How to set time server on PDC

  1. Log in to your PDC Server and open the command prompt as administrator.
  2. Configure the external time sources, type: w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
  3. Make your PDC a reliable time source for the clients. Type: w32tm /config /reliable:yes
  4. Restart the w32time service: net stop w32time && net start w32time
  5. The windows time service should begin synchronizing the time.
  6. You can check the external NTP servers in the time configuration by typing: w32tm /query /configuration
Advertisements

Change Remote Desktop Gateway Port and Remote Web App Port

 

The default Remote Desktop (RD) Gateway encapsulates RDP in HTTPS packets listens on port 443 (for TCP) and port 3391 (for UDP). Many times you are limited to one public IP address and the port 443 is already occupied by some other service.

In that case you should change the port 443 to something else. Bellow is the procedure of doing it:

Open  Remote Desktop Gateway Manager (Start > Administrative Tools > Remote Desktop Services):

  1. Right-click the Remote Desktop Gateway server name and select Properties.
  2. Select the Transport Settings tab.
  3. Modify the HTTP and/or UDP port number and click OK.

 

2016_04_20_15_45_27_MAIL.MATJAZ.SI_2014_Remote_Desktop_Connection

Now, when accessing with the RDP client you have to specify the RD Gateway server name with the custom port  you have to specified before.

2016_04_20_15_59_13_

 

In case you are using also published Remote Web Apps you have to use a powershell trick to change the TCP port to your custom.  Remote Desktop Gateway Port. On your RD Connection Broker use powershell commands below to change the published gateway to include your custom port:

Import-Module RemoteDesktop

Set-RDSessionCollectionConfiguration -CollectionName “MySessionCollection” -CustomRdpProperty “gatewayhostname:s:my.gateway.server:4343”

 

Windows Server Remote Desktop Services grace period expoired

Remove the RDS licensing time-bomb registry entry with the help of Sysinternals PSExec (Regedit alone couldn’t do it because it had to be run under highest privileges):

psexec -s -i regedit.exe:

Locate the registry key: HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

 

Remove the registry key GracePeriod and reboot the computer.

Bind multiple sites on same IP address and Port in SSL

Until IIS 7.5, the major limitation of IIS is that IIS will allow you to bind only one site for one IP: Port combination using an SSL certificate.  If you try to bind a second site on the IP address to the same certificate, IIS will give you an error when starting the site up stating that there is a conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address and port, we need to use a special mechanism. Before we go there let’s understand why it is not possible for IIS to allow the binding of multiple sites on same IP: Port combination using an SSL certificate.

Classic Chicken and Egg Problem

We know that IIS identifies a site using three piece of data:

1. IP-Address

2. Port

3. Host Header

You can have multiple HTTP site configured with different combination of above. The binding, for example 192.168.1.0:80 can be configured to site “MyServer1.com”. That means if I browse to IP-address 192.168.1.0 over port 80 then I will hit the site “MyServer1.com”. I can have the binding as 192.168.1.0:80:myserver2.com configured for site “MyServer2.com”. That means when I browse the site over IP-address 192.168.1.0 over port 80 with a host header as “myserver2.com” then I will hit the site MyServer2.com. This allows multiple DNS hostnames on a single server at the same IP address.

However this doesn’t work in HTTPS. To know why it doesn’t work in HTTPS lets understand the SSL handshake briefly.

1. Client – > (SSL Handshake) – > “ Hello, I support XYZ algorithm for encryption”

2. Server -> (SSL Handshake) -> “Hi there, Okay so here is my public certificate. Let’s use algorithm X”

3. Client -> (SSL Handshake)-> “Great we can use that”

4. Client -> (In Encrypted format)-> “HTTP Request”

5. Server -> (In Encrypted format)-> “HTTP Response”

<And now cycle continues>

Now let’s say hypothetically, you have set two sites on same IP-address and port and different host headers and you set two different certificates on both of them.

Look at the steps in SSL Handshake, Client sends the HTTP Request only in Step 4. That means Server doesn’t know what host header HTTP request is referring to until step 4. So at Step 2, Server has only IP-Address and Port information with it, so how can server figure out which certificate it needs to send to the Client as you have bind two certificates to same IP-Address and port.

