I’ve got nothing against the Windows firewall; it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them, that’s fair enough.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
4. Right click your new policy > Edit.
5. Navigate to;
[box]
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections
[/box]
6. Set the policy to disabled.
7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
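To confirm the result on a target machine once the policy has refreshed, the following added example (not part of the original article) reads the policy value back from the registry and then shows the effective firewall state. The steps above only set the Domain Profile, so the Standard Profile, used when the machine is away from the domain network, should still report its own setting. The function name is illustrative.

```powershell
# Added example, not from the original article: read back what the GPO wrote.
# Policy-delivered Windows Firewall settings are stored per profile under this key.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([string]$Root = $PolicyRoot)

    foreach ($profileName in 'DomainProfile', 'StandardProfile') {
        $key = Join-Path $Root $profileName
        # EnableFirewall is the value behind "Protect all network connections".
        $value = (Get-ItemProperty -Path $key -Name EnableFirewall `
                    -ErrorAction SilentlyContinue).EnableFirewall

        if ($null -eq $value)  { $state = 'Not set by policy (local setting applies)' }
        elseif ($value -eq 0)  { $state = 'Firewall turned OFF by policy' }
        else                   { $state = 'Firewall turned ON by policy' }

        New-Object PSObject -Property @{ Profile = $profileName; State = $state }
    }
}

Get-FirewallPolicyState | Format-Table Profile, State -AutoSize

# Which profile the machine is using right now, and the effective state of each.
netsh advfirewall show currentprofile state
netsh advfirewall show allprofiles state
```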
SBS Note
An (SBS) Small Business Server domain enables the client firewall by default! The policy is called Windows Firewall Policy, which is usually linked to the computer OU under ‘My Business’.
Related Articles, References, Credits, or External Links
I’ve never really been a fan of SBS Server. There are too many ‘wizards’, and things that are either automatically configured for you, or won’t work until you’ve configured something else. I’ve had a boat-load of problems with it over the years.
Last week saw me retiring an SBS 2011 server, and migrating to a 2016 domain, with Exchange 2016 server. But how to gracefully remove Exchange 2010 from the old SBS server?
Solution
Firstly, SBS or not, this is in essence just an Exchange 2010 to Exchange 2016 migration, and all the methods and prerequisites are the same. I’ve covered that entire procedure before in the following series of articles; go there, run through them, and then come back here when you are ready to uninstall Exchange 2010.
So you’ve gone through the above procedure at this point? Anyway, to summarise, make sure before proceeding that;
All 2010/2007 Mailbox Databases are dismounted and removed.
All 2010/2007 Public folder Databases are dismounted and removed.
The 2010/2007 Exchange Server is NOT responsible for any Offline Address Books.
Open Toolbox > Queue Viewer > Make sure the queues are empty.
The server is NOT set as a source server on your ‘Send Connector’.
The 2010/2007 Exchange Management consoles are CLOSED.
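The checklist above can be verified from the Exchange Management Shell on the old server before setup is run. This is an added example, not part of the original article: `$OldServer` is a placeholder for the server being retired, and the send connector test is a simple name match, so a server whose name is contained in another server's name can produce a false hit.

```powershell
# Added example, not from the original article. Read-only checks; run them in
# the Exchange Management Shell (the management consoles can stay closed).
$OldServer = $env:COMPUTERNAME   # placeholder: name of the server being retired

$blockers = @()
$blockers += @(Get-MailboxDatabase -Server $OldServer |
    ForEach-Object { "Mailbox database still present: $($_.Name)" })
$blockers += @(Get-PublicFolderDatabase -Server $OldServer |
    ForEach-Object { "Public folder database still present: $($_.Name)" })
$blockers += @(Get-OfflineAddressBook -Server $OldServer |
    ForEach-Object { "Offline address book still generated here: $($_.Name)" })
$blockers += @(Get-Queue -Server $OldServer |
    Where-Object { $_.MessageCount -gt 0 } |
    ForEach-Object { "Queue $($_.Identity) holds $($_.MessageCount) message(s)" })
$blockers += @(Get-SendConnector |
    # Assumption: match the server name inside the expanded source server list.
    Where-Object { "$($_.SourceTransportServers)" -like "*$OldServer*" } |
    ForEach-Object { "Send connector '$($_.Name)' lists this server as a source" })

if ($blockers.Count -eq 0) {
    'No blockers found for the checks in the list above.'
} else {
    $blockers
}
```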
Open an administrative command window, then navigate to the folder that Exchange is installed into and change directory to the ‘Bin’ directory (in most cases this will be on the C: drive). Then use the command line option to remove Exchange;
SBS 2011: Remove Exchange 2010 Gracefully
[box]
cd "C:\Program Files\Microsoft\Exchange Server\V14\Bin"
setup.com /mode:uninstall
[/box]
SBS 2007: Remove Exchange 2007 Gracefully
[box]
cd "C:\Program Files\Microsoft\Exchange Server\Bin"
setup.com /mode:uninstall
[/box]
SBS Exchange Removal Things That Might Go Wrong!
Error:
There are 1 messages waiting in the ‘{server-name}\{Queue-name}’ queue. Proceeding with the removal of the server role may result in data loss.
There are 2 messages waiting in the ‘{server-name}\Submission’ queue. Proceeding with the removal of the server role may result in data loss.
This computer is configured as a source transport server for 1 connector(s) in the organization. These must be moved or deleted before Setup can continue.
The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
Exchange Server setup encountered an error.
As the message indicates, there are still messages in the queues on the Exchange 2010 server. Open Exchange Management Center > Toolbox > Queue Viewer > and delete them (you may need to restart the transport service as well).
Error:
Hub Transport Role Checks FAILED
This computer is configured as a source transport server for 1 connector(s) in the organization. These must be moved or deleted before Setup can continue.
The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
Exchange Server setup encountered an error.
This is because the Exchange 2010 server is still listed as a source server on your Exchange environment’s send connector. Open Exchange management on your NEW Exchange server > Mail flow > Send connectors, and remove the old Exchange 2010 server.
SBS 2003 Internet connection wizard (ICW) keeps launching all the time.
Solution
SBS Stop Internet Connection Wizard (ICW).
1. Start > Run > msconfig {enter}
2. Select the startup Tab
3. Untick icwnotify > Apply > Close
4. Exit without Restart.
5. Right Click the Taskbar > Task Manager > Processes
6. Locate icwnotify.exe > Right Click > End Process Tree > Yes.
The firewall policy that Server 2008 uses out of the box only allows RDP connections from the local LAN. This is great in an office environment, but if you have remote VPN clients (on a different IP range) that can’t get access to your client PCs or member servers via RDP, it’s not so good. If you have a member server running terminal services for example, then having RDP blocked will stop it working.
You would think that, to fix the problem you would change the policies either at..
Windows Firewall: Allow inbound remote administration exception.
or
Windows Firewall: Allow inbound Remote Desktop exceptions.
But I did that and it still didn’t work!
Solution
1. Assuming the affected machines are in the My Business > Computers > SBSComputers OU in Active Directory. (If not either move them or change policies accordingly).
2. On the SBS Server, Click Start > Administrative Tools > Group Policy Management > Navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Locate “Windows Firewall: Define inbound Port Exceptions” > Double Click it > Click Enabled > Click Show
3. Click Add > In the “Enter the Item to be added” box type the following,
3389:TCP:*:enabled:RDP
Note: the asterisk denotes accept traffic from any IP, you can enter a range of IP addresses i.e. 192.168.1.0/24 or a single IP address like 172.16.3.1, or the word localsubnet, or a combination, separated by commas e.g.
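Because the scope field decides who can reach the port, it is worth checking every entry in the exception list before the policy goes out. The following added example (not part of the original article) parses entries in the format shown in step 3 and flags any that accept traffic from every address; the function name and the sample entries are constructed for illustration, and only IPv4 scope items are handled.

```powershell
# Added example, not from the original article.
# Entry layout: <port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>
function ConvertFrom-PortException {
    param([Parameter(Mandatory = $true)][string]$Entry)

    # Cap the split at 5 fields so a rule name containing ':' stays whole.
    $f = $Entry.Trim() -split ':', 5
    if ($f.Count -ne 5) { throw "Expected 5 fields in '$Entry'" }
    if ($f[0] -notmatch '^\d{1,5}$' -or [int]$f[0] -lt 1 -or [int]$f[0] -gt 65535) {
        throw "Bad port in '$Entry'"
    }
    if ('TCP', 'UDP' -notcontains $f[1]) { throw "Bad transport in '$Entry'" }
    if ('enabled', 'disabled' -notcontains $f[3]) { throw "Bad status in '$Entry'" }

    # Scope items: *, localsubnet, an IPv4 address, or IPv4/prefix (IPv4 only here).
    $ipv4  = '^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$'
    $scope = @($f[2] -split ',' | ForEach-Object { $_.Trim() })
    foreach ($item in $scope) {
        if ($item -ne '*' -and $item -ne 'localsubnet' -and $item -notmatch $ipv4) {
            throw "Bad scope item '$item' in '$Entry'"
        }
    }

    New-Object PSObject -Property @{
        Port      = [int]$f[0]
        Transport = $f[1].ToUpper()
        Scope     = $scope -join ', '
        Enabled   = ($f[3] -eq 'enabled')
        AnySource = ($scope -contains '*')   # reachable from every address
        Name      = $f[4]
    }
}

# Constructed sample entries: the one from step 3, and a scoped variant built
# from the address forms the note lists.
$entries = @(
    '3389:TCP:*:enabled:RDP',
    '3389:TCP:192.168.1.0/24,172.16.3.1,localsubnet:enabled:RDP'
)
$entries | ForEach-Object { ConvertFrom-PortException -Entry $_ } |
    Select-Object Port, Transport, Enabled, AnySource, Scope, Name |
    Format-Table -AutoSize
```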
SBS 2008 (which runs Exchange 2007) displays a 404 error when you try and view Outlook Web Access.
https://sites/owa and https://localhost/owa don’t work
Solution
A 404 Error just means page not found, so there are lots of different reasons why this might happen, this is just one of many fixes.
1. On the SBS Server > Click Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand {server name} > Sites > Expand SBS Web Applications > Ensure “owa” is listed below > Notice this site is in a stopped state (indicated by the arrow).
2. If you try and start the site it will probably complain that the port is in use (Look upwards and you will see the “Default Web Site” is running and will be using the same ports).
3. To stop the Default Web Site (if it’s running) Select “Site” > Right click “Default Web Site” > Manage Web Site > Stop.
4. Then, to start the “SBS Web Applications” site, Select “Site” > Right click “SBS Web Applications” > Manage Web Site > Start.
Every time you log into an SBS Server the “Windows SBS Console” loads, a lot of users will be quite happy with this, but it annoys me.
You can’t turn it off by simply ticking “Don’t Run” somewhere, like you can with “Server Manager” on the full server product, nor can you disable it with msconfig, or in the Registry.
Solution
1. On the SBS Server Click Start > Administrative Tools > Task Scheduler.
2. When it Loads > Expand Task Scheduler Library > Microsoft > Windows > Windows Small Business Server 2001 or 2008 > Select the ‘console’ task in the center window > then either “Delete” or “Disable” the task.
Problem reoccurs on a roughly 5-7 day cycle; rebooting the server solves the problem.
You may also see
System Event Log:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1054
Level: Error
User: SYSTEM
Description:
The processing of Group Policy failed. Windows could not obtain the name of a
domain controller. This could be caused by a name resolution failure. Verify
your Domain Name System (DNS) is configured and working correctly.
DNS Server Event log:
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Event ID: 408
Level: Error
Description:
The DNS server could not open socket for address 0.0.0.0.
Verify that this is a valid IP address for the server computer. If it is NOT
valid use the Interfaces dialog under Server Properties in the DNS Manager to
remove it from the list of IP interfaces. Then stop and restart the DNS
server. (If this was the only IP interface on this machine and the DNS server
may not have started as a result of this error. In that case remove the
DNSParameters ListenAddress value in the services section of the registry
and restart.)
If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Event ID: 404
Level: Error
Description:
The DNS server could not bind a Transmission Control Protocol (TCP) socket to
address 0.0.0.0. The event data is the error code. An IP address of 0.0.0.0
can indicate a valid "any address" configuration in which all configured IP
addresses on the computer are available for use.
Restart the DNS server or reboot the computer.
When trying to Open the Exchange Management Console
You will see the following error,
get-ExchangeServer Failed
Error:
No suitable domain controller was found in domain {your domain name}
Errors:
An Active Directory error 0x51 occurred when trying to check server
{your servername and your domain name} :389 suitability. The LDAP server is
unavailable.
Solution
It’s caused by a driver using the Transport Driver Interface. If you see this problem, install this hotfix.
Been a while since I’ve seen this one, and strangely I didn’t document it. So when I was asked this morning I searched here on PeteNetLive, and in my personal database of solutions, but the cupboard was bare.
Solution
1. Before you do anything make sure your SBS has plenty of space on the hard drive, simply running out of room on the system drive can cause SBS to lose its licences, make sure this is not your problem.
2. If you have plenty of room, then click Start > Run > services.msc {enter}. Locate the Licence Logging service > Right Click > Stop.
3. Locate the licstr.cpa file (it’s in C:\windows\system32 by default) > Rename it to licstr.OLD.
4. Locate the autolicstr.cpa (Should be in the same folder) and COPY it to your desktop to create a backup, Then rename the original to licstr.cpa
5. Back in the services console restart the “Licence Logging Service”.
6. Your licences should now be back in place.
7. Finally, you will notice there’s an option in the Licensing console to back up your licences, now would be a good time, to avoid having to do this again.
By default the Administrators account in SBS 2008 is disabled. While this is not a bad thing, and there are very valid reasons for it being disabled, some users still want to use it.
Solution
Option 1 – Create another “Admin” Account
1. Start > run > dsa.msc {enter} > Right click users > New User > follow the onscreen prompts.
2. Right click the user you have just created and add them to the following groups > Administrators > Denied RODC Password Replication > Domain Admins > Domain Users > Enterprise Admins > Exchange Organization Administrators > Group Policy Creator Owners > Schema Admins > WSS_ADMIN_WPG.
Note: You can also set the “Primary Group” to “Domain Admins.”
Option 2 – Enable the Administrator Account
1. You can quickly enable the Administrators account with the following command,
[box]net user administrator /active:yes[/box]
2. Remember you will still need to set a password for the account and it must comply with your password complexity policy if enabled.