Compulinx Training Exchange 2010 and Server 2008 R2 Training

Citrix XenApp6 Discovery Fails “Errors occurred when using CTXS-XA1 in the discovery process” An Unexpected Error Occurred

2011-09-09T11:27:00.001+01:00

This error may appear when you try to run the discovery process using the Xenapp6 evaluation VHD. I was using the VHD on Hyper-V and decided to change over to VMWare VSphere. I managed to convert the virtual machine to be used on VMWare (using the Standalone Converter http://downloads.vmware.com/d/info/infrastructure_operations_management/vmware_vcenter_converter_standalone/5_0). That worked fine but the problems started when trying to use XenApp 6 on a VM hosted on Vsphere. I tried using the local Administrator account (the one used to create the original image) but could not run the discovery process using Citrix Delivery Services Console. I then tried this:

Logon as the local Administrator
Try to run the discovery process
If it fails (as it did for me) open a command console
Change directory to the following path: C:\Program Files (x86)\Citrix\Independent Management Architecture
Type the following command: dsmaint config /user:administrator /pwd:Evaluation1 /dsn:"c:\Program Files (x86)\Citrix\Independent Management Architecture\mf20.dsn"
For the password use your local administrator account password
You will see the following output:
Attempting to connect to the data store with new configuration settings.
Successfully connected to the data store.
Configuration successfully changed.
Please restart the IMA Service for changes to take effect.
Open Services in Admin Tools and stop the Citrix Independent Management Architecture
Using the same command console type the following command: dsmaint recreatelhc
Now restart the Citrix Independent Management Architecture service
Try the discovery process again and it should work!

Reset Licence Administration Console Password Citrix XenApp 6

2011-09-08T09:37:00.001+01:00

If you need to change the administration account (Admin) for Citrix XenApp 6, try the following steps:

Locate the Server.xml file (C:\Program Files (x86)\Citrix\Licensing\LS\conf)
Edit with WordPad
Locate the following entry <user firstName="System" id="admin" lastName="Administrator" password
Delete the encrypted password between quotation marks
Replace with a clear text password of your choice
Set passwordExpired to True
Save the xml file
Restart the Citrix Licensing service
Open the Licence Administration console once more and select Administration
Logon using using the new password. You will be requested to change the password.
Hey Presto!

Citrix XenApp 6 Fundamentals Installation Has Failed

2011-09-04T19:00:00.001+01:00

I had a problem installing XenApp Fundamentals. During the installation process I received an installation error that indicated that the installation had failed and that I should check the ‘Citrix Access Essentials Install Log.txt’

I presumed that installing the program on Server 2008 R2 would be enough. However the setup that finally worked for me was as follows:

Install a fresh 2008 R2 member server
Do not install any roles, features or Windows updates
Configure the correct network settings
Disable the firewall (I prefer this but you may not be able to!)
Join the server to your existing AD domain
Install the .NET 3.5.1 Feature using the Server Manager
Install the Remote Desktop Host services role using Server Manager
Run the Citrix XenApp 6 Fundamentals Installation

If you follow the above procedure, you should be OK. Also when applying a licence, make sure that the name you use is matches the NetBIOS name of the server (case-sensitive).

Move Arbitration Mailboxes In Exchange 2010

2011-08-24T10:22:00.001+01:00

Quite simple really. I have found that in certain situations, (help in backup) I have needed to delete databases (perhaps several databases exist on a single drive). You can move mailboxes from one database to another simply by typing the following cmdlet:

[PS] Get-Mailbox –Database TheDatabaseID | New-MoveRequest –TargetDatabase TheDatabaseID

Now this will move the ‘regular’ mailboxes but not those marked as arbitration mailboxes. You can identify those by using the following:

[PS] Get-Mailbox –Database TheDatabaseID –Arbitration

Now you know what mailboxes to look out for, move them to the database of preference.

[PS] Get-Mailbox –Database TheDatabaseID –Arbitration | New-MoveRequest –TargetDatabase TheDatabaseID.

And then check that the arbitration mailboxes have been moved to an alternative database. You can also check out the move requests themselves:

[PS] Get-MoveRequest

Now that the mailboxes (hidden ones included) have been moved, try deleting the database now. It should work but remember that you will still have to remove the database files manually.

For Matt and Mark!

Exchange 2010 MountDial

2011-08-21T22:41:00.001+01:00

The setting is set per server. You can determine the value on your server by typing the following cmdlet:

[PS] Get-MailboxServer | FL Name,AutoDatabaseMountDial

MountDial determines if a passive copy of a DAG can automatically come online based on how many log files being copied to it. If you run the above command, you will see one of several values for AutoDatabaseMountDial including:

BestAvailability
GoodAvailability
Lossless

These mean the following:

BestAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to 12. The copy queue length is the number of logs recognized by the passive copy that needs to be replicated. If the copy queue length is more than 12, the database doesn't automatically mount. When the copy queue length is less than or equal to 12, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

GoodAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to six. The copy queue length is the number of logs recognized by the passive copy that needs to be replicated. If the copy queue length is more than six, the database doesn't automatically mount. When the copy queue length is less than or equal to six, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

Lossless

If you specify this value, the database doesn't automatically mount until all logs that were generated on the active copy have been copied to the passive copy.

BestEffort

This will mount no matter the copy queue length. Be careful with this setting as you could loose a lot of mailbox data!

To manually switch from passive to active type the following cmdlets:

[PS] Move-ActiveMailboxDatabase DB4 -ActivateOnServer MBX3 -MountDialOverride:None

As the MountDialOverride property is set to ‘none’ whatever is currently set (probably the default) remains.

The default on my server is GoodAvailability. So, replace none with one of the three options listed above to change this.

Read an earlier post regarding DAGs

Ref.

How to Export Exchange 2010 Queues

2011-08-20T13:34:00.001+01:00

You can use the Shell to export messages from a queue on a computer that has the Microsoft Exchange Server 2010 Hub Transport server role or the Edge Transport server role installed to a specified file path. You can't use Queue Viewer to perform this task. However, you can use Queue Viewer to locate, identify, and suspend the messages before you perform this task.

Messages that get ‘stuck’ in a queue can be exported to a folder and you can later resubmit the messages once you fix the mail flow problem. To export a message (or all messages in a queue) you should first suspend the queue. Suspension does not prevent messages entering the queue, but it will stop them leaving. The following cmdlet suspends the queue.

[PS] Get-TransportServer | Get-Queue

This command will show you the queues on your transport servers (you may have more than one in your site).

You might have an example where your messages are failing to be sent because of name resolution:

You can see that the DeliveryType is set to DNSConnectorDelivery. The messages are queued for delivery to an external recipient by using an SMTP connector that's located on the local server and that's configured to use Domain Name System (DNS) for routing resolution.

To export the messages, first suspend the queue:

[PS] Suspend-Queue –Identity SRV1\20

Now that the queue is suspended you suspend the messages.

[PS]Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited | Suspend-Message –Confirm:$False

-ResultSize unlimited is used as the default is set to 1000.

Now the messages are suspended you can export them. To see the list of messages in the queue type the following:

[PS] Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited

The status should show the messages are suspended and you should see the Email subject heading and from address. Notice how the message ID is created and includes the Queue ID.

Now to export a single message:

[PS] Get-Message -Identity srv1\20\75 | AssembleMessage -Path c:\exportfolder\email1

To export all the messages from the queue is a bit more complicated. Try the following:

[PS] $array = @(Get-Message -Queue srv222\20 -ResultSize unlimited)
[PS] $array | ForEach-Object {$i++;Export-Message $_.Identity | AssembleMessage -Path ("c:\exportfolder\"+ $i +".eml")}

The above cmdlets will produce .eml files in c:\exportfolder\ with names like 1.eml, 2.eml. At a later stage you can ‘import’ the messages back into the submission queue by using the replay directory. The Replay directory receives messages from foreign gateway servers and can also be used to resubmit messages that administrators export from the queues of Exchange 2010 servers. Read this post for more.

How to Change the Version of Windows 2008 r2 Standard to Enterprise Without Reinstalling

2011-08-16T22:47:00.001+01:00

Useful procedure for changing the product version of windows 2008 r2 standard to enterprise without reinstalling from media.

To determine the installed edition, run:
DISM /online /Get-CurrentEdition

To check the possible target editions, run:
DISM /online /Get-TargetEditions

Finally, to initiate an upgrade, run:
DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

For example, to upgrade to Enterprise from a downlevel version, run:
DISM /online /Set-Edition:ServerEnterprise /ProductKey:YOUR SETUP KEY

(Thanks to Kimani and Jon)

Role-Based Access Control (RBAC) Exchange 2010 Legal Hold and Discovery Search

2011-08-12T16:12:00.001+01:00

RBAC can be used to allow administrators to perform a specific exchange task by being assigned a management role that has permissions to perform the task. Administrators can be assigned these roles directly, or multiple roles can be grouped together into management role groups. Management role groups are infact AD universal security groups. As you will see however, Exchange administrators should NOT be added to these groups using AD tools directly!

Each management role consists of management role entries. A management role entry is an EMS cmdlet or a script that users in a management role can execute.

For a list of management roles, type the following cmdlet:

[PS] Get-ManagementRole | Get-ManagentRoleEntry

The list you will see has quite a few roles!

If you take just one role for example, say ‘databases’ you will begin to see what's involved:

[PS] Get-ManagementRole –Identity Databases | Get-ManagementRoleEntry

So, users are assigned a management role (that can execute scripts that are defined by management role entries) by being assigned to a management role group. This can be very useful. For example we can create a management role group that only allows users to create exchange recipients. After we create the group and add users, management role(s) are then assigned to the group.

Several role groups exist in Exchange 2010 by default.

[PS] Get-RoleGroup

If we take a single role group for example ‘Help Desk’

[PS] Get-RoleGroup –Identity “Help Desk” | fl

The will list associated parameters for this group.

As you can see from the above screenshot, the roles assigned to the Help Desk management role group are shown. These are ‘User Options’ and ‘View Only’. You can also see under role assignments that it shows that these roles are assigned to help-desk! These default role groups can be found in AD in the Microsoft Exchange Security Groups

To add users to the role group of Help Desk use the following cmdlet:

[PS] Add-RoleGroupMember –Identity “Help Desk” -Member “Andrew Stevens”

This will add Andrew Stevens to the Help Desk role group. To determine the membership of the management role group try the following:

[PS] Get-RoleGroupMember -Identity "Help Desk"

This is great if the Help Desk group has the needed management roles assigned to it. From the screenshot above this includes management roles of “User Options” and View-only Recipients”.

User Options is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "User Options" | Get-ManagementRoleEntry

View-Only Recipients is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "View-only Recipients" | Get-ManagementRoleEntry

So you can see what Andrew Stevens can do having been placed in the Help Desk group.

You can also customize a role group to contain the roles that you need if you find the default roles assigned to a group do not fit correctly. If you find yourself changing the roles assigned to the default groups beyond recognition you might as well create a new group.

So, to add a role to an existing group try the following:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk" -Role "MailBox Import Export"

Now type the following again to determine the roles now ‘held’ by the Help Desk group:

[PS] Get-RoleGroup –Identity “Help Desk” | fl

You will notice that the RoleAssignments has changed to include Mailbox Import Export!

To remove the assignment type the following:

[PS] Remove-ManagementRoleAssignment -Identity "Mailbox Import Export-Help Desk"

If you need to you can create a role group from scratch. Lets create a role group called London Help Desk and assign roles to the group:

[PS] New-RoleGroup "Help Desk London" -Roles "User Options","View-Only Recipients"

Try the Get-RoleGroup cmdlet and you should see it listed.

So far the London help Desk team have the role of View-Only recipients and User Options. This is no different to the default Help Desk assignments. However you can add to it

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "MailBox Import Export"

Legal Hold

An interesting role is Legal Hold. A legal hold in Exchange 2010 will keep e-mails even if the user tries to delete them. Note, the user will think the e-mail is deleted. The only way to actually see the e-mails is by doing a discovery search, and opening the discovery mailbox.

The legal hold role has the following assignments:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

The output will show you that both Organization and Discovery Management groups have this role by default.

To grant our London Help Desk team Legal Hold type the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" –Role “Legal Hold”

Type the following cmdlet for confirmation:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

You should now see Help Desk London listed.

To turn this feature on we need to enable it for specific mailboxes. First you must have the role to do so. As mentioned, those in the Organization Management (and Discovery Management) have the Legal Hold role assigned. If you are doing this as a Domain Administrator then you are a member of Organization Management already.

[PS] Get-RoleGroup -Identity "Organization Management" | ft name,members

Now, determine which recipients you wish to define Legal Hold to and type the following:

[PS] Set-Mailbox –Identity “A User” –LitigationHoldEnabled $True

To check to see which mailbox has been enabled, type the following cmdlet:

[PS] Get-Mailbox | ft name,lit* –au

Performing a Discovery Search

You can still find and open the deleted emails using a discovery search. A discovery search can be made against any organisation mailbox (not just those on litigation hold). Here’s what happens:

User deletes a message.
The message moves to a 'Deleted Items' folder. At this point the user can see the deleted messages and can move the deleted message back to the inbox. This is known as a 'soft delete'. Messages can also be moved to the 'dumpster' by emptying the deleted items folder.This is a 'hard delete'.
Message moves to the 'Dumpster'. This removes the message from view. Deleted item retention is 14 days by default. Users can still recover items by using the recover deleted items tool (right click deleted items in OWA and select 'recover deleted items')
If the end user purges data from the "Recover Deleted Items" view (hard delete from the Recoverable Items\Deletions folder), the item will be moved to the Recoverable Items\Purges folder. The purges folder is a special folder that sits within the dumpster. The user will not be able to see the deleted message from this folder. However administrators granted the rights to perform 'discovery searches' can search through the purges folder and restore deleted items.

Enabling Litigation Hold means that items never will be purged from the “Purges” subfolder, which of course results mailboxes growing considerably in size over time!

To perform a discovery search perform the following steps:

1. Perform a discovery search for the item you need to restore. This first involves navigating a browser to https://servername/ecp. This is on the CAS role (ecp is the exchange control panel). In Figure 1, the user ‘Al Pacino’ is in the LegalAdmins role group. This group has been assigned the roles ‘User Options and View-only Recipients’ (which is the same as the default Help Desk role). At this point Al cannot perform a discovery search and this is his ECP view (only Users & Groups).

2. Assign the Mailbox Search role to the LegalAdmins group using the following cmdlet: [PS] New-ManagementRoleAssignment -SecurityGroup LegalAdmins -Role "Mailbox Search"

3. The above screenshot shows us the ECP view after applying this step. You can now see that the ‘Reporting’ link is shown. Select this link.

4. After you select this link you should see a similar view as shown above. Remember that you can also add a user to the Discovery Management role group instead of creating a group and assigning roles to it.

Select 'New'.

5. As you can see there are a number of search methods. Select mailbox to search and select the user mailbox that has purged deleted items.

6. Provide a search name

7. Select 'Select a mailbox in which to store the search results' and choose the 'Discovery Search Mailbox' and click save.

8. After the search has completed (you may have to refresh) select the link that says open by the results output on the right hand side.

9. If you cant open the discovery search mailbox, you will need to grant the user access to it by typing in the following:

[PS] Add-MailboxPermission DiscoverySearchMailbox -User al -AccessRights FullAccess
NB. I changed the alias of the mailbox to this simpler name

10. You should now be able to open the discovery search mailbox. Once opened, navigate on the left to the search name and open the sent\deleted items folder. You should be able to find the item that was purged.

NB. If you wish you can create a new discovery search mailbox by using the following cmdlet:

[PS] New-Mailbox "HelpDeskDiscovery" -UserPrincipalName HelpDeskDiscovery@yourcompany.com –Discovery.

[PS] Add-MailboxPermission HelpDeskDiscovery -User al -AccessRights FullAccess

In the above example, our test user Al, can perform the discovery search and open the discovery search mailbox to find deleted items.

RMS Shared Identity user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 Not Found

2011-08-04T17:20:00.001+01:00

Having removed an Exchange Server (and arbitration mailboxes), reinstalling a second Exchange 2010 can be problematic. The deletion of the discovery mailbox will mean that the reinstallation of your Exchange 2010 server will fail. Run the following command:

[PS] New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@<Default_Accepted_Domain>

This should allow you to now rerun the installation program without failure.

Cannot Uninstall Exchange 2010 Because of Arbitration Mailboxes

2011-08-03T09:05:00.001+01:00

To list the arbitration mailboxes type the following command:

[PS] Get-Mailbox –Database database name -Arbitration

This will list all the mailboxes that can be moved or removed.

To move them to another database, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2

To remove the mailboxes, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | Remove-Mailbox -Arbitration –RemoveLastArbitrationMailboxAllowed

Once you do this hopefully you should be able to uninstall Exchange using the Control panel

SQL Backup Strategies Part 2 How To Backup and Restore…

2011-07-18T17:12:00.001+01:00

In a previous post I tried to detail some appropriate backup strategies. This post builds on these concepts and provides some practical details on what to do.

Perform Full Database Backups

A full database backup is a page-level copy of the entire database to backup media. You can execute a full database backup using any recovery model (i.e Simple, Bulk-Logged or Full).

To perform a full backup use the following:

USE master;
GO
BACKUP DATABASE CompulinxDB
TO DISK = ‘D:\Backups\compulinxFULL.bak’
WITH RETAINDAYS = 7, INIT;

RETAINDAYS does not actually delete anything, it is just marking the file to tell SQL Server not to overwrite this file before the retain time is up (in the above case 7 days).

INIT This option indicates that SQL Server will overwrite any existing backups on the target media with new backups. In other words, the backup that you are taking with this statement will be
the initial backup on the media.

It is considered good practice to ‘stripe’ the backup to two files on separate disks (and even controllers). So, the following syntax can be used

USE master;
GO
BACKUP DATABASE CompulinxDB

TO DISK = ‘D:\Backups\compulinxFULL.bak
DISK = ‘E:\Backups\compulinxFULL.bak
INIT;
GO

Differential Backup

The following can be used to make differential backups. Here the differential is appended to media containing the full backup:

USE master;
GO
BACKUP DATABASE CompulinxDB

TO DISK = ‘D:\Backups\compulinxFull.bak’
WITH DIFFERENTIAL,
RETAINDAYS = 7, NOINIT;
GO

Notice the use of the command NOINT. This option indicates that SQL Server will append this backup to any other backups on the target media. This option allows you to take multiple backups and target them to the same media set.

Perform Transaction Log Backups

Transaction log backups allow the DBA to manage the transaction log size while not requiring the overhead of taking frequent database backups. This is especially useful for large databases that are only moderately volatile. Before you will be able to take a valid Transaction log backup, you must do two things:

Make sure that the recovery model is set to Full or Bulk-Logged
Take a full database backup that will act as the initial point in the recovery process.

Try using the following T-SQL syntax:

USE master;
GO
BACKUP LOG CompulinxDB
TO DISK = ‘D:\Backups\compulinxTLOG.bak’
WITH INIT;
GO

Notice the use of LOG. If you wanted to take a subsequent backup of the transaction log and append it to the existing media, the statement would look like this:

USE master;
GO
BACKUP LOG CompulinxDB
TO DISK = ‘D:\Backups\compulinxTLOG.bak’
WITH NOINIT;
GO

At this point, if the database were damaged due to a corruption or loss of a data device, you would have to capture the orphaned log. You can do this with the following:

USE master;
GO
BACKUP LOG CompulinxDB
TO DISK = ‘D:\Backups\compulinxTLog.bak’
WITH NOINIT, NO_TRUNCATE, NORECOVERY;
GO

The above syntax has some new points to consider. NO_TRUNCATE will make a copy of the log but does not truncate the log. NORECOVERY allows you to capture a trailing log before making a restore. The database will be placed into a ‘restoring state’. Remember the database will not be accessible until a restore is made.

The database will look something like the following:

Partial Database Backups

In part one I mentioned backing up filegroups; ‘Breaking a large database into files or filegroups for backup allows you to back up portions of it on a rotating schedule when it might be too time-consuming to back up the entire database at once’. Perhaps only a small portion of the database is changing. If this is the case we can backup a filegroup (the group of data files that is dynamic) and therefore make a partial backup. You can also make the non-volatile data read only.

USE master;
GO
BACKUP DATABASE CompulinxDB READ_WRITE_FILEGROUPS
TO DISK = ‘E:\Backups\compulinxDB_Partial.bak’
WITH INIT;
GO

Notice the use of READ_WRITE_FILEGROUPS. This causes SQL to backup only the primary filegroup and any other read/write filegroups in the collection.