When a request comes to HTTP.SYS layer, the HTTP.SYS reads the site configuration, including the certificate used to encrypt/decrypt the data. The host name is encrypted in SSL Blob that the client sends. However, IIS needs to know the host name in order to get the right certificate. Without the host name IIS cannot get to the correct site. As IIS is not able to get to the correct site so it cannot get the right certificate to decrypt the SSL blob to get the host name. This is the classic Chicken and Egg problem. We are turning into circles with no way out.

This is the precise reason; HTTP server can only allow one site per IP-Address: Port combination for HTTPS browsing. If you need to bind another site over HTTPS then you need to get either a different IP-Address or bind the site to a different port.

Sometimes getting a new IP-Address or port for each website becomes costly affair. So how we can attach two website to HTTPS over same IP: Port. There are two ways to do it in IIS7.

Wild Card Certificate.

A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you can get a certificate which is issued to *.mydomain.com. This certificate will secure www.mydomain.com, secure.mydomain.com, welcome.mydomain.com etc. Basically it will work on any subdomain that replaces the wildcard character (*).

Setting up the Wild Card Certificate

Step 1: Install the wildcard certificate.

Verify if the certificate is properly installed.

1. Select Start –> Run

2. Type in “MMC” and hit enter

3. From the console, select File –> Add / Remove Snap-in

4. Select Certificates from the Add / Remove dialog

5. Select Computer Account when prompt for which certificates the snap-in will manager.

6. Select Local Computer when prompted

7. Click OK to add the Snap-in to the MMC

8. Locate your SSL certificate

9. Right click on the certificate and select properties

10. You should see the * in the friendly name.

clip_image002

Once you have installed the certificate then the issued to should be the *.mydomain.com

clip_image004

Step 2: Setup the wildcard certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.myserver.com              10.0.1.1              80                  443
Test2                        test2.myserver.com               10.0.1.1              80                  443

Test3                        test3.myserver.com                10.0.1.1             80                  443

IIS6

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

To know how to bind the certificates in IIS6 please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https://test1.myserver.com, https://test2.myserver.com or https://test3.myserver.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:test1.myserver.com”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:test2.myserver.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:test3.myserver.com”

clip_image007

You can also change this by changing the metabase.xml for that particular site.

For Example your site id is 1 then you would see following in the Metabase.xml

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

IIS7

In IIS7, attaching a wild card certificate is much easier. You can attach the certificate to the website you need to attach to. The moment you select the wildcard certificate the hostname field in the UI will be enabled. You can type the host header in it. You can do the same procedure for multiple sites.

clip_image009

How Wild Card Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (wildcard certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that wildcard certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of Wild Card Certificate.

There are certain limitations of wild card certificate.

1) It can only be applicable to single level of subdomain. For example you got a wild cart certificate for *.mydomain.com then you can bind this certificate to sites such as site1.mydomain.com or site2.mydomain.com. However, you cannot bind the wildcard certificate to Site1.myexample.mydomain.com or Site1.example2.mydomain.com or xyz.abc.mydomain.com etc.

That means the wild cart certificate will work only till first level of subdomain.

2) The wild card certificate will work only if the site has same domain name. That means if you have certificate for *.mydomain.com then you cannot bind this certificate to sites such as www.example.com or www.mydomain2.com etc. Wild card certificate will work only for sites which have same domain name.

3) You can set the wildcard certificate only for one top level domain. For example you can bind a wild card certificate forwww.test1.myserver.com or www.test2.myserver.com, but you cannot bind the same certificate for hostheader www.test2.myserver.org orwww.test2.myserver.net etc.

SAN Certificate (Subject Alternative Name Certificate)

You can setup the wildcard certificate if the domain name for all the sites are same and first level subdomain changes. What if you want to set up the sites which should work on two different domain names, for example, a site with host header as www.testserver1.com and another site with hostheader as www.testserver2.com. In this case Wildcard certificate won’t help you. To resolve this issue we have SAN Certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com orwww.example.com.

