Saturday, November 21, 2009

Installing OpenFire IM Server on Debian 5

It has been a long while since my last post, but I am back and will try to make it more of a commitment now to update my blog. During the time I was away, I used some of my time to start exploring Linux. It is not a secret that Open Source GNU/LINUX is making a lot of headway now and I must say that as a beginner in Linux, something tells me that I will be starting to use it more and more.

There are several variants of LINUX and I don't want to go about its history. I had to select a distribution to start playing around with and searching around led me to Debian which is one of the more stable and supported distributions out there. (I guess I don't need to mention its free!)

On the topic of OpenSource software, my need to learn LINUX I must admit embarrassingly was more of a necessity than desire. One of the best known OpenSource softwares out there is OpenFire, it is a jabber Instant Messaging Server with provisions for a lot of cool plugins that can give Office Communications Server a good run for its money. I had the need to implement this on my workplace which has brought me back here to my blog after a long hiatus.

Setting up Debian is no different from any Operating System Installations out there, you boot from the CD (you can also setup a network installation source by the way), follow the install prompts and hit next-next-next. It is good to understand Linux's partitioning system but for me as a beginner I just go with LVM and keep the suggested partition scheme during installation.

I don't have a lot of screenshots during my debian install and setup. But I will be detailing most of the post install tasks i have done to setup my Debian system for installing OpenFire. When i started setting up Debian, I have heard a lot of good comments on Debian's application packaging system and I must say that this is the part i had most fun. Basically you start of with the Base OS system just like if you are used to Windows Server Operating Systems, then you can add and remove roles or features thru your Debian's application packaging system.

To setup your OpenFire IM Server on Debian, you will be having an outline of tasks as similar below:

1) Install Debian 5 aka "Lenny" Server (latest version is 5.0.3 during the time of my post)
2) Install package openssh-server (needed for terminal management)
3) Update your /etc/apt/sources.list to add some mirrors to get the install package for sun-java6-jre (this is required by Openfire java version was latest that i used for the time being)
4) Install mysql-server (I went OpenSource all the way, so I decided to to use MySQL although you can use Openfire's embedded database)
5) Create your Openfire Database on MySQL
6) Install the Openfire package via dpkg - (downloadable from ingniterealtime website the file will end with a .deb extension)
7) Import the schema file from the
resources/database of your Openfire installation directory
8) Fire up the Openfire setup wizard (screenshots will be shown later)

If you follow this outline, you will be able to setup your own Openfire IM server ready for use in your environment.

You can use the repository mirrors (basically sources of updates and application packages for Debian) below and edit your sources.list to add the non free repositories to obtain the sun-java6-jre package.

deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main
deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main


You need to issue an apt-get update command after modifying your sources.list file. After that you can do an apt-cache search sun-java6-jre to search for the package on the repositories. You can also issue an apt-cache show sun-java6-jre to get details on the package before installing. Once you sure you have the right app package you can issue apt-get install sun-java6-jre to install the package. This is the part where I had the most fun, installing the packages after the base OS installation. This is where a lot of buzz on Debian are about. They have a great packaging system and installing those packages is a lot of fun.


A sample screenshot of my installation of MySQL is shown below. Basically installing sun-java6-jre will be similar.




After installing the prerequisites, create the openfire database by issuing the command mysql –u root –p create database databasename; the –u specifies the mysql root account and –p prompts for the password which you will be asked during your installation of mysql.


You can install the openfire application you have downloaded from the igniterealtime site. The latest version during the time of this blog is 3.6.4. You can run the command dpkg –i openfire_3.6.4_all.deb to install openfire. You will be expecting to a couple of warnings during the install and you can follow the community thread here to http://www.igniterealtime.org/community/thread/38487 to check on both warnings. On a personal note, the server I setup seemed to run fine even with this warning prompts during install.


After installing ensure to import the mysql schema before you invoke the Openfire setup wizard. You can issue the command cat openfire_mysql.sql | mysql –u root – p [databaseName];

Once done, fire up a browser and connect to your Openfire server on port 9090 and follow the install prompts. Couple of screenshots shown below.




After completing the setup download your jabber client such as Spark and connect to your openfire server to start using your IM server.

Wednesday, January 21, 2009

Deploying Citrix Presentation Server 4.5/XenApps using SQL Server 2005 Farm Database Part 1

Have not posted for a while but I am back, this will be part 1 of a series of instructional videos you can use to deploy Citrix Presentation Server. As usual let us go through some of the details we will be needing to setup Citrix Presentation Server which is using a remote farm database such as SQL Server 2005.

