Migration from Office 365 or Microsoft 365 mailboxes to G Suite using the G Suite Data Migration Service

Supported environment: Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003. Supported G Suite: G Suite Enterprise, Business, Basic, and Education accounts. G Suite cost: standard prices are shown. Google occasionally offers special discounts to some customers for …

Migrate a SQL Server database to Azure SQL Database

Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines. Moving a SQL Server database …

Migrating VMware Virtual Workloads to Microsoft Azure Cloud

Overview: Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, …

Office 365 MailFlow Scenarios and Best Practices

Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenarios to deliver email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam …

Azure Site-to-Site IPSec VPN connection with Citrix NetScaler (CloudBridge)

An Azure Site-to-Site VPN gateway connection is used to connect an on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing …

Deploy Work Folder in Azure Cloud

The concept of Work Folders is to store users’ data in a convenient location. Users can access the work folder from BYOD and corporate SOE devices from anywhere. The work folder facilitates flexible and secure use of corporate information from supported devices. …

ADFS 4.0 Step by Step Guide: Federating with Splunk Cloud

To integrate on-premises SSO with Splunk Cloud, you need the following items:

  • On-premises Active Directory
  • On-premises ADFS 2016
  • A Splunk Cloud tenant
  • Splunk Cloud sign-on URL: https://yourinstance.splunkcloud.com/saml/acs
  • Splunk Cloud sign-out URL: https://yourinstance.splunkcloud.com/saml/logout
  • ADFS sign-on URL: https://sts.domain.com/adfs/services/trust
  • ADFS sign-out URL: https://sts.domain.com/adfs/ls/?wa=wsignout1.0
  …

ADFS 4.0 Step by Step Guide: Federating With Google Apps

To integrate on-premises SSO with Google Apps, you need the following items:

  • On-premises Active Directory
  • On-premises ADFS 2016
  • A Google Apps single sign-on enabled subscription
  • Google Apps sign-on URL: https://mail.google.com/a/domain.com
  • ADFS sign-on URL: https://sts.domain.com/adfs/ls/
  • ADFS password change URL: https://sts.domain.com/adfs/portal/updatepassword/
  • ADFS …

ADFS 4.0 Step by Step Guide: Federating with ServiceNow

Prerequisites:

  • Windows Active Directory
  • Windows Server 2016 with the ADFS role installed
  • ServiceNow tenant
  • ADFS signing certificate from the ADFS server
  • ADFS service identifier: http://sts.domain.com/adfs/services/trust
  • ServiceNow sign-on URL: https://company.service-now.com/navigate.do
  • ServiceNow identifier: https://company.service-now.com
  • ADFS sign-out URL: https://sts.domain.com/adfs/ls/?wa=wsignout1.0

Step 1: Export Token Signing Certificate …

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Hybrid configuration business case:

  • On-premises IRM: Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send.
  • Antispam and malware protection: mailboxes moved to Office 365 are automatically provided with antivirus …

ADFS 4.0 Step by Step Guide: Federating with Workday

This article provides step-by-step guidelines to implement single sign-on using ADFS 4.0 as the identity provider and Workday as the identifier and service provider. Important note: Workday does not provide a service provider metadata XML file to …

Exchange 2010/2013 to Exchange 2016 Migration Step by Step

  • Deployment location: on-premises
  • Target environment: Exchange Server 2016 CU4
  • Current environment: Exchange Server 2010 or Exchange Server 2013 or mixed
  • Public folder location: Exchange Server 2013

Understanding Exchange Server 2016: Exchange Server 2016 wraps up in two Exchange roles …

Understanding Network Virtualization in SCVMM 2012 R2

Networking in SCVMM is a communication mechanism to and from the SCVMM server, Hyper-V hosts, Hyper-V clusters, virtual machines, applications, services, physical switches, load balancers and third-party hypervisors. Functionality includes: logical networking of almost “anything” hosted in SCVMM. Logical network …

How to implement hardware load balancer in SCVMM

The following procedure describes Network Load Balancing functionality in Microsoft SCVMM. Microsoft native NLB is automatically included in SCVMM when you install SCVMM. This procedure describes how to install and configure a third-party load balancer in SCVMM. Prerequisites: Microsoft System …

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Nexus 1000V Switch for Microsoft Hyper-V provides the following advanced features in Microsoft Hyper-V and SCVMM:

  • Integrate physical, virtual, and mixed environments
  • Allow dynamic policy provisioning and mobility-aware network policies
  • Improve security through integrated virtual services and advanced Cisco NX-OS …

Design and Build Microsoft Distributed File System (DFS)

Supported:

  • Windows and DFS Replication support folder paths with up to 32 thousand characters.
  • DFS Replication is not limited to folder paths of 260 characters.
  • Replication groups can span across domains within a single forest.
  • VSS with DFS is supported.

Scalability on Windows Server 2012 R2

  • Size of all replicated files on a server: 100 terabytes.
  • Number of replicated files on a volume: 70 million.
  • Maximum file size: 250 gigabytes.
  • Files can be staged at sizes ranging from 16 KB to 1 MB. The default is 64 KB when RDC is enabled; when RDC is disabled, it is 256 KB from the sending member.
  • Up to 5,000 folders with targets (maximum 50,000 folders with targets).

Scalability on Windows Server 2008 R2

  • Size of all replicated files on a server: 10 terabytes.
  • Number of replicated files on a volume: 11 million.
  • Maximum file size: 64 gigabytes.

Unsupported:

  • Cross-forest replication is unsupported.
  • NTBackup for remotely backing up a DFS folder.
  • DFS in a workgroup environment.

Determining Time Zone in DFS

Coordinated Universal Time (UTC). This option causes the receiving member to treat the schedule as an absolute clock. For example, a schedule that begins at 0800 UTC is the same for any location, regardless of time zone or whether daylight saving time is in effect for a receiving member. For example, assume that you set replication to begin at 0800 UTC. A receiving member in Eastern Standard Time would begin replicating at 3:00 A.M. local time (UTC – 5), and a receiving member in Rome would begin replicating at 9:00 A.M. local time (UTC + 1). Note that the UTC offset shifts when daylight saving time is in effect for a particular location.

Local time of receiving member. This option causes the receiving member to use its local time to start and stop replication. Local time is determined by the time zone and daylight saving time status of the receiving member. For example, a schedule that begins at 8:00 A.M. will cause every receiving member to begin replicating when the local time is 8:00 A.M. Note that daylight saving time does not cause the schedule to shift. If replication starts at 9 A.M. before daylight saving time, replication will still start at 9 A.M. when daylight saving time is in effect.

Determine AD Forest and Domain Requirements

  • The forest uses the Windows Server 2003 or higher forest functional level.
  • The domain uses the Windows Server 2008 or higher domain functional level.
  • All namespace servers are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

Using RDC:

Remote differential compression (RDC) is a client-server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFS Replication to replicate only the changes when files are updated. RDC is used only for files that are 64 KB or larger by default. RDC can use an older version of a file with the same name in the replicated folder or in the DfsrPrivate\ConflictandDeleted folder (located under the local path of the replicated folder).

RDC is used when the file exceeds a minimum size threshold. This size threshold is 64 KB by default. After a file exceeding that threshold has been replicated, updated versions of the file always use RDC, unless a large portion of the file is changed or RDC is disabled.

  • RDC is available in Windows Server 2008 R2 Enterprise and Datacenter editions.
  • RDC is available in Windows Server 2012/R2 Standard and Datacenter editions.

DFS Namespaces Settings and Features

A referral is an ordered list of targets, transparent to the user that a client receives from a domain controller or namespace server when the user accesses the namespace root or a folder with targets in the namespace. The client caches the referral for a configurable period of time.

Targets in the client’s Active Directory site are listed first in a referral. (Targets given the target priority “first among all targets” will be listed before targets in the client’s site.) The order in which targets outside of the client’s site appear in a referral is determined by one of the following referral ordering methods:

  • Lowest cost
  • Random order
  • Exclude targets outside of the client’s site

Design the Replication Topology

To publish data, you will likely use a hub-and-spoke topology, where one or more hub servers are located in data centers, and servers in branch offices will connect to one or more hub servers. To prevent the hub servers from becoming overloaded, we recommend that fewer than 100 spoke members replicate with the hub server at any given time. If you need more than 100 spoke members to replicate with a hub server, set up a staggered replication schedule to balance the replication load of the hub server.

The lowest cost ordering method works properly for all targets only if the Bridge all site links option in Active Directory is enabled. (This option, as well as site link costs, are available in the Active Directory Sites and Services snap-in.) An Inter-site Topology Generator that is running Windows Server 2003 relies on the Bridge all site links option being enabled to generate the inter-site cost matrix that the Distributed File System service requires for its site-costing functionality. If the Bridge all site links option is enabled, the servers in a referral are listed in the following order:

  1. The server in the branch site.
  2. The server in regional data center site 1. (Cost = 10)
  3. The server in regional data center site 2. (Cost = 30)
  4. The server in regional data center site 3. (Cost = 50)

A domain-based namespace can be hosted by multiple namespace servers to increase the availability of the namespace. Putting a namespace server in remote or branch offices also allows clients to contact a namespace server and receive referrals without having to cross expensive WAN connections.

Definitions:

Namespace server: A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

Namespace root: The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folder: Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

Folder targets: A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content are stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\domain.com\Public\Software\Tools is transparently redirected to the shared folder \\server1\Tools or \\server2\Tools, depending on which site the user is currently located in.

By default, DFS replication between two members is bidirectional. Bidirectional connections occur in both directions and include two one-way connections. If you desire only a one-way connection, you can disable one of the connections or use share permissions to prevent the replication process from updating files on certain member servers.

Step 1: Organise the folder structure on multiple servers in geographically diverse locations

Example:

Server1 in Perth:

  • D:\Marketing
  • D:\HR
  • D:\IT

Server2 in Melbourne:

  • D:\Marketing
  • D:\HR
  • D:\IT

Step 2: Install DFS on each server

Before setting up replication between servers, the DFS Replication role needs to be installed on each server that is going to participate in the replication group. Open Server Manager by clicking the Server Manager icon on the task bar.

  1. On the Welcome Tile, under Quick Start, click on Add roles and features to start the Add Roles and Features Wizard. If there’s no Welcome Tile, it might be hidden. Click View on the menu bar and click Show Welcome Tile.
  2. Click Next.
  3. Select Role-based or feature-based installation and click Next.
  4. Select a server from the server pool and select the server on which you want to install DFS Replication. Click Next.
  5. Under Roles, expand File and Storage Services, expand File and iSCSI Services, select DFS Replication and click Next.
  6. If you have not already installed the features required for DFS Replication, the following box will pop up explaining which features and roles will be installed along with DFS Replication.
  7. Click Add Features.
  8. Back in the Select server roles dialog, DFS Replication should now show as checked along with the other roles required for DFS Replication.
  9. Click Next.
  10. The Select features dialog shows the features that will be added along with the DFS Replication role.
  11. Click Next.
  12. Click Install.
  13. Click Close when the installation completes.
  14. You will notice a new DFS management icon.

Step 3: Create a New Namespace

  1. Double click on this icon to open the DFS Management MMC.
  2. In the DFS Management console, right click on Namespaces and select New Namespace. In the New Namespace Wizard, select the server that will host the namespace (the DFS server) and click Next to continue.
  3. Give your DFS namespace an easy to understand name and click Next.
  4. The next step asks whether you want to use a domain-based namespace or a stand-alone namespace. Select the domain-based DFS namespace and click Next, then Create.
  5. Once finished, you will see the newly created namespace in the Namespaces section of DFS Management along with its UNC path. This is the path you will use to access the DFS share.
  6. Now that we have created the namespace, it’s time to add some folders. In DFS, you can access multiple shared folders using a single drive letter. Add the required folders to the DFS namespace.
  7. Right click on the DFS namespace and select New Folder.
  8. In the New Folder window, create a folder named X, then click on the Add button and locate the folder on the required server. When finished, click OK.
  9. Repeat the process to add the other shared folders.
  10. To test, open a browser (or File Explorer) and type the UNC path of your DFS namespace. All folders appear in a single share.
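The Step 1 layout and this namespace build done in PowerShell, as an added example that is not from the original post: it assumes the DFSN and ActiveDirectory modules, the domain contoso.com, a namespace called Public and the Perth/Melbourne servers named SRV-PER01 and SRV-MEL01, and it also applies the site-costing and target-priority settings described above, with a check of the Bridge all site links option those settings depend on.

```powershell
# Added example (not from the original post): Steps 1 and 3 with the DFSN module,
# plus the referral settings discussed in "DFS Namespaces Settings and Features".
# Assumed names: domain contoso.com, namespace \\contoso.com\Public, namespace servers
# SRV-PER01 (Perth) and SRV-MEL01 (Melbourne), each holding D:\Marketing, D:\HR and D:\IT.
Import-Module DFSN
Import-Module ActiveDirectory

$Domain    = 'contoso.com'
$Namespace = "\\$Domain\Public"
$Servers   = 'SRV-PER01', 'SRV-MEL01'
$Folders   = 'Marketing', 'HR', 'IT'

# Step 2 installed only DFS Replication; namespace servers also need the DFS Namespaces role.
# Share the root and the data folders. Share ACLs stay broad; restrict with NTFS ACLs,
# which DFS Replication carries between members (share permissions are not replicated).
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList (, $Folders) -ScriptBlock {
        param([string[]] $names)
        Install-WindowsFeature -Name FS-DFS-Namespace -IncludeManagementTools | Out-Null
        New-Item -Path 'C:\DFSRoots\Public' -ItemType Directory -Force | Out-Null
        New-SmbShare -Name 'Public' -Path 'C:\DFSRoots\Public' -ReadAccess 'Authenticated Users' -ErrorAction SilentlyContinue | Out-Null
        foreach ($n in $names) {
            New-Item -Path "D:\$n" -ItemType Directory -Force | Out-Null
            New-SmbShare -Name $n -Path "D:\$n" -ChangeAccess 'Authenticated Users' -ErrorAction SilentlyContinue | Out-Null
        }
    }
}

# Domain-based namespace in Windows Server 2008 mode, hosted on both servers for availability.
New-DfsnRoot -Path $Namespace -TargetPath "\\$($Servers[0])\Public" -Type DomainV2 -EnableSiteCosting $true | Out-Null
New-DfsnRootTarget -Path $Namespace -TargetPath "\\$($Servers[1])\Public" | Out-Null

# One target per server for every folder; clients get the target in their own site first.
foreach ($f in $Folders) {
    New-DfsnFolder -Path "$Namespace\$f" -TargetPath "\\$($Servers[0])\$f" | Out-Null
    New-DfsnFolderTarget -Path "$Namespace\$f" -TargetPath "\\$($Servers[1])\$f" | Out-Null
}

# "First among all targets": Perth is listed first for IT regardless of the client's site.
Set-DfsnFolderTarget -Path "$Namespace\IT" -TargetPath "\\$($Servers[0])\IT" -ReferralPriorityClass GlobalHigh | Out-Null

function Test-SiteLinkBridging {
    # Lowest-cost ordering needs "Bridge all site links". Bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
    # set in the options attribute of the IP inter-site transport means bridging is turned OFF.
    $dn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $ip = Get-ADObject -Identity $dn -Properties options
    return (([int]$ip.options -band 2) -eq 0)
}
if (-not (Test-SiteLinkBridging)) {
    Write-Warning 'Bridge all site links is disabled; site-costed referrals will not order remote targets by cost.'
}

# Verify the referral state and priority of the targets.
Get-DfsnFolderTarget -Path "$Namespace\IT" | Select-Object TargetPath, State, ReferralPriorityClass
```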

Step 5: Replicate Folders

  1. In the DFS Management console, double click on the folder to view its path.
  2. Log in to server 2 and create a folder named admin there as well.
  3. Right click on the folder and select Add Folder Target.
  4. Enter the UNC path of the folder located on the second server and click OK.
  5. You will be prompted to create a replication group. Click Yes.
  6. Follow the wizard to configure the replication parameters:
  • Primary member: the server that has the initial copy of the files you want to replicate.
  • Topology: dictates in what fashion the replication will occur.
  • Bandwidth and schedule: how much bandwidth to allocate and when to synchronize.
  7. Once you have finished, click Create. Any file that you create, modify or delete when using the namespace UNC path will be copied almost immediately to both replicating folders.

Step 6: Manually creating a replication group if you did not create one in Step 5

  1. In the console tree of the DFS Management snap-in, right-click the Replication node, and then click New Replication Group.
  2. Follow the steps in the New Replication Group Wizard and supply the information in the following table.
  3. Select Multipurpose replication group > type the name of the replication group > click Add to select at least two servers that will participate in replication. The servers must have the DFS Replication service installed.
  4. Select Full mesh > select Replicate continuously using the specified bandwidth > select the member that has the most up-to-date content that you want to replicate to the other members.
  5. Click Add to enter the local path of the Data folder you created earlier on the first server. Use the name Data for the replicated folder name.
  6. On this page, you specify the location of the Data folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Data folder.
  7. On this page, you specify the location of the Antivirus Signatures folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Antivirus Signatures folder.
  8. Click Create to create the replication group.
  9. Click Close to close the wizard. Click OK to close the dialog box that warns you about the delay in initial replication.
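The same replication group created with the DFSR cmdlets instead of the wizard, as an added example that is not from the original post: it assumes a group named RG-Data, a replicated folder Data at D:\Data, SRV-PER01 as primary member and SRV-MEL01 as partner, and it adds the RDC, one-way and backlog checks a practitioner would want.

```powershell
# Added example (not from the original post): the replication group of Steps 5 and 6
# built with the DFSR module. Assumed names: group RG-Data, replicated folder Data
# at D:\Data, primary member SRV-PER01 (authoritative copy), partner SRV-MEL01.
Import-Module DFSR

$Group   = 'RG-Data'
$Folder  = 'Data'
$Primary = 'SRV-PER01'
$Partner = 'SRV-MEL01'
$Path    = 'D:\Data'

New-DfsReplicationGroup -GroupName $Group -Description 'Perth <-> Melbourne data' | Out-Null
New-DfsReplicatedFolder -GroupName $Group -FolderName $Folder | Out-Null
Add-DfsrMember -GroupName $Group -ComputerName $Primary, $Partner | Out-Null

# Two members in full mesh give one bidirectional pair (two one-way connections).
# Add -CreateOneWay here for a Primary -> Partner only connection, the supported
# alternative to disabling a connection or blocking updates with share permissions.
Add-DfsrConnection -GroupName $Group -SourceComputerName $Primary -DestinationComputerName $Partner | Out-Null

# RDC is a per-connection setting; 64 KB is the default minimum file size quoted above.
foreach ($pair in @(@($Primary, $Partner), @($Partner, $Primary))) {
    Set-DfsrConnection -GroupName $Group -SourceComputerName $pair[0] -DestinationComputerName $pair[1] `
        -DisableRDC $false -MinimumRDCFileSizeInKB 64 | Out-Null
}

# Membership: content path, staging quota (raise it for files near the 250 GB limit) and the
# seed member. -ReadOnly $true on the partner would make it a read-only member.
Set-DfsrMembership -GroupName $Group -FolderName $Folder -ComputerName $Primary -ContentPath $Path `
    -PrimaryMember $true -StagingPathQuotaInMB 4096 -Force | Out-Null
Set-DfsrMembership -GroupName $Group -FolderName $Folder -ComputerName $Partner -ContentPath $Path `
    -StagingPathQuotaInMB 4096 -Force | Out-Null

# Apply the AD changes to both services now instead of waiting for the polling interval
# that the wizard's final dialog warns about.
Update-DfsrConfigurationFromAD -ComputerName $Primary, $Partner

function Get-ReplicationBacklogCount {
    # Files the partner still has to receive from the primary; 0 means the pair is in sync.
    param([string] $Source, [string] $Destination)
    $backlog = Get-DfsrBacklog -GroupName $Group -FolderName $Folder `
        -SourceComputerName $Source -DestinationComputerName $Destination
    return @($backlog).Count
}
Get-ReplicationBacklogCount -Source $Primary -Destination $Partner
```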

How to Connect and Configure Virtual Fibre Channel, FC Storage and FC Tape Library from within a Virtual Machine in Hyper-v Server 2012 R2

Windows Server 2012 R2 with Hyper-v Role provides Fibre Channel ports within the guest operating system, which allows you to connect to Fibre Channel directly from within virtual machines. This feature enables you to virtualize workloads that use direct FC storage and also allows you to cluster guest operating systems leveraging Fibre Channel, and provides an important new storage option for servers hosted in your virtual infrastructure.

Benefits:

  • Use existing Fibre Channel investments to support virtualized workloads.
  • Connect an FC tape library from within a guest operating system.
  • Support for many related features, such as virtual SANs, live migration, and MPIO.
  • Create an MSCS cluster of guest operating systems in a Hyper-V cluster.

Limitations:

  • Live Migration will not work if SAN zoning isn’t configured correctly.
  • Live Migration will not work if a LUN mismatch is detected by the Hyper-V cluster.
  • The virtual workload is tied to a single Hyper-V host, making it a single point of failure if a single HBA is used.
  • Virtual Fibre Channel logical units cannot be used as boot media.

Prerequisites:

  • Windows Server 2012 or 2012 R2 with the Hyper-V role.
  • Hyper-V requires a computer with processor support for hardware virtualization. See details in BIOS setup of server hardware.
  • A computer with one or more Fibre Channel host bus adapters (HBAs) that have an updated HBA driver that supports virtual Fibre Channel.
  • An NPIV-enabled fabric, HBA and FC SAN. Almost all new-generation Brocade fabrics and storage support this feature. NPIV is disabled in the HBA by default.
  • Virtual machines configured to use a virtual Fibre Channel adapter, which must use Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 as the guest operating system. A maximum of 4 vFC ports is supported in the guest OS.
  • Storage accessed through a virtual Fibre Channel supports devices that present logical units.
  • MPIO Feature installed in Windows Server.
  • Microsoft Hotfix KB2894032

Before I begin elaborating the steps involved in configuring virtual Fibre Channel, I assume you have physical connectivity and physical multipath configured and connected as per vendor best practice. In this example configuration, I will be presenting storage and an FC tape library to a virtualized backup server. I used the following hardware.

  • 2x Brocade 300 series fabrics
  • 1x FC SAN
  • 1x FC tape library
  • 2x Windows Server 2012 R2 with the Hyper-V role installed and configured as a cluster. Each host is connected to the two fabrics using dual HBA ports.

Step 1: Update the firmware of all fabrics

Use this LINK to update the firmware.

Step 2: Update the firmware of the FC SAN

See the OEM or vendor installation guide. See this LINK for the IBM guide.

Step 3: Enable hardware virtualization in the server BIOS

See OEM or vendor guidelines.

Step 4: Update the firmware of the servers

See OEM or vendor guidelines. See the example of a Dell firmware upgrade.

Step 5: Install the MPIO driver on the Hyper-V host

See OEM or vendor guidelines.

Step 6: Physically connect the FC tape library, FC storage and servers to the correct FC zone

Step 7: Configure the correct zone and NPIV in the fabric

SSH to the fabric and type the following command to verify NPIV:

Fabric:root>portcfgshow 0

If NPIV is enabled, it will show NPIV ON.

To enable NPIV on a specific port, type portCfgNPIVPort 0 1 (where 0 is the port number and 1 is the mode: 1 = enable, 0 = disable).

Open the Brocade fabric and configure aliases. The items marked in red are the virtual HBAs and the FC tape as shown in the fabric. Note that you must place the FC tape, Hyper-V host(s), virtual machine and FC SAN in the same zone, otherwise it will not work.

Configure the correct zone.

Configure the correct zone config.

Once you have configured the correct zone in the fabric, you will see the FC tape showing in the Windows Server 2012 R2 host where the Hyper-V role is installed. Do not update the tape driver on the Hyper-V host, as the guest (virtual machine) will be the backup server where the correct tape driver is needed.

Step 8: Configure Virtual Fibre Channel

Open Hyper-V Manager, click Virtual SAN Manager > Create new Fibre Channel.

Type the name of the Fibre Channel > Apply > OK.

Repeat the process to create multiple vFCs for MPIO and Live Migration purposes. Remember the physical HBAs must be connected to both Brocade fabrics.

In the vFC configuration, keep the naming convention identical on both hosts. If you have two physical HBAs, configure two vFCs on each Hyper-V host, for example VFC1 and VFC2. Create two vFCs on the other host with the identical names VFC1 and VFC2. Assign both vFCs to the virtual machines.

Step 9: Attach the Virtual Fibre Channel Adapter to the virtual machine

Open Failover Cluster Manager, select the virtual machine where the FC tape will be visible > shut down the virtual machine.

Go to Settings of the virtual machine > Add Fibre Channel Adapter > Apply > OK.

Record the WWPN from the virtual Fibre Channel adapter.

Power on the virtual machine.

Repeat the process to add the other vFCs, VFC1 and VFC2, to the virtual machine.
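Steps 8 and 9 as a script, an added example that is not from the original post: it assumes cluster nodes named HV01 and HV02, a backup VM named BACKUP01, two physical FC ports per host and virtual SANs named VFC1 and VFC2, and it returns both WWPN sets that Step 10 needs.

```powershell
# Added example (not from the original post): Steps 8 and 9 with the Hyper-V and
# FailoverClusters modules. Assumed names: cluster nodes HV01 and HV02, backup VM BACKUP01,
# virtual SANs VFC1 and VFC2 (one per fabric), two physical FC ports per host.
Import-Module Hyper-V
Import-Module FailoverClusters

$Nodes = 'HV01', 'HV02'
$VM    = 'BACKUP01'
$Sans  = 'VFC1', 'VFC2'

# Step 8: identical virtual SAN names on every node, each bound to the HBA port on that fabric.
foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -ArgumentList (, $Sans) -ScriptBlock {
        param([string[]] $sans)
        $ports = @(Get-InitiatorPort | Where-Object { $_.ConnectionType -eq 'Fibre Channel' } | Sort-Object PortAddress)
        if ($ports.Count -ne $sans.Count) {
            throw "$env:COMPUTERNAME has $($ports.Count) FC ports, expected $($sans.Count)"
        }
        for ($i = 0; $i -lt $sans.Count; $i++) {
            # PortAddress is the physical WWPN; it must already be zoned with the SAN and the tape.
            New-VMSan -Name $sans[$i] -HostBusAdapter $ports[$i] | Out-Null
        }
        Get-VMSan | Select-Object @{ n = 'Node'; e = { $env:COMPUTERNAME } }, Name
    }
}

# Step 9: the VM must be off to add vFC adapters; find the node currently owning it.
$owner = (Get-ClusterGroup -Name $VM).OwnerNode.Name
Stop-VM -Name $VM -ComputerName $owner
foreach ($san in $Sans) {
    Add-VMFibreChannelHba -VMName $VM -ComputerName $owner -SanName $san
}
Start-VM -Name $VM -ComputerName $owner

function Get-VfcWwpn {
    # Step 10 needs these WWPNs. Zone BOTH set A and set B: live migration alternates
    # between them, which is why a zoning mistake only shows up when the VM migrates.
    param([string] $VMName, [string] $HostName)
    Get-VMFibreChannelHba -VMName $VMName -ComputerName $HostName |
        Select-Object SanName, WorldWidePortNameSetA, WorldWidePortNameSetB
}
Get-VfcWwpn -VMName $VM -HostName $owner
```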

Step 10: Present Storage

Log on to the FC storage > add a host in the storage. The WWPN shown here must match the WWPN in the virtual Fibre Channel adapter.

Map the volume or LUN to the virtual server.

Step 11: Install the MPIO Driver in the Guest Operating System

Open Server Manager > Add Roles & Features > add the MPIO feature.

Download the manufacturer’s MPIO driver for the storage. The MPIO driver must be the correct and latest version to function correctly.

Now you have the FC SAN in your virtual machine.

Step 12: Install the Correct FC Tape Library Driver in the Guest Operating System

Download the correct FC tape driver and install it in the virtual backup server.

Now you have the correct FC tape library in the virtual machine.

The backup software can see the tape library and inventory tapes.

Further Readings:

Brocade Fabric with Virtual FC in Hyper-v

Hyper-V Virtual Fibre Channel Overview

Clustered virtual machine cannot access LUNs over a Synthetic Fibre Channel after you perform live migration on Windows Server 2012 or Windows Server 2012 R2-based Hyper-V hosts

How to upgrade firmware of brocade fabric switch

Requirements:

  • Filezilla FTP Server
  • Filezilla FTP Client
  • Putty
  • Java JRE installed on the admin PC
  • Log-on credentials for the Brocade website or the respective vendor website, e.g. IBM/Dell
  • Downloaded upgrade firmware

Upgrade path: Fabric OS 5.0.x to 5.2.3 is supported. Fabric OS …

Migrating VMs from Standalone Hyper-v Host to clustered Hyper-v Host

Scenario 1: In-place migration of two standalone Windows Servers (Hyper-v role installed) into clustered Windows Servers (Hyper-v role installed).

The steps involved in this scenario are listed below. There will be downtime in this scenario.

  1. Delete all snapshots from VMs.
  2. Update Windows Server to the latest patches and hotfixes.
  3. Reboot the hosts.
  4. Install the Failover Clustering Windows feature on both hosts.
  5. Connect the hosts to the shared storage infrastructure, either iSCSI or Fibre Channel.
  6. Present shared storage (5 GB for the quorum disk and an additional disk for the VM store) to the Hyper-V hosts.
  7. Run the Failover Cluster wizard and create the cluster.
  8. From Failover Cluster Manager, click Disks, select the virtual machine storage and convert the disk to a Cluster Shared Volume.
  9. Open Hyper-V Manager from Server Manager, run storage migration and migrate all VM data to a single location, which is the shared storage.
  10. Now use the Configure Role wizard from Failover Cluster Manager, select Virtual Machine from the drop-down list, select one or more VMs and migrate those VMs to the failover cluster node.
  11. Test live migration.
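Scenario 1 as a script, an added example that is not from the original post: it assumes hosts HV01 and HV02, a cluster named HVCLUS01 at 10.0.0.50, a shared disk named Cluster Disk 2 for the VM store and a VM named APP01 currently running on HV01.

```powershell
# Added example (not from the original post): Scenario 1 with the Hyper-V and
# FailoverClusters modules. Assumed names: hosts HV01 and HV02, cluster HVCLUS01 at
# 10.0.0.50, 'Cluster Disk 2' as the VM store (the 5 GB witness disk is 'Cluster Disk 1'),
# and an existing VM APP01 on HV01. Run from an admin host with both modules installed.
Import-Module Hyper-V
Import-Module FailoverClusters

$Nodes     = 'HV01', 'HV02'
$Cluster   = 'HVCLUS01'
$ClusterIP = '10.0.0.50'
$VmDisk    = 'Cluster Disk 2'
$VM        = 'APP01'

# Step 1: remove every checkpoint (snapshot) before touching storage.
Get-VM -ComputerName $Nodes | Get-VMSnapshot | Remove-VMSnapshot -Confirm:$false

# Step 4: install the feature on both hosts (patch and reboot them between Steps 2 and 3 first).
foreach ($n in $Nodes) {
    Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools -ComputerName $n | Out-Null
}

# Step 7: validate before creating; a failed validation is a supportability problem, not a warning.
$report = Test-Cluster -Node $Nodes
Write-Output "Validation report: $($report.FullName)"
New-Cluster -Name $Cluster -Node $Nodes -StaticAddress $ClusterIP | Out-Null

# Step 8: the VM store becomes a Cluster Shared Volume; the witness disk is picked up by the quorum wizard.
Add-ClusterSharedVolume -Name $VmDisk -Cluster $Cluster | Out-Null
$csvPath = (Get-ClusterSharedVolume -Name $VmDisk -Cluster $Cluster).SharedVolumeInfo.FriendlyVolumeName

# Step 9: storage migration of configuration, VHDs and checkpoint files onto the CSV.
Move-VMStorage -VMName $VM -ComputerName 'HV01' -DestinationStoragePath "$csvPath\$VM"

# Step 10: make the VM a clustered role; Step 11: live-migrate it to the other node as the test.
Add-ClusterVirtualMachineRole -VMName $VM -Cluster $Cluster | Out-Null
Move-ClusterVirtualMachineRole -Name $VM -Node 'HV02' -MigrationType Live -Cluster $Cluster | Out-Null

function Test-VMIsClustered {
    # True when the VM exists as a clustered role and is online after the migration.
    param([string] $Name)
    $role = Get-ClusterGroup -Name $Name -Cluster $Cluster -ErrorAction SilentlyContinue
    return ($null -ne $role -and $role.State -eq 'Online')
}
Test-VMIsClustered -Name $VM
```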

Scenario 2: Migrating standalone Windows Servers (Hyper-v role installed) using local storage to different Windows Servers (Hyper-v role installed) cluster using shared storage.

In this scenario, the clustered Windows servers don’t see the local storage available in the old Hyper-V host, and the old Hyper-V host doesn’t see the shared storage in the new clustered Hyper-V environment. There will be downtime when you migrate VMs. Delete any snapshots and back up all VMs before you proceed.

Option A: Download the Veeam Backup & Replication 8 trial version and configure a VM as the Veeam management server. Add the source host as the standalone Hyper-V host and the target host as the Hyper-V cluster. Replicate all the VMs. Shut down the old VMs in the standalone Hyper-V hosts, then power on the VMs in the Hyper-V cluster. Delete the old VMs.

Option B: Copy the VHD and configuration files and save them into the clustered shared storage. Log on to one of the clustered Hyper-V hosts, open Hyper-V Manager and use the Import VM option to import the VM. Then use the Configure Role option in Failover Cluster Manager on the same host to migrate the VM into the cluster, then power on the VM in the cluster.

My recommendation: use Veeam B&R.

Scenario 3: Migrating standalone Windows Servers (Hyper-v role installed) using iSCSI storage to different Windows Servers (Hyper-v role installed) cluster using fibre channel or iSCSI storage.

Option A: Shut down the VMs. Present the same iSCSI storage connected to the standalone hosts to the clustered hosts. Use storage migration to migrate the VMs to the clustered hosts. Then use the Configure Role option in Failover Cluster Manager to migrate the VMs to the Hyper-V cluster.

Option B: Again, use Veeam to do the job.

There are many factors/challenges when migrating VMs from a standalone environment to a clustered environment.

  1. iSCSI storage to Fibre Channel storage, when the new cluster has a host bus adapter (HBA) and the old standalone host doesn’t have an HBA. You can use the Microsoft iSCSI Initiator to fulfil the initiator requirement in the new host.
  2. Fibre Channel storage to iSCSI storage. There will be heaps of downtime to fulfil this requirement because of the new architecture. Veeam can be part of a solution.
  3. A multi-site and geographically diverse cluster will depend on MPLS or IP VPN network latency and bandwidth.

In conclusion, there is no silver bullet for every individual situation. You have to consult with a Microsoft partner to get the correct migration path that best fits your requirements.

Migrate Windows Server 2008/R2 Active Directory to Windows Server 2012/R2 Active Directory

Forest Functional Prerequisites

  1. Check to ensure the domain functional level is currently set to at least Windows Server 2003 mode.
  2. Open the Active Directory Users and Computers console and right-click the domain.
  3. Select Raise Domain Functional Level and verify that the current domain functional level reported is at least Windows Server 2003.

RBAC Requirement

Your account must be a member of Domain Admins, Schema Admins and Enterprise Admins.

Systems Requirement

  • Processor: 1 vCPU
  • RAM: 4 GB
  • Free disk space: 32 GB
  • Screen resolution: 800 x 600 or higher
  • Network: 1 Ethernet adapter
  • DVD: 1

Prepare Windows Machine

  1. Download Windows Server 2012 R2.
  2. Build Windows Server 2012 R2
  3. Join the Server to Domain with a static IP

Prepare Forest and Domain

  1. Mount Windows Server 2012 R2 ISO on to the Windows Server 2008 R2 Domain Controller.
  2. Log on to Windows 2008 R2 Domain as an administrator.
  3. Open command prompt as an administrator, and type adprep /forestprep and press enter.
  4. Open command prompt as an administrator, and type adprep /domainprep and press enter.

Install AD DS Role

  1. Open the Server Manager console and click on Add roles and features
  2. Select Role-based of featured-based installation and select Next.
  3. Select the Active Directory Domain Services role.
  4. Accept the default features required by clicking the Add Features button.
  5. On the Features screen click the Next button.
  6. On the Confirm installation selections screen click the Install button. Check off the Restart the destination server automatically if required
  7. Click the Close button once the installation has been completed.
  8. Once completed, notification is made available on the dashboard highlighted by an exclamation mark. Select it and amidst the drop down menu select Promote this server to a domain controller.
  9. Select add a Domain Controller into existing domain
  10. Ensure the target domain is specified.  If it is not, please either Select the proper domain or enter the proper domain in the field provided.
  11. Click Change, provide the required Enterprise Administrator credentials and click the Next button.
  12. Define if server should be a Domain Name System DNS server and Global Catalog (GC). Select the Site to which this DC belongs to and define Directory Services Restoration Mode (DSRM) password for this DC
  13. Click the Next button on the DNS options screen.
  14. Click the Next button once completed.
  15. Specify location for AD database and SYSVOL and Click the Next button.
  16. Next up is the Schema and Domain preparation. Alternatively, you can run ADPrep before starting these steps; if ADPrep is not detected, it is run automatically on your behalf.
  17. Finally, the Review Options screen provides a summary of all the selected options for server promotion. As an added bonus, clicking the View Script button gives you the PowerShell script to automate future installations. Click the Next button to continue.
  18. Should all the prerequisites pass, click the Install button to start the installation.
  19. After it completes the required tasks and the server restarts, the new Windows Server 2012 R2 Domain Controller setup is completed.

Check New Domain Controller in AD Sites and Services

  1. Open Active Directory Users and Computers, expand <Your Domain> and click the Domain Controllers OU to verify that your server is listed.
  2. Open DNS Manager, right-click <Your Domain>, select Properties and then click the Name Servers tab. Verify that your server is listed under Name servers.
  3. Open Active Directory Sites and Services and verify that your server is listed under Servers in Default-First-Site-Name.

Check New Domain Controller in DNS Manager

  1. Open DNS Manager on the new Domain Controller.
  2. Expand Forward Lookup Zones.
  3. Select the FQDN of the domain, double-click the Name Server (NS) record, open Properties and check that the new server appears on the Name Servers tab.

Transfer FSMO Role

Now transfer all the FSMO roles from the Windows 2008 R2 domain controller to the Windows 2012 R2 domain controller. Log on to the Windows 2008 R2 domain controller as an enterprise admin, open a command prompt and type the following commands, one at a time:

ntdsutil

roles

connections

connect to server WIN2012R2SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master
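The same transfer, scripted with the ActiveDirectory module cmdlets, with a verification pass afterwards that also covers the checks in the two sections above (the new DC is a global catalog, replication is healthy). This is an added example, not the author's procedure: it assumes RSAT-AD-PowerShell is available and that the caller is an Enterprise Admin, and WIN2012R2SERVERNAME is the same placeholder used in the ntdsutil sequence.

```powershell
# Added example: transfer all five FSMO roles to the new 2012 R2 DC and verify.
# Assumes the ActiveDirectory module is loaded on a DC or RSAT host and the
# caller holds Enterprise Admin rights. WIN2012R2SERVERNAME is a placeholder.
Import-Module ActiveDirectory

$NewDc = 'WIN2012R2SERVERNAME'

function Get-FsmoRoleHolders {
    # Role name -> current holder (FQDN) for the two forest and three domain roles.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDc)
    # Transfer (not seize): the old DC must still be online. -Confirm:$false skips
    # the per-role prompt; add -WhatIf on a first run if in doubt.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

function Test-FsmoRolesOn {
    param([Parameter(Mandatory)][string]$TargetDc)
    # True only when every role holder's host name matches the target DC.
    $holders = Get-FsmoRoleHolders
    $bad = @($holders.GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $TargetDc })
    foreach ($b in $bad) { Write-Warning "$($b.Key) is still held by $($b.Value)" }
    return ($bad.Count -eq 0)
}

Write-Host 'Before transfer:'; Get-FsmoRoleHolders | Format-Table -AutoSize
Move-AllFsmoRoles -TargetDc $NewDc
Write-Host 'After transfer:';  Get-FsmoRoleHolders | Format-Table -AutoSize

if (Test-FsmoRolesOn -TargetDc $NewDc) {
    # Cross-check with the built-in tools and confirm the new DC is a GC and
    # replicating cleanly before the old 2008 R2 DC is demoted.
    netdom query fsmo
    $dc = Get-ADDomainController -Identity $NewDc
    Write-Host "Global catalog: $($dc.IsGlobalCatalog)  Site: $($dc.Site)"
    repadmin /showrepl $NewDc
}
```

Run it from the new DC once replication has completed; the repadmin output should show no failures for any partition before you continue with the DNS and demotion steps.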

Change DNS Properties of Servers and Workstation

Each server and workstation in the target domain needs its NIC properties updated to point to the new Domain Controller for DNS. For DHCP clients, open the DHCP management console, select Option 006 under the scope's server options and add the IP address of the new Domain Controller as a DNS server.

Removing the Windows 2008 R2 domain controller

  1. On the Windows 2008 R2 server click Start, Click Run, type dcpromo, then click
  2. After the Welcome to the Active Directory Installation Wizard page, be sure to leave the Delete the domain because this server is the last domain controller in the domain
  3. On the Administrator Password Page, enter your password and click Next.
  4. On the Summary page, click Next, wait for the process to end, then click
  5. On the Completing the Active Directory Domain Services Installation Wizard, click
  6. On the Active Directory Domain Services Installation Wizard page, click Restart Now to Restart the server.
  7. After the reboot completes, move the Windows Server 2008 R2 server from the domain to a workgroup and remove any unnecessary records from Active Directory Sites and Services.

Note: Wait for all schema objects to be cleaned up automatically. Do not rush to clean up any schema object or DNS record on the new Domain Controller.

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
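The same alternate access mappings created with the SharePoint Management Shell instead of Central Administration, plus a check that both entries ended up in the zone. This is an added example, not from the original post: it assumes the cmdlets run on a SharePoint 2010/2013 server as a farm administrator, the web application URL http://intranet is a placeholder, and the host names are the post's Portal.xman.com examples.

```powershell
# Added example (not from the post): Step 1 as PowerShell. Assumes a SharePoint
# 2010/2013 server and farm admin rights. $WebApp is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebApp      = 'http://intranet'                 # placeholder: web application to publish
$Zone        = 'Internet'                        # a zone not yet used by this web application
$PublicUrl   = 'https://Portal.xman.com'         # public host name on the HTTPS trunk (steps 5-6)
$InternalUrl = 'http://PortalExternal.xman.com'  # farm host name that UAG sends (step 9)

function Set-UagAlternateAccessMappings {
    param(
        [Parameter(Mandatory)][string]$WebApplication,
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$PublicUrl,
        [Parameter(Mandatory)][string]$InternalUrl
    )
    # The public URL is what users see; it must carry the trunk's scheme (https here).
    New-SPAlternateURL -WebApplication $WebApplication -Url $PublicUrl -Zone $Zone | Out-Null
    # The internal URL is the replaced host header UAG sends to the farm; -Internal
    # maps it into the same zone so SharePoint rewrites links back to the public URL.
    New-SPAlternateURL -WebApplication $WebApplication -Url $InternalUrl -Zone $Zone -Internal | Out-Null
}

function Test-UagAlternateAccessMappings {
    param([string]$WebApplication, [string]$Zone, [string]$PublicUrl, [string]$InternalUrl)
    # True when both URLs are in the zone and the public one is the zone's outgoing URL.
    $maps = @(Get-SPAlternateURL -WebApplication $WebApplication -Zone $Zone)
    $urls = @($maps | ForEach-Object { $_.IncomingUrl.TrimEnd('/') })
    $publicEntry = $maps | Where-Object { $_.IncomingUrl.TrimEnd('/') -eq $PublicUrl }
    $ok = ($urls -contains $PublicUrl) -and ($urls -contains $InternalUrl) -and
          ($publicEntry -and $publicEntry.PublicUrl.TrimEnd('/') -eq $PublicUrl)
    if (-not $ok) { Write-Warning "AAM for zone $Zone is incomplete. Present: $($urls -join ', ')" }
    return $ok
}

Set-UagAlternateAccessMappings  -WebApplication $WebApp -Zone $Zone -PublicUrl $PublicUrl -InternalUrl $InternalUrl
Test-UagAlternateAccessMappings -WebApplication $WebApp -Zone $Zone -PublicUrl $PublicUrl -InternalUrl $InternalUrl
```

If the check fails after a GUI change, compare the scheme: a public URL entered as http on an HTTPS trunk is the usual mismatch, and SharePoint will then emit http links that UAG cannot serve.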

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

On the Authentication Page, Click Add, Select DC, Click Next

Select the SharePoint.xman.com.au certificate from the drop-down and click Next. Don't worry about the certificate screenshot; this is a test environment.

Select Use Forefront UAG Access Policies, Click Next

Select Default and Click Next

Click Finish.

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.

On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

Note: When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Install and Configure Forefront UAG 2010 Step by Step

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevents data leakage to unmanaged endpoints.

Assumptions:

The following servers are installed and configured in a test environment.

Systems Requirements:

Option                  Description
Virtual Machine Name    DC1TVUAG01
Memory                  8GB
vCPU                    1
Hard Disk 1             50GB
Hard Disk 2             50GB
Network Adapter         2
Guest Operating System  Windows Server 2008 R2
Service Pack Level      SP1

Software Requirement:

Version             Microsoft Forefront Unified Access Gateway 2010
Service Pack Level  SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

Browser            Features
Firefox            Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling; Endpoint Quarantine Enforcement
Internet Explorer  Endpoint Session Cleanup; Endpoint detection; SSL Application Tunneling; Socket Forwarding; SSL Network Tunneling (Network Connector); Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name                                            Features
Windows Phone                                          Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad                    Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0  Premium mobile portal

Service Account for Active Directory Authentication:

Service Account  Privileges    Password
xman\SA-FUAG     Domain Users  Password set to never expire

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version: Forefront UAG 2010

Paths:
  • UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway

Processes:
  • Forefront UAG DNS-ALG Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe
  • Forefront UAG Monitoring Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe
  • Forefront UAG Session Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe
  • Forefront UAG File Sharing: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe
  • Forefront UAG Quarantine Enforcement Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe
  • Forefront UAG Terminal Services RDP Data: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe
  • Forefront UAG User Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe
  • Forefront UAG Watch Dog Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe
  • Forefront UAG Log Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe
  • Forefront UAG SSL Network Tunneling Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to placing the Forefront UAG server between a frontend and a backend firewall:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • The integrity of the content in the corporate network is retained.
  • Backend applications and infrastructure servers, such as authentication servers, can be published and reached securely, as required.
  • The corporate network infrastructure is hidden from perimeter and external threats.

Scenario#1

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes.

Infrastructure server       Protocol                 Port                 Direction
Domain controller           Microsoft-DS traffic     TCP 445, UDP 445     From UAG to DC
Domain controller           Kerberos authentication  TCP 88, UDP 88       From UAG to DC
Domain controller           LDAP                     TCP 389, UDP 389     From UAG to DC
Domain controller           LDAPS                    TCP 636, UDP 636     From UAG to DC
Domain controller           LDAP to GC               TCP 3268, UDP 3268   From UAG to DC
Domain controller           LDAPS to GC              TCP 3269, UDP 3269   From UAG to DC
Domain controller           DNS                      TCP 53, UDP 53       From UAG to DC
Exchange, SharePoint, RDS   HTTPS                    TCP 443              From external to internal server
FTP                         FTP                      TCP 21               From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed, but it is not a best practice and not a sound firewall design.

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

  • First in order: UAG internal adapter, connected to the trusted network.
  • Second in order: UAG external adapter, connected to the untrusted network.

The following is the network configuration for the UAG server.

Option            IP Address    Subnet         Default Gateway  DNS
Internal Network  10.10.10.2    255.255.255.0  Not required     10.10.10.1
External Network  192.168.1.1   255.255.255.0  192.168.1.254    Not required

Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the Internal Network adapter is left at its default setting of Enabled. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.
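Configuration Steps 1 and 2 scripted and then audited, so the adapter profile above can be applied consistently across array members and re-checked later. This is an added example, not from the post or from Microsoft's article: it uses netsh and WMI because the NetAdapter/NetTCPIP cmdlets do not exist on Windows Server 2008 R2, the addresses and adapter names are the post's, the "Local Area Connection" names are placeholders for whatever Windows assigned, and the Client for Microsoft Networks / File and Print Sharing bindings have no scriptable setter in this toolset and remain a GUI step.

```powershell
# Added example (not from the post): apply the adapter profile and audit it.
# netsh/WMI because this runs on Windows Server 2008 R2. Placeholders: OldName.

$Profiles = @(
    @{ Name = 'Internal Network'; OldName = 'Local Area Connection';   Address = '10.10.10.2'
       Mask = '255.255.255.0';    Gateway = $null;                     Dns = '10.10.10.1'
       Register = $true;          NetBios = 0 }   # 0 = NetBIOS setting left at default
    @{ Name = 'External Network'; OldName = 'Local Area Connection 2'; Address = '192.168.1.1'
       Mask = '255.255.255.0';    Gateway = '192.168.1.254';           Dns = $null
       Register = $false;         NetBios = 2 }   # 2 = NetBIOS over TCP/IP disabled
)

function Get-UagAdapterConfig([string]$Name) {
    # Map the connection name shown in Network Connections to its IP configuration.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "No adapter named '$Name'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
}

function Set-UagAdapter($P) {
    # Step 1: rename. Step 2: address, gateway and DNS; gateway=none removes any
    # default gateway and address=none empties the DNS server list.
    & netsh interface set interface "name=$($P.OldName)" "newname=$($P.Name)" | Out-Null
    $gw = if ($P.Gateway) { $P.Gateway } else { 'none' }
    & netsh interface ipv4 set address "name=$($P.Name)" source=static "address=$($P.Address)" "mask=$($P.Mask)" "gateway=$gw" | Out-Null
    if ($P.Dns) {
        & netsh interface ipv4 set dnsservers "name=$($P.Name)" source=static "address=$($P.Dns)" register=primary | Out-Null
    } else {
        & netsh interface ipv4 set dnsservers "name=$($P.Name)" source=static address=none register=none | Out-Null
    }
    # NetBIOS over TCP/IP is a per-adapter WMI method (0 default, 1 enabled, 2 disabled).
    [void](Get-UagAdapterConfig $P.Name).SetTcpipNetbios($P.NetBios)
}

function Test-UagAdapter($P) {
    # Returns the settings that deviate from the profile; an empty list means compliant.
    $c = Get-UagAdapterConfig $P.Name
    $issues = @()
    $gws = @($c.DefaultIPGateway | Where-Object { $_ })
    $dns = @($c.DNSServerSearchOrder | Where-Object { $_ })
    if (@($c.IPAddress) -notcontains $P.Address)        { $issues += "address is $($c.IPAddress -join ',')" }
    if ($P.Gateway -and $gws -notcontains $P.Gateway)   { $issues += "gateway is $($gws -join ',')" }
    if (-not $P.Gateway -and $gws.Count -gt 0)          { $issues += 'default gateway should not be defined' }
    if ($P.Dns -and $dns -notcontains $P.Dns)           { $issues += "DNS servers are $($dns -join ',')" }
    if (-not $P.Dns -and $dns.Count -gt 0)              { $issues += 'DNS servers should not be defined' }
    if ($c.FullDNSRegistrationEnabled -ne $P.Register)  { $issues += "register in DNS is $($c.FullDNSRegistrationEnabled)" }
    if ($c.WINSEnableLMHostsLookup)                     { $issues += 'LMHOSTS lookup is enabled' }
    if ($c.TcpipNetbiosOptions -ne $P.NetBios)          { $issues += "NetBIOS option is $($c.TcpipNetbiosOptions)" }
    return $issues
}

# LMHOSTS lookup is host-wide, hence the static class method (arg 1: WINS for DNS, arg 2: LMHOSTS).
[void]([wmiclass]'Win32_NetworkAdapterConfiguration').EnableWINS($false, $false)

foreach ($p in $Profiles) {
    Set-UagAdapter $p
    $problems = @(Test-UagAdapter $p)
    if ($problems.Count -eq 0) { Write-Host "$($p.Name): compliant" }
    else { $problems | ForEach-Object { Write-Warning "$($p.Name): $_" } }
}
```

Test-UagAdapter on its own is useful as a periodic check: a DNS server or default gateway that someone later adds to the wrong adapter is exactly the drift that breaks the single-default-gateway rule described under Step 4.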

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from the ISP to your router:

Purpose     Public Host Name        Public IP Address
Exchange    webmail.xman.com.au     203.17.x.x
SharePoint  sharepoint.xman.com.au  203.17.x.x
RDS         remote.xman.com.au      203.17.x.x
FTP         ftp.xman.com.au         203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added to the perimeter firewall to publish applications and services through Forefront UAG.

Rule(s)  Description  Source IP  Public IP Address (Destination IP Address)  Port  NAT Destination  Status
1        Exchange     Any        203.17.x.x                                  443   10.10.10.2       Forward
2        SharePoint   Any        203.17.x.x                                  443   10.10.10.2       Forward
4        RDS          Any        203.17.x.x                                  443   10.10.10.2       Forward
5        FTP          Any        203.17.x.x                                  21    10.10.10.2       Forward

Internal Firewall Rules

The following firewall rules will be added to the internal network firewall to allow communication from the UAG server to the application servers and the domain controller:

Rules  Description        Source IP                     Port (TCP & UDP)                    NAT Destination  Destination  Status
1      Exchange           10.10.10.2                    TCP 443                             Not Required     10.10.10.3   Forward
2      SharePoint         10.10.10.2                    TCP 443                             Not Required     10.10.10.4   Forward
4      RDS                10.10.10.2                    TCP 443                             Not Required     10.10.10.5   Forward
5      FTP                10.10.10.2                    TCP 21                              Not Required     10.10.10.6   Forward
6      Client             10.10.12.0/24, 10.10.13.0/24  TCP 443, TCP 21                     Not Required     10.10.10.2   Forward
7      Domain Controller  10.10.10.2                    445, 88, 53, 389, 636, 3268, 3296   Not Required     10.10.10.1   Forward
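A way to verify the internal firewall rules from the UAG server once they are in place: attempt a TCP connect to each destination and port with a timeout and report what is unreachable. This is an added example, not from the post; it uses .NET sockets because Test-NetConnection is not available on Windows Server 2008 R2, it skips the UDP entries (which a connect test cannot verify), and the destinations are the post's test-environment addresses with the domain controller ports taken from the backend port requirement table.

```powershell
# Added example (not from the post): check the internal firewall rules by
# TCP connect from the UAG host. Addresses are the post's test values.

$InternalRules = @(
    @{ Rule = 1; Description = 'Exchange';          Destination = '10.10.10.3'; Ports = 443 }
    @{ Rule = 2; Description = 'SharePoint';        Destination = '10.10.10.4'; Ports = 443 }
    @{ Rule = 4; Description = 'RDS';               Destination = '10.10.10.5'; Ports = 443 }
    @{ Rule = 5; Description = 'FTP';               Destination = '10.10.10.6'; Ports = 21 }
    @{ Rule = 7; Description = 'Domain Controller'; Destination = '10.10.10.1'; Ports = 445, 88, 53, 389, 636, 3268, 3269 }
)

function Test-TcpPort([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    # True if the TCP handshake completes within the timeout, false on timeout or refusal.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-InternalFirewallRules($Rules) {
    # One result row per (rule, port). Open=$false means the path is blocked or
    # the service is not listening; check the firewall rule first, then the server.
    foreach ($r in $Rules) {
        foreach ($port in @($r.Ports)) {
            New-Object PSObject -Property @{
                Rule        = $r.Rule
                Description = $r.Description
                Destination = $r.Destination
                Port        = $port
                Open        = Test-TcpPort -Address $r.Destination -Port $port
            }
        }
    }
}

$results = @(Test-InternalFirewallRules $InternalRules)
$results | Format-Table Rule, Description, Destination, Port, Open -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) rule/port combinations are not reachable from this host"
}
```

Run it from the UAG server itself (the source address of rules 1 to 7), not from an administrator workstation, or the result tells you about a different firewall path.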

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name             Subject Alternative Name   Certificate Issuer
RDS.xman.com.au         -                          Verisign/Digicert
webmail.xman.com.au     autodiscover.xman.com.au   Verisign/Digicert
ftp.xman.com.au         -                          Verisign/Digicert
sharepoint.xman.com.au  -                          Verisign/Digicert
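A check that a certificate covers every public host name the trunks will use, applying the wildcard and SAN rules described above: a wildcard matches exactly one label, and a SAN certificate must list each name. This is an added example, not from the post; the host names are the post's xman.com.au entries, the thumbprint is a placeholder, and the two name sets used for the offline check are constructed.

```powershell
# Added example (not from the post): does a certificate cover all trunk host names?
# Host names are the post's; the thumbprint is a placeholder to replace.

$RequiredHosts = 'webmail.xman.com.au', 'autodiscover.xman.com.au', 'sharepoint.xman.com.au',
                 'remote.xman.com.au', 'ftp.xman.com.au'

function Get-CertificateDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # CN plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $cn = $Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names += $cn.Substring(3) }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders e.g. "DNS Name=webmail.xman.com.au, DNS Name=autodiscover.xman.com.au"
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return @($names | Select-Object -Unique)
}

function Test-HostNameCovered([string]$HostName, [string[]]$CertNames) {
    # Exact match, or a "*.domain" wildcard whose single '*' matches exactly one host label.
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # ".xman.com.au"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-CertificateCoverage([string[]]$Required, [string[]]$CertNames) {
    # Returns the required host names the certificate does NOT cover (empty = all covered).
    return @($Required | Where-Object { -not (Test-HostNameCovered $_ $CertNames) })
}

# Offline check with constructed name sets, no certificate needed:
$wildcardNames = @('*.xman.com.au')                                  # constructed: domain wildcard
$sanNames      = @('webmail.xman.com.au', 'autodiscover.xman.com.au') # constructed: the Exchange SAN cert
Test-CertificateCoverage $RequiredHosts $wildcardNames
Test-CertificateCoverage $RequiredHosts $sanNames

# Live check against an installed certificate (thumbprint is a placeholder):
$cert = Get-Item 'Cert:\LocalMachine\My\0000000000000000000000000000000000000000' -ErrorAction SilentlyContinue
if ($cert) {
    $missing = Test-CertificateCoverage $RequiredHosts (Get-CertificateDnsNames $cert)
    if ($missing.Count -eq 0) { Write-Host 'Certificate covers all trunk host names' }
    else { Write-Warning "Not covered: $($missing -join ', ')" }
}
```

The single-label rule matters for the sub-domain case mentioned above: a *.xman.com.au certificate does not cover a name such as portal.hr.xman.com.au, which needs its own entry or a *.hr.xman.com.au wildcard.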

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe the list of trunks and their advanced configuration.

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List                Methods  Allow Rich Content
InternalSite_Rule54     HEAD     Checked
SharePoint14AAM_Rule47  HEAD     Checked

Published Applications and Services:

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

On the Welcome page of Setup, do the following:

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

Restart the Server.

Initial Configuration Using Getting Started Wizard

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.

Install and Configure IBM V3700, Brocade 300B Fabric and ESXi Host Step by Step

Step1: Hardware Installation Follow the official IBM video tutorial to rack and stack IBM V3700.   Cabling V3700, ESX Host and Fabric. Connect each canister of V3700 Storage to two Fabric. Canister1 FC Port 1—>Fabric1 and Canister 1 FC Port … Continue reading

How to configure SMB 3.0 Multichannel in Windows Server 2012 Step by Step

SMB Multichannel

The SMB protocol follows the client-server model; the protocol level is negotiated by the client request and server response when establishing a new SMB connection. Windows Server 2012 introduces a feature called SMB 3.0 Multichannel. Multichannel provides link aggregation and fault tolerance.

SMB 3.0 introduces multipath I/O (MPIO), where multiple TCP connections can be established for a given SMB session. The benefits include increased bandwidth, transparent network interface failover, and per-session load balancing.

SMB Encryption

Open following registry key

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

  • If value of EncryptData DWORD is set to 0 then communication between SMB client and server is encrypted
  • If value of RejectUnencryptedAccess DWORD is set to 1 then communication between SMB client and server is rejected.

SMB Multichannel requirements:

  • At least two computers running Windows Server 2012 R2, Windows Server 2012, or Windows 8. No additional feature has to be installed; SMB Multichannel is enabled by default on both client and server.
  • Multiple network adapters in each host, or one or more adapters that support Receive Side Scaling (RSS), or adapters configured with NIC Teaming, or adapters that support remote direct memory access (RDMA). Multichannel needs at least one of these configurations, not all of them.
  • When separate adapters are used, placing them in different subnets is the simplest way to make sure each path is routed independently and a single failure cannot take out both.
  • Enable the adapters for client access.
  • Dedicated subnets for SMB storage traffic and, depending on whether and how the fabric is converged, a dedicated storage VLAN.
  • VNX File OE version 7.1.65 or later, or any other SMB 3.0 compliant storage.
  • A port channel group configured on the switch if the adapters are teamed with LACP.

TCP/IP session without SMB Multichannel

  • No automatic failover (automatic failover only if the NICs are teamed)
  • No automatic failover if RDMA is present but cannot be used
  • Only one NIC engaged
  • Only one CPU core engaged
  • Cannot use the combined NIC bandwidth

TCP/IP session with SMB Multichannel

  • Automatic failover, or faster automatic failover if the NICs are also teamed
  • Automatic failover with RDMA, using multiple RDMA connections
  • All NICs engaged
  • CPU load spread across all cores
  • Combined NIC bandwidth

Which one to use, RDMA or RSS?

If you are looking for fault tolerance and throughput on ordinary Ethernet adapters, the obvious choice is NIC teaming with RSS. RDMA (SMB Direct) gives lower latency and CPU usage, but it needs RDMA-capable adapters and switches end to end.

Adding a SMB Share in VNX Storage

  1. Create a network. Go to Settings -> Network -> Settings for File and set up your network information.
  2. Go to Storage -> Storage Configuration -> File Systems to create storage and set up your storage configuration.
  3. Go to the CIFS Servers tab and create your server configuration.
  4. Go back to your CIFS share configuration, assign your CIFS server as allowed and allow the SMB protocol.
  5. Connect to your CIFS share with \\CIFSServer\CIFSShare and your new administrator password.

Adding a port channel group in Switch

Configuration of a Cisco switch with 2 network ports (if you have Cisco). Both physical ports that connect the teamed NICs join the same channel group; mode active makes the switch negotiate LACP with the host team.

Switch#conf t
Switch(config)#interface GigabitEthernet3/1
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
Switch(config-if)#channel-group 40 mode active
Switch(config-if)#exit
Switch(config)#interface GigabitEthernet3/2
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
Switch(config-if)#channel-group 40 mode active
Switch(config-if)#end
Switch#show etherchannel 40 summary

Configuration of an HP ProCurve with 2 network ports (if you have HP). The two ports become one LACP trunk, which is then placed untagged in the storage VLAN.

PROCURVE#conf ter
PROCURVE(config)#trunk C1-C2 Trk99 LACP
PROCURVE(config)#vlan <VLANID>
PROCURVE(vlan-<VLANID>)#untagged Trk99
PROCURVE(vlan-<VLANID>)#exit
PROCURVE(config)#show lacp
PROCURVE(config)#show log lacp

Adding SMB 3.0 Share in Hyper-v

  1. From Server Manager, click Tools and then click Hyper-V Manager.
  2. Click Hyper-V Settings. Under Virtual Hard Disks, type the UNC path of the SMB 3.0 share; under Virtual Machines, type the UNC path of the SMB 3.0 share.
  3. Click OK.
  4. Open an elevated PowerShell prompt and check whether SMB Multichannel is enabled on the client (the Hyper-V host) and on the server with the following cmdlets:

Get-SmbClientConfiguration | Select EnableMultichannel

Get-SmbServerConfiguration | Select EnableMultichannel

  5. Enable Multichannel if either side reports False (it is on by default):

Set-SmbServerConfiguration -EnableMultiChannel $true

Set-SmbClientConfiguration -EnableMultiChannel $true

  6. Verify Multichannel after opening a file on the share, so that a session exists to inspect:

Get-SmbConnection

Get-SmbMultichannelConnection
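As an added example (not from the original post), the check below turns the two verification cmdlets into a pass/fail answer from the Hyper-V host: it opens the share, counts the client/server interface pairs that SMB actually selected, and reports whether more than one path is in use, which is what failover and bandwidth aggregation depend on. The file server name AUPERFS01 and the share name VMStore are assumptions.

```powershell
# Added example (not from the original post): confirm from the SMB client (Hyper-V host)
# that a share is really being served over more than one network path.

function Test-SmbMultichannelPath {
    param(
        [Parameter(Mandatory)] [string] $FileServer,   # e.g. 'AUPERFS01' (assumed)
        [Parameter(Mandatory)] [string] $ShareName     # e.g. 'VMStore'   (assumed)
    )

    # Touch the share so the client opens a session and negotiates its channels
    $null = Get-ChildItem -Path "\\$FileServer\$ShareName" -ErrorAction Stop

    # Client-side view: is Multichannel on, and which local NICs qualify (RSS or RDMA)
    $client = Get-SmbClientConfiguration
    $nics   = @(Get-SmbClientNetworkInterface)

    # One row per client/server interface pair; Selected = currently used for this server
    $paths = @(Get-SmbMultichannelConnection -ServerName $FileServer | Where-Object { $_.Selected })

    [PSCustomObject]@{
        Server                = $FileServer
        ClientMultichannelOn  = $client.EnableMultiChannel
        ClientRssCapableNics  = @($nics | Where-Object { $_.RssCapable }).Count
        ClientRdmaCapableNics = @($nics | Where-Object { $_.RdmaCapable }).Count
        SelectedPaths         = $paths.Count
        TotalChannels         = ($paths | Measure-Object -Property CurrentChannels -Sum).Sum
        Paths                 = ($paths | ForEach-Object { "$($_.ClientIpAddress)->$($_.ServerIpAddress)" }) -join ', '
        # A single selected path means one NIC, one CPU core and no failover: Multichannel
        # is enabled but not actually in use for this server
        MultichannelActive    = ($paths.Count -gt 1)
    }
}

Test-SmbMultichannelPath -FileServer 'AUPERFS01' -ShareName 'VMStore' | Format-List
```

If MultichannelActive comes back False although both sides report EnableMultiChannel True, the usual causes are that only one NIC is RSS-capable, or that both adapters sit on the same subnet and the client chose one route for both.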

Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide

Before you begin, create a worksheet in a spreadsheet recording the information required to migrate Exchange 2007/2010 to Exchange 2013. For this article I am going to use the following worksheet. This worksheet and migration guide were tested in production Exchange migrations that I did for a few of my clients. Note that this article is not situation specific, so I can't offer a silver bullet for your situation.

Deployment Work Sheet

Version Readiness Check

Present server                            Proposed server
Exchange 2007 SP3 or Exchange 2010 SP3    Exchange 2013 CU3

Exchange Role Assignment

Exchange 2013 has two server roles; the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommend installing the Mailbox server role first.

Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.

Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.

Server name                   Exchange role
AUPEREXMBX01, AUPEREXMBX02    Mailbox
AUPEREXCAS01, AUPEREXCAS02    Client Access

Active Directory Schema and Forest

When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.

Description                   AD forest             Domain controllers
Primary SMTP namespace        Superplaneteers.com   AUPERDC01, AUPERDC02
User principal name domain    Superplaneteers.com   AUPERDC01, AUPERDC02

Legacy Edge Transport

N/A

Network Configuration

Server name    TCP/IP        DNS                       Replication network
AUPEREXMBX01   10.10.10.11   10.10.10.2, 10.10.10.3    192.168.100.11/24
AUPEREXMBX02   10.10.10.12   10.10.10.2, 10.10.10.3    192.168.100.12/24
AUPEREXCAS01   10.10.10.13   10.10.10.2, 10.10.10.3    N/A
AUPEREXCAS02   10.10.10.14   10.10.10.2, 10.10.10.3    N/A

Rename the network adapters in the mailbox server's operating system so that each name closely matches the network it serves, for example Domain Network and Replication Network. Maintain the following binding order within Windows:

  1. First in order: the domain adapter connected to the Active Directory network.
  2. Second in order: the replication adapter connected to the heartbeat network.

Here is a guide on how to change the adapter binding order: http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx. Microsoft does not support multiple default gateways on a single server, so configure no default gateway on the replication network card. Also clear "Register this connection's addresses in DNS" on the replication adapter, so that clients never resolve the mailbox server to its replication address.

Disk layout

Server name    C:       E:       F:        G:
AUPEREXMBX01   50 GB    50 GB    500 GB    300 GB
AUPEREXMBX02   50 GB    50 GB    500 GB    300 GB
AUPEREXCAS01   50 GB    50 GB    N/A       N/A
AUPEREXCAS02   50 GB    50 GB    N/A       N/A

Resilient Exchange Configuration

Purpose                     Name                       TCP/IP        Subnet           Type
DAG                         AUPEREXDAG01               10.10.10.15   255.255.255.0    N/A
CAS NLB or load balancer    mail.superplaneteers.com   10.10.10.16   255.255.255.0    Multicast

Exchange Administrator

User name          Privileges
ExMigrationAdmin   Domain user; Domain Admins; Schema Admins; Enterprise Admins; Organization Management; local Administrator on each Exchange server

Schema Admins and Enterprise Admins are needed only for the Setup.exe /PrepareSchema and /PrepareAD steps below. Remove ExMigrationAdmin from both groups as soon as Active Directory has been prepared, and disable or delete the account when the migration is finished; a standing account with this much privilege is a prime target.

Certificates

A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.

You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.

Common name                Subject alternative name             Type   Assigned to
mail.superplaneteers.com   autodiscover.superplaneteers.com    SSL    IIS, SMTP, POP, IMAP

Supported Client

Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:

  • Outlook 2013 (15.0.4420.1017)
  • Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000).
  • Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).
  • Entourage 2008 for Mac, Web Services Edition
  • Outlook for Mac 2011

Exchange 2013 does not support Outlook 2003.

Public DNS records

DNS record                          Record type   IP/alias/FQDN               Priority
mail.superplaneteers.com            A             203.17.x.x                  N/A
superplaneteers.com                 MX            mail.superplaneteers.com    10
autodiscover.superplaneteers.com    CNAME         mail.superplaneteers.com    N/A

If you use a hosted email security service, the MX record points at the provider instead. In that case only the provider's published addresses should be allowed to reach port 25 on your public address; otherwise senders can bypass the filtering by delivering straight to 203.17.x.x. An example is given here for Trend Micro Hosted Email Security.

DNS record                          Record type   IP/alias/FQDN               Priority
mail.superplaneteers.com            A             203.17.x.x                  N/A
superplaneteers.com                 MX            in.sjc.mx.trendmicro.com    10
autodiscover.superplaneteers.com    CNAME         mail.superplaneteers.com    N/A

Internal DNS records

DNS record                          Record type   Hardware load balancer VIP or CAS NLB IP
mail.superplaneteers.com            A             10.10.10.16
autodiscover.superplaneteers.com    A             10.10.10.16

If you don't have CAS NLB or a hardware load balancer, create the Host (A) record for mail.superplaneteers.com and point it to the Exchange 2013 CAS server.

Send Connector

Here I am giving an example of a Trend Micro smart host. Do not add the smart host without proper authorization from the smart host provider; until the provider has registered your public IP address as an allowed sender, mail from your organisation to external destinations will be rejected.

Intended use   Address space   Network settings   Authentication          Smart host
Internet       "*"             default            Basic, Exchange, TLS    relay.sjc.mx.trendmicro.com

Receive Connector

In Exchange 2013 the Front End Transport service, and with it every receive connector that listens on port 25, runs on the Client Access role; the Mailbox role's Transport service listens on 2525 (Default) and 465 (Client Proxy). With separated roles the connectors below are therefore created on the Client Access servers.

Name               Intended use    Network settings   IP range             Server(s)
Client Frontend    Client          default            All available IPv4   AUPEREXCAS01, AUPEREXCAS02
Default Frontend   Inbound SMTP    default            All available IPv4   AUPEREXCAS01, AUPEREXCAS02

Anonymous Relay

Relay             Authentication            Permission                    Remote IP                                                SMTP server
Anonymous Relay   TLS, Externally Secured   Anonymous, Exchange Servers   IP addresses of printers, scanners, devices, app servers   AUPEREXCAS01 (10.10.10.13), AUPEREXCAS02 (10.10.10.14)

List the individual addresses of the devices that need to relay and nothing wider. A relay connector whose remote IP range is left at 0.0.0.0-255.255.255.255 is an open relay: anything that can reach port 25 can send mail to the internet as your domain.
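The script below is an added example, not part of the original article: it creates the relay connector from the worksheet with the Exchange Management Shell, scoped to an explicit list of device addresses, and then audits every receive connector in the organisation for the open-relay condition described above (relay rights combined with an unrestricted remote range). Server names are taken from the worksheet; the three device addresses are assumptions.

```powershell
# Added example (not from the original article): scoped relay connector plus an
# open-relay audit. Run from the Exchange Management Shell as Organization Management.

$RelayServers = 'AUPEREXCAS01', 'AUPEREXCAS02'                 # Front End Transport runs on the CAS role
$AllowedHosts = '10.10.10.50', '10.10.10.51', '10.10.10.60'    # assumed printer / scanner / app server IPs

foreach ($srv in $RelayServers) {
    # ExternalAuthoritative + ExchangeServers grants ms-Exch-SMTP-Accept-Any-Recipient
    # (i.e. relay) to senders in RemoteIPRanges only. Exchange routes an incoming
    # session to the connector whose RemoteIPRanges match it most specifically, so this
    # connector wins over Default Frontend for the listed hosts and for nothing else.
    New-ReceiveConnector -Server $srv -Name 'Anonymous Relay' `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $AllowedHosts `
        -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers
}

function Get-RelayExposure {
    # One row per receive connector with a verdict on whether it can be abused as a relay
    foreach ($c in Get-ReceiveConnector) {
        # Anonymous relay = ANONYMOUS LOGON holds the accept-any-recipient extended right
        $anonRight = Get-ADPermission -Identity $c.Identity | Where-Object {
            "$($_.User)" -like '*ANONYMOUS LOGON*' -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
        }
        $anonRelay  = [bool]$anonRight
        $extSecured = ("$($c.AuthMechanism)" -match 'ExternalAuthoritative')
        $ranges     = @($c.RemoteIPRanges | ForEach-Object { "$_" })
        $wideOpen   = $ranges -contains '0.0.0.0-255.255.255.255'

        $verdict = if (($anonRelay -or $extSecured) -and $wideOpen) { 'OPEN RELAY' }
                   elseif ($anonRelay -or $extSecured)              { 'relay, scoped' }
                   else                                             { 'no relay' }

        [PSCustomObject]@{
            Connector         = "$($c.Identity)"
            AuthMechanism     = "$($c.AuthMechanism)"
            RemoteIPRanges    = ($ranges -join ', ')
            AnonymousRelay    = $anonRelay
            ExternallySecured = $extSecured
            Verdict           = $verdict
        }
    }
}

Get-RelayExposure | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

The Default Frontend connector accepts anonymous mail but only for recipients in your accepted domains, so it reports "no relay"; anything that reports OPEN RELAY needs its RemoteIPRanges narrowed before the server is exposed on port 25.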

Port Forwarding in Cisco Router

Rule   Source address   Destination address   NATed destination   Port
OWA    Any              203.17.x.x            10.10.10.16         443
SMTP   Any              203.17.x.x            10.10.10.16         25

Again, if you don't have CAS NLB or a load balancer, your NATed destination is the Exchange 2013 CAS server. If inbound mail arrives through a hosted email security service, restrict the source of the SMTP rule to that provider's published sending addresses instead of Any.

Mailbox Storage

Storage group type      Database location
Mailbox storage         F:\Exchange Data
Mailbox storage logs    G:\Exchange Log

Email address Policy

Email Address Policy %g.%s@superplaneteers.com

Virtual Directory for internal and external network

Virtual directory Internal and External URL value
Autodiscover https://autodiscover.superplaneteers.com/autodiscover/autodiscover.xml
ECP https://mail.superplaneteers.com/ecp
EWS https://mail.superplaneteers.com/EWS/Exchange.asmx
Microsoft-Server-ActiveSync https://mail.superplaneteers.com/Microsoft-Server-ActiveSync
OAB https://mail.superplaneteers.com/OAB
OWA https://mail.superplaneteers.com/owa
PowerShell http://mail.superplaneteers.com/PowerShell

Since you have finished your work sheet, now you are ready to virtualize Exchange servers on Hyper-v.

1. Virtualize Windows Server 2012 R2.

2. Configure TCP/IP properties.

3. Disable Windows Firewall for the duration of the installation if you want to rule it out while troubleshooting. Exchange 2013 Setup creates the inbound rules it needs, so re-enable the firewall once installation has completed.

4. Join Windows Server 2012 R2 to the domain.

Download following software as prerequisites.

1. Microsoft Exchange Server 2010 Service Pack 3 (SP3) OR Exchange Server 2007 Service Pack 3

2. Cumulative Update 3 for Exchange Server 2013 (KB2892464)

3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

4. Microsoft Office 2010 Filter Pack 64 bit

5. Microsoft Office 2010 Filter Pack SP1 64 bit

Additional Prerequisites if you would like to install Exchange 2013 on Windows Server 2008 R2 SP1.

  1. Microsoft .NET Framework 4.5
  2. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
  3. Microsoft Office 2010 Filter Pack 64 bit
  4. Microsoft Office 2010 Filter Pack SP1 64 bit
  5. Microsoft Knowledge Base article KB974405 (Windows Identity Foundation)
  6. Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)
  7. Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)

Windows Firewall

If you choose to turn the firewall off for the installation, open Control Panel > Windows Firewall and turn off the Domain, Private and Public profiles. Exchange 2013 Setup registers its own inbound rules (SMTP, HTTPS and the Exchange services), so the firewall can, and should, be turned back on once the readiness checks and the installation have completed.

Preparing Base Windows Server 2012 R2 for Exchange 2013

Mailbox Server Role in Windows Server 2012 R2

To install the prerequisites on Windows Server 2012 R2 (or Windows Server 2012), open Windows PowerShell as an administrator and execute the following cmdlets one by one.

Import-Module ServerManager

Install-WindowsFeature RSAT-ADDS

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Reboot Windows Server 2012 R2.

Client Access Server Role in Windows Server 2012 R2

The Client Access role uses the same Windows features as the Mailbox role, so run the same three cmdlets on each Client Access server and reboot it. If you install both roles on one server, run them once.

If you are installing Exchange 2013 on Windows Server 2008 R2 SP1.

Prepare mailbox role Windows Server 2008 R2 SP1

Open Windows PowerShell as an administrator, Execute the following cmdlets one by one.

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI

Reboot Windows Server 2008 R2

Prepare Client Access in Windows Server 2008 R2

Open Windows PowerShell, Execute the following cmdlet one by one.

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI

Reboot Windows Server 2008 R2

Install Service pack 3 on exchange 2010

Upgrading to SP3 requires a schema update, review the Active Directory Schema changes beforehand. Upgrade your Exchange servers to SP3. This should be performed in the following order:

1. CAS servers

2. Hub and/or Edge servers

3. Mailbox servers

4. Unified Messaging servers

Upgrade Exchange 2010 to Exchange 2010 SP3 level

1. Once the files are extracted, locate and run setup.exe as an administrator

2. Select Install Microsoft Exchange Upgrade.

3. Select Next at the welcome screen. Read and accept the license terms, then select Next.

4. If you’ve got all the requirements you’ll see all the green checks, Select Upgrade to begin the upgrade

5. Select Next to start the upgrade.

6. When the upgrade is complete, select Finish.

7. Reboot the server to allow the changes to take effect.

Prepare Active Directory Schema

Before you prepare Active Directory, make sure your Active Directory is healthy. Follow the procedure for AD health check.

1. Prepare Active Directory in an Active Directory site where you want to install Exchange 2013.

2. Domain Controller must be Server 2008 Standard/Enterprise (x86/x64) OR Server 2008 R2 Standard / Enterprise OR Windows Server 2012 OR Windows Server 2012 R2.

3. Each domain needs at least one writeable global catalog server

4. Ensure AD replication is working properly in each site / domain

5. Ensure Active Directory is healthy. Visit active directory health check

6. Open a command prompt as an administrator on a domain controller and run the following commands. netdiag is not available on Windows Server 2008 and later; use dcdiag /test:dns in its place.

repadmin /showrepl

repadmin /replsummary

repadmin /syncall

netdom query fsmo

dcdiag /e

dcdiag /test:dns

7. Open the Active Directory Sites and Services MMC and make sure all domain controllers are global catalog servers.

8. Start Menu, Run, type eventvwr to open Event Viewer, and review the Directory Service, DNS Server and System logs to confirm everything is working as normal.

9. Start Menu, Run, type services.msc to open Services, and check that DNS Server, DNS Client and File Replication Service (or DFS Replication, if SYSVOL has been migrated to DFSR) are started and set to Automatic.

10. Open SYSVOL on all domain controllers and check that the contents are the same on every one.
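As an added example (not from the original article), the pre-flight check below covers steps 6 and 7 from PowerShell, using the ActiveDirectory module that ships with RSAT on Windows Server 2012 and later, and returns a single ReadyForPrepareSchema flag together with the list of problems found. The 24-hour staleness threshold is an assumption; everything else comes from the forest itself.

```powershell
# Added example (not from the original article): Active Directory readiness check to run
# before Setup.exe /PrepareSchema. Requires the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Test-ExchangeAdReadiness {
    param([int] $MaxReplicationAgeHours = 24)   # assumed threshold for "stale" replication

    $issues = New-Object System.Collections.Generic.List[string]
    $forest = Get-ADForest -ErrorAction Stop

    # 1. Every DC must answer and (per the procedure above) be a global catalog
    $dcs = @(Get-ADDomainController -Filter * -ErrorAction Stop)
    foreach ($dc in $dcs) {
        if (-not $dc.IsGlobalCatalog) {
            $issues.Add("$($dc.HostName) is not a global catalog")
        }
        if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
            $issues.Add("$($dc.HostName) does not answer ping")
        }
    }

    # 2. Recorded replication failures (the PowerShell equivalent of repadmin /replsummary)
    $failures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest -ErrorAction Stop)
    foreach ($f in $failures) {
        $issues.Add("$($f.Server): $($f.FailureCount) failure(s) from $($f.Partner), last error $($f.LastError)")
    }

    # 3. Links that have not replicated successfully within the threshold
    $meta = @(Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest -ErrorAction Stop)
    $cutoff = (Get-Date).AddHours(-$MaxReplicationAgeHours)
    foreach ($m in $meta) {
        if ($m.LastReplicationSuccess -lt $cutoff) {
            $issues.Add("$($m.Server) last replicated from $($m.Partner) at $($m.LastReplicationSuccess)")
        }
    }

    # 4. Exchange 2013 needs at least Windows Server 2003 forest functional level
    if ("$($forest.ForestMode)" -eq 'Windows2000Forest') {
        $issues.Add("Forest functional level too low: $($forest.ForestMode)")
    }

    [PSCustomObject]@{
        Forest                = $forest.Name
        SchemaMaster          = $forest.SchemaMaster       # /PrepareSchema is applied here
        DomainControllers     = $dcs.Count
        ReplicationFailures   = $failures.Count
        Issues                = $issues
        ReadyForPrepareSchema = ($issues.Count -eq 0)
    }
}

Test-ExchangeAdReadiness | Format-List
```

Run it from the account that will perform the schema update, on a machine in the same site as the schema master, so that connectivity and permissions are tested from where Setup will actually run.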

Now you are ready to prepare Active Directory Domain and Forest.

1. Extract the Exchange2013-x64-cu3.EXE package you downloaded from the Microsoft web site to a common location. In my example I will use E:\Exchange2013.

2. Open a command prompt as an administrator and navigate to the directory to which you extracted the files, E:\Exchange2013 in this example. You should see Setup.exe there.

3. Run the following command. The machine must be able to reach the schema master, and the account must be a member of Schema Admins and Enterprise Admins:

  • Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

OR

  • Setup.exe /PS /IAcceptExchangeServerLicenseTerms

4. Run the following command. Because you are upgrading an existing Exchange 2007/2010 organisation, the organisation name already exists in Active Directory and /OrganizationName is not needed; that switch is only used when creating a brand-new organisation:

  • Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

OR

  • Setup.exe /PAD /IAcceptExchangeServerLicenseTerms

5. /PrepareAD prepares only the domain it runs in. If the forest has more than one domain, also run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms, or /PrepareDomain:<FQDN> for each domain that will hold Exchange servers or mail-enabled users.

Now replicate Active Directory manually (repadmin /syncall /AdeP) or wait for replication to complete. Check the event logs on the domain controllers for any unexpected errors. If everything looks fine, go ahead and install Exchange 2013.

Installing Exchange 2013 CU3

  1. After you have downloaded Exchange 2013 CU3, log on to the computer on which you want to install Exchange 2013.
  2. Navigate to the network location of the Exchange 2013 installation files.
  3. Start Exchange 2013 Setup by right clicking Setup.exe select Run as administrator
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. Select Don’t check for updates right now, you can download and install updates manually later. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. click Next.
  8. On the Server Role Selection page, select both Mailbox role and Client Access role or separate role based on your design. The management tools are installed automatically if you install any other server role.
    Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must install the Windows features manually. Click Next to continue.
  9. On the Installation Space and Location page, click Browse to choose a new location. I strongly recommend installing Exchange 2013 on a separate partition other than the C: drive. Click Next to continue.
  10. On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.
  11. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
  12. On the Completion page, click Finish.
  13. Restart the computer after Exchange 2013 has completed.
  14. Once rebooted log on to Exchange server and review Event Logs in Exchange Server.
  15. Repeat the steps for all Exchange Server 2013 in your organisation.

Create a Test mailbox

1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.

2. Enter the user name and password of the account you used to install Exchange 2013 in Domain\user name and Password, and then click Sign in.

3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.

4. Provide the information required for the new user and then click Save.

5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .

6. Under Members, click Add .

7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.

Install Exchange 2013 certificates

Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
  5. Specify a name for this certificate and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
  7. Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.
  8. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example: CN=mail.superplaneteers.com and SAN=autodiscover.superplaneteers.com
  9. These domains will be used to create the SSL certificate request. Click Next.
  10. Add any additional domains you want included on the SSL certificate.
  11. Select the domain that you want to be the common name for the certificate and click Set as common name. For example, mail.superplaneteers.com. Click Next.
  12. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
  13. Specify the network location where you want this certificate request to be saved. Click Finish.

After you've saved the certificate request, submit it to your public certificate authority (CA). Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

  1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
  2. In the certificate request details pane, click Complete under Status.
  3. On the Complete pending request page, specify the path to the SSL certificate file and then click OK.
  4. Select the new certificate you just added, and then click Edit .
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.
  7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.

To re-use existing certificate follow the steps below

  1. Log on directly to your Exchange 2010 Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account and click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
  8. Select the 3rd-party certificate that’s used by Exchange 2010 that matches the host names you’ve configured on the Exchange 2013 server. This must be a 3rd-party certificate and not a self-signed certificate.
  9. Right-click on the certificate and select All Tasks and then Export….
  10. In the Certificate Export Wizard, click Next.
  11. Select Yes, export the private key and click Next.
  12. Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
  13. Select Password and enter a password to help secure your certificate. Click Next.
  14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.
  15. You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
  16. Copy the .pfx file you created to your Exchange 2013 Client Access server.

After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.

  1. Log on directly to your Exchange 2013 Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account and click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), and then Personal.
  8. Right-click Personal and select All Tasks and then Import….
  9. In the Certificate Import Wizard, click Next.
  10. Click Browse and select the .pfx file you copied to your Exchange 2013 Client Access server. Click Open and then click Next.
  11. In the Password field, enter the password you used to help secure the certificate when you exported it on the Exchange 2010 Client Access server.
  12. Verify that Include all extended properties is selected and click Next.
  13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next. Click Finish.
  14. You’ll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. On the Servers > Certificates page in the EAC, select the new certificate you just added, and then click Edit.
  4. On the certificate page, click Services.
  5. Select the services you want to assign to this certificate. At minimum, select IIS; you can also select IMAP, POP, SMTP and UM call router if you use those services. Click Save.
  6. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
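The following is an added example, not code from the original article: it performs the export, import and service assignment of the two MMC/EAC procedures above with the Exchange certificate cmdlets, and adds the checks a practitioner wants before binding services, namely that the certificate was selected by its domain name rather than by position, that the thumbprint is unchanged after import, that the private key came across, and that the PFX file is removed afterwards. The Exchange 2010 CAS name AUPEREX2010CAS and the share path are assumptions.

```powershell
# Added example (not from the original article): move the public certificate from the
# Exchange 2010 CAS to the Exchange 2013 CAS and bind services, with verification.
# Run from an Exchange Management Shell that can see both servers.

$LegacyCas = 'AUPEREX2010CAS'                                     # assumed Exchange 2010 CAS name
$NewCas    = 'AUPEREXCAS01'
$PfxPath   = '\\AUPEREXCAS01\C$\Temp\mail-superplaneteers.pfx'    # assumed temporary location
$Fqdn      = 'mail.superplaneteers.com'
$PfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Select the certificate by the name it carries, never "the first one", and never self-signed
$src = @(Get-ExchangeCertificate -Server $LegacyCas | Where-Object {
    -not $_.IsSelfSigned -and
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Fqdn)
})
if ($src.Count -ne 1) { throw "Expected exactly one certificate for $Fqdn on $LegacyCas, found $($src.Count)" }
$src = $src[0]

# 2. Export with the private key as a password-protected PKCS#12 file
$export = Export-ExchangeCertificate -Server $LegacyCas -Thumbprint $src.Thumbprint `
              -BinaryEncoded -Password $PfxPass
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 3. Import on the 2013 CAS; keep the key non-exportable so the copy cannot be lifted again
$imported = Import-ExchangeCertificate -Server $NewCas `
    -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
    -Password $PfxPass -PrivateKeyExportable $false

# 4. Verify before enabling anything
if ($imported.Thumbprint -ne $src.Thumbprint) { throw 'Thumbprint changed between export and import' }
$check = Get-ExchangeCertificate -Server $NewCas -Thumbprint $imported.Thumbprint
if (-not $check.HasPrivateKey) { throw 'Imported certificate has no private key; services would fail to start TLS' }
if ($check.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($check.NotAfter); renew before cut-over" }

# 5. Bind IIS and SMTP. -Force answers the "overwrite the default SMTP certificate" prompt.
Enable-ExchangeCertificate -Server $NewCas -Thumbprint $check.Thumbprint -Services IIS,SMTP -Force

# 6. The PFX contains the private key; do not leave it on a share
Remove-Item -Path $PfxPath -Force

Get-ExchangeCertificate -Server $NewCas -Thumbprint $check.Thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, Services, HasPrivateKey, IsSelfSigned
```

Repeat step 3 onwards for AUPEREXCAS02 (or any other Client Access server behind the load balancer); every server that terminates TLS for mail.superplaneteers.com needs the same certificate.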

Configure Exchange 2013 external and internal URLs

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers, select the name of the Internet-facing Exchange 2013 Client Access server and then click Edit .
  4. Click Outlook Anywhere.
  5. In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.superplaneteers.com.
  6. While you're here, also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, enter the same FQDN you used in the previous step, for example mail.superplaneteers.com.
  7. Click Save.
  8. Go to Servers > Virtual directories and then click Configure external access domain .
  9. Under Select the Client Access servers to use with the external URL, click Add .
  10. Select the Client Access servers you want to configure, and then click Add. After you’ve added all the Client Access servers you want to configure, click OK.
  11. In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.superplaneteers.com. Click Save.

Configure External and Internal URL to be same

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the name of your Client Access server in a variable that will be used in the next step. The virtual directory identities are prefixed with the server name, not with the load-balanced FQDN, so in my case this is AUPEREXCAS01:

$HostName = "AUPEREXCAS01"

3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory's external URL. Repeat with $HostName set to each Client Access server in turn.

Set-EcpVirtualDirectory "$HostName\ECP (Default Web Site)" -InternalUrl ((Get-EcpVirtualDirectory "$HostName\ECP (Default Web Site)").ExternalUrl)

Set-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)" -InternalUrl ((Get-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)").ExternalUrl)

Set-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl ((Get-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)").ExternalUrl)

Set-OabVirtualDirectory "$HostName\OAB (Default Web Site)" -InternalUrl ((Get-OabVirtualDirectory "$HostName\OAB (Default Web Site)").ExternalUrl)

Set-OwaVirtualDirectory "$HostName\OWA (Default Web Site)" -InternalUrl ((Get-OwaVirtualDirectory "$HostName\OWA (Default Web Site)").ExternalUrl)

Set-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)" -InternalUrl ((Get-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)").ExternalUrl)

To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Client Access server.
  3. Select a virtual directory and then click Edit .
  4. Verify that the Internal URL field is populated with the correct FQDN.

Move Arbitration Mailboxes

Follow the steps below to move all arbitration and discovery search mailboxes to an Exchange 2013 database.

Open the Exchange Management Shell as an administrator and run the following cmdlets (replace TargetDBName with the Exchange 2013 database):

Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase TargetDBName

Get-Mailbox "*Discovery*" | New-MoveRequest -TargetDatabase TargetDBName

OR

Type the following cmdlets in the EMS to list the arbitration and discovery mailboxes, then migrate them with the migration wizard.

Get-Mailbox -Arbitration > C:\Arbitration.txt

Get-Mailbox "*Discovery*" > C:\Discovery.txt

  1. In the EAC, go to Recipients > Migration.
  2. Click New , and then click Move to a different database.
  3. On the New local mailbox move page, click Select the users that you want to move, and then click Add .
  4. On the Select Mailbox page, add the mailbox that has the following properties:
    • The display name is Microsoft Exchange.
    • The alias of the mailbox’s email address is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.
  5. Click OK, and then click Next.
  6. On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.
  7. On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15.x, which indicates that the database is located on an Exchange 2013 server.
  8. Click OK, and then click Next.
  9. On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.

Enable and configure Outlook Anywhere

To allow your Exchange 2013 Client Access server to proxy or redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 Client Access servers in your organization. If some Exchange 2010 servers already use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. The commands below set the following on each Exchange 2010 server: Basic client authentication, NTLM and Basic as the IIS authentication methods, the Exchange 2013 namespace (mail.superplaneteers.com) as the external host name, and SSL offloading disabled. Basic authentication is only acceptable here because the credentials travel inside the HTTPS tunnel; keep SSL offloading disabled unless the load balancer-to-server leg is itself encrypted.

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.superplaneteers.com.

$Exchange2013HostName = "mail.superplaneteers.com"

Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}

If you didn't enable Outlook Anywhere in Exchange 2010 already, run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

Configure service connection point (SCP)

Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.

You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.

Perform the following steps to configure the SCP object on your Exchange 2010 servers.

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.

$AutodiscoverHostName = “autodiscover.superplaneteers.com”

Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml"

Perform the following steps to configure the SCP object on your Exchange 2013 servers.

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.

$AutodiscoverHostName = “autodiscover.superplaneteers.com”

Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml"
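The virtual directory URLs, the Outlook Anywhere host names and the SCP set in the previous three sections all have to agree with each other and with the certificate bound to IIS, or Outlook will prompt for credentials and show certificate warnings once clients land on the new servers. The following script is an added example, not code from the original article: run from the Exchange 2013 Management Shell, it lists every namespace value per server, flags any virtual directory whose internal and external URL differ, and checks that each hostname appears in the SAN list of the certificate that has the IIS service enabled. The two hostnames in $ExpectedHosts are the article's example names.

```powershell
# Added example, not part of the original article: audit the namespace settings made in
# the "Configure External and Internal URL", "Outlook Anywhere" and "SCP" sections and
# check that every hostname is on the certificate bound to IIS. Run it from the
# Exchange 2013 Management Shell. The two hostnames are the article's examples.
$ExpectedHosts = @("mail.superplaneteers.com", "autodiscover.superplaneteers.com")

function Get-HostPart([string]$Value) {
    # Virtual directories hold full URLs, Outlook Anywhere holds bare hostnames.
    if ($Value -match '^https?://') { return ([uri]$Value).Host }
    return $Value
}

$Cas2013 = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion -like "Version 15*" -and $_.ServerRole -like "*ClientAccess*"
}

$Report = foreach ($Server in $Cas2013) {
    $VDirs = @(
        Get-OwaVirtualDirectory -Server $Server.Name
        Get-EcpVirtualDirectory -Server $Server.Name
        Get-WebServicesVirtualDirectory -Server $Server.Name
        Get-ActiveSyncVirtualDirectory -Server $Server.Name
        Get-OabVirtualDirectory -Server $Server.Name
        Get-PowerShellVirtualDirectory -Server $Server.Name
    )
    foreach ($VDir in $VDirs) {
        [pscustomobject]@{
            Server   = $Server.Name
            Object   = $VDir.Name
            Internal = "$($VDir.InternalUrl)"
            External = "$($VDir.ExternalUrl)"
        }
    }
    $Scp = Get-ClientAccessServer -Identity $Server.Name
    [pscustomobject]@{
        Server = $Server.Name; Object = "SCP"
        Internal = "$($Scp.AutoDiscoverServiceInternalUri)"; External = ""
    }
    $Oa = Get-OutlookAnywhere -Server $Server.Name
    [pscustomobject]@{
        Server = $Server.Name; Object = "Outlook Anywhere (IIS auth: $($Oa.IISAuthenticationMethods -join ','))"
        Internal = "$($Oa.InternalHostname)"; External = "$($Oa.ExternalHostname)"
    }
}
$Report | Format-Table -AutoSize

# The goal of the earlier section was InternalUrl == ExternalUrl on every directory.
foreach ($Row in $Report | Where-Object { $_.Object -notmatch '^(SCP|Outlook)' }) {
    if ($Row.Internal -ne $Row.External) {
        Write-Warning "$($Row.Server) $($Row.Object): InternalUrl '$($Row.Internal)' differs from ExternalUrl '$($Row.External)'"
    }
}

foreach ($Server in $Cas2013) {
    $Hosts = $Report | Where-Object Server -eq $Server.Name |
        ForEach-Object { $_.Internal; $_.External } |
        Where-Object { $_ } | ForEach-Object { Get-HostPart $_ } | Sort-Object -Unique

    # The certificate with the IIS service enabled is the one Outlook/OWA/EAS clients see.
    $Cert = Get-ExchangeCertificate -Server $Server.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $Cert) { Write-Warning "$($Server.Name): no certificate has the IIS service enabled"; continue }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($Server.Name): IIS certificate expires $($Cert.NotAfter)" }

    $SanList = @($Cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $Hosts) {
        if ($ExpectedHosts -notcontains $h) {
            Write-Warning "$($Server.Name): '$h' is not one of the planned namespace names (leftover server FQDN?)"
        }
        # Exact match, or a wildcard entry such as *.superplaneteers.com that covers it.
        $Covered = $SanList | Where-Object { $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_) }
        if (-not $Covered) { Write-Warning "$($Server.Name): '$h' is not in the IIS certificate SAN list ($($SanList -join ', '))" }
    }
}
```

Any warning from this script means a client will either be sent to a name the certificate does not cover or to a URL that still points at the old servers; fix those before changing DNS in the "Configure Public Name Space" step.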

Configure Exchange 2013 Mail flow

Receive connectors

A multi-role Exchange 2013 server has five default receive connectors. They are:

· Default <server name>   Accepts connections from Mailbox servers running the Transport service and from Edge servers.

· Client Proxy <server name>   Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.

· Default Frontend <server name>   Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.

· Outbound Proxy Frontend <server name>   Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.

· Client Frontend <server name>   Accepts authenticated client submissions (SMTP AUTH over TLS) on port 587.

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 on your Client Access server. Click Mail flow, then Receive connectors.

2. Select Default Frontend AUPERMBX01, click Edit (the pencil icon), open Security and make sure Anonymous users is selected under Permission groups, then click Save. This is what lets Internet SMTP servers (or your hosted email security service) deliver to your accepted domains; it does not allow relaying to other domains, which needs the explicit Ms-Exch-SMTP-Accept-Any-Recipient permission described under Anonymous Relay below.

3. Repeat the steps for Default Frontend AUPERMBX02.

Send connector:

Add the Exchange 2013 Mailbox servers to the existing send connector as shown below. Note that -SourceTransportServers replaces the existing list: as written, the command leaves only the Exchange 2013 servers on the connector, so either run it once the 2013 servers are ready to carry all outbound mail (this is also item 7 of the decommissioning checklist) or list every server that should remain.

Open the Exchange Management Shell as an administrator and execute the following command.

Set-SendConnector -Identity Outbound -SourceTransportServers AUPEREXMBX01, AUPEREXMBX02

OR

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Send Connector, Click Edit or Pencil icon

2. Click on scoping and + icon on Source Server parameter to add the server

3. Select the Exchange 2013 Mailbox servers (AUPEREXMBX01 and AUPEREXMBX02) and add them and Click save.

4. Send connector configuration completed.

Configure a smart host if necessary

1. In the EAC https://AUPEREXCAS01/ecp?ExchClientVer=15, navigate to Mail flow > Send connectors, and then click Add .

2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.

3. Choose Route mail through smart hosts, and then click Add. In the Add smart host window, enter the fully qualified domain name (FQDN) of the smart host, such as relay.sjc.mx.trendmicro.com. Click Save.

4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.

5. For Source server, click Add . In the Select a server window, choose a server and click Add . Click OK.

6. Click Finish.

Anonymous Relay

Create a new receive connector using the Exchange Administration Center with the following parameters. Keep Remote network settings restricted to the specific hosts that need to relay: this connector shares its IP and port 25 with Default Frontend, and Exchange hands each session to the connector whose remote IP range matches the sender most specifically, so a catch-all range here would make the Internet-facing server an open relay.

  • Name: Anonymous Relay
  • Role: Frontend Transport
  • Type: Custom
  • Available IP: Exchange 2013 server IP
  • Port: 25
  • Security: Anonymous
  • Authentication: TLS, Externally Secured
  • Permission: Exchange Servers, Anonymous users

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector, Click Add or + icon

2. Select the Exchange Mailbox server name AUPEREXMBX01, type Anonymous Relay as the name, choose Frontend transport as the role and Custom as the type, then click Next.

3. On Network adapter bindings, add the Exchange 2013 MBX server IP (10.10.10.11) and port 25. On Remote network settings, remove the default 0.0.0.0-255.255.255.255 entry and add the printer, scanner, device and application server IPs. Click Save to create Anonymous Relay.

4. Select the newly created Anonymous Relay, click Edit (the pencil icon), open Security, select TLS and Externally secured under Authentication, and select Exchange servers and Anonymous users under Permission groups. Be aware that Externally secured with the Exchange servers group already grants relay and bypasses anti-spam checks for the listed hosts; if plain relay is all you need, leave Authentication at TLS with only Anonymous users and rely on the permission added in step 5.

5. Open Exchange 2013 Management Shell and execute the following

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

6. Open the Exchange Management Shell on Exchange 2010 and execute the following cmdlet

Get-ReceiveConnector -Identity "Anonymous relay" | Format-List RemoteIPRanges

From the shell output, copy all the IP addresses of the printers, scanners and application servers to Notepad.

7. Edit Anonymous Relay in Exchange 2013 Administration center and add all the IPs addresses you copied in previous step into remote network setting of Exchange 2013 relay.

8. Repeat step 1 to step 7 on all mailbox servers.
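The same result can be scripted, which also removes the copy-to-Notepad step and makes it hard to leave a catch-all range behind. The script below is an added example and not code from the original article. It builds the "Anonymous Relay" connector with the narrower of the two relay methods the article combines (Anonymous users plus the Ms-Exch-SMTP-Accept-Any-Recipient permission, without Externally secured), seeds its remote IP ranges from the Exchange 2010 relay connector, refuses to proceed if those ranges cover the whole Internet, and finishes with an audit of every receive connector in the organisation that can relay. The server names and binding IP are the article's examples; the 2010 connector identity AUPEREX2010\Anonymous relay is an assumption.

```powershell
# Added example, not part of the original article: build the "Anonymous Relay"
# connector from the Exchange 2013 Management Shell with the narrower relay method
# (Anonymous users + Ms-Exch-SMTP-Accept-Any-Recipient, no "Externally secured"),
# seed its remote IP ranges from the Exchange 2010 relay connector, and then audit
# every connector in the organisation that can relay. Server names, the binding IP
# and the 2010 connector identity are the article's examples / assumptions.
$Server2013  = "AUPEREXMBX01"
$BindIp      = "10.10.10.11"
$LegacyRelay = "AUPEREX2010\Anonymous relay"   # assumption: <2010 server>\<connector name>
$RelayName   = "Anonymous Relay"

# Reuse the printers, scanners and application servers already trusted on the 2010
# connector rather than copying the list by hand.
$Ranges = @((Get-ReceiveConnector -Identity $LegacyRelay).RemoteIPRanges)

# On port 25 Exchange picks the connector whose RemoteIPRanges matches the sender most
# specifically, so a catch-all range on a relay connector would beat Default Frontend
# for every sender on the Internet and turn the server into an open relay.
$CatchAll = $Ranges | Where-Object { "$_" -match '^(0\.0\.0\.0|::)' }
if ($CatchAll -or -not $Ranges) {
    throw "Refusing to create '$RelayName': remote ranges are empty or catch-all ($CatchAll)"
}

$Existing = Get-ReceiveConnector -Identity "$Server2013\$RelayName" -ErrorAction SilentlyContinue
if (-not $Existing) {
    New-ReceiveConnector -Name $RelayName -Server $Server2013 `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings "${BindIp}:25" -RemoteIPRanges $Ranges `
        -AuthMechanism Tls -PermissionGroups AnonymousUsers | Out-Null
}

# This ACE is what turns "accept mail for my domains" into "relay anywhere".
Get-ReceiveConnector -Identity "$Server2013\$RelayName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

# Audit: every connector that can relay, by either method, with the ranges it trusts.
$Audit = foreach ($Rc in Get-ReceiveConnector) {
    $RelayAce = $Rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -match 'Accept-Any-Recipient') }
    $ExtSecured = "$($Rc.AuthMechanism)" -match 'ExternallySecured'
    if ($RelayAce -or $ExtSecured) {
        [pscustomobject]@{
            Connector = "$($Rc.Identity)"
            Method    = if ($ExtSecured) { "ExternallySecured (bypasses anti-spam)" } else { "Accept-Any-Recipient" }
            Bindings  = ($Rc.Bindings -join ', ')
            Ranges    = ($Rc.RemoteIPRanges -join ', ')
            OpenRelay = [bool]($Rc.RemoteIPRanges | Where-Object { "$_" -match '^(0\.0\.0\.0|::)' })
        }
    }
}
$Audit | Format-Table -AutoSize -Wrap
```

Run the script once per Exchange 2013 Mailbox server (changing $Server2013 and $BindIp). Any row in the audit with OpenRelay set to True, on any server of either version, is a connector that relays for the entire Internet and should be fixed before the port 25 forwarding rule is moved to the new servers.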

Configure Public Name Space

At this stage, you are ready to configure the public DNS records. Update your public DNS records, including the hosted email security service, if the public IPs are changing; otherwise you only have to change the port 443 and port 25 forwarding rules on the Cisco router at the edge of your organization so they point at the Exchange 2013 Client Access server (or its load balancer VIP).

Your public DNS must look similar to this table.

FQDN Record Type Value
superplaneteers.com MX mail.superplaneteers.com
mail.superplaneteers.com A 203.17.x.x (Public IP)
autodiscover.superplaneteers.com A 203.17.x.x (Public IP)

Request that the ISP who provided the 203.17.x.x public IP create a reverse DNS (PTR) record for it pointing to mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many receiving servers check that the PTR record of the connecting IP resolves back to the same IP and matches the name your server announces in EHLO; if it doesn't, your mail can be rejected or your IP blocked. Outlook.com, for example, checks both reverse DNS and the SPF record of the sending domain, so also publish an SPF TXT record that authorizes 203.17.x.x (or your hosted email security service, if outbound mail relays through it).

Configure TMG/UAG

If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.

Publish-exchange-server-2010-using-forefront-uag-2010-step-by-step/

Publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/

Create internal DNS Record

Create Host (A) records (with matching PTR records in the reverse lookup zone) in the forward lookup zone of the superplaneteers.com forest. Internal DNS records must look similar to this table.

FQDN Record Type IP Address
mail.superplaneteers.com A 10.10.10.16
autodiscover.superplaneteers.com A 10.10.10.16

If you don’t have CAS NLB or load balancer then your internal host(A) record must point to Exchange 2013 CAS server.

Open PowerShell as an administrator and execute the following to confirm that both names resolve to the Exchange 2013 CAS (or load balancer) address:

Resolve-DnsName mail.superplaneteers.com

nslookup mail.superplaneteers.com

Configure Offline Address Book

To create a new offline address book for Exchange 2013 and set it on all mailbox databases at once, run the following commands. Exchange 2010 already owns an OAB called "Default Offline Address Book", so the new one is named "Default Offline Address Book (Ex2013)".

Open the Exchange Management Shell and execute the cmdlets

New-OfflineAddressBook -Name "Default Offline Address Book (Ex2013)" -AddressLists "Default Global Address List"

Restart-Service MSExchangeMailboxAssistants

Run the restart on the Exchange 2013 Mailbox server that hosts the organization (arbitration) mailbox which generates the OAB, because the OAB generator assistant runs there. Wait a few minutes and check that the OAB files have been created in C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\<newGUID>

Try to access the new OAB in Internet Explorer: https://mail.superplaneteers.com/oab/<newGUID>/oab.xml

Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book (Ex2013)"

To change the generation server of the legacy OAB (for example when the Exchange 2010 Mailbox server that generates it is being retired), open the Exchange 2010 Management Shell and run the following command. Move-OfflineAddressBook takes a single Exchange 2010 Mailbox server; it cannot move generation to an Exchange 2013 server.

Move-OfflineAddressBook -Identity "Default Offline Address Book" -Server AUPERCAS01

Configure new transport rules in Exchange 2013 or export the transport rules from legacy Exchange.

Follow this reference if you are migrating from Exchange 2007

Transport rules exported from Exchange Server 2007 cannot be imported into Exchange Server 2013 with the cmdlets below.

The following cmdlet example exports all your transport rules to the XML file ExportedRules.xml in the C:\TransportRules folder (run on Exchange 2010):

Export-TransportRuleCollection -FileName "C:\TransportRules\ExportedRules.xml"

The following example imports the transport rule collection from the XML file ExportedRules.xml in the C:\TransportRules folder. Run it on Exchange 2013 before creating any new 2013 rules, because importing a collection overwrites the existing rules:

[Byte[]]$Data = Get-Content -Path "C:\TransportRules\ExportedRules.xml" -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $Data

To create new Transport rule,

  1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 on your Client Access server.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Click Mail flow, click Rules, click Add (the + icon), type the name of the rule, select the rule conditions and click More options.
  4. Select the date from which the rule should be active.
  5. Choose whether to enforce the rule or test it.
  6. Follow the wizard to finish the rule settings.

Move mailboxes to Exchange 2013

  1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
  2. Enter your user name and password in Domainuser name and Password, and then click Sign in.
  3. Go to Recipients > Migration, click Add and then select Move to a different database.
  4. Under Select the users that you want to move, click Add .
  5. In the Select Mailbox window, select the mailboxes you want to move, click Add and then OK.
  6. Verify that the mailboxes you want to move are listed and then click Next.
  7. Specify a name for the new mailbox move and verify that Move the primary mailbox and the archive mailbox if one exists is selected.
  8. Under Target database, click Browse.
  9. In the Select Mailbox Database window, select a mailbox database on the Exchange 2013 server that you want to move the mailboxes to, click Add and then OK.
  10. Verify that the mailbox database displayed in Target database is correct and then click Next.
  11. Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse and select a different user.
  12. Verify Automatically start the batch is selected.
  13. Decide whether you want to have mailbox moves automatically complete. During the finalization phase, the mailbox is unavailable for a short time. If you choose to complete the mailbox move manually, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.

14. Click Finish.

OR

Open Exchange Management Shell

Get-Mailbox -Database "Exchange 2010 database name" | New-MoveRequest -TargetDatabase "Exchange 2013 database name"

Get-MoveRequest

Migrate Room or Resource mailboxes

Open the EMS and execute the cmdlet. Equipment mailboxes are a separate recipient type, so include both:

Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox -Database SOURCEDBNAME | New-MoveRequest -TargetDatabase TARGETDBNAME
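The three move sections above (user mailboxes, arbitration and discovery mailboxes, room and resource mailboxes) each issue a separate New-MoveRequest against one database. The script below is an added example, not code from the original article: it picks up everything still homed on a legacy database in one named batch, skips mailboxes that already have a move request so it can be re-run, syncs the data with the cut-over held back, and reports progress and bad-item counts. The database names are the article's placeholders.

```powershell
# Added example, not part of the original article: move whatever is still homed on an
# Exchange 2010 database (user, room/equipment, discovery and arbitration mailboxes) to
# an Exchange 2013 database as one named batch, let the moves synchronise, and report
# their state. Run from the Exchange 2013 Management Shell; database names are placeholders.
$SourceDb = "Exchange 2010 database name"
$TargetDb = "Exchange 2013 database name"
$Batch    = "Move-$SourceDb-$(Get-Date -Format yyyyMMdd)"

# Get-Mailbox lists user, resource and discovery mailboxes; arbitration mailboxes only
# appear with -Arbitration, so query both and de-duplicate on ExchangeGuid.
$Candidates = @(
    Get-Mailbox -Database $SourceDb -ResultSize Unlimited
    Get-Mailbox -Database $SourceDb -Arbitration -ResultSize Unlimited
) | Sort-Object -Property ExchangeGuid -Unique

# Skip mailboxes that already have a move request so the script is safe to re-run.
$Requested = @(Get-MoveRequest -ResultSize Unlimited | ForEach-Object { $_.ExchangeGuid })
$ToMove = @($Candidates | Where-Object { $Requested -notcontains $_.ExchangeGuid })
Write-Host "$($ToMove.Count) mailbox(es) to move from $SourceDb to $TargetDb"

foreach ($Mbx in $ToMove) {
    # -SuspendWhenReadyToComplete copies the data now and leaves the short cut-over
    # outage for you to trigger (Resume-MoveRequest) outside business hours.
    New-MoveRequest -Identity $Mbx.Identity -TargetDatabase $TargetDb -BatchName $Batch `
        -BadItemLimit 10 -SuspendWhenReadyToComplete | Out-Null
}

# Progress per mailbox; BadItemsEncountered > 0 deserves a look before finalising.
Get-MoveRequest -BatchName $Batch |
    Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize, BadItemsEncountered |
    Format-Table -AutoSize

# When the batch shows AutoSuspended, finalise it (this is the step users notice):
# Get-MoveRequest -BatchName $Batch -MoveStatus AutoSuspended | Resume-MoveRequest
```

Running the report again after resuming shows the requests going to Completed; keep the move requests until you have checked the bad-item counts, then clear them with Remove-MoveRequest so they do not show up as leftovers in the decommissioning checks.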

Upgrade Distribution groups

Open the Exchange Management Shell as an administrator and execute the following commands. The first one replaces the owner (ManagedBy) of every distribution group with the Organization Management role group, which discards the existing owners; if the groups have owners you want to keep, use the multi-owner script in the next section instead. The second command upgrades every group to the Exchange 2013 version so it can be managed from the EAC.

Get-DistributionGroup -ResultSize Unlimited | Set-DistributionGroup -ManagedBy "CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=superplaneteers,DC=com"

Get-DistributionGroup -ResultSize Unlimited | Set-DistributionGroup -ForceUpgrade

Upgrading Distribution Groups with multiple owners to Exchange 2013

Open Exchange management Shell as an administrator, execute the following command.

foreach ($DL in (Get-DistributionGroup -ResultSize Unlimited)) {
    # Owners hold explicit ACEs on the group object; drop the built-in and Exchange
    # system principals so that only real owners are left.
    $owners = Get-ADPermission $DL.Identity |
        Where-Object { $_.User -notlike "*Exchange*" -and $_.User -notlike "S-*" -and $_.User -notlike "*Organization*" -and $_.User -notlike "NT*" -and $_.User -notlike "*Domain Admins*" -and $_.User -notlike "*Enterprise Admins*" -and $_.User -notlike "BUILTIN*" -and $_.User -notlike "*Delegated Setup*" } |
        ForEach-Object { $_.User.ToString() } | Sort-Object -Unique
    # Only touch groups that actually have owners; otherwise ManagedBy would be cleared.
    if ($owners) { Set-DistributionGroup $DL -BypassSecurityGroupManagerCheck -ManagedBy $owners }
}

Reference http://blogs.technet.com/b/microsoft_exchange_tips/archive/2013/11/07/upgrading-distribution-groups-with-multiple-owners-to-exchange-2013.aspx

Migrate Public Folder

In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).

There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:

  • Primary hierarchy mailbox   The primary hierarchy mailbox is the one writable copy of the public folder hierarchy. The public folder hierarchy is copied to all other public folder mailboxes, but these will be read-only copies.
  • Secondary hierarchy mailboxes   Secondary hierarchy mailboxes contain public folder content as well and a read-only copy of the public folder hierarchy.

There are two ways you can manage public folder mailboxes:

  • In the Exchange admin center (EAC), navigate to Public folders > Public folder mailboxes.
  • In the Exchange Management Shell, with the New-Mailbox, Get-Mailbox and Set-Mailbox cmdlets and their -PublicFolder switch, as used in the steps below.

Before you migrate public folders, I would recommend creating a new, separate mailbox database in Exchange 2013 for the public folder mailboxes and then starting the migration process.

Step1: Perform Prerequisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save them in C:\PFScripts
Prerequisites on the Exchange 2010 server
Open the Exchange Management Shell on the Exchange 2010 server and run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as item count, size, and owner.
Get-PublicFolderStatistics | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like "*\*"} | Format-List Name, Identity

In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like "*\*"}}

If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete

Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false

Prerequisites on Exchange 2013
Make sure there are no existing public folder migration requests. If there are, clear them.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false

To make sure there are no existing public folders on the Exchange 2013 servers, run the following commands.
Get-Mailbox -PublicFolder
Get-PublicFolder

If the above commands return any public folders, use the following commands to remove the public folders.
Get-MailPublicFol​der | Where-Object {$_.EntryId -ne $null} | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren | Remove-PublicFolder -Recurse -Confirm:$false
Get-Mailbox -PublicFolder |Remove-Mailbox -PublicFolder -Confirm:$false

Step2: Generate CSV Files
On the Exchange 2010 server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-to-folder size mapping file.
.\Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>

Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.\PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>

<Folder to size map path> is \\AUPEREX2010\c$\PFstat.csv
<Maximum mailbox size in bytes> is 20000000 (this is the maximum size of each public folder mailbox; 20 MB is illustrative and will produce a large number of mailboxes for any real-world hierarchy)
<Folder to mailbox map path> is \\AUPEREX2010\c$\PFMigration\mapgen.csv

Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true -Database "Exchange 2013 database"

Run the following command to create additional public folder mailboxes as needed, based on the .csv file generated by the PublicFolderToMailboxMapGenerator.ps1 script. The mailbox names must match the TargetMailbox column of that file; the first mailbox is created on hold for migration and all of them are excluded from serving the hierarchy until the migration is complete.

$numberOfMailboxes = 25;
for($index = 1; $index -le $numberOfMailboxes; $index++)
{
    $PFMailboxName = "Mailbox" + $index
    if ($index -eq 1) {
        New-Mailbox -PublicFolder $PFMailboxName -HoldForMigration:$true -IsExcludedFromServingHierarchy:$true
    } else {
        New-Mailbox -PublicFolder $PFMailboxName -IsExcludedFromServingHierarchy:$true
    }
}
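Hard-coding the count and the "MailboxN" naming only works if the mapping file happens to use the same names. The script below is an added example, not code from the original article: it reads the TargetMailbox column of the mapping file produced in Step 2, creates one public folder mailbox per distinct name (the first on hold for migration, all of them excluded from serving the hierarchy), skips mailboxes that already exist so it can be re-run, and prints the result. The mapping file path and the database name are the article's examples.

```powershell
# Added example, not part of the original article: create the public folder mailboxes
# that PublicFolderToMailboxMapGenerator.ps1 asked for, reading the names from its
# mapping file instead of hard-coding a count. Run from the Exchange 2013 Management
# Shell; the path and database name are the article's examples.
$MapFile = "\\AUPEREX2010\c$\PFMigration\mapgen.csv"
$Db2013  = "Exchange 2013 database"

# The map file has FolderPath and TargetMailbox columns; one mailbox per distinct
# TargetMailbox. The first one becomes the primary hierarchy mailbox and is created with
# -HoldForMigration so nobody can use it before the migration has completed.
$Names = @(Import-Csv $MapFile | Select-Object -ExpandProperty TargetMailbox -Unique)
if (-not $Names) { throw "No TargetMailbox values found in $MapFile" }

$Existing = @(Get-Mailbox -PublicFolder -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
$First = $true
foreach ($Name in $Names) {
    if ($Existing -contains $Name) {
        Write-Host "Skipping $Name (already exists)"
        $First = $false        # an existing mailbox already holds the primary hierarchy
        continue
    }
    $Params = @{
        PublicFolder = $true
        Name         = $Name
        Database     = $Db2013
        # Keep clients off the new public folders until the migration is finalised.
        IsExcludedFromServingHierarchy = $true
    }
    if ($First) { $Params.HoldForMigration = $true; $First = $false }
    New-Mailbox @Params | Out-Null
    Write-Host "Created $Name in $Db2013$(if ($Params.HoldForMigration) { ' (hold for migration)' })"
}

# Exactly one mailbox should be the root (hierarchy) mailbox; all should be excluded.
Get-Mailbox -PublicFolder |
    Format-Table Name, Database, IsRootPublicFolderMailbox, IsExcludedFromServingHierarchy -AutoSize
```

Because the migration request in Step 4 maps folders to these mailboxes by name from the same CSV, creating them from that file guarantees the two agree; a mailbox missing from the organisation makes the request fail at validation.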

Step4: Start Migration request

Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.

From the Exchange 2013 Mailbox server, run the following command:

$PublicFolderDatabasesInOrg = @(Get-PublicFolderDatabase)
$BadItemLimitCount = 5 + ($PublicFolderDatabasesInOrg.Count -1)
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <Source server name>) -CSVData (Get-Content <Folder to mailbox map path> -Encoding Byte) -BadItemLimit $BadItemLimitCount

To verify that the migration started successfully, run the following command. The request copies the content and then stops at a status of AutoSuspended; wait for that state before going on to Step 5.
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List

Step 5: Lock Source Server
On the Exchange 2010 server, run the following command to lock the legacy public folders for finalization.

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

Step6: Finalize public folder migration
Once the lock has replicated, allow the request to complete and resume it, then watch Get-PublicFolderMigrationRequest until the status is Completed.
Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity \PublicFolderMigration

Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:

Post Migration Check

1. Verify Internal and external DNS records and aliases of autodiscover and mail are pointing to Exchange 2013 CAS server or load balancer VIP or CAS NLB IP. At this stage do not delete Host(A) record of legacy exchange servers until you decommission them.

2. Point your Spam Guard or hosted email security to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.

3. Configure Spam Guard or hosted email security to accept emails from all Exchange 2013 Mailbox servers.

4. Configure smart host if necessary.

5. Configure all other application to send email via the Exchange 2013 Mailbox Servers

6. Test inbound and outbound email from outlook client and mobile devices.

7. Check that the Exchange 2013 health monitoring mailboxes are in place (Managed Availability depends on them): open the EMS and execute Get-Mailbox -Monitoring

8. Go to https://testconnectivity.microsoft.com/ to test connectivity of Exchange 2013

9. Go to http://mxtoolbox.com/ to test your MX, Reverse DNS and DNS records.
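Items 1, 8 and 9 above, together with the public and internal DNS tables in the "Configure Public Name Space" and "Create internal DNS Record" sections, can be checked from a single script instead of visiting the two web sites by hand. The following is an added example, not code from the original article: from a plain PowerShell session on Windows Server 2012 / Windows 8 or later (Resolve-DnsName and Test-NetConnection), it resolves the MX, A, PTR and SPF records once through an external resolver and once through the machine's own DNS, verifies that the PTR of the MX host resolves back to the MX name, and tests that ports 25 and 443 answer. The domain and hostnames are the article's examples; the public resolver address is an assumption.

```powershell
# Added example, not part of the original article: check the external and internal
# namespace from a plain PowerShell session (Windows Server 2012 / Windows 8 or later).
# Domain and hostnames are the article's examples; the public resolver is an assumption.
$Domain   = "superplaneteers.com"
$MailHost = "mail.$Domain"
$AutoHost = "autodiscover.$Domain"
$PublicResolver = "1.1.1.1"    # assumption: any resolver outside your network

function Test-MailNamespace {
    param([string]$Resolver)   # empty = the machine's own (internal) DNS
    $dns = @{ ErrorAction = 'SilentlyContinue' }
    if ($Resolver) { $dns.Server = $Resolver }
    $r = [ordered]@{ View = if ($Resolver) { "public via $Resolver" } else { "internal" } }

    $mx = Resolve-DnsName -Name $Domain -Type MX @dns | Where-Object Type -eq MX | Sort-Object Preference
    $r.MX = ($mx | Select-Object -First 1).NameExchange

    foreach ($h in $MailHost, $AutoHost) {
        $a = Resolve-DnsName -Name $h -Type A @dns | Where-Object Type -eq A
        $r["A $h"] = ($a.IPAddress -join ', ')
    }

    # Reverse DNS: the PTR of the MX host's IP must resolve back to the MX name, or
    # receiving servers (outlook.com among them) may reject or junk your mail.
    if ($r.MX) {
        $mxIp = (Resolve-DnsName -Name $r.MX -Type A @dns | Where-Object Type -eq A | Select-Object -First 1).IPAddress
        if ($mxIp) {
            $ptr = (Resolve-DnsName -Name $mxIp -Type PTR @dns | Where-Object Type -eq PTR | Select-Object -First 1).NameHost
            $r.PTR = "$mxIp -> $ptr"
            $r.PtrMatchesMx = [bool]$ptr -and ($ptr.TrimEnd('.') -ieq $r.MX.TrimEnd('.'))
        }
    }

    # SPF: the TXT record should authorise the IP (or the hosted filtering service) that
    # actually sends your outbound mail.
    $spf = Resolve-DnsName -Name $Domain -Type TXT @dns | Where-Object { ($_.Strings -join '') -match '^v=spf1' }
    $r.SPF = if ($spf) { ($spf.Strings -join '') } else { "(none)" }

    # SMTP and HTTPS must both be reachable on the mail host from this vantage point.
    foreach ($p in 25, 443) {
        $r["tcp/$p $MailHost"] = (Test-NetConnection -ComputerName $MailHost -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]$r
}

Test-MailNamespace -Resolver $PublicResolver | Format-List
Test-MailNamespace | Format-List
```

Run it from a machine outside the organisation as well as from the inside: the public view should show 203.17.x.x with a matching PTR, the internal view should show 10.10.10.16, and PtrMatchesMx should be True before you move the MX or ask the hosted email security service to deliver to the new servers.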

Decommission Legacy Exchange Server

Before you decommission legacy Exchange server, make sure you have completed the following tasks

  1. Make sure public and internal DNS, MX and CNAME are correct.
  2. Move all user mailboxes to Exchange 2013.
  3. Move all room mailboxes to Exchange 2013.
  4. Move all public folders to Exchange 2013
  5. Move all arbitration mailboxes to Exchange 2013.
  6. Move all Discovery Search mailboxes to Exchange 2013
  7. Add all Exchange 2013 mailbox servers to all the send connectors and remove the Exchange 2007/2010 servers from the send connectors.
  8. Create new anonymous relay receive connectors in Exchange 2013 and add all the IPs to the remote network settings of the relay.
  9. Ensure Autodiscover is configured correctly in the AutoDiscoverServiceInternalUri property of every Exchange 2013 CAS. Run Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri to view the internal Autodiscover URL.

10. Remove the Exchange 2010 CAS arrays. Execute Get-ClientAccessArray | Remove-ClientAccessArray in the Exchange 2010 Management Shell.

11. Point all the applications to use Exchange 2013 SMTP.

12. Test inbound and outbound email from various supported clients.
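Most of the checklist above can be verified with cmdlets rather than by eye. The script below is an added example, not code from the original article: run from the Exchange 2013 Management Shell, it reports any mailbox (including arbitration mailboxes) still on a legacy database, any legacy public folder database, send connectors that still name a legacy server or have no Exchange 2013 source server, remote IP ranges trusted by a legacy receive connector that no 2013 connector trusts yet, SCPs not pointing at the 2013 Autodiscover URL, and leftover CAS arrays. The Autodiscover URL is the article's example.

```powershell
# Added example, not part of the original article: verify from the Exchange 2013
# Management Shell that nothing still depends on the legacy servers before they are
# powered off. It covers the checklist items above that a cmdlet can test.
# The Autodiscover URL is the article's example.
$AutoUri = "https://autodiscover.superplaneteers.com/Autodiscover/Autodiscover.xml"
$Legacy  = @(Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion -notlike "Version 15*" })
$LegacyNames = @($Legacy | ForEach-Object { $_.Name })
$Findings = New-Object System.Collections.Generic.List[string]

# Items 2, 3, 5, 6: anything still homed on a legacy mailbox database.
foreach ($Db in Get-MailboxDatabase | Where-Object { $LegacyNames -contains $_.ServerName }) {
    $Left = @(Get-Mailbox -Database $Db.Identity -ResultSize Unlimited) +
            @(Get-Mailbox -Database $Db.Identity -Arbitration -ResultSize Unlimited)
    foreach ($m in $Left) {
        $Findings.Add("Mailbox still on $($Db.Name): $($m.DisplayName) [$($m.RecipientTypeDetails)]")
    }
}

# Item 4: legacy public folder databases must be gone (replicas removed first).
foreach ($Pf in Get-PublicFolderDatabase -ErrorAction SilentlyContinue) {
    $Findings.Add("Public folder database still present: $($Pf.Name) on $($Pf.ServerName)")
}

# Item 7: no send connector may still list a legacy source server, and each must have
# at least one Exchange 2013 server or outbound mail stops with the old boxes.
foreach ($Sc in Get-SendConnector) {
    $Src = @($Sc.SourceTransportServers | ForEach-Object { $_.Name })
    $Old = @($Src | Where-Object { $LegacyNames -contains $_ })
    if ($Old) { $Findings.Add("Send connector '$($Sc.Name)' still uses: $($Old -join ', ')") }
    if (-not ($Src | Where-Object { $LegacyNames -notcontains $_ })) {
        $Findings.Add("Send connector '$($Sc.Name)' has no Exchange 2013 source server")
    }
}

# Item 8: remote IP ranges trusted by a legacy receive connector that no 2013
# connector trusts yet (the catch-all ranges of the default connectors are ignored).
$NewRanges = @(Get-ReceiveConnector | Where-Object { $LegacyNames -notcontains $_.Server.Name } |
    ForEach-Object { $_.RemoteIPRanges } | ForEach-Object { "$_" })
foreach ($Rc in Get-ReceiveConnector | Where-Object { $LegacyNames -contains $_.Server.Name }) {
    $Missing = @($Rc.RemoteIPRanges | ForEach-Object { "$_" } |
        Where-Object { $_ -notmatch '^(0\.0\.0\.0|::)' -and $NewRanges -notcontains $_ })
    if ($Missing) { $Findings.Add("Ranges on '$($Rc.Identity)' not present on any 2013 connector: $($Missing -join ', ')") }
}

# Item 9: every SCP must already point at the 2013 Autodiscover URL.
foreach ($Cas in Get-ClientAccessServer) {
    if ("$($Cas.AutoDiscoverServiceInternalUri)" -ne $AutoUri) {
        $Findings.Add("SCP on $($Cas.Name) is '$($Cas.AutoDiscoverServiceInternalUri)'")
    }
}

# Item 10: Exchange 2010 CAS arrays (remove them from the 2010 shell, as above).
foreach ($Arr in Get-ClientAccessArray -ErrorAction SilentlyContinue) {
    $Findings.Add("CAS array still defined: $($Arr.Fqdn)")
}

if ($Findings.Count) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No remaining dependency on $($LegacyNames -join ', ') found" }
```

Items 1, 11 and 12 (DNS, applications and client tests) still need the checks from the "Post Migration Check" section; this script is the gate for the Exchange-side state only.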

Now is the time to shut down the legacy Exchange servers in your organization and test Exchange 2013 mail flow again. Shut them down during working hours on working days, so that any application or client that still depends on them surfaces while people are actually using the system. Keep the legacy Exchange servers down for at least 48 hours. To decommission legacy Exchange, follow these steps

1. Bring all legacy servers online means power on all servers which were down in previous step.

2. Remove all Public Folder replicas else Public Folder Database will not be removed. To remove public folder replicas, open Exchange Management Console in exchange 2010, Click Tools, Open Public Folder Management Console, Select Default Public Folder, Click properties, Click Replication, Remove exchange 2010 database from replication. Repeat the same for systems public folder.

3. Remove Exchange 2007/2010 mailbox database and Public folder databases from EMC or EMS.

4. Go to Control Panel to remove Exchange 2007/2010. On the Programs and Features screen, click Uninstall. The Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.

5. On the Server Role Selection page, uncheck in 2007/2010 all Exchange server roles and Exchange management tools to remove. In Exchange 2007 CCR remove passive node first then follow the same steps on active node. Click next to continue.

6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.

7. On the Completion page, click Finish.

8. Verify the setup log files and folder located at C:\ExchangeSetupLogs.

9. Uninstall Internet Information Services (IIS) from windows Server 2008 or add/remove program and features in Windows Server 2003.

10. Disjoin the legacy Exchange servers from the Domain.

11. Delete Host(A) DNS record of Legacy Exchange Server. Delete ONLY legacy DNS record.

References

http://technet.microsoft.com/en-us/library/ee332361(EXCHG.141).aspx

http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx

http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-CABEAgAAQAAACQEAAQAAAA~~

http://support.microsoft.com/kb/2846555

http://support.microsoft.com/?kbid=940726

http://www.petenetlive.com/KB/Article/0000036.htm

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-2-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-3-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-4-step-by-step-exchange-2007-to-2013-migration.aspx

http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html

How to Configure Unified Messaging in Exchange 2013 Step by Step

There are many ways you can achieve unified messaging functionality in Exchange 2013. It all depends on your Exchange, Lync and telephony infrastructure.

Before you begin, install the UM language pack for every language your users need other than US English, which ships with Exchange. For an English (en-US) deployment you don't need to install a language pack.

Depending on your Exchange 2013 version, Download Exchange Language Pack from the following web sites.

http://www.microsoft.com/en-au/download/details.aspx?id=35368

http://www.microsoft.com/en-au/download/details.aspx?id=39713

http://www.microsoft.com/en-au/download/details.aspx?id=41176

Right click the UMLanguagePack.Country-Code.exe file, Click Run As Administrator.

In the Exchange 2013 Setup wizard, on the License Agreement page,  select I accept the terms in the license agreement, and then click Next then click Install.

Click Finish to complete the installation of the UM language pack.

Scenario#1

If you have a Cisco Call Manager for IP telephony then you just need to perform few tasks in Exchange 2013 to integrate Exchange and Cisco Call Manager. Here are the steps to accomplish unified messaging in Exchange 2013 with Cisco Call Manager.

Step1: Create a service account named domainname\sa-ExchangeUC, set a strong password, set the password and account to never expire, and set User cannot change password. The account needs no mailbox and no interactive logon; it exists only to hold the impersonation right granted in the next step.

Step2: Open the Exchange 2013 Management Shell as an administrator (the account must be a member of the Organization Management role group) and issue the following commands. ApplicationImpersonation lets the account act as any mailbox in its scope, so protect its credentials accordingly.

New-ManagementRoleAssignment -Name:UMServicesConnectionACC -Role:ApplicationImpersonation -User:"domainname\sa-ExchangeUC"

Get-ManagementRoleAssignment

Step3: Create an anonymous relay receive connector in Exchange 2013 with the following settings:

Name: Anonymous Relay

Role: Frontend Transport

Type: Custom

Available IP: Exchange 2013 server IP

Port: 25

Authentication: TLS, Externally Secured

Permission: Exchange Servers, Anonymous users

Open the Exchange Management Shell and execute the following:

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Now add the Cisco Call Manager IP address to the Remote network settings of the Anonymous Relay connector, so that only that host can submit mail through it.

Step4: Export the Exchange Client Access certificate from Exchange 2013 in .pfx format, import it into the computer account store of a Windows machine, and then export it as a .cer (public key only) certificate for import into Cisco Unity. Reference: http://www.digicert.com/ssl-support/pfx-import-export-iis.htm

Step5: Configure Cisco Unity for Unified Messaging. Follow this link to configure Cisco Call Manager. A detailed guide is available in the Cisco Unity and Microsoft Exchange configuration guide.
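The Step 3 connector, created and then audited from the Exchange Management Shell, as an added example that is not part of the original post. The Exchange server IP and the Cisco Call Manager IP are assumptions; the audit function reports any connector that grants the relay right to anonymous sessions from more than a single address.

```powershell
# Added example (not from the original post). Creates the "Anonymous Relay"
# frontend receive connector restricted to the Cisco Call Manager address and
# then audits all receive connectors for anonymous relay from wide ranges.
$ExchangeIp  = "10.10.70.10"    # assumed Exchange 2013 server IP (connector binding)
$CallManager = "10.10.70.240"   # assumed Cisco Call Manager IP: the only allowed remote host

$connector = New-ReceiveConnector -Name "Anonymous Relay" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "${ExchangeIp}:25" `
    -RemoteIPRanges $CallManager `
    -AuthMechanism Tls, ExternalAuthoritative `
    -PermissionGroups ExchangeServers, AnonymousUsers

# Grant the anonymous session the right to submit to any recipient (the relay right).
$connector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

# Audit: a connector that grants Ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON
# is an open relay for every host inside its RemoteIPRanges, so the range must be
# exactly the PBX host. A range or CIDR entry (contains "-" or "/") is flagged.
function Test-AnonymousRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $anonRelay = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights | ForEach-Object { "$_" }) -contains "Ms-Exch-SMTP-Accept-Any-Recipient" }
        if (-not $anonRelay) { continue }

        $wide = @($rc.RemoteIPRanges | Where-Object { "$_" -match '[-/]' })
        [pscustomobject]@{
            Connector      = "$($rc.Identity)"
            RemoteIPRanges = (($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ", ")
            Finding        = if ($wide.Count -gt 0) { "REVIEW: anonymous relay allowed from an address range" }
                             else { "OK: anonymous relay limited to single host(s)" }
        }
    }
}

Test-AnonymousRelayConnectors | Format-Table -AutoSize
```

Run the audit again after any later connector change; the expected output for this setup is a single "OK" row for Anonymous Relay.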

Scenario 2

There are other ways to achieve the same result if you decide to let Exchange 2013 manage the dial plan, auto attendant, hunt group, voice delivery and so on. In this scenario you have to configure a lot more than in the previous steps. There are no concrete steps that fit every scenario or every IP telephony system, but here is what you have to do to accomplish unified messaging between an IP-PBX and Exchange 2013. I assume your Exchange 2013 and IP-PBX are working normally.

Step1: Create a service account named domainname\sa-ExchangeUC, set its password and account to never expire, and set User cannot change password in the properties of the sa-ExchangeUC account.

Step2: Export the Exchange Client Access certificate from Exchange 2013 in .pfx format, import it into the computer account store of a Windows machine, and then export it as a .cer (public key only) certificate for import into the IP-PBX.

Step3: Configure the IP-PBX to connect to Exchange 2013 using the service account you created in Step1.

Step4: Create a virtual extension number. This extension number will be used in Exchange 2013 only.

Step5: Create a dial plan

In the Exchange admin center (EAC), navigate to Unified Messaging > UM dial plans, and then click Add.

On the New UM Dial Plan page, complete the following boxes:

Name: ExchangeUC Dial Plan

Extension Length: 4 or Exact length used in IP-PBX

Dial plan type: Telephone extension

VoIP security mode: Unsecured

Country/Region code: +61 (for Australia)

Click Save.

Step6: Create a PIN Policy

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the ExchangeUC Dial Plan you created in the previous step and then click Edit.

On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit, and then click Edit.

Click Properties. On the UM mailbox policy page, click PIN policies.

On the PIN Policies page, configure the following PIN settings:

Minimum PIN length: 5

PIN recycle count: 5

Enforce PIN lifetime (days): 60

Number of sign-in failures before PIN reset: 5

Number of sign-in failures before lockout: 15

Click Save.

Step7: Add a DNS record in the forward lookup zone of Active Directory DNS

For example, DNS name IPPBX.domainname.com with the corresponding IP 10.10.70.240.

Step8: Add UM IP Gateway

In the EAC, navigate to Unified Messaging > UM IP Gateways, and then click Add.

On the New UM IP gateway page, enter the following information:

Name: Cisco Unity or 3CX, whichever is your gateway

Address: FQDN or IP Address of IP-PBX

UM Dial Plan: ExchangeUC Dial Plan

Click Save.

Step9: Create Auto Attendant

In the EAC, navigate to Unified Messaging > UM dial plans, select the ExchangeUC Dial Plan for which you want to add an auto attendant, and then click Edit.

On the UM Dial Plan page, under UM Auto Attendants, click Add.

On the New UM auto attendant page, complete the following boxes:

Name: ExchangeUC Auto Attendant

Uncheck “Create this auto attendant as enabled”

Uncheck “Set the auto attendant to respond to voice commands”

Access Number: click Add and add the virtual extension number you created in Step4.

Click Save.

Step 10 (Optional): Create a UM Hunt Group

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit.

On the UM Dial Plan page, under UM Hunt Groups, click Add.

On the New UM Hunt Group page, complete the following boxes:

Associated UM IP gateway: IPPBX.domainname.com

Name: ExchangeUC Hunt Group

Dial plan: click Browse to select the ExchangeUC Dial Plan

Pilot identifier: the pilot identifier string obtained from the IP-PBX; it must be unique.

Click Save.

Step11: Setup UM Dial Plan Policies

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit.

On the UM Dial Plan page, under UM Mailbox Policies, click Add.

On the New UM mailbox policy page, in the Name box, enter ExchangeUC mailbox policy.

Click Save.

Step12: Enable User for Voice Mail

In the EAC, click Recipients. In the list view, select the user whose mailbox you want to enable for Unified Messaging.

In the Details pane, under Phone and Voice Features, click Enable.

On the Enable UM mailbox page, click Browse, select ExchangeUC mailbox policy, and then click OK.

On the Enable UM mailbox page, complete the following boxes:

Extension Number: type the extension number you created in the IP-PBX for this mailbox

PIN Settings: type a 5-digit PIN

Click Finish.
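The Scenario 2 EAC steps from the dial plan through enabling the user, as an Exchange Management Shell script. This is an added example and not part of the original post; the IP-PBX address, the virtual extension, the pilot identifier, the mailbox and its extension are assumptions, and the DNS record step assumes the DnsServer module is available on the AD DNS server.

```powershell
# Added example (not from the original post). Scripts the EAC steps of Scenario 2
# with the values given in the post; all host names, extensions and the user are assumptions.
$DialPlanName = "ExchangeUC Dial Plan"
$PolicyName   = "ExchangeUC mailbox policy"
$PbxFqdn      = "IPPBX.domainname.com"   # assumed IP-PBX DNS name
$PbxIp        = "10.10.70.240"           # assumed IP-PBX address
$VirtualExt   = "7000"                   # assumed virtual extension (auto attendant access number)
$PilotId      = "7001"                   # assumed hunt group pilot identifier from the IP-PBX
$UserMailbox  = "user1@domainname.com"   # assumed mailbox to UM-enable
$UserExt      = "1234"                   # assumed IP-PBX extension of that mailbox

# Dial plan: 4-digit extensions, telephone-extension URIs, unsecured SIP, Australia (+61)
New-UMDialPlan -Name $DialPlanName -NumberOfDigitsInExtension 4 -URIType TelExtn `
    -VoIPSecurity Unsecured -CountryOrRegionCode 61 | Out-Null

# UM mailbox policy that users will be assigned to. PIN settings live on the policy,
# so they are applied to THIS policy, not only to the dial plan's default policy.
New-UMMailboxPolicy -Name $PolicyName -UMDialPlan $DialPlanName | Out-Null
Set-UMMailboxPolicy -Identity $PolicyName `
    -MinPINLength 5 `
    -PINHistoryCount 5 `
    -PINLifetime 60 `
    -LogonFailuresBeforePINReset 5 `
    -MaxLogonAttempts 15 `
    -AllowCommonPatterns $false      # reject 12345, 11111 and similar

# A record for the IP-PBX in the AD DNS forward lookup zone (run on the DNS server)
$hostLabel = $PbxFqdn.Split('.')[0]
$zoneName  = $PbxFqdn.Substring($hostLabel.Length + 1)
Add-DnsServerResourceRecordA -Name $hostLabel -ZoneName $zoneName -IPv4Address $PbxIp

# UM IP gateway pointing at the IP-PBX and bound to the dial plan
New-UMIPGateway -Name "IPPBX" -Address $PbxFqdn -UMDialPlan $DialPlanName | Out-Null

# Auto attendant: created disabled and without speech, answering the virtual extension
New-UMAutoAttendant -Name "ExchangeUC Auto Attendant" -UMDialPlan $DialPlanName `
    -PilotIdentifierList $VirtualExt -SpeechEnabled $false -Status Disabled | Out-Null

# Optional hunt group tying the gateway's pilot identifier to the dial plan
New-UMHuntGroup -Name "ExchangeUC Hunt Group" -UMDialPlan $DialPlanName `
    -UMIPGateway "IPPBX" -PilotIdentifier $PilotId | Out-Null

# Enable the user for voice mail. Without -PIN, Exchange generates the initial PIN and
# mails it to the user; -PINExpired forces a change at first sign-in.
Enable-UMMailbox -Identity $UserMailbox -UMMailboxPolicy $PolicyName `
    -Extensions $UserExt -PINExpired $true | Out-Null

# Verification of the result
function Get-UMProvisioningSummary {
    param([string]$Mailbox, [string]$Policy)
    $um = Get-UMMailbox -Identity $Mailbox
    $pol = Get-UMMailboxPolicy -Identity $Policy
    [pscustomobject]@{
        Mailbox        = $Mailbox
        UMEnabled      = $um.UMEnabled
        Extensions     = (($um.Extensions | ForEach-Object { "$_" }) -join ", ")
        Policy         = "$($um.UMMailboxPolicy)"
        MinPINLength   = $pol.MinPINLength
        MaxLogonAttempts = $pol.MaxLogonAttempts
    }
}
Get-UMProvisioningSummary -Mailbox $UserMailbox -Policy $PolicyName | Format-List
```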

Now you have successfully configured Unified Messaging in Exchange 2013. However, if you have Lync 2013 in your organisation, you will have to perform the following steps in Exchange 2013 to integrate Lync and Exchange.

Step1: Set the UM start-up mode to Dual

Open the Exchange Management Shell and enter the following command:

Set-UMService -Identity "FQDN of Exchange Server" -DialPlans "ExchangeUC Dial Plan" -UMStartupMode Dual

Step2: Assign Exchange Certificate to UM

Type Get-ExchangeCertificate and copy the thumbprint into Notepad.

Enable-ExchangeCertificate -Server "FQDN of Exchange Server" -Thumbprint "EA5A332496CC05DA69B7578A110D22d" -Services "UM"

I assume that you have already assigned this certificate to the IIS and SMTP services. Restart the MSExchangeUM service on the Exchange server.

Step3: Assign certificate to call router

Set-UMCallRouterSettings -Server "FQDN of Exchange Server" -UMStartupMode Dual -DialPlans "ExchangeUC Dial Plan"

Enable-ExchangeCertificate -Server "FQDN of Exchange Server" -Thumbprint "45BAA32496CC891169B75B9811320F78A1075DDA" -Services "IIS","UMCallRouter"

Restart the MSExchangeUM service on the Exchange server.

Step4: Test the UM service (these Test-Cs* cmdlets run from the Lync Server Management Shell)

$credential = Get-Credential "DomainName\User1"

Test-CsExUMConnectivity -TargetFqdn "FQDN of Exchange Server" -UserSipAddress "sip:User1@DomainName.com" -UserCredential $credential

$credential = Get-Credential "DomainName\User2"

Test-CsExUMVoiceMail -TargetFqdn "FQDN of Exchange Server" -ReceiverSipAddress "sip:user1@DomainName.com" -SenderSipAddress "sip:user2@DomainName.com" -SenderCredential $credential
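The Lync integration Steps 1 to 3 done without copying thumbprints into Notepad, as an added example that is not part of the original post: the certificate is selected by its properties (bound to IIS, CA-issued, has a private key, not about to expire), the binding is verified before the UM services are restarted. The server FQDN is an assumption.

```powershell
# Added example (not from the original post). Selects the Client Access certificate by
# properties instead of a pasted thumbprint, sets dual mode, binds the certificate to
# UM and UMCallRouter, verifies the binding and restarts the UM services.
$ExchangeFqdn = "exchange01.domainname.com"   # assumed Exchange 2013 server FQDN
$DialPlanName = "ExchangeUC Dial Plan"

function Get-UMCandidateCertificate {
    param([string]$Server)
    # Candidate: already serving IIS, issued by a CA (Lync will not trust self-signed),
    # has its private key and is valid for at least another 30 days; prefer the longest-lived.
    Get-ExchangeCertificate -Server $Server |
        Where-Object {
            "$($_.Services)" -match 'IIS' -and
            -not $_.IsSelfSigned -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date).AddDays(30)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-UMCandidateCertificate -Server $ExchangeFqdn
if (-not $cert) {
    throw "No CA-issued, IIS-bound certificate with a private key found on $ExchangeFqdn"
}

# Steps 1 and 3: dual start-up mode on the UM service and on the UM call router.
# Dual mode must be set before a certificate can be bound to the UM services.
Set-UMService -Identity $ExchangeFqdn -DialPlans $DialPlanName -UMStartupMode Dual
Set-UMCallRouterSettings -Server $ExchangeFqdn -DialPlans $DialPlanName -UMStartupMode Dual

# Steps 2 and 3: bind the selected certificate to UM and UMCallRouter, keeping IIS bound.
Enable-ExchangeCertificate -Server $ExchangeFqdn -Thumbprint $cert.Thumbprint `
    -Services IIS, UM, UMCallRouter -Confirm:$false

# Verify the binding before restarting anything. "UM" is matched as a whole word so that
# "UMCallRouter" alone does not satisfy the check.
function Test-UMCertificateBinding {
    param([string]$Server, [string]$Thumbprint)
    $services = "$((Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint).Services)"
    ($services -match '\bUM\b') -and ($services -match '\bUMCallRouter\b')
}

if (-not (Test-UMCertificateBinding -Server $ExchangeFqdn -Thumbprint $cert.Thumbprint)) {
    throw "Certificate $($cert.Thumbprint) is not bound to both UM and UMCallRouter"
}

# Restart the UM service and the UM call router so both pick up the certificate.
Invoke-Command -ComputerName $ExchangeFqdn -ScriptBlock {
    Restart-Service -Name MSExchangeUM, MSExchangeUMCR
}
Write-Host "UM certificate bound: $($cert.Subject) (expires $($cert.NotAfter.ToShortDateString()))"
```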

References:

http://technet.microsoft.com/en-us/library/jj673564%28v=exchg.150%29.aspx

http://technet.microsoft.com/en-us/library/jj150478%28v=exchg.150%29.aspx

Publish FTP Using Microsoft Forefront UAG 2010

Recently I completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went OK except that I got stuck with FTP. After several attempts, publishing FTP failed with the error “Your Computer does not meet the security policy requirements of this application”. I went through the UAG events to find a solution to this issue. No luck. I went through Ben Ari’s blog. No luck. Ben’s blog tells you a little about FTP but does not cover the backend FTP server and UAG in detail. So I ended up calling Microsoft Tech Support to help me sort out the issue. So here is my research on FTP and the outcome, for those of you who are struggling to publish FTP using UAG.

Prerequisites:

  1. Forefront UAG 2010 SP3
  2. Windows 7 or Windows 8 Client
  3. Windows Server 2008 R2 Domain
  4. Internet Explorer 9 or later
  5. Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
  6. Passive mode IIS 7.5 FTP 
  7. Client Connection Port 20 & 21.
  8. Passive mode port range 1024-65534

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right-click HTTP/HTTPS Trunk and create a new trunk. In my case I created an HTTPS trunk, which means you need a proper public certificate whose Common Name matches the trunk’s public host name for the HTTPS trunk to work correctly. Note that the certificate must include its private key, so you must import it in PFX format.

Once you have configured a trunk with all default settings, click Configure to configure the trunk’s advanced settings.

On the Authentication tab, uncheck Require users to authenticate at session logon. If you want users to authenticate at session logon using domain credentials you can keep it. I don’t want users to authenticate twice, so I unticked it.

Click the Session tab and make sure Disable component installation and Disable scripting for portal are unchecked.

Click the Endpoint Access Settings tab, click Edit Endpoint Policies, select Default Session Access, click Edit Policy, and under Other click Always. Click OK. Repeat the step for Default Privileged Endpoint and Default Non Web Access Policy. Click OK.

Add Enhanced Generic Client Application (Multiple Servers)

Add an Enhanced Generic Client Application (multiple servers) to this FTP trunk. Use all default settings except the server settings described below.

On the Server Settings tab, make sure you type the fully qualified domain name of the FTP server. In my test lab I configured my domain controller as the FTP server, which is not best practice in a production environment; this is only for demonstration purposes. For Ports, use 20,21,1024-65534. For Executable, type the real path of the FTP client installed on Windows 7 or Windows 8, in my case C:\Program Files\FileZilla FTP Client\FileZilla.exe. Click OK.

On the Socket Forwarding tab, select Basic.

On the Endpoint Policy tab, make sure Other is set to Always. Click OK.

Activate the Trunk

Click File, Click Activate.

Wait for Activation to complete.

Open Command Prompt as an administrator. Type iisreset and hit enter.

Error and Warning:

Open a browser on the Windows client, browse to https://ftp.yourdomain.com and see the outcome. Make sure the FileZilla client is installed in C:\Program Files\FileZilla FTP Client on Windows 7 or Windows 8. You may or may not receive a warning depending on your client environment. To diagnose the warning, open UAG Web Monitor, click Session Monitor, select the FTP trunk, click the connected session and look at the endpoint information.

In my case I received “Your Computer does not meet the security policy requirements of this application”, which says I do not have any antivirus installed (Compliant antivirus not detected), although I have Symantec antivirus. The solution? UAG is actually looking for Microsoft Security Essentials on my computer. The workaround is to install Microsoft Security Essentials and turn on Windows Firewall.

To avoid this issue, you can create a new endpoint policy. Click Configure on the trunk, click Edit Endpoint Policies, then click Add Policy.

Create a new policy allowing any antivirus and any firewall. Click OK.

Apply the new policy in the trunk’s Endpoint Policy settings.

Activate the trunk again and run iisreset.

Testing FTP

Open a browser and browse to https://ftp.yourdomain.com

Click FTP to open the FileZilla client application once the UAG component is installed. Type the FTP server name, username and password in the FTP client to connect.

Now go back to UAG Web Monitor, select the FTP trunk and go to Endpoint Information; you will see that the client is compliant and connected.

Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP 

UAG Articles

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010
Windows Server 2012: WSUS Client Not Yet Sync

Issue: Client Not Yet Sync WSUS error

Resolution:

Step1: Download KB2720211 x64 and apply it on the WSUS server using the following commands in a command prompt with administrative privileges:

  • iisreset /stop
  • net stop wsusservice
  • WSUS-KB2720211-x64.exe /q C:\MySetup.log
  • iisreset
  • net start wsusservice

Step2: Open an elevated command prompt and type the following. Details are available in KB958046.

net stop wuauserv
cd %systemroot%\SoftwareDistribution
ren Download Download.old
net start wuauserv

Step3: Detect and authorize the client to the WSUS server. Run the following in an elevated command prompt.

wuauclt /resetauthorization /detectnow

gpupdate /force

Before you authorize, make sure the WSUS GPO is applied to the clients with the following GPO configuration:

Computer Configuration\Administrative Templates\Windows Components\Windows Update

  • Configure Automatic Updates: Enabled
  • Specify intranet Microsoft update service location: Enabled
  • Enable client-side targeting: Enabled

Forefront UAG 2010 Patching Order

I wrote the following articles a few weeks back. One thing I would like to add to these articles is the patching order of Forefront UAG 2010.

You must have a base build of Windows Server 2008 R2 SP1 with all Microsoft security and critical updates. Install UAG from the Forefront_UAG_Server_2010_64Bit_English_w_SP1 source with the correct product key from the Microsoft Volume Licensing Center.

The following is the order of patching UAG before you start configuring it.

1. TMG-KB2555840-amd64-ENU

2. TMG-KB2689195-amd64-GLB

3. UAG-KB2288900-v4.0.1269.200-ENU

4. UAG-KB2585140-v4.0.1773.10100-ENU

5. UAG-KB2710791-v4.0.2095.10000-ENU

6. UAG-KB2744025-v4.0.3123.10000-ENU

UAG Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

TrendMicro Worry-Free Business Advanced Configuration Step by Step

Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).

Trend Micro offers the following editions:

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Worry-Free Business Security features

  • Component Updates
  • Device Control
  • Antivirus/Anti-spyware
  • Firewall
  • Web Reputation
  • URL Filtering
  • Behavior Monitoring
  • User Tools
  • Instant Messaging Content Filtering
  • Mail Scan (POP3)
  • Mail Scan (IMAP)
  • Anti-Spam (IMAP)
  • Email Message Content Filtering
  • Email Message Data Loss Prevention
  • Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has 22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. It downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, helps control virus/malware outbreaks, and manages all agents from a single location.

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.

The Scan Server downloads scanning-specific components from Trend Micro and uses them to scan clients.

Agents

Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.

Security Agent: protects desktops and servers from security threats and intrusions. It protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats.

Messaging Security Agent: protects Microsoft Exchange servers from email-borne security threats.

Web Console

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

IIS server default website: The same port number as your HTTP server’s TCP port.

IIS server virtual website: 8059

Apache server: 8059

Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.

Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.

SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.

Proxy port: Used for connections through a proxy server.

System requirements:

  • 1 vCPU, 2GB RAM, 10GB additional space
  • IIS 7.5 on Windows Server 2008 R2
  • Internet Explorer
  • Adobe Acrobat
  • Java client
  • Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
  • Administrator or Domain Administrator access on the computer hosting the Security Server
  • File and printer sharing for Microsoft Networks installed
  • Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
  • If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications

TrendMicro Download Location:

WFB 8.0

Download Center

Installation:

1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.

2. Click Next. The License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

  • Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
  • Minimal Install
  • Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page appears. The default WFBS install folder is C:\Program Files\Trend Micro\Security Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

  • Security Server (default): The Security Server hosts the centralized web-based management console.
  • Security Agent (default): The agent protects desktops and servers.
  • Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
  • Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

  • Prescan my computer for threats – The prescan targets the most vulnerable areas of the computer, which include the following:
    • the boot area and boot directory (for boot sector viruses)
    • the Windows folder
    • the Program Files folder
  • Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

  • Internet Information Services (IIS) server
  • Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

  • Server information – Choose domain name or IP address:
  • Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
  • IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

  • Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
  • Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

19. Click Next. The SMTP Server and Notification Recipient(s) page appears.

20. Enter the required information:

  • SMTP server – the IP address of your email server
  • Port – the port that the SMTP server uses for communications
  • Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.

21. Click Next. The Trend Micro Smart Protection Network page appears.

22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.

23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.

  • Proxy server type
  • Server name or IP address
  • Port
  • User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.

26. Set the following items:

  • Installation Path – This is the destination folder where the Security Agent files are installed.
  • Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.

27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

  • Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
  • Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
  • Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
  • Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
  • URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
  • Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
  • Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.

  • When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
  • When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

31. Click Next. The Install Messaging Security Agent page appears.

32. Provide the following information:

i. Exchange Server

ii. Domain Administrator Account

iii. Password

33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:

  • Target Folder – This is the folder where the MSA files are installed.
  • Temp Folder – This is the system root folder for MSA Agent installation.
  • Spam management
  • End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
  • Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

    • If you wish to verify previous installation settings, click Back.
    • Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install

  1. Log on to the WFBS console.
  2. Click Security Settings > Add. The Add Computer page appears.
  3. Under Computer Type section, choose Desktop or server.
  4. Under Method section, choose Remote install.
  5. Click Next. The Remote Install page appears.
  6. From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
  7. Type the username and password of an account with administrator rights, and click Login. For domain computers, use the Domain_Name\Username format; for workgroup computers, use the Target_Computer_Name\Local_Administrator_User_Name format.
    The computer is added to the Selected Computers list.
  8. Repeat Steps 6-7 if you want to add more computers to the list.
  9. Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

Server name: The name of the Microsoft Exchange server on which you want to install MSA.

Account: The built-in domain administrator user name.

Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for the MSA installation. The default target and shared directories are C:\Program Files\Trend Micro\Messaging Security Agent and C$, respectively.

9. Click Next. The Microsoft Exchange Server Settings screen appears again.

10. Verify that the Microsoft Exchange server settings that you specified in the previous screens are correct, and then click Next to start the MSA installation.

11. To view the status of the MSA installation, click the Live Status tab.

Configure Smart Host for Outbound Email

1. Open the Exchange Management Console.

2. Click on the plus sign (+) next to Organization Configuration.

3. Select Hub Transport and click the Send Connectors tab.

4. Right-click the existing Send Connector then select Properties and go to the Network tab.

5. Select Route mail through the following smart hosts and click Add.

6. Select Fully Qualified Domain Name (FQDN) and specify the HES relay servers:

o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com

o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu

7. Click OK.

8. Go to the Address Space tab and click Add.

9. Add an asterisk (*) and then click OK.

10. Click Apply > OK.

11. Go to the Source Server tab and add your Exchange Server.

12. Click Apply > OK.

Before you begin the next step, make sure you have a valid public DNS and MX record configured and reachable via ping or nslookup. To find your MX record, follow the steps below or contact your ISP.

C:\Users\raihan>nslookup
> set type=mx
> domainname.com.au
Non-authoritative answer:
domainname.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainname.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x

Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
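As an added example (not from this post or Trend Micro), the PowerShell script below automates the checks above before the smart host change goes live: it lists the public MX records of your domain, confirms the two HES relay FQDNs from the Send Connector steps resolve and answer on TCP 25, and reads back the connector configuration. The domain is a placeholder; Resolve-DnsName needs Windows Server 2012 or later, and the Get-SendConnector read-back only works inside the Exchange Management Shell.

```powershell
# Added example, not the post's or Trend Micro's code.
# Placeholders: $Domain and the HES relay FQDNs quoted in the smart host steps.
param(
    [string]$Domain = 'domainname.com.au',
    [string[]]$RelayHosts = @('relay.sjc.mx.trendmicro.com', 'relay.mx.trendmicro.eu')
)

function Get-MxRecords {
    # Public MX records ordered by preference (lowest is tried first), each resolved
    # to its A record: the same information the nslookup session shows by hand.
    param([string]$Domain)
    Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference |
        ForEach-Object {
            $mx = $_
            $a = Resolve-DnsName -Name $mx.NameExchange -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                Preference    = $mx.Preference
                MailExchanger = $mx.NameExchange
                IPAddress     = ($a.IPAddress -join ', ')
            }
        }
}

function Test-SmtpReachable {
    # Opens TCP 25 to the host and reads the greeting line, so a firewall that silently
    # drops outbound SMTP shows up as a timeout rather than as a "working" DNS entry.
    param([string]$HostName, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 25, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $HostName; Reachable = $false; Greeting = '(connect timeout)' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $greeting = $reader.ReadLine()
        return [pscustomobject]@{ Host = $HostName; Reachable = $true; Greeting = $greeting }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Reachable = $false; Greeting = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Write-Output "MX records for ${Domain}:"
Get-MxRecords -Domain $Domain | Format-Table -AutoSize

Write-Output 'HES relay hosts, TCP 25 from this server:'
$RelayHosts | ForEach-Object { Test-SmtpReachable -HostName $_ } | Format-Table -AutoSize

# Read back what the Send Connector is really configured with after the console
# changes: the smart hosts, the "*" address space and the source server.
if (Get-Command Get-SendConnector -ErrorAction SilentlyContinue) {
    Get-SendConnector | Select-Object Name, SmartHosts, AddressSpaces, SourceTransportServers | Format-List
}
```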

Registered Hosted Email Security

Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .

Create service account (See upcoming post on creating a secure services account)

  1. Open Active Directory Users and Computers
  2. Create a user sa-TrendMicroHE with the password set to never expire

Open Hosted Email Security Web console

Register Your Domains with Trend Micro

1. Go to the Trend Micro Online Registration portal.

2. Create a new OLR account.

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.

b. Enter your HES Registration Key.

c. If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

d. Select I Accept, then click Submit.

e. Complete the registration information form.

f. Specify your OLR logon ID.

Note: The OLR logon ID will also serve as your HES portal login ID.

g. Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

For US: https://us.emailsec.trendmicro.com/loginPage.imss

For EMEA: https://emailsec.trendmicro.eu/loginPage.imss

Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.

4. Enter your domain and IP information, then click Add Domain.

5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.

6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.

Navigate to Administration > Domain Management

  1. All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
  2. Click Activate Domain
  3. You would think that would be it, but it goes to the list below, where you then need to tick the checkbox of the domain and click Check MX Record

Download the ActiveDirectory Sync Client

  1. Navigate to Administration > Directory Management
  2. Click Imported User Directories so it becomes Enabled with a green tick
  3. Navigate to Administration > Web Services
  4. Click on the Applications bar so it gets a green tick
  5. Click Generate Service Authentication Key and copy this key for use later in the setup
  6. Click and download the ActiveDirectory Sync Client

Install the ActiveDirectory Sync Client

http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx

http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx

1. Extract the ActiveDirectory Sync Client file and run setup.exe

2. Usual I agree, next, next stuff

3. Then you’ll need your DOMAIN; the user will be the sa-TrendMicroHE we created earlier along with its password.

4. Click Next

5. Leave installation path as is, and change to install for Everyone

6. Click Next

7. Click Next

8. Click Close when finish

9. The ActiveDirectory Sync Client will then open

10. For the source paths you’ll need to enter the LDAP source paths on your server where users and groups are located. To get you started, some defaults are (don’t forget to change <yourdomain>):

LDAP://OU=Users,OU=CompanyName,DC=<yourdomain>,DC=com

11. Click Add

LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com

12. Click Add

13. Click Configure

  • Username: as per web login
  • Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
  • Proxy: leave as automatic unless your network requires otherwise
  • Synchronize: leave at 1

14. Click OK

15. Click Apply

16. This will restart the service

Amend IMHS_AD_ACL.config

1. Open C:\Program Files (x86)\Trend Micro\Hosted Email Security ActiveDirectory Sync Client\IMHS_AD_ACL.config in Notepad

2. Installed Config file looks like this:

<?xml version="1.0" encoding="utf-8"?>
<ad_acl>
  <ldap_path name="default">
    <objectClass name="User">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
</ad_acl>

3. Change the file to the following to add groups and public folders:

<?xml version="1.0" encoding="utf-8"?>
<ad_acl>
  <ldap_path name="default">
    <objectClass name="User">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="group">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="publicFolder">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
  <ldap_path name="default">
    <objectClass name="*">
      <displayNameAttr>displayName</displayNameAttr>
      <emailAttr>mail</emailAttr>
      <emailAttr>proxyAddresses</emailAttr>
    </objectClass>
  </ldap_path>
</ad_acl>

4. Save this (you’ll need to save it to the desktop and then move it back over the original file, otherwise you will get Access Denied) and return to the ActiveDirectory Sync Client

5. Click Sync Now

6. Give it a few moments then click History

7. Here you should see the number of groups and users you expect. Check that the times match when you pressed Sync Now. It should finish with Sync domain <yourdomain.com> successful

8. Click Close

9. Click Close

Post Configuration Check

  1. open the Hosted Email Security Console
  2. Navigate to Administration > Directory Management
  3. Click the Export to CSV for the domain you’re wanting to check
  4. This will generate a CSV file, which you can use notepad to check that all your email addresses have synced
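As an added example (not Trend Micro's code and not from this post), the PowerShell script below reads the same IMHS_AD_ACL.config mapping and LDAP source paths configured above, queries Active Directory for the objects that actually carry an address, and writes them to a CSV so the per-class counts and addresses can be compared with the sync History and with the Export to CSV output. The config path and source paths are the placeholders from this post; run it on a domain-joined host as an account that can read the directory, for example sa-TrendMicroHE.

```powershell
# Added example, not the post's or Trend Micro's code.
# Assumptions: config path and source paths are the placeholders used in the post;
# the account running the script can read the OUs in question.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\Trend Micro\Hosted Email Security ActiveDirectory Sync Client\IMHS_AD_ACL.config',
    [string[]]$SourcePaths = @(
        'LDAP://OU=Users,OU=CompanyName,DC=yourdomain,DC=com',
        'LDAP://OU=Distribution Groups,OU=CompanyName,DC=yourdomain,DC=com'
    ),
    [string]$OutCsv = "$env:USERPROFILE\Desktop\ad-sync-expected.csv"
)

[xml]$acl = Get-Content -Path $ConfigPath -Raw

# One mapping per <ldap_path>/<objectClass> block: class name, display-name attribute,
# and the attributes that carry e-mail addresses (mail and proxyAddresses in the post).
$mappings = foreach ($lp in $acl.ad_acl.ldap_path) {
    [pscustomobject]@{
        Class       = $lp.objectClass.GetAttribute('name')
        DisplayAttr = [string]$lp.objectClass.displayNameAttr
        EmailAttrs  = @($lp.objectClass.emailAttr | ForEach-Object { [string]$_ })
    }
}

$rows = New-Object System.Collections.Generic.List[object]

foreach ($path in $SourcePaths) {
    foreach ($m in $mappings) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry($path)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        # Only objects of this class that have at least one address attribute set.
        $hasMail = ($m.EmailAttrs | ForEach-Object { "($_=*)" }) -join ''
        $searcher.Filter   = "(&(objectClass=$($m.Class))(|$hasMail))"
        $searcher.PageSize = 1000
        [void]$searcher.PropertiesToLoad.AddRange([string[]](@($m.DisplayAttr) + $m.EmailAttrs))

        foreach ($result in $searcher.FindAll()) {
            $props = $result.Properties
            $addresses = foreach ($attr in $m.EmailAttrs) {
                foreach ($v in $props[$attr.ToLower()]) {
                    # proxyAddresses values are typed ("SMTP:alias@domain"); keep only the
                    # SMTP ones and strip the prefix. Plain mail values have no prefix.
                    if ($v -match '^smtp:(.+)$') { $Matches[1] }
                    elseif ($v -notmatch ':')    { $v }
                }
            }
            foreach ($a in ($addresses | Sort-Object -Unique)) {
                $rows.Add([pscustomobject]@{
                    SourcePath  = $path
                    ObjectClass = $m.Class
                    DisplayName = [string]$props[$m.DisplayAttr.ToLower()][0]
                    Email       = $a.ToLower()
                })
            }
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation
# Per-class totals to set against the History dialog; the "*" class in the post's
# config matches everything again, so expect its count to overlap the others.
$rows | Group-Object ObjectClass | Select-Object Name, Count | Format-Table -AutoSize
```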

Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

If you have a Common Name certificate or Subject Alternative Name certificate on Exchange webmail or another website and would like to change it to a wildcard certificate, to consolidate your certificate use across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.

Microsoft-accepted certified SSL providers are recorded at this URL: http://support.microsoft.com/kb/929395/en-us

Here are the guidelines to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

  • Common Name: *.yourdomain.com.au
  • SAN: N/A
  • Organisation: Your Company
  • Department: ICT
  • City: Perth
  • State: WA
  • Country: Australia
  • Key Size: 2048

Step3: Generate a wildcard certificate request

You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.

New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au" -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, see the help file of your certificate provider. In this example I am using RapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808

1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do

2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click on the link listed in the e-mail to enter the User Portal, then click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with a .p7b extension.

5. Save the certificate locally and install per the server software. 

Step5: Locate and Disable the Existing CA certificate

Now this step is a disruptive step for webmail. You must do it after hours.

1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties

4. In the Certificate purposes section, select  Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.

Step6: Install Certificate

To install an SSL certificate onto Microsoft Exchange, you will need to use the Exchange Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example

Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.

For Example Get-ExchangeCertificate -DomainName yourdomain.com.au

4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -Thumbprint argument, for example: Enable-ExchangeCertificate -Thumbprint [paste] -Services "IIS"

Step7: Configure Outlook settings

Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx

If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au

To change Outlook 2007 connection settings to resolve a certificate error

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

Step 8 to Step 10 apply to a Forefront TMG 2010 configuration only. If you use a different method to publish Exchange, you don’t need to follow these steps; use the help file of your firewall/edge product to configure SSL.

Open Exchange Management Shell, run

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1. Click Start, select Run and type mmc.
2. Click the File menu and select Add/Remove Snap-in.
3. Click Add, select Certificates from the list of Standalone Snap-ins and click Add.
4. Choose Computer Account and click Next.
5. Choose Local Computer and click Finish.
6. Close the window and click OK on the upper window.
7. Go to Personal, then Certificates.
8. Right-click, choose All Tasks, then Import.
9. A wizard opens. Select the file holding the certificate you want to import.
10. Then accept the default choices.
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. Click Start, then Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On a mobile phone, open the browser, type webmail.yourdomain.com.au and log in using your credentials.

Make sure no certificate warning shows on IE.

Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
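As an added example for this final check (not the post's own code), the PowerShell script below performs the TLS handshake against the published webmail host, reads the certificate the server actually presents, and applies the single-label wildcard rule that clients use: *.yourdomain.com.au covers webmail.yourdomain.com.au but neither yourdomain.com.au nor a.b.yourdomain.com.au. It also reports any chain errors the client would see, which is what produces the certificate warning the post says must not appear. The host name is a placeholder.

```powershell
# Added example, not the post's or Microsoft's code. Placeholder host name below.
param(
    [string]$HostName = 'webmail.yourdomain.com.au',
    [int]$Port = 443
)

function Test-WildcardName {
    # $true when a certificate name (e.g. *.yourdomain.com.au) covers the target host.
    # A wildcard matches exactly one label, so it does not cover the bare domain
    # or a host two levels deep.
    param([string]$CertName, [string]$Target)
    $CertName = $CertName.ToLowerInvariant()
    $Target   = $Target.ToLowerInvariant()
    if ($CertName -eq $Target) { return $true }
    if (-not $CertName.StartsWith('*.')) { return $false }
    $suffix = $CertName.Substring(1)                       # ".yourdomain.com.au"
    if (-not $Target.EndsWith($suffix)) { return $false }
    $label = $Target.Substring(0, $Target.Length - $suffix.Length)
    return ($label.Length -gt 0 -and -not $label.Contains('.'))
}

function Get-CertificateNames {
    # CN from the subject plus every DNS entry in the Subject Alternative Name extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # On Windows Format() renders the SAN as "DNS Name=a.example, DNS Name=b.example".
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    return $names | Select-Object -Unique
}

function Test-PublishedCertificate {
    param([string]$HostName, [int]$Port)
    $script:chainErrors = [System.Net.Security.SslPolicyErrors]::None
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the certificate so the handshake completes, but record the verdict
        # the client would have reached; it is reported, not swallowed.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:chainErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = Get-CertificateNames -Cert $cert
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Names       = ($names -join ', ')
            NameMatches = [bool]($names | Where-Object { Test-WildcardName -CertName $_ -Target $HostName })
            ChainErrors = $script:chainErrors.ToString()   # "None" is the only acceptable value
            Thumbprint  = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

Test-PublishedCertificate -HostName $HostName -Port $Port | Format-List
```

Run it once from the internal network and once from outside (or the mobile phone's network) so both paths to OWA are checked; NameMatches must be True and ChainErrors must be None.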

Publish Lync Server 2013 using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

The following features are available for external access through a UAG reverse proxy:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover mobility URLs from the Internet.

Prerequisites:

  • Lync Front End, Lync Director and Lync Edge are configured and operational for internal users
  • Lync External Access Topology is published using Topology Builder
  • Lync Server is configured for external user access
  • UAG server installed and initial configuration completed
  • All service packs and hotfixes installed on UAG and Lync Server.

Network Configuration:

Forefront UAG and Lync Edge must each be assigned two NICs: an external network adapter and an internal network adapter.

DNS Configuration

The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have Edge Servers access a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOST file entries on the reverse proxy that resolves each of these FQDNs to the internal IP address of the servers.

DNS Name | Record Type | IP address | Purpose
sip.xman.com.au | HOST (A) | Internal IP | SIP domain
_sip_tls.xman.com.au | SRV record, port 5061 | Internal IP | Used for Edge deployment separate to UAG
meet.xman.com.au | HOST (A) | Internal IP | Meeting
dialin.xman.com.au | HOST (A) | Internal IP | Dial-in
discover.xman.com.au | HOST (A) | Internal IP | Discover
webext.xman.com.au | HOST (A) | Internal IP | Common external Lync access
UAGSRV.xman.com.au | HOST (A) | Internal IP | UAG server internal DNS

To create the public DNS records, request that your ISP route these public FQDNs to your premises, i.e. to the external NIC of the UAG server if there is no frontend firewall, or to your external router if UAG sits behind a frontend router in the perimeter network.

DNS Name | Record Type | IP address | Purpose
webext.xman.com.au | HOST (A) | Publicly routable UAG External NIC IP (should resolve to the Front Edge or Director) | Lync external access
meet.xman.com.au | CNAME | webext.xman.com.au | Lync meeting
dialin.xman.com.au | CNAME | webext.xman.com.au | Lync Dial-in
discover.xman.com.au | CNAME | webext.xman.com.au | Lync discover
LyncUAG.xman.com.au | HOST (A) | Publicly routable UAG External IP Address | UAG external FQDN
sip.xman.com.au | HOST (A) | Publicly routable Lync Edge External NIC IP (separate to UAG) | Lync External SIP domain
Sipexternal.xman.com.au | CNAME | sip.xman.com.au (used for Lync Edge deployment separate to UAG) | CNAME of external SIP domain

Certificates Requirements

Common Name | Subject alternative name | Purpose | Issuer
webext.xman.com.au | webext.xman.com.au | Pool FQDN | Public CA
webext.xman.com.au | meet.xman.com.au | Meeting simple URL | Public CA
webext.xman.com.au | dialin.xman.com.au | Dial-in simple URL | Public CA
webext.xman.com.au | discover.xman.com.au | External Autodiscover Service URL | Public CA

NAT Requirements:

This section describes the required NAT behaviour of a UAG deployment when the UAG server is placed behind a frontend firewall.

NAT Rule | Source IP | Public IP | NATed Destination | Port
1 | Any | Public IP of Lync web | UAG External NIC IP | 4443, 3478
2 | Edge External NIC | - | Internet/Extranet | 3478
3 | Internal Network | - | UAG Internal NIC IP | 4443, 3478

Create a Lync Trunk

1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the trunk and enter the public hostname and IP address (this should match the DNS record created, i.e. LyncUAG.xman.com.au; this name should be different from the external name of the Lync Front End Pool). Click Next.
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.

Create Lync Web Services Application

1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.

Create LyncDiscovery Application


1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.
The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and clicking Remove.

Additional Trunk Configuration

1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.

Additional Registry Entry

Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLM\Software\WhaleCom\e-Gap\von\UrlFilter
3. Right-click and add two DWORD (32-bit) values, KeepClientAuthHeader and FullAuthPassthru, each set to 1.
4. Close the registry editor.

Save and Activate the Configuration

1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.

Verify Website Access through the Internet

Open a web browser, type the URLs in the Address bar that clients use to access the Address Book files and the website for conferencing as follows:

References:

Publish Lync 2010 with ForeFront Unified Access Gateway 2010 (UAG)

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

On the Authentication Page, Click Add, Select DC, Click Next

Select the SharePoint.xman.com.au certificate from the drop-down, then click Next. Don’t worry about the certificate screenshot; this is a test environment.

Select Use Forefront UAG Access Policies, Click Next

Select Default and Click Next

Click Finish.

Step3: Add SharePoint web applications to the trunk

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.

On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.

Web Sites | Inbound Requested Port | Request Redirected To
RDS.xman.com.au | 80 | 443
ftp.xman.com.au | 80 | 443
webmail.xman.com.au | 80 | 443
sharepoint.xman.com.au | 80 | 443

Step1: Before you create a redirect trunk, note the following:

1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.

2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard.

If at a later stage you change the IP address or port number of the HTTPS Connections trunk, do one of the following:

   a. Update the IP address or port number manually in the relevant redirect trunk.

   b. Delete the existing redirect trunk and create a new one.

3. Redirect trunks are not monitored by the Forefront UAG Web Monitor.

4. Sessions in redirect trunks are not included in the Forefront UAG session count. When an HTTP session is redirected to HTTPS via a redirect trunk, it is counted only as one HTTPS session.

Step2: create a redirect trunk

1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.

2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.

3. All HTTPS trunks for which no redirect trunk exists are listed.

4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.

5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.

6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.
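A quick way to confirm the redirect trunk behaves as described, run from a remote client against the four host names in the table above. This is an added example, not part of the original post or of the UAG product: it issues a plain HTTP request for each site, refuses to follow redirects, and reports whether the answer is a 30x whose Location points at the HTTPS site. The host names are the post's own; nothing else is assumed.

```powershell
# Added example (not from the original post): verify that a UAG redirect trunk
# answers plain-HTTP requests with a redirect to the HTTPS trunk.
# Host names are the ones from the post's table; run this from a remote endpoint.
$sites = 'RDS.xman.com.au', 'ftp.xman.com.au', 'webmail.xman.com.au', 'sharepoint.xman.com.au'

function Test-HttpToHttpsRedirect {
    param([string]$HostName)
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false   # we want to inspect the 30x itself, not follow it
    $req.Timeout = 10000
    try {
        # With AllowAutoRedirect=$false a 3xx response is returned normally, not thrown
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { return "$HostName : no answer on port 80 ($($_.Exception.Message))" }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    # -like is case-insensitive, so 'RDS.' and 'rds.' in Location both match
    if ($status -ge 300 -and $status -lt 400 -and $location -like "https://$HostName*") {
        return "$HostName : OK ($status -> $location)"
    }
    return "$HostName : UNEXPECTED status $status, Location='$location'"
}

$sites | ForEach-Object { Test-HttpToHttpsRedirect -HostName $_ }
```

A site that answers 200 on port 80, or times out, means the redirect trunk is missing, not activated, or port 80 is not open on the frontend firewall (see the Perimeter Port Requirement list in Part 1).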

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Step1: configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK. Basic authentication is acceptable here only because UAG pre-authenticates the user and then passes the credentials to the Client Access server over the HTTPS (TCP 443) hop; the password is never carried outside TLS.
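The same Step 1 change can be made from the Exchange Management Shell on the Client Access server instead of clicking through the console. This is an added example, not code from the original post; it uses the real Set-OwaVirtualDirectory and Get-OwaVirtualDirectory cmdlets and assumes the default OWA virtual directory name, owa (Default Web Site), on the local server.

```powershell
# Added example (not from the original post): set the OWA virtual directory to
# Basic authentication only, as Step 1 does in the Exchange Management Console.
# Run in the Exchange Management Shell on the Client Access server.
# Assumes the default virtual directory name; adjust if yours differs.
$owa = "$env:COMPUTERNAME\owa (Default Web Site)"

# Only Basic stays enabled: UAG pre-authenticates the user and replays the
# credentials to this directory over the HTTPS hop (TCP 443 in the firewall rules).
Set-OwaVirtualDirectory -Identity $owa `
    -BasicAuthentication   $true `
    -FormsAuthentication   $false `
    -WindowsAuthentication $false `
    -DigestAuthentication  $false

# Verify the resulting state before publishing the trunk on UAG.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication, DigestAuthentication
```

If the change does not take effect immediately, recycle IIS on the Client Access server (iisreset /noforce) so the virtual directory picks up the new authentication settings.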

Step2: publish Outlook Web Access on a Forefront UAG portal

Right-click HTTPS Connections, click New Trunk, and then click Next.

clip_image001

Select Portal Trunk and Publish Exchange Applications via portal, and then click Next.

clip_image003

Type the name of the trunk and the public host name (the FQDN of the webmail site), and then click Next.

clip_image005

On the Authentication page, click Add, type the name of the domain controller, and then click OK.

clip_image007

clip_image008

Type the service account that UAG will use to talk to the DC, and then click OK.

clip_image010

Select the DC and click Select. Leave the rest of the settings as they are, and then click Next.

clip_image011

clip_image013

Select the certificate issued by the public certificate authority, exported from the mail server and imported on the UAG server, and then click Next. Ignore the certificate shown in the screen shot; this is a test environment.

clip_image015

Select Use Forefront UAG Access Policies, and then click Next. In a production environment the common name of the certificate will be webmail.xman.com.au.

clip_image017

Select Default, and then click Next.

clip_image019

Select Outlook Web Access, Outlook Anywhere and ActiveSync, select the Exchange version from the drop-down menu, and then click Next.

clip_image021

Type the name of the application, and then click Next.

clip_image023

Select Default, and then click Next.

clip_image025

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, and then click Next.

clip_image027

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.

clip_image029

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

clip_image031

On the Outlook Anywhere page, select Basic authentication, and then click Next.

clip_image033

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

clip_image035

On the Authorization page of the wizard, select which users are authorized to access this application.

clip_image037

On the Completing the Add Application Wizard page of the wizard, click Finish.

clip_image039

Once configured, you will see the following screen.

clip_image041

If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Publishing Remote Desktop Services Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).

Step1: Exporting RemoteApp settings from RDS

Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.

1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.

2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.

3. In the Actions pane, click Export RemoteApp Settings.

4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.

5. Specify a location to save the .tspub file, and then click Save.

Step2: Publishing RemoteApps and importing RemoteApp settings

This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.

1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.

2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.

3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.

4. On the Select Endpoint Policies page of the wizard, do the following:

  • In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.
  • To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.

5. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do one of the following:

  • Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.
  • Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.
  • Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.

6. On the Import RemoteApp Programs page of the wizard, do the following:

  • In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.
  • In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.
  • If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.

7. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.

8. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.

9. Complete the Add Application Wizard.

Install and Configure Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computers and mobile devices. UAG provides many benefits; the following is an extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevents data leakage to unmanaged endpoints.

Assumptions:

The following servers are installed and configured in a test environment.

image

Systems Requirements:

Option                   Description
Virtual Machine Name     DC1TVUAG01
Memory                   8GB
vCPU                     1
Hard Disk 1              50GB
Hard Disk 2              50GB
Network Adapter          2
Guest Operating System   Windows Server 2008 R2
Service Pack Level       SP1

Software Requirement:

Version              Microsoft Forefront Unified Access Gateway 2010
Service Pack Level   SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

Browser             Features
Firefox             Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Endpoint Quarantine Enforcement
Internet Explorer   Endpoint Session Cleanup, Endpoint detection, SSL Application Tunneling, Socket Forwarding, SSL Network Tunneling (Network Connector), Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name                                              Features
Windows Phone                                            Premium mobile portal
iOS: 4.x and 5.x on iPhone and iPad                      Premium mobile portal
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0    Premium mobile portal

Service Account for Active Directory Authentication:

Service Account   Privileges     Password
xmanSA-FUAG       Domain Users   Password set to never expire

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version: Forefront UAG 2010

Paths:

  • UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway

Processes:

  • Forefront UAG DNS-ALG Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe
  • Forefront UAG Monitoring Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe
  • Forefront UAG Session Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe
  • Forefront UAG File Sharing: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe
  • Forefront UAG Quarantine Enforcement Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe
  • Forefront UAG Terminal Services RDP Data: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe
  • Forefront UAG User Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe
  • Forefront UAG Watch Dog Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe
  • Forefront UAG Log Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe
  • Forefront UAG SSL Network Tunneling Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to placing the Forefront UAG server between a frontend and a backend firewall, as follows:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • Integrity of the content in the corporate network is retained.
  • Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
  • Hide the corporate network infrastructure from perimeter and external threats.

Scenario#1

image

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since the XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purposes.

Infrastructure server      Protocol               Port                  Direction
Domain controller          Microsoft-DS traffic   TCP 445, UDP 445      From UAG to DC
Domain controller          Kerberos authentication TCP 88, UDP 88       From UAG to DC
Domain controller          LDAP                   TCP 389, UDP 389      From UAG to DC
Domain controller          LDAPS                  TCP 636, UDP 636      From UAG to DC
Domain controller          LDAP to GC             TCP 3268, UDP 3268    From UAG to DC
Domain controller          LDAPS to GC            TCP 3269, UDP 3269    From UAG to DC
Domain controller          DNS                    TCP 53, UDP 53        From UAG to DC
Exchange, SharePoint, RDS  HTTPS                  TCP 443               From external to internal server
FTP                        FTP                    TCP 21                From external to internal server
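To confirm the backend firewall actually passes these ports before the first trunk is activated, the following added check (not part of the original post) can be run on the UAG server. It attempts a TCP connection to each destination in the table and reports open, refused or timed out; UDP is connectionless and is not probed this way. The addresses are the ones the post assigns (10.10.10.1 for the domain controller, 10.10.10.3 to 10.10.10.6 for the application servers); nothing else is assumed.

```powershell
# Added example (not from the original post): from the UAG server, test the TCP side
# of each backend port requirement. Addresses are the post's own test-environment IPs.
$checks = @(
    @{ Target = '10.10.10.1'; Port = 445;  Purpose = 'Microsoft-DS (DC)' },
    @{ Target = '10.10.10.1'; Port = 88;   Purpose = 'Kerberos (DC)' },
    @{ Target = '10.10.10.1'; Port = 389;  Purpose = 'LDAP (DC)' },
    @{ Target = '10.10.10.1'; Port = 636;  Purpose = 'LDAPS (DC)' },
    @{ Target = '10.10.10.1'; Port = 3268; Purpose = 'LDAP to GC (DC)' },
    @{ Target = '10.10.10.1'; Port = 3269; Purpose = 'LDAPS to GC (DC)' },
    @{ Target = '10.10.10.1'; Port = 53;   Purpose = 'DNS (DC)' },
    @{ Target = '10.10.10.3'; Port = 443;  Purpose = 'HTTPS (Exchange CAS)' },
    @{ Target = '10.10.10.4'; Port = 443;  Purpose = 'HTTPS (SharePoint)' },
    @{ Target = '10.10.10.5'; Port = 443;  Purpose = 'HTTPS (RDS)' },
    @{ Target = '10.10.10.6'; Port = 21;   Purpose = 'FTP' }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # No SYN/ACK within the timeout usually means the firewall silently drops the port
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (filtered?)' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'open'
    } catch {
        return "closed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

foreach ($c in $checks) {
    $result = Test-TcpPort -Target $c.Target -Port $c.Port
    '{0,-12} {1,-22} tcp/{2,-5} {3}' -f $c.Target, $c.Purpose, $c.Port, $result
}
```

A timeout on the DC rows after UAG is domain-joined usually points at the backend firewall rule 7 in the Internal Firewall Rules table; a refusal on 443 points at the application server itself rather than the firewall.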

Scenario#2

In this scenario no NAT or internal firewall rules are needed, but it is not a best practice and not a good firewall design.

image

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

  • First in order: UAG internal adapter connected to the trusted network.
  • Second in order: UAG external adapter connected to the untrusted network.

The following is the network configuration for the UAG server.

Option             IP Address                                                          Subnet          Default Gateway   DNS
Internal Network   10.10.10.2                                                          255.255.255.0   Not required      10.10.10.1
External Network   192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5     255.255.255.0   192.168.1.254     Not required

Important! The External Network can be assigned a public IP if the UAG server is not placed behind a frontend router/firewall. In an edge configuration the UAG external network is configured with a public IP and the internal network is assigned an IP address from the internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The 'File and Print Sharing for Microsoft Networks' binding on the Internal Network adapter is left at its default setting of Enabled. This allows the Internal Network adapter to be used for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
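Because a wrong gateway or a DNS server on the external adapter is the most common cause of UAG/TMG misbehaviour, here is an added audit script (not part of the original post or of the UAG product) that checks both adapters against Configuration Steps 1 to 3 above and prints the TCP/IP bind order. It uses WMI and the Tcpip\Linkage registry key so that it runs on Windows Server 2008 R2, where the newer Get-NetAdapter cmdlets do not exist. The adapter names are the ones the post recommends; everything else is read from the system.

```powershell
# Added example (not from the original post): audit the UAG adapters against the
# recommended settings (gateway, DNS, DNS registration, LMHOSTS, NetBIOS) and show
# the bind order. Runs on Windows Server 2008 R2 via WMI; no 2012+ cmdlets needed.
function Get-UagAdapterReport {
    param(
        [string]$Name,
        [bool]$ExpectGateway,
        [bool]$ExpectDns,
        [bool]$ExpectNetbiosDisabled,
        [bool]$ExpectDnsRegistration
    )
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if ($nic -eq $null) { return "$Name : adapter not found (rename it first, Configuration Step 1)" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
    $issues = @()

    $hasGw  = ($cfg.DefaultIPGateway -ne $null -and $cfg.DefaultIPGateway.Count -gt 0)
    $hasDns = ($cfg.DNSServerSearchOrder -ne $null -and $cfg.DNSServerSearchOrder.Count -gt 0)
    if ($hasGw  -ne $ExpectGateway) { $issues += "default gateway present=$hasGw (expected $ExpectGateway)" }
    if ($hasDns -ne $ExpectDns)     { $issues += "DNS servers present=$hasDns (expected $ExpectDns)" }

    # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled
    if ($ExpectNetbiosDisabled -and $cfg.TcpipNetbiosOptions -ne 2) { $issues += 'NetBIOS over TCP/IP not disabled' }
    if ([bool]$cfg.FullDNSRegistrationEnabled -ne $ExpectDnsRegistration) {
        $issues += "'Register this connection's address in DNS' = $($cfg.FullDNSRegistrationEnabled) (expected $ExpectDnsRegistration)"
    }
    # LMHOSTS lookup is a per-machine setting; the post wants it disabled on both adapters
    if ($cfg.WINSEnableLMHostsLookup) { $issues += 'LMHOSTS lookup enabled' }

    if ($issues.Count -eq 0) { return "$Name : OK ($($cfg.IPAddress -join ', '))" }
    return "$Name : " + ($issues -join '; ')
}

# Bind order lives in Tcpip\Linkage\Bind as \Device\{GUID} entries, highest priority first.
function Get-TcpipBindOrder {
    $bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    foreach ($entry in $bind) {
        $guid = $entry -replace '^\\Device\\', ''
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "GUID='$guid'"
        if ($nic -ne $null -and $nic.NetConnectionID) { $nic.NetConnectionID }
    }
}

Get-UagAdapterReport -Name 'Internal Network' -ExpectGateway $false -ExpectDns $true  -ExpectNetbiosDisabled $false -ExpectDnsRegistration $true
Get-UagAdapterReport -Name 'External Network' -ExpectGateway $true  -ExpectDns $false -ExpectNetbiosDisabled $true  -ExpectDnsRegistration $false
'Bind order (highest first):'
Get-TcpipBindOrder
```

The expected output lists 'Internal Network' before 'External Network' in the bind order and reports OK for both adapters; the 'Client for Microsoft Networks' and 'File and Print Sharing' bindings are not exposed through this WMI class and still have to be checked in the adapter properties dialog.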

clip_image005

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

clip_image007

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

DNS records for the following Fully Qualified Domain Names (FQDNs) will point at the public IP addresses that the ISP routes to your router:

Purpose      Public Host Name          Public IP Address
Exchange     webmail.xman.com.au       203.17.x.x
SharePoint   sharepoint.xman.com.au    203.17.x.x
RDS          remote.xman.com.au        203.17.x.x
FTP          ftp.xman.com.au           203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added to the frontend (perimeter) firewall to publish applications and services through Forefront UAG.

Rule(s)   Description   Source IP   Public IP Address (Destination IP Address)   Port   NAT Destination
1         Exchange      Any         203.17.x.x                                   443    192.168.1.2
2         SharePoint    Any         203.17.x.x                                   443    192.168.1.3
4         RDS           Any         203.17.x.x                                   443    192.168.1.4
5         FTP           Any         203.17.x.x                                   21     192.168.1.5

Internal Firewall Rules

The following firewall rules will be added to the internal network firewall to allow communication from the UAG server to the application servers and the domain controller:

Rule(s)   Description         Source IP       Port (TCP & UDP)                         Destination
1         Exchange            10.10.10.2      TCP 443                                  10.10.10.3
2         SharePoint          10.10.10.2      TCP 443                                  10.10.10.4
4         RDS                 10.10.10.2      TCP 443                                  10.10.10.5
5         FTP                 10.10.10.2      TCP 21                                   10.10.10.6
6         Client              10.10.12.0/24   TCP 443, TCP 21                          10.10.10.2
7         Domain Controller   10.10.10.2      445, 88, 53, 389, 636, 3268, 3269        10.10.10.1

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level; wildcard certificates in the form *.xman.com.au are supported. Alternatively, a SAN certificate can list the required host names. Certificates must be in .pfx format with the private key included in the file.

Launch Certificate Manager

1. Open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name              Subject Alternative Name     Certificate Issuer
RDS.xman.com.au                                       Verisign/Digicert
webmail.xman.com.au      autodiscover.xman.com.au     Verisign/Digicert
ftp.xman.com.au                                       Verisign/Digicert
sharepoint.xman.com.au                                Verisign/Digicert
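Before importing a .pfx on the UAG server it is worth checking that it really contains the private key and that its CN and SAN entries cover the public host names in the table above, since a mismatch only shows up as a browser warning after the trunk is activated. The following is an added check, not code from the original post: it loads the file with .NET's X509Certificate2 class, reads the SAN extension (OID 2.5.29.17), and reports coverage for each required name, including the single-label wildcard case the post mentions. The file path and password are placeholders; the host names are the post's own.

```powershell
# Added example (not from the original post): inspect a .pfx before importing it into
# the UAG server. Path and password below are placeholders; host names are the post's.
function Test-UagPfx {
    param([string]$PfxPath, [string]$Password, [string[]]$RequiredHosts)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $report = @()
    $report += "Subject    : $($cert.Subject)"
    $report += "Issuer     : $($cert.Issuer)"
    $report += "Expires    : $($cert.NotAfter)"
    $report += "PrivateKey : $($cert.HasPrivateKey)"   # UAG needs the private key inside the .pfx

    # Every name the certificate is valid for: the CN plus Subject Alternative Names (OID 2.5.29.17)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the extension as "DNS Name=webmail.xman.com.au, DNS Name=..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    foreach ($h in $RequiredHosts) {
        $covered = $false
        foreach ($n in $names) {
            if ($n -eq $h) { $covered = $true; break }
            # A wildcard such as *.xman.com.au covers exactly one extra label, so compare label counts too
            if ($n.StartsWith('*.') -and $h -like $n -and ($h.Split('.').Count -eq $n.Split('.').Count)) {
                $covered = $true; break
            }
        }
        $report += ('{0,-28} {1}' -f $h, $(if ($covered) { 'covered' } else { 'NOT covered' }))
    }
    $report
}

# Placeholder path and password; the Exchange certificate from the table must cover both names
Test-UagPfx -PfxPath 'C:\certs\webmail.pfx' -Password 'PLACEHOLDER' `
            -RequiredHosts 'webmail.xman.com.au', 'autodiscover.xman.com.au'
```

A PrivateKey of False means the export from the mail server was done without the private key and must be repeated; a NOT covered line means the trunk's public host name will not match the certificate, which UAG's trunk wizard will reject or clients will flag.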

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following tables list the trunks and their advanced configuration.

Trunk Name   Public Host Name          HTTPS Port   External IP Address   Authentication Server(s)
Exchange     webmail.xman.com.au       443          192.168.1.2           DC1TVDC01
SharePoint   sharepoint.xman.com.au    443          192.168.1.3           DC1TVDC01
RDS          remote.xman.com.au        443          192.168.1.4           DC1TVDC01
FTP          ftp.xman.com.au           21           192.168.1.5           DC1TVDC01

Advanced Trunk Configuration for SharePoint: The following changes should be made in the advanced trunk configuration to allow mobile devices to communicate with the UAG server for rich content:

URL List                Methods   Allow Rich Content
InternalSite_Rule54     HEAD      Checked
SharePoint14AAM_Rule47  HEAD      Checked

Published Applications and Services:

image

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

clip_image009

On the Welcome page of Setup, do the following:

clip_image011

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

clip_image013

clip_image015

clip_image017

Restart the Server.

clip_image019

Initial Configuration Using Getting Started Wizard

Before you run the initial configuration, you must patch UAG in the order described in this article. To patch UAG, open a command prompt using Run as Administrator, go to the location where you saved all the service packs and patches, and run them one by one. Note that if you do not run the setup as an administrator, setup will roll back and fail because it cannot modify the registry.

clip_image021

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the external network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Server Management Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Update. Note that an Internet connection is required both to opt in for updates and to receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right-click, click New, click Access Rule, and type the name RDP Access Policy.

2. On the Rule Action page, click Allow, and then click Next.

3. On the Selected Protocols page, click Add, select RDP (Terminal Services) from All Protocols, and then click Next.

4. On the Source page, click New, click Computer, add the name and IP address of the management computer, and then click Next.

5. On the Destination page, click New, click Computer, add the name and IP address of the UAG server, click Next, click Finish, and then apply the changes.

Publish Exchange Server 2010 using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: configure Exchange to use basic authentication

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).

4. In the Actions pane, under owa (Default Web Site), click Properties.

5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.

Step2: publish Outlook Web Access on a Forefront UAG portal

Right Click on HTTPS Connections, Click New Trunk, Click Next

clip_image001

Select Portal Trunk and Publish Exchange Applications via portal, Click Next

clip_image003

Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next

clip_image005

Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.

clip_image007

clip_image008

Type the service account which will talk to DC from UAG, Click Ok

clip_image010

Select the DC, Click Select. Leave rest of the settings as is. Click Next

clip_image011

clip_image013

Select the certificate which is issued by public certificate authority, exported from mail server and imported to UAG server. Click Next. Don’t worry about certificate screen shot. this is a test environment.

clip_image015

Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in above screen shot. This is a test environment. In production environment, common name of the certificate will be webmail.xman.com.au

Select Default and click Next.

Select OWA, Outlook Anywhere and ActiveSync, select the Exchange version from the drop-down menu, and then click Next.

Type the name of the application, and then click Next.

Select Default and click Next.

On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.

Click Configure an application server, and then click Next.

On the Web Servers page of the wizard:

In the Addresses list, enter the IP address or host name of the Client Access server.

In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.

On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.

On the Outlook Anywhere page, select Basic authentication, and then click Next.

On the Portal Link page of the wizard, configure the portal link for the application.

If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.

On the Authorization page of the wizard, select which users are authorized to access this application.

On the Completing the Add Application Wizard page of the wizard, click Finish.

Once configured, you will see the following screen.

If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.

To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Windows Server Patching Best Practices

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service packs are critical for compliance, service level agreement and security purposes. Keeping operating systems and applications up to date is the key to aligning your infrastructure with the latest software. Patches and hotfixes also help you prevent security breaches and malware infections.

Windows Patch Classification

The following are strongly recommended patches:

  1. Critical
  2. Security
  3. Definition Updates for malware
  4. Service packs

Windows Product Classification

It is highly recommended that you patch Windows Servers, Windows clients, Office and applications (Silverlight, .NET Framework, SQL, Exchange, SharePoint, FF TMG).

Patching Groups

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have a clustered environment such as SQL, Exchange or SharePoint, create Prod1 and Prod2 groups and place each node in a different group, so that the nodes of one cluster are never patched at the same time.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why discuss backup in a patching best practice article? Because in an emergency you can roll back completely and restore a server to its original state if necessary. It is very important that servers are backed up on a regular basis. Depending on the use of the server, it may be adequate to back up the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, including network drives provided by a server in another physical location. This program can also schedule backups, which ensures that backups occur at a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of the transaction logs.
  • A system state backup of the server.
  • A snapshot of the virtualized Exchange server. Delete the snapshot after successful patching and updating.

Application Compatibility

Read the release notes of each hotfix you are going to apply so that you remain compliant with the applications installed on the server. Consult the application vendor before applying a service pack to any server that hosts a specific business application. Consult the application engineer about the importance of server patching, and inform and educate the application engineer as much as possible to avoid conflicts of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and the enterprise to return to their original state prior to the failed implementation. It is important that these procedures are clear and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed uninstalling, so verify that there is enough free hard disk space to create the uninstall folder. Create the back-out plan electronically and attach it to the change record in the change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so that they are ready for any issues or outages that arise.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with the business so that application outages and server reboots still meet a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock, you must also consider application dependencies. A patching schedule can be set, for example, from 6:00 P.M. Friday to 6:00 A.M. Monday each month. Set up a maintenance window in System Center, or a deadline in WSUS, to make sure patches are applied when you want rather than when a patch becomes available. In this way you have complete control over the change windows approved by the change advisory board (CAB). Do not allow end users to install patches on their client machines whenever they please; if you do, users will never install any patch.

Patching Tools

I strongly recommend that you spend a few dollars on Microsoft System Center 2012 to manage and deploy Windows patches, service packs and hotfixes. However, you can use Windows Server Update Services (WSUS) as the poor man's patching solution.

Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.

Automate, Automate and Automate!

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some applications, such as RSA Secure Console, may require a reboot of the server before patching. Most servers, however, must be rebooted after patching. Do not suppress the reboot after patching under any circumstances, or you will end up with a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you are likely to see on a 64-bit Windows system is Office. This is where System Center benefits most, because you can make decisions based on architecture as well as compliance. You can approve patches based on "Needed and Not Installed": if a server or client needs the update it will be installed, and if not it will be skipped. This is safe to do.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Security methods should be implemented and standardized to allow early and rapid deployment on servers. It is important that a Windows server be equipped with the latest centrally managed antivirus program. Antivirus updates must be scheduled in the same maintenance window so that the antivirus is updated with the latest definitions.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as gathering it requires CPU and disk time. Log management software should be used, if possible, for ease of managing and analysing the information. Reports can be generated from System Center and WSUS as proof of the patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

Installing Updates on a single Exchange Server

Download the Exchange update from the Microsoft Download Center and record the current Exchange version information.

Check for publisher’s certificate revocation

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. Click the Advanced tab, and then locate the Security section.

4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

Pre-check before installing

1. Determine which update rollup packages are installed on your Exchange server roles

2. Determine whether any interim updates are installed

3. Review interim updates

4. Obtain the latest update rollup package

5. Apply on a Test Exchange Server

Install Exchange Update

1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

Install Exchange Update on DAG Member

To update all DAG members, perform the following procedures on each DAG member, one at a time. Put the member server into maintenance mode using this PowerShell command, run from the Exchange Scripts folder ($exscripts) in the Exchange Management Shell:

.\StartDagServerMaintenance.ps1 <ServerName>

Install the update rollup

1. Close all Exchange management tools.

2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

3. On the Welcome page, click Next.

4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

5. On the Completion page, click Finish.

Once the update is installed, take the server out of maintenance mode by running the StopDagServerMaintenance.ps1 script. Then run the following command to re-balance the DAG, as needed:

.\RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

When the installation is finished, complete the following tasks:

  • Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
  • Log on to Outlook Web App to verify that it’s running correctly.
  • Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
  • After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
  • Check Exchange 2010 version information
  • View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privileges are required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

  1. Check the System event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
  4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
  5. Install the service pack on Node A, and then restart the computer.
  6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
  7. In Cluster Administrator, right-click Node A, and then click Resume Node.
  8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
  9. In Cluster Administrator, right-click Node B, and then click Pause Node.
  10. Install the service pack on Node B, and then restart the computer.
  11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. In Cluster Administrator, right-click Node B, and then click Resume Node.
  13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

  1. Check the event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. On Node A, Expand Services and Applications, and then click the service or application
  4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
  5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
  6. Install the service pack/hotfixes on Node A, and then restart the computer.
  7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
  9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
    Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
  10. Install the service pack/hotfixes on Node B, and then restart the computer.
  11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
  13. In Failover Cluster Manager, right-click Node B, and then click Resume.
  14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

You can use the following PowerShell cmdlets to accomplish the same thing.

1. Load the module: Import-Module FailoverClusters

2. Suspend (pause) activity on failover cluster node nodeA: Suspend-ClusterNode nodeA

3. Move the clustered services or applications (resource groups) owned by NodeA to another node: Get-ClusterNode NodeA | Get-ClusterGroup | Move-ClusterGroup

4. Resume activity on nodeA, which was suspended in step 2: Resume-ClusterNode nodeA

5. Move the clustered services or applications (resource groups) owned by NodeB to another node: Get-ClusterNode NodeB | Get-ClusterGroup | Move-ClusterGroup

6. Suspend (pause) activity on the other failover cluster node: Suspend-ClusterNode nodeB

7. Resume activity on nodeB, which was suspended in step 6: Resume-ClusterNode nodeB
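The rolling procedure above in scripted form, as an added example that is not part of the original article: each node is drained and paused, patched, rebooted (never suppressed), checked against the System log and resumed, and the roles are finally returned to their preferred owners. The node names, the .msu path, WinRM being enabled on both nodes and the one-day error look-back are assumptions.

```powershell
# Added example, not from the original article. Assumes a two-node cluster,
# WinRM enabled on both nodes, and an .msu reachable from each node.
Import-Module FailoverClusters

$Nodes  = @('NodeA', 'NodeB')                      # assumed node names
$Hotfix = '\\fileserver\patches\<KB-number>.msu'   # placeholder path

function Get-RecentSystemErrors {
    # Critical (1) and Error (2) events in the System log of $Computer since $Since
    param([string]$Computer, [datetime]$Since)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Level = @(1, 2); StartTime = $Since
    }
}

function Invoke-ClusterNodePatch {
    param([string]$Node, [string]$Package)

    # Pre-check (steps 1 and 7 above): do not touch a node that is already logging errors
    $before = Get-RecentSystemErrors -Computer $Node -Since (Get-Date).AddDays(-1)
    if ($before) { throw "$Node has $($before.Count) System errors in the last 24h; fix them first" }

    # Move every clustered role owned by this node elsewhere, then pause the node
    Get-ClusterNode -Name $Node | Get-ClusterGroup | Move-ClusterGroup | Out-Null
    Suspend-ClusterNode -Name $Node | Out-Null

    # Install quietly with the automatic reboot disabled, then reboot deliberately
    # and wait until WinRM answers again (the reboot itself is never skipped)
    $patchStart = Get-Date
    Invoke-Command -ComputerName $Node -ArgumentList $Package -ErrorAction Stop -ScriptBlock {
        param($msu)
        $p = Start-Process wusa.exe -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
        # 3010 = installed, reboot required; 2359302 (0x240006) = already installed
        if ($p.ExitCode -notin 0, 3010, 2359302) { throw "wusa exit code $($p.ExitCode)" }
    }
    Restart-Computer -ComputerName $Node -Wait -For WinRM -Force -Timeout 1800

    # Post-check: any error logged since the install started blocks the resume
    $after = Get-RecentSystemErrors -Computer $Node -Since $patchStart
    if ($after) { throw "$Node logged $($after.Count) System errors during patching; investigate before resuming" }

    Resume-ClusterNode -Name $Node | Out-Null
}

foreach ($n in $Nodes) { Invoke-ClusterNodePatch -Node $n -Package $Hotfix }

# Finally move each role back to the first of its preferred owners (step 14 above)
foreach ($group in Get-ClusterGroup) {
    $preferred = (Get-ClusterOwnerNode -Group $group.Name).OwnerNodes | Select-Object -First 1
    if ($preferred -and $group.OwnerNode.Name -ne $preferred.Name) {
        Move-ClusterGroup -Name $group.Name -Node $preferred.Name | Out-Null
    }
}
```

Because every check throws, a failure leaves the node paused and the roles on the other node, which is the safe state to hand to whoever investigates.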

Conclusion

It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

Bottom line

1. Read all related documents.

2. Use a change control process.

3. Apply updates that are needed.

4. Test patches and hotfixes on test environment.

5. Don’t get more than 2 service packs behind.

6. Target non-critical servers first.

7. Service Pack (SP) level consistency.

8. Latest SP instead of multiple hotfixes.

9. Apply only on exact match.

10. Subscribe to Microsoft email notification.

11. Always have a back-out plan.

12. Have a working Backup and schedule production downtime.

13. Consistency across Domain Controllers and application servers.

Additional Readings:

SQL Server failover cluster rolling patch and service pack process

Patch Management on Business-Critical Servers

Upgrade HP Firmware using Smart Update Manager (HP SUM)

You can run the Smart Update Firmware DVD either online or offline. When performing an offline deployment, you can boot the server from the Smart Update Firmware DVD or from a USB drive key that contains the Smart Update Firmware DVD contents. To download the latest Smart Update ISO, go to http://www.hp.com/support, search for the model of your server, select the Windows operating system version, locate the Software – CD-ROM section on the page, and then click the Download button. Save the ISO on the admin PC.

Temporarily disable BitLocker support to allow firmware updates in Windows Server:
1. Click Start, and then search for gpedit.msc in the Search Text box.
2. When the Local Group Policy Editor starts, click Local Computer Policy.
3. Click Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
4. When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced startup options.
5. When the dialog box appears, click Disable.
6. Close all windows, and then start the firmware update.

Deploying components online

1. Insert the Smart Update Firmware DVD or USB drive key. The Smart Update Firmware DVD interface opens. Open a CLI. To access the Smart Update Firmware DVD, enter one of the following commands:
On Windows operating systems, enter:
\_autorun\autorun_win
On Linux operating systems, enter:
/autorun

2. Read the End-User License Agreement. To continue, click Agree. The Smart update Firmware DVD interface appears.
3. Click the Firmware Update tab.
4. Click Install Firmware. HP SUM is initiated.
5. Select and install components.

Deploying offline

1. Plug in the USB key with the Automatic Mode ISO image or use the Automatic Mode ISO image from a hard drive on a remote client computer.
2. Using Microsoft Internet Explorer, browse to the iLO management IP address.
3. Log in with your iLO administrative credentials.
4. Click the virtual media tab, and then click Virtual Media Applet.
5. In the Virtual CD/DVD-ROM section, click Local Image File.
6. Click Browse. Locate the firmware ISO image, and then click Open.
7. To connect to the ISO image, click Connect.
8. Return to the iLO website. Click the Power Management tab.
9. Using the Momentary Press button, power up the server.
10. Once booted, at the menu, select either Automatic Mode (default) or Interactive Mode. At the prompt, select a language and keyboard.
11. Click Continue. Read the End-User License Agreement. To continue, click Agree. The Smart Update Firmware DVD interface appears.
12. Click the Firmware Update tab. Click Install Firmware. HP SUM is initiated.
13. Select and install components. Reboot the server. A remote console session is terminated if the iLO firmware is updated during the Automatic Mode firmware update process.

Windows Time Configuration Best Practice—Step by Step

The Windows Time service tool (W32tm) provides the time synchronisation that Kerberos authentication in Microsoft Active Directory requires. The Windows Time service ensures that the entire fleet of servers and clients in an organisation running Microsoft operating systems uses a common and correct time.
To ensure correct time, the Windows Time service uses a hierarchical control of time sources and avoids any loops in the time hierarchy. In this hierarchy, the holder of the PDC emulator FSMO role at the root of the forest becomes authoritative for the organisation. By default, domain-joined Windows computers use the following hierarchy:

  • All client desktop computers and member servers nominate the authenticating domain controller as their in-bound time partner.
  • All secondary domain controllers and RODCs in a domain nominate the primary domain controller (PDC) emulator as their in-bound time partner.
  • All PDC emulators follow the hierarchy of domains when selecting their in-bound time partner.

Microsoft recommends the following:

  • Configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication between the PDC and the external time source.
  • Reduce the time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security for your domain.

Before you configure the NTP server and clients, you must consider the following for time services on a virtualized domain controller and/or virtual machines.

  • There must be a single time provider in your infrastructure. You cannot have the domain controller, the Hyper-V host and the ESXi host all acting as time providers. Only the domain controller is your time provider, and the domain controller syncs its time with a hardware time provider or an Internet time provider.
  • Never put a virtualized domain controller in a saved state.
  • Never sync a domain controller's time with the virtual host.
  • Uncheck Time synchronization in the Integration Services if the DC and virtual servers are virtualized on Hyper-V.
  • Uncheck time synchronization of the DC and virtual machines in the VMware Tools configuration.
  • Do not restore a snapshot to a production domain controller (PDC).

Step1: Remove Time Synchronisation of Guest with Host

Follow this procedure if the host is a Hyper-V host:

1. If the virtual machine is on Hyper-V, right-click the VM, click Settings, and then choose Integration Services under Management.

2. On the Integration Services page, uncheck Time synchronization.

3. Click OK.

Follow this procedure if the host is an ESXi host:

1. If the virtual machine is on VMware ESXi, right-click the VM and click Edit Settings.

2. Click Options, click VMware Tools, uncheck Synchronize guest time with host, and then click OK.

Step2: Configure Cisco Switch as NTP Source

Enter global configuration mode:

switch# config t

Enable NTP:

switch(config)# ntp enable

Show NTP status:

switch(config)# show ntp status

Configure the NTP server:

switch(config)# ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Configure the NTP peer to communicate with over the specified NTP server:

switch(config)# ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name]

Display the configured servers and peers:

switch(config)# show ntp peers

Save the changes:

switch(config)# copy running-config startup-config

Follow this example to configure a Cisco 6000 series switch as the NTP source on a high-availability Catalyst 6000 switch. The Cisco NTP guide is available here.

Step3: Configure a Domain Controller as a NTP Server

Follow this procedure to configure the NTP server from an elevated command prompt; otherwise use Step 4 to configure the NTP server using a GPO. My recommended approach is GPO instead of the command line, but if you are a command-line junkie you can use these commands.

  1. Find out whether the server on which you are configuring the NTP provider is the PDC emulator. Run this command on the PDC emulator:

netdom query fsmo

  2. Run the following command from an elevated command prompt to stop the time service:

net stop w32time

  3. Completely remove all time settings from the registry. You may have to run this twice; if you get an access denied error, just run it again:

w32tm /unregister

  4. Re-create the registry settings:

w32tm /register

  5. Start the service:

net start w32time

  6. Set the server to sync with the NTP servers on pool.ntp.org. To find the correct time pool for your region, visit http://www.pool.ntp.org/en/ and click your region in the right-hand panel to find the NTP servers in your time zone. The example is an Australian time zone setup:

w32tm /config /syncfromflags:manual /manualpeerlist:"au.pool.ntp.org time.windows.com" /reliable:yes /update

When using a hardware time source, use this command instead:

w32tm /config /syncfromflags:manual /manualpeerlist:"<IP address (or DNS name if available) of the Cisco core switch>" /reliable:yes /update

  7. Update the configuration:

w32tm /config /update

  8. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  9. Sync the clock to your new NTP servers. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  10. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration

Step4: Configure a NTP Server using Group Policy Object

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type the name of the GPO as Time Provider, and then click OK.
  2. Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and then click OK. Example shown below.

Clock Discipline Parameters:

  FrequencyCorrectRate: 4
  HoldPeriod: 5
  LargePhaseOffset: 50000000
  MaxAllowedPhaseOffset: 300
  MaxNegPhaseCorrection: 300
  MaxPosPhaseCorrection: 300
  PhaseCorrectRate: 1
  PollAdjustFactor: 5
  SpikeWatchPeriod: 900
  UpdateInterval: 30000

General Parameters:

  AnnounceFlags: 5
  EventLogFlags: 2
  LocalClockDispersion: 10
  MaxPollInterval: 10
  MinPollInterval: 6
  ChainEntryTimeout, ChainMaxEntries, ChainMaxHostEntries, ChainDisable, ChainLoggingRate: (not set in the example)

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, and enable both Enable Windows NTP Client and Enable Windows NTP Server. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer: au.pool.ntp.org time.windows.com
    (or the IP address of the Cisco core switch if you are using a hardware time provider)
  Type: NTP
  CrossSiteSyncFlags: 2
  ResolvePeerBackoffMinutes: 15
  ResolvePeerBackoffMaxTimes: 7
  SpecialPollInterval: 3600
  EventLogFlags: 1

Standard time configuration should look like this:

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service
    Configuration: Configure Global Configuration Settings here
    Status: Enabled
    Settings: Default

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
    Configuration: Configure Windows NTP Client settings here
    Status: Enabled
    Settings: au.pool.ntp.org time.windows.com

    Configuration: Enable Windows NTP Client here
    Status: Enabled

    Configuration: Enable Windows NTP Server here
    Status: Enabled

Step5: Create and link a separate GPO for domain joined client or server

  1. Open the Group Policy Management Console, right-click the Domain Controllers OU, click New Group Policy, type the name of the GPO as Time Provider, and then click OK.
  2. Right-click the Time Provider GPO, click Edit, and expand Computer Configuration\Administrative Templates\System\Windows Time Service.
  3. Right-click Configure Global Configuration Settings, click Edit, click Enabled, and then click OK. Example shown below.

Clock Discipline Parameters:

  FrequencyCorrectRate: 4
  HoldPeriod: 5
  LargePhaseOffset: 50000000
  MaxAllowedPhaseOffset: 300
  MaxNegPhaseCorrection: 300
  MaxPosPhaseCorrection: 300
  PhaseCorrectRate: 1
  PollAdjustFactor: 5
  SpikeWatchPeriod: 900
  UpdateInterval: 30000

General Parameters:

  AnnounceFlags: 5
  EventLogFlags: 2
  LocalClockDispersion: 10
  MaxPollInterval: 10
  MinPollInterval: 6
  ChainEntryTimeout, ChainMaxEntries, ChainMaxHostEntries, ChainDisable, ChainLoggingRate: (not set in the example)

4. Expand Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, and enable both Enable Windows NTP Client and Enable Windows NTP Server. Double-click Configure Windows NTP Client settings and type the NTP server name (example shown below):

  NtpServer: dc.superplaneteers.com
  Type: NT5DS
  CrossSiteSyncFlags: 2
  ResolvePeerBackoffMinutes: 15
  ResolvePeerBackoffMaxTimes: 7
  SpecialPollInterval: 3600
  EventLogFlags: 1

Standard configuration should look like this:

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service
    Configuration: Configure Global Configuration Settings here
    Status: Enabled
    Settings: Default

  Location: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
    Configuration: Configure Windows NTP Client settings here
    Status: Enabled
    Settings: NT5DS

    Configuration: Enable Windows NTP Client here
    Status: Enabled

    Configuration: Enable Windows NTP Server here
    Status: Disabled

Broadcasting Time Configuration using DHCP Server

Note that you use either a GPO to configure time or DHCP to broadcast the time server to Windows 7 and Windows 8 clients, not both. My recommendation is to use a GPO to configure time for Windows clients. However, here is a guide to configuring Windows time via DHCP.

  1. Log on to the DHCP Server, Click Server Manager, Click Tools, Click DHCP Manager.
  2. Click Server Options, Click Property, on the general tab, scroll down and select 042 Time Servers, type the IP address of time server, Click resolve, Click Add, Click Ok.

NTP Client Configuration for domain joined Hyper-V Server 2012

  1. Create an OU in Active Directory named Hyper-V Server 2012 and move all Hyper-V hosts into it.
  2. Right-click the Hyper-V Server 2012 OU, click Link an Existing GPO, select the time policy you created above, and click OK. A domain-joined host should keep Type NT5DS so that it follows the domain hierarchy. If you reuse the Domain Controllers GPO, note that it also enables the Windows NTP Server on every host it is linked to; a separate policy with the NTP server disabled (the standard configuration above) is the cleaner choice for member servers.
  3. Repeat for other OUs as necessary. A nested OU inherits from its parent unless inheritance is blocked or it has its own linked GPO with conflicting settings.

NTP Client Configuration for non domain joined Hyper-V Server 2012

A host that is not domain joined cannot use the signed time synchronisation of the domain hierarchy, so its NTP traffic is unauthenticated and anyone who can answer on the path can set its clock. Point it at a source on a network you control, and set MaxPosPhaseCorrection and MaxNegPhaseCorrection on it as well, because the GPO above does not reach a non-domain-joined host.

  1. Set the host to sync from the NTP server:

w32tm /config /syncfromflags:manual /manualpeerlist:"dc.superplaneteers.com" /reliable:yes /update

where dc.superplaneteers.com is the PDC emulator and time provider. The /reliable flag only has meaning on a domain controller, so it is harmless here but unnecessary; appending ,0x8 to the peer name (dc.superplaneteers.com,0x8) forces client mode and is the usual form for a manual peer.

  2. Restart the service so the new settings take effect:

net stop w32time && net start w32time

  3. Sync the clock to the new NTP server. This needs to return "The command completed successfully.":

w32tm /resync /rediscover

  4. Query the time configuration to make sure time is configured as desired:

w32tm /query /status

w32tm /query /peers

w32tm /query /configuration
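The checks above tell you what the service is configured to do, but not how far the host's clock actually is from its source. The following PowerShell is an added example, not part of the original article: it wraps w32tm /stripchart to measure the offset against the time source and flags anything outside the 300-second window that MaxPosPhaseCorrection and MaxNegPhaseCorrection were set to above (which is also the default Kerberos clock-skew tolerance), and it reads the effective Type and NtpServer back out of w32tm /query /configuration. The DC name is the article's example; the function names and the sample output format comments are assumptions.

```powershell
# Added example, not from the original article. Measures a host's clock offset against a
# time source with `w32tm /stripchart` and reads the effective W32Time settings.

function Get-W32TimeSetting {
    # Pull one "Name: value (Local|Policy)" line out of `w32tm /query /configuration` output.
    param([string[]] $ConfigText, [string] $Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + ':\s*(.+?)\s*\((Local|Policy)\)\s*$'
    $hit = $ConfigText | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Get-TimeOffsetAgainst {
    param(
        [Parameter(Mandatory)] [string] $TimeSource,   # e.g. dc.superplaneteers.com
        [int] $Samples = 5,
        [int] $MaxSkewSeconds = 300                    # matches MaxPos/NegPhaseCorrection above
    )
    # /dataonly prints one line per sample, "13:06:32, +00.0032215s", or
    # "13:06:32, error: 0x800705B4" when the source does not answer on UDP/123.
    $raw = & w32tm.exe /stripchart /computer:$TimeSource /samples:$Samples /dataonly 2>&1
    $offsets = @(); $errs = @()
    foreach ($line in $raw) {
        if     ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$')        { $offsets += [double]$Matches[1] }
        elseif ("$line" -match ',\s*error:\s*(0x[0-9A-Fa-f]+)')  { $errs    += $Matches[1] }
    }
    if ($offsets.Count -eq 0) {
        return [pscustomobject]@{
            TimeSource = $TimeSource; Samples = 0; MaxAbsOffsetSeconds = $null; WithinLimit = $false
            Errors = @($errs | Select-Object -Unique)
            Note   = 'No samples: check UDP/123 reachability and that the source runs the Windows NTP Server.'
        }
    }
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $ok = $maxAbs -le $MaxSkewSeconds
    $note = if ($ok) { 'OK' } else {
        "Offset exceeds $MaxSkewSeconds s: w32tm /resync will report the required change is too big " +
        "and Kerberos authentication will fail (KRB_AP_ERR_SKEW). Set the clock by hand, then resync."
    }
    [pscustomobject]@{
        TimeSource          = $TimeSource
        Samples             = $offsets.Count
        MeanOffsetSeconds   = [math]::Round(($offsets | Measure-Object -Average).Average, 4)
        MaxAbsOffsetSeconds = [math]::Round($maxAbs, 4)
        WithinLimit         = $ok
        Errors              = @($errs | Select-Object -Unique)
        Note                = $note
    }
}

# Usage: show the effective source configuration, then the measured offset.
$cfg = & w32tm.exe /query /configuration 2>&1
[pscustomobject]@{
    Type                  = Get-W32TimeSetting $cfg 'Type'
    NtpServer             = Get-W32TimeSetting $cfg 'NtpServer'
    MaxPosPhaseCorrection = Get-W32TimeSetting $cfg 'MaxPosPhaseCorrection'
    MaxNegPhaseCorrection = Get-W32TimeSetting $cfg 'MaxNegPhaseCorrection'
} | Format-List
Get-TimeOffsetAgainst -TimeSource 'dc.superplaneteers.com' | Format-List
```

Run it from an elevated prompt on the host you are checking. A source that returns error lines rather than offsets has usually either not enabled its NTP server or is filtered on UDP/123; a large but stable offset points at a host that has crossed the phase-correction limit and needs its clock set manually before W32Time will follow the source again.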

NTP Client Configuration in ESXi Host

Open the Virtual Infrastructure (vSphere) Client, connect to Virtual Center, expand the datacenter, expand the cluster, select the ESXi host, click Configuration, click Time Configuration, click Properties.

On the General tab, select Start and stop with host.

Click NTP Settings, click Add, type the FQDN of a domain controller, click OK, click OK.

If you use host profiles in Virtual Center, click Home, click Host Profiles, create a host profile or edit an existing one, expand Date and Time Configuration, click Time Settings, type the FQDN of the DC, click OK.

For Windows guests running on these hosts, let W32Time (the domain hierarchy) own the guest clock and leave VMware Tools periodic time synchronisation off; if both are enabled they will fight over the clock.

Time drifting error in Windows Machine

Time can drift for many reasons, for example network latency, a virtualised clock, or misconfigured time services. W32Time reports the condition in the Windows Server System event log: event 50 ("time difference of greater than 5000 milliseconds for 900 seconds", the LargePhaseOffset and SpikeWatchPeriod values set above) when the service stops trusting its source, and event 47 when no valid response has been received from a configured peer. A troubleshooting guide is linked under Further Study below.

Further Study

Microsoft Reference

Time Drifting Issue

Timekeeping best practices for Windows on ESXi Host

Detailed explanation of time configuration GPO

Cisco NTP Network Appliance

Windows Server 2012: Failover Clustering Deep Dive

Physical Hardware Requirements - sizing example for up to 23 instances of SQL Server on one node:

  1. Processor: 2 processors per instance, so 23 instances on a single cluster node would require 46 CPUs.
  2. Memory: 2 GB per instance, so 23 instances on a single cluster node would require 48 GB of RAM (46 GB plus 2 GB for the operating system).
  3. Network adapters: Microsoft-certified network adapters; converged adapter, iSCSI adapter or HBA as appropriate.
  4. Storage adapter: multipath I/O (MPIO) supported hardware.
  5. Storage: shared storage that is compatible with Windows Server 2008/2012. Storage requirements include the following:
  • Use basic disks, not dynamic disks.
  • Use NTFS partitions.
  • Use either master boot record (MBR) or GUID partition table (GPT); volumes larger than 2 TB must use GPT.
  • 4 disks per instance, so 23 instances on a cluster disk array would require 92 disks.
  • Cluster storage must not be Windows Distributed File System (DFS).

Software Requirements

Download SQL Server 2012 installation media. Review SQL Server 2012 Release Notes. Install the following prerequisite software on each failover cluster node and then restart nodes once before running Setup.

  1. Windows PowerShell 2.0
  2. .NET Framework 3.5 SP1
  3. .NET Framework 4

Active Directory Requirements

  1. Cluster nodes must be members of the same Active Directory domain.
  2. The servers in the cluster must use Domain Name System (DNS) for name resolution.
  3. Use a cluster naming convention, for example production physical node DC1PPSQLNODE01 or production virtual node DC2PVSQLNODE02.

Unsupported Configuration

The following configurations are unsupported:

  1. Cluster names containing any of the characters <, >, ", ' or &.
  2. SQL Server installed on a domain controller.
  3. Cluster services installed on a domain controller or on a Forefront TMG 2010 server.

Permission Requirements

The system administrator or project engineer who creates the cluster needs only a domain user account that has Create Computer Objects permission on the OU where the cluster name object (CNO) will be created (or a pre-staged CNO that the account has Full Control over), and must be a member of the local Administrators group on each clustered server. Domain Admins membership is not required for this and should not be used.

Network settings and IP addresses requirements

You need at least two network adapters in each cluster node: one for the domain or client network and one for the heartbeat (cluster-only) network.

The following are the unique requirements for a Microsoft cluster:

  1. Use identical network settings on each node, such as speed, duplex mode, flow control and media type.
  2. Ensure that each cluster network (domain, heartbeat, and storage if iSCSI is used) is on its own unique subnet, whether the nodes are in a single location or geographically dispersed.
  3. Ensure that every node's heartbeat adapter is in the same heartbeat subnet, so that the nodes can reach each other on it.

The domain network adapter should be configured with an IP address, subnet mask, default gateway and DNS servers, and the node should have an A record in DNS.

The heartbeat network adapter should be configured with only an IP address and subnet mask: no default gateway, no DNS servers, and DNS registration for that connection turned off.

Additional Requirements

  1. Verify that antivirus software is not installed on the WSFC nodes or, if it must be, that the cluster directory (%SystemRoot%\Cluster), the quorum disk and the clustered data paths are excluded from scanning.
  2. Ensure that all cluster nodes are configured identically, including COM+, disk drive letters and the members of the local Administrators group.
  3. Clear the System logs on all nodes, then review them again.
  4. Ensure that the logs are free of error messages before continuing.
  5. Before you install or update a SQL Server failover cluster, disable all applications and services that might use SQL Server components during installation, but leave the disk resources online.
  6. SQL Server Setup automatically sets dependencies between the SQL Server cluster group and the disks that will be in the failover cluster. Do not set dependencies for disks before Setup.
  7. If you are using an SMB file share as the storage option, the SQL Server Setup account must have the Manage auditing and security log user right on the file server. Grant it with the Local Security Policy console on the file server.

Supported Operating Systems

  • Windows Server 2012 64-bit x64 Datacenter
  • Windows Server 2012 64-bit x64 Standard
  • Windows Server 2008 R2 SP1 64-bit x64 Datacenter
  • Windows Server 2008 R2 SP1 64-bit x64 Enterprise
  • Windows Server 2008 R2 SP1 64-bit x64 Standard
  • Windows Server 2008 R2 SP1 64-bit x64 Web

Understanding Quorum configuration

Put simply, quorum is a voting mechanism in a Microsoft cluster. Each node has one vote. The cluster continuously counts how many voting nodes are online and compares that with the number required for the cluster to keep running. Each node holds a copy of the cluster configuration, and a copy is also kept on the witness disk or witness file share when one is configured. For a Microsoft cluster you choose one of four quorum configurations:

  • Node Majority: recommended for clusters with an odd number of nodes. Can sustain the failure of half the nodes, rounded down.

  • Node and Disk Majority: recommended for clusters with an even number of nodes. Can sustain (number of nodes)/2 failures if the disk witness stays online, and (number of nodes)/2 - 1 failures if the disk witness is offline.

  • Node and File Share Majority: for clusters with special configurations, such as multi-site clusters. Works in the same way as Node and Disk Majority, but uses a file share witness instead of a disk witness.

  • No Majority: Disk Only (not recommended). The cluster runs as long as the disk is reachable, which makes that one disk a single point of failure.

Why is quorum necessary? Network problems can interfere with communication between cluster nodes, and that can cause serious issues. To prevent the issues caused by a split in the cluster, the cluster software requires that any set of nodes running as a cluster must use a voting algorithm to determine whether, at a given time, that set has quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster knows how many votes constitute a majority (that is, a quorum). If the number drops below the majority, the cluster stops running. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not begin to function as a cluster until quorum exists again.

Understanding a multi-site cluster environment

Hardware: A multi-site cluster requires redundant hardware with correct capacity, storage functionality, replication between sites, and network characteristics such as network latency.

Number of nodes and corresponding quorum configuration: for a multi-site cluster, Microsoft recommends having an even number of nodes and, for the quorum configuration, using the Node and File Share Majority option, that is, including a file share witness as part of the configuration. The file share witness should be located at a third site, a different location from the main site and the secondary site, so that it is not lost if one of the other two sites has problems.

Network configuration, deciding between multiple subnets and a stretched VLAN: configuring a multi-site cluster with a different subnet at each site is supported. When you use multiple subnets, however, consider how clients will discover a service or application that has just failed over. Its Network Name resource registers a new IP address after failover, the DNS servers must replicate that record, and clients must let their cached record expire before they find the new address. To keep that window short, lower the HostRecordTTL of the clustered Network Name resource (the default is 1200 seconds) and check DNS replication times. With a stretched VLAN the IP address does not change on failover, so no DNS update is needed, at the cost of extending a layer 2 domain between the sites.

Tuning of heartbeat settings: The heartbeat settings include the frequency at which the nodes send heartbeat signals to each other to indicate that they are still functioning, and the number of heartbeats that a node can miss before another node initiates failover and begins taking over the services and applications that had been running on the failed node. In a multi-site cluster, you might want to tune the “heartbeat” settings. You can tune these settings for heartbeat signals to account for differences in network latency caused by communication across subnets.

Replication of data: replication of data between sites is very important in a multi-site cluster, and is accomplished in different ways by different hardware vendors, so the choice of replication process requires careful consideration. There are many options for replicating data, but before you make any decision, consult your storage vendor, server hardware vendor and software vendors; depending on the vendor (NetApp, EMC and so on) your replication design will change. Review the following considerations:

Choosing replication level ( block, file system, or application level): The replication process can function through the hardware (at the block level), through the operating system (at the file system level), or through certain applications such as Microsoft Exchange Server (which has a feature called Cluster Continuous Replication or CCR). Work with your hardware and software vendors to choose a replication process that fits the requirements of your organization.

Configuring replication to avoid data corruption: The replication process must be configured so that any interruptions to the process will not result in data corruption, but instead will always provide a set of data that matches the data from the main site as it existed at some moment in time. In other words, the replication must always preserve the order of I/O operations that occurred at the main site. This is crucial, because very few applications can recover if the data is corrupted during replication.

Choosing between synchronous and asynchronous replication: The replication process can be synchronous, where no write operation finishes until the corresponding data is committed at the secondary site, or asynchronous, where the write operation can finish at the main site and then be replicated (as a background operation) to the secondary site.

Synchronous replication means that the replicated data is always up to date, but it slows application performance while each write waits for the remote commit. Synchronous replication is best for multi-site clusters that have high-bandwidth, low-latency connections; in practice this means the cluster must not be stretched over a great distance. As a rule of thumb, synchronous replication is feasible within about 200 km where reliable and robust WAN connectivity with enough bandwidth is available; for example, with a GigE or 10 GigE MPLS connection you would choose synchronous replication, depending on the volume of data.

Asynchronous replication can help maximise application performance, but if failover to the secondary site is necessary, some of the most recent user operations might not be reflected in the data after failover, because operations that completed recently might not yet have been replicated. Asynchronous replication is best for clusters stretched over greater geographical distances with no significant application performance impact; as a rule of thumb, use it when the distance exceeds about 200 km or the WAN connectivity between sites is not robust.

Utilizing Windows Storage Server 2012 as shared storage

Windows Storage Server 2012 is the Windows Server 2012 platform of choice for network-attached storage (NAS) appliances offered by Microsoft partners.

Windows Storage Server 2012 enhances the traditional file serving capabilities and extends file based storage for application workloads like Hyper-V, SQL, Exchange and Internet information Services (IIS). Windows Storage Server 2012 provides the following features for an organization.

Workgroup Edition

  • As many as 50 connections
  • Single processor socket
  • Up to 32 GB of memory
  • As many as 6 disks (no external SAS)

Standard Edition

  • No license limit on number of connections
  • Multiple processor sockets
  • No license limit on memory
  • No license limit on number of disks
  • De-duplication, virtualization (host plus 2 virtual machines for storage and disk management tools), and networking services (no domain controller)
  • Failover clustering for higher availability
  • Microsoft BranchCache for reduced WAN traffic

Presenting Storage from Windows Storage Server 2012 Standard

From Server Manager, click Add roles and features. On the Before you begin page, click Next. On the Installation type page, click Next.

On the Server Roles page, select iSCSI Target Server and iSCSI Target Storage Provider, click Next.

On the Features page, click Next. On the Confirmation page, click Install. Click Close.

In Server Manager, click File and Storage Services, click iSCSI.

On the Tasks button, click New iSCSI Virtual Disk, select the volume from which you want to present storage, click Next.

Type the name of the virtual disk, click Next.

Type the size of the shared disk, click Next.

Select New iSCSI target, click Next.

Type the name of the target, click Next.

On the access servers page, click Add, select IP Address as the type, type the IP address of a cluster node, click OK. Repeat to add the IP address of each cluster node. This list is what stops any other initiator on the storage network from logging in to the target, so restrict it to the cluster nodes.

Type the CHAP information. Note that the CHAP secret must be 12 to 16 characters. Enabling reverse CHAP as well lets the nodes authenticate the target. Click Next to continue.

Click Create to create the shared storage. Click Close once done.

Repeat the steps to create all the shared disks of your preferred size, and create a 2 GB virtual disk for the quorum (witness) disk.

Deploying a Failover Cluster in Microsoft environment

Step 1: Connect the cluster servers to the networks and storage

1. Review the network, Active Directory and permission requirements described earlier in this article.

2. Connect and configure the networks that the servers in the cluster will use.

3. Follow the manufacturer's instructions for physically connecting the servers to the storage. For this article we use the software iSCSI initiator. Open it from Server Manager > Tools > iSCSI Initiator, type the IP address of the target (the Windows Storage Server 2012 address on the storage network), click Quick Connect, click Done. If you enabled CHAP on the target, use Connect with the Advanced button instead, enter the CHAP name and secret, and add the target to the favourite targets so that the session survives reboots.

4. Open Computer Management, click Disk Management, initialize each disk as either MBR or GPT and create an NTFS volume on it. Do this on one server only, with the disks offline on every other server: a shared disk that is not yet under cluster control and is online on two nodes at the same time will be corrupted. Then go to the second server, open Disk Management and confirm that the disks are visible (bring a disk online there only after it is offline on the first node). Ensure that the disks (LUNs) that you want to use in the cluster are exposed to the servers that you will cluster, and only to those servers.

5. On one of the servers that you want to cluster, open Computer Management, click Disk Management (if the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue), and confirm that the cluster disks are visible.

6. If you want a storage volume larger than 2 TB, and you are using the Windows interface to control the format of the disk, convert that disk to the GUID partition table (GPT) partition style. To do this, back up any data on the disk, delete all volumes on the disk and then, in Disk Management, right-click the disk (not a partition) and click Convert to GPT Disk.

7. Check the format of any exposed volume or LUN. Use NTFS.
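The target-side wizard in the storage section above and the initiator connection in this step can both be scripted, which makes it easier to guarantee that every target is pinned to the cluster nodes' initiator addresses and that CHAP is never skipped. The following PowerShell is an added example, not part of the original article: it uses the iSCSITarget module cmdlets on the Windows Storage Server 2012 box and the iSCSI initiator cmdlets on each node. The target name, VHD folder, disk sizes, the 10.0.10.0 storage-network addresses and the function names are assumptions for illustration; the 2 GB witness disk and the 12 to 16 character CHAP secret are the article's own requirements.

```powershell
# Added example, not from the original article. Target side and node side of the iSCSI
# storage presentation, with the target restricted to the cluster nodes and CHAP required.

function Publish-ClusterLuns {
    # Run on the Windows Storage Server 2012 box after the iSCSI Target Server role is installed.
    param(
        [string]   $TargetName = 'sqlcluster',
        [string[]] $NodeIPs    = @('10.0.10.11', '10.0.10.12'),   # nodes' storage-network addresses (assumed)
        [string]   $VhdFolder  = 'C:\iSCSIVirtualDisks',
        [Parameter(Mandatory)] [pscredential] $Chap                # CHAP name + secret the nodes will present
    )
    Import-Module IscsiTarget
    $secretLen = $Chap.GetNetworkCredential().Password.Length
    if ($secretLen -lt 12 -or $secretLen -gt 16) { throw 'CHAP secret must be 12 to 16 characters.' }

    New-Item -ItemType Directory -Path $VhdFolder -Force | Out-Null

    # Pin the target to these initiators only; any other initiator on the storage VLAN is refused.
    $initiatorIds = $NodeIPs | ForEach-Object { "IPAddress:$_" }
    if (-not (Get-IscsiServerTarget -TargetName $TargetName -ErrorAction SilentlyContinue)) {
        New-IscsiServerTarget -TargetName $TargetName -InitiatorIds $initiatorIds | Out-Null
    }

    # 2 GB witness disk as in the article, plus data disks; Storage Server 2012 writes .vhd files.
    $disks = @(
        @{ Name = 'quorum'; SizeBytes = 2GB   },
        @{ Name = 'data1';  SizeBytes = 200GB },
        @{ Name = 'logs1';  SizeBytes = 50GB  }
    )
    foreach ($d in $disks) {
        $path = Join-Path $VhdFolder "$($d.Name).vhd"
        if (-not (Test-Path $path)) { New-IscsiVirtualDisk -Path $path -SizeBytes $d.SizeBytes | Out-Null }
        Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $path
    }

    # One-way CHAP: initiators must present this name and secret to log in.
    Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $Chap
    Get-IscsiServerTarget -TargetName $TargetName | Select-Object TargetName, InitiatorIds, EnableChap, LunMappings
}

function Connect-ClusterLuns {
    # Run on each cluster node: connect through the storage NIC and make the session persistent.
    param(
        [string] $TargetPortal = '10.0.10.5',          # storage server's address on the storage network (assumed)
        [string] $TargetName   = 'sqlcluster',
        [Parameter(Mandatory)] [pscredential] $Chap
    )
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    New-IscsiTargetPortal -TargetPortalAddress $TargetPortal | Out-Null
    $target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like "*$TargetName*" }
    if (-not $target) { throw "Target $TargetName is not offered to this initiator; check the InitiatorIds on the target." }
    Connect-IscsiTarget -NodeAddress $target.NodeAddress -TargetPortalAddress $TargetPortal `
        -AuthenticationType ONEWAYCHAP -ChapUsername $Chap.UserName `
        -ChapSecret $Chap.GetNetworkCredential().Password -IsPersistent $true
    Get-IscsiSession | Select-Object TargetNodeAddress, IsPersistent, IsConnected
}

# Usage (prompting for the secret keeps it out of scripts and shell history):
#   On the storage server:  Publish-ClusterLuns -Chap (Get-Credential -Message 'CHAP name and 12-16 character secret')
#   On each node:           Connect-ClusterLuns -Chap (Get-Credential -Message 'Same CHAP name and secret')
```

Initiator address pinning and CHAP are complementary: the address list stops other hosts on the storage VLAN from even seeing the LUNs, and CHAP stops anyone who can spoof one of those addresses from logging in. If you also want the nodes to verify the target, enable reverse CHAP on the target and set the matching secret on each node's initiator with Set-IscsiChapSecret, then use MUTUALCHAP as the authentication type. Remember that iSCSI traffic itself is not encrypted, so the storage network should be a dedicated, non-routed segment.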

Step 2: Install the failover cluster feature

In this step you install the Failover Clustering feature. The servers must be running Windows Server 2012.

1. Open Server Manager, click Add roles and features, and follow the wizard to the Features page.

2. In the Features list, select Failover Clustering, click Next, and then click Install.

3. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.

4. Repeat the process for each server that you want to include in the cluster.

Step 3: Validate the cluster configuration

Before creating a cluster, I strongly recommend that you validate your configuration. Validation confirms that the configuration of your servers, network and storage meets the requirements for failover clusters, and a cluster whose configuration has not passed validation is not a supported configuration.

1. Open Server Manager, click Tools, click Failover Cluster Manager.

2. Confirm that Failover Cluster Manager is selected and then, in the center pane under Management, click Validate Configuration. Click Next.

3. On the Select Servers page, type the fully qualified domain name of each node that you want in the cluster and click Add.

4. Follow the instructions in the wizard to specify the servers and the tests, and then run the tests. To fully validate your configuration, run all tests before creating a cluster. Click Next.

5. On the Confirmation page, click Next.

6. The Summary page appears after the tests run. Click View Report and read the test results before you click Finish. If Create the cluster now using the validated nodes is checked, the Create Cluster Wizard opens when you click Finish.

To view the results of the tests after you close the wizard, see

%SystemRoot%\Cluster\Reports\Validation Report <date and time>.html

where SystemRoot is the folder in which the operating system is installed (for example, C:\Windows).

7. As necessary, make changes in the configuration and rerun the tests.

Step 4: Create a Failover cluster

1. Open Server Manager, click Tools, click Failover Cluster Manager.

2. Confirm that Failover Cluster Manager is selected and then, in the center pane under Management, click Create Cluster. (If you left Create the cluster now using the validated nodes checked at the end of validation, this wizard opens automatically.) Follow the instructions in the wizard, clicking Next after each page, to specify:

  • The servers to include in the cluster.
  • The name of the cluster, i.e. the virtual name that clients will use and that becomes the cluster name object (CNO) in Active Directory.
  • The IP address of the virtual node.

3. Verify the IP address and cluster name and click Next.

4. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report. Click Finish.

Step 5: Verify Cluster Configuration

In Failover Cluster Manager, click Networks, right-click the heartbeat network, click Properties, make sure Allow cluster network communication on this network is selected and Allow clients to connect through this network is unchecked, verify the IP range, click OK.

Right-click the domain network, click Properties, make sure Allow clients to connect through this network is checked, verify the IP range, click OK. If there is an iSCSI storage network, set it to Do not allow cluster network communication on this network so that heartbeats and storage traffic do not share a path.

Click Storage, click Disks, and verify that the quorum disk and the shared disks are available. You can add more disks by clicking Add Disk in the Actions pane.

The Create Cluster Wizard chooses a quorum configuration automatically from the number of nodes and the available disks. You can change it by right-clicking the cluster > More Actions > Configure Cluster Quorum Settings; for a two-node cluster with the 2 GB disk created earlier, that should be Node and Disk Majority with that disk as the witness.
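Steps 3 to 5, together with the quorum choice from the quorum section earlier, can be driven from PowerShell so that every cluster is built the same way and the network roles and witness are set deliberately rather than left to the wizard's defaults. The following is an added example, not part of the original article. The node names follow the article's naming convention; the cluster name and address, the heartbeat and storage subnets, the witness disk name and the file share path are assumptions for illustration.

```powershell
# Added example, not from the original article. Validate, create, set cluster network
# roles and choose the quorum model with the FailoverClusters module.
Import-Module FailoverClusters

$Nodes            = 'DC1PPSQLNODE01', 'DC1PPSQLNODE02'
$ClusterName      = 'DC1PPSQLCLU01'        # assumed
$ClusterIP        = '10.0.1.50'            # virtual node address on the domain network (assumed)
$HeartbeatSubnet  = '192.168.100.0'        # heartbeat: cluster traffic only, no clients (assumed)
$StorageSubnet    = '10.0.10.0'            # iSCSI: no cluster traffic at all (assumed)
$WitnessDisk      = 'Cluster Disk 1'       # the 2 GB quorum disk; confirm the name with Get-ClusterResource
$FileShareWitness = $null                  # e.g. '\\fs01\witness$' at a third site for a multi-site cluster

# Step 3: validate, and stop if the report records a failed test. A passed validation
# is also the support boundary, so keep the report file.
$report = Test-Cluster -Node $Nodes
Write-Host "Validation report: $($report.FullName)"
if (Select-String -Path $report.FullName -Pattern '\bFailed\b' -Quiet) {
    throw 'Validation reported failures; fix them and re-run before creating the cluster.'
}

# Step 4: create the cluster with a static address. The account running this needs Create
# Computer Objects on the OU (or a pre-staged CNO with Full Control); Domain Admin is not needed.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null
Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk | Out-Null

# Step 5: network roles. 3 = cluster and client, 1 = cluster only (heartbeat), 0 = no cluster traffic.
foreach ($net in Get-ClusterNetwork -Cluster $ClusterName) {
    if     ($net.Address -eq $HeartbeatSubnet) { $net.Role = 1; $net.Name = 'Heartbeat' }
    elseif ($net.Address -eq $StorageSubnet)   { $net.Role = 0; $net.Name = 'Storage'   }
    else                                       { $net.Role = 3; $net.Name = 'Domain'    }
}

# Quorum, as recommended in the quorum section: odd node count -> Node Majority; even -> add
# a witness, a file share at a third site for multi-site clusters, otherwise the small disk.
if ($Nodes.Count % 2 -eq 1) {
    Set-ClusterQuorum -Cluster $ClusterName -NodeMajority | Out-Null
} elseif ($FileShareWitness) {
    Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority $FileShareWitness | Out-Null
} else {
    Set-ClusterQuorum -Cluster $ClusterName -NodeAndDiskMajority $WitnessDisk | Out-Null
}

# Show what was configured.
Get-ClusterQuorum -Cluster $ClusterName
Get-ClusterNetwork -Cluster $ClusterName | Format-Table Name, Address, Role -AutoSize
```

Run it once from an elevated PowerShell session on one of the nodes, with the account described under Permission Requirements. Setting the storage network's role to 0 is the scripted form of the Do not allow cluster network communication on this network setting; it keeps heartbeats off the iSCSI path so that a storage-side problem cannot also look like a node failure.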

Configuring a Hyper-V Cluster

In the previous steps you configured a Microsoft failover cluster; to turn it into a Hyper-V cluster, install the Hyper-V role on each cluster node. From Server Manager, click Add roles and features, follow the wizard and install the Hyper-V role. A reboot is required. Continue once the role is installed on both nodes.

At this stage, add storage for virtual machines and the networks for live migration, storage (if using iSCSI), virtual machines and management. Detailed configuration is out of scope for this article, which is about the cluster rather than Hyper-V.

In Failover Cluster Manager, right-click Networks, click Live Migration Settings, and select the appropriate network for live migration.

If you would like additional fault tolerance for virtual machines, such as Hyper-V Replica, right-click the cluster's virtual node, click Configure Role, click Next.

On the Select Role page, click Hyper-V Replica Broker, click Next, and follow the wizard.

In Failover Cluster Manager, right-click Roles, click Virtual Machines, click New Hard Disk to create the virtual machine storage and configuration disks. Once done, right-click Roles, click Virtual Machines, click New Virtual Machine to create a virtual machine.

Backing up Clustered data, application or server

There are multiple methods for backing up information that is stored on Cluster Shared Volumes in a failover cluster running on:

  • Windows Server 2008 R2
  • Hyper-V Server 2008 R2
  • Windows Server 2012
  • Hyper-V Server 2012

Operating System Level backup

The backup application runs within a virtual machine in the same way that it runs within a physical server. When many virtual machines are managed centrally, each virtual machine can run a backup agent (instead of an individual backup application) that is controlled from the central management server. The agent backs up application data, files, folders and the system state of the guest operating system.

Hyper-V Image Level backup

The backup captures all the information about multiple virtual machines that are configured in a failover cluster using Cluster Shared Volumes. The backup application works through Hyper-V, which means it must use the Hyper-V VSS writer, and it must be compatible with Cluster Shared Volumes. It backs up the virtual machines selected by the administrator, including all the VHD files for those virtual machines, in one operation: for example VM1_Data.VHDX, VM2_Data.VHDX, VM1_System.VHDX and VM2_System.VHDX are written to a backup disk or tape. The system VHDX files contain the guest system files and page files, i.e. the system state, and the snapshots and VM configuration are stored as well.

Publishing an Application or Service in a Failover Cluster Environment

1. Open Server Manager, click Tools, click Failover Cluster Manager.

2. Right-click Roles, click Configure Role to publish a service or application.

3. Select the role, for example File Server, and click Next.

4. Follow the instructions in the wizard to specify the following details:

  • A name for the clustered file server (the client access point)
  • The IP address of the virtual node

5. On the Select Storage page, select the storage volume or volumes that the clustered file server should use. Click Next.

6. On the Confirmation page, review and click Next.

7. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report.

8. To close the wizard, click Finish.

9. In the console tree, click Roles and select the clustered file server that you just created.

10. Confirm that the clustered file server comes online. If it does not, review the state of the networks and storage and correct any issues. Then right-click the role and click Start Role.

Perform a Failover Test

To perform a basic test of failover, right-click the clustered file server role, click Move, click Select Node, choose the other node and click OK. When prompted, confirm your choice. You can observe the status changes in the center pane of the snap-in as the role is moved. A planned move only exercises the graceful path; also test the unplanned case by shutting down or disconnecting the owner node and confirming that the role comes online on the surviving node within the time you expect.

Configuring a New Failover Cluster by Using Windows PowerShell

Run validation tests on a list of servers:
  Test-Cluster -Node server1,server2
  (server1 and server2 are the servers that you want to validate)

Create a cluster using defaults for most settings:
  New-Cluster -Name cluster1 -Node server1,server2
  (server1 and server2 are the servers that you want to include in the new cluster)

Configure a clustered file server using defaults for most settings:
  Add-ClusterFileServerRole -Storage "Cluster Disk 4"
  (Cluster Disk 4 is the disk that the clustered file server will use)

Configure a clustered print server using defaults for most settings:
  Add-ClusterPrintServerRole -Storage "Cluster Disk 5"
  (Cluster Disk 5 is the disk that the clustered print server will use)

Configure a clustered virtual machine using defaults for most settings:
  Add-ClusterVirtualMachineRole -VirtualMachine VM1
  (VM1 is an existing virtual machine that you want to place in a cluster)

Add available disks:
  Get-ClusterAvailableDisk | Add-ClusterDisk

Review the state of nodes:
  Get-ClusterNode

Run validation tests on a new server:
  Test-Cluster -Node newserver,node1,node2
  (newserver is the new server that you want to add to a cluster, and node1 and node2 are nodes in that cluster)

Prepare a node for maintenance:
  Get-ClusterNode node2 | Get-ClusterGroup | Move-ClusterGroup
  (node2 is the node from which you want to move clustered services and applications)

Pause a node:
  Suspend-ClusterNode node2
  (node2 is the node that you want to pause)

Resume a node:
  Resume-ClusterNode node2
  (node2 is the node that you want to resume)

Stop the Cluster service on a node:
  Stop-ClusterNode node2
  (node2 is the node on which you want to stop the Cluster service)

Start the Cluster service on a node:
  Start-ClusterNode node2
  (node2 is the node on which you want to start the Cluster service)

Review the signature and other properties of a cluster disk:
  Get-ClusterResource "Cluster Disk 2" | Get-ClusterParameter
  (Cluster Disk 2 is the disk for which you want to review the disk signature)

Move Available Storage to a particular node:
  Move-ClusterGroup "Available Storage" -Node node1
  (node1 is the node that you want to move Available Storage to)

Turn on maintenance for a disk:
  Suspend-ClusterResource "Cluster Disk 2"
  (Cluster Disk 2 is the disk in cluster storage for which you are turning on maintenance)

Turn off maintenance for a disk:
  Resume-ClusterResource "Cluster Disk 2"
  (Cluster Disk 2 is the disk in cluster storage for which you are turning off maintenance)

Bring a clustered service or application online:
  Start-ClusterGroup "Clustered Server 1"
  (Clustered Server 1 is a clustered server, such as a file server, that you want to bring online)

Take a clustered service or application offline:
  Stop-ClusterGroup "Clustered Server 1"
  (Clustered Server 1 is a clustered server, such as a file server, that you want to take offline)

Move or test a clustered service or application:
  Move-ClusterGroup "Clustered Server 1"
  (Clustered Server 1 is a clustered server, such as a file server, that you want to test or move)

Migrating clustered services and applications to a new failover cluster

Use the following instructions to migrate clustered services and applications from your old cluster to your new cluster. After the Migrate a Cluster Wizard runs, it leaves most of the migrated resources offline, so that you can perform additional steps before you bring them online. If the new cluster uses old storage, plan how you will make LUNs or disks inaccessible to the old cluster and accessible to the new cluster (but do not make changes yet).

1. To open the failover cluster snap-in, click Administrative Tools, and then click Failover Cluster Manager.

2. In the console tree, if the cluster that you created is not displayed, right-click Failover Cluster Manager, click Manage a Cluster, and then select the cluster that you want to configure.

3. In the console tree, expand the cluster that you created to see the items underneath it.

4. If the clustered servers are connected to a network that is not to be used for cluster communications (for example, a network intended only for iSCSI), then under Networks, right-click that network, click Properties, and then click Do not allow cluster network communication on this network. Click OK.

5. In the console tree, select the cluster. Click Configure, click Migrate services and applications.

6. Read the first page of the Migrate a Cluster Wizard, and then click Next.

7. Specify the name or IP Address of the cluster or cluster node from which you want to migrate resource groups, and then click Next.

8. Click View Report. The wizard also provides a report after it finishes, which describes any additional steps that might be needed before you bring the migrated resource groups online.

9. Follow the instructions in the wizard to complete the following tasks:

    • Choose the resource group or groups that you want to migrate.
    • Specify whether the resource groups to be migrated will use new storage or the same storage that you used in the old cluster. If the resource groups will use new storage, you can specify the disk that each resource group should use. Note that if new storage is used, you must handle all copying or moving of data or folders; the wizard does not copy data from one shared storage location to another.
    • If you are migrating from a cluster running Windows Server 2003 that has Network Name resources with Kerberos protocol enabled, specify the account name and password for the Active Directory account that is used by the Cluster service on the old cluster.

10. After the wizard runs and the Summary page appears, click View Report.

11. When the wizard completes, most migrated resources will be offline. Leave them offline at this stage.

Completing the transition from the old cluster to the new cluster

You must perform the following steps to complete the transition to the new cluster running Windows Server 2012.

1. Prepare for clients to experience downtime, probably brief.

2. Take each resource group offline on the old cluster.

3. Complete the transition for the storage:

    • If the new cluster will use old storage, follow your plan for making LUNs or disks inaccessible to the old cluster and accessible to the new cluster.
    • If the new cluster will use new storage, copy the appropriate folders and data to the storage. As needed for disk access on the old cluster, bring individual disk resources online on that cluster. (Keep other resources offline, to ensure that clients cannot change data on the disks in storage.) Also as needed, on the new cluster, use Disk Management to confirm that the appropriate LUNs or disks are visible to the new cluster and not visible to any other servers.

4. If the new cluster uses mount points, adjust the mount points as needed, and make each disk resource that uses a mount point dependent on the resource of the disk that hosts the mount point.

5. Bring the migrated services or applications online on the new cluster. To perform a basic test of failover on the new cluster, expand Services and Applications, and then click a migrated service or application that you want to test.

6. To perform a basic test of failover for the migrated service or application, under Actions (on the right), click Move this service or application to another node, and then click an available choice of node. When prompted, confirm your choice. You can observe the status changes in the center pane of the snap-in as the clustered service or application is moved.

7. If there are any issues with failover, review the following:

    • View events in Failover Cluster Manager. To do this, in the console tree, right-click Cluster Events, and then click Query. In the Cluster Events Filter dialog box, select the criteria for the events that you want to display, or to return to the default criteria, click the Reset button. Click OK. To sort events, click a heading, for example, Level or Date and Time.
    • Confirm that necessary services, applications, or server roles are installed on all nodes. Confirm that services or applications are compatible with Windows Server 2008 R2 and run as expected.
    • If you used old storage for the new cluster, rerun the Validate a Cluster Configuration Wizard to confirm the validation results for all LUNs or disks in the storage.
    • Review migrated resource settings and dependencies.
    • If you migrated one or more Network Name resources with Kerberos protocol enabled, confirm that the following permissions change was made in Active Directory Users and Computers on a domain controller. In the computer accounts (computer objects) of your Kerberos protocol-enabled Network Name resources, Full Control must be assigned to the computer account for the failover cluster.

Migrating Cluster Resource with new Mount Point

When you are working with new storage for your cluster migration, you have some flexibility in the order in which you complete the tasks. The tasks that you must complete include creating the mount points, running the Migrate a Cluster Wizard, copying the data to the new storage, and confirming the disk letters and mount points for the new storage. After completing the other tasks, configure the disk resource dependencies in Failover Cluster Manager.

A useful way to keep track of disks in the new storage is to give them labels that indicate your intended mount point configuration. For example, in the new storage, when you are mounting a new disk in a folder called Mount1-1 on another disk, you can also label the mounted disk as Mount1-1. (This assumes that the label Mount1-1 is not already in use in the old storage.) Then when you run the Migrate a Cluster Wizard and you need to specify that disk for a particular migrated resource, you can look at the list and select the disk labeled Mount1-1. Then you can return to Failover Cluster Manager to configure the disk resource for Mount1-1 so that it is dependent on the appropriate resource, for example, the resource for disk F. Similarly, you would configure the disk resources for all other disks mounted on disk F so that they depended on the disk resource for disk F.
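The transition steps above (excluding the storage network from cluster traffic, making a mounted disk depend on its host disk, bringing the migrated group online, testing failover and reading cluster events) can also be driven from the FailoverClusters PowerShell module. This is an added example, not code from the original article; the network name iSCSI, the resources Cluster Disk F and Cluster Disk Mount1-1, and the group FileServer1 are assumed.

```powershell
# Added example. Assumes Windows Server 2012 with the FailoverClusters module,
# a storage-only network named "iSCSI", disk resources "Cluster Disk F" and
# "Cluster Disk Mount1-1" (mounted at F:\Mount1-1) and a migrated group "FileServer1".
Import-Module FailoverClusters

# Step 4 of the first procedure: keep the iSCSI network out of cluster and client
# traffic. Role values: 0 = none, 1 = cluster only, 3 = cluster and client.
$storageNet = Get-ClusterNetwork -Name 'iSCSI'
if ($storageNet.Role -ne 0) {
    $storageNet.Role = 0
}

# Mount-point section: the disk mounted inside F:\ must depend on disk F so that
# it never tries to come online before the volume that hosts its mount point.
$hostDisk  = 'Cluster Disk F'
$mountDisk = 'Cluster Disk Mount1-1'
$expr = "$((Get-ClusterResourceDependency -Resource $mountDisk).DependencyExpression)"
if (-not $expr.Contains("[$hostDisk]")) {
    Add-ClusterResourceDependency -Resource $mountDisk -Provider $hostDisk
}

# Transition step 5: bring the migrated group online (the wizard left it offline).
$groupName = 'FileServer1'
Start-ClusterGroup -Name $groupName | Out-Null

# Transition step 6: basic failover test, move the group to another node that is up.
$owner  = (Get-ClusterGroup -Name $groupName).OwnerNode.Name
$target = Get-ClusterNode |
    Where-Object { $_.State -eq 'Up' -and $_.Name -ne $owner } |
    Select-Object -First 1
if ($null -eq $target) {
    throw 'No other node is up; failover cannot be tested.'
}
Move-ClusterGroup -Name $groupName -Node $target.Name | Out-Null
Get-ClusterGroup -Name $groupName | Select-Object Name, State, OwnerNode

# Transition step 7: if the move misbehaves, list recent warning/error cluster events
# (Level 1 = critical, 2 = error, 3 = warning).
Get-WinEvent -LogName 'Microsoft-Windows-FailoverClustering/Operational' -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```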

Migrating DHCP to a Cluster Running Windows Server 2012

A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Users experience a minimum of disruptions in service.

This guide describes the steps that are necessary when migrating a clustered DHCP server to a cluster running Windows Server 2008 R2, beyond the standard steps required for migrating clustered services and applications in general. The guide indicates when to use the Migrate a Cluster Wizard in the migration, but does not describe the wizard in detail.

Step 1: Review requirements and create a cluster running Windows Server 2012

Before beginning the migration described in this guide, review the requirements for a cluster running Windows Server 2008 R2, install the failover clustering feature on servers running Windows Server 2008 R2, and create a new cluster.

Step 2: On the old cluster, adjust registry settings and permissions before migration

To prepare for migration, you must make changes to registry settings and permissions on each node of the old cluster.

1. Confirm that you have a current backup of the old cluster, one that includes the configuration information for the clustered DHCP server (also called the DHCP resource group).

2. Confirm that the clustered DHCP server is online on the old cluster. It must be online while you complete the remainder of this procedure.

3. On a node of the old cluster, open a command prompt as an administrator.

4. Type regedit, and then navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DHCPServer\Parameters

5. Choose the option that applies to your cluster: If the old cluster is running Windows Server 2008, skip to step 7. If the old cluster is running Windows Server 2003 or Windows Server 2003 R2:

    • Right-click Parameters, click New, click String Value, and for the name of the new value, type: ServiceMain
    • Right-click the new value (ServiceMain), click Modify, and for the value data, type: ServiceEntry
    • Right-click Parameters again, click New, click Expandable String Value, and for the name of the new value, type: ServiceDll
    • Right-click the new value (ServiceDll), click Modify, and for the value data, type: %systemroot%\system32\dhcpssvc.dll

6. Right-click Parameters, and then click Permissions.

7. Click Add. Locate the appropriate account and assign permissions:

    • On Windows Server 2008: Click Locations, select the local server, and then click OK. Under Enter the object names to select, type NT Service\DHCPServer. Click OK. Select the DHCPServer account and then select the check box for Full Control.
    • On Windows Server 2003 or Windows Server 2003 R2: Click Locations, ensure that the domain name is selected, and then click OK. Under Enter the object names to select, type Everyone, and then click OK (and confirm your choice if prompted). Under Group or user names, select Everyone and then select the check box for Full Control.

8. Repeat the process on the other node or nodes of the old cluster.

Step 3: On a node in the old cluster, prepare for export, and then export the DHCP database to a file

As part of migrating a clustered DHCP server, on the old cluster, you must export the DHCP database to a file. This requires preparatory steps that prevent the cluster from restarting the clustered DHCP resource during the export. The following procedure describes the process. On the old cluster, start the clustering snap-in and configure the restart setting for the clustered DHCP server (DHCP resource group):

1. Click Start, click Administrative Tools, and then click Failover Cluster Management. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

2. If the console tree is collapsed, expand the tree under the cluster that you are migrating settings from. Expand Services and Applications and then, in the console tree, click the clustered DHCP server.

3. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, do not restart.

This step prevents the resource from restarting during the export of the DHCP database, which would stop the export.

1. On the node of the old cluster that currently owns the clustered DHCP server, confirm that the clustered DHCP server is running. Then open a command prompt window as an administrator.

2. Type: netsh dhcp server export <exportfile> all

Where <exportfile> is the name of the file to which you want to export the DHCP database.

3. After the export is complete, in the clustering interface (Cluster Administrator or Failover Cluster Management), right-click the clustered DHCP server (DHCP resource group) and then click either Take Offline or Take this service or application offline. If the command is unavailable, in the center pane, right-click each online resource and click either Take Offline or Take this resource offline. If prompted for confirmation, confirm your choice.

4. If the old cluster is running Windows Server 2003 or Windows Server 2003 R2, obtain the account name and password for the Cluster service account (the Active Directory account used by the Cluster service on the old cluster). Alternatively, you can obtain the name and password of another account that has access permissions for the Active Directory computer accounts (objects) that the old cluster uses. For a migration from a cluster running Windows Server 2003 or Windows Server 2003 R2, you will need this information for the next procedure.

Step 4: On the new cluster, configure a network for DHCP clients and run the Migrate a Cluster Wizard

Microsoft recommends that you make the network settings on the new cluster as similar as possible to the settings on the old cluster. In any case, on the new cluster, you must have at least one network that DHCP clients can use to communicate with the cluster. The following procedure describes the cluster setting needed on the client network, and indicates when to run the Migrate a Cluster Wizard.

1. On the new cluster (running Windows Server 2012), click Server Manager, click Tools, and then click Failover Cluster Manager.

2. If the cluster that you want to configure is not displayed, in the console tree, right-click Failover Cluster Manager, click Manage a Cluster, and then select or specify the cluster that you want.

3. If the console tree is collapsed, expand the tree under the cluster.

4. Expand Networks, right-click the network that clients will use to connect to the DHCP server, and then click Properties.

5. Make sure that Allow cluster network communication on this network and Allow clients to connect through this network are selected.

6. To prepare for the migration process, find and take note of the drive letter used for the DHCP database on the old cluster. Ensure that the same drive letter exists on the new cluster. (This drive letter is one of the settings that the Migrate a Cluster Wizard will migrate.)

7. In Failover Cluster Manager, in the console tree, select the new cluster, and then under Configure, click Migrate services and applications.

8. Use the Migrate a Cluster Wizard to migrate the DHCP resource group from the old cluster to the new cluster. If you are using new storage on the new cluster, during the migration, be sure to specify the disk that has the same drive letter on the new cluster as was used for the DHCP database on the old cluster. The wizard migrates resources and settings, but not the DHCP database.

Step 5: On the new cluster, import the DHCP database, bring the clustered DHCP server online, and adjust permissions

To complete the migration process, import the DHCP database that you exported to a file in Step 2. Then you can bring the clustered DHCP server online and adjust settings that were changed temporarily during the migration process.

1. If you are reusing the old cluster storage for the new cluster, confirm that you have stored the exported DHCP database file in a safe location. Then be sure to delete all the DHCP files other than the exported DHCP database file from the old storage. This includes the DHCP database, log, and backup files.

2. On the new cluster, in Failover Cluster Manager, expand Services and Applications, right-click the clustered DHCP server, and then click Bring this service or application online. The DHCP service starts with an empty database.

3. Click the clustered DHCP server.

4. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, do not restart. This step prevents the resource from restarting during the import of the DHCP database, which would stop the import.

5. In the new cluster, on the node that currently owns the migrated DHCP server, view the disk used by the migrated DHCP server, and make sure that you have copied the exported DHCP database file to this disk.

6. In the new cluster, on the node that currently owns the migrated DHCP server, open a command prompt as an administrator. Change to the disk used by the migrated DHCP server.

7. Type: netsh dhcp server import <exportfile>

Where <exportfile> is the filename of the file to which you exported the DHCP database.

8. If the migrated DHCP server is not online, in Failover Cluster Manager, under Services and Applications, right-click the migrated DHCP server, and then click Bring this service or application online.

9. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, attempt restart on current node.

This returns the resource to the expected setting, instead of the “do not restart” setting that was temporarily needed during the import of the DHCP database.

10. If the cluster was migrated from Windows Server 2003 or Windows Server 2003 R2, after the clustered DHCP server is online on the new cluster, make the following changes to permissions in the registry:

  • On the node that owns the clustered DHCP server, open a command prompt as an administrator.
  • Type regedit, and then navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DHCPServer\Parameters
  • Right-click Parameters, and then click Permissions.
  • Click Add, click Locations, and then select the local server.
  • Under Enter the object names to select, type NT Service\DHCPServer and then click OK. Select the DHCPServer account and then select the check box for Full Control. Then click Apply.
  • Select the Everyone account (created through steps earlier in this topic) and then click Remove. This removes the account from the list of those that are assigned permissions.

11. Perform the preceding steps only after DHCP is online on the new cluster. After you complete these steps, you can test the clustered DHCP server and begin to provide DHCP services to clients.
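The registry permission work in Steps 2 and 5, and the netsh export and import in Steps 3 and 5, can be scripted so that the temporary Everyone / Full Control entry is provably removed once the DHCP server is online on the new cluster. This is an added example and not part of the original article; it assumes the Windows Server 2008 R2 or 2012 side of the migration (the NT Service\DHCPServer identity does not exist on Windows Server 2003), and the export path and DHCP group name are assumed.

```powershell
# Added example. Assumes Windows Server 2008 R2 / 2012 with the FailoverClusters
# module. Paths and the group name pattern are assumed placeholders.
Import-Module FailoverClusters
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\DHCPServer\Parameters'

function Grant-DhcpServiceFullControl {
    # Steps 2 and 5: Full Control on Parameters for the DHCP Server service SID.
    $identity = New-Object System.Security.Principal.NTAccount('NT Service\DHCPServer')
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

function Remove-EveryoneFromDhcpParameters {
    # Step 5, item 10: the Everyone / Full Control entry was only a bridge for the
    # old Windows Server 2003 cluster. Remove explicit (non-inherited) entries only.
    $acl = Get-Acl -Path $keyPath
    $stale = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq 'Everyone' })
    foreach ($rule in $stale) { [void]$acl.RemoveAccessRule($rule) }
    if ($stale.Count -gt 0) { Set-Acl -Path $keyPath -AclObject $acl }
    return $stale.Count   # number of Everyone entries removed
}

function Show-DhcpParametersAcl {
    # Review the result: DHCPServer should hold Full Control and Everyone should be gone.
    (Get-Acl -Path $keyPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

function Export-ClusteredDhcp {
    # Step 3: run on the old-cluster node that owns the DHCP group, after the
    # resource policy has been set to "If resource fails, do not restart".
    param([Parameter(Mandatory)][string]$ExportFile)
    netsh dhcp server export $ExportFile all
    if ($LASTEXITCODE -ne 0) { throw "netsh export failed (exit code $LASTEXITCODE)" }
}

function Import-ClusteredDhcp {
    # Step 5: run on the new-cluster node that owns the migrated DHCP group, with
    # the export file already copied to the clustered DHCP disk.
    param([Parameter(Mandatory)][string]$ExportFile,
          [string]$GroupNamePattern = '*DHCP*')   # assumed group name pattern
    $group = Get-ClusterGroup | Where-Object { $_.Name -like $GroupNamePattern } |
        Select-Object -First 1
    if ($null -eq $group) { throw "No cluster group matches $GroupNamePattern" }
    $owner = $group.OwnerNode.Name
    if ($owner -ne $env:COMPUTERNAME) { throw "Run this on $owner, which owns $($group.Name)." }
    if (-not (Test-Path -Path $ExportFile)) { throw "Export file $ExportFile not found" }
    netsh dhcp server import $ExportFile
    if ($LASTEXITCODE -ne 0) { throw "netsh import failed (exit code $LASTEXITCODE)" }
}

# Order of use on the new cluster (paths assumed):
#   Import-ClusteredDhcp -ExportFile 'E:\Migration\dhcp-export.dat'
#   Grant-DhcpServiceFullControl
#   Remove-EveryoneFromDhcpParameters
#   Show-DhcpParametersAcl
```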

Configuring a Multisite SQL Server Failover Cluster

To install or upgrade a SQL Server failover cluster, you must run the Setup program on each node of the failover cluster. To add a node to an existing SQL Server failover cluster, you must run SQL Server Setup on the node that is to be added to the SQL Server failover cluster instance. Do not run Setup on the active node to manage the other nodes. The following options are available for SQL Server failover cluster installation:

Option 1: Integration Installation with Add Node

Create and configure a single-node SQL Server failover cluster instance. When you configure the node successfully, you have a fully functional failover cluster instance. At this point, it does not have high availability because there is only one node in the failover cluster. On each node to be added to the SQL Server failover cluster, run Setup with Add Node functionality to add that node.

Option 2: Advanced/Enterprise Installation

After you run Prepare Failover Cluster on one node, Setup creates the ConfigurationFile.ini file that lists all the settings that you specified. On the additional nodes to be prepared, instead of following these steps, you can supply the autogenerated ConfigurationFile.ini file from the first node as an input to the Setup command line. This step prepares the nodes to be clustered, but there is no operational instance of SQL Server at the end of this step.


After the nodes are prepared for clustering, run Setup on one of the prepared nodes. This step configures and finishes the failover cluster instance. At the end of this step, you will have an operational SQL Server failover cluster instance and all the nodes that were prepared previously for that instance will be the possible owners of the newly-created SQL Server failover cluster.

Follow the procedure to install a new SQL Server failover cluster using Integrated Simple Cluster Install 

  1. Insert the SQL Server installation media, and from the root folder, double-click Setup.exe. To install from a network share, browse to the root folder on the share, and then double-click Setup.exe.
  2. The Installation Wizard starts the SQL Server Installation Center. To create a new cluster installation of SQL Server, click New SQL Server failover cluster installation on the Installation page.
  3. The System Configuration Checker runs a discovery operation on your computer. To continue, click OK.
  4. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report. To continue, click Next.
  5. On the Setup Support Files page, click Install to install the Setup support files.
  6. The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue.
  7. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.
  8. On the Product key page, indicate whether you are installing a free edition of SQL Server, or whether you have a PID key for a production version of the product.
  9. On the License Terms page, read the license agreement, and then select the check box to accept the license terms and conditions.
  10. To help improve SQL Server, you can also enable the feature usage option and send reports to Microsoft. Click Next to continue.
  11. On the Feature Selection page, select the components for your installation. You can select any combination of check boxes, but only the Database Engine and Analysis Services support failover clustering. Other selected components will run as a stand-alone feature without failover capability on the node that you are running Setup on.
  12. The prerequisites for the selected features are displayed in the right-hand pane. SQL Server Setup installs the prerequisites that are not already installed during the installation step described later in this procedure. SQL Server Setup then runs one more set of rules, based on the features you selected, to validate your configuration.
  13. On the Instance Configuration page, specify whether to install a default or a named instance, and complete the following fields:
  • SQL Server Network Name: specify a network name for the new SQL Server failover cluster. This is the name of the virtual node of the cluster, and it is the name used to identify your failover cluster on the network.
  • Instance ID: by default, the instance name is used as the Instance ID. This is used to identify installation directories and registry keys for your instance of SQL Server, for default instances and named instances alike. For a default instance, the instance name and instance ID are MSSQLSERVER. To use a nondefault instance ID, select the Instance ID box and provide a value.
  • Instance root directory: by default, the instance root directory is C:\Program Files\Microsoft SQL Server. To specify a nondefault root directory, use the field provided, or click the ellipsis button to locate an installation folder.
  14. Detected SQL Server instances and features on this computer: the grid shows instances of SQL Server that are on the computer where Setup is running. If a default instance is already installed on the computer, you must install a named instance of SQL Server. Click Next to continue.
  15. The Disk Space Requirements page calculates the required disk space for the features that you specify, and compares requirements to the available disk space on the computer where Setup is running. Use the Cluster Resource Group page to specify the cluster resource group name where SQL Server virtual server resources will be located. To specify the SQL Server cluster resource group name, you have two options:
  • Use the drop-down box to specify an existing group to use.
  • Type the name of a new group to create. Be aware that the name "Available storage" is not a valid group name.
  16. On the Cluster Disk Selection page, select the shared cluster disk resource for your SQL Server failover cluster. More than one disk can be specified. Click Next to continue.
  17. On the Cluster Network Configuration page, specify the IP type and IP address for your failover cluster instance. Click Next to continue. Note that this IP address is the one that the virtual node name you specified in the earlier step resolves to.
  18. On the Server Configuration - Service Accounts page, specify login accounts for SQL Server services. The actual services that are configured on this page depend on the features that you selected to install.
  19. Use this page to specify the Cluster Security Policy. Use the default setting. Click Next to continue. The workflow for the rest of this topic depends on the features that you have specified for your installation. You might not see all the pages, depending on your selections (Database Engine, Analysis Services, Reporting Services).
  20. You can assign the same login account to all SQL Server services, or you can configure each service account individually. The startup type is set to manual for all cluster-aware services, including full-text search and SQL Server Agent, and cannot be changed during installation. Microsoft recommends that you configure service accounts individually to provide least privilege for each service, so that each SQL Server service is granted only the minimum permissions it needs to complete its tasks. To specify the same logon account for all service accounts in this instance of SQL Server, provide credentials in the fields at the bottom of the page. When you are finished specifying login information for SQL Server services, click Next.
  • On the Server Configuration - Collation tab, use the default collations for the Database Engine and Analysis Services.
  • Use the Database Engine Configuration - Account Provisioning page to select Windows Authentication or Mixed Mode Authentication for your instance of SQL Server.
  21. Use the Database Engine Configuration - Data Directories page to specify nondefault installation directories. To install to default directories, click Next. Use the Database Engine Configuration - FILESTREAM page to enable FILESTREAM for your instance of SQL Server. Click Next to continue.
  22. When you are finished editing the list, click OK. Verify the list of administrators in the configuration dialog box. When the list is complete, click Next.
  23. Use the Analysis Services Configuration - Account Provisioning page to specify users or accounts that will have administrator permissions for Analysis Services. You must specify at least one system administrator for Analysis Services. To add the account under which SQL Server Setup is running, click Add Current User. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for Analysis Services. When you are finished editing the list, click OK. Verify the list of administrators in the configuration dialog box. When the list is complete, click Next.
  24. Use the Analysis Services Configuration - Data Directories page to specify nondefault installation directories. To install to default directories, click Next.
  25. Use the Reporting Services Configuration page to specify the kind of Reporting Services installation to create. For a failover cluster installation, the option is set to Unconfigured Reporting Services installation. You must configure the Reporting Services services after you complete the installation. However, there is no harm in selecting the Install and configure option if you are not a SQL expert.
  26. On the Error Reporting page, specify the information that you want to send to Microsoft that will help improve SQL Server. By default, the options for error reporting are disabled.
  27. The System Configuration Checker runs one more set of rules to validate your configuration with the SQL Server features that you have specified.
  28. The Ready to Install page displays a tree view of installation options that were specified during Setup. To continue, click Install. Setup first installs the required prerequisites for the selected features, followed by the feature installation.
  29. During installation, the Installation Progress page provides status so that you can monitor installation progress as Setup continues. After installation, the Complete page provides a link to the summary log file for the installation and other important notes. To complete the SQL Server installation process, click Close.
  30. If you are instructed to restart the computer, do so now. It is important to read the message from the Installation Wizard when you have finished with Setup.
  31. To add nodes to the single-node failover cluster you just created, run Setup on each additional node and follow the steps for the Add Node operation.

SQL Advanced/Enterprise Failover Cluster Install

Step 1: Prepare Environment

  1. Insert the SQL Server installation media, and from the root folder, double-click Setup.exe.

  2. Windows Installer 4.5 is required, and may be installed by the Installation Wizard. If you are prompted to restart your computer, restart and then start SQL Server Setup again.

  3. After the prerequisites are installed, the Installation Wizard starts the SQL Server Installation Center. To prepare the node for clustering, move to the Advanced page and then click Advanced cluster preparation.

  4. The System Configuration Checker runs a discovery operation on your computer. To continue, click OK. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.

  5. On the Setup Support Files page click Install to install the Setup support files.

  6. The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.

  7. On the Language Selection page, you can specify the language. To continue, click Next.

  8. On the Product key page, select the PIDed product key, and then click Next.

  9. On the License Terms page, accept the license terms, and then click Next to continue.

  10. On the Feature Selection page, select the components for your installation as you did for the simple installation described earlier.

  11. The Ready to Install page displays a tree view of installation options that were specified during Setup. To continue, click Install. Setup will first install the required prerequisites for the selected features followed by the feature installation.

  12. To complete the SQL Server installation process, click Close.

  13. If you are instructed to restart the computer, do so now.

  14. Repeat the previous steps to prepare the other nodes for the failover cluster. You can also use the autogenerated configuration file to run the prepare step on the other nodes. A ConfigurationFile.ini is generated at C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20130603_014118\ConfigurationFile.ini (the timestamp folder name varies with each Setup run).

Step 2: Install SQL Server

  1. After preparing all the nodes as described in the prepare step, run Setup on one of the prepared nodes, preferably the one that owns the shared disk. On the Advanced page of the SQL Server Installation Center, click Advanced cluster completion.

  2. The System Configuration Checker runs a discovery operation on your computer. To continue, click OK. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.

  3. On the Setup Support Files page, click Install to install the Setup support files.

  4. The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.

  5. On the Language Selection page, you can specify the language. To continue, click Next.

  6. Use the Cluster node configuration page to select the instance name prepared for clustering.

  7. Use the Cluster Resource Group page to specify the cluster resource group name where SQL Server virtual server resources will be located. On the Cluster Disk Selection page, select the shared cluster disk resource for your SQL Server failover cluster. Click Next to continue.

  8. On the Cluster Network Configuration page, specify the network resources for your failover cluster instance. Click Next to continue.

  9. Now follow the simple installation steps to select the Database Engine, Reporting Services, Analysis Services and Integration Services.

  10. The Ready to Install page displays a tree view of installation options that were specified during Setup. To continue, click Install. Setup will first install the required prerequisites for the selected features followed by the feature installation.

  11. Once installation is completed, click Close.

Follow this procedure to remove a node from an existing SQL Server failover cluster

  1. Insert the SQL Server installation media. From the root folder, double-click setup.exe. To install from a network share, navigate to the root folder on the share, and then double-click Setup.exe.

  2. The Installation Wizard launches the SQL Server Installation Center. To remove a node from an existing failover cluster instance, click Maintenance in the left-hand pane, and then select Remove node from a SQL Server failover cluster.

  3. The System Configuration Checker will run a discovery operation on your computer. To continue, click OK.

  4. After you click Install on the Setup Support Files page, the System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue.

  5. On the Cluster Node Configuration page, use the drop-down box to specify the name of the SQL Server failover cluster instance to be modified during this Setup operation. The node to be removed is listed in the Name of this node field.

  6. The Ready to Remove Node page displays a tree view of options that were specified during Setup. To continue, click Remove.

  7. During the remove operation, the Remove Node Progress page provides status.

  8. The Complete page provides a link to the summary log file for the remove node operation and other important notes. To complete the SQL Server remove node, click Close.

Using Command Line Installation of SQL Server

1. To install a new, stand-alone instance with the SQL Server Database Engine, Replication, and Full-Text Search components, run the following command:

Setup.exe /q /ACTION=Install /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="<DomainName\UserName>" /SQLSVCPASSWORD="<StrongPassword>" /SQLSYSADMINACCOUNTS="<DomainName\UserName>" /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /IACCEPTSQLSERVERLICENSETERMS

2. To prepare a new, stand-alone instance with the SQL Server Database Engine, Replication, and Full-Text Search components, and Reporting Services, run the following command:

Setup.exe /q /ACTION=PrepareImage /FEATURES=SQL,RS /INSTANCEID=<MYINST> /IACCEPTSQLSERVERLICENSETERMS

3. To complete a prepared, stand-alone instance that includes the SQL Server Database Engine, Replication, and Full-Text Search components, run the following command:

Setup.exe /q /ACTION=CompleteImage /INSTANCENAME=MYNEWINST /INSTANCEID=<MYINST> /SQLSVCACCOUNT="<DomainName\UserName>" /SQLSVCPASSWORD="<StrongPassword>" /SQLSYSADMINACCOUNTS="<DomainName\UserName>" /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /IACCEPTSQLSERVERLICENSETERMS

4. To upgrade an existing instance or failover cluster node from SQL Server 2005, SQL Server 2008, or SQL Server 2008 R2, run the following command:

Setup.exe /q /ACTION=upgrade /INSTANCEID=<INSTANCEID> /INSTANCENAME=MSSQLSERVER /RSUPGRADEDATABASEACCOUNT="<Provide a SQL DB Account>" /IACCEPTSQLSERVERLICENSETERMS

5. To upgrade an existing instance of SQL Server 2012 to a different edition of SQL Server 2012, run the following command:

Setup.exe /q /ACTION=editionupgrade /INSTANCENAME=MSSQLSERVER /PID=<PID key for new edition> /IACCEPTSQLSERVERLICENSETERMS

6. To install SQL Server using a configuration file, run the following command:

Setup.exe /ConfigurationFile=MyConfigurationFile.INI

7. To install SQL Server using a configuration file and supply the service account passwords on the command line, run the following command:

Setup.exe /SQLSVCPASSWORD="<password>" /AGTSVCPASSWORD="<password>" /ASSVCPASSWORD="<password>" /ISSVCPASSWORD="<password>" /RSSVCPASSWORD="<password>" /ConfigurationFile=MyConfigurationFile.INI

8. To uninstall an existing instance of SQL Server, run the following command:

Setup.exe /Action=Uninstall /FEATURES=SQL,AS,RS,IS,Tools /INSTANCENAME=MSSQLSERVER
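The configuration-file install of steps 6 and 7, as an added PowerShell example that is not from the original post: the INI holds every non-secret option (Windows authentication only, TCP on, named pipes off), the service-account passwords are prompted for at run time rather than typed into a command line that ends up in shell history, and the Setup exit code is checked (3010 means a reboot is pending). The account names CONTOSO\svc-sql, CONTOSO\svc-sqlagent and CONTOSO\SQLAdmins and the media path D:\ are placeholders to replace with your own.

```powershell
# Added example, not part of the original post: unattended SQL Server 2012 setup
# driven by a configuration file, with service-account passwords supplied at run
# time instead of being stored in the INI or typed on the command line.
# Assumed names: CONTOSO\svc-sql, CONTOSO\svc-sqlagent, CONTOSO\SQLAdmins, D:\ media.

$mediaRoot  = 'D:\'
$configFile = Join-Path $env:TEMP 'SqlSetup.ini'

# Windows-authentication only (no SECURITYMODE=SQL, so there is no sa password to
# protect), TCP enabled, named pipes disabled, and no passwords anywhere in the file.
@'
[OPTIONS]
ACTION="Install"
IACCEPTSQLSERVERLICENSETERMS="True"
QUIET="True"
UPDATEENABLED="True"
FEATURES=SQLENGINE,REPLICATION,FULLTEXT
INSTANCENAME="MSSQLSERVER"
INSTANCEID="MSSQLSERVER"
SQLSVCACCOUNT="CONTOSO\svc-sql"
SQLSVCSTARTUPTYPE="Automatic"
AGTSVCACCOUNT="CONTOSO\svc-sqlagent"
AGTSVCSTARTUPTYPE="Automatic"
SQLSYSADMINACCOUNTS="CONTOSO\SQLAdmins"
TCPENABLED="1"
NPENABLED="0"
'@ | Set-Content -Path $configFile -Encoding ASCII

# Prompt for the two service-account credentials; the plain-text password exists
# only inside this process for as long as Setup is running.
$sqlCred = Get-Credential -UserName 'CONTOSO\svc-sql'      -Message 'Database Engine service account'
$agtCred = Get-Credential -UserName 'CONTOSO\svc-sqlagent' -Message 'SQL Server Agent service account'

$setupArgs = @(
    "/ConfigurationFile=`"$configFile`"",
    "/SQLSVCPASSWORD=`"$($sqlCred.GetNetworkCredential().Password)`"",
    "/AGTSVCPASSWORD=`"$($agtCred.GetNetworkCredential().Password)`""
)

try {
    $proc = Start-Process -FilePath (Join-Path $mediaRoot 'setup.exe') `
                          -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0    { Write-Host 'Setup completed successfully.' }
        3010 { Write-Warning 'Setup completed; a reboot is required before the instance is usable.' }
        default {
            # Summary.txt under the Setup Bootstrap\Log folder names the failing step.
            Write-Error "Setup failed with exit code $($proc.ExitCode); check the Setup Bootstrap log."
        }
    }
}
finally {
    # The INI contains no secrets, but there is no reason to leave it behind.
    Remove-Item $configFile -ErrorAction SilentlyContinue
}
```

Keep the generated INI under source control if you repeat the build on several servers; only the two credentials change between runs, and they never touch disk.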


Assumptions:

You have the following infrastructure operational and functioning as desired.

  1. Domain Controller
  2. Certificate Authority
  3. Exchange Server 2010 SP2 DAG
  4. FF TMG 2010 SP2

Current Exchange Version:


Prerequisites:

  1. Windows Server 2012 installed on computers which will house Exchange Server 2013.
  2. Windows Media Foundation. Use the Add Roles and Features Wizard to install Media Foundation on Windows Server 2012.
  3. Download Exchange 2010 SP3
  4. Cumulative Update 1 for Exchange Server 2013

Step1: Perform a Server Switch Over for an Exchange 2010 SP2 DAG Member

Before you upgrade Exchange Server 2010 SP2 to Exchange 2010 SP3, you must perform a server switchover if you have an Exchange DAG. You need to be assigned the required permissions before you can perform this procedure. Open the Exchange Management Shell and run the following command.

Move-ActiveMailboxDatabase -Server EXCHMBXSRV01 -ActivateOnServer EXCHMBXSRV02

Step2: Install Service Pack 3 on Exchange Server 2010 SP2

Download and extract Exchange Server 2010 SP3 on the DAG member where you want to run the Exchange 2010 SP3 installer. Now follow the setup screens and upgrade Exchange Server 2010 SP2 to Exchange Server 2010 SP3.


You will be prompted with the warning "A transient communication failure causes a Windows Server 2008 R2 failover cluster to stop working". Ignore the warning and continue. Once SP3 is installed, check the Exchange version.


Repeat step 2 on every Exchange Server in your Exchange organization.

Step3: Prepare Windows Server 2012

Download Windows Server 2012 and install the following prerequisites on Windows Server 2012.

Windows Media Foundation. Use the Add Roles and Features Wizard to install Media Foundation on Windows Server 2012.

Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

Microsoft Office 2010 Filter Pack 64 bit

Microsoft Office 2010 Filter Pack SP1 64 bit

Exchange 2013 setup automatically installs the Windows features required by Exchange. Alternatively, you can use the following PowerShell command to install all the features at the same time. A reboot is required after installing the features.

Step4: Prepare Active Directory and Active Directory Schema

Run the following command to prepare AD Schema and Active Directory.

setup /PrepareSchema /IAcceptExchangeServerLicenseTerms


setup /PrepareAD /OrganizationName:<organization name> /IAcceptExchangeServerLicenseTerms

Since we already have an Exchange organization, we don't need to type the organization name again; the following command is enough to prepare Active Directory.

setup /PrepareAD /IAcceptExchangeServerLicenseTerms


Step5: Install CU1 for Exchange Server 2013

Log on to the computer on which you want to install Exchange 2013. After you have downloaded Exchange 2013 CU1, copy the Exchange-x64.exe file to the Windows Server 2012 computer where you want to install Exchange Server 2013. Extract the installer by double-clicking Exchange-x64.exe.

  1. On the Check for Updates page, select Don't check for updates right now (you can download and install updates manually later), although we recommend that you download and install updates now. Click Next to continue. At this stage Setup copies the files and initializes the installer.
  2. The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
  3. On the License Agreement page, Select I accept the terms in the license agreement, and then click Next.
  4. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, click Next.
  5. On the Server Role Selection page, select both Mailbox role and Client Access role. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features.  Click Next to continue.
  6. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
  7. On the Malware Protection Settings page, choose to keep malware protection enabled. Click Next to continue.
  8. On the Readiness Checks page, view the status to determine whether the organization and server role prerequisite checks completed successfully. Reboot the server from Server Manager > All Servers > right-click the server > Shutdown Local Server, select Reboot and click OK.
  9. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
  10. On the Completion page, click Finish.
  11. Restart the computer after Exchange 2013 has completed.

In a co-existence scenario, if you browse to https://<FQDN of Client Access Server>/ecp you will see only Mailboxes.

If you browse to https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 in Internet Explorer you will see the full Exchange Administration Center.


Step6: Install Certificates on Exchange Server 2013 CAS Server(s)

Step7: Configure Outlook Web Access in Exchange 2013

Step8: Configure Send/Receive Connector

Open the Exchange Administration Center using the https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 URL. Create a new Send Connector using this procedure.

  1. In the EAC, navigate to Mail flow > Send connectors, and then click Add.
  2. In the New send connector wizard, specify a name for the send connector and then select Internet for the Type. Click Next.
  3. Verify that MX record associated with recipient domain is selected, which specifies that the connector uses the Domain Name System (DNS) to route mail. Click Next.
  4. Under Address space, click Add. In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter *, which indicates that this send connector applies to messages addressed to any domain. Click Save.
  5. Make sure Scoped send connector is not selected and then click Next.
  6. For Source server, click Add. In the Select a server window, select a Mailbox server that will be used to send mail to the Internet via the Client Access server, click Add, and then click OK.
  7. Click Finish.


New-SendConnector -Internet -Name MySendConnector -AddressSpaces Superplaneteers.com

Similarly you can use New-ReceiveConnector Cmdlet to create receive connector.

Step9: Test Internal/External Mail Flow using new Send Connector

Open Internet Explorer and browse to https://<FQDN of CAS Server>/OWA. Log on to OWA using domain\username and password and check email.

Step10: Migrate Mailboxes, DL, Public Folder from Exchange 2010 to Exchange 2013

Before you start migrating Exchange mailboxes, use the Exchange Management Console to enable circular logging; otherwise a large number of transaction logs will be generated while mailboxes are migrated. You can enable circular logging on all mailbox databases using the following PowerShell command:

Get-MailboxDatabase | Set-MailboxDatabase -CircularLoggingEnabled $true

On Exchange 2007, where circular logging is configured per storage group, use Set-StorageGroup instead:

Set-StorageGroup -Identity "First Storage Group" -CircularLoggingEnabled $true

Open the Exchange Administration Center using the https://<FQDN of Client Access Server>/ecp?ExchClientVer=15 URL. In the EAC, navigate to Recipients > Migration, and then click Add.


In the New local mailbox move wizard, select the user you want to move, click OK and then click Next.


On the Move configuration page, specify a name for the new batch. Select the options you want for the archive mailbox and the mailbox database location, and click New. Follow the remaining screens to complete the migration.


To migrate all mailboxes from an existing Exchange 2010 DAG to the new Exchange 2013 DAG, open the Exchange Management Shell on Exchange Server 2013 and run the following cmdlet.

Get-Mailbox -Database Manager-DB01 | New-MoveRequest -TargetDatabase Manager-DB02 -BatchName "DB01toDB02"

To find out more about the New-MoveRequest cmdlet, type Get-Help New-MoveRequest -Examples or visit Move and Migration Cmdlets.
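The circular-logging and New-MoveRequest commands of Step 10 put together as one batch job, as an added example that is not from the original post: it queues the moves, polls until nothing is still in progress, lists the failures with their reason, clears the completed requests and then turns circular logging off again, because circular logging also removes point-in-time recovery for those databases and must not be left on after the migration. The database names Manager-DB01 and Manager-DB02 and the batch name come from the post; the polling interval and the BadItemLimit value are assumptions. Run it in the Exchange 2013 Management Shell.

```powershell
# Added example, not part of the original post: move every mailbox in one
# database to another as a named batch, wait for the batch, report failures,
# and restore the logging setting. Manager-DB01/Manager-DB02/DB01toDB02 are
# the names used in the post; the 120 s interval and BadItemLimit 10 are assumed.

$sourceDb = 'Manager-DB01'
$targetDb = 'Manager-DB02'
$batch    = 'DB01toDB02'

# Circular logging keeps the move from filling the log volume. For DAG-replicated
# databases the change applies immediately; a stand-alone database needs a
# dismount/mount before it takes effect.
Set-MailboxDatabase -Identity $sourceDb -CircularLoggingEnabled $true
Set-MailboxDatabase -Identity $targetDb -CircularLoggingEnabled $true

# One move request per mailbox. A BadItemLimit above 50 would require
# -AcceptLargeDataLoss, which is deliberately not used here.
Get-Mailbox -Database $sourceDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $targetDb -BatchName $batch -BadItemLimit 10 -WarningAction SilentlyContinue

# Poll until no request is queued or in progress.
do {
    Start-Sleep -Seconds 120
    $stats   = Get-MoveRequest -BatchName $batch -ResultSize Unlimited | Get-MoveRequestStatistics
    $pending = @($stats | Where-Object { $_.Status -notin 'Completed', 'CompletedWithWarning', 'Failed' })
    Write-Host ('{0:HH:mm} {1} of {2} mailboxes still moving' -f (Get-Date), $pending.Count, $stats.Count)
} while ($pending.Count -gt 0)

# Failed moves are listed with the reason rather than silently left behind.
$failed = @($stats | Where-Object { $_.Status -eq 'Failed' })
if ($failed.Count -gt 0) {
    $failed | Format-Table DisplayName, Status, FailureType, Message -AutoSize
}

# Clear the completed requests, then disable circular logging again so the next
# full backup re-establishes a usable log chain for point-in-time recovery.
Get-MoveRequest -BatchName $batch -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
Set-MailboxDatabase -Identity $sourceDb -CircularLoggingEnabled $false
Set-MailboxDatabase -Identity $targetDb -CircularLoggingEnabled $false
```

Leave the failed requests in place until you have read their Message property; Get-MoveRequestStatistics -IncludeReport on a single request gives the full history when the one-line reason is not enough.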

Step11: Publish Exchange OWA to External Clients

Step12: Migrate Public Folder.

Step13: Migrate Exchange UM

Step14: Retire Exchange Server 2010


First Cumulative Update for Exchange 2013

Cumulative update 1 for Exchange Server 2013 (KB2816900)

Update Rollup 10 for Exchange Server 2007 Service Pack 3 (KB2788321)

Details can be found here

Performing a Staged RODC Installation using the GUI


Staging an RODC allows an administrator to perform the installation without travelling to the site. You can stage an RODC installation in four steps. Steps 1, 2 and 3 are performed at the head office, where the authoritative domain controller is located, by a member of Domain Admins. Step 4 is performed at the site office, where the site admin and the RODC are located.

Assumption:

· RODC NetBIOS Name: DC4

· RODC Security Group: RODCAdmins

· Forest: Superplaneteers.com

Step1: Prepare Environment

· Install Operating System on RODC Server

· Activate Windows Server 2012

· Configure TCP/IP Properties of the Server

· Rename RODC Server to desired NetBIOS name (Example-DC4)

Step2: Add Site Admins to the RODCAdmins Security Group in AD

Open Active Directory Users and Computers, right-click the desired OU, click New, click Group, and create a security group named RODCAdmins.


Add Site Admins into RODCAdmins group.

Step3: Create an RODC Computer Account

Open Active Directory Users and Computers, select the Domain Controllers OU, click Action, and then click Pre-create Read-only Domain Controller account.


Click Next. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.


On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials, and then click Next.


On the Specify the Computer Name page, type the computer name of the server that will be the RODC.


On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.


On the Additional Domain Controller Options page, select Domain Name System (DNS) server, Global Catalog (GC) and Read-only Domain Controller (RODC), and then click Next.


On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating. To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. When you are finished, click Next.


On the Summary page, review your selections. Click Back to change any selections, if necessary.


When you are sure that your selections are accurate, click Next to create the RODC account.


On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Step4: Attach a server to an RODC account using Server Manager

This step is performed at the site office where the RODC is located. The server on which you perform this procedure must not be a domain member. In Windows Server 2012, you use the Add Roles Wizard in Server Manager to attach a server to an RODC account. Follow this procedure to promote an RODC at the branch office.

1. Log on to Server DC4 as local Administrator. In Server Manager, click Add roles and features. On the Before you begin page, click Next.

2. On the Select installation type page, click Role-based or feature-based installation and then click Next.

3. On the Select destination server page, click Select the local server from the server pool, click Next.

4. On the Select server roles page, click Active Directory Domain Services, click Add Features and then click Next.

5. On the Select features page, select any additional features that you want to install and click Next.

6. On the Active Directory Domain Services page, review the information and then click Next.

7. On the Confirm installation selections page, click Install.

8. On the Results page, verify Installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.

9. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain superplaneteers.com and specify an account who is a member of RODCAdmins group that is delegated to manage and install the RODC, and then click Next.

10. On the Domain Controller Options page, click Use existing RODC account (in this case DC4), type and confirm the Directory Services Restore Mode password, and then click Next.

11. On the Additional Options page, select the head office domain controller that you want to replicate the AD DS installation data from or if you have correct sites configured then allow the wizard to select any domain controller and then click Next.

12. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept default locations, and then click Next.

13. On the Review Options page, confirm your selections and then click Next.

14. Once Prerequisites Check is successful then click Install.

15. To complete the AD DS installation, the server will restart automatically.
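The same four-step staged deployment done with the ADDSDeployment module instead of the wizards, as an added example that is not from the original post. The first part runs at head office, the second on the branch server, and the last lines let head office confirm afterwards which accounts the RODC is allowed to cache and which it has actually cached, which is the check that matters if the branch box is ever lost. DC4, RODCAdmins and superplaneteers.com come from the post; the site name Branch, the group Branch-Users, the source DC DC1 and the D:\ paths are assumptions.

```powershell
# Added example, not part of the original post: staged RODC deployment with
# PowerShell. DC4, RODCAdmins, superplaneteers.com are from the post; the site
# 'Branch', group 'Branch-Users', source DC 'DC1' and D:\ paths are assumed.

# ---- Steps 1-3: run at head office by a Domain Admin on a Windows Server 2012 DC ----
Import-Module ADDSDeployment

# Pre-create the account. RODCAdmins may attach the server but is not a Domain Admin.
# The Password Replication Policy allows caching of branch users only; the built-in
# denied set (Domain Admins, Administrators, Account Operators, ...) stays in force.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'DC4' `
    -DomainName 'superplaneteers.com' `
    -SiteName 'Branch' `
    -DelegatedAdministratorAccountName 'SUPERPLANETEERS\RODCAdmins' `
    -AllowedPasswordReplicationAccounts 'SUPERPLANETEERS\Branch-Users' `
    -InstallDns:$true

# ---- Step 4: run at the branch on the workgroup server named DC4 by a RODCAdmins member ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -Message 'Account that is a member of RODCAdmins'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Same choices as the wizard: existing account, DSRM password, replication source, paths.
Install-ADDSDomainController `
    -DomainName 'superplaneteers.com' `
    -UseExistingAccount `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -ReplicationSourceDC 'DC1.superplaneteers.com' `
    -DatabasePath 'D:\NTDS' -LogPath 'D:\NTDS' -SysvolPath 'D:\SYSVOL' `
    -Force
# The server restarts automatically when promotion completes.

# ---- After the reboot: verify from head office what the RODC is and what it holds ----
Get-ADDomainController -Identity 'DC4' | Select-Object HostName, IsReadOnly, IsGlobalCatalog, Site
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC4' -Allowed
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'DC4' -RevealedAccounts
```

If the last command ever lists an account that should not be on the allowed list, that account's password has been cached on the branch server and should be reset if the server is compromised or stolen; deleting the RODC computer object in Active Directory Users and Computers offers to do exactly that.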


Active Directory Certificate Services Best Practices

AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:

  • Certification Authority— This role service installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
  • Certification Authority Web Enrollment— This role service handles the web-based distribution of certificates to clients. It requires Internet Information Services (IIS) to be installed on the server.
  • Online Responder— The role service responds to individual client requests regarding information about the validity of specific certificates. It is used for complex or large networks, when the network needs to handle large peaks of revocation activity, or when large certificate revocation lists (CRLs) need to be downloaded.
  • Certificate Enrollment Web Service— This new service enables users and computers to enroll for certificates remotely or from non-domain systems via HTTP.
  • Certificate Enrollment Web Policy Service— This service works with the related Certificate Enrollment Web Service but simply provides policy information rather than certificates.
  • Network Device Enrollment Service— This role service streamlines the way that network devices such as routers receive certificates.

Active Directory Certificate Services Hierarchy

A Public Key Infrastructure must be deployed as a hierarchy to deliver certificates securely to clients, applications and servers. The best way to achieve this is to deploy a Standalone Offline Root CA and an Online Enterprise Subordinate CA. Offline Root CA means that you shut the CA down once you have obtained the CRL chain for the subordinate CA. The subordinate CA stays powered on and joined to the domain. The Offline Root CA runs in a workgroup and is not a domain member.

Standalone offline Root CA:

Benefits:

  • Principal component of PKI infrastructure
  • Provide CRL sign off capacity for subordinate authority
  • Provide Web Enrolment for the Subordinate Certificate Authority
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Online Enterprise Subordinate CA

Benefits:

  • Subordinate Component of PKI infrastructure
  • Present and issue Certificates to clients
  • Sign off Web Certificates for application
  • Management point of Certificate Infrastructure
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Certificate Services Best practices

  • Analyze and plan necessity of Active Directory Certificates or public key infrastructure (PKI) in your organization before deploying certification authorities (CAs)
  • Place database and transaction log files on separate hard drives, possibly on a SAN
  • Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise
  • When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in
  • Do not issue certificates to users or computers directly from the root certification authority
  • Always point clients to the subordinate CA for any certificates
  • Back up the CA database, the CA certificate, and the CA keys
  • Ensure that key lifetimes are long enough to avoid renewal issues
  • Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester
  • Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

Certificate Provider

Select "RSA#Microsoft Software Key Storage Provider" with SHA1 as the certificate provider if there are any Windows XP clients; otherwise select "RSA#Microsoft Software Key Storage Provider" with SHA256.

Cryptographic Key Length

Use a 2048-bit key length for both the offline Root CA and the Subordinate CA.

Templates

  • Plan certificate templates before deployment
  • Only Publish templates that are necessary
  • Duplicate new templates from existing templates closest in function to the intended template
  • Do not exceed the certificate lifetime of the issuing certification authority
  • Do not delete the Certificate Publishers security group

Validity Period

  • Offline Standalone Root CA- 10 Years
  • Online Enterprise Subordinate CA- 10 Years
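The offline standalone root CA built exactly as the sections above prescribe (KSP provider, SHA256, 2048-bit key, 10-year validity, CAPolicy.inf maintained on the CA), as an added example that is not from the original post. The CA name Superplaneteers Root CA and the HTTP host pki.superplaneteers.com are assumptions; everything else follows the best-practice list. Run it in an elevated PowerShell on the workgroup Windows Server 2012 server that will become the root.

```powershell
# Added example, not part of the original post: offline standalone root CA.
# Assumed: CA name 'Superplaneteers Root CA', CDP/AIA host pki.superplaneteers.com.

# CAPolicy.inf must be in %windir% before the role is configured. The Renewal*
# keys govern renewal of the root certificate itself; a 26-week CRL with no
# delta CRL suits a root that is powered on only to sign a fresh CRL.
# AlternateSignatureAlgorithm=0 keeps PKCS#1 v1.5 signatures for older clients.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Provider, hash, key length and validity exactly as the best-practice sections state.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Superplaneteers Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# The root is offline, so the CDP and AIA URLs it stamps into the subordinate CA
# certificate must point at an always-reachable HTTP location, never at itself.
# Flag 1 = publish to this location, 2 = include the URL in issued certificates.
certutil -setreg CA\CRLPublicationURLs    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.superplaneteers.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.superplaneteers.com/CertEnroll/%1_%3%4.crt'

Restart-Service certsvc
certutil -crl   # publish the first CRL into CertEnroll

# Copy the .crt and .crl from $env:windir\system32\CertSrv\CertEnroll to the HTTP
# host, publish the root into AD from a domain member
# (certutil -dspublish -f <root.crt> RootCA), install the enterprise subordinate
# CA, then power this server off and lock it away.
```

Because the CRL lasts 26 weeks, put a calendar entry well before expiry to boot the root, run certutil -crl again and copy the new CRL to the HTTP host; an expired root CRL makes every certificate below it fail revocation checking.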

Revocation List

The following sections summarize how certificate revocation checking works.

  • Basic chain and certificate validation
  • Validating revocation information
  • Network retrieval and caching

Revocation Best Practice

  • Leave the default revocation checking behavior instead of using CRLs for revocation checking
  • Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL
  • Use CryptoAPI 2.0 Diagnostics to Troubleshoot Revocation Settings
  • Use Group Policy to Define Revocation Behavior

Audit Policy

Select the following audit policy for both Certificate Authorities:

  • Backup and restore the CA database
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate request
  • Revoke certificates and publish CRL

Backup Certificate Authority

  • Backup Public Key
  • Backup CA database
  • Retention: Daily increment/Monthly Full

Security Permission on Template

The following table summarizes certificate template security permissions in AD CS.

Domain Computers     | Auto-Enroll  | Read Only
Domain Users         | Auto-Enroll  | Read Only
Wintel Administrator | Full Control | Full Control

Security Permission on Servers

You must configure role separation in Active Directory Certificate Services to gain greater control over the Certificate Authority. To enable role separation, open an elevated command prompt and type certutil -setreg CA\RoleSeparationEnabled 1. The following table describes the role separation for AD CS; the Auditor and Backup Operator roles are granted through user rights under Local Security Settings / Security Settings / Local Policies / User Rights Assignments.

CA Administrator    | Full permission
Certificate Manager | Issue and manage certificates
Auditor             | Manage auditing and security log (User Rights Assignment)
Backup Operator     | Back up files and directories (User Rights Assignment)
Enrollees           | Authenticated Users
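The Audit Policy, Backup and role separation settings of the three sections above applied from the command line, as an added example that is not from the original post. The backup path D:\CABackup is an assumption. Run it in an elevated PowerShell on the CA.

```powershell
# Added example, not part of the original post: CA auditing, role separation
# and backups. Assumed: backup root D:\CABackup.

# AuditFilter is a bitmask: 1 backup/restore CA database, 2 change CA
# configuration, 4 change CA security settings, 8 issue and manage requests,
# 16 revoke certificates and publish CRLs, 32 store/retrieve archived keys,
# 64 start/stop the service. The five events the post lists add up to 31.
certutil -setreg CA\AuditFilter 31

# The CA writes these events to the Security log only if the subcategory is audited.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Assign the roles to distinct groups in the Certification Authority snap-in
# (Security tab) BEFORE the next line: once role separation is on, any account
# holding two roles is blocked from all CA operations, and by default the local
# Administrators group is both CA Administrator and Certificate Manager.
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service certsvc

# Confirm the values took effect.
certutil -getreg CA\AuditFilter
certutil -getreg CA\RoleSeparationEnabled

# Backups as the post asks for: a monthly full backup (database plus the CA
# certificate and private key, password-protected) and a daily incremental
# backup of the database only. Backup-CARoleService is in ADCSAdministration.
$backupRoot  = 'D:\CABackup'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported CA key'

$full = Join-Path $backupRoot ('Full-{0:yyyyMMdd}' -f (Get-Date))
Backup-CARoleService -Path $full -Password $pfxPassword          # database + key

$incr = Join-Path $backupRoot ('Incr-{0:yyyyMMdd}' -f (Get-Date))
Backup-CARoleService -Path $incr -DatabaseOnly -Incremental     # logs since last full
```

Keep the full backup (it contains the CA private key) on media with the same protection as the CA itself, and run the incremental step from an account that holds only the Backup Operator right so that role separation is not tripped.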

The following are configurations you must avoid when installing a Certificate Authority.

  • Do not install a Certificate Authority on a Domain Controller or on a server with other roles, unless you are a small business with only one or two servers and therefore have no other choice.
  • Do not install the two certificate authorities on two different operating systems, such as Windows Server 2003 and Windows Server 2008.
  • Do not keep the CAs at different patch and update levels.
  • Do not use a 1024-bit key length.

Relevant Articles:

Microsoft Active Directory Best Practice Part II

Microsoft Active Directory—Best Practice