Conficker

Written by Daniel Mundy on Wednesday, 01 April 2009 11:05.

Microsoft has published new information today on the following web pages:

ANSWERS TO COMMON QUESTIONS

Q: What will happen on April 1, 2009?

A: Based on our collective technical analysis, we've determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. We have not identified any other actions scheduled to take place on April 1, 2009.

Q: Will an updated version of Conficker go out to already-infected systems on April 1, 2009?

A: It is possible that systems with the latest version of Conficker will be updated with a newer version of Conficker on April 1, 2009 by
contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1, 2009 including via the "peer-to-peer" updating channel in the latest version of Conficker.

Q: Should the general public be alarmed? Why or why not?

A: No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067
(http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx) being applied automatically.

Q: What should people who are worried about April 1, 2009 and Conficker do?

A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest antivirus signatures for the antivirus product they use.

Using IPSec to Block Ports on Client Machines

Written by Daniel Mundy on Thursday, 26 March 2009 10:45.

Sometimes you want to block a port but cannot use a hardware firewall to achieve this.

An example is an SBS network with a dual NIC configuration that does not have ISA. We want to block port 25 on the PCs because from time to time a virus may slip through the cracks, send spam directly from the PC and cause the server to be blacklisted.

Because all traffic is routed through the SBS server's public network interface we cannot block port 25 at the firewall without also stopping Exchange from working.

In this case we can apply a group policy to all PCs to block the ports using IPSec.

  1. On the SBS machine, open Group Policy Management and edit the appropriate GPO for all the client machines (not including the server itself).
  2. Expand to Computer Configuration->Windows Settings->Security Settings->IP Security Policies.
  3. Right click IP Security Policies and select Create IP Security Policy.
  4. Follow the wizard and name the rule.
  5. Uncheck Activate the Default Response Rule.
  6. Click Finish and the Edit Properties window will pop up.
  7. Click Add to add a new rule and select Next.
  8. Click Next and select Local Area Network(LAN).
  9. Click Add to add a new IP Filter List.
  10. Type a name and click Add.
  11. Follow the Wizard and click Next twice.
  12. The source IP address is My IP Address. Click Next.
  13. The Destination IP address is Any IP Address. Click Next.
  14. Select the protocol type as TCP. Click Next.
  15. Type "25" in To This Port and click Next.
  16. Click Finish and we've created an IP Filter List for TCP port 25.
  17. Click Add again and this time select UDP instead of TCP.
  18. We can set port number 25 in From This Port as well.
  19. After creating the IP Filter Lists, click Next in the Security Rule Wizard to create a Filter Action.
  20. Select Add and follow the wizard to select Block. Now we've created a new Filter Action which is blocking the traffic.
  21. Click Finish and close all the windows.
  22. In Group Policy Editor, right click the newly created IP Security Policy, select Assign.
  23. Close Group Policy Editor and run "gpupdate /force" on the clients to refresh the policy.

Please note: do not apply the group policy to the Exchange server, otherwise port 25 will be blocked on the server as well. Also be aware that the filter blocks every outbound SMTP connection from the workstation, so any legitimate SMTP client on a PC (a POP3/SMTP mail client, or an application that sends mail over SMTP) will no longer be able to submit to the Exchange server either; Outlook talking to Exchange over MAPI/RPC is unaffected.

More information: How to Use Internet Protocol Security to Secure network traffic between two hosts in Windows 2000
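As an added example (not part of the original post), here is the same rule built from the command line with netsh ipsec static, the scriptable equivalent of the wizard above. It is useful for trying the filter on a single XP SP2 or Windows Server 2003 machine before turning it into a GPO (Windows 2000 does not have netsh ipsec). The policy, filter list and action names are arbitrary labels chosen for this example, the host name sbs-server is a placeholder, and the Test-TcpPort helper is this example's own check, which needs PowerShell 2.0 for try/catch.

```powershell
# Added example, not from the original post. Builds the block rule in the
# local IPsec policy store with netsh ipsec static and then checks the effect.
# Names below are arbitrary labels chosen for this example.
$policy = "BlockSMTP"
$list   = "SMTPOut"
$action = "BlockAll"

# 1. Policy container, left unassigned until the rule is complete.
netsh ipsec static add policy name=$policy assign=no

# 2. Filter list: source = this machine, destination = any, TCP and UDP
#    destination port 25. srcport=0 means any source port and mirrored=yes
#    matches the wizard's default (the reply direction is covered too).
netsh ipsec static add filterlist name=$list
netsh ipsec static add filter filterlist=$list srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=yes
netsh ipsec static add filter filterlist=$list srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=25 mirrored=yes

# 3. Filter action that drops matching packets (the wizard's "Block").
netsh ipsec static add filteraction name=$action action=block

# 4. Rule tying the list and the action into the policy, then assign it.
netsh ipsec static add rule name=BlockSMTPRule policy=$policy filterlist=$list filteraction=$action
netsh ipsec static set policy name=$policy assign=yes

# 5. Verify. With the policy assigned the SYN to port 25 is silently dropped,
#    so the connect attempt times out and the function returns $false.
#    Run the same check from a PC WITHOUT the policy to prove the port is
#    otherwise reachable, or the test proves nothing.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# "sbs-server" is a placeholder for the Exchange server's name.
"Port 25 reachable: " + (Test-TcpPort -HostName "sbs-server" -Port 25)
netsh ipsec static show policy name=$policy
```

To back the change out on the test machine, run netsh ipsec static set policy name=BlockSMTP assign=no and then delete the policy; once the equivalent policy is assigned through the GPO, the local policy is no longer needed.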

WMI Filters for Group Policies

Written by Daniel Mundy on Wednesday, 11 March 2009 07:59.

Windows Server 2003 offers WMI filtering for group policies. For example you can have a policy apply only to a specific model of laptop. Unfortunately you can only apply one WMI filter to each policy, although a single filter can contain several WQL queries, all of which must return at least one object for the policy to apply. Note also that Windows 2000 clients ignore WMI filters and apply the policy regardless.

There is a tool called Scriptomatic (from the Microsoft Scripting Guys) which enumerates all of the WMI classes, properties and methods you need in order to write the WQL query for a filter.

For more information on WMI filters see page 759 of "Mastering Windows Server 2003".
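As an added example (not from the original post or the book it cites), the following script evaluates candidate WQL queries on a machine the same way Group Policy evaluates a WMI filter, so you can confirm which PCs would match before attaching the filter to a GPO. The model string "Latitude D630" is a placeholder; the Test-WmiFilter function is this example's own helper.

```powershell
# Added example, not from the original post. Evaluates a set of WQL queries
# the way a GPO WMI filter does: each query runs in root\CIMv2 and the filter
# is TRUE only if every query returns at least one object.
function Test-WmiFilter {
    param(
        [string[]]$Queries,
        [string]$ComputerName = ".",
        [string]$Namespace = "root\CIMv2"
    )
    foreach ($q in $Queries) {
        $hits = @(Get-WmiObject -Namespace $Namespace -ComputerName $ComputerName -Query $q)
        Write-Host ("{0,4} object(s)  {1}" -f $hits.Count, $q)
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

# Example filter: one laptop model (placeholder string) AND a workstation OS.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server, so the second query keeps the policy off the SBS server
# even if the filter is linked somewhere it should not be.
$laptopFilter = @(
    'SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Latitude D630%"',
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
)

if (Test-WmiFilter -Queries $laptopFilter) {
    "This machine WOULD receive the policy"
} else {
    "This machine would NOT receive the policy"
}

# Finding the exact Manufacturer/Model strings to put in the query, which is
# what the post uses Scriptomatic for:
Get-WmiObject Win32_ComputerSystem | Select-Object Manufacturer, Model
```

Run it with -ComputerName against a few representative PCs from the server; a query that returns zero objects on a machine you expected to match usually means the Model string differs slightly from what the vendor prints on the label.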

Warning 9548 logged in application log for MSExchangeIS source

Written by Daniel Mundy on Tuesday, 10 March 2009 09:54.

If you are seeing event 9548 from the MSExchangeIS source in the Application log, a mailbox-enabled user account has probably been disabled without a master account being set. This also causes mail to not be delivered to the disabled user's mailbox.

To resolve this for a single user, open the user's properties in Active Directory Users and Computers (Exchange Advanced tab, Mailbox Rights) and grant the SELF account the Associated External Account and Full Mailbox Access rights. This sets the msExchMasterAccountSid attribute.

This can be fixed on a larger scale by running an LDAP query for the affected accounts and applying the master account SID attribute with the NoMAS tool, but NoMAS is only available by request to Microsoft Product Support Services (PSS). For more information about the NoMAS tool, refer to msexchange.org (http://www.msexchange.org/articles/NoMAS-Tool.html).
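As an added example (not from the original post), this script runs the LDAP query mentioned above: it lists disabled, mailbox-enabled users that have no msExchMasterAccountSid, and includes a check that confirms SELF (well-known SID S-1-5-10) is the master account once a user has been fixed. It uses plain ADSI so it runs on a Windows Server 2003 domain controller with PowerShell 2.0; the function names and the sample search root are this example's own.

```powershell
# Added example, not from the original post. Finds the accounts behind
# event 9548 (disabled, mailbox-enabled, no master account SID) and verifies
# the fix. Plain ADSI, no Exchange or AD modules required (PowerShell 2.0).
function Get-UserMissingMasterAccountSid {
    param([string]$SearchRoot = "")   # e.g. "LDAP://OU=MyBusiness,DC=domainname,DC=com"; empty = whole domain

    if ($SearchRoot) { $root = [ADSI]$SearchRoot } else { $root = [ADSI]"" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # userAccountControl bit 0x2 = ACCOUNTDISABLE, tested with the LDAP
    # bitwise-AND matching rule; homeMDB=* keeps only mailbox-enabled users;
    # the last clause keeps only those with no master account SID set.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(userAccountControl:1.2.840.113556.1.4.803:=2)" +
                       "(homeMDB=*)(!(msExchMasterAccountSid=*)))"
    $searcher.PageSize = 1000
    foreach ($attr in "sAMAccountName", "distinguishedName", "homeMDB") {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName    = $r.Properties["samaccountname"][0]
            DistinguishedName = $r.Properties["distinguishedname"][0]
            Store             = $r.Properties["homemdb"][0]
        }
    }
}

# After granting SELF the Associated External Account right in the GUI,
# msExchMasterAccountSid should hold the SELF SID S-1-5-10.
function Test-MasterAccountIsSelf {
    param([string]$DistinguishedName)
    $user  = [ADSI]("LDAP://" + $DistinguishedName)
    $bytes = $user.psbase.Properties["msExchMasterAccountSid"].Value
    if (-not $bytes) { return $false }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    return ($sid.Value -eq "S-1-5-10")
}

# Usage: report the affected accounts and save the list for PSS/NoMAS.
$affected = @(Get-UserMissingMasterAccountSid)
"{0} disabled mailbox-enabled account(s) have no master account SID" -f $affected.Count
$affected | Format-Table SamAccountName, Store, DistinguishedName -AutoSize
$affected | Export-Csv -Path (Join-Path $env:TEMP "event9548-users.csv") -NoTypeInformation

# Spot-check one account after fixing it in the GUI (placeholder DN):
Test-MasterAccountIsSelf -DistinguishedName "CN=Former Employee,OU=MyBusiness,DC=domainname,DC=com"
```

The query deliberately ignores disabled accounts that already have a master account SID (for example resource mailboxes set up correctly), so the count it reports is the number of mailboxes that are currently not receiving mail.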

Changing Store Limits in Exchange 2003

Written by Daniel Mundy on Tuesday, 10 March 2009 09:49.

Each database in Exchange 2003 Standard Edition was originally limited to 16GB. With Service Pack 2 this default was raised to 18GB, and the limit can be increased up to 75GB. Enterprise Edition allows for databases up to 8000GB (8TB).

The database size is checked at 5:00am every 24 hours by default (this can be changed). Event ID 9689 will be logged in the application log the first time that the database limit has been exceeded. The second time this event is logged, the database will be taken offline. You can re-mount the database but will have 24 hours to fix the issue before the database goes offline again.

To change the database limit, use regedit to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\<Server name>\Private-<Mailbox Store GUID>

and create a DWORD value called Database Size Limit in Gb

Enter the new limit in GB, between 1 and 75 for Exchange 2003 Standard and between 1 and 8000 for Exchange 2003 Enterprise. Make sure to enter this number in decimal, not hex.

More info: Petri KB and MS Exchange Team Blog
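As an added example (not from the original post or the linked articles), the following script does the registry change above for every mailbox store on the server, with the edition ceiling enforced and the value written as a decimal integer so the hex/decimal mistake cannot happen. Run it on the Exchange server as an administrator; the function names are this example's own, and the 40GB figure in the usage lines is just an illustration.

```powershell
# Added example, not from the original post. Lists and sets the Exchange 2003
# SP2 "Database Size Limit in Gb" value for the private (mailbox) stores on
# this server. Run on the Exchange server as an administrator.
$IsKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS"
$ValueName = "Database Size Limit in Gb"

function Get-PrivateStoreKeys {
    # Registry layout: MSExchangeIS\<server name>\Private-<mailbox store GUID>
    # (other subkeys of MSExchangeIS have no Private-* children and are skipped).
    foreach ($serverKey in Get-ChildItem $IsKey) {
        foreach ($storeKey in Get-ChildItem $serverKey.PSPath) {
            if ($storeKey.PSChildName -like "Private-*") { $storeKey.PSPath }
        }
    }
}

function Get-StoreSizeLimit {
    foreach ($path in Get-PrivateStoreKeys) {
        $props = Get-ItemProperty -Path $path
        $limit = $props.$ValueName
        if ($limit -eq $null) { $limit = "not set (SP2 default 18 GB)" }
        "{0} -> {1}" -f (Split-Path $path -Leaf), $limit
    }
}

function Set-StoreSizeLimit {
    param([string]$StoreKeyPath, [int]$LimitGb, [switch]$Enterprise)
    $max = 75                          # Standard Edition ceiling
    if ($Enterprise) { $max = 8000 }   # Enterprise Edition ceiling
    if ($LimitGb -lt 1 -or $LimitGb -gt $max) {
        throw "Limit must be between 1 and $max GB for this edition"
    }
    # REG_DWORD written from an integer, so the stored value is the decimal
    # number intended; -Force overwrites an existing value.
    New-ItemProperty -Path $StoreKeyPath -Name $ValueName -PropertyType DWord -Value $LimitGb -Force | Out-Null
}

# Usage: show the current limits, raise every mailbox store on a Standard
# Edition server to 40 GB (illustrative figure), then show the result.
Get-StoreSizeLimit
foreach ($path in Get-PrivateStoreKeys) { Set-StoreSizeLimit -StoreKeyPath $path -LimitGb 40 }
Get-StoreSizeLimit
```

The same key holds the value behind the "(this can be changed)" remark above, Database Size Check Start Time in Hours From Midnight, which defaults to 5; change it the same way if the 5:00am check clashes with your backup window.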

Install BlackBerry Enterprise Server (BES) on SBS 2003 or a Domain Controller

Written by Daniel Mundy on Thursday, 05 March 2009 12:44.

See also: BlackBerry

Historically there has been some controversy about whether or not BES should be installed on SBS. I always try to avoid it and recommend Windows Mobile based devices as the support for them is already built into Exchange, and we don't have to worry about a third party application with its compatibility issues.

That said, sometimes it is unavoidable, and you have to do something you'd prefer not to. I installed BES on SBS 2003 and I have documented the process here. It actually went fairly smoothly. I believe some of the past issues may have been worked out, so if you're reading this and have an experience to share please use the comments at the bottom of this page - I'd love to hear from you!

Installing an MSDE database instance

  1. Locate the MSDE files on the SBS 2003 CD 3 or download them from Microsoft.
  2. Open a command prompt window (Start, Run, cmd, click OK).
  3. At the command prompt, change to the directory where the MSDE files are located, e.g. cd D:\SBS\MONITOR\MSDE
  4. Enter the following command to create the new instance (choose a genuinely strong sa password; the sa account has full control of the instance):
    setup INSTANCENAME="BESMgmt" SAPWD="AStrongSAPwd" /L*v C:\MSDELog.log
  5. Start the service: Start -> Run -> Services.msc -> click OK. Scroll down to the instance you just created, MSSQL$BESMGMT, select it and click Start.
  6. Check the log file at C:\MSDELog.log to make sure everything installed correctly.

Enabling TCP/IP on the MSDE Database

  1. Click Start, Run, type svrnetcn and click OK.
  2. Enable TCP/IP and Named Pipes for the BESMgmt instance.
  3. Open the Properties of TCP/IP and change the port number to 1433.
  4. Restart the service again to apply these changes (note you will have to restart ALL services listening on the same port, e.g. on SBS 2003 I had to restart both MSSQL$BESMGMT and MSSQL$SHAREPOINT). BES and the database live on the same server, so 1433 only needs to be reachable locally; do not open it on the external interface or at the firewall.

Prep

  1. Ensure that TCP port 3101 is open on the firewall (outbound ONLY).
  2. Create a new user called BESadmin and ensure you create a mailbox. Ensure this user is ONLY a member of "Domain Users".
  3. Make BESadmin a local Administrator of the server. On a domain controller this is done in AD via the "Builtin" Administrators group. Note that on a DC that group has administrative rights over the whole domain, not just this machine, so treat the BESadmin password as a domain administrator credential.
  4. In Administrative Tools (or Group Policy Management), edit the "Domain Controller Security Policy", expand "Local Policies" and "User Rights Assignment", and add BESadmin to "Log on locally" and "Log on as a service".
  5. Open Exchange System Manager, right-click "DOMAINNAME (Exchange)" and select Delegate Control. Follow the steps and add BESadmin as an Exchange View Only Administrator.
  6. In Exchange System Manager expand the Servers folder, right-click your server and select Properties. On the Security tab select BESadmin and add the permissions "Administer Information Store", "Receive As" and "Send As".
  7. Open Active Directory Users and Computers and from the View menu select "Advanced Features". Then go to each user that will be added to the BES, open their properties, go to the Security tab, add the user BESadmin and grant the "Send As" permission. (This overcomes the Microsoft patches that prevent BES sending email as the user.)

Installation

  1. Log on as BESadmin and install the BES software. Normally you just install "BlackBerry Enterprise Server" as most sites don't use the MDS services (MDS is a much heavier install). Follow the prompts of the install; the server will be required to restart half way through. Restart the server, log back on as BESadmin and the install will continue. (Make sure the Connect Test works and the SRP ID etc. is validated during the install.)

    Database Location: Local
    Microsoft SQL Server Name: SERVER\BESMgmt
    Database Name: BESMgmt
    Port: 1433
    Data Directory: C:\Program Files\Microsoft SQL Server\
    Backup Directory: C:\Program Files\Microsoft SQL Server\
    Database Authentication: Windows (trusted)

    You'll get a prompt that database 'BESMgmt' does not currently exist. Do you want to create it? Choose Yes.
  2. After the install is finished open BlackBerry Manager, an error will appear about MAPI client which you can just hit OK. The MAPI setting windows will appear so just add the server name back in and select "Check Name", if it resolves just hit OK and the manager will start.
  3. Within Blackberry Manager click on Blackberry Domain in the left column and then the users SERVERS tab in the center section, select your server within this tab and view the properties below. Ensure that "SRP Status:" is Connected (This can take a few minutes the first time so refresh the screen a few times). Once your status is connected you can start adding users.
  4. Within BlackBerry Manager click on your server name in the left column and then the Users tab in the centre section. Add a user and then click on that user. You will see all the user's properties and a drop-down menu called "Service Access"; select "Set Activation Password" and set a password of "a" for example.
  5. Turn on your BlackBerry device and ensure Wireless is enabled. Go into "Options/Settings" and "Time & Date" and set the correct zone and time etc. Then from the home screen go to Enterprise Activation, enter the user's email address and the password that was set in step 4. Press the track wheel and select Activate. Within a minute you should get data returned, which indicates the process is functioning correctly.

Extra

Note: Sites running SBS 2003 premium will need to change the BES "Web Server Listen Port" from 8080 to another available port (e.g. 8090 or 9090) as soon as it is installed. This port needs to be changed as the BES Web Server will be listening on the same port as ISA. To change this setting open Blackberry Manager, select MDS and then "edit Properties" and change the "Web Server Listen Port" to the desired port number.

a. Also ensure you review the IT Policy in BlackBerry Manager. This can be found in BlackBerry Domain > Global tab > Edit Properties. It is recommended that in the IT Policy you go into "Device Only Items" and set "Enable WAP config" to FALSE; this will force users to use the free browser (it uses the internet connection of your BES server). It is also highly recommended that you configure a password policy prior to rolling out any handhelds.

b. If you are unable to activate devices wirelessly you can test your connectivity to BlackBerry by running the following program from the command prompt:

C:\Program Files\Research In Motion BlackBerry Enterprise Server\Utility\BBSrpTest.exe

This will send a signal to BlackBerry and wait for a response. If this fails, check your firewall settings (open and/or direct port 3101 TCP to your BES server).

c. If you have Domain Admins (or any other account protected by AdminSDHolder) using BlackBerry devices you may have to run the following command if you are unable to send email from those users' devices. AdminSDHolder protection periodically overwrites the ACL on protected accounts, which removes the per-user "Send As" permission granted in the Prep section, so the permission has to be granted on AdminSDHolder itself:

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"

Be aware that this ACE is propagated to every protected account in the domain (by default every 60 minutes), so BESadmin gains Send As on all of them, not only the BlackBerry users.
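As an added example (not from the original post), this script automates Prep step 7 for a list of users, checks that the ACE actually landed, and flags accounts that are protected by AdminSDHolder (adminCount=1), which are the ones that need the dsacls command in part c. It uses plain ADSI/.NET and needs PowerShell 2.0 and Domain Admin rights; the function names, the DOMAINNAME\BESadmin grantee and the user DNs are placeholders chosen for this example.

```powershell
# Added example, not from the original post. Grants BESadmin the "Send As"
# extended right on each BlackBerry user's AD object and reports accounts
# whose ACL SDProp rewrites from AdminSDHolder (every 60 minutes by default),
# so the grant must also be made on AdminSDHolder for those (part c above).

# Well-known schema GUID of the Send-As extended right.
$SendAsGuid = [Guid]"ab721a54-1e2f-11d0-9819-00aa0040529b"

function Test-SendAs {
    param([string]$UserDn, [string]$Grantee)
    $user  = [ADSI]("LDAP://" + $UserDn)
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = $user.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $sameGrantee = ($ace.IdentityReference.Value -eq $Grantee)
        $sameRight   = ($ace.ObjectType -eq $SendAsGuid)
        if ($sameGrantee -and $sameRight -and $ace.AccessControlType -eq $allow) { return $true }
    }
    return $false
}

function Grant-SendAs {
    param([string]$UserDn, [string]$Grantee)
    if (Test-SendAs -UserDn $UserDn -Grantee $Grantee) { return "already present" }
    $user     = [ADSI]("LDAP://" + $UserDn)
    $identity = New-Object System.Security.Principal.NTAccount($Grantee)
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $identity, $rights, $allow, $SendAsGuid
    $user.psbase.ObjectSecurity.AddAccessRule($rule)
    $user.psbase.CommitChanges()
    if (Test-SendAs -UserDn $UserDn -Grantee $Grantee) { return "granted" }
    return "FAILED (ACE not found after commit)"
}

function Test-AdminSdHolderProtected {
    param([string]$UserDn)
    $user = [ADSI]("LDAP://" + $UserDn)
    return ($user.psbase.Properties["adminCount"].Value -eq 1)
}

# Placeholders for this example: the BES service account and the DNs of the
# users being added to BES.
$grantee = "DOMAINNAME\BESadmin"
$blackBerryUsers = @(
    "CN=Alice Example,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domainname,DC=com",
    "CN=Bob Example,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domainname,DC=com"
)

foreach ($dn in $blackBerryUsers) {
    $result = Grant-SendAs -UserDn $dn -Grantee $grantee
    $note = ""
    if (Test-AdminSdHolderProtected -UserDn $dn) {
        $note = "  <-- adminCount=1: SDProp will remove this; grant Send As on AdminSDHolder instead (part c)"
    }
    "{0}: Send As {1}{2}" -f $dn, $result, $note
}
```

Running the script a second time reports "already present" for every user, which makes it a quick way to confirm after the next SDProp cycle whether a protected account has lost the permission again.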

 

Error When Changing the Port Number

I got the following error when I tried to change the port from 1433 to 1434. I ended up just changing it back to the default 1433 and it worked.

Failed to write License key to the Database. Refer to the installation log file for more information.

Digging into the log file it says: Failed to update the license keys as no database connections.

POP3 Connector in SBS 2008 requires Users to be visible in the SBS Console

Written by Daniel Mundy on Thursday, 22 January 2009 14:12.

When following the Microsoft migration documentation, after completing the email migration you may decide to put off doing the intranet migration for another day.

This is fine unless the client is using POP3 connectors.

By default, the users aren't visible in the SBS Console until near the end of the migration. The problem is that the SBS POP3 Connector needs them to be visible in the SBS Console in order to associate them with a mailbox; it isn't enough to have the mailbox or the user account on the SBS server.

You may want to follow the migration document step by step, but in order to work around this problem you'll need to move the intranet before fixing up the users, so that they appear in the console and the POP3 Connector can be configured.

Source: Paul Parnis on the sbsusers mailing list

Active Directory Health Check

Written by Daniel Mundy on Wednesday, 21 January 2009 09:27.

See also: Working with the Domain Controller Diagnostic Utility

Source: David Overton's Blog

Given the recent comments about AD validation I thought I would share this excellent document on verifying your AD before you begin a migration (or at any other time)

Active Directory Health Check - Active Directory

This document outlines a basic procedure for validating the health of your domain and is a good practice for iterative maintenance and an excellent pre-check before doing any potentially dangerous domain operations

I would add a couple of extra tests to the list in this document, which would be placed after the 1st DCDIAG test, also perform:

DCDIAG /test:DNS /DNSALL /e /v

DCDIAG /test:DcPromo /e /v

DCDIAG /test:RegisterInDNS

If your system passes these tests then it is a good indication of health.
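As an added example (not from David Overton's post or the document it links), the following script runs the three DCDIAG tests quoted above, keeps each full verbose log, and pulls out the "passed test"/"failed test" summary lines so a problem is obvious at a glance. The DcPromo and RegisterInDNS tests require the domain's DNS name (and DcPromo a role switch such as /ReplicaDC), so $Domain is a placeholder you replace with your own; the Invoke-DcDiagTest function is this example's own helper and needs PowerShell 2.0.

```powershell
# Added example, not from the original post. Runs the DCDIAG tests listed
# above on a domain controller, saves the verbose output, and summarises the
# pass/fail lines. $Domain is a placeholder for your AD DNS domain name.
$Domain = "example.local"
$LogDir = Join-Path $env:TEMP "dcdiag"
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

function Invoke-DcDiagTest {
    param([string]$TestName, [string[]]$ExtraArgs)
    $argList = @("/test:$TestName") + $ExtraArgs
    $log     = Join-Path $LogDir ($TestName + ".log")
    # Capture stdout and stderr together; the full text goes to the log.
    $output = & dcdiag.exe $argList 2>&1
    $output | Out-File -FilePath $log
    # DCDIAG ends each test with "... <target> passed test X" or "failed test X".
    $summary = @($output | Select-String -Pattern "(passed|failed) test")
    $failed  = @($summary | Where-Object { $_ -match "failed test" })
    New-Object PSObject -Property @{
        Test   = $TestName
        Passed = $summary.Count - $failed.Count
        Failed = $failed.Count
        Log    = $log
    }
}

$results = @(
    (Invoke-DcDiagTest -TestName "DNS"           -ExtraArgs "/DNSALL", "/e", "/v"),
    (Invoke-DcDiagTest -TestName "DcPromo"       -ExtraArgs "/DnsDomain:$Domain", "/ReplicaDC", "/e", "/v"),
    (Invoke-DcDiagTest -TestName "RegisterInDNS" -ExtraArgs "/DnsDomain:$Domain")
)

$results | Format-Table Test, Passed, Failed, Log -AutoSize
if (($results | Measure-Object -Property Failed -Sum).Sum -gt 0) {
    Write-Warning "One or more DCDIAG tests failed; read the logs before doing any migration or domain operation."
}
```

A zero in the Failed column is only meaningful if the Passed column is non-zero for the same test: a test that could not run at all (wrong switches, DCDIAG not installed from the Support Tools) produces neither line, so treat an all-zero row as a failure too.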

K-VNC Viewer in Kaseya using Windows 7

Written by Daniel Mundy on Friday, 16 January 2009 12:10.

Using Windows 7, when trying to remote control a machine using K-VNC, you may get the following error:

VNC Viewer: Error
setReflected: This function is not supported on this system. (120)

Although the remote machine running the Kaseya agent is using the KVNC server, the viewer part is actually using RealVNC viewer, which has been renamed to kvncviewer.exe.

There is a beta version of RealVNC that fixes this. Kaseya seem to have incorporated this version in the product. You shouldn't need to do anything other than run IE as Administrator the first time.

Make sure you add the Kaseya URL to your trusted sites.

The kvncviewer.exe file lives on the Kaseya server in the folder C:\Kaseya\WebPages\install. When you remote control an agent using K-VNC, this file is called by KRlyCCon.exe, both of which are copied to C:\Users\YourUserName\AppData\Local\Temp in Vista and Windows 7, or C:\Documents and Settings\YourUserName\Local Settings\Temp in Windows XP.

I have had cases where the KRlyCCon.exe file is copied to this path, but kvncviewer.exe is not. If you manually copy the file here it should work. This also seems to happen on Windows XP.