If you are not familiar with MS Terminal Services then it is about time you get familiarize with this feature of Windows Server 2003. At the time of this writing as we know Citrix Presentation Server is now known as XenApps and supports installations on Windows Server 2008 systems. The concepts and procedures on this training video will be likely similar to the new version.
.
For the infrastructure, your Citrix setup would need a Licensing Server, a Web Interface Server (if you would like you clients to be able to access applications via Web Browser), your Citrix Presentation Server and the farm Database Server.
.
Since Citrix rides on top of Terminal Services, we should have our Terminal Services Licensing Server as well.
.
I would not discuss Terminal Services and Terminal Services Licensing here, but part 2 will show you how to install prerequisites for your Citrix Presentation Server and that will include enabling Terminal Services on Windows 2003. Part1 of this video will now cover setting up Citrix Licensing Server. The part where you need to register at http://www.mycitrix.com/ and obtain the .lic file is not shown here, but what you need to note is that when you register your Citrix license server, you should make sure that you specify your server host name exactly as the case sensitive host name of the machine. You can go the cmd prompt and type "hostname" and copy paste the resulting name on the mycitrix site to ensure you obtain the correct .lic file in the process. After which you can view Part 1 of the training video shown below. Do note that we are installing the Citrix License Management Console on a separate server from our Presentation Server in this video series.

Friday, January 9, 2009

Citrix Presentation Server Installation fails with Error 26013. Function InitializeTree2 returned failure in CTX_MF_IMA_InitializeTree2

If you encounter an error installing Citrix Presentation Server with a similar screen below informing you that the database username and password that you have entered maybe wrong, put in the domainname\username format on the screen for Data Store Access. I did spend some time figuring this out as I knew I entered in correct credentials. If you see the screen below it also does not mention to enter the domain name. Sometimes the simplest things can make you scratch your head too!


For those that are setting up Citrix Farm with an SQL server as the farm database, here is a good link.


Presentation Server and SQL 2005 Configuration


Rename a Computer that Hosts SQL Server 2005

I decided to posts this out to make it more available for others. Did spend some time looking for this article on the net. Here is the exact link.

.
Note that the procedures below does not apply for some conditions such as if you are running a failover cluster and if your server uses reporting services. There are separate procedures for these that is also mentioned on the link above.
.
When you change the name of the computer that is running Microsoft SQL Server 2005, the new name is recognized during SQL Server startup. You do not have to run Setup again to reset the computer name. The following steps cannot be used to rename an instance of SQL Server 2005. These steps can be used only to rename the part of the instance name that corresponds to the computer name. For example, you can change a computer named MB1 that hosts an instance of SQL Server named Instance1 to another name, such as MB2. However, the instance portion of the name, Instance1, will remain unchanged. In this example, the \\ComputerName\InstanceName would be changed from \\MB1\Instance1 to \\MB2\Instance1.
To rename a computer that hosts a stand-alone instance of SQL Server 2005
For a renamed default instance, run the following procedures:

sp_dropserver
GO
sp_addserver , local
GO
Restart the SQL Server instance.

For a renamed named instance, run the following procedures:

sp_dropserver
GO
sp_addserver , local
GO

Restart the SQL Server instance

Just before you apply those update rollups to your Exchange 2007 servers....

I am sure you know by now if you have deployed a couple of Exchange 2007 Servers, that applying update rollups does not seem to be as easy as Next-Next-Next (haha promoting my blog my title). So just before you apply those update rollups for Exchange, you may want to take a look at the following articles.

Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007
http://support.microsoft.com/kb/944752

Managed code services does not start is usually because of the update rollups containing digital signatures which during the installation attempts to do a validation a certificate revocation list (CRL) at crl.microsoft.com/pki/crl/products/CSPCA.crl

So it is quite common for the organizations not to allow their Exchange Servers to go out to the Web and causing this validation during the installation of the rollup for the Exchange Services not to start.

A recommended fix out there is point crl.microsoft.com to 127.0.0.1 in the local hosts file of the servers before the upgrade. I can attest that this might work for some of the servers but in case it does not for all, you can still continue and modify your Exchange Services configuration file manually based on the article above.

For those who have Exchange 2007 servers in different server roles like CCR clustered mailbox servers, you can check the links below before you apply your rollup updates.

