This gallery contains 1 photo.
Supported Environment Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003. Supported G Suite G Suite Enterprise, Business, Basic, and Education accounts G Suite Cost Standard prices are shown. Google occasionally offers special discounts to some customers for … Continue reading
This gallery contains 1 photo.
Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines. Moving a SQL Server database … Continue reading
This gallery contains 3 photos.
Overview Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, … Continue reading
Microsoft Office 365 gives you the flexibility to configure mail flow based on your requirements and uses scenario to delivered email to your organisation’s mailboxes. The simplest way to configure mail flow is to allow Microsoft EOP to handle spam … Continue reading
This gallery contains 1 photo.
An Azure Site-to-Site VPN gateway connection is used to connect on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing … Continue reading
The concept of Work Folder is to store user’s data in a convenient location. User can access the work folder from BYOD and Corporate SOE from anywhere. The work folder facilitate flexible use of corporate information securely from supported devices. … Continue reading
To integrate On-Premises SSO with Splunk Cloud, you need the following items: On-premises Active Directory On-premises ADFS 2016 A Splunk Cloud tenant Splunk cloud Sign-on URL https://yourinstance.splunkcloud.com/saml/acs Splunk cloud Sign-on URL https://yourinstance.splunkcloud.com/saml/logout ADFS Sign-on URL https://sts.domain.com/adfs/services/trust ADFS Sign-Out URL https://sts.domain.com/adfs/ls/?wa=wsignout1.0 … Continue reading
To integrate On-Premises SSO with Google Apps, you need the following items: On-premises Active Directory On-premises ADFS 2016 A Google Apps single sign-on enabled subscription Google Apps Sign-on URL https://mail.google.com/a/domain.com ADFS Sign-on URL https://sts.domain.com/adfs/ls/ ADFS Password Change URL https://sts.domain.com/adfs/portal/updatepassword/ ADFS … Continue reading
Prerequisites: Windows Active Directory Windows Server 2016 with ADFS Role installed ServiceNow Tenant ADFS Signing certificate from ADFS Server ADFS Service Identifier: http://sts.domain.com/adfs/services/trust ServiceNow Sign On URL: https://company.service-now.com/navigate.do ServiceNow Identifier: https://company.service-now.com ADFS Signout URL: https://sts.domain.com/adfs/ls/?wa=wsignout1.0 Step1: Export Token Signing Certificate … Continue reading
Hybrid Configuration Business Case. On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus … Continue reading
This article provides step by step guidelines to implement single sign on using ADFS 4.0 as the identity provider and Workday as the identifier and service provider. Important Note: Workday does not provide a service provider metadata XML file to … Continue reading
Deployment Location: On-premises Target Environment: Exchange Server 2016 CU4 Current Environment: Exchange Server 2010 or Exchange Server 2013 or mixed Public Folder Location: Exchange Server 2013 Understanding of Exchange Server 2016: Exchange Server 2016 wraps up in two Exchange roles … Continue reading
This gallery contains 4 photos.
Networking in SCVMM is a communication mechanism to and from SCVMM Server, Hyper-v Hosts, Hyper-v Cluster, virtual machines, application, services, physical switches, load balancer and third party hypervisor. Functionality includes: Logical Networking of almost “Anything” hosted in SCVMM- Logical network … Continue reading
The following procedure describe Network Load Balancing functionality in Microsoft SCVMM. Microsoft native NLB is automatically included into SCVMM when you install SCVMM. This procedure describe how to install and configure third party load balancer in SCVMM. Prerequisites: Microsoft System … Continue reading
This gallery contains 6 photos.
Cisco Nexus 1000V Switch for Microsoft Hyper-V provides following advanced feature in Microsoft Hyper-v and SCVMM. Integrate physical, virtual, and mixed environments Allow dynamic policy provisioning and mobility-aware network policies Improves security through integrated virtual services and advanced Cisco NX-OS … Continue reading
Supported:
Scalability on Windows Server 2012 R2
Scalability on Windows Server 2008 R2
Unsupported:
Determining Time Zone in DFS
Universal Coordinated Time (UTC). This option causes the receiving member to treat the schedule as an absolute clock. For example, a schedule that begins at 0800 UTC is the same for any location, regardless of time zone or whether daylight savings time is in effect for a receiving member. For example, assume that you set replication to begin at 0800 UTC. A receiving member in Eastern Standard Time would begin replicating at 3:00 A.M. local time (UTC – 5), and a receiving member in Rome would begin replicating at 9:00 A.M. local time (UTC + 1). Note that the UTC offset shifts when daylight savings time is in effect for a particular location.
Local time of receiving member. This option causes the receiving member to use its local time to start and stop replication. Local time is determined by the time zone and daylight savings time status of the receiving member. For example, a schedule that begins at 8:00 A.M. will cause every receiving member to begin replicating when the local time is 8:00 A.M. Note that daylight savings time does not cause the schedule to shift. If replication starts at 9 A.M. before daylight savings time, replication will still start at 9 A.M. when daylight savings time is in effect.
Determine AD Forest
Using RDC:
Remote differential compression (RDC) is a client-server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFS Replication to replicate only the changes when files are updated. RDC is used only for files that are 64 KB or larger by default. RDC can use an older version of a file with the same name in the replicated folder or in the DfsrPrivate\ConflictandDeleted folder (located under the local path of the replicated folder).
RDC is used when the file exceeds a minimum size threshold. This size threshold is 64 KB by default. After a file exceeding that threshold has been replicated, updated versions of the file always use RDC, unless a large portion of the file is changed or RDC is disabled.
DFS Namespaces Settings and Features
A referral is an ordered list of targets, transparent to the user that a client receives from a domain controller or namespace server when the user accesses the namespace root or a folder with targets in the namespace. The client caches the referral for a configurable period of time.
Targets in the client’s Active Directory site are listed first in a referral. (Targets given the target priority “first among all targets” will be listed before targets in the client’s site.) The order in which targets outside of the client’s site appear in a referral is determined by one of the following referral ordering methods:
Lowest cost, Random order, Exclude targets outside of the client’s site
Design the Replication Topology
To publish data, you will likely use a hub-and-spoke topology, where one or more hub servers are located in data centers, and servers in branch offices will connect to one or more hub servers. To prevent the hub servers from becoming overloaded, we recommend that fewer than 100 spoke members replicate with the hub server at any given time. If you need more than 100 spoke members to replicate with a hub server, set up a staggered replication schedule to balance the replication load of the hub server.
The lowest cost ordering method works properly for all targets only if the Bridge all site links option in Active Directory is enabled. (This option, as well as site link costs, are available in the Active Directory Sites and Services snap-in.) An Inter-site Topology Generator that is running Windows Server 2003 relies on the Bridge all site links option being enabled to generate the inter-site cost matrix that the Distributed File System service requires for its site-costing functionality. If the Bridge all site links option is enabled, the servers in a referral are listed in the following order:
A domain-based namespace can be hosted by multiple namespace servers to increase the availability of the namespace. Putting a namespace server in remote or branch offices also allows clients to contact a namespace server and receive referrals without having to cross expensive WAN connections.
Definitions:
Namespace server . A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.
Namespace root . The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.
Folder . Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.
Folder targets . A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\domain.com\Public\Software\Tools is transparently redirected to the shared folder \\server1\Tools or \\server2\Tools, depending on which site the user is currently located in.
By default, DFS replication between two members is bidirectional. Bidirectional connections occur in both directions and include two one-way connections. If you desire only a one-way connection, you can disable one of the connections or use share permissions to prevent the replication process from updating files on certain member servers.
Step1: Organise Folder Structure in multiple servers in geographically diverse location
Example:
Server1 in Perth
D:\Marketing
D:\HR
D:\IT
Server2 in Melbourne
D:\Marketing
D:\HR
D:\IT
Step2: Install DFS on Server
Before setting up replication between servers, the DFS Replication roles need to be installed on each server that is going to participate in the replication group. Open Server Manger by clicking on the Server Manager icon on the task bar
Step3: Create New Namespace
Step5: Replicate Folders
Step6: Manually creating replication group if you didn’t create in step1
Windows Server 2012 R2 with Hyper-v Role provides Fibre Channel ports within the guest operating system, which allows you to connect to Fibre Channel directly from within virtual machines. This feature enables you to virtualize workloads that use direct FC storage and also allows you to cluster guest operating systems leveraging Fibre Channel, and provides an important new storage option for servers hosted in your virtual infrastructure.
Benefits:
Limitation:
Prerequisites:
Before I begin elaborating steps involve in configuring virtual fibre channel. I assume you have physical connectivity and physical multipath is configured and connected as per vendor best practice. In this example configuration, I will be presenting storage and FC Tape Library to virtualized Backup Server. I used the following hardware.
Step1: Update Firmware of all Fabric.
Use this LINK to update firmware.
Step2: Update Firmware of FC SAN
See OEM or vendor installation guide. See this LINK for IBM guide.
Step3: Enable hardware virtualization in Server BIOS
See OEM or Vendor Guidelines
Step4: Update Firmware of Server
See OEM or Vendor Guidelines. See Example of Dell Firmware Upgrade.
Step5: Install MPIO driver in Hyper-v Host
See OEM or Vendor Guidelines
Step6: Physically Connect FC Tape Library, FC Storage and Servers to correct FC Zone
Step7: Configure Correct Zone and NPIV in Fabric
SSH to Fabric and Type the following command to verify NPIV.
Fabric:root>portcfgshow 0
If NPIV is enabled, it will show NPIV ON.
To enable NPIV on a specific port type portCfgNPIVPort 0 1 (where 0 is the port number and 1 is the mode 1=enable, 0=disable)
Open Brocade Fabric, Configure Alias. Red marked are Virtual HBA and FC Tape shown in Fabric. Note that you must place FC Tape, Hyper-v Host(s), Virtual Machine and FC SAN in the same zone otherwise it will not work.
Configure correct Zone as shown below.
Configure correct Zone Config as shown below.
Once you configured correct Zone in Fabric, you will see FC Tape showing in Windows Server 2012 R2 where Hyper-v Role is installed. Do not update tape driver in Hyper-v host as we will use guest or virtual machine as backup server where correct tape driver is needed.
Step8: Configure Virtual Fibre Channel
Open Hyper-v Manager, Click Virtual SAN Manager>Create new Fibre Channel
Type Name of the Fibre Channel> Apply>Ok.
Repeat the process to create multiple VFC for MPIO and Live Migration purpose. Remember Physical HBA must be connected to 2 Brocade Fabric.
On the vFC configuration, keep naming convention identical on both host. If you have two physical HBA, configure two vFC in Hyper-v Host. Example: VFC1 and VFC2. Create two VFC in another host with identical Name VFC1 and VFC2. Assign both VFC to virtual machines.
Step9: Attach Virtual Fibre Channel Adapter on to virtual Machine.
Open Failover Cluster Manager, Select the virtual machine where FC Tape will be visible>Shutdown the Virtual machine.
Go to Settings of the virtual machine>Add Fibre Channel Adapter>Apply>Ok.
Record WWPN from the Virtual Fibre Channel.
Power on the virtual Machine.
Repeat the process to add multiple VFCs which are VFC1 and VFC2 to virtual machine.
Step10: Present Storage
Log on FC storage>Add Host in the storage. WWPN shown here must match the WWPN in the virtual fibre channel adapter.
Map the volume or LUN to the virtual server.
Step11: Install MPIO Driver in Guest Operating Systems
Open Server Manager>Add Role & Feature>Add MPIO Feature.
Download manufacturer MPIO driver for the storage. MPIO driver must be correct version and latest to function correctly.
Now you have FC SAN in your virtual machine
Step12: Install Correct FC Tape Library Driver in Guest Operating Systems.
Download and install correct FC Tape driver and install the driver into the virtual backup server.
Now you have correct FC Tape library in virtual machine.
Backup software can see Tape Library and inventory tapes.
Further Readings:
Brocade Fabric with Virtual FC in Hyper-v
This gallery contains 20 photos.
Requirements: Filezilla FTP Server Filezilla FTP Client Putty Java JRE installed on admin PC Log on credential for Brocade website or respective vendor website e.g. IBM/Dell Downloaded upgrade firmware Upgrade Path. Fabric OS 5.0.x to 5.2.3 is supported Fabric OS … Continue reading
Scenario 1: In-place migration of two standalone Windows Servers (Hyper-v role installed) into clustered Windows Servers (Hyper-v role installed).
Steps involved in this scenario. There will be downtime in this scenario.
Scenario 2: Migrating standalone Windows Servers (Hyper-v role installed) using local storage to different Windows Servers (Hyper-v role installed) cluster using shared storage.
In this scenario, clustered Windows servers doesn’t see local storage available in old Hyper-v host and old Hyper-v host doesn’t see shared storage in new Hyper-v clustered environment. There will be downtime when you migrate VMs. Delete any snapshot, backup all VMs before you proceed.
Option A: Download Veeam Backup & Replication 8 trial version, configure a VM as Veeam management server. Add Source host as standalone hyper-v host and target host as Hyper-v cluster. Replicate all the VMs. Shutdown old VMs in standalone Hyper-v Hosts, then Power on VMs in Hyper-v cluster. Delete old VMs.
Option B: Copy VHD and configuration file and save into clustered shared storage. Log on to one of the clustered hyper-v host, Open Hyper-v Manager, Import VM option to import VM. Then use Configure Role option in failover Cluster Manager in same host to migrate the VM into cluster, then Power on VM in cluster.
My recommendation: use Veeam B&R.
Scenario 3: Migrating standalone Windows Servers (Hyper-v role installed) using iSCSI storage to different Windows Servers (Hyper-v role installed) cluster using fibre channel or iSCSI storage.
Option A: shutdown VMs. Present same iSCSI storage connected standalone hosts to clustered hosts. Use storage migration to migrate VMs to clustered Hosts. Then use configure role option, Failover cluster manager to migrate VMs to Hyper-v cluster.
Option B: Again use Veeam to do the job.
There are many factors/challenges when migrating VMs from standalone environment to clustered environment.
In conclusion, there is no silver bullet for individual situation. You have to consult with Microsoft partner to get a correct migration path that best fit your requirements.
Forest Functional Prerequisites
RBAC Requirement
Your account must be a member of Domain Admins, Schema Admins and Enterprise Admin.
Systems Requirement
| Processor | 1vCPU |
| RAM | 4GB |
| Free disk space requirements | 32 GB |
| Screen resolution | 800 x 600 or higher |
| Network | 1 Ethernet |
| DVD | 1 |
Prepare Windows Machine
Prepare Forest and Domain
Install AD DS Role
Check New Domain Controller in AD Sites and Services
Check New Domain Controller in DNS Manager
Transfer FSMO Role
Now transfer all the FSMO roles from windows 2008 domain controller to windows 2012 R2 domain controller. Log on to windows 2008 domain controller as enterprise admin. Open command prompt type these command as follows:
ntdsutil
roles
connections
connect to server WIN2012R2SERVERNAME
q
Transfer domain naming master
Transfer PDC
Transfer Schema Master
Transfer RID master
Transfer infrastructure master
Change DNS Properties of Servers and Workstation
On each server and workstation within the target domain require a NIC properties configuration update to point to the new Domain Controller. Open the DHCP management console, select Option no. 006 and under server scope options and add the IP address of your new Domain Controller as DNS server.
Removing the Windows 2008 R2 domain controller
Note: Wait for all schema object to be cleaned automatically. Do not rush to clean any schema object or DNS record in new Domain Controller.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Step1: Configure the SharePoint server
1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.
2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.
3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.
4. On the Alternate Access Mappings page, click Edit Public URLs.
5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.
6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.
7. When you have finished, click Save.
8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:
9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.
10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
Step2: Create a New trunk
Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next
Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next
On the Authentication Page, Click Add, Select DC, Click Next
Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.
Select Use Forefront UAG Access Policies, Click Next
Select Default and Click Next
Click Finish.
Step3: add SharePoint web applications to the trunk.
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.
On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.
In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.
In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.
In the Public host name box, enter a public host name of your choice for the SharePoint web application.
Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.
On the Authentication page, do the following:
To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.
To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.
On the Portal Link page of the wizard, if required, configure the portal link for the application.
If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.
When you have completed the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications list.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.
Step4: Configure Mobile devices Access for SharePoint
When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:
1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.
2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.
3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.
4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.
5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Forefront UAG Overview:
Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx
Assumptions:
The following servers is installed and configured in a test environment.
Systems Requirements:
|
Option |
Description |
|
Virtual Machine Name |
DC1TVUAG01 |
|
Memory |
8GB |
|
vCPU |
1 |
|
Hard Disk 1 |
50GB |
|
Hard Disk 2 |
50GB |
|
Network Adapter |
2 |
|
Guest Operating System |
Windows Server 2008 R2 |
|
Service Pack Level |
SP1 |
Software Requirement:
|
Version |
Microsoft Forefront Unified Access Gateway 2010 |
|
Service Pack Level |
SP3 |
Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:
The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.
|
Browser |
Features |
|
Firefox |
Endpoint Session Cleanup Endpoint detection SSL Application Tunneling Endpoint Quarantine Enforcement |
|
Internet Explorer |
Endpoint Session Cleanup Endpoint detection SSL Application Tunneling Socket Forwarding SSL Network Tunneling (Network Connector) Endpoint Quarantine Enforcement |
|
Device Name |
Features |
|
Windows Phone |
Premium mobile portal |
|
iOS: 4.x and 5.x on iPhone and iPad |
Premium mobile portal |
|
Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 |
Premium mobile portal |
Service Account for Active Directory Authentication:
|
Service Account |
Privileges |
Password |
|
xman\SA-FUAG |
Domain Users |
Password set to never expired |
The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.
Antivirus Exclusion:
|
Version |
Paths |
Processes |
|
Forefront UAG 2010 |
UAG installation folder (may be changed during installation) |
Forefront UAG DNS-ALG Service Forefront UAG Monitoring Manager Forefront UAG Session Manager Forefront UAG File Sharing Forefront UAG Quarantine Enforcement Server Forefront UAG Terminal Services RDP Data Forefront UAG User Manager Forefront UAG Watch Dog Service Forefront UAG Log Server Forefront UAG SSL Network Tunneling Server |
The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.
There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:
Perimeter Port Requirement:
To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:
Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.
|
Infrastructure server |
Protocol |
Port |
Direction |
|
Domain controller |
Microsoft-DS traffic |
TCP 445 UDP 445 |
From UAG to DC |
|
Kerberos authentication |
TCP 88 UDP 88 |
From UAG to DC |
|
|
LDAP |
TCP 389 UDP 389 |
From UAG to DC |
|
|
LDAPS |
TCP 636 UDP 636 |
From UAG to DC |
|
|
LDAP to GC |
TCP 3268 UDP 3268 |
From UAG to DC |
|
|
LDAPS to GC |
TCP 3269 UCP 3269 |
From UAG to DC |
|
|
DNS |
TCP 53 UDP 53 |
From UAG to DC |
|
|
Exchange, SharePoint, RDS |
HTTPS |
TCP 443 |
From external to internal server |
|
FTP |
FTP |
TCP 21 |
From external to internal server |
Scenario#2
In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.