You can see the domain names in the Subject Alternative Name option in the Certificate

clip_image011

clip_image012

Setup the SAN certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.test.edu               10.0.1.1              80                  443
Test2                        http://www.test.com               10.0.1.1              80                  443

Test3                    www.test.testing.com 10.0.1.1             80                  443

IIS 6

You need to select the SAN certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https:// http://www.test.edu, https://www.test.com or https://www.test.testing.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005[1]

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:www.test.edu”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:www.test.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:www.test.testing.com”

clip_image013

You can also change this by changing the metabase.xml for that particular site

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

clip_image015

IIS7

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates in IIS7 please follow the following link

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

To configure the SAN certificate you need to run the below command after changing the website name, ip-address and port and the host header value.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Go to the location “C:\Windows\System32\inetsrv”

Type the following command at the command prompt:

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

For example

appcmd set site /site.name:”Test1” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.edu’]

appcmd set site /site.name:”Test2” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.com’]

appcmd set site /site.name:”Test3” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.testing.com’]

clip_image017

Alternatively you can go to the applicationhost.config and modify the binding part of the website to add the host header. Do this for all the three sites. For example

<site name=”TestSite” id=”2″ >

<application path=”/” applicationPool=”TestSite”>

<virtualDirectory path=”/” physicalPath=”C:\Publish” />

</application>

<bindings>

<binding protocol=”http” bindingInformation=”*:8089:TestSite” />

<binding protocol=”https” bindingInformation=”*:443:TestSite” />

</bindings>

</site>

clip_image019

How SAN Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (SAN certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that SAN certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of SAN Certificate.

There are certain limitations of SAN certificate.

1) One major limitation of SAN certificate is if you have issued the SAN certificate for say two host-headers http://www.test1.com andwww.test2.edu but you need to setup a site for www.test3.net using the same certificate then you can’t use it. You need to get another SAN certificate from the CA with all the three host-headers. In short, for every addition of a host-header you need to get another SAN certificate.

2) There are certain limitations which are defined by the CA on the number of host-header you can add to the Certificate. That means, after a certain number of host-header you cannot add further host-header into it.

 

Taken from: https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

How to migrate data between DPM disks

MigrateDatasourceDataFromDPM is a command-line script that lets you migrate DPM data for a data source  (e.g. replica volumes and recovery point volumes) across disks. Such a migration might be necessary when your disk is full and cannot expand, your disk is due for replacement, or disk errors show up.

Depending on how you have configured your environment, this could mean one or more of the following scenarios for moving data source data:

  1. DPM disk to DPM disk
  2. Data source to DPM disk
  3. Data source to custom volume

DPM disk to DPM disk Migration

When I migrate DPM disk to DPM disk, I received errors mentioning there wasn’t enough disk space. After research and reference I found out it is because of the data sources I used span across multiple disks. The best explanation for this behaviour I found was located in this article: Space needed to migrate a disk.  More detailed information on DPM disk to DPM disk migration can be found in the following article: How to Use The Migratedatasourcedatafromdpm.Ps1 DPM Powershell Script to Move Data.

Data Source to DPM Disk Migration

I want to emphasize the second scenario (Data Source to DPM Disk) for which I wasn’t able to find many relevant articles. When I used this option had a few issues.

From the articles mentioned above, these were outlined as the required steps: the first 3 lines set the variables required for the migrateddatasourcedatafromdpm script, as follows:

  • $PG is the protection group available in your DPM.
  • $DS are the data sources
  • $disk is the disk available on the server.

Please take note that the first disk is $disk[0]. The first protection group is $pg[0] and first data source is $ds[0]

$pg = Get-ProtectionGroup DPMTestServer 
$ds = Get-Datasource $pg[0] 
$disk = Get-DPMDisk –DPMServerName DPMTestServer

The following step is the script which runs the migration of data source (no 1) to disk assign (disk no 2):

./MigrateDatasourceDataFromDPM.ps1 –DPMServerName DPMTestServer –Source $ds[0] –Destination $disk[2]

If you have multiple data sources in one protection group, then change the value [0] to [1] and so on.

Here’s a screen shot of a sample DPMDisk output:

Screen shot of a sample DPMDisk output

Once the script has finished executing, you’ll need to run consistency check. This is expected as there have been changes made to the volume, and these will need to be re-synchronized by running a synchronization job with consistency checking.