How to Install Update Rollups in a Single Copy Cluster
http://technet.microsoft.com/en-us/library/bb885045.aspx

How to Install Update Rollups in a CCR Environment
http://technet.microsoft.com/en-us/library/bb885047.aspx

Thursday, January 8, 2009

Deploying 802.1x Dynamic VLAN authentication for Wired Networks using Cisco ACS 4.2 and Microsoft IAS Radius Servers (Part 2)

In part1 of our Deploying 802.1x Dynamic VLAN authentication for Wired Networks using Cisco ACS 4.2 and Microsoft IAS Radius Servers. We have discussed about setting up the AD security groups and Certificate Infrastructure. We also discussed setting up our RADIUS servers and policies for authentication and VLAN allocation. Now we will discuss configuring the AAA clients which in our scenario right now are Cisco Switches that will be performing 802.1x port authentication by passing Machine credentials to the defined RADIUS servers.

Defining AAA clients on RADIUS servers

Next step in our setup is to define our AAA clients on the RADIUS servers, it involves simply pointing the AAA client's IP on the network and a preshared key that will later be defined on the switch as well. Once you are done you will have a screen similar below.


Configure Authenticating Switches

Now its time for us to configure our Cisco Switches to pass authentication to RADIUS servers and perform per port 802.1x authentication to connecting end devices. You should have a bunch of global commands instructing the switch to perform 802.1x authentication similar to the one below. You can go to Cisco's website to get more information on the commands although I will try to comment on some of the lines.

aaa authentication
dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
dot1x system-auth-control ( define this to see Dot1x commands per interface level )

ip radius source-interface value
radius-server host x.x.x.x auth-port 1645 acct-port 1646 timeout value key value
radius-server host x.x.x.x auth-port 1645 acct-port 1646 timeout value key value

The next 3 commands above instructs the switch where the source RADIUS server's VLAN is located when you have multiple VLANs and also points the RADIUS server hosts. The primary will be the first one defined and secondary will be the second one. The key value is the same pre-shared key used when you define your AAA client on the RADIUS servers.

Once you have these commands set, its time to go per port level and allow switch ports to do dot1x authentication.

switchport access vlan id
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x timeout tx-period value
dot1x auth-fail vlan id
dot1x guest-vlan id
spanning-tree portfast

You can lookup this commands further but basically on this configuration for the guest-vlan and auth-fail vlan, you are configuring where clients will be dumped to if they fail dot1x authentication with the RADIUS servers.

Configure wired client computers for PEAP-MS-CHAP v2 802.1x authentication

Ok now we almost have everything set, the last set is to configure our Dot1x clients which are Windows XP machines in this example. Basically what we need to do is to configure the clients NIC card to perform Dot1x authentication. You can research about GPO policy extension to set this one for the clients but I believe at the time of this writing it is only available in Windows Vista and a Windows 2008 Domain Controller. Just follow the screen below and you should have configured your clients appropriately.

Note that I have cleared the screencap, if the environment is more restrictive, you can define the value of the "Connect to these Servers" field on the client's NIC card. This prevents man in the middle attacks when you are doing the dot1x authentication to your RADIUS servers. Do note that if you are configuring a Windows XP SP3 client note the changes in configuring Dot1x for the network card in this kb article "Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3"

http://support.microsoft.com/kb/949984

Also there are two registry values that you would likely change to control supplicant behavior on the clients. The first one defines that you are performing only Machine Authentication and the second one allows the supplicant client to send stop and start messages for Dot1x. Based on experience, you should set the second registry value as listed below as I have found that some clients do not get authenticated if this value is not set.

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode registry value to 3 (REG_DWORD data type). The default value of SupplicantMode for wired connections is 2.

Verify Wired Connections

Now that you have done configuring your dot1x clients. Verify that you can authenticate to your RADIUS servers and get your VLAN assignment based on your grouping. You can move the clients to another AD security group and test the new VLAN segment once you unplug and replug the network cable for the machine. Lastly I need to mention that for Cisco ACS you may need to install this hotfix on your Windows Dot1x clients as the Windows clients don't work well by default with 3rd party RADIUS servers for PEAP see "PEAP authentication is not successful when you connect to a third-party RADIUS server" on kb http://support.microsoft.com/kb/885453

Before I forget here are the links you can use as reference for your own deployment:

Microsoft:

http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=c9ed3609-49fc-439b-92f4-266b187cae5a&displaylang=en

Cisco:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3

http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/ACSugP.pdf

Hope you guys enjoyed this article. Do comment for additional info or corrections.