UAG Network Configuration
The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:
· First in Order- UAG internal adapter connected to the trusted network.
· Second in Order- UAG external adapter connected to the untrusted network.
The following are the network configuration for UAG server.
|
Option |
IP Address |
Subnet |
Default Gateway |
DNS |
|
Internal Network |
10.10.10.2 |
255.255.255.0 |
Not required |
10.10.10.1 |
|
External Network |
192.168.1.1 |
255.255.255.0 |
192.168.1.254 |
Not required |
Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.
Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
To amend network binding follow the steps below:
1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
DNS Forwarding:
The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:
|
Purpose |
Public Host Name |
Public IP Address |
|
Exchange |
webmail.xman.com.au |
203.17.x.x |
|
SharePoint |
sharepoint.xman.com.au |
203.17.x.x |
|
RDS |
remote.xman.com.au |
203.17.x.x |
|
FTP |
ftp.xman.com.au |
203.17.x.x |
Scenario#1 Firewall Rules consideration
External NAT Rules
The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.
|
Rule(s) |
Description |
Source IP |
Public IP Address (Destination IP Address) |
Port |
NAT Destination |
Status |
|
1 |
Exchange |
Any |
203.17.x.x |
443 |
10.10.10.2 |
Forward |
|
2 |
SharePoint |
Any |
203.17.x.x |
443 |
10.10.10.2 |
Forward |
|
4 |
RDS |
Any |
203.17.x.x |
443 |
10.10.10.2 |
Forward |
|
5 |
FTP |
Any |
203.17.x.x |
21 |
10.10.10.2 |
Forward |
The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:
|
Rules |
Description |
Source IP |
Port TCP & UDP |
NAT Destination |
Destination |
Status |
|
1 |
Exchange |
10.10.10.2 |
TCP 443 |
Not Required |
10.10.10.3 |
Forward |
|
2 |
SharePoint |
10.10.10.2 |
TCP 443 |
Not Required |
10.10.10.4 |
Forward |
|
4 |
RDS |
10.10.10.2 |
TCP 443 |
Not Required |
10.10.10.5 |
Forward |
|
5 |
FTP |
10.10.10.2 |
TCP 21 |
Not Required |
10.10.10.6 |
Forward |
|
6 |
Client |
10.10.12.0/24 10.10.13.0/24 |
TCP 443 TCP 21 |
Not Required |
10.10.10.2 |
Forward |
|
7 |
Domain Controller |
10.10.10.2 |
445, 88, 53 389, 636 3268, 3296 |
Not Required |
10.10.10.1 |
Forward |
Understanding Certificates requirements:
Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.
Launch Certificate Manager
1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:
2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.
3. Follow the instructions in the Certificate Import Wizard.
|
Common Name |
Subject Alternative Name |
Certificate Issuer |
|
RDS.xman.com.au |
– |
Verisign/Digicert |
|
webmail.xman.com.au |
autodiscover.xman.com.au |
Verisign/Digicert |
|
ftp.xman.com.au |
– |
Verisign/Digicert |
|
sharepoint.xman.com.au |
– |
Verisign/Digicert |
Understanding Properties of Trunk
UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.
Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:
|
URL List |
Methods |
Allow Rich Content |
|
InternalSite_Rule54 |
HEAD |
Checked |
|
SharePoint14AAM_Rule47 |
HEAD |
Checked |
Published Applications and Services:
Install Forefront UAG:
Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.
Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.
On the Welcome page of Setup, do the following:
Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.
Restart the Server.
Initial Configuration Using Getting Started Wizard
In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
On the Define Network Adapter Settings page, in the Adapter name list do the following:
To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.
To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.
After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:
If you are running Forefront UAG on a single server, click Single server.
If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.
After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.
If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.
Configure Remote Desktop (RDP) to Forefront UAG
After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:
Ensure that remote desktop is enabled on the Forefront UAG server.
Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.
To do this, open the Forefront TMG Management console from the Start menu.
1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.
2. On the Rule Action, Click Allow, Click Next
3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next
4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next
5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.
Step1: Hardware Installation Follow the official IBM video tutorial to rack and stack IBM V3700. Cabling V3700, ESX Host and Fabric. Connect each canister of V3700 Storage to two Fabric. Canister1 FC Port 1—>Fabric1 and Canister 1 FC Port … Continue reading
The SMB protocol follows the client-server model; the protocol level is negotiated by the client request and server response when establishing a new SMB connection. Windows Server 2012 introduces a feature called SMB 3.0 Multichannel. Multichannel provides link aggregation and fault tolerance.
SMB 3.0 introduces multipath I/O (MPIO) where multiple TCP connections can be established with given SMB session. Benefits include increase bandwidth, enable transparent network interface failover and load balancing per session.
Open following registry key
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
If you are looking fault tolerance and throughput then obvious choice is NIC teaming with RSS.
Switch#conf t
Switch(config)#Int PORT (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active
Switch(config)#Int port (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active
PROCURVE#conf ter
PROCURVE# trunk PORT1-PORT2 (a.e. C1/C2) Trk<ID> (a.e. Trk99) LACP
PROCURVE# vlan <VLANID>
PROCURVE# untagged Trk<ID> (a.e. Trk99)
PROCURVE# show lacp
PROCURVE# show log lacp
Get-SmbClientConfiguration | Select EnableMultichannel
Get-SmbServerConfiguration | Select EnableMultichannel
6. Enable Multichannel
Set-SmbServerConfiguration -EnableMultiChannel $true
Set-SmbClientConfiguration -EnableMultiChannel $true
7. Verify Multichannel
Get-SmbConnection
Get-SmbMultichannelConnection
Before you begin, create a work sheet in spreadsheet recording required information to migrate Exchange 2007/2010 to Exchange 2013. For this article, I am going to use following work sheet. This work sheet and migration guide are tested in production exchange migration which I did for few of my clients. Note that this article is not situation specific hence I can’t provide you a silver bullet for your situation.
Deployment Work Sheet
Version Readiness Check
| Present Server | Proposed Server |
| Exchange 2007 SP3 OR 2010 SP3 | Exchange 2013 CU3 |
Exchange Role Assignment
Exchange 2013 has two server roles; the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommend installing the Mailbox server role first.
Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.
Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.
| Server Name | Exchange Roles |
| AUPEREXMBX01,AUPEREXMBX02 | Mailbox |
| AUPEREXCAS01,AUPEREXCAS02 | CAS |
Active Directory Schema and Forest
When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.
| Description | AD Forest | Domain Controller |
| Primary SMTP namespace | Superplaneteers.com | AUPERDC01,AUPERDC02 |
| User principal name domain | Superplaneteers.com | AUPERDC01,AUPERDC02 |
Legacy Edge Transport
N/A
Network Configuration
| Server Name | TCP/IP | DNS | Replication network |
| AUPEREXMBX01 | 10.10.10.11
|
10.10.10.2
10.10.10.3 |
192.168.100.11/24 |
| AUPEREXMBX02 | 10.10.10.12 | 10.10.10.2
10.10.10.3 |
192.168.100.12/24 |
| AUPEREXCAS01 | 10.10.10.13 | 10.10.10.2
10.10.10.3 |
N/A |
| AUPEREXCAS02 | 10.10.10.14 | 10.10.10.2
10.10.10.3 |
N/A |
The network adapter name used within the operating system of mailbox server must be changed to closely match the associated network name. For example: Domain Network and Replication Network. The following binding order must be maintained within Windows operating systems:
Here is a guide how to change adapter binding order http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx Microsoft does not support multiple default gateways on a single server, no default gateway is required on the replication network card.
Disk layout
| Server Name | C: | E: | F: | G: |
| AUPEREXMBX01 | 50 GB | 50 GB | 500GB | 300GB |
| AUPEREXMBX02 | 50 GB | 50 GB | 500GB | 300GB |
| AUPEREXCAS01 | 50 GB | 50 GB | N/A | N/A |
| AUPEREXCAS02 | 50 GB | 50 GB | N/A | N/A |
Resilient Exchange Configuration
| Purpose | Name | TCP/IP | Subnet | Type |
| DAG | AUPEREXDAG01 | 10.10.10.15 | 255.255.255.0 | N/A |
| CAS NLB or Load Balancer | Mail.superplaneteers.com | 10.10.10.16 | 255.255.255.0 | Multicast |
Exchange Administrator
| User name | Privileges |
| ExMigrationAdmin | Domain Admins
Domain user Schema Admin Enterprise Admin Organisation Management Local Administrator |
Certificates
A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.
You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.
| Common Name | Subject Alternative | Type | Assigned to |
| mail.superplaneteers.com | autodiscover.superplaneteers.com | SSL | IIS,SMTP,POP,IMAP |
Supported Client
Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:
Exchange 2013 does not support Outlook 2003.
Public DNS records
| DNS record | Record Type | IP/Alias/FQDN | Priority |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | Mail.superplaneteers.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
If you have hosted email security then your MX record must look like this. An example is given here for TrendMicro hosted email security.
| DNS record | Record Type | IP/Alias/FQDN | Priority |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | in.sjc.mx.trendmicro.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
Internal DNS records
| DNS record | Record Type | Hardware Load Balancer
VIP or CAS NLB IP |
| Mail.superplaneteers.com | A | 10.10.10.16 |
| Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or hardware load balancer then create Host(A) record of mail.superplaneteers.com and point to Exchange 2013 CAS Server.
Send Connector
Here I am giving an example of TrednMicro smart host. Do not add smart host without proper authorization from smart host provider otherwise you will not be able to send email from internal organisation to external destination.
| Intended use | Address Space | Network Settings | Authentication | Smart Host |
| Internet | “*” | default | Basic, Exchange, TLS | relay.sjc.mx.trendmicro.com |
Receive Connector
| Name | Intended use | Network Settings | IP Range | Server(s) |
| Client Frontend | Client | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
| Default Frontend | Inbound SMTP | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
Anonymous Relay
| Relay | Authentication | Permission | Remote IP | SMTP |
| Anonymous Relay | TLS, Externally Secured | Anonymous, Exchange Servers | IP Address of Printers, Scanner, Devices, App Server | 10.10.10.11
10.10.10.12 |
Port Forwarding in Cisco Router
| Rule | Source Address | Destination Address | NATed Destination | Port |
| OWA | Any | 203.17.x.x | 10.10.10.16 | 443 |
| SMTP | Any | 203.17.x.x | 10.10.10.16 | 25 |
Again if you don’t have CAS NLB or load balancer your NATed destination is Exchange 2013 CAS server.
Mailbox Storage
| Storage Group Type | Database location |
| Mailbox storage | F:Exchange Data |
| Mailbox storage logs | G:Exchange Log |
Email address Policy
| Email Address Policy | %g.%s@superplaneteers.com |
Virtual Directory for internal and external network
| Virtual directory | Internal and External URL value |
| Autodiscover | https://autodiscover.superplaneteers.com/autodiscover/autodiscover.xml |
| ECP | https://mail.superplaneteers.com/ecp |
| EWS | https://mail.superplaneteers.com/EWS/Exchange.asmx |
| Microsoft-Server-ActiveSync | https://mail.superplaneteers.com/Microsoft-Server-ActiveSync |
| OAB | https://mail.superplaneteers.com/OAB |
| OWA | https://mail.superplaneteers.com/owa |
| PowerShell | http://mail.superplaneteers.com/PowerShell |
Since you have finished your work sheet, now you are ready to virtualize Exchange servers on Hyper-v.
1. Virtualize Windows Server 2012 R2
2. Configure TCP/IP properties
3. Disable Windows Firewall
4. Join Windows server 2012 R2 to domain.
Download following software as prerequisites.
1. Microsoft Exchange Server 2010 Service Pack 3 (SP3) OR Exchange Server 2007 Service Pack 3
2. Cumulative Update 3 for Exchange Server 2013 (KB2892464)
3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
4. Microsoft Office 2010 Filter Pack 64 bit
5. Microsoft Office 2010 Filter Pack SP1 64 bit
Additional Prerequisites if you would like to install Exchange 2013 on Windows Server 2008 R2 SP1.
Windows Firewall
Open Control Panel > Windows Firewall. Turn off Firewall components (Domain, private and Public) completely.
Preparing Base Windows Server 2012 for Exchange 2013
Mailbox Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator. Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
Client Access Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator, Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
If you are installing Exchange 2013 on Windows Server 2008 R2 SP1.
Prepare mailbox role Windows Server 2008 R2 SP1
Open Windows PowerShell as an administrator, Execute the following cmdlets one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Prepare Client Access in Windows Server 2008 R2
Open Windows PowerShell, Execute the following cmdlet one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Install Service pack 3 on exchange 2010
Upgrading to SP3 requires a schema update, review the Active Directory Schema changes beforehand. Upgrade your Exchange servers to SP3. This should be performed in the following order:
1. CAS servers
2. Hub and/or Edge servers
3. Mailbox servers
4. Unified Messaging servers
Upgrade Exchange 2010 to Exchange 2010 SP3 level
1. Once the files are extracted, locate and run setup.exe as an administrator
2. Select Install Microsoft Exchange Upgrade.
3. Select Next at the welcome screen. Read and accept the license terms, then select Next.
4. If you’ve got all the requirements you’ll see all the green checks, Select Upgrade to begin the upgrade
5. Select Next to start the upgrade.
6. When the upgrade is complete, select Finish.
7. Reboot the server to allow changes to take affect.
Prepare Active Directory Schema
Before you prepare Active Directory, make sure your Active Directory is healthy. Follow the procedure for AD health check.
1. Prepare Active Directory in an Active Directory site where you want to install Exchange 2013.
2. Domain Controller must be Server 2008 Standard/Enterprise (x86/x64) OR Server 2008 R2 Standard / Enterprise OR Windows Server 2012 OR Windows Server 2012 R2.
3. Each domain needs at least one writeable global catalog server
4. Ensure AD replication is working properly in each site / domain
5. Ensure Active Directory is healthy. Visit active directory health check
6. Run the following command in a domain controller, Open command prompt as an administrator
repadmin /showrepl
repadmin /replsummary
repadmin /syncall
netdom query fsmo
Dcdiag /e
Netdiag
7. Open Active Directory Sites and Services MMC, make sure all domain controllers are global catalog.
8. Start Menu, Run, Type eventvwr to open event view, Review event logs to see everything is working as per normal
9. Start Menu, Run> Services.msc to open services, Check DNS server, DNS Client, File replication services are started and set to automatic
10. Open SYSVOL in all domain controllers and check everything is same in all domain controllers.
Now you are ready to prepare Active Directory Domain and Forest.
1. Extract the Exchange2013-x64-cu3.EXE package you have downloaded from Microsoft web site to a common location. In my example I will use E:EXCHANGE2013
2. Open a command prompt as an Administrator, and navigate to the directory in which you extracted the files to. In the case of this example it will be E:Exchange2013. You should see a Setup.exe file located there.
3. Run the following cmd:
OR
4. Run the following cmd:
OR
Now replicate Active Directory manually or wait for replication to complete. Verify event logs in Domain controllers to see any unexpected error or logs pops up or not. If everything looks fine then go ahead and install Exchange 2013.
Installing Exchange 2013 CU3
Create a Test mailbox
1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
2. Enter the user name and password of the account you used to install Exchange 2013 in Domainuser name and Password, and then click Sign in.
3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.
4. Provide the information required for the new user and then click Save.
5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .
6. Under Members, click Add .
7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.
Install Exchange 2013 certificates
Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.
After you’ve saved the certificate request, submit the request to your certificate authority (CA) which is public CA. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:
To re-use existing certificate follow the steps below
After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.
Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.
Configure Exchange 2013 external and internal URLs
Configure External and Internal URL to be same
$HostName = “mail.superplaneteers.com “
3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.
Set-EcpVirtualDirectory “$HostNameECP (Default Web Site)” -InternalUrl ((Get-EcpVirtualDirectory “$HostNameECP (Default Web Site)”).ExternalUrl)
Set-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)” -InternalUrl ((get-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)”).ExternalUrl)
Set-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)” -InternalUrl ((Get-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)”).ExternalUrl)
Set-OabVirtualDirectory “$HostNameOAB (Default Web Site)” -InternalUrl ((Get-OabVirtualDirectory “$HostNameOAB (Default Web Site)”).ExternalUrl)
Set-OwaVirtualDirectory “$HostNameOWA (Default Web Site)” -InternalUrl ((Get-OwaVirtualDirectory “$HostNameOWA (Default Web Site)”).ExternalUrl)
Set-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)” -InternalUrl ((Get-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)”).ExternalUrl)
To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:
Move Arbitration Mailboxes
Follow the below steps to move all arbitration and discovery search mailboxes to 2013 database.
Open Exchange Management Shell with run as administrator and run the following cmds
Get‐Mailbox –Arbitration | New-MoveRequest –TargetDatabase TargetDBName
Get-Mailbox “*Discovery*” | New-MoveRequest –TargetDatabase TargetDBName
OR
Type the following comdlets in EMS to find arbitration mailboxes and migrate using migration wizard.
Get-Mailbox –Arbitration >C:Arbitration.txt
Get-Mailbox “*Discovery*” >C:Discovery.txt
Enable and configure Outlook Anywhere
To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 servers in your organization. If some Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2010 server:
$Exchange2013HostName = “mail.superplaneteers.com”
Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}
If you didn’t enable Outlook Anywhere in Exchange 2010 already, Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic
Configure service connection point (SCP)
Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.
You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.
Perform the following steps to configure the SCP object on your Exchange 2010 servers.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Perform the following steps to configure the SCP object on your Exchange 2013 servers.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Configure Exchange 2013 Mail flow
There are four receive connectors in Exchange 2013. They are:
· Default <server name> Accepts connections from Mailbox servers running the Transport service and from Edge servers.
· Client Proxy <server name> Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.
· Default FrontEnd <server name> Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.
· Outbound Proxy Frontend <server name> Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector
2. Select Default Frontend AUPERMBX01, Click on Edit or Pencil icon, On the Security Parameter, Select Anonymous, Click Save.
3. Repeat the steps for Default Frontend AUPERMBX02.
All you have to do is to add Exchange 2013 mailbox servers to the existing send connector as shown below:
Open Exchange management Shell as an administrator, execute the following command.