How to Restore

OK, now we know how to set the different recovery methods for SQL, the different backup methods that use these recovery types and actually how to implement a backup. However, a backup is only as good as knowing how to restore the database.

How to Perform a Full Database Restore

There may be several reasons why you need to perform a full database restore. These include the following:

You need to restore a database to single point-in-time
You need to restore a database because the database is damaged
You need to move the database to a different server altogether

To demonstrate this we need to do the following:

Take a full database backup (make a baseline backup)
Next we have to modify the data in some way (perhaps by deleting a row?)
Then performing the restore so that we get our original database again.

So, to take a full database backup,

Make sure the database recovery model is set to Full (see the post before this one for details). I’m using the AdventureWorks DB. It’s a little big but there you go!
Take a full database backup using the following syntax (also shown above)

USE master;
GO
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH RETAINDAYS = 7, INIT;

3. Using the the following T-SQL code determine the first name of an employee with the last name of Abel

USE AdventureWorks;
GO
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';
GO

The answer that should be returned is Catherine. I used to go out with a Catherine…

4. Let’s say Catherine wants to change her first name (perhaps to Irene, I won’t say it…). You can use the following to do this:

USE AdventureWorks;
GO
Update Person.Contact
SET FirstName = 'Irene'
Where LastName = 'Abel'

5. Now make a differential backup which will record the change of Catherine to Irene. You can do this using the following (this is also shown above). This should only take 0.684 seconds (or there a bouts!)

USE master;
GO
BACKUP DATABASE AdventureWorks

TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH DIFFERENTIAL,
RETAINDAYS = 7, NOINIT;
GO

6. Now we need to restore the database using the full database so the first name is Catherine once more. To do this using the interface, simply right click your database and select restore:

7. Select Database and the following window will appear:

8. Using the backup history, you can select the correct backup or you can find it using the ellipses button on the right. Whatever you choose, select the full database checkbox only. Not the differential.

9. Click the Options page to see the restore options. As we are restoring over the top of an already existing database, select the Overwrite option. This prevents you from accidentally overwriting a database. The default is off. Click OK.

10. If you run the query to find the first name of the customer Abel, it should be Catherine.

A. Full Backup Restore (without differential)

You can do the restore without using the interface, by using the following T-SQL code.

USE master;
GO
RESTORE DATABASE AdventureWorks
FROM DISK = ‘E:\Backups\ADWORKSFULL.bak’
WITH FILE = 1,
REPLACE,
GO

Notice the use of FILE. The file value refers to a backup set file number. This option allows you to specify a specific backup in a media set based on its position number. This value was actually shown in the figure under point 7 above. You need this information to ensure that you are restoring the correct backup from the media if there are multiple backups stored on the same media. To determine the different backup set file numbers, try the following:

RESTORE Headeronly
FROM DISK= ‘E:\Backups\ADWORKSFULL.bak’
GO

Using REPLACE this restore will overwrite the existing AdventureWorks database on this server with the Full database backup. The first name of customer Abel is now Catherine.

B. Restore with Differential

Since we took a differential database backup after the customer name was updated to Irene we can restore the database using both the baseline full backup and the differential using the following:

USE master;
GO
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 1,
REPLACE,
NORECOVERY;
GO

This looks almost identical to our initial restore code except that we use NORECOVERY. This will put the database into a recovery state allowing us to then include the differential backup (allowing us to get the updated record that has changed customer Catherine to Irene). Just refresh the database in the interface and you will see. We can now include the differential backup while the AdventureWorks is in a recovery state. Remember you can ignore any previous differential backups since the ‘last’ differential is the only one you need. I have taken 2 differential backups following the full backups so the ‘position’ number equals 3. Its this file number that I’m interested in.

USE master;
GO
RESTORE DATABASE AdventureWorks
FROM DISK = ‘E:\Backups\ADWORKSFULL.bak’
WITH FILE = 3
GO

We do not use the REPLACE option as we are using the differential and not the full backup. Also notice that there is no indication that this is a differential. A query should show that the customer is Irene.

C. Restore with Full Backup, Differential and T-Log

To do this delete the backup file first and lets start from scratch. Once deleted, make sure our customer record is set back to Catherine. Then take another full backup.

USE AdventureWorks;
GO
Update Person.Contact
SET FirstName = 'Catherine'
Where LastName = 'Abel'

USE master;
GO
BACKUP DATABASE AdventureWorks
TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH RETAINDAYS = 7, INIT;

Now that we have our initial backup once more, lets change the customer name to Irene, check and take a differential backup

USE AdventureWorks;
GO
Update Person.Contact
SET FirstName = 'Irene'
Where LastName = 'Abel'

USE AdventureWorks;
GO
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';
GO

USE master;
GO
BACKUP DATABASE AdventureWorks

TO DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH DIFFERENTIAL,
RETAINDAYS = 7, NOINIT;
GO

Now you can check the File Position numbers, and you should see two files.

RESTORE Headeronly
FROM DISK= 'E:\Backups\ADWORKSFull.bak'
GO

OK, now we can change the customer name again (perhaps to Letitia…) and after take a T-Log backup.

USE AdventureWorks;
GO
Update Person.Contact
SET FirstName = 'Letitia'
Where LastName = 'Abel'

USE master;
GO
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\ADWORKSTLOG.bak'
WITH INIT;
GO

Two .bak files now exist. Lets make a final change to our database. Change Letitia to Magda and check. Then we can backup the T-Log

USE AdventureWorks;
GO
Update Person.Contact
SET FirstName = 'Magda'
Where LastName = 'Abel'

USE AdventureWorks;
GO
SELECT FirstName
FROM person.Contact
WHERE LastName = 'Abel';
GO

USE master;
GO
BACKUP LOG AdventureWorks
TO DISK = 'E:\Backups\ADWORKSTLOG.bak'
WITH NOINIT;
GO

Now if you check the file position numbers for the T-Log you should see two entries:

RESTORE Headeronly
FROM DISK= 'E:\Backups\ADWORKSTLOG.bak'
GO

OK, so to recap the name changed from Catherine to Irene to Letitia to Magda. Say we want to restore the whole thing. Remove the database. Then restore the database using the full backup. AdventureWorks will be put into into restoring mode.

USE master;
GO
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 1,
REPLACE,
NORECOVERY;
GO

Now that's done, use the last differential. Check the file position numbers:

RESTORE Headeronly
FROM DISK= 'E:\Backups\ADWORKSFULL.bak'
GO

In my case position 2.

USE master;
GO
RESTORE DATABASE AdventureWorks
FROM DISK = 'E:\Backups\ADWORKSFULL.bak'
WITH FILE = 2
GO

Now, that's been sorted I apply the T-Log backup. Use position 1 then 2 in that order

USE master;
GO
RESTORE LOG AdventureWorks
FROM DISK = ‘E:\Backups\ADWORKSTLOG.bak’
WITH FILE = 1,
NORECOVERY;
GO

USE master;
GO
RESTORE LOG AdventureWorks
FROM DISK = ‘E:\Backups\ADWORKSTLOG.bak’
WITH FILE = 2,
RECOVERY;
GO

The final log is restored with the RECOVERY option to make the database accessible to users. In a real recovery scenario, this will usually be the orphaned log.

SQL 2008 Backup Strategies

2011-07-13T23:09:00.001+01:00

For some reason I have found the SQL recovery models and backup strategies a strange mix of being confusing but interesting. To help understand the subject of backup/restore and SQL’s different recovery models I thought I’d share my understanding with the world at large. Maybe if anyone out there is reading this you can contribute as well.

The backup strategy you use depends on a variety of recoverability considerations:

What is the level of transaction volume. Does the database change minute-by-minute or say hour-by-hour?
What is considered to be an acceptable recovery time?
What is considered an acceptable level of data loss? Maybe you need to return to an exact moment in time.
How big can a backup be?

A backup strategy will require you to make decisions as to which kind of backup to make. And there are several. So you will need a fundamental understanding of these backup types.

Full Database Backup

A full database backup will truncate the transaction log and then copy every remaining data page and transaction log page to the backup media. The transaction log truncation will be non-reorganizing, meaning that no attempt is made to defrag/compact the log. It is simply truncated to the point of the last required transaction. Most backup strategies require a full database backup as the baseline for recovery. Remember that the log file will be truncated! From what I've read there is little point on having multiple log files. Keep just one. Also place the transaction log on a separate physical structure from the database. That way a loss of the disk containing the data files will not affect the log file. This may also help performance as log files are written to sequentially. Also, use RAID 1 so the log will be available in case of device loss. Regular backups will mean that not only will the log file not get too big but this will help prevent fragmentation.

Differential Backup

A differential backup will store all of the database pages that have been modified since the last full database backup. Note that this is a true differential backup and not an incremental backup. This means that each differential backup is inclusive of all transactions executed since the last full database backup and not simply since the last differential backup.

File or Filegroup Backup

If you are dealing with a very large database, you can back up individual files or filegroups. Breaking a large database into files or filegroups for backup allows you to back up portions of it on a rotating schedule when it might be too time-consuming to back up the entire database at once. If there is a failure affecting only one file or filegroup, only that portion and subsequent transaction logs would need to be restored. The log file is not in a filegroup.

Transaction Log Backup

This backup type will perform a non-reorganizing backup of the transaction log and store the transactions to the backup media. The backup types mentioned above store copies of the data pages at a particular time. This type of backup stores the actual transactions statements. When you restore using the full or differential backups, using the transaction log backup as well will involve replaying (if that’s the right word?) or re-executing the transactions on the log backup again which would be written back to the database. This process could take some time.

Recovery Models

Now that we understand (I hope) the different backup types, you need consider SQL’s three recovery models. Recovery is all about how the log file is treated by the SQL server on a day-to-day basis and what is made available for backup. Remember its all about the log file! Recovery in this context is about the level of logging and log retention.

You can determine the recovery model (which by default will be full) in the following way:

Connect the SQL Server Management Studio to the correct instance hosting the database
Expand the Databases folder and locate the right database
Right click the database and select Properties
Select Options
Decide on the recovery model by selecting Recovery Model

You can alter the recovery model using the following statement:

alter database TESTDB
set recovery Full

You should realize that the recovery model you choose will impact on the backup method you choose.

Simple

Simple means that the log file will be truncated each time the data pages and log pages held in RAM are flushed are written to disk (checkpointed). This keeps the log file small (there’s no point in backing up the log, in fact you can’t) which is good. But, you will not be able to recover to a point in time. You wouldn’t usually use this one. You might if it was a read-only database or you were developing a database application perhaps.

Bulk-Logged

The bulk-logged recovery model uses less disk space than a full logging solution by performing minimal transaction logging for the following operations:

SELECT INTO
bulk-load
CREATE INDEX
All operations involving text and image data types

A database that is in bulk-logged recovery mode cannot be recovered to a specific point in time if a bulk transaction has occurred. You still require log backups. A bulk insert (where you might be inserting a million rows into a table) would cause the log file to become very large if every transaction was recorded (if in Full mode) and would have performance implications. So you can switch to bulk logged from full just before the bulk operation. Once complete you set the recovery model back to full. The bulk operation would be logged as a kind of summary statement. So every transaction would be recorded while being in Full mode, then a summary of the bulk operation and then a continuation of all transactions when in Full mode again. What about the point-in-time recoveries? If the database is in the bulk-logged recovery model and no bulk actions have occurred since the last full backup, the database can be restored to a point in time. If, however, a bulk action has occurred, it can only be fully restored. So, it minimally logs bulk transactions but fully logs other transactions.

Full

The full recovery model is what you would use most of the time. It will give you the best recoverable opportunity at the expense of logging overhead however. Microsoft recommend that you use this model over the other two. The full recovery model will log every transaction to the log and is persistent after a checkpoint. A transaction is a change and any change on the database will cause an entry to be added to the log! A read does not cause a change so this of course will not cause an entry to be made to the log.

OK, so we are happy with the different backup types and with the different recovery models. The recovery models really describe how the transaction log is written to and whether the log truncates after a checkpoint or after a backup. With this combined knowledge we can consider the following backup strategies:

Strategy One: Simple

This strategy is suitable under the following conditions:

The database is relatively small
The database does not change minute-by-minute (less volatile)

With this strategy transaction log growth is kept under control, you won’t have to backup the transaction logs but this will mean there may be a small amount of data loss.

How do you do it ?

Set the recovery model to simple
Take full backups on a schedule of your choice (every night perhaps)
If there is a failure you will have to restore the most recent full database backup. That’s it.

Simple recovery means no transaction logs to use in the restore process. You won’t be able to return to a point-in-time and data loss will probably occur. But this of course depends on how dynamic the database is.

Strategy Two: The Database Only Backup Strategy

This strategy is suitable under the following conditions:

Low transaction volume
The transaction log be on a separate hard disk from database. Hardware failure of the database does not affect the log.

With this strategy, the transaction log is truncated because of a full database backup.

How do you do it?

Set the recovery model to Full or Bulk-Logged.
Take full database backups on your preferred schedule (perhaps every night)
If there is a database disk failure, begin by backing up the orphaned log
Restore from the most recent full backup followed by a restore of the orphaned log.

As you can see, database only backup can be restored to a point-in-time where the that time starts from the last full backup to time of disaster. The orphaned log would have transactions from the last full backup to time of disaster. As long as the log stays safe on another disk from the database your OK. If you lose the log though you lose transactions from the last full backup to time of disaster. As long as you make regular full backups and you have low transaction volume you should be OK.

Strategy Three: The Transaction Log Backup Strategy

This strategy is suitable under the following conditions:

Higher transaction volumes (causing increased log growth)
Longer restore time is acceptable

Instead of backing up the database file as a way of truncating the log, you backup the transaction log file. Backing up the transaction log will truncate log and keep its size under control. Although the backup up time will be relatively quick to do, the restore process will take time.

How do you do it?

Set the recovery model to Full or Bulk-Logged.
Take a full database backup that will act as the transaction log baseline (perhaps at 1:00AM)
Take regularly scheduled full database backups with periodic log backups in between (perhaps every at 6 hour intervals; 7:00 AM, 1:00 PM, 7:00 PM)
If there is a database disk failure, begin by taking a backup of the orphaned log immediately
Restore the most recent full database backup, followed by each of the subsequent log backups in the order that they were taken.
Finally, restore the orphaned log.

So if your first full backup was taken on Monday at 1:00 AM and a disk failure occurred at 6:00 PM on Tuesday you would take the following steps:

Immediately take a backup of the orphaned log file
Restore in the following order:
- Full backup from Tuesday 1:00AM
- T-log backup from Tuesday 7:00 AM
- T-log backup from Tuesday 1:00 PM
- Orphaned log at Tuesday 6:00 PM
Pray

Strategy Four: The Differential Backup Strategy

The transaction log strategy described above can be slow. The more you have the longer it will take to restore the database to the point of failure. If the changes made to a database are restricted to a particular number or subset of data pages, you could take differential backups instead of full backups. The transaction logs would then need to be restored only from the point of the latest differential backup.

Set the recovery model to Full or Bulk-Logged.
Take a full database backup that will act as the transaction log baseline.
Take periodic full database backups as needed (perhaps once once a week)
Take differential backups between the full database backups to record only the data pages that have been modified since the last full database backup
Take transaction log backups between the differential backups to record the individual transactions between each of the differentials.
If there is a database disk failure, begin by taking a backup of the orphaned log.
Restore the most recent full database backup followed by the most recent differential backup.
Restore all transaction log backups taken since the last differential backup in the order that the backups were taken.
Finally, restore the orphaned log.

Assuming the above model, a disaster at 1:00 Wednesday would require the following steps:

Immediately take a backup of the orphaned log file
Restore in the following order:
- Full backup from Monday 1:00 AM
- Differential from Tuesday 6:00 PM
- Transaction log from Wednesday 10:00 AM
- Orphaned log at Wednesday 1:00 AM
Beer

Pre-requisites for Installing SQL Server 2008 on Windows Server 2008 R2 Using PowerShell

2011-07-04T23:18:00.001+01:00

First step is to allow execution of scripts by changing the execution policy:

[PS] Set-ExecutionPolicy unrestricted (then say ‘Yes’)

Then copy and paste the following commands to install the pre-requisite operating system components needed

[PS] Add-WindowsFeature AS-NET-Framework,web-server,Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Basic-Auth,Web-Windows-Auth,Web-Client-Auth,Web-Cert-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Lgcy-Scripting,Web-Lgcy-Mgmt-Console –restart

Troubleshooting Exchange 2010 Management Tools Startup Issues

2011-07-03T22:07:00.000+01:00

Pretty good article on how to fix PowerShell errors

http://blogs.technet.com/b/jribeiro/archive/2010/04/05/troubleshooting-exchange-2010-management-tools-startup-issues.aspx

How to Convert .wav Files to .gsm Files

2011-06-15T23:48:00.001+01:00

This is how you convert wav files to gsm files used by Asterisk

for i in *.wav
do
        sox $i -r 8000 -c 1 $(basename $i .wav).gsm resample -ql
done

How to Configure Asterisk…a very basic guide!

2011-06-13T15:04:00.001+01:00

After hours of work and frustration I was greeted with “Is that it?” by her-indoors and “Dad can we play now…this stuff is totally boring!” by the little one. Well it was worth it…

First thing get yourself Asterisk running on Centos (maybe on VMWare etc.). The following link to MiamiManni on YouTube will provide all the information on how to install the operating system and install Asterisk. This guy is brilliant! The only two files that you need to configure are the sip.conf and extensions.conf files. The following configurations should work for you. As you can see I have configured only two SIP phones in my lab.

sip.conf

[general]
port=5060
bindaddr=0.0.0.0
context=other

[2000]
type=friend
context=my-phones
secret=a_good_password
host=dynamic

[2001]
type=friend
context=my-phones
secret=a_good_password
host=dynamic

[ext-sip-account]
type=friend
context=from-voip-provider
username=your_username
fromuser=your_DID
secret=account_password
host=voip_provider_fqdn
fromdomain=voip_provider_fqdn

qualify=yes
insecure=port,invite
nat=yes

extensions.conf

[globals]

[general]
autofallthrough=yes

[my-phones]
exten => 2000,1,Dial(SIP/2000,20)
exten => 2000,2,Voicemail(2000,u)

exten => 2001,1,Dial(SIP/2001,20)
exten => 2001,2,Voicemail(2001,u)

exten => 2999,1,VoiceMailMain(${CALLERID(num)},s)

exten => _X.,1,Dial(SIP/${EXTEN}@ext-sip-account)

[from-voip-provider]
exten => your_DID_Number,1,Dial(SIP/2000,20)

As said, this will provide you with just the basics.

Remember to open the following ports:

SIP 5004-5100 TCP and UDP

STUN 3400-3499 TCP and UDP

RTPSIP 10000-20000 UDP

Remember to reload asterisk in the CLI> after you make changes to the sip.conf and extensions.conf changes.

You can test trunk registration by typing “CLI> sip show registry”

Connect CentOS to Windows 7 or 2008

2011-06-08T23:06:00.000+01:00

I needed to connect my CentOS system to a Windows 7 machine (which is in a workgroup) quickly.

Yum install samba3x
Yum install samba3x-client
Yum install samba3x-swat

Once installed I was able to connect to a Windows share by typing

smbclient //WindowsNetBIOSName/ShareName –U Username (on WindowsMachine)

You should be prompted for a password for Windows user account. Using ‘get’ command I was able to copy a file to the CentOS machine.

Kaspersky Engine Does Not Update in Forefront Protection for Exchange 2010

2011-06-01T21:44:00.001+01:00

I found that FPE Kaspersky anti-virus engine failed to update. FPE should use the Kaspersky 8 engine and not the Kaspersky 5 engine (which has stopped being published).

Download the localenginemapping.cab from this location: http://go.microsoft.com/fwlink/?LinkId=196982
To enable Kaspersky 8, copy the localenginemapping.cab to the following location ( …\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\metadata). The settings will take effect automatically. The next engine update will provide the Kaspersky 8 engine.

If you need to determine your Exchange server rollup version you can run this script

FPE and FOPE ?

2011-05-31T10:01:00.001+01:00

Check out this webcast that describes what Exchange provides in terms of anti-spam and anti-virus and how Forefront Protection for Exchange (FPE) and Forefront Online Protection for Exchange (FOPE) improves things.

Click here!

FPE homepage

FOPE homepage

Don't put CAS in the Perimeter network!