 

Taken from: http://blogs.technet.com/b/mspfe/archive/2011/06/08/how_2d00_to_2d00_migrate_2d00_data_2d00_protection_2d00_manager_2d00_resources_2d00_to_2d00_a_2d00_new_2d00_storage_2d00_location.aspx

HTTP Error 503 Accessing Company Web on SBS 2011 Standard

Taken from: http://blogs.technet.com/b/sbs/archive/2011/08/17/http-error-503-accessing-company-web-on-sbs-2011-standard.aspx

If your SharePoint service account passwords ever become out-of-sync, you will have issues trying to accesshttp://companyweb. The most common error you will see is “HTTP Error 503. The service is unavailable.” While this is the most common symptom, there are also several others depending on where you look and what account is out-of-sync, we have included many more symptoms toward the end of this post.

Background Information

In SBS 2011, we use 3 different accounts to run Windows SharePoint Foundation. The accounts we use are spfarm, spsearch, and spwebapp. For security reasons the passwords on these accounts are periodically reset. SharePoint manages the spsearch and spwebapp accounts and the Windows SBS Manager service manages the spfarm account. All of these accounts can be found under MyBusiness > Users > SBS Users.

Display Name Logon Account
SharePoint Farm Account spfarm
SharePoint Search Service Account spsearch
Windows SBS Internal Web site Account spwebapp

The password for spfarm is reset every 7 days that the Windows SBS Manager service is running. The passwords or spsearch and spwebapp are reset the first day of each month.

In addition to these passwords being stored in AD, they are also kept in the SharePoint configuration database and the services database. Due to this, the passwords can become out of sync. Passwords may get out of sync or expire due to the following causes:

  • A SharePoint database is restored that contains an out of date password.
  • The Windows SBS Manager service is broken/disabled.
  • The Windows SBS Manager is never allowed to run more than 7 days (server is rebooted ever <7 days).
  • The accounts passwords expire due to a combination of password expiration policy and date change. I.e. your passwords must be reset every 180 days and you change the date by more than 180 days.
  • You change your password policy to require passwords be changed more often than every 31 days.
  • Failed migration.

Of all these possible causes, the most common is restoring a database that contains an old password.

To check if your passwords are in sync, run the SharePoint 2010 Management Shell as an administrator. From the powershell then run Repair-SPManagedAccountDeployment. If one or more of the passwords is out-of-sync it will return an error.

clip_image002

Resolution

If you receive an error that your passwords are out of sync, perform the following steps for each out-of-sync account to resolve the issue.

  1. Reset the AD password for the out-of-sync account(s), the accounts can be found under MyBusiness>Users>SBSUsers. Please see above for more information on the accounts.  Note: Be sure to uncheck “User must change password at next logon”
  2. Sync the password for the account(s) from elevated SharePoint 2010 Management Shell (replace accountname with the affected account):
    Set-SPManagedAccount -UseExistingPassword -Identity $env:userdomain\accountname
  3. Run repair to verify that passwords are synced:
    Repair-SPManagedAccountDeployment
  4. IISreset /noforce

Symptoms

If your passwords are out of sync you may receive one or more of the following errors:

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5002
Level: Error
Computer: server.domain.local
Description: Application pool ‘SBS Sharepoint AppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5021
Level: Warning
Computer: server.domain.local
Description: The identity of application pool SBS Sharepoint AppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5057
Level: Warning
Computer: server.domain.local
Description: Application pool SBS Sharepoint AppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
Computer: server.domain.local
Description: An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER$
Account Domain: domain
Logon ID: 0x3e7
Logon Type: 4
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: spwebapp
Account Domain: domain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Following services may fail to start with a logon failure:

  • SharePoint 2010 VSS Writer
  • SharePoint 2010 Timer
  • SharePoint Foundation Search V4

Update

9/9/2011:  We have identified another cause of the 503 error and have detailed it here:http://blogs.technet.com/b/sbs/archive/2011/09/01/an-uncommon-reason-why-browsing-companyweb-may-fail-with-http-error-503-on-sbs-2011-standard.aspx.

Force-removing the RDS licensing time-bomb

Force-removing the RDS licensing time-bomb registry entry:

HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

RegEdit alone couldn’t do it. It had to actually be run under highest privileges with the help of Sysinternals: psexec -s -i regedit.exe

After another reboot things seem to be working now.