Set-SendConnector –Identity Outbound –SourceTransportServers AUPEREXMBX01, AUPEREXMBX02
OR
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Send Connector, Click Edit or Pencil icon
2. Click on scoping and + icon on Source Server parameter to add the server
3. Select the Exchange 2013 Mailbox servers (AUPEREXMBX01 and AUPEREXMBX02) and add them and Click save.
4. Send connector configuration completed.
Configure a smart host if necessary
1. In the EAC https://AUPEREXCAS01/ecp?ExchClientVer=15, navigate to Mail flow > Send connectors, and then click Add .
2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.
3. Choose Route mail through smart hosts, and then click Add . In the Add smart host window, the fully qualified domain name (FQDN), such as relay.sjc.mx.trendmicro.com. Click Save.
4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.
5. For Source server, click Add . In the Select a server window, choose a server and click Add . Click OK.
6. Click Finish.
Anonymous Relay
Create a new receive connector using Exchange Administration Center with the following parameters.
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector, Click Add or + icon
2. Select an Exchange Mailbox Server name AUPEREXMBX01, Type Anonymous Relay on the name, Click Frontend transport, Select Custom, Click Next..
3. On the Network Adapter Binding, Add Exchange 2013 MBX Server IP (10.10.10.11) and port 25. On the remote network settings, add printer, scanner, device and application server IPs. Click Save to create Anonymous Relay.
4. Select newly created Anonymous relay, Click Edit or Pencil Icon, Click Security parameter, Select TLS, Externally Secured in Authentication and Select Exchange Servers, Anonymous users in Permission groups.
5. Open Exchange 2013 Management Shell and execute the following
Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
6. Open Exchange management Shell in Exchange 2010 execute cmdlet
Get-ReceiveConnector –Identity “Anonymous relay” | Fl
From PowerShell Windows copy all the IP addresses of printer and scanner to a notepad
7. Edit Anonymous Relay in Exchange 2013 Administration center and add all the IPs addresses you copied in previous step into remote network setting of Exchange 2013 relay.
8. Repeat step 1 to step 7 on all mailbox servers.
Configure Public Name Space
At this stage, you are ready to configure public DNS record. Update your public DNS record including Hosted Email Security. You only need to configure public DNS if you are changing public IPs and hosted email security otherwise you just have to change the port 443 and port 25 forwarding rule in internal Cisco router in your organization.
You public DNS must look similar to this table.
| superplaneteers.com | MX | Mail.superplaneteers.com |
| mail.superplaneteers.com | A | 203.17.x.x (Public IP) |
| autodiscover.superplaneteers.com | A | 203.17.x.x (Public IP) |
Request your ISP who provided you 203.17.x.x public IP to create reverse DNS record for mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many destination server checks reverse DNS. If reverse DNS is wrong you could be banned from sending email to destination server. Note that outlook.com check reverse DNS and SPF records of domain sending email to an outlook address.
Configure TMG/UAG
If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.
Publish-exchange-server-2010-using-forefront-uag-2010-step-by-step/
Publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/
Create internal DNS Record
Create Host(A) record with reverse DNS in the forward lookup zone of forest superplaneteers.com. Internal DNS records must look similar to this table.
| FQDN | Record Type | IP Address |
| Mail.superplaneteers.com | A | 10.10.10.16 |
| Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or load balancer then your internal host(A) record must point to Exchange 2013 CAS server.
Open PowerShell as an administrator, execute the following
Resove-Dnsname mail.superplaneteers.com
Nslookup mail.superplaneteers.com
Configure Offline Address Book
To create a new offline address book and set the same OAB on all mailbox databases at once, run the following command. The command example uses “Default Offline Address Book” for the name of the OAB.
Open Exchange Management Shell, execute the cmdlets
New-OfflineAddressBook -Name “Default Offline Address Book” -AddressLists “Default Global Address List”
Restart-Service MSExchangeMailboxAssistants
Wait a few minutes and check if the OAB files is created in C:Program FilesMicrosoftExchange ServerV15ClientAccessOAB<newGUID>
Try to access the new OAB in IE: https://mail.superplaneteers.com/oab/<newguid/oab.xml
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book (Ex2013)”
To Change the generation server open Exchange 2010 Management Shell and run the following command:
Move-OfflineAddressBook –Identity “Default Offline Address Book” –Server AUPERCAS01,AUPERCAS02
Configure new transport rule in Exchange 2013 or Export transport rules from legacy Exchange.
Follow this reference if you are migrating from Exchange 2007
You cannot migrate transport rules from Exchange Server 2007 to Exchange Server 2013
The following cmdlet example exports all your Transport Rules to the XML file, ExportedRules.xml, in the “c:TransportRules” folder:
Export-TransportRuleCollection -FileName “c:TransportRulesExportedRules.xml”
The following example cmdlet imports your transport rule collection from the XML file ExportedRules.xml in the “C:TransportRules” folder
[Byte[]]$Data = Get-Content -Path “C:TransportRulesExportedRules.xml” -Encoding Byte -ReadCount 0 Import-TransportRuleCollection -FileData $Data
To create new Transport rule,
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
Move mailboxes to Exchange 2013
14. Click Finish.
OR
Open Exchange Management Shell
Get-Mailbox –Database “Exchange 2010 database name’ | New-MoveRequest –targetdatabase “Exchange 2013 database name”
Get-MoveRequest
Migrate Room or Resource mailboxes
Open EMS and execute the cmdlets
Get-Mailbox -RecipientTypeDetails roommailbox -database SOURCEDBNAME | new-moverequest -targetdatabase TARGETDBNAME
Upgrade Distribution groups
Open Exchange management Shell as an administrator, execute the following command.
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ManagedBy “CN=Organization
Management,OU=Microsoft Exchange Security Groups,DC=superplaneteers,DC=com”
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ForceUpgrade
Upgrading Distribution Groups with multiple owners to Exchange 2013
Open Exchange management Shell as an administrator, execute the following command.
foreach ($DL in (Get-DistributionGroup -ResultSize Unlimited)) { $owners = Get-ADPermission $DL.identity | ?{$_.User -notlike “*Exchange*” -and $_.User -notlike “S-*” -and $_.User -notlike “*Organization*” -and $_.User -notlike “NT*” -and $_.User -notlike “*Domain Admins*” -and $_.User -notlike “*Enterprise Admins” -and $_.User -notlike “BUILTIN*” -and $_.User –notlike “*Delegated Setup*”} | %{$_.user.tostring()};Set-DistributionGroup $DL -BypassSecurityGroupManagerCheck -ManagedBy $owners }
Migrate Public Folder
In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).
There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:
There are two ways you can manage public folder mailboxes:
Before you migrate public folder, I would recommend creating new separate mailbox database in Exchange 2013 then start the migration process.
Step1: Perform Perquisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save the script in C:PFScripts
Prerequisites in Exchange 2010 Server
Open Exchange Management Shell in Exchange 2010 server, run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:PFMigrationLegacy_PFStructure.xml
Run the following command to take a snapshot of public folder statistics such as item count, size, and owner
Get-PublicFolderStatistics | Export-CliXML C:PFMigrationLegacy_PFStatistics.xml
Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:PFMigrationLegacy_PFPerms.xml
Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like “**”} | Format-List Name, Identity
In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like “**”}}
If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>
Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete
Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false
Prerequisites on Exchange 2013
Make sure there are no existing public folder migration requests. If there are, clear them.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false
To make sure there are no existing public folders on the Exchange 2013 servers, run the following commands.
Get-Mailbox -PublicFolder
Get-PublicFolder
If the above commands return any public folders, use the following commands to remove the public folders.
Get-MailPublicFolder | where $_.EntryId -ne $null | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren | Remove-PublicFolder -Recurse -Confirm:$false
Get-Mailbox -PublicFolder |Remove-Mailbox -PublicFolder -Confirm:$false
Step2: Generate CSV Files
On the Exchange 2010 server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-to-folder size mapping file.
.Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>
Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>
<Folder to size map path> is \AUPEREX2010c$PFstat.csv
<Maximum mailbox size in bytes> is 20000000
<Folder to mailbox map path> is \AUPEREX2010c$PFMigrationmapgen.csv
Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true –database “Exchange 2013 database”
Run the following command to create additional public folder mailboxes as needed based on the .csv file generated from the PublicFoldertoMailboxMapGenerator.ps1 script.
$numberOfMailboxes = 25;
for($index =1 ; $index -le $numberOfMailboxes ; $index++)
{
$PFMailboxName = “Mailbox”+$index; if($index -eq 1) {New-Mailbox -PublicFolder $PFMailboxName -HoldForMigration:$true -IsExcludedFromServingHiearchy:$true;}else{NewMailbox-PublicFolder $PFMailboxName -IsExcludedFromServingHierarchy:$true}
}
Step4: Start Migration request
Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.
From the Exchange 2013 Mailbox server, run the following command:
$PublicFolderDatabasesInOrg = @(Get-PublicFolderDatabase)
$BadItemLimitCount = 5 + ($PublicFolderDatabasesInOrg.Count -1)
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <Source server name>) -CSVData (Get-Content <Folder to mailbox map path> -Encoding Byte) -BadItemLimit $BadItemLimitCount
To verify that the migration started successfully, run the following command.
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List
Step 5: Lock Source Server
On the Exchange 2010 server, run the following command to lock the legacy public folders for finalization.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Step6: Finalize public folder migration
Set-PublicFolderMigrationRequest -Identity PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity PublicFolderMigration
Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>
Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:
Post Migration Check
1. Verify Internal and external DNS records and aliases of autodiscover and mail are pointing to Exchange 2013 CAS server or load balancer VIP or CAS NLB IP. At this stage do not delete Host(A) record of legacy exchange servers until you decommission them.
2. Point your Spam Guard or hosted email security to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.
3. Configure Spam Guard or hosted email security to accept emails from all Exchange 2013 Mailbox servers.
4. Configure smart host if necessary.
5. Configure all other application to send email via the Exchange 2013 Mailbox Servers
6. Test inbound and outbound email from outlook client and mobile devices.
7. Start Monitoring Exchange, Open EMS and execute Get-mailbox –monitoring
8. Go to https://testconnectivity.microsoft.com/ to test connectivity of Exchange 2013
9. Go to http://mxtoolbox.com/ to test your MX, Reverse DNS and DNS records.
Decommission Legacy Exchange Server
Before you decommission legacy Exchange server, make sure you have completed the following tasks
10. Remove Exchange 2010 CAS arrays. Execute Get-clientaccessarray | remove-ClientAccessArray in Exchange 2010 management shell
11. Point all the applications to use Exchange 2013 SMTP.
12. Test inbound and outbound email from various supported clients.
Now is the time to shutdown legacy exchange servers in your organization and test Exchange 2013 mail flow again. Make sure you shut down the server during working hours and working days. Keep the legacy exchange down for at least 48hrs. To decommission legacy Exchange follow the steps
1. Bring all legacy servers online means power on all servers which were down in previous step.
2. Remove all Public Folder replicas else Public Folder Database will not be removed. To remove public folder replicas, open Exchange Management Console in exchange 2010, Click Tools, Open Public Folder Management Console, Select Default Public Folder, Click properties, Click Replication, Remove exchange 2010 database from replication. Repeat the same for systems public folder.
3. Remove Exchange 2007/2010 mailbox database and Public folder databases from EMC or EMS.
4. Go to Control Panel to remove Exchange 2007/2010. On Program and Features screen click on Uninstall. On the Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.
5. On the Server Role Selection page, uncheck in 2007/2010 all Exchange server roles and Exchange management tools to remove. In Exchange 2007 CCR remove passive node first then follow the same steps on active node. Click next to continue.
6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.
7. On the Completion page, click Finish.
8. Verify the setup log files and folder located at c:ExchangeSetupLogs.
9. Uninstall Internet Information Services (IIS) from windows Server 2008 or add/remove program and features in Windows Server 2003.
10. Disjoin the legacy Exchange servers from the Domain.
11. Delete Host(A) DNS record of Legacy Exchange Server. Delete ONLY legacy DNS record.
References
http://technet.microsoft.com/en-us/library/ee332361(EXCHG.141).aspx
http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx
http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-CABEAgAAQAAACQEAAQAAAA~~
http://support.microsoft.com/kb/2846555
http://support.microsoft.com/?kbid=940726
http://www.petenetlive.com/KB/Article/0000036.htm
http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html
There are many ways you can achieve unified messaging functionality in Exchange 2013. It all depends on your Exchange, Lync and telephony infrastructure.
Before you begin, you have to install Exchange language pack for non-English Exchange deployment. For English deployment you don’t need to install language pack.
Depending on your Exchange 2013 version, Download Exchange Language Pack from the following web sites.
http://www.microsoft.com/en-au/download/details.aspx?id=35368
http://www.microsoft.com/en-au/download/details.aspx?id=39713
http://www.microsoft.com/en-au/download/details.aspx?id=41176
Right click the UMLanguagePack.Country-Code.exe file, Click Run As Administrator.
In the Exchange 2013 Setup wizard, on the License Agreement page, select I accept the terms in the license agreement, and then click Next then click Install.
Click Finish to complete the installation of the UM language pack.
Scenario#1
If you have a Cisco Call Manager for IP telephony then you just need to perform few tasks in Exchange 2013 to integrate Exchange and Cisco Call Manager. Here are the steps to accomplish unified messaging in Exchange 2013 with Cisco Call Manager.
Step1: Create a Service Account named domainnamesa-ExchangeUC and set password and account to be never expired. Set user cannot change password.
Step2: Open Exchange 2013 Management Shell as an administrator (Account must be a member of Exchange organisation management role). issue the following command.
New-ManagementRoleAssignment –Name:UMServicesConnectionACC –Role:ApplicationImpersonation -User:”domainanemsa-ExchangeUC “
Get-ManagementRoleAssignment
Step3: Create an anonymous relay in Exchange 2013. Here is a guideline.
Name: Anonymous Relay
Role: Frontend Transport
Type: Custom
Available IP: Exchange 2013 server IP
Port: 25
Authentication: TLS, Externally Secured
Permission: Exchange Servers, Anonymous users
Open Exchange Management Shell and execute the following
Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
Now add Cisco Call Manager IP address into remote network settings properties of anonymous relay.
Step4: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of windows machine then export as .cer format certificate into Cisco Unity. reference http://www.digicert.com/ssl-support/pfx-import-export-iis.htm
Step5: Configure Cisco Unity for Unified Messaging. Follow this link to configure Cisco Call Manager. Detailed guide is available in Cisco Unity and Microsoft Exchange configuration guide.
Scenario#2
There are other ways to achieve same result if you decide Exchange 2013 to manage dial plan, auto attendant, hunt group and voice delivery etc. In this scenario, you have configure lot more then previous steps. There is no concrete steps for your scenario or your IP telephony systems. But here is what you have to do to accomplish unified messaging between IP-PBX and Exchange 2013. I assume your Exchange 2013 and IP-PBX are working per normal.
Step1: Create a Service Account named domainnamesa-ExchangeUC and set password and account to be never expired. Set user cannot change password in the properties of sa-ExchangeUC account.
Step2: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of a windows machine then export as .cer format certificate into IP-PBX.
Step3: Configure IP-PBX to connect to Exchange 2013 using service account you have created in previous step.
Step4: Create a virtual extension number. This extension number will be used in a Exchange 2013 only.
Step5: Create a dial plan
In the Exchange admin center (EAC), navigate to Unified Messaging > UM dial plans, and then click Add 
.
On the New UM Dial Plan page, complete the following boxes:
Name: ExchangeUC Dial Plan
Extension Length: 4 or Exact length used in IP-PBX
Dial plan type: Telephone extension
VoIP security mode: Unsecured
Country/Region code: +61 (for australia)
Click Save.
Step6: Create a PIN Policy
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the ExchangeUC Dial Plan you have created in previous step and then click Edit 
.
On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit, and then click Edit .
Click Properties. On the UM mailbox policy page, click PIN policies.
On the PIN Policies page, configure the following PIN settings
PIN Length: 5
PIN Cycle: 5
Enforce PIN lifetime: 60
Sign-in failure: 5
Sign-in lockout:15
Click Save.
Step8: Add a DNS record in the forward lookup zone of Active Directory DNS
lets say DNS Name: IPPBX.domainname.com and corresponding IP: 10.10.70.240
Step8: Add UM IP Gateway
In the EAC, navigate to Unified Messaging > UM IP Gateways, and then click Add .
On the New UM IP gateway page, enter the following information:
Name: Cisco Unity or 3CX whichever is your gateway
Address: FQDN or IP Address of IP-PBX
UM Dial Plan: ExchangeUC Dial Plan
Click Save.
Step9: Create Auto Attendant
In the EAC, navigate to Unified Messaging > UM dial plans, select the ExchangeUC Dial Plan for which you want to add an auto attendant, and then click Edit .
On the UM Dial Plan page, under UM Auto Attendants, click Add .
On the New UM auto attendant page, complete the following boxes:
Name: ExchangeUC Auto Attendant
Uncheck “Create this auto attendant as enabled”
Uncheck “Set the auto attendant to respond to voice commands”
Access Number: click Add and add virtual extension number you have created in step 4.
Click Save.
Step 10 (Optional):
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit .
On the UM Dial Plan page, under UM Hunt Groups, click Add .
On the New UM Hunt Group page, complete the following boxes:
Associated UM IP gateway: IPPBX.domainname.com
Name: ExchangeUC Hunt Group
Dial plan Click Browse to select the ExchangeUC Dial Plan
Pilot identifier: a string that uniquely identifies the pilot identifier obtained from IP-PBX.
Click Save.
Step11: Setup UM Dial Plan Policies
In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit .
On the UM Dial Plan page, under UM Mailbox Policies, click New .
On the New UM mailbox policy page, in the Name box, enter the name of ExchangeUC mailbox policy.
Click Save.
Step12: Enable User for Voice Mail
In the EAC, click Recipients. In the List view, select the user whose mailbox you want to enable for Unified Messaging.
In the Details pane, under Phone and Voice Features, click Enable.
On the Enable UM mailbox page, click the Browse and select ExchangeUC mailbox policy, and then click OK.
On the Enable UM mailbox page, complete the following boxes:
Extension Number: Type the extension number you have created in IP-PBX for this mailbox
PIN Settings: Type a 5 digit PIN number
Click Finish.
Now you have successfully configured Unified Messaging in Exchange 2013. However if you have Lync 2013 in your organisation. you will have to perform the following steps in Exchange 2013 to integrate Lync and Exchange.
