Small Business Server 2003 Upgrade from Hell

Last week, I decided to take a few vacation days and fly out to Ogden, Utah to help my wife’s old company upgrade from Small Business Server (SBS) 2000 to SBS 2003.  They are a small, 10 person operation that manufactures high end ski and board apparel (www.descente.net or www.ridedna.com).  The have a main office in downtown Ogden, a warehouse about 5 blocks away and a Canadian office in Vancouver.

 

The primary reason for the upgrade is that the president now resides in Canada, and his mailbox is back in Ogden.  OWA is great, but it times out and the Exchange 2000 version was not the best and fastest interface.  So, RPC/HTTP aka Outlook over the Internet is the perfect solution!  BTW, his laptop runs Windows XP Japanese as well as Office 2000/Outlook 2003 Japanese but when I sit down it almost looks like I can read Japanese because I have almost everything memorized, I was often asked by other employees if I spoke Japanese.

 

Anyway, SBS has always meant in my mind “super tight integration of Microsoft Infrastructure products and a super easy GUI for non-computer type people to manage their business”.  Of course another way of saying this is “I am going to hate using the SBS tools, please god give me normal MMC consoles”.  I also thought, “what a simple upgrade this is going to be, should I fly out or can I do it over VPN if someone sites there on the phone with me”.  Flying turned out to be a godsend.

 

First of all, support calls for Microsoft employees are not free.  We either have to pay, or we get 3 Quick Assist calls that we can give to people.  These are mainly meant to give to the guys that stop you and say, “Hey you work for Microsoft?  I have Windows 98’ and I can’t print to this HP LaserJet II, can you help?”  In this case, I needed all three Quick Assists and didn’t have any with me so I bummed a couple from coworkers.

 

Here are the highlights:

 

Support Call 1:

SBS upgrade halted, keeps insisting that “All domain controllers could not be contacted”.   Some braniac when the system was first installed decided to implement a second DC on some old hardware.  The hardware failed shortly after installation and AD was never cleaned up. 

 

I made sure that all the roles were seized by their primary DC (they were).  And I tried to delete the DC out of the domain, no luck.  I used NTDSUTIL, ADSI Edit, DNS srv records, everything was gone, but it still insisted that “All domain controllers could not be contacted”.

 

Support ended up finding a way around this little check in the upgrade process and we were able to continue with the upgrade.

 

Support Call 2:

ISA 2004 is included in on the Technologies disk of SBS 2004 Premium Edition.  They don’t’ advertise that, but I feel it is critical because the ISA 2004 GUI is worlds better than ISA 2000/Proxy Server 2.0.

 

During the install, ISA would bomb out with a .Net runtime error.  It appeared that ISA completed installing itself and the MSDE for ISA, but it never installed the rules for SBS.

Turns out that the SBS wrapper around ISA 2004 forces it to utilize some of the SBS Admin tools that get installed.  The Admin tools were never installed during the upgrade, and I never unselected them.  To me, there must be a bug in the upgrade process or they purposely defaulted them not to be installed.

 

After installing SBS admin tools, I reran ISA setup and it went through fine.

 

Support Call 3:

After a long debate with SSL certs because for some reason their old SSL cert didn’t correctly move over to the Windows 2003 certificate store, I had to have the cert authority reissue it. 

 

After reissue, I imported it into both IIS and used it for the web listener in ISA.  It is a cert from www.xramp.com that has a public cert authority at very reasonable prices.

After OWA, OMA, and EAS were working, I decided to tackle RPC/HTTP for the president and their warehouse.  By this time, I had flown back home and I built a Windows XP Virtual Server image and joined it to their domain to test RPC/HTTP.  I VPN’d in from my Virtual Server image, joined the domain and got standard MAPI over TCP/IP working, cool!  I disconnected the VPN, and setup the RPC/HTTP proxy settings on the client, and I new that the Outlook settings were correct and the certs were good, but it wouldn’t connect.  It kept prompting me for login credentials.

 

Support traced the problem to the “Proxy Authentication Settings” being set to NTLM Authentication, for SBS apparently it must use Basic Authentication.  The support tech also claimed that you can’t hit the “Check Name” button when you use RPC/HTTP, which I knew for a fact not to be an issue when you initially create the profile with TCP/IP.  I tested this, and there isn’t an issue if you create a profile when you have the full MAPI TCP/IP connection, and later add RPC/HTTP.

 

Summary:

I am disappointed that this wasn’t as smooth as an update as I expected.  Again, SBS is targeted at business of 100 or less people that probably don’t have a full time IT person, or have access to $295 per incident support from Microsoft.

 

In dealing with the SBS products, there seems to be a GUI that has simplified administrative tasks, but the underlying technology seems to still be hobbled together.  Many of the products are wrapped or functionality is hidden/taken away, and don’t appear to be engineered from the beginning to work together on a single server.  Overall, I highly recommend SBS 2003 especially since the premium edition includes ISA 2004.  But, I think that we need to have the SBS teams sit in early on Windows, Exchange/Office, ISA, and SQL engineering design sessions and architect those products to operate better together on a single box to give SBS the reliability and ease of updates it deserves.