2011-05-28T22:35:00.001+01:00

The following link provides a good read on why Microsoft does not support putting your CAS servers in the DMZ. Well Done Exchange Team!

http://blogs.technet.com/b/exchange/archive/2009/10/21/3408587.aspx

Enable Anti-Spam Functionality on a Hub Transport Server

2011-05-26T12:57:00.003+01:00

In some small organizations, it may make sense to run Microsoft Exchange Server 2010 anti-spam features on Hub Transport servers. For example, some organizations may not have enough e-mail volume to justify the cost of installing and maintaining a full perimeter network together with an Edge Transport server.
You can enable Exchange anti-spam functionality on Hub Transport servers.

Run the following command from the %system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts folder:

./install-AntispamAgents.ps1

After the script has run, restart the Microsoft Exchange Transport service by running the following command:

Restart-Service MSExchangeTransport.

You must specify all internal SMTP servers on the transport configuration object in Active Directory forest before you run connection filtering. Specify the internal SMTP
servers by using the InternalSMTPServers parameter on the Set-TransportConfig cmdlet.

Set-TransportConfig -InternalSMTPServers 192.168.3.1

Hyper-V Export Error: “Failed to Create Export Directory”

2011-05-24T23:57:00.001+01:00

If you receive this error while trying to export your VMs in Hyper-V, don’t despair! Just rename the virtual machine name in the management console and it will work (as if by magic…)

Enable PowerShell Remoting While Running VMWare Workstation in a Domain

2011-05-16T11:47:00.003+01:00

After trying to configure WinRM I received the following error:

To avoid this I found the following link very usefull

How to Build a VDI Infrastructure Using VM Pools

2011-05-16T09:33:00.000+01:00

In previous posts I have detailed steps to create Remote Desktop Services application hosting. The flip side of hosting applications using RDS services on Windows Server 2008 R2, is to use RDS services to provide a pool of virtual machines (Windows 7 clients) that users can connect to and use as there own desktops In some of the training schools I attend, this provides a real benefit. Students can connect to a single virtual machine being hosted on Hyper-V. The VM connected to is a member of a pool of VMs. Once the session is over and the student logs off, the VM is returned to a saved Hyper-V snapshot ready to start over again.

This post will detail steps to create a VDI Infrastructure by using different RDS services including Remote
Desktop Virtualization Host Server. At its most basic, Virtual Desktop Infrastructure (VDI) is a deployment design that puts the user desktop on a virtual machine (VM) in the datacenter, rather than on the physical computer at someone’s desk. There are different types of VDI. These include:

Users can connect to a Virtual Desktop (VD) that has specifically been assigned to that user by using the Remote Desktop Connection Client. The user does not have to know which VM the VD is actually on.
A pool of desktops available to a set of users on a temporary basis. It is this that we will be trying to create.

Some terms that are often used when discussing VDI include the following:

The computer that is running the RDC client and that someone sits in front of is called the client.
The VM that this person is connecting to is the endpoint, or the guest (a guest of the RD Virtualization Host it’s running on).
Preparing a VM to be used (for example, bringing it out of hibernation) is called orchestration.
Moving a VM to a new RD Virtualization Host is called placement. Placement is not part of the basic RDS VDI solution but might be supported via a filter plug-in.

The following diagram hopes to expose how a typical VDI 'comes together', and shows you the different RDS services involved. Central to VDI is the role of the Connection Broker. Clients can make connection requests using a web interface, RDC client etc.
As you can see, clients can connect to the VDI in a number of different ways, some of which have been investigated in earlier posts. My personal favourite is by Remote Desktop Web Access! In all these cases, the request is brokered by the RD Connection Broker. RD Connection Broker works with RDP clients back to RDP 5.2 (which was available for Windows XP SP2 and Windows Server 2003), so the vast majority of Microsoft RDP clients are supported.
To support Microsoft VDI, you’ll need to do the following.

Install the RD Virtualization Host.
Install and configure the RD Connection Broker (including the Remote Desktop Session Host in redirector mode on the same computer).
Install and configure RD Web Access to allow users to discover the VMs.
Configure the VMs to work with VDI.
Create pools (and assign personal desktops if required).

We will look at these in turn.

Install the RD Virtualization Host

Install Hyper-V Server 2008 R2 on a suitable machine ( I am not adding Hyper-V as a role but as an operating system which can be downloaded from Microsoft HERE.
Once Hyper-V is installed configure it to have suitable NetBIOS name, IP domain membership etc.
Next enable PowerShell v2 on the system by following an earlier post
Next you will need to consider management of your Hyper-V server from say a Windows 7 machine. This machine needs to be domain joined and you need to be in as a Domain Administrator. The details can be found by following an earlier post and essentially involves adding the RSAT tools. Don’t forget to also add Server Manager as well because you will need to use this interface in the configuration of the Hyper-V server in addition to Hyper-V management!
The next big step is to Install Remote Desktop Virtualization Host on your Hyper-V server. An earlier post details how to do this and you will see how you benefit from installing PowerShell which you did in an above step.

Install and Configure the RD Connection Broker and RD Session Host Roles

On a separate server you will need to install the RD Connection Broker role and RD Session Host role. The RDCB is real brains behind the whole thing. The RDSH role is co-resident with RDCB but it doesn’t have to be.

Log on to the computer as a member of the Domain Administrators group
Select Start Administrative Tools Server Manager.
In the Roles Summary section, click Add Roles.
On the Before You Begin page, click Next.
Select the Remote Desktop Services check box, and then click Next.
Select the Remote Desktop Connection Broker and Remote Desktop Session Host role services check box and then click Next
Click Next on the application compatibility warning
Select ‘Require Network Level Authentication’ and click Next
Select ‘Configure Later’ on the Licensing Mode and click Next
Add Domain Users to allow your users access
Click next on the Client Experience page.
Click Install on the confirmation page.
You will now have to restart the RDCB/RDSH server

Now the two roles have been installed on a server you should continue by configuring the roles.

On the same server, select Admin Tools
Select to Remote Desktop Services
Select Remote Desktop Connection Manager (this is configuring RDCB)
Select RD Virtualisation Host Servers (shown below) and right click
Select Add RD Virtualisation Host Server and enter the name of your Hyper-V machine installed earlier
You should then see the number of virtual machines created on your Hyper-V system. NB. That this works specifically with Hyper-V and no other Hypervisor. The number seen represents all Hyper-V hosted virtual machines be they on or off.
Select Remote Desktop Connection Manager:ServerName which can be found on the top left part of the window. Their are a number of different configuration settings here (shown below)
You can change the Display Name. This name will appear in the Web Portal (on RD Web Access). This is shown below:
On the RD Web Access tab enter the name of the RD Web Access server. If you don’t have one installed I will go though this later, but don’t forget this needs to be added here! The RDWA server account is made a member of the local TS Web Access Computer Group.
You should see ‘1’ RD Virtualisation Host Server has been added (from step 5 above)
You can now configure ‘RD Session Host server for redirection’. Select Configure. As this server is also running as a RDSH machine, the same server name should be present. See the diagram below:
You can also enable redirection for earlier clients as shown above.
Select Admin Tools
Select Remote Desktop Services
Select Remote Desktop Session Host Configuration (this is configuring the RDSH). Remember that both RDSH and RDCB are on the same machine but you could have them running on separate machines.
Under Remote Desktop Connection Broker on the main page, select ‘Member of Farm in RD Connection Broker’.
On the RD Connection Broker Tab, select Change Settings
Ensure that the Virtual Machine Redirection button is selected
Add the RDCB server name to the RD Connection Broker Server Name field:
You may receive an error. Ensure that the RDSH computer account has been added to the local computer group ‘Session Broker Computers’ on the RDCB.
On the Digital Signature tab, you are required to define a suitable certificate. The following post will describe how to create the certificate using Active Directory Certificate Services. The certificate can be shared (I mean it can be the same certificate) amongst all the RD servers. You do this by exporting the certificate. I have gone to some length to explain this in the referred post.

Install and configure RD Web Access

On a separate server add the RD Web Access Server Role: Log on to the computer as a member of the Domain Administrators group
Select Start Administrative Tools Server Manager
In the Roles Summary section, click Add Roles
On the Before You Begin page, click Next
Select the Remote Desktop Services check box, and then click Next.
Select the Remote Desktop Web Access role service check box and then click Next.
Continue on through the wizard and do not change any of the required components.
Once the role has been installed, you should import the server certificate that you have used on the RDCB/RDSH server. If you have created this certificate correctly, you should have defined the right Subject Alternative names which will mean that when a user connects to the RDWA server using the web portal, no errors should occur.
Once the certificate is in place reboot the server.
Once restarted, select Admin Tools
Select Remote Desktop Services
Select Remote Desktop Web Access Configuration
Sign in as Administrator and select configure. The interface is shown below:
Select the RD Connection Broker and add the RDCB name as the Source Name.
You should not receive any errors if you have added the RDWA computer account to the local TS Web Access Computer Group on the RDCB server (see step 9 of Install RDCB and RDSH above)

Configure the VMs to work with VDI

In my test infrastructure I have installed two Windows 7 virtual machines on Hyper-V. The following configuration is made on both of course.

Each machine needs to be joined to the domain
Click Start, Control Panel, System and Security, click on System, Advanced System Settings and select the Remote tab. Select the radio button that allows connections using Network Level Authentication. Also select the Select Users button. Define which users should have remote access. You will most likely add Domain Users.

You will then need to enable RemoteRPC. Remote Procedure calls (RPCs) allow other processes to connect with the operating system. They’re required to allow the VM Host Agent to wake up the VM. To allow RPC connectivity,
set the value of AllowRemoteRPC to 1 in the location HKLM/System/CurrentControlSet/Control/Terminal Server.
We next should configure each Windows 7 machines firewall to allow for Remote Desktop. Select Start, type ‘Fire’ and from the list given select ‘Allow Program Through the Windows Firewall’. Select Change Settings and select ‘Remote Desktop’ on the Domain Profile
You will next need to configure RD virtualization host RDP permissions. This is a little tricky. I have found that running a PowerShell script to be the easiest solution. The script can be found here. A copy can be found at the bottom of this post. Just copy the script to a text document and save as a file with a PS1 extension.
Select Start and simply type ‘Power’ in the search field. Select the PowerShell icon that appears (you should run this as an Administrator).
Type the cmdlet set-executionpolicy unrestricted
Locate the directory that your script is in (created in step 5) and type the following cmdlet: .\yourscript.ps1 –RDVHost yourdomain\RD Virtualisation Server replacing the script, domain and RD virtualisation server with your own
Remember to do this on each Windows 7 machine!
Your next move is to take snapshots of the virtual machines running on your Hyper-V system. Make sure you log off each Windows 7 system. Select each Windows 7 virtual machine and select snapshot as indicated below:
Once each snapshot has been taken, ensure that each one is renamed with RDV_Rollback in the snapshot name:
The above procedure will automatically roll the VM back to this snapshot after the user logs off.

Create VM Pools

Our next task is to create a VM Pool on the RD Connection Broker.

Log on as Domain Admin on the RD Connection Broker.
Open the RD Connection Manager from the RD Services in Admin Tools.
Select RD Virtualisation Host Servers
Under Actions on the right hand side, select ‘Create Virtual Desktop Pool’
Click Next on the Welcome screen
You should now see all of your virtual machines created on your Hyper-V system.
Using CTRL key select each Windows 7 machine. Click Next
Enter a name for the pool. Something like ‘Windows 7 Pool’.
Enter the name for the Pool ID. Something like ‘Pool1’

How Does the User Connect?

A user can connect to the pool using the web portal hosted on the RD Web Access Server.

Opens a browser and types the URL of the RDWA server followed by /owa (E.g. https://RDWAserver/rdweb)
Sign in as an ordinary user
You should now see the Windows 7 pool created above:
Select the pool and provide the password

Using the Powershell to Send Email Messages (Send-MailMessage)

2011-03-30T13:21:00.002+01:00

With Exchange 2007 SP2 you can send emails from within powershell! To avoid authentication issues, your default receive connector must allow anonymous users to connect. This is normally required when you allow connections to your exchange server from the Internet. You can do this from the shell:

To determine your connector name:

[PS] Get-ReceiveConnector

This will provide the following output (EX1 being the name of my exchange server)

Identity Bindings Enabled

-------- -------- -------
EX1\Default EX1 {:::25, 0.0.0.0:25} True

EX1\Client EX1 {:::587, 0.0.0.0:587} True

Now you can determine the current permissions set on the Default connector:

[PS] Get-ReceiveConnector "EX1\Default EX1" ft name,perm* -au

This will provide the current permissions set on the connector. If the connector has not been configured to receive mail from the Internet, then you will most likely NOT see "Anonymous" listed. This will need to be included. You can do this as follows:

[PS] Get-ReceiveConnector "EX1\Default EX1" |Set-ReceiveConnector -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

Once this is done, you can send email from the powershell. Here's an example where the administrator (user currently running powershell) sends an email to a recipient (usermailbox) called ben:

[PS] Send-MailMessage -From administrator@compulinx.local -To ben@compulinx.local -Subject "Test Email" -Body "Hi Ben ...Just a test" -SmtpServer ex1.compulinx.local

How to Setup a Remote Desktop Session Host Farm using NLB on Server 2008 R2 (Part 2)

2011-03-24T22:55:00.001Z

In a earlier post I went through installing a single remote desktop session host server. The post can be found here. The screenshots shown below overview the installation of the RDSH role.
As this is a test lab, I will not be installing a Licensing Server.

VIEW SLIDE SHOW

DOWNLOAD ALL

So, install the RDSH role on both servers and add ‘Domain Users’ to the local ‘Remote Desktop Users’ group.
RDSH Certificates Template
We now need to configure the RDSH servers to use machine certificates obtained from an enterprise CA. All servers involved in the provision of remote applications to connecting clients require machine certificates. Each server will obtain its own machine certificate from an Enterprise CA. This will be used for remote desktop connections. However, I have found that you will need to share a signing certificate amongst both RDSH and RDCB servers (this certificate originated from RDSH1). I will show you how to create a suitable certificate template on the CA which we will use to enrol a needed certificate on each RDSH server.

On the Enterprise CA, under the Certificate Template Node, select Manage and duplicate a Web Server certificate. Select Windows 2008.
Give the certificate an appropriate name.
On the Security tab, ensure that all servers involved are placed on the security ACL tab with 'Read' and 'Enrol' permissions.
On the Request Handling tab, ensure that the Allow Private Key to be Exported is selected
On the Subject Name tab, ensure the Supply in the Request radio button is selected.
Select the Certificate Template Node, right click and select New. Locate the duplicated certificate just created and ensure that it is listed in the Certificate Template list.

VIEW SLIDE SHOW

DOWNLOAD ALL

Now that you have created a new certificate template that will be used by the Remote Desktop servers, you should define revocation information on certificates your CA will publish. This is detailed in an earlier post (See Step 1 Configure Enterprise CA to Support AIA Extension to Support OCSP). This post will also explain the importance of OSCP in overcoming any revocation errors that you might receive when connecting externally.

The next logical step would be to obtain suitable machine certificates for the RDS servers.
Manually Obtain Machine Certificates on Your RDS Servers
Now that the RDS certificate template and the correct revocation settings have been made, you can now obtain the necessary machine certificates. Use the following procedure:

On your RDS servers, log on as Administrator
Type MMC in Run
Select File, Add Remove Snap-in
Under Available snap-ins, select Certificates and click Add
Select Computer account and click next
Select Local computer and click finish and click Ok
On the Certificates snap-in, select the Personal node, right click and select All Tasks, Request New Certificate
Click Next on the Before You Begin window and click Next again
Select the certificate template created above and select the blue hyperlink
Under the Subject tab type a suitable Common Name. If the certificate is to be used and sent externally (on the Internet) then you should use a public DNS name. Click Add.
Under Alternative name, select DNS and add names corresponding to both public DNS and any private FQDNs. The DNS name should also include the name of the farm that you intend to use (plan wisely!). At this point, you should add the host record (mapping farm name to an IP address) to your internal DNS server. The IP address used will be the IP used for your NLB cluster (more on this later!)
Under General tab, write a suitable name and description for the certificate.
Under Private Key select make Private Key Exportable. You may need to copy the certificate to other servers at some point (that is certificate and private key)
Click Apply and OK to finish the wizard
You should repeat this procedure on both RDSH, RDCB servers and for the RDWA server (with suitable external and internal names).

Once you complete the certificate request, you should see your certificate in your certificate MMC personal store. Now you have them, now you need to assign them correctly.
Configuration of Remote Desktop Session Host Configuration and its Certificate (Do this on each RDS server)

Select Admin Tools, RDS and then open Remote Desktop Session Host Configuration.
Under Connections select RDP-TCP properties
On the General tab you will probably find the Certificate is set to Default. Using the select key make sure you define the certificate you installed above.

This should be done for each RDS server (each server should use its own certificate obtained from the Enterprise CA).
To configure a certificate used to digitally sign the RDP file (Do this on both RDSH servers farm members)
I have found that it helps to use the same machine certificate across both RDSH servers and on the RDCB server. You will have to export the certificate with private key (therefore a .pfx file) from RDSH1 to RDSH2 and to RDCB. To export the certificate, just right click on the personal machine certificate in a MMC and select Export. Then import the certificate onto the other machines using a MMC once more. Once the certificate has been exported/imported you can now deal with configuring that certificate to digitally sign the RDP file.
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.

Log on to RDSH1 as Domain\Administrator.
Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
Under the Overview section, click Change next to Digital Signature Settings.
Select the Sign with a digital certificate check box.
Click Change.
On the Confirm Certificate page, select the appropriate certificate, and then click OK.
Click OK to close the RemoteApp Deployment Settings dialog box.

Certificates and Domain Joined Clients
Domain joined clients will automatically have the CA root certificates stored in their trusted root store. They will not need personal machine certificates only the trusted root certificate in order to validate certificates received from the RDSH servers.

Configure the RD Connection Broker server (RDCB server)

On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer (remembering to import a PFX file). Then configure the imported certificate used to digitally sign the RDP file.

Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
On the Digital Signature tab, select the Sign with a Digital Certificate check box.
Click Select.
In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.

Configure the RD Web Access server (RDWA server)

On a separate member server, install the RD Web Access role service.You will need to obtain a certificate for this server like you obtained a certificate for the RDSH server from the Enterprise CA.

Setting Up Authorization
A chain of authorization needs to be set up. The RDSH servers needs to authorize the RDCB and in turn the RDCB will authorize the RDWA server. You must add Web Access and Connection Broker Servers to TS Web Access Group on Session Host Servers (RDSH1 & RDSH2)

On each of your RD Session Hosts go to Start > Administrative Tools > Computer Management.

Open Local Users and Groups and select the Groups sub-folder on the left, then double click the “TS Web Access Computers” group in the center.
Add the names of your RD Web Access and Connection Broker servers.

Add Web Access Servers to TS Web Access Group on Connection Broker Server.
Now on the Connection Broker add the Web Access servers to the TS Web Access group. You can do this through Computer Management like above or you can do it using the RD Connection Manager.

Go to Start > Admin Tools > Remote Desktop Services > Remote Desktop Connection Manager.

On the Actions pane, click Add RD Web Access Server.

Enter the FQDNs of any RDWA servers

Add Session Hosts to Session Broker Computers Group on Connection Broker
Now we need to add our Session Hosts to a group to give them the ability to use the Connection Broker. Add them to the local group in Computer Management.

Add each RDSH server to the list

Configure Session Hosts to Use Connection Broker (RD1 & RD2)
Now all of our Session Hosts need to be configured to use the Connection Broker’s services. On each RDSH:

Select Admin Tools, Remote Desktop Service, Remote Desktop Session Host Configuration.

Double-click ‘Member of Farm in RD Connection Broker’ which is under ‘RD Connection Broker’

Under the RD Connection Broker tab click the Change Settings button.

In the resulting RD Connection Broker Settings window, you specify how this RD Session Host server will interact with RD Connection Broker—that is, what the relationship is. Choose Farm Member and then enter the RD Connection Broker server FQDN and the farm name in the input boxes (see above). You should use the FQDN rather than flat NetBIOS name. This name should be one of the subject names used in the certificate created.
Click OK and you will be back on the RD Connection Broker Properties tab. The check box next to Participate in Connection Broker Load Balancing is selected by default. Leave it selected.
The weight describes its capacity relative to the other RD Session Host servers in the farm. Although all RD Session Host servers should be configured identically, not all will necessarily have the same amount of
memory or the same number of processor cores. For example, if a server is only 75% as powerful as other servers in the farm, then you can reduce its weight to allow it only 75% as many connections as the other servers. The default value is 100.
Also by default, the redirection method—how a client connects to the RD Session Host server once RD Connection Broker decides which server should accommodate the connection—is set to Use IP Address Redirection. If the initial load balancer allows clients to connect directly to RD Session Host servers in the farm, keep this default
setting. Unless you have a good reason, you should leave Use IP Address Redirection.
In the bottom section of this page, select the IP address that will be used for reconnections to this server. NOTE If you have more than one network adapter that you want to use, you can choose them all by checking the box next to each network adapter.
Perform this process for each member of the farm, taking care to use the same farm name and the same redirection method on all farm members.

