How to firewall Active Directory (sbcore shuts me down)
noad
2011-03-17 00:20:30 UTC
Hi all
We have a Windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA; apparently there is more
than one domain controller in the network:

------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but one
of these from the domain.
------

The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
- I don't know anything about Active Directory or Windows domains or
Windows itself; I am a linuxer, so please explain in simple terms :-)
- We cannot remove the domain or our Oracle won't start anymore.

But we don't really use that domain. It happened to be automatically
configured at the time we installed Oracle, and now we can't remove it.

So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or in
the same network and won't shut down our server.

Can you help me?
What ports do I have to firewall for this? Is it feasible at all?

Thanks in advance
Joe
2011-03-17 09:14:56 UTC
On Thu, 17 Mar 2011 01:20:30 +0100
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is
------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but one
of these from the domain.
------
The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
No, it doesn't do that. There are SBS consultants who like to use a
single generic name for most or all of the customer domains they
install.

So, *do* you have another domain controller within the same broadcast
domain (no relation)? Do you perhaps have a fairly busy Samba server? A
Samba server will normally advertise itself as a potential master
browser, and may under some conditions appear to be a domain controller.
Indeed it can actually *be* a domain controller, though this will not
happen accidentally, it does need quite a bit of configuration. It
should never appear to be an SBS, but that message may be misleading, as
SBS will not tolerate *any* domain controller that is not one of its own
member servers, replicating its own AD information.

SBS will shut down its DHCP server if it sees another on the broadcast
domain, but that is quite a different issue, not what you are seeing.
--
Joe
Steve Foster
2011-03-17 18:00:20 UTC
Post by Joe
On Thu, 17 Mar 2011 01:20:30 +0100
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is
------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but
one of these from the domain.
------
The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
No, it doesn't do that. There are SBS consultants who like to use a
single generic name for most or all of the customer domains they
install.
Not that this is relevant. I could stand up as many SBS boxes as I
like, build them all as GENERIC.LOCAL and put 'em all on the same
subnet with nary a hitch (other than the DHCP issue you mention later).
Post by Joe
So, do you have another domain controller within the same broadcast
domain (no relation)? Do you perhaps have a fairly busy Samba server?
A Samba server will normally advertise itself as a potential master
browser, and may under some conditions appear to be a domain
controller. Indeed it can actually be a domain controller, though
this will not happen accidentally, it does need quite a bit of
configuration. It should never appear to be an SBS, but that message
may be misleading, as SBS will not tolerate any domain controller
that is not one of its own member servers, replicating its own AD
information.
What a load of tripe. You *can* have Samba DCs in an SBS network, and
you can have multiple distinct ADs (this doesn't mean they can't have
identical DNS names!) on the same subnet.

OTOH, it is possible to set up multiple, separate, SBS AD networks that
share "the network" and mess things up sufficiently to cause the posted
error (every time someone designs a foolproof system, the universe
responds with "better" idiots).
--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net
Joe
2011-03-17 21:00:37 UTC
On Thu, 17 Mar 2011 18:00:20 +0000 (UTC)
Post by Steve Foster
What a load of tripe. You *can* have Samba DCs in an SBS network, and
you can have multiple distinct ADs (this doesn't mean they can't have
identical DNS names!) on the same subnet.
OTOH, it is possible to set up multiple, separate, SBS AD networks
that share "the network" and mess things up sufficiently to cause the
posted error (every time someone designs a foolproof system, the
universe responds with "better" idiots).
OK, I stand corrected, I've never tried actually configuring a Samba
DC. But it seemed that Samba was the most likely cause of the problem,
as I'm sure the OP would know if he did have a second SBS nearby.
--
Joe
Charlie Russel-MVP
2011-03-17 21:50:16 UTC
doesn't require a second SBS, just ANY domain controller that somehow has
ANY of the FSMO roles transferred to it.

You can have multiple domain controllers. But the SBS server must always
hold all of the FSMO roles. Full stop. No ifs, ands, or buts.
--
Charlie.
http://blogs.msmvps.com/Russel
Post by Joe
On Thu, 17 Mar 2011 18:00:20 +0000 (UTC)
Post by Steve Foster
What a load of tripe. You *can* have Samba DCs in an SBS network, and
you can have multiple distinct ADs (this doesn't mean they can't have
identical DNS names!) on the same subnet.
OTOH, it is possible to set up multiple, separate, SBS AD networks
that share "the network" and mess things up sufficiently to cause the
posted error (every time someone designs a foolproof system, the
universe responds with "better" idiots).
OK, I stand corrected, I've never tried actually configuring a Samba
DC. But it seemed that Samba was the most likely cause of the problem,
as I'm sure the OP would know if he did have a second SBS nearby.
--
Joe
Steve Foster
2011-03-19 16:48:48 UTC
Post by Charlie Russel-MVP
doesn't require a second SBS, just ANY domain controller that somehow
has ANY of the FSMO roles transferred to it.
You can have multiple domain controllers. But the SBS server must
always hold all of the FSMO roles. Full stop. No ifs, ands, or buts.
Yes, but don't you get a different SBCore error for missing FSMOs
(something about being out of licensing compliance, IIRC)?
--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net
Steve Foster
2011-03-17 17:51:41 UTC
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is
SBS is *not* limited to a single DC in AD. It *is* limited to a single
_SBS_ in AD.
Post by noad
The problem is that
- The network is "the Internet" (public IP).
Really? Your network is the whole internet?
Post by noad
The name of the domain
probably matches by chance with that of somebody else in the world.
Shouldn't matter.
Post by noad
- I don't know anything about active directory or windows domains or
windows itself, I am a linuxer, so please explain in simple terms :-)
We need a better explanation of your environment.
Post by noad
- We cannot remove the domain or our Oracle won't start anymore.
But we don't really use that domain. It happened to be automatically
configured at the time we installed oracle, and now we can't remove it.
If this is an SBS box, you don't have a choice. SBS insists on running
AD (and being a DC), so if you'd set it up and managed not to set up AD,
you'd still be getting SBCore errors.
Post by noad
So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or
in the same network and won't shut down our server.
Can you help me?
What ports do I have to firewall for this? Is it feasible at all?
What exactly is this server doing? And where does it live? Does it have
clients properly connected to it (as SBS normally would have)? How do
you connect to it (and for what - you've mentioned Oracle)?

IF:

* it's in the cloud, and
* there are no clients, and
* it's really just an application server (of some description)

Then you can probably firewall it off from the net almost completely,
and just leave open whatever access is needed for "the application(s)".

If it's SBS Premium, you have ISA available as an option (possibly
ISA2000, maybe ISA2004 if you requested the upgrade discs at the time
they were available) to do this; if it's Standard, then you could use
the Windows Firewall.
--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net
noad
2011-03-17 21:27:25 UTC
Post by Steve Foster
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is
SBS is *not* limited to a single DC in AD. It *is* limited to a single
_SBS_ in AD.
Oh thanks, I hadn't realized this.
Post by Steve Foster
Post by noad
The problem is that
- The network is "the Internet" (public IP).
Really? Your network is the whole internet?
It has a public IP, so yes.

But you are right, maybe the netmask is meaningful and it's
255.255.255.0. Do you think it has found other SBS servers in the /24
network or in the whole internet?
Post by Steve Foster
Post by noad
The name of the domain
probably matches by chance with that of somebody else in the world.
Shouldn't matter.
Post by noad
- I don't know anything about active directory or windows domains or
windows itself, I am a linuxer, so please explain in simple terms :-)
We need a better explanation of your environment.
It's just a server running a single application, Oracle.
People do not even log in, they usually connect to Oracle remotely. If
they log in (rarely) with Remote Desktop, it is via local users of the
machine. There are no other machines connected to the domain.

But the IP is public (with a /24 netmask)

Oracle won't run without the domain. We tried to remove that and Oracle
stopped working, so we had to restore the machine from backup (maybe a
System Restore would also have worked, we didn't try).


So what is the mechanism, in your opinion, with which SBS finds other
SBS servers in our "domain"?
Post by Steve Foster
Post by noad
- We cannot remove the domain or our Oracle won't start anymore.
But we don't really use that domain. It happened to be automatically
configured at the time we installed oracle, and now we can't remove it.
If this is an SBS box, you don't have a choice. SBS insists on running
AD (and being a DC), so if you'd set it up and managed not to set up AD,
you'd still be getting SBCore errors.
I see. Thanks for telling, this is important for deciding what to do.
Post by Steve Foster
Post by noad
So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or
in the same network and won't shut down our server.
Can you help me?
What ports do I have to firewall for this? Is it feasible at all?
What exactly is this server doing? And where does it live? Does it have
clients properly connected to it (as SBS normally would have)? How do
you connect to it (and for what - you've mentioned Oracle)?
* it's in the cloud, and
* there are no clients, and
* it's really just an application server (of some description)
Exactly
Post by Steve Foster
Then you can probably firewall it off from the net almost completely,
and just leave open whatever access is needed for "the application(s)".
You are right, we could firewall everything except Oracle and Remote
Desktop.

However if possible I would firewall the reverse of this: firewall out
only active directory. If you know what ports it uses...
Post by Steve Foster
If it's SBS Premium, you have ISA available as an option (possibly
ISA2000, maybe ISA2004 if you requested the upgrade discs at the time
they were available) to do this; if it's Standard, then you could use
the Windows Firewall.
It's standard but we have an external firewall. Actually it is a virtual
machine so we also have a firewall in the virtualization host.

Thank you
Steve Foster
2011-03-19 16:58:58 UTC
Post by noad
Post by Steve Foster
Post by noad
The problem is that
- The network is "the Internet" (public IP).
Really? Your network is the whole internet?
It has a public IP, so yes.
But you are right, maybe the netmask is meaningful and it's
255.255.255.0. Do you think it has found other SBS servers in the /24
network or in the whole internet?
Broadcasts are normally "in subnet" only, so if it's found another
"SBS" by broadcast, it'd almost certainly be "local".

But it's just as likely to be a false positive (ie something off in the
configuration confusing it).
Post by noad
Post by Steve Foster
Post by noad
So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory,
but also sbcore wouldn't detect any other computer of the same
domain or in the same network and won't shut down our server.
Post by Steve Foster
Post by noad
Can you help me?
What ports do I have to firewall for this? Is it feasible at all?
What exactly is this server doing? And where does it live? Does it
have clients properly connected to it (as SBS normally would have)?
How do you connect to it (and for what - you've mentioned Oracle)?
* it's in the cloud, and
* there are no clients, and
* it's really just an application server (of some description)
Exactly
Post by Steve Foster
Then you can probably firewall it off from the net almost
completely, and just leave open whatever access is needed for "the
application(s)".
You are right, we could firewall everything except Oracle and Remote
Desktop.
That would be the best option.
Post by noad
However if possible I would firewall the reverse of this: firewall out
only active directory. If you know what ports it uses...
Post by Steve Foster
If it's SBS Premium, you have ISA available as an option (possibly
ISA2000, maybe ISA2004 if you requested the upgrade discs at the
time they were available) to do this; if it's Standard, then you
could use the Windows Firewall.
It's standard but we have an external firewall. Actually it is a
virtual machine so we also have a firewall in the virtualization host.
Lots of options then:

* reassign a local IP to it, use the host firewall and publish the
appropriate ports for Oracle & RD.

* add another virtual nic to the SBS, make that internal (and connected
to a new virtual switch) and then the SBS wizards can lock it down
right (the preferred config for SBS 2003 was 2 nic) - AD will only talk
to the internal nic then.

* use the external firewall to restrict ports to just Oracle & RD.
--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net
h***@gmail.com
2011-03-21 13:09:15 UTC
You have a windows server with no router/firewall between it and the
outside world? o.O
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is more
------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but one
of these from the domain.
------
The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
- I don't know anything about active directory or windows domains or
windows itself, I am a linuxer, so please explain in simple terms :-)
- We cannot remove the domain or our Oracle won't start anymore.
But we don't really use that domain. It happened to be automatically
configured at the time we installed oracle, and now we can't remove it.
So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or in
the same network and won't shut down our server.
Can you help me?
What ports do I have to firewall for this? Is it feasible at all?
Thanks in advance
h***@gmail.com
2011-03-21 13:17:13 UTC
Post by noad
Hi all
We have a windows SBS 2003 which keeps shutting down every few days
because it says we don't comply with the EULA, apparently there is more
------
Event Type: Error
Event Source: SBCore
Event Category: None
Event ID: 1011
User: N/A
Computer: ComputerName
Multiple domain controllers running Windows Server 2003 for Small
Business Server have been detected in your domain. To prevent this
computer from shutting down in the future, you must remove all but one
of these from the domain.
------
The problem is that
- The network is "the Internet" (public IP). The name of the domain
probably matches by chance with that of somebody else in the world.
- I don't know anything about active directory or windows domains or
windows itself, I am a linuxer, so please explain in simple terms :-)
- We cannot remove the domain or our Oracle won't start anymore.
But we don't really use that domain. It happened to be automatically
configured at the time we installed oracle, and now we can't remove it.
So I would like to firewall every access to active directory stuff,
inbound and outbound, so that nobody can use our active directory, but
also sbcore wouldn't detect any other computer of the same domain or in
the same network and won't shut down our server.
Can you help me?
What ports do I have to firewall for this? Is it feasible at all?
Thanks in advance
Surely the most obvious solution, if you're a "linuxer", is to stick a
little Linux box between this server and the outside world, forwarding
only the relevant traffic with iptables? I really wouldn't be
comfortable putting anything directly on the internet, especially if I
didn't know exactly what ports it was listening on and what
restrictions were in place for the connections it accepted on those
ports.
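The filter box suggested here, combined with Steve Foster's earlier option of giving the server a local IP and publishing only the Oracle and Remote Desktop ports, as an added example that is not from the thread: a script that generates the iptables rule set for a Linux box in front of the server, forwarding only those two services and dropping everything else, which also stops domain-controller traffic in both directions. The server address, WAN interface name and the port numbers (1521/tcp for the Oracle listener, 3389/tcp for Remote Desktop) are assumptions, not values given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules for a Linux box
# placed between the SBS server and the internet. Only the Oracle listener and
# Remote Desktop are forwarded to the server; everything else, including all
# AD/NetBIOS/LDAP/RPC traffic in both directions, hits the default DROP.
#
# Assumptions (placeholders, not values from the thread):
#   SERVER_IP         private address the server was moved to (TEST-NET-1 here)
#   WAN_IF            interface facing the internet
#   ALLOWED_TCP_PORTS 1521 = Oracle listener, 3389 = Remote Desktop
SERVER_IP="${SERVER_IP:-192.0.2.10}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-1521 3389}"

# Emit the commands rather than running them, so the rule set can be reviewed
# (and checked) first; apply as root with:  sh thisscript.sh apply
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny for traffic crossing the box; flush any old rules.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    # Replies on connections already accepted. There is no NEW outbound rule,
    # so the server cannot open connections to the internet by itself.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        # Publish the port on the WAN side and permit it through to the server.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $SERVER_IP"
        echo "iptables -A FORWARD -i $WAN_IF -d $SERVER_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) and drop the rest: any stray domain-controller
    # chatter from the /24 ends up here and becomes visible in the log.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
    echo "iptables -A FORWARD -j DROP"
}

# Sanity check on the generated set: none of the common domain-controller
# ports may be forwarded. Returns 0 when clean, 1 when a rule would open one.
check_no_ad_ports() {
    for p in 53 88 135 137 138 139 389 445 464 636 3268 3269; do
        gen_rules | grep -q -- "--dport $p " && return 1
    done
    return 0
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The server's own outbound access (updates, DNS) is deliberately closed too; anything it genuinely needs has to be added as an explicit NEW rule from the internal side.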