Deploying 802.1x Dynamic VLAN authentication for Wired Networks using Cisco ACS 4.2 and Microsoft IAS Radius Servers (Part 1)

Today I am sharing a deployment of 802.1x Dynamic VLAN Authentication for Wired Networks using Cisco's ACS and Microsoft IAS RADIUS Servers. If you are using Microsoft Operating Systems as clients such as Windows XP and Vista machines, two common 802.1x authentication methods that will be supported for use based on Extensible Authentication Protocol (EAP) are EAP-TLS or PEAP-MS-CHAP v2.
.
For this deployment we will be using PEAP-MS-CHAP v2 as the authentication method between our clients and RADIUS servers. You can read about the difference between the two methods but PEAP-MS-CHAP v2 is the preferred method for its effectiveness and lesser administrative overhead. (EAP-TLS requires you to install user certificates aside from computer certificates as well) Another least known authentication method is EAP-MD5 CHAP but it is lessed widely used in 802.1x deployments.
..
As usual let me outline what is needed for our deployment scenario:

  • Configure Active Directory for accounts and groups
  • Configure a certificate infrastructure for PEAP-MS-CHAP v2
  • Configure the RADIUS servers and Policies
  • Deploy and configure authenticating switches as AAA clients defined on our RADIUS servers
    Configure wired client computers for PEAP-MS-CHAP v2 802.1x authentication
    Verify Wired Connections
Caveats when doing Dynamic VLAN authentication with Windows

Before we start I would like to mention that if you are doing this deployment setup, you have to be aware that when doing Dynamic VLAN authentication, your group policies and logon scripts may fail to work if you are performing both Computer and User authentication. The reason I say this is that a Machine doing computer authentication will get an IP address during the bootup process after it has authenticated. Now let us say that you are implementing User authentication as well, if it happens that the user should belong to another VLAN based on your policy, it will trigger a change in VLAN segment during the logon process simultaneously while your logon scripts and GPO are being processed the scripts to fail. Currently this is documented in KB article 935638. http://support.microsoft.com/kb/935638
.
For this reason if you plan to implement Dynamic VLAN with both Computer and User authentication, you should consider investing in a third party supplicant such as Cisco's Secure Client. I will not be dealing with Cisco's Secure Client for this post but once you see how the native MS supplicant is setup you should be able to configure Cisco's Secure Client as well.
.
Configure Active Directory for accounts and groups
.
Ok we are assuming that you already have Active Directory already in place in your environment. With this you could already provision your AD security groups containing Computer Accounts and User Accounts that you would wish to group to a particular VLAN.
.
Configure a certificate infrastructure for PEAP-MS-CHAP v2
.
Next step is to configure a Certificate Infrastructure, you may opt to use Internal Microsoft Certificate Authority, but I do need to mention that you should select an Enterprise Edition of Windows Server if you are using Cisco's ACS for your deployment, ACS requires a duplication of a V2 certificate template which will only be available on Enterprise Edition of Windows. Read my previous post here. Later I will be providing a listing of related links that you can use to start your deployment.
.
Configure the RADIUS servers
.
I will not be dealing with setting up ACS but instead you can read othe guides I will be providing at the end of the article. In this setup we will have ACS as our primary RADIUS server and IAS as the secondary RADIUS server. For IAS, you can proceed with ADD/REMOVE Windows Component on your server and enable the Internet Authentication Service component. Need to note that is recommended to have your RADIUS running on probably one of your Domain Controllers for faster authentication. Once you have IAS running, you would like request for a Server Certificate to support your PEAP infrastructure. Main thing to note is that PEAP only requires a Machine Server Certificate on your IAS server and your authenticating clients only need to have a trusted root certificate of the issuing CA of your RADIUS servers. This simplicity also makes PEAP a favorable choice over EAP-TLS. Ok I have been talking a lot regarding the deployment and now its time for some screenshots.

Ok I have cleared some of the details on the screencap as this represents my actual deployment for one client, two things you need to note is that PEAP certificate field should contain your IAS Server Certificate. If you are using a Domain Controller installed with IAS service, then you will probably have the Domain Controller Certificate already ready to use. This will do as long as the certificate has the Server Authentication key usage attribute. You can check this when you open the certificate and check details tab for the Enhanced Key Usage attribute. For the edit profile tab, the advanced tab is where you configure the policy for Dynamic VLAN. This tells you exactly where to place the machine when it is authenticated. The Tunnel-PVT-Group-ID will actually correspond to your VLAN NAME defined on the switch (case sensitive) and the Tunnel Tag corresponds the VLAN number. After defining our policies we can proceed with configuring the AAA client switches in part2 of our article.

