Tag: Microsoft

SSL3.0 Enabled after install Exchange 2013 Cumulative update

After installing a cumalitive update on Exchange 2013 SSL3.0 is weer enabled.

With the following script you can disable SSL3.0

DisableSSL3.0.ps1:
$keyPathRoot = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”;
$keyPath = $keyPathRoot + “\SSL 3.0\Server”;
if (!(Test-Path $keyPath))
{
New-Item -path $keyPathRoot”\SSL 3.0″ -ItemType key -Name “Server” -Force;
}
Set-ItemProperty -path $keyPath -name “Enabled” -value 0x0 -Type DWORD -Force;

Thnx Andy David for the tip Smile

Configure your Exchange 2016 server with Configure-Echange2016.ps1

The Script is based on my Configure Exchange 2013 Script Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

At this moment there is only v1.0 so now new features.

You can download this script here:
https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2016-0e3c8288

Configure your Exchange 2013 server with Configure-Echange2013.ps1 Updated to V3.2

Updated to V3.2

Change List:

# V1.0 Begin
# V1.1 Added Some New Options 12-10-2014
# V1.2 Added Hyper-V Best Practise & NTFS Partition Offset
# V1.3 Added KB2995145 .NET Framework 4.5 garbage collector heap Fix
# V1.4 Added Set Minimum Disk Space Warning level (180GB Default CU6 200GB CU5)
# V1.5 Added Some new features
# V1.6 Changed the Layout & Add Move Arbitration Mailbox
# V1.7 Added PST Export & KB2990117
# V1.8 Added Full backup, Database in GB and Mailbox Size in GB Export CSV
# V1.9 Added Outlook AnyWhere & SafetyNetHoldTime
# V2.0 Added Check DatacenterActivationMode, Get-DatabaseAvailabilityGroupNetwork, Add Static Route, Disable Replation Network on DAG, Database Copies Per Volume (AutoReseed)
# V2.1 Added Edge Subscription
# V2.2 Added Check Transaction Log Growth
# V2.3 Changed the Menu to Submenu’s
# V2.4 Added Check Database White Space
# V2.5 Added MAPI HTTP External URL
# V2.6 Fixed OWA Virtual URL & HTTP URL
# V2.7 Added Fixes & Mountpoints & Changed Set Minimum Disk Space Warning Level from REG to GlobalOverride
# V2.8 Maintaince Added
# V2.9 Set Power to Highperformance
# V3.0 Check of Microsoft.Exchange.Management.PowerShell.SnapIn is loaded
# V3.1 Added Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com & Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
# V3.2 VMware Best Practises & Fixed soms things

Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

MDT 2013 Update 2 Automatically move computers to the right OU.

On December 2010 i wrote an article: automatically move computers to the right OU.
In MDT 2012 update 1 this was an issue: MDT 2012 settings per task sequence

In MDT 2013 Update 2 this is still a issue:

How to fix:

I changed DeployWiz_SelectTS.vbs file and it work again Glimlach

1. Edit DeployWiz_SelectTS.vbs
2. Add after “Dim sTemplate”
Dim sCmd
Set Oshell = createObject(“Wscript.shell”)
3. Add before “End Function” (bottom of page)
sCmd = “wscript.exe “”” & oUtility.ScriptDir & “\ZTIGather.wsf”””
oItem = oSHell.Run(sCmd, , true)

Download DeployWiz_SelectTSMDT2013Update2.7z

Don’t forget to change every TaskSequence

clip_image002

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command: 
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

New Training Platform: Learn @ KEMP

Ward Vissers Blogging About Microsoft Exchange VMware and other interresting things about ICT

Your gateway to becoming proficient in all things KEMP is here! We have recently launched our Learn @ KEMP Training Portal, making it easy for you to:

• Learn about KEMP’s Series of Load Balancers.
• Get certified at all levels ranging from Sales to Advanced Technical Training.
• Explore our wealth of resources, from our “Expert Series” webinars to detailed configuration templates.
• Engage with Support & Sales through chat, community forums, blogs, social media or just regular email.

Start your learning journey today! Register for Learn @ KEMP

Once you achieve certification at any level, you will see your Badge Status update in real time, and have access to your certificate in the “My Account” section. Moreover, you can share the news of you becoming KEMP certified on LinkedIn, Facebook, Twitter etc.

Learn at KEMP Training

If you are supporting, designing, implementing, configuring or managing a KEMP LoadMaster load balancer, consider making the KEMP Certified Engineer (KCE) your immediate certification goal.

However, if you are in sales and need to know just the basics you should aim to complete our Essentials training course and achieve your KEMP Certified Salesperson badge and certificate.

