Wednesday, 30 March 2011

Using the Powershell to Send Email Messages (Send-MailMessage)

With Exchange 2007 SP2 you can send emails from within powershell! To avoid authentication issues, your default receive connector must allow anonymous users to connect. This is normally required when you allow connections to your exchange server from the Internet. You can do this from the shell:

To determine your connector name:

[PS] Get-ReceiveConnector

This will provide the following output (EX1 being the name of my exchange server)

Identity Bindings Enabled

-------- -------- -------
EX1\Default EX1 {:::25,} True

EX1\Client EX1 {:::587,} True
Now you can determine the current permissions set on the Default connector:
[PS] Get-ReceiveConnector "EX1\Default EX1" ft name,perm* -au
This will provide the current permissions set on the connector. If the connector has not been configured to receive mail from the Internet, then you will most likely NOT see "Anonymous" listed. This will need to be included. You can do this as follows:
[PS] Get-ReceiveConnector "EX1\Default EX1" |Set-ReceiveConnector -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers
Once this is done, you can send email from the powershell. Here's an example where the administrator (user currently running powershell) sends an email to a recipient (usermailbox) called ben:
[PS] Send-MailMessage -From administrator@compulinx.local -To ben@compulinx.local -Subject "Test Email" -Body "Hi Ben ...Just a test" -SmtpServer ex1.compulinx.local

Thursday, 24 March 2011

How to Setup a Remote Desktop Session Host Farm using NLB on Server 2008 R2 (Part 2)

In a earlier post I went through installing a single remote desktop session host server. The post can be found here. The screenshots shown below overview the installation of the RDSH role.
As this is a test lab, I will not be installing a Licensing Server.
So, install the RDSH role on both servers and add ‘Domain Users’ to the local ‘Remote Desktop Users’ group.
RDSH Certificates Template
We now need to configure the RDSH servers to use machine certificates obtained from an enterprise CA. All servers involved in the provision of remote applications to connecting clients require machine certificates. Each server will obtain its own machine certificate from an Enterprise CA. This will be used for remote desktop connections. However, I have found that you will need to share a signing certificate amongst both RDSH and RDCB servers (this certificate originated from RDSH1). I will show you how to create a suitable certificate template on the CA which we will use to enrol a needed certificate on each RDSH server.
  1. On the Enterprise CA, under the Certificate Template Node, select Manage and duplicate a Web Server certificate. Select Windows 2008.
  2. Give the certificate an appropriate name.
  3. On the Security tab, ensure that all servers involved are placed on the security ACL tab with 'Read' and 'Enrol' permissions.
  4. On the Request Handling tab, ensure that the Allow Private Key to be Exported is selected
  5. On the Subject Name tab, ensure the Supply in the Request radio button is selected.
  6. Select the Certificate Template Node, right click and select New. Locate the duplicated certificate just created and ensure that it is listed in the Certificate Template list.
Now that you have created a new certificate template that will be used by the Remote Desktop servers, you should define revocation information on certificates your CA will publish. This is detailed in an earlier post (See Step 1 Configure Enterprise CA to Support AIA Extension to Support OCSP). This post will also explain the importance of OSCP in overcoming any revocation errors that you might receive when connecting externally.