Configure RemoteApp to Connect to RD Server Farm
We need to provide the RD farm address so that clients will connect to it when running RemoteApps. On each Session Host:

Select Start, Admin Tools, Remote Desktop Services and RemoteApp Manager

Next to RD Session Host Server Settings click Change.

In the RD Session Host Server tab type the FQDN of the farm then click OK.

Configure Connection Broker for RemoteApp Programs Source
Now it’s time to configure a RemoteApp source for the Connection Broker. On the Connection Broker :

Select Start Admin Tools, Remote Desktop Services, Remote Desktop Connection Manager.

Click RemoteApp Sources in the left hand tree, then choose Add RemoteApp Source in the right Actions pane.

Type the DNS name for the RD server farm then click Add.

Configure Web Access Servers to Use Connection Broker RemoteApp Source
If you have come this far your doing well! We need to make sure the Web Access Server is configured to use Connection Broker as the source for our RemoteApps. On each Web Access server :

Select Start, Admin Tools, Remote Deskt0p Services, Remote Desktop Web Access Configuration.

Supply Domain Admin credentials and sign-in.

Click the Configuration tab heading. Then for “Select the source to use:” choose “An RD Connection Broker server”. Then type in the Connection Broker server name in the “Source name:” field. Click OK. Remember, the RD Connection Broker server has been added to the TS Web Access Computers group on each farm member (RDSH1 and RDSH2).Also we have added the RD Web Access computer account to the TS Web Access Computers group on the RD Connection Broker.

Configuration of NLB
We now need to consider our method of initial load balancing. Remember, clients don’t talk to the RD Connection Broker role service directly; they connect to a farm, which sends this connection to the RD Connection Broker to let it find the right endpoint. So, the farm is connected to first (lets call it the initial connection) and then the connection broker, and then to RD Session Host server in the farm! We will use NLB as our method of load balancing the initial connection to the RDSH farm.
NLB distributes incoming connections evenly across each load-balanced server on the principle that if the incoming requests are evenly distributed, the traffic should be, too. NLB is best for load-balancing servers when the connections are very short, like web servers, or in this case, the initial connection in a farm that is participating in RD Connection Broker load balancing. NLB is more complicated to set up than RR DNS, but it’s capable of detecting when a server is no longer available and will not attempt to send connections to it.
To configure an NLB cluster, you need to complete the following steps.

If you have a network adapter dedicated to NLB, you need to configure it with static IP and subnet mask
Install the NLB Manager on a host node or other management machine. To do
this, open Server Manager and select the Features section. Click Add Features, select the check box next to Network Load Balancing, and click Install.
Configure the NLB cluster.

Open NLB Manager on one of the farm members from Start, All Programs, Administrative Tools, Network Load Balancing Manager or by typing nlbmgr in the Run text box on the Start menu. Right-click Network Load Balancing Clusters and choose New Cluster.
In the Host input box, enter the name of one of the NLB hosts (one of the RD Session Host server farm members) and click Connect. All available network adapters on that server show up in the lower pane. Select the NLB network adapter and click Next (I am using only a single adapter on each RDSH machine)
The IP address and subnet mask assigned to the network adapter will show up in the next window. The priority number is a unique number that differentiates the servers. Accept the default value. If you need to make any changes to the address, click Edit and make your changes. Leave the Initial Host State as Started, and click Next.
On the next screen, click Add and add a unique IP address and subnet mask that will be shared by all cluster members, and then click OK. When users request access to the farm, they will be sent to this address instead of a specific RD Session Host server. This is the ‘Cluster Address’
On the Cluster Parameters page, accept the defaults, including Unicast for the Cluster Operation Mode setting, and click Next. All cluster host adapters must use the same operation mode or NLB will not function.
On the New Cluster: Port Rules page, you need to make a few changes to the default settings. Click Edit, and then change the starting and ending port range to 3389 (in both the To and From fields) because you will be using this cluster to load-balance RDP traffic only. In the Protocols section, select TCP. In the Filtering Mode section, choose
Multiple Hosts to allow multiple hosts to handle traffic for this port rule. For Affinity, you have three choices; none, single and network. Choose Affinity: None so that incoming connections can be sent to any member of the farm. (There’s no reason to set affinity when the connections are being redirected, and doing so could make your load-balancing efforts useless by sending repeated connection requests to the same server.)

4. Add a DNS entry mapping the farm name to the cluster IP address.

How to Configure File Server Resource Manager (FSRM) to Send an Email

2011-03-09T22:36:00.000Z

You can ensure FSRM servers send emails to configured administrators as follows:

1. After installing the FSRM role service, open the snap-in from Admin Tools
2. Right click File Server Resource Manager (Local) and select Configure Options
3. In the configure options window, configure the SMTP Server Name (the Exchange Server)
4. Configure the Default Administrator Recipients email address
5. Configure the Default From Email Address

The Default From Email Address is the address for the FSRM server (which can be an ordinary mailbox built earlier). When the FSRM server wants to send an email of notification (perhaps because someone oversteps their quota or places an incorrect file type into a folder) it will use this email address. The server authenticates using its computer account and then submits the email to exchange. So for this to work you need to allow the FSRM to send the email on the mailbox behalf. You can do this by typing the following cmd in powershell on or connected to the Exchange server:

[PS] Add-Adpermission -Identity "fsrm" -user "compulinx\srvExchange$" -extendedrights "Send-as"

Where fsrm is the mailbox that the server (srvExchange$) uses. You can click the 'Test Email' button to make sure it works.

How to Setup a Remote Desktop Session Host Farm using NLB on Server 2008 R2 (Part 1)

2011-03-03T00:19:00.044Z

A RD Session Host server farm consists of two or more RD Session Host servers with the same software configuration (for example, security settings and device redirection policies) and application sets, all represented under a single farm name so that they appear to the client as a single server. Server farms are load-balanced so that the workload is distributed evenly among all farm members. Because the servers are configured the same way, it does not matter to users which server they get directed to. All servers should provide the same user experience.

When a client connects to RDSH farm, the client makes an initial connection to a particular RDSH server which redirects the client to a Remote Desktop Connection Broker (RDCB) which then brokers a connection to an individual RDSH of the farm. Initial connections can be load balanced in three main ways:

DNS Round Robin
Network Load Balancing
Dedicated RDSH Redirector

DNS RR is not so clever. By creating multiple host records for each member of the farm, you distribute client connections to the farm. If however a farm member goes down, DNS will continue to hand the host record out to requesting clients despite the fact that a member server is down.

A dedicated redirector is an RD Session Host server whose sole role is to redirect initial connection requests to RDCB. To avoid asking working RD Session Host farm servers to handle incoming connections, you can dedicate a server to do this work. The only catch to using a dedicated redirector is that it represents a single point of failure.

We will configure initial connection load balancing by using load Network Load Balancing (NLB):

As you can see in the diagram above, the client makes an initial connection via the RD Web Access server to RDSH 1. This could be infact to RDSH1 or RDSH2 as these two servers will be in a NLB cluster. Either server will then redirect the connection to the RDCB. The RD Connection Broker finds the most suitable endpoint for the connection request and gets its IP address. The result is passed back to the RDSH and then back to the client. The client then connects directly to the RDSH that the RD Connection Broker has deemed most suitable.

If an RDSH server goes offline how does the RDCB know? It monitors whether the connections it redirects are successful. If redirection fails the RDCB begins pinging the suspect RDSH server and if this fails then the RDSH is removed from its database.

Part Two

Remote Powershell

2011-02-20T23:21:00.003Z

On my travels I picked up this useful method of remoting into another machines powershell. Windows 7 and Server 2008 R2 have WinRm packed inside so you dont need to download anything. If your not sure you can try typing the following:

[PS] Get-Service winrm

On the server you want to remote into (lets call it the target), type the following:

[PS] Enable-PSRemoting

This command will start the WinRM service and sets the startup type to Automatic. It will also enables a firewall exception for WS-Management communications and create a listener to accept requests on any IP address.
The next step involves establishing which machines can connect to the target (that is your client). On the target type the following:

[PS] cd wsman:
(note the colon:)

[PS] cd localhost\client

[PS] dir

You should see a table displayed indicating that the TrustedHosts has a no value. This has to be changed so that your client can connect. To do this type the following but note you MUST be in the WSMan namespace as shown above!

[PS] Set-Item TrustedHosts *

You should then restart the WinRm service

[PS] Restart-Service winrm

You could have performed the action by typing one single cmdlet:

[PS] Set-Item WSMan:\localhost\Client\TrustedHosts *

Now that your target is configured, you need to configure the client. Type the following:

[PS] New-PSSession -computername "FQDN of the Target"

You should now see a table displayed referencing your session with an ID number. To display the session created at any time type the following:

[PS] Get-PSsession

To enter the session type the following:

[PS] Enter-PSsession -id (the numerical value of the session e.g. 1)

You should now be in the remote powershell! To end the session type the following:

[PS] Exit-PSsession

and to remove the seesion entirely type the following:

[PS] Remove-PSsession

If you want to connect to the powershell of Exchange 2010, you can do so by doing the following:

You first need to create a session variable (this I've called session) that creates a new PSsession. This time we use a ConnectionUri rather than a computer FQDN like above.Notice the use of the IIS virtual directory. You can see in the command below that you also need to specify a credential of the connecting user.

[PS] $session = New-PSSession -Configurationname Microsoft.Exchange –ConnectionUri http://servername/powershell -Credential (DomainName\UserName)

You should be prompted to provide the password of the account used. Now that your session is stored you can import the server-side powershell session to the client side one. To do this type the following:

[PS] Import-PSSession $session

It takes some time to import the exchange cmdlets. Once it is completed, you can use all exchange cmdlets in your Windows Powershell session.

As before you can remove the session one your done by the typing the following:

[PS] Remove-PSSession $session

How to Setup a Simple WSUS Server on Server 2008 R2

2011-02-11T13:30:00.008Z

In its most basic form, a WSUS deployment consists of a single server on the local intranet inside the DMZ and inside the Internet firewall. This server will be used to connect to Microsoft Update and download available updates in a process that is called synchronization. You will synchronize the WSUS server with the Windows Update servers on a regular basis, and the WSUS server will verify that available updates have been synchronized to the WSUS server. The initial synchronization will take an extended period of time if your Internet connection speed is good and longer if it is not. Subsequent synchronizations will be faster
because the WSUS server is only synchronizing new updates that have been made available.

WSUS uses port 80 and 443 to obtain updates from Microsoft Update servers. You can change them (which I have needed to do). Automatic Updating is the client-side part of WSUS deployments. The service has to use the port assigned to the WSUS website in IIS. If there are no websites running on the server where you install WSUS, you can choose to use the default website (port 80) or a custom website and ports.

WSUS on Server 2008 R2 uses Computer Groups to target client machines that require the updates. There are two default groups that are defined: All Computers and Unassigned Computers. You can create additional groups assigned specific computers to these groups so that WSUS can target specific client needs.

WSUS servers can be chained together in larger networks. This takes on two methods:

In autonomous mode, the upstream server, or the server connected to Microsoft Update, shares synchronization information with its downstream partner but does not share its computer group information. This way, the available updates are passed from WSUS server to WSUS server while maintaining the integrity of the individual computer groups.
In replica mode, the upstream server shares its synchronization information and its computer group information with its downstream partners. The downstream partners hold the same information and are thus functional replicas of the upstream WSUS server.

Servers/clients not Connected to The Network.
If you machines that live in isolation, you can export the updates to external media (flash,drive,CD etc.) and sneakernet to the isolated network. You then import the updates to a isolated WSUS server and deploy the updates from there.

Space Requirements - Keep it Local
Microsoft recommends that you haveat least 20GB of local storage at a minimum and actually recommends 30GB. Keep in mind that these numbers are only estimates and could go higher than 30GB depending on your network needs and particular situation. 1GB minimum free space on the system partition is recommended. 2GB minimum free space on the volume on which the database files will be stored is recommended.

WSUS uses the Background Intelligent Transfer Service 2.0 (BITS 2.0) protocol for all of its file transfer needs. Each time files are downloaded from servers to clients, they are moved using “spare” bandwidth. This technology also makes it possible to continue downloads, even if the computer is shut down in the middle of a download, once the computer is restarted.

Software Requirements
Before installing WSUS in your environment, you must ensure that both the WSUS server(s) and clients meet the minimum software requirements.

The WSUS servers must have at least the following installed:

Windows Server 2003 with Service Pack 1, Windows Server 2008, or Windows Server 2008 R2.
Internet Information Services (IIS).
Windows Installer 3.1 or newer.
.NET Framework 2.0 or newer.
If you are using a separate database server, you must have a computer installed that is running SQL Server 2005 with Service Pack 2 or newer. We will use an Internal Database.

To run the WSUS Administration Console, you must have the following installed:

Windows XP with Service Pack 2, Windows Vista, Windows Server 2003, Windows Server 2008 Windows Server 2008 R2, or Windows 7
Microsoft Management Console 3.0
Microsoft Report Viewer Redistributable 2005

WSUS clients must be running one of the following operating systems:

Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows Vista
Windows XP
Windows 2000 with Service Pack 4

The Windows Internal Database does not support remote connections, so you will not be able to install the WSUS Administration Console on another computer if you are using the Windows Internal Database.

Configuring Prerequisites for WSUS 3.0
You will need to install IIS and Report Viewer 2008 SP1Redistributable (at time of writing)

Log on to the computer as a member of the local Administrators group
Select Start Administrative Tools Server Manager.
In the Roles Summary section, click Add Roles.
On the Before You Begin page, click Next.
Select the Web Server (IIS) check box, click Add Required Features, and then click Next.
Read the Web Server (IIS) page. On the Select Role Services page, ensure that only the following check boxes are selected:

Static Content
Default Document
ASP.NET
.NET Extensibility
ISAPI Extensions
ISAPI Filters
Windows Authentication
Request Filtering
Dynamic Content Compression
IIS 6 Metabase Compatibility

7. Click Install. This may take a few minutes to complete.

8. When the installation is complete, click Close

Finally, you can install the Report Viewer 2008 SP1 Redistributable

Download the Microsoft Report Viewer Redistributable from http://tinyurl.com/
l6oex2.
Double-click ReportViewer.exe, and then click Next to start the installation.
Select the “I have read and accept the license terms” check box, and then click Install.
When the installation is complete, click Finish

Installing and Configuring WSUS 3.0
WSUS 3.0 is packaged as a stand-alone installer available from the Microsoft Download Center. On Server 2008 R2 (thats what were using here) it is included as a role:

Log on to the computer as a member of the local Administrators group
Select Start Administrative Tools Server Manager.
In the Roles Summary section, click Add Roles.
Select the WSUS role and click Next (this might take a while).
Click Install
On the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard click Next
Select the I Agree radio button and click next
Select the appropriate Update Source (Store Updates Locally)
Select Install Windows Internal Database on this Computer and leave the default path
Select Create a Windows Server Update Services 3.0 SP2 Web Site (NB The listening port of 8530)
Click Next and Finish
On the Windows Server Update Services Configuration Wizard consider your firewall settings and Internet connectivity and click Next
On the Join the Microsoft Update Improvement Program deselect the checkbox and click next
Choose the Upstream Server by synchronizing from Microsoft Update
On Specify Proxy Server, do not configure and click next
On the Connect to Upstream Server click Start Connecting
On the Choose Languages select Download Languages Only in these Languages and select English
On Choose Products choose your update types. By default, WSUS chooses all Windows and
Microsoft Office updates.
Choose the classification of updates. By default, WSUS chooses only critical updates, definition updates, and security updates. Click Next.
On the Set Sync Schedule page, choose the “Synchronize manually” option, and then click Next. If you would rather choose automatic synchronization, you can do it from this step in the configuration wizard.
On the Finished page, click Finish to launch the WSUS Administration Console and begin initial synchronization.

Pointing Your Clients to the WSUS Server
Client computers use the Windows automatic updating client to receive WSUS updates and can be configured by using a Group Policy object.

In the Group Policy Object Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Update.
Double-click Configure Automatic Updates, and then select the Enabled option.
> For the “Configure automatic updating” box, select the appropriate setting. The choices are “Notify for download and notify for install,” “Auto download and notify for install,” “Auto download and schedule the install,” and “Allow local admin to choose setting.”
> If you choose “Auto download and schedule the install,” you must enter the day and time for which the updates are scheduled.

The other GPO configuration needed is "Specify Intranet Microsoft Update Location". Supply server FQDN names in both fields as shown below

Once the clients have restarted and obtained the above cofigurations, they will be found in the unassigned computer groups. You can create additional groups and move these computers into those groups. You can then approve updates to the various groups.

BitLocker Drive Encryption

2011-02-05T23:07:00.000Z

BitLocker Drive Encryption is a technology designed to provide protection for entire disk drives. BitLocker to Go is a development on the same technology available with Windows 7 that enables encryption of USB flash drives. You can therefore protect drives in the event of theft and data on drives that might exist on decommissioned servers.

Protection using BitLocker can be enhanced with a TPM chip on the computers' motherboard. TPM (Trusted Platform Module 1.2). BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your operating system, BitLocker requests the key from the TPM chip and then uses it to unlock the drive. If the drive is put in a different computer it will stay locked until it is manually unlocked using a recovery key. When using a BitLocker-encrypted drive, if you add new files to the drive, they are automatically encrypted.

If the machines do not have TPM, drives (fixed or removable) can be unlocked with a password or a smart card, or you can set the drive to automatically unlock when you log onto the computer.

To add BitLocker on Server 2008 R2 (REQUIRES TPM!)

Open Server Manager.
Right-click Features.
Click Add Features.
Select BitLocker Drive Encryption
Restart your computer
Close the Server Manager window
Open Control Panel, System and Security and open BitLocker Drive Encryption
Click Turn On BitLocker

BitLocker Drive Encryption is available on Windows 7 Enterprise and Ultimate editions. However, the USB and other portable drives encrypted with BitLocker to Go cannot be accessed directly in Windows Vista or Windows XP. Microsoft has released a special utility with the name BitLocker To Go Reader (bitlockertogo.exe), which is a program that works on computers running Windows Vista or Windows XP, allowing you to open and view the content of removable drives that have been protected (or encrypted) with BitLocker Drive Encryption in Windows 7. BitLocker To Go Reader allows people running Windows 7 to share their BitLocker-protected data on removable drives, such as USB flash drives or external hard drives, with anyone running Windows 7, Windows Vista, or Windows XP.Windows XP.This will only work however if the drives have been encrypted with a password.

Before you turn on BitLocker in control panel you should see the following:

After you click Turn on BitLocker the following window will appear:

Type in a complex password and confirm. The next window to appear will ask you how you want to save a recovery key in the event of forgetting the password (print or save to file). Choose one and on the next window start encrypting.

How to Setup Server 2008 SSTP VPN Server: Obtaining Server SAN Certificate from an Enterprise CA

2011-01-25T00:45:00.000Z

Coming Soon!

How to Setup Server 2008 SSTP VPN Server: Obtaining Server SAN Certificate by Advanced Request to StandAlone CA

2011-01-25T00:43:00.000Z

Before you setup the VPN server you should sort out your certificates.If you have a Stand Alone Root CA the following post will help (I hope!)

Add the CA role using Server Manager. As mentioned the first thing to obtain on the VPN server is a server authentication certificate from the CA. You can do this using a variety of methods including these. Included is the following:

Using the Certificate Enrollment wizard with a standalone CA

1. In the Computer Certificates snap-in, right-click the Personal folder, point to All Tasks, point to Advanced Operations, and then click Create Custom Request.

2. Click Next

3. Click Proceed without enrollment policy, and then click Next.

4. In the Template field select No Template (Legacy Key) and For Request format, click either PKCS #10 or CMC. PKCS #10 is generally accepted by all CAs.

5. Click Next

6. Click the Details arrow, and then click Properties. You will need to configure all the certificate request options so that the issued certificate will be suitable for TLS/SSL.