Step1: Set Dial Start-up mode to dual
Open Exchange Management Shell, Enter the following command
Set-UmService -Identity “FQDN of Exchange Server” -DialPlans “ExchangeUC Dial Plan” -UMStartupMode “Dual”
Step2: Assign Exchange Certificate to UM
Type Get-ExchangeCertificate and copy the thumbprint in notepad
Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “EA5A332496CC05DA69B7578A110D22d” -Services “UM”
I assume that you already assigned this certificate to IIS, SMTP services. Restart the MsExchangeUM service on the Exchange server.
Step3: Assign certificate to call router
Set-UMCallRouterSettings -Server “FQDN of Exchange Server” -UMStartupMode “Dual” -DialPlans “ExchangeUC Dial Plan”
Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “45BAA32496CC891169B75B9811320F78A1075DDA” –Services “IIS”, “UMCallRouter”
Restart the MsExchangeUM service on the Exchange server.
Step4: Test UM Service
$credential = Get-Credential “DomainNameUser1”
Test-CsExUMConnectivity -TargetFqdn “FQDN of Exchange Server” -UserSipAddress “sip:User1@DomainName.com” -UserCredential $credential
$credential = Get-Credential “DomainNameUser2”
Test-CsExUMVoiceMail -TargetFqdn “FQDN of Exchange Server” -ReceiverSipAddress “sip:user1@DomainName.com” -SenderSipAddress “sip:user2@DomainName.com” -SenderCredential $credential
References:
http://technet.microsoft.com/en-us/library/jj673564%28v=exchg.150%29.aspx
http://technet.microsoft.com/en-us/library/jj150478%28v=exchg.150%29.aspx
Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find out a solution of this issue. No luck. I went thought Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about backend FTP server and UAG in details. So I end up being calling Microsoft Tech support to help me sort out the issue. So here is my research on FTP and outcome for you guys who are struggling to publish FTP using UAG.
Prerequisites:
Create a separate FTP Trunk:
You need to create a separate trunk for FTP. Right Click HTTP/HTTPS Trunk, Create a new Trunk. In my case I have created a HTTPS Trunk which means you need a proper public certificate with matching Common Name of Certificate for HTTPS trunk to work correctly. Note that you need certificate with public key. You must import certificate in PFX format.
Once you configured a trunk with all default settings, Click Configure to configure Advanced settings of Trunk.
On the Authentication Tab, Uncheck Require users to authenticate at session logon. If you would like that user authenticate at session using domain credentials you can keep it. I don’t want user’s to authenticate twice so I un-ticked this one.
Click Session Tab, make sure disable component installation and disable scripting for portal are unchecked.
Click Endpoint Access Settings Tab, Click Edit Endpoint Policies, Select Default Session Access, Click Edit Policy, On the other, Click Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default non web access Policy. Click Ok.
Add Enhanced Generic Client Application (Multiple Servers)
Add a Enhanced generic client application (multiple servers) on this FTP trunk. Use all default settings except server settings which is shown in below screen shots.
On the Server Settings Tab, make sure you type fully qualified domain name of FTP server. In my test lab, I configured my domain controller as FTP server which is not best practice in production environment. This is only for demonstration purpose. On the Ports, Use 20,21,1024-65534, On the Executable type real path of FTP client installed in Windows 7 or Windows 8. In my case C:Program FilesFileZilla FTP ClientFileZilla.exe. Click Ok.
On the socket forwarding select basic.
On the Endpoint policy make sure other is set to always. Click Ok.
Activate the Trunk
Click File, Click Activate.
Wait for Activation to complete.
Open Command Prompt as an administrator. Type iisreset and hit enter.
Error and Warning:
Open a browser from Windows client, browse https://ftp.yourdomain.com and see the outcome. Make you sure FileZilla Client is installed in C:Program FilesFileZilla FTP Client location in Windows 7 or Windows 8. You may or may not receive warning depending on your client environment. To fix the warning open, UAG web monitor, Click Session monitor and select the FTP trunk, Click connected session, see endpoint information.
In my case I received “Your Computer does not meet the security policy requirements of this application” which says I don’t have any antivirus installed (Compliant antivirus not detected) but I have Symantec antivirus. Solution? Actually UAG is looking Microsoft security essentials in my computer. Work around is install Microsoft Security Essentials and turn on Windows firewall.
To avoid this issue, you can create a new endpoint policy. Click Configure on Trunk, Click Edit endpoint policies, Click Add policy.
Create a new policy allowing any antivirus, any firewall shown below screen shot. Click Ok.
Apply the policy into Endpoint Policy.
Again activate the trunk. run iisreset.
Testing FTP
Open browser, browse https://ftp.yourdomain.com
Click FTP to open FileZilla Client application. Once UAG component is installed. Type the ftp server name, username and password on ftp client to connect
Now go back to UAG web monitor. select FTP trunk, Go to Endpoint information, you will see client is compliant and connected.
Further Study
UAG Articles
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Issue: Client Not Yet Sync WSUS error
Resolution:
Step1: Download KB2720211 x64 and apply on WSUS server using the following steps in command prompt with administrative privilege:
Step2: Open elevated command prompt, type the following. Detailed available on KB958046
net stop wuauserv
cd %systemroot%SoftwareDistribution
ren Download Download.old
net start wuauserv
Step3: Detect and authorize client to WSUS Server. Run the following in elevated command prompt.
wuauclt /resetauthorization /detectnow
gpupdate /force
Before you authorize, make sure WSUS GPO is applied to the clients with following GPO Configuration:
Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Update
I have written the following articles few weeks back. One thing I would like to add on to these articles is the patching order of Forefront UAG 2010.
You must have a base build Windows Server 2008 R2 SP1 with all Microsoft security and critical updates. you install the UAG from the this source Forefront_UAG_Server_2010_64Bit_English_w_SP1 with correct product key from Microsoft volume licensing center.
The following the order of patching UAG before you start configuring UAG.
3. UAG-KB2288900-v4.0.1269.200-ENU
4. UAG-KB2585140-v4.0.1773.10100-ENU
5. UAG-KB2710791-v4.0.2095.10000-ENU
6. UAG-KB2744025-v4.0.3123.10000-ENU
UAG Articles:
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).
Trend Micro offers the following editions:
Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.
Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.
Features worry-free business Features
TrendMicro Components:
Registration Key
A Registration Key comes with your purchase of Worry-Free Business Security. It has
22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx
Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.
Security Server
At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location
Scan Server
The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.
Downloads scanning-specific components from Trend Micro and uses them to scan clients
Agents
Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.
Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats
Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats
Web Console
The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
WFBS Ports
WFBS uses the following ports:
• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:
• IIS server default website: The same port number as your HTTP server’s TCP port.
• IIS server virtual website: 8059
• Apache server: 8059
• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.
Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.
SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.
Proxy port: Used for connections through a proxy server.
Systems requirements:
TrendMicro Download Location:
Installation:
1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.
2. Click Next. The License Agreement screen appears.
3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.
4. Click Next. The Setup Type screen appears.
5. From the Setup Type page, choose one of the following options:
6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.
7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).
8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.
9. Click Next. The Select Components page appears.
10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.
11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.
12. Click Next. The Computer Prescan page appears.
13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:
Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:
14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:
15. Click Next. The Web Server Identification page appears.
16. Choose from one of the following server identification options for client-server communication:
17. Click Next. The Administrator Account Password page appears.
18. Specify different passwords for the Security Server web console and the Security Agent.
Note: The password field holds 1-24 characters and is case sensitive.
19. Click Next. The SMTP Server and Notification Recipient(s) page appears.
20. Enter the required information:
21. Click Next. The Trend Micro Smart Protection Network page appears.
22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.
23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.
24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.
25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.
26. Set the following items:
27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.
28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:
29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.
30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.
31. Click Next. The Install Messaging Security Agent page appears.
32. Provide the following information:
i. Exchange Server
ii. Domain Administrator Account
iii. Password
33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:
35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:
The Install Third Party Components page appears. This page informs you which third party components will be installed.
36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.
Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install
Installing Agent for Exchange Server
The Messaging Security Agent (MSA) can also be installed from the Web Console.
1. Log on to the Web Console.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Microsoft Exchange server.
4. Under Microsoft Exchange Server Information, type the following information:
• Server name: The name of the Microsoft Exchange server to which you want
to install MSA.
• Account: The built-in domain administrator user name.
• Password: The built-in domain administrator password.
5. Click Next. The Microsoft Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of Web server that you want to install on
the Microsoft Exchange server. You can select either IIS Server or Apache Server.
7. For the Spam Management Type, End User Quarantine will be used.
8. Under Directories, change or accept the default target and shared directories for
the MSA installation. The default target and shared directories are C:Program
FilesTrend MicroMessaging Security Agent and C$, respectively.
9. Click Next. The Microsoft Exchange Server Settings screen appears again.
10. Verify that the Microsoft Exchange server settings that you specified in the
previous screens are correct, and then click Next to start the MSA installation.
11. To view the status of the MSA installation, click the Live Status tab.
Configure Smart Host for Outbound Email
1. Open the Exchange Management Console.
2. Click on the plus sign (+) next to Organization Configuration.
3. Select Hub Transport and click the Send Connectors tab.
4. Right-click the existing Send Connector then select Properties and go to the Network tab.
5. Select Route mail through the following smart hosts and click Add.
6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:
o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com
o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu
7. Click OK.
8. Go to the Address Space tab and click Add.
9. Add an asterisk (*) and then click OK.
10. Click Apply > OK.
11. Go to the Source Server tab and add your Exchange Server.
12. Click Apply > OK.
Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.
C:Usersraihan >nslookup
> set type=mx
> domainname.com.au
Non-authoritative answer:
domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x
Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
Registered Hosted Email Security
Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .
Create service account (See upcoming post on creating a secure services account)
Open Hosted Email Security Web console
Register Your Domains with Trend Micro
1. Go to the Trend Micro Online Registration portal.
2. Create a new OLR account.
a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.
Enter your HES Registration Key.
If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.
Select I Accept, then click Submit.
Complete the registration information form.
Specify your OLR logon ID.
Note: The OLR logon ID will also serve as your HES portal login ID.
Click Submit.
The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.
3. Using the provided OLR username and password, log on to the HES console:
For US: https://us.emailsec.trendmicro.com/loginPage.imss
For EMEA: https://emailsec.trendmicro.eu/loginPage.imss
Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.
4. Enter your domain and IP information, then click Add Domain.
5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.
6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.
Navigate to Administration > Domain Management
Download the ActiveDirectory Sync Client
Install the ActiveDirectory Sync Client
http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx
http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx
1. Extract the ActiveDirectory Sync Client file and run setup.exe
2. Usual I agree, next, next stuff
3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.
4. Click Next
5. Leave installation path as is, and change to install for Everyone
6. Click Next
7. Click Next
8. Click Close when finish
9. The ActiveDirectory Sync Client will then open
10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)
LDAP://OU=Users,,OU=CompanyName,DC=<yourdomain>,DC=com
11. Click Add
LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com
12. Click Add
13. Click Configure
14. Click OK
15. Click Apply
16. This will restart the service
Amend ClientMHS_AD_ACL.config
1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad
2. Installed Config file looks like this:
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
3. Change the following to add groups and public folders. Ref
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”group”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”publicFolder”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”*”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client
5. Click Sync Now
6. Give it a few moments then click History
7. Here you should see the correct number of groups and users you expect. Check the times are correct for when you’ve pressed. And it should finish with Sync domain <yourdomain.com> successful
8. Click Close
9. Click Close
Post Configuration Check
If you have a Common Name certificate or Subject Alternative Name certificate in Exchange webmail or other website and you would like to change that to wild card certificate to consolidate your certificate uses in wide variety of infrastructure and save money. You can do so safely with a minor downtime with no or little loss of productivity.
Microsoft accept certified SSL provider which are recorded in this url http://support.microsoft.com/kb/929395/en-us
Here is a guide lines how to accomplish this objective.
Step1: Check Current Exchange SSL Certificate
Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.
Step2: Record Proposed Exchange SSL Wildcard Certificate
Step3: Generate a wildcard certificate request
You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.
New-ExchangeCertificate -GenerateRequest -Path c:star_your_company.csr -KeySize 2048 -SubjectName “c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au” -PrivateKeyExportable $True
Step4: Sign the certificate request and download SSL certificate in PKCS#7 format
For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808
1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do
2. Provide the common name, technical contact e-mail address associated with the SSL order,
and the image number generated from the Geotrust User Authentication page.
3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.
4. Click on the link listed in the e-mail to enter the User Portal Click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with .p7b extension.
5. Save the certificate locally and install per the server software.
Step5: Locate and Disable the Existing CA certificate
Now this step is a disruptive step for webmail. You must do it after hours.
1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292
2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties
4. In the Certificate purposes section, select Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.
Step6: Install Certificate
To install a SSL certificate onto Microsoft Exchange, you will need to use the Exchange
Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.
2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example
Import-ExchangeCertificate -Path C:newcert.p7b | Enable-ExchangeCertificate –Services “SMTP, IMAP, POP, IIS”
3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.
For Example Get-ExchangeCertificate -DomainName yourdomain.com.au
4. In the Services column, letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services ” IIS”
Step7: Configure Outlook settings
Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
To use the Exchange Management Shell to configure Autodiscover settings by using the Set-OutlookProvider cmdlet if you are using Exchange 2007.
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au
To change Outlook 2007 connection settings to resolve a certificate error
1. In Outlook 2007, on the Tools menu, click Account Settings.
2. Select your e-mail address listed under Name, and then click Change.
3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.
4. Select the Connect using SSL only check box.
5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.
6. Click OK, and then click OK again.
7. Click Next. Click Finish. Click Close.
8. The new setting will take effect after you exit Outlook and open it again.
Step8: Export Certificate from Exchange in .pfx format
The following Step8 to Step 10 is for Forefront TMG 2010 configuration only. If you are using different method to publish Exchange then you don’t need to follow these steps. Use help file of your firewall/Edge product to configure SSL.
Open Exchange Management Shell, run
Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB
010e -BinaryEncoded:$true -Path c:certificatesexport.pfx -Password:(Get-Credential).password
Step9: Import certificate in TMG 2010
1.Click Start and select Run and tape mmc
2.Click on the File menu and select Add/Remove Snap in
3.Click Add, select Certificates among the list of Standalone Snap-in and click Add
4.Choose Computer Account and click Next
5.Choose Local Computer and click Finish
6.Close the window and click OK on the upper window
7.Go to Personal then Certificates
8.Right click, choose All tasks then Import
9.A wizard opens. Select the file holding the certificate you want to import.
10.Then validate the choices by default
11.Make sure your certificate appears in the list and that the intermediary and root certificates are in their respective files. If not, place them in the appropriate file and replace existing certificates if needed.
Step10: Replace Certificate in Web Listener
1. click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.
2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
5. Select External Web Listener from the list, and then click Properties.
6. In External Web Listener Properties, click the Certificates tab.
7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.
9. To save changes and update the configuration, in the results pane, click Apply.
Step11: Test OWA from external and internal network
On the mobile phone, open browser, type webmail.yourdomain.com.au and log in using credential.
Make sure no certificate warning shows on IE.
Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
Relevant References
Request an Internet Server Certificate (IIS 7)
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
The following features are available for external access through a UAG reverse proxy:
Prerequisites:
Network Configuration:
Forefront UAG and Lync Edge must be assigned two NICs with external network adapter and the internal network adapter.
DNS Configuration
The reverse proxy must be able to resolve the internal Director and next hop pool FQDNs used in the web publishing rules to IP addresses. As with the Edge Servers, for security reasons, we recommend that you do not have Edge Servers access a DNS server located in the internal network. This means you either need DNS servers in the perimeter, or you need HOST file entries on the reverse proxy that resolves each of these FQDNs to the internal IP address of the servers.
| DNS Name | Record Type | IP address | Purpose |
| sip.xman.com.au | HOST (A) | Internal IP | Sip domain |
| _sip_tls.xman.com.au | SRV record Port 5061 | Internal IP | used for Edge deployment separate to UAG |
| meet.xman.com.au | HOST (A) | Internal IP | Meeting |
| dialin.xman.com.au | HOST (A) | Internal IP | Dial-in |
| discover.xman.com.au | HOST (A) | Internal IP | Discover |
| webext.xman.com.au | HOST (A) | Internal IP | Common external Lync access |
| UAGSRV.xman.com.au | HOST (A) | Internal IP | UAG server internal DNS |
To create Public DNS record, request your ISP to route these public FQDN to your premises i.e. to the external NIC of UAG server if there is no frontend firewall or route to your external router if UAG is behind frontend router and placed in perimeter.
| DNS Name | Record Type | IP address | Purpose |
| webext.xman.com.au | HOST (A) | Publicly routable
UAG External NIC IP IP should resolve Front Edge or Director |
Lync external access |
| meet.xman.com.au | CNAME | webext.xman.com.au | Lync meeting |
| dialin.xman.com.au | CNAME | webext.xman.com.au | Lync Dial-in |
| discover.xman.com.au | CNAME | webext.xman.com.au | Lync discover |
| LyncUAG. xman.com.au | HOST (A) | Publicly routable
UAG External IP Address |
UAG external FQDN |
| sip.xman.com.au | HOST (A) | Publicly routable
Lync Edge External NIC IP separate to UAG |
Lync External SIP domain |
| Sipexternal.xman.com.au | CNAME | sip.xman.com.au
used for Lync Edge deployment separate to UAG |
CNAME of external SIP domain |
| Common Name | Subject alternative name | Purpose | Issuer |
| webext.xman.com.au | webext.xman.com.au | Pool FQDN | Public CA |
| meet.xman.com.au | Meeting simple URL | ||
| dialin.xman.com.au | Dial-in simple URL | ||
| discover.xman.com.au | External Autodiscover Service URL |
NAT Requirements:
This topic describes the required NAT behaviour of UAG deployment if UAG server is placed after frontend firewall.
| NAT Rule | Source IP | Public IP | NATed Destination | Port |
| 1 | Any | Public IP of Lync web | UAG External NIC IP | 4443, 3478 |
| 2 | Edge External NIC | – | Internet/Extranet | 3478 |
| 3 | Internal Network | – | UAG Internal NIC IP | 4443,3478 |
1. Start ForeFront UAG.
2. Right-Click HTTPS Connection and select New Trunk
3. Name the Trunk and enter the public hostname and IP address (this should match the DNS record created i.e LyncUAG.xman.com.au – this name should be different to the external name of the Lync Front End Pool. Click Next
4. Select the Authentication Server for your domain by clicking Add. Click Next.
5. Select the Public Certificate you have obtained. Click Next.
6. Select the default option of Use Forefront UAG access policies. Click Next.
7. Select the Default Endpoint Policies. Click Next.
8. Click Finish.
1. Select the trunk created above.
2. Click Add under Applications.
3. Click Next
4. Select Microsoft Lync Web App 2010 under Web. Click Next.
5. Enter a name for the application (i.e. LyncWeb). Click Next.
6. Leave the Endpoint Policies as default. Click Next.
7. Click Next.
8. Enter webext.xman.com.au under Addresses. This should resolve to the Front Edge (or Director) Server from the UAG server. This should also match the name that External Access URL is set in the Lync Topology. Enter the same public host name. Click Next.