The next logical step would be to obtain suitable machine certificates for the RDS servers.
Manually Obtain Machine Certificates on Your RDS Servers
Now that the RDS certificate template and the correct revocation settings have been made, you can now obtain the necessary machine certificates. Use the following procedure:
  1. On your RDS servers, log on as Administrator
  2. Type MMC in Run
  3. Select File, Add Remove Snap-in
  4. Under Available snap-ins, select Certificates and click Add
  5. Select Computer account and click next
  6. Select Local computer and click finish and click Ok
  7. On the Certificates snap-in, select the Personal node, right click and select All Tasks, Request New Certificate
  8. Click Next on the Before You Begin window and click Next again
  9. Select the certificate template created above and select the blue hyperlink
  10. Under the Subject tab type a suitable Common Name. If the certificate is to be used and sent externally (on the Internet) then you should use a public DNS name. Click Add.
  11. Under Alternative name, select DNS and add names corresponding to both public DNS and any private FQDNs. The DNS name should also include the name of the farm that you intend to use (plan wisely!). At this point, you should add the host record (mapping farm name to an IP address) to your internal DNS server. The IP address used will be the IP used for your NLB cluster (more on this later!)
  12. Under General tab, write a suitable name and description for the certificate.
  13. Under Private Key select make Private Key Exportable. You may need to copy the certificate to other servers at some point (that is certificate and private key)
  14. Click Apply and OK to finish the wizard
  15. You should repeat this procedure on both RDSH, RDCB servers and for the RDWA server (with suitable external and internal names).
Once you complete the certificate request, you should see your certificate in your certificate MMC personal store. Now you have them, now you need to assign them correctly.
Configuration of Remote Desktop Session Host Configuration and its Certificate (Do this on each RDS server)
  1. Select Admin Tools, RDS and then open Remote Desktop Session Host Configuration.
  2. Under Connections select RDP-TCP properties
  3. On the General tab you will probably find the Certificate is set to Default. Using the select key make sure you define the certificate you installed above.
This should be done for each RDS server (each server should use its own certificate obtained from the Enterprise CA).
To configure a certificate used to digitally sign the RDP file (Do this on both RDSH servers farm members)
I have found that it helps to use the same machine certificate across both RDSH servers and on the RDCB server. You will have to export the certificate with private key (therefore a .pfx file) from RDSH1 to RDSH2 and to RDCB. To export the certificate, just right click on the personal machine certificate in a MMC and select Export. Then import the certificate onto the other machines using a MMC once more. Once the certificate has been  exported/imported you can now deal with configuring that certificate to digitally sign the RDP file.
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.
  1. Log on to RDSH1 as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
  3. Under the Overview section, click Change next to Digital Signature Settings.
  4. Select the Sign with a digital certificate check box.
  5. Click Change.
  6. On the Confirm Certificate page, select the appropriate certificate, and then click OK.
  7. Click OK to close the RemoteApp Deployment Settings dialog box.
Certificates and Domain Joined Clients
Domain joined clients will automatically have the CA root certificates stored in their trusted root store. They will not need personal machine certificates only the trusted root certificate in order to validate certificates received from the RDSH servers.
Configure the RD Connection Broker server (RDCB server)
On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer (remembering to import a PFX file). Then configure the imported certificate used to digitally sign the RDP file.
  1. Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
  2. Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
  3. On the Digital Signature tab, select the Sign with a Digital Certificate check box.
  4. Click Select.
  5. In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.
Configure the RD Web Access server (RDWA server)
On a separate member server, install the RD Web Access role service.You will need to obtain a certificate for this server like you obtained a certificate for the RDSH server from the Enterprise CA. 

Setting Up Authorization
A chain of authorization needs to be set up. The RDSH servers needs to authorize the RDCB and in turn the RDCB will authorize the RDWA server. You must add Web Access and Connection Broker Servers to TS Web Access Group on Session Host Servers (RDSH1 & RDSH2)
  • On each of your RD Session Hosts go to Start > Administrative Tools > Computer Management.
  • Open Local Users and Groups and select the Groups sub-folder on the left, then double click the “TS Web Access Computers”  group in the center.
  • Add the names of your RD Web Access and Connection Broker servers.
Add Web Access Servers to TS Web Access Group on Connection Broker Server.
Now on the Connection Broker add the Web Access servers to the TS Web Access group.  You can do this through Computer Management like above or you can do it using the RD Connection Manager. 
  • Go to Start > Admin Tools > Remote Desktop Services > Remote Desktop Connection Manager.
  • On the Actions pane, click Add RD Web Access Server.
  • Enter the FQDNs of any RDWA servers

Add Session Hosts to Session Broker Computers Group on Connection Broker
Now we need to add our Session Hosts to a group to give them the ability to use the Connection Broker.  Add them to the local group in Computer Management.
  • Add each RDSH server to the list