On the General Tab under Friendly Name type a name for your certificate and a description
In the Subject name area under Type, click Common Name
In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add e.g www.compulinxtraining.com
In the Alternative name area under Type, click DNS
In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add e.g www.compulinxtraining.com
Repeat the last few steps and add all necessary DNS names (both external Internet registered names and internal DNS name of the VPN srvxyz.compulinxtraining.local for example)

7. On the Extensions tab click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.

8. Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication and Client Authentication, and then click Add.

9. On the Private Key tab, click the Cryptographic Service Provider arrow. Because we selected the Legacy key in step 4 above, the Microsoft RSA SChannel Cryptographic Provider is enabled.

10. Click the Key options arrow. In the Key size list, select a key size. If desired, select the Make private key exportable check box. Do not select either the Allow private key to be archived or Strong private key protection check box.

11. Click the Select Hash Algorithm arrow. In the Hash Algorithm list, select the desired hash algorithm. E.g SHA-1

12. Click OK and then click Next

13. Enter a path and file name indicating where the request file will be saved and select Base 64 format and click Finish

Next, submit the certificate request and complete certificate enrollment by using Certreq.exe

1. Open a command prompt

2. Type certreq -submit -config <CertificateRequest.req>

E.g certreq -submit -config srvXYZ\CompulinxCARoot c:\VPNCertReq

This should return a RequestID. The request for your certificate will need to be issued by the CA administrator (the request will be found in the Pending Request folder. Simply right click the request and issue it).

3. Type certreq –retrieve -config and press ENTER. Where the CertificateResponse is the name given to the certificate you get back from the CA and will be placed in the directory you run the command from in command prompt

E.g certreq -retrieve -config srvxyz\CompulinxCARoot 19 MyVPNCert.cer

4. After you retrieve the certificate, you must install it. This command imports the certificate into the appropriate store and then links the certificate to the private key.
Type certreq –accept -config and press ENTER

E.g certreq -accept -config srvxyz\CompulinxCARoot MyVPNCert.cer

So, you need to submit, retrieve and then accept.

How to Setup Server 2008 R2 Online Responder Service - Avoid the Dreaded 0x80092013 with SSTP VPN

2011-01-23T16:20:00.007Z

In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.

Time. Certificates are issued for a fixed period of time and considered valid as long as the expiration date of the certificate is not reached, unless revoked before that date.
Revocation status. Certificates can be revoked before their expiration date because of multiple reasons such as key compromise or suspension. Before performing any operation, applications often validate that the certificate was not revoked.

Revocation can be made by using Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) and is used when we VPN with SSTP.

Step One
Configure Enterprise CA to Support AIA Extension to Support OCSP

To advertise that revocation status information for a particular CA can be obtained via OCSP, the CA must include a pointer to the OCSP Responder in the certificate. This is done by adding an OCSP URI to the AIA extension of the certificate. This is a configuration made on the CA and will be applied to certificates issued by the CA.

1. Open the Certification Authority Snap-in on the CA, as an Enterprise Administrator

2. Right click on the CA name, and select Properties

3. Click on the Extension Tab. From the Select Extension drop down Box, select Authority Information Access (AIA). This is shown below. For Internet clients, select Add and enter a public DNS entry e.g http://www.compulinxtraining.com/ocsp

4. Check the Checkbox for Include in the online certificate status protocol (OCSP) extension.

5. Click OK, to close the CA Properties.

Step Two
Configure Enterprise CA with OSCP Signing Template

1. On the Enterprise CA, select Certificate Templates, right click and select Manage. This will open a complete list of the CAs templates in the Certificate Template Console.

2. Locate the OCSP Certificate Template, Right-click, and select Properties

3. On the Security Tab, add the hostname of the soon to be OCSP Server, and give the server Read and Enroll permissions to the template. Click OK.

4. In the Certification Authority management console, Right-click on the Certificates Templates node, and from the context menu, select New and then "Certificate Template to issue.

5. Select the OCSP Response Signing Template, and select OK.

Step Three
Installing and Configuring the OCSP Responder Role

1. To install the OCSP Responder, add the Online Responder role found under Active Directory Certificate Services

2. Open the Online Responder snapin in Administrative Tools

3. Select Revocation Configuration, right click and select Add Revocation Configuration. A wizard will open.

4. Name the configuration with a friendly name

5. Select a certificate for an existing Enterprise CA

6. Select Browse CA certificate published in Active Directory. Click Browse. You should see your CA certificate so select it and click OK.

7. Next you will need to select a certificate that will be used for signing OCSP responses. For a particular Revocation Configuration, the OCSP Signing certificate must be issued by the CA for which the OCSP Responder will answer revocation status requests. Select Automatically select a signing certificate and select the OCSP template you configured in step two above. Click Next.

8. The OCSP responder will obtain its CRL from the CA so you do not have to add any other provider. Finish the wizard.

How to Setup Server 2008 SSTP VPN Server Introduction

2011-01-11T01:55:00.006Z

Hope you all had a good Christmas! In the next couple of posts I will showing you how to build SSTP VPN servers on server 2008 R2. The process is a little involved and will cover not only how RRAS configuration, but CA configuration and how to use the new Online Responder Service.
VPN technology has moved on in Windows Server 2008. Now we can use SSTP (as far as I can see just for 'Client to Router' connections). This means you can still VPN to a network in situations where the traditional technologies have been blocked (TCP 1723 PPTP for example). SSTP uses TCP 443.

A big problem I have found in the SSTP VPN is the certificate revocation check. Before a client manages to connect to the VPN server, a certificate revocation check needs to be made. The client will need to access the certificate revocation list (CRL) which is on the CA but could be hosted on another server. This check uses http not https. This can complicate things because you dont want Internet based clients connecting to an internal CA to check for revocation using unsecured http. You can publish the CRL to a Certificate Distribution Point (CDP) away from the CA. This can be to a web server. The client then receives the VPN certificate sent from the SSTP VPN server and will need to determine if its been revoked (by the way, depending on the method of client authentication, the client will need the CA root certificate and perhaps a user certificate - more on this later). The client can determine the CDP by referencing the CDP extension on the VPN certificate (which is usually an Internet registered DNS address). An HTTP connection is made to the CRL Web Server and the client downloads the full CRL. The client can check for revocation status and then VPN to the SSTP VPN server.

Server 2008 supports not only the traditional CRL method of revocation but also the Online Responder Service OCSP. The main advantage here is that the client does not require periodic downloading of a CRL. The client gets an accurate point-in-time status check to determine the validity of the certificate sent by the VPN server. A downside to OCSP is that it is supported by Windows 7 and Vista clients only.

Transport Rules on Exchange 2007 and Exchange 2010

2010-11-28T22:32:00.006Z

Transport rules, like journaling rules in the previous post, occur at the organisation level on transport servers. All messages must pass through a transport server and so we can apply rules to determine how a message is processed.

Imagine you suspect employees selling company secrets regarding a new product currently under development to a rival drug company. Lets say the new product is known to internal employees only and no outside parties are aware of the products development. How can you route out the dodgy emailers? With transport rules! The following screen shots should help show how its done:

Open the EMC and browse to the Organization Configuration Hub Transport node in the Console tree.In the Work area, select the Transport Rules tab.

In the Actions pane, click the New Transport Rule action. This launches the New Transport Rule wizard.

Write a suitable name and optional comment. Select Enable Rule and click next.

Under the Conditions, select 'sent to users inside or outside the organisation' and select 'the subject field or the body of the message contains specific words'. Make sure to select the link 'inside' and change the scope to 'outside'. Also click the link 'Specific Words' and add a suitable key word. Click next.

Select 'Blind Carbon Copy' and add the journal mailbox to define a recipient of messages.

Transport Rules Conflicting with Journal Rules

Perhaps you might have a transport rule which prevents certain messages from being sent from certain recipients to others. If emails are being dropped, then how can they be journaled? You will need to change the order of agent priority. The Transport Agent will by default process the message before the Journaling Agent. To determine the current state of priority, type the following cmdlet:

[PS] Get-TransportAgent

As you can see above, the Transport Agent is set to run before the Journaling Agent. Emails will be dropped before they can be journaled. To change the priority, type the following:

[PS] Set-TransportAgent -Identity "Journaling Agent" -Priority 1

Finally as show in the Powershell, you must restart the Transport Service

Journaling on Exchange 2007 & 2010

2010-11-28T10:34:00.014Z

Journaling allows you to record all messages flowing in and out of an organization and helps with legal and regulatory compliance.
In Exchange, you can configure journaling on a mailbox database. Every message sent or received by every user on that database will be sent to the Journaling mailbox. When you turn on journaling at the database level, this is known as standard journaling.
You can also enable standard journaling with the EMS using the Set-MailboxDatabase cmdlet. Specify the JournalRecipient parameter and include the address of the journal mailbox. The following command
demonstrates this usage:

[PS] Set-MailboxDatabase “DB1” -JournalRecipient journal@compulinx.com

As the above command shows, an already created mailbox called journal is used (of course any recipient can be used!)

If you want to turn off journaling on a mailbox database, you use the same command, except specify $null instead of a journal mailbox:
[PS] Set-MailboxDatabase “DB01” -JournalRecipient $null

Configure Journaling for Specific Users

You can configure a journaling rule which will journal messages written by a recipient (in this case Jocelyn) and will be sent to a specific mailbox like the journal mailbox we saw earlier.

[PS] New-journalRule -Name 'Monitor Jocelyn' -JournalEmailAddress journal@compulinx.com -Scope 'Global' -Enabled $true -Recipient 'jocelyn@compulinx.com'

The 'Scope' determines which type of messages are journaled. This can be Global (all messages), Internal (messages inside the organization) or External (messages outside the organization).

An important consideration is that messages sent to journal@compulinx.com come from the established rule. Infact the journal mailbox used here should only accept messages from the journal agent. Its the journal agent that is responsible for applying the journaling rule (Monitor Jocelyn) and for sending reports to the journal mailbox. You must make sure that no false data is sent to the journal mailbox. To complete what we have done so far, type the following:

[PS] Set-Mailbox “Journal Mailbox” -AcceptMessagesOnlyFrom “Microsoft Exchange” -RequireSenderAuthenticationEnabled $true

BackUp of Exchange 2007 SP1 on Server 2003

2010-11-26T13:04:00.021Z

The main backup types considered here are

Full and Copy
Differential
Incremental

Here are just a few notes...

The backup process is quite straight forward with Server 2003's NTBackup:

Launch NTBackup by typing NTBackup in the the Run box
Select the 'Advanced Mode' link
Select the 'Backup' tab
Select Microsoft Exchange Server and drill down to the storage group needed to back up
Define a suitable backup location
Click the Start Backup button
As this will be a Full backup, select the 'Replace the data on the media with this backup'
Click the 'Start Backup' button

To simulate a corrupt database

Now dismount the database you just backed up using the console
Now delete the database in Windows Explorer C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group.
Delete the .edb file
Open NTBackup as you did above but this time select the 'Restore and Manage Media' tab
Select the appropriate backup
Click Start Restore
Define a temporary location for log and patch files
Select Last restore set
Select Mount Database After Restore. Click OK.
Check out the storage group in Windows Explorer and you should see the database is back (and you should still have access to your email)

Recovery Storage Groups

Its possible we may need to restore a particular mail message or an entire mailbox. You can retrieve deleted messages using outlook but if you permanently delete the message (hold the shift key down when you delete the message) or you go beyond the 14 day retention limit you would need to restore from backup. If you delete a mailbox it is kept in the database for 30 days, but if you go over this you will need to restore the mailbox from backup. The problem is that when you restore from backup, you will restore all the mailboxes not just the mailbox of interest.

I will show you how to create and use a Recovery Storage Group using Powershell:

Create a Recovery Storage Group

Login as a valid Exchange recipient and make sure you have email in your Inbox.
Using the methods shown above, backup your mailbox server
Now, login as the user in step 1. and delete an email message (permanently using the shift key)
Now create a Recovery Storage Group in the Powershell: [PS] New-StorageGroup –Server SRV161 –LogFolderPath “C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG" –Name “Recovery Storage Group” –SystemFolderPath “C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG” –Recovery

You can determine if the RSG has been built by using the Get-StorageGroup cmdlet (observe the 'Recovery' attribute)

In the next three steps we create a new mailbox database in the recovery storage group, allow it to be overwritten and finally overwrite it by restoring the backed up database.

Add a Recovery Database

[PS] New-MailboxDatabase –MailboxDatabaseToRecover “DB1” –StorageGroup “SRV161\Recovery Storage Group” –EDBFilePath “C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG\DB1.edb” The -MailboxDatabaseToRecover references the production database that has been backedup and contains our deleted email.
With the Mailbox Database created in the Recovery Storage Group we now need to configure it to allow overwrites by running the Set-MailboxDatabase cmdlet with the –AllowRestore parameter. [PS]Set-MailboxDatabase -Identity "SRV161\Recovery Storage Group\DB1" -AllowFileRestore $true
Now restore the database using NTBackup
We now need to mount the restore Mailbox Database using the Mount-Database cmdlet: [PS] Mount-Database –Identity “SRV161\Recovery Storage Group\DB1”
Now we want to merge the mailbox data of an existing user in the recovery database to the production mailbox database: [PS]Restore-Mailbox –Identity paulwest -RSGDatabase “servername\RSG name\database name”

If you need to recover mailbox data for all users in the RSG, you would need to use the following command:

[PS]Get-MailboxStatistics -Database “Recovery Storage Group\Mailbox Database” | Restore-Mailbox

You should now remove the recovery database and recovery storage group using the following cmdlets:

[PS]Remove-MailboxDatabase –Identity “SRV161\Recovery Storage Group\DB1”

[PS]Remove-StorageGroup –Identity “SRV161\Recovery Storage Group”

Message Retention Compliance in Exchange 2010

2010-11-20T22:42:00.080Z

Keeping particularly important emails in a users mailbox over a long period of time chews into available disk space. One common option is to transfer these emails to a PST file either on the users machine or a network share. Doing this will save space on the mailbox server but will most likely cause problems when you try to collect the data again. You have to search for the PST files, hope they are not password protected and after that search through the files themselves looking for the emails you want to restore.

There are two methods of managing retention compliance in Exchange 2010:

Use 'Managed Folders' as used in Exchange 2007
Use 'Retention Tags' a new approach used only in Exchange 2010

Using Managed Folders

Managed folders involves the user deliberately dragging their important emails into administrator built folders which are visible in Outlook. The point to take home here is that the user has to do some dragging action! A lot of people simply can't be bothered to file emails into folders and prefer to search through their mail looking for key words.This is where retention tags can be used. We will talk about that later.

There are 4 main steps to managed folder configuration:

Create managed folders
Set managed content settings
Create managed folder policies
Apply the managed folder policy to the mailbox
Schedule the messaging records management enforcement process

1. Create the Managed Folder

Managed folders come in two flavours. Default and custom. The default managed folders include the familiar folders like 'Inbox' and 'Sent Items'. You can create a custom managed folder that appears under the folder 'Managed Folder'.

1. Open the EMC and browse to the Organization Configuration Mailbox node in the Console tree.

2. In the Actions pane, click the New Managed Custom Folder task to launch the configuration wizard.

3. Enter the name of the folder in the Name field. The field below it can be used to define a different name when the folder is viewed in Outlook. By default, this field is set to the same value that you type in the Name field. You can define a storage quota in KB and also set a comment for this folder that the user sees when the folder is opened. Enter this comment in the field Display The Following Comment When The Folder Is Viewed In Outlook. If you check the box Do Not Allow Users To Minimize This Comment In Outlook, then the comment is always visible to the user.

You can do the same in the shell:

[PS] New-ManagedFolder -Name 'Test Folder' -StorageQuota '51 MB' -Comment 'This folder is used only testing' -MustDisplayCommentEnabled $true

2. Set Managed Content Settings

In this step you define how long items stay in a folder before an action is performed. You can also choose to forward a copy of any message placed in the folder to another mailbox (journaling).

1. Right click the Custom Managed Folder created in step one. This will launch the following window:

2. In the New Managed Content Settings wizard, type a name for content settings, such as Delete After 12 Months.

3. From the Message Type drop-down list, select the type of content that you want this setting to apply to. For example, you can apply the setting to specific items such as email only. Or you can apply the setting to every item type by choosing All Mailbox Content.

4. Check the Length Of Retention Period (Days) box and type the number of days that you want the items to be retained before an action is taken on them.

5. In the Retention Period Starts box, you can choose when the retention period starts. It can start either when the item is delivered or when it is moved into the folder. For example, if you want to create a setting to delete items after one year, you could set the retention period for 365 days.

6. In the field Action To Take At The End Of The Retention Period, choose what happens to the item when the period is over. If you choose to move it to a managed folder, click the Browse button to select that folder. Then click next.

7. At the Journaling screen, you can choose to forward copies of the message to a mailbox when it’s placed in the folder. Check the Forward Copies To option and click the Browse button to select the mailbox. You can also define a label for the message in the field Assign The Following Label To The Copy Of The Message. Doing so can make the messages easier to sort through. Click Next to continue.

The settings for the managed folder are now configured and the folder is ready to be added to a managed folder policy.

3. Create Managed Folder Policy

A managed folder policy will be used to link the created managed folder to your mailboxes.

1. Open the EMC and browse to the Organization Configuration Mailbox node in the Console tree

2. Select the New Managed Folder Mailbox Policy task in the Actions pane.

3. In the New Managed Folder Mailbox Policy wizard, enter a name for this policy in the field
Managed Folder Mailbox Policy Name.

4. Click the Add button to add a managed folder to this policy. The Select Managed Folder dialog box will be displayed. Select either a managed default folder or a managed custom folder and click OK.

4. Apply the Managed Folder Policy to Mailboxes

1. Browse to the Recipient Configuration Mailbox node in the Console tree.

2. From the list of mailboxes displayed in the Results pane, select one or more mailboxes that you want to apply the policy to.

3. Click the Properties option for the selected mailboxes in the Actions pane.

4. In the properties dialog box, select the Mailbox Settings tab.

5. Select the Messaging Records Management option in the list of mailbox settings and click the Properties button above the list.

6. In the Messaging Records Management dialog box, select the Managed Folder Mailbox Policy check box. Click the Browse button to select the policy that you just created.

7. click OK to close the Messaging Records Management dialog box.

5. Schedule the Messaging Records Management Enforcement Process

The final thing we need to do is to schedule the messaging records management enforcement process to run at a specified time. The messaging records management enforcement process is disabled by
default. This means that although you have applied a managed folder mailbox policy to one or more recipients, the respective managed folders will not show up in the user’s client (Outlook 2007 or OWA 2007) until the process has run at least one time.

In the Exchange Management Console, click the Mailbox subnode under the Server Configuration work center node.
Select the respective Mailbox server in the Result pane.
Now click the Properties link under the mailbox server name in the Action pane.
Click the Messaging Records Management tab.
The Messaging Records Management Enforcement Process is set to Never Run. Change that to Use Custom Schedule, then click the Customize button
In the schedule, specify the times and days when the managed folder assistant
should run.

If you want to force a newly created managed folder to appear in the mailboxes, before the schedule runs you can use the Start-ManagedFolderAssistant CMDlet in the EMS to process all mailboxes immediately. This can be a resource-intensive process for the mailbox server and the network in general so be careful!

Retension Tags

Retension Tags are new to Exchange 2010! As mentioned above, managed folders require users to move mail into folders that the Exchange administrator has created. With retension tags users apply retension settings directly to mail in the their inbox. Users can also create their own folders and apply retension settings to these folders much like the administrator.

The process of creating and using retension tags is similar to using managed folders:

Create the retension tags
Link retension tags to retention policies
Apply the retension policies to mailboxes

Create Retension Tags

Using these parameters, you can create meaningful retention tags for your content. The following example creates a tag that archives every message after 1 years (365 days). Achives will be mentioned later.

[PS] New-RetentionPolicyTag “RPT-ArchiveAfter1Year1” -Type All -MessageClass E‑mail -AgeLimitForRetention 365 -RetentionAction MoveToArchive -RetentionEnabled $True

Link Retention Tags to Retention Policies

Now that you have a retention tag created, you need to create a retention policy to link the tag to. The following retension policy (called RP Staff) is created and linked to the tag created above.

