SBS2003 – Required Ports

This information comes from the Microsoft “Securing your SBS2003 Network” document, which can be found at: http://download.microsoft.com/download/1/f/1/1f15a874-f696-4992-b5ad-b1e7b258de1c/SecuringSBSnetwork.doc


Services and TCP Port Numbers


Service: E-mail
TCP Port Number: 25
Inbound Access Recommendations: Allow if you are using Exchange to receive Internet e-mail.

Service: Web server
TCP Port Number: 80 (required for HTTP requests for your site) and 443 (required for HTTPS requests using Secure Sockets Layer (SSL), which secures communications from your server and a Web browser)
Inbound Access Recommendations: Allow if users on the Internet need to access specific Web-site services on your server. Web-site services that use port 80 and/or port 443 include the following:
- Microsoft® Office Outlook® Web Access (OWA)
- Windows Small Business Server 2003 server performance and usage reports
- Outlook Mobile Access (OMA)
- Business Web site (wwwroot), which allows users to access the company’s Internet Web site from the Internet
- Outlook via the Internet (RPC over HTTP) feature of Outlook 2003

Service: Windows SharePoint Services intranet site
TCP Port Number: 444
Inbound Access Recommendations: Allow if users securely access the intranet Web site created by Microsoft® Windows® SharePoint™ Services from the Internet.

Service: Remote Web Workplace
TCP Port Number: 4125 and 443
Inbound Access Recommendations: Allow if users securely access Remote Web Workplace to:
- Connect to the local network from OWA
- Create a direct Remote Desktop Web (RWW) Connection to client computers on the local network
- Use the Windows SharePoint Services intranet site (this also requires port 444, as noted above)
- Download Connection Manager to configure the remote client computer for remote access (using remote access also requires that port 1723 be open, as noted below)

Service: Virtual private network (VPN)
TCP Port Number: 1723
Inbound Access Recommendations: Allow if remote clients connect securely to the network using a VPN connection to use resources as if the client was connected locally.

Service: Terminal Services
TCP Port Number: 3389
Inbound Access Recommendations: Allow if remote clients connect to the computer running Windows Small Business Server 2003 using Terminal Services.

Service: File transfer protocol (FTP)
TCP Port Number: 21
Inbound Access Recommendations: Allow if remote clients use file transfer protocol (FTP) to connect to the computer running Windows Small Business Server 2003.
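The table's "allow if" rules amount to a least-privilege allow list: open a port only when a feature in use needs it. The following is an added example, not part of the Microsoft document or the original post. It derives that list and compares it with the ports actually forwarded; the feature keys and the forwarded-port list are constructed for illustration, and only the port numbers come from the table.

```python
"""Least-privilege check for the inbound TCP ports in the table above."""

# Port numbers come from the table; the feature keys are labels made up here.
SERVICE_PORTS = {
    "email_smtp": {25},
    "web_server": {80, 443},  # OWA, OMA, usage reports, wwwroot, RPC over HTTP
    "sharepoint_intranet": {444},
    "remote_web_workplace": {4125, 443},
    "rww_sharepoint": {4125, 443, 444},           # RWW use that also needs 444
    "rww_connection_manager": {4125, 443, 1723},  # remote access also needs 1723
    "vpn": {1723},
    "terminal_services": {3389},
    "ftp": {21},
}


def required_ports(features):
    """Union of the ports needed by the features actually in use."""
    unknown = set(features) - set(SERVICE_PORTS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    ports = set()
    for name in features:
        ports |= SERVICE_PORTS[name]
    return ports


def audit(features, open_ports):
    """Compare the ports open on the firewall with what the features need."""
    needed = required_ports(features)
    open_ports = set(open_ports)
    findings = {"missing": sorted(needed - open_ports), "unneeded": []}
    for port in sorted(open_ports - needed):
        # Name the table rows that would justify this port, if any.
        owners = sorted(n for n, p in SERVICE_PORTS.items() if port in p)
        findings["unneeded"].append((port, owners or ["not in table"]))
    return findings


if __name__ == "__main__":
    # Constructed scenario: mail, Web services and RWW with SharePoint are in
    # use, but the router still forwards 21, 3389 and 8080 from an old setup.
    in_use = ["email_smtp", "web_server", "rww_sharepoint"]
    forwarded = [21, 25, 80, 443, 3389, 4125, 8080]
    for kind, items in audit(in_use, forwarded).items():
        print(kind, items)
```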


 

2004-10-30 “Sgt Peppers Lonely Hearts Club Band”

With Halloween just around the corner, I will avoid the lure of doing a song about goblins and witches. Lord knows, we have enough viruses and worms to deal with.

OTOH, it was back in 1984, just 20 years ago, that several significant events happened in the computer world – the Apple Macintosh and the IBM PC AT were introduced (who can forget the famous Apple Mac commercial during the Super Bowl), DOS 3.0 was released, the 3.5″ floppy made its first appearance, Dell Corp was founded, as well as probably the first public warning about computer viruses.

Musically, the Pointer Sisters sang “I’m so Excited”, the Boss (Bruce Springsteen) released “Born in the USA” and Tina Turner sang “What’s Love Got to do with it”.

Was it really twenty years ago that all that happened? Well, without any more words, the song of the week comes from the Beatles:

Sgt. Pepper’s Lonely Hearts Club Band

aka Mister Bill Gates Lovely DOS Club Band

It was twenty years ago today,

Mister Bill Gates taught the world to play.
They’ve been working in Seattle now,
but they’re guaranteed to raise a smile.
So may I introduce to you:

the act you’ve known for all these years,
Mister Bill Gates Lovely DOS Club Band.

We’re Mister Bill Gates Lovely DOS Club Band,
We hope you will enjoy the show,
We’re Mister Bill Gates Lovely DOS Club Band,
Sit back and let the software go.
Mister Bill Gates lovely, Mister Bill Gates lovely,
Mister Bill Gates Lovely DOS Club Band.

It’s wonderful to be here, It’s certainly a thrill.
You’re such a lovely group of techs,
we’d like to take you home with us,
we’d love to take you home.

I don’t really want to stop the code,
but I thought that you might like to know,
that the ‘prez’ is going to sing a song,
and he wants you all to sing along.
So let me introduce to you: the one and only Steven Ballmer:
Mister Bill Gates Lovely DOS Club Band

Steven Ballmer …


Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”

Dealing with W32 Time errors in SBS2003

Two things to note:


First, Dave points out that: there have been a number of posts for help with W32Time errors in SBS 2003.  It appears that two KBs on these issues were released this week.  The first one seems to directly address the problems I’ve seen posted (and seen on my server), and the second references a packet filter for NTP that is incorrectly created by the CEICW. Here are the links:

1. Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;875424

2. The server cannot synchronize with an external time source after you run  the Configure E-mail and Internet Connection Wizard on Windows Small Business Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;887355


Second, Les adds: do fix your NTP packet filter (#2 above). But even then, occasionally you’ll get time sync errors after a server restart. Save the following in a .bat file, put it in a convenient location, and execute it whenever you see time sync problems:


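rem Point the time service at time.windows.com; the 0x8 flag requests client mode
w32tm /config /manualpeerlist:time.windows.com,0x8 /syncfromflags:MANUAL
rem Tell the service that its configuration has changed
w32tm /config /update
rem Restart the Windows Time service
net stop w32time
net start w32time
rem Ask for a resync and return without waiting for the result
w32tm /resync /nowait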


Les Connor [SBS Community Member]

Generating web cert for other sites on the server

DonDinCT asked this great question on the NG:


“When I generate a certificate for my server during installation, does it only work for the default web site? Do I need to create a separate certificate for each web site that I add?”


And John gave this equally great response:


The certificate is automatically added to the companyweb and default web sites. You can manually add it to others if you would like. If you want to add the existing one:


  • Right click on the site and go to properties
  • Go to security tab
  • Click the server certificate button
  • Click next and choose assign an existing certificate
  • The SBS created cert should be in the list.  Just pick that cert and click Next
  • Set the SSL port and finish the wizard.

    Best Regards,
    John Bay, MCSE 2003
    Microsoft Support Engineer

How to change Administrator password

The following info came from the SBS Product team on the best way to change the password on the Administrator account:


To change the password, however, you can use any of the methods that any user would use to change their own password, plus some others. For example:

1. When logged in as Administrator, press Ctrl-Alt-Del, click the “Change Password” button, and change the password.
– or –
2. Open Active Directory Users and Computers, find the Administrator object, right-click on it and select “Reset Password.”


Note that option 1 is preferred, as option 2 forces the password to be reset, which can cause the account to lose access to encrypted files and potentially other data.

David Jones
SBS Product Team

Installing IMF and displaying SCL rating

The details can be found here (thanks to the M&M queens!)
http://www.smallbizserver.net/Default.aspx?PageContentID=10&tabid=174

I’ve skinnied their instructions down just for quick reading:


1. Download & Install IMF – go to http://www.microsoft.com/downloads/details.aspx?FamilyId=C1B08F7B-8CAF-4147-B074-8C9C8F277071&displaylang=en


In ESM, go to Global Settings, right-click Message Delivery, choose Properties, open the Intelligent Message Filtering tab, and configure your various thresholds. Example: set the gateway threshold to 5, blocking messages to Archive, and the SCL rating to 2. Then all email with an SCL rating equal to or greater than 5 will be archived. All email with an SCL rating greater than 2 will be moved to the user’s Junk E-mail folder. You will want to experiment with the threshold settings. Note: every time you change the SCL rating, you will have to restart the Microsoft Exchange Information Store service.


Still in ESM, go to Servers > Servername > Protocols > SMTP, right click Intelligent Message Filtering Properties and enable the Default SMTP Virtual Server.


2. Download and install the IMF Archive Manager – go to http://www.gotdotnet.com/workspaces/workspace.aspx?id=e8728572-3a4e-425a-9b26-a3fda0d06fee


By default, when IMF archives a message, it does not archive the SCL rating assigned to the message. To do so, create a registry DWORD value, ArchiveSCL, and assign it a value of 1. Run RegEdit and navigate to HKLM > SOFTWARE > Microsoft > Exchange, right-click ContentFilter, click New, and then click DWORD value.


Type ArchiveSCL for the registry key value. Right-click ArchiveSCL, and then click Modify. In Edit DWORD, under Value Data, type 1.


3. Configure Outlook to display the SCL rating.


Here a picture is worth a thousand words: http://www.smallbizserver.net/Default.aspx?PageContentID=12&tabid=174

How to setup your MX record

There are many questions in the NG about what to tell your ISP in order to have email forwarded to your SBS server. Here’s a sample Q&A:


Q: I followed the SBS 2003 setup suggestion, and my internal domain name is called abc.local. I have also registered an Internet domain name xyz.com. I’m now ready to move from external POP3 accounts to internally hosted Exchange mailboxes. The domain folks are ready to reconfigure the MX record, and they want to know the “name of the server” and its static IP address. If the server name is “bubba”, do I tell them to use bubba.abc.local or bubba.xyz.com when creating the MX record? I know this is rather basic, but I have hunted all over and am still confused. Thanks!


A: First, understand that the Public DNS is totally handled by your ISP. You don’t need to change anything on your SBS machine. The public DNS name of the computer can be anything you want.


By default you may already have the name “www”, but you should add a second name for mail, such as “mail” or “owa”, because it is more typical for OWA or POP3 users to access a mail server with “mail” rather than with “www”. MX records refer to an A record on the same DNS server.


You basically want an MX record pointing to, for example: mail.xyz.com and then an A record pointing mail.XYZ.com to your public IP address. Or if you wanted to use ‘owa’ instead of ‘mail’, you could have them add two records such as:
MX record    = owa
A record       =  owa   65.45.45.45

The public DNS name you tell your ISP doesn’t have to have any correlation with your private names.


Another response: Set the domain to abc.local as discussed previously. When the installation is finished and you are going through the to do list you will run the connect internet wizard, at that time you will set the server, exchange, to mail.abc.com and create a certificate for that name. The server would answer, internally, to servername.abc.local and externally to mail.abc.com. Your external DNS servers should have a record for mail.abc.com pointing to the external IP address of your router.
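The answers above come down to three checks on what the ISP is asked to publish: the MX record names a public host, that host has an A record in the same zone, and the A record holds the public IP address. The following is an added example, not part of the original Q&A. It runs those checks over a list of records; the function name and record tuples are constructed for illustration, using the names and the sample address from the Q&A.

```python
"""Sanity check for the public MX/A records requested from an ISP."""
import ipaddress


def _norm(name):
    """Lower-case a host name and drop any trailing dot."""
    return name.rstrip(".").lower()


def check_mail_records(public_domain, internal_domain, records):
    """Return a list of problems with the MX/A records for public_domain.

    records is a list of (owner, rtype, value) tuples using full host names.
    """
    public, internal = _norm(public_domain), _norm(internal_domain)
    a_records = {_norm(o): v for o, t, v in records if t.upper() == "A"}
    mx_targets = [_norm(v) for o, t, v in records
                  if t.upper() == "MX" and _norm(o) == public]
    problems = []
    if not mx_targets:
        problems.append(f"no MX record for {public}")
    for target in mx_targets:
        # A private AD name such as bubba.abc.local cannot be resolved publicly.
        if target == internal or target.endswith("." + internal):
            problems.append(f"MX target {target} is an internal name")
            continue
        # The MX must point at a host name that has an A record in this zone.
        if target not in a_records:
            problems.append(f"MX target {target} has no A record")
            continue
        addr = ipaddress.ip_address(a_records[target])
        if not addr.is_global:
            problems.append(f"{target} resolves to non-public address {addr}")
    return problems


if __name__ == "__main__":
    # Constructed record sets based on the names used in the Q&A.
    good = [("xyz.com", "MX", "mail.xyz.com"),
            ("mail.xyz.com", "A", "65.45.45.45")]
    internal_name = [("xyz.com", "MX", "bubba.abc.local")]
    lan_address = [("xyz.com", "MX", "mail.xyz.com"),
                   ("mail.xyz.com", "A", "192.168.16.2")]
    for zone in (good, internal_name, lan_address):
        print(check_mail_records("xyz.com", "abc.local", zone) or "OK")
```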

Overview on Jeff’s Swing Migration

[This was posted in the public NG on 10/23/2004 by Jeff]


I have information on Swing Migration that I can send out to you if you want to visit www.SBSmigration.com to request it.

Swing Migration is a method for upgrade/migration that I’ve recently documented and created as a complete project package called a Swing It!! Kit. It’s a set of documentation that walks you through an entire process to move the entire configuration identity from the old SBS to a new SBS or Windows server.

You get a clean server installation, but the same domain name, same server name, same AD, same Group Policies, same IP, same network paths, same user and computer accounts…and you can forklift the Exchange onto the new server without breaking single instance storage.

The work can be completed offline, meaning that you can keep your existing server running (including the Exchange) while you build the new server, and the downtime involved is only the time it takes to move an offline copy of the Exchange and the datafiles over to the new server. You can complete the entire installation of the new server, including 3rd Party apps, all in advance of shutting down the domain. Some folks have done the entire change over with as little as 2-3 hours downtime.

Swing Migration is a process by which you can add a temp DC to your network, capture the AD information, then swing it back onto a new server and complete the installation of a new server using the previous server’s identity. I have detailed information about this available for free on request at www.SBSmigration.com.

The main difference in this process and what you suggested is that you will be renaming your server if you do a DCpromo of a different box. You have namespace problems created not only in Exchange, but also for all network related issues. Swing Migration solves that.

The Swing It!! Kit that is the project reference is available in one of two versions. One is just the reference documentation; the Technician Kit includes the docs and about 10 tools that make the migration process faster, easier, and better documented. Technician Kit is $200US and the Reference Kit is $125…but the Technician Kit is clearly more popular since I’ve been making them available. Both include support from me on the docs and tools in completing a swing migration project.

I will be happy to answer as many questions as I can here in the NG so that everyone can stay in the conversation. If you want purchase information or the Reviewers Technical Guide that explains the concepts and has many Q&A bits in it, ask at the information website.

I realize that the website is a little “lean” right now since it’s under construction at this time…but that’s almost complete … hopefully in the next week I will have the full package of information available to browse there, or download…including secure payment and ordering option.

Jeff Middleton
www.SBSmigration.com

2004-10-23 “Rainbow Connection”

Often in life, as well as with dealing with computers and customers, things don’t always turn out the way we expect them to. And, we’re often surprised to see how the simple things in life may lead to the best solution.

SBS was one of the surprises for me. When I first started working as a consultant, I went looking for a product to fit the needs of the type of customers I wanted to target. What a surprise it was to find SBS. I mention this because there have been several recent posts from “new” SBS’ers who cannot believe what they get (for such a low price) in the SBS2003 Std and Premium packages.

 

One of the negatives (?) with SBS is that because there are so many separate applications bundled together, keeping your SBS servers up to date with service packs and hotfixes is almost a full time job in its own right.

Along those same lines, one of my all time favorite songs to play on the piano was made famous by nothing more than a green piece of cloth made up to look like a frog. Yep, Kermit the Frog’s hit song:

Rainbow Connection
(aka Download Connection)

 



Why are there so many files I must download
And why do they take so long?
Downloads are so slow, when disk drives are so full,
And downloads can fix what’s wrong.
So we’ve been told and some choose to believe it
I know they’re wrong, wait and see.
Someday we’ll find it, the download connection,
Where all of my patches will be.

Who said that every bug would be heard and answered
when shared on the newsgroup lists?
Somebody answered back,
and someone confirmed it,
But look now, there still isn’t a fix!
What’s so amazing that keeps us stargazing?
And what do we think we might see?
Someday we’ll find it, the download connection,
Where all of my patches will be.

All of us under its spell,
we know that it’s probably magic….

Have you been half asleep
while waiting for answers?
I’ve heard them calling my name.
Could this be the posting that gives me my answer?
The KB number might be one and the same.
I’ve heard it too many times to ignore it.
It’s something that I’m supposed to do.
Someday we’ll find it, the download connection,
When all of my downloads come true!
La, la la, La, la la la, La Laa, la la, La, La la laaaaaaa



Kevin Weilbacher [SBS-MVP]
“The days pass by so quickly now, the nights are seldom long”