The Change IP Wizard does not update System Center Essentials Group Policy Objects in Windows Essential Business Server

[Today's post comes to us courtesy of Damian Leibaschoff]

When the Management server is configured in Windows Essential Business Server 2008, two group policies are configured as part of the System Center Essentials (SCE) deployment. These policies allow the Management server to deploy the SCE agent and access SCE Managed Computers in your domain.

One of these policies is the "SCE Managed Computers Group Policy (MGMT_MG)". (Note that the name in parentheses will vary depending on the name you have used for your Management server; in this case, the Management server is called MGMT.) Among other things, this policy defines firewall exceptions that apply to members of the "SCE Managed Computers" group. We will discuss the impact of this policy in another post, but keep in mind that it defines which machines can access Remote Desktop on the machines the policy is applied to, and by default that is the Management server IP only.

The other policy is the "System Center Essentials All Computers Policy". It applies to all computers in the domain and, among other things, also defines firewall exceptions. We will discuss the impact of this policy in a different post, but do keep in mind that the firewall exceptions defined in this policy determine which machines can access shares on, and remotely manage, the machines the policy is applied to, and by default that is the Management server IP only.

The firewall exceptions in both group policies are scoped to the IP of the Management server, so only the Management server is allowed access to the machines the policies are applied to.

After you run the Change IP Wizard on the Management server, the new IP will NOT be updated in these policies. As a result, SCE connections to the managed computers, and attempts to deploy its agent to a new computer, will be affected and may fail.

To correct this, you must manually update the policies with the correct IP for the Management server after you have completed the Change IP Wizard. To do so, follow these steps:

1-On the Management server, click Start, Run, type GPMC.MSC, and then click OK.

2-Expand the Forest, Domains, your domain, and select "SCE Managed Computers Group Policy (MGMT_MG)" (note that the name in parentheses might be different). Right-click it and choose Edit.

3-Expand Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.

4-Edit the following value: "Windows Firewall: Allow inbound Remote Desktop exceptions" and configure it using the new IP for the Management server. Please note that if you are allowing RDP or RWW connections from the Internet, this policy might cause some conflicts, so it might be necessary to change this policy to allow a broader range of exceptions.

Repeat steps 1-3 for the "System Center Essentials All Computers Policy".

4-Edit the following values with the new Management server IP: "Windows Firewall: Allow inbound file and printer sharing exception" and "Windows Firewall: Allow inbound remote administration exception". Once again, these policies might be too restrictive for your environment; in this case, only the Management server would be able to access other workstations' shares, so keep that in mind when planning your network.
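To confirm that the edited policies have reached a managed computer, the following check can be run there after `gpupdate /force`. It is an added example, not part of the original post or of EBS/SCE. It assumes the three settings are stored under the Windows Firewall administrative template policy registry keys shown in the code, and both IP addresses are constructed placeholders.

```powershell
# Added example: run on a managed computer after 'gpupdate /force'.
# Both addresses are constructed placeholders; substitute your own.
$OldIP = '192.168.0.3'    # Management server IP before the Change IP Wizard
$NewIP = '192.168.0.13'   # Management server IP after the Change IP Wizard

# Policy registry keys assumed to back the three settings (Domain Profile).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$settings = @(
    @{ Name = 'Allow inbound Remote Desktop exceptions';          Key = "$base\Services\RemoteDesktop" },
    @{ Name = 'Allow inbound file and printer sharing exception'; Key = "$base\Services\FileAndPrint" },
    @{ Name = 'Allow inbound remote administration exception';    Key = "$base\RemoteAdminSettings" }
)

function Test-FirewallScope($Setting) {
    # The Remote Desktop setting only reaches members of "SCE Managed Computers",
    # so a missing key on other machines is expected.
    if (-not (Test-Path $Setting.Key)) { return 'NOT CONFIGURED (policy not applied to this computer)' }
    $p = Get-ItemProperty -Path $Setting.Key
    if ($p.Enabled -ne 1) { return 'DISABLED or not enabled by policy' }

    # RemoteAddresses is a comma-separated scope list: addresses, subnets, "localsubnet" or "*".
    $scope = @("$($p.RemoteAddresses)".Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $hasOld = $scope -contains $OldIP
    $hasNew = $scope -contains $NewIP

    if ($hasOld -and -not $hasNew) { return "STALE: still scoped to $OldIP" }
    if ($hasOld)                   { return "REVIEW: $NewIP present, but old $OldIP is still allowed" }
    if ($hasNew)                   { return "OK: scoped to $NewIP" }
    # Exact-match only: a subnet, range or "*" that covers the new IP lands here.
    return "REVIEW: scope is '$($scope -join ',')' (no exact match for $NewIP)"
}

foreach ($s in $settings) {
    '{0,-52} {1}' -f $s.Name, (Test-FirewallScope $s)
}
```

A STALE result means the GPO was not edited or has not yet been applied to this computer; a REVIEW result is worth reading by hand, since a wide scope such as `*` allows far more than the Management server.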

If you would like more information about changing the IP of your EBS server, please check the following link:

https://technet.microsoft.com/en-us/library/cc540075.aspx