[PS] New-RetentionPolicy “RP Staff” -RetentionPolicyTagLinks “RPT-ArchiveAfter1Year”

If a retension tags ALREADY exists, you use the set-retensionpolicy cmdlet:

[PS] Set-RetentionPolicy "RP Staff" -RetentionPolicyTagLinks "RPTag ArchiveAfter1Year"

Apply Retention Policies to Mailboxes
After the retention policy is created and retention tags are linked to it, you can apply the policy to mailboxes. To do this, use the Set-Mailbox cmdlet with the RetentionPolicy parameter

[PS] Set-Mailbox “Paul Pidgeon“ -RetentionPolicy "RP Staff"

When you apply the above cmdlet, you will be asked to confirm that clients are using the right version of Outlook. Outlook 2007 or earlier dont have all client features enabled.

If a user is away for extended period of time she may not get to see email messages that are moved or deleted during that time. You can put the mailbox on hold (suspend the policy) by putting the mailbox on retention hold.

[PS] Set-Mailbox “Paul Pidgeon” -RetentionHoldEnabled $true

You can then take the mailbox out of retention hold by the following cmdlet:

[PS] Set-Mailbox "Paul Pidgeon" -RetentionHoldEnabled $False

If your users are using Outlook 2010 you can move away from using managed folders and start using retention tags. You can convert your existing managed folders into retention tags by using an existing managed folder as a template. The following example creates a new retention tag that mirrors an existing managed folder:

[PS] New-RetentionPolicyTag "RPT One" -ManagedFolderToUpgrade "MF One"

Archiving Email

Exchange 2010 gives users the ability to archive email in an online archive and avoid using PST files. Users can drag and drop email from their mailbox or from existing PSTs into their online archive, which has a bigger storage quota than the mailbox. Unlike PST files, the archive is accessible in Outlook Web Access as well as locally in Outlook 2010. Large amounts of data can reside in an archive folder because the archive is only available online. Users do not need to download many gigabytes of data into their Outlook client when working in cached mode with the online archive.

An archive for a user can be created when you create the mailbox or after the mailbox has been created. To create an archive when creating the mailbox use the following cmdlet:

[PS] New-Mailbox “Clint Eastwood” -UserPrincipalName clint@compulinxtraining.com -Archive

Archive mailboxes have size quotas applied to them like regular mailboxes but they don't restrict the users ability to send and receive mail if the quota is reached. There is a warning quota and a hard quota. When an archive reaches the warning quota, an event is logged in the server’s Application event

log. When the hard quota is reached, items can no longer be placed in the archive. You can modify the warning quota in the EMC or the EMS, but the hard quota must be modified in the EMS.

[PS] Set-Mailbox “Andrew Stevens” -ArchiveWarningQuota 20GB –ArchiveQuota 25GB

You can get useful information on your archives by typing the following:

[PS] Get-Mailbox | ft name,archive*

How to Obtain an Exchange Certificate (SAN) from a 2008 StandAlone CA

2010-11-14T22:42:00.014Z

This post will help you obtain a SAN certificate from a StandAlone CA (on Server 2008). You will need this for correct configuration of autodiscovery and outlookanywhere/availability service.

1. On your Exchange 2007 server (CAS), type the following cmdlet to make the necessary SAN certificate request which will be stored in the root of c:\. Notice the use of multiple names in the request.

[PS] New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=mail.compulinxtraining.com" -DomainName compulinxtraining.com, srv1.compulinxtraining.local, srv1, autodiscover.compulinxtraining.com -PrivateKeyExportable:$True

It should be noted that Exchange 2010 does NOT use the -path parameter as mentioned in step one. You will need to establish a variable. You could try the following:

$Data=New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=mail.compulinxtraining.com" -DomainName compulinxtraining.com, srv1.compulinxtraining.local, srv1, autodiscover.compulinxtraining.com -PrivateKeyExportable:$True
Set-Content -path "C:\req.req" -Value $Data
2. Once you have generated the request, visit your CA by opening a browser and type http://TheCAName/certsrv. Select 'Request a Certificate' and then select 'Advanced Certificate Request'. Then select 'Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file'. Copy and paste the contents of the request (all of it... even the lines!) into the 'Saved Request field and 'Submit' the request to your CA.

3. On the CA select 'Pending Request' and 'issue' the certificate.

4. Back on the Exchange Server, visit the home page again and check for the pending request. Save the the .cer file to a easy to find location on the server.

5. Create an MMC and add your Local Computer Certificate snap-in. Under personal 'import' your saved certificate. Once imported you will probably find that if you open it that it will not be trusted. You will have to download the root CA and import it to the trusted root store on the Exchange Certificate.
You may also find that the certificate has no private key. This will cause problems later on so you should repair the certificate by following these steps:

>Open MMC and add the Certificate Snap-In for the Local Computer account.

>Double-Click on the recently imported certificate. Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.

>Select the Details tab.

>Click on the Serial Number field and copy that string.Note: You may use CTRL+C, but not right-click and copy.

>Open up a command prompt session. (cmd.exe aka DOS Prompt)

>Type: certutil -repairstore my "SerialNumber" (SerialNumber is that which was copied down in step 4.)

>After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC)

>Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.

Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services via Enable Exchange Certificate (Courtesy of comodo.com)

6. Now you need to enable your certificate and bind it to the correct exchange services. Type the following cmdlet:
[PS] Get-ExchangeCertificate -Thumbprint ABCDEFetc. | Enable-ExchangeCertificate -Services IIS,SMTP

Exchange 2010 Post Installation Tasks

2010-10-31T21:31:00.000Z

This previous post details a typical Exchange 2010 installation. Once installed there are some post-installation tasks to perform (what is presented below is not an exhaustive list)

Enter the Product Key

The key is not required during the install process. In unlicensed mode, you have 120 days, during which your Server will function as Exchange Standard Edition. Every time you launch the Exchange 2010 Management Console you are reminded of the number of days left

You can determine the trial period time by using the following cmdlet:

[PS] C:\>Get-ExchangeServer | Where-Object {$_.IsExchange2007TrialEdition -match $true} | ft name,rem* -au

To enter the product key you can use the Management Console or the Exchange Shell. To use the console see below:

To use the shell type the following cmdlet:

[PS] C:\>Set-ExchangeServer -Identity srvmail -ProductKey ASMTV-GMXFD-C23GH-8SSAS-ADSAP

Verify a Successful Installation

You will want to make sure that the installation was a success. Setup logs can help with this. All of the setup logs for Exchange are found in a folder on the root of the system drive (E.g. C:\ExchangeSetupLogs). Within this folder holds the ExchangeSetupLog file. This log file records the status of every task that the installer performs when installing and configuring Exchange.

Check Services

I have found that on reboot, the server does not always start the necessary exchange services like it should. You can determine this using the following cmdlet:

[PS] E:\>Test-Service Health | fl

Installing Exchange 2010 - Exchange Server Operating System PreReqs

2010-10-30T19:14:00.011+01:00

Before we install Exchange 2010, we must ensure that the certain operating system components are in place.
On the Start menu, navigate to All Programs > Accessories > Windows PowerShell. Open an elevated Windows PowerShell console, and run the following command:

[PS] Import-Module ServerManager

Then copy and paste the following commands to install the pre-requisite operating system components needed to later build a hub transport server, client access server and mailbox server all in one go.

[PS]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,
WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,
Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

On servers that will have the Client Access server role installed, after the system restarts, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for automatic startup by running the following command

[PS] Set-Service NetTcpPortSharing -StartupType Automatic

For Edge Servers, you will need the AD LDS role installed, an internal card configured to use a AD DNS server and the server configured to be in a workgroup. Additional operating system requirements can be added by using the following:

[PS] Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

Installation of Exchange 2010 (Typical)

2010-10-29T19:48:00.001+01:00

This is a walk-through of a typical Exchange 2010 installation. The slides include a preparation of the Schema (/PrepareSchema), configuration partition (/PrepareAD) and domain partition (/PrepareAllDomains).

Notice that the Schema Preparation should be made on the Schema Master FSMO role holder. You can determine this by using the netdom utility.

Install Exchange 2010

VIEW SLIDE SHOW

DOWNLOAD ALL

Once the Active Directory has been prepared, its time to turn your attention to the installation of Exchange 2010 server proper. There are a number of Server 2008 R2 pre-requisites that are required. These are mentioned in here. Once this has been done execute the setup.exe on the CD. Follow the next couple of steps as illustrated below.

Install Exchange 2010 (Pt2)

VIEW SLIDE SHOW

DOWNLOAD ALL

Create a Client Configuration File for RemoteApp and Desktop Connection

2010-10-26T22:04:00.001+01:00

Another method that allows you to launch applications from the client that applies specifically to Windows 7 clients is the use of configuration files. The previous post relies on the client visiting a website and is especially useful when you have a mixed bag of clients. The configuration file is a little like the .rdp and .msi methods of remote application distribution. To start, log on to your RDCB server:

To create a configuration file

On the RD Connection Broker server, open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
In the left pane, click Remote Desktop Connection Manager:, where is the name of the Remote Desktop Connection Broker (RD Connection Broker) server.
On the Action menu, click Create Configuration File.

In the Create Configuration File dialog box, in the RAD Connection feed URL box, enter the RemoteApp and Desktop Connection URL that specifies the Remote Desktop Web Access (RD Web Access) server that provides RemoteApp and Desktop Connection resources to users. When you specify the URL, use the fully qualified domain name (FQDN) of the RD Web Access server. For example, enter https://rdwaserver/RDWeb/Feed/webfeed.aspx.

Note
RDWeb is the default virtual directory name used by RD Web Access. If your implementation of RD Web Access uses a different virtual directory name, provide that name in the URL.

Click Save, specify a file name and a folder location, and then click Save.
Distribute the configuration file to the end users.
Allow users to run the webfeed program

End users will be able to see the remote applications by going to All Programs, RemoteApps and Desktop Connections.
To update the list of programs on the client in the event of adding new remote applications on RDSH server do the following:

Launch Control Panel on your Windows 7 client
Go to RemoteApp and Desktop Connections (if using 'Category' view type this in)
Click Properties
Under Update click Update Now

Running the Remote Applications from the Client (RDS Pt4)

2010-10-26T14:22:00.002+01:00

To verify the functionality of a RemoteApp program deployment, log on as a domain user and connect to the RemoteApp program by using Remote Desktop Web Access (RD Web Access).
To connect to the RemoteApp program

Log on to the domain joined Windows 7 client asan ordinary domain user
Click Start, point to All Programs, and then click Internet Explorer.
In the Address bar, type https://rdwa.compulinx.local/RDWeb and then press ENTER.
In the Domain\user name box, type Domain\UserName

In the Password box, type the password that you specified for the account and click Sign in.

Note
In you receive a prompt asking you to install the Microsoft Remote Desktop Services Web Access Control, click Run Add-on, and then click Run.

Click Calculator, and then click Connect.

Well done chaps! If you find you get certificate warnings then make sure you have correctly added the certificate thumbprint to the Default Domain Group Policy setting and ran a Gpudate/force (for both RDSH and RDWA servers)

Installing and Configuring RemoteApp (RDS Pt3)

2010-10-26T11:50:00.005+01:00

Ensure that 'Domain Users' are included in the local group on 'Remote Desktop Users' on the RDSH server. A chain of authorization is set up. The RDSH server will use the RDCB as a web access server and in turn the RDCB will use the RDWA server.
You must add the RDCB server computer account object to the TS Web Access Computers security group on RDSH server.

To add RDCB server to the TS Web Access Computers group on RDSH server

Log on to RDSH server as Domain\Administrator.
Click Start, point to Administrative Tools, and then click Computer Management.
Expand Local Users and Groups, and then click Groups.
Right-click TS Web Access Computers, and then click Add to Group.
Click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
In the Object Types dialog box, select the Computers check box, and then click OK.
In the Enter the object names to select box, type the rdcb server name and then click OK.
Click OK to close the TS Web Access Computers dialog box.

Next, you must add the RDWA server computer account object to the TS Web Access Computers security group on the RDCB server computer.

To add RDWA server to the TS Web Access Computers group on RDCB server

Log on to RDCB server as Domain\Administrator.
Click Start, point to Administrative Tools, and then click Computer Management.
Expand Local Users and Groups, and then click Groups.
Right-click TS Web Access Computers, and then click Add to Group.
Click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
In the Object Types dialog box, select the Computers check box, and then click OK.
In the Enter the object names to select box, type the rdwa server account and then click OK.
Click OK to close the TS Web Access Computers dialog box.

Next, you must add a RemoteApp program to RDSH server by using RemoteApp Manager.

To add a RemoteApp program by using RemoteApp Manager

Log on to RDSH server as Domain\Administrator.
Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
In the Action pane, click Add RemoteApp Programs.
On the Welcome to the RemoteApp Wizard page, click Next.
On the Choose programs to add to the RemoteApp Program list page, select the Calculator check box, and then click Next.
On the Review Settings page, click Finish.

You can add Office 2007/2010 to the list. Do not install from the CD. This important! Go to the Contrrol Panel and type 'Install'. Select 'Install Application on Remote Desktop Server'. Also with Server 2008 R2, you can select a listed program and under properties and define 'user assignment' where you define which users can run the particular program.

Next, assign a RemoteApp source on the RD Web Access server (RDWA server). The calculator application is not running on the RDWA server. This is just a front-end interface for applications used by clients. So,

To assign a RemoteApp source on RDWA-SRV

Log on to RDWA server as Domain\Administrator.
Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration.

Click Continue to this website (not recommended).

Important
You should see a warning because of the use of 'Localhost'. This is normal because the certificate defines the name using the FQDN. However, you may get problems such as not being able to display the web site. If this happens, within IIS, select the default Web Site and make sure that the bindings are set correctly to use the certificate obtained from the CA. Do not use self-signed certificate!

In the Domain\user name box, type Domain\Administrator.
In the Password box, type the password that you specified for Domain\Administrator, and then click Sign in.
On the Configuration page, click An RD Connection Broker server.
In the Source name box, type the name of the RDCB server and then click OK.

Finally, you must add a RemoteApp source on the RDCB server by using Remote Desktop Connection Manager. The broker needs to locate RDSH server to offer the applications to the RDWA server.

To add a RemoteApp source by using Remote Desktop Connection Manager

Log on to RDCB server as Domain\Administrator.
Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
Click RemoteApp Sources, and then in the Actions pane, click Add RemoteApp Source.
In the RemoteApp source name box, type the name of the RDSH server and then click Add.

Deploying Remote Desktop Web Access with Remote Desktop Connection Broker (RDS Pt2)

2010-10-26T09:56:00.008+01:00

For this exercise, you will need a suitable certificate infrastructure in place. Some thought is needed. We will be deploying our remote desktop service to internal domain clients so certificate revocation checks should work by default. Consider the following certificate requirements:

The certificate must be trusted explicitly or from a trusted root certificate.
The certificate name or the Subject Alternative Name must match the fully-qualified domain name of the server.
The certificate must support Server Authentication or Remote Desktop Authentication Extended Key Usage.
Indirect certificate revocation lists are not supported.
Certificate revocation checks are performed by default.
When you use CredSSP, you can turn off certificate revocation checks by configuring the following registry entry to a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
When you use Transport Layer Security (TLS), you can turn off certificate revocation checks by configuring the following registry entries to a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck

The last two points are not necessary to configure. What I recommend is constructing a certificate template based on Web Server (I seem to always use this!). The subject name should be set to be 'supplied in the request' and the remote desktop session host (RDSH) server should be listed on the ACL with enroll and read permissions. Also allow the private key to be exported. When the RDSH server makes the request from the CA using certificate snapin, you can supply the internal DNS name and external DNS names using the subject alternative name. Don't forget to supply the correct CRL locations on the CA itself BEFORE you make the certificate request. You might need to add a new CRL location perhaps to a DMZ web server. I will write a post on this later.

Once the RDSH server has a certificate do the following:
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.

To configure a certificate used to digitally sign the RDP file

Log on to SRV1 as Domain\Administrator.
Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
Under the Overview section, click Change next to Digital Signature Settings.
Select the Sign with a digital certificate check box.
Click Change.
On the Confirm Certificate page, select the appropriate certificate, and then click OK.
Click OK to close the RemoteApp Deployment Settings dialog box.

You must add the thumbprint of the certificate used to digitally sign the RDP file to the Default Domain Group Policy setting. This is required so that the trusted publisher warning dialog box is not shown to the user each time the RemoteApp program is started.

To add the certificate thumbprint to the Default Domain Group Policy setting

Log on to a domain controller as Domain\Administrator.
Open the GPMC. To open the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.
Expand Forest: compulinx.local, expand Domains, and then expand compulinx.local
Right-click Default Domain Policy, and then click Edit.
Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
Double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.
Select the Enabled option.
In the Comma-separated list of SHA1 trusted certificate thumbprints box, type the certificate thumbprint used to digitally sign the RDP file, and then click OK.

Configure the domain joined client computer (Windows 7)

To configure the client computer, you must:Import the digital certificate used by RDSH server to the Trusted Root Certification Authorities certificate store of the computer account. You must import a PFX certificate file that includes the private key. I export the certficate first to a shared location and then import on the client machine using the certificate snapin.

Configure the RD Connection Broker server (RDCB server)

On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer account (remebering to import a PFX certificate like you did above). Configure a certificate used to digitally sign the RDP file.

To configure a certificate used to digitally sign the RDP file

Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
On the Digital Signature tab, select the Sign with a Digital Certificate check box.
Click Select.
In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.

Configure the RD Web Access server (RDWA server)

On a separate member server, install the RD Web Access role service.You will need to obtain a certificate for this server like you obtained a certificate for the RDSH server. You can duplicate the 'Web Server' template as before,making sure the ACL is correct etc.
Add the thumbprint of the certificate used for the RD Web Access server to the Default Domain Group Policy setting by using the GPMC as also done above under the configuration of RDSH server.

Installing Remote Desktop Session Host (RDS Pt1)

2010-10-26T09:17:00.009+01:00

The next four posts will demonstrate how to setup remote desktop services so that clients can run specific remote applications using a web browser. This will involve running the applications on a Remote Desktop Session Host (RDSH) server (once called a Terminal server). A Remote Desktop Connection Broker (RDCB) will be used to connect the RDSH with the Remote Desktop Web Application server (RDWA). The use of the RDCB will be useful later when we try clustering servers. For this exercise we are not concerned with clustering. You will need 4 servers and a Windows 7 client, all in a single AD domain.

To install the RD Session Host role service

Log on to a member server as domain\Administrator.
Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
Under Roles Summary, click Add Roles.
On the Before You Begin page of the Add Roles Wizard, click Next.
On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.
On the Remote Desktop Services page, click Next.
On the Select Role Services page, select the Remote Desktop Session Host check box, and then click Next.
On the Uninstall and Reinstall Applications for Compatibility page, click Next.

On the Specify Authentication Method for Remote Desktop Session Host page, click Require Network Level Authentication, and then click Next.

Note
If client computers that are running Windows® XP will use this RD Session Host server, select Do not require Network Level Authentication.

On the Specify Licensing Mode page, select Configure later, and then click Next.

Note
For the purposes of this class, a Remote Desktop licensing mode is not configured. For use in a production environment, you must configure a Remote Desktop licensing mode.

On the Select User Groups Allowed Access To This Remote Desktop Session Host Server page, click Next.
On the Configure Client Experience page, click Next.
On the Confirm Installation Selections page, verify that the RD Session Host role service will be installed, and then click Install.
On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
After the server restarts and you log on to the computer as Domain\Administrator, the remaining steps of the installation finish. When the Installation Results page appears, confirm that installation of the RD Session Host role service succeeded, and then click Close to close the RD Session Host configuration window. Also, close Server Manager.

Add Domain Users to the Remote Desktop Users group

Log on to the RDSH server as Domain\Administrator.
Click Start, point to Administrative Tools, and then click Computer Management.
Expand Local Users and Groups, and then click Groups.
Right-click Remote Desktop Users, and then click Add to Group.
In the Remote Desktop Users dialog box, click Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type Domain Users and then click OK.
Click OK to close the Remote Desktop Users dialog box.