For the best learning experience, the Learn at KEMP training is structured so that you complete each course level and achieve your certifications, starting off with Essentials, before you move on to the next level.

Could you be one of the select few to achieve the GOLD standard of KEMP Certified Master?

RVTools version 3.8 is now available

RVTools is a windows .NET 2.0 application which uses the VI SDK to display information about your virtual machines and ESX hosts. Interacting with VirtualCenter. RVTools is able to list information about VMs, CPU, Memory, Disks, Partitions, Network, Floppy drives, CD drives, Snapshots, VMware tools, Resource pools, Clusters, ESX hosts, HBAs, Nics, Switches, Ports, Distributed Switches, Distributed Ports, Service consoles, VM Kernels, Datastores, Multipath info and health checks. With RVTools you can disconnect the cd-rom or floppy drives from the virtual machines and RVTools is able to update the VMware Tools installed inside each virtual machine to the latest version.
rvtools_small.jpg
Version 3.8 (March, 2016)

  • VI SDK reference changed from 5.5 to 6.0
  • on vInfo tab page new field: ChangeVersion unique identifier for a given version of the configuration
  • on vInfo tab page new field: HA VM Monitoring status
  • on vInfo tab page new fields: Number of supported monitors and Video RAM in KB.
  • on vInfo tab page new field: Config status.
  • Config issues are visible on the vHealth tab page
  • on vInfo tab page new field: OS according to the VMware Tools
  • on vTools tab page new fields: App state, App heartbeat status and Kernel crash state
  • on vTools tab page new fields: Operations availability, State change support and
  • Interactive Guest Operations availability
  • on vHost tab page new field: NTPD running state.
  • NTP issues are visible on the vHealth tab page
  • on vHost tab page new field: Config status.
  • Config issues are visible on the vHealth tab page
  • on vCluster tab page new field: Config status.
  • Config issues are visible on the vHealth tab page
  • on vDatastore tab page new field: Config status.
  • Config issues are visible on the vHealth tab page
  • on vSC+VMK tab page new fields: IP 6 Address and IP 6 Gateway
  • all VM related tab pages now have a VM Object ID and VM UUID columnsall VM related tab pages now have powerstate and template columns
  • all tab pages. Now have a vCenter UUID column (= unique identifier for a vCenterServer)
  • all VM related tab pages. The Custom Attributes columns are now ordered alphabetically
  • all tab pages. A select is now a full row select so it is easier to follow the information across many columns
  • bug fix: Refresh data issue on vRP and vCluster tab pages solved
  • bug fix: Filter issue on vCluster tab page solved
  • bug fix: On vInfo tab page the HA information was not filled with cluster default values
  • bug fix: Content Libraries vmdk files are no longer reported as possible zombie files
  • bug fix: msi installer sometimes installs RVTools in root of c:\ drive. This is solved now.

Exchange Server 2016 Cumulative Update 1 May Cause Edge Server to Reject Email to Valid Recipients

News of a bug with Exchange Server 2016 Cumulative Update 1 has emerged, with some customers running Exchange 2016 Edge Transport servers finding that the Edge server rejects emails sent to valid email addresses.

First reported by MVP Norbert Klenner, details of the bug have been added to the release notes for Exchange 2016.

Edge Transport servers can reject mail sent to valid recipients Exchange 2016 Edge Transport servers may reject messages sent to valid internal recipients when the following are true:

  • Exchange 2016 Cumulative Update 1 (CU1) is installed on the server.
  • Recipient validation is enabled on the server.

When an Edge Transport rejects a message because of this issue, the sender will receive a non-delivery report (NDR) with the status code 5.1.10, and the errorRecipient not found by SMTP address lookup. The recipient won’t receive the message.

From testing it appears that this bug impacts Edge Transport servers receiving email directly from the internet. Edge Transport servers that are used for hybrid mail flow with Exchange Online do not appear to be affected by this bug.

Microsoft’s advice to customers affected by this bug is to either:

  1. Disable recipient validation on Exchange 2016 CU1 Edge Transport servers
  2. Route inbound email to an Edge Transport server that has not been upgraded to Exchange 2016 CU1
  3. Route inbound email directly to a Mailbox server

If you prefer not to bypass their Edge Transport server, and don’t have a non-CU1 Edge to route email to, then disabling recipient filtering on the Edge Transport server involves running the following command on the Edge Transport server:

Set-RecipientFilterConfig -RecipientValidationEnabled $False

Source

Exchange Updates installing slow on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

“%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.

Cumulative Update 1 for Exchange Server 2016

Exchange Team released:  Cumulative Update 1 for Exchange Server 2016

Issues that the cumulative update fixes

KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange Server 2016 Cumulative Update 1 (KB3134844), Download, UM Lang Packs

Translate »