Sinergija 2010 q&a 1 – RDS A to Z

At my Windows Server 2008 R2 – Remote Desktop Services from A to Z session there were two questions…

How to set up single sign-on so users do not have to re-authenticate to get to Remote Desktop resources?

Here is a screenshot of the group policy that controls that:

More about single sign-on can be found at:
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

The second question was about Aero on an RDS server… Yes, you can do that by following this tutorial:
http://blogs.msdn.com/b/rds/archive/2009/06/23/aero-glass-remoting-in-windows-server-2008-r2.aspx

SBS 2008 / Exchange 2007 remote.company.com and TLS…

Everyone who has ever installed SBS 2008 has met the wizard that creates the certificate and the Remote Web Workplace name – by default called remote.company.com (yes, you can choose other prefixes, but let's say that I like "remote" because it is easy for my users to remember…).
The SBS wizard generates a certificate for this hostname and uses it for all services (Outlook Web Access, ActiveSync and also the SMTP receive and send connectors…).
The problem comes when you want to rename your SMTP receive and send connectors to match the records in DNS. It is best practice to have the SMTP greeting match the records in DNS: if you have the domain company.com, an A record called mail.company.com and an MX record pointing to mail.company.com, that is correct, and I suggest you follow this rule and set the SMTP greeting (the FQDN of the SMTP connectors) to mail.company.com.

You can rename your connectors however you want using the Exchange Management Console, but you will lose TLS in your SMTP traffic – because the certificate for remote.company.com does not match the FQDN (SMTP greeting) of a connector that advertises mail.company.com. You will also get an error in the event log saying:

Microsoft Exchange could not find a certificate that contains the domain name mail.company.com in the personal store on the local computer…

Ok, what can we do now?

Well, open the Exchange Management Shell – that is PowerShell with the Exchange 2007 management snap-in loaded – you can find it in the Start menu… First we want to see the current Exchange certificates and the Exchange services they are enabled for, using the cmdlet:

[PS] C:\Windows\System32>Get-ExchangeCertificate

and you will receive something like this:

Thumbprint                                Services   Subject
----------                                --------   -------
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4  IP.WS      CN=remote.company.com
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S      CN=remote.company.com
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S      CN=sbssrv01.company.local
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxx-xxxxxxxx-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40
 
Now we create a new certificate that we will use for the SMTP connectors, using the cmdlet:
 
New-ExchangeCertificate -domainname mail.company.com -PrivateKeyExportable:1
 
Warning! When you are asked whether you want to overwrite the existing default SMTP certificate, choose No!
  
Confirm
Overwrite existing default SMTP certificate,
'45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4' (expires 14.1.2012 22:37:04), with
certificate '59D62E7850EE4093AFF1EC73E2623D52058C2B35' (expires 27.1.2015
17:09:02)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"): N
 
so we get the output:

Thumbprint                                Services   Subject
----------                                --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  .....      CN=mail.company.com
 
Great! If we want to be sure that everything is working correctly and that the Exchange SMTP service is using our new certificate, we run the same cmdlet again:

[PS] C:\Windows\System32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  ....S      CN=mail.company.com
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4  IP.WS      CN=remote.company.com
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S      CN=remote.company.com
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S      CN=sbssrv01.company.local
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxxxxxxx-xxxxxxxxxxxx01-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40
We can now see that the new certificate, like the others, is enabled for the SMTP service (the S in the Services column denotes SMTP; the other positions are I for IMAP, P for POP, U for Unified Messaging and W for IIS).
Ok… How can you test that TLS works?
You can try it with the telnet client by connecting to your server:
telnet mail.company.com 25
 
Exchange should respond something like:
220 mail.company.com Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:12:09 +0100
 
then you can write:
helo test.blablabla.com
 
220 mail.company.com Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:13:07 +0100
helo test.blablabla.si
250 mail.xxxxxxxxxxxxxxxx.si Hello [xxx.xxx.xxxx.xxx]
after that enter the command:
starttls
and the server should respond:

220 2.0.0 SMTP server ready
 
Server ready? Super! 🙂
 
PS.
If you missed something you will receive an error from the server saying:
 
starttls
500 5.3.3 Unrecognized command
 
If you get that, read this tutorial again 🙂
PS. PS. You do not need to restart anything when you apply these commands… no need to restart the Exchange services…
Special thanks to Saso Erdeljanov for some hints about this issue…
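Telnet can show you that the server accepts STARTTLS, but it cannot finish the TLS handshake, so it never tells you which certificate the server actually presented. The following PowerShell script is an added example (not part of the original post): it speaks EHLO/STARTTLS to the server, completes the handshake with .NET's SslStream and prints the subject and thumbprint of the certificate it got back, so you can confirm it is CN=mail.company.com and not the old remote.company.com one. The hostname is the one from the post and is an assumption; the EHLO name test.example.com is made up.

```powershell
# Added example: STARTTLS check against an Exchange SMTP connector.
# Assumes the server name from the post; change $Server to your own connector FQDN.
param(
    [string]$Server = "mail.company.com",
    [int]$Port = 25
)

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"
$writer.AutoFlush = $true

function Read-SmtpReply {
    # Multi-line SMTP replies use "250-" for continuation lines and "250 " for the last one
    $lines = @()
    do {
        $line = $reader.ReadLine()
        $lines += $line
    } while ($line -and $line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
    return $lines
}

Read-SmtpReply | Out-Null                      # 220 greeting
$writer.WriteLine("EHLO test.example.com")     # constructed client name
$ehlo = Read-SmtpReply
if (-not ($ehlo -match '^250[ -]STARTTLS')) {
    Write-Host "Server did not advertise STARTTLS. EHLO reply was:"
    $ehlo
    $client.Close()
    return
}

$writer.WriteLine("STARTTLS")
$reply = Read-SmtpReply
if ($reply[0] -notmatch '^220') {
    Write-Host "STARTTLS refused: $($reply -join ' ')"
    $client.Close()
    return
}

# Accept whatever certificate is presented so a self-signed Exchange certificate
# (as created by New-ExchangeCertificate in the post) still completes the handshake;
# the point here is to inspect it, not to trust it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

"Protocol:   " + $ssl.SslProtocol
"Subject:    " + $cert.Subject
"Issuer:     " + $cert.Issuer
"Expires:    " + $cert.NotAfter
"Thumbprint: " + $cert.Thumbprint
if ($cert.Subject -notmatch ("CN=" + [regex]::Escape($Server))) {
    Write-Warning "Certificate subject does not match $Server - sending servers will log a TLS name mismatch"
}
$ssl.Close()
$client.Close()
```

Compare the thumbprint it prints with the one Get-ExchangeCertificate shows for the CN=mail.company.com entry; if you see the remote.company.com thumbprint instead, the SMTP service is still bound to the old certificate (Enable-ExchangeCertificate -Thumbprint … -Services SMTP fixes the binding explicitly).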

Powershell with task scheduler… This is the way to automate your IT! – remote machine – p2

Ok! Welcome to part two… What is the idea behind this second part? Well, with PowerShell 2.0 we now have PowerShell remoting, which allows us to run commands on remote machines… When we think about automating tasks, we want to execute PowerShell scripts on servers and machines around our company.

Ok, in example 2 we have two servers:
DEMOAD.demo.local – active directory server
and
DEMORDSSRV01.demo.local – member server (in fact a Remote Desktop server, but that is not important here… 🙂 )

Let's say that we are logged on to DEMOAD.demo.local and we will prepare a script and schedule it to get information from DEMORDSSRV01.demo.local.

1. First we need to enable PowerShell remoting on DEMORDSSRV01.demo.local using the cmdlet:

Enable-PSRemoting

2. We need to check that remoting works; we can test it using the cmdlet:

Test-WSMan -ComputerName DEMORDSSRV01 

This cmdlet should be run on the DEMOAD machine. If everything is ok you should receive something like:

wsmid : http://schemas.dmtf
ProtocolVersion: http://schemas
ProductVendor: Microsoft Corporation
ProductVersion: OS: 0.0.0 SP: 0.0 Stack: 2.0

If you did not enable remoting on DEMORDSSRV01.demo.local you will receive:

Test-WSMan : The WinRM client cannot complete the operation…

If you receive this error, try to re-enable PowerShell remoting on the remote machine using the cmdlet: Enable-PSRemoting

3. Create a PowerShell script (a text file with the extension .ps1), for example remoteprocess.ps1, edit it with Notepad and put this cmdlet inside:
get-process -computername demordssrv01 | out-file c:\remoteprocess.txt

This script requests the process list from demordssrv01 and pipes the result into a text file called c:\remoteprocess.txt on demoad.demo.local – that is, on the machine that executes the query.

4. When you are done with the script you just need to create a Basic Task in Task Scheduler. You can check my previous article (part 1) for the remaining steps.
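One thing worth knowing about the script in step 3: Get-Process -ComputerName queries the remote machine over RPC (the remote registry and performance counters), not over WinRM, so it works even when Enable-PSRemoting was never run and does not actually exercise what steps 1 and 2 set up. The script below is an added example (not from the original post) that does the same job through PowerShell remoting with Invoke-Command, checks WinRM first so a failed run leaves a readable error instead of a half-written report, and writes the result to the file on the scheduling machine. The hostname and output path are the ones from the post and are assumptions.

```powershell
# Added example: remoteprocess.ps1 collecting a process list over WinRM.
# Assumes DEMORDSSRV01 has Enable-PSRemoting applied and the task runs as an
# account that is a local administrator there (the default remoting permission).
param(
    [string]$ComputerName = "DEMORDSSRV01",
    [string]$OutFile = "C:\remoteprocess.txt"
)

# Same test as step 2 of the post, but as a gate for the scheduled run
if (-not (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)) {
    throw "WinRM is not reachable on $ComputerName - run Enable-PSRemoting there first"
}

# The script block executes on the remote machine; only its output comes back.
$processes = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    Get-Process | Select-Object Name, Id, CPU, WorkingSet
}

"Process list from $ComputerName collected $(Get-Date)" | Out-File $OutFile
$processes |
    Sort-Object WorkingSet -Descending |
    Format-Table Name, Id, CPU, @{ n = 'WS (MB)'; e = { [int]($_.WorkingSet / 1MB) } } -AutoSize |
    Out-File $OutFile -Append

"Wrote $($processes.Count) processes to $OutFile"
```

Schedule it exactly as in part 1 (powershell.exe -ExecutionPolicy RemoteSigned -NonInteractive -NoProfile -File C:\remoteprocess.ps1); the account the task runs under is the one that must be allowed to connect to the remote machine.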

Powershell with task scheduler… This is the way to automate your IT! – single machine – p1

Well, using PowerShell interactively is something we see all the time when Microsoft wants to show us what we can automate in our daily tasks and how… But administrators want to know how to schedule their brand new fantastic PowerShell scripts…

Ok, this guide will tell you how to do it… how to run separate commands from PowerShell and how to run complete scripts, so you can really start to automate your stuff using PowerShell…

Example: I would like to schedule a script that lists all processes running on a specific server.
1. On my server I first create a text file (the extension should be renamed to .ps1, as we are writing a PowerShell script) called listproces.ps1
2. Into the file I put my script:

get-process | out-file c:\processes.txt

3. Start Task Scheduler on the server and choose Create Basic Task
Name: Powershell list processes
Trigger: Choose when you want your script to run
Action: Start a program
Program / script: powershell.exe
Add arguments: -ExecutionPolicy RemoteSigned -NonInteractive -NoProfile -File C:\listproces.ps1

Important! You should set your task to run whether the user is logged on or not… To do that, do the following:
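The same task can be registered from the command line with schtasks.exe, which is handy when you have to set it up on several servers. This is an added example, not part of the original post; it assumes the script path C:\listproces.ps1 from the post and a daily 07:00 trigger (constructed), and uses /RU SYSTEM, which is what makes the task run whether anyone is logged on or not.

```powershell
# Added example: create the "Powershell list processes" task without the wizard.
$scriptPath = "C:\listproces.ps1"                # path from the post (assumed)
$taskName   = "Powershell list processes"

# The script from step 2 of the post
Set-Content -Path $scriptPath -Value 'Get-Process | Out-File C:\processes.txt'

# Same arguments as in the post's "Add arguments" box. -NonInteractive and -NoProfile
# keep a scheduled run from hanging on a prompt that nobody is there to answer.
$action = "powershell.exe -ExecutionPolicy RemoteSigned -NonInteractive -NoProfile -File $scriptPath"

# /SC DAILY /ST 07:00 is a constructed trigger; /RU SYSTEM runs it without a logged-on
# user; /F overwrites a task of the same name if it already exists.
schtasks.exe /Create /TN $taskName /TR $action /SC DAILY /ST 07:00 /RU SYSTEM /F

# Show what got registered, then run it once to confirm C:\processes.txt appears
schtasks.exe /Query /TN $taskName /V /FO LIST
schtasks.exe /Run /TN $taskName
```

SYSTEM gives the script full local rights; for anything that touches other machines or sensitive data, use a dedicated service account with only the rights the script needs (/RU domain\account /RP password, or the "Run whether user is logged on or not" option with a stored password).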


Exchange 2007 / 2010 – remove headers

If you are using Windows Server 2008 SBS, Exchange 2007 or Exchange 2010, your outgoing e-mail also carries mail headers that (I think) you would not like to "share" with the outside world:

Received: from mail.server.si (xxx.xxx.xxx.xxx) by mail.server2.si
 (172.31.200.2) with Microsoft SMTP Server (TLS) id 8.2.247.2; Wed, 19 May
 2010 13:08:47 +0200
Received: from SRVEXCH01.domain.local ([10.11.12.2]) by SRVEXCH01.domain.local
 ([10.11.12.2]) with mapi; Wed, 19 May 2010 13:08:02 +0200
From: xxxxx xxxxx xxxxx@xxxxx
To: =?iso-8859-2?Q?xxxxx_xxxxx=E6_=28xxxxx=xxxxx=2Exxxxx=29?=
 <xxxxx@xxxxx>
Return-Receipt-To: xxxxx@xxxxx
Date: Wed, 19 May 2010 13:08:00 +0200
Subject: xxxxx
Thread-Topic: xxxxx
Thread-Index: Acr3Q4r6dSBNnU37R9ypBLYy8PMzcA==
Message-ID: <13204AAD07BCDD4EB69C3367FF1783A9124C065BB2@SRVEXCH01.domain.local>
Accept-Language: sl-SI
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sl-SI
Content-Type: multipart/alternative;
 boundary="_000_13204AAD07BCDD4EB69C3367FF1783A9124C065BB2_"
MIME-Version: 1.0
Return-Path: xxxxx@xxxxx
X-MS-Exchange-Organization-PRD: xxxxx.si
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (xxxxx.xxxxx.xxxxx: domain of xxxxx@xxxxx
 designates xxx.xxx.xxx.xxx as permitted sender) receiver=xxxxx.xxxxx.local;
 client-ip=xxx.xxx.xxx.xxx; helo=mail.xxxxx.si;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.8917.498;SV:3.3.8919.449;SID:SenderIDStatus Pass;OrigIP:xxx.xxx.xxx.xxx

If you want to remove this stuff, create a Hub Transport rule:
Open the Exchange Management Console
Navigate to:
Microsoft Exchange > Organization Configuration > Hub Transport > Transport Rules

Right-click, select New Transport Rule, name it "Remove headers" and click Next,

choose "From users inside or outside the organization" and select Inside, click Next, choose "Remove header", as the message header write Received, and click Next twice…

 

You are done… The Received headers will no longer be sent to users outside the organization…
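The same rule can be created from the Exchange Management Shell. This is an added example, not from the original post, written in Exchange 2010 New-TransportRule syntax (Exchange 2007 builds the rule from Get-TransportRulePredicate and Get-TransportRuleAction objects instead). It adds one condition the wizard steps above do not: the rule only fires for mail going outside the organization, so the internal Received: trail stays intact on messages that never leave and can still be used to trace a delivery problem later.

```powershell
# Added example: "Remove headers" transport rule from the shell (Exchange 2010 syntax).
New-TransportRule -Name "Remove headers" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RemoveHeader "Received" `
    -Comments "Strip internal Received hops from outbound mail"

# Confirm the rule exists, is enabled and has the conditions you expect
Get-TransportRule "Remove headers" |
    Format-List Name, State, Priority, FromScope, SentToScope, RemoveHeader
```

Test it by sending a message to an external mailbox you control and looking at the raw headers there: the internal Received: lines (the SRVEXCH01.domain.local hops in the sample above) should be gone, while the receiving side's own Received: line is of course still added after the mail leaves you.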

Bye,
Luka (under influence of wonderful NT Konferenca 2010)

Manage Hyper-V Virtual machines using WMI and VBS scripts

Today I was working on how to manage Hyper-V virtual machines using WMI.
These VBS scripts can be modified to suit your needs…
Each script takes one argument, the machine name:

listvm.vbs – displays all virtual machines on the Hyper-V host – this script creates a TXT file (you should edit the path and filename inside the script) listing all virtual machines on the host, with the name of each machine and its current state (Running, Off, Saved)

sortvm.vbs – this script alphabetically sorts the list of virtual machines (you should edit the path and filename inside the script)

startvm.vbs – usage: startvm.vbs "Name of your virtual machine" – this script starts the virtual machine

stopvm.vbs – usage: stopvm.vbs "Name of your virtual machine" – this script turns off (dirty!) your virtual machine

shutdownvm.vbs – usage: shutdownvm.vbs "Name of your virtual machine" – this script shuts down your virtual machine if it is Integration Services aware – it signals the guest operating system to start its shutdown procedure. It works only on machines that support Hyper-V Integration Services.

hardresetvm.vbs – usage: hardresetvm.vbs "Name of your virtual machine" – this script resets (dirty!) your virtual machine

savestatevm.vbs – usage: savestatevm.vbs "Name of your virtual machine" – this script saves the state of your virtual machine and turns it off
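The VBS scripts themselves are downloads and not reproduced here. As an added example (my own PowerShell, not the author's scripts), the following does what listvm.vbs, startvm.vbs, stopvm.vbs and savestatevm.vbs do through the same WMI classes they use: Msvm_ComputerSystem in the Windows Server 2008 R2 root\virtualization namespace. The host name, action names and output format are assumptions of this example.

```powershell
# Added example: list Hyper-V VMs and change their state via WMI (2008 R2 v1 namespace).
# Usage: .\vm.ps1 -Action list
#        .\vm.ps1 -Action start -VmName "Name of your virtual machine"
param(
    [string]$HyperVHost = ".",            # "." = local host (assumed default)
    [string]$Action = "list",             # list | start | stop | save
    [string]$VmName                       # required for start / stop / save
)

# Msvm_ComputerSystem.EnabledState values in the v1 namespace
$stateName = @{ 2 = "Running"; 3 = "Off"; 32768 = "Paused"; 32769 = "Saved" }

# Caption = 'Virtual Machine' leaves out the host's own Msvm_ComputerSystem entry
$vms = Get-WmiObject -Namespace "root\virtualization" -ComputerName $HyperVHost `
        -Query "SELECT * FROM Msvm_ComputerSystem WHERE Caption = 'Virtual Machine'"

switch ($Action) {
    "list" {
        # Sorted by name, like listvm.vbs followed by sortvm.vbs
        $vms | Sort-Object ElementName | ForEach-Object {
            $state = $stateName[[int]$_.EnabledState]
            if (-not $state) { $state = "Other (" + $_.EnabledState + ")" }
            "{0,-40} {1}" -f $_.ElementName, $state
        }
    }
    default {
        $vm = $vms | Where-Object { $_.ElementName -eq $VmName }
        if (-not $vm) { throw "No virtual machine named '$VmName' on $HyperVHost" }

        # RequestStateChange codes: 2 = start, 3 = turn off (no guest shutdown!),
        # 32769 = save state. A clean guest shutdown goes through
        # Msvm_ShutdownComponent.InitiateShutdown instead and needs Integration Services.
        $code = @{ start = 2; stop = 3; save = 32769 }[$Action]
        if ($code -eq $null) { throw "Unknown action '$Action' (use list, start, stop or save)" }

        $result = $vm.RequestStateChange($code)
        # ReturnValue 0 = completed, 4096 = job started asynchronously ($result.Job)
        "RequestStateChange($code) on '$VmName' returned " + $result.ReturnValue
    }
}
```

The WMI calls need administrative rights on the Hyper-V host, so a scheduled version of this should run under an account that is allowed to manage the VMs and nothing more; stop and save are exactly as "dirty" as the post says, since the guest is never told what is happening.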

I have compiled these scripts using resources regarding Hyper-V and WMI:
http://msdn.microsoft.com/en-us/library/cc136992(VS.85).aspx
http://blogs.msdn.com/virtual_pc_guy/

Enjoy, WMI power!

Windows Server 2008 R2 Foundation on HP ML 110 G6 – SBSBIOSLock

NT Konferenca 2010 is almost here…

While preparing the demos for my sessions I needed to install Windows Server 2008 R2 Foundation on an HP ML 110 G6 that was given to me for demos…
After unpacking and starting the server I inserted the installation DVD… and got this nice screen telling me "Validating HP Platform, Please Wait…" 🙂

After a minute I got this error – a popup window came up with the following message:

SBSBIOSLock

could not find the media

If you want to continue your installation you need to get into the HP BIOS and change the SATA emulation setting from RAID to AHCI. It worked for me… Well, leave me alone, I need to finish my installation. 🙂

SBS 2008 (AD server) virtualized on Hyper-V – what about time synchronization?

Hi!

This blog post is about time synchronization with Hyper-V Integration Services when you virtualize an SBS 2008 server. You should never let the Hyper-V host "force" its time onto virtualized servers that are Active Directory domain controllers (at least not the PDC emulator, which is the root time server for the domain).

By default Hyper-V enables all Integration Services components on your virtual machine, but it is better to configure the virtual machine (in my case an SBS 2008 server that is also an Active Directory server) with an external NTP time source. Because if something goes wrong, or the time on your Hyper-V host is wrong, you can get into trouble when the host pushes that "bad time" into your virtual machine.

You should also know that by default a virtual machine gets its time from the Hyper-V host at boot; because of that I have written two articles. The first is about configuring a Hyper-V host that is not joined to the domain (so it does not get the right time from the AD server) so that it receives the right time from an NTP time source.
The second is about setting the correct values on the SBS 2008 server and disabling the Time Synchronization feature of Hyper-V Integration Services.
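The two articles are attached as documents below; as an added example (my own commands, not taken from those documents), here is what the two sides look like when done from an elevated PowerShell prompt with w32tm. The NTP pool names are assumptions; use whatever time source your network trusts. The reason it matters beyond "wrong clocks": Kerberos rejects tickets when the clock skew between client and domain controller exceeds five minutes by default, so a host pushing a bad time into the PDC emulator can lock the whole domain out of logons.

```powershell
# Added example: external NTP for the Hyper-V host and the virtualized PDC emulator.
# Run each part on the machine named in its header.

# --- Part 1: on the Hyper-V host (workgroup member, not domain joined) ------------
# Sync from external NTP peers (0x8 = client mode) instead of the local CMOS clock.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait
w32tm /query /source        # expect one of the NTP peers, not "Local CMOS Clock"

# --- Part 2: inside the SBS 2008 guest (PDC emulator) -----------------------------
# 1. Stop the Hyper-V time provider from pushing host time into the guest. This is the
#    registry side of unticking "Time synchronization" under Integration Services in
#    the VM settings; do both so neither side re-enables it.
$vmic = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider"
Set-ItemProperty -Path $vmic -Name Enabled -Value 0

# 2. Make the PDC emulator the domain's reliable source, fed from the same external peers.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait
w32tm /query /status        # check "Source:" and that "Last Successful Sync Time" is recent

# 3. Measure the offset against the external source; anything approaching the
#    5-minute Kerberos tolerance needs attention before clients start failing logon.
w32tm /stripchart /computer:0.pool.ntp.org /samples:3
```

Other domain members keep the default NT5DS behaviour and follow the domain hierarchy, so only the host and the PDC emulator need the manual peer list.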

Hope it helps…

Time sync in SBS 2008 virtualized on Hyper – part 1.docx
Time sync in SBS 2008 virtualized on Hyper – part 1.pdf

Time sync in SBS 2008 virtualized on Hyper – part 2.docx
Time sync in SBS 2008 virtualized on Hyper – part 2.pdf

Luka