Thursday, December 30, 2010

New Rollups Released for TMG 2010 and ISA 2006

The ISA/TMG team at Microsoft has released a new rollup for each product. Make sure that Service Pack 1 is installed on ISA 2006 and TMG 2010 before installing these rollups.

Link Below:

http://blogs.technet.com/b/isablog/archive/2010/12/29/new-rollups-released-for-tmg-2010-and-isa-2006.aspx

UAG Maximum Number of Logon Attempts Error when using a 20 Character Password

I came across this interesting blog post last night relating to an issue within UAG: when a user's password is longer than 20 characters, UAG truncates it before passing it to the authentication server, so the logon fails, and repeated attempts are eventually read as failed logons and lock the account out.

Paul Harper - Microsoft Premier Field Engineer - has supplied the information needed to work around this particular issue if you come across it. Check the link below:

http://blogs.technet.com/b/pharp/archive/2010/12/29/forefront-uag-truncates-passwords-longer-than-20-characters-and-passes-them-on-as-valid-to-authentication-server.aspx

Wednesday, December 29, 2010

Automatically Live Migrate Multiple Virtual Machines in a Hyper V Cluster

Over the Christmas break, I decided to use the time off to carry out some essential maintenance on our 3-node Hyper V Failover Cluster in our datacentre (I know, sad as I am working over the holidays!).

What I wanted to do was update all of the Hyper V hosts with the latest HP Support Packs and firmware updates, install the latest Windows Updates and patches, and also run a script to identify which hotfixes specific to Hyper V, Clustering and SCVMM are missing (see this link for a really handy script that I recommend any Hyper V admin use regularly - http://kevingreeneitblog.blogspot.com/2010/10/hyper-v-and-scvmm-missing-updates.html).

With all of these updates to be applied to the Hyper V hosts, it means that although there will be no downtime for the virtual machines on each host (approx. 15 VMs on each one), I will still need to 'Live Migrate' these machines to the other Hyper V hosts before I apply the updates and reboot the hardware.

This 'Live Migrate' process can be tedious because, unlike VMware's vMotion, Hyper V 2008 R2 cannot 'Live Migrate' more than one virtual machine at a time from a given physical host to another - you can 'Live Migrate' more than one virtual machine at a time within a Hyper V cluster, but each host can only be the source or destination of one migration at any given time. For example, I can migrate a VM from Host 1 to Host 2 and at the same time migrate a machine from Host 3 to Host 4, as long as each host only has one 'Live Migration' occurring at any given time.

With a large number of VMs to 'Live Migrate', clicking on each VM one at a time and waiting for it to migrate before you can do the next one is a time-consuming process and a waste of valuable time over the Christmas holiday period!

As previously mentioned, although you cannot 'Live Migrate' more than one virtual machine at a time in a Hyper V cluster from one host to the other, there are several ways that you can automate this process with a couple of clicks of a mouse that will systematically move each virtual machine to a different host without the need for you to do each VM one by one.

My preferred method of automating this process requires that you have Microsoft's System Center Virtual Machine Manager 2008 R2 managing your Hyper V cluster (shame on you if you don't!).

I remembered reading through the SCVMM documentation a while back and coming across a host management feature called 'Maintenance Mode'. Maintenance Mode lets you mark a host as going offline within your Hyper V cluster, and when you enable it on a particular Hyper V host, a wizard pops up explaining that this will automate the 'Live Migration' of its virtual machines to other physical hosts in the cluster. Just the solution I was looking for!

Simply browse to the 'Hosts' section from within SCVMM, right mouse click on the host, select 'Maintenance Mode' from the menu and then follow the wizard to move all machines automatically.
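For anyone without SCVMM, the same drain can be scripted against the cluster directly. The block below is an added example, not code from the original post or from Microsoft; it uses the Windows Server 2008 R2 FailoverClusters module and live migrates every VM group owned by one node to another, one at a time, since 2008 R2 only allows a host to take part in one live migration at once. The cluster and host names are placeholders, and it assumes you run it as a cluster administrator.

```powershell
# Added example: drain one Hyper-V 2008 R2 cluster node by live migrating
# every VM it owns to another node. Not part of the original post.
# Assumptions: FailoverClusters module installed, run as a cluster admin,
# cluster/host names below are placeholders.
Import-Module FailoverClusters

function Move-AllVMsOffNode {
    param(
        [Parameter(Mandatory=$true)][string]$Cluster,
        [Parameter(Mandatory=$true)][string]$SourceNode,
        [Parameter(Mandatory=$true)][string]$TargetNode,
        [switch]$DryRun
    )

    # Refuse to drain onto a node that is not actually up.
    $target = Get-ClusterNode -Cluster $Cluster -Name $TargetNode
    if ($target.State -ne 'Up') {
        throw "Target node $TargetNode is '$($target.State)', not 'Up'."
    }

    # Only VM groups currently owned by the source node.
    $groups = Get-ClusterGroup -Cluster $Cluster |
        Where-Object { $_.GroupType -eq 'VirtualMachine' -and
                       $_.OwnerNode.Name -eq $SourceNode }

    # 2008 R2 allows one live migration per host at a time, so these run
    # one after another rather than in parallel.
    foreach ($g in $groups) {
        if ($DryRun) {
            Write-Host "Would live migrate '$($g.Name)' -> $TargetNode"
            continue
        }
        Write-Host "Live migrating '$($g.Name)' to $TargetNode ..."
        $result = Move-ClusterVirtualMachineRole -Cluster $Cluster -Name $g.Name -Node $TargetNode
        if ($result.State -ne 'Online') {
            Write-Warning "'$($g.Name)' ended in state '$($result.State)'"
        }
    }

    # Sanity check before you reboot the hardware: nothing left on the source.
    if (-not $DryRun) {
        $left = Get-ClusterGroup -Cluster $Cluster |
            Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.OwnerNode.Name -eq $SourceNode }
        if ($left) { Write-Warning "$(@($left).Count) VM group(s) still on $SourceNode" }
    }
}

# Dry run first, then the real thing.
Move-AllVMsOffNode -Cluster 'HVCLUSTER01' -SourceNode 'HVHOST1' -TargetNode 'HVHOST2' -DryRun
# Move-AllVMsOffNode -Cluster 'HVCLUSTER01' -SourceNode 'HVHOST1' -TargetNode 'HVHOST2'
```

The dry run lists what would move before anything is touched; the final check matters because a group that failed to migrate and is still on the source node would be taken down with the host when you reboot it.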

There is another way to automatically move all the virtual machines from one Hyper V host to another, but that involves pulling the power cables from the back of the host (that's a failover, not a live migration) and I really don't recommend it....................

Now, back to enjoying the time off work!

Tuesday, December 21, 2010

BPOS versus the new Office 365

For those of you that have been out of the loop the last while, you might be excused for thinking that the new Microsoft Office 365 was a new version of your standard locally installed Office client.

Microsoft Office 365, however, is not a locally installed client at all. It is the new version of Microsoft's current online (cloud) offering, the Business Productivity Online Suite (BPOS).

So what are the differences, you might ask? Read below for a comparison of the two written by Aaron Leskiw.

How does Office 365 compare to BPOS?

Microsoft describes Office 365 as a “significantly enhanced” version of BPOS. Although it’s basically the same service, as you’ve seen, it includes new features like Office Web Apps. And, it also has enhancements to make administration easier.

On the desktop side of things, Office 365 includes the new Service Connector application, replacing the single sign-on tool.  The Service Connector should make user desktop management a little easier, and simplify the login process for users. The Service Connector also takes care of patches and updates.

Speaking of the desktop, system requirements have changed. Office 2003 will no longer be supported, and neither will Office Communicator 2007.  Workstations will need to run Office 2007 or newer, and the new Lync 2010 software for instant messaging.

Office 365 is scheduled for availability in 2011. If you’re currently a BPOS customer, then you’ll have 12 months to migrate to Office 365 from the time the service becomes available. For more information, check out the Office 365 transition center, where Microsoft has done a great job at providing information for admins, including a helpful transition checklist. There's also a helpful FAQ.

With the release of Office 365, Microsoft has really stepped-up the game for hosted-cloud services. Time will tell how successful this play will be, but recent big wins have demonstrated that they are definitely a player. If Office 365 looks like something you want to learn more about, you can get more information on the Microsoft Office 365 home page.

Or, download the Office 365 fact sheet for full details on the different Office 365 offerings.

Microsoft BPOS - How to configure an iPhone for BPOS Exchange Online

I came across this article in one of my all time favorite IT sites - Daniel Petri's http://www.petri.co.il/ - I started using this site way back when I started out studying for my old Windows NT 4 MCSE.

Anyhow, as more and more people have iPhones and more and more companies are moving to BPOS, here's the link to an article explaining what you need to do to configure your iPhone with BPOS:

http://www.petri.co.il/iphone-configuration-for-bpos-exchange.htm?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Petri+%28Petri+IT+Knowledgebase%29

Enjoy!

Friday, December 17, 2010

Deploying Virtual Machine Templates using SCVMM 2008 R2

O.K., so this isn't new information but still can be a little bit tricky if you're not used to the process of creating templates and if you don't have a full understanding of the sysprep utility and why it is needed to deploy multiple copies of the same machine.

An engineer came to me a while back and told me a story that sounded kinda familiar from when I started using Hyper V a few years back. The engineer had a Hyper V deployment to do that involved creating 10 virtual machines, all with the same operating system but each to be used for different applications and roles. His quick solution was to build one virtual machine, make the necessary modifications to password policies, RDP connections, firewall etc., then shut that VM down and make another 9 copies of the VHD to use for the other virtual machines.

A good idea in theory, but it missed one thing: when the original VHD was built, the Windows installation inside it generated its own machine SID, so the 9 copies all carried that identical SID onto the network. Running cloned, non-generalised images like this is not a supported configuration, and when all of the copied VHDs were brought online and joined to the domain, it wasn't long before duplicate SID problems started to appear in the event logs on each of them, and most noticeably on the one that had been given the Domain Controller role!

What should have been done first to avoid this problem was to build the initial VHD and configure it as needed. Then he should have opened a command prompt, changed to the 'C:\Windows\System32\sysprep' folder and run the following command (the /shutdown switch makes sure the VM powers off when it finishes instead of rebooting straight back into OOBE):

sysprep /oobe /generalize /shutdown

Once this command completes, the VM shuts down and the Virtual Hard Disk is ready for deployment: /generalize strips the machine SID and the other machine-specific settings, and the next boot runs the Out Of Box Experience (OOBE) and generates a fresh SID for that copy.

All that has to be done now is to make a copy of this VHD and store it somewhere safe, as it is going to be your master VHD for deployments in the future. In this engineer's case, he could then make 9 copies of the newly sysprep'd VHD and, when each one is started within Hyper V, the VM will request the relevant configuration settings such as product key and user settings to complete the installation.
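If you suspect a set of VMs came from a cloned VHD, you can check for shared machine SIDs before they cause trouble. The following is an added example of mine, not code from the original post: it reads the SID of any local account on each host over WMI, strips the trailing RID to get the machine SID, and reports any SID that turns up on more than one machine. The host names are placeholders, and it assumes WMI is reachable and you are a local administrator on each box.

```powershell
# Added example: report VMs that share a machine SID, the symptom of cloning a
# VHD that was never generalised. Not part of the original post.
# Assumptions: hostnames are placeholders, WMI (DCOM) reachable, local admin on each.
function Get-MachineSid {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # The machine SID is any local account's SID minus its RID,
    # e.g. S-1-5-21-111-222-333-500 -> S-1-5-21-111-222-333
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True" | Select-Object -First 1
    if (-not $acct) { throw "No local accounts found on $ComputerName (domain controller?)" }
    return ($acct.SID -replace '-\d+$', '')
}

function Find-DuplicateMachineSids {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)
    $table = @{}
    foreach ($c in $ComputerName) {
        try {
            $sid = Get-MachineSid -ComputerName $c
        } catch {
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }
        if (-not $table.ContainsKey($sid)) { $table[$sid] = @() }
        $table[$sid] += $c
    }
    # Any SID owned by more than one machine is a clone that was never sysprepped.
    foreach ($sid in $table.Keys) {
        if ($table[$sid].Count -gt 1) {
            New-Object PSObject -Property @{ MachineSid = $sid; Computers = ($table[$sid] -join ', ') }
        }
    }
}

Find-DuplicateMachineSids -ComputerName 'VM01','VM02','VM03' | Format-Table -AutoSize
```

Domain controllers have no local accounts, so they are reported as a warning rather than checked; run the check against the clones before you promote one of them.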

Now, I know the title of this blog topic is 'Deploying Virtual Machine Templates using SCVMM 2008 R2' and I haven't yet even mentioned SCVMM!

The above process is quite laborious and takes a bit of getting used to, and it still leaves a lot of configuration steps to finalise on each newly deployed VM. Within SCVMM, however, this process is simplified greatly: when you create a template from a VM, SCVMM runs sysprep for you, so there is no need to run it from a command line inside the initial VM.

Take a look at the document in the link below, created by Virtualisation MVP Aidan Finn, which outlines a comprehensive step-by-step process for creating and deploying an SCVMM 2008 R2 template:

http://sdrv.ms/YfKqwS

SCVMM 2008 R2 Service Pack 1 RC Released

O.K., so I'm about a week behind on this one, but busy schedule means I'm only getting around to blogging about it now!

SCVMM 2008 R2 Service Pack 1 RC combines the usual gamut of bug fixes and tweaks with a new feature set for Windows Server 2008 R2 SP1 Dynamic Memory.

Check out all the info on SP1 right here:

http://blogs.technet.com/b/scvmm/archive/2010/12/15/sc-vmm-2008-r2-sp1-introduction.aspx

http://blogs.technet.com/b/scvmm/archive/2010/12/03/scvmm-2008-r2-sp1-rc-available-for-download.aspx

Hyper V Performance Tuning

Here are some good steps to follow when trying to tune your Hyper V deployment. These steps were published on Jason Conger's Virtualisationadmin blog:

Hyper-V is pretty easy to set up in Windows Server 2008 R2 - just enable the Hyper-V role and start building virtual machines. However, there are a lot of performance tuning measures that can be made to ensure you get optimum performance from your hardware. Paul Schnackenburg has put together a series of articles detailing these performance tuning techniques. Paul’s articles include detailed analysis of the following:
  • Virtual processors - According to Microsoft as a general rule of thumb it’s best to have four virtual processors per logical processor in the system, maximum is eight. But the question of course is how can you find out the ratio on your hosts?
  • Memory, Storage, and Networking - Optimizing memory for VMs is a challenge in Hyper-V of today as the memory you assign to each VM is fixed whether the VM actually uses it or not. The good news it’s going to become a whole lot easier when Microsoft releases SP1 for Windows Server 2008 R2 and Dynamic Memory comes into play.
  • Tuning Tips and Tricks - integration components, guest OS, Hyper-V manager, Services, Host OS, Background CPU activity, network configuration.
  • Monitoring Hyper-V performance - The first rule is don’t ever measure performance of a VM from within a VM. Most sysadmins' first reaction to performance complaints will be to have a look in Task Manager. Unfortunately that doesn’t work in a VM because it can only see its little keyhole view of the world.
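The first bullet asks how you find the virtual-to-logical processor ratio on your own hosts. One way, as an added example that is not from Paul Schnackenburg's articles or the quoted post, is to count instances of the hypervisor's own performance counters from the parent partition: one per logical processor, and one per virtual processor of every running VM (root partition VPs live in a separate counter set, so they are not counted). It assumes you run it on the Hyper-V host as an administrator with the English counter names.

```powershell
# Added example: VP:LP ratio on a Hyper-V 2008 R2 host from the hypervisor
# performance counters. Not part of the quoted post.
# Assumptions: run in the parent partition as admin; English counter names.
function Get-VpToLpRatio {
    # One instance per logical processor, plus a "_Total" instance we drop.
    $lp = (Get-Counter '\Hyper-V Hypervisor Logical Processor(*)\% Total Run Time').CounterSamples |
        Where-Object { $_.InstanceName -ne '_total' }
    # One instance per virtual processor of every *running* VM, plus "_Total".
    # Stopped VMs contribute nothing, so run this at a representative time.
    $vp = (Get-Counter '\Hyper-V Hypervisor Virtual Processor(*)\% Total Run Time').CounterSamples |
        Where-Object { $_.InstanceName -ne '_total' }

    $lpCount = @($lp).Count
    $vpCount = @($vp).Count
    if ($lpCount -eq 0) { throw "No logical processor counters found: is this the Hyper-V parent partition?" }

    $ratio = [math]::Round($vpCount / $lpCount, 2)
    New-Object PSObject -Property @{
        LogicalProcessors = $lpCount
        VirtualProcessors = $vpCount
        VpPerLp           = $ratio
        # 8:1 is the supported ceiling for server guests on 2008 R2.
        OverEightToOne    = ($ratio -gt 8)
    }
}

Get-VpToLpRatio | Format-List
```

Because the VP count only covers VMs that are running, a host that looks comfortably under the ratio during a quiet period can still be over it once everything is powered on; sample it when the host is at its normal load.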

UAG Service Pack 1 Released!

UAG Service Pack 1 has been released and it comes packed with some new GUI enhancements as well as some neat new features.

Anyone who has configured DirectAccess using UAG in the past will notice that some of these changes are welcome enhancements!

A really nice feature in SP1 is the ability to update or modify the existing UAG GPOs that the configuration wizard generates initially. This is quite cool because previously, if you wanted to make any changes to the DirectAccess configuration, you nearly always needed to manually remove these GPOs first to ensure the new ones took precedence when you re-ran the wizard.

You can now also specify a GPO for the client laptops or computers that you want to enable DirectAccess on, instead of the previous option of just a security group.

There are also some major changes to the DirectAccess Connectivity Assistant to help troubleshoot those hard-to-get-going configurations!

Here are the links to the download and some extra information on what's included:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=980ff09f-2d5e-4299-9218-8b3cab8ef77a

http://technet.microsoft.com/en-us/library/gg295322.aspx

Thursday, December 16, 2010

Exchange 2010 Virtualisation Support

I have decided to post this for those of you not familiar with Microsoft's stance on virtualising Exchange Server 2010, as there seem to be conflicting reports of what is and is not supported within a virtual environment.

Microsoft supports Exchange Server 2010 in a virtualised environment with just two exceptions.

Hyper V is of course supported, as are all hypervisors listed under the 'Server Virtualization Validation Program' (SVVP) here: http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm

The Exchange 2010 UM role is the only role not supported in a virtual environment (it still works if you want to try it, it's just not supported by MS!).

Here's the catch, however, that most people are not aware of: Microsoft DO NOT support a virtualised DAG if the DAG members are made Highly Available (HA) within the hypervisor. Again, this configuration will work if you set it up this way; however, if you have problems and want to call Microsoft for support, they won't want to know if you have the DAG members highly available and configured to fail over to another host in the event of hardware failure. The reasoning is that you end up with two independent failover mechanisms (the DAG's own database copies and the hypervisor's VM restart) acting on the same server.

Amazingly, though, VMware are quoted as recommending their VMware HA solution alongside the Exchange application-aware high availability solution, which is an unsupported configuration!!

Here is a link from the Microsoft Exchange Team's Official Blog and it makes for some interesting reading on the subject!

http://msexchangeteam.com/archive/2010/11/09/456851.aspx

Troubleshooting 'Redirected Access' on a Cluster Shared Volume (CSV)

Here's a really interesting post from Chuck Timon - Microsoft Enterprise Platforms Support Senior Support Escalation Engineer - surrounding the dreaded 'Redirected Access' message that can appear sometimes (rarely for me thankfully!) on a Hyper V Failover Cluster.

The post covers 4 reasons as to why this message will appear on your CSV and the solutions to diagnose and bring the CSV back online.

Here's the link:

http://blogs.technet.com/b/askcore/archive/2010/12/16/troubleshooting-redirected-access-on-a-cluster-shared-volume-csv.aspx

Wednesday, December 15, 2010

Exchange 2010 Personal Archive support in Outlook 2007 is here!

Finally, for those of you who are using Exchange 2010 Personal Archives and are tired of having to upgrade Outlook clients to the 2010 version, Microsoft has recently released a rollup and hotfix that enables this support in Outlook 2007. Here's the link:

http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2458611

Monday, November 22, 2010

Active Directory and Exchange Topology Diagrammer

I came across this tool a couple of years ago, demo'd it, thought it looked great but forgot about it and never used it in a live environment.

Last week I started a project which required a full audit of a fairly large Exchange 2007 network spread across 13 sites worldwide. As part of the audit, I set about creating a Visio diagram of the Exchange organization but soon ran into trouble trying to map out all of the site links and detailed information.

That's when I remembered Microsoft's Active Directory Topology Diagrammer. This is a really handy tool when you want to create Visio diagrams of your networks: it covers the Active Directory site structure, the OU structure and, brilliantly, the Exchange organization structure too!

Download the tool from here and try it out. You will need Visio installed, with the latest Exchange stencils, for the tool to draw the diagrams properly:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en

Tuesday, November 16, 2010

Increase Exchange 2010 DAG Failover Threshold

One of our clients has a 4-member Exchange 2010 DAG spread across 4 different countries worldwide.

The client had reported to me that one of the sites, which had a slight bandwidth issue, was consistently failing its active mailbox database over from the local site to its Dublin HQ site. When we manually moved the database back to the original local site, it would randomly fail back over to the main Dublin HQ site, presumably due to intermittent latency on the Internet connection at that local site.

The customer asked me to find a way to increase the failover threshold or tolerance for the DAG so that it doesn't fail over as frequently, without losing the High Availability functionality.

After searching for quite a while on how to do this using the Exchange Management Shell, I found some information relating not to Exchange Server but to the Windows Server 2008 R2 Failover Cluster service, which is what a DAG uses underneath for its clustering (the cluster is created, and named after the DAG, when the first member is added).

Using a standard command prompt (cmd), I started playing with the 'cluster' command and looking into what switches it had and what they could be applied to.

Here's what I came up with:

Type 'cluster /list' to display the name of the cluster that is present on the server.

When you run 'cluster /prop' from the cmd line, it returns a number of values relating to the cluster, two of which are the following:

CrossSubnetDelay = 1000 (the default of 1000 milliseconds, i.e. one heartbeat sent every second to nodes on a different subnet)

CrossSubnetThreshold = 5 (the default number of consecutive heartbeats that can be missed before the node is considered down and failover starts)

I changed the CrossSubnetDelay value to make the heartbeat go out every 2 seconds instead of the default 1 second by using the command below:

cluster /cluster:<ClusterName> /prop CrossSubnetDelay=2000

With this new setting, along with the default CrossSubnetThreshold of 5 missed heartbeats, the cluster service now waits 5 x 2000 ms = 10 seconds of silence before declaring the node down and initiating a failover to a different DAG member (it was 5 x 1000 ms = 5 seconds before).

This value can be increased to a maximum of 4000 milliseconds for nodes on different subnets (the equivalent SameSubnetDelay has a maximum of 2000 milliseconds for nodes on the same subnet).

The CrossSubnetThreshold value can be set anywhere from 3 to 10.

This workaround / solution may need some tweaking with values until you reach the desired tolerance on your DAG.

It is also worth making a note of all the values before and after you run the above commands so the change can be reverted, and, as always, make sure you have a full backup of your Exchange environment before you do anything like this!!!!
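The same change can be made from PowerShell with the FailoverClusters module, which also makes it easy to enforce the value ranges and keep the before/after record the post recommends. This is an added example of mine, not code from the original post; the cluster name is a placeholder (on a DAG it is the DAG name) and it assumes you run it on a DAG member as a cluster administrator.

```powershell
# Added example: CrossSubnetDelay / CrossSubnetThreshold via the FailoverClusters
# module, with the 2008 R2 ranges enforced and a before/after log. Not from the post.
# Assumptions: run on a DAG member as cluster admin; cluster name is a placeholder.
Import-Module FailoverClusters

function Set-DagHeartbeatTolerance {
    param(
        [Parameter(Mandatory=$true)][string]$ClusterName,
        [int]$CrossSubnetDelay     = 2000,   # milliseconds, 1000..4000 on 2008 R2
        [int]$CrossSubnetThreshold = 5,      # missed heartbeats, 3..10 on 2008 R2
        [string]$LogPath = "$env:TEMP\dag-heartbeat-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
    )
    if ($CrossSubnetDelay -lt 1000 -or $CrossSubnetDelay -gt 4000) {
        throw "CrossSubnetDelay must be between 1000 and 4000 ms"
    }
    if ($CrossSubnetThreshold -lt 3 -or $CrossSubnetThreshold -gt 10) {
        throw "CrossSubnetThreshold must be between 3 and 10"
    }

    $props   = 'Name','SameSubnetDelay','SameSubnetThreshold','CrossSubnetDelay','CrossSubnetThreshold'
    $cluster = Get-Cluster -Name $ClusterName

    # Record the current values first so the change can be reverted.
    "BEFORE $(Get-Date)" | Out-File $LogPath
    $cluster | Select-Object $props | Format-List | Out-File $LogPath -Append

    # Cluster properties are set by plain assignment on the cluster object.
    $cluster.CrossSubnetDelay     = $CrossSubnetDelay
    $cluster.CrossSubnetThreshold = $CrossSubnetThreshold

    $after = Get-Cluster -Name $ClusterName | Select-Object $props
    "AFTER $(Get-Date)" | Out-File $LogPath -Append
    $after | Format-List | Out-File $LogPath -Append

    # Silence tolerated from a cross-subnet node before it is declared down.
    $seconds = ($CrossSubnetDelay * $CrossSubnetThreshold) / 1000
    Write-Host "Cross-subnet failover now waits $seconds s ($CrossSubnetThreshold x $CrossSubnetDelay ms). Log: $LogPath"
    return $after
}

Set-DagHeartbeatTolerance -ClusterName 'DAG01' -CrossSubnetDelay 2000 -CrossSubnetThreshold 5
```

Raising the tolerance means a genuinely dead node is also noticed later, so the 10 seconds here is a trade between nuisance failovers over a flaky WAN and how long clients wait during a real outage.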

Saturday, November 13, 2010

Bulk Create Active Directory User Accounts and Exchange Mailboxes

Although this process is fairly well known at this point, I am continually asked for this PowerShell script to assist with the bulk creation of new Active Directory user accounts with passwords, and then the bulk creation of Exchange mailboxes for those new accounts. It also allows you to create or specify an OU to place them into.

This script was created by Exchange MVP Andy Grogan.

Here's the link to the downloadable Powershell Script and sample CSV file that creates the user accounts within Active Directory:

http://www.telnetport25.com/component/content/article/15-powershell/321-quick-post-script-to-create-lab-users-powershell-version.html

Once you have modified the CSV file to suit your user structure and run the Powershell script, you should now have all of the users created within AD and all assigned passwords of your choice too.

The next step is to create new Exchange mailboxes for those users using the following process:

Open the Exchange Management Shell and start with Get-User.

If we have an OU we want to grab all the users from, we could just type Get-User -OrganizationalUnit <OU Name>. However, this returns all the users in that OU, some of which may already be mailbox-enabled. To narrow it down we filter on RecipientType equal to User (as opposed to UserMailbox, which means the account already has a mailbox).

So, for example, to find all users in the Accounts OU that do not already have mailboxes we type:

Get-User -OrganizationalUnit Accounts | Where-Object {$_.RecipientType -eq "User"}

That command gets us part of the way there.

Now, to mailbox-enable those users, we append to the end:

Enable-Mailbox -Database "<Name of Database>"

So, let's say in our setup we have the Accounts users in the Accounts OU and we want them all given mailboxes in a database called EX2010Database.

We would type the full command:

Get-User -OrganizationalUnit Accounts | Where-Object {$_.RecipientType -eq "User"} | Enable-Mailbox -Database "EX2010Database"

Now just sit back and let the script do all the hard work!
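The linked script keeps the initial passwords in the CSV, which is the part of this process I would change. The block below is an added example of mine, not Andy Grogan's script and not code from the original post: it creates the accounts from a CSV that carries no passwords, generates a random initial password per user that must be changed at first logon, and then mailbox-enables only the accounts whose RecipientType is still User, the same filter the post uses. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module (RSAT) installed; the OU, database, UPN suffix and CSV layout are placeholders, and the CSV content is constructed for the example.

```powershell
# Added example: bulk-create AD users from a CSV and mailbox-enable only those
# without a mailbox. Not Andy Grogan's script, not from the original post.
# Assumptions: Exchange 2010 Management Shell + ActiveDirectory module (RSAT);
# OU, database, UPN suffix and CSV columns are placeholders.
Import-Module ActiveDirectory

# Constructed sample CSV: deliberately no password column.
$csvPath = "$env:TEMP\newusers.csv"
@"
FirstName,LastName,SamAccountName
Kevin,Greene,kevin.greene
Jane,Doe,jane.doe
"@ | Set-Content -Path $csvPath

function New-RandomPassword {
    param([int]$Length = 16)
    # Ambiguous characters (0/O, 1/l/I) left out so the password can be read over the phone.
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!$%&*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-BulkUsersAndMailboxes {
    param(
        [Parameter(Mandatory=$true)][string]$CsvPath,
        [Parameter(Mandatory=$true)][string]$OuPath,      # e.g. "OU=Accounts,DC=domain,DC=local"
        [Parameter(Mandatory=$true)][string]$Database,
        [Parameter(Mandatory=$true)][string]$UpnSuffix,  # e.g. "domain.com"
        [switch]$WhatIf
    )
    $report = @()
    foreach ($row in Import-Csv -Path $CsvPath) {
        $initialPwd = New-RandomPassword
        $upn        = "$($row.SamAccountName)@$UpnSuffix"
        $name       = "$($row.FirstName) $($row.LastName)"

        # Skip accounts that already exist rather than erroring half way through the list.
        if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
            Write-Warning "$($row.SamAccountName) already exists, skipping creation"
        } else {
            New-ADUser -Name $name -GivenName $row.FirstName -Surname $row.LastName `
                -SamAccountName $row.SamAccountName -UserPrincipalName $upn -Path $OuPath `
                -AccountPassword (ConvertTo-SecureString $initialPwd -AsPlainText -Force) `
                -ChangePasswordAtLogon $true -Enabled $true -WhatIf:$WhatIf
        }

        # RecipientType 'User' means the AD account has no mailbox yet.
        $recipient = Get-User -Identity $row.SamAccountName -ErrorAction SilentlyContinue
        if ($recipient -and $recipient.RecipientType -eq 'User') {
            Enable-Mailbox -Identity $row.SamAccountName -Database $Database -WhatIf:$WhatIf | Out-Null
        }

        $report += New-Object PSObject -Property @{
            User = $row.SamAccountName; Upn = $upn; InitialPassword = $initialPwd
        }
    }
    # Hand the initial passwords over out of band, then get rid of this output.
    return $report
}

# -WhatIf shows what would be created; drop it for the real run.
New-BulkUsersAndMailboxes -CsvPath $csvPath -OuPath 'OU=Accounts,DC=domain,DC=local' `
    -Database 'EX2010Database' -UpnSuffix 'domain.com' -WhatIf | Format-Table -AutoSize
```

On a -WhatIf run the accounts are not created, so the mailbox step finds nothing to enable; that is expected, and the real run does both.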

Sunday, October 31, 2010

Exchange 2010 Remote Management using Powershell

I've been doing a lot of work recently with Exchange 2010 and PowerShell and have come across this neat way of managing the Exchange server in your network from a remote client PC, without having to install the Exchange Management Tools and do it through the GUI.


You need to complete these commands from a Windows 7 client machine (or any machine with PowerShell 2.0 and WinRM installed) for it to work.

Firstly, you need to allow the locally generated module that the remote session creates to run on your Windows 7 machine, by typing the following command from an elevated PowerShell prompt:

Set-ExecutionPolicy RemoteSigned

At this point, it's worth trying an administrative Exchange PowerShell command on your client to see if it understands it. Try entering something like: Get-Mailbox

Your Windows 7 client will come back with an error stating that the command is not recognised as a cmdlet - this is correct, as we haven't imported the Exchange 2010 session into the local client's PowerShell session yet.

Once the 'Set-ExecutionPolicy RemoteSigned' command has completed, enter the following commands to get control of your Exchange 2010 server:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://servername.domainname.local/PowerShell -Authentication Kerberos

(This command contacts the Exchange 2010 server and opens a new PowerShell session - don't forget to substitute your own server name and domain name in the line above! Kerberos is fine over plain HTTP here because WinRM encrypts the session payload itself; Basic authentication should only ever be used over an HTTPS ConnectionUri.)

Import-PSSession $session

(This command then imports the cmdlets from the remote session into the local client session.)


Now try to run the Get-Mailbox command again, or any other Exchange 2010 PowerShell command for that matter, and you should be able to administer your server remotely from your client PC! When you are finished, run Remove-PSSession $session so the server-side session is closed rather than left to time out.
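Putting the steps together, here is the connection wrapped so the session is always removed even if a command fails, with the HTTPS-plus-Basic variant for a client that cannot do Kerberos (for example one that is not domain-joined). This is an added example of mine rather than code from the original post; servername.domainname.local is a placeholder, and it assumes PowerShell 2.0 with the execution policy already set to RemoteSigned.

```powershell
# Added example: remote Exchange 2010 shell session with guaranteed cleanup and
# an HTTPS/Basic option. Not part of the original post.
# Assumptions: server name is a placeholder; PowerShell 2.0; RemoteSigned already set.
function Connect-ExchangeRemote {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [switch]$UseHttpsBasic,
        [System.Management.Automation.PSCredential]$Credential
    )
    if ($UseHttpsBasic) {
        # Basic puts the password in the WinRM payload, so only ever over HTTPS,
        # and only if Basic is enabled on the server's PowerShell virtual directory.
        if (-not $Credential) { $Credential = Get-Credential }
        $uri  = "https://$Server/PowerShell"
        $auth = 'Basic'
    } else {
        # Kerberos over HTTP: WinRM still encrypts the session payload.
        $uri  = "http://$Server/PowerShell"
        $auth = 'Kerberos'
    }
    $params = @{ ConfigurationName = 'Microsoft.Exchange'; ConnectionUri = $uri; Authentication = $auth }
    if ($Credential) { $params['Credential'] = $Credential }
    New-PSSession @params
}

$session = Connect-ExchangeRemote -Server 'servername.domainname.local'
try {
    Import-PSSession $session | Out-Null
    Get-Mailbox -ResultSize 10 | Select-Object Name, Database
} finally {
    # Orphaned sessions count against the per-user session limit on the server.
    Remove-PSSession $session
}

# Non-domain-joined client, over TLS with an explicit credential:
# $session = Connect-ExchangeRemote -Server 'servername.domainname.local' -UseHttpsBasic
```

Only the cmdlets your account is allowed by Exchange RBAC are imported, so a helpdesk account sees a much shorter list than an Organization Management member; that is by design, not a broken connection.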

Tuesday, October 26, 2010

DPM 2010 Monitoring Management Pack Released!

Finally the RTM version of the DPM 2010 Monitoring Management Pack has been released. There are some nice features around SLA based alerting and integration with your in-house ticketing systems.

Here's the link from Microsoft to download it:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32077d99-618f-43d0-843d-4ba4f8019f84&displaylang=en

Friday, October 22, 2010

Hyper V and SCVMM Missing Updates Script

I came across this really handy little script on Microsoft SCVMM engineer JonJor's blog. The script is basically a reporting tool that checks all of the relevant Hyper-V, Failover Cluster, SCVMM, BITS, VDS, VSS, WMI and WinRM components for installed updates and reports back with any that are missing.

Most of these updates are generally deployed automatically using Windows Update but there are some that slip through the net and this tool will help you find them.

Make sure that you check back to the link below regularly for an updated script as the author continually makes changes and additions to it.

I've already resolved issues on two Hyper-V cluster sites just by installing the recommended updates from this report.

It's worth noting that you are best running the script from a folder on the root of the system drive with no spaces in the name, as I had some initial syntax issues when I named the folder something like 'Hyper V Updates'. Try naming it 'missingupdates' or 'hypervupdates' to be sure it works first time.

Here's the link:

http://blogs.technet.com/b/jonjor/archive/2010/10/14/vmmupdate.aspx

Thursday, October 21, 2010

Using DPM 2010 to Restore a System State or Perform a Bare Metal Recovery for a Windows 2008 Server

Here's a step by step video from Microsoft's Shane Brasher on how to restore the system state of a Windows 2008 Server using DPM 2010.

http://www.microsoft.com/showcase/en/us/details/bb0b5339-445b-4298-8705-350f13227b93

And here's one detailing how to perform a Bare Metal Recovery of a Windows 2008 Server. Bare Metal Recovery is a new feature in DPM 2010 and will come in really handy in a non-virtualised environment, or if you choose not to back up the entire VHD each day:

http://www.microsoft.com/showcase/en/us/details/bec0b1c6-d1fd-41f0-b4bc-df5791dfc68d

Always handy to know how to do this in case of emergency!

Tuesday, October 19, 2010

Windows 2008 R2 RADIUS with Cisco ASA

I came across an issue last week when a customer had retired their old Windows 2003 RADIUS server and replaced it with a new Windows 2008 R2 server. Their Cisco ASA authenticated remote IPsec VPN clients against Active Directory through the RADIUS server.

When the old Windows 2003 server was removed and the new Windows 2008 R2 server went in, naturally RADIUS stopped working and needed to be reconfigured.

After playing around with this problem for nearly half a day, I found the solution wasn't very technical: it was more that the step-by-step configuration of both sides of the authentication process (RADIUS and the Cisco ASA) needed to be carried out exactly as outlined below.

One of the main differences between the old RADIUS on the Windows 2003 server (IAS) and the new Windows 2008 R2 server is that Windows 2008 R2 uses Network Policy Server (NPS) to provide RADIUS and Network Access Protection (NAP) to the network.

When the NPS role is deployed out of the box, it comes pre-configured with some default policies that can conflict with how you want your Cisco ASA to talk to it, and these policies need to be deleted and recreated to get the Cisco communicating with it.

The following blog post outlines exactly the process needed to properly configure your Cisco ASA with a Windows 2008 R2 RADIUS / NPS Server:

http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

Sunday, October 10, 2010

MBSA, SCOM and SCCM Connectors for Microsoft Visio

O.K., so I suppose for some people these products are old news, but I came across them this week when creating detailed documentation for some clients and found the add-ons quite useful and informative when creating Visio network diagrams.

Basically, these add-ons let you attach MBSA security scan reports to individual or groups of servers and computers on a given LAN, and then change the colour of the server stencil depending on the security status of the machine - e.g. red for critical, yellow for informational and green for all good!

They also update the properties of the stencil to tag in the MBSA report and provide more detailed information too.

Here are the links if you're interested!

http://blogs.msdn.com/b/nickmac/archive/2008/04/14/microsoft-visio-toolbox.aspx

http://technet.microsoft.com/en-us/security/cc184925.aspx

Thursday, September 16, 2010

IE 9 Beta Released!

Click below to read about the new Internet Explorer 9 Web Browser from Microsoft. Looks nice at first glance, getting more and more integrated like Windows Explorer and some nice features such as pinned websites too!

http://blogs.technet.com/b/uktechnet/archive/2010/09/15/internet-explorer-9-beta-for-it-professionals-ie9-a-guest-post-by-simon-may.aspx

Tuesday, September 14, 2010

Enabling UAG 2010 UPN Logon

Another UAG 2010 issue that we came across!!

By default, true UPN logon (e.g. username@domain.com) is not enabled when logging onto a UAG trunk. We had a site with UAG 2010 and an SSL portal presenting OWA and SharePoint out to the Internet, with SSO configured for AD authentication.

When we logged on to the SSL portal with a standard username such as kevin.greene, then OWA and SharePoint would work fine. When we attempted to log on to the portal with a UPN such as kevin.greene@domain.com, the OWA application would work fine, but the SharePoint app would present a 'Permission Not Granted' error message and proceed no further. When we looked at the UAG Web Monitor, we found that UAG was passing the UPN logon on as domain\kevin.greene@domain.com, and when SharePoint tried to read this logon string it didn't want to know about it!!!

We found this on Microsoft's Technet site that pointed us in the right direction to resolving the UPN logon issue:

http://technet.microsoft.com/en-us/library/ee809087.aspx

If you take a look at the section that describes the 'TranslateUPN' registry key, there are 5 steps to follow that make UPN logons pass through to the SharePoint server correctly.

Hope this saves someone else out there some time on site!!

Publishing Sharepoint 2007 with UAG 2010 SSL Portal

We have been working on a site which requires a bespoke configuration to present internal applications such as OWA, SharePoint, CRM and some legacy applications out onto the Internet.

The solution that we recommended to securely publish these resources and integrate them with Active Directory authentication was to install TMG 2010 alongside UAG 2010 within a Microsoft Hyper V 2008 R2 cluster environment.

We had suggested to the customer that they could present the resources either through a single url SSL Portal - e.g. https://vpn.domainname.com/ or through individual application trunks such as - https://owa.domainname.com/ or https://sharepoint.domainname.com/

When we went about deploying the remote access, the OWA publishing worked straight away both inside the UAG SSL Portal and also as an individual trunk through https://webmail.domainname.com/

The problems all started when we tried to get the published SharePoint resources out through UAG. Firstly, this customer used the same DNS namespace inside and out (split DNS), as Microsoft recommends, e.g. internal was domainname.com and external was domainname.com. Secondly, they were accessing their internal SharePoint server over port 80 (HTTP) and naturally wanted to access the external SharePoint resource over port 443 (SSL).

When SharePoint was presented through the SSL Portal configuration, all of the applications were contained within one single window once the initial Single Sign On (SSO) against Active Directory had been authenticated. The URL at the top of this Portal was https://vpn.domainname.com/

When we clicked on the SharePoint application to open the site, the site would open in a new page, but with a URL of https://vpn.domainname.com/

Although most of the links worked, when we tested checking documents in or out, or creating or deleting them, we came across a number of errors and quickly realised that we needed to translate the original URL of the internal SharePoint site across to its own UAG application URL, https://sharepoint.domainname.com/, instead of the Portal URL of https://vpn.domainname.com/

This is where the fun began! Mainly because of our lack of experience installing this product, and also because of the lack of concise documentation on UAG, we had all kinds of issues trying to get this to work.

Eventually, we called in our resources from Microsoft Ireland, who put me in touch with a UAG specialist in the UK. Here are the basics of what we had to do in order to get the URL translation working between SharePoint and UAG 2010:

1. Changed the Web Servers tab and Portal Link tab so that https://sharepoint.domainname.com was used as the public host name for SharePoint

2. Changed the Path on the Web Servers tab to '/'

3. Used a 'fake' host header to allow SharePoint to distinguish between intranet and Internet clients

4. Configured SharePoint AAM rules to generate the correct public URLs for Internet clients

It's worth noting that these steps were in addition to the original configuration we had implemented; they were the changes needed to get the configuration working the way we needed.

After all that, I'm now at last much clearer on configuring UAG 2010 with SharePoint, thankfully!
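As an added example of steps 3 and 4 above (this is not the original post's or Microsoft's code), the following PowerShell script uses SharePoint 2007's stsadm.exe to create the two Alternate Access Mapping entries and then reads the mapping table back to check them. The three URLs are placeholder assumptions, not values from the post.

```powershell
# Added example: SharePoint 2007 AAM entries for a UAG-published site.
# Run on a server in the farm as a farm administrator.
$WebAppUrl   = 'http://sharepoint'                  # assumption: existing internal web app, port 80 (default zone)
$FakeHostUrl = 'http://sharepoint-uag.internal'     # assumption: the 'fake' host header UAG sends to the back end
$PublicUrl   = 'https://sharepoint.domainname.com'  # public host name set on the UAG Web Servers / Portal Link tabs
$Stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

if (-not (Test-Path $Stsadm)) { throw "stsadm.exe not found at $Stsadm" }

function Invoke-Stsadm {
    # Runs one stsadm operation and fails loudly; stsadm reports errors via its exit code.
    param([string[]]$Arguments)
    & $Stsadm @Arguments
    if ($LASTEXITCODE -ne 0) { throw "stsadm $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# Public URL for the Internet zone (step 4). SharePoint uses this when it builds
# the links, check-in/check-out and other document-action URLs it returns to
# Internet clients, so they come back as https://sharepoint.domainname.com/...
# rather than the internal name that broke document operations through the portal.
Invoke-Stsadm -Arguments @('-o', 'addzoneurl', '-url', $WebAppUrl, '-urlzone', 'internet', '-zonemappedurl', $PublicUrl)

# Internal URL for the Internet zone (step 3). Requests arriving with the fake
# host header land in the Internet zone, which is how SharePoint tells UAG
# traffic apart from intranet clients that still use $WebAppUrl directly.
# The fake name must also resolve from the UAG server to the SharePoint box and
# be accepted by the web application's IIS host header binding; that is outside
# this script.
Invoke-Stsadm -Arguments @('-o', 'addalternatedomain', '-url', $WebAppUrl, '-urlzone', 'internet', '-incomingurl', $FakeHostUrl)

# Read the AAM table back (stsadm returns it as XML) and confirm both URLs are listed.
$aam = (& $Stsadm -o enumalternatedomains -url $WebAppUrl) -join "`n"
foreach ($u in $FakeHostUrl, $PublicUrl) {
    if ($aam -notmatch [regex]::Escape($u)) { throw "AAM entry for $u is missing" }
}
Write-Host "AAM configured: $FakeHostUrl -> Internet zone, public URL $PublicUrl"
```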

Creating Graphical Reports in Exchange 2007

For those of you who have ever wanted to make use of the raw data contained within the Exchange Server message tracking logs, here is an excerpt from an excellent msexchange.org article explaining how to deploy a reporting solution using free Microsoft tools to create nice bar charts, data tables and even 3D pie charts!

We had a customer with a particular need to present a report to internal management containing the top 50 senders and receivers of email. Now this might sound like a simple enough report to generate from any anti-spam or email monitoring device, but as we found out, the reports these devices churn out are mainly based around top spam users or top blocked users. This customer wanted a report that detailed everything, spam included!

This solution will work on Exchange 2003, Exchange 2007 and also Exchange 2010 (DAG configuration not supported though).

This solution utilises the Microsoft Log Parser tool version 2.2 to query the log files and generate the reports that you need.

Once Log Parser and the additional Microsoft Office add-ins (also pre-requisites) are installed, it is all about old-fashioned command line scripting (no advanced training needed) to get the reports you need.

We had to stray slightly from the steps within the document I've linked to, but with a little perseverance we managed to generate some pretty cool reports that the customer was delighted with, considering it cost nothing to implement!
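As an added example of the Log Parser approach described above (not code from the original post or from the msexchange.org articles), this PowerShell wrapper runs Log Parser 2.2 against Exchange 2007 message tracking logs to produce the top 50 senders and top 50 receivers, first as CSV and then as a 3D bar chart. The three paths are placeholder assumptions, and the chart output needs the Office Web Components add-in mentioned in the pre-requisites.

```powershell
# Added example: top 50 senders / receivers from Exchange 2007 tracking logs via Log Parser 2.2.
$LogParser    = 'C:\Program Files\Log Parser 2.2\LogParser.exe'                                            # assumption
$TrackingLogs = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG' # assumption
$OutDir       = 'C:\Reports'                                                                                # assumption

if (-not (Test-Path $LogParser)) { throw "LogParser.exe not found at $LogParser" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Exchange 2007 tracking logs open with four '#' comment lines followed by a
# '#Fields:' line naming the columns. Skipping those four lines lets Log Parser
# treat the '#Fields:' line as the CSV header, so columns such as sender-address
# and event-id can be referenced by name in the query.
$InputOpts = '-i:CSV', '-nSkipLines:4', '-headerRow:ON'

# RECEIVE events count what each sender handed to the transport service (spam
# included, which is what the customer wanted). DELIVER events count mailbox
# deliveries; caveat: one DELIVER event can carry several recipients in a single
# semicolon-separated recipient-address value, so receiver figures are per
# delivery group, not strictly per mailbox.
$Reports = @{
    'TopSenders'   = @{ Field = 'sender-address';    Event = 'RECEIVE'; Title = 'Top 50 Senders'   }
    'TopReceivers' = @{ Field = 'recipient-address'; Event = 'DELIVER'; Title = 'Top 50 Receivers' }
}

foreach ($name in $Reports.Keys) {
    $r = $Reports[$name]
    # INTO names the output file; the same query feeds both output formats.
    $csvQuery = @"
SELECT TOP 50 $($r.Field) AS Address, COUNT(*) AS Messages
INTO '$OutDir\$name.csv'
FROM '$TrackingLogs'
WHERE event-id = '$($r.Event)'
GROUP BY $($r.Field)
ORDER BY Messages DESC
"@
    & $LogParser $csvQuery @InputOpts -o:CSV
    if ($LASTEXITCODE -ne 0) { throw "Log Parser failed for $name (exit code $LASTEXITCODE)" }

    # Same query again, this time rendered as a 3D bar chart image.
    $chartQuery = $csvQuery -replace "INTO '[^']+'", "INTO '$OutDir\$name.gif'"
    & $LogParser $chartQuery @InputOpts -o:CHART -chartType:Bar3D "-chartTitle:$($r.Title)" -groupSize:1024x768
    if ($LASTEXITCODE -ne 0) { Write-Warning "Chart output failed for $name (is the Office Web Components add-in installed?)" }
}
```

Check the CSV files first; if the counts look right, the .gif charts are the same data drawn by the CHART output format.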

Here's the link to the full document on msexchange.org's website:

Part 1
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part1.html

Part 2
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part2.html

Part 3
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part3.html

Happy scripting!