb site on your SBS 2008 box. But there’s one downfall – by using the backup & restore functionality in SharePoint’s stsadm utility, you’re effectively deleting the stock SBS 2008 companyweb site, and putting your existing WSS 3.0 site in its place. That may not be a huge deal, but what if you want to use the SBS fax service and have faxes routed to your companyweb? Well the fax library doesn’t exist (unless you’ve manually created it exactly like the SBS team had it). Not to mention, your WSS 3.0 site that you restored most likely isn’t set up with the same security that the stock SBS 2008 companyweb used – meaning new users won’t automatically have access to the site unless you tweak the permissions.
Instead of yanking out the stock SBS 2008 companyweb and replacing it with your existing WSS 3.0 site, the better solution is to integrate your existing site into the SBS 2008 companyweb. And believe it or not – it is entirely possible (and even pretty simple) to do so
First and foremost – in order for this to succeed, you need to be running the same version of WSS 3.0 on both your SBS 2003 and SBS 2008. On both servers, open SharePoint 3.0 Central Administration, navigate to the Operations tab, then click on the Servers in Farm link. This will show your server along with its WSS version (e.g. 12.0.0.6303). Install any missing Service Packs / Updates so both servers are at the same version. Penny has a great post here on identifying what updates correspond to what SharePoint version.
On your SBS 2003 box, open a command prompt and navigate to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\bin and enter the following command:
stsadm –o export –url http://[sitename] –filename [output path] –overwrite –includeusersecurity –versions 4
Where [sitename] = the name of your existing WSS 3 site and [output path] is the path to the directory where you want to store the export (e.g. D:\WSSExport\sitename.dat ). If the path includes long file/folder names, enclose the entire path in double quotes (e.g. “D:\WSS Export\sitename.dat”
This command exports the contents of the specified site. The –overwrite flag tells stsadm to replace the output file if it already exists. The –includeusersecurity flag does just that – tells stsadm to include user security settings for all entities in the site. Finally, the –versions 4 flag tells stsadm to export all versions of list items and documents.
By default, stsadm will create a new file when the output file reaches 25MB in size. So if your resulting export is 90 MB, you will have four files – the first three being 25 MB each, and the last being 15 MB.
Once the export completes, copy your export file(s) to your SBS 2008 box. Then, on your SBS 2008 server, open a command prompt with administrator privileges. Navigate to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\bin and enter the following command:
stsadm –o import –url http://companyweb –filename [input path] –includeusersecurity
Obviously, [input path] is the path to the location of the export files you copied to your SBS 2008 box. Again, if there is a long file / folder name, enclose the entire path in double quotes. If the output produced more than one file, you should specify the first file in this command e.g. “D:\WSS Import\sitename.dat”
When the command completes, you can navigate to http://companyweb. Your first impression will be that you are looking at your original WSS 3.0 site – because the companyweb will be using the theme, Quick Launch & Top Link bars from the imported site. However, the two sites have actually been merged in to one.
- Every list, library, and sub-site from your previous site that did not already exist in the SBS 2008 companyweb was created with the previous security settings and all content (including versions) restored.
- Every list, library, and sub-site that exists in both sites have been merged, so that content from the export has been added to the corresponding entity in the SBS 2008 companyweb. (For example – if your original WSS 3.0 site included an Announcements list, you will see that both your previous announcements and the SBS 2008 companyweb announcements exist in the same announcements list).
- SBS 2008 companyweb entities are still present – including the Fax Center document library and the Archived E-Mails sub-site.
- Security for the two sites have been merged. The default groups used by SBS 2008 are still present and granted access. Additionally, user permissions from your original site have been merged in to the site as well.
At this point, you just have some basic tweaking to do – including adding the Fax Center library and/or Archived E-Mails sub-site to the Quick Launch, etc.
