Friday, 9 September 2011

Citrix XenApp6 Discovery Fails “Errors occurred when using CTXS-XA1 in the discovery process” An Unexpected Error Occurred


This error may appear when you try to run the discovery process using the XenApp 6 evaluation VHD. I was using the VHD on Hyper-V and decided to change over to VMware vSphere. I managed to convert the virtual machine for use on VMware (using the Standalone Converter). That worked fine, but the problems started when trying to use XenApp 6 on a VM hosted on vSphere. I tried using the local Administrator account (the one used to create the original image) but could not run the discovery process using the Citrix Delivery Services Console. I then tried this:

  1. Log on as the local Administrator
  2. Try to run the discovery process
  3. If it fails (as it did for me) open a command console
  4. Change directory to the following path: C:\Program Files (x86)\Citrix\Independent Management Architecture
  5. Type the following command: dsmaint config /user:administrator /pwd:Evaluation1 /dsn:"c:\Program Files (x86)\Citrix\Independent Management Architecture\mf20.dsn"
  6. For the password use your local administrator account password
  7. You will see the following output:

    Attempting to connect to the data store with new configuration settings.
    Successfully connected to the data store.
    Configuration successfully changed.
    Please restart the IMA Service for changes to take effect.

  8. Open Services in Admin Tools and stop the Citrix Independent Management Architecture service
  9. Using the same command console type the following command: dsmaint recreatelhc
  10. Now restart the Citrix Independent Management Architecture service
  11. Try the discovery process again and it should work!

Thursday, 8 September 2011

Reset Licence Administration Console Password Citrix XenApp 6

If you need to change the administration account (Admin) for Citrix XenApp 6, try the following steps:

  1. Locate the Server.xml file (C:\Program Files (x86)\Citrix\Licensing\LS\conf)
  2. Edit with WordPad
  3. Locate the following entry <user firstName="System" id="admin" lastName="Administrator" password
  4. Delete the encrypted password between quotation marks
  5. Replace with a clear text password of your choice
  6. Set passwordExpired to True
  7. Save the xml file
  8. Restart the Citrix Licensing service
  9. Open the Licence Administration console once more and select Administration
  10. Log on using the new password. You will be requested to change the password.
  11. Hey Presto!
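The same edit, done with the XML parser instead of WordPad, as an added example that is not part of the original post. It assumes the file path given above, that the account is the element with id="admin", and that the attribute names are password and passwordExpired as the post describes (and that the element carries no XML namespace); the service is located by its display name. A timestamped copy of the file is kept so the change can be backed out.

```powershell
function Reset-LicenseAdminPassword {
    param(
        [Parameter(Mandatory=$true)][string]$NewPassword,
        [string]$ServerXml = 'C:\Program Files (x86)\Citrix\Licensing\LS\conf\server.xml'
    )
    # Keep a timestamped copy so the edit can be backed out
    $backup = '{0}.{1}.bak' -f $ServerXml, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $ServerXml -Destination $backup

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true       # leave the rest of the file's layout untouched
    $doc.Load($ServerXml)

    # The post identifies the account by its id="admin" attribute (assumption: no XML namespace on the element)
    $admin = $doc.SelectSingleNode("//user[@id='admin']")
    if ($admin -eq $null) { throw "No <user id='admin'> element in $ServerXml" }

    $admin.SetAttribute('password', $NewPassword)    # clear text, as in the post; re-encrypted after the forced change
    $admin.SetAttribute('passwordExpired', 'true')   # forces a password change at next logon
    $doc.Save($ServerXml)

    # Step 8 of the post: restart the licensing service so it reads the edited file
    Restart-Service -DisplayName 'Citrix Licensing' -ErrorAction Stop
    return $backup
}

# Constructed usage; the temporary value is replaced at the forced change on first logon
Reset-LicenseAdminPassword -NewPassword 'ChangeMe-Now1'
```

The function returns the path of the backup copy, so the original file is one Copy-Item away if the console refuses the edited one.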

Sunday, 4 September 2011

Citrix XenApp 6 Fundamentals Installation Has Failed

I had a problem installing XenApp Fundamentals. During the installation process I received an installation error that indicated that the installation had failed and that I should check the ‘Citrix Access Essentials Install Log.txt’.

I presumed that installing the program on Server 2008 R2 would be enough. However the setup that finally worked for me was as follows:

  1. Install a fresh 2008 R2 member server
  2. Do not install any roles, features or Windows updates
  3. Configure the correct network settings
  4. Disable the firewall (I prefer this but you may not be able to!)
  5. Join the server to your existing AD domain
  6. Install the .NET 3.5.1 Feature using the Server Manager
  7. Install the Remote Desktop Host services role using Server Manager
  8. Run the Citrix XenApp 6 Fundamentals Installation

If you follow the above procedure, you should be OK. Also, when applying a licence, make sure that the name you use matches the NetBIOS name of the server (case-sensitive).
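A check of steps 4 to 7 above from PowerShell, as an added example that is not part of the original post. It assumes an elevated session on the Windows Server 2008 R2 server with the built-in ServerManager module, and uses the 2008 R2 feature names NET-Framework-Core (.NET 3.5.1) and RDS-RD-Server (RD Session Host). It installs the missing features but only warns about domain membership and the firewall, since both are decisions for the administrator; the reported ComputerName is the NetBIOS name the licence must match.

```powershell
Import-Module ServerManager

function Test-XaFundamentalsPrereqs {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME                 # NetBIOS name: the licence name must match this exactly
        DomainJoined  = $cs.PartOfDomain
        Domain        = $cs.Domain
        DotNet35      = (Get-WindowsFeature -Name NET-Framework-Core).Installed
        RdSessionHost = (Get-WindowsFeature -Name RDS-RD-Server).Installed
        # netsh prints one 'State' line per profile; any 'ON' means a profile is still enforcing
        FirewallOn    = [bool](netsh advfirewall show allprofiles state | Select-String -Pattern '^State\s+ON')
    }
}

function Install-XaFundamentalsPrereqs {
    $status  = Test-XaFundamentalsPrereqs
    $missing = @()
    if (-not $status.DotNet35)      { $missing += 'NET-Framework-Core' }
    if (-not $status.RdSessionHost) { $missing += 'RDS-RD-Server' }
    if ($missing.Count -gt 0) {
        Add-WindowsFeature -Name $missing | Out-Null
    }
    if (-not $status.DomainJoined) {
        Write-Warning 'Server is not domain joined; join it (Add-Computer -DomainName <your.domain>) and reboot first.'
    }
    if ($status.FirewallOn) {
        Write-Warning 'Windows Firewall is on; the post disables it, or open the required ports if you cannot.'
    }
    # Re-read the state so the caller sees the result of the installs
    Test-XaFundamentalsPrereqs
}

Install-XaFundamentalsPrereqs | Format-List ComputerName, Domain, DomainJoined, DotNet35, RdSessionHost, FirewallOn
```

Run it before step 8; if every value but FirewallOn reads True (or FirewallOn is accepted), the XenApp 6 Fundamentals installer has what the post says it needs.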

Wednesday, 24 August 2011

Move Arbitration Mailboxes In Exchange 2010

Quite simple really. I have found that in certain situations (to help with backup) I have needed to delete databases, perhaps because several databases exist on a single drive. You can move mailboxes from one database to another simply by typing the following cmdlet:

[PS] Get-Mailbox -Database <SourceDatabase> | New-MoveRequest -TargetDatabase <TargetDatabase>

Now this will move the ‘regular’ mailboxes but not those marked as arbitration mailboxes. You can identify those by using the following:

[PS] Get-Mailbox -Database <SourceDatabase> -Arbitration

Now you know what mailboxes to look out for, move them to the database of preference.

[PS] Get-Mailbox -Database <SourceDatabase> -Arbitration | New-MoveRequest -TargetDatabase <TargetDatabase>

And then check that the arbitration mailboxes have been moved to an alternative database. You can also check out the move requests themselves:

[PS] Get-MoveRequest

Now that the mailboxes (hidden ones included) have been moved, try deleting the database now. It should work but remember that you will still have to remove the database files manually.

For Matt and Mark!

Sunday, 21 August 2011

Exchange 2010 MountDial

The setting is set per server. You can determine the value on your server by typing the following cmdlet:

[PS] Get-MailboxServer | FL Name,AutoDatabaseMountDial

MountDial determines whether a passive copy of a database in a DAG can automatically come online, based on how many log files are still waiting to be copied to it. If you run the above command, you will see one of several values for AutoDatabaseMountDial including:

  1. BestAvailability
  2. GoodAvailability
  3. Lossless

These mean the following:

BestAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to 12. The copy queue length is the number of logs recognized by the passive copy that still need to be replicated. If the copy queue length is more than 12, the database doesn't automatically mount. When the copy queue length is less than or equal to 12, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

GoodAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to six. The copy queue length is the number of logs recognized by the passive copy that still need to be replicated. If the copy queue length is more than six, the database doesn't automatically mount. When the copy queue length is less than or equal to six, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

Lossless

If you specify this value, the database doesn't automatically mount until all logs that were generated on the active copy have been copied to the passive copy.

BestEffort (available only as a MountDialOverride value, see below)

This will mount no matter the copy queue length. Be careful with this setting as you could lose a lot of mailbox data!


To manually switch a copy from passive to active, type the following cmdlet:

[PS] Move-ActiveMailboxDatabase DB4 -ActivateOnServer MBX3 -MountDialOverride:None

As MountDialOverride is set to None, whatever AutoDatabaseMountDial is currently set on the target server (probably the default) applies. The default on my server is GoodAvailability. So, replace None with one of the values described above to override that setting for this activation only.
Read an earlier post regarding DAGs 
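A report of which passive copies would mount on their own right now, as an added example that is not part of the original post. It runs in the Exchange Management Shell on an Exchange 2010 DAG member and uses the thresholds described above (BestAvailability 12, GoodAvailability 6, Lossless 0); copies whose status is Mounted or Dismounted are treated as the active copy and skipped.

```powershell
# Copy queue length at or below this value lets the copy mount automatically
$mountDialThreshold = @{
    'BestAvailability' = 12
    'GoodAvailability' = 6
    'Lossless'         = 0
}

function Get-PassiveCopyMountReadiness {
    # One row per passive copy: copy name (Database\Server), the server's dial setting,
    # the current copy queue length and whether an automatic mount would succeed
    foreach ($server in Get-MailboxServer) {
        $dial  = [string]$server.AutoDatabaseMountDial
        $limit = $mountDialThreshold[$dial]
        $copies = Get-MailboxDatabaseCopyStatus -Server $server.Name |
                  Where-Object { $_.Status -ne 'Mounted' -and $_.Status -ne 'Dismounted' }
        foreach ($copy in $copies) {
            $verdict = if ($limit -eq $null) { 'Unknown dial value' }
                       elseif ($copy.CopyQueueLength -le $limit) { 'Yes' }
                       else { 'No: queue exceeds ' + $limit }
            New-Object PSObject -Property @{
                Copy            = $copy.Name
                CopyStatus      = [string]$copy.Status
                MountDial       = $dial
                CopyQueueLength = $copy.CopyQueueLength
                WouldAutoMount  = $verdict
            }
        }
    }
}

Get-PassiveCopyMountReadiness |
    Sort-Object CopyQueueLength -Descending |
    Format-Table Copy, CopyStatus, MountDial, CopyQueueLength, WouldAutoMount -AutoSize
```

The copies listed with a "No" verdict are the ones that would sit dismounted after a failover until someone ran Move-ActiveMailboxDatabase with a looser MountDialOverride, so they are the ones to look at before a planned switchover.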

Saturday, 20 August 2011

How to Export Exchange 2010 Queues

You can use the Shell to export messages from a queue on a computer that has the Microsoft Exchange Server 2010 Hub Transport server role or the Edge Transport server role installed to a specified file path. You can't use Queue Viewer to perform this task. However, you can use Queue Viewer to locate, identify, and suspend the messages before you perform this task.

Messages that get ‘stuck’ in a queue can be exported to a folder and you can later resubmit the messages once you fix the mail flow problem. To export a message (or all messages in a queue) you should first suspend the queue. Suspension does not prevent messages entering the queue, but it will stop them leaving. First, list the queues so you can identify the one to suspend:

[PS] Get-TransportServer | Get-Queue

This command will show you the queues on your transport servers (you may have more than one in your site).

You might have an example where your messages are failing to be sent because of name resolution. In that case the DeliveryType column for the queue shows DNSConnectorDelivery: the messages are queued for delivery to an external recipient by using an SMTP connector that's located on the local server and that's configured to use Domain Name System (DNS) for routing resolution.

To export the messages, first suspend the queue:

[PS] Suspend-Queue -Identity SRV1\20

Now that the queue is suspended, suspend the messages in it.

[PS] Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited | Suspend-Message -Confirm:$False

-ResultSize unlimited is needed because the default result size is 1000.

Now that the messages are suspended you can export them. To see the list of messages in the queue type the following:

[PS] Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited

The status should show that the messages are suspended and you should see the email subject and From address. Notice that each message Identity includes the queue Identity (for example srv1\20\75).

Now to export a single message:

[PS] Export-Message -Identity srv1\20\75 | AssembleMessage -Path c:\exportfolder\email1.eml


To export all the messages from the queue is a bit more complicated. Try the following:

[PS] $array = @(Get-Message -Queue srv222\20 -ResultSize unlimited)
[PS] $i = 0; $array | ForEach-Object {$i++; Export-Message -Identity $_.Identity | AssembleMessage -Path ("c:\exportfolder\" + $i + ".eml")}

The above cmdlets will produce .eml files in c:\exportfolder\ with names like 1.eml, 2.eml. At a later stage you can ‘import’ the messages back into the submission queue by using the replay directory. The Replay directory receives messages from foreign gateway servers and can also be used to resubmit messages that administrators export from the queues of Exchange 2010 servers. Read this post for more.
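The whole suspend-and-export sequence above wrapped in one function, as an added example that is not part of the original post. It uses the same cmdlets (Suspend-Queue, Get-Message, Suspend-Message, Export-Message, AssembleMessage) but names each file after its position and the message number from the queue Identity, so an exported .eml can be traced back to the queue entry it came from. It assumes the Exchange Management Shell on the Hub Transport server; the queue identity and folder in the usage line are constructed values.

```powershell
function Export-QueueMessages {
    param(
        [Parameter(Mandatory=$true)][string]$QueueIdentity,   # e.g. srv1\20
        [Parameter(Mandatory=$true)][string]$ExportFolder
    )
    if (-not (Test-Path -Path $ExportFolder)) {
        New-Item -ItemType Directory -Path $ExportFolder | Out-Null
    }

    # Freeze the queue and every message in it so nothing leaves while we copy it out
    Suspend-Queue -Identity $QueueIdentity -Confirm:$false
    Get-Queue -Identity $QueueIdentity |
        Get-Message -ResultSize Unlimited |
        Suspend-Message -Confirm:$false

    # -ResultSize Unlimited lifts the default cap of 1000 messages
    $messages = @(Get-Queue -Identity $QueueIdentity | Get-Message -ResultSize Unlimited)
    $i = 0
    foreach ($msg in $messages) {
        $i++
        # Identity looks like srv1\20\75; keep the trailing message number for the file name
        $msgNumber = ($msg.Identity.ToString() -split '\\')[-1]
        $file = Join-Path $ExportFolder ('{0:D4}_{1}.eml' -f $i, $msgNumber)
        Export-Message -Identity $msg.Identity | AssembleMessage -Path $file
    }
    return $i   # number of .eml files written
}

$count = Export-QueueMessages -QueueIdentity 'srv1\20' -ExportFolder 'C:\exportfolder'
Write-Output "Exported $count message(s) to C:\exportfolder"
```

Once mail flow is fixed, the queue still has to be resumed (Resume-Queue -Identity srv1\20) or the exported copies dropped into the Replay directory as the post describes; the function deliberately leaves the queue suspended so the two copies of a message are never in flight at the same time.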

Tuesday, 16 August 2011

How to Change the Version of Windows 2008 r2 Standard to Enterprise Without Reinstalling

Useful procedure for changing the product edition of Windows Server 2008 R2 Standard to Enterprise without reinstalling from media.

To determine the installed edition, run:
DISM /online /Get-CurrentEdition

To check the possible target editions, run:
DISM /online /Get-TargetEditions

Finally, to initiate an upgrade, run:
DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

For example, to upgrade to Enterprise from a downlevel version, run:
DISM /online /Set-Edition:ServerEnterprise /ProductKey:YOUR SETUP KEY

The edition upgrade is one-way (there is no route back to Standard short of reinstalling) and the server reboots to complete it.

(Thanks to Kimani and Jon)

Friday, 12 August 2011

Role-Based Access Control (RBAC) Exchange 2010 Legal Hold and Discovery Search

RBAC can be used to allow administrators to perform a specific Exchange task by being assigned a management role that has permissions to perform the task. Administrators can be assigned these roles directly, or multiple roles can be grouped together into management role groups. Management role groups are in fact AD universal security groups. As you will see, however, Exchange administrators should NOT be added to these groups using AD tools directly!

Each management role consists of management role entries. A management role entry is an EMS cmdlet or a script that users in a management role can execute.

For a list of management roles, type the following cmdlet:

[PS] Get-ManagementRole | Get-ManagementRoleEntry

The list you will see has quite a few roles!

If you take just one role for example, say ‘databases’ you will begin to see what's involved:

[PS] Get-ManagementRole -Identity Databases | Get-ManagementRoleEntry


So, users are assigned a management role (which can execute the cmdlets and scripts defined by its management role entries) by being added to a management role group. This can be very useful. For example we can create a management role group that only allows users to create Exchange recipients. After we create the group and add users, management role(s) are then assigned to the group.

Several role groups exist in Exchange 2010 by default.

[PS] Get-RoleGroup


If we take a single role group, for example ‘Help Desk’:

[PS] Get-RoleGroup -Identity "Help Desk" | fl

This will list the associated parameters for this group.


The output shows the roles assigned to the Help Desk management role group. These are ‘User Options’ and ‘View-Only Recipients’. Under RoleAssignments you can also see that these roles are assigned to Help Desk. These default role groups can be found in AD in the Microsoft Exchange Security Groups OU.

To add users to the role group of Help Desk use the following cmdlet:

[PS] Add-RoleGroupMember -Identity "Help Desk" -Member "Andrew Stevens"

This will add Andrew Stevens to the Help Desk role group. To determine the membership of the management role group try the following:

[PS] Get-RoleGroupMember -Identity "Help Desk"

This is great if the Help Desk group has the needed management roles assigned to it. From the output above this includes the management roles “User Options” and “View-Only Recipients”.

User Options is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "User Options" | Get-ManagementRoleEntry


View-Only Recipients is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "View-only Recipients" | Get-ManagementRoleEntry


So you can see what Andrew Stevens can do having been placed in the Help Desk group.


You can also customize a role group to contain the roles that you need if you find the default roles assigned to a group do not fit correctly. If you find yourself changing the roles assigned to the default groups beyond recognition you might as well create a new group.

So, to add a role to an existing group try the following:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk" -Role "MailBox Import Export"

Now type the following again to determine the roles now ‘held’ by the Help Desk group:

[PS] Get-RoleGroup -Identity "Help Desk" | fl

You will notice that the RoleAssignments has changed to include Mailbox Import Export!

To remove the assignment type the following:

[PS] Remove-ManagementRoleAssignment -Identity "Mailbox Import Export-Help Desk"

If you need to, you can create a role group from scratch. Let's create a role group called Help Desk London and assign roles to the group:

[PS] New-RoleGroup "Help Desk London" -Roles "User Options","View-Only Recipients"

Try the Get-RoleGroup cmdlet and you should see it listed.

So far the London Help Desk team have the roles View-Only Recipients and User Options. This is no different from the default Help Desk assignments. However, you can add to it:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "MailBox Import Export"


Legal Hold

An interesting role is Legal Hold. A legal hold in Exchange 2010 will keep e-mails even if the user tries to delete them. Note, the user will think the e-mail is deleted. The only way to actually see the e-mails is by doing a discovery search, and opening the discovery mailbox.

The legal hold role has the following assignments:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

The output will show you that both Organization and Discovery Management groups have this role by default.

To grant our London Help Desk team Legal Hold type the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "Legal Hold"

Type the following cmdlet for confirmation:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

You should now see Help Desk London listed.

To turn this feature on we need to enable it for specific mailboxes. First you must have the role to do so. As mentioned, those in the Organization Management (and Discovery Management) have the Legal Hold role assigned. If you are doing this as a Domain Administrator then you are a member of Organization Management already.

[PS] Get-RoleGroup -Identity "Organization Management" | ft name,members

Now, determine which mailboxes you wish to place on Legal Hold and type the following:

[PS] Set-Mailbox -Identity "A User" -LitigationHoldEnabled $True

To check to see which mailbox has been enabled, type the following cmdlet:

[PS] Get-Mailbox | ft name,lit* -AutoSize


Performing a Discovery Search

You can still find and open the deleted emails using a discovery search. A discovery search can be made against any organisation mailbox (not just those on litigation hold). Here’s what happens:

  1. User deletes a message.
  2. The message moves to the 'Deleted Items' folder. At this point the user can see the deleted message and can move it back to the inbox. This is known as a 'soft delete'. Messages can also be moved to the 'dumpster' by emptying the Deleted Items folder. This is a 'hard delete'.
  3. Message moves to the 'Dumpster'. This removes the message from view. Deleted item retention is 14 days by default. Users can still recover items by using the recover deleted items tool (right click deleted items in OWA and select 'recover deleted items')
  4. If the end user purges data from the "Recover Deleted Items" view (hard delete from the Recoverable Items\Deletions folder), the item will be moved to the Recoverable Items\Purges folder. The purges folder is a special folder that sits within the dumpster. The user will not be able to see the deleted message from this folder. However administrators granted the rights to perform 'discovery searches' can search through the purges folder and restore deleted items.

Enabling Litigation Hold means that items will never be purged from the “Purges” subfolder, which of course results in mailboxes growing considerably in size over time!

To perform a discovery search perform the following steps:

1. Perform a discovery search for the item you need to restore. This first involves navigating a browser to https://servername/ecp. This is on the CAS role (ECP is the Exchange Control Panel). In this example the user ‘Al Pacino’ is in the LegalAdmins role group. This group has been assigned the roles ‘User Options’ and ‘View-Only Recipients’ (the same as the default Help Desk role group). At this point Al cannot perform a discovery search, and his ECP view shows only Users & Groups.


2. Assign the Mailbox Search role to the LegalAdmins group using the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup LegalAdmins -Role "Mailbox Search"


3. After applying this step the ECP view also shows the ‘Reporting’ link. Select this link.


4. After you select this link you should see the discovery search view. Remember that you can also add a user to the Discovery Management role group instead of creating a group and assigning roles to it.

Select 'New'.


5. As you can see there are a number of search methods. Select mailbox to search and select the user mailbox that has purged deleted items.

6. Provide a search name

7. Select 'Select a mailbox in which to store the search results' and choose the 'Discovery Search Mailbox' and click save.

8. After the search has completed (you may have to refresh) select the link that says open by the results output on the right hand side.

9. If you can't open the discovery search mailbox, you will need to grant the user access to it by typing the following:

[PS] Add-MailboxPermission DiscoverySearchMailbox -User al -AccessRights FullAccess
NB. I changed the alias of the mailbox to this simpler name

10. You should now be able to open the discovery search mailbox. Once opened, navigate on the left to the search name and open the sent\deleted items folder. You should be able to find the item that was purged.

NB. If you wish you can create a new discovery search mailbox by using the following cmdlet:

[PS] New-Mailbox "HelpDeskDiscovery" -UserPrincipalName HelpDeskDiscovery@<Default_Accepted_Domain> -Discovery

[PS] Add-MailboxPermission HelpDeskDiscovery -User al -AccessRights FullAccess


In the above example, our test user Al, can perform the discovery search and open the discovery search mailbox to find deleted items.
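An audit of who ends up with the three capabilities this post hands out (placing mailboxes on hold, searching them, and opening the discovery mailbox that holds the results), as an added example that is not part of the original post. It serves both the Legal Hold section and the discovery search steps above. It assumes the Exchange Management Shell on Exchange 2010 and the built-in role names used in the post; the first function expands every role group assignment to its individual members, the second lists explicit FullAccess grants on every discovery mailbox.

```powershell
# Roles that let someone retain, read or extract other people's mail
$sensitiveRoles = @('Legal Hold', 'Mailbox Search', 'Mailbox Import Export')

function Get-SensitiveRoleHolders {
    # For each role, expand every enabled assignment to the people who actually hold it
    foreach ($role in $sensitiveRoles) {
        foreach ($assignment in Get-ManagementRoleAssignment -Role $role -Enabled $true) {
            $members = switch ([string]$assignment.RoleAssigneeType) {
                'RoleGroup' { Get-RoleGroupMember -Identity $assignment.RoleAssigneeName | ForEach-Object { $_.Name } }
                'User'      { $assignment.RoleAssigneeName }
                default     { "(assignee type $($assignment.RoleAssigneeType), expand by hand)" }
            }
            foreach ($m in $members) {
                New-Object PSObject -Property @{
                    Role        = $role
                    AssignedVia = $assignment.RoleAssigneeName
                    Holder      = $m
                }
            }
        }
    }
}

function Get-DiscoveryMailboxAccess {
    # Anyone with FullAccess to a discovery mailbox can read everything a search copies into it
    foreach ($dm in Get-Mailbox -RecipientTypeDetails DiscoveryMailbox) {
        Get-MailboxPermission -Identity $dm.Identity |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and
                -not $_.IsInherited -and
                $_.User.ToString() -notlike 'NT AUTHORITY\*'   # skip the SELF and SYSTEM entries
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    DiscoveryMailbox = $dm.Name
                    User             = $_.User.ToString()
                    Deny             = $_.Deny
                }
            }
    }
}

Get-SensitiveRoleHolders | Sort-Object Role, Holder | Format-Table Role, AssignedVia, Holder -AutoSize
Get-DiscoveryMailboxAccess | Format-Table DiscoveryMailbox, User, Deny -AutoSize
```

Run this after granting Legal Hold or Mailbox Search to a custom group such as Help Desk London or LegalAdmins: the first table should list exactly the people you intended, and the second shows who can open the discovery mailbox once the search has run.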

Thursday, 4 August 2011

RMS Shared Identity user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 Not Found

Having removed an Exchange server (and its arbitration mailboxes), reinstalling a second Exchange 2010 server can be problematic. If this arbitration mailbox has been deleted, the reinstallation of your Exchange 2010 server will fail with the error above. Run the following command to recreate it:

[PS] New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@<Default_Accepted_Domain>

This should allow you to now rerun the installation program without failure.

Wednesday, 3 August 2011

Cannot Uninstall Exchange 2010 Because of Arbitration Mailboxes

To list the arbitration mailboxes type the following command:

[PS] Get-Mailbox -Database <database name> -Arbitration

This will list all the mailboxes that can be moved or removed.

To move them to another database, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2

To remove the mailboxes, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

Once you do this you should be able to uninstall Exchange using the Control Panel.
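The move half of this post and of the "Move Arbitration Mailboxes In Exchange 2010" post above, done end to end, as an added example that is not part of either post. It empties a database of regular and arbitration mailboxes, waits for the move requests to finish, and only reports the database as safe to remove when nothing is left on it. It assumes the Exchange Management Shell on Exchange 2010; the database names in the usage lines are constructed.

```powershell
function Move-AllMailboxesOffDatabase {
    param(
        [Parameter(Mandatory=$true)][string]$SourceDatabase,
        [Parameter(Mandatory=$true)][string]$TargetDatabase,
        [int]$PollSeconds = 30
    )
    # Get-Mailbox hides arbitration mailboxes unless -Arbitration is given, so query both ways;
    # -ResultSize Unlimited lifts the default cap of 1000 results
    $regular     = @(Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited)
    $arbitration = @(Get-Mailbox -Database $SourceDatabase -Arbitration -ResultSize Unlimited)

    foreach ($mbx in ($regular + $arbitration)) {
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $TargetDatabase | Out-Null
    }

    # Poll until no request for the target is still queued or in progress
    do {
        Start-Sleep -Seconds $PollSeconds
        $active = @(Get-MoveRequest -TargetDatabase $TargetDatabase |
                    Where-Object { $_.Status -eq 'Queued' -or $_.Status -eq 'InProgress' })
    } while ($active.Count -gt 0)

    $failed = @(Get-MoveRequest -TargetDatabase $TargetDatabase | Where-Object { $_.Status -eq 'Failed' })
    # Re-read the source: anything still here (failed moves included) blocks the removal
    $left = @(Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited) +
            @(Get-Mailbox -Database $SourceDatabase -Arbitration -ResultSize Unlimited)

    New-Object PSObject -Property @{
        Requested     = $regular.Count + $arbitration.Count
        Failed        = @($failed | ForEach-Object { $_.DisplayName })
        RemainingOnDb = $left.Count
        SafeToRemove  = ($left.Count -eq 0)
    }
}

$result = Move-AllMailboxesOffDatabase -SourceDatabase 'DB1' -TargetDatabase 'DB2'
$result | Format-List Requested, Failed, RemainingOnDb, SafeToRemove

if ($result.SafeToRemove) {
    # Completed move requests linger in AD and block a later move of the same mailbox; clear them
    Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
    Remove-MailboxDatabase -Identity 'DB1' -Confirm:$false   # the .edb and log files still need deleting by hand
}
```

Check the Failed list before trusting SafeToRemove: a failed request leaves its mailbox on the source, and Get-MoveRequestStatistics on that mailbox gives the reason.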

Monday, 18 July 2011

SQL Backup Strategies Part 2 How To Backup and Restore…

In a previous post I tried to detail some appropriate backup strategies. This post builds on those concepts and provides some practical details on what to do.

Perform Full Database Backups

A full database backup is a page-level copy of the entire database to backup media. You can execute a full database backup using any recovery model (i.e. Simple, Bulk-Logged or Full).

To perform a full backup use the following:

USE master;
BACKUP DATABASE <database_name>
TO DISK = 'D:\Backups\compulinxFULL.bak'
WITH INIT, RETAINDAYS = 7;

RETAINDAYS does not actually delete anything; it just marks the backup so that SQL Server will not overwrite it before the retain period is up (7 days in the example above).

INIT indicates that SQL Server will overwrite any existing backups on the target media with the new backup. In other words, the backup that you are taking with this statement will be the initial backup on the media.


It is considered good practice to ‘stripe’ the backup to two files on separate disks (and even controllers). So, the following syntax can be used:

USE master;
BACKUP DATABASE <database_name>
TO DISK = 'D:\Backups\compulinxFULL.bak',
   DISK = 'E:\Backups\compulinxFULL.bak'
WITH INIT, RETAINDAYS = 7;


Differential Backup

The following can be used to make differential backups. Here the differential is appended to media containing the full backup:

USE master;
BACKUP DATABASE <database_name>
TO DISK = 'D:\Backups\compulinxFull.bak'
WITH DIFFERENTIAL, NOINIT;

Notice the use of NOINIT. This option indicates that SQL Server will append this backup to any other backups on the target media. This option allows you to take multiple backups and target them to the same media set.


Perform Transaction Log Backups

Transaction log backups allow the DBA to manage the transaction log size while not requiring the overhead of taking frequent database backups. This is especially useful for large databases that are only moderately volatile. Before you will be able to take a valid Transaction log backup, you must do two things:

  1. Make sure that the recovery model is set to Full or Bulk-Logged
  2. Take a full database backup that will act as the initial point in the recovery process.

Try using the following T-SQL syntax:

USE master;
BACKUP LOG <database_name>
TO DISK = 'D:\Backups\compulinxTLOG.bak'
WITH INIT;

Notice the use of LOG. If you wanted to take a subsequent backup of the transaction log and append it to the existing media, the statement would look like this:

USE master;
BACKUP LOG <database_name>
TO DISK = 'D:\Backups\compulinxTLOG.bak'
WITH NOINIT;

At this point, if the database were damaged due to a corruption or loss of a data device, you would have to capture the orphaned log. You can do this with the following:

USE master;
BACKUP LOG <database_name>
TO DISK = 'D:\Backups\compulinxTLog.bak'
WITH NO_TRUNCATE, NORECOVERY;

The above syntax has some new points to consider. NO_TRUNCATE will make a copy of the log but does not truncate the log. NORECOVERY allows you to capture a trailing log before making a restore. The database will be placed into a ‘restoring state’. Remember the database will not be accessible until a restore is made.

In SQL Server Management Studio the database will then be shown with “(Restoring...)” after its name.

Partial Database Backups

In part one I mentioned backing up filegroups; ‘Breaking a large database into files or filegroups for backup allows you to back up portions of it on a rotating schedule when it might be too time-consuming to back up the entire database at once’. Perhaps only a small portion of the database is changing. If this is the case we can backup a filegroup (the group of data files that is dynamic) and therefore make a partial backup. You can also make the non-volatile data read only.

USE master;
BACKUP DATABASE <database_name> READ_WRITE_FILEGROUPS
TO DISK = 'E:\Backups\compulinxDB_Partial.bak';

Notice the use of READ_WRITE_FILEGROUPS. This causes SQL Server to back up only the primary filegroup and any other read/write filegroups in the database.


How to Restore

OK, now we know how to set the different recovery models for SQL Server, the different backup types that use those recovery models, and how to implement a backup. However, a backup is only as good as knowing how to restore the database.


How to Perform a Full Database Restore

There may be several reasons why you need to perform a full database restore. These include the following:

  1. You need to restore a database to a single point in time
  2. You need to restore a database because the database is damaged
  3. You need to move the database to a different server altogether

To demonstrate this we need to do the following:

  1. Take a full database backup (make a baseline backup)
  2. Next we have to modify the data in some way (perhaps by deleting a row?)
  3. Then perform the restore so that we get our original database again.

So, to take a full database backup,

  1. Make sure the database recovery model is set to Full (see the post before this one for details). I’m using the AdventureWorks DB. It’s a little big but there you go!
  2. Take a full database backup using the following syntax (also shown above):

USE master;
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH INIT;

3. Using the following T-SQL code, determine the first name of the employee with the last name Abel:

USE AdventureWorks;
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';

The answer that should be returned is Catherine. I used to go out with a Catherine…

4.   Let’s say Catherine wants to change her first name (perhaps to Irene, I won’t say it…). You can use the following to do this:

USE AdventureWorks;
UPDATE Person.Contact
SET FirstName = 'Irene'
WHERE LastName = 'Abel';

5. Now make a differential backup which will record the change of Catherine to Irene. You can do this using the following (also shown above). This should only take 0.684 seconds (or thereabouts!):

USE master;
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH DIFFERENTIAL, NOINIT;

6. Now we need to restore the database from the full database backup so the first name is Catherine once more. To do this using the interface, simply right click your database and select Restore:




7.   Select Database and the following window will appear:




8.   Using the backup history, you can select the correct backup or you can find it using the ellipses button on the right. Whatever you choose, select the full database checkbox only. Not the differential.




9. Click the Options page to see the restore options. As we are restoring over the top of an already existing database, select the Overwrite the existing database option. It is off by default, which prevents you from accidentally overwriting a database. Click OK.




10.  If you run the query to find the first name of the customer Abel, it should be Catherine.



A. Full Backup Restore (without differential)

You can do the restore without using the interface, by using the following T-SQL code.

USE master;
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 1, REPLACE;

Notice the use of FILE. The file value refers to a backup set file number. This option allows you to specify a specific backup in a media set based on its position number. This value was actually shown in the figure under point 7 above. You need this information to ensure that you are restoring the correct backup from the media if there are multiple backups stored on the same media. To determine the different backup set file numbers, try the following:

RESTORE HEADERONLY
FROM DISK = 'E:\Backups\ADWORKSFULL.bak';

Using REPLACE this restore will overwrite the existing AdventureWorks database on this server with the Full database backup. The first name of customer Abel is now Catherine.


B. Restore with Differential

Since we took a differential database backup after the customer name was updated to Irene we can restore the database using both the baseline full backup and the differential using the following:

USE master;
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 1, NORECOVERY, REPLACE;

This looks almost identical to our initial restore code except that we use NORECOVERY. This will put the database into a restoring state, allowing us to then include the differential backup (which gets us the updated record that changed customer Catherine to Irene). Just refresh the database in the interface and you will see. We can now include the differential backup while AdventureWorks is in a restoring state. Remember you can ignore any previous differential backups since the ‘last’ differential is the only one you need. I have taken 2 differential backups following the full backup so the ‘position’ number equals 3. It's this file number that I’m interested in.

USE master;
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 3, RECOVERY;

We do not use the REPLACE option as we are using the differential and not the full backup. Also notice that there is no indication that this is a differential. A query should show that the customer is Irene.


C. Restore with Full Backup, Differential and T-Log

To do this, delete the backup file first and let's start from scratch. Once deleted, make sure our customer record is set back to Catherine. Then take another full backup.

USE AdventureWorks;
UPDATE Person.Contact
SET FirstName = 'Catherine'
WHERE LastName = 'Abel';


USE master;
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH INIT;

Now that we have our initial backup once more, let's change the customer name to Irene, check it, and take a differential backup.

USE AdventureWorks;
UPDATE Person.Contact
SET FirstName = 'Irene'
WHERE LastName = 'Abel';


USE AdventureWorks;
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';


USE master;
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH DIFFERENTIAL, NOINIT;

Now you can check the File Position numbers, and you should see two files.

RESTORE HEADERONLY
FROM DISK = 'E:\Backups\ADWORKSFull.bak';

OK, now we can change the customer name again (perhaps to Letitia…) and after take a T-Log backup.

USE AdventureWorks;
UPDATE Person.Contact
SET FirstName = 'Letitia'
WHERE LastName = 'Abel';


USE master;
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\ADWORKSTLOG.bak'

Two .bak files now exist. Let's make a final change to our database. Change Letitia to Magda and check. Then we can back up the T-Log again.

USE AdventureWorks;
UPDATE Person.Contact
SET FirstName = 'Magda'
WHERE LastName = 'Abel';


USE AdventureWorks;
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';


USE master;
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\ADWORKSTLOG.bak'

Now if you check the file position numbers for the T-Log you should see two entries:

RESTORE HEADERONLY
FROM DISK = 'E:\Backups\ADWORKSTLOG.bak';

OK, so to recap the name changed from Catherine to Irene to Letitia to Magda. Say we want to restore the whole thing. Remove the database. Then restore the database using the full backup. AdventureWorks will be put into restoring mode.

USE master;
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 1, NORECOVERY;

Now that's done, use the last differential. Check the file position numbers:

RESTORE HEADERONLY
FROM DISK = 'E:\Backups\ADWORKSFULL.bak';

In my case position 2.

USE master;
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 2, NORECOVERY

Now that's sorted, I apply the T-Log backups. Use position 1 then 2, in that order.

USE master;
RESTORE LOG AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSTLOG.bak'
WITH FILE = 1, NORECOVERY


USE master;
RESTORE LOG AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSTLOG.bak'
WITH FILE = 2, RECOVERY

The final log is restored with the RECOVERY option to make the database accessible to users. In a real recovery scenario, this will usually be the orphaned log.
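The walkthrough above picks the file positions by reading RESTORE HEADERONLY. As an added example that is not from the original post, the following script derives the same chain from the backup history SQL Server keeps in msdb: the newest full backup, the newest differential taken after it, and every log backup that ends beyond that point. It assumes the backups were taken on this instance, that the msdb history has not been purged, and that each backup set is a single file rather than a striped set. With @Execute = 0 it only prints the statements for review.

```sql
-- Added example (not from the original post): derive the restore chain from
-- the backup history SQL Server keeps in msdb. Assumes the backups were taken
-- on this instance, the history has not been purged, and each backup set is a
-- single file (not striped). Set @Execute = 1 to run the generated statements.
USE master;

DECLARE @DbName  sysname       = N'AdventureWorks';
DECLARE @Execute bit           = 0;
DECLARE @Sql     nvarchar(max) = N'';
DECLARE @CrLf    nchar(2)      = NCHAR(13) + NCHAR(10);

-- 1. Baseline: the newest full backup that is not COPY_ONLY.
DECLARE @FullFinish datetime, @BaseLastLsn numeric(25,0);
SELECT TOP (1)
       @FullFinish  = bs.backup_finish_date,
       @BaseLastLsn = bs.last_lsn,
       @Sql = N'RESTORE DATABASE ' + QUOTENAME(@DbName)
            + N' FROM DISK = N''' + mf.physical_device_name + N''''
            + N' WITH FILE = ' + CAST(bs.position AS nvarchar(10))
            + N', NORECOVERY, REPLACE;' + @CrLf
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS mf ON mf.media_set_id = bs.media_set_id
WHERE bs.database_name = @DbName AND bs.type = 'D' AND bs.is_copy_only = 0
ORDER BY bs.backup_finish_date DESC;

IF @FullFinish IS NULL
BEGIN
    RAISERROR(N'No full backup of %s recorded in msdb.', 16, 1, @DbName);
    RETURN;
END;

-- 2. The newest differential taken after that full, if there is one. Its
--    last_lsn becomes the point the log chain has to continue from.
SELECT TOP (1)
       @BaseLastLsn = bs.last_lsn,
       @Sql += N'RESTORE DATABASE ' + QUOTENAME(@DbName)
             + N' FROM DISK = N''' + mf.physical_device_name + N''''
             + N' WITH FILE = ' + CAST(bs.position AS nvarchar(10))
             + N', NORECOVERY;' + @CrLf
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS mf ON mf.media_set_id = bs.media_set_id
WHERE bs.database_name = @DbName AND bs.type = 'I'
  AND bs.backup_finish_date > @FullFinish
ORDER BY bs.backup_finish_date DESC;

-- 3. Every log backup that ends beyond that point, oldest first. A log backup
--    that ends before it is redundant (SQL Server rejects it as too early);
--    the tail-log backup, if one was taken, is picked up here as well.
DECLARE @Device nvarchar(260), @Pos int;
DECLARE logs CURSOR LOCAL FAST_FORWARD FOR
    SELECT mf.physical_device_name, bs.position
    FROM msdb.dbo.backupset AS bs
    JOIN msdb.dbo.backupmediafamily AS mf ON mf.media_set_id = bs.media_set_id
    WHERE bs.database_name = @DbName AND bs.type = 'L'
      AND bs.last_lsn > @BaseLastLsn
    ORDER BY bs.first_lsn;
OPEN logs;
FETCH NEXT FROM logs INTO @Device, @Pos;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Sql += N'RESTORE LOG ' + QUOTENAME(@DbName)
              + N' FROM DISK = N''' + @Device + N''''
              + N' WITH FILE = ' + CAST(@Pos AS nvarchar(10))
              + N', NORECOVERY;' + @CrLf;
    FETCH NEXT FROM logs INTO @Device, @Pos;
END;
CLOSE logs;
DEALLOCATE logs;

-- 4. Only now bring the database online.
SET @Sql += N'RESTORE DATABASE ' + QUOTENAME(@DbName) + N' WITH RECOVERY;';

PRINT @Sql;
IF @Execute = 1
    EXEC sys.sp_executesql @Sql;
```

Take the tail-log backup before running this so that it is recorded in msdb and lands at the end of the chain; the generated chain then matches what the manual walkthrough produced, including NORECOVERY on every step but the last.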

Wednesday, 13 July 2011

SQL 2008 Backup Strategies

For some reason I have found the SQL recovery models and backup strategies a strange mix of being confusing but interesting. To help understand the subject of backup/restore and SQL’s different recovery models I thought I’d share my understanding with the world at large. Maybe if anyone out there is reading this you can contribute as well.

The backup strategy you use depends on a variety of recoverability considerations:

  • What is the level of transaction volume? Does the database change minute-by-minute or, say, hour-by-hour?
  • What is considered to be an acceptable recovery time?
  • What is considered an acceptable level of data loss? Maybe you need to return to an exact moment in time.
  • How big can a backup be?

A backup strategy will require you to make decisions as to which kind of backup to make. And there are several. So you will need a fundamental understanding of these backup types.

Full Database Backup

A full database backup will truncate the transaction log and then copy every remaining data page and transaction log page to the backup media. The transaction log truncation will be non-reorganizing, meaning that no attempt is made to defrag/compact the log. It is simply truncated to the point of the last required transaction. Most backup strategies require a full database backup as the baseline for recovery. Remember that the log file will be truncated! From what I've read there is little point in having multiple log files. Keep just one. Also place the transaction log on a separate physical structure from the database. That way a loss of the disk containing the data files will not affect the log file. This may also help performance, as log files are written to sequentially. Also, use RAID 1 so the log will be available in case of device loss. Regular backups mean that not only will the log file not get too big, but fragmentation is kept down as well.

Differential Backup

A differential backup will store all of the database pages that have been modified since the last full database backup. Note that this is a true differential backup and not an incremental backup. This means that each differential backup is inclusive of all transactions executed since the last full database backup and not simply since the last differential backup.

File or Filegroup Backup

If you are dealing with a very large database, you can back up individual files or filegroups. Breaking a large database into files or filegroups for backup allows you to back up portions of it on a rotating schedule when it might be too time-consuming to back up the entire database at once. If there is a failure affecting only one file or filegroup, only that portion and subsequent transaction logs would need to be restored. The log file is not in a filegroup.

Transaction Log Backup

This backup type will perform a non-reorganizing backup of the transaction log and store the transactions to the backup media. The backup types mentioned above store copies of the data pages at a particular time. This type of backup stores the actual transaction statements. When you restore using the full or differential backups, using the transaction log backup as well involves replaying (if that’s the right word?) or re-executing the transactions from the log backup, which are then written back to the database. This process could take some time.

Recovery Models

Now that we understand (I hope) the different backup types, you need to consider SQL’s three recovery models. Recovery is all about how the log file is treated by SQL Server on a day-to-day basis and what is made available for backup. Remember, it’s all about the log file! Recovery in this context is about the level of logging and log retention.

You can determine the recovery model (which by default will be full) in the following way:

  1. Connect the SQL Server Management Studio to the correct instance hosting the database
  2. Expand the Databases folder and locate the right database
  3. Right click the database and select Properties
  4. Select Options
  5. Decide on the recovery model by selecting Recovery Model



You can alter the recovery model using the following statement:

alter database TESTDB
set recovery Full

You should realize that the recovery model you choose will impact on the backup method you choose.


Simple

Simple means that the log file will be truncated each time the data pages and log pages held in RAM are flushed to disk (checkpointed). This keeps the log file small (there’s no point in backing up the log; in fact you can’t), which is good. But you will not be able to recover to a point in time. You wouldn’t usually use this one. You might if it was a read-only database, or if you were developing a database application perhaps.


Bulk-Logged

The bulk-logged recovery model uses less disk space than a full logging solution by performing minimal transaction logging for the following operations:

  • Bulk-load operations
  • All operations involving text and image data types

A database that is in bulk-logged recovery mode cannot be recovered to a specific point in time if a bulk transaction has occurred. You still require log backups. A bulk insert (where you might be inserting a million rows into a table) would cause the log file to become very large if every transaction was recorded (as in Full mode) and would have performance implications. So you can switch from full to bulk-logged just before the bulk operation. Once it is complete you set the recovery model back to full. The bulk operation is logged as a kind of summary statement. So every transaction is recorded while in Full mode, then a summary of the bulk operation, and then a continuation of all transactions once in Full mode again. What about point-in-time recoveries? If the database is in the bulk-logged recovery model and no bulk actions have occurred since the last full backup, the database can be restored to a point in time. If, however, a bulk action has occurred, it can only be fully restored. So, it minimally logs bulk transactions but fully logs other transactions.
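As an added example that is not from the original post, here is the same check and switch done from T-SQL rather than the Properties dialog: read the current recovery model from sys.databases, drop to BULK_LOGGED for the load, return to FULL and take the log backup that closes off the bulk-logged interval. TESTDB is the database name used above; the staging table, the CSV path and the backup path are assumptions.

```sql
-- Added example (not from the original post): check and switch the recovery
-- model from T-SQL. TESTDB is the post's database name; dbo.StagingOrders,
-- the CSV path and the backup path are assumptions.

-- Which model is the database in? This is the value the Properties dialog
-- shows; log_reuse_wait_desc says what is currently stopping log truncation.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases
WHERE name = N'TESTDB';

-- 1. Drop to BULK_LOGGED immediately before the bulk operation.
USE master;
ALTER DATABASE TESTDB SET RECOVERY BULK_LOGGED;

-- 2. The bulk operation. With BULK_LOGGED, TABLOCK and a heap or empty table
--    SQL Server logs the page allocations rather than every inserted row.
USE TESTDB;
BULK INSERT dbo.StagingOrders
FROM 'E:\Loads\orders.csv'
WITH (FIELDTERMINATOR = ',', ROWTERMINATOR = '\n', FIRSTROW = 2, TABLOCK);

-- 3. Straight back to FULL once the load has finished.
USE master;
ALTER DATABASE TESTDB SET RECOVERY FULL;

-- 4. Take a log backup right away. The log backup containing the bulk-logged
--    interval can only be restored whole (no STOPAT inside it); log backups
--    taken after this one give point-in-time recovery again.
BACKUP LOG TESTDB
TO DISK = 'E:\Backups\TESTDB_after_bulk.trn'
WITH CHECKSUM;
```

The log backup in step 4 is the part that is easy to forget: until it is taken, the window without point-in-time recovery stays open even though the model already reads FULL.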


Full

The full recovery model is what you would use most of the time. It gives you the best chance of recovery, at the expense of logging overhead. Microsoft recommend that you use this model over the other two. The full recovery model logs every transaction to the log, and the log is persistent after a checkpoint. A transaction is a change, and any change on the database will cause an entry to be added to the log! A read does not cause a change, so of course it will not cause an entry to be made in the log.


OK, so we are happy with the different backup types and with the different recovery models. The recovery models really describe how the transaction log is written to and whether the log truncates after a checkpoint or after a backup. With this combined knowledge we can consider the following backup strategies:


Strategy One: Simple

This strategy is suitable under the following conditions:

  1. The database is relatively small
  2. The database does not change minute-by-minute (less volatile)

With this strategy transaction log growth is kept under control and you won’t have to back up the transaction logs, but this means there may be a small amount of data loss.

How do you do it ?

  1. Set the recovery model to simple
  2. Take full backups on a schedule of your choice (every night perhaps)
  3. If there is a failure you will have to restore the most recent full database backup. That’s it.

Simple recovery means no transaction logs to use in the restore process. You won’t be able to return to a point-in-time and data loss will probably occur. But this of course depends on how dynamic the database is.



Strategy Two: The Database Only Backup Strategy

This strategy is suitable under the following conditions:

  1. Low transaction volume
  2. The transaction log is on a separate hard disk from the database, so hardware failure of the database disk does not affect the log.

With this strategy, the transaction log is truncated because of a full database backup.

How do you do it?

  1. Set the recovery model to Full or Bulk-Logged.
  2. Take full database backups on your preferred schedule (perhaps every night)
  3. If there is a database disk failure, begin by backing up the orphaned log
  4. Restore from the most recent full backup followed by a restore of the orphaned log.

As you can see, the database-only backup can be restored to a point in time anywhere between the last full backup and the time of disaster. The orphaned log holds the transactions from the last full backup to the time of disaster. As long as the log stays safe on a different disk from the database you’re OK. If you lose the log, though, you lose the transactions from the last full backup to the time of disaster. As long as you make regular full backups and you have low transaction volume you should be OK.


Strategy Three: The Transaction Log Backup Strategy

This strategy is suitable under the following conditions:

  1. Higher transaction volumes (causing increased log growth)
  2. Longer restore time is acceptable

Instead of backing up the database file as a way of truncating the log, you back up the transaction log file. Backing up the transaction log will truncate the log and keep its size under control. Although the backup will be relatively quick to do, the restore process will take time.

How do you do it?

  1. Set the recovery model to Full or Bulk-Logged.
  2. Take a full database backup that will act as the transaction log baseline (perhaps at 1:00AM)
  3. Take regularly scheduled full database backups with periodic log backups in between (perhaps at 6-hour intervals: 7:00 AM, 1:00 PM, 7:00 PM)
  4. If there is a database disk failure, begin by taking a backup of the orphaned log immediately
  5. Restore the most recent full database backup, followed by each of the subsequent log backups in the order that they were taken.
  6. Finally, restore the orphaned log.


So if your first full backup was taken on Monday at 1:00 AM and a disk failure occurred at 6:00 PM on Tuesday you would take the following steps:

  1. Immediately take a backup of the orphaned log file
  2. Restore in the following order:
    • Full backup from Tuesday 1:00AM
    • T-log backup from Tuesday 7:00 AM
    • T-log backup from Tuesday 1:00 PM
    • Orphaned log at Tuesday 6:00 PM
  3. Pray


Strategy Four: The Differential Backup Strategy

The transaction log strategy described above can be slow. The more log backups you have, the longer it will take to restore the database to the point of failure. If the changes made to a database are restricted to a particular number or subset of data pages, you could take differential backups instead of full backups. The transaction logs would then need to be restored only from the point of the latest differential backup.

  1. Set the recovery model to Full or Bulk-Logged.
  2. Take a full database backup that will act as the transaction log baseline.
  3. Take periodic full database backups as needed (perhaps once a week)
  4. Take differential backups between the full database backups to record only the data pages that have been modified since the last full database backup
  5. Take transaction log backups between the differential backups to record the individual transactions between each of the differentials.
  6. If there is a database disk failure, begin by taking a backup of the orphaned log.
  7. Restore the most recent full database backup followed by the most recent differential backup.
  8. Restore all transaction log backups taken since the last differential backup in the order that the backups were taken.
  9. Finally, restore the orphaned log.


Assuming the above model, a disaster at 1:00 Wednesday would require the following steps:

  1. Immediately take a backup of the orphaned log file
  2. Restore in the following order:
    • Full backup from Monday 1:00 AM
    • Differential from Tuesday 6:00 PM
    • Transaction log from Wednesday 10:00 AM
    • Orphaned log at Wednesday 1:00 AM
  3. Beer
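Strategy Four carried through as T-SQL against AdventureWorks. This is an added example, not part of the original post; the file names under E:\Backups\ and the backup set names are assumptions, and the comments follow the post's Monday-to-Wednesday timetable. The two details that matter most are the tail-log backup taken before anything is restored, and NORECOVERY on every restore step but the last.

```sql
-- Added example (not part of the original post): Strategy Four as T-SQL for
-- AdventureWorks. File names under E:\Backups\ and backup set names are
-- assumptions; the comments follow the post's Monday-to-Wednesday timetable.
USE master;

-- Monday 1:00 AM: the full backup that is the baseline for the whole chain.
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\AW_Full_Mon0100.bak'
WITH INIT, CHECKSUM, NAME = 'AdventureWorks full, Mon 01:00';

-- Tuesday 6:00 PM: differential, every page changed since Monday's full.
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\AW_Diff_Tue1800.bak'
WITH DIFFERENTIAL, INIT, CHECKSUM, NAME = 'AdventureWorks diff, Tue 18:00';

-- Wednesday 10:00 AM: log backup. In FULL or BULK_LOGGED recovery the log
-- backup is what marks log space as reusable, so a schedule with no log
-- backups means an ever-growing log file.
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\AW_Log_Wed1000.trn'
WITH INIT, CHECKSUM, NAME = 'AdventureWorks log, Wed 10:00';

-- Disaster: the data disk is gone, the log file on its own disk is intact.
-- Step 1, before touching anything else: back up the orphaned log.
-- NO_TRUNCATE lets the backup run although the data files are unavailable;
-- NORECOVERY leaves the database in the restoring state for the chain below.
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\AW_Log_Tail.trn'
WITH NO_TRUNCATE, NORECOVERY, NAME = 'AdventureWorks tail log';

-- Step 2: full, then the latest differential, then every log since it.
-- NORECOVERY on each step keeps the database open for the next backup.
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\AW_Full_Mon0100.bak'
WITH NORECOVERY, REPLACE, CHECKSUM;

RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\AW_Diff_Tue1800.bak'
WITH NORECOVERY, CHECKSUM;

RESTORE LOG AdventureWorks
FROM DISK = 'E:\Backups\AW_Log_Wed1000.trn'
WITH NORECOVERY, CHECKSUM;

-- Step 3: the tail log last, WITH RECOVERY, which runs redo and undo and puts
-- the database online. To stop short of a known bad transaction instead, add
-- STOPAT = 'yyyy-mm-dd hh:mm:ss' to the log restore that spans that time and
-- give that restore the RECOVERY option.
RESTORE LOG AdventureWorks
FROM DISK = 'E:\Backups\AW_Log_Tail.trn'
WITH RECOVERY, CHECKSUM;

-- Confirm the database is ONLINE again.
SELECT name, state_desc, recovery_model_desc
FROM sys.databases
WHERE name = N'AdventureWorks';
```

If the tail-log backup fails because the log disk was lost too, the chain still restores, but it ends at the Wednesday 10:00 AM log backup and everything after that is gone, which is exactly the loss the separate log disk in the strategy is there to prevent.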

Monday, 4 July 2011

Pre-requisites for Installing SQL Server 2008 on Windows Server 2008 R2 Using PowerShell

First step is to allow execution of scripts by changing the execution policy:

[PS] Set-ExecutionPolicy unrestricted (then say ‘Yes’)


Then copy and paste the following command to install the pre-requisite operating system components needed:

[PS] Add-WindowsFeature AS-NET-Framework,web-server,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Basic-Auth,Web-Windows-Auth,Web-Client-Auth,Web-Cert-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Lgcy-Scripting,Web-Lgcy-Mgmt-Console -Restart

Wednesday, 15 June 2011

How to Convert .wav Files to .gsm Files

This is how you convert wav files to gsm files used by Asterisk (run in the directory holding the .wav files):

for i in *.wav; do
    sox "$i" -r 8000 -c 1 "$(basename "$i" .wav).gsm" resample -ql
done

Monday, 13 June 2011

How to Configure Asterisk…a very basic guide!

After hours of work and frustration I was greeted with “Is that it?” by her-indoors and “Dad can we play now…this stuff is totally boring!” by the little one. Well it was worth it…

First thing get yourself Asterisk running on Centos (maybe on VMWare etc.). The following link to MiamiManni on YouTube will provide all the information on how to install the operating system and install Asterisk. This guy is brilliant! The only two files that you need to configure are the sip.conf and extensions.conf files. The following configurations should work for you. As you can see I have configured only two SIP phones in my lab.



register => username:account_password@voip_provider_fqdn/username









exten => 2000,1,Dial(SIP/2000,20)
exten => 2000,2,Voicemail(2000,u)

exten => 2001,1,Dial(SIP/2001,20)
exten => 2001,2,Voicemail(2001,u)

exten => 2999,1,VoiceMailMain(${CALLERID(num)},s)

exten => _X.,1,Dial(SIP/${EXTEN}@ext-sip-account)

exten => your_DID_Number,1,Dial(SIP/2000,20)

As said, this will provide you with just the basics.

Remember to open the following ports:

SIP 5004-5100 TCP and UDP

STUN 3400-3499 TCP and UDP

RTPSIP 10000-20000 UDP

Remember to reload Asterisk from the CLI> after you make changes to sip.conf and extensions.conf.

You can test trunk registration by typing “CLI> sip show registry”



Wednesday, 8 June 2011

Connect CentOS to Windows 7 or 2008

I needed to connect my CentOS system to a Windows 7 machine (which is in a workgroup) quickly.

  • yum install samba3x
  • yum install samba3x-client
  • yum install samba3x-swat

Once installed I was able to connect to a Windows share by typing

smbclient //WindowsNetBIOSName/ShareName -U Username (on WindowsMachine)

You should be prompted for the password of the Windows user account. Using the ‘get’ command I was able to copy a file to the CentOS machine.

Wednesday, 1 June 2011

Kaspersky Engine Does Not Update in Forefront Protection for Exchange 2010

I found that the FPE Kaspersky anti-virus engine failed to update. FPE should use the Kaspersky 8 engine and not the Kaspersky 5 engine (which has stopped being published).

  1. Download the from this location:
  2. To enable Kaspersky 8, copy the to the following location ( …\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\metadata). The settings will take effect automatically. The next engine update will provide the Kaspersky 8 engine.

If you need to determine your Exchange server rollup version you can run this script

Tuesday, 31 May 2011

FPE and FOPE ?

Check out this webcast that describes what Exchange provides in terms of anti-spam and anti-virus and how Forefront Protection for Exchange (FPE) and Forefront Online Protection for Exchange (FOPE) improves things.

Click here! 

FPE homepage

FOPE homepage

Saturday, 28 May 2011

Don't put CAS in the Perimeter network!

The following link provides a good read on why Microsoft does not support putting your CAS servers in the DMZ. Well Done Exchange Team!

Thursday, 26 May 2011

Enable Anti-Spam Functionality on a Hub Transport Server

In some small organizations, it may make sense to run Microsoft Exchange Server 2010 anti-spam features on Hub Transport servers. For example, some organizations may not have enough e-mail volume to justify the cost of installing and maintaining a full perimeter network together with an Edge Transport server.
You can enable Exchange anti-spam functionality on Hub Transport servers.

Run the following command from the %system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts folder:


After the script has run, restart the Microsoft Exchange Transport service by running the following command:

Restart-Service MSExchangeTransport

You must specify all internal SMTP servers on the transport configuration object in the Active Directory forest before you run connection filtering. Specify the internal SMTP servers by using the InternalSMTPServers parameter on the Set-TransportConfig cmdlet.

Set-TransportConfig -InternalSMTPServers

Tuesday, 24 May 2011

Hyper-V Export Error: “Failed to Create Export Directory”

If you receive this error while trying to export your VMs in Hyper-V, don’t despair! Just rename the virtual machine name in the management console and it will work (as if by magic…)


Monday, 16 May 2011

Enable PowerShell Remoting While Running VMWare Workstation in a Domain

After trying to configure WinRM I received the following error:


To avoid this I found the following link very useful

How to Build a VDI Infrastructure Using VM Pools

In previous posts I have detailed steps to create Remote Desktop Services application hosting. The flip side of hosting applications using RDS services on Windows Server 2008 R2 is to use RDS services to provide a pool of virtual machines (Windows 7 clients) that users can connect to and use as their own desktops. In some of the training schools I attend, this provides a real benefit. Students can connect to a single virtual machine being hosted on Hyper-V. The VM connected to is a member of a pool of VMs. Once the session is over and the student logs off, the VM is returned to a saved Hyper-V snapshot ready to start over again.

This post will detail steps to create a VDI Infrastructure by using different RDS services including Remote Desktop Virtualization Host Server. At its most basic, Virtual Desktop Infrastructure (VDI) is a deployment design that puts the user desktop on a virtual machine (VM) in the datacenter, rather than on the physical computer at someone’s desk. There are different types of VDI. These include:
  1. Users can connect to a Virtual Desktop (VD) that has specifically been assigned to that user by using the Remote Desktop Connection Client. The user does not have to know which VM the VD is actually on.
  2. A pool of desktops available to a set of users on a temporary basis. It is this that we will be trying to create.
Some terms that are often used when discussing VDI include the following:
  • The computer that is running the RDC client and that someone sits in front of is called the client.
  • The VM that this person is connecting to is the endpoint, or the guest (a guest of the RD Virtualization Host it’s running on).
  • Preparing a VM to be used (for example, bringing it out of hibernation) is called orchestration.
  • Moving a VM to a new RD Virtualization Host is called placement. Placement is not part of the basic RDS VDI solution but might be supported via a filter plug-in.
The following diagram hopes to show how a typical VDI 'comes together', and shows you the different RDS services involved. Central to VDI is the role of the Connection Broker. Clients can make connection requests using a web interface, RDC client etc.
As you can see, clients can connect to the VDI in a number of different ways, some of which have been investigated in earlier posts. My personal favourite is by Remote Desktop Web Access! In all these cases, the request is brokered by the RD Connection Broker. RD Connection Broker works with RDP clients back to RDP 5.2 (which was available for Windows XP SP2 and Windows Server 2003), so the vast majority of Microsoft RDP clients are supported.
To support Microsoft VDI, you’ll need to do the following.
  • Install the RD Virtualization Host.
  • Install and configure the RD Connection Broker (including the Remote Desktop Session Host in redirector mode on the same computer).
  • Install and configure RD Web Access to allow users to discover the VMs.
  • Configure the VMs to work with VDI.
  • Create pools (and assign personal desktops if required).
We will look at these in turn.

Install the RD Virtualization Host

  • Install Hyper-V Server 2008 R2 on a suitable machine (I am not adding Hyper-V as a role but installing it as an operating system, which can be downloaded from Microsoft HERE).
  • Once Hyper-V is installed configure it to have suitable NetBIOS name, IP domain membership etc.
  • Next enable PowerShell v2 on the system by following an earlier post
  • Next you will need to consider management of your Hyper-V server from, say, a Windows 7 machine. This machine needs to be domain joined and you need to be logged in as a Domain Administrator. The details can be found by following an earlier post and essentially involve adding the RSAT tools. Don’t forget to also add Server Manager, because you will need to use this interface in the configuration of the Hyper-V server in addition to Hyper-V management!
  • The next big step is to Install Remote Desktop Virtualization Host on your Hyper-V server. An earlier post details how to do this and you will see how you benefit from installing PowerShell which you did in an above step.

Install and Configure the RD Connection Broker and RD Session Host Roles

On a separate server you will need to install the RD Connection Broker role and RD Session Host role. The RDCB is the real brains behind the whole thing. Here the RDSH role is co-resident with RDCB, but it doesn’t have to be.
  1. Log on to the computer as a member of the Domain Administrators group
  2. Select Start > Administrative Tools > Server Manager.
  3. In the Roles Summary section, click Add Roles.
  4. On the Before You Begin page, click Next.
  5. Select the Remote Desktop Services check box, and then click Next.
  6. Select the Remote Desktop Connection Broker and Remote Desktop Session Host role services check boxes and then click Next
  7. Click Next on the application compatibility warning
  8. Select ‘Require Network Level Authentication’ and click Next
  9. Select ‘Configure Later’ on the Licensing Mode and click Next
  10. Add Domain Users to allow your users access
  11. Click Next on the Client Experience page.
  12. Click Install on the confirmation page.
  13. You will now have to restart the RDCB/RDSH server
Now the two roles have been installed on a server you should continue by configuring the roles.
  1. On the same server, select Admin Tools
  2. Select to Remote Desktop Services
  3. Select Remote Desktop Connection Manager (this is configuring RDCB)
  4. Select RD Virtualisation Host Servers (shown below) and right click


  5. Select Add RD Virtualisation Host Server and enter the name of your Hyper-V machine installed earlier
  6. You should then see the number of virtual machines created on your Hyper-V system. NB. That this works specifically with Hyper-V and no other Hypervisor. The number seen represents all Hyper-V hosted virtual machines be they on or off.
  7. Select Remote Desktop Connection Manager:ServerName, which can be found on the top left part of the window. There are a number of different configuration settings here (shown below)


  8. You can change the Display Name. This name will appear in the Web Portal (on RD Web Access). This is shown below:


  9. On the RD Web Access tab enter the name of the RD Web Access server. If you don’t have one installed I will go through this later, but don’t forget this needs to be added here! The RDWA server account is made a member of the local TS Web Access Computer Group.
  10. You should see ‘1’ RD Virtualisation Host Server has been added (from step 5 above)
  11. You can now configure ‘RD Session Host server for redirection’. Select Configure. As this server is also running as an RDSH machine, the same server name should be present. See the diagram below:


  12. You can also enable redirection for earlier clients as shown above.
  13. Select Admin Tools
  14. Select Remote Desktop Services
  15. Select Remote Desktop Session Host Configuration (this is configuring the RDSH). Remember that both RDSH and RDCB are on the same machine but you could have them running on separate machines.
  16. Under Remote Desktop Connection Broker on the main page, select ‘Member of Farm in RD Connection Broker’.
  17. On the RD Connection Broker Tab, select Change Settings
  18. Ensure that the Virtual Machine Redirection button is selected
  19. Add the RDCB server name to the RD Connection Broker Server Name field:


  20. You may receive an error. Ensure that the RDSH computer account has been added to the local computer group ‘Session Broker Computers’ on the RDCB.
  21. On the Digital Signature tab, you are required to define a suitable certificate. The following post will describe how to create the certificate using Active Directory Certificate Services. The certificate can be shared (I mean it can be the same certificate) amongst all the RD servers. You do this by exporting the certificate. I have gone to some length to explain this in the referred post.

Install and configure RD Web Access

  1. On a separate server add the RD Web Access Server Role: Log on to the computer as a member of the Domain Administrators group
  2. Select Start > Administrative Tools > Server Manager
  3. In the Roles Summary section, click Add Roles
  4. On the Before You Begin page, click Next
  5. Select the Remote Desktop Services check box, and then click Next.
  6. Select the Remote Desktop Web Access role service check box and then click Next.
  7. Continue on through the wizard and do not change any of the required components.
  8. Once the role has been installed, you should import the server certificate that you have used on the RDCB/RDSH server. If you have created this certificate correctly, you should have defined the right Subject Alternative names which will mean that when a user connects to the RDWA server using the web portal, no errors should occur.
  9. Once the certificate is in place reboot the server.
  10. Once restarted, select Admin Tools
  11. Select Remote Desktop Services
  12. Select Remote Desktop Web Access Configuration
  13. Sign in as Administrator and select configure. The interface is shown below:


  14. Select the RD Connection Broker and add the RDCB name as the Source Name.
  15. You should not receive any errors if you have added the RDWA computer account to the local TS Web Access Computer Group on the RDCB server (see step 9 of Install RDCB and RDSH above)

Configure the VMs to work with VDI

In my test infrastructure I have installed two Windows 7 virtual machines on Hyper-V. The following configuration is made on both of course.
  1. Each machine needs to be joined to the domain
  2. Click Start, Control Panel, System and Security, click on System, Advanced System Settings and select the Remote tab. Select the radio button that allows connections using Network Level Authentication. Also select the Select Users button. Define which users should have remote access. You will most likely add Domain Users.


  3. You will then need to enable RemoteRPC. Remote Procedure Calls (RPCs) allow other processes to connect with the operating system. They’re required to allow the VM Host Agent to wake up the VM. To allow RPC connectivity, set the value of AllowRemoteRPC to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

  4. We next should configure each Windows 7 machine’s firewall to allow Remote Desktop. Select Start, type ‘Fire’ and from the list given select ‘Allow Program Through the Windows Firewall’. Select Change Settings and select ‘Remote Desktop’ on the Domain Profile

  5. You will next need to configure RD virtualization host RDP permissions. This is a little tricky. I have found that running a PowerShell script to be the easiest solution. The script can be found here. A copy can be found at the bottom of this post. Just copy the script to a text document and save as a file with a PS1 extension.
  6. Select Start and simply type ‘Power’ in the search field. Select the PowerShell icon that appears (you should run this as an Administrator).
  7. Type the cmdlet set-executionpolicy unrestricted
  8. Locate the directory that your script is in (created in step 5) and type the following cmdlet: .\yourscript.ps1 -RDVHost yourdomain\RD Virtualisation Server replacing the script, domain and RD virtualisation server with your own

  9. Remember to do this on each Windows 7 machine!
  10. Your next move is to take snapshots of the virtual machines running on your Hyper-V system. Make sure you log off each Windows 7 system. Select each Windows 7 virtual machine and select snapshot as indicated below:

  11. Once each snapshot has been taken, ensure that each one is renamed with RDV_Rollback in the snapshot name:

  12. The above procedure will automatically roll the VM back to this snapshot after the user logs off.

Create VM Pools

Our next task is to create a VM Pool on the RD Connection Broker.
  1. Log on as Domain Admin on the RD Connection Broker.
  2. Open the RD Connection Manager from the RD Services in Admin Tools.
  3. Select RD Virtualisation Host Servers
  4. Under Actions on the right hand side, select ‘Create Virtual Desktop Pool’
  5. Click Next on the Welcome screen
  6. You should now see all of your virtual machines created on your Hyper-V system.
  7. Using CTRL key select each Windows 7 machine. Click Next
  8. Enter a name for the pool. Something like ‘Windows 7 Pool’.
  9. Enter the name for the Pool ID. Something like ‘Pool1’

How Does the User Connect?

A user can connect to the pool using the web portal hosted on the RD Web Access Server.
  1. Open a browser and type the URL of the RDWA server followed by /rdweb (e.g. https://RDWAserver/rdweb)
  2. Sign in as an ordinary user
  3. You should now see the Windows 7 pool created above:

  4. Select the pool and provide the password

Wednesday, 30 March 2011

Using the Powershell to Send Email Messages (Send-MailMessage)

With Exchange 2007 SP2 you can send emails from within powershell! To avoid authentication issues, your default receive connector must allow anonymous users to connect. This is normally required when you allow connections to your exchange server from the Internet. You can do this from the shell:

To determine your connector name:

[PS] Get-ReceiveConnector

This will provide the following output (EX1 being the name of my exchange server)

Identity          Bindings   Enabled
--------          --------   -------
EX1\Default EX1   {:::25,}   True
EX1\Client EX1    {:::587,}  True
Now you can determine the current permissions set on the Default connector:
[PS] Get-ReceiveConnector "EX1\Default EX1" ft name,perm* -au
This will provide the current permissions set on the connector. If the connector has not been configured to receive mail from the Internet, then you will most likely NOT see "Anonymous" listed. This will need to be included. You can do this as follows:
[PS] Get-ReceiveConnector "EX1\Default EX1" |Set-ReceiveConnector -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Once this is done, you can send email from the powershell. Here's an example where the administrator (user currently running powershell) sends an email to a recipient (usermailbox) called ben:
[PS] Send-MailMessage -From administrator@compulinx.local -To ben@compulinx.local -Subject "Test Email" -Body "Hi Ben ...Just a test" -SmtpServer ex1.compulinx.local
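Before widening the Default connector it is worth seeing what it already listens on and for whom, and confirming it cannot relay anonymously. The script below is an added example, not part of the original post; it assumes the Exchange Management Shell, the connector and mailbox names used above, and an administrator credential for the authenticated send at the end.

```powershell
# Added example (not from the original post): inspect "EX1\Default EX1" before
# widening it, check it is not an anonymous open relay, then grant AnonymousUsers
# without dropping the permission groups already present.
$connectorName = "EX1\Default EX1"
$rc = Get-ReceiveConnector $connectorName

"Connector:        {0}" -f $rc.Identity
"Bindings:         {0}" -f ($rc.Bindings -join ", ")       # interfaces/ports it listens on
"RemoteIPRanges:   {0}" -f ($rc.RemoteIPRanges -join ", ") # who is allowed to connect
"PermissionGroups: {0}" -f $rc.PermissionGroups

# AnonymousUsers lets unauthenticated hosts submit mail to internal recipients.
# Relaying to external recipients needs the ms-Exch-SMTP-Accept-Any-Recipient right,
# which this post never grants; if it is present for ANONYMOUS LOGON the connector
# is an open relay and should be fixed regardless of the change below.
$relay = $rc | Get-ADPermission |
    Where-Object { -not $_.Deny -and $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
if ($relay) {
    "WARNING: Accept-Any-Recipient granted to: " + (($relay | ForEach-Object { $_.User }) -join ", ")
} else {
    "OK: no relay right granted on $connectorName"
}

# Append AnonymousUsers to whatever is already configured rather than replacing the list.
if ($rc.PermissionGroups.ToString() -notmatch "AnonymousUsers") {
    Set-ReceiveConnector $connectorName -PermissionGroups "$($rc.PermissionGroups), AnonymousUsers"
}

# The test message. Supplying -Credential (with TLS via -UseSsl against the Client
# connector on 587) authenticates the submission instead of relying on anonymous access.
$cred = Get-Credential "compulinx\administrator"   # account name is an assumption
Send-MailMessage -From administrator@compulinx.local -To ben@compulinx.local `
    -Subject "Test Email" -Body "Hi Ben ...Just a test" `
    -SmtpServer ex1.compulinx.local -Port 587 -UseSsl -Credential $cred
```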

Thursday, 24 March 2011

How to Setup a Remote Desktop Session Host Farm using NLB on Server 2008 R2 (Part 2)

In an earlier post I went through installing a single remote desktop session host server. The post can be found here. The screenshots shown below give an overview of the installation of the RDSH role.
As this is a test lab, I will not be installing a Licensing Server.
So, install the RDSH role on both servers and add ‘Domain Users’ to the local ‘Remote Desktop Users’ group.
RDSH Certificates Template
We now need to configure the RDSH servers to use machine certificates obtained from an enterprise CA. All servers involved in the provision of remote applications to connecting clients require machine certificates. Each server will obtain its own machine certificate from an Enterprise CA. This will be used for remote desktop connections. However, I have found that you will need to share a signing certificate amongst both RDSH and RDCB servers (this certificate originated from RDSH1). I will show you how to create a suitable certificate template on the CA which we will use to enrol a needed certificate on each RDSH server.
  1. On the Enterprise CA, under the Certificate Template Node, select Manage and duplicate a Web Server certificate. Select Windows 2008.
  2. Give the certificate an appropriate name.
  3. On the Security tab, ensure that all servers involved are placed on the security ACL tab with 'Read' and 'Enrol' permissions.
  4. On the Request Handling tab, ensure that Allow Private Key to be Exported is selected.
  5. On the Subject Name tab, ensure the Supply in the Request radio button is selected.
  6. Select the Certificate Template Node, right click and select New. Locate the duplicated certificate just created and ensure that it is listed in the Certificate Template list.
Now that you have created a new certificate template that will be used by the Remote Desktop servers, you should define revocation information on certificates your CA will publish. This is detailed in an earlier post (See Step 1 Configure Enterprise CA to Support AIA Extension to Support OCSP). This post will also explain the importance of OCSP in overcoming any revocation errors that you might receive when connecting externally.

The next logical step would be to obtain suitable machine certificates for the RDS servers.
Manually Obtain Machine Certificates on Your RDS Servers
Now that the RDS certificate template and the correct revocation settings have been made, you can now obtain the necessary machine certificates. Use the following procedure:
  1. On your RDS servers, log on as Administrator
  2. Type MMC in Run
  3. Select File, Add Remove Snap-in
  4. Under Available snap-ins, select Certificates and click Add
  5. Select Computer account and click next
  6. Select Local computer and click finish and click Ok
  7. On the Certificates snap-in, select the Personal node, right click and select All Tasks, Request New Certificate
  8. Click Next on the Before You Begin window and click Next again
  9. Select the certificate template created above and select the blue hyperlink
  10. Under the Subject tab type a suitable Common Name. If the certificate is to be used and sent externally (on the Internet) then you should use a public DNS name. Click Add.
  11. Under Alternative name, select DNS and add names corresponding to both public DNS and any private FQDNs. The DNS name should also include the name of the farm that you intend to use (plan wisely!). At this point, you should add the host record (mapping farm name to an IP address) to your internal DNS server. The IP address used will be the IP used for your NLB cluster (more on this later!)
  12. Under General tab, write a suitable name and description for the certificate.
  13. Under Private Key select make Private Key Exportable. You may need to copy the certificate to other servers at some point (that is certificate and private key)
  14. Click Apply and OK to finish the wizard
  15. You should repeat this procedure on both RDSH, RDCB servers and for the RDWA server (with suitable external and internal names).
Once you complete the certificate request, you should see your certificate in your certificate MMC personal store. Now that you have them, you need to assign them correctly.
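A quick way to confirm that each server's certificate actually carries the names, key usage, exportable key and OCSP pointer the steps above call for, before assigning it. This is an added check, not part of the original post; the FQDNs in $requiredNames are assumptions to be replaced with your own farm and server names.

```powershell
# Added example (not from the original post): audit the machine certificates in the
# local computer's Personal store against what the RDS roles need. Run on each RDS server.
$requiredNames = @("rdsfarm.compulinx.local", "rdsh1.compulinx.local", "remote.example.com")

# Pull the DNS entries out of the subjectAltName extension (OID 2.5.29.17).
function Get-SanDnsNames($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match "^\s*DNS Name=(.+)$") { $matches[1].Trim() } }
}

# True when Authority Information Access (OID 1.3.6.1.5.5.7.1.1) lists an OCSP
# responder (access method OID 1.3.6.1.5.5.7.48.1), i.e. the CA step above took effect.
function Test-OcspPointer($cert) {
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.5.5.7.1.1" }
    [bool]($aia -and $aia.Format($true) -match "1\.3\.6\.1\.5\.5\.7\.48\.1")
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $sans = @(Get-SanDnsNames $cert)
    $eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains "1.3.6.1.5.5.7.3.1")
    # A non-exportable key cannot be moved to the other farm members as the post requires.
    $exportable = $false
    try {
        if ($cert.HasPrivateKey) { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable }
    } catch { $exportable = "unknown (CNG key)" }
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Expires     = $cert.NotAfter
        MissingSANs = ($requiredNames | Where-Object { $sans -notcontains $_ }) -join ", "
        ServerAuth  = [bool]$serverAuth
        Exportable  = $exportable
        OcspInAIA   = Test-OcspPointer $cert
        ChainValid  = $cert.Verify()   # builds the chain and checks revocation online
    }
}
$report | Sort-Object Expires |
    Format-Table Subject, Expires, MissingSANs, ServerAuth, Exportable, OcspInAIA, ChainValid -AutoSize
```

A certificate with anything in MissingSANs, or with ServerAuth or ChainValid false, will produce name or trust warnings once assigned in the steps that follow.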
Configuration of Remote Desktop Session Host Configuration and its Certificate (Do this on each RDS server)
  1. Select Admin Tools, RDS and then open Remote Desktop Session Host Configuration.
  2. Under Connections select RDP-TCP properties
  3. On the General tab you will probably find the Certificate is set to Default. Using the Select button, make sure you define the certificate you installed above.
This should be done for each RDS server (each server should use its own certificate obtained from the Enterprise CA).
To configure a certificate used to digitally sign the RDP file (Do this on both RDSH farm members)
I have found that it helps to use the same machine certificate across both RDSH servers and on the RDCB server. You will have to export the certificate with private key (therefore a .pfx file) from RDSH1 to RDSH2 and to RDCB. To export the certificate, just right click on the personal machine certificate in an MMC and select Export. Then import the certificate onto the other machines using an MMC once more. Once the certificate has been exported/imported you can now deal with configuring that certificate to digitally sign the RDP file.
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.
  1. Log on to RDSH1 as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
  3. Under the Overview section, click Change next to Digital Signature Settings.
  4. Select the Sign with a digital certificate check box.
  5. Click Change.
  6. On the Confirm Certificate page, select the appropriate certificate, and then click OK.
  7. Click OK to close the RemoteApp Deployment Settings dialog box.
Certificates and Domain Joined Clients
Domain joined clients will automatically have the CA root certificates stored in their trusted root store. They will not need personal machine certificates only the trusted root certificate in order to validate certificates received from the RDSH servers.
Configure the RD Connection Broker server (RDCB server)
On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer (remembering to import a PFX file). Then configure the imported certificate used to digitally sign the RDP file.
  1. Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
  2. Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
  3. On the Digital Signature tab, select the Sign with a Digital Certificate check box.
  4. Click Select.
  5. In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.
Configure the RD Web Access server (RDWA server)
On a separate member server, install the RD Web Access role service. You will need to obtain a certificate for this server from the Enterprise CA, as you did for the RDSH server.

Setting Up Authorization
A chain of authorization needs to be set up. The RDSH servers need to authorize the RDCB and in turn the RDCB will authorize the RDWA server. You must add the Web Access and Connection Broker servers to the TS Web Access group on the Session Host servers (RDSH1 & RDSH2).
  • On each of your RD Session Hosts go to Start > Administrative Tools > Computer Management.
  • Open Local Users and Groups and select the Groups sub-folder on the left, then double click the “TS Web Access Computers” group in the center.
  • Add the names of your RD Web Access and Connection Broker servers.
Add Web Access Servers to TS Web Access Group on Connection Broker Server.
Now on the Connection Broker add the Web Access servers to the TS Web Access group. You can do this through Computer Management like above or you can do it using the RD Connection Manager.
  • Go to Start > Admin Tools > Remote Desktop Services > Remote Desktop Connection Manager.
  • On the Actions pane, click Add RD Web Access Server.
  • Enter the FQDNs of any RDWA servers

Add Session Hosts to Session Broker Computers Group on Connection Broker
Now we need to add our Session Hosts to a group to give them the ability to use the Connection Broker. Add them to the local Session Broker Computers group in Computer Management.
  • Add each RDSH server to the list
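To confirm the chain is set up the way this section describes, the script below lists each local group on the server it runs on and reports any expected computer account that is missing and any member that should not be there. It is an added check, not part of the original post; the computer account names are assumptions.

```powershell
# Added example (not from the original post): confirm the authorization chain on the
# server this runs on. RDSH servers must hold the RDWA and RDCB computer accounts in
# "TS Web Access Computers"; the RDCB must hold both RDSH accounts in
# "Session Broker Computers". Account names below are assumptions.
$expectedMembers = @{
    'TS Web Access Computers'  = @('RDWA$', 'RDCB$')
    'Session Broker Computers' = @('RDSH1$', 'RDSH2$')
}

# Enumerate a local group through the ADSI WinNT provider (works on Server 2008 R2 / PS 2.0).
function Get-LocalGroupMemberNames([string]$groupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    @($group.psbase.Invoke("Members")) | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    }
}

foreach ($groupName in $expectedMembers.Keys) {
    try {
        $members = @(Get-LocalGroupMemberNames $groupName)
    } catch {
        # Group does not exist on this role (e.g. no Session Broker Computers on an RDSH).
        continue
    }
    $missing = $expectedMembers[$groupName] | Where-Object { $members -notcontains $_ }
    # Anything beyond the expected computer accounts widens who may query the role.
    $extra   = $members | Where-Object { $expectedMembers[$groupName] -notcontains $_ }
    "{0}: members = {1}" -f $groupName, ($members -join ", ")
    if ($missing) { "  MISSING:    " + ($missing -join ", ") }
    if ($extra)   { "  UNEXPECTED: " + ($extra -join ", ") }
    if (-not $missing -and -not $extra) { "  OK" }
}
```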

Configure Session Hosts to Use Connection Broker (RD1 & RD2)
Now all of our Session Hosts need to be configured to use the Connection Broker’s services.  On each RDSH:
  • Select Admin Tools, Remote Desktop Service, Remote Desktop Session Host Configuration.
  • Double-click ‘Member of Farm in RD Connection Broker’ which is under ‘RD Connection Broker’
  • Under the RD Connection Broker tab click the Change Settings button.
  • In the resulting RD Connection Broker Settings window, you specify how this RD Session Host server will interact with RD Connection Broker—that is, what the relationship is. Choose Farm Member and then enter the RD Connection Broker server FQDN and the farm name in the input boxes (see above). You should use the FQDN rather than flat NetBIOS name. This name should be one of the subject names used in the certificate created.
  • Click OK and you will be back on the RD Connection Broker Properties tab. The check box next to Participate in Connection Broker Load Balancing is selected by default. Leave it selected.
  • The weight describes its capacity relative to the other RD Session Host servers in the farm. Although all RD Session Host servers should be configured identically, not all will necessarily have the same amount of memory or the same number of processor cores. For example, if a server is only 75% as powerful as other servers in the farm, then you can reduce its weight to allow it only 75% as many connections as the other servers. The default value is 100.
  • Also by default, the redirection method—how a client connects to the RD Session Host server once RD Connection Broker decides which server should accommodate the connection—is set to Use IP Address Redirection. If the initial load balancer allows clients to connect directly to RD Session Host servers in the farm, keep this default setting. Unless you have a good reason, you should leave Use IP Address Redirection.
  • In the bottom section of this page, select the IP address that will be used for reconnections to this server. NOTE If you have more than one network adapter that you want to use, you can choose them all by checking the box next to each network adapter.
  • Perform this process for each member of the farm, taking care to use the same farm name and the same redirection method on all farm members.

Configure RemoteApp to Connect to RD Server Farm
We need to provide the RD farm address so that clients will connect to it when running RemoteApps.  On each Session Host:
  • Select Start, Admin Tools, Remote Desktop Services and RemoteApp Manager
  • Next to RD Session Host Server Settings click Change.
  • In the RD Session Host Server tab type the FQDN of the farm then click OK.

Configure Connection Broker for RemoteApp Programs Source
Now it’s time to configure a RemoteApp source for the Connection Broker.  On the Connection Broker :
  • Select Start Admin Tools, Remote Desktop Services, Remote Desktop Connection Manager.
  • Click RemoteApp Sources in the left hand tree, then choose Add RemoteApp Source in the right Actions pane.
  • Type the DNS name for the RD server farm then click Add.

Configure Web Access Servers to Use Connection Broker RemoteApp Source
If you have come this far you're doing well! We need to make sure the Web Access Server is configured to use Connection Broker as the source for our RemoteApps. On each Web Access server:
  • Select Start, Admin Tools, Remote Desktop Services, Remote Desktop Web Access Configuration.
  • Supply Domain Admin credentials and sign-in.
  • Click the Configuration tab heading. Then for “Select the source to use:” choose “An RD Connection Broker server”. Then type in the Connection Broker server name in the “Source name:” field. Click OK. Remember, the RD Connection Broker server has been added to the TS Web Access Computers group on each farm member (RDSH1 and RDSH2). Also we have added the RD Web Access computer account to the TS Web Access Computers group on the RD Connection Broker.

Configuration of NLB
We now need to consider our method of initial load balancing. Remember, clients don't talk to the RD Connection Broker role service directly; they connect to a farm, which sends this connection to the RD Connection Broker to let it find the right endpoint. So, the farm is connected to first (let's call it the initial connection), then the connection broker, and then the RD Session Host server in the farm! We will use NLB as our method of load balancing the initial connection to the RDSH farm.
NLB distributes incoming connections evenly across each load-balanced server on the principle that if the incoming requests are evenly distributed, the traffic should be, too. NLB is best for load-balancing servers when the connections are very short, like web servers, or in this case, the initial connection in a farm that is participating in RD Connection Broker load balancing. NLB is more complicated to set up than RR DNS, but it’s capable of detecting when a server is no longer available and will not attempt to send connections to it.
To configure an NLB cluster, you need to complete the following steps.
  1. If you have a network adapter dedicated to NLB, you need to configure it with static IP and subnet mask
  2. Install the NLB Manager on a host node or other management machine. To do this, open Server Manager and select the Features section. Click Add Features, select the check box next to Network Load Balancing, and click Install.
  3. Configure the NLB cluster.
  • Open NLB Manager on one of the farm members from Start, All Programs, Administrative Tools, Network Load Balancing Manager or by typing nlbmgr in the Run text box on the Start menu. Right-click Network Load Balancing Clusters and choose New Cluster.
  • In the Host input box, enter the name of one of the NLB hosts (one of the RD Session Host server farm members) and click Connect. All available network adapters on that server show up in the lower pane. Select the NLB network adapter and click Next (I am using only a single adapter on each RDSH machine)
  • The IP address and subnet mask assigned to the network adapter will show up in the next window. The priority number is a unique number that differentiates the servers. Accept the default value. If you need to make any changes to the address, click Edit and make your changes. Leave the Initial Host State as Started, and click Next.
  • On the next screen, click Add and add a unique IP address and subnet mask that will be shared by all cluster members, and then click OK. When users request access to the farm, they will be sent to this address instead of a specific RD Session Host server. This is the ‘Cluster Address’
  • On the Cluster Parameters page, accept the defaults, including Unicast for the Cluster Operation Mode setting, and click Next. All cluster host adapters must use the same operation mode or NLB will not function.
  • On the New Cluster: Port Rules page, you need to make a few changes to the default settings. Click Edit, and then change the starting and ending port range to 3389 (in both the To and From fields) because you will be using this cluster to load-balance RDP traffic only. In the Protocols section, select TCP. In the Filtering Mode section, choose Multiple Hosts to allow multiple hosts to handle traffic for this port rule. For Affinity, you have three choices: none, single and network. Choose Affinity: None so that incoming connections can be sent to any member of the farm. (There's no reason to set affinity when the connections are being redirected, and doing so could make your load-balancing efforts useless by sending repeated connection requests to the same server.)
  4. Add a DNS entry mapping the farm name to the cluster IP address.
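The same cluster can be built from PowerShell with the NetworkLoadBalancingClusters module that ships with Server 2008 R2, which also makes it easy to show afterwards that only TCP 3389 is balanced. This is an added example, not part of the original post; the interface name, IP addresses, farm name and second node name are assumptions.

```powershell
# Added example (not from the original post): build the NLB cluster described above
# from PowerShell. Run on RDSH1; interface, addresses and host names are assumptions.
Import-Module NetworkLoadBalancingClusters

$interface   = "Local Area Connection"    # the adapter used for NLB on each farm member
$clusterIP   = "192.168.1.200"            # the shared 'Cluster Address' the farm name resolves to
$subnetMask  = "255.255.255.0"
$clusterName = "rdsfarm.compulinx.local"  # keep in step with the farm name / certificate SAN
$secondNode  = "RDSH2"

# 1. Create the cluster on this host, unicast as in the wizard.
New-NlbCluster -InterfaceName $interface -ClusterName $clusterName `
    -ClusterPrimaryIP $clusterIP -SubnetMask $subnetMask -OperationMode Unicast | Out-Null

# 2. Replace the default all-ports rule with one for RDP only: TCP 3389, multiple
#    hosts, no affinity (the connection broker does the redirection, as explained above).
Get-NlbClusterPortRule -HostName $env:COMPUTERNAME | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName $env:COMPUTERNAME -InterfaceName $interface `
    -StartPort 3389 -EndPort 3389 -Protocol TCP -Mode Multiple -Affinity None | Out-Null

# 3. Join the second farm member on its matching adapter.
Add-NlbClusterNode -HostName $env:COMPUTERNAME -NewNodeName $secondNode `
    -NewNodeInterface $interface | Out-Null

# 4. Show what the cluster accepts and which nodes are converged. Any rule outside
#    3389/TCP here means other traffic would also be spread across the farm.
Get-NlbClusterPortRule -HostName $env:COMPUTERNAME |
    Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
Get-NlbClusterNode -HostName $env:COMPUTERNAME |
    Format-Table Name, State, HostPriority -AutoSize
```

Step 4 of the list above (the DNS host record for the farm name) still has to point at $clusterIP, which is the address the certificate's farm SAN and the farm name in RD Session Host Configuration both rely on.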