Windows Server 2003 & Windows 11

You were wise to get out, because you are never going to get this, ever, in most of the SMB space.

Referring to basic security in the "S" side of the SMB space....yes you can (get them on supported/patching/managed AV/MFA/offsite backup/etc)

...the smaller side of the SMB space is the vast majority of our customers.

Another thing to think about....that 2003 server..how old is the hardware? I'd go out on a limb and wager it's a bare metal install. And likely on spindle hard drives. Likely starting to tiptoe on thin ice....
 
Referring to basic security in the "S" side of the SMB space....

Which, of course, I was not. I don't quote what I quote because I'm talking about something else entirely.

This was what I quoted, and was replying to: "Having a fully matched and supported fleet of machines, with functional AV, and cloud services backed with proper MFA is the bare minimum."

You will be incredibly lucky if you ever have "a fully matched and supported fleet of machines" in most tiny sized small businesses that have grown slowly, over time, and acquired equipment as they have done so.

I simply presume anyone running Windows has functional AV.

Many tiny businesses do not use and will not be using cloud services.

I'm done arguing MFA. Those who want to use it use it, those who don't don't where any option exists. It's far more common than it once was, but it's not universal, or even close.

So I stand by my assessment that if what was stated "is the bare minimum" you need to get out of this space, because you are virtually never going to get that package, and you aren't going to be able to force it, either.
 
@britechguy

I don't have to force anything, the market is doing it for me. I got out because I was sick of being the whipping post for the idiots that don't understand, or feel it's necessary.

And you being an apologist for that stupidity doesn't help.

MFA all the things, or go out of business. That will be the next half decade.
 
I know regions can vary, and I sorta know the region you're in, I just can't get what makes SMBs so resistant to "IT guidance" in other areas (according to other IT people in those areas). It's not like I live in Beverly Hills or downtown Manhattan and I'm spoiled by mega-rich businesses. Honestly I find businesses where I am...to be fairly open and receptive to guidance from us, it's what they hire an IT guy for. And the technology is doing that for us anyways....people have been starting to get used to it from other things they use. Microsoft or Google flips it on, we make it easier and more painless for our clients to use on a day to day basis. The "big 2" for email are already doing the work for us.

Apologies for my misplacing an m with a p....sometimes my fingers or my head get dyslexic in the mornings when typing fast.
 
I just can't get what makes SMBs so resistant to "IT guidance" in other areas

It's not a matter of being resistant to guidance, it's money.

The first thing in the prior list was, "fully matched and supported fleet of machines." I expect supported (to the maximum extent possible, but I do walk in to situations such as the Windows Server 2003 one all the time) but matched, good luck. The set of 4 machines I just acquired for this tiny business is probably the first time in their entire history where they had 4 matched machines, ever. And because what's been acquired are custom builds, and the rate at which technology changes, getting another matched one will likely become impossible in very short order.

Tiny small businesses very seldom have matched fleets of machines, and don't have the money to create one just because that's what I, or any IT person, might prefer.

There are still a huge number of residential and small (as in very small) business users who do not trust the cloud and will not use subscription service for something like Office because they just don't need or want much of what M365 offers and, again, money. This business I'm working with was absolutely thrilled to learn that there are options other than M365 because all they use, and likely ever will use, are the word processor and spreadsheet.

There are lots and lots of businesses that do just fine but are still, in the grand scheme of things, operating on a shoestring budget compared to those that have their own IT departments or even who can afford to engage an MSP. Those sorts of businesses aren't going away anytime soon. Anyone who thinks they're going to "convert" them to be what they want them to be, tech wise, is living in a fantasy world. If you do business in that arena, you have to meet people where they are and generally get them to where they need to be via stepwise refinement. And if you can't or won't do that, you really do have to exit that space.
 
I actually agree with a bit of that (surprising huh?)
However I'll inject that...while there are many small businesses on a tight budget (and all those other negative connotations you listed)....there's often wiggle room to be had.
*Matching systems. I don't recall tossing that term out there, I'll often say it's nice to have all our clients on "true business grade computers"...yes we strive for that. But we'll take on clients that may have motherboard of the month club cloners...after a discussion of some upgrade/replacement plan. Most important right out of the gate at least is that they're on a supported OS. If any lingering Win7 computers...a plan to replace..or at least upgrade...those...pronto.
*The term "convert them"...I prefer to use the term "educate", or "advise". I don't consider that a fantasy world either. I have lived in this precise arena for around 30 years.."IT for SMB". Sure...we run into those businesses that simply don't want to bother in the least bit. And that's fine. Not all people are perfect matches for each other. Not all businesses are matches for each other. I'm excited to meet businesses who immediately jump at the opportunity to get "up to speed right away". And I'm still excited to meet businesses who are willing to have a conversation and engage us with the goal of "getting up to speed over time"... (stepwise refinement as you phrased it). And I'm aware that not all potential clients are a good match for us, and I'm perfectly fine walking away and looking for others who will be in either category 1 or 2. There are PLENTY of businesses out there who will fit in category 1 and 2...more than enough to keep our plates full.
 
@YeOldeStonecat

By the way, when I said "convert" I meant get them to change, wholesale, all at once, and to suit my every desire.

I generally have quite a bit of luck in getting people to listen to reason and work toward a goal. But it's a process, it occurs over time, and I often have to work with "what's available now" at every step of that process. That's the reality.
 
Well, since the option of dumping the Windows Server 2003 that's in the mix is not something that can happen in the very near term, I was thrilled that it really was as simple as running the following PowerShell command:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
letting the computer restart and enable it, then logging in when first access was attempted to get the shop's brand spankin' new CAD/CAM workstation talking to the server again.

We're talking about storage replacement paths now, and given that the total data involved is about 850GB (give or take), the options are myriad, including having everything that they're currently storing on that ancient server safely tucked in the cloud. And since with the current arrangement the backup of the backups is already stored in cloud storage, the client is not afraid of it, either.

The question becomes what option(s) are best for them for the long term. My guess is that we'll end up with a combination of local backup and storage with both of these then backed up to the cloud. But it may end up being cloud-only for anything not resident on the individual computers on the LAN since they have, in effect, been storing virtually everything on the server with mighty little at all on each individual computer.
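An added check to go with the one-liner above (example code, not from the thread): the workstation only needs to act as an SMB1 client toward the 2003 box, so this enables the client half only and confirms afterwards which dialect was actually negotiated. It assumes the SMB1Protocol-Client and SMB1Protocol-Server optional sub-feature names as shipped on Windows 10/11 and an elevated PowerShell session.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumes the SMB1Protocol-Client / SMB1Protocol-Server sub-features exist
# on this build (they do on current Windows 10/11 images).

# Report what is currently enabled before touching anything.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# The workstation only needs to *talk to* the 2003 server, so enable the
# client half only and keep the server half off: this machine should not
# itself accept SMB1 connections from anything else on the LAN.
Enable-WindowsOptionalFeature  -Online -FeatureName SMB1Protocol-Client -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server -NoRestart

# Belt and braces: the SMB server service has its own SMB1 switch.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# After the reboot and the first drive mapping, check which dialect each
# live connection negotiated. Only the 2003 box should show SMB 1.x;
# anything else on the LAN should still be at 2.x or 3.x.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

A restart is still required for the feature change to take effect, as the original one-liner also needed.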
 
"fully matched and supported fleet of machines."

Typos suck... what I meant to say was "fully patched, and supported fleet of machines"

I don't expect SMBs to have a uniform fleet, they buy rigs based on when they need it. Which is why I did so much with Dell refurbs, and still do!

A solid fleet need not be expensive, indeed my methods are CHEAPER than the obvious alternatives over time.
 
But what do you mean by "fully patched" and "supported."

Anything that runs Windows 10 or later should be "fully patched" as far as the OS does this all by its lonesome unless someone intentionally disables Windows Update. That's one of the biggest selling points of Windows As A Service - it should take care of itself. You need to occasionally check that it is, indeed, doing this, but . . . In the case of small entities or homes, you might also activate the specific "service station" software from the hardware maker (whether computer or component), which might come into the mix as well.

As to "supported," I know of very few small businesses that do not keep their computers well past the warranty period and I've virtually never called on any manufacturer for support unless the device is still under warranty. I, and others like me, exist for the care and feeding of hardware that's perfectly fine for the tasks required and in shape to do them.

So long as the hardware can run a currently supported version of Windows and it's not bogged down by what it actually needs to do, or literally falling apart, it's fine for the home and tiny business market segment.
 
@britechguy

Oh I don't care about warranties... as long as there's a plan involved to handle downtime. Most small clients opt for used machines that have warranties on them, but often they run outside the warranty and no one cares because the boxes are so cheap we have spares sitting there waiting for someone to need them. An office with 3-4 computers in it would only have 1 spare, but it's there.

Those machines run, as long as Microsoft hands me patches for them. "Supported" means the software vendors. I cannot support software that's out of support for obvious reasons.

Now SERVERS... THOSE I demand warranties on. Because no business can afford downtime of days if not weeks while we figure out how to fix it or redeploy it. Which is another reason why I lean on M365 so much, no server, no UPS, downtime measured in hours per year, for a fee lower than the cost of financing the server.

Sometimes I get creative with my RMM so we can use a desktop as a "server" for on premise stuff like Quickbooks or some estimation app. And I have a plan in place to relatively quickly restore service to another system if that system faults.

But no I'm talking about tiny mom and pop shops. I assisted a tiny electrical contracting company this morning during my lunch break that has 5 desktops and a laptop... Nothing else... that's the ENTIRE company. They've started swapping machines out for 8th gen or younger equipment, but they've had 4th gen whatevers there for YEARS. One of the systems I replaced in Q4 originally shipped with Windows 7 on it!

I use hardware until it's utterly beyond all hope. It's the software I care about. The authentication systems I care about. The BDR plan... I care about.

And I LOVE watching those little places light up when they see phone signon take a password right out of their life forever, while also keeping the baddies away. Trivial effort, and yet so rewarding.

Anyway my desktop of choice is a refurbished Dell Optiplex of whatever model is appropriate. Dell Command Update + RMM = fully automated hardware updates too! Which is rather important with all these firmware issues flying around. But that's what I do, organize the junk into something that replicates enterprise readiness, without the new car smell. ;)
 
Well, today has added a new wrinkle in this, and a frustrating one. The first two machines I set up used a personal MS Account that linked to the OOBE Windows user account that was set up. On both of those machines we just enabled SMB1 and, instantly and automagically, the server was seen and we simply had to enter the login credentials (and check the box to remember them) and, voilà, the network drive was mapped to the server and has stayed that way for two weeks and one week, respectively.

It's also important to note that this was one of those cases where a single email address had been associated both with the personal and business MS accounts, and the business account is tied to GoDaddy. Part of today's work was finally, and completely separating that email address from the personal account. It's now associated strictly with the business account. The personal account now uses a freshly created outlook.com address.

The machine today was set up going in the "work or school account" direction rather than the personal account direction. This is probably what is at the root of the major problem: I can't get this machine to talk to the Windows Server 2003 machine. It can be seen on the network, but there is no way to log in to it. If you try it always wants you to enter a PIN (by default) for the MS-Account to log in to the server, but there is no way to make that work. You can't even create an account under 2003 that includes an at sign in the name. If I try the "other options" the options I'm presented with do NOT include one for a straight username and password for the server side, it's always demanding an email address and password. There apparently once was an option for just username and password (and that's what I was asked for on the other two machines) but it's not showing up now.

I suspect this is because Azure AD has entered the picture, which it had not on the other machine. SMB1 is enabled on this new machine that was set up with the business account. Here are three screenshots that I hope might help shed some light:

01_Accounts_Dialog.jpg
02_Other_Users_Dialog.jpg
03_Email&Accounts_Dialog.jpg

Note well that second shot, which shows "Other Users." On all of these machines I have been setting up a local account which is the one which will be used day to day. This one was no different. What is different is that the other "Chris" user is never presented on the login screen, and what is there is "Other User" (literally) which you can't do anything with.

If I need to N&P this machine, and start from scratch using the personal account that's what I'll do, but I'd like to avoid that if possible. I'd also love to know why this inability to actually connect to the server even exists.

I am also asking, respectfully, for no lectures about why I should not use SMB1. I am well aware that it's "not ideal," to put it mildly, but it's what I must work with for the moment. Getting it out of the picture is phase 2, which will come, but at this point in time it's got to be made to work. If it's not a solution to the issue, or an explanation of what's going on even if there is no fix, I really don't need or want to hear it. This is a situation that can be solved, and the focus should be on the how, not meta-analysis of why we should not be doing this in the first place. It is what it is for the time being.
 
You'll probably need to map a drive with net use. There are ways via the GUI to kick Windows 11 to use the old model authentication window but that causes more problems than it solves.

So instead, drop to a command prompt and net use \\server\share /persistent:yes /user:username password

Ensure it's not an elevated command prompt, that will map into a different user context. You need a normal user command prompt, Windows Terminal will work too, but you need to run cmd.exe in it first. The above command doesn't like executing the way you'd expect in powershell.
 
Yeah, Windows SMB does not speak "hello"...unless the server is AzureAD joined or at least hybrid synced.
So...Rob's suggestion above..the old "net use"...just type in that with the regular local user account password (I take it the workstation is not local domain joined).
 
I go back to the client site in about an hour. I will be running the following command, using the appropriate credentials, in hopes that this solves the issue on "the cranky box:"

net use y: \\yserver\thingshared /user:XXXX PWD /persistent:yes /savecred

I want the credentials saved so this is "automagically reconnected" each and every time the machine reboots and without the need to reenter the user name or password.

[Addendum: You are correct that the workstation is not local (or otherwise) domain joined.]
 
Windows Homeless or pro?
For home...it'll remain "cranky" and sometimes need to be remapped. As Home edition isn't really meant to be "joined to a domain" or properly networked...so the duct tape and bubble gum approach often needs a revisit.

Another method, create a "logon.bat" file....have it in the startup menu. One of the drawbacks, if someone finds it and opens it, there's the user's password right out in the open.
 
It's Win11 Pro on all boxes involved. But only one of three set up so far has exhibited this crankiness. And I'm now definitely wondering if it's because the first two were set up using a personal Microsoft account (even though it shared the same email address at that time) while the cranky one was set up using a "work or school" Microsoft account affiliated with the GoDaddy setup they have.

I stupidly did the latter "just for curiosity" and this is one of those times where curiosity definitely did "kill the cat." But at least I've learned something likely to be of use at a later date.

This client is reasonably tech savvy, relatively speaking, so if the connection works, but proves to be fragile, I will show him exactly how to reissue this command via the CLI so that no file need be sitting around with the username and password. Of course, they have not exactly been tight about security on this, either, since it's a very small shop and the server is only on their LAN. I can't "fix" who already happens to know this information that likely shouldn't, but that wasn't on my watch, either.
 
Another method, create a "logon.bat" file....have it in the startup menu. One of the drawbacks, if someone finds it and opens it, there's the users password right out in the open.

Well, this is "interesting." The command to map the network drive using good, old-fashioned username and password works just fine if you run it by hand in PowerShell or Command Prompt, or even if you have a BAT file and double click on it to run it.

But, I have placed that said BAT file in the user startup folder (which I opened using WinKey + R, and entering shell:startup) and it does not seem to want to run such that it works when the machine is restarted (and, I'd suppose, shutdown and powered up again, but I haven't tested that).

Is it necessary to put such a BAT file in the common startup folder instead? (shell:common startup rather than shell:startup)

If push comes to shove, I'll put the BAT file on the desktop so it can be double-clicked upon logging in, but I really don't want to do that if I can avoid it. It is outrageous to me that the entire connection to a Windows Server 2003 instance is working, no muss, no fuss, and flawlessly on two machines that were configured using a PERSONAL Microsoft Account linked Win11 user account, but it's being insane on a machine configured with a WORK/SCHOOL linked Win11 user account. If logic dictated things about this, it would be the exact opposite, but it's not!

[P.S. I did not name the BAT file logon.bat, but something more indicative of its exact function. If this turns out to be the hitch in the proverbial giddy-up . . .]
 
Curiouser and curiouser . . .

I moved the BAT file to common startup rather than user startup, same issue. But, and it was a "but" I had not realized, it appears that either the message about not being able to map the network drive is spurious, or it's occurring because the attempt from "persistent" is occurring before Windows 11 is able to deal with networking.

If I wait a few moments after the error message regarding drive mapping appears, as boot progresses I see the "telltale flash" of the command prompt window running for the BAT file which issues the "net use" command again. If I open File Explorer then, the drive is mapped and functioning perfectly. At the same time, the icon that shows the problem persists for quite a while after that, even when all is fat and happy.

I also discovered that the /savecred and /persistent:yes switches conflict with each other. The /persistent:yes switch results in a successful connection again (along with the login credentials, of course) but /savecred doesn't.

This is just freakin' bizarre, as far as I'm concerned. But at least there is now access to the server drive from this machine. When it's time to set up the next CAD workstation, I'm sticking to using the owner's personal MS account to link to. I don't want to have to go through this crap again, and the other machines where I used that method allowed me to enter userid/password credentials and check the "remember" checkbox for the server connection and have been perfectly happy ever since!
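A startup script that addresses the two snags raised earlier in the thread, the password sitting in plain text in the BAT file and the mapping attempt firing before the network is up (added example, not code from any poster). It assumes the hypothetical names Y:, yserver and thingshared from the thread, and that the share password has been stored once, interactively as the day-to-day user, with cmdkey so it never appears in the script.

```powershell
# Added example, not from the thread. Hypothetical names: Y:, yserver, thingshared.
# One-time setup, run interactively as the day-to-day user (prompts for the password):
#     cmdkey /add:yserver /user:shareuser /pass
# That stores the credential in Windows Credential Manager, so this script,
# dropped into shell:startup, carries no password at all.

$Server   = 'yserver'
$Share    = '\\yserver\thingshared'
$Drive    = 'Y:'
$Attempts = 30          # 30 tries x 2 s = about a minute of patience

# A startup item can run before the network stack is ready, which is why the
# "could not reconnect" message appears and then the mapping works anyway.
# Wait until TCP 445 (SMB) on the server actually answers before mapping.
$up = $false
for ($i = 1; $i -le $Attempts; $i++) {
    if (Test-NetConnection -ComputerName $Server -Port 445 `
            -InformationLevel Quiet -WarningAction SilentlyContinue) {
        $up = $true
        break
    }
    Start-Sleep -Seconds 2
}
if (-not $up) {
    Write-Warning "$Server did not answer on port 445 after $Attempts tries; not mapping $Drive"
    exit 1
}

# Clear any stale mapping for the letter (harmless if none exists), then map.
# No /user or password on the command line: the redirector picks up the
# credential stored for 'yserver' in Credential Manager.
# /persistent:no because this script re-maps at every logon; a persistent
# mapping would just retry on its own before the network is up and throw
# the same spurious error.
cmd /c "net use $Drive /delete /y" 2>$null | Out-Null
cmd /c "net use $Drive $Share /persistent:no"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "net use failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
```

Save it as a .ps1 and point the startup shortcut at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path>`; if the credential is ever changed on the server, re-run the cmdkey line and nothing in the script needs editing.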
 