How to Install Remote Desktop Virtualization Host on Server Core

2010-10-18T21:20:00.013+01:00

After installing Hyper-V R2 I found that installing Remote Desktop Virtualization Host was a little tricky. Here are some of the steps required:

When you search for the available features on Hyper-V Server you can use DISM. For example “dism /online /Get-Features /Format:table”. This may give the following output:

As you can see from the above table, the "RDVH" is not listed. However, if you have ran Powershell and run the following commands you will be able to see the feature:

[PS] Import-Module ServerManager
[PS] Get-WindowsFeature

Now you can see the Remote Desktop Virtualization Host feature with a Name of RDS-Virtualization. You can now install the feature by typing the following:

dism /online /Enable-Feature /FeatureName:VmHostAgent (type this as written)
[PS] Import-Module ServerManager
[PS] Add-WindowsFeature –Name RDS-Virtualization

Management of Hyper-V from Windows 7

2010-10-15T17:27:00.001+01:00

Having played around on Server Core 2008 R2 I decided to install Hyper-V 2008 R2 on it. However, I found remote management a bit tricky. After a bit of searching I found some excellent articles answering some of the problems I experienced. First to manage Hyper-V from Windows 7 you need to install the RSAT tools. You can download the x86/64 versions from the following http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en.
You might find once you download them that you can't install them. The installer quits with the message "This update is not applicable for your computer." I found it necessary to uninstall SP1, install the RSAT tools and then put SP1 back on again.Once on Hyper-V management can be turned on by

Go to Start > Control panel Under Programs, click on Get programs
On the left panel, click on Turn Windows feature on or off
On the feature list, expand Remote Server Administration roles > Role Administration Tools, mark Hyper-V Tools, then click OK
Go to Administrative tools > Hyper-V Manager, launch it

Now that its running you might find you cant connect to the Hyper-V server. The following article helped alot with this one: http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/installation-and-deployment/installing-hyper-v-tools-remote-management-windows-7.html

Additionally, you might find that you connect but get bugged with the following error:

"Hyper-V Error – Access Denied. Unable to establish communication between Hyper-V and Client"
The following article provides a simple walkthrough regarding this; http://blog.mpecsinc.ca/2009/06/hyper-v-error-access-denied-unable-to.html

How to enable PowerShell in Server Core 2008 R2

2010-10-14T21:40:00.003+01:00

This is a bit of departure from my normal Exchange 2010 posts but I've been playing around with Server Core on Server 2008 R2. I thought it would be a good idea to provide details on how to install powershell on Server Core.

start /w ocsetup NetFx2-ServerCore
start /w ocsetup MicrosoftWindowsPowerShell
To run it just cd to c:\windows\system32\WindowsPowerShell\v1.0 and typed powershell

Once you reboot the system, the PowerShell directory will be placed in the search path and you can just type powershell in any directory to access the PowerShell command prompt.

How To Manage Address List Distribution (Offline Address Books)

2010-08-10T17:08:00.000+01:00

Address Lists can be made available to users offline by allowing them to download 'Offline Address Lists' or OABs. OAB are files containing address lists that can be downloaded to clients in two main ways:

Outlook 2007 clients can download OABs by connecting to a web service on the Exchange Server (virtual directory)
Outlook 2003 and earlier clients have to download OABs from a system public folder.

To create an OAB that relys on web based distribution try the following cmdlet:

[PS] New-OfflineAddressBook -Name "Trainers Starting with A OAB" -AddressLists "Trainers Starting with A"

Once the OAB has been created you can define which OAB users should receive. You can do this in two ways:

Attach an OAB to a mailbox database

[PS] Set-MailboxDatabase -Identity "DB1" -OfflineAddressBook "Trainers Starting with A"

2. Specify an OAB for particular users

[PS] Set-Mailbox "Andrew Stevens" -OfflineAddressBook "Trainers Starting with A"

How To Manage Address List Content

2010-08-10T10:41:00.003+01:00

Creating Address Lists

The following cmdlet will show you how to create an address list based on certain Active Directory attributes:

[PS] New-AddressList -Name "The Training Department" -IncludedRecipients MailboxUsers -ConditionalDepartment Training

The 'conditionaldepartment' attribute is based on a number of different AD attributes. Some of them are shown below:

1. Company
2. Department
3. State or province

Just include 'conditional' in front of these attributes as shown in the above cmdlet.

You can create an address list using custom filters rather that relying on the predefined AD attributes. This makes creating building address lists fun! For example, if you wanted to create an address list which defines usermailbox recipients that have a surname which starts with the letter 'A' try typing the following cmdlet:

[PS] New-AddressList -Name "Trainers Starting with A" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (Lastname -like 'A*'))}

You can update this address list by typing the following cmdlet:

[PS] Update-AddressList -Identity "Trainers Starting with A"

Who Can View the Address List Created

Now the address list has been created you can customize who can view the address list. By default all users can see the list but you can change this if you want. For example, considering the above address list you can only members of the Training Department to view 'Trainers Starting with A'. To do this use the following two cmdlets:

1. Remove the permission that allows all authenticated users to view the address list

[PS] Remove-ADPermission "Trainers Starting with A" -User "Authenticated Users" -ExtendedRights "Open Address List" -Confirm:$false

2. Define which security group can view the address list

[PS] Add-ADPermission "Trainers Starting with A" -User "Training Department" -ExtendedRights "Open Address List" -Confirm:$false

The above "Training Department" is a security group. If you want to view the membership of an address list try typing the following cmdlet:

[PS] Get-AddressList "Trainers Starting with A"

Email Address Policies

2010-08-05T22:19:00.001+01:00

Email Address Policies

Consider this scenario: You have decided on using a UPN suffix of companyname.com while using an AD domain name of companyname.local. This will enable your users to have a single log in name that matches their email address. As the domain name is companyname.local the default email address (smtp address) will be based on the same name. User Andrew would have therefore an email address of andrew@companyname.local

This of course is not suitable for Internet messaging and also does not match the upn suffix. To make this right we need to configure a second email address policy. In this policy, we would define an email address of @companyname.com and apply it to user mailboxes. That's recipients with mailboxes in your Exchange organization. Here's how to do it:

1. Configure an accepted domain based on the address (see earlier posts)
2. Use the following cmdlet to create an email address policy called compulinx.com

[PS] New-EmailAddressPolicy "compulinx.com" -IncludedRecipients MailboxUsers -EnabledPrimarySMTPAddress "SMTP:%g.%s@compulinx.com"

The variables used above will create a policy that uses firstname (g) and last name (s). Other variables are shown below

To apply a policy once created use the following cmdlet

[PS] Update-EmailAddressPolicy "Compulinx.com"

Manage Distribution Groups

2010-07-20T19:49:00.014+01:00

Messages can be sent to groups of recipients. These groups are called distribution groups. The following describes

1. How to create a new distribution group
2. How to mail enable an existing distribution group
3. How to modify the membership of the group

How to Create a New Distribution Group

An important initial consideration is that when you create a distribution group the group scope is universal and they can be security enabled (and can be assigned to an acl). When you create the group you decide this.
The following cmdlet will show you how to create a distribution group that is security enabled.

[PS] New-DistributionGroup "Sales" -Security

If the -Security parameter is left out then the group defaults to a distribution group.

How to Mail Enable an Existing Distribution Group

If you recall three different group scopes exist

1. Global
2. Domain local
3. Universal

You should understand that you can only mail enable existing universal groups (domain local and global groups have to be converted).

The following cmdlet will mail enable an existing universal group called HR

[PS] Enable-DistributionGroup "HR"

How to Modify the Membership of the Group

The following cmdlets will add and remove members from the distribution group called "HR"

[PS] Add-DistributionGroupMember "HR" -Member "Andrew Stevens"

[PS] Remove-DistributionGroupMember "HR" -Member "Andrew Stevens"

Dynamic Distribution Groups

In Exchange 2000/2003 these were called query based distribution groups. Membership is based on a recipient filter and can include all recipient types. By default these groups types only accept messages from authenticated users. Membership can change based on a particular attribute. For example, a recipient can be a member of DDG based on a department. The following example will create a DDG called 'students' and will include users that have mailboxes AND are in the students department.

[PS] New-DynamicDistributionGroup -Name "Students" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Department -like 'Students*')}

To view the DDG type the following cmdlet

[PS] Get-DynamicDistributionGroup

To view the DDG membership, type the following cmdlet:

[PS] $Group = Get-DynamicDistributionGroup -Identity "Students"
[PS] Get-Recipient -RecipientPreviewFilter $Group.RecipientFilter

Recipient Bulk Management Tasks

2010-07-18T11:24:00.001+01:00

You can create new mailboxes using the New-Mailbox cmdlet as described earlier in this post. Sometimes, you may be asked to create a large number of user mailboxes based on a comma - separated value spreadsheet.
Fortunately, the Import-CSV cmdlet is helpful here. In this case you can easily import the CSV file and use the New-Mailbox cmdlet to quickly create the mailboxes.
The spreadsheet could look something like the following:

The spreadsheet provides minimal information (and needs to saved as a .CSV file).
To see the CSV file in powershell, simply type the following command:
[PS] Import-CSV c:\book3.csv | ft –au

To create new-mailboxes from this file try using the following cmdlet in powershell:
First you create a password variable
[PS] $Password = Read-Host “Enter a Password” –AsSecureString
Then, you can import the CSV file, loop through the file and create new mailboxes. Notice in the script below, that we can add the the new users to a specific organisational unit and we use the password variable to provide the needed passwords.
[PS] Import-Csv .\Book3.csv | foreach { New-Mailbox -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName -Alias $_.Name -UserPrincipalName "$_.Name@compulinx.com" -OrganizationalUnit Staff -Password $Password -Database "EX1\store2\db01" -ResetPasswordOnNextLogon $true }
As the above script does not include –Department, your new mailboxes will not be assigned relevant departments. Lets say you need to now include the department for these users. You can once again refer to your CSV file.
If you type the following cmdlet, you will see that the sales group is empty

The following command will set a department property for each user defined in the CSV file.
[PS] C:\>Import-Csv .\Book3.csv | foreach {Set-User -Identity $_.name -Department $_.Department}
The following result will be displayed

Manage Recipient Accounts

2010-07-16T10:29:00.036+01:00

In Exchange 2010 their are many different recipient types. Recipients with user accounts have an Exchange mailbox connected or linked to the account.

Part One

Create a New User with a Mailbox (MailBox User)

This process serves two objectives; it will create an account in AD and will build a mailbox for the account in an Exchange database. To do this using the EMS type the following cmdlet:

[PS] New-Mailbox -Alias "Andrew" -Name "Andrew Stevens" -FirstName "Andrew" -LastName "Stevens" -UserPrinicipleName andrew@compulinx.com

You will be prompted to enter a password for the account and database

Mail Enable an Existing User

The following process will create a mailbox for an existing user account. To do this in the EMS, type the following cmdlet:

[PS] Enable-Mailbox [Username] or [DistinguishedName]

Part Two

Create a Mail-Enabled Contact (Mail Contact)

A contact is a type of recipient that doesn't have a mailbox in your Exchange organisation. Contacts are created when you want recipients to exist in an address list but those recipients don't own internal mailboxes. These are essentially the same type of contacts that are created in hotmail etc. and have external email addresses. Remember that contacts are objects in AD. To create a contact, type the following cmdlet:

[PS] New-MailContact [FullContactName] -ExternalEmailAddress [SMTPAddress]

Create a Mail Enabled User (Mail User)

This type of recipient has an AD account (you can log on with it) but has an external email address so the account will not own an internal mailbox. To create a mail user, type the following cmdlet:

[PS] New-MailUser -Name "Susan" -FirstName "Susan" -LastName "King" -ExternalEmailAddress susan@hotmail.com -UserPrincipleName susan@compulinx.com

Part Three

Modification of Mail Contact Information

To identify which attributes are associated with the mail-enabled contact just created, type the following cmdlet:

[PS] Get-Contact | Get-Member

As the output indicates, you can modify a number of different attributes. For example, to change the mobile phone number of a contact type the following cmdlet:

[PS] Set-Contact -Identity "Tony Almeida" -MobilePhone "1234567"

Modification of User Mailbox Information

To modify a user mailbox information like the address type the following cmdlet:

[PS] Set-User "Andrew Stevens" -StreetAddress "123 Exchange Street" -City "Exchange Town"

(Wow what an interesting place to live!)

Part Four

Hide a User From Address Lists using the EMS

You might want to hide a user from your address lists. Remember that once the user is hidden you will have problems creating an Outlook profile for the user. You should unhide the user account, create the profile and then rehide it again. Type the the following cmdlet:

[PS] Set-Mailbox "Andrew Stevens" -HiddenFromAddressListsEnabled $true

Part Five

Creating Resource Accounts

Why create resource accounts? A resource account can represent a physical item like a room or a projector. Recipients can request the use of such a resource perhaps in a meeting request and schedule its use. Resources can be configured to accept or reject meeting requests automatically (users have to manually accept or reject a meeting invitation). Also, resource mailboxes have an account in AD but you can't log on to a computer with it; its disabled. Lets first create a resource mailbox called "Room 1"

[PS] New-Mailbox "Room 1" -UserPrincipalName room1@compulinxonline.com -Room

You can replace the resource mailbox type of "-Room" with "-Equipment"

Now that you have created a resource mailbox it can be requested and booked. The 'Resource Booking Attendant' acts on behalf of the resource mailbox and automatically approves resource request. This needs to be turned on:

To do this in this in the EMS type the following:

[PS] Set-CalendarProcessing "Room 1" -AutomateProcessing AutoAccept

When someone makes a request for this resource (perhaps in a meeting request) you can reply to the requestor with a custom message. For example in the following example, if someone makes a request for Room 1 then you can remind the requestor that he/she can also request a projector:

You can do the same thing using the EMS. Type the following cmdlet:

[PS] Set-CalendarProcessing "Room 1" -AddAdditionalResponse $True -AdditionalResponse "If you need a projector make an additional request"

Part Six

Impose Storage Quotas on Specific Users

How much disk space is allowed for mail storage is set on the mailbox database but can be overridden on a per user basis. You can set this on the recipient properties of the user mailbox in the EMC or by using the shell:

[PS] Set-Mailbox "Andrew Stevens" -ProhibitSendQuota 150MB - ProhibitSendReceiveQuota 200MB -IssueWarrningQuota 100MB -UseDataBaseQuotaDefaults $False

Please note the following:

The ProhibitSendQuota defines when messages cannot be sent
The ProhibitSendReceiveQuota defines when messages cannot be sent or received
The IssueWarningQuota defines when a warning will be sent to the recipient indicating that they are getting close to the limit
UseDataBaseQuotaDefaults defines that quotas set on the database should be overruled

Impose Message Size Limits on Specific Users

This defines how large the messages can be (sending and receiving). Large messages take up more disk space and quotas are reached faster. Also large messages take longer to deliver backing up the mail queues.

[PS] Set-Mailbox "Andrew Stevens" -MaxSendSize 10MB -MaxReceiveSize 10MB

Disabling a Mailbox Using the EMS

Disabling a mailbox disconnects an AD account from the mailbox. Unlike removing the mailbox, the AD account is not deleted from AD.

[PS] Disable-Mailbox "Andrew Stevens" -Confirm:$False

Give a Different User Access to Your Mailbox

A variety of access levels can be granted using the EMS:

The following cmdlet will allow the recipient logged in as Martina to send an email as if it came from Andrew Stevens (her boss!)

[PS] Add-ADPermission "Andrew Stevens" -User "compulinx\martina" -Extendedrights "Send As"

This requires a little more explanation. When Martina logs in using perhaps OWA, she will not be able to define an alternative sender by default. In other words she will not see the from field in the new email message and therefore will not be able define an alternative sender (Andrew Stevens in this case). This requires the following configuration:

You should first click options as indicated in the below screen print

Next click 'Settings' and then 'Mail' as indicated below

By default the 'Always show Bcc' and 'Always show From' boxes are not selected. Select both boxes as shown. Now click 'My Mail' to return to the main interface.

Once you create a new message you will see the 'From' field where you can define an alternative sender:

If you replace any other sender in the 'From' field you will receive an error as you will only have permission to replace Martina with Andrew Stevens. You should see this error when you click send. Also you wont be able to send on behalf of another user if that user is hidden from address lists.

Internet Routing

2010-06-28T22:33:00.043+01:00

Routing mail throughout your internal infrastructure requires little extra configuration if you rely on your AD topology to do the job. Of course, you must have a well designed AD infrastructure for this to work! As the previous post explained, you may need to adjust your setup to correctly establish just how email is routed if the AD topology favours AD replication and not email routing (hub sites for example).
Routing mail out of your exchange organisation to recipients that don't have internal mailboxes, will NOT WORK by default. Sending and receiving an email to and from a hotmail account for example. This post will show you what configurations are required to get this going.

Part One

Configure Accepted Domains
Exchange will accept email if the domain is configured as an accepted domain. For example, If a hotmail user sends an email to andrew@compulinx.com, my exchange server will accept the email and send the message to the Andrew recipient mailbox. The message will only be accepted if compulinx.com is configured as an accepted domain. This would have been configured by default if the AD domain has the same name (this would be a split DNS). Many AD infrastructures use .local as a top level domain name and so in this case, compulinx.com (the Internet registered name) would be added as a accepted domain.
There are three main types of accepted domain:

Authoritative
Internal relay
External relay

In the example just given, compulinx.com is an authoritative domain. The exchange organisation is 'responsible' for this domain and has recipients with this email address.

Relay domains are not part of your exchange organisation. Internal relay domains would result in inbound emails being sent by your exchange server to another by using a send connector based on that domain name. This might be used where exchange is sharing the namespace with another email system. Messages are first sent to your exchange server, if no mailboxes exist then they are sent to a different server linked by a send connector.
An external relay will result in exchange not checking if a mailbox by that domain name exists in the organization. It will send the email to a different server probably in a completely different organization using a send connector. For example, email could arrive at your edge server, get cleaned up then sent by external relay to another organization.
The following cmdlets are used to configure these different accepted domains:

[PS] New-AcceptedDomain -Name "compulinx.com accepted domain" -DomainName compulinx.com -DomainType Authoritative

Different domain types can be used in the above cmdlets. These include the following:
Authoritative
InternalRelay
ExternalRelay

Part Two

External DNS configuration
Another important consideration is to make sure the accepted domain name is registered properly on the Internet. Using perhaps your ISP web site you should create an MX record that references your public IP address. E.g. mail.compulinx.com ..... your public ip address. This might take a while to update.

Part Three

Configure Remote Domains Message Settings
Remote domains are domains outside of your exchange organization, in other words domains that your exchange server is not authoritative for. When your exchange recipients send mail to an external address e.g. a hotmail address a default remote domain configuration is used (unless a more specific remote domain configuration has been made). These remote domains are organization wide (you can see them in the EMC under 'Organization Configration' and 'Hub Transport). There are two settings that can be applied to your remote domains:

1. Out-of-office messages (OOFs)
2. Message format

Out-of-office messages (OOFs)

As you can see in the above screenprint, OOFs can be set to provide automatic messages on receipt of email informing senders that you are not available. These senders could be internal or external recipients of your organisation. Note however that 'Allow external out-of-office messages only' (the one shown above) applies to messages created by Outlook 2007 (or newer), OWA in Exchange Server 2007/2010 and maked as external. The next option allows all clients (Outlook 2003/2007/2010 and OWA connected to Exchange 2003/2007/2010) to send OOF messages when replying to messages marked as external. The last option allows all clients (Outlook 2003/2007/2010 and OWA connected to Exchange 2003/2007/2010) to send OOF messages when replying to messages marked as internal.

Message Format

Message Format settings can be used where perhaps you dont want automatic replies (or NDRs) to be sent to particular remote domains (maybe domains you dont trust). Spammers can determine whether the email address they send spam to is invalid or not.

Part Four
Configuring Connectors to Send and Recieve Email To/From the Internet

1. Send Connectors

The following describes how to construct a necessary 'Send Connector' that will send Internet bound email from your Hub Transport server (i.e. not using an Edge server). This is not usually recommended. We will discuss the use of Edge servers in part 5.

Open the EMC and browse to the Organisation Confiuguration, Hub Transport node
Select New Send Connector in the Actions pane
Type a name for the connector
Select 'Internet' in the Intended Use For This Send Connector section
In the address space screen, click add and provide a * in the address field
Under network settings, use DNS MX records to route mail automatically
On the source server screen, make sure your Hub Transport server is listed and finish the wizard.

The following script should provide the same configuration:

[PS] new-SendConnector -Name 'Internet' -Usage 'Internet' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'EX1'

2. Receive Connectors

The following describes how to modify an existing receive connector to allow a Hub Transport server to receive email from the Internet. It is best practice to allow external NAT routers to forward TCP 25 (SMTP) traffic to a Edge server in your DMZ. Without Edge servers, first configure your NAT routers to port forward to a Hub Transport server. Receive connector configuration essentialy involves changing the connectors ACL to allow sending email servers to authenicate anonymously.