For simplified administration moving forward, I recommend reviewing permissions throughout the site and replacing permissions on the old site with the groups used by SBS 2008. The fewer groups that are used, and the fewer explicit permissions granted to specific users, the easier your SharePoint security administration will be moving forward. Note that you can add Active Directory Security Groups as members to SharePoint groups. This way you can use SharePoint groups to control access to libraries, lists, & sub-sites in SharePoint. Additionally, you can then create new User Roles in your SBS 2008 Console that include membership to necessary AD Security Groups. This way, when you create a new user via the SBS 2008 console, you can select the correct User Role, and the resulting new user will automatically have access to the right areas in your companyweb.
Windows SharePoint Services 3.0 and the IIS default web site
Posted by: | CommentsSo I was visiting with a friend last night, and he indicated that he was having a bit of a problem with his WSS 3.0 installation. Short story is that he has a dedicated Win2k8 box acting as a web server on his domain for internal sites. They have several web-based LOB apps that run on that box, all as virtual directories under the default web site. Even though they are running SBS 2003 with its WSS 2.0 companyweb, they wanted to install WSS 3 to take advantage of the new wiki site template. So, they installed WSS 3 on the web server, which immediately broke their LOB apps.
So what happened?
When you first install WSS 3.0 and run the SharePoint Configuration Wizard, SharePoint creates a new web application (SharePoint – 80) and creates a new web site in IIS that takes over the default site. Dana recognized this, so within IIS he edited the bindings for the SharePoint site to use port 81, allowing him to re-enable the original default website in IIS and get his LOB apps back. The problem? Not only was it a pain having to enter :81 after the servername to access the site, but clicking links on the SharePoint site continued to want to use port 80, resulting in constant 404 errors.
So how did we fix it?
If you’re new to SharePoint, it is worth taking a little time to explain some of the architecture and terminology around SharePoint 3.0 to help put the answer in to context. First, it is important to understand the distinction between a SharePoint web application, and an IIS web site. SharePoint (whether WSS or MOSS) can have multiple web applications. These are created via SharePoint Central Administration. You can think of a SharePoint Web Application as your top-level SharePoint site – but it is distinctly different from a website in IIS. An IIS site that is mapped to a SharePoint web application can be thought of as a gateway to access the SharePoint web application. You can delete the site from IIS without affecting any of the content in the SharePoint application. (Obviously you won’t be able to access the SharePoint web application without an IIS site, but none of the SharePoint web application content or configuration is stored in the IIS site).
There are several benefits to this approach – including the ability to have multiple IIS sites mapped to a single web application, with each site being bound by a different SharePoint security zone. The distinction between the web application and the IIS site in Dana’s situation is that the original IIS site that was bound to port 80 with no host header was separate from the actual SharePoint web application, and even though that was the initial IIS site created to access the SharePoint web application, it isn’t necessary to use that IIS site.
The simplest solution for Dana was to create a new IIS site that used a host header to access his SharePoint web application. This is actually very simple and straight-forward to do from within SharePoint Central Administration:
- Open SharePoint Central Administration (Start | Administrative Tools | SharePoint 3.0 Central Administration) on your SharePoint server.
- Click on the Application Management tab
- Click on the link to Create or Extend an Existing Web Application
- Click the link to Extend an Existing Web Application (we are extending an existing web application to another IIS site)
- Select the web application you want to extend. (The default SharePoint web application on a stand-alone WSS installation is SharePoint – 80. On SBS 2008, the companyweb application is remote.yourdomain.com:987 )
- Select the option to create a new website and enter a description that is meaningful to you (this will display in IIS)
- Change the port to 80
- Enter a value for the host header (in Dana’s case, we used wiki – obviously, you will need to create the necessary DNS records so your host header name can be resolved via your internal DNS. I personally prefer to create a CNAME (alias) that resolves to the host (server) that is running SharePoint. Alternately, you could also create a new A record).
- In a typical small business deployment, you will accept the default security configuration options
- Select the appropriate zone and click OK.