Configure Session Hosts to Use Connection Broker (RD1 & RD2)
Now all of our Session Hosts need to be configured to use the Connection Broker’s services.  On each RDSH:
  • Select Admin Tools, Remote Desktop Service, Remote Desktop Session Host Configuration.
  • Double-click ‘Member of Farm in RD Connection Broker’ which is under ‘RD Connection Broker’
  • Under the RD Connection Broker tab click the Change Settings button.
  • In the resulting RD Connection Broker Settings window, you specify how this RD Session Host server will interact with RD Connection Broker—that is, what the relationship is. Choose Farm Member and then enter the RD Connection Broker server FQDN and the farm name in the input boxes (see above). You should use the FQDN rather than flat NetBIOS name. This name should be one of the subject names used in the certificate created.
  • Click OK and you will be back on the RD Connection Broker Properties tab. The check box next to Participate in Connection Broker Load Balancing is selected by default. Leave it selected.
  • The weight describes its capacity relative to the other RD Session Host servers in the farm. Although all RD Session Host servers should be configured identically, not all will necessarily have the same amount of
    memory or the same number of processor cores. For example, if a server is only 75% as powerful as other servers in the farm, then you can reduce its weight to allow it only 75% as many connections as the other servers. The default value is 100.
  • Also by default, the redirection method—how a client connects to the RD Session Host server once RD Connection Broker decides which server should accommodate the connection—is set to Use IP Address Redirection. If the initial load balancer allows clients to connect directly to RD Session Host servers in the farm, keep this default
    setting. Unless you have a good reason, you should leave Use IP Address Redirection.
  • In the bottom section of this page, select the IP address that will be used for reconnections to this server. NOTE If you have more than one network adapter that you want to use, you can choose them all by checking the box next to each network adapter.
  • Perform this process for each member of the farm, taking care to use the same farm name and the same redirection method on all farm members.

Configure RemoteApp to Connect to RD Server Farm
We need to provide the RD farm address so that clients will connect to it when running RemoteApps.  On each Session Host:
  • Select Start, Admin Tools, Remote Desktop Services and RemoteApp Manager
  • Next to RD Session Host Server Settings click Change.
  • In the RD Session Host Server tab type the FQDN of the farm then click OK.

Configure Connection Broker for RemoteApp Programs Source
Now it’s time to configure a RemoteApp source for the Connection Broker.  On the Connection Broker :
  • Select Start Admin Tools, Remote Desktop Services, Remote Desktop Connection Manager.
  • Click RemoteApp Sources in the left hand tree, then choose Add RemoteApp Source in the right Actions pane.
  • Type the DNS name for the RD server farm then click Add.

Configure Web Access Servers to Use Connection Broker RemoteApp Source
If you have come this far your doing well! We need to make sure the Web Access Server is configured to use Connection Broker as the source for our RemoteApps.  On each Web Access server :
  • Select Start, Admin Tools, Remote Deskt0p Services, Remote Desktop Web Access Configuration.
  • Supply Domain Admin credentials and sign-in.
  • Click the Configuration tab heading.  Then for “Select the source to use:” choose “An RD Connection Broker server”.  Then type in the Connection Broker server name in the “Source name:” field.  Click OK. Remember, the RD Connection Broker server has been added to the TS Web Access Computers group on each farm member (RDSH1 and RDSH2).Also we have added the RD Web Access computer account to the TS Web Access Computers group on the RD Connection Broker.

Configuration of NLB
We now need to consider our method of initial load balancing. Remember, clients don’t talk to the RD Connection Broker role service directly; they connect to a farm, which sends this connection to the RD Connection Broker to let it find the right endpoint. So, the farm is connected to first  (lets call it the initial connection) and then the connection broker, and then to RD Session Host server in the farm! We will use NLB as our method of load balancing the initial connection to the RDSH farm.
NLB distributes incoming connections evenly across each load-balanced server on the principle that if the incoming requests are evenly distributed, the traffic should be, too. NLB is best for load-balancing servers when the connections are very short, like web servers, or in this case, the initial connection in a farm that is participating in RD Connection Broker load balancing. NLB is more complicated to set up than RR DNS, but it’s capable of detecting when a server is no longer available and will not attempt to send connections to it.
To configure an NLB cluster, you need to complete the following steps.
  1. If you have a network adapter dedicated to NLB, you need to configure it with static IP and subnet mask
  2. Install the NLB Manager on a host node or other management machine. To do
    this, open Server Manager and select the Features section. Click Add Features, select the check box next to Network Load Balancing, and click Install.
  3. Configure the NLB cluster.
  • Open NLB Manager on one of the farm members from Start, All Programs, Administrative Tools, Network Load Balancing Manager or by typing nlbmgr in the Run text box on the Start menu. Right-click Network Load Balancing Clusters and choose New Cluster.
  • In the Host input box, enter the name of one of the NLB hosts (one of the RD Session Host server farm members) and click Connect. All available network adapters on that server show up in the lower pane. Select the NLB network adapter and click Next (I am using only a single adapter on each RDSH machine)
  • The IP address and subnet mask assigned to the network adapter will show up in the next window. The priority number is a unique number that differentiates the servers. Accept the default value. If you need to make any changes to the address, click Edit and make your changes. Leave the Initial Host State as Started, and click Next.
  • On the next screen, click Add and add a unique IP address and subnet mask that will be shared by all cluster members, and then click OK. When users request access to the farm, they will be sent to this address instead of a specific RD Session Host server. This is the ‘Cluster Address’
  • On the Cluster Parameters page, accept the defaults, including Unicast for the Cluster Operation Mode setting, and click Next. All cluster host adapters must use the same operation mode or NLB will not function.
  • On the New Cluster: Port Rules page, you need to make a few changes to the default settings. Click Edit, and then change the starting and ending port range to 3389 (in both the To and From fields) because you will be using this cluster to load-balance RDP traffic only. In the Protocols section, select TCP. In the Filtering Mode section, choose
    Multiple Hosts to allow multiple hosts to handle traffic for this port rule. For Affinity, you have three choices; none, single and network. Choose Affinity: None so that incoming connections can be sent to any member of the farm. (There’s no reason to set affinity when the connections are being redirected, and doing so could make your load-balancing efforts useless by sending repeated connection requests to the same server.)
     4.  Add a DNS entry mapping the farm name to the cluster IP address.