9. Uncheck Use SSO. Click Next.
10. Remove “dialin” from Application URL. Click Next.
11. Click Finish.
1. In the same Trunk click Add under Applications.
2. Select Microsoft Lync Web App 2010. Click Next.
3. Enter a name for the application (i.e. LyncDiscovery). Click Next.
4. Click Next.
5. Enter webext.xman.com.au as the IP/Host and Discover as the public hostname. Click Next.
6. Uncheck Use SSO. Click Next.
7. Remove “dialin” from the application URL and click Next.
8. Click Next
9. Click Finish.
The wizard will create two additional entries for meet and dialin for the LyncDiscover application. Remove them by selecting each one and click Remove.
1. Click Configure under Trunk Configure.
2. Select the Authentication tab. Uncheck Require users to authenticate at session logon.
3. Select the Session tab and check Disable component installation and activation and Disable scripting for portal applications.
4. Click OK.
Important! Modify the registry at your own risk.
1. Open Registry Editor
2. Navigate to HKLMSoftwareWhaleCome-GapvonUrlFilter
3. Right-Click and add a DWORD 32-bit registry KeepClientAuthHeader and FullAuthPassthru, set the value to 1.
4. Close the registry editor.
1. Click the Save button in the UAG console.
2. Click Activate
3. Once the configuration has completed, click Finish
4. Start a Command Prompt (cmd) as an Administrator.
5. Perform an IISRESET.
Verify Website Access through the Internet
Open a web browser, type the URLs in the Address bar that clients use to access the Address Book files and the website for conferencing as follows:
References:
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Step1: Configure the SharePoint server
1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.
2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.
3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.
4. On the Alternate Access Mappings page, click Edit Public URLs.
5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.
6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.
7. When you have finished, click Save.
8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:
9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.
10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.
Step2: Create a New trunk
Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next
Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next
On the Authentication Page, Click Add, Select DC, Click Next
Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.
Select Use Forefront UAG Access Policies, Click Next
Select Default and Click Next
Click Finish.
Step3: add SharePoint web applications to the trunk.
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.
On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.
In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.
In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.
In the Public host name box, enter a public host name of your choice for the SharePoint web application.
Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.
On the Authentication page, do the following:
To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.
To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.
On the Portal Link page of the wizard, if required, configure the portal link for the application.
If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.
When you have completed the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications list.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.
Step4: Configure Mobile devices Access for SharePoint
When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:
1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.
2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.
3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.
4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.
5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
When you create a Forefront Unified Access Gateway (UAG) HTTPS portal trunk, only HTTPS requests that arrive at the Forefront UAG are handled by the trunk. This topic describes how to create a redirect trunk to automatically redirect HTTP requests made by remote endpoints to the HTTPS trunk.
| Web Sites | Inbound Requested Port | Request Redirected To |
| RDS.xman.com.au | 80 | 443 |
| ftp.xman.com.au | 80 | 443 |
| webmail.xman.com.au | 80 | 443 |
| sharepoint.xman.com.au | 80 | 443 |
Step1: Before you create a redirect trunk, note the following:
1. Make sure that you have already created the HTTPS trunk to which you want to redirect HTTP requests.
2. Make sure you define all the parameters of the HTTPS Connections trunk before you create the redirect trunk, including the definitions you make in the Forefront UAG Management console after completing the New Trunk Wizard.
If at a later stage, you change the IP address or port number of the HTTPS Connections trunk, do one of the following:
1. Update the IP address or port number manually in the relevant redirect trunk.
2. Delete the existing redirect trunk and create a new one.
3. Redirect trunks are not monitored by the Forefront UAG Web Monitor.
4. Sessions in redirect trunks are not calculated in the session count of Forefront UAG. When an HTTP session is redirected to HTTPS via a redirect trunk, it is only counted as one HTTPS session.
Step2: create a redirect trunk
1. In the Forefront UAG Management console, in the left navigation tree, right-click HTTP Connections, and then select New Trunk.
2. In the Create Trunk Wizard, select HTTP to HTTPS redirection, and then click Next.
3. All HTTPS trunks for which no redirect trunk exists are listed.
4. Select the HTTPS trunk to which you want to redirect HTTP requests, and then click Finish.
5. A new trunk with the same name as the HTTPS trunk you selected is created in the left navigation tree.
6. HTTP requests that arrive at the external Web site that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Step1: configure Exchange to use basic authentication
1. Start the Exchange Management Console.
2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).
4. In the Actions pane, under owa (Default Web Site), click Properties.
5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.
Step2: publish Outlook Web Access on a Forefront UAG portal
Right Click on HTTPS Connections, Click New Trunk, Click Next
Select Portal Trunk and Publish Exchange Applications via portal, Click Next
Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next
Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.
Type the service account which will talk to DC from UAG, Click Ok
Select the DC, Click Select. Leave rest of the settings as is. Click Next
Select the certificate which is issued by public certificate authority, exported from mail server and imported to UAG server. Click Next. Don’t worry about certificate screen shot. this is a test environment.
Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in above screen shot. This is a test environment. In production environment, common name of the certificate will be webmail.xman.com.au
Select Default and Click next
Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next
Type the name of the application, Click next
Select default and click next
On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.
Click Configure an application server, Click Next
On the Web Servers page of the wizard:
In the Addresses list, enter the IP address or host name of the Client Access server.
In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.
On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.
On the Outlook Anywhere Page, Select basic Authentication, Click next
On the Portal Link page of the wizard, configure the portal link for the application.
If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.
On the Authorization page of the wizard, select which users are authorized to access this application.
On the Completing the Add Application Wizard page of the wizard, click Finish.
Once configured, you will see the following screen.
If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.
To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
The following procedures describe how to export RemoteApp settings from RDS, and then publish RemoteApps and import the RemoteApp settings, via Forefront Unified Access Gateway (UAG).
Step1: Exporting RemoteApp settings from RDS
Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS.
1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.
2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.
3. In the Actions pane, click Export RemoteApp Settings.
4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.
5. Specify a location to save the .tspub file, and then click Save.
Step2: Publishing RemoteApps and importing RemoteApp settings
This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.
1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.
2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.
3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.
4. On the Select Endpoint Policies page of the wizard, do the following:
5. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.
6. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.
7. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:
8. Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.
9. Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.
10. Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.
11. On the Import RemoteApp Programs page of the wizard, do the following:
12. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.
13. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.
14. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.
15. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.
16. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.
17. Complete the Add Application Wizard.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Forefront UAG Patching Order
Forefront UAG Overview:
Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx
Assumptions:
The following servers is installed and configured in a test environment.
Systems Requirements:
| Option | Description |
| Virtual Machine Name | DC1TVUAG01 |
| Memory | 8GB |
| vCPU | 1 |
| Hard Disk 1 | 50GB |
| Hard Disk 2 | 50GB |
| Network Adapter | 2 |
| Guest Operating System | Windows Server 2008 R2 |
| Service Pack Level | SP1 |
Software Requirement:
| Version | Microsoft Forefront Unified Access Gateway 2010 |
| Service Pack Level | SP3 |
Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:
The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.
| Browser | Features |
| Firefox | Endpoint Session CleanupEndpoint detectionSSL Application TunnelingEndpoint Quarantine Enforcement |
| Internet Explorer | Endpoint Session CleanupEndpoint detectionSSL Application TunnelingSocket Forwarding
SSL Network Tunneling (Network Connector) Endpoint Quarantine Enforcement |
| Device Name | Features |
| Windows Phone | Premium mobile portal |
| iOS: 4.x and 5.x on iPhone and iPad | Premium mobile portal |
| Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0 | Premium mobile portal |
Service Account for Active Directory Authentication:
| Service Account | Privileges | Password |
| xmanSA-FUAG | Domain Users | Password set to never expired |
The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.
Antivirus Exclusion:
| Version | Paths | Processes |
| Forefront UAG 2010 | UAG installation folder (may be changed during installation) %ProgramFiles%Microsoft Forefront Unified Access Gateway |
Forefront UAG DNS-ALG Service %ProgramFiles%Microsoft Forefront Unified Access GatewayDnsAlgSrv.exeForefront UAG Monitoring Manager %ProgramFiles%Microsoft Forefront Unified Access GatewayMonitorMgrCom.exeForefront UAG Session Manager %ProgramFiles%Microsoft Forefront Unified Access GatewaySessionMgrCom.exeForefront UAG File Sharing %ProgramFiles%Microsoft Forefront Unified Access GatewayShareAccess.exe Forefront UAG Quarantine Enforcement Server Forefront UAG Terminal Services RDP Data Forefront UAG User Manager Forefront UAG Watch Dog Service Forefront UAG Log Server Forefront UAG SSL Network Tunneling Server |
The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.
There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:
Perimeter Port Requirement:
To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:
Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.
| Infrastructure server | Protocol | Port | Direction |
| Domain controller | Microsoft-DS traffic | TCP 445UDP 445 | From UAG to DC |
| Kerberos authentication | TCP 88UDP 88 | From UAG to DC | |
| LDAP | TCP 389UDP 389 | From UAG to DC | |
| LDAPS | TCP 636UDP 636 | From UAG to DC | |
| LDAP to GC | TCP 3268UDP 3268 | From UAG to DC | |
| LDAPS to GC | TCP 3269UCP 3269 | From UAG to DC | |
| DNS | TCP 53UDP 53 | From UAG to DC | |
| Exchange, SharePoint, RDS | HTTPS | TCP 443 | From external to internal server |
| FTP | FTP | TCP 21 | From external to internal server |
Scenario#2
In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.
UAG Network Configuration
The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:
· First in Order- UAG internal adapter connected to the trusted network.
· Second in Order- UAG external adapter connected to the untrusted network.
The following are the network configuration for UAG server.
| Option | IP Address | Subnet | Default Gateway | DNS |
| Internal Network | 10.10.10.2 | 255.255.255.0 | Not required | 10.10.10.1 |
| External Network | 192.168.1.1192.168.1.2192.168.1.3
192.168.1.4 192.168.1.5 |
255.255.255.0 | 192.168.1.254 | Not required |
Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.
Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers
Configuration Step 1 – Rename Network Adapters:
Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:
Configuration Step 2 – Configure Network Adapters:
The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.
Internal Network Adapter
The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.
External Network Adapter
Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.
Configuration Step 3 – Amend Bind Order:
Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:
Internal Network (Highest)
External Network (Lowest)
To amend network binding follow the steps below:
1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.
Configuration Step 4 – Run the UAG Network Interfaces Wizard:
You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.
Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.
DNS Forwarding:
The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:
| Purpose | Public Host Name | Public IP Address |
| Exchange | webmail.xman.com.au | 203.17.x.x |
| SharePoint | sharepoint.xman.com.au | 203.17.x.x |
| RDS | remote.xman.com.au | 203.17.x.x |
| FTP | ftp.xman.com.au | 203.17.x.x |
Scenario#1 Firewall Rules consideration
External NAT Rules
The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.
| Rule(s) | Description | Source IP | Public IP Address
(Destination IP Address) |
Port | NAT Destination |
| 1 | Exchange | Any | 203.17.x.x | 443 | 192.168.1.2 |
| 2 | SharePoint | Any | 203.17.x.x | 443 | 192.168.1.3 |
| 4 | RDS | Any | 203.17.x.x | 443 | 192.168.1.4 |
| 5 | FTP | Any | 203.17.x.x | 21 | 192.168.1.5 |
The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:
| Rule(s) | Description | Source IP | Port
TCP & UDP |
Destination |
| 1 | Exchange | 10.10.10.2 | TCP 443 | 10.10.10.3 |
| 2 | SharePoint | 10.10.10.2 | TCP 443 | 10.10.10.4 |
| 4 | RDS | 10.10.10.2 | TCP 443 | 10.10.10.5 |
| 5 | FTP | 10.10.10.2 | TCP 21 | 10.10.10.6 |
| 6 | Client | 10.10.12.0/24 | TCP 443
TCP 21 |
10.10.10.2 |
| 7 | Domain Controller | 10.10.10.2 | 445, 88, 53
389, 636 3268, 3296 |
10.10.10.1 |
Understanding Certificates requirements:
Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names. Certificates must be in .pfx format with private key within the certificate.
Launch Certificate Manager
1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:
2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.
3. Follow the instructions in the Certificate Import Wizard.
| Common Name | Subject Alternative Name | Certificate Issuer |
| RDS.xman.com.au | – | Verisign/Digicert |
| webmail.xman.com.au | autodiscover.xman.com.au | Verisign/Digicert |
| ftp.xman.com.au | – | Verisign/Digicert |
| sharepoint.xman.com.au | – | Verisign/Digicert |
Understanding Properties of Trunk
UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.
| Trunk Name | Public Host Name | HTTPS Port | External IP Address | Authentication Server(s) |
| Exchange | webmail.xman.com.au | 443 | 192.168.1.2 | DC1TVDC01 |
| SharePoint | sharepoint.xman.com.au | 433 | 192.168.1.3 | DC1TVDC01 |
| RDS | remote.xman.com.au | 443 | 192.168.1.4 | DC1TVDC01 |
| FTP | ftp.xman.com.au | 21 | 192.168.1.5 | DC1TVDC01 |
Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:
| URL List | Methods | Allow Rich Content |
| InternalSite_Rule54 | HEAD | Checked |
| SharePoint14AAM_Rule47 | HEAD | Checked |
Published Applications and Services:
Install Forefront UAG:
Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.
Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.
On the Welcome page of Setup, do the following:
Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.
Restart the Server.
Initial Configuration Using Getting Started Wizard
Before you run the initial configuration, you must patch the UAG with an order described in this article . To patch UAG, open command prompt using run as Administrator. Go to the location where you saved all the service packs and patches. Run one by one. Note that if you do not run the setup as an administrator setup will roll back and fail because it cannot modify registry.
In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
On the Define Network Adapter Settings page, in the Adapter name list do the following:
To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.
To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.
After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:
If you are running Forefront UAG on a single server, click Single server.
If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.
After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.
If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.
Configure Remote Desktop (RDP) to Forefront UAG
After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:
Ensure that remote desktop is enabled on the Forefront UAG server.
Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.
To do this, open the Forefront TMG Management console from the Start menu.
1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.
2. On the Rule Action, Click Allow, Click Next
3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next
4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next
5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.
Part 1: Install and Configure Forefront UAG Step by Step
Part 2: Publish RDS using Forefront UAG 2010 Step by Step
Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step
Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step
Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step
Part 6: Experience Mobile Browsing Using UAG 2010
Part 7: Publish FTP using UAG 2010
Part 8: Publish Application Specific Host Name using UAG 2010
Part 9: FF UAG 2010 Patching Order
Part 10: Publish Lync 2013 Using UAG 2010
Step1: configure Exchange to use basic authentication
1. Start the Exchange Management Console.
2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
3. Select your Client Access server, and then on the Outlook Web Access (or Outlook Web App) tab, select owa (Default Web Site).
4. In the Actions pane, under owa (Default Web Site), click Properties.
5. On the Authentication tab, click Use one or more of the following standard authentication methods, make sure that only the Basic authentication (password is sent in clear text) check box is selected, and then click OK.
Step2: publish Outlook Web Access on a Forefront UAG portal
Right Click on HTTPS Connections, Click New Trunk, Click Next
Select Portal Trunk and Publish Exchange Applications via portal, Click Next
Type the name of the trunk, type the name of the public host name i.e. FQDN of webmail. Click Next
Click Add on the Authentication page, Type the name of the domain Controller, Click Ok.
Type the service account which will talk to DC from UAG, Click Ok
Select the DC, Click Select. Leave rest of the settings as is. Click Next
Select the certificate which is issued by public certificate authority, exported from mail server and imported to UAG server. Click Next. Don’t worry about certificate screen shot. this is a test environment.
Select Use Forefront UAG Access Policies, Click Next. Don’t worry about the certificate shown in above screen shot. This is a test environment. In production environment, common name of the certificate will be webmail.xman.com.au
Select Default and Click next
Select OWA, Anywhere and ActiveSync, Select Exchange version from drop down menu, Click Next
Type the name of the application, Click next
Select default and click next
On the Deploying an Application page of the wizard, choose whether to publish a single Exchange Client Access server or a farm of load-balanced Exchange Client Access servers.
Click Configure an application server, Click Next
On the Web Servers page of the wizard:
In the Addresses list, enter the IP address or host name of the Client Access server.
In the Public host name box, enter the public host name for this application. The public host name must match the FQDN in the certificate. The public host name can be the same as the public host name of the trunk, if required.
On the Authentication page of the wizard, select an authentication server to authenticate users to the application, and click 401 request.
On the Outlook Anywhere Page, Select basic Authentication, Click next
On the Portal Link page of the wizard, configure the portal link for the application.
If you are publishing Exchange 2013 or Exchange 2010 and OWA is not the initial portal application, make sure that the Open in a new window check box is selected.
On the Authorization page of the wizard, select which users are authorized to access this application.
On the Completing the Add Application Wizard page of the wizard, click Finish.
Once configured, you will see the following screen.
If you want to define the Outlook Web Access application as the portal home page, in the Forefront UAG Management console, in the Initial application list, click the application that you added in this procedure.
To apply the Outlook Web Access look and feel to the Forefront UAG user interaction pages, in the Forefront UAG Management console, next to Configure trunk settings, click Configure, click the Authentication tab, and then select the Apply an Outlook Web Access look and feel check box. Confirm the changes to the logon settings, and then click OK.
On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.
Patching Requirements
Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.
Windows Patch Classification
The following are strongly recommended patches:
Windows Product Classification
It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).
Patching Groups
Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:
1. UAT (UAT1, UAT2, etc)
2. Test Environment (Test1, Test2, etc)
3. Development Environment (Dev1, Dev2 etc)
4. Production (Prod1, Prod2, etc)
If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.
Change Management
System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.
Backup
Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.
Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:
Application Compatibility
Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.
Documentation
Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.
Back out Plan
A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.
User Notifications
You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.
Consistency across Servers
Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.
Routine Maintenance Window
A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.
Patching Tools
I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.
Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.
Automate, Automate and Automate!
Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.
Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.
Reboot Windows Computer
Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.
X86 and X64 Windows Systems
The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.
Antivirus and Antispyware
Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.
Audit Practices
Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.
Log Retention
Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.
Installing Updates on a single Exchange Server
Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information
Check for publisher’s certificate revocation
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab, and then locate the Security section.