Tuesday, January 6, 2009

Side Note to Changing Expiration Date of Certificates that are issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority

If you do have a requirement of changing the default certificate validity issued by your Windows 2000 or 2003 Certificate for your deployment (Default 1 year for Standalone CA, 2 years for Enterprise CA) then you might have followed the guide on the KB article below.

http://support.microsoft.com/kb/254632

The summary and registry hack is posted below.

SUMMARY


This article describes how to change the validity period of a certificate that is issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority (CA). By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority CA is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs.

For Enterprise CAs, the default registry setting is two years. For Stand-alone CAs, the default registry setting is one year. For certificates that are issued by Stand-alone CAs, the validity period is determined by the registry entry that is described later in this article. This value applies to all certificates that are issued by the CA.

For certificates that are issued by Enterprise CAs, the validity period is defined in the template that is used to create the certificate. Windows 2000 and Windows Server 2003 Standard Edition do not support modification of these templates. Windows Server 2003 Enterprise Edition supports Version 2 certificate templates that can be modified. The validity period defined in the template applies to all certificates issued by any Enterprise CA in the Active Directory forest. One exception is the Subordinate CA certificate templates. There is no validity period defined in this template. Instead, the CA's registry validity period determines the validity period of the Subordinate CA certificate. A certificate that is issued by a CA is valid for the minimum of the following periods of time:


•The registry validity period that is noted earlier in this article.

This applies to the Standalone CA, and Subordinate CA certificates issued by the Enterprise CA.

•The template validity period.
This applies to the Enterprise CA.

Templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.


The expiration date of the CA certificate

A CA cannot issue a certificate with a longer validity period than its own CA certificate. For more information about certificate templates, see the "Implementing and Administering Certificate Templates in Windows Server 2003" white paper. To do this, visit the following Web site:
http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true (http://technet2.microsoft.com/WindowsServer/en/library/c25f57b0-5459-4c17-bb3f-2f657bd23f781033.mspx?mfr=true)


Note The Request Attribute name is made up of value string pairs that accompany the request and that specify the validity period. By default, this is enabled by a registry setting on a Standalone CA only.

To Change the Expiration Date of Certificates That Are Issued by a Windows Server 2003 or a Windows 2000 Server Certificate Authority


To change the validity period settings for a CA, follow these steps.

1.Click Start, and then click Run.
2.In the Open box, type regedit, and then click OK.
3.Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\
4.In the right pane, double-click ValidityPeriod.
5.In the Value data box, type one of the following, and then click OK:


•Days
•Weeks
•Months
•Years
6.In the right pane, double-click ValidityPeriodUnits.
7.In the Value data box, type the numeric value that you want, and then click OK. For example, type 2.
8.Stop, and then restart the Certificate Services service. To do so:


a. Click Start, and then click Run.
b. In the Open box, type cmd, and then click OK.
c. At the command prompt, type the following lines. Press ENTER after each line.
net stop certsvcnet start certsvc
d. Type exit to quit Command Prompt.

I have highlighted important points to consider like the availbility of duplicating templates only being available on Enterprise Edition of Windows. One implementation I can site as an example is Cisco's ACS which required a duplication of templates for its Server Cert so its more likely you would use an Enterprise Edition of Windows as your Root CA or subscribe to a third party CA.

One more note I wanted to add which was why I actually blogged about this article is that If you Duplicate a certificate template and specifiy a longer validity period that what is specified in the registry. The value that will be taken will still be the lesser value of the two.

Meaning Microsoft domain-rooted CA will use either the issuing certificate template validity period or the maximum CA cert validity period defined in the CertSvc registry key, whichever is less.

Monday, January 5, 2009

Increasing Logical Disk Capacity on a drive stored on SAN Storage IBM DS3300

Most of us will be presented with the need of increasing logical disk capacity on drives that are stored in SAN. It may happen that these drives were already presented to the respective Operating Systems and in time, the need to increase the storage space on the server may arise.

I would like to share an experience of performing such an activity. First of all we need to note if your SAN Storage supports the capability of adding space to the hardware RAID container before we can perform this. On the IBM DS range of storage systems, this is supported by either doing the ADD FREE CAPACITY task on the GUI or Storage Manager or via CLI using the script editor.

After you have expanded the array, you can expand the logical drive with the additional free space from the array. On the DS 3300 series, with the Storage Manager 2 client, this can only be done using the script editor.

