Windows Vista Tips > Newsgroups > Windows Server > Windows Small Business Server > How to firewall Active Directory (sbcore shuts me down)

How to firewall Active Directory (sbcore shuts me down)

 
 
noad
      03-16-2011
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is more
than one domain controller in the network:

------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but one
of these from the domain.
------

The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
- I don't know anything about active directory or windows domains or
windows itself, I am a linuxer, so please explain in simple terms :-)
- We cannot remove the domain or our Oracle won't start anymore.

But we don't really use that domain. It happened to be automatically
configured at the time we installed oracle, and now we can't remove it.

So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or in
the same network and won't shut down our server.

Can you help me?
What ports do I have to firewall for this? Is it feasible at all?

Thanks in advance
 
Joe
      03-17-2011
On Thu, 17 Mar 2011 01:20:30 +0100
noad <> wrote:

> Hi all
> We have a windows SBS 2003 which keeps shutting down every few days
> because it says we don't comply with the EULA, apparently there is
> more than one domain controller in the network:
>
> ------
> Event Type: Error
> Event Source: SBCore
> Event Category: None
> Event ID: 1011
> User: N/A
> Computer: ComputerName
> Multiple domain controllers running Windows Server 2003 for Small
> Business Server have been detected in your domain. To prevent this
> computer from shutting down in the future, you must remove all but one
> of these from the domain.
> ------
>
> The problem is that
> - The network is "the Internet" (public IP). The name of the domain
> probably matches by chance with that of somebody else in the world.


No, it doesn't do that. There are SBS consultants who like to use a
single generic name for most or all of the customer domains they
install.

So, *do* you have another domain controller within the same broadcast
domain (no relation)? Do you perhaps have a fairly busy Samba server? A
Samba server will normally advertise itself as a potential master
browser, and may under some conditions appear to be a domain controller.
Indeed it can actually *be* a domain controller, though this will not
happen accidentally, it does need quite a bit of configuration. It
should never appear to be an SBS, but that message may be misleading, as
SBS will not tolerate *any* domain controller that is not one of its own
member servers, replicating its own AD information.

SBS will shut down its DHCP server if it sees another on the broadcast
domain, but that is quite a different issue, not what you are seeing.

--
Joe
 
Steve Foster
      03-17-2011
noad wrote:

> Hi all
> We have a windows SBS 2003 which keeps shutting down every few days
> because it says we don't comply with the EULA, apparently there is
> more than one domain controller in the network:


SBS is *not* limited to a single DC in AD. It *is* limited to a single
_SBS_ in AD.



> The problem is that
> - The network is "the Internet" (public IP).


Really? Your network is the whole internet?

> The name of the domain
> probably matches by chance with that of somebody else in the world.


Shouldn't matter.

> - I don't know anything about active directory or windows domains or
> windows itself, I am a linuxer, so please explain in simple terms :-)


We need a better explanation of your environment.


> - We cannot remove the domain or our Oracle won't start anymore.
>
> But we don't really use that domain. It happened to be automatically
> configured at the time we installed oracle, and now we can't remove
> it.


If this is an SBS box, you don't have a choice. SBS insists on running
AD (and being a DC), so if you'd set it up and managed not to setup AD,
you'd still be getting SBCore errors.


> So I would like to firewall every access to active directory stuff,
> inbound and outbound, so that nobody can use our active directory, but
> also sbcore wouldn't detect any other computer of the same domain or
> in the same network and won't shut down our server.
>
> Can you help me?
> What ports do I have to firewall for this? Is it feasible at all?


What exactly is this server doing? And where does it live? Does it have
clients properly connected to it (as SBS normally would have)? How do
you connect to it (and for what - you've mentioned Oracle)?

IF:

* it's in the cloud, and
* there are no clients, and
* it's really just an application server (of some description)

Then you can probably firewall it off from the net almost completely,
and just leave open whatever access is needed for "the application(s)".

If it's SBS Premium, you have ISA available as an option (possibly
ISA2000, maybe ISA2004 if you requested the upgrade discs at the time
they were available) to do this; if it's Standard, then you could use
the Windows Firewall.

--
Steve Foster
For SSL Certificates, Domains, etc., visit:
https://netshop.virtual-isp.net
 
Steve Foster
      03-17-2011
Joe wrote:

> On Thu, 17 Mar 2011 01:20:30 +0100
> noad <> wrote:
>
> > Hi all
> > We have a windows SBS 2003 which keeps shutting down every few days
> > because it says we don't comply with the EULA, apparently there is
> > more than one domain controller in the network:
> >
> > ------
> > Event Type: Error
> > Event Source: SBCore
> > Event Category: None
> > Event ID: 1011
> > User: N/A
> > Computer: ComputerName
> > Multiple domain controllers running Windows Server 2003 for Small
> > Business Server have been detected in your domain. To prevent this
> > computer from shutting down in the future, you must remove all but
> > one of these from the domain.
> > ------
> >
> > The problem is that
> > - The network is "the Internet" (public IP). The name of the domain
> > probably matches by chance with that of somebody else in the world.

>
> No, it doesn't do that. There are SBS consultants who like to use a
> single generic name for most or all of the customer domains they
> install.


Not that this is relevant. I could stand up as many SBS boxes as I
like, build them all as GENERIC.LOCAL and put 'em all on the same
subnet with nary a hitch (other than the DHCP issue you mention later).


> So, do you have another domain controller within the same broadcast
> domain (no relation)? Do you perhaps have a fairly busy Samba server?
> A Samba server will normally advertise itself as a potential master
> browser, and may under some conditions appear to be a domain
> controller. Indeed it can actually be a domain controller, though
> this will not happen accidentally, it does need quite a bit of
> configuration. It should never appear to be an SBS, but that message
> may be misleading, as SBS will not tolerate any domain controller
> that is not one of its own member servers, replicating its own AD
> information.


What a load of tripe. You *can* have Samba DCs in an SBS network, and
you can have multiple distinct ADs (this doesn't mean they can't have
identical DNS names!) on the same subnet.

OTOH, it is possible to set up multiple, separate, SBS AD networks that
share "the network" and mess things up sufficiently to cause the posted
error (every time someone designs a foolproof system, the universe
responds with "better" idiots).

--
Steve Foster
For SSL Certificates, Domains, etc., visit:
https://netshop.virtual-isp.net
 
Joe
      03-17-2011
On Thu, 17 Mar 2011 18:00:20 +0000 (UTC)
"Steve Foster" <> wrote:

>
> What a load of tripe. You *can* have Samba DCs in an SBS network, and
> you can have multiple distinct ADs (this doesn't mean they can't have
> identical DNS names!) on the same subnet.
>
> OTOH, it is possible to set up multiple, separate, SBS AD networks
> that share "the network" and mess things up sufficiently to cause the
> posted error (every time someone designs a foolproof system, the
> universe responds with "better" idiots).
>

OK, I stand corrected, I've never tried actually configuring a Samba
DC. But it seemed that Samba was the most likely cause of the problem,
as I'm sure the OP would know if he did have a second SBS nearby.

--
Joe

 
noad
      03-17-2011
On 03/17/2011 06:51 PM, Steve Foster wrote:
> noad wrote:
>
>> Hi all
>> We have a windows SBS 2003 which keeps shutting down every few days
>> because it says we don't comply with the EULA, apparently there is
>> more than one domain controller in the network:

>
> SBS is *not* limited to a single DC in AD. It *is* limited to a single
> _SBS_ in AD.



Oh thanks, I hadn't realized this.


>> The problem is that
>> - The network is "the Internet" (public IP).

>
> Really? Your network is the whole internet?


It has a public IP, so yes.

But you are right, maybe the netmask is meaningful and it's
255.255.255.0 . Do you think it has found other SBS servers in the /24
network or in the whole internet?

>> The name of the domain
>> probably matches by chance with that of somebody else in the world.

>
> Shouldn't matter.
>
>> - I don't know anything about active directory or windows domains or
>> windows itself, I am a linuxer, so please explain in simple terms :-)

>
> We need a better explanation of your environment.


It's just a server running a single application, Oracle.
People do not even log in, they usually connect to Oracle remotely. If
they login (rarely) with Remote Desktop it is via local users of the
machine. There are no other machines connected to the domain.

But the IP is public (with a /24 netmask)

Oracle won't run without the domain. We tried to remove that and Oracle
stopped working, so we had to restore the machine from backup (maybe a
System Restore would also have worked, we didn't try).


So what is the mechanism, in your opinion, with which SBS finds other
SBS servers in our "domain"?

>> - We cannot remove the domain or our Oracle won't start anymore.
>>
>> But we don't really use that domain. It happened to be automatically
>> configured at the time we installed oracle, and now we can't remove
>> it.

>
> If this is an SBS box, you don't have a choice. SBS insists on running
> AD (and being a DC), so if you'd set it up and managed not to setup AD,
> you'd still be getting SBCore errors.



I see. Thanks for telling me; this is important for deciding what to do.


>> So I would like to firewall every access to active directory stuff,
>> inbound and outbound, so that nobody can use our active directory, but
>> also sbcore wouldn't detect any other computer of the same domain or
>> in the same network and won't shut down our server.
>>
>> Can you help me?
>> What ports do I have to firewall for this? Is it feasible at all?

>
> What exactly is this server doing? And where does it live? Does it have
> clients properly connected to it (as SBS normally would have)? How do
> you connect to it (and for what - you've mentioned Oracle)?
>
> IF:
>
> * it's in the cloud, and
> * there are no clients, and
> * it's really just an application server (of some description)


Exactly

> Then you can probably firewall it off from the net almost completely,
> and just leave open whatever access is needed for "the application(s)".


You are right, we could firewall everything except Oracle and Remote
Desktop.

However if possible I would firewall the reverse of this: firewall out
only active directory. If you know what ports it uses...

> If it's SBS Premium, you have ISA available as an option (possibly
> ISA2000, maybe ISA2004 if you requested the upgrade discs at the time
> they were available) to do this; if it's Standard, then you could use
> the Windows Firewall.


It's standard but we have an external firewall. Actually it is a virtual
machine so we also have a firewall in the virtualization host.

Thank you
 
Charlie Russel-MVP
      03-17-2011
It doesn't require a second SBS, just ANY domain controller that somehow has
ANY of the FSMO roles transferred to it.

You can have multiple domain controllers. But the SBS server must always
hold all of the FSMO roles. Full stop. No ifs, ands, or buts.

--
Charlie.
http://blogs.msmvps.com/Russel


"Joe" <> wrote in message
news: ...
> On Thu, 17 Mar 2011 18:00:20 +0000 (UTC)
> "Steve Foster" <> wrote:
>
>>
>> What a load of tripe. You *can* have Samba DCs in an SBS network, and
>> you can have multiple distinct ADs (this doesn't mean they can't have
>> identical DNS names!) on the same subnet.
>>
>> OTOH, it is possible to set up multiple, separate, SBS AD networks
>> that share "the network" and mess things up sufficiently to cause the
>> posted error (every time someone designs a foolproof system, the
>> universe responds with "better" idiots).
>>

> OK, I stand corrected, I've never tried actually configuring a Samba
> DC. But it seemed that Samba was the most likely cause of the problem,
> as I'm sure the OP would know if he did have a second SBS nearby.
>
> --
> Joe
>


 
Steve Foster
      03-19-2011
Charlie Russel-MVP wrote:

> doesn't require a second SBS, just ANY domain controller that somehow
> has ANY of the FSMO roles transferred to it.
>
> You can have multiple domain controllers. But the SBS server must
> always hold all of the FSMO roles. Full stop. No ifs, ands, or buts.


Yes, but don't you get a different SBCore error for missing FSMOs
(something about being out of licensing compliance, IIRC)?

--
Steve Foster
For SSL Certificates, Domains, etc., visit:
https://netshop.virtual-isp.net
 
Steve Foster
      03-19-2011
noad wrote:

> >> The problem is that
> >> - The network is "the Internet" (public IP).

> >
> > Really? Your network is the whole internet?

>
> It has a public IP so, yes
>
> But you are right, maybe the netmask is meaningful and it's
> 255.255.255.0 . Do you think it has found other SBS servers in the /24
> network or in the whole internet?


Broadcasts are normally "in subnet" only, so if it's found another
"SBS" by broadcast, it'd almost certainly be "local".

But it's just as likely to be a false positive (ie something off in the
configuration confusing it).

> >> So I would like to firewall every access to active directory stuff,
> >> inbound and outbound, so that nobody can use our active directory, but
> >> also sbcore wouldn't detect any other computer of the same domain or
> >> in the same network and won't shut down our server.
> >>
> >> Can you help me?
> >> What ports do I have to firewall for this? Is it feasible at all?

> >
> > What exactly is this server doing? And where does it live? Does it
> > have clients properly connected to it (as SBS normally would have)?
> > How do you connect to it (and for what - you've mentioned Oracle)?
> >
> > IF:
> >
> > * it's in the cloud, and
> > * there are no clients, and
> > * it's really just an application server (of some description)

>
> Exactly
>
> > Then you can probably firewall it off from the net almost
> > completely, and just leave open whatever access is needed for "the
> > application(s)".

>
> You are right, we could firewall everything except Oracle and Remote
> Desktop.


That would be the best option.


> However if possible I would firewall the reverse of this: firewall out
> only active directory. If you know what ports it uses...
>
> > If it's SBS Premium, you have ISA available as an option (possibly
> > ISA2000, maybe ISA2004 if you requested the upgrade discs at the
> > time they were available) to do this; if it's Standard, then you
> > could use the Windows Firewall.

>
> It's standard but we have an external firewall. Actually it is a
> virtual machine so we also have a firewall in the virtualization host.


Lots of options then:

* reassign a local IP to it, use the host firewall and publish the
appropriate ports for Oracle & RD.

* add another virtual nic to the SBS, make that internal (and connected
to a new virtual switch) and then the SBS wizards can lock it down
right (the preferred config for SBS 2003 was 2 nic) - AD will only talk
to the internal nic then.

* use the external firewall to restrict ports to just Oracle & RD.

--
Steve Foster
For SSL Certificates, Domains, etc., visit:
https://netshop.virtual-isp.net
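The third option above (and noad's earlier wish to shut the Active Directory ports in both directions) worked through as an added example; this is not code from the thread or from Microsoft, and it assumes the "external firewall" is a Linux box routing to the SBS VM. The VM address (203.0.113.10), the admin range allowed to reach Remote Desktop (198.51.100.0/24) and the Oracle listener port (1521) are placeholders; the list of ports a Windows domain controller listens on is standard Windows knowledge, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny allowlist for a Linux
# firewall that routes traffic to the SBS virtual machine. Only the Oracle
# listener and Remote Desktop are reachable from outside; the ports a domain
# controller uses are dropped in both directions and inbound hits are logged.
#
# Assumed values (placeholders, override through the environment):
SBS_IP="${SBS_IP:-203.0.113.10}"            # the VM's public address (TEST-NET-3 placeholder)
ORACLE_PORT="${ORACLE_PORT:-1521}"          # Oracle listener default; assumed, check listener.ora
RDP_PORT="${RDP_PORT:-3389}"                # Remote Desktop
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # only this range may open RDP (placeholder)

# Ports a Windows domain controller listens on: DNS, Kerberos, RPC endpoint
# mapper, NetBIOS, LDAP, SMB, kpasswd, LDAPS, global catalog, plus NTP.
# Dynamic RPC ports above 1024 need no list; the final DROP covers them.
AD_TCP="53 88 135 139 389 445 464 636 3268 3269"
AD_UDP="53 88 123 137 138 389 464"

# Emit the iptables commands as text (dry run); nothing is applied here.
gen_rules() {
    cat <<EOF
iptables -N SBS_FWD 2>/dev/null || iptables -F SBS_FWD
iptables -A SBS_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A SBS_FWD -p tcp -d $SBS_IP --dport $ORACLE_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A SBS_FWD -p tcp -s $ADMIN_NET -d $SBS_IP --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Inbound: log (rate limited) anything aimed at the DC services, so the
    # firewall log shows whether something on the /24 really is probing AD.
    for p in $AD_TCP; do
        echo "iptables -A SBS_FWD -p tcp -d $SBS_IP --dport $p -m limit --limit 5/min -j LOG --log-prefix \"sbs-ad-in \""
    done
    for p in $AD_UDP; do
        echo "iptables -A SBS_FWD -p udp -d $SBS_IP --dport $p -m limit --limit 5/min -j LOG --log-prefix \"sbs-ad-in \""
    done
    # Outbound: stop the SBS from talking to other hosts' DC services. DNS
    # (53) and NTP (123) stay open so forwarding to an outside resolver and
    # time sync keep working.
    for p in $AD_TCP; do
        case "$p" in 53|123) continue ;; esac
        echo "iptables -A SBS_FWD -p tcp -s $SBS_IP --dport $p -j DROP"
    done
    for p in $AD_UDP; do
        case "$p" in 53|123) continue ;; esac
        echo "iptables -A SBS_FWD -p udp -s $SBS_IP --dport $p -j DROP"
    done
    # Everything else inbound is dropped; other outbound traffic is allowed.
    echo "iptables -A SBS_FWD -d $SBS_IP -m limit --limit 5/min -j LOG --log-prefix \"sbs-drop-in \""
    echo "iptables -A SBS_FWD -d $SBS_IP -j DROP"
    echo "iptables -A SBS_FWD -s $SBS_IP -j ACCEPT"
    # Hook the chain into FORWARD (remove any earlier hook first).
    echo "iptables -D FORWARD -j SBS_FWD 2>/dev/null; iptables -I FORWARD 1 -j SBS_FWD"
}

# Sanity check: how many rules accept NEW inbound connections? Expected 2
# (Oracle and RDP); anything more means the allowlist has grown.
inbound_accepts() {
    gen_rules | grep -c -- "--ctstate NEW -j ACCEPT"
}

case "${1:-}" in
    apply) gen_rules | sh ;;   # run as root on the firewall host to apply
    *)     gen_rules ;;        # default: print the rules for review
esac
```

Run it with no argument to review the generated rules, and with `apply` as root on the firewall host once the addresses and ports are right. The explicit per-port drops are there for the log entries and for the outbound direction; for inbound traffic the final `-d $SBS_IP -j DROP` alone already closes every AD port, which is why "firewall everything except Oracle and Remote Desktop" is the simpler policy and needs no list of AD ports at all.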
 
Heidi.linda@gmail.com
      03-21-2011
You have a windows server with no router/firewall between it and the
outside world? o.O


On Mar 17, 12:20 am, noad <n...@nowhere.net> wrote:
> Hi all
> We have a windows SBS 2003 which keeps shutting down every few days
> because it says we don't comply with the EULA, apparently there is more
> than one domain controller in the network:
>
> ------
> Event Type: Error
> Event Source: SBCore
> Event Category: None
> Event ID: 1011
> User: N/A
> Computer: ComputerName
> Multiple domain controllers running Windows Server 2003 for Small
> Business Server have been detected in your domain. To prevent this
> computer from shutting down in the future, you must remove all but one
> of these from the domain.
> ------
>
> The problem is that
> - The network is "the Internet" (public IP). The name of the domain
> probably matches by chance with that of somebody else in the world.
> - I don't know anything about active directory or windows domains or
> windows itself, I am a linuxer, so please explain in simple terms :-)
> - We cannot remove the domain or our Oracle won't start anymore.
>
> But we don't really use that domain. It happened to be automatically
> configured at the time we installed oracle, and now we can't remove it.
>
> So I would like to firewall every access to active directory stuff,
> inbound and outbound, so that nobody can use our active directory, but
> also sbcore wouldn't detect any other computer of the same domain or in
> the same network and won't shut down our server.
>
> Can you help me?
> What ports do I have to firewall for this? Is it feasible at all?
>
> Thank in advance


 