4. Clear the Check for publisher’s certificate revocation check box, and then click OK.
5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.
Pre-check before installing
1. Determine which update rollup packages are installed on your Exchange server roles
2. Determine whether any interim updates are installed
3. Review interim updates
4. Obtain the latest update rollup package
5. Apply on a Test Exchange Server
Install Exchange Update
1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.
2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.
Install Exchange Update on DAG Member
To update all DAG members, perform the following procedures on each DAG member, one at a time. Set the member server in maintenance mode using this PowerShell Command.
.StartDagServerMaintenance.ps1 <ServerName>
Install the update rollup
1. Close all Exchange management tools.
2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.
3. On the Welcome page, click Next.
4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.
5. On the Completion page, click Finish.
Once installed exit from maintenance mode run the StopDagServerMaintenance.ps1 script. Run the following command to re-balance the DAG, as needed
.RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution
When the installation is finished, complete the following tasks:
Patching Microsoft Failover Cluster
You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.
Procedure to install Windows service pack or hotfixes in Windows Server 2003:
Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:
You can use the following PowerShell Cmdlet to accomplish the same.
1. Load the module with the command: Import-Module FailoverClusters
2. Suspend (Pause) activity on a failover cluster nodeA: Suspend-ClusterNode nodeA
3. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeA | Get-ClusterGroup | Move-Cluster Group
4. Resume activity on nodeA that was suspended in step 5: Resume-ClusterNode nodeA
5. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeB | Get-ClusterGroup | Move-Cluster Group
6. Suspend (Pause) activity on other failover cluster node: Suspend-ClusterNode nodeB
7. Resume activity on nodeB that was suspended in step 10 above: Resume-ClusterNode nodeB
It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.
Bottom line
1. Read all related documents.
2. Use a change control process.
3. Apply updates that are needed.
4. Test patches and hotfixes on test environment.
5. Don’t get more than 2 service packs behind.
6. Target non-critical servers first.
7. Service Pack (SP) level consistency.
8. Latest SP instead of multiple hotfixes.
9. Apply only on exact match.
10. Subscribe to Microsoft email notification.
11. Always have a back-out plan.
12. Have a working Backup and schedule production downtime.
13. Consistency across Domain Controllers and application servers.
SQL Server failover cluster rolling patch and service pack process
Patch Management on Business-Critical Servers
You can run the Smart Update Firmware DVD either online or offline. When performing an offline deployment, you can boot the server from the Smart Update Firmware DVD or from a USB drive key that contains the Smart Update Firmware DVD contents. Download the latest Smart Update ISO, go to http://www.hp.com/support, Search the model of your server, select the Windows Operating System version, locate the Software – CD-ROM section on this page, and then click the Download button. Download and Save the ISO on Admin PC.
Temporarily disable BitLocker support to allow firmware updates in Windows Server:
1. Click Start, and then search for gpedit.msc in the Search Text box.
2. When the Local Group Policy Editor starts, click Local Computer Policy.
3. Click Computer ConfigurationAdministrative TemplatesWindows ComponentsBitlocker Drive Encryption.
4. When the BitLocker settings are displayed, double-click Control Panel Setup: Enable Advanced startup options.
5. When the dialog box appears, click Disable.
6. Close all windows, and then start the firmware update.
Deploying components online
1. Insert the Smart Update Firmware DVD or USB drive key. The Smart Update Firmware DVD interface opens. Open a CLI. To access the Smart Update Firmware DVD, enter one of the following commands:
On Windows operating systems, enter:
_autorunautorun_win
On Linux operating systems, enter:
/autorun
2. Read the End-User License Agreement. To continue, click Agree. The Smart update Firmware DVD interface appears.
3. Click the Firmware Update tab.
4. Click Install Firmware. HP SUM is initiated.
5. Select and install components.
Deploying offline
1. Plug in the USB key with the Automatic Mode ISO image or use the Automatic Mode ISO image from a hard drive on a remote client computer.
2. Using Microsoft Internet Explorer, browse to ILO Management IP address.
3. Log in with your iLO administrative credentials.
4. Click the virtual media tab, and then click Virtual Media Applet.
5. In the Virtual CD/DVD-ROM section, click Local Image File.
6. Click Browse. Locate the firmware ISO image, and then click Open.
7. To connect to the ISO image, click Connect.
8. Return to the iLO website. Click the Power Management tab.
9. Using the Momentary Press button, power up the server.
10. Once booted, at the menu, select either Automatic Mode (default) or Interactive Mode. At the prompt, select a language and keyboard.
11. Click Continue. Read the End-User License Agreement. To continue, click Agree. The Smart Update Firmware DVD interface appears.
12. Click the Firmware Update tab. Click Install Firmware. HP SUM is initiated.
13. Select and install components. Reboot the server. A remote console session is terminated if the iLO firmware is updated during the Automatic Mode firmware update process.
The Time Service tool (W32tm) is a required protocol by the Kerberos authentication in Microsoft Active Directory. Windows time services ensure that entire server and client fleet in an organization that are running the Microsoft operating system use a common and correct time.
To ensure correct time usage, the Windows time service uses a hierarchical control of time services and avoids any loops in time hierarchy. In this hierarchy, the PDC emulator of Active Directory FSMO role is at the root of the forest becomes authoritative for the organization. By default, Windows-based domain joined computers use the following hierarchy:
Microsoft recommends the following:
Before you configure NTP Server and Client, you must consider the following for time Services for a virtualized Domain Controller and/or virtual machines.
Step1: Remove Time Synchronisation of Guest with Host
Follow the procedure if the host is Hyper-v Host
1. If the virtual machine is on Hyper-V, Right click the VM, Click Settings, choose Integration Services under Management.
2. On the Integration Service, uncheck Time synchronization.
3. Click OK.
Follow the procedure if the host is ESXi Host
1. If the virtual machine is on VMware ESXi, Right click on VM, Click Edit Settings,
2. Click Option, Click VMware Tools, uncheck Synchronise guest time with host, Click Ok.
Step2: Configure Cisco Switch as NTP Source
|
global configuration mode |
switch# config t |
|
Enable NTP |
switch(config)#ntp enable |
|
Show NTP Status |
switch(config)# show ntp status |
|
configures the NTP server |
switch(config)#ntp server {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name] |
|
configures the NTP peer to communicate over |
switch(config)#ntp peer {ip-address | ipv6-address | dns-name} [prefer] [use-vrf vrf-name] |
|
Displays the configured server and |
switch(config)#show ntp peers |
| Saves the changes |
switch(config)# copy running-config startup-config |
Follow this example to configure Cisco 6000 series as NTP on High Availability Catalyst 6000 Switch. Cisco NTP guide is available here.
Step3: Configure a Domain Controller as a NTP Server
Follow the procedure to configure NTP server using elevated command line otherwise use step3 to configure NTP server using GPO. My recommended approach is GPO instead of command line. But if you are command line junky then you can use this command line.
Netdom query fsmo
net stop w32time
w32tm /unregister
w32tm /register
Net start w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”au.pool.ntp.org time.windows.com” /reliable:yes /update
when using hardware time source, use this command
w32tm /config /syncfromflags:manual /manualpeerlist:”IP Address (DNS if available) of Cisco Core Switch” /reliable:yes /update
w32tm /config /update
net stop w32time && net start w32time
w32tm /resync /rediscover
Query the time configuration to make sure time is configured as desired
W32TM /query /status
w32tm /query /peers
w32tm /query /configuration
Step4: Configure a NTP Server using Group Policy Object
|
Clock Discipline Parameters |
|
|
FrequencyCorrectRate |
4 |
|
HoldPeriod |
5 |
|
LargePhaseOffset |
50000000 |
|
MaxAllowedPhaseOffset |
300 |
|
MaxNegPhaseCorrection |
300 |
|
MaxPosPhaseCorrection |
300 |
|
PhaseCorrectRate |
1 |
|
PollAdjustFactor |
5 |
|
SpikeWatchPeriod |
900 |
|
UpdateInterval |
30000 |
|
General Parameters |
|
|
AnnounceFlags |
5 |
|
EventLogFlags |
2 |
|
LocalClockDispersion |
10 |
|
MaxPollInterval |
10 |
|
MinPollInterval |
6 |
|
ChainEntryTimeout |
|
|
ChainMaxEntries |
|
|
ChainMaxHostEntries |
|
|
ChainDisable |
|
|
ChainLoggingRate |
4. Expand to Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers, Enable Enable Windows NTP Client and Enable Windows NTP Server. Double Click Configure Windows NTP Client settings, type NTP server Name (example shown below),
|
NtpServer |
au.pool.ntp.org time.windows.com OR IP Address of Cisco Core Switch if you are using Hardware Time Provider. |
|
Type |
NTP |
|
CrossSiteSyncFlags |
2 |
|
ResolvePeerBackoffMinutes |
15 |
|
ResolvePeerBackoffMaxTimes |
7 |
|
SpecialPollInterval |
3600 |
|
EventLogFlags |
1 |
Standard time configuration should look like this:
|
Location |
Configuration |
Status |
Settings |
|
Computer ConfigurationAdministrative TemplatesSystemWindows Time Service |
Configure Global Configuration Settings here |
Enabled |
Default |
|
Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers |
Configure Windows NTP Client settings here. |
Enabled |
au.pool.ntp.org time.windows.com |
|
Enable Windows NTP Client here. Enable |
Enabled |
– |
|
|
Enable Windows NTP Server here. |
Enabled |
– |
Step5: Create and link a separate GPO for domain joined client or server
|
Clock Discipline Parameters |
|
|
FrequencyCorrectRate |
4 |
|
HoldPeriod |
5 |
|
LargePhaseOffset |
50000000 |
|
MaxAllowedPhaseOffset |
300 |
|
MaxNegPhaseCorrection |
300 |
|
MaxPosPhaseCorrection |
300 |
|
PhaseCorrectRate |
1 |
|
PollAdjustFactor |
5 |
|
SpikeWatchPeriod |
900 |
|
UpdateInterval |
30000 |
|
General Parameters |
|
|
AnnounceFlags |
5 |
|
EventLogFlags |
2 |
|
LocalClockDispersion |
10 |
|
MaxPollInterval |
10 |
|
MinPollInterval |
6 |
|
ChainEntryTimeout |
|
|
ChainMaxEntries |
|
|
ChainMaxHostEntries |
|
|
ChainDisable |
|
|
ChainLoggingRate |
4. Expand to Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers, Enable Enable Windows NTP Client and Enable Windows NTP Server. Double Click Configure Windows NTP Client settings, type NTP server Name (example shown below),
|
NtpServer |
dc.superplaneteers.com |
|
Type |
NT5DS |
|
CrossSiteSyncFlags |
2 |
|
ResolvePeerBackoffMinutes |
15 |
|
ResolvePeerBackoffMaxTimes |
7 |
|
SpecialPollInterval |
3600 |
|
EventLogFlags |
1 |
Standard configuration should look like this:
|
Location |
Configuration |
Status |
settings |
|
Computer ConfigurationAdministrative TemplatesSystemWindows Time Service |
Configure Global Configuration Settings here |
Enabled |
Default |
|
Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers |
Configure Windows NTP Client settings here. |
Enabled |
NT5DS |
|
Enable Windows NTP Client here. Enable |
Enabled |
– |
|
|
Enable Windows NTP Server here. |
Disabled |
– |
Broadcasting Time Configuration using DHCP Server
Note that use either GPO to configure time or DHCP to broadcast time for Windows 7 and Windows 8 clients. My recommendation is to use GPO to configure time for windows client. However here is a guide how to configure Windows Time via DHCP.
NTP Client Configuration for domain joined Hyper-v Server 2012
NTP Client Configuration for non domain joined Hyper-v Server 2012
w32tm /config /syncfromflags:manual /manualpeerlist:”dc.superplaneteers.com” /reliable:yes /update
Where DC.superplaneteers.com is the PDC and Time Provider.
net stop w32time && net start w32time
w32tm /resync /rediscover
Query the time configuration to make sure time is configured as desired
W32TM /query /status
w32tm /query /peers
w32tm /query /configuration
NTP Client Configuration in ESXi Host
Open Virtual Infrastructure Client, Connect to Virtual Center, Expand Data Center, Expand Cluster, Select ESXi Host, Click Configuration, Click Time Configuration, Click Property
![clip_image002[4]](http://microsoftguru.com.au/wp-content/uploads/2013/06/clip_image0024.jpg "clip_image002[4]")
On the General Tab, Select Start and Stop with Host
![clip_image004[4]](http://microsoftguru.com.au/wp-content/uploads/2013/06/clip_image0044.jpg "clip_image004[4]")
Click NTP Settings, Click Add, Type FQDN of Domain Controller, Click Ok, Click Ok
![clip_image006[4]](http://microsoftguru.com.au/wp-content/uploads/2013/06/clip_image0064.jpg "clip_image006[4]")
If you have a Host Profile in Virtual Center, Click Home, Click Host Profiles, Click Create a Host Profile or Edit an existing Host Profile, Expand date and time configuration, Click Time Settings, Type FQDN of DC, Click Ok.
![clip_image008[4]](http://microsoftguru.com.au/wp-content/uploads/2013/06/clip_image0084.jpg "clip_image008[4]")
Time drifting error in Windows Machine
Time can drift for many reasons for example network latency and misconfiguration of time services. You may find time drifting event in Windows Server event log which is shown below. A troubleshooting guide has been provided in below URL.
![clip_image010[4]](http://microsoftguru.com.au/wp-content/uploads/2013/06/clip_image0104.jpg "clip_image010[4]")
Further Study
Timekeeping best practices for Windows on ESXi Host
Detailed explanation of time configuration GPO
Physical Hardware Requirements -Up to 23 instances of SQL Server requires the following resource:
Software Requirements
Download SQL Server 2012 installation media. Review SQL Server 2012 Release Notes. Install the following prerequisite software on each failover cluster node and then restart nodes once before running Setup.
Active Directory Requirements
Unsupported Configuration
the following are the unsupported configuration:
Permission Requirements
System admin or project engineer who will be performing the tasks of creating cluster must be a member of at least Domain Users security group with permission to create domain computers objects in Active Directory and must be a member of administrators group on each clustered server.
Network settings and IP addresses requirements
you need at least two network card in each cluster node. One network card for domain or client connectivity and another network card heartbeat network which is shown below.
The following are the unique requirements for MS cluster.
Domain Network should be configured with IP Address, Subnet Mask, Default Gateway and DNS record.
Heartbeat network should be configured with only IP address and subnet mask.
Additional Requirements
Supported Operating Systems
In a simple definition, quorum is a voting mechanism in a Microsoft cluster. Each node has one vote. In a MSCS cluster, this voting mechanism constantly monitor cluster that how many nodes are online and how nodes are required to run the cluster smoothly. Each node contains a copy of cluster information and their information is also stored in witness disk/directory. For a MSCS, you have to choose a quorum among four possible quorum configurations.
Why quorum is necessary? Network problems can interfere with communication between cluster nodes. This can cause serious issues. To prevent the issues that are caused by a split in the cluster, the cluster software requires that any set of nodes running as a cluster must use a voting algorithm to determine whether, at a given time, that set has quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster will know how many “votes” constitutes a majority (that is, a quorum). If the number drops below the majority, the cluster stops running. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not begin to function as a cluster until the quorum exists again.
Hardware: A multi-site cluster requires redundant hardware with correct capacity, storage functionality, replication between sites, and network characteristics such as network latency.
Number of nodes and corresponding quorum configuration: For a multi-site cluster, Microsoft recommend having an even number of nodes and, for the quorum configuration, using the Node and File Share Majority option that is, including a file share witness as part of the configuration. The file share witness can be located at a third site, that is, a different location from the main site and secondary site, so that it is not lost if one of the other two sites has problems.
Network configuration—deciding between multi-subnets and a VLAN: configuring a multi-site cluster with different subnets is supported. However, when using multiple subnets, it is important to consider how clients will discover services or applications that have just failed over. The DNS servers must update one another with this new IP address before clients can discover the service or application that has failed over. If you use VLANs with multi-site you must reduce the Time to Live (TTL) of DNS discovery.
Tuning of heartbeat settings: The heartbeat settings include the frequency at which the nodes send heartbeat signals to each other to indicate that they are still functioning, and the number of heartbeats that a node can miss before another node initiates failover and begins taking over the services and applications that had been running on the failed node. In a multi-site cluster, you might want to tune the “heartbeat” settings. You can tune these settings for heartbeat signals to account for differences in network latency caused by communication across subnets.
Replication of data: Replication of data between sites is very important in a multi-site cluster, and is accomplished in different ways by different hardware vendors. Therefore, the choice of the replication process requires careful consideration. There are many options you will find while replicating data. But before you make any decision, consult with your storage vendor, server hardware vendor and software vendors. Depending on vendor like NetApp and EMC, your replication design will change. Review the following considerations:
Choosing replication level ( block, file system, or application level): The replication process can function through the hardware (at the block level), through the operating system (at the file system level), or through certain applications such as Microsoft Exchange Server (which has a feature called Cluster Continuous Replication or CCR). Work with your hardware and software vendors to choose a replication process that fits the requirements of your organization.
Configuring replication to avoid data corruption: The replication process must be configured so that any interruptions to the process will not result in data corruption, but instead will always provide a set of data that matches the data from the main site as it existed at some moment in time. In other words, the replication must always preserve the order of I/O operations that occurred at the main site. This is crucial, because very few applications can recover if the data is corrupted during replication.
Choosing between synchronous and asynchronous replication: The replication process can be synchronous, where no write operation finishes until the corresponding data is committed at the secondary site, or asynchronous, where the write operation can finish at the main site and then be replicated (as a background operation) to the secondary site.
Synchronous Replication means that the replicated data is always up-to-date, but it slows application performance while each operation waits for replication. Synchronous replication is best for multi-site clusters that can are using high-bandwidth, low-latency connections. Typically, this means that a cluster using synchronous replication must not be stretched over a great distance. Synchronous replication can be performed within 200km distance where a reliable and robust WAN connectivity with enough bandwidth is available. For example, if you have GigE and Ten GigE MPLS connection you would choose synchronous replication depending on how big is your data.
Asynchronous Replication can help maximize application performance, but if failover to the secondary site is necessary, some of the most recent user operations might not be reflected in the data after failover. This is because some operations that were finished recently might not yet be replicated. Asynchronous replication is best for clusters where you want to stretch the cluster over greater geographical distances with no significant application performance impact. Asynchronous replication is performed when distance is more than 200km and WAN connectivity is not robust between sites.
Windows® Storage Server 2012 is the Windows Server® 2012 platform of choice for network-attached storage (NAS) appliances offered by Microsoft partners.
