Adding a 2003 server to existing SBS 2003 domain

Latest post 05-21-2009 3:50 PM by bobhood. 6 replies.

Adding a 2003 server to existing SBS 2003 domain

05-13-2009 9:22 AM

Our charity has been running SBS 2003 R2 for some while to support Exchange Mail, File and printer services and so on. We have installed a second Windows 2003 R2 server on which we will run MS SQL Server 2005.

What we want to do is to allow users to log into the domain managed by the SBS server and also allow them access to the SQL server without having to log into a local account on that machine. We thought that this would just involve setting the SQL server as a member of the SBS domain and then setting up suitable group policies - we've got most of the way there - although the SBS server sees the SQL server, we always get an 'invalid path' message when we try and manage the server or view logs etc.

Where can we find detailed step-by-step information on how to do this? Are there any server or CAL conflicts that we need to be aware of?

Any help would be welcomed.

 

Re: Adding a 2003 server to existing SBS 2003 domain

05-13-2009 11:00 AM

It's unlikely a CAL issue. I would remove it from the domain and then add it back into the domain again, if you haven't tried this already. When you say you are getting an invalid path error when trying to view logs or manage the system, can you clarify this for me? For example, are you using Active Directory Users and Computers in order to browse AD to the member server, right click, and select "Manage"?

Re: Adding a 2003 server to existing SBS 2003 domain

05-13-2009 4:32 PM

Thanks for your prompt response.

We've tried removing it from the domain and adding it back.

When we go into  the Manage Server panel on the SBS 2003 server, go to Computers, select Manage server computers, we see the local SBS server and the SQL server in the list. When we select the SQL server (server 2003 R2) by clicking on it, and then try and "Manage the server" or "View Event Logs", the response after a few seconds is that the path to that member server is invalid. We do get an empty management tree window from the SQL server.

FWIW, we can't change the Firewall settings on the SBS server as these appear to be controlled by Trend anti-virus software installed on the server (by some previous IT specialist). Could this be the source of the problem? Or not...

Thanks

Brian Rich

 

Re: Adding a 2003 server to existing SBS 2003 domain

05-14-2009 6:40 AM

It is most likely Windows Firewall. It's also most likely set in the SBS Group Policies for member servers. You'd have to load the Group Policy Management Console to manage these properly. If you don't have it, you can download it from Microsoft. Please let me know if you have difficulty opening and managing these. Be careful with them, but this is where you can easily manage the Group Policies for your domain. Trying to do it elsewhere will be an exercise in frustration.

Re: Adding a 2003 server to existing SBS 2003 domain

05-15-2009 4:18 AM

We have the Group Policy Manager Console installed on both servers  - we used this to set up a security group on the SBS server and added the 2003 server in, as described in this link:

http://technet.microsoft.com/en-us/library/cc875844.aspx

We used the High Security - Member Server Baseline.inf template to set up the security group, so I'm wondering if this template is the cause of the problem. I'm not sure how to proceed on changing this.

As a temporary measure, I disabled the firewall on the Windows 2003 server, and everything came alive and started working properly - so your suggestion of the Firewall looks correct. If I knew which ports to open, I suppose I could enable the firewall again. I'd like to do this as it is an obvious security issue at the moment.

Can you suggest the best way to proceed?

Thanks for your support

Brian

 

Re: Adding a 2003 server to existing SBS 2003 domain

05-15-2009 6:44 AM

Hi Brian,

I think there's a setting in Group Policy under the Windows Firewall section called "Allow Remote Administration". I believe this opens up the ports necessary for this function. You will also need to open port 1433, this is the MS SQL port. To further secure the server, you might want to modify the scope of these rules to only be allowed on your local subnet.

Here's a link to an article that talks about the remote administration ports for Windows Firewall and where to set them in Group Policy, even though it's for another purpose.
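
The firewall changes suggested in the reply above, shown as local `netsh firewall` commands for the Windows Server 2003 member server. This is an added example, not part of the original post; it assumes Windows Server 2003 SP1 or later, an administrator command prompt on the SQL server, and a rule name chosen here for illustration.

```bat
@echo off
rem Added example, not from the thread. Run on the Windows Server 2003
rem member server (SP1 or later) from an administrator command prompt.

rem 1. Turn Windows Firewall back on instead of leaving it disabled.
netsh firewall set opmode mode=ENABLE

rem 2. Enable the built-in remote administration exception, limited to
rem    the local subnet rather than any source address.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET

rem 3. Open TCP 1433 for SQL Server, also for the local subnet only.
rem    The rule name is an arbitrary label chosen for this example.
netsh firewall add portopening protocol=TCP port=1433 name="SQL Server 1433" mode=ENABLE scope=SUBNET

rem 4. Review the resulting exceptions and their scope.
netsh firewall show config
```

Where a Group Policy object already configures Windows Firewall for member servers, the policy settings take precedence over these local ones, so the same exceptions and subnet scope then need to be set in that policy.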

Re: Adding a 2003 server to existing SBS 2003 domain

05-21-2009 3:50 PM

Brian and Chris:

 

You might also want to look at the Internet Protocol properties on the NIC on your SQL Server - and uninstall the Trend Micro Firewall if it is present.  Trend  (CSM - old version, or Worry Free Security - new version) is a great product, IMHO, but it has this nasty little habit of wanting to install its own firewall product on a client.

 

Bob Hood

Hood Consulting Group