TMG2010: Server Configuration does not match the stored configuration

Issue: Not synced; the server configuration does not match the stored configuration.


Cause: FF TMG 2010 Array certificates expired.

Solution: The following steps fix the issue. Please note that I am describing the situation where my TMG 2010 Enterprise array is deployed in a workgroup.

Step 1: Run the ISA BPA on a TMG 2010 array member


Step 2: Verify the certificate expiry date

1. From the Start menu, click Run. Type MMC, and then click OK.

2. In MMC, click File, and then click Add/Remove Snap-in.

3. Click Add to open the Add Standalone Snap-in dialog box.

4. From the list of snap-ins, select Certificates, and then click Add.

5. Select Service account and click Next.

6. Click Next.

7. Select ISASTGCTRL and click Finish.

8. Browse to ADAM_ISASTGCTRL\Personal > Certificates.

9. Open the certificate to see if it is expired.

Step 3: Create a request.inf file. Open Notepad, paste the following into it, and modify the CN and domain details to suit your environment. Save the file as request.inf. An example of the .inf file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=myTMG.mydomain.com"
EncipherOnly = FALSE
Exportable = TRUE
KeyLength = 1024 ; 2048 is the current recommended minimum
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer

Step 4: Request a certificate from the root/subordinate CA

Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new -f request.inf certnew.req

Important! This command uses the information in request.inf to create a request in the format specified by the RequestType value in the .inf file. When the request is created, the public/private key pair is generated automatically and placed in a request object in the enrollment requests store on the local computer.

Step 5: Submit the request and obtain the certificate

Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -submit certnew.req certnew.cer

Important! certnew.req was generated by the previous command; certnew.cer is the issued certificate you are looking for.

An alternative way of submitting the request to the CA:

  1. Open Certification Authority.
  2. Right-click the CA server > All Tasks > Submit new request.
  3. Point to the location of the certnew.req file.
  4. Save the certificate as certnew.cer in the preferred location.

Step 6: Convert the certificate into .pfx format

Import the certificate certnew.cer on the server or an admin workstation:

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Import. The Certificate Import Wizard appears. Click Next.

10. Browse to the location of the certnew.cer file.

11. Complete the import.

To export a certificate in PFX format using the Certificates snap-in

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.

10. On the Export Private Key page, click Yes, export the private key. Click Next.

11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

13. Follow the pages of the wizard to export the certificate in PFX format.
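Steps 3 to 6 as one script, added here as an example and not part of the original post: it writes the same request.inf with straight quotes (KeyLength raised to 2048), runs certreq to create, submit and accept the request, performs the expiry check from Step 2, and exports the PFX with certutil. It assumes an elevated prompt on the array member that makes the request (the private key exists only there), and $Subject, $CaConfig and $PfxPassword are placeholders.

```powershell
# Example added to this post (not the author's code): Steps 3-6 with
# certreq/certutil. Placeholders to replace before running:
$Subject     = "CN=myTMG.mydomain.com"           # CN of this array member
$CaConfig    = "ca01.mydomain.com\MyIssuingCA"   # CA config string: host\CA name
$PfxPassword = "ChangeMe"                        # protects the exported private key
$Work        = "C:\TMGCert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 3: the request.inf from the post, written with straight quotes
# (curly quotes copied from a web page make certreq reject the file).
# KeyLength is raised from 1024 to 2048, the current recommended minimum.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
EncipherOnly = FALSE
Exportable = TRUE
KeyLength = 2048
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Step 4: build the request; the key pair goes into the machine key store.
certreq -new -f "$Work\request.inf" "$Work\certnew.req"

# Step 5: submit to the CA and collect the issued certificate.
certreq -submit -config $CaConfig "$Work\certnew.req" "$Work\certnew.cer"

# Bind the issued certificate to its private key in LocalMachine\My.
# On the requesting machine this gives the same result as the MMC import of Step 6.
certreq -accept "$Work\certnew.cer"

# The check from Step 2: locate the new certificate and confirm it is valid.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Subject with a private key in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) is already expired" }
"Thumbprint {0}, valid until {1}" -f $cert.Thumbprint, $cert.NotAfter

# Step 6: export certificate plus private key as PKCS #12 for the TMG console.
certutil -p $PfxPassword -exportPFX My $cert.Thumbprint "$Work\certnew.pfx"
```

The resulting certnew.pfx is what Step 7 imports through the TMG console on each array member.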

Step 7: Import the certificate into the TMG array

Log on to the TMG server.

Open the Forefront TMG 2010 console.

Click System > click the server that is one of the array members > click Import Server Certificate in the task pane > browse to the certnew.pfx certificate and import it.

Click OK.

Click Refresh on the System node.

Step 8: Repeat all the steps on every array member

Step 9: Refresh the array members and check the system


Check the TMG-related services.

Special thanks to Raihan Al-Beruni

Windows Server 2012 Release Candidate Build 8400 in VMware Workstation Technology Preview 2012

This procedure describes how to install Windows Server 2012 in VMware Workstation. The following versions are used:

  • VMware Workstation Technology Preview 2012 e.x.p Build-646643
  • Windows Server 2012 Release Candidate Datacenter Build 8400

In VMware Workstation Technology Preview 2012 create a new VM with the following settings:

  • New Virtual Machine
  • Custom (advanced)
  • Workstation Tech Preview
  • Select “I will install the operating system later”
  • Select “Microsoft Windows” and select as version “Windows 8 x64”
  • Set the Name and Location
  • At least 1 processor, 1 core
  • 2048 MB memory
  • Select “Use network address translation (NAT)”
  • Select “LSI Logic SAS”
  • Create a new virtual disk
  • SCSI
  • 60 GB disk size
  • Leave default disk file
  • Finish
  • After the VM is created, edit the virtual machine settings and browse for the Windows Server 2012 ISO in the CD/DVD option

Edit the VMX file and add the following line to the end of the VMX file (VMX values are quoted strings):

vmGenCounter.enable = "FALSE"

During the installation, choose Windows Server 2012 Release Candidate (Server with GUI).

Special thanks to my colleague Ivo Beerens

Free e-book: Introducing Windows Server 2012

Microsoft has released a free e-book entitled “Introducing Windows Server 2012”.

The introduction:

“…Windows Server 2012 is probably the most significant release of the Windows Server platform ever. With an innovative new user interface, powerful new management tools, enhanced Windows PowerShell support, and hundreds of new features in the areas of networking, storage, and virtualization, Windows Server 2012 can help IT deliver more while reducing costs. Windows Server 2012 also was designed for the cloud from the ground up and provides a foundation for building both public and private cloud solutions to enable businesses to take advantage of the many benefits of cloud computing.

This book represents a “first look” based on the public beta release of Windows Server 2012 and is intended to help IT professionals familiarize themselves with the capabilities of the new platform. Although certain features may change between now and RTM, much of the basic functionality likely will remain as described here, meaning that most of what you learn from reading this book will continue to benefit you as you begin to evaluate and deploy Windows Server 2012 in your own environment…”


Unable to open PST file with mailbox import/export request

When doing an import or export request with the New-MailboxExportRequest or New-MailboxImportRequest cmdlet in Exchange 2010, I got the following error:

Unable to open PST file ‘\\Server\Exports\Test.pst’. Error details: Access to the path ‘\\ExServer1\Imports\Test1.pst’ is denied.;

Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: Access to the path ‘\\Server\Exports\Test.pst’ is denied.

The Mailbox Replication Service (MRS) runs as LocalSystem, so it can't access a network share. LocalSystem reaches a remote share as the server's computer account, and an Exchange server's computer account is a member of the Exchange Trusted Subsystem group. By adding the Exchange Trusted Subsystem group to the share permissions you therefore give the LocalSystem account, and so MRS, access to the share.

Lync Jump Start Series

If you are studying, like me, for the 70-664 & 70-665 Lync exams, the Lync Jump Start series is a good starting point.

Increasing the number of simultaneous mailbox moves in Exchange 2010

Sometimes you want to minimize the time required to move all the mailboxes currently on Exchange 2003 / 2007 to Exchange 2010. To let Exchange 2010 process a high number of mailbox moves simultaneously, you need to change the default configuration as follows:

1. On all Exchange 2010 CAS servers, open the following file in Notepad or any text editor:
X:\Program Files\Microsoft\Exchange Server\V1\Bin\MSExchangeMailboxReplication.exe.config

2. Change the following values (straight quotes, as in the XML file):

MaxActiveMovesPerSourceMDB = "25"

MaxActiveMovesPerTargetMDB = "25"

MaxActiveMovesPerTargetServer = "25"

3. Save the file and restart the “Microsoft Exchange Replication” service.
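The same edit as a script, added here as an example (not the post's own code): it backs up the config file, sets the three attributes from step 2 on the MRSConfiguration element, and restarts the Mailbox Replication service that reads the file. It assumes an administrative Exchange Management Shell on each CAS server and the ExchangeInstallPath environment variable that Exchange setup creates.

```powershell
# Example added to this post (not the author's code): raise the three MRS
# throttling values on this CAS server with a backup of the original file.
$ConfigPath = Join-Path $env:ExchangeInstallPath "Bin\MSExchangeMailboxReplication.exe.config"
$NewValues  = @{
    MaxActiveMovesPerSourceMDB    = 25
    MaxActiveMovesPerTargetMDB    = 25
    MaxActiveMovesPerTargetServer = 25
}

if (-not (Test-Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup
"Backup written to $backup"

# The values live as attributes on <configuration><MRSConfiguration .../>.
[xml]$config = Get-Content $ConfigPath
$mrs = $config.configuration.MRSConfiguration
if (-not $mrs) { throw "No <MRSConfiguration> element found in $ConfigPath" }

foreach ($name in $NewValues.Keys) {
    $old = $mrs.GetAttribute($name)
    "{0}: {1} -> {2}" -f $name, $old, $NewValues[$name]
    $mrs.SetAttribute($name, [string]$NewValues[$name])
}
$config.Save($ConfigPath)

# MSExchangeMailboxReplication is the service that loads this config file;
# the new limits take effect only after it restarts.
Restart-Service -Name MSExchangeMailboxReplication
```

Run it on every CAS server, since each MRS instance reads its own copy of the file.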

Microsoft Deployment Toolkit (MDT) 2012 – RTM

A couple of hours ago, Microsoft released MDT 2012.

It contains numerous bug fixes as well as support for SCCM 2007 and SCCM 2012.

Improvements for All MDT Technologies

The MDT improvements that affect all MDT technologies, which are discussed in a subsequent section, are as follows:

  • Support for upgrading from previous versions of MDT
  • Integration with security and compliance templates generated by Microsoft Security Compliance Manager (SCM) version 2.0
  • Run Windows PowerShell™ scripts within an MDT task sequence
  • Create partitions to support best practice recommendations for deployment of BitLocker® Drive Encryption
  • Automatically configure participation in the Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER)
  • Guidance that describes how to use Microsoft SQL Server® 2008 R2 with Service Pack 1 (SP1) for all database needs within MDT

Improvements for LTI Deployments

MDT includes the following improvements for LTI deployments:

  • Support for Windows 8 Consumer Preview and Windows Server 8 Beta. Note: The deployment of Windows Server 8 Beta roles and features using the Install Roles and Features task sequence action is not supported.
  • Support for the Windows Assessment and Deployment Kit (Windows ADK). Note: Currently, the Windows ADK is only supported for deploying Windows 8 Consumer Preview or Windows 7 in lab environments, not in production environments.

Windows ADK requires the Microsoft .NET Framework version 4.0. If not already installed, the Windows ADK installation installs the Microsoft .NET Framework version 4.0. For more information, see Introduction to the Windows Assessment and Deployment Kit.

  • Monitoring of LTI deployment process. MDT includes the new LTI monitoring feature that allows you to perform centralized monitoring of LTI deployments in the Monitoring node in the Deployment Workbench.
  • Deployment of Windows Recovery Environment (Windows RE). Windows RE helps users troubleshoot and recover from startup-related problems on their computers.
  • Deployment of Microsoft Diagnostics and Recovery Toolkit (DaRT).
  • Deployment to computers that use the Unified Extensible Firmware Interface (UEFI).
  • Deployment to computers that require the new globally unique identifier (GUID) Partition Table (GPT) format.
  • Deployment to virtual hard disks (VHDs) for native boot.
  • Support for Windows Thin PC.
  • Support for Windows Embedded POSReady 7.
  • Add local administrator accounts.
  • Deployment Wizard user experience improvements.

Improvements for Configuration Manager Deployments

MDT includes the following improvements for MDT deployments with Configuration Manager 2012 or Configuration Manager 2007 R3:

  • Support for System Center 2012 Configuration Manager. MDT includes support for System Center 2012 Configuration Manager for ZTI and UDI deployments
  • Support for new application model in Configuration Manager 2012.
  • Support for the user device affinity feature in Configuration Manager 2012.
  • Support for prestart command files.
  • Support for automatically starting a specific task sequence.
  • UDI Wizard user experience improvements.
  • The UDI Wizard has been completely revised to improve user experience.
  • UDI Wizard Designer user experience improvements.
  • The UDI Wizard Designer UI has been improved to make configuring the UDI Wizard even easier than previous versions.
  • Support for enabling BitLocker in UDI.
  • Support for MDT Replace Computer deployment scenario.
  • Localization of UDI Wizard.
  • Guidance for customizing UDI.
  • Upgrade tasks sequences created in Configuration Manager 2007 to Configuration Manager 2012.
  • Guidance for Configuration Manager 2007 R3.

Read more and download it from here

Special thanks to Mikael Nystrom

What is the best way to migrate PDAs or tablets from a legacy version of Exchange to Exchange 2010?

In November 2010 Microsoft released a great document: Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.

One thing I missed in that document: what is the best way to migrate PDAs or tablets from a legacy version of Exchange to Exchange 2010?

In most cases you will use TMG as a firewall between the Internet and your internal network.

Some weeks ago I did an Exchange 2010 migration and I did not want a big-bang scenario.

But I had all sorts of phones that are on the market today (iPhone, Android, Windows Phone 7.5, some Windows Mobile phones and also iPads).

The first thing I asked myself when designing the new infrastructure:

Domain Joining Forefront TMG or Leaving in a Workgroup

In most organizations, the decision whether to domain-join the server hosting Forefront TMG to your production domain may be one of the most important parts of the deployment.

Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate-based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate with Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. If you are not sure whether to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member.

I think the best practice is to domain join TMG, because it makes your life a lot easier.

First, I created an Exchange 2010 group in Active Directory.

Second, make the Exchange 2010 group available in TMG.

Third, create four rules: two for Exchange 2010 (OWA and ActiveSync) and two for your legacy server or servers (OWA and ActiveSync).

Fourth, make sure that the Exchange 2010 rules are above the legacy rules.

Fifth, on the Exchange 2010 rules, change All Authenticated Users to the Exchange 2010 group. (After the migration, delete the legacy rules and change the Exchange 2010 group on the 2010 rules back to All Authenticated Users.)


Sixth: When you do a mailbox move, you put the user in the Exchange 2010 group.
Why, you think? When the user is in the Exchange 2010 group, the PDA will use the Exchange 2010 rule. When the user is not in the Exchange 2010 group, the legacy rule will do the trick.
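A script for the sixth step, added here as an example and not the post's own code: after each batch of mailbox moves it puts every mailbox that now lives on an Exchange 2010 server into the group used by the Exchange 2010 publishing rules, and flags group members whose mailbox is still on a legacy server (their devices would already hit the Exchange 2010 rule). It assumes an Exchange 2010 Management Shell with the ActiveDirectory module available; $GroupName is a placeholder for the group from the first step.

```powershell
# Example added to this post (not the author's code): keep the TMG group
# in step with the mailbox moves.
Import-Module ActiveDirectory
$GroupName = "Exchange 2010"    # placeholder: the group used in the TMG rules

# Mailbox servers running Exchange 2010 (major version 14).
$e2010Servers = @(Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -and $_.AdminDisplayVersion.Major -eq 14 } |
    ForEach-Object { $_.Name })

# Current group membership, keyed by distinguished name for fast lookup.
$members = @{}
foreach ($m in @(Get-ADGroupMember -Identity $GroupName -Recursive)) {
    $members[$m.DistinguishedName] = $true
}

$added = @(); $warnings = @()
foreach ($mbx in @(Get-Mailbox -ResultSize Unlimited)) {
    $on2010  = $e2010Servers -contains $mbx.ServerName
    $inGroup = $members.ContainsKey($mbx.DistinguishedName)
    if ($on2010 -and -not $inGroup) {
        # Mailbox has moved: from now on TMG must apply the Exchange 2010 rule.
        Add-ADGroupMember -Identity $GroupName -Members $mbx.DistinguishedName
        $added += $mbx.Alias
    } elseif ($inGroup -and -not $on2010) {
        # In the group too early: the device would be sent to the Exchange 2010
        # rule while the mailbox is still on the legacy server.
        $warnings += "{0} is in '{1}' but its mailbox is still on {2}" -f $mbx.Alias, $GroupName, $mbx.ServerName
    }
}
"Added to {0}: {1}" -f $GroupName, ($added -join ", ")
$warnings
```

Group membership is evaluated when the device authenticates, so a user added here picks up the Exchange 2010 rule on the next sync.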

I migrated about 300 users with random PDAs and tablets this way, with no downtime at all.

Screenshot from the TMG rules.

Set Exchange 2010 Virtual Directories

With the following PowerShell commands you set all the Exchange 2010 virtual directories:

Set-ClientAccessServer -Identity ward-ex2010 -AutoDiscoverServiceInternalUri https://casarray.hyperv.local/Autodiscover/Autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "ward-ex2010\EWS (Default Web Site)" -ExternalUrl "https://webmail.wardvissers.nl/ews/exchange.asmx" -InternalUrl "https://casarray.hyperv.local/ews/exchange.asmx"

Set-OABVirtualDirectory -Identity "ward-ex2010\oab (Default Web Site)" -InternalUrl http://casarray.hyperv.local/oab -ExternalUrl https://webmail.wardvissers.nl/oab

Enable-OutlookAnywhere -Server ward-ex2010 -ExternalHostname "webmail.wardvissers.nl" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

Set-ActiveSyncVirtualDirectory -Identity "ward-ex2010\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://casarray.hyperv.local/Microsoft-Server-Activesync -ExternalURL https://webmail.wardvissers.nl/Microsoft-Server-Activesync

Set-ECPVirtualDirectory -Identity "ward-ex2010\ecp (default web site)" -InternalURL https://casarray.hyperv.local/ECP -ExternalURL https://webmail.wardvissers.nl/ECP

Set-AutodiscoverVirtualDirectory "ward-ex2010\Autodiscover (Default Web Site)" -InternalUrl http://casarray.hyperv.local -ExternalUrl https://autodiscover.nifv.nl
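A check to run after the commands above, added here as an example (not the post's own code): it collects every internal and external URL the CAS hands out, including the OWA directory the post does not set, and reports each host name that is not covered by the certificate enabled for IIS, which is what produces name-mismatch warnings on clients. It assumes an Exchange 2010 Management Shell; $Server is a placeholder for the CAS.

```powershell
# Example added to this post (not the author's code): do the virtual
# directory URLs match the names on the IIS certificate?
$Server = "ward-ex2010"    # placeholder: the CAS configured above

# Every URL clients are told to use.
$urls = @((Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri)
foreach ($vdir in @(Get-WebServicesVirtualDirectory -Server $Server) +
                  @(Get-OabVirtualDirectory -Server $Server) +
                  @(Get-ActiveSyncVirtualDirectory -Server $Server) +
                  @(Get-EcpVirtualDirectory -Server $Server) +
                  @(Get-OwaVirtualDirectory -Server $Server)) {
    $urls += $vdir.InternalUrl, $vdir.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $Server
if ($oa) { $urls += "https://$($oa.ExternalHostname)" }

$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host.ToLower() } | Sort-Object -Unique

# Names on the certificate(s) bound to IIS on this CAS.
$certNames = @(Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

function Test-NameOnCert([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        # A wildcard entry covers exactly one extra label:
        # *.example.com matches webmail.example.com, not a.b.example.com.
        if ($c.StartsWith("*.") -and $Name.EndsWith($c.Substring(1)) -and
            $Name.Split(".").Count -eq $c.Split(".").Count) { return $true }
    }
    return $false
}

foreach ($h in $hosts) {
    $status = if (Test-NameOnCert $h $certNames) { "OK" } else { "NOT ON IIS CERTIFICATE" }
    "{0,-40} {1}" -f $h, $status
}
```

Any host reported as not on the certificate either needs a new certificate with that name or a corrected URL.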

Microsoft Deployment Toolkit (MDT) 2012 RC1

The Solution Accelerators team has released Microsoft Deployment Toolkit (MDT) 2012 RC1, which is available for download on Connect now.

Download the MDT 2012 RC1 release now

New features and enhancements:

Support for Configuration Manager 2012 RC2: This update provides support for Configuration Manager 2012 RC2 releases. MDT 2012 fully leverages the capabilities provided by Configuration Manager 2012 for OS deployment. The latest version of MDT offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and 2012. Users now also have the ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012.

Customize deployment questions: For System Center Configuration Manager customers, MDT 2012 provides an improved, extensible wizard and designer for customizing deployment questions.

Ease Lite Touch installation: The Microsoft Diagnostics and Recovery Toolkit (DaRT) is now integrated with Lite Touch Installation, providing remote control and diagnostics. New monitoring capabilities are available to check on the status of currently running deployments. LTI now has an improved deployment wizard user experience. Enhanced partitioning support ensures that deployments work regardless of the current structure.

Secure Deployments: MDT 2012 offers integration with the Microsoft Security Compliance Manager (SCM) tool to ensure a secure Windows deployment from the start.

Reliability and flexibility: Existing MDT users will find more reliability and flexibility with the many small enhancements and bug fixes and a smooth and simple upgrade process.

Support for Windows 8: The RC1 release of MDT 2012 provides support for deploying Windows 8 Consumer Preview in a lab environment.

Key Benefits:

  • Full use of the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
  • Improved Lite Touch user experience and functionality.
  • A smooth and simple upgrade process for all existing MDT users.

New Features:

For System Center Configuration Manager customers:

  • Support for Configuration Manager 2012 (while still supporting Configuration Manager 2007)
  • New User-Driven Installation components for Configuration Manager 2007 and Configuration Manager 2012
    • Extensible wizard and designer, additional integration with Configuration Manager to deliver a more customized OS experience, support for more imaging scenarios, and an enhanced end-user deployment experience
  • Ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012

For Lite Touch Installation:

  • Integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for remote control and diagnostics
  • New monitoring capabilities to see the progress of currently running deployments
  • Support for deploying Windows to computers using UEFI
  • Ability to deploy Windows 7 so that the computer will start from a new VHD file, "Deploy to VHD"
  • Improved deployment wizard user experience

For all customers:

  • Integration with configuration templates from the Security Compliance Manager Solution Accelerator, ensuring Windows is secure from the start
  • A simple mechanism for running Windows PowerShell scripts during a deployment, with task sequence environment and logging integration
  • Better partitioning support, creating the recommended partitioning structures on new computers and ensuring deployments work regardless of the current structure
  • A smooth and simple upgrade process for all existing MDT users
  • Many small enhancements and bug fixes