Windows Storage Server 2012 enhances the traditional file serving capabilities and extends file based storage for application workloads like Hyper-V, SQL, Exchange and Internet information Services (IIS). Windows Storage Server 2012 provides the following features for an organization.
Workgroup Edition
Standard Edition
From the Server Manager, Click Add roles and features, On the Before you begin page, Click Next. On the installation type page, Click Next.
On the Server Roles Selection page, Select iSCSI Target and iSCSI target storage provider, Click Next
On the Feature page, Click Next. On the Confirm page, Click Install. Click Close.
On the Server Manager, Click File and Storage Services, Click iSCSI
On the Task Button, Click New iSCSI Target, Select the Disk drive from where you want to present storage, Click Next
Type the Name of the Storage, Click Next
Type the size of the shared disk, Click Next
Select New iSCSI Target, Click Next
Type the name of the target, Click Next
Select the IP Address on the Enter a value for selected type, Type the IP address of cluster node, Click Ok. Repeat the process and add IP address for the cluster nodes.
Type the CHAP information. note that CHAP password must be 12 character. Click Next to continue.
Click Create to create a shared storage. Click Close once done.
Repeat the step to create all shared drive of your preferred size and create a shared drive of 2GB size for quorum disk.
Step1: Connect the cluster servers to the networks and storage
1. Review the details about networks in Hardware Requirements for a Two-Node Failover Cluster and Network infrastructure and domain account requirements for a two-node failover cluster, earlier in this guide.
2. Connect and configure the networks that the servers in the cluster will use.
3. Follow the manufacturer’s instructions for physically connecting the servers to the storage. For this article, we are using software iSCSI initiator. Open software iSCSI initiator from Server manager>Tools>iSCSI Initiator. Type the IP address of target that is the IP address of Microsoft Windows Storage Server 2012. Click Quick Connect, Click Done.
5. Open Computer Management, Click Disk Management, Initialize and format the disk using either MBR and GPT disk type. Go to second server, open Computer Management, Click Disk Management, bring the disk online simply by right clicking on the disk and clicking bring online. Ensure that the disks (LUNs) that you want to use in the cluster are exposed to the servers that you will cluster (and only those servers).
6. On one of the servers that you want to cluster, click Start, click Administrative Tools, click Computer Management, and then click Disk Management. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.) In Disk Management, confirm that the cluster disks are visible.
7. If you want to have a storage volume larger than 2 terabytes, and you are using the Windows interface to control the format of the disk, convert that disk to the partition style called GUID partition table (GPT). To do this, back up any data on the disk, delete all volumes on the disk and then, in Disk Management, right-click the disk (not a partition) and click Convert to GPT Disk.
8. Check the format of any exposed volume or LUN. Use NTFS file format.
In this step, you install the failover cluster feature. The servers must be running Windows Server 2012.
1. Open Server Manager, click Add roles and features. Follow the screen, go to Feature page.
2. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.
5. Repeat the process for each server that you want to include in the cluster.
Before creating a cluster, I strongly recommend that you validate your configuration. Validation helps you confirm that the configuration of your servers, network, and storage meets a set of specific requirements for failover clusters.
1. To open the failover cluster snap-in, click Server Manager, click Tools, and then click Failover Cluster Manager.
2. Confirm that Failover Cluster Manager is selected and then, in the center pane under Management, click Validate a Configuration. Click Next.
3. On the Select Server Page, type the fully qualified domain name of the nodes you would like to add in the cluster, then click Add.
4. Follow the instructions in the wizard to specify the two servers and the tests, and then run the tests. To fully validate your configuration, run all tests before creating a cluster. Click next
5. On the confirmation page, Click Next
6. The Summary page appears after the tests run. To view the results, click Report. Click Finish. You will be prompted to create a cluster if you select Create the Cluster now using validation nodes.
5. While still on the Summary page, click View Report and read the test results.
To view the results of the tests after you close the wizard, see
SystemRootClusterReportsValidation Report date and time.html
where SystemRoot is the folder in which the operating system is installed (for example, C:Windows).
6. As necessary, make changes in the configuration and rerun the tests.
1. To open the failover cluster snap-in, click Server Manager, click Tools, and then click Failover Cluster Manager.
2. Confirm that Failover Cluster Management is selected and then, in the center pane under Management, click Create a cluster. If you did not close the validation nodes then the validation wizard automatically open cluster creation wizard. Follow the instructions in the wizard to specify, Click Next
3. Verify the IP address and cluster node name and click Next
4. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report. Click Finish.
Step5: Verify Cluster Configuration
On the Cluster Manager, Click networks, right click on each network, Click Property, make sure Allow clients to connect through this network is unchecked for heartbeat network. verify IP range. Click Ok.
On the Cluster Manager, Click networks, right click on each network, Click Property, make sure Allow clients to connect through this network is checked for domain network. verify IP range. Click Ok.
On the Cluster Manager, Click Storage, Click disks, verify quorum disk and shared disks are available. You can add multiple of disks by simply click Add new disk on the Task Pan.
An automated MSCS cluster configuration will add quorum automatically. However you can manually configure desired cluster quorum by right clicking on cluster>More Actions>Configure Cluster Quorum Settings.
In the previous steps you have configured a MSCS cluster, to configure a Hyper-v cluster all you need to do is install Hyper-v role in each cluster node. from the Server Manager, Click Add roles and features, follow the screen and install Hyper-v role. A reboot is required to install Hyper-v role. Once role is installed in both node.
Note that at this stage add Storage for Virtual Machines and networks for Live Migration, Storage network if using iSCSI, Virtual Machine network, and Management Network. detailed configuration is out of scope for this article as I am writing about MSCS cluster not Hyper-v.
from the Cluster Manager, Right Click on Networks, Click Network for Live Migration, Select appropriate network for live Migration.
If you would like to have virtual machine additional fault tolerance like Hyper-v Replica, Right Click Cluster virtual node, Click Configure Role, Click Next.
From Select Role page, Click Hyper-v Replica broker, Click Next. Follow the screen.
From the Cluster manager, right Click on Roles, Click Virtual machine, Click New Hard Disk to configure virtual machine storage and virtual machine configuration disk drive. Once done, From the Cluster manager, right Click on Roles, Click Virtual machine, Click New Virtual machine to create virtual machine.
There are multiple methods for backing up information that is stored on Cluster Shared Volumes in a failover cluster running on
Operating System Level backup
The backup application runs within a virtual machine in the same way that a backup application runs within a physical server. When there are multiple virtual machines being managed centrally, each virtual machine can run a backup “agent” (instead of running an individual backup application) that is controlled from the central management server. Backup agent backs up application data, files, folder and systems state of operating systems.
Hyper-V Image Level backup
The backup captures all the information about multiple virtual machines that are configured in a failover cluster that is using Cluster Shared Volumes. The backup application runs through Hyper-V, which means that it must use the VSS Hyper-V writer. The backup application must also be compatible with Cluster Shared Volumes. The backup application backs up the virtual machines that are selected by the administrator, including all the VHD files for those virtual machines, in one operation. VM1_Data.VHDX, VM2_data.VHDX and VM1_System.VHDX, VM2_system.VHDX are stored in a backup disk or tape. VM1_System.VHDX and VM2_System.VHDX contain system files and page files i.e. system state, snapshot and VM configuration are stored as well.
1. To open the failover cluster snap-in, click Server Manager, click Tools, and then click Failover Cluster Manager.
2. Right Click on Roles, click Configure Role to publish a service or application
3. Select a Cluster Services or Application, and then click Next.
4. Follow the instructions in the wizard to specify the following details:
5. On Select Storage page, Select the storage volume or volumes that the clustered file server should use. Click Next
6. On the confirmation Page, review and Click Next
7. After the wizard runs and the Summary page appears, to view a report of the tasks the wizard performed, click View Report.
8. To close the wizard, click Finish.
9. In the console tree, make sure Services and Applications is expanded, and then select the clustered file server that you just created.
10. After completing the wizard, confirm that the clustered file server comes online. If it does not, review the state of the networks and storage and correct any issues. Then right-click the new clustered application or service and click Bring this service or application online.
Perform a Failover Test
To perform a basic test of failover, right-click the clustered file server, click Move this service or application to another node, and click the available choice of node. When prompted, confirm your choice. You can observe the status changes in the center pane of the snap-in as the clustered file server instance is moved.
|
Task |
PowerShell command |
|
Run validation tests on a list of servers. |
Where |
|
Create a cluster using defaults for most settings. |
Where |
|
Configure a clustered file server using defaults for most settings. |
Where |
|
Configure a clustered print server using defaults for most settings. |
Where |
|
Configure a clustered virtual machine using defaults for most settings. |
Where |
|
Add available disks. |
|
|
Review the state of nodes. |
|
|
Run validation tests on a new server. |
Where |
|
Prepare a node for maintenance. |
Where |
|
Pause a node. |
Where |
|
Resume a node. |
Where |
|
Stop the Cluster service on a node. |
Where |
|
Start the Cluster service on a node. |
Where |
|
Review the signature and other properties of a cluster disk. |
Where |
|
Move Available Storage to a particular node. |
Where |
|
Turn on maintenance for a disk. |
Where |
|
Turn off maintenance for a disk. |
Where |
|
Bring a clustered service or application online. |
Where |
|
Take a clustered service or application offline. |
Where |
|
Move or Test a clustered service or application. |
Where |
Use the following instructions to migrate clustered services and applications from your old cluster to your new cluster. After the Migrate a Cluster Wizard runs, it leaves most of the migrated resources offline, so that you can perform additional steps before you bring them online. If the new cluster uses old storage, plan how you will make LUNs or disks inaccessible to the old cluster and accessible to the new cluster (but do not make changes yet).
1. To open the failover cluster snap-in, click Administrative Tools, and then click Failover Cluster Manager.
2. In the console tree, if the cluster that you created is not displayed, right-click Failover Cluster Manager, click Manage a Cluster, and then select the cluster that you want to configure.
3. In the console tree, expand the cluster that you created to see the items underneath it.
4. If the clustered servers are connected to a network that is not to be used for cluster communications (for example, a network intended only for iSCSI), then under Networks, right-click that network, click Properties, and then click Do not allow cluster network communication on this network. Click OK.
5. In the console tree, select the cluster. Click Configure, click Migrate services and applications.
6. Read the first page of the Migrate a Cluster Wizard, and then click Next.
7. Specify the name or IP Address of the cluster or cluster node from which you want to migrate resource groups, and then click Next.
8. Click View Report. The wizard also provides a report after it finishes, which describes any additional steps that might be needed before you bring the migrated resource groups online.
9. Follow the instructions in the wizard to complete the following tasks:
14. When the wizard completes, most migrated resources will be offline. Leave them offline at this stage.
Completing the transition from the old cluster to the new cluster. You must perform the following steps to complete the transition to the new cluster running Windows Server 2012.
1. Prepare for clients to experience downtime, probably brief.
2. Take each resource group offline on the old cluster.
3. Complete the transition for the storage:
4. If the new cluster uses mount points, adjust the mount points as needed, and make each disk resource that uses a mount point dependent on the resource of the disk that hosts the mount point.
5. Bring the migrated services or applications online on the new cluster. To perform a basic test of failover on the new cluster, expand Services and Applications, and then click a migrated service or application that you want to test.
6. To perform a basic test of failover for the migrated service or application, under Actions (on the right), click Move this service or application to another node, and then click an available choice of node. When prompted, confirm your choice. You can observe the status changes in the center pane of the snap-in as the clustered service or application is moved.
7. If there are any issues with failover, review the following:
Migrating Cluster Resource with new Mount Point
When you are working with new storage for your cluster migration, you have some flexibility in the order in which you complete the tasks. The tasks that you must complete include creating the mount points, running the Migrate a Cluster Wizard, copying the data to the new storage, and confirming the disk letters and mount points for the new storage. After completing the other tasks, configure the disk resource dependencies in Failover Cluster Manager.
A useful way to keep track of disks in the new storage is to give them labels that indicate your intended mount point configuration. For example, in the new storage, when you are mounting a new disk in a folder called Mount1-1 on another disk, you can also label the mounted disk as Mount1-1. (This assumes that the label Mount1-1 is not already in use in the old storage.) Then when you run the Migrate a Cluster Wizard and you need to specify that disk for a particular migrated resource, you can look at the list and select the disk labeled Mount1-1. Then you can return to Failover Cluster Manager to configure the disk resource for Mount1-1 so that it is dependent on the appropriate resource, for example, the resource for disk F. Similarly, you would configure the disk resources for all other disks mounted on disk F so that they depended on the disk resource for disk F.
A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Users experience a minimum of disruptions in service.
This guide describes the steps that are necessary when migrating a clustered DHCP server to a cluster running Windows Server 2008 R2, beyond the standard steps required for migrating clustered services and applications in general. The guide indicates when to use the Migrate a Cluster Wizard in the migration, but does not describe the wizard in detail.
Step 1: Review requirements and create a cluster running Windows Server 2012
Before beginning the migration described in this guide, review the requirements for a cluster running Windows Server 2008 R2, install the failover clustering feature on servers running Windows Server 2008 R2, and create a new cluster.
Step 2: On the old cluster, adjust registry settings and permissions before migration
To prepare for migration, you must make changes to registry settings and permissions on each node of the old cluster.
1. Confirm that you have a current backup of the old cluster, one that includes the configuration information for the clustered DHCP server (also called the DHCP resource group).
2. Confirm that the clustered DHCP server is online on the old cluster. It must be online while you complete the remainder of this procedure.
3. On a node of the old cluster, open a command prompt as an administrator.
4. Type: regedit Navigate to:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesDHCPServerParameters
5. Choose the option that applies to your cluster: If the old cluster is running Windows Server 2008, skip to step 7. If the old cluster is running Windows Server 2003 or Windows Server 2003 R2:
6. Right-click Parameters, and then click Permissions.
7. Click Add. Locate the appropriate account and assign permissions:
8. Repeat the process on the other node or nodes of the old cluster.
Step 3: On a node in the old cluster, prepare for export, and then export the DHCP database to a file
As part of migrating a clustered DHCP server, on the old cluster, you must export the DHCP database to a file. This requires preparatory steps that prevent the cluster from restarting the clustered DHCP resource during the export. The following procedure describes the process. On the old cluster, start the clustering snap-in and configure the restart setting for the clustered DHCP server (DHCP resource group):
1. Click Start, click Administrative Tools, and then click Failover Cluster Management. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. If the console tree is collapsed, expand the tree under the cluster that you are migrating settings from. Expand Services and Applications and then, in the console tree, click the clustered DHCP server.
3. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, do not restart.
This step prevents the resource from restarting during the export of the DHCP database, which would stop the export.
1. On the node of the old cluster that currently owns the clustered DHCP server, confirm that the clustered DHCP server is running. Then open a command prompt window as an administrator.
2. Type: netsh dhcp server export <exportfile> all
Where <exportfile> is the name of the file to which you want to export the DHCP database.
3. After the export is complete, in the clustering interface (Cluster Administrator or Failover Cluster Management), right-click the clustered DHCP server (DHCP resource group) and then click either Take Offline or Take this service or application offline. If the command is unavailable, in the center pane, right-click each online resource and click either Take Offline or Take this resource offline. If prompted for confirmation, confirm your choice.
4. If the old cluster is running Windows Server 2003 or Windows Server 2003 R2, obtain the account name and password for the Cluster service account (the Active Directory account used by the Cluster service on the old cluster). Alternatively, you can obtain the name and password of another account that has access permissions for the Active Directory computer accounts (objects) that the old cluster uses. For a migration from a cluster running Windows Server 2003 or Windows Server 2003 R2, you will need this information for the next procedure.
Step 4: On the new cluster, configure a network for DHCP clients and run the Migrate a Cluster Wizard
Microsoft recommends that you make the network settings on the new cluster as similar as possible to the settings on the old cluster. In any case, on the new cluster, you must have at least one network that DHCP clients can use to communicate with the cluster. The following procedure describes the cluster setting needed on the client network, and indicates when to run the Migrate a Cluster Wizard.
1. On the new cluster (running Windows Server 2012), click Server Manager, click Tools, and then click Failover Cluster Manager.
2. If the cluster that you want to configure is not displayed, in the console tree, right-click Failover Cluster Manager, click Manage a Cluster, and then select or specify the cluster that you want.
3. If the console tree is collapsed, expand the tree under the cluster.
4. Expand Networks, right-click the network that clients will use to connect to the DHCP server, and then click Properties.
5. Make sure that Allow cluster network communication on this network and Allow clients to connect through this network are selected.
6. To prepare for the migration process, find and take note of the drive letter used for the DHCP database on the old cluster. Ensure that the same drive letter exists on the new cluster. (This drive letter is one of the settings that the Migrate a Cluster Wizard will migrate.)
7. In Failover Cluster Manager, in the console tree, select the new cluster, and then under Configure, click Migrate services and applications.
8. Use the Migrate a Cluster Wizard to migrate the DHCP resource group from old to the new cluster. If you are using new storage on the new cluster, during the migration, be sure to specify the disk that has the same drive letter on the new cluster as was used for the DHCP database on the old cluster. The wizard will migrate resources and settings, but not the DHCP database.
Step 5: On the new cluster, import the DHCP database, bring the clustered DHCP server online, and adjust permissions
To complete the migration process, import the DHCP database that you exported to a file in Step 2. Then you can bring the clustered DHCP server online and adjust settings that were changed temporarily during the migration process.
1. If you are reusing the old cluster storage for the new cluster, confirm that you have stored the exported DHCP database file in a safe location. Then be sure to delete all the DHCP files other than the exported DHCP database file from the old storage. This includes the DHCP database, log, and backup files.
2. On the new cluster, in Failover Cluster Manager, expand Services and Applications, right-click the clustered DHCP server, and then click Bring this service or application online. The DHCP service starts with an empty database.
3. Click the clustered DHCP server.
4. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, do not restart. This step prevents the resource from restarting during the import of the DHCP database, which would stop the import.
5. In the new cluster, on the node that currently owns the migrated DHCP server, view the disk used by the migrated DHCP server, and make sure that you have copied the exported DHCP database file to this disk.
6. In the new cluster, on the node that currently owns the migrated DHCP server, open a command prompt as an administrator. Change to the disk used by the migrated DHCP server.
7. Type: netsh dhcp server import <exportfile>
Where <exportfile> is the filename of the file to which you exported the DHCP database.
8. If the migrated DHCP server is not online, in Failover Cluster Manager, under Services and Applications, right-click the migrated DHCP server, and then click Bring this service or application online.
9. In the center pane, right-click the DHCP server resource, click Properties, click the Policies tab, and then click If resource fails, attempt restart on current node.
