Archive for the ‘FAQs’ Category

Does WFBS 8.0 support Exchange 2010 SP3?

Friday, May 17th, 2013

I’ve seen this question asked a bit in the various mail lists and forums.  The short answer is yes, it does.  Trend have documented the supported Exchange versions for WFBS 8.0 here.  This document was recently updated after they completed their testing using the final RTM version of Exchange 2010 Service Pack 3.

Posted in FAQs | No Comments »

User limits on Windows Server 2012 Essentials

Tuesday, March 5th, 2013

There are more than a few questions about user limits, device limits and so on around Windows Server 2012 Essentials.  Microsoft have a few blog posts on this, but they are not really all that clear – so here’s my shot at answering those questions.

How many users can I run on my Windows Server 2012 Essentials server?

Windows Server 2012 Essentials comes with support out of the box for up to 25 users.  You do not need to purchase additional CALs at that point – in fact there are no CALs that you can purchase for Windows Server 2012 Essentials at all.  What you have when you purchase Windows Server 2012 Essentials is the right to create up to 25 users and allow them to access the server and its resources – note that I did not say that you have 25 CALs for users.

What if I want to have 26 or more users?

If you want more than 26 users, you can do that using the Transmog or in-place upgrade available from Microsoft.  They describe it here.  What you do here is basically get a Windows Server 2012 Standard Edition product key and enter that into your server – and after a couple of reboots, you have a Windows Server 2012 Standard Edition server with the Essentials bits still present and working.  There are two things you need to understand.  Firstly – when you do this, you need to purchase Windows Server 2012 CALs for all users or devices that access this server – there is no limit to the number you can purchase – if you want you can put 500 users on your server now because it is basically a Windows Server 2012 Standard server now.  The second thing you need to understand, however, is that the Windows Server 2012 Essentials features that were left on your server are only tested and supported for up to 75 users.  So while you CAN have 500 users, Microsoft will tell you they only support up to 75 users as that is all they have tested and will guarantee.  The article I linked to above will give you more information on that.

Boon Tee – fellow SBS MVP – has a blog post here where he also summarises what Microsoft are trying to get across… it should not be so hard, should it?


What is the default password for Windows Server 2012 Essentials?

Thursday, February 28th, 2013

I was installing Windows Server 2012 Essentials today for a client, and had laid down the base operating system and then walked away from the computer for a while.  When I came back, I found the screen was locked and I didn’t know the password.  Some investigation found that the default Administrator password used during the setup of Windows Server 2012 Essentials is Admin@123 – Microsoft documented it here, which is where I found it.

Note – this is not a major security issue, as this password is only used for the base Windows installation.  Once you either finish the new server installation or server migration, the local administrator password is set to whatever you’ve told it to be set to for the Domain Administrator.


How can I install Windows Server 2012 Essentials without a product key?

Tuesday, December 11th, 2012

In short – you can’t.  You can however install it using the trial/evaluation key available from Microsoft here, and then later, once you get the real product key, you can put that in via the Properties of the Computer and activate it as fully licensed software.


How many Network Cards are supported in Windows Server 2012 Essentials?

Monday, December 10th, 2012

This question is often asked by people as they try to set up things such as Network Teaming etc.  It’s always been the case that Microsoft have NEVER supported more than one network card since the SBS 2008 era.  Prior to that they supported two network cards, but only for Internet access, and they’ve never supported network teaming at all.  So – in Windows Server 2012 Essentials, Microsoft once again only support a single network card in the server.  Here’s the official Microsoft word on Network Teaming as it relates to Windows Server 2012 Essentials.


What Exchange versions are supported with Windows Server 2012 Essentials?

Tuesday, November 6th, 2012

Microsoft designed Windows Server 2012 Essentials to work with on-premise Exchange server installations.  Below is the list of Exchange versions they support with the WS2012E console integration and the ARRconfig tools.

Exchange 2010 SP1

Exchange 2010 SP2

Exchange 2013

Personally, I’ve not tried Exchange 2013 as yet, so can’t vouch for it, but I will try it shortly and advise.


What inbound ports do I need to open on my firewall for Windows Server 2012 Essentials?

Wednesday, October 10th, 2012

Windows Server 2012 Essentials is different from previous versions of SBS as it’s designed to work with 3 different types of mail systems.  As a result the ports you need to have open on your firewall are also different.

If you have a UPnP router then the configuration wizards in Windows Server 2012 Essentials will do the work for you.  If, like me, you elect to disable UPnP then you will need to configure the firewall port forwarding manually.

Here’s the list of ports you need to open on your firewall for Windows Server 2012 Essentials.  Note that not ALL of them need to be open in order for things to work.

Port 25 – is NOT required to be open if you are using a cloud-based mail system such as Office 365; in that case this port can and should be closed.  ONLY if you have an on-premise Exchange or other mail server should you open this port to your network.  If you have an on-premise Exchange or other mail server, then you will port forward this port to that server and not the Windows Server 2012 Essentials server.  If you have no external email filtering or antispam software then you will need to leave this open for all external IPs.  If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can talk to.

Port 80 - does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Anywhere Access feature of Windows Server 2012 Essentials (formerly known as Remote Web Access). Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.

Port 443 – this is a mandatory one. This needs to be open and forwarded to your Windows Server 2012 Essentials server to allow access to the Anywhere Access  website. All traffic over this connection is encrypted so it’s safe and secure. If this is not open then none of these functions will work outside your office.  This port is also used by default for the SSTP VPN protocol which is the default protocol in Windows Server 2012 Essentials.

Port 1723 – is an optional port on Windows Server 2012 Essentials.  The default protocol for VPN is now SSTP, which runs over port 443.  You will only need to open port 1723 if you have client PCs that cannot use SSTP to access your server.  If you have a more advanced router, make sure to also allow the GRE protocol (IP protocol type 47) alongside this port.
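
One way to confirm the forwarding rules above from outside the office, as an added example that is not part of the original post: it works out which ports should answer according to the guidance above and probes each with a plain TCP connect. The host name is the post's placeholder remote.mycompany.com; the function and parameter names are hypothetical, and GRE (IP protocol 47) cannot be checked with a TCP connect.

```powershell
# Added example (not from the original post). Run from a machine OUTSIDE the office network.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer within the timeout is treated as closed/filtered.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-EssentialsEdgePorts {
    param(
        [string]$HostName = 'remote.mycompany.com',  # placeholder name from the post
        [switch]$OnPremMail,        # on-premise Exchange or other mail server
        [switch]$MailFilterService, # port 25 locked down to a filtering service's IPs
        [switch]$KeepHttpRedirect,  # port 80 left open for the redirect to /remote
        [switch]$PptpClients        # clients that cannot use SSTP
    )
    # Expected state as seen from an arbitrary external IP, per the list above.
    $rules = @(
        @{ Port = 25;   ShouldBeOpen = ($OnPremMail -and -not $MailFilterService) },
        @{ Port = 80;   ShouldBeOpen = [bool]$KeepHttpRedirect },
        @{ Port = 443;  ShouldBeOpen = $true },
        @{ Port = 1723; ShouldBeOpen = [bool]$PptpClients }
    )
    foreach ($rule in $rules) {
        $open = Test-TcpPort -HostName $HostName -Port $rule.Port
        [pscustomobject]@{
            Port     = $rule.Port
            Expected = if ($rule.ShouldBeOpen) { 'open' } else { 'closed' }
            Actual   = if ($open) { 'open' } else { 'closed' }
            Matches  = ($open -eq $rule.ShouldBeOpen)
        }
    }
}

# Office 365 mail, port 80 closed, SSTP only: only 443 should answer.
Test-EssentialsEdgePorts | Format-Table -AutoSize
```

Any row where Matches is False is either an unneeded forward to remove or a required one that is missing.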


Powershell gives “File cannot be loaded because the execution of scripts is disabled on this system”

Wednesday, October 3rd, 2012

You will get this error on a server as standard if you are trying to run scripts that you’ve created yourself.  To get around the issue, you need to change the execution policy on the server to allow you to run unsigned scripts.  Use the command below to do this.

Set-ExecutionPolicy Unrestricted
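
The command above changes the policy for the whole machine. As an added example that is not part of the original post, the same unsigned local script can be run with a narrower change; the script path is a placeholder.

```powershell
# Added example (not from the original post). The script path is a placeholder.
$script = 'C:\Scripts\My-Task.ps1'

# 1. See what is set at each scope before changing anything. A policy set by
#    Group Policy (MachinePolicy/UserPolicy) overrides whatever is set below.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Run one script without touching the machine-wide policy: the policy given
#    on the command line applies only to this child process.
powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $script

# 3. Or relax the policy for the current session only; it reverts when the
#    PowerShell window is closed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 4. If a persistent change is needed, RemoteSigned still runs scripts created
#    on this server but requires a signature on scripts downloaded from the Internet.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 5. A downloaded script that you have reviewed stays blocked under RemoteSigned
#    until its zone mark is removed.
Unblock-File -Path $script

# 6. To undo a machine-wide Unrestricted setting later, go back to Restricted,
#    the policy that produces the error quoted in the title.
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
```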


How to troubleshoot slow Internet surfing.

Monday, August 20th, 2012

There’s a lot of things that go on under the covers of a domain joined computer that you just don’t realise most of the time.  One of the recent things I was involved in today was the investigation of a client network that had slow internet.  Here’s how the problem was investigated.

  1. From the user’s desktop – see exactly how the problem manifests itself.  For example, if it’s surfing to certain sites, note down exactly what sites the problem occurs with and what pages.  You need to do this so you’ve got a very clear understanding of the issue before you start to investigate.  Always do your tests from a clean reboot with no other programs open – that way you get more consistent results.
  2. Now run an Internet speed test – I use www.speedtest.net for the most part as it gives some reasonably consistent results all round.  Note the results.
  3. Once you’ve got your baseline for the problem – look at the basics.  DNS is one of the most common things – so check to see if DNS name resolution is fast or slow.  That’s easier said than done, so we’ll cheat for a moment.  Change the TCP/IP DNS settings on this machine to point to an external DNS server – say Google’s DNS server 8.8.8.8 – but don’t reboot the machine.  Do your tests – the ones you did in Step 1 – is there an improvement?  If so, all you’ve proved at this point is that the DNS server that this machine was pointing to is not responding fast enough or not responding at all.  If there is an improvement DO NOT leave the DNS pointing to the external DNS server.  That’s going to then break your computer’s membership of the Active Directory domain over time.
  4. Given you found that changing the client computer’s DNS to point to the ISP or Google fixed it, you need to focus on the DNS server that the client was pointing to originally – most likely it’s your domain controller in a small business or small business server environment.  Check to see that the DNS server service is running correctly.  Review the configuration of the DNS server itself.  The DNS server itself will have one of three ways to resolve DNS records for any client requesting DNS resolution.
     1. Method one of DNS is via direct lookup in the DNS zones stored on the DNS server itself.  This is typically limited to the internal AD zones that have been built as part of AD, but it might also extend to any other zones that have been created in the DNS server itself.
     2. Method two of DNS resolution is where the DNS server will forward all requests it can’t answer itself to a 2nd DNS server.  This is known as DNS forwarding and you can see this on the DNS forwarders tab of the DNS server’s properties in the DNS MMC.  If there is a server listed there, then you need to consider if that server is working correctly.  The easiest way to do this is to remove it and substitute a known good server as we did before – why not use the ISP’s DNS or the Google DNS server 8.8.8.8.  If that works then you’ve nailed the problem to being linked to that server.
     3. Method three of DNS resolution is where any of the above fail, there is the option (depending on the DNS server’s configuration) for the DNS server to use Root Hints.  Root Hints is a list of DNS servers that are the root of the Internet’s DNS fabric.  This list is stored on the DNS server and you can see it on the Root Hints tab.  Make sure that it’s populated of course, as I have seen it be empty before, which means nothing works at all.
  5. Ok – assuming you have checked all the above and you still have an issue, one more thing to check is the MTU size of the router.  Sometimes this needs to be changed, although once set it will be good for a given ISP for life (assuming they don’t change things).

Ok – hope that’s been helpful to you – let me know if there are more things like this that can help you investigate and troubleshoot better.
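
The DNS comparison in steps 3 and 4 can also be made without changing the client's DNS settings, by timing lookups against each server directly. This is an added example, not part of the original post; the internal server address 192.168.1.10 and the function names are constructed placeholders, and the cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). 192.168.1.10 stands in for the
# internal DNS server / domain controller; replace it with your own.
function Measure-DnsLookup {
    param(
        [string[]]$Name   = @('www.microsoft.com', 'www.speedtest.net'),
        [string[]]$Server = @('192.168.1.10', '8.8.8.8'),
        [int]$Repeat = 3
    )
    foreach ($s in $Server) {
        foreach ($n in $Name) {
            $times  = @()
            $failed = 0
            for ($i = 0; $i -lt $Repeat; $i++) {
                $sw = [System.Diagnostics.Stopwatch]::StartNew()
                try {
                    # -Server sends the query straight to that server, so the
                    # client's own DNS settings stay untouched.
                    Resolve-DnsName -Name $n -Server $s -Type A -DnsOnly -ErrorAction Stop | Out-Null
                    $times += $sw.Elapsed.TotalMilliseconds
                } catch {
                    $failed++          # timeout or server failure
                }
            }
            $stats = $times | Measure-Object -Minimum -Maximum
            [pscustomobject]@{
                Server    = $s
                Name      = $n
                # Slowest is usually the first, uncached lookup (forwarder or
                # root hints path); fastest is the server answering from cache.
                SlowestMs = if ($times.Count -gt 0) { [math]::Round($stats.Maximum) } else { $null }
                FastestMs = if ($times.Count -gt 0) { [math]::Round($stats.Minimum) } else { $null }
                Failed    = $failed
            }
        }
    }
}

# Run on the DNS server itself (DnsServer module) to review methods two and three.
function Get-DnsResolutionConfig {
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
    $hints = @(Get-DnsServerRootHint)
    "Root hints configured: $($hints.Count)"   # 0 means the Root Hints tab is empty
}

Measure-DnsLookup | Format-Table -AutoSize
```

A large SlowestMs or a non-zero Failed count against the internal server only, with 8.8.8.8 answering quickly, points at its forwarders or root hints.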


What passwords do I change when I fire my IT Guy?

Monday, August 6th, 2012

Recently we took over a new site, and as part of that we went about changing passwords for a number of key services and a few more additional items.  This then became a discussion amongst my fellow MVPs about what you change when you take over a site, so I took it upon myself to put together a list of passwords and things to review when you take over a site.

Network Related Items

Firstly, secure the most recent backups of the servers.  That way if anything goes amiss, you have something to compare it to.  Then create a new Admin account with a password only you know as a temporary backdoor – delete it once you have completed all the following.

Other Non Network Related Issues

External Facilities

What else would you add to this list?  The goal is to ensure that you get full control of the network as quickly as possible.
