Enabling NTP service on Windows Server 2008 / 2008R2

Setting a time server on Windows Server 2008 or 2008 R2 still appears to be difficult for some administrators. For this reason I have decided to write on my blog how to set it from the command prompt. There is also a way to modify the same settings in the registry, but I prefer other ways.
To configure the time service, the command prompt must be opened as administrator. There you must enter some commands:

  • w32tm /config /manualpeerlist:ntp1.arnes.si /syncfromflags:MANUAL /reliable:yes – this command sets the NTP server to ntp1.arnes.si (of course you can use other servers) and sets the synchronization source. The syncfromflags switch has two options: MANUAL if you synchronize from the manual peer list (our case), or DOMHIER if you want to synchronize from the DC (this of course excludes the manualpeerlist switch). The reliable switch sets this computer as a reliable time service.
  • w32tm /config /update – of course you must update the configuration, and this is done in this step.
  • net stop w32time and net start w32time – you must restart the time service so that it applies the desired configuration.
  • w32tm /resync /rediscover – this step is optional, but it is very good for testing. The only thing we do here is force the synchronization. This is a nice way to test whether everything is OK.

These are the commands to set the NTP time server, but don’t forget that the NTP server must be reachable from your computer. Many errors occur at this step, so check the firewalls to see whether UDP port 123 is open. The list of NTP servers is here. You will find one that is OK for you.
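The steps above as one script with a reachability check before and a verification after, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt, English w32tm output, and that a successful /stripchart sample ends in an offset such as "+00.0123456s" while a failed one reports "error:".

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
$peer = 'ntp1.arnes.si'   # server used in the post; replace with your own

# 1. Reachability: /stripchart sends real NTP queries over UDP 123, so a blocked
#    port shows up here before any configuration is changed.
#    Assumption: a good sample looks like "12:00:00, +00.0123456s",
#    a failed one like "12:00:02, error: 0x800705B4".
$samples = & w32tm /stripchart "/computer:$peer" /samples:3 /dataonly
$good = @($samples | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s\s*$' })
if ($good.Count -eq 0) {
    Write-Error "No NTP reply from $peer. Check that UDP 123 is open on the firewalls."
    return
}
Write-Output ("{0} of 3 NTP samples answered by {1}" -f $good.Count, $peer)

# 2. The four steps from the list above.
& w32tm /config "/manualpeerlist:$peer" /syncfromflags:MANUAL /reliable:yes
& w32tm /config /update
& net stop w32time
& net start w32time
& w32tm /resync /rediscover

# 3. Verification: the reported source should be the configured peer.
#    "Local CMOS Clock" or "Free-running System Clock" means no sync has happened yet.
$source = (& w32tm /query /source | Out-String).Trim()
if ($source -like "$peer*") {
    Write-Output "Time source is $source"
} else {
    Write-Warning "Time source is '$source', expected $peer. Wait a minute and query again."
}

# Full status (stratum, last successful sync time) for the record.
& w32tm /query /status
```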

Disable screen saver, enabled with group policy (Windows 7)

Of course, at the beginning, you must exclude the computer from the scope where the policy is applied. If the policy is still active on the computer, you cannot change any setting applied with GP.
After the GP is disabled, you must change a few values in the registry:

  • 1. The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • ScreenSaverActive to enable (1) or disable (0) the screen saver
    • ScreenSaverIsSecure to enable (1) or disable (0) the password-protected screen saver
    • ScreenSaveTimeOut for the number of idle seconds before the screen saver starts
  • 2. The registry key HKEY_CURRENT_USER\Control Panel\Desktop – I suggest viewing and setting the same values here as well (the keys are very similar), but this is not a group policy setting; it is a normal Windows setting.

Remark 1: In some cases I also found another registry key to be modified: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop. Please check this location as well.

Error 503 when browsing companyweb on SBS 2011

This is just another case in which you will receive “HTTP Error 503. The service is unavailable”.
In my case I started from this warning:

Log Name: Application
Source: Microsoft-Windows-User Profiles General
Event ID: 1509
Level: Warning
User: DOMAIN\spwebabb
Description: Windows cannot copy file \\?\C:\Users\Default\AppData\Local\Microsoft\Exchange Server\v14\Configuration\5464_100.sqm to location \\?\C:\Users\TEMP.DOMAIN.001\AppData\Local\Microsoft\Exchange Server\v14\Configuration\5464_100.sqm. This error may be caused by network problems or insufficient security rights.
DETAIL – Access is denied.

At first sight I ignored this issue (it seemed to be an Exchange problem), but when I looked at the username, I saw it was a SharePoint-related problem. To repair it, you must give the reported file sufficient rights. You can do this by going to the specified folder, right-clicking the file and selecting Properties. On the Security tab click Advanced, and then Continue on the warning. When the dialog box opens, the only thing you have to do is check the “Include inheritable permissions from this object’s parent” checkbox. Close all the windows with OK and, from an administrative command prompt, type IISReset /noforce.
That’s all.

Solving the Error 10016 on SBS 2008 and SBS 2011

A very common problem on the SBS server is Error 10016. This error occurs as a result of incorrect rights on the IIS WAMREG admin service. This issue is not difficult to solve, but you must correct both the registry key and the DCOM object:

  • Run regedit.exe and locate the HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1} key
  • Right-click the key and select Permissions and then Advanced
  • The first thing to do is to give ownership to the Administrators group on the Owner tab
  • After this, switch to the Permissions tab and give the Administrators group Full Control rights. DO NOT CHANGE OTHER PERMISSIONS!
  • Now open Component Services (dcomcnfg.exe) and navigate to Console Root > Component Services > My Computer > DCOM Config. In this location you will find the IIS WAMREG admin component. Right-click it and select Properties.
  • On the Security tab, under Launch and Activation Permissions, select Edit
  • Here you must enable the Local Activation right for the SharePoint Farm Account
  • Close all windows with OK.


How to configure SSTP VPN on SBS 2011

In small companies we often need connectivity to the internal network from anywhere. The easiest way to establish that connectivity is a VPN over the SSTP protocol. In this case, we only need port 443 to be open (which it already is in SBS) and a publicly trusted certificate. This differs from PPTP VPN, because that type of VPN connection requires port 1723, which is not always open (I mean airports, hotels, …).
Now we know why we might choose the SSTP connection. Let’s see what the special requirements for SSTP are:

  • it is supported only by Windows Vista SP1 or a newer OS,
  • a public trusted certificate for HTTPS traffic must be installed on SBS (there is also a workaround with a self-signed certificate, but I don’t recommend it).

Configuring this type of VPN is not natively supported in the SBS console. We must do it with a few more steps, but it is not so difficult and I think everyone can do it:

  • First, we have to enable VPN connections in the SBS console. Of course this will configure the PPTP VPN, as this is the only scenario supported in the SBS console. For the same reason we will receive a warning that we must open port 1723 on the router, but this is not necessary if we want to use only the SSTP VPN. You can ignore the router configuration.
  • We continue the configuration in Routing and Remote Access, where we must enable the desired number of ports. We do this by right-clicking Ports and selecting Properties. At this point we will see a window where we have to select WAN Miniport (SSTP) and click Configure. Here we must enable Remote access connections and set the desired number of SSTP connections. In most cases you have to do this step twice. For a reason unknown to me, after you click OK, the check mark on Remote access connections disappears. The final view must be like this one (depends on the number of connections).
  • From now on we will work in the command prompt (don’t forget to run it as Administrator) and install the certificates correctly, which we need in order to establish the sessions. First, we want to know how the certificates are installed now. We can check this with the command netsh http show ssl. As you can see, on port 443 a certificate is installed only for the IPv4 protocol. The certificate hash must be the same as on our public trusted certificate (you can check this in the mmc). The second thing we see is that the wrong Application ID is used for establishing the SSTP VPN. The current Application ID is from the TS Gateway; for SSTP it must be BA195980-CD49-458b-9E23-C84EE0ADCD75.
  • We have to change the Application ID. First we must delete the current certificate from port 443 with the command netsh http delete sslcert ipport=0.0.0.0:443. If we find a certificate installed on IPv6 as well, then we must also uninstall that one: netsh http delete sslcert ipport=[::]:443.
  • Now we must install the certificate on IPv4 and IPv6 with the right Application ID, using the commands netsh http add sslcert ipport=0.0.0.0:443 certhash=certificate_hash appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY for IPv4 and netsh http add sslcert ipport=[::]:443 certhash=certificate_hash appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY for IPv6. Of course the certificate_hash is the hash of our public trusted certificate – the same one we uninstalled previously and used for RWW and OWA.
  • In the end we have to restart some services. Several services are involved, and they depend on each other. The simplest way to restart all of them is to use the command net stop sstpsvc to stop them and net start remoteaccess to start them.
  • The only thing left to do is to test whether everything is OK. This can be done by connecting to the application web site. We open Internet Explorer and connect to the address https://remote.sbsdomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/, where remote.sbsdomain.com is the public internet address used to connect to your SBS server. The page must be blank, without any content!

This is all. If you have any problem, of course, you can repeat this process, but be careful to check these two registry keys:
HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha256CertificateHash
HKLM\System\CurrentControlSet\Services\Sstpsvc\Parameters\Sha1CertificateHash
These two keys should not be there, but if they are there, you can simply delete them.
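A check of the end state described above, as an added example that is not part of the original post: it reads the port 443 bindings and the two registry values and reports what does not match, without changing anything. It assumes an elevated PowerShell prompt and English netsh output; certificate_hash is the same placeholder the post uses for your certificate's thumbprint.

```powershell
# Added example, not from the original post. Read-only; run elevated on the SBS server.
$sstpAppId = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'    # SSTP Application ID from the post
$expected  = 'certificate_hash' -replace '\s', ''        # placeholder; spaces copied from mmc are dropped

# Parse "netsh http show sslcert" into one entry per IP:port binding.
# Assumption: English labels "IP:port", "Certificate Hash" and "Application ID".
$bindings = @{}
$current  = $null
foreach ($line in (& netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = $matches[1]
        $bindings[$current] = @{}
    } elseif ($current -and $line -match '^\s*(Certificate Hash|Application ID)\s*:\s*(\S+)') {
        $bindings[$current][$matches[1]] = $matches[2]
    }
}

# Both the IPv4 and the IPv6 binding must carry the public certificate and the SSTP Application ID.
foreach ($ipport in '0.0.0.0:443', '[::]:443') {
    $b = $bindings[$ipport]
    if (-not $b) {
        Write-Warning "$ipport : no certificate bound"
        continue
    }
    # -eq on strings is case-insensitive, so hash and GUID case does not matter.
    $appOk  = $b['Application ID'] -eq $sstpAppId
    $hashOk = $b['Certificate Hash'] -eq $expected
    Write-Output ("{0} : Application ID ok = {1}, certificate hash ok = {2}" -f $ipport, $appOk, $hashOk)
}

# The two registry values the post says should not be present.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
foreach ($name in 'Sha256CertificateHash', 'Sha1CertificateHash') {
    $value = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($value) {
        Write-Warning "$name is present under $key"
    } else {
        Write-Output "$name is not present"
    }
}
```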