This returns the resource to the expected setting, instead of the “do not restart” setting that was temporarily needed during the import of the DHCP database.
10. If the cluster was migrated from Windows Server 2003 or Windows Server 2003 R2, after the clustered DHCP server is online on the new cluster, make the following changes to permissions in the registry:
11. Perform the preceding steps only after DHCP is online on the new cluster. After you complete these steps, you can test the clustered DHCP server and begin to provide DHCP services to clients.
To install or upgrade a SQL Server failover cluster, you must run the Setup program on each node of the failover cluster. To add a node to an existing SQL Server failover cluster, you must run SQL Server Setup on the node that is to be added to the SQL Server failover cluster instance. Do not run Setup on the active node to manage the other nodes. The following options are available for SQL Server failover cluster installation:
Option1: Integration Installation with Add Node
Create and configure a single-node SQL Server failover cluster instance. When you configure the node successfully, you have a fully functional failover cluster instance. At this point, it does not have high availability because there is only one node in the failover cluster. On each node to be added to the SQL Server failover cluster, run Setup with Add Node functionality to add that node.
Option 2: Advanced/Enterprise Installation
After you run the Prepare Failover Cluster on one node, Setup creates the Configuration.ini file that lists all the settings that you specified. On the additional nodes to be prepared, instead of following these steps, you can supply the autogenerated ConfigurationFile.ini file from first node as an input to the Setup command line. This step prepares the nodes ready to be clustered, but there is no operational instance of SQL Server at the end of this step.
After the nodes are prepared for clustering, run Setup on one of the prepared nodes. This step configures and finishes the failover cluster instance. At the end of this step, you will have an operational SQL Server failover cluster instance and all the nodes that were prepared previously for that instance will be the possible owners of the newly-created SQL Server failover cluster.
Follow the procedure to install a new SQL Server failover cluster using Integrated Simple Cluster Install
Step1: Prepare Environment
Insert the SQL Server installation media, and from the root folder, double-click Setup.exe.
Windows Installer 4.5 is required, and may be installed by the Installation Wizard. If you are prompted to restart your computer, restart and then start SQL Server Setup again.
After the prerequisites are installed, the Installation Wizard starts the SQL Server Installation Center. To prepare the node for clustering, move to the Advanced page and then click Advanced cluster preparation
The System Configuration Checker runs a discovery operation on your computer. To continue, click OK. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.
On the Setup Support Files page click Install to install the Setup support files.
The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.
On the Language Selection page, you can specify the language, to continue, click Next
On the Product key page, select PIDed product key, Click Next
On the License Terms page, accept the license terms and Click Next to continue.
On the Feature Selection page, select the components for your installation as you did for simple installation which has been mentioned earlier.
The Ready to Install page displays a tree view of installation options that were specified during Setup. To continue, click Install. Setup will first install the required prerequisites for the selected features followed by the feature installation.
To complete the SQL Server installation process, click Close.
If you are instructed to restart the computer, do so now.
Repeat the previous steps to prepare the other nodes for the failover cluster. You can also use the autogenerated configuration file to run prepare on the other nodes. A configurationfile.ini is generated in C:Program FilesMicrosoft SQL Server110Setup BootStrapLog20130603_014118configurationfile.ini which is shown below.
Step2 Install SQL Server
After preparing all the nodes as described in the prepare step, run Setup on one of the prepared nodes, preferably the one that owns the shared disk. On the Advanced page of the SQL Server Installation Center, click Advanced cluster completion.
The System Configuration Checker runs a discovery operation on your computer. To continue, click OK. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.
On the Setup Support Files page, click Install to install the Setup support files.
The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue. You can view the details on the screen by clicking Show Details, or as an HTML report by clicking View detailed report.
On the Language Selection page, you can specify the language, To continue, click Next.
Use the Cluster node configuration page to select the instance name prepared for clustering
Use the Cluster Resource Group page to specify the cluster resource group name where SQL Server virtual server resources will be located. On the Cluster Disk Selection page, select the shared cluster disk resource for your SQL Server failover cluster.Click Next to continue
On the Cluster Network Configuration page, specify the network resources for your failover cluster instance. Click Next to continue.
Now follow the simple installation steps to select Database Engine, reporting, Analysis and Integration services.
The Ready to Install page displays a tree view of installation options that were specified during Setup. To continue, click Install. Setup will first install the required prerequisites for the selected features followed by the feature installation.
Once installation is completed, click Close.
Follow the procedure if you would like to remove a node from an existing SQL Server failover cluster
Insert the SQL Server installation media. From the root folder, double-click setup.exe. To install from a network share, navigate to the root folder on the share, and then double-click Setup.exe.
The Installation Wizard launches the SQL Server Installation Center. To remove a node to an existing failover cluster instance, click Maintenance in the left-hand pane, and then select Remove node from a SQL Server failover cluster.
The System Configuration Checker will run a discovery operation on your computer. To continue, click OK.
After you click install on the Setup Support Files page, the System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue.
On the Cluster Node Configuration page, use the drop-down box to specify the name of the SQL Server failover cluster instance to be modified during this Setup operation. The node to be removed is listed in the Name of this node field.
The Ready to Remove Node page displays a tree view of options that were specified during Setup. To continue, click Remove.
During the remove operation, the Remove Node Progress page provides status.
The Complete page provides a link to the summary log file for the remove node operation and other important notes. To complete the SQL Server remove node, click Close.
1. To install a new, stand-alone instance with the SQL Server Database Engine, Replication, and Full-Text Search component, run the following command
Setup.exe /q /ACTION=Install /FEATURES=SQL /INSTANCENAME=MSSQLSERVER
/SQLSVCACCOUNT=”<DomainNameUserName>” /SQLSVCPASSWORD
2. To prepare a new, stand-alone instance with the SQL Server Database Engine, Replication, and Full-Text Search components, and Reporting Services. run the following command
Setup.exe /q /ACTION=PrepareImage /FEATURES=SQL,RS /InstanceID =<MYINST> /IACCEPTSQLSERVERLICENSETERMS
3. To complete a prepared, stand-alone instance that includes SQL Server Database Engine, Replication, and Full-Text Search components run the following command
Setup.exe /q /ACTION=CompleteImage /INSTANCENAME=MYNEWINST /INSTANCEID=<MYINST>
/SQLSVCACCOUNT=”<DomainNameUserName>” /SQLSVCPASSWORD
4. To upgrade an existing instance or failover cluster node from SQL Server 2005, SQL Server 2008, or SQL Server 2008 R2.
Setup.exe /q /ACTION=upgrade /INSTANCEID = <INSTANCEID>/INSTANCENAME=MSSQLSERVER /RSUPGRADEDATABASEACCOUNT=”<Provide a SQL DB Account>” /IACCEPTSQLSERVERLICENSETERMS
5. To upgrade an existing instance of SQL Server 2012 to a different edition of SQL Server 2012.
Setup.exe /q /ACTION=editionupgrade /INSTANCENAME=MSSQLSERVER /PID=<PID key for new edition>” /IACCEPTSQLSERVERLICENSETERMS
6. To install an SQL server using configuration file, run the following command
Setup.exe /ConfigurationFile=MyConfigurationFile.INI
7. To install an SQL server using configuration file and provide service Account password, run the following command
Setup.exe /SQLSVCPASSWORD=”typepassword” /AGTSVCPASSWORD=”typepassword”
/ASSVCPASSWORD=”typepassword” /ISSVCPASSWORD=”typepassword” /RSSVCPASSWORD=”typepassword”
/ConfigurationFile=MyConfigurationFile.INI
8. To uninstall an existing instance of SQL Server. run the following command
Setup.exe /Action=Uninstall /FEATURES=SQL,AS,RS,IS,Tools /INSTANCENAME=MSSQLSERVER
Reference and Further Reading
Virtualizing Microsoft SQL Server
The Perfect Combination: SQL Server 2012, Windows Server 2012 and System Center 2012
BUY IT NOW:
Amazon USA
Amazon UK
BARNES & NOBLE
Book World
Assumptions:
You have the following infrastructure operational and functioning as desired.
Current Exchange Version:
Prerequisites:
Step1: Perform a Server Switch Over for a Exchange 2010 SP2 DAG Member
Before you upgrade Exchange Server 2010 SP2 to Exchange 2010 SP3, you must perform a server switch over if you have Exchange DAG. You need to be assigned permissions before you can perform this procedure. use Exchange Management Shell and Run the following Command.
Move-ActiveMailboxDatabase -Server EXCHMBXSRV01 -ActivateOnServer EXCHMBXSRV02
Step2: Install Service Pack 3 on Exchange Server 2010 SP2
Download and Extract Exchange Server 2010 SP3 on the DAG member where you want run the Exchange 2010 Sp3 installer. Now follow the screen shot and upgrade Exchange Server 2010 SP2 to Exchange Server 2010 SP3.
you will be prompted for an warning which is A transient communication failure causes a Windows Server 2008 R2 failover cluster to stop working. Ignore the warning and continue. Once SP3 installed. Check the version which is as follows.
Repeat the step 2 in all Exchange Server in your Exchange Organization.
Step3: Prepare Windows Server 2012
Download Windows Server 2012 and install the following prerequisites on Windows Server 2012.
Windows Media Foundation. Use Add Roles and features Wizard to install Media Foundation on Windows Serer 2012.
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
Microsoft Office 2010 Filter Pack 64 bit
Microsoft Office 2010 Filter Pack SP1 64 bit
Exchange 2013 setup automatically install features required by Exchange. Alternatively you can use the following PowerShell Command to install all the features at that same time. A reboot is required after installing features.
Step4: Prepare Active Directory and Active Directory Schema
Run the following command to prepare AD Schema and Active Directory.
setup /PrepareSchema /IAcceptExchangeServerLicenseTerms
setup /PrepareAD /OrganizationName:<organization name> /IAcceptExchangeServerLicenseTerms
since we already have an Exchange Organization, we don’t need to type Organization again. the following command is enough to prepare Active Directory. setup /PrepareAD /IAcceptExchangeServerLicenseTerms
Step5: Install CU1 for Exchange Server 2013
Log on to the computer on which you want to install Exchange 2013. After you have downloaded Exchange 2013 CU1, Copy Exchange-X64.exe file into Windows Server 2012 where you want to install Exchange Server 2013 . Extract the installer by double clicking the Exchange-x64.exe installer.
On a co-existence scenario if you type https://FQDN of Client Access Server/ecp you will see only Mailboxes.
If you type https://FQDN of Client Access Server/ecp?ExchClientVer=15 on internet explorer you will see detailed Exchange Administration Center.
Step6: Install Certificates on Exchange Server 2013 CAS Server(s)
Step7: Configure Outlook Web Access in Exchange 2013
Step8: Configure Send/Receive Connector
Open Exchange Administration Center using https://FQDN of Client Access Server/ecp?ExchClientVer=15 url. Create new Send Connector using this procedure.
. . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter *, which indicates that this send connector applies to messages addressed to any domain. Click Save. . In the Select a server window, select a Mailbox server that will be used to send mail to the Internet via the Client Access server and click Add . After you’ve selected the server, click Add . Click OK. 
New-SendConnector –Internet –Name MysendConnector –AddressSpace Superplaneteers.com
Similarly you can use New-ReceiveConnector Cmdlet to create receive connector.
Step9: Test Internal/External Mail Flow using new Send Connector
Open internet explorer and type Https://FQDN of CAS Server/OWA Log on to OWA using domain nameusername and password and check email
Step10: Migrate Mailboxes, DL, Public Folder from Exchange 2010 to Exchange 2013
Before you start migrating Exchange mailboxes, se the Exchange Management Console to enable circular logging otherwise a large log will be generated when migrating mailboxes. you can enable circular logging in all mailbox database using the following power shell command
Get-MailboxDatabase | Set-MailboxDatabase –circularloggingenabled $true
Set-StorageGroup -Identity “First Storage Group” -CircularLoggingEnabled $true
Open Exchange Administration Center using https://FQDN of Client Access Server/ecp?ExchClientVer=15 url, In the EAC, navigate to Recipients > Migration, and then click Add .
In the New local mailbox move wizard, select the user you want to move click OK and then click Next.
On the Move configuration page, specify a name for the new batch. Select which options you want for the archive mailbox, and mailbox database location and click New. follow the screen to complete migration.
To migrate entire mailboxes from an existing Exchange 2010 DAG to new Exchange 2013 DAG using Exchange Management Shell in Exchange Server 2013 and run the following cmdlets.
Get-Mailbox -Database Manager-DB01 | New-MoveRequest -TargetDatabase Manager-DB02 -BatchName “DB01toDB02”
To find out more about New-MoveRequest cmdlet type Get-Help New-MoveRequest –Example or visit Move and Migration Cmdlets
Step11: Publish Exchange OWA to External Clients
Step12: Migrate Public Folder.
Step13: Migrate Exchange UM
Step14: Retire Exchange Server 2010
A detailed migration steps are available in this book.
BUY IT NOW:
Amazon USA
Amazon UK
BARNES & NOBLE
Book World
Staging an RODC allows an administrator to perform installation without travelling to the site. You can stage a RODC installation in four steps. Step1, Step2 and Step3 are performed in Head office by a member of domain admin where authoritative domain controller is located. Fourth step is performed in site office where site admin and RODC is located.
Assumption:
· RODC NetBIOS Name: DC4
· RODC Security Group: RODCAdmins
· Forest: Superplaneteers.com
Step1: Prepare Environment
· Install Operating System on RODC Server
· Activate Windows Server 2012
· Configure TCP/IP Properties of the Server
· Rename RODC Server to desired NetBIOS name (Example-DC4)
Step2: Add Site Admin into RODCAdmins Security Groups in AD
Open Active Directory Users and Computers, Right Click on desired OU, Click new, Click Group, Create a Security group named as RODCAdmins.
Add Site Admins into RODCAdmins group.
Step3: Create an RODC Computer Account
Open Active Directory users and Computers, Select Domain Controllers OU, Click on Action, Click Pre-create Read-only Domain Controller account
Click Next, On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default the Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.
On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials, Click Next
On the Specify the Computer Name page, type the computer name of the server that will be the RODC.
On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.
On the Additional Domain Controller Options page, make the following select Domain Naming System (DNS), Global Catalog (GC), Read-only Domain Controller (RODC) and then click Next:
On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating. To search the directory for a specific user or group, click Set. In Select Users, Computers, or Groups, type the name of the user or group. When you are finished, click Next.
On the Summary page, review your selections. Click Back to change any selections, if necessary.
When you are sure that your selections are accurate, click Next to create the RODC account.
On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
Step4: Attach a server to an RODC account using Server Manager
This step is performed in the site office where the RODC is located. The server where you perform this procedure must not be domain member. In Windows Server 2012, you use the Add Roles Wizard in Server Manager to attach a server to an RODC account. Follow the procedure to promote a RODC at the branch office.
1. Log on to Server DC4 as local Administrator. In Server Manager, click Add roles and features. On the Before you begin page, click Next.
2. On the Select installation type page, click Role-based or feature-based installation and then click Next.
3. On the Select destination server page, click Select the local server from the server pool, click Next.
4. On the Select server roles page, click Active Directory Domain Services, click Add Features and then click Next.
5. On the Select features page, select any additional features that you want to install and click Next.
6. On the Active Directory Domain Services page, review the information and then click Next.
7. On the Confirm installation selections page, click Install.
8. On the Results page, verify Installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.
9. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain superplaneteers.com and specify an account who is a member of RODCAdmins group that is delegated to manage and install the RODC, and then click Next.
10. On the Domain Controller Options page, click Use existing RODC account in this case DC4, type and confirm the Directory Services Restore Mode password, and then click Next.
11. On the Additional Options page, select the head office domain controller that you want to replicate the AD DS installation data from or if you have correct sites configured then allow the wizard to select any domain controller and then click Next.
12. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept default locations, and then click Next.
13. On the Review Options page, confirm your selections, click Next.
14. Once Prerequisites Check is successful then click Install.
15. To complete the AD DS installation, the server will restart automatically.
System Requirements: Windows 8 Enterprise Version Windows Server 2008 or Windows Server 2012 Microsoft .NET Framework version 3.5 with SP1 or later Windows PowerShell™ 2.0 or later Windows 7 Automated Installation Kit Active Directory Domain Services Dynamic Host Configuration Protocol … Continue reading
This is my first book published on December 2 2012. The following is the chapters available in detailed in the book titled “Windows Server 2012 Step by Step” Chapter 1: Introduction to windows server 2012 Chapter 2: Installing and navigating … Continue reading
Windows Server 2012 Step by Step is available in Amazon US, Amazon EU and Amazon Japan. This book will also be available to download from Amazon Kindle globally.
AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:
Active Directory Certificate Services Hierarchy
Public Key Infrastructure must be deployed in hierarchical order to securely deliver certificates to clients, application and servers. The best way to achieve this is to deploy a Standalone Offline Root CA and Online Enterprise Subordinate CA. Offline Root CA meaning you have to shut down the CA once you obtain the CRL chain for subordinate CA. Subordinate stays powered on and joined to the domain. Offline Root CA works in a workgroup not a domain member.
Standalone offline Root CA:
Benefits:
Online Enterprise Subordinate CA
Benefits:
Certificate Services Best practices
Certificate Provider
You have to select RSA#Microsoft Software Key Storage Provider” with sha1 if there is any Windows XP Client otherwise select RSA#Microsoft Software Key Storage Provider” with sha256 as certificate provider.
Cryptographic Key Length
Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA.
Templates
Validity Period
Revocation List
The following sections summarize how certificate revocation checking works.
Revocation Best Practice
Audit Policy
Select the following Audit Policy for both Certificate Authority
Backup Certificate Authority
Security Permission on Template
The following table summarize certificate security permission in AD CS.
| Domain Computers | Auto-Enroll | Read Only |
| Domain Users | Auto-Enroll | Read Only |
| Wintel Administrator | Full Control | Full Control |
Security Permission on Servers
You must create role separation in Active Directory Certificate Services to provide greater control on Certificate Authority. To enable Role separation, Open Elevated command prompt and type certutil -setreg caRoleSeparationEnabled 1. The following table describe role separation for AD CS.
| CA Administrator | Full Permission |
| Certificate Manager | Issue and Manage Certificates |
| Auditor | Manage auditing and security logLocal Security Settings/ Security Settings/Local Policies/User Rights Assignments |
| Backup Operator | Back up file and directories
Local Security Settings/ Security Settings/Local Policies/User Rights Assignments |
| Enrollees | Authenticated Users |
The Following are the messy configurations you must avoid when installing a Certificate Authority.
Relevant Articles:
Blog by Raihan Al-Beruni 