This will create a new site in IIS that is mapped to the web application you selected. After we had created the new site for Dana and created the necessary CNAME record for wiki in his DNS, we were able to browse to http://wiki on his internal systems and access the SharePoint application successfully, and navigate without 404 errors.
Additionally, we were able to delete the original IIS site that Dana had changed the bindings to port 81. Since Dana & co were now accessing the web application via the new site (http://wiki) we didn’t need the original site on port 81 any more. We also did this within SharePoint central administration:
- Go to the Application Management tab
- Click the link to Remove SharePoint from IIS Web Site
- Select the web application
- Select the site
- Optionally select to delete the site from IIS (which we did select in Dana’s case)
So why was Dana getting the 404 errors after he changed the bindings to a new port number in IIS? If you go back to the page where we extended the web application, take note of the description under the Load Balanced URL section:
The description reads: “The load balanced URL is the domain name for all sites users will access in this SharePoint Web application. This URL domain will be used in all links shown on pages within the web application. By default, it is set to the current servername and port.”
When the SharePoint Configuration Wizard created the initial web site in IIS, the SharePoint load balanced URL for that site was http://servername:80 - which will resolve to the default website on that server. When Dana changed the port to 81 and re-enabled the original default website, links in the SharePoint web application (when accessed from the original IIS site) all used the Load Balanced URL, which resolved to the re-enabled default website on port 80 – thus resulting in the 404 errors.
The moral of the story here? Well there are a couple:
- You can have as many IIS sites linked to a single SharePoint web application as you want.
- When administering SharePoint, do as much as you can in SharePoint Central Administration. Chances are you won’t get the results you want if you try to make changes (such as site bindings) via IIS.
One of my personal rules when it comes to IIS is to leave the default website alone. Personally, I always create new websites in IIS and use host headers to access those sites – so everything is accessible on port 80 (assuming http) and users don’t have to remember weird port numbers, etc. Additionally, using host headers gives you the freedom to move websites to different web servers without affecting the end-user experience. Just update your DNS record for the host header value to point to the new server and voila! – users are accessing the same site via the same URL and have no idea it has been moved to a different physical box. And this is true of all web applications I use – DotNetNuke, Community Server, etc.
The only exception to my rule of putting each web application in their own IIS web site is when we need multiple apps all on the same server accessible via SSL. Since SSL traffic is encrypted, IIS is unable to inspect the host headers, meaning it can only direct SSL requests to the correct site based on the IP / port combination. So, to have multiple web apps on a single box accessible via SSL, we either need to have multiple sites all on one IP listening on different ports (443, 444, etc.), or multiple IPs on the box so each site can listen on 443 on a separate IP, OR configure the different web applications as virtual directories under one IIS site that is listening on 443 for the one / all IP addresses. Depending on the number of applications you need accessible via SSL, it can makes more sense to configure those apps as virtual directories under a single site, so you reduce your administrative overhead by not having to administer multiple IP addresses / ports / SSL certificates. But even then, I create a new site in IIS to put everything under instead of using the default site. Yeah, I know – I’m weird like that
Of course – there is always more than one way to skin a cat, so there is a completely different method we could have taken to fix Dana’s issue as well.
Let’s say there was a business need for Dana’s web applications (that were all virtual directories under the default site) to be accessible as virtual directories under his SharePoint site. This approach was actually recommended to Dana by other individuals telling him to add an Application Exclusion to the SharePoint site. Dana couldn’t find out how to do this – but there is good reason why: Application Exclusions don’t exist in SharePoint 3.0.
Here’s the deal: SharePoint 2.0 and 3.0 have considerable distinctions in their architecture. For example, when you extended SharePoint 2.0 to a website in IIS, SharePoint assumed that the entire IIS site would be devoted to the SharePoint application. As a result, if you wanted to have non-SharePoint virtual directories under the IIS site, you had to tell SharePoint 2.0 to exclude those virtual directories from its management, allowing the web applications in those virtual directories to work as intended.