Open the EMC and browse to the Server Configuration, Hub Transport node
From the list of Hub Transport servers, select the server that you want to receive Internet mail on.
Select the defualt connector and properties
Select the permissions Groups tab
Select anonymous users and click OK

Part 5

Using Edge Transport Servers

Edge transport servers sit in a perimeter network (in a workgroup outside of your internal AD structure). Its focus is to relay inbound and outbound messages to and from an Exchange Organization while providing message hygiene and security. Because its in a workgroup, it does not have direct contact with AD. To perform its functions, it uses AD Lightweight Directory Services (was called ADAM) which is like a read only copy of AD (at least just part of it). Replication is one way only (from Hub Transport to Edge Server). Only recipient,configuration and topology information required by the Edge server to perform its functions of message relay, message hygiene, anti-spam and use of transport rules are replicated. The MSExchangeEdgeSync service which runs on the Hub Transport server will push AD changes to AD LDS on a scheduled basis.
The following section will explain how to install and configure an Edge Server:

On a server install the AD LDS role
Make sure the server has a FQDN (of AD domain name)
Add the .NET 3.5.1 feature
Assign the DNS IP address as the internal DNS server (on your DC)
Make sure you create a host record for the edge server on the internal DNS
Install the Edge Server role

I have found that self-signed certificates are used here. If deleted (perhaps by mistake), Test-Sychronization and Test-Edgesubscription will fail. To overcome this do the following:

On the Hub Transport Get-ExchangeCertificate to identify your certificates
Type New-ExchangeCertificate
Restart the Hub Transport service
If any edge subscriptions and/or send connectors exist on the Hub Transport remove them (no subcriptions will exist if this is a first time configuration!).
Restart the Hub Transport service again
Remove any existing subscriptions on the Edge server (none should exist)
Create a new subscription file on the Edge server by typing New-EdgeSubscription -FileName "c:\edsub1.xml"
Copy the file to the Hub Transport server
On the Hub Transport server browse to Organization Configuration, Hub Transport and on the action menu select New Edge Subscription
In the wizard define the site and xml file to be used as shown below

Once the edge subscription has been performed you can try a test. Try the following:

[PS] Test-EdgeSynchronization

And then try the following to start the synchronization process

[PS] Start-EdgeSynchronization

Another point to consider is to make sure that the "EdgeSync - Inbound to Default-First-Site-Name" send connector is configured correctly. The connector is shown below:

On the connectors properties, select the network tab as shown

You should define the IP address of the Hub Transport server as the smart host. Without it mail will go out successfully to the Internet but you will not receive it.

Internal Mail Routing

2010-06-07T21:39:00.008+01:00

Mail is 'moved' by transport servers. Hub transport servers move email throughout the intranet and to other sites that belong to the organization. Edge transport servers send mail to the Internet.

Exchange uses the organizations Active Directory infrastructure to route mail between sites. For every site that a mailbox server role resides, you must have a hub transport server. The mailbox server role sends and receives all mail to and from a hub transport server in the same site. All mail that enters and leaves your organization must pass through the hub transport server.

Transport servers use connectors to shift mail. During installation default recieve and send connectors are created which allow messages to flow throughout the organization.They are good to go! No extra configuration is needed. Messages will be sent from one hub transport (in your site) to other hub transport servers in other sites where a mailbox server holds the recipients mailbox.

As explained, internal mail flow works with no extra configuration. The AD site infrastructure is held in the forests configuration partition (which is replicated to all DCs forest wide). It is this site infrastructure which is used to route mail. Active directory sites represent areas of well connected, high speed LANs. Sites are connected by intersite link objects. This class of object allows AD replication to occur every 3 hours by default. These can be assigned cost values which dictate preference of use. In the diagram NewYork can connect to Tokyo by first connecting to London or by connecting to Paris.
Active directory sites represent areas of well connected, high speed LANs. Sites are connected by intersite link objects. This class of object allows AD replication to occur every 3 hours by default. These can be assigned cost values which dictate preference of use.

In the diagram NewYork can connect to Tokyo by first connecting to London or by connecting to Paris. The total cost of the route is the sum of all the site link costs along the way. The route via London has a total cost of 20. Via Paris the total cost is 25. Messages from NewYork would be sent via London to recipients in Tokyo. AD administrators therefore define the message path since Exchange routing 'rides on the back ' of AD replication topology. This may be fine for your organization. However, Exchange administrators can take control of the situation and assign special 'Exchange costs' that override the normal AD site link costs. Note that Exchange administrators do not need any AD permissions for this. If Exchange costs of 5 are assigned to the site links that connect NewYork to Paris and Paris to Tokyo then messages from NewYork to Tokyo would now pass through London instead of Paris. AD replication would still travel via Paris. Exchange site link costs can be set by using the following cmdlet:

[PS] Set-ADSiteLink NewYork -ExchangeCost 5

To remove the site link cost set the -ExchangeCost value to $null
Consider the following scenario:

Messages are sent along the path that has the lowest accumulative cost (in this case NewYork - Paris - Dubai - Tokyo for messages sent from NewYork to Tokyo). You should remember that NewYork would try to contact Tokyo directly. What I mean is Exchange to Exchange communication. The NewYork exchange server would first attempt to send messages to the Tokyo exchange server first and would use the NewYork - Paris - Dubai - Tokyo routing path to get there. If it cant make this direct communication NewYork would attempt to contact the closest exchange server according to the routing topology. This would be Dubai. As you can see, messages do not relay to hub transports on route to the final destination server but backoff to a server in a site which is along the routing path. Messages are queued here in a retry state. This is called queue point of failure.
Another consideration is bifurcation. A message sent from someone in NewYork to multiple recipients in different sites would be sent by the NewYork server to a server where a fork in the routing path exists. The bifurcated message is therefore relayed to an Exchange server in a site that represents a fork in the individual recipients routing paths. This is called delayed fan-out.
Direct server to server relay between NewYork and Tokyo will not occur if a hub site exits along the routing path. A hub site is a AD site that messages would be sent to along the least cost routing path. What I mean here is all messages. Perhaps you require messages to be relayed to hub transport in a particular site first rather than the usual direct relay. However, the hub site designated must exist along the least cost routing path between source and destination.
You can designate an AD site as a hub site by using the following cmdlet

[PS] Set-ADSite Paris -HubSiteEnabled $true

Exchange Servers and Certificates

2010-05-29T20:46:00.019+01:00

In a previous post I detailed how to configure Outlook Anywhere which relies on HTTPS. This must use a certificate infrastructure and this post I hope will instruct you on how to configure your CA, distribute the necessary Exchange certificate and how to configure Exchange and clients.

1. Install the Active Directory Certificate Services role on a member server or a domain controller. During installation of the service make sure that you choose an enterprise server.

2. Create a duplicate version 3 template of the web certificate. This version will allow you to create a certificate with multiple subject alternative names (a SAN certificate). Make sure that the CAS machine that is Internet facing is defined on the templates security tab (ACL).

3. Ensure that the template created is defined in the list of templates provided by your CA.

4. On the defined CAS, using an elevated MMC with added computer certificate, request a computer certificate from the CA.

5. During the request you can define multiple subject alternative names by adding different DNS names. The names I suggest are based on the following public (compulinx.com) and private (compulinx.local) DNS names.

   •Mail.compulinx.com
   •Compulinx.com
   •Autodiscover.compulinx.com
   •Ex1.compulinx.local
   •Compulinx.local
   •Autodiscover.compulinx.local

6. As you can see from point 5, multiple DNS names are included. These represent both public and private names (where mail is public and ex1 represents your exchange server NetBIOS name). The same certificate can be used for internal and external clients. You can choose not to include the internal names for security (personally I wouldn’t worry considering that if a hacker can make an intrusion using a NetBIOS name then you might as well give them a domain account!). However, you should include an SRV record in your DNS where autodiscover _TCP port 443 maps to the CAS machine.

7. Once the CAS machine has any Exchange certificate check in the trusted root folder for the root CA certificate. Copy this certficate to any workgroup client that will make use of Outlook and Outlook Anywhere.

8. You will need to establish that Exchange uses the requested certificate. First, determine what certificates are on board by using the following command:

[PS] Get-ExchangeCertificate -DomainName EX1 | fl subject,thumbprint

You will most likely find 2 certificates in the list; the certificate just requested and an original certificate which is self signed. You can delete this from the MMC personal certificates snap-in. We need to enable the certificate for use with various Exchange services.

[PS] Get-ExchangeCertificate -Thumbprint abcdef | Enable-ExchangeCertificate -Services "IIS,SMTP"

The Client Access Server Role Pt4

2010-05-28T09:55:00.033+01:00

Outlook Anywhere and Autodiscover

Microsoft Outlook 2007/2010 AutoDiscover is an Exchange Server 2007/2010 service, or more specifically Exchange Web Service, which allowed easy to configure Outlook 2007 profiles in your organization. In order to automatically configure and connect previous versions of Outlook to Exchange 2000 and 2003 Servers, you needed to do so using the Custom Installation Wizard from the Office Resource Kit or a similar tool. But now the users can configure their Outlook profile themselves, as they only need to click next a few times and specify their e-mail address and password. This will allow the construction of a Outlook 2007/10 profile to be built irrespective of whether the client machine is AD member or in a workgroup.

The last point made here is an important consideration. An AD machine member is able to query active directory and determine the location of the Exchange server and then communicate directly with that server. An employee on a home desktop would need to VPN into the office network and via the authenticated tunnel be able to make this query and exchange connection.

The Outlook client uses MAPI (Messaging Application Program Interface). It allows client programs to become 'messaging-aware'. Remember that its an API. It needs a transport mechanism to connect to your exchange server. Here comes RPC. MAPI calls are transported using RPC hence the expression MAPI over RPC. This all works great if your machine is physically on the office wire and AD authenticated or as mentioned you first VPN to the office. But you can also now connect Outlook without the use of a VPN!
RPC can be encapsulted by HTTPS which can then traverse your office firewall, become decapsulated by an RPC/HTTP proxy and allow communication with your Exchange server. This is called Outlook Anywhere and relies on the Autodiscover service for seamless Outlook configuration. To accomplish Outlook Anywhere and automatic configuration read on and follow the following steps...

Configuration of Outlook Anywhere

Outlook Anywhere is not enabled by default. Before enabling it ensure that you add the RPC/HTTP proxy feature on the CAS server.
Because HTTPS is used, ensure that you have a suitable SAN certificate installed. I will detail how to do this in a later post. It is worth remembering that the client machine must have the trusted root certificate installed.

You can enable Outlook Anywhere by using the following EMS command. As you can see, you will need to determine the method of authentication, the public DNS reference that users use to connect from the Internet and if SSL offloading is used.

[PS] Enable-OutlookAnywhere -DefaultAuthenticationMethod Basic -ExternalHostName:mail.compulinx.com -SSLOffLoading:$false

If you need to change the authentication method later on you can by using the following:

[PS] Set-OulookAnywhere "EX1\RPC (Default Web Site)" -DefaultAuthenticationMethod NTLM

Configuration of Autodiscovery

Now the tricky bit! Autodiscovery allows the automatic configuration of Outlook 2007/10 and mobile devices. In a nutshell, the service provides an XML file to the client providing information on where and how to connect to your exchange server. Internal clients query AD (as domain members) to find the XML file. External Internet clients use DNS. Lets be more specific.

The LDAP query made by domain members is an attempt to locate the Service Connection Point (SCP) for the autodiscover service (which provides the XML file). The SCP object lives in the configuration partition with the other Exchange configuration objects. Try the following:

Open LDP
Click Browse then Search and supply the following information:

The output you should see will provide the ServiceBindingInformation (the location of the XML file). Something like this

serviceBindingInformation: https://EX1.compulinx.local/Autodiscover/Autodiscover.xml

As you can see this is the Internal domain reference of the Autodiscover web service and the XML file. Outlook will then connect to the service using the location information provided and download the XML file.

The file will provide the URL location for a number of different services running on the CAS server:

You can trace what happens during the connection by typing the following:

[PS] Test-OutlookWebServices andrew@compulinx.com

The output is lengthy, but you can determine a lot from it:

The SCP is located
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id : 1019
Type: Information
Message: A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://EX1.compulinx.local/Autodiscover/Autodiscover.xml.

The Autodiscover Service is contacted

RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1006
Type: Information
Message: Contacted the Autodiscover service at https://EX1.compulinx.local/Autodiscover/Autodiscover.xml.

The Availability Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1024
Type: Success
Message: [EXCH] Successfully contacted the AS service at https://EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 93 milliseconds.

The Unified Messaging Service is contacted (one of the URLs defined in the XML file)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1026
Type: Success
Message: [EXCH] Successfully contacted the UM service at https://EX1.compulinx.local/EWS/Exchange.asmx. The elapsed time was 15 milliseconds.

The RPC/HTTP proxy is contacted (therefore Outlook Anywhere)
RunspaceId : 695c4068-4875-4de6-b59e-f4fabe967419
Id: 1128
Type: Success
Message: [EXPR] Successfully contacted the RPC/HTTP service at https://EX1.compulinx.local/rpc. The elapsed time was 0 milliseconds.

Notice here that the URLs reference the internal name space (ie. the domain.local reference as I am not using split DNS). This all indicates that internal users have no problem using autodiscovery to connect Outlook clients and have them configured automatically. But please understand that the URLs returned are internal references. Workgroup Internet users cant use these URLS (for one thing .local is being used and this is not a valid TLD).

External users must be able to obtain the XML file aswell and also the URLs returned must reference the public DNS namespace.
The CAS server running autodiscover can be found by updating the clients hosts file or updating the public DNS (i.e autodiscover.yourpulicname.com----public IP). During configuration of Outlook the user is promted to define a name, an email address and a password. The domain name is taken from this email address and the client appends autodiscover to the domain name. A public DNS lookup is made. Now the client will pass through the corporate firewall where HTTPS has been redirected to your CAS server.
The URL used is https://autodiscover.smtpdomain/Autodiscover/Autodiscover.xml. Once contacted the XML file will be returned. However this time the URLs are public.
You should make sure that the services autodiscovery puts you in touch with have both the correct internal and external references. From the test output above you can see that this needs to be checked for the following:

Web services virtual directory
Offline Address Book
Unified Messaging
Outlook Anywhere

The web services infact covers a lot of the services. Includes Out of Office, Availability Service for Free/Busy etc. and unified messaging. To determine current configuration type:

[PS]Get-WebServicesVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-WebServicesVirtualDirectory -Identity "EX1\EWS (Default Web Site)" -InternalURL https://EX1.compulinx.local/EWS/Exchange.asmx -ExternalURL https://mail.compulinx.com/EWS/Exchange.asmx -BasicAuthentication:$true

To determine the current configuration of the offline address book type:

[PS] Get-OABVirtualDirectory | fl

To configure the external and internal URLs type:

[PS] Set-OABVirtualDirectory -Identity "EX1\OAB (Default Web Site)" -InternalURL https://EX1.compulinx.local/OAB -ExternalURL https://mail.compulinx.com/OAB -RequireSSL:$true

To determine the URLs used Outlook Anywhere

[PS] Get-OutlookAnywhere | fl

To configure the correct external URL type:

[PS] Enable-OutlookAnywhere -DefaultAuthenticationMethod Basic -ExternalHostName:mail.compulinx.com -SSLOffLoading:$false

(You did this above when you enabled Outlook Anywhere)

You will also need to check and set the for ActiveSync:

[PS] Get-ActiveSyncVirtualDirectory | fl

[PS] Set-ActiveSyncVirtualDirectory -Identity "EX1\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.compulinx.com/Microsoft-Server-ActiveSync

The Client Access Server Role Pt3

2010-05-05T19:26:00.048+01:00

Exchange 2010 and Mobile Devices

Mobile devices like PDAs and mobile phones can connect to Exchange 2010 to send/read email messages and other items such as calendar, contacts and tasks. The technology behind this is ActiveSync. ActiveSync is based on HTTP/HTTPS and is designed to connect mobile devices across the Internet.

Enabling/Disabling ActiveSync

ActiveSync is on by default but you can turn it off by configuring IIS on the CAS. To do this do the following:

   1. Open IIS Manager from Administrative Tools
   2. In the console tree open the Application Pools node
   3. Locate MSExchangeSyncApplicationPool
   4. Select Stop from the Actions Menu

This will disable ActiveSync. Conversely, choosing 'Start' will enable ActiveSync

Enabling/Disabling ActiveSync per User

ActiveSync can be enabled/disabled on a per user basis by performing the following steps:

[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $True
[PS] Set-CASMailbox "Andrew Stevens" -ActiveSyncEnabled $False

Restrict Mobile Devices

By default users can synchronize any ActiveSync capable device with Exchange. You can prevent users from connecting with specific devices by using a devices 'Device ID'. However, you should understand that you can only determine this value once an ActiveSync device has connected and synchronized with Exchange.

The device ID can be determined by using the Get-ActiveSyncDeviceStatistics:

[PS] Get-ActiveSyncDeviceStatistics -MailBox: [alias] | ft DeviceModel, DeviceID, DevicePhoneNumber

The DeviceID is based on International Mobile Equipment Identity. As mentioned this can be obtained once synchronization has ocurred. You can get the number by typing *#06# on the mobile device.
You can add the device to a block list by typing the following:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs 356059038180488

You can block every device except the device you want to use by the following command:

[PS] Set-CASMailbox [alias] -ActiveSyncAllowedDeviceIDs 356059038180488

With the above command every device is blocked except this one.
To clear the device id from the block list and the allowed list type the above commands but use $null instead of the IMEI number:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockDeviceIDs $Null

Mobile Device Policies

Different devices used by your users have different features and settings. You can define which features and settings are provided for your users by establishing Mobile Device Polices. By default, a single policy is built and is visible:

   1. In the EMC, browse to Organization Configuration, Client Access node
   2. Select Exchange ActiveSync Mailbox Policies
   3. You should see a policy called default

This policy is applied to all your users.

Create A New Mobile Device Policy

You can create a new policy in the EMS by typing the following:

[PS] New-ActiveSyncMailboxPolicy "Managers"

This creates a new policy with default settings and in this scenario the policy will be used for company managers.

Set the New Policy to Users and Groups

You can define which groups/users should use the new policy by the following:

[PS] Get-Mailbox andrew | Set-CASMailbox -ActiveSyncMailboxPolicy Managers

Disable/Enable Mobile Device Features

Once users and groups have been assigned you can control which features you want to be enabled/disabled.

These include the following features:

Removable storage
Camera
Wireless network adapter
Infrared port
Internet sharing
Remote desktop
Synchronization with a PC
Bluetooth functionality

These features can be turned off using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -AllowCamera $false

This will turn off the use of the camera on the mobile device. However, this does depend on the device model and only really applies to Windows Mobile Devices.

Manage Synchronization Settings

You can also control synchronization settings. This would include the following items:
How old emails and calendar items have to be before they are no longer synchronized
Maximum size of email attachments
Direct Push which pushes email to devices and does not require manual or pre-defined time synchronization at the device end
Formatting of messages to HTML or text

This can all be done using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -MaxEmailBodyTruncationSize 75 -AttachmentsEnabled $false

This will allow maximum email size to be 75KB and disable attachments.

Protection of Mobile Devices

Protection of devices is essential. A first step is ensuring password protection on the device. The password requirements can be quite granular:

As you can see the password setup can be quite involved. You can see from the above diagram that the number of failed attempts is set to 8. Anymore than this and the device is wiped clean destroying all data stored on the device! So I suggest you select Enable Password Recovery. If you do this a secondary password is generated and maintained on Exchange. An administrator can obtain this password as can the user via OWA.

If the administrator requires access to the recovery password simply select the users mailbox using the EMC and in the action pane click the Manage Mobile Phone option. The recovery password is displayed which can then be given to the user.

A user that has forgotten her password can determine the recovery password by going through control panel in OWA.

The recovery password can also be obtained using the EMS. You will need to enable the ShowRecoveryPassword parameter in order for the password to be displayed. Try the following:

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" -ShowRecoveryPassword | fl DevicePhoneNumber, RecoveryPassword

Remote Wipe

You can perform a remote wipe of a lost or stolen device. When I say wipe I really mean WIPE! Data on the device and any storage cards will be erased. The process can be performed using both console and shell. To perform a wipe using the shell, perform the following 2 steps:

1. Get a list of devices for the unfortunate user

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" | fl Identity

2. Wipe the device using the returned device ID

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity]

You can also perform the same thing and send a notification email to inform the person of the wipe (just to keep them happy!)

3. [PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity] -NotificationEmailAddresses "andrew@compulinx.com"