Wednesday, 9 March 2011

How to Configure File Server Resource Manager (FSRM) to Send an Email

You can ensure FSRM servers send emails to configured administrators as follows:

1.  After installing the FSRM role service, open the snap-in from Admin Tools
2.  Right click File Server Resource Manager (Local) and select Configure Options
3.  In the configure options window, configure the SMTP Server Name (the Exchange Server)
4. Configure the Default Administrator Recipients email address
5. Configure the Default From Email Address

The Default From Email Address is the address for the FSRM server (which can be an ordinary mailbox built earlier). When the FSRM server wants to send an email of notification (perhaps because someone oversteps their quota or places an incorrect file type into a folder) it will use this email address. The server authenticates using its computer account and then submits the email to exchange. So for this to work you need to allow the FSRM to send the email on the mailbox behalf. You can do this by typing the following cmd in powershell on or connected to the Exchange server:

[PS] Add-Adpermission -Identity "fsrm" -user "compulinx\srvExchange$" -extendedrights "Send-as"

Where fsrm is the mailbox that the server (srvExchange$) uses. You can click the 'Test Email' button to make sure it works.

Thursday, 3 March 2011

How to Setup a Remote Desktop Session Host Farm using NLB on Server 2008 R2 (Part 1)

A RD Session Host server farm consists of two or more RD Session Host servers with the same software configuration (for example, security settings and device redirection policies) and application sets, all represented under a single farm name so that they appear to the client as a single server. Server farms are load-balanced so that the workload is distributed evenly among all farm members. Because the servers are configured the same way, it does not matter to users which server they get directed to. All servers should provide the same user experience.

When a client connects to RDSH farm, the client makes an initial connection to a particular RDSH server which redirects the client to a Remote Desktop Connection Broker (RDCB) which then brokers a connection to an individual RDSH of the farm. Initial connections can be load balanced in three main ways:
  1. DNS Round Robin
  2. Network Load Balancing
  3. Dedicated RDSH Redirector
DNS RR is not so clever. By creating multiple host records for each member of the farm, you distribute client connections to the farm. If however a farm member goes down, DNS will continue to hand the host record out to requesting clients despite the fact that a member server is down.

A dedicated redirector is an RD Session Host server whose sole role is to redirect initial connection requests to RDCB. To avoid asking working RD Session Host farm servers to handle incoming connections, you can dedicate a server to do this work. The only catch to using a dedicated redirector is that it represents a single point of failure.

We will configure initial connection load balancing by using load Network Load Balancing (NLB):

As you can see in the diagram above, the client makes an initial connection via the RD Web Access server to RDSH 1. This could be infact to RDSH1 or RDSH2 as these two servers will be in a NLB cluster. Either server will then redirect the connection to the RDCB. The RD Connection Broker finds the most suitable endpoint for the connection request and gets its IP address. The result is passed back to the RDSH and then back to the client. The client then connects directly to the RDSH that the RD Connection Broker has deemed most suitable.

If an RDSH server goes offline how does the RDCB know? It monitors whether the connections it redirects are successful. If redirection fails the RDCB begins pinging the suspect RDSH server and if this fails then the RDSH is removed from its database.