This post is a continuation of my previous post, in which I assigned a certificate to the website.
In this last post, we'll be exporting the private key to a secure location for legal requirements:
1. Open the IIS Manager and browse to the website that has the certificate assigned.
2. Right-click the website and choose Properties, then go to the Directory Security tab. Here choose View Certificate.
3. Go to the Details tab and click Copy to File.
4. After the Welcome screen, you will see that we now have the option Yes, export the private key. Select it and click Next.
5. Choose the options you desire; I always use these:
6. Next you will be asked for a password and a location. When you click Finish, you should receive a Success message.
OK, you are done: a certificate has been created and used to secure a website, and the private key has been exported to a secure location for recovery purposes.
I hope the series can help you.
Have fun!
Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location
Thursday, December 10, 2009
Certificate procedure – Step 4: Assign the certificate to your website in IIS
OK, following my previous posts, the certificate can now be used to assign it to a website (or whatever you want to use it for).
The assignment of the certificate is also pretty straightforward:
1. Open the IIS manager and browse to your website.
2. Go to the Directory Security tab and click Server Certificate.
3. A wizard opens; click Next on the Welcome screen and choose Process the pending request and install the certificate.
4. Browse to your newly created certificate and click Next. Then choose the default SSL port 443 and click Next.
5. You can overview the summary and click Next if the displayed information is correct.
6. As a last step, Finish the wizard to assign your certificate.
That's it. Your website is now secured. As a last step I'll be exporting the private key to a safe location for recovery purposes.
Certificate procedure – Step 3: Issuing the certificate
Now that we have created our certificate request, we’ll be issuing it ourselves with our Certification Authority (CA) for testing purposes.
A very quick and simple process:
1. Open the Certification Authority console and browse to Pending Certificates. Once there, right click on the certificate and under “all tasks” choose Issue.
2. Then, go to Issued Certificates, right click on the issued certificate and click on “Copy to file” to save the certificate to a safe location.
Friday, November 20, 2009
Certificate procedure – Step 2: Creating a certificate
Now that our request is created and since we’ll be creating the certificate ourselves, let’s just get it over with … :)
1. Copy the text file to your CA, go to the CA website: http://localhost/certsrv and select Request a Certificate
2. Select Advanced Certificate Request
3. Here, choose the second option (I’m not gonna write that whole thing out :))
4. Now we can copy the text from our request file and paste it here.
5. You will see that your certificate is pending after you have clicked Submit.
And that’s it, nothing more to this simple step. Next we’ll be issuing our pending request.
Certificate procedure - Step 1: Creating a certificate request
In my previous post (see link below), I talked about the various steps you need to perform to create a certificate to secure your data transmission, both self-signed and officially signed.
As promised, the following posts provide a step-by-step overview of the complete procedure. Thanks to Bram Poelaert for his input!
The first step is creating the certificate request:
1. Open the IIS Manager, right click the Default Web Site and select Properties
2. On the tab Directory Security, select Server Certificate
3. In the wizard, click Next on the Welcome screen
4. Since we are creating a new certificate, select Create a new certificate
5. We are creating the request now and processing it later, so choose Prepare the request now, but send it later
6. Give the request a name, this can be anything, just make it clear what it is
7. Provide the name and OU
8. This is the most important part of your certificate: the common name. This needs to be the fully qualified domain name to which the users will be connecting.
9. Next, choose your Country, State and City
10. Save the request file to a location
11. Verify the settings you have chosen in the overview before completing the wizard.
The result will be a TXT file. In the text file you will see -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.
This is the result that can be forwarded to an official Certification Authority, but for testing purposes we'll be issuing the certificate ourselves.
Thursday, November 19, 2009
Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
Last week, a colleague and I configured an Exchange 2003 SP2 for push mail. Since it was a joint effort, I want to thank Bram Poelaert for his help and expertise. All information in these posts is therefore the result of our teamwork.
First a small overview. We were installing and configuring an ISA 2006 server with one network adapter to publish the OMA and OWA functionality to the outside world for push mail. In the back end, an Exchange 2003 SP2 serves as the mail server. We'll be offloading SSL on the ISA 2006 server. To complete the picture, a CheckPoint firewall places the ISA in the DMZ using three zones: untrusted, DMZ and trusted.
As always, the most difficult (and critical) part of the installation isn't the configuration of Exchange or even ISA 2006, but the installation of the necessary certificate. This is what this post will be about.
Having an official authority create a certificate for you costs quite a bit of money, so you don't want to have to do it twice. For that reason, it's always best to test your procedure by creating a certificate yourself and making sure your certificate request is correct.
To create and install a certificate yourself, these steps have to be completed:
1. Create a certificate request via IIS web wizard
2. Process the request via your Certification Authority (CA)
3. Issue the pending certificate in CA
4. Assign the certificate to your website in IIS
5. Export the private key and store in a safe location
Make sure that no error messages are displayed when you connect to your secure website. The most frequent mistakes are a common name that is not the same as the URL, or a certificate chain that is broken somewhere.
Also, be careful with the private key. This key resides on the computer that created the certificate request. Do NOT import the certificate again (via the MMC, for example) before you have exported the private key. If you do, the private key will be gone and you cannot use the certificate!
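A pre-flight check for the request file, as an added example that is not part of the original posts: it parses the PKCS#10 request between the BEGIN/END NEW CERTIFICATE REQUEST markers that the IIS wizard writes (Step 1) and compares the common name with the FQDN users will type, which catches the "common name not the same as the URL" mistake before a paid CA request goes out. The sample request, its subject values and its dummy key and signature are constructed here; nothing in it comes from the posts.

```python
import base64
import re

# Added example, not from the original posts: read the subject out of the
# request TXT file the IIS wizard writes (the text between the BEGIN/END
# NEW CERTIFICATE REQUEST markers is a base64 PKCS#10 request) and check
# that its common name is the FQDN users will connect to. The sample
# request built below uses a dummy key and a dummy signature.

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"

# DER-encoded contents of the attribute OIDs found in a subject Name.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
             b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(der):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        yield tag, value

def pem_to_der(text):
    """Extract and decode the base64 body between the request markers."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no NEW CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))

def subject_of_request(text):
    """Return the request's subject as a dict, e.g. {'CN': 'mail.example.com'}."""
    tag, cert_req, _ = _read_tlv(pem_to_der(text), 0)  # CertificationRequest
    if tag != 0x30:
        raise ValueError("request is not a DER SEQUENCE")
    info = next(_children(cert_req))[1]          # certificationRequestInfo
    subject = list(_children(info))[1][1]        # version, subject, spki, attrs
    result = {}
    for _set, rdn in _children(subject):         # Name ::= SEQUENCE OF SET
        for _seq, atv in _children(rdn):         # AttributeTypeAndValue
            (_, oid), (_, value) = list(_children(atv))[:2]
            result[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8")
    return result

def check_request(text, expected_fqdn):
    """Pre-flight check before the request goes to a (paid) CA."""
    cn = subject_of_request(text).get("CN", "")
    if not cn:
        return False, "request has no common name"
    if "." not in cn:
        return False, f"CN '{cn}' is not a fully qualified domain name"
    if cn.lower() != expected_fqdn.lower():
        return False, f"CN '{cn}' does not match '{expected_fqdn}'"
    return True, f"CN '{cn}' matches the URL users will connect to"

def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_test_request(subject_fields):
    """Constructed PKCS#10 shell (dummy key, dummy signature) in the wizard's TXT form."""
    name = _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, val.encode())))
        for oid, val in subject_fields))
    rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00" * 8))          # dummy public key
    info = _tlv(0x30, _tlv(0x02, b"\x00") + name + spki + _tlv(0xA0, b""))
    sha1_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + _tlv(0x05, b""))
    b64 = base64.b64encode(_tlv(0x30, info + sha1_rsa + _tlv(0x03, b"\x00" * 9))).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])

# Constructed sample subject, as a wizard run for mail.example.com would produce.
SAMPLE_REQUEST = build_test_request([
    (b"\x55\x04\x06", "BE"), (b"\x55\x04\x0a", "Example Org"),
    (b"\x55\x04\x0b", "IT"), (b"\x55\x04\x03", "mail.example.com")])

if __name__ == "__main__":
    print(subject_of_request(SAMPLE_REQUEST))
    print(check_request(SAMPLE_REQUEST, "webmail.example.com"))
```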
OK, you've tested your certificate and it works as you expected. Cool! Now delete everything and start over by creating a new certificate request that you can send to the third party to create your certificate:
1. Create a certificate request via IIS web wizard
2. Send the certificate request (TXT file) to the CA
3. Import the certificate received in IIS web wizard
4. Export the private key and store in a safe location
5. Install the certificate and the private key on the ISA 2006 server
6. Use the certificate to secure the data
In my next post I’ll go over the process step-by-step for an easy manual.
I hope this can already put you well underway.
Enjoy!
Friday, November 06, 2009
Manually upgrading the vpxa agent of an ESX server
During my ESX 2.5 Upgrade project I ran into some VM migration problems.
As soon as the vmdk was too big to be able to complete the migration in 25 minutes, the operation would fail.
A possible cause was that the vpxa agent on the ESX 2.5 host was a different build than the vpxa agent on the ESX 3.5 destination host. So I needed to manually upgrade the vpxa agent on the ESX 2.5 host.
As you can imagine, documentation on how to do this isn't widely available, so I decided to write a short blog post on it:
1. Log into the VC server locally and browse to the "Upgrade" folder. Default: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\Upgrade
2. Browse to the correct vpx upgrade file for the version of the ESX server on which you need to upgrade the vpxa agent. My ESX 2.5 was version 2.5.2, so I needed vpx-upgrade-esx-4-linux-*. I found this info in the bundleversion.xml file.
3. Copy this file to the ESX host on which you need to upgrade the vpxa agent, via WinSCP, PenguiNet or something like it.
4. Log into the ESX as root and browse to the folder to which you have copied the upgrade file.
5. Run the command: service vmware-vpxa restart
This will stop and start the agent and automatically upgrade its version. This shouldn't take more than 5–10 seconds.
6. Now log back into the VirtualCenter server locally and restart the services:
a. VMware License Server
b. VMware VirtualCenter Server
OK, that's it. Your vpxa agent is now upgraded to the version and build you selected. It could be that in VC itself you will have to disconnect the ESX host and then connect it again.
Thursday, November 05, 2009
ESX command line commands
I am currently busy designing a migration strategy for a large ESX 2.5.2 to ESX 3.5 migration for one of our customers. (Yeah, I know, a little late ... but at least they will then migrate immediately to vSphere 4 :))
While doing my tests, I type the commands mostly only once and from then on use the arrow keys to go back to previous commands. You know how it goes: as lazy as you can get ... :)
Anyway, I decided I would post most of these commands here. Not just for you guys, but admittedly also for myself, as I regularly find myself searching my memory for the correct syntax ... :)
List registered VMs
vmware-cmd -l
Lists the paths and names of the registered VM .vmx files on this host.

Get VM state
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx getstate
Retrieves the power state of the VM: off, on, suspended or stuck.

Reboot VM
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx reset trysoft|hard
Reboots the VM. First try a clean shutdown (trysoft); only if necessary force the shutdown before the reboot (hard).

Power on VM
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx start
Powers on the VM.

Shut down VM
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx stop trysoft|hard
Shuts down/halts the VM. First try a clean shutdown (trysoft); only if necessary force it (hard).

Suspend VM
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx suspend
Suspends the VM.

Check for a snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx hassnapshot
Queries whether the VM has a snapshot.

Create snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx createsnapshot 'name' 'description' quiesce memory
quiesce quiesces file system writes while the snapshot is taken; memory also grabs the memory state.

Revert to snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx revertsnapshot
Reverts to the previously created snapshot (you lose the current VM state!).

Remove snapshots
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx removesnapshots
Removes the previously created snapshots (you keep the current VM state!).

Register VM
vmware-cmd -s register /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx
Registers the VM (adds it to the inventory).

Unregister VM
vmware-cmd -s unregister /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx
Unregisters the VM (removes it from the inventory).

Answer VM question
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx answer
Answers a pending request for user input.

Extend virtual disk
vmkfstools -X 12G ./testing.vmdk
Extends an existing virtual disk to 12 GB.
Be aware: if the disk ends up smaller than the partition inside the guest, data loss or a corrupted system may result!

Copy virtual disk
vmkfstools -i /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmdk /vmfs/volumes/'otherlabel'/'VMName'.vmdk
Copies a vmdk from one VMFS datastore to another.

Export virtual disk
vmkfstools -i /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmdk -d 2gbsparse /'ext3mount'/'VMName'.vmdk
Exports a vmdk to an ext3 partition.

Rename virtual disk
vmkfstools -E 'oldname'.vmdk 'newname'.vmdk
Renames the files associated with the specified virtual disk.

Delete virtual disk
vmkfstools -U 'VMName'.vmdk
Deletes the files associated with the specified virtual disk.

Delete folders
rm -R -f /vmfs/volumes/'vmfslabel'/'VM folder'
Deletes non-empty folders.

Find text in a file
grep -i "word" 'file'
Example: grep -i "version" *440*.vmx
Finds a word in a file; in this example "version".
There are of course a whole lot more vmkfstools and vmware-cmd commands, but I think this gives a good start ...
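Because the rm -R -f line above removes a VM folder with no questions asked, here is a guarded version as an added example (not part of the original post): it only deletes a datastore/VM-folder path under /vmfs/volumes, refuses the datastore itself or anything that resolves outside the root, and refuses while a .vmx in that folder still appears in the output of vmware-cmd -l. The datastore tree and the vmware-cmd -l output used in the demo are constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Added example, not from the original post: a guarded alternative to typing
# "rm -R -f /vmfs/volumes/<vmfslabel>/<VM folder>" on the service console.
# It refuses paths outside the datastore root, the datastore root itself, and
# folders that still hold a VM registered on the host (per "vmware-cmd -l").

def parse_vmware_cmd_listing(output):
    """Turn the text printed by `vmware-cmd -l` (one .vmx path per line) into a list."""
    return [line.strip() for line in output.splitlines() if line.strip().endswith(".vmx")]

def vm_folder_removal_problems(folder, root="/vmfs/volumes", registered_vmx=()):
    """Return the reasons NOT to delete folder; an empty list means it is safe."""
    problems = []
    real_root, real = os.path.realpath(root), os.path.realpath(folder)
    rel = os.path.relpath(real, real_root)             # realpath resolves '..' and symlinks
    if rel == os.curdir or rel.startswith(os.pardir) or os.path.isabs(rel):
        return [f"{folder} is not inside {root}"]
    if len(rel.split(os.sep)) != 2:                    # must be <datastore>/<VM folder>
        problems.append(f"{folder} is not a <datastore>/<VM folder> path")
    if not os.path.isdir(real):
        problems.append(f"{folder} does not exist or is not a directory")
    for vmx in registered_vmx:                         # unregister first, then delete
        if os.path.realpath(vmx).startswith(real + os.sep):
            problems.append(f"{vmx} is still registered on this host")
    return problems

def remove_vm_folder(folder, root="/vmfs/volumes", registered_vmx=()):
    """Delete the VM folder only when every check passes; return (deleted, problems)."""
    problems = vm_folder_removal_problems(folder, root, registered_vmx)
    if problems:
        return False, problems
    shutil.rmtree(folder)
    return True, []

def demo_in_scratch_datastore():
    """Exercise the guard against a constructed datastore tree in a temp dir."""
    root = tempfile.mkdtemp(prefix="vmfs-")
    vm_dir = os.path.join(root, "datastore1", "fileserver")
    os.makedirs(vm_dir)
    vmx = os.path.join(vm_dir, "fileserver.vmx")
    open(vmx, "w").close()
    # Constructed stand-in for the output of `vmware-cmd -l` on the host.
    listing = vmx + "\n" + os.path.join(root, "datastore1", "dc01", "dc01.vmx") + "\n"
    registered = parse_vmware_cmd_listing(listing)
    outcome = {
        "still_registered": bool(vm_folder_removal_problems(vm_dir, root, registered)),
        "datastore_itself": bool(vm_folder_removal_problems(os.path.join(root, "datastore1"), root)),
        "escapes_root": bool(vm_folder_removal_problems(os.path.join(root, os.pardir), root)),
        "removed": remove_vm_folder(vm_dir, root)[0],   # unregistered now, so it goes
        "gone": not os.path.exists(vm_dir),
    }
    shutil.rmtree(root)
    return outcome

if __name__ == "__main__":
    for check, result in demo_in_scratch_datastore().items():
        print(f"{check}: {result}")
```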
Enjoy!
Tuesday, May 19, 2009
SMS Site System Status Summarizer still cannot access storage object. The operating system reported error 2147942405: Access is denied.
Now that I've got my OCS 2007 R2 successfully integrated with Cisco Call Manager 7, I thought I'd expand our test environment and start implementing SCCM 2007 R2 to monitor the installed servers and facilitate the deployment of future clients.
I chose to set up my SCCM environment on 4 servers:
SCCM1 = MP, FSP, SLP, Site server
SCCM2 = DP, PXE, SUP
IIS1 = Reporting Point, SQL Reporting
SQL1 = DB server
I installed the first SCCM1 server and from within the management console I deployed the other SCCM services (SCCM2 and IIS1). For this I followed the Technet deployment and configuration guides for SCCM 2007 R2. No problems there.
Also with the installation and configuration of Reporting on IIS1 all went ok. Running the reports works fine. So all ok you would think?!
Still, I kept receiving these annoying messages under Site Status - Site System Status - IIS1\C$\SMS
(in the print screen below, the status is now OK, because of course by now I resolved the problem ...)
(The Site System Status is CRITICAL because I have installed the PXE service, but haven't configured it yet, I'll do that next ...)
So anyway, here I would get these messages:
SMS Site System Status Summarizer still cannot access storage object "\\BTLABIIS1\C$\SMS" on site system "\\BTLABIIS1". The operating system reported error 2147942405: Access is denied.
Everywhere you look online it will tell you to make sure the SCCM site server computer account (SCCM1 in my case) is member of the local Administrators group on the remote SCCM server.
Unfortunately for me, that didn't do the trick. Having read the documentation on Technet, I had done this before anything else, but still got the result displayed above.
To resolve this, there is a second account that needs to be a member of the Administrators group on the remote server: the service account that was used to deploy the SCCM service. You can look it up under Site Management - Site Settings - Site Systems, in the role properties of the site system in question.
When you add this account to the Administrators group, this error message will disappear.
Hope it helps.
Monday, April 27, 2009
OCS 2007 R2 Documentation
Have you also noticed that when you search for OCS 2007 R2 documentation, you get a lot of OCS 2007 documents? It drove me crazy: whenever I followed a link on an OCS 2007 R2 site, I ended up in the OCS 2007 knowledge base.
So I decided to make a collection of true OCS 2007 R2 document libraries, to facilitate my OCS 2007 R2 - Cisco Call Manager integration project:
1. Microsoft Office Communications Server 2007 R2
The mother lode, from the Microsoft Download Center. I just don't understand why this doesn't show up when you Google it.
2. Microsoft Office Communications Server 2007 R2 Documentation
A CHM file with technical documentation to help you understand, plan, deploy, and operate Microsoft Office Communications Server 2007 R2 servers.
Remember that you might have to "Unblock" the content.
If you need help on that, here is the Microsoft support page: You cannot open HTML Help (.chm) files from Internet Explorer
3. Microsoft Office Communications Server 2007 R2 online documentation
If you don't want to mess about with the .chm file, you can find the same documentation online, on the Technet pages.
Hope this can help you on your OCS search.
Thursday, April 16, 2009
Exchange 2010 beta available: a list of the new features
So yesterday (14/04/09) we were able to download the first beta of the new e-mail system that is used by 65 % of the companies. The RTM version should ship in Q3 of 2009.
The first thing I noticed is that the admin interface has not changed much compared to the new interface we got with E2K7. That's good, because I like this new interface much better than the old one.
Based on Microsoft documentation, I've set off testing and playing around in my test lab. The improvements they have made (27 to be exact) are divided by Microsoft into 3 big pillars:
1. Flexibility and reliability
2. Anywhere access
3. Protection and compliance
Of course, one of the most eye-catching improvements is the support for OWA on Internet Explorer 7 & 8, Safari 3 and Firefox 3. But another cool feature that I think will be used a lot is "MailTips". It will protect end users from sending personal mails to large mailing groups. The last things that caught my eye yesterday are the "Consolidated view" and "Conversation Mute". Finally we are able to view all e-mails concerning a single topic in a single node (in Outlook and OWA).
Below is the full list of the 27 improvements. The ones I think are really interesting, and that I'll be looking into, I've indicated in bold:
1. Added internet browser support for OWA
2. Answer/forward status is being kept by the server and can be shown on all clients
3. MailTips to prevent personal mails from being distributed to large communities
4. Conversation view for the threading of messages
5. Calendar sharing available in OWA and for federated users
6. Sharing of contacts outside the company and outside the desktop
7. Voice Mail Preview: automatic written preview of a received voice mail
8. Call Answering Rules to administer phone calls just like e-mails
9. Rights Management in OWA as well as Outlook
10. Federation Services to connect your Exchange servers to those of other organizations
11. Page patching: automatic fixing of corrupted DB pages
12. I/O Optimization: fewer I/O bursts, support for SATA disks
13. JBOD (Just a Bunch Of Disks) support instead of only RAID
14. Database Availability groups: redundant DB's for mailboxes which provide automatic recovery
15. Failover on DB level: clustering is no longer necessary to provide high availability, so more uptime
16. Online Move-Mailbox: moving mailboxes while the user is logged in
17. Rules for transport protection: an administrator can change the IRM protection after the messages have been sent
18. Moderation: a transport rule that allows you to send a message to a reviewer before the message is actually sent
19. Outlook protection rules, which allow you to automatically assign RMS templates to e-mails
20. Role-based access control for Outlook
21. Exchange Control Panel to assign end users specific levels of control
22. Message tracking for end users (without having to contact the helpdesk)
23. Distribution Groups can be created, modified and deleted by end users
24. Block/Allow list for mobile devices
25. Protected voicemail: you are able to block the sending of voicemails outside the organization
26. Personal archive: moving of PST files to a secondary mailbox for better performance and compliance
27. Multi mailbox search: finally you are able to search multiple mailboxes with a single click
As you can see, there are quite a few cool improvements.
Can't wait to get started ... :)
Monday, April 06, 2009
OCS 2007 - Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
So now that I have my OCS server installed, a few troubleshooting tasks have to be done (in my case anyway).
First error I saw when running the Validate Front End Server Configuration wizard, is this:
Looking around online I see everywhere that the certificate is probably wrong. I configured the certificate with the FQDN of the OCS server, which looks to be correct, especially when I see the entries above the check user logon section, where it shows it succeeds in connecting to the OCS pool.
So anyway, I tried recreating a new certificate, this time with the FQDN of the OCS pool instead of the OCS server. After signing the new certificate with my CA and assigning it to the OCS server, it still Completes with failures. Only this is very interesting: now my login is successful but I can't connect to the OCS pool anymore. Complete opposite of what I had before!
What the f***??!! Before you start trying: assigning the certificate with the server FQDN to the OCS server and the one with the pool FQDN to IIS (or vice versa) does not work either.
Instead, create a new certificate with these settings:
1. Subject name: FQDN of the OCS pool
2. Alternate name: not that important
3. Remember to check the Automatically add local machine name to Subject Alt Name, that way you create a multi-homed certificate
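The two failures above follow from how a TLS peer matches names: it compares the name it dialled against the certificate's subjectAltName DNS entries, and falls back to the subject CN only when there is no SAN, so a certificate carrying just one of the two names satisfies one check and fails the other. As an added example (not from the original post), here is that rule in Python, run against the three certificates the post tried; the pool and server FQDNs are constructed placeholders.

```python
def cert_names(cert):
    """DNS names a certificate may be matched against.

    RFC 6125: when a subjectAltName extension is present only its DNS entries count;
    the subject commonName is a fallback used solely by certificates without a SAN.
    The dict shape is the one Python's ssl.getpeercert() returns for a validated peer.
    """
    san = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard that replaces exactly one leftmost label (*.lab.example)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def missing_names(cert, required):
    """Required names the certificate does not cover; an empty list means every peer is satisfied."""
    names = cert_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]


# Constructed lab names (placeholders, not from the original post).
POOL_FQDN = "ocspool.lab.example"     # the name clients and the validation wizard dial for the pool
SERVER_FQDN = "ocsfe1.lab.example"    # the front-end server's own machine name
REQUIRED = [POOL_FQDN, SERVER_FQDN]

# First attempt in the post: only the server FQDN, no SAN -> one of the two checks fails.
SERVER_ONLY = {"subject": ((("commonName", SERVER_FQDN),),)}
# Second attempt: only the pool FQDN, no SAN -> the other check fails instead.
POOL_ONLY = {"subject": ((("commonName", POOL_FQDN),),)}
# Working certificate: pool FQDN as subject plus the local machine name in the SAN.
# Because a SAN replaces the CN for matching, the pool name has to appear in the SAN as well.
MULTI_HOMED = {
    "subject": ((("commonName", POOL_FQDN),),),
    "subjectAltName": (("DNS", POOL_FQDN), ("DNS", SERVER_FQDN)),
}

if __name__ == "__main__":
    for label, cert in (("server-only", SERVER_ONLY), ("pool-only", POOL_ONLY),
                        ("multi-homed", MULTI_HOMED)):
        gap = missing_names(cert, REQUIRED)
        print(f"{label:12s} {'OK' if not gap else 'missing: ' + ', '.join(gap)}")
```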
After assigning this certificate to your OCS server and in the IIS manager, you should be good:
Hope it can help...
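The error codes quoted in this post and in the SCCM post above are the same 32-bit HRESULT layout printed two ways: unsigned decimal by the SCCM status summarizer (2147942405) and signed decimal by the OCS wizard (-2146893022). As an added example, not from the original posts, this Python snippet decodes them: the first is 0x80070005, Win32 ERROR_ACCESS_DENIED, and the second is 0x80090322, SEC_E_WRONG_PRINCIPAL from the security facility, the code you get when the name a peer expects is not on the certificate, which is consistent with the certificate fix above.

```python
import re

# Facility numbers from the HRESULT layout (winerror.h); only the two this page hits.
FACILITIES = {
    7: "FACILITY_WIN32",  # low 16 bits carry a plain Win32 error code
    9: "FACILITY_SSPI",   # security support provider interface (Schannel/TLS)
}

# Symbolic names and documented texts for the codes quoted in the posts.
KNOWN = {
    0x80070005: ("ERROR_ACCESS_DENIED", "Access is denied."),
    0x80090322: ("SEC_E_WRONG_PRINCIPAL", "The target principal name is incorrect."),
}

# Matches "reported error 2147942405" (SCCM) and "HRESULT=-2146893022" (OCS).
ERROR_RE = re.compile(r"(?:error\s+|HRESULT=)(-?\d+)", re.IGNORECASE)


def to_hresult(value):
    """Normalise a logged code (int or str, signed or unsigned, hex or decimal) to unsigned 32-bit."""
    if isinstance(value, str):
        value = int(value.strip(), 0)   # base 0 accepts "0x80070005" as well as decimals
    return value & 0xFFFFFFFF           # two's complement: -2146893022 -> 0x80090322


def decode_hresult(value):
    """Split an HRESULT into severity, facility and code, and name it if we know it."""
    hr = to_hresult(value)
    facility = (hr >> 16) & 0x7FF       # 11 facility bits sit below the severity/reserved bits
    code = hr & 0xFFFF
    name, text = KNOWN.get(hr, ("<unknown>", ""))
    return {
        "hex": f"0x{hr:08X}",
        "failure": bool(hr & 0x80000000),   # severity bit set = failure
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "<unknown>"),
        "code": code,
        "name": name,
        "text": text,
    }


def decode_log_line(line):
    """Pull the first decimal error code out of a status line and decode it; None if there is none."""
    m = ERROR_RE.search(line)
    return decode_hresult(m.group(1)) if m else None


if __name__ == "__main__":
    # Both lines are quoted from the posts on this page.
    for line in (
        "The operating system reported error 2147942405: Access is denied.",
        "Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022",
    ):
        d = decode_log_line(line)
        print(f"{d['hex']} facility={d['facility_name']} code={d['code']} -> {d['name']}: {d['text']}")
```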
OCS 2007 & SQL2005 SP3 – Pool backend discovery failed
A few weeks ago I was installing an OCS server in a lab environment for the purposes of giving demos and testing some stuff out myself.
However, before I could actually even start I ran into a nice little problem.
First I prepared the AD, as documented by Microsoft, no problem there at all. Then I launched the Create Enterprise Pool wizard from setup.exe.
In the next screen of the simple wizard you need to provide a pool name, after which the FQDN is filled in automatically, and the SQL backend. (If your SQL farm is separated by a firewall, make sure port 1433 is open from the OCS server to the SQL server.)
That should be that. Unfortunately for me, I received this error:
Since I have a SQL 2005 server, I checked the Service Pack level and made sure it was the latest version (SP3). The Backward Compatibility pack installed on the OCS is from the same SP level. No problem there you would say. But no matter how I tried configuring the OCS pool, it didn’t work.
I guess not many people have this issue, since I didn’t find much online about it. But then I stumbled across this article from Microsoft: You cannot create the enterprise pool for Office Communications Server 2007 on a back-end server that has SQL 2005 Service Pack 3 (SP3) installed
Basically it says the backward compatibility pack from SP3 does NOT work correctly and what you need to do is this:
1. Uninstall the SQL 2005 SP3 Backward compatibility pack
2. Download the correct backward compatibility pack (SQLserver2005_BC.msi) from this link: SQLServer2005_BC.msi
3. Install this new BC pack
Immediately after that I tried the OCS enterprise pool wizard again (no reboot) and what do you know: it flew straight through!
Tuesday, January 27, 2009
Replicate Exchange to a DRS (Disaster Recovery Site): Best Practices
In my last post I’ve gone over some of the considerations you need to keep in mind when choosing a replication setup for Exchange 2007.
Now there are of course some best practices you can keep in mind when you’ve chosen your setup concerning the replication of Exchange 2007. Since we are on the subject, and in order to keep a nice overview, I’ve created this post which is a summary of the Microsoft guidelines.
1. Mandatory Data to replicate
a) edb files: messages and MAPI-content
b) stm files: non-MAPI content
c) log files: changes to commit to the database
d) chk files: info on the entries in the log files
2. Best Practices for asynchronous replication (replication mechanisms)
a) Configure replication at the logical/mount point volume level: if the mailbox data path is G:\MDB1\MDB1.EDB, then drive G should be the base unit to perform replication. As a result, all the data on drive G will be replicated. Setting replication to occur at the file or subdirectory level is prone to human error and is not supported by Microsoft.
b) Create many replication points: this reduces the queuing of multiple I/Os which are destined for the same replication point
c) Keep transaction logs on different logical volumes: since each write I/O request is queued at the replication point, it is best to split the edb and log files to different logical volumes, to reduce long write response times.
d) Use multiple replication links: expensive, but necessary (although not technically) for availability and load-balancing.
3. Best Practices for Configuring Exchange For Synchronous Replication
a) Create the maximum number of storage groups per Exchange server: there will be more parallel log writing processes, which can reduce the overall transaction log-write latency
b) Increase transaction log buffer size: Increasing the log buffer size reduces the frequency of capacity flushes, increases the log write size, and subsequently reduces the overall log write latency.
That's about it for this post. Of course, this is only a short summary and can (and should) be supplemented with other articles on this subject.
Replicate Exchange to a DRS (Disaster Recovery Site): Design
Last week, we had a discussion over the design and configuration of an Exchange 2007 server in a DRS.
Of course, as always, there isn’t one answer that fits all. There are a few questions you need to answer to get to a solution that fits your needs:
- How will the data be replicated to the server located in the DRS?
- How performant is the link between the main site and the DRS?
- How important are the e-mails within your company?
- How much money do you have to spend?
Let’s go over the questions one by one to come to our solution.
1. How will the data be replicated to the server located in the DRS?
There are 4 different replication methods:
a) Synchronous replication: the Exchange host receives a “successful write” response when the operation is complete on the local AND remote locations.
Advantages:
I. guaranteed no data loss (how is that for a sole advantage … )
Disadvantages:
I. reduced performance (site link, link utilization and distance are very important, since mails have to be saved to both local and remote storage)
II. more expensive than asynchronous replication
III. need for 3rd party software
b) Asynchronous replication: the Exchange host writes to the local storage and the data is replicated independently afterwards
Advantages:
I. not as heavy on performance indicators as synchronous replication
II. cheaper than synchronous replication
III. native Exchange 2007 technology (LCR, SCR & CCR)
IV. robust (in the case of CCR, no single failure will lead to a loss of service)
Disadvantages:
I. no guarantee against data loss can be provided
c) Host-based replication: a filter driver manages the replication (and needs to cut the I/O stream to do this)
d) Storage-based replication: replication at storage level (more performant than host-based replication)
2. How performant is the link between the main site and the DRS?
Whether you choose synchronous or asynchronous replication might not just depend on the budget you have to spend, but also on the environment that is already in place. Be aware that choosing synchronous replication will not only reduce the number of mailboxes per server (up to 75 % reduction in mailboxes/server scalability), the site link is largely impacted as well.
The tools LoadSim and JetStress are developed by Microsoft to test latencies and storage throughput.
3. How important are the e-mails within your company?
As said above, asynchronous replication cannot guarantee that all data will be retained in case of a “disaster”, while synchronous replication does (provided the site links are operational). However, Exchange 2007 is designed to lose as little information as possible in case of a failure. Thanks to the LCR, CCR and SCR technologies, the losses should be limited to read/unread message statuses, incomplete contact and calendar entries, … If this is acceptable for your SLA, they offer a really good solution. Of course, if databases have to be moved to a new stand-by Exchange server, some downtime will be unavoidable.
4. How much money do you have to spend?
I guess this point is pretty clear. Choosing between LCR, SCR and CCR already has a huge effect on your budget. If your SLA requires you to choose synchronous replication, the price will mount exponentially, since third-party software will have to be purchased, installed and configured, and staff will need training on it, …
Tuesday, January 13, 2009
PowerShell Graphical Help
PowerShell is cool, isn't it? I absolutely love it.
But there was a downside. The output of the help function within the PowerShell prompt is difficult to read, not to mention that it can scroll your screen quite a bit.
So instead of using the help function within PowerShell, the PowerShell guys of Microsoft have created a Graphical Help File.
It contains just the same information as the help within PowerShell when using the -detailed switch, but it comes with some definite advantages:
- fully searchable
- graphical
- separate window, so you can keep a clear eye on your code
A must have download.