October 2004 - Posts
This information comes from the Microsoft “Securing your SBS2003 Network” document, which can be found at: http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc
Services and TCP Port Numbers (service, TCP port number, and when to allow it):

Internet e-mail (Exchange)
Allow if you are using Exchange to receive Internet e-mail.

Web site: 80 (required for HTTP requests for your site) and 443 (required for HTTPS requests using Secure Sockets Layer (SSL), which secures communications between your server and a Web browser)
Allow if users on the Internet need to access specific Web-site services on your server.
Web-site services that use port 80 and/or port 443 include the following:
- Microsoft® Office Outlook® Web Access (OWA)
- Windows Small Business Server 2003 server performance and usage reports
- Outlook Mobile Access (OMA)
- Business Web site (wwwroot), which allows users to access the company's Internet Web site from the Internet
- Outlook via the Internet (RPC over HTTP) feature of Outlook 2003

Windows SharePoint Services intranet site: 444
Allow if users securely access the intranet Web site created by Microsoft® Windows® SharePoint™ Services from the Internet.

Remote Web Workplace: 4125 and 443
Allow if users securely access Remote Web Workplace to:
- Connect to the local network from OWA
- Create a direct Remote Desktop Web (RWW) Connection to client computers on the local network.
- Use the Windows SharePoint Services intranet site (this also requires port 444, as noted above).
- Download Connection Manager to configure the remote client computer for remote access (using remote access also requires that port 1723 be open, as noted below).

Virtual private network (VPN): 1723
Allow if remote clients connect securely to the network using a VPN connection to use resources as if the client were connected locally.

Terminal Services
Allow if remote clients connect to the computer running Windows Small Business Server 2003 using Terminal Services.

File transfer protocol (FTP)
Allow if remote clients use file transfer protocol (FTP) to connect to the computer running Windows Small Business Server 2003.
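To turn the table above into something you can check a firewall against, here is an added Python example (not from the Microsoft document) that derives the inbound allow-list from the features actually in use, including the two dependencies the Remote Web Workplace entry notes, and reports ports that are open without any feature needing them. It covers only the services whose port numbers the table gives; the feature names are my own.

```python
"""Derive the inbound TCP allow-list for an SBS 2003 firewall from the
features in use, following the "Allow if ..." table above. Added example,
not part of the Microsoft document; feature names are assumed."""

# Feature -> TCP ports, taken from the table above.
FEATURE_PORTS = {
    "web_http": {80},              # business web site, OWA, OMA, reports, RPC over HTTP
    "web_https": {443},            # the same services over SSL
    "sharepoint_intranet": {444},  # companyweb reached from the Internet
    "rww": {4125, 443},            # Remote Web Workplace itself
    "vpn": {1723},                 # VPN connections (Connection Manager)
}

# RWW use cases that pull in another service (see the RWW entry above):
# the intranet site through RWW needs 444, and a downloaded Connection
# Manager profile is useless unless VPN (1723) is open as well.
RWW_DEPENDENCIES = {
    "rww_intranet": "sharepoint_intranet",
    "rww_connection_manager": "vpn",
}

def required_ports(enabled):
    """Sorted list of TCP ports that the enabled features need.
    `enabled` holds names from FEATURE_PORTS and/or RWW_DEPENDENCIES.
    Unknown names raise ValueError so a typo cannot silently change the rules.
    """
    wanted = set(enabled)
    for use_case, needs in RWW_DEPENDENCIES.items():
        if use_case in wanted:
            wanted.discard(use_case)
            wanted.update({"rww", needs})
    unknown = wanted - set(FEATURE_PORTS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    ports = set()
    for feature in wanted:
        ports |= FEATURE_PORTS[feature]
    return sorted(ports)

def audit_rules(enabled, currently_open):
    """Compare the firewall's open ports with what the features need.
    Returns (missing, excess): ports still to open, and ports exposed for no reason."""
    needed = set(required_ports(enabled))
    open_now = set(currently_open)
    return sorted(needed - open_now), sorted(open_now - needed)

if __name__ == "__main__":
    # Constructed scenario: OWA over HTTPS plus RWW with Connection Manager
    # downloads; 80 and 444 were left open by an earlier setup.
    want = ["web_https", "rww_connection_manager"]
    print("required:", required_ports(want))                         # [443, 1723, 4125]
    print("missing/excess:", audit_rules(want, [80, 443, 444, 4125]))  # ([1723], [80, 444])
```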
Two things to note:
First, Dave points out: There have been a number of posts for help with W32Time errors in SBS 2003. It appears that two KBs on these issues were released this week. The first one seems to directly address the problems I've seen posted (and seen on my server), and the second references a packet filter for NTP that is incorrectly created by the CEICW. Here are the links:
1. Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003
2. The server cannot synchronize with an external time source after you run the Configure E-mail and Internet Connection Wizard on Windows Small Business Server 2003
Second, Les adds: do fix your NTP packet filter (#2 above). But even then, occasionally you'll get time sync errors after a server restart. Save the following in a .bat file, put it in a convenient location, and execute it whenever you see time sync problems:
rem Point the Windows Time service at an external NTP peer (0x8 = client mode) and apply the change
w32tm /config /manualpeerlist:time.windows.com,0x8 /syncfromflags:MANUAL
w32tm /config /update
rem Restart the service so the new peer list takes effect
net stop w32time
net start w32time
rem Kick off a resync without waiting for the result
w32tm /resync /nowait
Les Connor [SBS Community Member]
DonDinCT asked this great question on the NG:
“When I generate a certificate for my server during installation, does it only work for the default web site? Do I need to create a separate certificate for each web site that I add?”
And John gave this equally great response:
The certificate is automatically added to the companyweb and default web sites. You can manually add it to others if you would like. If you want to add the existing one:
- Right click on the site and go to properties
- Go to security tab
- Click the server certificate button
- Click next and choose assign an existing certificate
- The SBS created cert should be in the list. Just pick that cert and click Next
- Set the SSL port and finish the wizard.
John Bay, MCSE 2003
Microsoft Support Engineer
The following info came from the SBS Product team on the best way to change the password on the Administrator account:
To change the password, however, you can use any of the methods that any user would use to change their own password, plus some others. For example:
1. When logged in as Administrator, press Ctrl-Alt-Del, click the "Change Password" button, and change the password.
-- or --
2. Open Active Directory Users and Computers, find the Administrator object, right-click on it and select "Reset Password."
Note that option 1 is preferred, as option 2 forces the password to be reset, which can cause the account to lose access to encrypted files and potentially other data.
SBS Product Team
Remember, removing a computer from the domain not only lets you rename the machine; it also destroys all machine-specific configuration you made, which may then have to be re-configured manually.
- Remove workstation from Domain
- Remove machine account using SBServer Server Management
- Verify no record exists for that name in DHCP
- Verify no record exists for that name in DNS
- Change machine name
- Rejoin Domain
The details can be found here (thanks to the M&M queens!)
I've trimmed their instructions down for quick reading:
1. Download & Install IMF - go to http://www.microsoft.com/downloads/details.aspx?FamilyId=C1B08F7B-8CAF-4147-B074-8C9C8F277071&displaylang=en
In ESM, go to Global Settings, right-click Message Delivery, click Properties, open the Intelligent Message Filtering tab, and configure your thresholds. Example: set the gateway blocking threshold to 5 with the action set to Archive, and the store junk e-mail threshold to 2. Then all e-mail with an SCL rating equal to or greater than 5 will be archived, and all e-mail with an SCL rating greater than 2 will be moved to the user's Junk E-mail folder. You will want to experiment with the threshold settings. Note: every time you change the thresholds, you will have to restart the Microsoft Exchange Information Store service.
Still in ESM, go to Servers > Servername > Protocols > SMTP, right-click Intelligent Message Filtering, click Properties, and enable it on the Default SMTP Virtual Server.
2. Download and install the IMF Archive Manager - go to http://www.gotdotnet.com/workspaces/workspace.aspx?id=e8728572-3a4e-425a-9b26-a3fda0d06fee
By default, when IMF archives a message it does not record the SCL rating assigned to that message in the archived copy. To make it do so, create a DWORD value named ArchiveSCL and set it to 1. Run RegEdit and navigate to HKLM > SOFTWARE > Microsoft > Exchange, right-click ContentFilter, click New, and then click DWORD Value.
Type ArchiveSCL as the value name. Right-click ArchiveSCL, and then click Modify. In Edit DWORD Value, under Value data, type 1.
3. Configure Outlook to display the SCL rating.
Here a picture is worth a thousand words: http://www.smallbizserver.net/Default.aspx?PageContentID=12&tabid=174
There are many questions in the NG about what to tell your ISP in order to have email forwarded to your SBS server. Here's a sample Q&A:
Q: I followed the SBS 2003 setup suggestion, and my internal domain name is called abc.local. I have also registered an Internet domain name, xyz.com. I'm now ready to move from external POP3 accounts to internally hosted Exchange mailboxes. The domain folks are ready to reconfigure the MX record, and they want to know the "name of the server" and its static IP address. If the server name is "bubba", do I tell them to use bubba.abc.local or bubba.xyz.com when creating the MX record? I know this is rather basic, but I have hunted all over and am still confused. Thanks!
A: First, understand that the public DNS is totally handled by your ISP. You don't need to change anything on your SBS machine. The public DNS name of the computer can be anything you want.
By default you may already have the name "www", but you should add a second name for mail, such as "mail" or "owa", because it is more typical for OWA or POP3 users to access a mail server with "mail" rather than with "www". MX records refer to an A record on the same DNS server.
You basically want an MX record pointing to, for example, mail.xyz.com, and then an A record pointing mail.xyz.com to your public IP address. Or if you wanted to use 'owa' instead of 'mail', you could have them add two records such as:
MX record = owa
A record = owa 184.108.40.206
The public DNS name you tell your ISP doesn't have to have any correlation with your private names.
Another response: Set the domain to abc.local as discussed previously. When the installation is finished and you are going through the to do list you will run the connect internet wizard, at that time you will set the server, exchange, to mail.abc.com and create a certificate for that name. The server would answer, internally, to servername.abc.local and externally to mail.abc.com. Your external DNS servers should have a record for mail.abc.com pointing to the external IP address of your router.
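As an added example (not from the original posts), here is a small Python check of the records this answer describes: the MX target must be a public name with an A record for the public IP, never the internal .local name or a LAN address. The zone data is constructed.

```python
"""Sanity-check the public DNS records an ISP is asked to create for an
SBS 2003 mail server, per the advice above. Added example, not from the
original post; the zones below are constructed, not real DNS data."""
import ipaddress

# Constructed zone data in the shape name -> [(record type, value), ...].
# 184.108.40.206 is the sample address used in the Q&A above.
ZONE_OK = {
    "xyz.com":      [("MX", "mail.xyz.com")],
    "www.xyz.com":  [("A", "184.108.40.206")],
    "mail.xyz.com": [("A", "184.108.40.206")],
}

# What the questioner was tempted to hand the ISP: the internal name, plus
# a mail name that points at a made-up private LAN address.
ZONE_BAD = {
    "xyz.com":      [("MX", "bubba.abc.local"), ("MX", "mail.xyz.com")],
    "mail.xyz.com": [("A", "192.168.16.2")],
}

def check_mail_dns(domain, zone, public_ip):
    """Return a list of problems with the mail records; [] means they look right."""
    problems = []
    mx_targets = [v for t, v in zone.get(domain, []) if t == "MX"]
    if not mx_targets:
        return [f"no MX record for {domain}"]
    for target in mx_targets:
        if target.endswith(".local"):
            problems.append(f"MX target {target} is an internal name; public DNS cannot resolve it")
            continue
        records = zone.get(target, [])
        if any(t == "CNAME" for t, _ in records):
            problems.append(f"MX target {target} is a CNAME; the MX must name an A record")
        a_values = [v for t, v in records if t == "A"]
        if not a_values:
            problems.append(f"MX target {target} has no A record")
        for addr in a_values:
            ip = ipaddress.ip_address(addr)
            if ip.is_private or ip.is_loopback:
                problems.append(f"{target} points at non-routable address {addr}")
            elif addr != public_ip:
                problems.append(f"{target} points at {addr}, not the public IP {public_ip}")
    return problems

if __name__ == "__main__":
    print(check_mail_dns("xyz.com", ZONE_OK, "184.108.40.206"))   # []
    for p in check_mail_dns("xyz.com", ZONE_BAD, "184.108.40.206"):
        print("problem:", p)
```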
[This was posted in the public NG on 10/23/2004 by Jeff]
I have information on Swing Migration that I can send out to you if you want to visit www.SBSmigration.com to request it.
Swing Migration is a method for upgrade/migration that I've recently documented and created as a complete project package called a Swing It!! Kit. It's a set of documentation that walks you through an entire process to move the entire configuration identity from the old SBS to a new SBS or Windows server.
You get a clean server installation, but the same domain name, same server name, same AD, same Group Policies, same IP, same network paths, same user and computer accounts...and you can forklift the Exchange onto the new server without breaking single instance storage.
The work can be completed offline, meaning that you can keep your existing server running (including the Exchange) while you build the new server, and the downtime involved is only the time it takes to move an offline copy of the Exchange and the datafiles over to the new server. You can complete the entire installation of the new server, including 3rd Party apps, all in advance of shutting down the domain. Some folks have done the entire change over with as little as 2-3 hours downtime.
Swing Migration is a process by which you can add a temp DC to your network, capture the AD information, then swing it back onto a new server and complete the installation of a new server using the previous server's identity. I have detailed information about this available for free on request at www.SBSmigration.com.
The main difference in this process and what you suggested is that you will be renaming your server if you do a DCpromo of a different box. You have namespace problems created not only in Exchange, but also for all network related issues. Swing Migration solves that.
The Swing It!! Kit that is the project reference is available in one of two versions. One is just the reference documentation; the Technician Kit includes the docs and about 10 tools that make the migration process faster, easier, and better documented. The Technician Kit is $200US and the Reference Kit is $125...but the Technician Kit is clearly more popular since I've been making them available. Both include support from me on the docs and tools in completing a swing migration project.
I will be happy to answer as many questions as I can here in the NG so that everyone can stay in the conversation. If you want purchase information or the Reviewers Technical Guide that explains the concepts and has many Q&A bits in it, ask at the information website.
I realize that the website is a little "lean" right now since it's under construction at this time...but that's almost complete ... hopefully in the next week I will have the full package of information available to browse there, or download...including secure payment and ordering option.
Situation: when you try to open "Manage Small Business Server Backup" inside "Server Management", you get the following message:
“You do not have the correct permissions to view this page. For more information contact your system administrator. To view this page, you must be a member of the Domain Admins security group.“
Go to IIS manager
Open the Default Website and you should see the Backup virtual directory.
Right click Backup and select Properties.
Go to the Directory Security tab, click Edit in Authentication and access control.
Verify Integrated Windows Authentication is the only authentication method.
Amy asked: Does anyone know of a utility for Outlook 2003 that will create a pop-up when new mail arrives? This pop-up needs to stay on the screen, like the older versions of Outlook had.
Eric responded: This feature is included in Outlook 2003 already. Open up Outlook and follow this click process: Tools - Options - Preferences - Email Options - Advanced Email Options - Display a New Desktop Alert. There is also a box there called, "Desktop Alert Settings" which will allow you to choose how long the alert remains visible and how transparent the alert is.
Amy asks: But the longest that it can display is 30 seconds. I need it to stay on the screen until the user removes it. I don't see this option. Have I missed it?
Michael responds: You can do this by creating a rule in Outlook and using a "Desktop Alert". Add "Display item in New Item Alert Window" to the rule. It opens a little dialog box in the middle of the desktop that stays up until someone hits "Open Item/Close".
Corey explains further:
Amy, go to Tools -> Rules and Alerts
Create a new rule by selecting New Rule...
Select the 'Start from a blank rule' radio button.
Choose 'Check messages when they arrive'
Then, choose the 'on this machine only' checkbox or whatever else may apply. Click Next.
Then select 'display a specific message in the New Item Alert window' checkbox.
Click on 'specific message' to define the message.
You may also want a few of the other options depending on the situation.
Click Next again without setting exceptions. Click Finish.
This pops up a New Item Alerts window that stays put!
Someone recently asked: I have a number of calendars that are in the 'public folders' folder. Is there any way that I can get the 'reminder pop up' to work? I notice that Outlook doesn't support this facility when the calendar is in the Public Folders, but is there a way around this or another piece of software?
Sue Mosher provided the following link for this solution:
Situation: SBS 2003 Premium Edition. I have installed Reporting Services for SQL Server 2000. Errors occur on backup: event ID 6004, Description: Sqllib error: Database RptServer is not simple.
Solution: Open SQL Manager and go to the properties of each database. Make sure the backup type is set to simple.
This might help someone down the road. Thanks to RT for posting this in the public NG!
I had issues printing files (they would never reach the printer) that spooled larger than 7MB on my HP DeskJet 9650.
It turned out I had to increase the user's C drive quota from 1GB to 2GB.
This info was posted by Pete, who encountered the problem and then was gracious enough to post how he fixed it!
Hi, I have a problem with clients connecting to an SBS server over the internet using IMAP and outlook express. I've opened TCP 143 on destination router, opened the IMAP protocol on the ISA server, the Exchange IMAP service is started, the IMAP protocol is enabled and I've created a server publishing rule for IMAP in ISA.
The IMAP virtual server is set to 'simple authentication & security layer' and a valid local certificate (set to the FQDN of the server) is assigned. The client appears to find the SBS server OK and seems to connect, but always fails at the 'authorizing' stage. I'm prompted for the username/password/domain fields, and I've tried every combination of accounts I know work, but it never lets me through. When I hit cancel the error message says "NTLM Authentication failed. One or more authentication methods were attempted. There are no more authentication methods left to try with your IMAP server".
In the account settings for Outlook Express, the mailbox I'm trying to connect to is definitely using the correct username and password and is enabled for IMAP. I've selected to log on using SPA.
Hello again. Found the problem. The exchange alias for the mailboxes I was attempting to connect to was different to the corresponding domain account (the account had been renamed but the alias was the same as the original domain account name).
I tried this suggestion from Olaf:
If NT-Username and Exchange-Alias aren't the same, you'll have to set
(in your IMAP-Client) the username as follows:
<NetbiosDomainname>\<Username>\<exchange-alias> for IMAP (and POP)
for sending Mail (SMTP) "<NetbiosDomainname>\<Username>" will do.
This is a quite odd thing with Exchange and IMAP/POP.
But I couldn't get that to work (Outlook Express 6 client), so any other suggestion is still appreciated. Renaming the Exchange alias to the same as the corresponding domain account fixed the problem.
If you use the View Usage report generated by SBS 2003, you may notice that one or more users show up with an unusually high number of outgoing mail. Your first reaction may be: is my server being used as a relay? Or have I been hacked?
But don't worry -- it's just a flaw in the way the report counts outgoing mail if you send an e-mail to multiple different e-mail domains. Unfortunately there's no fix for it right now. Read more at KB 867457!
This post comes via Ray and Damian at Microsoft, via Les!
Sometimes, things just get so screwed up that you want to re-create the virtual directories. I know the feeling. Thanks to Ray Fong and Damian Leibaschoff (both MS) for previous posts, here is how to do it.
In IIS, expand Default Web site and remove the following virtual directories:
- (Do not remove EXCHANGE-OMA)
Then enable direct editing of the metabase in IIS Manager:
1. Open properties on the server object.
2. Check the box 'Enable direct metabase edit'
3. After this, open windows explorer and navigate to the following directory: windows\system32\inetsrv
4. Edit metabase.xml (make a backup first) with notepad and navigate to the following section: /LM/DS2MB/HighWaterMarks
5. Set the Value="207778" to zero or delete it. The value is in an attribute like the following (the number may be different):
Value="207778" <----- Set this to "0"
6. Alternatively, you can use Metaedit to make these changes.
7. Save the file.
8. Run IISRESET and then re-start the MsExchangeSA service.
The deleted virtual directories should get re-created after a few minutes from the information that Exchange keeps in Active Directory.
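Steps 4 and 5 above as an added Python example, not from the original post: it backs up metabase.xml and sets every Value under /LM/DS2MB/HighWaterMarks to 0 while leaving the rest of the file alone. The element and attribute layout of the sample fragment is assumed from IIS 6's metabase.xml; compare it with your own file before running the script there.

```python
"""Reset the DS2MB high-water marks in an IIS 6 metabase.xml so the Exchange
System Attendant re-creates the deleted virtual directories from Active
Directory. Added example, not from the post; the sample is a cut-down fragment."""
import shutil
import xml.etree.ElementTree as ET

HWM_LOCATION = "/LM/DS2MB/HighWaterMarks"

# Constructed fragment in the shape of metabase.xml; the Value numbers are made up.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsConfigObject Location="/LM/DS2MB/HighWaterMarks">
<Custom Name="UnknownName_SampleA" ID="1" Value="207778" Type="DWORD"/>
<Custom Name="UnknownName_SampleB" ID="2" Value="198712" Type="DWORD"/>
</IIsConfigObject>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/EXCHANGE-OMA" Path="C:\\sample"/>
</MBProperty>
</configuration>
"""

def _hwm_customs(root):
    """All <Custom> elements under the HighWaterMarks node (namespace-agnostic)."""
    return [c for n in root.iter() if n.tag.endswith("IIsConfigObject")
            and n.get("Location") == HWM_LOCATION
            for c in n if c.tag.endswith("Custom")]

def high_water_marks(xml_text):
    """Current Value attributes of the high-water marks, for inspection."""
    return [c.get("Value") for c in _hwm_customs(ET.fromstring(xml_text))]

def reset_high_water_marks(xml_text):
    """Return (new_xml_text, count): every high-water mark set to 0, nothing else touched."""
    root = ET.fromstring(xml_text)
    # Keep the document's default namespace on output rather than an ns0: prefix.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}")[0])
    count = 0
    for custom in _hwm_customs(root):
        if custom.get("Value") != "0":
            custom.set("Value", "0")
            count += 1
    return ET.tostring(root, encoding="unicode"), count

def reset_metabase_file(path):
    """Back up metabase.xml to path + '.bak' first, then rewrite it with the marks reset."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_text, count = reset_high_water_marks(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return count

if __name__ == "__main__":
    text, n = reset_high_water_marks(SAMPLE_METABASE)
    print(f"reset {n} value(s); now {high_water_marks(text)}")  # reset 2 value(s); now ['0', '0']
```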
Les Connor [SBS Community Member]
SBS Rocks !