How to firewall Active Directory (sbcore shuts me down)

Discussion in 'Windows Small Business Server' started by noad, Mar 17, 2011.

  1. noad

    noad Guest

    Hi all
    We have a Windows SBS 2003 which keeps shutting down every few days
    because it says we don't comply with the EULA, apparently there is more
    than one domain controller in the network:

    Event Type: Error
    Event Source: SBCore
    Event Category: None
    Event ID: 1011
    User: N/A
    Computer: ComputerName
    Multiple domain controllers running Windows Server 2003 for Small
    Business Server have been detected in your domain. To prevent this
    computer from shutting down in the future, you must remove all but one
    of these from the domain.

    The problem is that
    - The network is "the Internet" (public IP). The name of the domain
    probably matches by chance with that of somebody else in the world.
    - I don't know anything about active directory or windows domains or
    windows itself, I am a linuxer, so please explain in simple terms :)
    - We cannot remove the domain or our Oracle won't start anymore.

    But we don't really use that domain. It happened to be automatically
    configured at the time we installed oracle, and now we can't remove it.

    So I would like to firewall every access to active directory stuff,
    inbound and outbound, so that nobody can use our active directory, but
    also sbcore wouldn't detect any other computer of the same domain or in
    the same network and won't shut down our server.

    Can you help me?
    What ports do I have to firewall for this? Is it feasible at all?

    Thanks in advance
    noad, Mar 17, 2011

  2. Joe

    Joe Guest

    No, it doesn't do that. There are SBS consultants who like to use a
    single generic name for most or all of the customer domains they

    So, *do* you have another domain controller within the same broadcast
    domain (no relation)? Do you perhaps have a fairly busy Samba server? A
    Samba server will normally advertise itself as a potential master
    browser, and may under some conditions appear to be a domain controller.
    Indeed it can actually *be* a domain controller, though this will not
    happen accidentally, it does need quite a bit of configuration. It
    should never appear to be an SBS, but that message may be misleading, as
    SBS will not tolerate *any* domain controller that is not one of its own
    member servers, replicating its own AD information.

    SBS will shut down its DHCP server if it sees another on the broadcast
    domain, but that is quite a different issue, not what you are seeing.
    Joe, Mar 17, 2011

  3. Steve Foster

    Steve Foster Guest

    SBS is *not* limited to a single DC in AD. It *is* limited to a single
    _SBS_ in AD.

    Really? Your network is the whole internet?
    Shouldn't matter.
    We need a better explanation of your environment.

    If this is an SBS box, you don't have a choice. SBS insists on running
    AD (and being a DC), so if you'd set it up and managed not to setup AD,
    you'd still be getting SBCore errors.

    What exactly is this server doing? And where does it live? Does it have
    clients properly connected to it (as SBS normally would have)? How do
    you connect to it (and for what - you've mentioned Oracle)?


    * it's in the cloud, and
    * there are no clients, and
    * it's really just an application server (of some description)

    Then you can probably firewall it off from the net almost completely,
    and just leave open whatever access is needed for "the application(s)".

    If it's SBS Premium, you have ISA available as an option (possibly
    ISA2000, maybe ISA2004 if you requested the upgrade discs at the time
    they were available) to do this; if it's Standard, then you could use
    the Windows Firewall.
    Steve Foster, Mar 17, 2011
  4. Steve Foster

    Steve Foster Guest

    Not that this is relevant. I could stand up as many SBS boxes as I
    like, build them all as GENERIC.LOCAL and put 'em all on the same
    subnet with nary a hitch (other than the DHCP issue you mention later).

    What a load of tripe. You *can* have Samba DCs in an SBS network, and
    you can have multiple distinct ADs (this doesn't mean they can't have
    identical DNS names!) on the same subnet.

    OTOH, it is possible to set up multiple, separate, SBS AD networks that
    share "the network" and mess things up sufficiently to cause the posted
    error (every time someone designs a foolproof system, the universe
    responds with "better" idiots).
    Steve Foster, Mar 17, 2011
  5. Joe

    Joe Guest

    OK, I stand corrected, I've never tried actually configuring a Samba
    DC. But it seemed that Samba was the most likely cause of the problem,
    as I'm sure the OP would know if he did have a second SBS nearby.
    Joe, Mar 17, 2011
  6. noad

    noad Guest

    Oh thanks, I hadn't realized this.

    It has a public IP so, yes

    But you are right, maybe the netmask is meaningful and it's . Do you think it has found other SBS servers in the /24
    network or in the whole internet?
    It's just a server running a single application, Oracle.
    People do not even log in, they usually connect to Oracle remotely. If
    they login (rarely) with Remote Desktop it is via local users of the
    machine. There are no other machines connected to the domain.

    But the IP is public (with a /24 netmask)

    Oracle won't run without the domain. We tried to remove that and Oracle
    stopped working, so we had to restore the machine from backup (maybe a
    System Restore would also have worked, we didn't try).

    So what is the mechanism, in your opinion, with which SBS finds other
    SBS servers in our "domain"?

    I see. Thanks for telling, this is important for deciding what to do.

    You are right, we could firewall everything except Oracle and Remote

    However if possible I would firewall the reverse of this: firewall out
    only active directory. If you know what ports it uses...
    It's standard but we have an external firewall. Actually it is a virtual
    machine so we also have a firewall in the virtualization host.

    Thank you
    noad, Mar 17, 2011
  7. Charlie Russel-MVP

    Charlie Russel-MVP Guest

    doesn't require a second SBS, just ANY domain controller that somehow has
    ANY of the FSMO roles transferred to it.

    You can have multiple domain controllers. But the SBS server must always
    hold all of the FSMO roles. Full stop. No ifs, ands, or buts.
    Charlie Russel-MVP, Mar 17, 2011
  8. Steve Foster

    Steve Foster Guest

    Yes, but don't you get a different SBCore error for missing FSMOs
    (something about being out of licensing compliance, IIRC)?
    Steve Foster, Mar 19, 2011
  9. Steve Foster

    Steve Foster Guest

    Broadcasts are normally "in subnet" only, so if it's found another
    "SBS" by broadcast, it'd almost certainly be "local".

    But it's just as likely to be a false positive (ie something off in the
    configuration confusing it).
    That would be the best option.

    Lots of options then:

    * reassign a local IP to it, use the host firewall and publish the
    appropriate ports for Oracle & RD.

    * add another virtual nic to the SBS, make that internal (and connected
    to a new virtual switch) and then the SBS wizards can lock it down
    right (the preferred config for SBS 2003 was 2 nic) - AD will only talk
    to the internal nic then.

    * use the external firewall to restrict ports to just Oracle & RD.
    Steve Foster, Mar 19, 2011
  10. Heidi.linda

    Heidi.linda Guest

    You have a windows server with no router/firewall between it and the
    outside world? o_O
    Heidi.linda, Mar 21, 2011
  11. Heidi.linda

    Heidi.linda Guest

    Surely the most obvious solution, if you're a "linuxer" is to stick a
    little linux box between this server and the outside world, forwarding
    only the relevant traffic with iptables? I really wouldn't be
    comfortable putting anything directly on the internet, especially if I
    didn't know exactly what ports it was listening on and what
    restrictions were in place for the connections it accepted on those
    Heidi.linda, Mar 21, 2011
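    The following is an added example, not part of the thread and not written
    by any of the posters. It turns Steve Foster's third option (an external
    firewall that only passes Oracle and Remote Desktop) and Heidi.linda's
    suggestion (a small Linux box in front of the SBS forwarding only the
    relevant traffic with iptables) into a reviewable rule set. It also answers
    the original question of which ports Active Directory uses: rather than
    enumerating them for a blocklist it default-denies everything and logs the
    AD ports explicitly, so the log shows whether the SBS is trying to reach,
    or being probed by, another domain controller on the /24. Everything
    below is an assumption: the SBS has been given the private address
    192.168.10.2 behind the Linux box (as in Steve's first option), the public
    interface is eth0, the internal one is eth1, the Oracle listener is on its
    default port 1521 and Remote Desktop on 3389.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables rule set for a Linux
# router sitting between the internet and the SBS, so that only the Oracle
# listener and Remote Desktop are reachable from outside and every Active
# Directory port is logged and dropped in both directions.
# All addresses, interface names and the Oracle port are assumptions.

SBS_IP="${SBS_IP:-192.168.10.2}"          # assumed private address of the SBS behind the Linux box
WAN_IF="${WAN_IF:-eth0}"                  # assumed interface that holds the public IP
LAN_IF="${LAN_IF:-eth1}"                  # assumed interface facing the SBS
ALLOWED_TCP="${ALLOWED_TCP:-1521 3389}"   # Oracle listener (default 1521, assumed) and Remote Desktop (3389)

# Ports Active Directory on Windows Server 2003 relies on: DNS, Kerberos,
# RPC endpoint mapper, NetBIOS, LDAP/LDAPS, SMB, kpasswd, global catalog,
# NTP, and the Server 2003 dynamic RPC range 1025-5000.
AD_TCP="53 88 135 139 389 445 464 636 3268 3269 1025:5000"
AD_UDP="53 88 123 137 138 389 464"

# build_rules SBS_IP WAN_IF LAN_IF "port port ..."
# Prints the iptables commands instead of executing them, so the result can be
# reviewed before it is applied with:  build_rules ... | sh
build_rules() {
  sbs="$1"; wan="$2"; lan="$3"; allowed="$4"
  tcp_list=$(echo $AD_TCP | tr ' ' ',')
  udp_list=$(echo $AD_UDP | tr ' ' ',')

  echo "sysctl -w net.ipv4.ip_forward=1"

  # Default-deny forwarding in both directions; only replies to sessions that
  # were permitted below get through.
  echo "iptables -P FORWARD DROP"
  echo "iptables -F FORWARD"
  echo "iptables -t nat -F PREROUTING"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

  # Log AD traffic before it hits the drop policy (rate-limited so a chatty DC
  # cannot flood the log), then drop it. This covers the SBS talking out as
  # well as anyone on the /24 talking in.
  echo "iptables -A FORWARD -p tcp -m multiport --dports $tcp_list -m limit --limit 5/min -j LOG --log-prefix \"AD-TCP-DROP: \""
  echo "iptables -A FORWARD -p tcp -m multiport --dports $tcp_list -j DROP"
  echo "iptables -A FORWARD -p udp -m multiport --dports $udp_list -m limit --limit 5/min -j LOG --log-prefix \"AD-UDP-DROP: \""
  echo "iptables -A FORWARD -p udp -m multiport --dports $udp_list -j DROP"

  # Publish only the application ports: DNAT from the public interface to the
  # SBS, and accept the resulting new inbound connections on the forward path.
  for p in $allowed; do
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $p -j DNAT --to-destination $sbs:$p"
    echo "iptables -A FORWARD -i $wan -o $lan -d $sbs -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Anything else, including connections the SBS itself originates, is dropped
  # by the FORWARD policy.
}

if [ "${APPLY:-0}" = "1" ]; then
  build_rules "$SBS_IP" "$WAN_IF" "$LAN_IF" "$ALLOWED_TCP" | sh
else
  build_rules "$SBS_IP" "$WAN_IF" "$LAN_IF" "$ALLOWED_TCP"
fi
```

    Run it once without `APPLY=1` to read the generated rules, then with
    `APPLY=1` as root on the Linux box. Note that this only filters what
    passes through the router; if the SBS is ever given a second interface or
    a route around the box, the rules do nothing for that path, which is why
    Steve's two-NIC layout with AD bound to the internal side is the cleaner
    long-term shape.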
