<p>The Real Shrimp, a blog by The Shrimp (http://www.blogger.com/profile/01499973186099139865). Feed updated 2024-03-16T19:52:10.133+01:00.</p>
<h2 style="text-align: left;">PowerShell Graph is case sensitive</h2>
<p>Published 2023-07-20T13:14:00.001+02:00; updated 2023-07-20T13:14:48.526+02:00</p>
<p>I needed to get the deviceid from devices which were members of a group.</p>
<p>The deviceid is kept in the additionalProperties, which is a multivalued value.</p>
<p>To make it easy for myself, I placed all objects in a variable called Members. Then I tried to get the deviceid values:</p>
<p>"($Members.additionalProperties).deviceid" which returned nothing.</p>
<p>I looked at the value and saw that the object is written as deviceId, so when I ran</p>
<p>"($Members.additionalProperties).deviceId" the proper device IDs were returned.</p>
<h2 style="text-align: left;">Winget Language incorrect</h2>
<p>Published 2023-07-19T11:58:00.001+02:00; updated 2023-07-19T11:58:22.511+02:00</p>
<p>While opening Terminal, I was notified that a newer stable version of PowerShell had been released. 
So I ran the command to update PowerShell in the Terminal using WinGet.</p>
<div class="separator" style="clear: both; text-align: left;"><img alt="" src="https://blogger.googleusercontent.com/img/a/AVvXsEj2W8CYTH-QOzfYQtjhJYt6ELTiC9_5EEiF4VZd1wpU2s0i90yGkqS3vu3ZQzVnJ473bq_1YIKhTTp7NKErVPcphsHafJuVsHz65x6dkmTBjArMg_8gysFc6ll4KBl532uwYs2sT5TdBEXJKMyfA6nLWkshCs5lKfCt8toVhS8v_FqI9kgZWZLoR-D7Tv3R" /></div>
<p>I noticed that the language was in French. I searched the internet and came across the following post on GitHub:</p>
<p><a href="https://github.com/microsoft/winget-cli/issues/238">winget is localized for my region, even when my UI-language is set to en-US · Issue #238 · microsoft/winget-cli (github.com)</a></p>
<p>Yet when I verified the language settings for my account, it was set to en-US as preferred display language. I then searched for a way to manage the language using PowerShell.</p>
<p>The command I came up with was Get-WinUserLanguageList.</p>
<p>When I got my list I saw that I had two language tags:</p>
<div class="separator" style="clear: both; text-align: left;"><img alt="" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSwDkh37hcZXVZyiJF05cGxfnsAjYqXWTTiH2PGx3n3TcAbBCXnPqoKnzke48DsEwfSuaI-5w-tOcnkPOxAHe8r0jCqd6rs1PZ1VBbFcroL7Ei9gCpR60Cm35hS0_wUdhTPoIScP6CNmIyRJLySyqbWjRtP2dXCgdrHA2_lJroJ_FlzxbifqE3CaflM3Sq" /></div>
<p>This gave me an idea why WinGet was in French.</p>
<p>I decided to remove the fr-BE language tag from the list.</p>
<p>Set-WinUserLanguageList is somewhat poorly documented, wherefore I needed to put some effort into removing the French language tag. I succeeded in removing the language tag with the following code:</p>
<div style="background-color: #1f1f1f; color: #cccccc; font-family: Consolas, 'Courier New', monospace; font-size: 14px; line-height: 19px; white-space: pre;"># Read the current user's language list
$LangList = Get-WinUserLanguageList
# Select the entry to remove
$MarkedLang = $LangList | Where-Object LanguageTag -eq "fr-BE"
# Remove it from the list (returns True when the entry was found)
$LangList.Remove($MarkedLang)
# Write the shortened list back
Set-WinUserLanguageList $LangList</div>
<p>And now the language of WinGet appears in English:</p>
<div class="separator" style="clear: both; text-align: center;"><img alt="" src="https://blogger.googleusercontent.com/img/a/AVvXsEgeSwz5iJ0pLJrWwHh56bjS512wTbX0xq7Rp1A_IZ8wREsnB1nzy0ounETokrvE9rTMUytxa1js6f70F_de2pLjdJze4hhTX3W7PDpvsLeq8Yo3dKMkDrZTl40kliDgVKaXx303zL4w0Mkl0rqJ_1Q4uLxppQ0CaRu-fRztskf6R_3jXu7sukqMv8GaayH8" /></div>
<h2 style="text-align: left;">Create Testusers in AzureAD with Powershell Graph</h2>
<p>Published 2023-05-16T14:11:00.002+02:00; updated 2023-05-16T14:14:41.278+02:00</p>
<div style="background-color: black; color: white; font-family: Consolas, 'Courier New', monospace; font-size: 14px; line-height: 19px; white-space: pre;">####################################################################################
# The Real Shrimp
####################################################################################
#Functions
Function Get-RandomPassword
{
    #define parameters
    param([int]$PasswordLength = 10)

    #ASCII Character set for Password (10 random characters drawn from each class)
    $CharacterSet = @{
        Lowercase   = (97..122) | Get-Random -Count 10 | % {[char]$_}
        Uppercase   = (65..90) | Get-Random -Count 10 | % {[char]$_}
        Numeric     = (48..57) | Get-Random -Count 10 | % {[char]$_}
        SpecialChar = (33..47)+(58..64)+(91..96)+(123..126) | Get-Random -Count 10 | % {[char]$_}
    }

    #Frame Random Password from given character set
    $StringSet = $CharacterSet.Uppercase + $CharacterSet.Lowercase + $CharacterSet.Numeric + $CharacterSet.SpecialChar

    -join(Get-Random -Count $PasswordLength -InputObject $StringSet)
}
#Read more: https://www.sharepointdiary.com/2020/04/powershell-generate-random-password.html#ixzz81sBsb0UW
####################################################################################
# Custom Objects
####################################################################################
$Results = New-Object System.Collections.ArrayList
####################################################################################
# Script
####################################################################################
Write-Host "This script creates a number of test users in a designated tenant" -ForegroundColor Green
# Keep asking until the input has the length of a GUID (36 characters)
Do {
    Write-Host "Enter a Tenant ID, please" -ForegroundColor Green
    $TenantID = Read-Host
    $TenantIdCount = $TenantId | Measure-Object -Character
}
Until ($TenantIdCount.characters -eq "36")
Do {
    Write-Host "Enter the number of test users to create" -ForegroundColor Green
    [Int]$TestUsers = Read-Host
}
Until ($TestUsers -is [Int])
####################################################################################
# Connecting to the tenant
####################################################################################
# Look up the permissions New-MgUser needs (informational; the scopes are set explicitly below)
$Scopes = (Find-MgGraphCommand -Command New-MgUser | Select-Object Permissions).Permissions
Connect-MgGraph -Scopes User.ReadWrite.all, Domain.Read.All -TenantId $TenantID
####################################################################################
# Gathering
####################################################################################
$PrefDomain = (Get-MgDomain | Where-Object {$_.IsDefault -eq $true}).Id
####################################################################################
1..$TestUsers | foreach {
    # Create Password Profile
    $PasswordProfile = @{
        Password = Get-RandomPassword -PasswordLength 12
        ForceChangePasswordNextSignIn = $true
        ForceChangePasswordNextSignInWithMfa = $true
    }
    $Passw = $PasswordProfile.Password
    # Creating DisplayName
    $NumCount = $_
    $BaseUsFirstName = "Test"
    $BaseUsLastName = "User"
    $DisplayName = $BaseUsFirstName + " " + $BaseUsLastName + $NumCount
    Write-Host "$($DisplayName)"
    # Creating MailNickName
    $MailNickName = $BaseUsFirstName + $BaseUsLastName + $NumCount
    # Creating UserPrincipalName
    $UserPrincipalName = $MailNickName + "@" + $PrefDomain
    # Creating User
    New-MgUser -DisplayName $DisplayName -PasswordProfile $PasswordProfile -AccountEnabled -userPrincipalName $UserPrincipalName -MailNickName $MailNickName
    # Collect the account details for the export
    $Result = New-Object -TypeName psobject
    $Result | Add-Member -Name DisplayName -MemberType NoteProperty -Value $DisplayName
    $Result | Add-Member -Name UserPrincipalName -MemberType NoteProperty -Value $UserPrincipalName
    $Result | Add-Member -Name Password -MemberType NoteProperty -Value $Passw
    $Results.add($Result) | Out-Null
}
# exporting data (the CSV contains the initial passwords in clear text)
$FileName = "testusers-$($PrefDomain).csv"
$Results | Select-Object * | Export-csv -Path C:\temp\$FileName -Delimiter ";"
Notepad.exe C:\Temp\$FileName</div>
<h2 style="text-align: left;">Local DHCP Groups missing on the DHCP Server.</h2>
<p>Published 2021-10-13T11:03:00.002+02:00; updated 2021-10-13T11:03:23.482+02:00</p>
<p>Run NETSH DHCP Add Securitygroups on the DHCP Server.</p>
<p>Restart the DHCP Service</p>
<p>Add the Domain DHCP group to the corresponding DHCP local group.</p>
<h2 style="text-align: left;">Cannot login to Exchange 2013/2016 Exchange Control Panel</h2>
<p>Published 2018-02-25T13:49:00.001+01:00; updated 2018-02-25T13:53:26.048+01:00</p>
We recently started our migration from Exchange 2010 SP3 (RUP18) to Exchange 2016.<br />
After installing Exchange 2016, we ran into a heap of trouble when opening the Exchange 2016 Administrative Center, or when we tried to open OWA on Exchange 2016.<br />
<br />
When browsing ECP/OWA, we would not even receive a login screen; we merely got "500 Unexpected Error".<br />
<br />
Searching the internet led me to the following Technet Forum post:<br />
https://social.technet.microsoft.com/Forums/ie/en-US/777b51ee-330d-43cc-a56e-4614d44aed7b/unable-to-access-owa-or-ecp-something-went-wrong-or-500-unexpected-error?forum=exchangesvrclients<br />
<br />
After removing the values in msExchCanaryData, and recycling the application pools in IIS, I was able to log in.<br />
<blockquote class="tr_bq">
You have to open the ADSI editor on the primary domain controller (start-->administrative tools-->ADSI edit), go to CN=Services --> CN=Microsoft Exchange --> CN=&lt;your site name&gt; Right click CN=Client Access and click properties. Scroll down to msExchCanaryData0. You have to click edit and copy the data from Data0, Data1 and Data2 (you may have more or less) to a notepad file. Then erase the data from those settings. Now log onto the CAS server and open IIS management. Go to application pools and right click MSExchangeOWAAppPool and click Recycling. Then restart all of the mailbox servers.</blockquote>
[Quote]Marshall Lucas[/unquote]<br />
<br />
A colleague tried to log in as well, but he failed. He did get a login screen, but after logging in he would still receive "500 Unexpected Error". It could not be an infrastructural problem because I was able to log in, wherefore we excluded any issue on the part of IIS. We compared both our admin accounts and discovered that my admin account was fitted with a mailbox (probably created during a test, and neglected to clean up afterwards). We enabled his account with a mailbox, and now he was able to log in.<br />
<br />
I know from experience that Administrators do not need a mailbox to log on to ECP; if the Administrator does not have a mailbox attached, it would use a system mailbox instead. So the next step was to verify the arbitration mailboxes:<br />
<br />
Get-Mailbox -arbitration | fl name, DistinguishedName<br />
<br />
Which returned 5 arbitration mailboxes: 3 SystemMailboxes, one discovery mailbox and one migration mailbox. That looked more or less OK, wherefore I dismissed the idea that the issue was being caused by a missing arbitration mailbox.<br />
<br />
Moved all retrieved arbitration mailboxes to Exchange 2016, but it did not resolve the issue either.<br />
<br />
Went on searching for two more days, and everything kept on pointing in the direction of a missing arbitration mailbox. I decided to verify the accounts in AD against the mailboxes retrieved from PowerShell:<br />
<br />
Get-Mailbox -arbitration | fl name, DistinguishedName<br />
<br />
Get-ADUser -Filter "Name -like 'SystemMailbox*'" -server Root<br />
<br />
There I saw the catch: in Active Directory we had 6 SystemMailbox accounts, and we only had 3 SystemMailboxes which were actually mailbox enabled. I decided to make every SystemMailbox account mailbox enabled, which resolved the issue.<br />
<br />
Get-ADUser -Filter "Name -like 'SystemMailbox*'" -server Root -Property Mail | ? {$_.Mail -eq $null} | foreach {Get-User $_.DistinguishedName | Enable-Mailbox -Database "Exchange2016DB"}<br />
<h2 style="text-align: left;">Move-ADDirectoryServerOperationMasterRole</h2>
<p>Published 2017-02-13T10:20:00.007+01:00; updated 2017-02-13T10:20:57.949+01:00</p>
Do not use the server FQDN for the Identity in the Move-ADDirectoryServerOperationMasterRole cmdlet; it will fail if you do:<br />
<br />
Move-ADDirectoryServerOperationMasterRole -Identity "DC001.domain.suf" -OperationMasterRole InfrastructureMaster<br />
<br />
Move-ADDirectoryServerOperationMasterRole : Cannot find directory server with identity:"DC001.domain.suf"<br />
<br />
Correct syntax:<br />
Move-ADDirectoryServerOperationMasterRole -Identity "DC001" -OperationMasterRole InfrastructureMaster<br />
<br />
<br />
<h2 style="text-align: left;">Screen Flickers when installing a Windows Server 2012 on Windows Server 2008 Hyper-V</h2>
<p>Published 2013-08-26T18:19:00.000+02:00; updated 2013-08-26T18:19:45.321+02:00</p>
When you install Windows Server 2012 on a Windows Server 2008 R2, you might see that the virtual machine is unresponsive and that the screen of the virtual machine is constantly flickering. This is usually because the virtual machine does not have enough virtual memory configured. I have seen this issue occurring if the virtual machine has less than 2048MB of memory assigned. Increasing the virtual machine's memory to 2048MB or more resolves the issue.<br />
<h2 style="text-align: left;">Capital letters and Cisco RCC/Microsoft Lync</h2>
<p>Published 2013-06-25T13:10:00.002+02:00; updated 2013-06-25T13:10:23.593+02:00</p>
Yesterday I was working on a project that involves a new implementation of Lync 2013 and Cisco Cups.<br />
We had enabled a user for RCC within Cisco and Lync, but the user was unable to register on the Cisco Cups Server.<br />
<br />
The Cisco Cups is configured as a static route within Lync 2013, where it is used for a Cisco Sip domain called cups.contoso.com.<br />
<br />
We configured the user using the following settings:<br />
LineUri = TEL:3567;phone-context=dialstring<br />
LineServerUri = %UserName%@cups.contoso.com (where %UserName% is the Sam Account name of the user).<br />
<br />
[Get-csuser "alfa" | Set-CsUser -RemoteCallControlTelephonyEnabled $True -LineUri "TEL:3567;phone-context=dialstring" -LineServerUri "alfa@cups.contoso.com"]<br />
<br />
After enabling the user for RCC, we saw that the Lync client of the user was unable to register itself within the Cisco Cups Server to enable RCC. We enabled logging on the Lync Server/client, where we saw that the registration was canceled by the Cisco Cups server, where the Snooper reported "Call Leg does not exist".<br />
We could clearly see that Lync and Cisco were communicating, but at a certain point Cisco Cups sends a Cancel to the client in which the Client ends the communication.<br />
<br />
The reason for the Cancel is still unclear, so we retrieved the logs from the Cisco Cups server. There we saw that the Cancel was sent after giving an unspecified error on the dial string. We verified the dialstring within Lync again and confirmed that it was set correctly. As we had no real clue as to what was going on, a colleague retyped the dialstring within Lync, but received the notification that nothing changed. 5 minutes later the configuration started working. Upon investigating what had changed, we saw that the colleague typed the following LineUri: <span style="background-color: yellow;">tel</span>:3567;phone-context=dialstring. He had specified regular letters instead of capitals for the TEL letters. To prove that this was indeed causing the issue, we enabled another account for RCC where we also specified TEL in capital letters. The user was unable to register in Cisco Cups; after changing the letters to regular, the user was able to register and use RCC.<br />
<br />
By posting this encounter, I hope to spare somebody's time in troubleshooting this issue.<br />
<br />
<br />
<br />
<br />
<h2 style="text-align: left;">Beware of Exchange Web Services</h2>
<p>Published 2013-03-31T14:37:00.000+02:00; updated 2013-03-31T14:37:01.681+02:00</p>
I would like to point out that Exchange Web Services allows EWS clients to retrieve mail although Outlook Anywhere is disabled.<br />
A customer of mine was not comfortable with Outlook Anywhere as an un-managed computer could be used to retrieve mail. So they wanted to delay the deployment of Outlook Anywhere until proper IPsec policies where in place. However we decided to publish EWS to allow Lync to retrieve Free/busy information for remote workers. To our surprise we discovered that Outlook mail was able to access his mailbox on Exchange 2010 although Outlook Anywhere was disabled.<br />
<br />
Now there are a number of measurements you can take to prevent access although allowing EWS to be published externally. One option is to set the access to EWS by the mailbox features.<br />
The can be done by using the Set-Casmailbox for the users. This is an "per user" approach in which you can allow some users and disallow some others.<br />
<br />
You can also set it on the organizational level, in which case you allow or disallow it for the complete environment.<br />
This is done via Set-OrganizationConfig.<br />
<br />
However, neither setting distinguishes between external and internal access. This means that if you disable the setting, those clients will also not be able to connect to EWS from a corporate or trusted network.<br />
<br />
http://msdn.microsoft.com/en-us/library/exchange/ff406134(v=exchg.140).aspx<br />
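The per-user and organization-wide controls described above, as an added Exchange Management Shell example that is not part of the original post. The mailbox identities and the `OC/*` user-agent pattern for the Lync client are assumptions; check the user-agent strings your clients really send in the IIS logs of the Client Access server before enforcing a list.

```powershell
# Added example, not the author's code. Run in the Exchange Management Shell
# (EWS access control is available from Exchange 2010 SP1).
# Assumptions: the two mailbox identities and the 'OC/*' pattern for Lync.
$lyncUser    = 'jdoe@contoso.com'         # placeholder: remote worker who needs Lync free/busy
$blockedUser = 'contractor@contoso.com'   # placeholder: user who should have no EWS at all

# 1. Audit before changing anything: organization defaults and per-mailbox overrides.
Get-OrganizationConfig | Format-List Ews*

Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, EwsEnabled, EwsAllowOutlook, EwsAllowMacOutlook,
                  EwsAllowEntourage, EwsApplicationAccessPolicy, EwsAllowList |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Per-user approach: EWS stays enabled, mail clients are refused and only
#    applications on the allow list get through. The list matches the
#    User-Agent header, which the client supplies itself, so treat it as a
#    policy filter for well-behaved clients and not as authentication.
$allowLyncOnly = @{
    Identity                   = $lyncUser
    EwsEnabled                 = $true
    EwsAllowOutlook            = $false   # also stops Outlook's own EWS features (free/busy, OOF)
    EwsAllowMacOutlook         = $false
    EwsAllowEntourage          = $false
    EwsApplicationAccessPolicy = 'EnforceAllowList'
    EwsAllowList               = @('OC/*')
}
Set-CASMailbox @allowLyncOnly

# 3. Per-user approach: no EWS at all for this mailbox.
Set-CASMailbox -Identity $blockedUser -EwsEnabled $false

# 4. Organization-wide approach: the same policy as the default for everyone.
#    As the post notes, this applies to internal and external clients alike.
$orgPolicy = @{
    EwsEnabled                 = $true
    EwsAllowOutlook            = $false
    EwsAllowMacOutlook         = $false
    EwsAllowEntourage          = $false
    EwsApplicationAccessPolicy = 'EnforceAllowList'
    EwsAllowList               = @('OC/*')
}
Set-OrganizationConfig @orgPolicy

# 5. Read the result back.
Get-CASMailbox -Identity $lyncUser    | Format-List Name, Ews*
Get-CASMailbox -Identity $blockedUser | Format-List Name, Ews*
Get-OrganizationConfig                | Format-List Ews*
```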
<br />
<br />
<br />
The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-18816385184966462752013-01-08T20:36:00.001+01:002013-01-08T20:36:48.525+01:00Securing POP and SMTP traffic from POP clients in Exchange 2010<br />
I am working on an Exchange migration from Exchange 2003 to Exchange 2010. The customer is using a mixed environment with Microsoft Windows (Windows XP/Vista and Seven) clients, and Linux/Unix clients which use POP and IMAP to retrieve mail from Exchange 2003. The Windows clients use Outlook 2010, while the Linux clients use a number of applications which use IMAP or POP3 to access their mailboxes.<br />
<br />
The customer wants to keep the IMAP/POP functionality available in the new Exchange 2010 environment, but wants to secure it where possible. In answer to that question I replied that we would keep the functionality, but switch to SSL encrypted communication between the clients and the servers. To do so, I also recommended that the clients use the client submission port (TCP587(RFC5321)) instead of simple SMTP (TCP25) to send to the server(s), where we would also impose authentication. This way IMAP/POP and SMTP traffic would be encrypted and would only occur via authenticated users.<br />
Forcing the clients to use the client submission port enhances security, as you do not need to create a relay receive connector for the clients on TCP port 25.<br />
<br />
I knew all this is possible in theory but had never implemented it before, as this is the first time I have come across an environment where IMAP/POP3 is still used in real life. To make sure I knew how to implement the theory, I started playing in my test environment during the Christmas holidays.<br />
<br />
In my test environment I have a single Exchange 2010 server with the three required roles installed (HUB/CAS/MBX), and downloaded and installed Mozilla Thunderbird as a POP client.<br />
<br />
<b>Certificate:</b><br />
As we are going to use TLS to encrypt the communication channels, we have to make sure that the intended FQDNs are present in the SSL certificate. The Exchange environment already has an SSL certificate assigned to it for SMTP and IIS, and we are going to reuse that SSL certificate to secure the POP3 access.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQLNtIVOl1h0MpD34XO_sFaUB1AOhgS81wFrD79NESP8InrKOqKbdOjYm9MknF_OYldnCXmFia-anRO462pRZbwwsPGr0jD6mhEA8FTi1lpvVmL_yfCHtLryRQx2H2jigzB__fqDdHHh3h/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQLNtIVOl1h0MpD34XO_sFaUB1AOhgS81wFrD79NESP8InrKOqKbdOjYm9MknF_OYldnCXmFia-anRO462pRZbwwsPGr0jD6mhEA8FTi1lpvVmL_yfCHtLryRQx2H2jigzB__fqDdHHh3h/s320/1.png" width="320" /></a></div>
In the screenshot you will see that the hostname of the server is present in the certificate, and that is the FQDN we intend to use for POP and SMTP communication. Now we need to see to which services the certificate is assigned.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxtMozkXHCCmJnE_Xx3W5Ggnc1B87xhoBuMSq05dw5xHGXnhpAMz48z_JFNYWeuLb6laMNz4PnjKXIuDVnGNCr5n8TRUO7hy1Z4zTJdU8T6WtFa7jKM4_p0zgH71WKVX1fGl_S415pLUzp/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxtMozkXHCCmJnE_Xx3W5Ggnc1B87xhoBuMSq05dw5xHGXnhpAMz48z_JFNYWeuLb6laMNz4PnjKXIuDVnGNCr5n8TRUO7hy1Z4zTJdU8T6WtFa7jKM4_p0zgH71WKVX1fGl_S415pLUzp/s320/2.png" width="320" /></a></div>
<blockquote class="tr_bq">
<i style="background-color: #3d85c6;">Note: You can run the previous commands in a single line by running "Get-ExchangeCertificate | fl CertificateDomains, Services"</i></blockquote>
In the screenshot you will see that the POP and IMAP services are already assigned in my case; this is because I took the screenshots after testing and not while testing. To assign the certificate to the IMAP/POP3 services, you need to run the following commands.<br />
If you have multiple certificates in use, list the certificates first:<br />
[Code]<br />
Get-ExchangeCertificate<br />
[/Code]<br />
Select the required certificate and assign it to the requested services:<br />
[Code]<br />
Get-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | Enable-ExchangeCertificate -Services "POP, IMAP"<br />
[/Code]<br />
The required certificate is now assigned to the IMAP and POP3 service.<br />
<blockquote class="tr_bq">
<span style="background-color: #3d85c6;"><i>Note: If the MSExchangePOP3 or MSExchangeIMAP services were already started before assigning the certificate, you will need to restart these services. This is required each time you change or reassign a certificate to a service</i>.</span></blockquote>
<b>Configuring the Client Access Server</b><br />
Open the Exchange Management Console, go to server configuration and Client Access Server Role.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMWB3xB1lka4Xn5ekeeDORwFeYD7b9h_fbPBcr40u1KJlzcBSpj_gRl2RIdpxp3Dpx3fRmIVeRvk3VVeNix1IeBz3lsz3uaDifwkQ54eC4rvqwTdSYf76qg8G8qYSOQVl1EkJZKMMnlUzB/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMWB3xB1lka4Xn5ekeeDORwFeYD7b9h_fbPBcr40u1KJlzcBSpj_gRl2RIdpxp3Dpx3fRmIVeRvk3VVeNix1IeBz3lsz3uaDifwkQ54eC4rvqwTdSYf76qg8G8qYSOQVl1EkJZKMMnlUzB/s320/3.png" width="320" /></a></div>
Go to the Bindings tab, and configure the IP addresses on which the service should listen. By default it lists all IPv4 and IPv6 addresses, but I removed the IPv6 addresses as I do not use IPv6 in the test environment.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitqLTsv_Y5jnCYmttPEZhumhzq4O6xaShXABFWMXu8wy0MwbxeThPc6KYiYIV39CRU5o6g3xLDsKzrTYc1qof4v1zqpvsT3HCDQV3yu29z1AC7LRL4N-qkuBiR2mVfOJSJndv1AJSGt0k_/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitqLTsv_Y5jnCYmttPEZhumhzq4O6xaShXABFWMXu8wy0MwbxeThPc6KYiYIV39CRU5o6g3xLDsKzrTYc1qof4v1zqpvsT3HCDQV3yu29z1AC7LRL4N-qkuBiR2mVfOJSJndv1AJSGt0k_/s320/4.png" width="285" /></a></div>
<br />
<blockquote class="tr_bq">
<span style="background-color: #3d85c6;"> <i>Note: I still allow connection over port 110, but you can remove that if you wish to allow only secured communication (which will be done with my customer). </i> </span></blockquote>
Then go to the Authentication tab, modify the authentication if required and verify that the certificate name is the name of the certificate which you selected in the previous step.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy2aYQCEiqNT7mNKvyv8NyUmK0HuCVvLQw2MblogpGpthU-ywVr1QjKKFTA_AESK8FaKTlqeV1j6_fuWXS74XCuyP3RTx7dmLQ2mFfj2OfY9eg8plXJ9dgfyVYdReL0n4jGNX3RQUcj12F/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy2aYQCEiqNT7mNKvyv8NyUmK0HuCVvLQw2MblogpGpthU-ywVr1QjKKFTA_AESK8FaKTlqeV1j6_fuWXS74XCuyP3RTx7dmLQ2mFfj2OfY9eg8plXJ9dgfyVYdReL0n4jGNX3RQUcj12F/s320/5.png" width="285" /></a></div>
<blockquote class="tr_bq">
<i style="background-color: #3d85c6;">Note: These are basically the default settings as Exchange 2010 aims to be secure by default.</i></blockquote>
We do not need to modify the other tabs.<br />
<b><br /></b>
<b>IMAP</b><br />
Now verify that the same settings apply to IMAP, which they should as it is designed to be secure by default.<br />
<blockquote class="tr_bq">
<span style="background-color: #3d85c6;"><i>Note: Modify the bindings if you wish to only allow secure connections.</i> </span> </blockquote>
<b>Starting the required services</b><br />
The IMAP and POP3 services are set to manual start, which means they are not started automatically. If you wish to supply access through these services, you have to change the start-up mode to automatic. In my test environment I merely started the services, as they are only required for testing the configuration.<br />
To change the start-up mode:<br />
[Code]<br />
Get-service -name msexchangepop3, msexchangeimap4 | Set-Service -StartupType Automatic<br />
[/Code]<br />
To start the services:<br />
[Code]<br />
Get-service -name msexchangepop3, msexchangeimap4 | Start-Service<br />
[/Code]<br />
<br />
<b>Configure SMTP access (Client Submission Port)</b><br />
We want users to authenticate and use TLS encryption when sending (relaying) mail through Exchange 2010.<br />
Open the Exchange Management Console, go to server configuration and Hub Transport Server Role.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkf0vlra6_WxnEEQYnavTe9D-MlAehzOSeS18ReViNV65nRTOS07oEQXZXpSgHouV8D6pkhX6AqjvJ0KlgX8Ve0BjCT4trceHtwkgUqEymhLeTEoSPw2Dc08yQxoZZRmFsgWPWcrKKw5G2/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkf0vlra6_WxnEEQYnavTe9D-MlAehzOSeS18ReViNV65nRTOS07oEQXZXpSgHouV8D6pkhX6AqjvJ0KlgX8Ve0BjCT4trceHtwkgUqEymhLeTEoSPw2Dc08yQxoZZRmFsgWPWcrKKw5G2/s320/6.png" width="320" /></a></div>
<br />
Select the receive connector for the client submission port, which is called "Client" by default, but which I renamed to "Client Exch02". Right click and select Properties. Verify on the Network tab that the client network is allowed to use the connector. Go to the Authentication tab and select "Transport Layer Security (TLS)", "Basic Authentication" and "Offer Basic Authentication only after Starting TLS".<br />
<blockquote class="tr_bq">
<span style="background-color: #3d85c6;"> Note: I have tried with TLS alone, but then the credentials are not accepted. I could only make it work with basic authentication, but that is no issue as the authentication is done in a TLS encrypted tunnel in which the communication is encrypted anyway. This is why you need to make sure that "Offer Basic Authentication only after Starting TLS" is also selected. </span></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ3r4EJyFqSRB_ZVRTU0PQVCXtG5FNhL23DCDKgoT5titmDK0fhyphenhyphenFGT4HcVSPDpojyd93ku_fmvBpdY8XEMiOXhiwoLIkOf8w1xe5v9mCYvZyJHDlhpvWOaKtbhc_Z5kn2s2hzCVkFUgV3/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ3r4EJyFqSRB_ZVRTU0PQVCXtG5FNhL23DCDKgoT5titmDK0fhyphenhyphenFGT4HcVSPDpojyd93ku_fmvBpdY8XEMiOXhiwoLIkOf8w1xe5v9mCYvZyJHDlhpvWOaKtbhc_Z5kn2s2hzCVkFUgV3/s320/7.png" width="286" /></a></div>
In the "Permission Groups" setting you have to make sure that "Exchange Users" and "Exchange Servers" are checked.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGvahnDPsZZm9DRJ-ACC00IAAhkznOqbQ2drQr26q7qQxcFg4-2_2RMKT2KpkMpKFZp-3Z7vOq8b1Xfq-xkDNmNakpcDSmTu8vA0HPfuPBdliH3YAhHlI1o9225CNERqFoeCF8lD4boz0K/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGvahnDPsZZm9DRJ-ACC00IAAhkznOqbQ2drQr26q7qQxcFg4-2_2RMKT2KpkMpKFZp-3Z7vOq8b1Xfq-xkDNmNakpcDSmTu8vA0HPfuPBdliH3YAhHlI1o9225CNERqFoeCF8lD4boz0K/s320/8.png" width="285" /></a></div>
<br />
<b>Client Configuration</b><br />
As client I chose to use Mozilla Thunderbird, as it is a widely used client in Windows and operating Systems.<br />
I am not going to explain the configuration of the client completely as it is pretty straightforward, yet I am showing the settings in the client to prove that communication is indeed TLS encrypted and that authentication is required to send mail (SMTP).<br />
POP3 Settings:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguEA5X9rnHe_U73eNbd10IAHh7ZY8mqlEle30xSPSWthgmIz4SfGEk6_x85mit34aYdMiD1QMSy8nGaaQ9pbt5HZzpYgMgzvcsSHgA1ouGnTXF9hDjwelkOinI8gcpYrjN_mjt4lx1LP6x/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguEA5X9rnHe_U73eNbd10IAHh7ZY8mqlEle30xSPSWthgmIz4SfGEk6_x85mit34aYdMiD1QMSy8nGaaQ9pbt5HZzpYgMgzvcsSHgA1ouGnTXF9hDjwelkOinI8gcpYrjN_mjt4lx1LP6x/s320/9.png" width="296" /></a></div>
SMTP Settings:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZEUhhyphenhyphen3TOsoKVUPk4fD3nBatIG3W91_PVGcolD9pFSMIEkRz_KDexwMlew-02bgOEbmLlU_HwnSuq5r_HO3Wn4twQOXp6mhw_bdNDWXmY8mNjdiGpUrvcL8D5HdNuIubWUdzSVUJH2Xn/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZEUhhyphenhyphen3TOsoKVUPk4fD3nBatIG3W91_PVGcolD9pFSMIEkRz_KDexwMlew-02bgOEbmLlU_HwnSuq5r_HO3Wn4twQOXp6mhw_bdNDWXmY8mNjdiGpUrvcL8D5HdNuIubWUdzSVUJH2Xn/s320/10.png" width="296" /></a></div>
Here you see that authentication is required.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbmLRJ3OdLSUU7ou0dZEk3GsrogzH_yqmzrPBDSVD6nSxteJ9lv7Z6q1t5EPVpfOJEcel8BY7_kTvdv7B2y4m1h7l5su-zLAt44RklOLWk3JdhmBLsVS7PY5LzdDvbYeVST55PSZHeWQyz/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbmLRJ3OdLSUU7ou0dZEk3GsrogzH_yqmzrPBDSVD6nSxteJ9lv7Z6q1t5EPVpfOJEcel8BY7_kTvdv7B2y4m1h7l5su-zLAt44RklOLWk3JdhmBLsVS7PY5LzdDvbYeVST55PSZHeWQyz/s320/11.png" width="320" /></a></div>
The client submission connector allows relaying for Exchange authenticated users, so you have allowed relaying, but in a more secure and reliable way. If you have applications which need to send or relay SMTP traffic via your Exchange 2010 environment, you should investigate whether the same settings can be used for these applications. <br />
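The console steps in this post (certificate, POP/IMAP settings, services, client submission connector) as one added Exchange Management Shell script that is not part of the original post. The server name `EXCH02`, the FQDN and the thumbprint placeholder are assumptions; the connector name "Client Exch02" is the one used above.

```powershell
# Added example, not the author's code. Run in the Exchange Management Shell
# on the Exchange 2010 server itself (the service commands act locally).
# Assumptions: server name, FQDN and thumbprint are placeholders.
$server     = 'EXCH02'
$fqdn       = 'exch02.contoso.local'        # name the POP/IMAP/SMTP clients connect to
$thumbprint = '<THUMBPRINT-OF-CERTIFICATE>' # take it from Get-ExchangeCertificate
$connector  = "$server\Client Exch02"

# 1. Certificate: stop if it is expired or does not list the client-facing name.
#    (Exact-name comparison only; a wildcard certificate needs its own check.)
$cert  = Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint
$names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ($names -notcontains $fqdn)     { throw "Certificate does not contain $fqdn" }

Enable-ExchangeCertificate -Server $server -Thumbprint $thumbprint -Services POP, IMAP

# 2. POP3 and IMAP4: credentials only over TLS, IPv4 bindings as in the screenshots.
#    Port 110/143 stays bound for STARTTLS; 995/993 are the implicit-TLS ports.
Set-PopSettings -Server $server -LoginType SecureLogin -X509CertificateName $fqdn `
    -UnencryptedOrTLSBindings '0.0.0.0:110' -SSLBindings '0.0.0.0:995'
Set-ImapSettings -Server $server -LoginType SecureLogin -X509CertificateName $fqdn `
    -UnencryptedOrTLSBindings '0.0.0.0:143' -SSLBindings '0.0.0.0:993'

# 3. Services: start automatically and pick up the new certificate and settings.
Get-Service -Name MSExchangePOP3, MSExchangeIMAP4 | Set-Service -StartupType Automatic
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# 4. Client submission connector (TCP 587): TLS offered, basic authentication
#    only after STARTTLS, and only authenticated Exchange users may submit.
Set-ReceiveConnector -Identity $connector `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers, ExchangeServers

# 5. Read everything back and flag the two settings that would weaken the setup.
Get-PopSettings  -Server $server | Format-List LoginType, X509CertificateName, *Bindings
Get-ImapSettings -Server $server | Format-List LoginType, X509CertificateName, *Bindings

$rc = Get-ReceiveConnector -Identity $connector
$rc | Format-List Identity, Bindings, AuthMechanism, PermissionGroups

if ("$($rc.AuthMechanism)" -notmatch 'BasicAuthRequireTLS') {
    Write-Warning 'Basic authentication is offered before TLS: credentials can cross the wire in clear text.'
}
if ("$($rc.PermissionGroups)" -match 'AnonymousUsers') {
    Write-Warning 'Anonymous users are allowed on the client submission connector.'
}
```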
<br />The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com1tag:blogger.com,1999:blog-8820695633308655530.post-8364409874657425102012-11-13T11:57:00.000+01:002012-11-13T11:57:22.120+01:00Lync Monitoring: An error has occurred during report processing. (rsProcessingAborted)<br />
You get the following error when trying to view the "all incidents reports" in Lync reporting services:<br />
<br />
<br />
<div class="MsoNormal">
<span style="color: #1f497d;">“An error has occurred during report processing. (rsProcessingAborted) Query Execution Failed for Dataset “GetAll”. (rsErrorExecutingCommand) Error converting data type nvarchar to datetime.”</span></div>
<div class="MsoNormal">
<span style="color: #1f497d;"><br /></span></div>
<div class="MsoNormal">
The problem is caused by the language settings within Internet Explorer, more particularly the date formatting that is used in different parts of the world. In my case, Belgium/Europe, we use the following format: dd/mm/yyyy, while in the US the date format is mm/dd/yyyy. This date formatting causes the report to fail, and therefore the following error is displayed:</div>
<div class="MsoNormal">
"<span style="color: #1f497d;">Error converting data type nvarchar to datetime."</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In order to get the date formatting which the report is expecting, you need to add the EN-US language to Internet Explorer:</div>
<div class="MsoNormal">
<span style="color: #1f497d;"><br /></span></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
Open Internet Explorer, go to Internet Options, Appearance and select language.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwew5B_ck5K9Mgl4MgC32AniaedNd9kawS05k_ckB8b-RTseMQV_r32B19rE50s-GGaXFfyjZi4cOvwl3o2PRSvW-4dQIsWfuwdeXwtTAk8QLP26oFaAwvwbu3e3_LFr6Zymnqg2ALJozo/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwew5B_ck5K9Mgl4MgC32AniaedNd9kawS05k_ckB8b-RTseMQV_r32B19rE50s-GGaXFfyjZi4cOvwl3o2PRSvW-4dQIsWfuwdeXwtTAk8QLP26oFaAwvwbu3e3_LFr6Zymnqg2ALJozo/s320/1.png" width="209" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvw18bZpb9cjHq55n_P8lNhlPIFEuz1K49Uy3OkNjgzBwwPwntsl_wt65xIW7NbYKFf1G97sD35ZQYdqTtkBSH5WQGJZgWfaqGotf0t_nsnqcDutBJUa5bmn1z78YKYzZCo_vgF3nd6LGZ/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvw18bZpb9cjHq55n_P8lNhlPIFEuz1K49Uy3OkNjgzBwwPwntsl_wt65xIW7NbYKFf1G97sD35ZQYdqTtkBSH5WQGJZgWfaqGotf0t_nsnqcDutBJUa5bmn1z78YKYzZCo_vgF3nd6LGZ/s320/2.png" width="250" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf5XMz8b0BwzuaxEEFC2JWz7wr23QlGWeb2ydHVwg-ZiBRCObV7vlUcdbumm8IEk7z3ZiXIZ3eab4xBhbKXlh3CZ4F-yHP7H8zDE0kwjglMY8Zm9FGgme4HtLDZj6gmqcrc_ogF2MijLWz/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf5XMz8b0BwzuaxEEFC2JWz7wr23QlGWeb2ydHVwg-ZiBRCObV7vlUcdbumm8IEk7z3ZiXIZ3eab4xBhbKXlh3CZ4F-yHP7H8zDE0kwjglMY8Zm9FGgme4HtLDZj6gmqcrc_ogF2MijLWz/s320/3.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
Move En-US to first place and click OK.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqqE1QX-UgnOGPG0PHO8DZkyiRoBYaIXDDbYb0VBwNvl3Dt1x-b1MaI0UNpuMXtgGP-eBUXUAo-00v2i8W6A0X1fGlI1ZIf9IQHbfngFRdEVkN5C3URIMyuSbzEUgv8fn02cLAgFWTLDyt/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqqE1QX-UgnOGPG0PHO8DZkyiRoBYaIXDDbYb0VBwNvl3Dt1x-b1MaI0UNpuMXtgGP-eBUXUAo-00v2i8W6A0X1fGlI1ZIf9IQHbfngFRdEVkN5C3URIMyuSbzEUgv8fn02cLAgFWTLDyt/s320/4.png" width="250" /></a></div>
<div class="MsoNormal">
<br /></div>
The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com1tag:blogger.com,1999:blog-8820695633308655530.post-83474534357822659862012-10-01T20:07:00.000+02:002014-11-14T10:55:47.189+01:00Windows Server 2008 R2 Repair<br />
I am having trouble with my test server which is running my virtual environment. It is running on hardware that is not really supported by Windows Server 2008 R2, and because of that the system sometimes reboots.<br />
These reboots can cause virtual machines to become corrupt, if the reboot happens in a major write operation.<br />
<br />
Now a week ago the server rebooted again unexpectedly and because of this my Lync Server would no longer boot up. I tried repairing the machine using the SFC tool with the known syntax:<br />
[Code]<br />
SFC /ScanNow /OffBootDir=C:\ /OffWinDir=C:\Windows<br />
[/Code]<br />
<br />
It can happen that following message appears:<br />
"There is a Windows Repair pending which requires a reboot of the system"<br />
<br />
If this message appears, you can revert the pending changes, or remove/rename the pending.xml file.<br />
<br />
To revert the pending change, use following code:<br />
[Code]<br />
dism.exe /image:C:\ /cleanup-image /revertpendingactions<div>
[/Code]<br /><br />
Rename the pending.xml, which is found under C:\Windows\System32.<br />
<br />
But after the reboot the system wouldn't boot. The next step would be to repair the Windows boot loader using StartRep.exe.<br />
I started the system in repair mode (CMD), where the system starts in X:\Windows\System32.<br />
Type X:\Resources\Recovery\StartRep.exe and press Enter. The system asks you if you wish to repair the system boot loader, where you click Finish. After clicking Finish the system restarted perfectly into Windows; even all Lync services were started as intended. </div>
The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-10248795941834573392012-10-01T19:51:00.001+02:002012-11-18T13:32:58.441+01:00Installing Lync 2013 on Windows Server 2012<br />
I wanted to install Lync 2013 on Windows Server 2012 in a test environment to get acquainted with the product. I downloaded the Windows Server virtual disk (VHD) from the Microsoft website, booted up the disk and added it to my test domain.<br />
<br />
When provisioning your virtual machine, I would like to note that you need to provide at least 3072MB to the virtual machine, otherwise the installation of the front-end server will fail with the following exception: "81" Is not a valid value for Configuration Option 'Max Server Memory'. I started off with the Hyper-V default, which is 1024, which makes the Lync role installation fail.<br />
<br />
The first step is to install the Lync 2013 prerequisites. Unlike on Windows Server 2008 R2, we do not need to import the server module and use the Add-WindowsFeature cmdlet; in Windows Server 2012 you can kick off the installation of the prerequisites by using the Install-WindowsFeature cmdlet. The majority of the prerequisites are installed by the following line:<br />
[Code]<br />
<br />
<strike>install-WindowsFeature Web-Server Web-WebServer, web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Http-Tracing, Web-Performance, Web-Stat-Compression, Web-Dyn-Compression, Web-Security, Web-Filtering, Web-Client-Auth, Web-Windows-Auth, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, NET-Framework-45-Feature, NET-Framework-45-Core, NET-WCF-Services45, NET-WCF-TCP-PortSharing45, RSAT-AD-Tools, Windows-Identity-Foundation, Web-ISAPI-Ext, Web-ISAPI-Filter, Desktop-Experience, Server-Media-Foundation, web-asp-net, web-asp-net45</strike><br />
<br />
[/Code]<br />
Besides these prerequisites you also need to install Web-Net-Ext (.NET Extensibility 3.5), yet when you add Web-Net-Ext to the previous line you will see that the feature fails to install. This is because the sources for this feature have been stripped from Windows Server 2012. To add this feature you have to define the source in order to install it. These sources are not available on the VHD, so you will need to download the ISO itself. Once you have the ISO you can find the sources under Sources\SXS\. My CD-ROM drive on the server is Z, so I installed it with the following line:<br />
[Code]<br />
Install-WindowsFeature Web-Net-Ext -Source Z:\Sources\SXS\<br />
[/Code]<br />
<br />
<br />
###############################################################################<br />
# De Greyt Jurgen<br />
# 15/11/2012<br />
# Modified 8/11/2012<br />
###############################################################################<br />
#Active Directory Remote administration tools<br />
Add-WindowsFeature RSAT-ADDS<br />
<br />
#Identity Framework<br />
Add-windowsFeature Windows-Identity-Foundation<br />
<br />
#Message Queuing<br />
Add-windowsFeature MSMQ-Server, MSMQ-Directory<br />
<br />
#IIS<br />
Add-windowsFeature Web-Server, Web-Scripting-Tools, Web-Windows-Auth, Web-asp-net, Web-log-Libraries, web-http-tracing, web-stat-Compression, Web-Dyn-Compression, Web-Default-Doc, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-HTTP-Errors, Web-HTTP-Logging, Web-Net-Ext, Web-Client-Auth, Web-Filtering, Web-Mgmt-Console, Web-Asp-Net45, Web-Net-Ext45<br />
<br />
#.Net Framework<br />
Add-windowsFeature NET-WCF-HTTP-Activation45<br />
<br />
#Media<br />
Add-windowsFeature Server-Media-Foundation<br />
###############################################################################<br />
<br />
<br />
<br />The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-16929238820748065382012-07-29T19:34:00.001+02:002012-07-29T19:34:41.231+02:00learning some new tricks<br />
When configuring my network interfaces I usually use netsh. Once you are accustomed to netsh it is pretty simple. To find the name of your interfaces you would use "netsh int ip show interfaces". To configure the IP addresses you would use the following syntax: netsh int ip set address "Local Area Connection" static 10.10.10.1 255.255.255.0 10.10.10.254 10. Adding DNS servers would be done with the following syntax: netsh int ip set dnsserver "Local Area Connection" static 10.10.10.10; adding a DNS server could be done by netsh int ip add dnsserver "Local Area Connection" 10.10.10.20.<br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">Now I was playing with Windows Server 2012, and wanted to challenge myself to configure the interface through PowerShell. I guessed it was possible as I saw some NetIP cmdlets in previous encounters. </span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">The first thing I did was try to find the right cmdlets. To search for them I used the following syntax:</span><br />
<span style="background-color: white;">Get-Command "Set*NetIP*" </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3DCgJtoI0aawf4mzqi8nZk8WQjUdArtO0tySoqr9mkAD7tHKkGLhnv2kg3ncaTEcXkGad752RMBB5P1IkeCVR4vBxbfA-QkRHIs73_qROIjzpELT7BoLkoGdcLLsAfJYXJMn-ounSB5qy/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3DCgJtoI0aawf4mzqi8nZk8WQjUdArtO0tySoqr9mkAD7tHKkGLhnv2kg3ncaTEcXkGad752RMBB5P1IkeCVR4vBxbfA-QkRHIs73_qROIjzpELT7BoLkoGdcLLsAfJYXJMn-ounSB5qy/s320/1.png" width="320" /></a></div>
This gave me a few hints to continue my search. In the same manner as with netsh, I need to find out the name of the interface I want to configure. Set-NetIPInterface suggests that there would also exist a Get-NetIPInterface cmdlet. Putting my thinking into practice showed me the configured interfaces on the server.<br />
Get-NetIPInterface<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_NZ-a-DtiRNbaPMHHFZgNLcHbAo_M6oq-IiQsIxAcrxHhqSwmrp15D48K1rs-aS7KOCGvaSUpXXD05JoLKvKwcsogUJKdNAeISsUGLI0BOWOPbWpPuIRIzAB4h9mNtyw0z_Vb0wIhL9y-/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_NZ-a-DtiRNbaPMHHFZgNLcHbAo_M6oq-IiQsIxAcrxHhqSwmrp15D48K1rs-aS7KOCGvaSUpXXD05JoLKvKwcsogUJKdNAeISsUGLI0BOWOPbWpPuIRIzAB4h9mNtyw0z_Vb0wIhL9y-/s320/2.png" width="320" /></a></div>
This showed that the interface we are trying to configure is called "Ethernet". The second cmdlet we were interested in was the Set-NetIPAddress cmdlet. Now we need to find out how the IP address that is specified in Set-NetIPAddress is linked to the correct interface. To find out I checked the help of Set-NetIPAddress: Get-Help "Set-NetIPAddress"<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6sA8JpcutayT9p7uuk9Er1Dj8W3k6j5XNQoPinxIva6npUBa6T4oVnXAezlrsJFnravFSMDYAIji7hjaJT6pnZ2Nbs2xgm6qBE3EW9ET5dVFpxu0VRGfJja-jAwKLg8XPEWKZQi_IE45-/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6sA8JpcutayT9p7uuk9Er1Dj8W3k6j5XNQoPinxIva6npUBa6T4oVnXAezlrsJFnravFSMDYAIji7hjaJT6pnZ2Nbs2xgm6qBE3EW9ET5dVFpxu0VRGfJja-jAwKLg8XPEWKZQi_IE45-/s320/3.png" width="320" /></a></div>
This showed me the new-netipaddress cmdlet, which led me to the following string:<br />
New-NetIpAddress -Ipaddress 192.168.0.3 -DefaultGateway 192.168.0.254 -InterfaceAlias Ethernet -AddressFamily IPv4 -PrefixLength 24<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPXS5IlbfwldWqD-7DDNu8_Jlg2Kd6mohwVUbHsRVqAi8HFpXtpWUqGZ3Us7YsLm3HQdFN8wwyIxp_GVCErXXNh_slWB-NyWJT4GmTjq-YcS2w8S96bzZ4erbqLRSywJc8L2siF5bvCIgR/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPXS5IlbfwldWqD-7DDNu8_Jlg2Kd6mohwVUbHsRVqAi8HFpXtpWUqGZ3Us7YsLm3HQdFN8wwyIxp_GVCErXXNh_slWB-NyWJT4GmTjq-YcS2w8S96bzZ4erbqLRSywJc8L2siF5bvCIgR/s320/4.png" width="320" /></a></div>
The new-NetIpAddress Cmdlet does not allow DNS or WINS to be set. Setting the DNS server would be done by the Set-DNSClientServerAddress cmdlet.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqPt3qJG8QTxZr4boEzorENUBmphyphenhyphenDOcyvFDWG40Sis9ivUbBSl9Dyv3V5cDl_neEiOmXvOE79EVcCh4KaAwKPt4Lrj_G1yrKvdhB3dYd7Rzs7xKciSu4MJqITv2TRX_uxlu-J_C42LcpH/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqPt3qJG8QTxZr4boEzorENUBmphyphenhyphenDOcyvFDWG40Sis9ivUbBSl9Dyv3V5cDl_neEiOmXvOE79EVcCh4KaAwKPt4Lrj_G1yrKvdhB3dYd7Rzs7xKciSu4MJqITv2TRX_uxlu-J_C42LcpH/s320/3.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
To set the DNS servers we need the interface index number of the interface that the DNS server settings apply to. The interface index number is shown by the Get-NetIPInterface cmdlet.</div>
<div class="separator" style="clear: both; text-align: left;">
Setting the DNS servers is done with the following syntax:</div>
<div class="separator" style="clear: both; text-align: left;">
Set-DnsClientServerAddress -ServerAddresses <i>IP First Server</i>, <i>IP Second Server</i> -InterfaceIndex <i>'Indexnumber'</i></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNH0KMdMpwo9gu0Y8qfN4KylidqX_ajW6nVAFJ5bvXvxMoTj4n-WYA74qYIO6POAPA8X-EHTDMptVf1yDcrWwP45Fk3j6pDgC4D95OFEstPhl0YTw_hK2gegLU_Yhv7_NYYMxouQr5FW1/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="15" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkNH0KMdMpwo9gu0Y8qfN4KylidqX_ajW6nVAFJ5bvXvxMoTj4n-WYA74qYIO6POAPA8X-EHTDMptVf1yDcrWwP45Fk3j6pDgC4D95OFEstPhl0YTw_hK2gegLU_Yhv7_NYYMxouQr5FW1/s320/5.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
To check your configuration afterwards you can use Get-NetIPConfiguration -InterfaceAlias <i>Ethernet</i> | fl<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjiT88EysOa5urq80LoIww5wrnv53WxTVRFvDW_zqmXIRmE_O__e6BUVJI7WLhXFkVHX2W9xGxnVo3hvu9_NaYD8MorsEDnBHP-JKq8asrqx0mCwW-DsH0G_RkfU2u-iX-8fLRpfxnwoqd/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjiT88EysOa5urq80LoIww5wrnv53WxTVRFvDW_zqmXIRmE_O__e6BUVJI7WLhXFkVHX2W9xGxnVo3hvu9_NaYD8MorsEDnBHP-JKq8asrqx0mCwW-DsH0G_RkfU2u-iX-8fLRpfxnwoqd/s320/6.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
For all the netsh diehards, netsh still runs under Windows Server 2012.</div>
<br />
<b>Certificates, certificates, all I see are certificates...</b><br />
Published 2012-06-03T16:18:00.000+02:00, updated 2012-06-03T16:24:20.253+02:00<br />
I was working on a Lync implementation for a local ISP. The design was set forward with one single site, which contains a Director, Front-end and edge pool, where each pool contains two servers for High Availability. After deploying the edge servers we noticed that the XDS replication was not occurring from the front-end servers to the Edge servers. We checked the Lync file share and the network to verify that the Front-end server could talk to the Edge servers on port 4443. Everything turned out OK, yet no matter what we did, the replication towards the edge servers didn't kick off.<br />
<br />
While searching the internet for a possible solution, the following comment kept spinning in my mind:<br />
"Replication issues with the edge server are usually Network or certificate related." As we had checked the network, we started troubleshooting the certificates again. The certificates turned out OK, yet while investigating them I saw that the Trusted Root Certificate store contained a lot of certificates. I didn't count them, but where you will usually see around 30 root certificates, the root CA container of the edge contained so many certificates that they didn't fit in a single view.<br />
<br />
I started logging using the Lync Logging tool, yet this only gave the following warning: Master Directory not discovered yet. I then investigated the event log, where the following warning in the System log drew my attention:<br />
<br />
<span lang="nl-BE"></span><br />
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Log Name: System</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Source: Schannel</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Date: </span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Event ID: 36885</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Task Category: None</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Level: Warning</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Keywords: </span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">User: SYSTEM</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Computer: </span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">Description:</span></span></span></div>
<div style="margin: 0;">
<span style="font-family: Calibri,sans-serif; font-size: x-small;"><span style="font-size: 11pt;"><span lang="en-US">When
asking for client authentication, this server sends a list of trusted
certificate authorities to the client. The client uses this list to
choose
a client certificate that is trusted by the server. Currently, this
server trusts so many certificate authorities that the list has </span><span lang="en-US" style="background-color: yellow;">grown too long. This list has thus been truncated</span><span lang="en-US">.
The administrator of this machine should review the certificate
authorities trusted for client authentication and remove those that do
not really need to be trusted.</span></span></span></div>
<br />
<br />
I searched the Microsoft Forums where I found following thread:<br />
http://social.technet.microsoft.com/Forums/en-AU/ocsedge/thread/1cd3be72-1f65-48ae-aa8c-498f79917492<br />
<br />
We added the registry DWORD and replication kicked off perfectly.<br />
<br />
Edit the registry on the Edge server to add a DWORD value, SendTrustedIssuerList, to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL key and assign it a value of 0. This stops schannel.dll from sending a truncated Root CA list from the edge server (it sends no list at all instead), and allows validation tests to pass.<br />
<br />
<span style="font-family: Helvetica; font-size: small;"><span style="font-family: Helvetica; font-size: small;"></span></span><br />
<div align="left">
More info on this registry setting can be found here:</div>
<div align="left">
<br /></div>
<br />
This entry controls the flag controlling sending of list of trusted
issuers. In the case of servers that trust hundreds of certificate
authorities for client authentication, there are too many issuers for
the server to be able to send them all to the client when requesting
client authentication. In this situation, this registry key can be set,
and instead of sending a partial list, Schannel will not send any to the
client.<br />
Not sending a list of trusted issuers might impact
what the client sends when asked for a client certificate. For example,
when Internet Explorer receives a request for client authentication, it
only displays the client certificates that chain up to one of the
certificate authorities that is sent by the server. If the server did
not send a list, then Internet Explorer displays all of the client
certificates that are installed on the client machine. This behaviour
might be desirable, when PKI environments include cross certificates,
the client and server certificates will not have the same Root CA and
therefore, Internet Explorer cannot choose a certificate that chains up
to one of the server’s CAs. By configuring the server to not send a
trusted issuer list then Internet Explorer will send all its
certificates.<br />
This entry does not exist in the registry by default. This value is true by default.<br />
<span style="font-family: Helvetica; font-size: small;"><span style="font-family: Helvetica; font-size: small;"></span></span><br />
<div align="left">
<br /></div>
<div align="left">
http://technet.microsoft.com/en-us/library/cc776467%28v=ws.10%29.aspx</div>
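An added example, not from the original post: a PowerShell check that sizes the Trusted Root store, looks for the Schannel 36885 warning, shows the current SendTrustedIssuerList value and writes the DWORD described above only when asked to. The `$Apply` opt-in and the listing of expired roots as review candidates are assumptions of this example.

```powershell
# Added example (not from the original post). Run elevated on the server that
# logs the warning. Nothing is changed unless $Apply is set to $true.
$Apply       = $false   # assumption of this example: explicit opt-in before writing
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueName   = 'SendTrustedIssuerList'

# 1. How large is the Trusted Root store? The post's edge server held far more
#    than the roughly 30 roots the author normally expects to see.
$roots   = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
$expired = @($roots | Where-Object { $_.NotAfter -lt (Get-Date) })
'Trusted roots: {0} ({1} expired)' -f $roots.Count, $expired.Count

# Expired roots are a starting point for the review the event text asks for.
# This is a review list, not a removal list.
$expired | Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize | Out-String

# 2. Has Schannel logged the truncation warning (event 36885, System log)?
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36885
    } -MaxEvents 5 -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    'Most recent Schannel 36885 warning: {0}' -f $events[0].TimeCreated
} else {
    'No Schannel 36885 warning found in the System log.'
}

# 3. Current state of the registry value (it does not exist by default).
$current = (Get-ItemProperty -Path $schannelKey -Name $valueName `
                             -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    "$valueName is not set (default behaviour applies)."
} else {
    "$valueName = $current"
}

# 4. Write the value from the post only when the warning is present, the value
#    is not already 0, and the operator opted in.
if ($Apply -and $events.Count -gt 0 -and $current -ne 0) {
    New-ItemProperty -Path $schannelKey -Name $valueName `
                     -PropertyType DWord -Value 0 -Force | Out-Null
    "$valueName set to 0: Schannel will send no trusted issuer list."
}
```

With the value at 0 the server gives clients no CA hints when it asks for a client certificate, so pruning the root store remains the fix the event text itself recommends.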
<br />
<br />
<br />
A few days later we were testing the web conferencing and discovered that only anonymous users were able to join a conference. When a user selected domain user in the web interface, the following error would occur:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jpckEUdDzKmnM4EhrPrKnisHaLJCaVrWMAkyz1OPLaD-SGTq5YCO6mtJHfyYZbfhYJXZIdyTA0r2Svrf426LkeJ1B3ftyf3ajymALpofY3_Raeg_-oQANLaiVEp6YozaMTyNNfLYtuQu/s1600/image001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8jpckEUdDzKmnM4EhrPrKnisHaLJCaVrWMAkyz1OPLaD-SGTq5YCO6mtJHfyYZbfhYJXZIdyTA0r2Svrf426LkeJ1B3ftyf3ajymALpofY3_Raeg_-oQANLaiVEp6YozaMTyNNfLYtuQu/s320/image001.png" width="173" /></a></div>
<br />
We enabled logging with the web-client and this showed us the following:<br />
<br />
We applied the same registry setting to the Directors and front-end pool servers. After applying the settings, users were able to join a conference using the Lync web client. <br />
<br />
<b>Multiple Exchange UM servers and Microsoft Lync</b><br />
Published 2012-03-19T21:37:00.000+01:00, updated 2013-04-10T13:39:16.358+02:00<br />
<div style="font-family: inherit;">
<span style="color: white; font-size: small;">A few weeks ago I was troubleshooting an issue with the Exchange 2010 UM auto attendant. When we called the attendant and asked to call a user within the organization the call would fail. </span></div>
<div style="font-family: inherit;">
<span style="color: white; font-size: small;"> <span lang="EN-GB"> </span></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">This customer has two exchange UM servers, Node01 and Node02. We configured Exchange UM to use Lync as UM IP Gateway and everything worked
well, except the Exchange UM attendant. When calling the attendant and asking
the attendant to call a user, the call failed. We also saw the following event appearing in the application eventlog:</span></span><br />
<span style="color: white;"><br /></span>
<span style="color: white;"><b>Event ID: 1400 Source: MSExchange Unified Messaging</b><br />The following UM IP gateways did not respond as expected to a SIP OPTIONS request.</span><br />
<span style="color: white;">Transport = TLS, Address = lyncpool.domain.com, Port = 5061, Response Code = 0, Message = This operation has timed out.<span style="font-size: small;"><span lang="EN-GB"> </span></span></span><br />
<span style="color: white;"><br /></span>
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">We had seen event 1400 (Warning/MSExchange Unified Messaging) appearing regularly in the event logs on the Exchange UM servers, but didn't pay too much attention to it as everything was working (we had only tested the Exchange UM mailbox and not the Auto Attendant). Exchange has the Lync mediation server pool configured as UM IP gateway using TLS communication. The TLS certificate that was placed on the Exchange servers for UM had the following parameters configured: </span></span><br />
<ul>
<li><span style="font-size: small;"><span lang="EN-GB" style="color: white;">Common Name:
UM.domain.local </span></span></li>
<li><span style="font-size: small;"><span lang="EN-GB" style="color: white;">Subject Alternative Names: um.domain.local, Node01.domain.local, Node02.domain.local. </span></span></li>
</ul>
</div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">I would like to stress that users were able to access their UM mailbox, and were able to retrieve or leave a spoken message in the UM mailbox using Lync (so there was TLS communication between Lync and Exchange).<br />
<br />
In order to troubleshoot this, I increased the event logging level on the Exchange servers to expert level for Exchange UM, installed Wireshark to monitor the network traffic, and enabled logging on the Lync servers. I then restarted testing with the Exchange UM attendant to call a Lync user. </span></span></div>
<div style="font-family: inherit;">
<span style="color: white;"><br /></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">As expected the call failed. The application log on the Exchange server and the Lync logging didn't show any useful information, besides that the communication terminated unexpectedly. However, the Wireshark traces showed that only authentication traffic was passing between the two servers. Although the log did not explicitly show that authentication was failing, I presumed that TLS authentication was failing, as that was the only traffic between the two servers that was recorded. </span></span></div>
<div style="font-family: inherit;">
<span style="color: white;"><br /></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">I inspected the Exchange certificate over and over again, but to my knowledge nothing was wrong with the certificate. After spending hours searching the internet I found two similar cases. One had the same event ID but was using OCS and had a wildcard certificate, which was not supported. The other one had a single UM server and opened a call with Microsoft; troubleshooting with Microsoft pointed out that the problem occurred because the Subject name of his certificate was set to the external name of Exchange OWA.<br />
<br />
At first I didn't pay much attention to the post, because I was still convinced that all PKI requirements were met. Up to that point I hadn't paid that much attention to the common name value, and had made sure that all the names that could be used in the communication with the server array were present in the Subject Alternative Names. The common name value was always set to the external name of the server array, which is according to Microsoft best practice:</span></span><br />
<span style="color: white;"><br /></span>
<span style="color: white; font-size: small;">[Quote]</span><br />
<span style="color: white;">As a best practice, you should minimize the number of certificates you
use for your Client Access servers, reverse proxy servers, and transport
servers (Edge and Hub). We recommend using a single certificate for all
of these service endpoints in each datacenter. This approach minimizes
the number of certificates that are needed, which reduces both cost and
complexity for the solution.</span><br />
<span style="color: white; font-size: small;">[Unquote] <br />
</span><br />
<span style="color: white; font-size: small;">Source: http://technet.microsoft.com/en-us/library/dd638104.aspx </span><br />
<span style="color: white;"><br /></span>
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">Running out of ideas, I decided to change the Unified Messaging certificate on one server so that the common name matched the FQDN of that server. I stopped the MSExchangeUM service on the other server to make sure that the server with the new certificate would be used. I resumed testing and, to my surprise, the attendant was now able to call users through Lync.<br /> </span></span><br />
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">This outcome surprised me and made me doubt everything I knew about PKI so far. As with every issue I encounter, I try to explain to myself why the issue occurred and what I can do to prevent it.</span></span><br />
<span style="color: white;"><br /></span>
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">I have been deploying Exchange for many years now and never ran into any issues regarding PKI, so this encounter shook my world. It seemed that the way I was deploying Exchange certificates had a flaw. But if it has a flaw, how come I never ran into any similar issues before? </span></span></div>
<div style="font-family: inherit;">
<span style="font-size: small;"><span lang="EN-GB" style="color: white;">I have to admit that I haven't deployed a lot of UM server roles, as many enterprises already have an existing solution. But I surely did a fair share of Exchange deployments with multiple Hub/CAS servers and never ran into issues concerning certificates. </span></span></div>
<div style="font-family: inherit;">
<span style="color: white;"><br /></span></div>
<span style="color: white; font-size: small;">Maybe there was nothing wrong with the certificate, and the common name of the array can still be used if I change the UM server name by using the Set-UMServer cmdlet. The UM server was still pointing to each server individually. But if we change the UM server to represent the name of the array, will we lose high availability? When round robin is used, clients are pointed to servers that may or may not be online...</span><br />
<span style="color: white;"><br /></span>
<span style="color: white; font-size: small;">What about manageability? If the common name has to be the FQDN of the server, you would need to run a certificate request on each server, and each server will have its own private key. But if you use one common certificate for all, you would need to change the certificate on all servers if you wish them to use the same private key.</span><br />
<span style="color: white; font-size: small;"><br /></span>
<span style="color: white; font-size: small;">Is there an advantage in using a single shared private key among all your servers? Hmmm, not sure. In the case of Exchange UM surely not, as it is real-time, and in case of fail-over the session would always be lost. But what about other services (SMTP, HTTPS, RPC/MAPI)? No, I don't think so. Even if you have hardware load-balancers in place, a new session will be created when a fail-over occurs.</span><br />
<span style="color: white;"><br /></span>
<span style="color: white; font-size: small;">The more I keep pondering about the subject, the more questions arise in my mind. </span><br />
<br />
<b>Windows Server 8 - DCPromo? Install domain Controller using the Command Line.</b><br />
Published 2012-03-18T15:38:00.002+01:00, updated 2012-03-18T15:39:41.375+01:00<br />
I am playing around with Windows Server 8, and wanted to set up a first domain controller for the Windows Server 8 test domain. Since I like the command line, I configured the IP address using the netsh command and changed the computer name using netdom. After the reboot, I reopened Powershell and ran "DcPromo", which gave me the following answer:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUFps8z2KqA_tiT_fPHvXnmjCDrlusCfjxxOAd78W7wAg_y_bHx2BanD3pI0zJztTXUIUr2Lr2PLyYaH6U-2VRTQA9jGQUkrvGllvwg4gsQlQ3VZW6WlEn4UJE2V2D9nVx4i40_FIJ4aZo/s1600/dcpromo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUFps8z2KqA_tiT_fPHvXnmjCDrlusCfjxxOAd78W7wAg_y_bHx2BanD3pI0zJztTXUIUr2Lr2PLyYaH6U-2VRTQA9jGQUkrvGllvwg4gsQlQ3VZW6WlEn4UJE2V2D9nVx4i40_FIJ4aZo/s320/dcpromo.png" width="320" /></a></div>
Darn, did DCpromo get removed? No, I do not want to use the server manager, I want to use the command line tools ;). Let's try CMD.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl8PzOasmyKFd76JQizGlxApdl7krYEcjaXdUFI7C2SqWrEcq50ChXtIhLeM2uQRbmB2zpaMOQuR7fRtPGVjrRfCZ3M49DdZCU0G6juYqBtyuk4J1eiwp7Ywmed0cWHDp94kxvlrBgoDsh/s1600/dcpromo2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl8PzOasmyKFd76JQizGlxApdl7krYEcjaXdUFI7C2SqWrEcq50ChXtIhLeM2uQRbmB2zpaMOQuR7fRtPGVjrRfCZ3M49DdZCU0G6juYqBtyuk4J1eiwp7Ywmed0cWHDp94kxvlrBgoDsh/s320/dcpromo2.png" width="320" /></a></div>
Doh, what about Powershell cmdlets?<br />
First we import the ServerManager module to check the availability of Active Directory services:<br />
[Code]<br />
Import-Module Servermanager<br />
Get-WindowsFeature<br />
[/code]<br />
The feature we were looking for is "AD-Domain-Services".<br />
Add the feature using the Add-WindowsFeature cmdlet:<br />
[Code]<br />
Add-Windowsfeature AD-Domain-Services<br />
[/Code]<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHz4GpSSPccTm-7S1KpR7MQTJOeAubnEzADsZh5dAbdZKVp0Vp2GjWcB3R9Ik2b0RSKUbk9UZwvVj2vgQCeNpFo2SZiE_76QxSeKCDlCmVPubK1r_EulrI6gfrGI6VRpBLKUGmDsvLRDYS/s1600/dcpromo3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHz4GpSSPccTm-7S1KpR7MQTJOeAubnEzADsZh5dAbdZKVp0Vp2GjWcB3R9Ik2b0RSKUbk9UZwvVj2vgQCeNpFo2SZiE_76QxSeKCDlCmVPubK1r_EulrI6gfrGI6VRpBLKUGmDsvLRDYS/s320/dcpromo3.png" width="320" /></a></div>
Once the feature is installed you get access to a new Powershell module. You can always check the loaded modules by using the Get-Module cmdlet.<br />
The new module that is available is ADDSDeployment. Import the new module:<br />
[Code]<br />
Import-Module ADDSDeployment<br />
[/Code]<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi68qsTgmse333mHl1aVJLumwnI6oRffGbaZka8D1b5E8H5Xgzauje78m1XWaoG395gy8c74QR3AOS_r8xFapnScmqoCS8kQ819LTCyuSxRVF_msP_0CGp7iPL6n5p4RBkiVw8aPxnzRyYJ/s1600/Adds4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi68qsTgmse333mHl1aVJLumwnI6oRffGbaZka8D1b5E8H5Xgzauje78m1XWaoG395gy8c74QR3AOS_r8xFapnScmqoCS8kQ819LTCyuSxRVF_msP_0CGp7iPL6n5p4RBkiVw8aPxnzRyYJ/s320/Adds4.png" width="320" /></a></div>
Now we are finally ready to install the Active Directory roles.<br />
I used the following command for setting up my Windows Server 8 test forest/domain:<br />
[Code]<br />
Install-ADDSForest -CreateDNSDelegation:<i>$False</i> -DataBasePath:<i>C:\NTDS\ADDSDB</i> -ForestMode <i>Win8</i> -DomainName <i>W8Test.local</i> -DomainMode <i>Win8</i> -DomainNetBiosName <i>W8Test</i> -InstallDNS:<i>$True</i> -LogPath <i>C:\NTDS\Log</i> -SysvolPath <i>C:\NTDS\Sysvol</i> -RebootOnCompletion:<i>$True</i><br />
[/Code]<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh97APWY8tnKdapKJI6VDe1yzNRRmKusn5S6Den4iokdeyxuP4WA239h7xSsZGBVT74c2bxmvXXP2AuHN5nCJGI0aXw4ZNq7N4yzY0ugYaly3LG7s27grP_T6AldlIzzH_bHLJOR4qriHOO/s1600/Adds5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh97APWY8tnKdapKJI6VDe1yzNRRmKusn5S6Den4iokdeyxuP4WA239h7xSsZGBVT74c2bxmvXXP2AuHN5nCJGI0aXw4ZNq7N4yzY0ugYaly3LG7s27grP_T6AldlIzzH_bHLJOR4qriHOO/s320/Adds5.png" width="320" /></a></div>
You can also add the -Force parameter if you do not want to be prompted.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP_hepu6Ynq8tx8d8rTMvBNflJvNborsLozAiQ188Cr2OORyHcrsjbKeXVwuS0bLIPETUHu-BUYAasUSzG44F4H7T0J80W7gF7ydnOPZrHaUr_CawXbKlmSyLcE8wLP_UhhQdFVAf5-CSE/s1600/adds6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP_hepu6Ynq8tx8d8rTMvBNflJvNborsLozAiQ188Cr2OORyHcrsjbKeXVwuS0bLIPETUHu-BUYAasUSzG44F4H7T0J80W7gF7ydnOPZrHaUr_CawXbKlmSyLcE8wLP_UhhQdFVAf5-CSE/s320/adds6.png" width="320" /></a></div>
<br />
On completion the server will reboot, after which we have deployed our first Windows Server 8 domain controller in our new Windows Server 8 forest and domain.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF495xb4fjSlCBWYGyBDJEdCB1uESY_uu2r4k5GRnYcwMnL4zFAlZBCtcEWhPxdH_yz_awoQnhEq4pDs-p4LM00xOtDhJA7_PgMBo0fWYwxjVLwUbQMuHpU4KcqNBqZEb9Ox5sMGTl6NBf/s1600/ADDS7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF495xb4fjSlCBWYGyBDJEdCB1uESY_uu2r4k5GRnYcwMnL4zFAlZBCtcEWhPxdH_yz_awoQnhEq4pDs-p4LM00xOtDhJA7_PgMBo0fWYwxjVLwUbQMuHpU4KcqNBqZEb9Ox5sMGTl6NBf/s320/ADDS7.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZah93QsCfWEAvfNga48Ywrj7-PdOOiRNrqaTq3TsCpRyMcxtEnBdOVTzRfSAnp8UYaqFoGqQyRmsIUD6IlxIzLB4BID6qJrngxbDL8vUezA3Yuq4tAS2GbDTMEJQliKk9tk0eemnUyG2X/s1600/adds8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZah93QsCfWEAvfNga48Ywrj7-PdOOiRNrqaTq3TsCpRyMcxtEnBdOVTzRfSAnp8UYaqFoGqQyRmsIUD6IlxIzLB4BID6qJrngxbDL8vUezA3Yuq4tAS2GbDTMEJQliKk9tk0eemnUyG2X/s320/adds8.png" width="320" /></a></div>
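The same deployment as an added example (not the post's own command), with a pre-flight test and the DSRM password read as a secure string at the prompt instead of being written into a script. It assumes the parameter names of the released ADDSDeployment module (Windows Server 2012 and later) rather than the beta used in the post, and leaves forest and domain mode at their defaults.

```powershell
# Added example (not from the original post). Run elevated on the server that
# will become the first domain controller of the new forest.

# Values taken from the post's test forest.
$domainName  = 'W8Test.local'
$netbiosName = 'W8Test'

# 1. Install the role. Install-WindowsFeature is the released name of the
#    Add-WindowsFeature cmdlet used in the post.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) {
    throw 'AD-Domain-Services could not be installed.'
}

Import-Module ADDSDeployment

# 2. Directory Services Restore Mode password: read it at the prompt so it
#    never ends up in a script file, transcript or command history.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'

# 3. One parameter set shared by the test and the real installation, so the
#    pre-flight check validates exactly what will be deployed.
$forestParams = @{
    DomainName                    = $domainName
    DomainNetbiosName             = $netbiosName
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\NTDS\ADDSDB'
    LogPath                       = 'C:\NTDS\Log'
    SysvolPath                    = 'C:\NTDS\Sysvol'
    SafeModeAdministratorPassword = $dsrmPassword
}

# 4. Pre-flight: stop here if any prerequisite check does not succeed.
$checks = @(Test-ADDSForestInstallation @forestParams)
$failed = @($checks | Where-Object { $_.Status -ne 'Success' })
if ($failed.Count -gt 0) {
    $failed | Format-List Status, Message
    throw 'Prerequisite checks failed; the forest was not installed.'
}

# 5. Promote. Without -Force the cmdlet still asks for confirmation; the
#    server reboots on completion, as in the post.
Install-ADDSForest @forestParams
```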
<br />
<b>Bus Crash Switzerland</b><br />
Published 2012-03-14T18:20:00.002+01:00, updated 2012-03-14T18:25:05.669+01:00<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9-YBqRmOV1NmyXX-6kg4-0B4pTy0GWVCEVU8xiMGcxQMYyKwWevrYorws2K-kdoLXv86VqFkJjfBuDhoNBIJctlVTGHNhxlTDUmihzX-RX1C9zcAMK9VkcWfrJkI1_FjwHhUDI7H5jUrI/s1600/706px-Candle-flame-no-reflection.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9-YBqRmOV1NmyXX-6kg4-0B4pTy0GWVCEVU8xiMGcxQMYyKwWevrYorws2K-kdoLXv86VqFkJjfBuDhoNBIJctlVTGHNhxlTDUmihzX-RX1C9zcAMK9VkcWfrJkI1_FjwHhUDI7H5jUrI/s320/706px-Candle-flame-no-reflection.jpg" width="320" /></a></div>
Last night a terrible accident happened in a Swiss tunnel, taking the lives of 28 people, of whom 22 were children. As a father of 3 I would like to express my deepest condolences to those who are left behind.<br />
<br />
<b>Decommission Lync 2010 standard pool</b><br />
Published 2012-02-20T20:19:00.000+01:00, updated 2012-02-20T20:19:00.712+01:00<br />
A lot of companies start with a Lync Standard Edition in a POC; when the POC is approved they upgrade their standard pool to an enterprise pool. You cannot upgrade your existing standard pool to an enterprise pool, but have to create a new enterprise pool, which I did.<br />
<br />
First, a bit of explanation about the Proof of Concept. The networks at this customer are basically islands, with only a limited number of ports opened between them. As a result, if two users, each located on a different network, try to communicate with each other, the client ports are blocked and they need to use an edge server's MCU to communicate successfully. So in the POC two servers were deployed: a single edge server and a single Standard front-end server/pool.<br />
The POC was deployed in the production environment, where Exchange UM plus multiple applications were integrated as trusted applications in Lync. A PBX gateway and voice route were also defined.<br />
<br />
As this is a production environment with real, live user accounts, it seemed best to deploy the new environment alongside the existing POC deployment. After the new deployment was in place the users were migrated to the new pool.<br />
<br />
[Code]<br />
Get-csuser | where {$_.registrarpool -like "lcsserver.contosso.com"} | Move-CsUser -Target lcspool01.contosso.com<br />
[/Code]<br />
<br />
The following step is to move the conferencing directory to the new pool:<br />
<br />
[Code] <br />
Get-CsConferenceDirectory | where {$_.ServiceId -match "lcsserver.contosso.com"} | Move-CsConferenceDirectory -TargetPool lcspool01.contosso.com<br />
[/Code]<br />
<br />
As Exchange UM was set up, we needed to move the Exchange UM contacts.<br />
<br />
[Code]<br />
Get-CsExUmContact | Move-CsExUmContact -Target lcspool01.contosso.com<br />
[/Code]<br />
<br />
Then launched the Lync Topology builder.<br />
Removed the association of the front-end pool with the edge pool.<br />
Removed the PSTN gateway.<br />
Removed the voice route:<br />
[Code]<br />
Get-CsVoiceRoute | Remove-CsVoiceRoute<br />
[/Code]<br />
<br />
Removed the trusted application servers.<br />
Removed the edge Server<br />
Published the topology and ran the deployment wizard on all the servers to update their configuration. <br />
<br />
Checked and moved remaining application end-points<br />
[Code]<br />
Get-CSApplicationEndPoint | where {$_.Registrarpool -like "lcsserver.contosso.com"} | Move-CSApplicationEndPoint -Target lcspool01.contosso.com<br />
[/Code]<br />
<br />
Opened the topology builder again. Removed the Standard Edition front-end pool and published the topology. Be sure to wait for replication between all the different steps; advancing too fast can result in temporary errors. <br />
<br />
<br />
<b>Powershell Get service status compared to startup type.</b><br />
Published 2012-02-19T12:27:00.000+01:00, updated 2012-02-19T12:27:01.144+01:00<br />
I like using command-line tools instead of the GUI. One of my favourites is surely Powershell. What I find disappointing is that you cannot get the start-up type of a service using the Get-Service cmdlet. The only way to get the startup type and compare it to its current status is using WMI.<br />
<br />
The following command lists the services whose startup type is set to automatic but whose current status is stopped. <br />
<br />
[Code] <br />
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND
State='Stopped'" | sort DisplayName | Format-Table DisplayName,
StartMode, State<br />
[/Code]<br />
<br />
<b>Exchange 2010 SP2 released</b><br />
Published 2011-12-05T16:43:00.001+01:00, updated 2011-12-05T16:43:59.975+01:00<br />
It seems that Microsoft released Exchange 2010 SP2 about 10 hours ago. You can get it here:<br />
http://www.microsoft.com/download/en/details.aspx?id=28190The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-83882688143190329862011-10-26T19:37:00.000+02:002011-11-10T11:31:42.759+01:00Oh Certificate where art thouA few days back i had to replace the external certificate on an edge server with a new third party certificate. I created a new certificate request (with private key) and mailed it to the guy who was responsible for requesting the certificate with VeriSign. Moments later i received my SAN certificate.<br />
<br />
I logged on to the edge server and opened the Lync Deployment Wizard to import the certificate using the GUI. I selected import new certificate and browsed to the path where I placed the certificate. Clicked import, and verified that the command completed successfully.<br />
<br />
In the same window I now ran the assign new certificate wizard, to assign the newly imported certificate to the external interface of the edge server. To my surprise I could only select one of the old certificates. The newly imported certificate could not be seen.<br />
<br />
I wondered if something went wrong during the import, so I opened the local computer certificate store. Well nothing wrong to see here, the certificate is nicely imported in the local personal certificate store of the computer. Clicked the Refresh button in the deployment wizard, ran the assign new certificate again, but still no luck.<br />
<br />
Damn, what is going on here? Ghost in the machine? You know what, I will start all over again. So removed the certificate from the local certificate store. Opened the deployment wizard, imported the certificate using the wizard. Again the wizard told me the certificate imported successfully. But the greater was my disappointment, when I discovered that the certificate was still not present.<br />
<br />
Ok, had it using the GUI, will use Powershell this time, that will always work. Imported the certificate using Powershell, and tried to assign. No, still no certificate available. Ok, this is really the Ghost in the machine, you know those days when you can't seem to achieve anything.<br />
<br />
Tried all over again, but this time I checked the html files which are created in the temp folder by Lync (%userprofile%\appdata\local\Microsoft\temp). Although the wizard reported that the command completed successfully, I could see that the certificate was not imported. As reason the log file logged the following: Certificate already present or could not process the private key.<br />
<br />
Opened the local computer certificate store, and now saw something fishy. The old certificate, which was generated by the internal CA, had a key displayed in the icon for the certificate. The new certificate, although present did not display that key. The picture below displays a certificate which has a valid private key.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOs3BQ0VaGtTBQYgZPbm1wbdb4tERi2U3keQ49dliYWwBFC8VbSSrOrnffQEdwfFhOmtM817PSDOmCyh5HvpXLEzhQdSQ8nAOYPSrGyVfuWC1qkVoKYH-WawEovKz6xy8LH-5DhwTWOFxo/s1600/26-10-2011+19-09-57.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOs3BQ0VaGtTBQYgZPbm1wbdb4tERi2U3keQ49dliYWwBFC8VbSSrOrnffQEdwfFhOmtM817PSDOmCyh5HvpXLEzhQdSQ8nAOYPSrGyVfuWC1qkVoKYH-WawEovKz6xy8LH-5DhwTWOFxo/s1600/26-10-2011+19-09-57.png" /></a><br />
<br />
That convinced me that there was something wrong with the private key of the certificate. I have seen this situation in Exchange, and it has been widely documented on the internet, but never saw it in Lync before. Nevertheless we are talking about certificates no matter where they are applied to. So this made me decide to use the same solution, which is repairing the certificate using Certutil.<br />
<br />
Opened the certificate, clicked the Details tab and copied the serial number of the certificate.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVIW7zG8rrZJAcrUGn0DUt4NzrkRksbNz70LOZFs94OlSHJlCqeiPjT86SUoMhmua9OWzQpD1HSCXoUK-66UJYGN9h8zKnq5h4FsER5QseoE2A2ZldFgMfm9O03RSavOfgXhHM01ghJWUP/s1600/26-10-2011+19-19-15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVIW7zG8rrZJAcrUGn0DUt4NzrkRksbNz70LOZFs94OlSHJlCqeiPjT86SUoMhmua9OWzQpD1HSCXoUK-66UJYGN9h8zKnq5h4FsER5QseoE2A2ZldFgMfm9O03RSavOfgXhHM01ghJWUP/s320/26-10-2011+19-19-15.png" width="256" /></a></div>
<br />
Then opened a dos-box in administrative mode, where I used the following command (where xx xx xx xx xx xx xx is the serial number of the certificate):<br />
[Code]<br />
Certutil -repairstore my "xx xx xx xx xx xx xx"<br />
[/Code]<br />
Which gave me the following result:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9eB1jUzfNdLN_6SVvqCbvMtLd6MJ9yfEYqzl5lsan9eYS2xR5i26_MkVHZjgHvlWkOhtGeipfm95wTuiTCTLo3QhtzQ74kZvWk6W9fy48yWuXqbigCxZLVgi-PO3qHDekYb-mh8PNEXo/s1600/26-10-2011+19-25-50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9eB1jUzfNdLN_6SVvqCbvMtLd6MJ9yfEYqzl5lsan9eYS2xR5i26_MkVHZjgHvlWkOhtGeipfm95wTuiTCTLo3QhtzQ74kZvWk6W9fy48yWuXqbigCxZLVgi-PO3qHDekYb-mh8PNEXo/s320/26-10-2011+19-25-50.png" width="320" /></a></div>
Opened the deployment wizard and could successfully assign the certificate this time. You see, experience comes in handy ;) !<br />
<br />
Discovered a bit later that the friendly name was missing from the certificate when I opened the certificate wizard (Deployment Wizard). You can also assign a friendly name to the certificate using certutil.<br />
<br />
<b>Required steps:</b> <br />
First you need to create an INF file that contains the friendly name you wish to assign to the certificate. Open Notepad and insert the following text:<br />
<br />
[Version]<br />Signature = "$Windows NT$"<br />[Properties]<br />11 = "{text}<i>Friendly Name</i>" <br />
<br />
Adjust <i>Friendly Name</i> to the friendly name you wish to assign to your certificate. Save the file as an INF file in a directory of your choice. I used C:\Temp\FriendlyName.inf.<br />
<br />
Second, open the command prompt in administrative mode, and type the following command (where xx xx xx xx xx xx xx is the serial number of the certificate):<br />
[Code]<br />
Certutil -repairstore my "xx xx xx xx xx xx xx" C:\Temp\FriendlyName.inf<br />
[/Code]<br />
<br />
Reassign the certificate in the certificate wizard and you will see that the certificate now displays the friendly name you have defined in the inf file.<br />
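<br />
The missing key icon described above can also be checked from PowerShell. The following is an added example, not part of the original post: it lists the certificates in the local computer Personal store, shows whether a private key is associated with each one, and prints the Certutil -repairstore command in the form used above for those without one. The function name Get-CertificateKeyStatus is made up for this example, and it assumes PowerShell 3.0 or later.<br />

```powershell
# Added example, not from the original post.
# Lists certificates in a store and flags those without an associated private key.
function Get-CertificateKeyStatus {
    param(
        # Local computer Personal store, the "my" store used with Certutil above.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        # SerialNumber is a hex string without separators; split it into
        # space-separated byte pairs, the form used in the Certutil command above.
        $serial = ($_.SerialNumber -replace '(..)(?!$)', '$1 ').ToLower()

        # Only certificates without a key get a repair command.
        $repair = $null
        if (-not $_.HasPrivateKey) {
            $repair = 'certutil -repairstore my "{0}"' -f $serial
        }

        [pscustomobject]@{
            Subject       = $_.Subject
            FriendlyName  = $_.FriendlyName
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            Serial        = $serial
            RepairCommand = $repair
        }
    }
}

# Certificates that cannot be assigned to a service because the key is missing.
Get-CertificateKeyStatus |
    Where-Object { -not $_.HasPrivateKey } |
    Format-List Subject, FriendlyName, NotAfter, Serial, RepairCommand

# Certificates that have a key but no friendly name (the second problem above).
Get-CertificateKeyStatus |
    Where-Object { $_.HasPrivateKey -and -not $_.FriendlyName } |
    Format-Table Subject, Serial -AutoSize
```

The repair only succeeds when the key pair created with the original certificate request is still present on that machine; a certificate whose request was generated on another server stays without a key.<br />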
<br />
<br />
<br />
<br />
The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com1tag:blogger.com,1999:blog-8820695633308655530.post-44084593284993275592011-10-17T15:46:00.000+02:002011-10-18T10:36:25.475+02:00Lync Location Policy <br />
This is the second article in the article series about policies in Lync 2010. The policies we are going to discuss are the location policies. They are designed to provide an indication of where the user is located when calling 911. The E.911 solution has been in place for many years for hard phones, but soft phones or IP phones were not covered by the traditional E.911 system.<br />
<br />
<b>Enhanced 911</b>, <b>E-911</b> or <b>E911</b> in North America is one
example of the modern evolution of telecommunications based system
meant as an easy way to link people experiencing an emergency with the
public resources that can help. The dial-three-digits concept first
originated in the <a href="http://en.wikipedia.org/wiki/999_%28emergency_telephone_number%29#History" title="999 (emergency telephone number)">United Kingdom in 1937</a>. It has spread to continents and countries across the globe. Today other easy dial codes including the <a href="http://en.wikipedia.org/wiki/112_%28emergency_telephone_number%29" title="112 (emergency telephone number)">112</a> that was adopted by the <a href="http://en.wikipedia.org/wiki/European_Union" title="European Union">European Union</a> in 1991 and others like it have been deployed to provide free-of-charge calling to those who need help during emergencies. The <a href="http://en.wikipedia.org/wiki/Emergency_telephone_number" title="Emergency telephone number">Emergency telephone number</a> article contains comprehensive information regarding other emergency dialing codes for countries outside North America. (Source:http://en.wikipedia.org/wiki/Enhanced_9-1-1)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_bJF0irgtymiLcjMnG2girv1-yRErDljFJ7d9fpXLc9xAzoy_3mrzJ-zqbdh4EJDeSKYWj-IyOtSoD9IvdEfSZkL7CariPzftPLtXJB9QkHLWCYq1cHSZQAPKgENIjisRQ1Ho7P-VBRet/s1600/17-10-2011+13-23-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_bJF0irgtymiLcjMnG2girv1-yRErDljFJ7d9fpXLc9xAzoy_3mrzJ-zqbdh4EJDeSKYWj-IyOtSoD9IvdEfSZkL7CariPzftPLtXJB9QkHLWCYq1cHSZQAPKgENIjisRQ1Ho7P-VBRet/s320/17-10-2011+13-23-54.png" width="320" /></a></div>
<br />
<br />
In Lync 2010 Microsoft incorporated a location mechanism to provide location awareness for Lync clients and Lync client phones.<br />
<br />
I am not going to blog about the complete E.911 implementation on Lync, because this has already been done numerous times on other blogs, and there is no point in reinventing hot water over and over again. The most complete article I have ever read on the subject is an article from Mark King, which you can find at the following location: http://blog.unplugthepbx.com/2011/07/06/lync-e911-deployment/.<br />
It gives a thorough understanding of what E.911 is in Lync and how to implement it.<br />
<br />
What we will be focusing on is the policies that come with the E.911 implementation in Lync. One thing I do need to point out is that the Enhanced 911 implementation is only supported in North America. For the rest of the world you can configure it, but there are no agencies that verify the location, so all locations are unverified.<br />
<br />
Which brings us to custom, suggested and validated locations.<br />
<br />
<u><b>Custom: </b></u><br />
Custom locations are when you allow the users to configure their own location in the client. This information is stored in the PersonalLisDB.cache file, which is located in the user profile on the computer. When the computer recognizes the location of the user, it will reuse the information stored in the local LIS db. The location is recognized by the MAC address of the default gateway. The local database can store up to 10 locations.<br />
<br />
<u><b>Suggested:</b></u><br />
Suggested locations are locations that have been set by the Location Information Service database stored on the Lync Back-end server. This database is built up by the Lync administrator, who defines certain parameters required to build location awareness. These parameters are:<br />
<ul>
<li>Subnets</li>
<li>Switches</li>
<li>SwitchPorts</li>
<li>Wireless access points</li>
</ul>
So to recap, a suggested location is a location that has been derived from the information stored in the central Location Information Service database stored on the Lync Back-end infrastructure, which has not been validated by an organization that validates and represents <a href="http://www.oregon.gov/OMD/OEM/OR911/MSAG_GIS/MSAG_development_maintenance.pdf?ga=t">Master Street Address Guide</a>.<br />
<br />
<u><b>Validated:</b></u><br />
Validated locations are locations that have been derived from the location parameters stored in the LIS database on the Lync Back-end infrastructure. The location is verified and validated by MSAG, but as noted before is only supported in North America.<br />
<br />
Note: Europe will probably be working on a similar solution for the near future.<br />
<br />
<u><b>Central Database:</b></u> <br />
The location information is stored in a location database which is called LIS.mdf on the Lync back-end server. <br />
<br />
<u><b>Policy:</b></u><br />
When we search for location in the Lync Management Shell, we get following result:<br />
Get-command "*Location*"<br />
CommandType Name Definition<br />
----------- ---- ----------<br />
Cmdlet Get-CsConfigurationStoreLoca... Get-CsConfigurationStoreLoca...<br />
Cmdlet Get-CsLisLocation Get-CsLisLocation [-Unrefere...<br />
Cmdlet Get-CsLocationPolicy Get-CsLocationPolicy [[-Iden...<br />
Cmdlet Get-Location Get-Location [-PSProvider &lt;s...<br />
Cmdlet Grant-CsLocationPolicy Grant-CsLocationPolicy [-Ide...<br />
Cmdlet New-CsLocationPolicy New-CsLocationPolicy [-Ident...<br />
Cmdlet Pop-Location Pop-Location [-PassThru] [-S...<br />
Cmdlet Push-Location Push-Location [[-Path] &lt;stri...<br />
Cmdlet Remove-CsConfigurationStoreL... Remove-CsConfigurationStoreL...<br />
Cmdlet Remove-CsLisLocation Remove-CsLisLocation -Locati...<br />
Cmdlet Remove-CsLocationPolicy Remove-CsLocationPolicy [-Id...<br />
Cmdlet Set-CsConfigurationStoreLoca... Set-CsConfigurationStoreLoca...<br />
Cmdlet Set-CsLisLocation Set-CsLisLocation -Location ...<br />
Cmdlet Set-CsLocationPolicy Set-CsLocationPolicy [[-Iden...<br />
Cmdlet Set-Location Set-Location [[-Path] &lt;strin...<br />
Cmdlet Test-CsLocationPolicy Test-CsLocationPolicy [-Targ...<br />
<br />
We will not be explaining every setting, because we would have to write a short book, and that information is already available on the Microsoft website. We will be focusing on Set-CsLocationPolicy and Get-CsLocationPolicy. There is no reason to explain both cmdlets separately, as Get-CsLocationPolicy gets the location policy and Set-CsLocationPolicy sets the parameters for the location policy.<br />
<br />
<u><b>Get-CsLocationPolicy</b></u>:<br />
Gets all location policies, as you know Lync policies are in-band provisioned and can be applied to following scopes:<br />
<ul>
<li>Global</li>
<li>Site</li>
<li>Tag (User/Service/Pool)</li>
</ul>
We have a location policy which is called LocTest, which we will discuss here.<br />
<br />
Identity (Mandatory = Name of the location policy) : Tag:Loctest <br />
<br />
Description (optional = description of the location policy) :<br />
<br />
EnhancedEmergencyServicesEnabled (Mandatory = specifies whether E911 is enabled) : False<br />
Only supported in North America. <br />
<br />
LocationRequired (Mandatory = Specifies if location needs to be set) : no<br />
Options are Yes, No and Disclaimer<br />
<ul>
<li>Yes: When LocationRequired is set to Yes, the "Set your location" field will turn up red in the Lync client. Location is required but can be ignored.</li>
<li>No: Location is not required. The user will not be prompted for a location, but can still set one.</li>
<li>Disclaimer: The user sees that the location is marked red, prompting the user to set a location. If the user removes the prompt without setting the location, the user will receive a disclaimer. The disclaimer has to be set using Set-CsEnhancedEmergencyServiceDisclaimer. </li>
</ul>
<br />
UseLocationForE911Only (Mandatory = Location information can be used by the Microsoft Lync 2010
client for various reasons (such as notifying teammates of current
location). Set this value to True to ensure location information is
available only for use with an emergency call.) : False<br />
<br />
PstnUsage (Optional = <br />
The public switched telephone network (PSTN) usage that
will be used to determine which voice route will be used to route 911
calls from clients using this profile.) :<br />
<br />
<br />
EmergencyDialString (Optional = The number that is dialed to reach emergency services. For example 911, 112, 100) :<br />
<br />
EmergencyDialMask (Optional = The number entered here is translated to the value in EmergencyDialString. Example: if you enter 112 here and enter 100 in the EmergencyDialString, 112 will be translated to 100) :<br />
<br />
NotificationUri (Optional: One or more SIP Uniform Resource Identifiers (URIs) to be
notified when an emergency call is made. For example, the company
security office could be notified through an instant message whenever an
emergency call is made.) :<br />
<br />
ConferenceUri (Optional: The SIP Uniform Resource Identifier (URI), in this case the
telephone number, of a third party that will be conferenced in to any
emergency calls that are made. For example, the company security office
could receive a call when an emergency call is made and listen in or
participate in that call (depending on the value of the ConferenceMode
property).) :<br />
<br />
ConferenceMode (Optional: <br />
If a value is specified for the ConferenceUri parameter,
the ConferenceMode parameter determines whether a third party can
participate in the call or can only listen in. Available values are:<br />
- oneway: Third party can only listen to the
conversation between the caller and the Public Safety Answering Point
(PSAP) operator.<br />
- twoway: Third party can listen in and participate in the call between the caller and the PSAP operator.) :<br />
<br />
<u><b>Remarks: </b></u><br />
The location policy cannot be set or changed by the user if LIS information is provided by the location database. To retrieve the information that is used for LIS, use following CMDLet: Get-CsNetworkConfiguration.<br />
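<br />
Several of the settings above decide who else is told about, or joined into, an emergency call and whether location data is visible outside such calls. The following is an added example, not part of the original article: a review function that reports those settings per location policy. The function name Test-LocationPolicy and the sample policies are constructed for this example; on a Lync server the input would be the output of Get-CsLocationPolicy. It assumes PowerShell 3.0 or later.<br />

```powershell
# Added example, not from the original article.
# Reviews location policy objects for settings that expose emergency calls
# or location data to other parties.
function Test-LocationPolicy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Policy
    )
    process {
        $findings = @()

        # A ConferenceUri means a third party is joined into every emergency call.
        if ($Policy.ConferenceUri) {
            $mode = if ($Policy.ConferenceMode) { $Policy.ConferenceMode } else { 'not set' }
            $findings += "emergency calls are conferenced to $($Policy.ConferenceUri) (mode: $mode)"
        }

        # NotificationUri can hold one or more SIP URIs.
        if ($Policy.NotificationUri) {
            $findings += "notified on emergency calls: $(@($Policy.NotificationUri) -join ', ')"
        }

        # False means the client may use the location for other purposes as well.
        if (-not $Policy.UseLocationForE911Only) {
            $findings += 'location is available to the client for non-emergency use'
        }

        # The mask is translated to the dial string, so a mask alone has no target.
        if ($Policy.EmergencyDialMask -and -not $Policy.EmergencyDialString) {
            $findings += 'EmergencyDialMask is set but EmergencyDialString is empty'
        }

        if ("$($Policy.LocationRequired)" -eq 'no') {
            $findings += 'users are never prompted for a location'
        }

        [pscustomobject]@{
            Identity = $Policy.Identity
            Findings = $findings
        }
    }
}

# Constructed sample data shaped like Get-CsLocationPolicy output.
$samplePolicies = @(
    [pscustomobject]@{
        Identity = 'Global'; LocationRequired = 'no'; UseLocationForE911Only = $false
        EmergencyDialString = $null; EmergencyDialMask = '112'
        NotificationUri = @(); ConferenceUri = $null; ConferenceMode = 'oneway'
    },
    [pscustomobject]@{
        Identity = 'Tag:SampleOffice'; LocationRequired = 'disclaimer'; UseLocationForE911Only = $true
        EmergencyDialString = '100'; EmergencyDialMask = '112'
        NotificationUri = @('sip:security@example.com')
        ConferenceUri = 'sip:+3225550100@example.com'; ConferenceMode = 'twoway'
    }
)

# On a Lync server: Get-CsLocationPolicy | Test-LocationPolicy
$samplePolicies | Test-LocationPolicy | ForEach-Object {
    "{0}:" -f $_.Identity
    $_.Findings | ForEach-Object { "  - $_" }
}
```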
<br />
<br />
<br />
<br />
<br />
<br />The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-87399987126608880122011-09-30T13:00:00.002+02:002011-10-03T17:38:32.630+02:00<br />
Lync 2010 Policies and settings<br />
It is pretty obvious that Lync is a very complicated product that aligns with many features in a corporate network. For example, Lync integrates or provides telephony, and provides numerous forms of collaboration and presence.<br />
We are not going to talk about the various features in Lync, which have been widely discussed on other blogs. But let's talk about the numerous policies and configurations that help you manage this product. We clearly put the focus on policies, and add the configuration as a bonus, as many settings link to configuration settings.<br />
<br />
When talking about policies we have following policy scopes in mind: <br />
<ol>
<li>Client Policies</li>
<li>Location Policies</li>
<li>Voice Policies</li>
<li>Conferencing Policies</li>
<li>Presence Policies</li>
<li>Archiving Policies</li>
<li>Pin Policies</li>
<li>External Access Policies</li>
<li>Hosted Voice Mail Policies</li>
<li>Client Version Policies </li>
</ol>
Each scope will be discussed as a separate article.<br />
<br />
<u><b>1. Client Policies</b></u><br />
<br />
We start off by discussing client policies. <br />
Client policies apply to the Lync client as the name suggests. But before starting to describe what can be applied using client policies, it is interesting to look at how policies are applied in Lync 2010.<br />
<br />
When talking about client policies, we have to make a distinction between two types of policies, namely the "Out-of-band provisioning" policies and the "In-band provisioning" policies.<br />
<br />
<u><b>1.1 Precedence</b></u><br />
As we are talking about client settings, the settings can be applied at several levels. The settings can be done by tattooing the registry, group policies, Lync policies, or configuring the options by hand in the client. It is important to understand which setting takes precedence when being set.<br />
<br />
The precedence is set from 1 to 4, in which 1 takes precedence over 2, 3, and 4.<br />
<ol>
<li>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator </li>
<li>HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator</li>
<li>Lync Server In-band provisioning</li>
<li>Lync Option Dialog box</li>
</ol>
Note: Another important thing to say is that Lync allows policies to be set at certain levels; an example of this is the client policy and the voice policy. The voice policy will overrule the client policy if the user is voice enabled. An example is delegation in Outlook when scheduling an online meeting. If you want your users to be able to schedule an online meeting, you have to set EnableExchangeDelegateSync to true in the client policy. However, if the user who has delegated his calendar is voice enabled, we have to make sure that "DelegationEnabled" is set to true in the voice policy for that user. If the voice policy for that user still states "DelegationEnabled: False", delegates will be unable to schedule an online meeting for the voice enabled user.<br />
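<br />
The first two precedence levels above can be read straight from the registry. The following is an added example, not part of the original article: it reads every value under the two Communicator policy keys listed above and reports, per setting, which key wins and where it is overridden. The function name Get-EffectiveCommunicatorPolicy is made up for this example; it assumes PowerShell 3.0 or later and enumerates whatever values are present rather than assuming specific value names.<br />

```powershell
# Added example, not from the original article.
# Resolves registry-based Lync client policy by the precedence described above:
# HKEY_LOCAL_MACHINE (computer policy) wins over HKEY_CURRENT_USER (user policy).
function Get-EffectiveCommunicatorPolicy {
    param(
        # Ordered from highest to lowest precedence.
        [string[]]$Paths = @(
            'HKLM:\Software\Policies\Microsoft\Communicator',
            'HKCU:\Software\Policies\Microsoft\Communicator'
        )
    )

    # [ordered] keeps first-seen order and compares names case-insensitively,
    # matching how the registry treats value names.
    $effective = [ordered]@{}

    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }

        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if ($effective.Contains($name)) {
                # Already set at a higher-precedence level: this value is ignored.
                $effective[$name].OverriddenIn += $path
            }
            else {
                $effective[$name] = [pscustomobject]@{
                    Name         = $name
                    Value        = $key.GetValue($name)
                    Source       = $path
                    OverriddenIn = @()
                }
            }
        }
    }

    $effective.Values
}

# Settings that do not appear here fall through to level 3 (in-band
# provisioning) and level 4 (the Lync options dialog).
Get-EffectiveCommunicatorPolicy |
    Format-Table Name, Value, Source, @{ Label = 'OverriddenIn'; Expression = { $_.OverriddenIn -join '; ' } } -AutoSize
```

A setting that shows up with an entry in OverriddenIn is one where the user-level policy is silently ignored, which is worth knowing when a transport or password-storage setting does not behave as configured.<br />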
<br />
<u><b>1.2 "Out-of-band provisioning" policies</b></u><br />
"Out-of-band provisioning" or group policies have been replaced by "In-band provisioning" policies. "Out-of-band provisioning" policies are applied using group policy, and therefore have the limitations that come with group policies. "In-band provisioning" policies do not use group policies and therefore do not have the limitations of group policies. Does this mean that group policies are gone? No, they are not. Group Policies can still be used, and are applied to the client before the client logs on to the Lync infrastructure.<br />
<br />
These policies are available as an ADM file which is part of the Lync 2010 client download from the partner website. This communicator.adm file can be imported in any group policy template and applied to a computer, set of computers, user or of course a set of users.<br />
<br />
The communicator.adm file contains 15 policy settings:<br />
<ol>
<li> Specify Transport and server: Allows you to specify the name of your front-end and edge server. This way you do not need to provide the DNS names required for client Autodiscovery on the WAN or LAN.</li>
<li>Enable Strict DNS naming for server name: When not set, or disabled, the client will connect to the SIP server that has the domain name of the SIP address. Meaning that if your SIP address is sip:Me@example.com, the SIP server should be sip.example.com. If you enable this setting, the client will communicate with whatever server has the SIP domain configured. In case the policy is enabled the client could communicate with a server called whatever.example.com, which would create a potential risk of spoofers mimicking the SIP server. Only applies when TLS is used (default).</li>
<li>Configure SIP security mode: If you enable this policy the client requires TLS to be used, and the client will not fall back to TCP in case TLS cannot be used. This setting, if enabled, also requires the client to authenticate using Kerberos or NTLM. If this setting is enabled all communications must run through the SIP server, and peer-to-peer communications are disabled.</li>
<li>Configure SIP compression mode: whether or not to use SIP compression. By default the network adapter speed specifies whether compression is or is not used. Enabling this setting could increase logon time. </li>
<li>Prevent users from running Microsoft Lync: States whether or not the lync client can be used by that particular user or machine.</li>
<li>Allow storage of user password: If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password.</li>
<li>Require logon credentials: Requires the user to provide logon credentials for Microsoft Lync rather than automatically using the Windows credentials when Microsoft Lync authenticates the user using NTLM or Kerberos. If you enable this policy setting, Microsoft Lync requires the user to provide logon credentials. If you disable or do not configure this policy setting, Microsoft Lync authenticates the user based on the logon credentials for Windows.</li>
<li>Disable HTTP fallback for SIP connection: Prevents HTTP from being used for the SIP connection in case TLS or TCP fails.</li>
<li>Disable version Server check: Prevents Microsoft Lync from checking the server version before signing in.</li>
<li>Additional Server version support: Specify a semicolon separated list of server version names,<br />e.g. RTC/2.8;RTC/2.9, to which Microsoft Lync allows logon in addition to the server versions that are supported by default. Space character is treated as part of the version string.</li>
<li>Enable using BITS to download address book service files: This policy allows Microsoft Lync to use BITS (Background Intelligent Transfer Service) to download the Address Book Services files.</li>
<li>Use compact DELTA file for GAL: This policy allows Microsoft Lync to use compact delta file for GAL.</li>
<li>Help menu: This policy is used to extend the Help Menu in Microsoft Lync. An administrator can specify a help web site for Microsoft Lync using these keys. Help Menu Text is a string value that specifies the text to display to the user in the Help Menu for the help web site. Help Menu URL is a string value that specifies which web site to open when the user selects the Help Menu Text item in the Help Menu. Note that both Help Menu Text and Help Menu URL need to be specified in order for the Help Menu item to appear in Microsoft Lync.</li>
<li>Launch Microsoft Lync First Run: This policy defines the behavior of the Microsoft Lync First Run. Whether it's enabled or not, whether it should be launched automatically or not.</li>
<li>Turn on tracing for Lync: Turn on tracing for Lync, primarily for use to assist customer problem solving. If this policy is not configured, then the user can specify the choice in Lync options. Otherwise, the corresponding behavior is enforced and the user has no choice.</li>
</ol>
Note: policies 1, 2, 3, 5, 6, and 7 can be configured at both the user and the computer level of the policy. Yet the computer policy takes precedence over the user policy. All other policies only apply at the computer level of the policy.<br />
<br />
Explaining how group policies work and how they are applied is not in the scope of this article. Yet I do want to point out why group policies have a certain disadvantage, and why Microsoft moved away from group policies and implemented the new way of assigning policies (in-band provisioning). Group policies are typically applied at logon, and are refreshed every 90 to 120 minutes by default (90 minutes plus a random offset of 30 minutes). So when applying new settings, these settings are not automatically applied, unless the policies are refreshed manually on the client. A second disadvantage is that you are not really sure that the policies set are actually applied. It could be that a corporate user who logs on to the network using VPN does not get his/her policies applied, due to slow link detection. Or that the remote user logs on to the network using a computer that has not been subjected to group policies (home computer, non-Windows system). <br />
<br />
<u><b>1.3 In-band provisioning</b></u><br />
Microsoft acknowledged the problem with group policies, and developed a new way of assigning policies in Lync 2010. The new way is known as in-band provisioning. The policies are applied through Lync itself and the policies are stored in the Lync CMS store and replicated to the local copy of the database.<br />
<br />
The policies are applied as soon as replication has been done, and the policy is assigned to a certain level. The levels to which a policy can be applied are Global, Site, and Tag.<br />
<ol>
<li>Global: The global Lync infrastructure, in this case every lync client.</li>
<li>Site: A Lync site, every client within a Lync site. The Lync organization can have multiple Lync Sites. </li>
<li>Tag: the tag can be a user, group or service.</li>
</ol>
The client policy can only be set by using the Lync Management Shell and not by the Lync Control Panel. Most of the settings that determine Microsoft Lync 2010 features and
functionality are configurable through Microsoft Lync Server 2010
Control Panel. However, there are several essential policies and
settings that significantly impact client functionality and that can be
configured only by using Group Policy or Lync Server Management Shell.<br />
<br />
The following CMDlets are used to manage the client policies:<br />
<ul>
<li>Get-CsClientPolicy: Get the client policies which are configured, if you do not specify a name all client policies are returned.</li>
<li>Grant-CsClientPolicy: Assigns the policy to a level (Global, Site, Tag). If you do not specify an identity the client policy is applied globally. </li>
<li>New-CsClientPolicy: Creates a new client policy. Among other things, client policies help
determine the features of Microsoft Lync 2010 that are made available to
users; for example, you might give some users the right to transfer
files while denying this right to other users.</li>
<li>Remove-CsClientPolicy: Removes an existing client policy. Among other things, client policies
help determine the features of Microsoft Lync 2010 that are available to
users; for example, you might give some users the right to transfer
files while denying this right to other users.</li>
<li>Set-CsClientPolicy: Modifies the property values of an existing client policy. Among other
things, client policies help determine the features of Microsoft Lync
2010 that are available to users; for example, you might give some users
the right to transfer files while denying this right to other users.</li>
<li>New-CsClientPolicyEntry: Allows you to assign new options to the client policy. </li>
</ul>
<br />
Information on the settings and applying the policy can be found here: http://technet.microsoft.com/en-us/library/gg398300.aspx <br />
<br />The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com0tag:blogger.com,1999:blog-8820695633308655530.post-63433259154062007112011-09-01T13:57:00.001+02:002011-09-01T13:58:48.674+02:00<br />
Export/Import Contacts<br />
Exporting and importing contacts has become easy since Powershell was introduced. In the old days we used tools such as CSVDE or LDIFDE to export and import contact information. This article describes both ways.<br />
<br />
<u>CSVDE</u><br />
<br />
Export<br />
[Code] <br />
CSVDE -f C:\Mailcontacts.csv -r ObjectClass=Contact -l Objectclass,DisplayName,GivenName,SN,Mail<br />
[/Code]<br />
Import<br />
[Code]<br />
CSVDE -i -f C:\Mailcontacts.csv<br />
[/Code]<br />
<br />
<u>LDIFDE</u><br />
<br />
Export<br />
[Code]<br />
LDIFDE -f C:\MailContacts.ldf -r ("Objectclass=Contact") -l Objectclass,DisplayName,GivenName,SN,Mail<br />
[/Code]<br />
Import<br />
[Code]<br />
LDIFDE -i -f C:\Mailcontacts.ldf<br />
[/Code]<br />
<br />
<u>Powershell</u><br />
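[Code]<br />
# Export (Exchange Management Shell): property names are separated by commas<br />
Get-Contact | Select-Object Name, DisplayName, FirstName, LastName, WindowsEmailAddress | Export-Csv C:\Mailcontacts.csv -NoTypeInformation<br />
# Import: New-MailContact creates one mail contact per CSV row<br />
$Contacts = Import-Csv C:\Mailcontacts.csv<br />
foreach ($Contact in $Contacts) {New-MailContact -Name $Contact.Name -DisplayName $Contact.DisplayName -FirstName $Contact.FirstName -LastName $Contact.LastName -ExternalEmailAddress $Contact.WindowsEmailAddress -OrganizationalUnit "OU=Contacts,DC=Domain,DC=Suffix"}<br />
[/Code]<br />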
<br />
You can of course combine these tools to export, for example, contacts out of Windows Server 2003 and import them in Windows Server 2008. Just remember that you need to modify the CSV columns to match the variables in the Powershell cmdlet.<br />
<br />The Shrimphttp://www.blogger.com/profile/01499973186099139865noreply@blogger.com1