SharePoint 3.0 uses a different approach. Instead of assuming the entire IIS site is devoted to the SharePoint web application, you have to explicitly tell SharePoint what paths in the IIS site are managed by SharePoint. When we create a new SharePoint Web Application, SharePoint assumes that it will manage the root path as well as everything below the /sites/ path. (Hint: when you create a new web application and are on the Create Site Collection page, this is why you have the to options for the URL: http://hostheader/ or http://hostheader/sites/ )
What this means is that SharePoint 3.0 plays very nicely with other web applications in the same IIS site. So in Dana’s case, when he first installed SharePoint 3.0 and it created a new IIS site that replaced his original default website, he could have simply recreated the virtual directories for each of his web based LOB apps under the IIS site SharePoint created as long as none of them used the sites name, since that was defined as a Managed Path for the SharePoint web application. And even then, if he wanted to use the sites path for a non-SharePoint application instead, he could have removed the sites path from SharePoint management.
You can administer SharePoint’s managed paths from SharePoint Central Administration. Simply navigate to the Application Management tab and click the link for Define Managed Paths. When you add a managed path, you specify what type of inclusion it will be. There are two types of inclusions – an explicit inclusion and a wildcard inclusion. An explicit inclusion means that SharePoint will manage just that path, where as a wildcard inclusion tells SharePoint that every path under the wildcard inclusion path should be managed. This is particularly useful if you are enabling self-site creation for users, so they could effectively create their own site collections (top-level SharePoint site) under a common directory (e.g /sites/).
Originally posted at www.msmvps.com/blogs/cgross
Managing SBS 2008: Sharepoint w/ Chad Gross
Posted by: | CommentsSave the Date! Third Thursday March 19th @ Noon (eastern)
This month we’re going to discuss Sharepoint. In this session Third Tier welcomes staff consultant, Chad Gross to educate us on what’s new in Sharepoint in SBS 2008 and how to manage it.
Chad will discuss document versioning, how to e-mail a Sharepoint document library, how to use the new e-mail archiving feature, and of course backup and disaster recovery among a few other things.
Amy & Chad will also banter a bit on why your customers should use Sharepoint.
Please join us!
When: Thursday, Mar 19, 2009 12:00 PM (EST)
Scheduled to Occur: Once
Duration: 1:30
Third Tier has invited you to attend an online meeting using
Microsoft Office Live Meeting.
https://www.livemeeting.com/cc/mvp/join?id=9THDZK&role=attend&pw=RpJ%285j%3A%2F6
Meeting time: Mar 19, 2009 12:00 PM (EST)
Add to my Outlook Calendar:
https://www.livemeeting.com/cc/mvp/meetingICS?id=9THDZK&role=attend&pw=RpJ%285j%3A%2F6&i=i.ics
AUDIO INFORMATION
-Computer Audio(Recommended)
To use computer audio, you need speakers and microphone, or a
headset.
FIRST-TIME USERS
To save time before the meeting, check your system to make sure it is
ready to use Microsoft Office Live Meeting.
http://go.microsoft.com/fwlink/?LinkId=90703
TROUBLESHOOTING
Unable to join the meeting? Follow these steps:
1. Copy this address and paste it into your web browser:
https://www.livemeeting.com/cc/mvp/join
2. Copy and paste the required information:
Meeting ID: 9THDZK
Entry Code: RpJ(5j:/6
Location: https://www.livemeeting.com/cc/mvp
If you still cannot enter the meeting, contact support:
http://r.office.microsoft.com/r/rlidLiveMeeting?p1=12&p2=en_US&p3=LMInfo&p4=support
NOTICE
Microsoft Office Live Meeting can be used to record meetings.
By participating in this meeting, you agree that your communications
may be monitored or recorded at any time during the meeting.