With which you can use the command below to perform the operation.

set logicalDrive ["DriveNameonSAN"] addCapacity=20 GB;


Now that you have added capacity on the SAN drive, this will be visible on the Operating System and you can use your OS tools to extend the volume. Note that there are conditions that need to be met before you extend the drive and is documented here


Fortunately Windows Server 2008 has the extend feature on Disk Management so you can perform the steps on the GUI similar to the screen below.


Note that before you perform this procedure make sure you know the impact to your applications hosted on the drive to be extended. It does not hurt to do a backup as well but you already know that ;)

Control RMS client Not To Use Outlook By Default in searching Address List

Active Directory Rights Management Services (AD RMS) provides services to enable the creation of information protection solutions. It allows organization to protect sensitive documents and control its consumption through publishing licenses and user rights.

Using AD RMS-enabled applications, such as Office 2003 and Office 2007 a document owner can apply rights to a document file to be consumed by an intended consumer. RMS as a Microsoft feature, is tightly intergrated with MS Office suite of applications.

I would like to share a deployment scenario with RMS which was currently used to apply document permissions to Word, Excel and PowerPoint documents. This organization was not using Outlook as their main mail client since they do not have Exchange in their environment. The way that RMS works is that when someone attempts to publish or consume a rights-protected document, AD RMS identifies the consumer through the Simple Mail Transfer Protocol (SMTP) e-mail address assigned to the consumer's Active Directory logon account. In an organization that uses Exchange, the RMS enabled application uses Outlook to validate email addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions. However, if an organization does not use Exchange and uses another mail client but at the same time the users use Outlook probably for their personal POP3 accounts in example, this could present a nuissance. The default behavior is that the RMS enabled application such as Word will launch an instance of the Outlook address book to query users which on this environment would be empty since there is no Exchange in the environment. (see below)




Ok enough for all that background, there is a registry key that can be used to control this behavior. The following registry key is stated below.


DoNotUseOutlookByDefault
Location:HKCU\Software\Microsoft\Office\12.0\Common\DRMDWORD:DoNotUseOutlookByDefault
Value:
0 = Outlook is used
1 = Outlook is not used
Description:The permissions dialog uses Outlook to validate email addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions.
Users can disable this option using this key
Exists in Office 11:Yes
Exists in Office 12:Yes
Can Be Set by GPO in Office 11:No
Can Be Set by GPO in Office 12:No


After setting this, you will be provided with the default lookup method of browsing through your AD similar to a window when adding Local Users and Groups in Computer Management. One more note to add, make sure your Office 2003 has the latest service pack or this fix would not work. Check out this kb article. http://support.microsoft.com/kb/892542


Sunday, January 4, 2009

Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008

So you have brought in your brand new Windows Server 2008, hooked it up on the network and joined it as a member server in your domain. You decided to make this brand new server a Web Server and enable it for SSL. You open up an IE browser type in your Internal Certificate Authority Servername / certsrv page as you always do and you are suprised to receive an error.
.
.
This is due to the fact that Windows Server 2008 and Vista rely on a different ActiveX component named Certenroll. Your existing Windows 2003 CA uses an ActiveX controll named Xenroll which is now depracated on Windows Server 2008 and Vista. You can make your existing Windows Server 2003 support web enrollment requests from Windows 2008 and Vista by applying the hotfix on this kb article.


http://support.microsoft.com/kb/922706

Bulk Importing Contacts using CSV file on Exchange 2007

Tested this script to import bulk contacts. Note that import will skip your csv contacts if display name column is empty for each contact. Parameter for Organizational Unit is the AD domain name and an AD OU container in this case, OU container name is mail contacts.


Import-Csv -path C:\Contacts\testcontact.csv ForEach { New-MailContact -Name $_.displayName -Firstname $_.Firstname -Lastname $_.Lastname -ExternalEmailAddress $_.Emailaddress -OrganizationalUnit "Domain.local/Mail Contacts" }


Here is a sample of the csv file

Saturday, January 3, 2009

Exchange Remote Connectivity Analyzer

Chanced upon this free tool on the net to test for remote connectivity to your Exchange Servers, it analyzes connections made via RPC over HTTP for your Exchange 2003 or now called as Outlook Anywhere in Exchange 2007. It also can check for Active Sync connectivity and the new Autodiscover service in Exchange 2007. It also allows you to ignore SSL certificate errors when performing the test in case you are not using a third party CA for your deployment.

