Archive for the ‘SBS 2003’ Category

Configure Cisco ASA for SBS 2008/2011 Network using ASDM

Following is an outline as to how to configure a Cisco ASA 5505 for an SBS 2008/2011 network, including basic router configuration, IP addressing, and port forwarding, using the GUI/ASDM. The ASDM version used at the time of writing is 6.4(5), and ASA Version 8.2(5). For the record this can be accomplished much more easily from the CLI/Command Line Interface, but we SBS folk tend to like to do things from a GUI. I will however post a follow-up article outlining how to do so from the CLI, using only a handful of commands. [Update: for CLI instructions see: https://blog.lan-tech.ca/2012/01/25/configure-cisco-asa-for-sbs-20082011-network-using-cli/ ]

It is assumed the ASA is still set to factory defaults. If so, skip to “Basic Router configuration”.

Reset to factory defaults:

Since this article is dedicated to using the ASDM console, to reset from within, simply log on, select “File” from the menu, and then “Reset Device to the Factory Default Configuration”.  If you do not have access to the ASDM console, i.e. you do not know the IP, you can use the blue console cable and access through Telnet. Once connected to the CLI (Command Line Interface) enter the following commands:

  • enable
  • config t
  • config factory-default  (press the space bar a few times when “more” is displayed to get back to the prompt)
  • reload save-config noconfirm  (to write to flash memory)
  • the unit will reboot with factory defaults

Basic Router configuration:

We will run the Startup Wizard to do the basic configuration. During the process do not make changes to the internal interface IP or internal DHCP settings.

Launch the ASDM using https://192.168.1.1 , choose to ignore the certificate error, and select “run Startup Wizard”. When prompted for a username and password leave both blank. You can also start the wizard from within the ASDM from the menu under Wizards, Startup Wizard.

[ Edit: In case it is confusing; after publishing it was pointed out you can see the 192.168.111.254 current ASA address in the title bar. Please ignore, it is unrelated to the configuration. ]

Starting Point: In the first window accept the default “modify existing configuration” and click next.


Basic Configuration: If you like you can change the ASA Host Name and domain, but it is not necessary. I strongly recommend changing the password, and make it secure. When you log back in later the user name will still be blank.


Interface Section: Leave all at defaults.


Switch Port Allocation:  Again the defaults are fine for this configuration.


Interface IP Address Configuration: Presumably you have been assigned a static public IP by your ISP where you are running a mail server. If so select “Use the following IP address”, enter the appropriate IP and subnet mask under “Outside Address”. (Note: you will need to add a static route for the default gateway later)

If using DHCP with your ISP, select “Use DHCP” and check “Obtain default route using DHCP” (which will automatically add the default gateway). When using DHCP you will probably also want to set up a DDNS service. To do so see the following article: Using DDNS Services with SBS 2008/2011

The wizard will not allow you to continue without entering a DMZ address. You will not be using the DMZ in this configuration, so simply pick a private IP outside of any subnet you plan to use and select a subnet mask of 255.255.255.0; if presented with a DMZ related error you can ignore it.


DHCP Server:  We will deal with DHCP later along with the inside interface IP. Leave the current defaults “Enable DHCP” and the IP range for now.


Address Translation (NAT/PAT):  You will want to use PAT, so accept the defaults.


Administrative Access: This determines from which IPs or subnets you can access the ASA 5505 to manage it, and using which protocols. The current default is using the ASDM from the 192.168.1.0 subnet. If you plan to change the IP of the router to a different subnet you need to add it now, before making changes to the inside interface’s IP. Assuming you later plan to use 192.168.123.0/24 (/24 = subnet mask 255.255.255.0) for your local network, I recommend adding that subnet to the inside interface, using two rules, one for HTTPS/ASDM and the other for Telnet, by clicking the “edit” button. Leave the “Enable HTTP server for HTTPS/ASDM access to this ASA” checked near the bottom.


Startup Wizard Summary: This page displays a summary of your choices. Review and click finish.


Disable DHCP: Assuming you are running SBS 2008/2011 Standard and not SBS 2011 Essentials, you will need to turn off DHCP on the inside interface of the Cisco, as the SBS server should most definitely be the DHCP server. If not convinced see: Do I absolutely have to run DHCP on SBS 2008? If running SBS Essentials the default is to have the router as the DHCP server, though it does not have to be. To disable DHCP, log back into the ASDM if you are no longer connected, and navigate to: Configuration | Device Management | DHCP | DHCP Server | highlight the inside interface and click “Edit” | uncheck “Enable DHCP server”. Then click OK and Apply at the bottom.


Change Inside interface (LAN) IP:  As mentioned earlier, for the purposes of this article we will use 192.168.123.x (properly represented as 192.168.123.0/24) and choose 192.168.123.254 as the router inside interface IP but for your configuration match the current subnet of your SBS server.

This will be the gateway IP for PCs and servers on the SBS network. Navigate to: Configuration | Device Setup | Interfaces | highlight the inside interface, select Edit and change the IP to that of your choosing. Click OK, then check the box “Enable traffic between two or more hosts connected to the same interface” at the bottom, and Apply.

Note: Should you choose to enable a VPN, using the Cisco or the SBS built-in VPN, the site from which a client connects must use a different Network ID (subnet) than that of the SBS LAN. As a result, nobody connecting from a remote site that uses 192.168.1.x locally can connect to resources on this network. Therefore it is always a best practice to avoid common subnets like 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, 10.0.0.x, and 10.10.10.x. However, if your SBS is already configured you would need to change the network addressing for the entire network. In the event you choose to do so, make sure you use the wizard for changing the server IP located under SBS console | Networking | Connectivity | Connect to the Internet. You also have to change any DHCP scopes, reservations, exclusions and devices with statically assigned IPs such as printers.


Add a static route for the router’s default gateway: As mentioned before, if you have a static public IP assigned to the outside interface, you also have to create a static route to assign a default gateway to allow the router Internet access. To do so select Device Setup | expand Routing | Static Routes | and on the right click Add. Select the outside interface, choose “any” for the Network from the drop down list and insert the gateway address assigned by the ISP, with a metric of 1. The remaining items should retain the default settings. Click OK and Apply.


If you have not already done so, I would recommend saving all changes at this point by selecting from the menu File and then “Save running configuration to flash”, or at any point simply press Ctrl+S to save.

Configure port forwarding:

SBS requires several ports be forwarded for various services.  Below is an outline as to how to configure port forwarding for SMTP (port 25). You will need to do this for each of the services in the following list that you plan to use:

  • SMTP port 25 Exchange
  • HTTPS / SSL port 443 Outlook Web Access, Remote Web Workplace (Remote Web Access), and SharePoint
  • SharePoint custom port 987 (SBS 2003 not required)
  • RWW & SharePoint 4125 (SBS 2003 only, not required for SBS 2008/2011)
  • PPTP port 1723 SBS VPN. The Cisco VPN is far more secure and moves authentication to the perimeter of the network. Far better to use it than the SBS VPN since it is included with the ASA 5505
  • RDP port 3389 (Definitely not recommended. Much safer to use RWW/RWA)

Add a NAT Rule: Log into the ASDM, remembering to use the new IP address of the router. Navigate to Firewall | NAT Rules. On the right under Addresses there is an option to +Add; select this and then Network Object. Enter the name of the object, in this case SBS-Server, enter the IP (in our example 192.168.123.10) and a subnet mask of 255.255.255.255. (Adding a network object is not completely necessary, but it makes reviewing configurations at a later date easier to understand, as items are referenced by name rather than IP.)


Next, in the same window, under “Configuration > Firewall > NAT Rules” in the title bar, click +Add and select Add Static NAT Rule. In the resulting window set the “Original” Interface to inside and next to Source click the drop down list button. Select your new object (SBS-Server in this example). Set the “Translated” Interface to outside, and check the box “Use interface IP address”. Select Enable Port Address Translation (PAT), TCP, and enter either the port number or, in the case of most services, the service name, if it is known to the Cisco router. A drop down list of known services will appear when you start to type the service name, if one exists. If using non-standard services, enter the port number using the format tcp/987. The Original and Translated ports in this case should be the same.


Click OK and this will add the rule to the list of static rules.


Add an Access Rule: Next, again in the Firewall section, navigate to Access Rules | Add | Add Access Rule. Change the Interface to outside, the Source will be “any”, the Destination the outside interface, the Service can again be selected from the drop down list, and add a description if you like. Leave the “More Options” section set to defaults. Click OK and Apply.


Repeat the above steps for all services you will be using, probably HTTPS/443 and SharePoint/987, and don’t forget to save (Ctrl+S) when complete.

This should complete the SBS requirements.

Additional Features you may wish to enable:

  • To enable pinging of Internet IPs from the LAN for testing, navigate to: Configuration | Firewall | Service Policy Rules | highlight the policy under Global Policy and click Edit | Rule Actions | check the box for ICMP | click OK and Apply.
  • To allow Tracert to Internet IPs, add the ICMP rule above, then, while still under the Firewall configuration, switch to the Access Rules item and click Add | Add Access Rule. Set the interface to outside, the action to Permit, and Source/Destination to any. Under Service, enter icmp (it should auto-fill, or you can use the drop down list) and click OK. Click OK again in the Add Access Rule dialog and Apply the results to finish the process.
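For readers who would rather see the whole thing at once, the following is the ASA 8.2(5) CLI equivalent of the ASDM steps above: the basic configuration (inside IP, DHCP off, default route, management access), the static PAT and access rules for SMTP/25, HTTPS/443 and SharePoint/987, and the ICMP items from the list just above. This is an added example, not configuration from the original article or from its CLI follow-up. It uses the article’s example addresses (inside 192.168.123.254/24, SBS server 192.168.123.10); the public IP 203.0.113.10/29 and ISP gateway 203.0.113.9 are placeholders from the RFC 5737 documentation range and must be replaced with the values your ISP assigned.

```cisco
! Added example: ASA 8.2(5) CLI equivalent of the ASDM steps in this article.
! Placeholders (replace with your own values):
!   203.0.113.10 255.255.255.248  - ISP-assigned public IP and mask (RFC 5737 documentation range)
!   203.0.113.9                   - ISP default gateway
!   <strong-password>             - the enable/ASDM password you choose
! From the article: inside 192.168.123.254/24, SBS server 192.168.123.10
!
! --- Basic configuration (Startup Wizard equivalents) ---
hostname sbs-asa
enable password <strong-password>
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! "Enable traffic between two or more hosts connected to the same interface"
same-security-traffic permit intra-interface
!
! SBS is the DHCP server, so the ASA's own DHCP server is turned off on the inside
no dhcpd enable inside
!
! Default route via the ISP gateway, metric 1 (the "static route" step)
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Management access only from the LAN subnet: HTTPS/ASDM and Telnet, as the wizard step adds.
! Telnet is cleartext; SSH (ssh 192.168.123.0 255.255.255.0 inside) is the safer choice if you need CLI access.
http server enable
http 192.168.123.0 255.255.255.0 inside
telnet 192.168.123.0 255.255.255.0 inside
!
! --- Port forwarding (the NAT Rule and Access Rule steps) ---
! Named host so later reviews read "SBS-Server" instead of a bare IP
names
name 192.168.123.10 SBS-Server
!
! Static PAT: outside interface IP, TCP port -> SBS server, same port (8.2 "static" syntax)
static (inside,outside) tcp interface smtp  SBS-Server smtp  netmask 255.255.255.255
static (inside,outside) tcp interface https SBS-Server https netmask 255.255.255.255
static (inside,outside) tcp interface 987   SBS-Server 987   netmask 255.255.255.255
!
! Inbound access rules on the outside interface: only the forwarded services are permitted
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 987
! ICMP so tracert from the LAN receives its replies ("Additional Features", second item)
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
!
! --- ICMP inspection so pings from the LAN get their replies back ("Additional Features", first item) ---
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Equivalent of File | Save running configuration to flash (Ctrl+S)
write memory
```

Paste these in configuration mode (enable, then configure terminal) on a unit that is at factory defaults, as the article assumes; the Vlan1/Vlan2 interface blocks only change the inside address and set the outside address, everything else about the default interface and switchport layout is left as the wizard leaves it. If you use the DHCP option with your ISP instead of a static address, replace the outside ip address line with ip address dhcp setroute and drop the route outside line.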

Missing SBS 2008/2011 drive space

Internet forums are full of questions entitled “where is my missing drive space”, or “HELP! I am running out of drive space on the system partition”. There are some known issues, addressed below, where SBS is known to generate large log files, but very often it is due to hidden contents of user folders. The Redirected Folders feature is usually enabled with SBS, and with the default Group Policy a user’s folder is protected and hidden from view by all others, including Domain Administrators. Therefore when browsing to a user’s private folders such as My Documents, not only will you be denied access, but the properties of the folder will show: Size = 0 bytes, and Contains = 0 Files, 0 Folders.


This is due to a permission set by group policy, within the Small Business Server Folder Redirection Policy, when the folder was created.


Editing the policy will not change existing folder permissions. You can change the permissions if required, though I strongly discourage doing so, if for no other reason than that users have a right to privacy. If you feel you must, Susan Bradley has nicely outlined the process in the following link: http://msmvps.com/blogs/bradley/archive/2010/02/28/getting-access-to-the-my-documents-redirected-folders.aspx

However, even though you cannot open the files, it is possible to see the contents of the folders (folder and file names) and the size of the contents by using an application named TreeSize Professional from: http://www.jam-software.com/treesize/ There is a 30 day free trial period, but I recommend buying it to have in your “tool box” to quickly locate that user who has 30GB of movies saved in their redirected My Documents. TreeSize will provide a very nice graphical overview of drive space distribution and you can quickly drill down to the source of the problem. As an example, in the following two images of the same directory, Windows shows 113 MB in use, where TreeSize includes the hidden directories and accurately reveals 58.4 GB of consumed drive space.

image

image

TreeSize can be used in many other ways for storage management, but it is invaluable in locating folders that are consuming large amounts of space on your drives.

Other known issues:

TreeSize can also help to locate other space consuming culprits. Once located, the information and links below, organized by file path, may be able to assist with resolving them.

The following link reviews numerous known file locations that have a tendency to accumulate large log files. This link is extremely valuable in addressing the key space issues with SBS:  http://blogs.technet.com/b/sbs/archive/2010/03/02/recovering-disk-space-on-the-c-drive-in-small-business-server-2008.aspx

  • C:\inetpub\logs\LogFiles
  • C:\Program Files\Windows Small Business Server\Logs\
  • C:\Program Files\Windows Small Business Server\Logs\WebWorkplace
  • C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs
  • C:\Program Files\Windows Small Business Server\Data\badmail
  • C:\Windows\system32\winevt\logs\
  • c:\Windows\system32\certlog
  • C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL
  • C:\Windows\System32\LogFiles\

C:\WSUS  Windows Server Update Services can build up many unnecessary updates that can be cleaned up by running the WSUS “Server Cleanup Wizard” located under Administrative Tools | Windows Server Update Services | SBSname | Options | Server Cleanup Wizard

C:\Program Files\Microsoft\Exchange Server\Mailbox\xxxx Storage Group Keep in mind deleted e-mails are retained in the Exchange database until you do a backup using an Exchange aware backup application such as the built-in SBS backup utility.

C:\Windows\winsxs:   See: “How to Alleviate Disk Space Pressure Caused By a Large Windows Component Store (WinSxS) Directory”  http://support.microsoft.com/?kbid=2592038  https://support.microsoft.com/en-us/kb/2795190

C:\Windows\System32\logfiles\WMI\trace.log  You can stop this logging, if necessary, by setting the following registry value to 0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger\Start = 0

You may also want to review an excellent article by Lee Wilbur on regaining space and managing the system partition:  http://www.lwcomputing.com/tips/static/bootdrivesize.asp

Should you need to gain additional space you can also move some of the SBS data files to another drive or partition such as Exchange, Users Shared Data and Redirected Folders, Sharepoint, and WSUS. To do so use the SBS wizards in the SBS console:  http://technet.microsoft.com/en-us/library/cc527581(WS.10).aspx



Added Nov 30, 2011:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue  This contains error reports generated by Windows. On some systems, though the files are not hidden, the folder properties show 0 MB; TreeSize will display the size of this folder correctly. Though I don’t recommend disabling the reporting, you can do so by going to: Control Panel | Problem Reports and Solutions | Advanced settings | Off

C:\WINDOWS\system32\LogFiles\HTTPERR  These are HTTP error logs, much of which is generated by IIS. If there are a large number of errors you should look into why, but you can reduce the chances of the folder filling up with log files again by applying the following: http://support.microsoft.com/kb/820729

Remember you can always download a trial copy of SBS to use for testing configurations and modifications from the Microsoft Evaluation Download Center:

http://technet.microsoft.com/en-ca/evalcenter/default.aspx?ocid=aff-c-ca-jtc–MVP52

Reset Domain Administrator Password

“Help! I cannot log onto my server, how do I reset the domain admin’s password?” This has been asked a thousand times. Rather than continually advising folk or posting elsewhere, I thought it best to blog a few methods and in future provide a link to this site; feel free to do so yourself as well. Hopefully the following information will be used in a responsible manner. Keep in mind none of the following is my original material, though I have tried to give credit when possible. Use at your own risk; there are no guarantees or warranties associated with any of the material below, and make sure you back up anything you can still access through shares and such before attempting. I have tried other methods not listed below that have corrupted Active Directory and resulted in server rebuilds or restores, so a backup is critical.

If it is a Domain Controller most of the free or inexpensive password tools will not work. You can buy enterprise software that will do the job, the most common being:
http://www.lostpassword.com/windows-enterprise.htm

Alternatively, the following is free, works well, but it involves many steps. Basically you reset the ASR password and then create a service that will automatically run when the server restarts to reset the password. To fully understand all the details, make sure you review all of the links within the article.  http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2008_ad.htm

There is a newer method that is easier with Server 2008 / Server 2008 R2 / SBS 2008 / SBS 2011  (I have not tested on server 2003, though the necessary files do exist). The original site outlining this seems to be off-line so I have posted the contents of the original site below. However, in an attempt to give credit to the author the original site link was: http://fracktured.com/2010/09/03/how-to-reset-lost-sbs-2008-domain-admin-password/  There is also a video outlining the same process that has since been posted at: http://www.youtube.com/watch?v=Ar-VoO9ogHc&feature=player_embedded#

The steps are as follows:

· Restart the server and boot to the DVD

· After selecting the appropriate installation language, select Repair Your Computer

· Start command prompt, and change the command line path to C:\ by entering c:\

· Enter cd c:\windows\system32

· Enter ren utilman.exe *.bak

· Enter copy cmd.exe utilman.exe

· Restart the server. This time do not boot to the DVD, just boot normally

· At the login screen, press the Windows+U keys on your keyboard. This will bring up the command prompt

· Enter net user [server admin username] [new password]

· On a regular Server 2008 install, [server admin username] will probably be administrator, but it could be any domain username with domain admin rights. [new password] will be the new password you want to set. If password complexity is enabled (which is the default on Server 2008) you will need to have some UPPER case letters and/or numbers and/or symbols in the password.

· On SBS 2008, the administrator account is disabled by default. Even if you reset the administrator password, you still won’t be able to login because the account will still be disabled. Instead of administrator, you would use the server admin user name that was used when the server was first setup. If you don’t know the user name, you can enter net user to get a list of all domain user accounts. It won’t show you what users have what privileges, but it could help jog your memory.

· Now go back to the login screen and log in with the user name and new password you just set. For the user name, be sure to use the domain\username format

· Once you have verified that you can log in with the new password, repeat steps 1-4

· Enter ren utilman.bak *.exe

· Restart the server and boot normally

 

SBS 2003 Daily Report indicates .NET Framework NGEN v4.0 automatic service is not running

It seems many have chosen to install .NET v4 updates on SBS 2003. When “Microsoft .NET Framework NGEN v4.0.30319_X86” is installed on SBS 2003, the normal state for this service is automatic but not started. This flags an “auto-started services not running” warning in the SBS daily reports. The message reads: “In normal conditions these services should be running. For details it is recommended that you review errors in the Event log related to the service”.


This can safely be ignored; however, it can be annoying to see the message in every report. Microsoft has published a “FixIt” and documentation to configure the warning to be ignored and thus remove it from the daily reports: http://support.microsoft.com/kb/2290390
