
Sunday 31 October 2010

Exchange 2010 Post Installation Tasks

The previous post details a typical Exchange 2010 installation. Once Exchange is installed, there are some post-installation tasks to perform (the list below is not exhaustive).

  • Enter the Product Key

The key is not required during the install process. In unlicensed mode, you have 120 days, during which your server will function as Exchange Standard Edition. Every time you launch the Exchange 2010 Management Console you are reminded of the number of days left.



You can check the remaining trial period by using the following cmdlet:

[PS] C:\>Get-ExchangeServer | Where-Object {$_.IsExchange2007TrialEdition -match $true} | ft name,rem* -au

To enter the product key you can use the Management Console or the Exchange Shell. To use the console see below:


To use the shell type the following cmdlet:

[PS] C:\>Set-ExchangeServer -Identity srvmail -ProductKey ASMTV-GMXFD-C23GH-8SSAS-ADSAP

  • Verify a Successful Installation

You will want to make sure that the installation was a success. Setup logs can help with this. All of the setup logs for Exchange are found in a folder on the root of the system drive (e.g. C:\ExchangeSetupLogs). This folder holds the ExchangeSetupLog file, which records the status of every task that the installer performs when installing and configuring Exchange.

  • Check Services

I have found that on reboot, the server does not always start the necessary exchange services like it should. You can determine this using the following cmdlet:

[PS] E:\>Test-ServiceHealth | fl

Saturday 30 October 2010

Installing Exchange 2010 - Exchange Server Operating System PreReqs

Before we install Exchange 2010, we must ensure that certain operating system components are in place.
On the Start menu, navigate to All Programs > Accessories > Windows PowerShell. Open an elevated Windows PowerShell console, and run the following command:

[PS] Import-Module ServerManager

Then copy and paste the following commands to install the pre-requisite operating system components needed to later build a hub transport server, client access server and mailbox server all in one go.

[PS] Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,
WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,
Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

On servers that will have the Client Access server role installed, after the system restarts, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for automatic startup by running the following command:


[PS] Set-Service NetTcpPortSharing -StartupType Automatic

For Edge Servers, you will need the AD LDS role installed, an internal card configured to use an AD DNS server, and the server configured to be in a workgroup. Additional operating system requirements can be added by using the following:

[PS] Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

Friday 29 October 2010

Installation of Exchange 2010 (Typical)

This is a walk-through of a typical Exchange 2010 installation. The slides include a preparation of the Schema (/PrepareSchema), configuration partition (/PrepareAD)  and domain partition (/PrepareAllDomains).

Notice that the Schema Preparation should be made on the Schema Master FSMO role holder. You can determine this by using the netdom utility.

Once Active Directory has been prepared, it's time to turn your attention to the installation of the Exchange 2010 server proper. There are a number of Server 2008 R2 pre-requisites that are required. These are mentioned in here. Once this has been done, execute setup.exe on the CD. Follow the next couple of steps as illustrated below.

Tuesday 26 October 2010

Create a Client Configuration File for RemoteApp and Desktop Connection

Another method that allows you to launch applications from the client that applies specifically to Windows 7 clients is the use of configuration files. The previous post relies on the client visiting a website and is especially useful when you have a mixed bag of clients. The configuration file is a little like the .rdp and .msi methods of remote application distribution. To start, log on to your RDCB server:

To create a configuration file
  1. On the RD Connection Broker server, open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
  2. In the left pane, click Remote Desktop Connection Manager: <server name>, where <server name> is the name of the Remote Desktop Connection Broker (RD Connection Broker) server.
  3. On the Action menu, click Create Configuration File.
  4. In the Create Configuration File dialog box, in the RAD Connection feed URL box, enter the RemoteApp and Desktop Connection URL that specifies the Remote Desktop Web Access (RD Web Access) server that provides RemoteApp and Desktop Connection resources to users. When you specify the URL, use the fully qualified domain name (FQDN) of the RD Web Access server. For example, enter https://rdwaserver/RDWeb/Feed/webfeed.aspx.
    Note
    RDWeb is the default virtual directory name used by RD Web Access. If your implementation of RD Web Access uses a different virtual directory name, provide that name in the URL.

  5. Click Save, specify a file name and a folder location, and then click Save.
  6. Distribute the configuration file to the end users.
  7. Allow users to run the webfeed program
End users will be able to see the remote applications by going to All Programs, RemoteApps and Desktop Connections.
To update the list of programs on the client in the event of adding new remote applications on RDSH server do the following:
  1. Launch Control Panel on your Windows 7 client
  2. Go to RemoteApp and Desktop Connections (if using 'Category' view type this in)
  3. Click Properties
  4. Under Update click Update Now

Running the Remote Applications from the Client (RDS Pt4)

To verify the functionality of a RemoteApp program deployment, log on as a domain user and connect to the RemoteApp program by using Remote Desktop Web Access (RD Web Access).
To connect to the RemoteApp program
  1. Log on to the domain joined Windows 7 client as an ordinary domain user
  2. Click Start, point to All Programs, and then click Internet Explorer.
  3. In the Address bar, type https://rdwa.compulinx.local/RDWeb and then press ENTER.
  4. In the Domain\user name box, type Domain\UserName
  5. In the Password box, type the password that you specified for the account and click Sign in.
    Note
    If you receive a prompt asking you to install the Microsoft Remote Desktop Services Web Access Control, click Run Add-on, and then click Run.

  6. Click Calculator, and then click Connect.
Well done chaps! If you find you get certificate warnings then make sure you have correctly added the certificate thumbprint to the Default Domain Group Policy setting and run gpupdate /force (for both RDSH and RDWA servers).

Installing and Configuring RemoteApp (RDS Pt3)

Ensure that 'Domain Users' are included in the local 'Remote Desktop Users' group on the RDSH server. A chain of authorization is set up. The RDSH server will use the RDCB as a web access server and in turn the RDCB will use the RDWA server.
You must add the RDCB server computer account object to the TS Web Access Computers security group on RDSH server.

 To add RDCB server to the TS Web Access Computers group on RDSH server
  1. Log on to RDSH server as Domain\Administrator.
  2. Click Start, point to Administrative Tools, and then click Computer Management.
  3. Expand Local Users and Groups, and then click Groups.
  4. Right-click TS Web Access Computers, and then click Add to Group.
  5. Click Add.
  6. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
  7. In the Object Types dialog box, select the Computers check box, and then click OK.
  8. In the Enter the object names to select box, type the rdcb server name and then click OK.
  9. Click OK to close the TS Web Access Computers dialog box.
Next, you must add the RDWA server computer account object to the TS Web Access Computers security group on the RDCB server computer.

To add RDWA server to the TS Web Access Computers group on RDCB server
  1. Log on to RDCB server as Domain\Administrator.
  2. Click Start, point to Administrative Tools, and then click Computer Management.
  3. Expand Local Users and Groups, and then click Groups.
  4. Right-click TS Web Access Computers, and then click Add to Group.
  5. Click Add.
  6. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
  7. In the Object Types dialog box, select the Computers check box, and then click OK.
  8. In the Enter the object names to select box, type the rdwa server account and then click OK.
  9. Click OK to close the TS Web Access Computers dialog box.
Next, you must add a RemoteApp program to RDSH server by using RemoteApp Manager.

To add a RemoteApp program by using RemoteApp Manager
  1. Log on to RDSH server as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
  3. In the Action pane, click Add RemoteApp Programs.
  4. On the Welcome to the RemoteApp Wizard page, click Next.
  5. On the Choose programs to add to the RemoteApp Program list page, select the Calculator check box, and then click Next.
  6. On the Review Settings page, click Finish.
You can add Office 2007/2010 to the list. Do not install from the CD. This is important! Go to the Control Panel and type 'Install'. Select 'Install Application on Remote Desktop Server'. Also, with Server 2008 R2 you can select a listed program and, under its properties, define 'user assignment' to control which users can run that program.

Next, assign a RemoteApp source on the RD Web Access server (RDWA server). The calculator application is not running on the RDWA server. This is just a front-end interface for applications used by clients. So,

To assign a RemoteApp source on RDWA-SRV
  1. Log on to RDWA server as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration.
  3. Click Continue to this website (not recommended).
    Important
    You should see a warning because of the use of 'Localhost'. This is normal because the certificate defines the name using the FQDN. However, you may get problems such as not being able to display the web site. If this happens, within IIS, select the Default Web Site and make sure that the bindings are set correctly to use the certificate obtained from the CA. Do not use a self-signed certificate!

  4. In the Domain\user name box, type Domain\Administrator.
  5. In the Password box, type the password that you specified for Domain\Administrator, and then click Sign in.
  6. On the Configuration page, click An RD Connection Broker server.
  7. In the Source name box, type the name of the RDCB server and then click OK.
Finally, you must add a RemoteApp source on the RDCB server by using Remote Desktop Connection Manager. The broker needs to locate RDSH server to offer the applications to the RDWA server.

To add a RemoteApp source by using Remote Desktop Connection Manager
  1. Log on to RDCB server as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
  3. Click RemoteApp Sources, and then in the Actions pane, click Add RemoteApp Source.
  4. In the RemoteApp source name box, type the name of the RDSH server and then click Add.

Deploying Remote Desktop Web Access with Remote Desktop Connection Broker (RDS Pt2)

For this exercise, you will need a suitable certificate infrastructure in place. Some thought is needed. We will be deploying our remote desktop service to internal domain clients so certificate revocation checks should work by default. Consider the following certificate requirements:

  • The certificate must be trusted explicitly or from a trusted root certificate.
  • The certificate name or the Subject Alternative Name must match the fully-qualified domain name of the server.
  • The certificate must support Server Authentication or Remote Desktop Authentication Extended Key Usage.
  • Indirect certificate revocation lists are not supported.
  • Certificate revocation checks are performed by default.
  • When you use CredSSP, you can turn off certificate revocation checks by configuring the following registry entry to a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
  • When you use Transport Layer Security (TLS), you can turn off certificate revocation checks by configuring the following registry entries to a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\CertChainRevocationCheck and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\CertChainRevocationCheck
The last two points are not necessary to configure. What I recommend is constructing a certificate template based on Web Server (I seem to always use this!). The subject name should be set to be 'supplied in the request' and the remote desktop session host (RDSH) server should be listed on the ACL with enroll and read permissions. Also allow the private key to be exported. When the RDSH server makes the request from the CA using certificate snapin, you can supply the internal DNS name and external DNS names using the subject alternative name. Don't forget to supply the correct CRL locations on the CA itself BEFORE you make the certificate request. You might need to add a new CRL location perhaps to a DMZ web server. I will write a post on this later.
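To confirm that none of the revocation overrides listed above has been set on a server or client, the registry entries can be read back. The following is an added example, not part of the original post; the function name Get-RdpRevocationOverride is made up for illustration, and each entry is read as a value under the key named in the list.

```powershell
# Added example: reports whether the revocation-check overrides named above are set.
# Get-RdpRevocationOverride is an illustrative name, not a built-in cmdlet.
function Get-RdpRevocationOverride {
    # Each entry: registry key, value name, and the value that turns checks OFF
    $entries = @(
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Credssp'
           Name = 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors'
           Off  = 1 },
        @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Client'
           Name = 'CertChainRevocationCheck'
           Off  = 0 },
        # HKCU only covers the user running the script
        @{ Key  = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client'
           Name = 'CertChainRevocationCheck'
           Off  = 0 }
    )

    foreach ($e in $entries) {
        $value = $null
        $prop  = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.($e.Name) }

        if ($value -eq $null)      { $state = 'Not set (default: checks performed)' }
        elseif ($value -eq $e.Off) { $state = 'REVOCATION CHECK DISABLED' }
        else                       { $state = 'Set, but not to the disabling value' }

        New-Object PSObject -Property @{
            State = $state
            Name  = $e.Name
            Value = $value
            Key   = $e.Key
        }
    }
}

Get-RdpRevocationOverride | Format-Table State, Name, Value, Key -AutoSize
```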

Once the RDSH server has a certificate do the following:
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.

To configure a certificate used to digitally sign the RDP file

  1. Log on to SRV1 as Domain\Administrator.
  2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
  3. Under the Overview section, click Change next to Digital Signature Settings.
  4. Select the Sign with a digital certificate check box.
  5. Click Change.
  6. On the Confirm Certificate page, select the appropriate certificate, and then click OK.
  7. Click OK to close the RemoteApp Deployment Settings dialog box.
You must add the thumbprint of the certificate used to digitally sign the RDP file to the Default Domain Group Policy setting. This is required so that the trusted publisher warning dialog box is not shown to the user each time the RemoteApp program is started.

To add the certificate thumbprint to the Default Domain Group Policy setting

  1. Log on to a domain controller as Domain\Administrator.
  2. Open the GPMC. To open the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.
  3. Expand Forest: compulinx.local, expand Domains, and then expand compulinx.local
  4. Right-click Default Domain Policy, and then click Edit.
  5. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
  6. Double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.
  7. Select the Enabled option.
  8. In the Comma-separated list of SHA1 trusted certificate thumbprints box, type the certificate thumbprint used to digitally sign the RDP file, and then click OK.
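The thumbprint for the policy box, together with the certificate requirements listed earlier (name match, Extended Key Usage, working revocation check), can be read from the certificate store. This is an added example, not part of the original post; Test-RdsCertificate is a made-up function name, and the Subject Alternative Name parsing assumes English-language Windows output.

```powershell
# Added example: checks a certificate against the requirements listed in this post.
# Test-RdsCertificate is an illustrative name, not a built-in cmdlet.
function Test-RdsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Name the clients connect to; defaults to this machine's DNS name
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )

    # Extended Key Usage: Server Authentication or Remote Desktop Authentication
    $wantedEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.4.1.311.54.1.2'
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuOk = @($ekuOids | Where-Object { $wantedEku -contains $_ }).Count -gt 0

    # Names: subject CN plus DNS entries in the Subject Alternative Name (OID 2.5.29.17).
    # Wildcard names are not expanded; this is an exact, case-insensitive match.
    $names = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() output is locale dependent; 'DNS Name=' is the English form
        $names += @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $nameOk = @($names | Where-Object { $_ -eq $Fqdn }).Count -gt 0

    # Chain build with an online revocation check, so an unreachable CRL
    # location shows up here rather than as a client-side warning
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Thumbprint  = $Certificate.Thumbprint   # SHA1, upper-case hex, no spaces
        Subject     = $Certificate.Subject
        NotAfter    = $Certificate.NotAfter
        NameMatches = $nameOk
        EkuOk       = $ekuOk
        ChainOk     = $chainOk
        ChainStatus = $chainStatus
    } | Select-Object Thumbprint, Subject, NotAfter, NameMatches, EkuOk, ChainOk, ChainStatus
}

# Check every certificate with a private key in the computer's Personal store
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-RdsCertificate -Certificate $_ } |
    Format-List
```

Run it on the server that holds the certificate; the Thumbprint value is printed without spaces, ready for the policy setting.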

Configure the domain joined client computer (Windows 7)

To configure the client computer, you must import the digital certificate used by RDSH server to the Trusted Root Certification Authorities certificate store of the computer account. You must import a PFX certificate file that includes the private key. I export the certificate first to a shared location and then import on the client machine using the certificate snapin.

 

Configure the RD Connection Broker server (RDCB server)

On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer account (remembering to import a PFX certificate like you did above). Configure a certificate used to digitally sign the RDP file.

To configure a certificate used to digitally sign the RDP file

  1. Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
  2. Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
  3. On the Digital Signature tab, select the Sign with a Digital Certificate check box.
  4. Click Select.
  5. In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.

Configure the RD Web Access server (RDWA server) 

On a separate member server, install the RD Web Access role service. You will need to obtain a certificate for this server like you obtained a certificate for the RDSH server. You can duplicate the 'Web Server' template as before, making sure the ACL is correct etc.
Add the thumbprint of the certificate used for the RD Web Access server to the Default Domain Group Policy setting by using the GPMC as also done above under the configuration of RDSH server.



      Installing Remote Desktop Session Host (RDS Pt1)

      The next four posts will demonstrate how to set up Remote Desktop Services so that clients can run specific remote applications using a web browser. This will involve running the applications on a Remote Desktop Session Host (RDSH) server (once called a Terminal server). A Remote Desktop Connection Broker (RDCB) will be used to connect the RDSH with the Remote Desktop Web Application server (RDWA). The use of the RDCB will be useful later when we try clustering servers. For this exercise we are not concerned with clustering. You will need 4 servers and a Windows 7 client, all in a single AD domain.

      To install the RD Session Host role service
      1. Log on to a member server as domain\Administrator.
      2. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
      3. Under Roles Summary, click Add Roles.
      4. On the Before You Begin page of the Add Roles Wizard, click Next.
      5. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.
      6. On the Remote Desktop Services page, click Next.
      7. On the Select Role Services page, select the Remote Desktop Session Host check box, and then click Next.
      8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
      9. On the Specify Authentication Method for Remote Desktop Session Host page, click Require Network Level Authentication, and then click Next.
        Note
        If client computers that are running Windows® XP will use this RD Session Host server, select Do not require Network Level Authentication.

      10. On the Specify Licensing Mode page, select Configure later, and then click Next.
        Note
        For the purposes of this class, a Remote Desktop licensing mode is not configured. For use in a production environment, you must configure a Remote Desktop licensing mode.

      11. On the Select User Groups Allowed Access To This Remote Desktop Session Host Server page, click Next.
      12. On the Configure Client Experience page, click Next.
      13. On the Confirm Installation Selections page, verify that the RD Session Host role service will be installed, and then click Install.
      14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
      15. After the server restarts and you log on to the computer as Domain\Administrator, the remaining steps of the installation finish. When the Installation Results page appears, confirm that installation of the RD Session Host role service succeeded, and then click Close to close the RD Session Host configuration window. Also, close Server Manager.
      Add Domain Users to the Remote Desktop Users group
      1. Log on to the RDSH server as Domain\Administrator.
      2. Click Start, point to Administrative Tools, and then click Computer Management.
      3. Expand Local Users and Groups, and then click Groups.
      4. Right-click Remote Desktop Users, and then click Add to Group.
      5. In the Remote Desktop Users dialog box, click Add.
      6. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type Domain Users and then click OK.
      7. Click OK to close the Remote Desktop Users dialog box.

        Monday 18 October 2010

        How to Install Remote Desktop Virtualization Host on Server Core

        After installing Hyper-V R2 I found that installing Remote Desktop Virtualization Host was a little tricky. Here are some of the steps required:

        When you search for the available features on Hyper-V Server you can use DISM. For example “dism /online /Get-Features /Format:table”. This may give the following output:














        As you can see from the above table, "RDVH" is not listed. However, if you start PowerShell and run the following commands you will be able to see the feature:
        1. [PS] Import-Module ServerManager
        2. [PS] Get-WindowsFeature




        Now you can see the Remote Desktop Virtualization Host feature with a Name of RDS-Virtualization. You can now install the feature by typing the following:
        1. dism /online /Enable-Feature /FeatureName:VmHostAgent (type this as written)
        2. [PS] Import-Module ServerManager
        3. [PS] Add-WindowsFeature -Name RDS-Virtualization





          Friday 15 October 2010

          Management of Hyper-V from Windows 7

          Having played around on Server Core 2008 R2 I decided to install Hyper-V 2008 R2 on it. However, I found remote management a bit tricky. After a bit of searching I found some excellent articles answering  some of the problems I experienced. First to manage Hyper-V from Windows 7 you need to install the RSAT tools. You can download the x86/64 versions from the following http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en.
          You might find once you download them that you can't install them. The installer quits with the message "This update is not applicable for your computer." I found it necessary to uninstall SP1, install the RSAT tools and then put SP1 back on again. Once they are on, Hyper-V management can be turned on as follows:
          1. Go to Start > Control Panel. Under Programs, click on Get programs
          2. On the left panel, click on Turn Windows features on or off
          3. On the feature list, expand Remote Server Administration roles > Role Administration Tools, mark Hyper-V Tools, then click OK
          4. Go to Administrative tools > Hyper-V Manager, launch it
          Now that it's running you might find you can't connect to the Hyper-V server. The following article helped a lot with this one: http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/installation-and-deployment/installing-hyper-v-tools-remote-management-windows-7.html

          Additionally, you might find that you connect but get bugged with the following error:

          "Hyper-V Error – Access Denied. Unable to establish communication between Hyper-V and Client"
          The following article provides a simple walkthrough regarding this: http://blog.mpecsinc.ca/2009/06/hyper-v-error-access-denied-unable-to.html

          Thursday 14 October 2010

          How to enable PowerShell in Server Core 2008 R2

          This is a bit of a departure from my normal Exchange 2010 posts but I've been playing around with Server Core on Server 2008 R2. I thought it would be a good idea to provide details on how to install PowerShell on Server Core.

          • start /w ocsetup NetFx2-ServerCore
          • start /w ocsetup MicrosoftWindowsPowerShell
          • To run it just cd to c:\windows\system32\WindowsPowerShell\v1.0 and type powershell
          Once you reboot the system, the PowerShell directory will be placed in the search path and you can just type powershell in any directory to access the PowerShell command prompt.