If you ever wanted to test that your Exchange Deployment for Remote Connectivity, this is one useful tool that you can use. Check it out here.

https://www.testexchangeconnectivity.com/

Exchange 2007 Fast and Easy Certificate Request Tool

Ever wanted an easier way to request for that SAN (Subject Alternative Name) Certificate that you need for your Exchange 2007 Deployment. Now you can using Digicert's Fast and Easy Exchange Certificate Request Tool. Just fillup the details and you will have a certificate request that you can submit to your Certificate Authority.
a
You can check out their site here. https://www.digicert.com/easy-csr/exchange2007.htm


For those who prefer to do it the manual way, you can use this Exchange Management Shell cmdlet. Just replace the fields appropriately for your deployment.

New-ExchangeCertificate -GenerateRequest -SubjectName "C=Country, O=Organization Name, CN=webmail.domain.com" -DomainName alternatename1.domain.com, autodiscover.domain.com, servername.domain.local, servername, autodiscover.domain.local -FriendlyName "OWA CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true

The Curious Case of the Missing File Shares on SAN

Every once in a while, we will be dumbfounded by strange issues that we encounter during our course of deployment setup and support. One case that I encountered was the case of the missing file shares on SAN.
a
In this case, a file server using disks presented from an iSCSI SAN hosts normal NTFS files shares that are mapped to user logon scripts. Apparently after rebooting the file server, all the shares disappear though all the contents are there. This does seem strange and can make an IT admin scratch their head, but thinking logically will lead you to suspect of the Server service running on the file server. After all the Server Service is responsible for file, print, and named-pipe sharing over the network. Indeed restarting this service on the file server will reapply all the file shares.
a
The cause of this case is documented on
a
MS KB article 870964 "File shares on iSCSI devices may not be re-created when you restart the computer"
a
According to the symptom, "You use the Microsoft iSCSI Initiator service to connect to an Internet SCSI (iSCSI) disk device. The file shares that you create for folders that are located on your iSCSI device may not be re-created when you restart the computer that the shares are created on."
a
The cause is stated as "This issue may occur when the iSCSI Initiator service is not initialized when the Server service initializes. The Server service creates file shares. However, because iSCSI disk devices are not available, the Server service cannot create file shares for iSCSI devices until the iSCSI service is initialized."
Apparently the Server service may start first during a restart causing it not to apply shares on the disks on iSCSI as the iSCSI service has not started yet. To resolve the issue, you can make the Server service dependent on the iSCSI service using the services.msc console or through regedit.
a
Windows XP and Windows Server 2003

Start Registry Editor.

Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer
On the Edit menu, point to New, and then click Multi-String Value.
Type DependOnService to name the new registry entry, and then press ENTER.
Double-click DependOnService, type MSiSCSI in the Value data box, and then click OK.
Exit Registry Editor.
a
For more on the KB article, you can click on this link

Connecting Windows Server 2008 to iSCSI SAN Storage (Part2)

In Part1 of our Connecting Windows Server 2008 to iSCSI SAN Storage, we have discussed configuring our iSCSI Network, Creating our RAID arrays and Logical Drives, enabling the iSCSI initiator service and multipath device driver on our host, and finally mapping our host-to-logical drive for the intended host the will connect to the iSCSI SAN.

Configure the host via iSCSI initiator to connect and logon to iSCSI target portal

Let us now continue on by configuring our iSCSI software initiator which will allow us to see our drives on the operating system that was presented via the SAN using the host-to-logical drive mapping. The process for configuring our iSCSI software initiator consists of actually a couple of steps: (1) Defining the iSCSI target portal (2) Logon to the target portal (3) Setup your persistent targets and autobind the volumes

Defining the iSCSI target portal is done by specifying the IP address configured for your SAN storage's host portals, usually you will configure your host portals on both redundant controllers of the SAN storage to provide redundancy for failover. Afterwhich, we can logon to the defined target portals and for the first time see the disks presented to our Windows Server 2008 system. Lastly, you would have the target portals to be persistent and bind the volumes presented automatically so that it will remain available after a restart of the host. When you are done you will have a screen similar to the one below.


Format presented volumes on the hosts and assign drive partitions

You can choose to enable authentication like CHAP when connecting to your target portal, for this example we won't be using any authentication with our connection. Once you have completed this configuration you can go to device manager and rescan for hardware changes and you will be presented with your iSCSI disks which you can then format and partition as a normal basic or dynamic disk on Disk Management as seen below.


