
Monday, February 20, 2012

Decommission Lync 2010 standard pool

A lot of companies start with a Lync Standard Edition server in a POC; when the POC is approved they want to upgrade their Standard pool to an Enterprise pool. You cannot upgrade an existing Standard pool to an Enterprise pool, but have to create a new Enterprise pool, which I did.

First a bit of explanation about the Proof of Concept. The networks at this customer are basically islands, with only a limited number of ports opened between them. As a result, when two users located on different networks try to communicate with each other, the client ports are blocked and they need to use an edge server's MCU to communicate successfully. So in the POC two servers were deployed: a single Edge server and a single Standard Edition front-end server/pool.
The POC was deployed in the production environment, where Exchange UM plus multiple applications were integrated as trusted applications in Lync. A PBX gateway and a voice route were also defined.

As this is a production environment with real, live user accounts, it seemed best to deploy the new environment alongside the existing POC deployment. After the new deployment was in place, the users were migrated to the new pool:

[Code]
Get-csuser | where {$_.registrarpool -like "lcsserver.contosso.com"} | Move-CsUser -Target lcspool01.contosso.com
[/Code]

The next step is to move the conference directory to the new pool:

[Code]
Get-CsConferenceDirectory | where {$_.RegistrarPool -like "lcsserver.contosso.com"} | Move-CsConferenceDirectory -Target lcspool01.contosso.com
[/Code]

As Exchange UM was set up, we needed to move the Exchange UM contacts:

[Code]
Get-CsExUmContact | Move-CsExUmContact -Target lcspool01.contosso.com
[/Code]

Then I launched the Lync Topology Builder and:
  • removed the association of the front-end pool with the edge pool;
  • removed the PSTN gateway;
  • removed the voice route:
[Code]
Get-CsVoiceRoute | Remove-CsVoiceRoute
[/Code]

  • removed the trusted application servers;
  • removed the Edge server.
Published the topology and ran the deployment wizard on all the servers to update their configuration.

Checked and moved the remaining application endpoints:
[Code]
Get-CSApplicationEndPoint | where {$_.Registrarpool -like "lcsserver.contosso.com"} | Move-CSApplicationEndPoint -Target lcspool01.contosso.com
[/Code]

Opened Topology Builder again, removed the Standard Edition front-end pool and published the topology. Be sure to wait for replication between all the different steps; advancing too fast can result in temporary errors.
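Before the old pool is deleted in Topology Builder it pays to verify that nothing is still homed on it. The following check is an added example, not code from the original post; it reuses the pool FQDN from the post and assumes that a conference directory's ServiceId has the form Role:PoolFqdn.

```powershell
# Added example, not part of the original post: before the Standard Edition pool is
# removed in Topology Builder, verify that no object is still homed on it. The pool
# FQDN is the one used in the post; replace it with your own. Run in the Lync
# Server Management Shell.
function Get-LeftoverPoolObjects {
    param([Parameter(Mandatory = $true)][string]$Pool)

    # Users still registered on the old pool (same filter as the Move-CsUser step)
    $users = @(Get-CsUser | Where-Object { $_.RegistrarPool -like $Pool })
    # Exchange UM contacts homed on the old pool
    $exum = @(Get-CsExUmContact | Where-Object { $_.RegistrarPool -like $Pool })
    # Trusted application endpoints homed on the old pool
    $endpoints = @(Get-CsApplicationEndpoint | Where-Object { $_.RegistrarPool -like $Pool })
    # Conference directories: the ServiceId is assumed to have the form
    # <Role>:<PoolFqdn>, so a suffix match finds directories still on the old pool
    $confdirs = @(Get-CsConferenceDirectory | Where-Object { $_.ServiceId -like "*:$Pool" })

    $total = $users.Count + $exum.Count + $endpoints.Count + $confdirs.Count
    New-Object PSObject -Property @{
        Pool                  = $Pool
        Users                 = $users.Count
        ExUmContacts          = $exum.Count
        ApplicationEndpoints  = $endpoints.Count
        ConferenceDirectories = $confdirs.Count
        SafeToRemove          = ($total -eq 0)
    }
}

$result = Get-LeftoverPoolObjects -Pool "lcsserver.contosso.com"
$result | Format-List Pool, Users, ExUmContacts, ApplicationEndpoints, ConferenceDirectories, SafeToRemove
if (-not $result.SafeToRemove) {
    Write-Warning "Objects are still homed on $($result.Pool); move them before removing the pool."
}
```

Run it after each move step has replicated; only when SafeToRemove is True should the pool be removed from the topology.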

 
   

Sunday, February 19, 2012

PowerShell: get service status compared to startup type

I like using command-line tools instead of the GUI. One of my favourites is surely PowerShell. Now what I find disappointing is that you cannot get the startup type of a service using the Get-Service cmdlet. The only way to get the startup type and compare it to the current status is through WMI.

The following command lists the services whose startup type is set to Automatic but whose current status is Stopped:

[Code]
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State='Stopped'" | sort DisplayName | Format-Table DisplayName, StartMode, State
[/Code]
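The same Win32_Service query can be turned into a small function that reports mismatches in both directions and includes the last exit code, which tells you whether an automatic service simply is not running or failed to start. This is an added example, not code from the original post.

```powershell
# Added example, not part of the original post: list every service whose current
# state disagrees with its configured start mode, in both directions, using the
# same Win32_Service class as the one-liner above.
function Get-ServiceStateMismatch {
    # Each pair is (WMI filter, label). "Auto but Stopped" is the case from the post;
    # "Disabled but Running" catches services disabled while still running.
    $checks = @(
        @{ Filter = "StartMode='Auto' AND State='Stopped'";     Issue = "Automatic but stopped" },
        @{ Filter = "StartMode='Disabled' AND State='Running'"; Issue = "Disabled but running" }
    )
    foreach ($check in $checks) {
        Get-WmiObject -Class Win32_Service -Filter $check.Filter | ForEach-Object {
            New-Object PSObject -Property @{
                Issue       = $check.Issue
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                State       = $_.State
                # ExitCode is the Win32 error from the last start/stop attempt:
                # 0 means the service simply is not running, non-zero means the
                # last start failed and the event log is worth a look.
                ExitCode    = $_.ExitCode
            }
        }
    }
}

Get-ServiceStateMismatch |
    Sort-Object Issue, DisplayName |
    Format-Table Issue, DisplayName, StartMode, State, ExitCode -AutoSize
```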

Monday, December 5, 2011

Exchange 2010 SP2 released

It seems that Microsoft released Exchange 2010 SP2 about 10 hours ago. You can get it here:
http://www.microsoft.com/download/en/details.aspx?id=28190

Wednesday, October 26, 2011

Oh Certificate where art thou

A few days back I had to replace the external certificate on an edge server with a new third-party certificate. I created a new certificate request (with private key) and mailed it to the person responsible for requesting the certificate from VeriSign. Moments later I received my SAN certificate.

I logged on to the edge server and opened the Lync Deployment Wizard to import the certificate using the GUI. I selected Import New Certificate and browsed to the path where I had placed the certificate. Clicked Import, and verified that the command completed successfully.

In the same window I then ran the Assign New Certificate wizard to assign the newly imported certificate to the external interface of the edge server. To my surprise I could only select one of the old certificates. The newly imported certificate could not be seen.

I wondered if something had gone wrong during the import, so I opened the local computer certificate store. Well, nothing wrong to see here: the certificate was nicely imported into the computer's Personal certificate store. Clicked the Refresh button in the deployment wizard, ran Assign New Certificate again, but still no luck.

Damn, what is going on here? Ghost in the machine? You know what, I will start all over again. So I removed the certificate from the local certificate store. Opened the deployment wizard, imported the certificate using the wizard. Again the wizard told me the certificate was imported successfully. But the greater was my disappointment when I discovered that the certificate was still not present.

OK, had it with the GUI, I will use PowerShell this time, that always works. Imported the certificate using PowerShell, and tried to assign it. No, still no certificate available. OK, this really is the ghost in the machine, you know those days when you can't seem to achieve anything.

Tried all over again, but this time I checked the HTML log files which are created by Lync in the temp folder (%userprofile%\appdata\local\Microsoft\temp). Although the wizard reported that the command completed successfully, I could see that the certificate was not imported. The log file gave the following reason: Certificate already present or could not process the private key.

Opened the local computer certificate store, and now saw something fishy. The old certificate, which was generated by the internal CA, had a key displayed in the icon for the certificate. The new certificate, although present, did not display that key. The picture below shows a certificate which has a valid private key.


That convinced me that there was something wrong with the private key of the certificate. I have seen this situation in Exchange, and it has been widely documented on the internet, but I never saw it in Lync before. Nevertheless we are talking about certificates, no matter what they are applied to. So I decided to use the same solution, which is repairing the certificate using certutil.

Opened the certificate, clicked the Details tab and copied the serial number of the certificate.

Then I opened a command prompt in administrative mode, where I used the following command (xx xx ... is the serial number of the certificate):
[Code]
Certutil -repairstore my "xx xx xx xx xx xx xx"
[/Code]
Which gave me the following result:
Opened the deployment wizard and could successfully assign the certificate this time. You see, experience comes in handy ;) !

Discovered a bit later that the friendly name was missing from the certificate when I opened the certificate wizard (Deployment Wizard). You can also assign a friendly name to the certificate using certutil.

Required steps:
First you need to create an INF file that contains the friendly name you wish to assign to the certificate. Open Notepad and insert the following text:

[Code]
[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}Friendly Name"
[/Code]

Adjust Friendly Name to the friendly name you wish to assign to your certificate. Save the file as an INF file in a directory of your choice. I used C:\Temp\FriendlyName.inf.

Second, open the command prompt in administrative mode and type the following command (xx xx ... is the serial number of the certificate):
[Code]
Certutil -repairstore my "xx xx xx xx xx xx xx" C:\Temp\FriendlyName.inf
[/Code]

Reassign the certificate in the certificate wizard and you will see that the certificate now displays the friendly name you defined in the INF file.
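The symptom above (a certificate in the Personal store whose private key is not linked) can be spotted without opening the MMC. The following script is an added example, not code from the original post: it lists such certificates and prints the certutil repair commands described above, reusing the INF path from the post. It does not run certutil itself.

```powershell
# Added example, not part of the original post: find certificates in the local
# computer's Personal store that have no usable private key (the symptom from the
# post) and print the certutil repair commands for them. Commands are printed, not
# run; the friendly-name INF path follows the post (C:\Temp\FriendlyName.inf).
function Get-CertificatesWithoutPrivateKey {
    # CA certificates that legitimately lack a key live in other stores, so anything
    # in the Personal store without a key is suspect.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }
}

function Format-SerialForCertutil {
    param([Parameter(Mandatory = $true)][string]$SerialNumber)
    # The certificate MMC shows the serial as space-separated byte pairs and certutil
    # accepts that form: insert a space after every two hex digits.
    ($SerialNumber -replace '(..)(?=.)', '$1 ').ToLower()
}

$broken = @(Get-CertificatesWithoutPrivateKey)
if ($broken.Count -eq 0) {
    Write-Host "All certificates in LocalMachine\My have a linked private key."
}
foreach ($cert in $broken) {
    $serial = Format-SerialForCertutil -SerialNumber $cert.SerialNumber
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Expires    : $($cert.NotAfter)"
    Write-Host "Repair     : certutil -repairstore my `"$serial`""
    if (-not $cert.FriendlyName) {
        # Same command with the INF file from the post also sets the friendly name
        Write-Host "Name       : certutil -repairstore my `"$serial`" C:\Temp\FriendlyName.inf"
    }
    Write-Host ""
}
```

Run the printed command from an elevated prompt, then call Get-CertificatesWithoutPrivateKey again: the repaired certificate should no longer be listed.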




         

Monday, October 17, 2011

Lync Location Policy

 
This is the second article in the series about policies in Lync 2010. The policies we are going to discuss are the location policies. The whole idea behind them is to provide an indication of where the user is located when calling 911. The E.911 solution has been in place for many years for hard phones, but soft phones and IP phones were not covered by the traditional E.911 system.

Enhanced 911, E-911 or E911 in North America is one example of the modern evolution of telecommunications based system meant as an easy way to link people experiencing an emergency with the public resources that can help. The dial-three-digits concept first originated in the United Kingdom in 1937. It has spread to continents and countries across the globe. Today other easy dial codes including the 112 that was adopted by the European Union in 1991 and others like it have been deployed to provide free-of-charge calling to those who need help during emergencies. The Emergency telephone number article contains comprehensive information regarding other emergency dialing codes for countries outside North America. (Source: http://en.wikipedia.org/wiki/Enhanced_9-1-1)



In Lync 2010 Microsoft incorporated a location mechanism to provide location awareness for Lync clients and Lync phones.

I am not going to blog about the complete E.911 implementation in Lync, because this has already been done numerous times on other blogs, and there is no point in reinventing hot water over and over again. The most complete article I have ever read on the subject is one by Mark King, which you can find at the following location: http://blog.unplugthepbx.com/2011/07/06/lync-e911-deployment/.
It gives a thorough understanding of what E.911 is in Lync and how to implement it.

What we will be focusing on are the policies that come with the E.911 implementation in Lync. One thing I do need to point out is that the Enhanced 911 implementation is only supported in North America. For the rest of the world you can configure it, but there are no agencies that verify the location, so all locations are unverified.

Which brings us to custom, suggested and validated locations.

Custom:
Custom locations are locations the users configure themselves in the client. This information is stored in the PersonalLISDB.cache file, which is located in the user profile on the computer. When the computer recognizes the location of the user, it reuses the information stored in the local LIS database. The location is recognized by the MAC address of the default gateway. The local database can store up to 10 locations.

Suggested:
Suggested locations are locations that come from the Location Information Service database stored on the Lync back-end server. This database is built up by the Lync administrators, who define the parameters required to build location awareness. These parameters are:
  • Subnets
  • Switches
  • SwitchPorts
  • Wireless access points
So to recap, a suggested location is a location derived from the information stored in the central Location Information Service database on the Lync back-end infrastructure, which has not been validated by an organization that maintains the Master Street Address Guide (MSAG).

Validated:
Validated locations are locations derived from the location parameters stored in the LIS database on the Lync back-end infrastructure. The location is verified and validated against the MSAG, but as noted before this is only supported in North America.

Note: Europe will probably be working on a similar solution for the near future.

Central Database:
The location information is stored in a location database called LIS.mdf on the Lync back-end server.

Policy:
When we search for "location" in the Lync Management Shell, we get the following result:
[Code]
Get-Command "*Location*"

CommandType     Name                            Definition
-----------     ----                            ----------
Cmdlet          Get-CsConfigurationStoreLoca... Get-CsConfigurationStoreLoca...
Cmdlet          Get-CsLisLocation               Get-CsLisLocation [-Unrefere...
Cmdlet          Get-CsLocationPolicy            Get-CsLocationPolicy [[-Iden...
Cmdlet          Get-Location                    Get-Location [-PSProvider ...
Cmdlet          Grant-CsLocationPolicy          Grant-CsLocationPolicy [-Ide...
Cmdlet          New-CsLocationPolicy            New-CsLocationPolicy [-Ident...
Cmdlet          Pop-Location                    Pop-Location [-PassThru] [-S...
Cmdlet          Push-Location                   Push-Location [[-Path] ...
Cmdlet          Remove-CsConfigurationStoreL... Remove-CsConfigurationStoreL...
Cmdlet          Remove-CsLisLocation            Remove-CsLisLocation -Locati...
Cmdlet          Remove-CsLocationPolicy         Remove-CsLocationPolicy [-Id...
Cmdlet          Set-CsConfigurationStoreLoca... Set-CsConfigurationStoreLoca...
Cmdlet          Set-CsLisLocation               Set-CsLisLocation -Location ...
Cmdlet          Set-CsLocationPolicy            Set-CsLocationPolicy [[-Iden...
Cmdlet          Set-Location                    Set-Location [[-Path] ...
Cmdlet          Test-CsLocationPolicy           Test-CsLocationPolicy [-Targ...
[/Code]


We will not explain every setting, because that would require a short book, and the information is already available on the Microsoft website. We will focus on Set-CsLocationPolicy and Get-CsLocationPolicy. There is no need to explain both cmdlets separately, as Get-CsLocationPolicy reads the location policy and Set-CsLocationPolicy sets its parameters.

Get-CsLocationPolicy:
Gets all location policies. As you know, Lync policies are in-band provisioned and can be applied at the following scopes:
  • Global
  • Site
  • Tag (User/Service/Pool)
We have a location policy which is called LocTest, which we will discuss here.

Identity (mandatory: name of the location policy): Tag:LocTest

Description (optional: description of the location policy):

EnhancedEmergencyServicesEnabled (mandatory: specifies whether E911 is enabled; only supported in North America): False

LocationRequired (mandatory: specifies whether a location needs to be set): No
Options are Yes, No and Disclaimer:
  • Yes: When LocationRequired is set to Yes, "Set your location" turns red in the Lync client. A location is required, but the prompt can be ignored.
  • No: A location is not required. The user is not prompted for a location, but can still set one.
  • Disclaimer: The user sees the location marked red, prompting him or her to set a location; if the user dismisses the prompt without setting a location, a disclaimer is shown. The disclaimer text is set using Set-CsEnhancedEmergencyServiceDisclaimer.

UseLocationForE911Only (mandatory: location information can be used by the Microsoft Lync 2010 client for various purposes, such as notifying teammates of the current location. Set this value to True to ensure location information is only available for use with an emergency call): False

PstnUsage (optional: the public switched telephone network (PSTN) usage that determines which voice route is used to route 911 calls from clients using this policy):

EmergencyDialString (optional: the number that is dialed to reach emergency services, for example 911, 112 or 100):

EmergencyDialMask (optional: the number entered here is translated to the value in EmergencyDialString. Example: if you enter 112 here and 100 in EmergencyDialString, a dialed 112 is translated to 100):

NotificationUri (optional: one or more SIP Uniform Resource Identifiers (URIs) to be notified when an emergency call is made. For example, the company security office could be notified through an instant message whenever an emergency call is made):

ConferenceUri (optional: the SIP URI, in this case the telephone number, of a third party that is conferenced in to any emergency call that is made. For example, the company security office could receive a call when an emergency call is made and listen in or participate in that call, depending on the value of ConferenceMode):

ConferenceMode (optional: if a value is specified for ConferenceUri, ConferenceMode determines whether the third party can participate in the call or can only listen in. Available values are:
  • oneway: the third party can only listen to the conversation between the caller and the Public Safety Answering Point (PSAP) operator.
  • twoway: the third party can listen in and participate in the call between the caller and the PSAP operator.):

Remarks:
The location policy cannot be set or changed by the user if LIS information is provided by the location database. To retrieve the information that is used for LIS, use the following cmdlet: Get-CsNetworkConfiguration.
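To make the parameters above concrete, here is an added example (not part of the original post) that builds a Tag-scoped location policy for a site outside North America, sets the disclaimer text and assigns the policy to a user. The user SIP address, the URIs and the "Emergency" PSTN usage are constructed placeholders; LocTest is the policy name from the post.

```powershell
# Added example, not part of the original post: build a Tag-scoped location policy
# that uses the parameters described above and assign it to one user. The policy
# name LocTest is the one from the post; the user, URIs and the "Emergency" PSTN
# usage are constructed placeholders. Run in the Lync Server Management Shell.
$PolicyName = "LocTest"
$User       = "sip:jdoe@contosso.com"

# The PSTN usage named in PstnUsage must already exist and be matched by a voice
# route that reaches the PSTN gateway; add it to the global usage list first.
Set-CsPstnUsage -Identity global -Usage @{Add = "Emergency"}

$policy = @{
    Identity                         = "Tag:$PolicyName"
    Description                      = "Constructed example location policy"
    # E911 validation (MSAG) is only available in North America; elsewhere leave
    # it off and rely on the dial string, notification and conference settings.
    EnhancedEmergencyServicesEnabled = $false
    # Disclaimer: the client prompts for a location and shows the text set below
    # if the user dismisses the prompt without setting one.
    LocationRequired                 = "Disclaimer"
    # Location is then used only for emergency calls, not shared with teammates.
    UseLocationForE911Only           = $true
    PstnUsage                        = "Emergency"
    # What is actually sent to the gateway ...
    EmergencyDialString              = "112"
    # ... and which dialled numbers are translated to it (semicolon separated).
    EmergencyDialMask                = "911;999"
    # The security desk gets an IM for every emergency call ...
    NotificationUri                  = "sip:security@contosso.com"
    # ... and is conferenced in, listen-only.
    ConferenceUri                    = "sip:+3225551234@contosso.com;user=phone"
    ConferenceMode                   = "oneway"
}
New-CsLocationPolicy @policy

# Text shown when LocationRequired is Disclaimer and the user dismisses the prompt
Set-CsEnhancedEmergencyServiceDisclaimer -Identity global `
    -Body "Your location could not be determined. Emergency services may not be able to find you."

# Assign the policy to the user and read back what is now in effect
Grant-CsLocationPolicy -Identity $User -PolicyName $PolicyName
Get-CsUser -Identity $User | Select-Object DisplayName, LocationPolicy
Get-CsLocationPolicy -Identity "Tag:$PolicyName"
```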






Friday, September 30, 2011

Lync 2010 Policies and settings

It is pretty obvious that Lync is a very complicated product that touches many features of a corporate network. For example, Lync integrates with or provides telephony, and provides numerous forms of collaboration and presence.
We are not going to talk about the various features in Lync, which have been widely discussed on other blogs. Instead, let's talk about the numerous policies and configurations that help you manage this product. We clearly put the focus on policies and add the configuration as a bonus, as many policy settings link to configuration settings.

When talking about policies we have following policy scopes in mind:
  1. Client Policies
  2. Location Policies
  3. Voice Policies
  4. Conferencing Policies
  5. Presence Policies
  6. Archiving Policies
  7. Pin Policies
  8. External Access Policies
  9. Hosted Voice Mail Policies
  10. Client Version Policies
Each scope will be discussed as a separate article.

1. Client Policies

We start off by discussing client policies.
Client policies apply to the Lync client, as the name suggests. But before describing what can be applied using client policies, it is interesting to look at how policies are applied in Lync 2010.

When talking about client policies, we have to make a distinction between two types of policies: the "out-of-band provisioning" policies and the "in-band provisioning" policies.

1.1 Precedence
As we are talking about client settings, the settings can be applied at several levels: by tattooing the registry, through group policies, through Lync policies, or by configuring the options by hand in the client. It is important to understand which setting takes precedence when the same setting is set at several levels.

The precedence runs from 1 to 4, in which 1 takes precedence over 2, 3 and 4:
  1. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator 
  2. HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator
  3. Lync Server in-band provisioning
  4. Lync Option Dialog box
Note: Another important thing to mention is that Lync allows the same behaviour to be governed by policies at different levels; an example of this is the client policy and the voice policy. The voice policy overrules the client policy if the user is voice enabled. An example is delegation in Outlook when scheduling an online meeting. If you want your users to be able to schedule an online meeting on behalf of someone else, you have to set EnableExchangeDelegateSync to true in the client policy. However, if the user who has delegated his calendar is voice enabled, we also have to make sure that "DelegationEnabled" is set to true in the voice policy for that user. If the voice policy for that user still states "DelegationEnabled: False", delegates will be unable to schedule an online meeting for the voice-enabled user.
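The first two levels of the precedence list are both registry keys, so which one wins for a given value can be checked on the client. The following function is an added example, not code from the original post: it reads both Communicator policy keys and reports, per value name, the effective source. Value names are whatever is present on the machine; none are assumed. Levels 3 and 4 (in-band provisioning and the Options dialog) live outside these keys and are not covered.

```powershell
# Added example, not part of the original post: resolve, for each Communicator policy
# value found in the registry, which of the two policy keys wins under the precedence
# above (the HKLM policy key beats the HKCU one). Value names are read from the local
# machine, none are assumed here.
function Get-CommunicatorPolicyPrecedence {
    $keys = @(
        @{ Rank = 1; Path = "HKLM:\Software\Policies\Microsoft\Communicator" },
        @{ Rank = 2; Path = "HKCU:\Software\Policies\Microsoft\Communicator" }
    )

    # Gather every value from both keys, tagged with the rank of its key
    $entries = foreach ($key in $keys) {
        if (-not (Test-Path $key.Path)) { continue }
        $regKey = Get-Item $key.Path
        foreach ($name in $regKey.GetValueNames()) {
            New-Object PSObject -Property @{
                Name   = $name
                Value  = $regKey.GetValue($name)
                Source = $key.Path
                Rank   = $key.Rank
            }
        }
    }

    # For each value name the lowest rank is effective; the others are overridden
    $entries | Group-Object Name | ForEach-Object {
        $ordered    = @($_.Group | Sort-Object Rank)
        $winner     = $ordered[0]
        $overridden = @($ordered | Select-Object -Skip 1 | ForEach-Object { $_.Source })
        New-Object PSObject -Property @{
            Name            = $_.Name
            EffectiveValue  = $winner.Value
            EffectiveSource = $winner.Source
            Overridden      = ($overridden -join "; ")
        }
    }
}

Get-CommunicatorPolicyPrecedence |
    Sort-Object Name |
    Format-Table Name, EffectiveValue, EffectiveSource, Overridden -AutoSize
```

A non-empty Overridden column means a user-level policy is being silently ignored because the same value is also set at machine level.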


1.2  "Out-of-band provisioning" policies
"Out-of-band provisioning" policies, or group policies, have been replaced by "in-band provisioning" policies. "Out-of-band provisioning" policies are applied using group policy, and therefore have the limitations that come with group policies. "In-band provisioning" does not use group policies and therefore does not have those limitations. Does this mean that group policies are gone? No, they are not: group policies can still be used, and are applied to the client before the client logs on to the Lync infrastructure.

These policies are available as an ADM file which is part of the Lync 2010 client download from the partner website. This communicator.adm file can be imported into any group policy as an administrative template and applied to a computer, a set of computers, a user or of course a set of users.

The communicator.adm file contains 15 policy settings:
  1. Specify Transport and server: Allows you to specify the name of your front-end and edge server. This way you do not need to provide the DNS names required for client Autodiscovery on the WAN or LAN.
  2. Enable strict DNS naming for server name: When not set or disabled, the client will connect to the SIP server that has the domain name of the SIP address, meaning that if your SIP address is sip:Me@example.com, the SIP server should be sip.example.com. If you enable this setting, the client will communicate with whatever server has the SIP domain configured. With the policy enabled the client could communicate with a server called whatever.example.com, which would leave a potential risk for spoofers to mimic the SIP server. Only applies when TLS is used (the default).
  3. Configure SIP security mode: If you enable this policy the client requires TLS, and will not fall back to TCP in case TLS cannot be used. If enabled, this setting also requires the client to authenticate using Kerberos or NTLM, and all communications must run through the SIP server, so peer-to-peer communications are disabled.
  4. Configure SIP compression mode: Whether or not to use SIP compression. By default the network adapter speed determines whether compression is used. Enabling this setting could increase logon time.
  5. Prevent users from running Microsoft Lync: States whether or not the Lync client can be used by that particular user or machine.
  6. Allow storage of user password: If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password.
  7. Require logon credentials: Requires the user to provide logon credentials for Microsoft Lync rather than automatically using the Windows credentials when Microsoft Lync authenticates the user using NTLM or Kerberos. If you enable this policy setting, Microsoft Lync requires the user to provide logon credentials. If you disable or do not configure this policy setting, Microsoft Lync authenticates the user based on the logon credentials for Windows.
  8. Disable HTTP fallback for SIP connection: Prevents HTTP from being used for the SIP connection in case TLS or TCP fail.
  9. Disable version Server check: Prevents Microsoft Lync from checking the server version before signing in.
  10. Additional server version support: Specify a semicolon-separated list of server version names, e.g. RTC/2.8;RTC/2.9, to which Microsoft Lync allows logon in addition to the server versions that are supported by default. A space character is treated as part of the version string.
  11. Enable using BITS to download address book service files: This policy allows Microsoft Lync to use BITS (Background Intelligent Transfer Service) to download the Address Book Services files.
  12. Use compact DELTA file for GAL: This policy allows Microsoft Lync to use compact delta file for GAL.
  13. Help menu: This policy is used to extend the Help Menu in Microsoft Lync. An administrator can specify a help web site for Microsoft Lync using these keys. Help Menu Text is a string value that specifies the text to display to the user in the Help Menu for the help web site. Help Menu URL is a string value that specifies which web site to open when the user selects the Help Menu Text item in the Help Menu. Note that both Help Menu Text and Help Menu URL need to be specified in order for the Help Menu item to appear in Microsoft Lync.
  14. Launch Microsoft Lync First Run: This policy defines the behaviour of the Microsoft Lync First Run experience: whether it is enabled or not, and whether it should be launched automatically or not.
  15. Turn on tracing for Lync: Turn on tracing for Lync, primarily for use to assist customer problem solving. If this policy is not configured, then the user can specify the choice in Lync options. Otherwise, the corresponding behavior is enforced and the user has no choice.
Note: policies 1, 2, 3, 5, 6 and 7 can be configured at both the user and the computer level of the policy, but the computer policy takes precedence over the user policy. All other policies only apply at the computer level.

Now, explaining how group policies work and how they are applied is really not the scope of this article. Yet I do want to point out why group policies have a certain disadvantage, and why Microsoft moved away from group policies and implemented the new way of assigning policies (in-band provisioning). Group policies are typically applied at logon, and are refreshed every 90 to 120 minutes by default (90 minutes plus a random offset of up to 30 minutes). So when applying new settings, these settings are not applied immediately unless the policies are refreshed manually on the client. A second disadvantage is that you are never really sure that the policies set are actually applied. It could be that a corporate user who logs on to the network using VPN does not get his/her policies applied, due to slow link detection. Or the remote user logs on to the network using a computer that has not been subjected to group policies (a home computer, a non-Windows system).

1.3 In-band provisioning
Microsoft acknowledged the problems with group policies and developed a new way of assigning policies in Lync 2010, known as in-band provisioning. The policies are applied through Lync itself: they are stored in the Lync Central Management Store (CMS) and replicated to the local copy of the database on each server.

The policies are applied as soon as replication has completed and the policy has been assigned to a certain level. The levels at which a policy can be applied are Global, Site and Tag:
  1. Global: the global Lync infrastructure, in this case every Lync client.
  2. Site: a Lync site, i.e. every client within that Lync site. The Lync organization can have multiple Lync sites.
  3. Tag: the tag can be a user, group or service.
The client policy can only be set using the Lync Server Management Shell and not through the Lync Server Control Panel. Most of the settings that determine Microsoft Lync 2010 features and functionality are configurable through the Microsoft Lync Server 2010 Control Panel. However, there are several essential policies and settings that significantly impact client functionality and that can be configured only by using Group Policy or the Lync Server Management Shell.

The following CMDlets are used to manage the client policies:
  • Get-CsClientPolicy: Gets the client policies that are configured; if you do not specify a name, all client policies are returned.
  • Grant-CsClientPolicy: Assigns a policy to a level (Global, Site, Tag). If you do not specify an identity, the client policy is applied globally.
  • New-CsClientPolicy: Creates a new client policy. Among other things, client policies help determine the features of Microsoft Lync 2010 that are made available to users; for example, you might give some users the right to transfer files while denying this right to other users.
  • Remove-CsClientPolicy: Removes an existing client policy.
  • Set-CsClientPolicy: Modifies the property values of an existing client policy.
  • New-CsClientPolicyEntry: Allows you to assign new options to the client policy.

Information on the settings and applying the policy can be found here: http://technet.microsoft.com/en-us/library/gg398300.aspx

Thursday, September 1, 2011

Export/Import Contacts

Exporting and importing contacts has become easy since PowerShell was introduced. In the old days we used tools such as CSVDE or LDIFDE to export and import contact information. This article describes both ways.

CSVDE

Export
[Code]
CSVDE -f C:\Mailcontacts.csv -r ObjectClass=Contact -l Objectclass,DisplayName,GivenName,SN,Mail
[/Code]
Import
[Code]
CSVDE -i -f C:\Mailcontacts.csv
[/Code]

LDIFDE

Export
[Code]
LDIFDE -f C:\MailContacts.ldf -r ("Objectclass=Contact") -l Objectclass,DisplayName,GivenName,SN,Mail
[/Code]
Import
[Code]
LDIFDE -i -f C:\Mailcontacts.ldf
[/Code]

PowerShell

Export
[Code]
Get-Contact | Select-Object Name, DisplayName, FirstName, LastName, WindowsEmailAddress | Export-Csv C:\Mailcontacts.csv -NoTypeInformation
[/Code]
Import
[Code]
$Contacts = Import-Csv C:\Mailcontacts.csv
# New-MailContact is used because New-Contact has no parameter for the external e-mail address
Foreach ($Contact in $Contacts) {
    New-MailContact -Name $Contact.Name -DisplayName $Contact.DisplayName -FirstName $Contact.FirstName -LastName $Contact.LastName -ExternalEmailAddress $Contact.WindowsEmailAddress -OrganizationalUnit "OU=Contacts,DC=Domain,DC=Suffix"
}
[/Code]

You can of course combine these tools to export, for example, contacts out of Windows Server 2003 and import them into Windows Server 2008. Just remember that you need to modify the CSV columns to match the parameters of the PowerShell cmdlet.

Friday, August 26, 2011

OWA: options, ECP and rules throw an Unexpected error

Had this issue for quite some time in my test environment, but never had the time nor the mood to resolve it.
The issue:
OWA works fine for normal e-mail usage, but when you try to set some options or rules, a pop-up is displayed which says OWA encountered an unexpected error.


Troubleshooting the issue showed me that the Exchange Control Panel was also unreachable. When accessing OWA from the internet (public URL), only the error was displayed with no further information. When trying to access the ECP from the private interface, I managed to retrieve more information on the error: "EventID: 4, source: MSExchange Control Panel".

The next logical step is to check the Event Viewer, where I discovered that the following event was logged each time I reproduced the issue:
Source: MSExchangeCommon
EventID: 106

Performance counter updating error. Counter name is Total time for saving Admin Audit records, category name is MSExchange Admin Audit. Optional code: 1. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.

I decided to try my luck on the Internet, which led me to the following TechNet forum post:

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/5f1fd736-46b1-45cc-b028-934304163f76/

The solution provided in the forum did resolve the issue.
Open the command prompt in administrative mode, which by default starts in the %systemroot%\system32 folder. If not, change to that path and run the following commands:
[Code]
LODCTR /r
IISRESET /noforce
[/Code]
The first command resets the performance counters; the second restarts the IIS services.

More info on LODCTR can be found here:
http://technet.microsoft.com/en-us/library/bb490926.aspx

Thursday, August 25, 2011

Reinstallation of the Client access server role fails with MSI error 1630 -2920

Sometimes I try to contribute on technical forums, helping people who have questions about software products in which I have some level of expertise. A few days back somebody asked a question regarding authentication in OWA (Exchange 2010). As the question was pretty straightforward, I decided to test the solution in my test environment before writing it down as an answer.

The implementation and test ran according to plan, meaning that the solution I had in mind proved to be valid. Having proven my plan, I reverted to the previous configuration. After logging back into OWA, I received the following error message: "Owa encountered an error. If the problem persists, please contact your administrator".
Authentication did not seem to be the problem, as the error occurs after the user is authenticated and redirected to the mailbox.

As the problem originated after adjusting the authentication mechanism, I decided to try several authentication mechanisms to see if any of them would give me back a working configuration. None of them did.

Restoring was not an option, as in this lab only the databases are backed up. Therefore I decided to reset the OWA virtual directory (remove and recreate). The reset procedure completed successfully (using PowerShell), but it did not resolve the issue. Even after rebooting the server, the problem persisted.

In a final attempt to resolve the issue I decided to reinstall the Client Access server role. A harsh solution, I know, but I was running out of options.

The uninstall went well, but after reinstalling the Client Access server role the installation failed at 23%, while copying installation files. This led me to believe there was an issue with the installation files. I re-downloaded the installation files and started the install from there. Still no go: again at 23% the install rolled back with a failure. OK, now I am in a world of hurt. The Client Access server role has been removed, so there is no way for anybody to access their mailbox.

The install logs only show the following:
[Code]
[08/25/2011 08:24:37.0634] [1] Installing MSI package 'E:\Software\Microsoft\Exchange Server 2010\exchangeserver.msi'.
[08/25/2011 08:24:37.0637] [1] Configuring an existing product. Product code: {4934D1EA-BE46-48B1-8847-F1AF20E892C1}. Property values: DISABLEERRORREPORTING=1 PRODUCTLANGUAGELCID=1033 DEFAULTLANGUAGENAME=ENU DEFAULTLANGUAGELCID=1033 INSTALLCOMMENT="Installed language for this product: English (United States)" REBOOT=ReallySuppress ADDLOCAL=ClientAccess
[08/25/2011 08:25:04.0269] [1] [WARNING] Unexpected Error
[/Code]

Searching the Internet did not provide any clue to solving this issue. As the problem seems to occur when copying installation files, I suspected a version mismatch. This led me to uninstall the Exchange rollup packs one by one.

1. Uninstalled Exchange 2010 RUP4, no luck.

2. Uninstalled Exchange 2010 RUP3v3 (remember?), and BANG, we have a winner.

After uninstalling Rollup 3 version 3, I was able to install the Client Access server role (looks like RUP3 is cursed).

In the end all is well, as I resolved the issue, but it took me quite some time. Writing this down, I hope someone with similar issues stumbles on my blog and that it shortens their burden.


Sunday, August 21, 2011

Lync2010 Certificate import fails

In a previous article I explained a few issues I encountered while trying to publish the Lync 2010 topology. The next step was to install the Lync server itself. This went pretty well and ran as expected. The next step, however, gave me a bit of a challenge.

Microsoft did a good job in creating a wizard that addresses every step of the installation process in the correct order. After Lync has been installed it is time to request and assign a certificate to the Lync server. This can be done using PowerShell or the GUI. I chose to run the GUI (lazy, I know) instead of the PowerShell cmdlets.

The wizard, however, failed, claiming that the RPC server of the CA is unavailable.

RPC errors usually point to network and/or DNS problems, so I started troubleshooting those. Whatever I tested, every test came back positive, meaning I could not discover any network or DNS issues. This started to look like a ghost-in-the-machine case. The certificate request log clearly states that the CA is unavailable (C:\Users\%username%\Appdata\Local\Temp\Request-CSCertificate-[2011_08_21][16_01_34].html), but as I couldn't find a cause I decided to alter the certificate request. I changed certain parameters, such as adding credentials to the request, but none of them made a difference. In a final attempt I enabled the check-mark to make the private key exportable, which eventually resolved the issue.
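The workaround above leaves the Lync certificate with an exportable private key, which means anyone with local administrator rights on the front-end can copy the key out of the store. The following PowerShell audit is an added example, not part of the original post: it lists the certificates in the local machine store that have a private key and reports whether each key is marked exportable. It reads the flag through the CryptoAPI key container, so CNG-backed keys show up as "unknown"; the store path is an assumption.

```powershell
# Added example (not from the original post): list certificates in the local machine store
# whose private key is marked exportable. An exportable key can be copied out of the store by
# anyone with local administrator rights, so it is worth knowing which certificates carry the flag.
# Exportability is only readable for CryptoAPI (CSP) keys; CNG keys are reported as 'unknown'.

function Get-MachineCertKeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # store path is an assumption
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $exportable = 'unknown'
        try {
            # PrivateKey is an RSACryptoServiceProvider for CSP keys; CspKeyContainerInfo exposes the flag
            $key = $_.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Access denied or a CNG key without a CSP handle: leave 'unknown'
        }
        New-Object PSObject -Property @{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Exportable = $exportable
        }
    }
}

Get-MachineCertKeyExportability | Sort-Object Subject | Format-Table Subject, Thumbprint, NotAfter, Exportable -AutoSize
```

Run it from an elevated prompt, since reading machine private keys requires administrator rights; certificates whose Exportable column reads True are the ones to revisit once the request problem itself is understood.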

Thursday, August 18, 2011

Lync2010

Been a while since I posted something on my blog. It could be that I was missing the inspiration or lacking interesting stuff to blog about.

Recently I took my first steps in the world of Lync 2010. I prepared a server for a fresh install of the Lync 2010 Standard server, read the prerequisites and installed them as required. Everything ran smoothly until it was time to publish my topology. It kept failing with the following message:
[quote]
An error occurred: "Microsoft.Rtc.Management.Deployment.DeploymentException" "Cannot determine where to install database files because Windows Management Instrumentation on the database server is unavailable from your computer or user account. To continue, you can resolve this issue, or you can specify where you want to install the files."
[/quote]

Searching Google directed me to a Microsoft article stating that the Windows Firewall is blocking the remote administration ports. This could not be the case, as the firewall is disabled by policy in my lab environment. As it was already late, I decided to give it a rest until the following morning.

The following morning I tried several other steps, but they kept failing with the same error message. I decided to place my hopes on Google again, which led me to the following article: http://jthys.wordpress.com/2010/12/02/lync-server-2010-topology-deployment-error/

Eureka! I modified my pool name to the host name of the standard server, which enabled me to publish my topology.

Now we are off to installing the first Lync 2010 Standard server within the pool. Installing the Standard server requires some prerequisites to be installed prior to installing Lync 2010. I have taken the liberty of providing the correct command here:
[Code]
servermanagercmd -i web-static-content web-default-doc web-dir-browsing web-http-errors Web-Http-Redirect Web-Asp-Net Web-ISAPI-Ext Web-ISAPI-Filter Web-Http-Logging Web-Request-Monitor Web-Http-Tracing Web-Client-Auth Web-Basic-Auth Web-Windows-Auth Web-Stat-Compression Web-Mgmt-Console Web-Scripting-Tools MSMQ-Directory
[/Code]
The installation requires two other components which need to be installed earlier.
In order to run the Lync installation wizard, the .NET Framework is required:
[Code]
Servermanagercmd -i Net-Framework
[/code]
For the Active Directory forest/domain extension the AD RSAT tools are required:
[Code]
Servermanagercmd -i rsat-adds
[/Code]

I found a nice set of articles on installing a Lync2010 lab environment, a big thanks to the author Jeff Schertz.
http://blog.schertz.name/2010/09/lync2010rc-deployment-part1/

Friday, March 18, 2011

Online Archive - Office 2007 support

Today a customer called me to ask if Microsoft Office 2007 Standard edition supports the Exchange 2010 on-line archive.

I recalled a message on the Exchange team blog telling that Office 2007 finally supported the Exchange online archive, so I replied "Yes, Outlook 2007 supports the Exchange 2010 Online Archive". http://blogs.technet.com/b/exchange/archive/2010/12/20/3411710.aspx

He replied, a bit surprised, claiming that all his Office 2007 Professional editions see the online archive, while all the Standard editions do not.

My first hunch was that those clients must be missing the patch which enables the online archive. Yet the customer replied that all patches were installed, even the February rollup for Office 2007 (http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2475891&kbln=en-us).

Investigating the issue a bit further revealed that not all Outlook 2007 versions are the same. The following link explains that Office 2010/2007 Standard editions do not support the Exchange 2010 Online Archive:
http://office.microsoft.com/en-us/outlook-help/license-requirements-for-personal-archive-and-retention-policies-HA102576659.aspx

Wednesday, February 16, 2011

Exchange 2010 Prerequisites

I have created yet another script that installs the Exchange 2010 Prerequisites on Windows Server 2008 R2.

[Code]
#JUDG Therealshrimp.blogspot.com 2011#
#This script installs the Exchange prerequisites according to role#

Write-Host "This script will install the Exchange 2010 prerequisites according to the role(s) you select." -ForegroundColor Blue -BackgroundColor White
Write-Host "********************************************************************************************"
#----------------------------------------------------------------------------------------------------------#
# Patches Required for Exchange 2010 on Windows Server 2008 R2 #
#----------------------------------------------------------------------------------------------------------#
Write-Host @"
This script presumes that the following prerequisites have been met:

The following hotfixes are required for the Client Access server for Windows Server 2008 R2:

* Install the update described in Knowledge Base article 979099, An update is available to remove the application manifest expiry feature from AD RMS clients. Without this update, the AD RMS features may stop working.
* Install the hotfix described in Knowledge Base article 982867, WCF services that are hosted by computers together with a NLB fail in .NET Framework 3.5 SP1. For more information, see these MSDN Code Gallery pages:
  o For additional background information, see KB982867 - WCF: Enable WebHeader settings on the RST/SCT.
  o For the available downloads, see KB982867 - WCF: Enable WebHeader settings on the RST/SCT.
* Install the update described in Knowledge Base article 979744, A .NET Framework 2.0-based Multi-AppDomain application stops responding when you run the application.
* Install the update described in Knowledge Base article 983440, An ASP.NET 2.0 hotfix rollup package is available for Windows 7 and for Windows Server 2008 R2. For more information, see these MSDN Code Gallery pages:
  o For additional background information, see KB983440 - Win7 rollup package (PR for QFE 810219).
  o For the available downloads, see KB983440 - Win7 rollup package (PR for QFE 810219).
* Install the update described in Knowledge Base article 977020, FIX: An application that is based on the Microsoft .NET Framework 2.0 Service Pack 2 and that invokes a Web service call asynchronously throws an exception on a computer that is running Windows 7.
"@ -ForegroundColor Yellow -BackgroundColor Blue
Write-Host "************************************************************************************************"
#-----------------------------------------------------------------------------------------------------------#
# Roles selection #
#-----------------------------------------------------------------------------------------------------------#
Write-Host "Please select the role(s) you wish to install"
Write-Host "1: Base (Cas, Hub, Mailbox)"
Write-Host "2: Client Access Server"
Write-Host "3: Hub Transport Server"
Write-Host "4: Mailbox Server"
Write-Host "5: Hub Transport/Client Access Server"
#------------------------------------------------------------------------------------------------------------#
# Feature sets #
#------------------------------------------------------------------------------------------------------------#
# Features needed by the Hub Transport and Mailbox roles
$CoreFeatures = 'NET-Framework','RSAT-ADDS','Web-Server','Web-Basic-Auth','Web-Windows-Auth','Web-Metabase','Web-Net-Ext','Web-Lgcy-Mgmt-Console','WAS-Process-Model','RSAT-Web-Server'
# Any selection that includes the Client Access role additionally needs these
$CasFeatures = $CoreFeatures + @('Web-ISAPI-Ext','Web-Digest-Auth','Web-Dyn-Compression','NET-HTTP-Activation','RPC-Over-HTTP-Proxy')

$Choice = Read-Host "Make a selection between 1 and 5"
# Accept only the menu entries shown above
if ($Choice -notmatch '^[1-5]$') {
    Write-Host "Invalid selection: $Choice" -ForegroundColor Red
    exit 1
}
switch ($Choice) {
    '1' { $Features = $CasFeatures }   # Base (CAS, Hub, Mailbox)
    '2' { $Features = $CasFeatures }   # Client Access Server
    '3' { $Features = $CoreFeatures }  # Hub Transport Server
    '4' { $Features = $CoreFeatures }  # Mailbox Server
    '5' { $Features = $CasFeatures }   # Hub Transport/Client Access Server
}
Import-Module ServerManager
# -Restart reboots the server automatically if a feature requires it
Add-WindowsFeature $Features -Restart
[/Code]
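Both the Lync 2010 servermanagercmd list in the earlier post and the Exchange 2010 script above install features with an automatic reboot, so it helps to know beforehand which features are actually missing. The following PowerShell check is an added example, not the blog's own script: it compares the feature names from those two posts against what Get-WindowsFeature reports as installed and only reports, never installs. The two feature lists are copied from the posts; the function and product labels are my own.

```powershell
# Added example, not the blog's own script: report which prerequisite features are still
# missing before running an installer that uses -Restart. Works for the servermanagercmd list
# in the Lync 2010 post and for the Add-WindowsFeature lists in the Exchange 2010 script.
Import-Module ServerManager

# Feature names as they appear in the two posts (Lync standard server; Exchange CAS/Hub/Mailbox)
$LyncStandardFeatures = 'Web-Static-Content','Web-Default-Doc','Web-Dir-Browsing','Web-Http-Errors',
    'Web-Http-Redirect','Web-Asp-Net','Web-ISAPI-Ext','Web-ISAPI-Filter','Web-Http-Logging',
    'Web-Request-Monitor','Web-Http-Tracing','Web-Client-Auth','Web-Basic-Auth','Web-Windows-Auth',
    'Web-Stat-Compression','Web-Mgmt-Console','Web-Scripting-Tools','MSMQ-Directory',
    'NET-Framework','RSAT-ADDS'
$ExchangeBaseFeatures = 'NET-Framework','RSAT-ADDS','Web-Server','Web-Basic-Auth','Web-Windows-Auth',
    'Web-Metabase','Web-Net-Ext','Web-Lgcy-Mgmt-Console','WAS-Process-Model','RSAT-Web-Server',
    'Web-ISAPI-Ext','Web-Digest-Auth','Web-Dyn-Compression','NET-HTTP-Activation','RPC-Over-HTTP-Proxy'

function Get-MissingFeatures {
    # Returns the names from $Required that Get-WindowsFeature does not report as installed.
    # Misspelled names are reported too, so they are caught before the install runs.
    param([string[]]$Required)
    $installed = Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
    $Required | Where-Object { $installed -notcontains $_ }
}

function Show-PrerequisiteStatus {
    param([string]$Product, [string[]]$Required)
    $missing = @(Get-MissingFeatures -Required $Required)
    if ($missing.Count -eq 0) {
        Write-Host "$Product : all $($Required.Count) required features are installed."
    } else {
        Write-Host "$Product : $($missing.Count) feature(s) missing:" -ForegroundColor Yellow
        $missing | ForEach-Object { Write-Host "  $_" }
    }
}

# Pick the list that matches the server you are preparing
Show-PrerequisiteStatus -Product 'Lync 2010 Standard'        -Required $LyncStandardFeatures
Show-PrerequisiteStatus -Product 'Exchange 2010 CAS/Hub/Mbx' -Required $ExchangeBaseFeatures
```

Because the comparison is against the feature names rather than a blind reinstall, a server that already meets the list gets no reboot, and a typo in a feature name surfaces as "missing" instead of as an Add-WindowsFeature error halfway through.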


Thursday, December 9, 2010

Configure CAS virtual directories

In some cases you need to set the external URL and the internal URL of your Client Access server virtual directories to the same value. This is the case when you use a wildcard certificate. I thought of creating a script that asks for the URL and applies it to all the virtual directories on all your Client Access servers.

[Code]
#TheRealShrimp.blogspot.com 8/12/2010#

Write-Host "Please fill in the url you wish to use. Use the world wide web name (www.host.com)."
$url = Read-Host
#------------------------------------------------------------------------------------#
#Set the owa virtual directories#
#------------------------------------------------------------------------------------#
# Identity (Server\owa (Default Web Site)) is used throughout, because the bare Name is identical on every CAS
Get-OwaVirtualDirectory | ForEach-Object { Set-OwaVirtualDirectory -Identity $_.Identity -InternalUrl "https://$url/owa" -ExternalUrl "https://$url/owa" }
Write-Host "Following url's have been set for Outlook Web App"
Get-OwaVirtualDirectory | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize
#-------------------------------------------------------------------------------------#
#Set the ActiveSync virtual directories#
#-------------------------------------------------------------------------------------#
Get-ActiveSyncVirtualDirectory | ForEach-Object { Set-ActiveSyncVirtualDirectory -Identity $_.Identity -InternalUrl "https://$url/Microsoft-Server-ActiveSync" -ExternalUrl "https://$url/Microsoft-Server-ActiveSync" }
Write-Host "Following url's have been set for Exchange ActiveSync"
Get-ActiveSyncVirtualDirectory | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize
#-------------------------------------------------------------------------------------#
#Set the Offline Address Book#
#-------------------------------------------------------------------------------------#
Get-OabVirtualDirectory | ForEach-Object { Set-OabVirtualDirectory -Identity $_.Identity -InternalUrl "https://$url/Oab" -ExternalUrl "https://$url/Oab" }
Write-Host "Following url's have been set for the Offline Address Book"
Get-OabVirtualDirectory | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize
#-------------------------------------------------------------------------------------#
#Set the Exchange Control Panel#
#-------------------------------------------------------------------------------------#
Get-EcpVirtualDirectory | ForEach-Object { Set-EcpVirtualDirectory -Identity $_.Identity -InternalUrl "https://$url/Ecp" -ExternalUrl "https://$url/Ecp" }
Write-Host "Following url's have been set for the Exchange Control Panel"
Get-EcpVirtualDirectory | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize
#-------------------------------------------------------------------------------------#
#Set the Autodiscover SCP on every Client Access server#
#-------------------------------------------------------------------------------------#
Get-ClientAccessServer | ForEach-Object { Set-ClientAccessServer -Identity $_.Identity -AutoDiscoverServiceInternalUri "https://$url/Autodiscover/Autodiscover.xml" }
#-------------------------------------------------------------------------------------#
[/Code]

Monday, November 8, 2010

Cannot move and/or delete items in OWA after installing Exchange 2010 SP1

Users report that they are unable to move and/or delete items when using Outlook Web App. When they try to move or delete a message they get an unspecified error.

Open IIS Manager, go to your Default Web Site, right-click on it and select "Edit Bindings".
Check if any binding has a hostname configured. If one does, remove the hostname. You probably cannot remove the hostname, because the binding already exists; if so, remove the binding (the one where the hostname is specified) completely. Restart IIS (IISRESET).
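The same check can be scripted instead of clicked through, which is handy when you have several Client Access servers. The following PowerShell snippet is an added example, not part of the original post: it enumerates the bindings of the Default Web Site with the WebAdministration module and flags any that carry a host header. The site name and the module availability (IIS 7.5 on Windows Server 2008 R2) are assumptions.

```powershell
# Added example, not from the original post: enumerate the bindings of the Default Web Site
# and flag any that carry a host header, the condition the post identifies as the cause.
# Needs the WebAdministration module (IIS 7.5, Windows Server 2008 R2); the site name is assumed.
Import-Module WebAdministration

function Get-SiteBindings {
    param([string]$Site = 'Default Web Site')
    Get-WebBinding -Name $Site | ForEach-Object {
        # bindingInformation is "address:port:hostheader"; IPv6 addresses contain colons,
        # so anchor on the port and the trailing host header instead of splitting blindly.
        if ($_.bindingInformation -match '^(.*):(\d+):(.*)$') {
            New-Object PSObject -Property @{
                Protocol      = $_.protocol
                Address       = $matches[1]
                Port          = [int]$matches[2]
                HostHeader    = $matches[3]
                HasHostHeader = ($matches[3] -ne '')
            }
        }
    }
}

$bindings = @(Get-SiteBindings)
$bindings | Format-Table Protocol, Address, Port, HostHeader, HasHostHeader -AutoSize
$flagged = @($bindings | Where-Object { $_.HasHostHeader })
if ($flagged.Count -gt 0) {
    Write-Host ("{0} binding(s) on the Default Web Site use a host header; review them as described above." -f $flagged.Count)
} else {
    Write-Host "No host headers found on the Default Web Site bindings."
}
```

The script only reports; removing a binding is left as the manual step above so that you can confirm nothing else (a second site, a redirect) depends on the host header before it goes.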

Friday, October 22, 2010

Corrupt VHD's

I had a power failure on my test machine, which runs Windows Server 2008 R2 Hyper-V.
It had seven virtual machines, one of which was configured as a file server with 4 VHDs of 200 GB. Due to the power failure 3 VHDs of this file server became corrupt.

I managed to repair 2 of them by compressing them in Hyper-V. The data on the 3rd I was able to recover through WinImage, which is able to open VHD files in an Explorer-like window.

Sunday, May 30, 2010

Remote Desktop Web Access browser compatibility (Part 1)

As Microsoft Internet Explorer is losing its position on the market, we have to look into other browsers and their compatibility with features we use in the enterprise environment. One of them is Remote Desktop Services (formerly known as Terminal Services). Since Windows Server 2008 RTM, Microsoft Terminal Services has been extended with new features. One of these new features is called Remote Desktop Web Access, which provides a web interface where users can access their applications.

First the basics: Remote Desktop Web Access provides a web interface where you can access your Remote Desktop applications after being successfully authenticated.
In order to use the Remote Desktop Web Access interface your browser must be able to use ActiveX controls, and that is where most other browsers have a problem. Well, the browsers do not have a problem; it is only that ActiveX is a closed standard used by Microsoft alone.

I have tested 4 browsers:
1) Internet Explorer (8.0)
2) Mozilla FireFox (3.6.3)
3) Opera (10.53)
4) Google Chrome (5.0.375.55)

We will look into each browser to see whether it can use ActiveX controls and whether it can be managed by Group Policy. Why look into Group Policy, you might ask? Well, as a remote desktop administrator you cannot live without it (if you want to handle things properly).

We do not really test Internet Explorer because there is no need to. Remember, this browser is built by Microsoft, so it relies entirely on ActiveX and is fully manageable by GPOs. We will use Internet Explorer as our reference and see if the other browsers can provide an equal look and feel when using Remote Desktop Web Access.

Mozilla FireFox
Well, this is really my personal favorite at the moment. At first we just fire up the browser and see if we can use the Remote Desktop Web Access interface. When browsing to the server hosting the Remote Desktop Web Access role, we nicely get our website, which kindly reminds us to log in. The look and feel is what we expect and are used to seeing in Internet Explorer. After providing our credentials we are redirected to the page that should display the published applications.

As you see in the picture, the website is what we are used to getting with Internet Explorer, but no applications are shown. Even after refreshing the browser the applications are not shown. Now we know that the Remote Desktop Web interface requires ActiveX, so we look at whether FireFox supports ActiveX in any way. The support pages of Mozilla are pretty clear on whether or not they support ActiveX.
[quote]

ActiveX is a Microsoft technology that is used to add functionality to Windows programs.

ActiveX "controls" are often used to enable Microsoft's Internet Explorer browser to view and use multimedia content embedded in web pages (for example, Flash applications). They are also used to add new functions to the browser (for example, toolbars).

Firefox does not support ActiveX technology for multiple reasons.

[/quote]

http://support.mozilla.com/en-US/kb/ActiveX

But often there are some mystified ways to make certain things work although they are not supported by the vendor. We looked around and found that it could be possible through certain add-ons for FireFox. The three we tested were:

1) IE View

2) Open in IE

3) Mediawrap

Mediawrap looked the most promising, as according to the add-on description it translates ActiveX controls to Firefox-compatible controls. Although the add-on is still available, you cannot install it in FireFox version 3.6.X as it isn't compatible. The other two options are not very seamless, as they only allow a link to be opened in Internet Explorer from the FireFox browser, so redirecting an HTML link from FireFox to Internet Explorer. This is not helpful, as we would need a page that references a link to our Remote Desktop Web Access, which we would then choose to open with Internet Explorer. If that were the case we would use Internet Explorer in the first place and not try FireFox first.

A major setback, as we could not find ActiveX support in FireFox. Now what about Group Policies? Can Mozilla Firefox be managed by policies?

Yes it can! A company called FrontMotion provides a custom ADM file to manage FireFox through Group Policy. You can find the ADM file here: http://www.frontmotion.com/Firefox/fmfirefox.htm

These are still ADM files, so not yet in the newer ADMX standard. But you could probably migrate the ADM file using the ADMX Migrator from Microsoft.

The fact that Mozilla FireFox is manageable through GPOs is a big plus for its adoption in more and more large enterprises.

Friday, May 28, 2010

Windows 2008 R2 domain controllers and third-party DNS servers

After promoting a Windows Server 2008 R2 domain controller, we saw that the machine is unable to register the Key Management Service in DNS.
The following event appears in the event log:
[Code]
Event ID: 12293
Source: Security-SPP
Publishing the Key Management Service (KMS) to DNS in the '%DomainName%' domain failed.
Info:
0x8007251E
[/Code]

It appears that this is a glitch in Windows Server 2008 R2 and Windows 7 when working with third-party DNS servers. Microsoft has acknowledged the issue and provided a patch. The patch and description can be found here:
http://support.microsoft.com/kb/977158

DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7

Sunday, May 16, 2010

Microsoft.Exchange.Search.ExSearch.exe

The process Microsoft.Exchange.Search.ExSearch.exe which is used for indexing the data in the user's mailboxes in Exchange 2010 can cause 100% CPU usage when one of the mailbox databases is dismounted.