Thursday, July 20, 2023

Powershell Graph is case sensitive

I needed to get the deviceId of the devices that are members of a group.

The deviceId is kept in AdditionalProperties, which is a multi-valued property (a dictionary of key/value pairs).

To make things easy, I placed all member objects in a variable called $Members and then tried to get the deviceId values:

[Code]
($Members.AdditionalProperties).deviceid
[/Code]

This returned nothing.

I looked at the value and saw that the key is written as deviceId (with a capital I), so when I ran

[Code]
($Members.AdditionalProperties).deviceId
[/Code]

the proper device IDs were returned.

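As an added example (this is not code from the original post), the following PowerShell fetches the group members with the Microsoft.Graph cmdlet Get-MgGroupMember, reads deviceId with the exact key, and wraps the lookup in a small helper that falls back to a case-insensitive scan of the dictionary keys so that a wrongly cased key fails loudly instead of silently returning nothing. The group id and the function name Get-AdditionalProperty are assumptions.

```powershell
# Added example: read deviceId from the AdditionalProperties of group members.
# AdditionalProperties is a Dictionary[string, object]; its keys are case-sensitive,
# unlike PowerShell property names, so 'deviceid' and 'deviceId' are different keys.

function Get-AdditionalProperty {
    # Hypothetical helper: look a key up without relying on exact casing and
    # throw when it is absent rather than returning $null silently.
    param(
        [Parameter(Mandatory)] $Member,
        [Parameter(Mandatory)] [string] $Key
    )
    $props = $Member.AdditionalProperties
    # Exact match first (the fast path), then a case-insensitive scan of the keys
    if ($props.ContainsKey($Key)) { return $props[$Key] }
    $actual = $props.Keys | Where-Object { $_ -ieq $Key } | Select-Object -First 1
    if (-not $actual) {
        throw "Key '$Key' not found; available keys: $($props.Keys -join ', ')"
    }
    Write-Warning "Key '$Key' matched '$actual'; use the exact casing in scripts"
    return $props[$actual]
}

# Placeholder group id; replace with the object id of the group you are querying
$GroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'Device.Read.All'
$Members = Get-MgGroupMember -GroupId $GroupId -All

# Only device members carry a deviceId; users in the same group do not
$Devices = $Members | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device'
}

$Devices | ForEach-Object {
    [pscustomobject]@{
        DisplayName = Get-AdditionalProperty -Member $_ -Key 'displayName'
        DeviceId    = Get-AdditionalProperty -Member $_ -Key 'deviceId'
    }
}
```

The warning path is deliberate: it still returns the value, but tells you which casing to use so scripts do not keep depending on the slow scan.
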
Wednesday, July 19, 2023

Winget Language incorrect

While opening Terminal, I was notified that a newer stable version of PowerShell had been released, so I ran the command to update PowerShell in the Terminal using WinGet.

I noticed that the output was in French. I searched the internet and came across the following post on GitHub:

winget is localized for my region, even when my UI-language is set to en-US · Issue #238 · microsoft/winget-cli (github.com)

Yet when I verified the language settings for my account, en-US was set as the preferred display language. I then searched for a way to manage the language list using PowerShell.

The command I came up with was Get-WinUserLanguageList.

When I got my list I saw that I had two language tags:

This gave me an idea why winget was in French.
I decided to remove the fr-BE language tag from the list.
Set-WinUserLanguageList is somewhat poorly documented, so I needed to put some effort into removing the French language tag. I succeeded in removing it with the following code:

[Code]
$LangList = Get-WinUserLanguageList
# Select the entry to drop and remove it from the list object
$MarkedLang = $LangList | Where-Object LanguageTag -eq "fr-BE"
$LangList.Remove($MarkedLang) | Out-Null
# Write the modified list back (-Force suppresses the confirmation prompt)
Set-WinUserLanguageList $LangList -Force
[/Code]

And now the language of winget appears in English:





Tuesday, May 16, 2023

Create test users in Azure AD with PowerShell Graph


[Code]
####################################################################################
# The Real Shrimp
####################################################################################
# Functions
Function Get-RandomPassword
{
    # Define parameters
    param([int]$PasswordLength = 10)

    # ASCII character set for the password (the Uppercase/Lowercase ranges were
    # swapped in the original; 65..90 is A-Z, 97..122 is a-z). Get-Random is not a
    # cryptographic RNG, which is acceptable for throw-away test accounts only.
    $CharacterSet = @{
            Uppercase   = (65..90)  | Get-Random -Count 10 | % {[char]$_}
            Lowercase   = (97..122) | Get-Random -Count 10 | % {[char]$_}
            Numeric     = (48..57)  | Get-Random -Count 10 | % {[char]$_}
            SpecialChar = (33..47)+(58..64)+(91..96)+(123..126) | Get-Random -Count 10 | % {[char]$_}
    }

    # Frame a random password from the given character set
    $StringSet = $CharacterSet.Uppercase + $CharacterSet.Lowercase + $CharacterSet.Numeric + $CharacterSet.SpecialChar

    -join(Get-Random -Count $PasswordLength -InputObject $StringSet)
}
# Read more: https://www.sharepointdiary.com/2020/04/powershell-generate-random-password.html#ixzz81sBsb0UW
####################################################################################
# Custom Objects
####################################################################################
$Results = New-Object System.Collections.ArrayList
####################################################################################
# Script
####################################################################################
Write-Host "This script creates a number of test users in a designated tenant" -ForegroundColor Green
Do {
    Write-Host "Enter a Tenant ID, please" -ForegroundColor Green
    $TenantID = Read-Host
    $TenantIdCount = $TenantID | Measure-Object -Character
  }
Until ($TenantIdCount.Characters -eq 36)
# Keep asking until the input parses as a positive integer; the original
# "[Int]$TestUsers = Read-Host" threw on non-numeric input instead of re-prompting
Do {
  Write-Host "Enter the number of test users to create" -ForegroundColor Green
  $TestUsers = 0
  $Valid = [int]::TryParse((Read-Host), [ref]$TestUsers)
}
Until ($Valid -and $TestUsers -gt 0)
####################################################################################
# Connecting to the tenant
####################################################################################
# Permissions that New-MgUser can use, kept for reference
$Scopes = (Find-MgGraphCommand -Command New-MgUser | Select-Object Permissions).Permissions
Connect-MgGraph -Scopes User.ReadWrite.All, Domain.Read.All -TenantId $TenantID
####################################################################################
# Gathering
####################################################################################
$PrefDomain = (Get-MgDomain | Where-Object {$_.IsDefault -eq $true}).Id
####################################################################################
1..$TestUsers | ForEach-Object {
  # Create password profile
  $PasswordProfile = @{
    Password = Get-RandomPassword -PasswordLength 12
    ForceChangePasswordNextSignIn = $true
    ForceChangePasswordNextSignInWithMfa = $true
  }
  $Passw = $PasswordProfile.Password
  # Creating DisplayName
  $NumCount = $_
  $BaseUsFirstName = "Test"
  $BaseUsLastName = "User"
  $DisplayName = $BaseUsFirstName + " " + $BaseUsLastName + $NumCount
  Write-Host "$($DisplayName)"
  # Creating MailNickName
  $MailNickName = $BaseUsFirstName + $BaseUsLastName + $NumCount
  # Creating UserPrincipalName
  $UserPrincipalName = $MailNickName + "@" + $PrefDomain
  # Creating user
  New-MgUser -DisplayName $DisplayName -PasswordProfile $PasswordProfile -AccountEnabled -UserPrincipalName $UserPrincipalName -MailNickName $MailNickName
  $Result = New-Object -TypeName psobject
  $Result | Add-Member -Name DisplayName -MemberType NoteProperty -Value $DisplayName
  $Result | Add-Member -Name UserPrincipalName -MemberType NoteProperty -Value $UserPrincipalName
  $Result | Add-Member -Name Password -MemberType NoteProperty -Value $Passw
  $Results.Add($Result) | Out-Null
}
# Exporting data. The CSV holds the initial passwords in clear text, so treat the
# file accordingly. The original '"testusers"+"-"+$($PrefDomain).csv' read a
# non-existent .csv property and dropped the extension.
$FileName = "testusers-$PrefDomain.csv"
$Results | Select-Object * | Export-Csv -Path C:\temp\$FileName -Delimiter ";" -NoTypeInformation
Notepad.exe C:\Temp\$FileName
[/Code]
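The Get-RandomPassword function above draws from Get-Random, which is seeded from a non-cryptographic generator. As an added example (not part of the original script), the function below is a drop-in replacement with the same parameter that uses the .NET RandomNumberGenerator, guarantees at least one character from every class, and avoids modulo bias with rejection sampling. The function name Get-SecureRandomPassword is an assumption.

```powershell
# Added example: CSPRNG-backed replacement for the post's Get-RandomPassword.
# Works on Windows PowerShell 5.1 and PowerShell 7.
function Get-SecureRandomPassword {
    param([ValidateRange(8, 128)][int]$PasswordLength = 12)

    $Classes = @(
        [char[]](65..90),                                     # A-Z
        [char[]](97..122),                                    # a-z
        [char[]](48..57),                                     # 0-9
        [char[]]((33..47) + (58..64) + (91..96) + (123..126)) # punctuation
    )
    $All = $Classes | ForEach-Object { $_ }   # flattened alphabet of every class
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform integer in [0, $Max) from the CSPRNG; draws above the largest
    # multiple of $Max are rejected so no index is favoured
    $NextIndex = {
        param([int]$Max)
        $buf   = New-Object byte[] 4
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
        do {
            $rng.GetBytes($buf)
            $v = [BitConverter]::ToUInt32($buf, 0)
        } while ($v -ge $limit)
        return [int]($v % $Max)
    }

    # One character from each class first, then fill up from the whole alphabet
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($c in $Classes) { $chars.Add($c[(& $NextIndex $c.Count)]) }
    while ($chars.Count -lt $PasswordLength) { $chars.Add($All[(& $NextIndex $All.Count)]) }

    # Fisher-Yates shuffle so the class-guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $NextIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

# Usage, matching the post's call: Password = Get-SecureRandomPassword -PasswordLength 12
Get-SecureRandomPassword -PasswordLength 12
```

In the script above, replacing `Get-RandomPassword -PasswordLength 12` with `Get-SecureRandomPassword -PasswordLength 12` is the only change needed.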

Wednesday, October 13, 2021

Local DHCP Groups missing on the DHCP Server.

Run the following on the DHCP server:

[Code]
netsh dhcp add securitygroups
[/Code]

Restart the DHCP Server service.

Add the domain DHCP group to the corresponding DHCP local group.
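The three steps as one script, added here as an example (not from the original post). It runs elevated on the DHCP server, skips members that are already present so it can be re-run, and needs the LocalAccounts cmdlets of PowerShell 5.1. The CONTOSO domain group names are placeholders.

```powershell
# Added example: recreate the local DHCP groups, restart the service and nest
# the domain groups in them. Domain group names below are placeholders.
$DomainGroups = @{
    'DHCP Administrators' = 'CONTOSO\DHCP Administrators'   # placeholder
    'DHCP Users'          = 'CONTOSO\DHCP Users'            # placeholder
}

# 1. Recreate the local DHCP security groups
netsh dhcp add securitygroups
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# 2. Restart the DHCP Server service so it picks the groups up
Restart-Service -Name DHCPServer

# 3. Nest the domain groups in the local groups, skipping existing members
foreach ($local in $DomainGroups.Keys) {
    $existing = Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    if ($existing -notcontains $DomainGroups[$local]) {
        Add-LocalGroupMember -Group $local -Member $DomainGroups[$local]
    }
}

# Verify the resulting membership
foreach ($local in $DomainGroups.Keys) {
    "== $local =="
    Get-LocalGroupMember -Group $local | Select-Object Name, ObjectClass, PrincipalSource
}
```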

Sunday, February 25, 2018

Cannot login to Exchange 2013/2016 Exchange Control Panel

We recently started our migration from Exchange 2010 SP3 (RUP18) to Exchange 2016.
After installing Exchange 2016, we ran into a heap of trouble when opening the Exchange 2016 Admin Center, or when we tried to open OWA on Exchange 2016.

When browsing ECP/OWA, we would not even receive a login screen; we merely got "500 Unexpected Error".

Searching the internet led me to the following TechNet Forum post:
https://social.technet.microsoft.com/Forums/ie/en-US/777b51ee-330d-43cc-a56e-4614d44aed7b/unable-to-access-owa-or-ecp-something-went-wrong-or-500-unexpected-error?forum=exchangesvrclients

After removing the values in msExchCanaryData and recycling the application pools in IIS, I was able to log in. The steps, as posted there by Marshall Lucas:
[Quote]
You have to open the ADSI editor on the primary domain controller (Start --> Administrative Tools --> ADSI Edit), go to CN=Services --> CN=Microsoft Exchange --> CN= Right-click CN=Client Access and click Properties. Scroll down to msExchCanaryData0. You have to click Edit and copy the data from Data0, Data1 and Data2 (you may have more or less) to a Notepad file. Then erase the data from those settings. Now log onto the CAS server and open IIS Manager. Go to Application Pools, right-click MSExchangeOWAAppPool and click Recycling. Then restart all of the mailbox servers.
[/Quote]

A colleague tried to log in as well, but he failed. He did get a login screen, but after logging in he would still receive "500 Unexpected Error". It could not be an infrastructural problem because I was able to log in, so we excluded any issue on the part of IIS. We compared both our admin accounts and discovered that my admin account was fitted with a mailbox (probably created during a test and neglected to clean up afterwards). We enabled his account with a mailbox, and now he was able to log in.

I know from experience that administrators do not need a mailbox to log on to ECP; if the administrator does not have a mailbox attached, ECP uses a system mailbox instead. So the next step was to verify the arbitration mailboxes:

[Code]
Get-Mailbox -Arbitration | fl Name, DistinguishedName
[/Code]

This returned 5 arbitration mailboxes: 3 SystemMailboxes, one discovery mailbox and one migration mailbox. That looks more or less OK, so I dismissed the idea that the issue was caused by a missing arbitration mailbox.

I moved all retrieved arbitration mailboxes to Exchange 2016, but that did not resolve the issue either.

I went on searching for two more days, and everything kept pointing in the direction of a missing arbitration mailbox. I decided to verify the accounts in AD against the mailboxes retrieved from PowerShell:

[Code]
Get-Mailbox -Arbitration | fl Name, DistinguishedName

Get-ADUser -Filter "Name -like 'SystemMailbox*'" -Server Root
[/Code]

That is where I saw the catch: in Active Directory we had 6 SystemMailbox accounts, but only 3 of them were actually mailbox-enabled. I decided to mailbox-enable every SystemMailbox account, which resolved the issue.

[Code]
# SystemMailbox accounts in AD that have no mail attribute, i.e. are not mailbox-enabled
Get-ADUser -Filter "Name -like 'SystemMailbox*'" -Server Root -Properties Mail |
    Where-Object { $_.Mail -eq $null } |
    ForEach-Object { Get-User $_.DistinguishedName | Enable-Mailbox -Database "Exchange2016DB" }
[/Code]
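The comparison described above as a script, added here as an example and not the post's own code. It lists every SystemMailbox account in the forest root, marks whether it is mailbox-enabled and whether Exchange already reports it as an arbitration mailbox, and only enables the missing ones when run with -Fix. It differs from the post's one-liner in using Enable-Mailbox -Arbitration, which creates an arbitration mailbox rather than an ordinary user mailbox. The forest root domain is taken from Get-ADForest instead of the post's "-Server Root", and "Exchange2016DB" is the post's database name; run it from the Exchange Management Shell.

```powershell
# Added example: report SystemMailbox accounts that are not mailbox-enabled,
# and enable them as arbitration mailboxes when -Fix is given.
param(
    [string]$Database = "Exchange2016DB",
    [switch]$Fix
)
Import-Module ActiveDirectory

# Arbitration mailboxes Exchange currently knows, keyed by the AD object DN
$Known = @{}
Get-Mailbox -Arbitration | ForEach-Object { $Known[$_.DistinguishedName] = $_ }

# Every SystemMailbox account in the forest root, with its mail attribute
$RootDomain = (Get-ADForest).RootDomain
$Accounts = Get-ADUser -Filter "Name -like 'SystemMailbox*'" -Server $RootDomain -Properties Mail

$Report = foreach ($acct in $Accounts) {
    [pscustomobject]@{
        Name              = $acct.Name
        MailboxEnabled    = [bool]$acct.Mail
        KnownToExchange   = $Known.ContainsKey($acct.DistinguishedName)
        DistinguishedName = $acct.DistinguishedName
    }
}
$Report | Format-Table Name, MailboxEnabled, KnownToExchange -AutoSize

$Missing = @($Report | Where-Object { -not $_.MailboxEnabled })
"{0} of {1} SystemMailbox accounts are not mailbox-enabled" -f $Missing.Count, @($Report).Count

if ($Fix) {
    foreach ($m in $Missing) {
        # -Arbitration marks the new mailbox as a system (arbitration) mailbox
        Enable-Mailbox -Arbitration -Identity $m.DistinguishedName -Database $Database
    }
} elseif ($Missing.Count -gt 0) {
    "Re-run with -Fix to enable them"
}
```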

Monday, February 13, 2017

Move-ADDirectoryServerOperationMasterRole

Do not use the server FQDN for the Identity in the Move-ADDirectoryServerOperationMasterRole cmdlet; it will fail if you do:

[Code]
Move-ADDirectoryServerOperationMasterRole -Identity "DC001.domain.suf" -OperationMasterRole InfrastructureMaster
[/Code]

[Code]
Move-ADDirectoryServerOperationMasterRole : Cannot find directory server with identity:"DC001.domain.suf"
[/Code]

Correct syntax:
[Code]
Move-ADDirectoryServerOperationMasterRole -Identity "DC001" -OperationMasterRole InfrastructureMaster
[/Code]
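An added example (not from the original post) that works from the FQDN anyway: Get-ADDomainController accepts the FQDN and returns the directory server object that the Move cmdlet expects, so the short name does not have to be derived by hand. It previews with -WhatIf and verifies the role holder afterwards. "DC001.domain.suf" is the post's placeholder name.

```powershell
# Added example: move the Infrastructure Master role starting from an FQDN.
$Target = "DC001.domain.suf"      # placeholder from the post
$Role   = "InfrastructureMaster"

# Resolve the DC object first; its .Name is the short name the Move cmdlet wants
$dc = Get-ADDomainController -Identity $Target

# Preview, then transfer. -Force is only for seizing a role from an offline
# holder; leave it off for a normal transfer.
Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Role -WhatIf
Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Role -Confirm:$false

# Verify: the domain-level role holder should now be the target DC
$holder = (Get-ADDomain).InfrastructureMaster
if ($holder -ne $dc.HostName) { throw "Role still held by $holder" }
"InfrastructureMaster is now $holder"
```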


Monday, August 26, 2013

Screen Flickers when installing a Windows Server 2012 on Windows Server 2008 Hyper-V

When you install Windows Server 2012 on Windows Server 2008 R2 Hyper-V, you might see that the virtual machine is unresponsive and that its screen is constantly flickering. This is usually caused by the virtual machine not having enough memory configured. I have seen this issue occur when the virtual machine has less than 2048MB of memory assigned. Increasing the virtual machine's memory to 2048MB or more resolves the issue.

Tuesday, June 25, 2013

Capital letters and Cisco RCC/Microsoft Lync

Yesterday I was working on a project that involves a new implementation of Lync 2013 and Cisco CUPS.
We had enabled a user for RCC within Cisco and Lync, but the user was unable to register on the Cisco CUPS server.

The Cisco CUPS is configured as a static route within Lync 2013, where it is used for a Cisco SIP domain called cups.contoso.com.

We configured the user using the following settings:
LineUri = TEL:3567;phone-context=dialstring
LineServerUri = %UserName%@cups.contoso.com (where %UserName% is the SAM account name of the user).

[Code]
Get-CsUser "alfa" | Set-CsUser -RemoteCallControlTelephonyEnabled $True -LineUri "TEL:3567;phone-context=dialstring" -LineServerUri "alfa@cups.contoso.com"
[/Code]

After enabling the user for RCC, we saw that the Lync client of the user was unable to register itself with the Cisco CUPS server to enable RCC. We enabled logging on the Lync server/client, where we saw that the registration was cancelled by the Cisco CUPS server, and Snooper reported "Call Leg does not exist".
We could clearly see that Lync and Cisco were communicating, but at a certain point Cisco CUPS sends a CANCEL to the client, after which the client ends the communication.

The reason for the CANCEL was still unclear, so we retrieved the logs from the Cisco CUPS server. There we saw that the CANCEL was sent after an unspecified error on the dial string. We verified the dial string within Lync again and confirmed that it was set correctly. As we had no real clue what was going on, a colleague retyped the dial string within Lync, but received the notification that nothing had changed. 5 minutes later the configuration started working. Upon investigating what had changed, we saw that the colleague had typed the following LineUri: tel:3567;phone-context=dialstring. He had specified lower-case letters instead of capitals for the TEL prefix. To prove that this was indeed causing the issue, we enabled another account for RCC where we also specified TEL in capital letters. The user was unable to register in Cisco CUPS; after changing the letters to lower case, the user was able to register and use RCC.

By posting this encounter, I hope to spare somebody's time in troubleshooting this issue.
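A check for the condition described above, added as an example and not part of the original post: it lists RCC-enabled users whose LineUri starts with an upper-case "TEL:" and rewrites the prefix in lower case when run with -Fix. PowerShell's -match and -replace are case-insensitive, so the case-sensitive -cmatch and -creplace variants are used on purpose. Run it from the Lync Server Management Shell.

```powershell
# Added example: find and fix RCC users with an upper-case TEL: prefix in LineUri.
param([switch]$Fix)

$Affected = @(Get-CsUser | Where-Object {
    $_.RemoteCallControlTelephonyEnabled -and $_.LineUri -cmatch '^TEL:'
})

foreach ($u in $Affected) {
    # Only the scheme changes; number and phone-context stay as configured
    $NewUri = $u.LineUri -creplace '^TEL:', 'tel:'
    if ($Fix) {
        Set-CsUser -Identity $u.Identity -LineUri $NewUri
        "{0}: {1} -> {2}" -f $u.SipAddress, $u.LineUri, $NewUri
    } else {
        "{0}: would change {1} to {2} (run with -Fix)" -f $u.SipAddress, $u.LineUri, $NewUri
    }
}
if ($Affected.Count -eq 0) { "No RCC users with an upper-case TEL: prefix found" }
```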




Sunday, March 31, 2013

Beware of Exchange Web Services

I would like to point out that Exchange Web Services allows EWS clients to retrieve mail even though Outlook Anywhere is disabled.
A customer of mine was not comfortable with Outlook Anywhere, as an unmanaged computer could be used to retrieve mail. So they wanted to delay the deployment of Outlook Anywhere until proper IPsec policies were in place. However, we decided to publish EWS to allow Lync to retrieve free/busy information for remote workers. To our surprise we discovered that Outlook was able to access his mailbox on Exchange 2010 although Outlook Anywhere was disabled.

Now there are a number of measures you can take to prevent this access while still publishing EWS externally. One option is to set access to EWS via the mailbox features.
This can be done with Set-CASMailbox for the users. This is a per-user approach in which you can allow some users and disallow others.

You can also set it at the organization level, in which you allow or disallow it for the complete environment.
This is done via Set-OrganizationConfig.

However, both settings do not distinguish between external and internal access. This means that if you disable the setting, those clients will also not be able to connect to EWS from a corporate or trusted network.

http://msdn.microsoft.com/en-us/library/exchange/ff406134(v=exchg.140).aspx
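The two options above as Exchange Management Shell commands, added as an example (not from the original post). Besides the all-or-nothing EwsEnabled switch the post describes, Set-CASMailbox and Set-OrganizationConfig on Exchange 2010 SP1 and later also carry per-application switches, so Outlook's use of EWS can be turned off while EWS itself stays published for other consumers such as Lync free/busy. The mailbox address is a placeholder.

```powershell
# Added example: restrict EWS per mailbox, then report who can still use it from Outlook.
$Mailbox = "user@contoso.com"   # placeholder

# Current state
Get-CASMailbox -Identity $Mailbox |
    Format-List EwsEnabled, EwsAllowOutlook, EwsAllowMacOutlook, EwsAllowEntourage, EwsApplicationAccessPolicy

# Option 1 (the post's approach): switch EWS off entirely for this user.
# This also blocks EWS from the internal network, as the post notes.
# Set-CASMailbox -Identity $Mailbox -EwsEnabled $false

# Option 2: keep EWS on but stop the Outlook family of clients from using it
Set-CASMailbox -Identity $Mailbox -EwsAllowOutlook $false -EwsAllowMacOutlook $false -EwsAllowEntourage $false

# Organization-wide equivalent. A mailbox-level value that is not $null overrides it.
# Set-OrganizationConfig -EwsAllowOutlook $false

# Report every mailbox that can still reach EWS from Outlook
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -ne $false -and $_.EwsAllowOutlook -ne $false } |
    Select-Object Name, EwsEnabled, EwsAllowOutlook
```

The report relies on $null meaning "inherit the organization setting", which is why it tests `-ne $false` rather than `-eq $true`.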



    

Tuesday, January 8, 2013

Securing POP and SMTP traffic from POP clients in Exchange 2010

I am working on an Exchange migration from Exchange 2003 to Exchange 2010. The customer is using a mixed environment with Microsoft Windows (Windows XP/Vista and 7) clients, and Linux/Unix clients which use POP and IMAP to retrieve mail from Exchange 2003. The Windows clients use Outlook 2010, while the Linux clients use a number of applications which use IMAP or POP3 to access their mailboxes.

The customer wants to keep the IMAP/POP functionality available in the new Exchange 2010 environment, but wants to secure it where possible. In answer to that question I replied that we would keep the functionality, but switch to SSL-encrypted communication between the clients and the servers. To do so, I also recommended that the clients use the client submission port (TCP 587, RFC 5321) instead of plain SMTP (TCP 25) to send to the server(s), where we would also impose authentication. This way IMAP/POP and SMTP traffic would be encrypted and would only occur via authenticated users.
Forcing the clients to use the client submission port enhances security, as you do not need to create a relay receive connector for the clients on TCP port 25.

I knew all this is possible in theory but had never implemented it before, as this is the first time I have come across an environment that still uses IMAP/POP3 in a real live environment. To make sure I knew how to implement the theory, I started playing in my test environment during the Christmas holidays.

In my test environment I have a single Exchange 2010 server with the three required roles installed (HUB/CAS/MBX), and I downloaded and installed Mozilla Thunderbird as a POP client.

Certificate:
As we are going to use TLS to encrypt the communication channels, we have to make sure that the intended FQDNs are present in the SSL certificate. The Exchange environment already has an SSL certificate assigned to it for SMTP and IIS, and we are going to reuse that SSL certificate to secure the POP3 access.
In the screenshot you will see that the hostname of the server is present in the certificate, and that is the FQDN we intend to use for POP and SMTP communication. Now we need to see which services the certificate is assigned to.
Note: You can run the previous commands in a single line by running "Get-ExchangeCertificate | fl CertificateDomains, Services".
In the screenshot you will see that the POP and IMAP services are already assigned in my case; this is because I took the screenshots after testing and not while testing. To assign the certificate to the IMAP/POP3 services, you need to run the following commands.
If you have multiple certificates in use, list the certificates:
[Code]
Get-ExchangeCertificate
[/Code]
Select the required certificate and assign it to the requested services:
[Code]
Get-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | Enable-ExchangeCertificate -Services "POP, IMAP"
[/Code]
The required certificate is now assigned to the IMAP and POP3 services.
Note: If the MSExchangePOP3 or MSExchangeIMAP4 services were already started before assigning the certificate, you will need to restart them. This is required each time you change or reassign a certificate to a service.
Configuring the Client Access Server
Open the Exchange Management Console, go to Server Configuration and then the Client Access server role.
Go to the Bindings tab and configure the IP addresses on which the service should listen. By default it lists all IPv4 and IPv6 addresses, but I removed the IPv6 addresses as I do not use IPv6 in the test environment.

Note: I still allow connections over port 110, but you can remove that if you wish to allow only secured communication (which is what will be done for my customer).
Then go to the Authentication tab, modify the authentication if required, and verify that the certificate name is the name of the certificate you selected in the previous step.
Note: These are basically the default settings, as Exchange 2010 aims to be secure by default.
We do not need to modify the other tabs.

IMAP
Now verify that the same settings apply to IMAP, which they should, as it is designed to be secure by default.
Note: Modify the bindings if you wish to only allow secure connections.
Starting the required services
The IMAP and POP3 services are set to manual start, so they are not started automatically. If you wish to provide access via these services, you have to change the start-up mode to automatic. In my test environment I merely started the services, as they are only required for testing the configuration.
To change the startup mode:
[Code]
Get-Service -Name MSExchangePOP3, MSExchangeIMAP4 | Set-Service -StartupType Automatic
[/Code]
Start the services:
[Code]
Get-Service -Name MSExchangePOP3, MSExchangeIMAP4 | Start-Service
[/Code]

Configure SMTP access (Client Submission Port)
We want users to authenticate and use TLS encryption when sending (relaying) mail through Exchange 2010.
Open the Exchange Management Console, go to Server Configuration and then the Hub Transport server role.

Select the receive connector for the client submission port, which is called "Client" by default but which I renamed to "Client Exch02". Right-click and select Properties. Verify that the client network is allowed to use the connector in the Network tab. Go to the Authentication tab and select "Transport Layer Security (TLS)", "Basic Authentication" and "Offer Basic Authentication only after starting TLS".
Note: I have tried with TLS alone, but then the credentials are not accepted. I could only make it work with basic authentication, but that is no issue, as the authentication is done inside a TLS-encrypted tunnel in which the communication is encrypted anyway. This is why you need to make sure that "Offer Basic Authentication only after starting TLS" is also selected.
In the "Permission Groups" tab you have to make sure that "Exchange Users" and "Exchange Servers" are checked.

Client Configuration
As client I chose Mozilla Thunderbird, as it is a widely used client on Windows and other operating systems.
I am not going to explain the configuration of the client completely, as it is pretty straightforward, yet I am showing the settings in the client to prove that communication is indeed TLS encrypted and that authentication is required to send mail (SMTP).
POP3 settings:
SMTP settings:
Here you see that authentication is required.
The client submission connector allows relaying for Exchange-authenticated users, so you have allowed relaying, but in a more secure and reliable way. If you have applications which need to send or relay SMTP traffic via your Exchange 2010 environment, you should investigate whether the same settings can be used for these applications.
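The whole procedure above, from the certificate assignment to the receive connector, as Exchange Management Shell commands with a verification step at the end. This is an added example, not the post's own commands; the server name, FQDN and thumbprint are placeholders, and the connector identity follows the default "Client <server>" naming the post mentions.

```powershell
# Added example: secure POP3/IMAP4 and the client submission connector on Exchange 2010.
$Server     = "EXCH02"                                  # placeholder
$Fqdn       = "$Server.contoso.com"                     # placeholder; must be in the certificate
$Thumbprint = "<thumbprint from Get-ExchangeCertificate>" # placeholder
$Connector  = "$Server\Client $Server"                  # default "Client <server>" receive connector

# 1. Bind the existing certificate to POP3 and IMAP4 as well
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services "POP, IMAP"

# 2. Accept logins only over TLS/SSL (the "Secure logon" option on the Authentication tab),
#    point the services at the certificate, make them start automatically, and restart
#    them so the new certificate binding takes effect
Set-PopSettings  -Server $Server -LoginType SecureLogin -X509CertificateName $Fqdn
Set-ImapSettings -Server $Server -LoginType SecureLogin -X509CertificateName $Fqdn
Get-Service -Name MSExchangePOP3, MSExchangeIMAP4 | Set-Service -StartupType Automatic
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# 3. Client submission connector: TLS, basic auth only after STARTTLS,
#    authenticated Exchange users and Exchange servers only
Set-ReceiveConnector -Identity $Connector `
    -AuthMechanism "Tls, BasicAuth, BasicAuthRequireTLS" `
    -PermissionGroups "ExchangeUsers, ExchangeServers"

# 4. Verify the resulting state
Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint | Format-List CertificateDomains, Services
Get-PopSettings  -Server $Server | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings
Get-ImapSettings -Server $Server | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings
Get-ReceiveConnector -Identity $Connector | Format-List Bindings, AuthMechanism, PermissionGroups
```

Leaving UnencryptedOrTLSBindings populated keeps port 110/143 reachable for STARTTLS; with LoginType set to SecureLogin a client that does not negotiate TLS on those ports is refused at login.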

Tuesday, November 13, 2012

Lync Monitoring: An error has occurred during report processing. (rsProcessingAborted)

You get the following error when trying to view the "all incidents" reports in Lync Reporting Services:

"An error has occurred during report processing. (rsProcessingAborted) Query execution failed for dataset 'GetAll'. (rsErrorExecutingCommand) Error converting data type nvarchar to datetime."

The problem is caused by the language settings within Internet Explorer, more particularly the date format used in different parts of the world. In my case (Belgium/Europe) we use the following format: dd/mm/yyyy, while in the US the date format is mm/dd/yyyy. This date format causes the report to fail, and therefore the following error is displayed:
"Error converting data type nvarchar to datetime."

In order to get the date format which the report is expecting, you need to add the en-US language to Internet Explorer:

Open Internet Explorer, go to Internet Options, Appearance, and select Languages.

Move en-US to the first place and click OK.




Monday, October 1, 2012

Windows Server 2008 R2 Repair

I am having trouble with my test server which is running my virtual environment. It is running on hardware that is not really supported by Windows Server 2008 R2, and because of that the system sometimes reboots.
These reboots can cause virtual machines to become corrupt if the reboot happens during a major write operation.

A week ago the server rebooted unexpectedly again, and because of this my Lync server would no longer boot up. I tried repairing the machine using the SFC tool with the known syntax (the offline directories are given as switch=value):
[Code]
sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows
[/Code]

It can happen that the following message appears:
"There is a Windows repair pending which requires a reboot of the system"

If this message appears, you can revert the pending changes, or remove/rename the pending.xml file.

To revert the pending changes, use the following command:
[Code]
dism.exe /image:C:\ /cleanup-image /revertpendingactions
[/Code]

Or rename pending.xml, which is found under C:\Windows\System32.

But after the reboot the system still wouldn't boot. The next step was to repair the Windows boot loader using StartRep.exe.
I started the system in repair mode (command prompt), where the system starts in X:\Windows\System32.
Type X:\Resources\Recovery\StartRep.exe and press Enter. The system asks you if you wish to repair the system boot loader, where you click Finish. After clicking Finish the system restarted perfectly into Windows, and even all Lync services were started as intended.

Installing Lync 2013 on Windows Server 2012

I wanted to install Lync 2013 on Windows Server 2012 in a test environment to get acquainted with the product. I downloaded the Windows Server virtual disk (VHD) from the Microsoft website, booted up the disk and added it to my test domain.

When provisioning your virtual machine, I would like to note that you need to provide at least 3072MB to the virtual machine; otherwise the installation of the front-end server will fail with the following exception: "81" is not a valid value for configuration option 'Max Server Memory'. I started off with the Hyper-V default, which is 1024MB, which made the Lync role installation fail.

The first step is to install the Lync 2013 prerequisites. Unlike Windows Server 2008 R2, we do not need to import the ServerManager module and use the Add-WindowsFeature cmdlet; in Windows Server 2012 you can kick off the installation of the prerequisites with the Install-WindowsFeature cmdlet. The majority of the prerequisites are installed by the following line (note the comma after Web-Server, which was missing in the original):
[Code]
Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Http-Tracing, Web-Performance, Web-Stat-Compression, Web-Dyn-Compression, Web-Security, Web-Filtering, Web-Client-Auth, Web-Windows-Auth, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, NET-Framework-45-Feature, NET-Framework-45-Core, NET-WCF-Services45, NET-WCF-TCP-PortSharing45, RSAT-AD-Tools, Windows-Identity-Foundation, Web-ISAPI-Ext, Web-ISAPI-Filter, Desktop-Experience, Server-Media-Foundation, Web-Asp-Net, Web-Asp-Net45
[/Code]
Besides these prerequisites you also need to install Web-Net-Ext (.NET Extensibility 3.5), yet when you add Web-Net-Ext to the previous line you will see that the feature fails to install. This is because the sources for this feature have been stripped from Windows Server 2012. To add this feature you have to specify the source in order to install it. These sources are not available on the VHD, so you will need to download the ISO itself. Once you have the ISO you can find the sources under Sources\SXS\. My CD-ROM drive on the server is Z:, so I installed it with the following line:
[Code]
Install-WindowsFeature Web-Net-Ext -Source Z:\Sources\SXS\
[/Code]

[Code]
###############################################################################
# De Greyt Jurgen    #
# 15/11/2012    #
# Modified 8/11/2012            #
###############################################################################
# Active Directory remote administration tools
Add-WindowsFeature RSAT-ADDS

# Identity Framework
Add-WindowsFeature Windows-Identity-Foundation

# Message Queuing
Add-WindowsFeature MSMQ-Server, MSMQ-Directory

# IIS
Add-WindowsFeature Web-Server, Web-Scripting-Tools, Web-Windows-Auth, Web-Asp-Net, Web-Log-Libraries, Web-Http-Tracing, Web-Stat-Compression, Web-Dyn-Compression, Web-Default-Doc, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-HTTP-Errors, Web-HTTP-Logging, Web-Net-Ext, Web-Client-Auth, Web-Filtering, Web-Mgmt-Console, Web-Asp-Net45, Web-Net-Ext45

# .NET Framework
Add-WindowsFeature NET-WCF-HTTP-Activation45

# Media
Add-WindowsFeature Server-Media-Foundation
###############################################################################
[/Code]
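An added example (not the post's script) that installs the feature list in one pass, inspects the result object Install-WindowsFeature returns, and retries only the features that are still missing with the side-by-side source the post describes. Feature names come from the post's two lists; the drive letter Z: is the post's, used here as a placeholder.

```powershell
# Added example: install Lync 2013 prerequisites, then retry missing features with -Source.
$Features = @(
    'Web-Server', 'Web-Scripting-Tools', 'Web-Windows-Auth', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Log-Libraries',
    'Web-Http-Tracing', 'Web-Stat-Compression', 'Web-Dyn-Compression', 'Web-Default-Doc',
    'Web-HTTP-Errors', 'Web-HTTP-Logging', 'Web-Client-Auth', 'Web-Filtering', 'Web-Mgmt-Console',
    'NET-WCF-HTTP-Activation45', 'RSAT-ADDS', 'Windows-Identity-Foundation',
    'MSMQ-Server', 'MSMQ-Directory', 'Server-Media-Foundation', 'Desktop-Experience'
)
$Source = 'Z:\Sources\SXS'   # mounted Windows Server 2012 ISO; placeholder drive letter

# Skip features that are already present so the script can be re-run safely
$Pending = Get-WindowsFeature -Name $Features |
    Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name
if (-not $Pending) { "All features already installed"; return }

$Result = Install-WindowsFeature -Name $Pending
"Success: {0}  ExitCode: {1}  RestartNeeded: {2}" -f $Result.Success, $Result.ExitCode, $Result.RestartNeeded

# Features whose payload was removed from the image (Web-Net-Ext in the post)
# fail without a source; retry just those with the ISO as source
$Still = Get-WindowsFeature -Name $Pending |
    Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name
if ($Still) {
    "Retrying with -Source for: $($Still -join ', ')"
    $Retry = Install-WindowsFeature -Name $Still -Source $Source
    if (-not $Retry.Success) { throw "Install failed, exit code $($Retry.ExitCode)" }
}

if ($Result.RestartNeeded -eq 'Yes') { "A restart is required before installing Lync" }
```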



Sunday, July 29, 2012

learning some new tricks

When configuring my network interfaces I usually use netsh. Once you are accustomed to netsh it is pretty simple. To find the names of your interfaces you would use:
[Code]
netsh int ip show interfaces
[/Code]
To configure the IP address, subnet mask and default gateway you would use the following syntax (the last value is the gateway metric):
[Code]
netsh int ip set address "Local Area Connection" static 10.10.10.1 255.255.255.0 10.10.10.254 10
[/Code]
Setting the DNS server would be done with the following syntax, and a second DNS server is added with the add form:
[Code]
netsh int ip set dnsserver "Local Area Connection" static 10.10.10.10
netsh int ip add dnsserver "Local Area Connection" 10.10.10.20
[/Code]

Now I was playing with Windows Server 2012, and wanted to challenge myself to configure the interface through PowerShell. I guessed it was possible, as I had seen some NetIP cmdlets in previous encounters.

The first thing I did was try to find the right cmdlets; the best way to search for them was the following syntax:
[Code]
Get-Command "Set*NetIP*"
[/Code]
This gave me a few hints to continue my search. In the same manner as with netsh, I need to find out the name of the interface I want to configure. Set-NetIPInterface suggests that there would also be a Get-NetIPInterface cmdlet. Putting my thinking into practice showed me the configured interfaces on the server:
[Code]
Get-NetIPInterface
[/Code]
This showed that the interface we are trying to configure is called "Ethernet". The second cmdlet we were interested in was Set-NetIPAddress. Now we need to find out how the IP address specified in Set-NetIPAddress is linked to the correct interface. To find out I checked the help file: Get-Help "Set-NetIPAddress".
This showed me the New-NetIPAddress cmdlet, which led me to the following string:
[Code]
New-NetIPAddress -IPAddress 192.168.0.3 -DefaultGateway 192.168.0.254 -InterfaceAlias Ethernet -AddressFamily IPv4 -PrefixLength 24
[/Code]
The New-NetIPAddress cmdlet does not allow DNS or WINS to be set. Setting the DNS servers is done with the Set-DnsClientServerAddress cmdlet.
To set the DNS servers we need the interface index number of the interface to which we want to link the DNS server settings. The interface index number is shown by the Get-NetIPInterface cmdlet.
Setting the DNS servers is done with the following syntax (the parameter is -ServerAddresses; replace the placeholders with your server IPs and the index from Get-NetIPInterface):
[Code]
Set-DnsClientServerAddress -ServerAddresses <IP first server>,<IP second server> -InterfaceIndex <index number>
[/Code]

To check your configuration afterwards you can use:
[Code]
Get-NetIPConfiguration -InterfaceAlias Ethernet | fl
[/Code]
For all the netsh diehards: netsh still runs under Windows Server 2012.
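The PowerShell steps above combined into one re-runnable script, added here as an example and not from the original post. It resolves the interface index from the alias so both cmdlets target the same adapter, disables DHCP and clears any existing IPv4 address and default route first (otherwise New-NetIPAddress fails when an address is already present), and then verifies with Get-NetIPConfiguration. The addresses are the post's example values; "Ethernet" is the post's interface alias.

```powershell
# Added example: static IPv4 address and DNS servers with the NetTCPIP/DnsClient cmdlets.
$Alias   = 'Ethernet'
$Address = '192.168.0.3'
$Prefix  = 24
$Gateway = '192.168.0.254'
$Dns     = '10.10.10.10', '10.10.10.20'

# One lookup by alias; the index is used for every later call
$If = Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4

# Disable DHCP and clear the existing IPv4 address and default route so
# New-NetIPAddress does not fail with "object already exists"
Set-NetIPInterface -InterfaceIndex $If.InterfaceIndex -Dhcp Disabled
Remove-NetIPAddress -InterfaceIndex $If.InterfaceIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $If.InterfaceIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue

New-NetIPAddress -InterfaceIndex $If.InterfaceIndex -IPAddress $Address -PrefixLength $Prefix `
    -DefaultGateway $Gateway -AddressFamily IPv4
Set-DnsClientServerAddress -InterfaceIndex $If.InterfaceIndex -ServerAddresses $Dns

# Verify (the same check the post suggests)
Get-NetIPConfiguration -InterfaceAlias $Alias | Format-List IPv4Address, IPv4DefaultGateway, DNSServer
```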

Sunday, June 3, 2012

Certificates, certificates, all I see are certificates...

I was working on a Lync implementation for a local ISP. The design was set forward with one single site, which contains a Director, Front-end and edge pool, where each pool contains two servers for High Availability. After deploying the edge servers we noticed that the XDS replication was not occurring from the front-end servers to the Edge servers. We checked the Lync file share and the network to verify that the Front-end server could talk to the Edge servers on port 4443. Everything turned out OK, yet no matter what we did, the replication towards the edge servers didn't kick off.

While searching the internet for a possible solution, the following comment kept spinning in my mind:
"Replication issue's with the edge server are usually Network or certificate related." As we had checked the network, we started troubleshooting the certificates again. The certificates turned out OK, yet when investigating the certificates I did see that the Trusted Root Certificate store did contain a lot of certificates. I didn't count them, but usually you will see around 30 root certificates, the root CA container of the edge did contain so many certificates they didn't fit in a single view.

I started logging using the Lync Logging tool, yet this only gave the following warning: Master Directory not discovered yet. Investigated the eventlog where the following warning drew my attention in the system log:


Log Name:      System
Source:        Schannel
Date:         
Event ID:      36885
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:     
Description:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


I searched the Microsoft Forums where I found following thread:
 http://social.technet.microsoft.com/Forums/en-AU/ocsedge/thread/1cd3be72-1f65-48ae-aa8c-498f79917492

We added the registry DWORD and replication kicked of perfectly.

Edit the registry on the Edge server to add a DWORD value, SendTrustedIssuerList, under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL key and assign it a value of 0. This prevents schannel.dll from truncating the root CA list sent by the Edge server and allows the validation tests to pass.


More info on this registry setting can be found here:


This entry controls the flag controlling sending of list of trusted issuers. In the case of servers that trust hundreds of certificate authorities for client authentication, there are too many issuers for the server to be able to send them all to the client when requesting client authentication. In this situation, this registry key can be set, and instead of sending a partial list, Schannel will not send any to the client.
Not sending a list of trusted issuers might impact what the client sends when asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it only displays the client certificates that chain up to one of the certificate authorities that is sent by the server. If the server did not send a list, then Internet Explorer displays all of the client certificates that are installed on the client machine. This behaviour might be desirable, when PKI environments include cross certificates, the client and server certificates will not have the same Root CA and therefore, Internet Explorer cannot choose a certificate that chains up to one of the server's CAs. By configuring the server to not send a trusted issuer list then Internet Explorer will send all its certificates.
This entry does not exist in the registry by default. This value is true by default.


http://technet.microsoft.com/en-us/library/cc776467%28v=ws.10%29.aspx



A few days later we were testing web conferencing and discovered that only anonymous users were able to join a conference. When a user selected "domain user" in the web interface, the following error would occur:

We enabled logging with the web-client and this showed us the following:

We applied the same registry setting to the Director and Front End pool servers. After applying the setting, users were able to join a conference using the Lync web client.
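As an added example (not code from the original post), the following PowerShell gathers on one host the three facts this troubleshooting relied on: the size of the Trusted Root store, the current SendTrustedIssuerList setting, and recent Schannel 36885 warnings. A second function applies the registry change described above with -WhatIf support. The provider name "Schannel" for the System log filter and the seven-day look-back window are assumptions; the registry write needs an elevated session.

```powershell
# Added example, not code from the original post. Reading works as a normal
# user; the registry write requires an elevated session.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelTrustedIssuerReport {
    param([int]$Days = 7)   # look-back window for 36885 warnings (assumption)

    # How many root CAs does this machine trust? Event 36885 fires when the
    # issuer list sent during a client-authentication request no longer fits.
    $rootCount = @(Get-ChildItem Cert:\LocalMachine\Root).Count

    # $null means the DWORD is absent, i.e. the default behaviour (send the list).
    $current = (Get-ItemProperty -Path $SchannelKey -ErrorAction SilentlyContinue).SendTrustedIssuerList

    # Get-WinEvent returns newest first, so element 0 is the latest occurrence.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Schannel'
            Id           = 36885
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        TrustedRootCount      = $rootCount
        SendTrustedIssuerList = $(if ($null -eq $current) { 'not set (default: send list)' } else { $current })
        Event36885Count       = $events.Count
        LastEvent36885        = $(if ($events.Count) { $events[0].TimeCreated } else { $null })
    }
}

function Set-SchannelSendTrustedIssuerList {
    # Writes the DWORD the post describes: 0 = do not send the trusted issuer list.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 0)

    if ($PSCmdlet.ShouldProcess("$SchannelKey\SendTrustedIssuerList", "Set to $Value")) {
        New-ItemProperty -Path $SchannelKey -Name SendTrustedIssuerList `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

Get-SchannelTrustedIssuerReport | Format-List
# Preview only; drop -WhatIf to apply the change.
Set-SchannelSendTrustedIssuerList -Value 0 -WhatIf
```

Running the report first gives a record of the root store size and the warning count that can be kept with the change ticket; the setter is deliberately separate so the report can be run on every pool member before deciding where the value is needed.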

Monday, March 19, 2012

Multiple Exchange UM servers and Microsoft Lync

A few weeks ago I was troubleshooting an issue with the Exchange 2010 UM auto attendant. When we called the attendant and asked to call a user within the organization the call would fail. 
  
This customer has two Exchange UM servers, Node01 and Node02. We configured Exchange UM to use Lync as the UM IP gateway and everything worked well, except the Exchange UM auto attendant. When calling the attendant and asking it to call a user, the call failed. We also saw the following event appearing in the application event log:

Event ID: 1400
Source: MSExchange Unified Messaging
The following UM IP gateways did not respond as expected to a SIP OPTIONS request.
Transport = TLS, Address = lyncpool.domain.com, Port = 5061, Response Code = 0, Message = This operation has timed out.

Event 1400 (Warning/MSExchange Unified Messaging) had been appearing regularly in the event logs on the Exchange UM servers, but I hadn't paid too much attention to it as everything seemed to be working (I had only tested the Exchange UM mailbox and not the auto attendant). Exchange has the Lync Mediation Server pool configured as UM IP gateway using TLS. The TLS certificate that was assigned to Exchange for UM had the following parameters:
  • Common Name: UM.domain.local 
  • Subject Alternative Names: um.domain.local, Node01.domain.local, Node02.domain.local. 
I would like to stress the fact that users were able to access their UM mailbox and were able to retrieve or leave a spoken message in the UM mailbox using Lync, so TLS communication between Lync and Exchange was working.

In order to troubleshoot this, I increased the event logging level on the Exchange servers to Expert for Exchange UM, installed Wireshark to monitor the network traffic, and enabled logging on the Lync servers. I then restarted testing with the Exchange UM attendant calling a Lync user.

As expected the call failed. The application log on the Exchange server and the Lync logging didn't show any useful information, besides that the communication terminated unexpectedly. However, the Wireshark traces showed that only authentication traffic was passing between the two servers. Although the logs did not explicitly show that authentication was failing, I presumed that TLS authentication was failing, as that was the only traffic between the two servers that was recorded.

I inspected the Exchange certificate over and over again, but to my knowledge nothing was wrong with it. After spending hours searching the internet I found two similar cases: one had the same event ID but was using OCS with a wildcard certificate, which was not supported. The other had a single UM server and had opened a call with Microsoft; troubleshooting with Microsoft pointed out that the problem occurred because the Subject name of his certificate was set to the external name of Exchange OWA.

At first I didn't pay much attention to the post, because I was still convinced that all PKI requirements were met. Up to that point I hadn't paid that much attention to the common name value, and only made sure that all the names that could be used in communication with the server array were present in the Subject Alternative Names. The common name was always set to the external name of the server array, which is according to Microsoft best practice:


[Quote]
As a best practice, you should minimize the number of certificates you use for your Client Access servers, reverse proxy servers, and transport servers (Edge and Hub). We recommend using a single certificate for all of these service endpoints in each datacenter. This approach minimizes the number of certificates that are needed, which reduces both cost and complexity for the solution.
[Unquote]

Source: http://technet.microsoft.com/en-us/library/dd638104.aspx 

Running out of ideas, I decided to change the Unified Messaging certificate on one server so that the common name matched the FQDN of that server. I stopped the MSExchangeUM service on the other to make sure the one with the new certificate would be used. I resumed testing and, to my surprise, the attendant was now able to call users through Lync.
 

Surprised by this outcome, I started to wonder about and doubt everything I knew about PKI so far. As with every issue I encounter, I try to explain it to myself in a way that clarifies why it occurred and what I can do to prevent it.

I have been deploying Exchange for many years now and never ran into any issues regarding PKI, so this encounter shook my world. It seemed that the way I was deploying Exchange certificates had a flaw. But if it has a flaw, how come I never ran into any similar issues before?
I have to admit that I haven't deployed a lot of UM server roles, as many enterprises already have an existing solution. But I surely did a fair share of Exchange deployments with multiple Hub/CAS servers and never ran into issues concerning certificates.

Maybe there was nothing wrong with the certificate, and the common name of the array could still be used if I changed the UM server name using the Set-UMServer cmdlet. UM was still pointing to each server individually. But if I change the UM server to represent the name of the array, will we lose high availability? As when round robin is used, clients are pointed to servers that may or may not be online...

What about manageability? If the common name has to be the FQDN of the server, you need to run a certificate request on each server, and each server will have its own private key. If you use one common certificate for all, you need to replace the certificate on all servers if you want them to keep sharing the same private key.

Is there an advantage to using a single shared private key among all your servers? Hmmm, not sure. In the case of Exchange UM surely not, as it is real-time, and in case of failover the session would always be lost. But what about other workloads (SMTP, HTTPS, RPC/MAPI)? No, I don't think so. Even if you have hardware load balancers in place, a new session will be created when a failover occurs.

The more I keep pondering about the subject, the more questions arise in my mind.  
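As an added example (not part of the original post), this PowerShell walks the local machine's personal certificate store and, for every certificate with a private key, reports the Subject CN and the SAN DNS names together with whether either one matches this host's FQDN. Run on each UM node, it would have surfaced the mismatch described above (CN set to the array name, node FQDN only in the SAN) before the TLS troubleshooting started. The store path, the FQDN lookup and the English "DNS Name=" label produced by the formatted SAN extension are assumptions.

```powershell
# Added example, not code from the original post. Assumes Cert:\LocalMachine\My
# holds the service certificates and that the SAN extension formats its entries
# as "DNS Name=<name>" (English locale).
function Get-LocalFqdn {
    try { ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName }
    catch { "$env:COMPUTERNAME.$env:USERDNSDOMAIN" }   # offline fallback
}

function Get-CertNameReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$HostFqdn  = (Get-LocalFqdn)
    )

    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Subject CN: first CN= component of the Subject DN. Simple split; a CN
        # containing an escaped comma would need a proper DN parser.
        $cn = ($cert.Subject -split ',\s*' |
               Where-Object { $_ -like 'CN=*' } |
               Select-Object -First 1) -replace '^CN=', ''

        # SAN DNS names: extension OID 2.5.29.17, formatted as "DNS Name=a, DNS Name=b".
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value })
        }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            SubjectCN      = $cn
            SanDnsNames    = ($sans -join ';')
            CnMatchesHost  = ($cn -ieq $HostFqdn)
            SanMatchesHost = ($sans -icontains $HostFqdn)
            NotAfter       = $cert.NotAfter
        }
    }
}

# A certificate with SanMatchesHost = True but CnMatchesHost = False is exactly
# the shape the post ended up changing on the UM server.
Get-CertNameReport | Format-Table -AutoSize
```

The report is read-only, so it can be run on every node of an array and compared side by side; a certificate whose CN carries the array name while only the SAN carries the node name is the pattern the post describes.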

Sunday, March 18, 2012

Windows Server 8 - DCPromo? Install a domain controller using the command line.

I am playing around with Windows Server 8 and wanted to set up the first domain controller for the Windows Server 8 test domain. Since I like the command line, I configured the IP address using netsh and changed the computer name using netdom. After the reboot I reopened PowerShell and ran "DcPromo", which gave me the following answer:
Darn, did DCPromo get removed? No, I do not want to use Server Manager, I want to use the command-line tools ;). Let's try CMD.
Doh, what about PowerShell cmdlets?
First we import the Server Manager module to check the availability of Active Directory Domain Services:
[Code]
Import-Module Servermanager
Get-WindowsFeature
[/code]
The feature we were looking for is "AD-Domain-Services".
Add the feature using the Add-WindowsFeature cmdlet:
[Code]
Add-Windowsfeature AD-Domain-Services
[/Code]
Once the feature is installed you get access to a new PowerShell module. You can always check the installed modules by using the Get-Module cmdlet.
The new module that becomes available is ADDSDeployment. Import the new module:
[Code]
Import-Module ADDSDeployment
[/Code]
Now we are finally ready to install the Active Directory roles.
I used the following command for setting up my Windows Server 8 test forest/domain:
[Code]
Install-ADDSForest -CreateDNSDelegation:$False -DataBasePath:C:\NTDS\ADDSDB -ForestMode Win8 -DomainName W8Test.local -DomainMode Win8 -DomainNetBiosName W8Test -InstallDNS:$True -LogPath C:\NTDS\Log -SysvolPath C:\NTDS\Sysvol -RebootOnCompletion:$True
[/Code]
You can also add the -Force parameter if you do not want to be prompted.

On completion the server reboots, and we have deployed our first Windows Server 8 domain controller in our new Windows Server 8 forest and domain.
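As an added example (not the post's own command), the following wraps the same installation in a function written for the released ADDSDeployment module (Windows Server 2012 and later), where the forest and domain mode value is Win2012 and the reboot is suppressed with -NoRebootOnCompletion rather than -RebootOnCompletion:$False. It first runs Test-ADDSForestInstallation, which validates the same parameter set without making changes, and only calls Install-ADDSForest if that check reports Success. The domain name, NetBIOS name and paths are lab placeholders.

```powershell
# Added example, not the original post's command. Targets the released
# ADDSDeployment module (Server 2012 and later); names and paths are lab placeholders.
function Install-LabForest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DomainName  = 'w8test.local',
        [string]$NetbiosName = 'W8TEST',
        [string]$Root        = 'C:\NTDS'
    )

    Import-Module ServerManager
    if (-not (Get-WindowsFeature AD-Domain-Services).Installed) {
        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    }
    Import-Module ADDSDeployment

    # The DSRM password is mandatory for the dry run as well as the real install.
    $dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

    $params = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        ForestMode                    = 'Win2012'
        DomainMode                    = 'Win2012'
        InstallDns                    = $true
        CreateDnsDelegation           = $false
        DatabasePath                  = "$Root\ADDSDB"
        LogPath                       = "$Root\Log"
        SysvolPath                    = "$Root\Sysvol"
        SafeModeAdministratorPassword = $dsrm
        NoRebootOnCompletion          = $true
    }

    # Dry run: same parameter set, no changes made. Stop on anything but Success.
    $check = Test-ADDSForestInstallation @params
    if ($check.Status -ne 'Success') {
        Write-Warning "Pre-flight failed: $($check.Message)"
        return $check
    }

    if ($PSCmdlet.ShouldProcess($DomainName, 'Install-ADDSForest')) {
        Install-ADDSForest @params -Force
    }
}

Install-LabForest -WhatIf   # preview; remove -WhatIf to run the dry run and install
```

Keeping the database, log and SYSVOL paths under one root, as the post does, makes the pre-flight output easy to read when a path is not writable; with -NoRebootOnCompletion the reboot is left to the operator after the output has been checked.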

Wednesday, March 14, 2012

Bus Crash Switzerland

Last night a terrible accident happened in a Swiss tunnel, taking the lives of 28 people, of which 22 were children. As a father of 3 I would like to express my deepest condolences to the ones who are left behind.

Monday, February 20, 2012

Decommission Lync 2010 standard pool

A lot of companies start with a Lync Standard Edition server in a POC; when the POC is approved they want to upgrade their Standard pool to an Enterprise pool. You cannot upgrade your existing Standard pool to an Enterprise pool, but have to create a new Enterprise pool, which I did.

First, a bit of explanation about the Proof of Concept. The customer's networks are basically islands, with only a limited number of ports opened between them. As a result, when two users located on different networks try to communicate with each other, the client ports are blocked and they need to use an Edge server's MCU to communicate successfully. So in the POC two servers were deployed: a single Edge server and a single Standard Edition Front End server/pool.
The POC was deployed in the production environment, where Exchange UM and multiple applications were integrated as trusted applications in Lync. A PBX gateway and a voice route were also defined.

As this is a production environment with real user accounts, it seemed best to deploy the new environment alongside the existing POC deployment. After the new deployment was in place the users were migrated to the new pool:

[Code]
Get-CsUser | Where-Object {$_.RegistrarPool -like "lcsserver.contosso.com"} | Move-CsUser -Target lcspool01.contosso.com
[/Code]

The following step is to move the conference directory to the new pool:

[Code]
# Conference directories expose the owning pool in ServiceId (e.g. "UserServer:lcsserver.contosso.com"), not in a RegistrarPool property
Get-CsConferenceDirectory | Where-Object {$_.ServiceId -like "*lcsserver.contosso.com*"} | Move-CsConferenceDirectory -Target lcspool01.contosso.com
[/Code]

As Exchange UM was set up, we needed to move the Exchange UM contact objects as well:

[Code]
# The Lync cmdlets for Exchange UM contacts carry the Cs prefix
Get-CsExUmContact | Move-CsExUmContact -Target lcspool01.contosso.com
[/Code]

Then I launched the Lync Topology Builder, removed the association of the Front End pool with the Edge pool, removed the PSTN gateway and removed the voice route:
[Code]
Get-CsVoiceRoute | Remove-CsVoiceRoute
[/Code]

Removed the trusted application servers.
Removed the Edge server.
Published the topology and ran the deployment wizard on all servers to update their configuration.

Checked and moved the remaining application endpoints:
[Code]
Get-CsApplicationEndpoint | Where-Object {$_.RegistrarPool -like "lcsserver.contosso.com"} | Move-CsApplicationEndpoint -Target lcspool01.contosso.com
[/Code]

Opened the Topology Builder again, removed the Standard Edition Front End pool and published the topology. Be sure to wait for replication between the different steps; advancing too fast can result in temporary errors.
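As an added example (not from the original post), the following function runs the inventory a practitioner would want before the final topology publish: it counts users, Exchange UM contacts, trusted application endpoints and conference directories still homed on the old pool and reports whether anything is left. It is meant for the Lync Server Management Shell; the pool name is the post's placeholder.

```powershell
# Added example, not the original post's code. Run from the Lync Server
# Management Shell; the pool name is a placeholder taken from the post.
function Get-OldPoolLeftovers {
    param([Parameter(Mandatory)][string]$OldPool)

    # Users, Exchange UM contacts and application endpoints expose RegistrarPool;
    # conference directories expose the pool in ServiceId ("UserServer:<pool fqdn>").
    $users      = @(Get-CsUser                | Where-Object { "$($_.RegistrarPool)" -like "*$OldPool*" })
    $umContacts = @(Get-CsExUmContact         | Where-Object { "$($_.RegistrarPool)" -like "*$OldPool*" })
    $endpoints  = @(Get-CsApplicationEndpoint | Where-Object { "$($_.RegistrarPool)" -like "*$OldPool*" })
    $confDirs   = @(Get-CsConferenceDirectory | Where-Object { "$($_.ServiceId)"     -like "*$OldPool*" })

    $total = $users.Count + $umContacts.Count + $endpoints.Count + $confDirs.Count

    [pscustomobject]@{
        Pool                  = $OldPool
        Users                 = $users.Count
        ExUmContacts          = $umContacts.Count
        ApplicationEndpoints  = $endpoints.Count
        ConferenceDirectories = $confDirs.Count
        SafeToRemove          = ($total -eq 0)
        # Keep the identities so a stray object can be moved individually.
        RemainingIdentities   = @($users + $umContacts + $endpoints + $confDirs | ForEach-Object { "$($_.Identity)" })
    }
}

Get-OldPoolLeftovers -OldPool 'lcsserver.contosso.com' | Format-List
```

Because Central Management Store replication lags behind each move, run the inventory again a few minutes after the last Move-* cmdlet; a non-zero count right after a move is usually replication delay rather than a failed move, which is the "temporary errors" the post warns about.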

Sunday, February 19, 2012

PowerShell: Get service status compared to startup type.

I like using command-line tools instead of the GUI. One of my favourites is surely PowerShell. Now what I find disappointing is that you cannot get the startup type of a service using the Get-Service cmdlet. The only way to get the startup type and compare it to the current status is to use WMI.

The following command lists the services whose startup type is set to Automatic but whose current status is Stopped.

[Code]
Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State='Stopped'" | Sort-Object DisplayName | Format-Table DisplayName, StartMode, State
[/Code]
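As an added example (not the post's one-liner), the same check done through CIM and extended with two fields that decide whether a stopped automatic service is actually a problem: the DelayedAutoStart flag (exposed by Win32_Service on Windows 8 / Server 2012 and later), since delayed-start services are legitimately stopped for a while after boot, and the service exit code, which separates a clean stop from a failure. The account column is included because an automatic service that is unexpectedly stopped is worth a second look on a server.

```powershell
# Added example, not the original post's code. Uses Get-CimInstance (PowerShell 3+);
# on older systems DelayedAutoStart is absent and every match is reported.
function Get-StoppedAutoService {
    param([switch]$IncludeDelayed)   # delayed-start services are excluded by default

    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State='Stopped'" |
        Where-Object { $IncludeDelayed -or -not $_.DelayedAutoStart } |
        Sort-Object DisplayName |
        Select-Object DisplayName, Name, StartMode, State, DelayedAutoStart, ExitCode, StartName
}

Get-StoppedAutoService | Format-Table -AutoSize
```

An ExitCode of 0 alongside State = Stopped means the service exited cleanly (or was stopped by an administrator); any other value is the Win32 error that ended it and points at the event log entry to read next.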