Enable failover for redundancy of connection to the iSCSI Logical Drives

You have now completed connecting your Windows Server 2008 Server to an iSCSI SAN Storage. But we are not quite done yet, you would likely want to enable failover on your iSCSI SAN connection between your iSCSI host. To do this, just add another target portal on your iSCSI software initiator similar to the procedure above and logon to it. You will know you have configured it correctly with the presence of an additional Universal Xport SCSI Disk Device on Device Manager and seeing redundant disk devices on your target properties similar to screen below.

You can test failover by unplugging one of your network cables connecting to your host portals on the SAN and observer the changes on Device Manager and test if access from you SAN disks. This completes our step by step guide for Connecting Windows Server 2008 to iSCSI SAN storage hope this article helped you guys out there who are doing a same deployment setup.

Connecting Windows Server 2008 to iSCSI SAN Storage (Part1)

Today I am going to share a setup of Connecting Windows Server 2008 to an iSCSI SAN Storage. For this setup, I am using IBM DS3300 iSCSI SAN storage to allocate our LUN partitions to a Windows Server 2008 Server.

The outline of the activity will be similar below:
  • Configure your iSCSI hosts and target portals network

  • Pre Create RAID arrays and Logical Drives on your Storage Subsystem

  • Enable the iSCSI initiator feature on Windows Server 2008

  • Define iSCSI hosts on the Storage Subsytem

  • Install Multipath Driver on your host based on your Storage Subsytem

  • Configure Host to Logical Drive Mappings on the Storage Subsystem

  • Configure the host via iSCSI initiator to connect and logon to iSCSI target portal

  • Format presented volumes on the hosts and assign drive partitions

  • Enable failover for redundancy of connection to the iSCSI Logical Drives

The term host refers to your Windows Server 2008 system and the target portals are referring to your DS3300 storage subsytem configured with host portals.

Configure your iSCSI hosts and target portals network

First I am assuming that you have your iSCSI network setup already, it is highly recommended that you dedicate a private network for your iSCSI traffic separate from your production network card traffic. So at minimum you should have 2 network cards on your host system. 1 for your production LAN and the other for iSCSI LAN. Once you have this setup, you can set your iSCSI network card similar to screen below. Note that you should disable additional TCP/IP overhead like NETBIOS which can improve your iSCSI LAN network traffic.

Pre Create RAID arrays and Logical Drives on your Storage Subsystem

Next step is to pre create RAID arrays and Logical Drives on your storage subsystem. I won't be showing it here, but once you login to a Storage Management GUI like IBM's Storage Manager, you can easily accomplish this through the wizard. You may wish to allocate a hot spare for your RAID arrays and this can be done as well through the GUI. Once you have your RAID arrays built, you can carve out Logical Drives which you can map to intended hosts later. I also recommend that you name your Logical Drives on your SAN appropriately probably adding the servername at least to help you determine which host the drives are intended for. It can get confusing once you started carving out all those Logical Drives for all your hosts.

Enable the iSCSI initiator feature on Windows Server 2008

Now after this step, we go back to our Windows Server 2008 system and enable the iSCSI initiator service, this can be done on Server Manager and enabling the feature for the iSCSI initiator. Previously on Windows Server 2003 you would have to download the Microsoft iSCSI Software Initiator which is now on Version 2.08. Did I mention that you can use the same guide for Windows Server 2003 with a minor difference in the multipath drivers and the additional step of installing the iSCSI software initiator which is already included as a feature on Windows Server 2008.
a
Define iSCSI hosts on the Storage Subsytem

Once you enable the iSCSI software initiator, make sure the service is set to start as automatic on services console. You will then be presented with your host's unique IQN (iSCSI qualified name) which you would use to define the same host on the iSCSI SAN storage subsystem as seen below.

Install Multipath Driver on your host based on your Storage Subsytem

You can then install the multipath driver on your host based on the Storage System you are using. This enables our Windows Server 2008 machine to failover to another controller of the storage subsytem if we loose communication to one path on our target portal. Note that Windows Server 2008 has the native MPIO feature and this will be automatically enabled once we install the multi path driver from our Storage System which in this case is IBM's DS3300.


Configure Host to Logical Drive Mappings on the Storage Subsystem

When this is done we are now ready to configure our host-to-logical drive mapping through our Storage Manager. This process allocates are pre configured Logical Drives on the SAN storage to the intended host as seen below.

After this step we are almost ready to see the drives on our host but not quite yet, we need to configure our iSCSI initiator to connect to the target portals configured on the SAN storage and login to it. This will be covered in Part2 of our Connecting Windows Server 2008 to iSCSI SAN Storage article.