Zedan IT Blog

IT definitions, discussions and more

Category Archives: Microsoft Servers

Recommended Computer Room Temperature & Humidity

Recommended Computer Room Temperature

Operating expensive IT computer equipment for extended periods at high temperatures greatly reduces the reliability and longevity of components and will likely cause unplanned downtime. Maintaining an ambient temperature range of 20° to 24°C is optimal for system reliability. This range provides a safe buffer for equipment to keep operating in the event of an air conditioning or HVAC failure, while making it easier to maintain a safe relative humidity level.
It is a generally agreed standard in the computer industry that expensive IT equipment should not be operated in a computer room or data center where the ambient room temperature has exceeded 30°C.

Recommended Computer Room Humidity

Relative humidity (RH) is defined as the amount of moisture in the air at a given temperature in relation to the maximum amount of moisture the air could hold at the same temperature. In a data center or computer room, maintaining ambient relative humidity levels between 45% and 55% is recommended for optimal performance and reliability.
When relative humidity levels are too high, water condensation can occur, which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD), which can damage sensitive components. When monitoring the relative humidity in the data center, we recommend early warning alerts at 40% and 60% relative humidity, with critical alerts at 30% and 70% relative humidity. Remember that relative humidity depends directly on the current temperature, so monitoring temperature and humidity together is critical. As the value of the IT equipment increases, the risk and associated costs increase with it.

TMG Reports Empty & Corrupted SQL Logging

I had a problem that annoyed me for about two years: when generating reports in TMG, they always completed with empty data and graphs. After trying to solve the problem by searching the internet I found (by chance) that reports will only work if logging in TMG is configured to log to a SQL database, not to text log files.
It was strange and annoying for me, as that was not the case when I used ISA 2004 & 2006 before. I always configured ISA logging to text log files so I could use them with other log analysis tools.

So, I changed the logging back to SQL Server (the internal SQL Express instance), but surprisingly the reports still completed empty 😦 . While searching again on the internet for days I found solution steps to correct problems when logging to SQL Server. My problem was similar: it seemed that there was corruption in the SQL summary database from the time I was looking into the problem before and bouncing between text and database logging. The original post from the Forefront TMG Product Team Blog: “TMG Logging to LLQ

The solution to my problem was:

1) Listing the databases currently registered in SQL Express server.   From elevated command prompt:
OSQL -E -S .\MSFW -Q "select name from sysdatabases where name like '%isalog%'"

I found that a number of databases registered over a year ago were still listed, but they were physically not on my server. As you can see in the result of the command, the system cannot find the database files associated with the registered databases, as explained in the error: “<The system cannot find the file specified.>”.

2)  Then I wrote a drop command for each of these databases and saved them into a text file:

drop database ISALOG_20120527_FWS_000
go
drop database ISALOG_20120527_WEB_000
go
….
….
….

3)  Then saved the file as text file named DropDB.sql, then at the elevated command prompt executed the command:
OSQL -E -S .\MSFW -i c:\DropDB.sql


4)  Restarted the “Microsoft Forefront TMG Firewall” service and then checked the Log Status again, clicking refresh a few times until the current status was no longer “Disconnected” but “Queue in use”.

In my next post I will explain a VB script I wrote to import entries from the summary logging database and export them to a single SQL database to analyse them.
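The three steps above (list the ISALOG databases, write the DROP statements, run them with OSQL) can be done in one pass, and it is safer to drop only the databases whose files are really gone rather than every ISALOG database. The following PowerShell script is an added example, not code from the original post: it queries the MSFW SQL Express instance over Windows authentication, tests each registered data file with Test-Path, writes DROP statements for the orphaned databases to DropDB.sql, and only runs them when you pass -Execute. The instance name .\MSFW, the file path C:\DropDB.sql and the ISALOG_ prefix are taken from the post; everything else is the example's own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell on
# the TMG server. Assumes the SQL Express instance ".\MSFW" and Windows auth.
param(
    [string]$Instance = '.\MSFW',
    [string]$OutFile  = 'C:\DropDB.sql',
    [switch]$Execute          # without -Execute the script only writes DropDB.sql
)

function Get-OrphanedIsaLogDatabases {
    # Returns one object per ISALOG_* database with the list of its data/log
    # files and whether any of them is missing from disk.
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=True"
    $conn.Open()
    $files = @{}
    try {
        $cmd = $conn.CreateCommand()
        # sys.master_files still lists a file after it has been deleted from disk,
        # which is exactly the state the post describes.
        $cmd.CommandText = @"
SELECT d.name, mf.physical_name
FROM sys.databases d
JOIN sys.master_files mf ON mf.database_id = d.database_id
WHERE d.name LIKE 'ISALOG_%'
"@
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $name = $reader.GetString(0)
            if (-not $files.ContainsKey($name)) { $files[$name] = @() }
            $files[$name] += $reader.GetString(1)
        }
        $reader.Close()
    } finally { $conn.Close() }

    foreach ($name in ($files.Keys | Sort-Object)) {
        $missing = @($files[$name] | Where-Object { -not (Test-Path -LiteralPath $_) })
        New-Object PSObject -Property @{
            Database     = $name
            Files        = $files[$name]
            MissingFiles = $missing
            Orphaned     = ($missing.Count -gt 0)
        }
    }
}

$dbs     = @(Get-OrphanedIsaLogDatabases -Instance $Instance)
$orphans = @($dbs | Where-Object { $_.Orphaned })
$dbs | Format-Table Database, Orphaned, @{n='Missing'; e={ $_.MissingFiles -join ';' }} -AutoSize

if ($orphans.Count -eq 0) { Write-Host 'No orphaned ISALOG databases found.'; return }

# Only databases whose files are gone are dropped; the current logging databases
# (whose files exist) are left alone.
$sql = foreach ($db in $orphans) { "DROP DATABASE [$($db.Database)]"; 'GO' }
$sql | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $($orphans.Count) DROP statement(s) to $OutFile"

if ($Execute) {
    # Same invocation as in the post, fed with only the orphaned databases.
    & osql -E -S $Instance -i $OutFile
}
```

Run it once without -Execute and read the table: a database marked Orphaned=False is one TMG is still writing to, and DROP DATABASE on it would lose the current log. After running with -Execute, restart the Firewall service and check the Log Status as in step 4.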

Array Address not changed after changing IP address of Forefront TMG 2010

Recently we have changed the IP address of our Forefront TMG 2010 Standard server.    Then after a while the Event viewer began to record errors related to the Array address,  the Event was as follows:

14158 : The IP address specified for communication between this Forefront TMG computer (old ip address) and other array members is not bound to a network adapter installed on this computer. The IP address specified for intra-array communication must be bound to a network adapter installed on the computer.

I reviewed the configuration of the network cards and found nothing related to the old address, but on further investigation I found the following configuration which needs to be changed:

1) Open:    Forefront TMG Management console -> Firewall Policy -> Network Objects -> Computer Sets -> Array Servers.

Found the old IP address still there,  then changed to the new address.

2) Open and change the old ip address in the following two locations:

– SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSFW-> TCP/IP -> IP Addresses tab

– SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for ISARS -> TCP/IP -> IP Addresses tab

3) Open the registry editor, search for “msFPCIntraArrayAddress” and change the old IP address in the entries found (four entries)

4) Search the registry for all remaining entries with the old IP address and change them to the new address

5) Restart the TMG Server
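Step 4 is tedious and error-prone in regedit, and missing one value leaves event 14158 coming back after the restart. The PowerShell script below is an added example, not part of the original post: it walks a registry hive, lists every REG_SZ and REG_MULTI_SZ value that still contains the old address, and rewrites them to the new one only when -Fix is given. The two addresses and the HKLM:\SOFTWARE root are placeholders; the TMG and SQL Server keys the post mentions live under that root.

```powershell
# Added example (not from the original post). Run elevated on the TMG server.
# Placeholder addresses; run once without -Fix and review the list first.
param(
    [string]$OldIp  = '192.0.2.10',
    [string]$NewIp  = '192.0.2.20',
    [string[]]$Roots = @('HKLM:\SOFTWARE'),   # assumption: where TMG/SQL keys live
    [switch]$Fix                              # without -Fix nothing is written
)

function Find-RegistryStringValues {
    # Walks $Roots and returns string / multi-string values matching $Pattern.
    param([string]$Pattern, [string[]]$Roots)
    $rx = [regex]::Escape($Pattern)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Do not expand %VARS% so we write back exactly what was stored.
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if     ($value -is [string])   { $lines = @($value) }
                elseif ($value -is [string[]]) { $lines = $value }
                else   { continue }   # DWORD/binary values cannot hold an IP string
                if (($lines -join "`n") -match $rx) {
                    New-Object PSObject -Property @{
                        Key   = $key.Name        # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
                        Name  = $name            # '' is the (Default) value
                        Value = $lines
                        Multi = ($value -is [string[]])
                    }
                }
            }
        }
    }
}

$hits = @(Find-RegistryStringValues -Pattern $OldIp -Roots $Roots)
$hits | Select-Object Key, Name, @{n='Value'; e={ $_.Value -join ' | ' }} | Format-Table -AutoSize
Write-Host "$($hits.Count) value(s) still reference $OldIp"

if ($Fix) {
    foreach ($h in $hits) {
        $new     = @($h.Value | ForEach-Object { $_ -replace [regex]::Escape($OldIp), $NewIp })
        $regPath = 'Registry::' + $h.Key
        if ($h.Multi) { Set-ItemProperty -Path $regPath -Name $h.Name -Value ([string[]]$new) }
        else          { Set-ItemProperty -Path $regPath -Name $h.Name -Value ([string]$new[0]) }
    }
    Write-Host "Rewrote $($hits.Count) value(s); restart the TMG server as in step 5"
}
```

Rerun without -Fix after the restart: an empty result confirms no stored copy of the old address remains, and the SQL Server Configuration Manager entries from step 2 show up in the same list because they are stored under the same hive.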

ActiveSync is not working on Android – for some users

When everything is correctly set up and your users can use ActiveSync on their Android phones, there may still be some users who cannot use it on Android: when they set up their accounts on their phones they get the error message “Failed to create the account. Please try again later”.

After searching the internet and some forums, I found the solution:

1- Go to Active Directory users and computers

2- From the menu:  select View > Advanced Features

3- Select the user who has this problem

4- In his account properties, select the Security tab

5- Click Advanced button

6- In the Permissions tab check the box at the bottom for “Include inheritable permissions from this object’s parent”

7- You may need to wait 5-10 minutes for Active Directory to propagate the changes if you have a large environment.

8- Now try to set up the account on the Android phone again.

Note that if the user is a member of a protected group (Domain Admins, Account Operators and the like, which marks the account with adminCount=1), the AdminSDHolder process re-applies the protected ACL and clears this checkbox again within about an hour, so the fix will not stick for such accounts unless they are removed from those groups.
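The same check and fix from PowerShell, as an added example that is not part of the original post: it reports whether inheritance is blocked on the user object and whether the account is flagged by AdminSDHolder, then re-enables inheritance the way the checkbox in step 6 does. It assumes the ActiveDirectory module (RSAT) is available and uses the placeholder account name jdoe.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module; run as an account allowed to modify the user's security descriptor.
Import-Module ActiveDirectory

function Get-UserAclInheritance {
    # Shows the two things that matter for this problem: is inheritance blocked,
    # and will AdminSDHolder put it back.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor, memberOf
    New-Object PSObject -Property @{
        User               = $u.SamAccountName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected  # checkbox unticked = $true
        AdminCount         = $u.adminCount                                   # 1 = protected by AdminSDHolder
        Groups             = @($u.memberOf)
    }
}

function Enable-UserAclInheritance {
    # Equivalent of ticking "Include inheritable permissions from this object's parent".
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount
    if ($u.adminCount -eq 1) {
        Write-Warning "$SamAccountName has adminCount=1; SDProp will block inheritance again within an hour unless the account leaves the protected groups."
    }
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # $false = stop protecting (inherit from parent); $true = keep explicit entries
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$user = 'jdoe'   # placeholder
Get-UserAclInheritance -SamAccountName $user | Format-List
Enable-UserAclInheritance -SamAccountName $user
Get-UserAclInheritance -SamAccountName $user | Select-Object User, InheritanceBlocked
```

If the second report still shows InheritanceBlocked=True after an hour, look at AdminCount and Groups in the first one: the account is in a protected group, and the warning explains why the checkbox keeps clearing itself.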

Certificates for Exchange 2010 using internal CA

If you need to install an internal certificate server to create certificates for Exchange 2010, remember to add Subject Alternative Name (SAN) support to the certificate server: Exchange needs certificates that carry several names, and this is what solved the problem of certificates disappearing after importing them into Exchange 2010.

Install the Certificate Server.  In Windows 2008 from Server Manager > Roles > Add New Role.

On the next Screen (Before you begin) click Next, then on the (Server Roles) screen, select “Active Directory Certificate Services”

Click Next, Next.   On the “Select Role Services Screen”, Select “Certificate Authority” and “Certification Authority Web Enrollment”.

If your server doesn’t have IIS installed, it will tell you that it will install it for you.  Click “Add Required Role Services”,  Then click Next

On the Setup Type, select “Enterprise”, click Next

On the “Specify CA Type”, select “Root CA”, Click Next

On “Setup Private Key”,  Select “Create a new private key”, Click Next

On “Configure Cryptography for CA”, leave the default options, Click Next

On “Configure CA Name”,  Leave the defaults, Click Next

On the “Validity Period” screen, select how many years the CA certificate will be valid for, or leave the default of 5 years, then click Next

On the Certificate Database Location,  leave the defaults, then click Next.

On IIS installation, Click Next

On the Roles screen, you can add more services in IIS or leave the defaults and click Next

On the “Confirmation Page”,  Setup will warn you that the Domain name and setting can not be changed later after you install Certificate Authority.   If you do not intend to change your Domain or Settings later, Click Install.

Setup will begin installation

When installation is completed,  Click Close

Then you will need to add SAN certificate support to your Certificate Authority. SAN stands for Subject Alternative Name, and it lets one certificate cover more than one server name, e.g. mail.company.com, exch.company.com, Exchange01, …

To add SAN support, open an elevated Command Prompt and paste the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

This flag makes the CA honour a SAN passed as a request attribute (the “Additional Attributes” box on the web enrollment page) rather than inside the request itself. It has a documented side effect: anyone allowed to enroll for any template on this CA can then ask for a certificate with any name, including the names of other servers or users, so treat it as a temporary setting and remove it with the same command and -EDITF_ATTRIBUTESUBJECTALTNAME2 once the Exchange certificate has been issued. A request generated by Exchange already carries the names in its own SAN extension, which a template whose subject is supplied in the request (such as Web Server) normally accepts without this flag.

Then Restart the Certificate Service by issuing the following two commands in the command prompt:

net stop certsvc
net start certsvc

==========================

Now go to your Exchange Server, Open the Management Console then from Server Configuration, Click on “New Exchange Certificate”

Enter A name for your Certificate, then click Next

Leave the ” Enable Wildcard Certificate ” un-checked, then click Next

Select the services that exchange will handle.  This is to determine the names that will be added to the certificate

Then it will display the domain names that will be added to the certificate. In this example I assume the following names for the Exchange server:

Server Name: EXCHANGE01

Internet name:  mail.company.com

Intranet name: Exchange01.company.com

You can add additional domain names as well by clicking on the green Plus sign (Add…).  When finished, click Next.

Enter Organization and Location Data.  Also Specify where the Certificate Request will be saved (Here in C:\)

Click Next,  Then Click New

Exchange will start creating the Certificate Request

When Completed , Click Finish

Open CA web page using an Internet Browser,   For Example   http://Localhost/CertSrv     if you are opening from the CA itself,  Then click on ” Request a Certificate ” Link

Then Click on Advanced Certificate Request

Then Click on ” Submit a Certificate Request ”

Open the Certificate Request file you created in Exchange With Notepad (in our example here was C:\Cert1.req)  Select all Text

Paste the text into the webpage, select “Web Server” from the Certificate Template list, then click Submit.

Select Base 64 Encoded, then click Download Certificate Chain. Save the certificate to your local disk.

On The Exchange Server:

Click Start, type: MMC, Then press Enter

An Empty Console opens,  From File Menu select: Add – Remove Snap-in

Add Certificates Snap-in, Select Computer Account Select Local Computer, then Click Finish, Then Click OK

Under Trusted Root Certification Authorities, right-click Certificates and import the CA root certificate from the certificate chain we downloaded from the CA (domain-joined servers normally trust an enterprise CA already through Active Directory; this step matters when the Exchange server does not yet show the CA as trusted)

From the Exchange Management Console, Click Server Configuration, the Exchange certificate we requested, then Click on Complete Pending Request

Select the Certificate we downloaded from the CA, then Click Complete

Right click on the Certificate, select Assign services to certificate
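The same request, submission, import and service assignment can be scripted from the Exchange Management Shell, which also lets you verify that the CA actually kept every name before the certificate goes anywhere near Exchange. The block below is an added example, not code from the original post. It uses the names from the post (EXCHANGE01, mail.company.com, exchange01.company.com) and the Web Server template; the CA configuration string CA01.company.com\Company-CA and the subject's organization fields are placeholders. Because the CSR carries the SAN extension itself, this path does not rely on the EDITF_ATTRIBUTESUBJECTALTNAME2 change.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Exchange server; certreq submits the request to the CA.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$names    = 'mail.company.com', 'exchange01.company.com', 'exchange01'
$caConfig = 'CA01.company.com\Company-CA'   # placeholder: "<CA host>\<CA name>"
$reqFile  = 'C:\Cert1.req'
$cerFile  = 'C:\Cert1.cer'

# 1. Generate the request (same as "New Exchange Certificate" in the console).
#    The SAN extension with all of $names is embedded in the CSR.
$csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName 'C=US,O=Company,CN=mail.company.com' `
        -DomainName $names -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $csr

# 2. Submit to the enterprise CA using the Web Server template (the equivalent
#    of choosing "Web Server" on the CertSrv page). Writes the issued cert.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile

function Test-CertificateSans {
    # Returns the expected names that are NOT present in the certificate's
    # Subject Alternative Name extension (OID 2.5.29.17). Empty = all kept.
    param([string]$CertPath, [string[]]$Expected)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return $Expected }
    $present = @([regex]::Matches($ext.Format($true), 'DNS Name=([^\s,]+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() })
    @($Expected | Where-Object { $present -notcontains $_.ToLower() })
}

# 3. Verify before importing: a certificate that lost its SAN entries is the
#    kind of certificate the post describes as unusable in Exchange.
$missing = Test-CertificateSans -CertPath $cerFile -Expected $names
if ($missing.Count -gt 0) { throw "CA dropped SAN entries: $($missing -join ', ')" }

# 4. Complete the pending request and assign the services (IIS = OWA/ActiveSync/
#    Outlook Anywhere, SMTP = TLS on the transport connectors).
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS, SMTP

Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, CertificateDomains -AutoSize
```

The last line should list the new thumbprint with IIS and SMTP in Services and all three names under CertificateDomains; if Services still shows None, the request was completed but step 4's Enable-ExchangeCertificate did not run.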

================================

Importing Certificates into Computers,   For computers in your domain, follow these steps:

On your domain controller, start Group Policy Management Console (Start menu, type ” gpmc.msc “, Press Enter).

Either create a new group policy or use the Default Domain Policy to deploy it to every system.

Right-click the policy of your choice and select Edit… go to Computer Configuration > Policies  > Windows Settings > Security Settings > Public Key Policies

Right-click Trusted Root Certification Authorities, and choose Import…

Use the import wizard to browse to the root certificate we created earlier.

==================================

If you have computers that are not members of the domain, you can import the certificate manually; for Windows 7:

Open Certificate Manager by clicking the Start button , type ” certmgr.msc ” into the Search box, and then pressing ENTER.

Trusted Root Certification Authorities > Right Click Certificates Folder,  Select Import.

Import the Certificate we have created earlier.

=======================================

I hope this gave you a brief idea of setting up an internal CA to issue certificates for your Exchange server.

Exchange 2010 Quick Installation & Configuration

In this post I will explain the simplest way to install Exchange 2010 and get it up and ready for email quickly. Exchange 2010 introduced new concepts and has changed since Exchange 2003 and 2007, so if you were using Exchange 2003 before and now need to install Exchange 2010, you will have to read up and build labs to cover the changes in 2010.

In this quick guide, I assume that you have a new active directory environment and need a new installation for email service for both locally and through the internet.  I assume also that we will have a single Exchange server (no sites or distributed infrastructure) and will be used to host the roles of ( Client Access, Hub Transport, Mailbox).

>> Remember that you must be a member of the Enterprise Admins & Schema Admins Groups. <<

1- On the computer to be used as the exchange server,  install windows 2008, join it to your active directory domain, check for the latest windows updates.

2- Open Windows PowerShell and paste the following command:  ”  Import-Module ServerManager  ”  and Press Enter

3- On the PowerShell, paste the following command:  (copy and paste into Power Shell)

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy,Desktop-Experience -Restart

Then press Enter. This will install the prerequisites for Exchange and then restart your server.

PowerShell Command for Exchange 2010 Preparation

4- From Elevated Command Prompt (Right Click the Command Prompt icon, select Run as Administrator),  configure the service  NetTcpPortSharing to startup automatically by entering the following command:

sc config NetTcpPortSharing start= auto

5- Download and install ” Microsoft Office 2010 Filter Packs ”  http://www.microsoft.com/en-us/download/details.aspx?id=17062

6- Run Exchange 2010 setup program, select Step 3: Choose Exchange Language Option, then select Install only languages from the DVD:

7- Select Step 4:  Install Microsoft Exchange

8- At the Introduction Screen , Click Next

9- Select I accept the Licence agreement , then click Next

10- On the next screen (Error Reporting), select Yes or No depending on whether you prefer to send error reports to Microsoft, then click Next

11- On the next screen (Installation Type), select “Typical Exchange Server Installation”, and specify the path for the installation files if you want to install it in a different location. For example, I chose to install it in “D:\ExchangeServer2010”

Then Select the CheckBox of : Automatically install Windows Server roles and features required for Exchange Server.  Then Click Next

12- On the next screen, Enter your Organization name, or you may leave it as it is ” First Organization “.  Do not Select Apply Active Directory Split Permissions.  Click Next

13- In the next screen (Client Settings), if your users use Outlook 2010 or 2007, select No. If you still have users with Outlook 2003, select Yes.

14- If your server will be connected to the internet, enter the name that users will use to connect to it.  Select the check box of ” The Client Access server role will be Internet facing “.  Enter the name of the server ,  for example  mail.company.com.  Click Next

15- On the next screen, select whether you want to join the Customer Experience Improvement Program. Click Next.

16- Setup will run the Readiness Check to verify that the prerequisites are OK

If everything is OK, you will get a screen similar to the following:

Note the warning in the Organization Prerequisites. This appears because we did not prepare the Active Directory schema before running setup, and it tells you that setup will prepare the schema for you. Remember that at the beginning of this guide we assumed a single Exchange 2010 server, so we will not be using Exchange 2003 or 2007. If your case is different, you should prepare the domain and the schema from the command prompt before you run Exchange 2010 setup (not explained in this guide).

If all other items marked Green ( Completed ),  click Install to begin installation.

17- The next screen show the installation progress, which will take some time to complete.

If everything went OK without errors, you will get a screen similar to the following,  check if all items are with green icon (completed)

18- Click Finish and Restart your computer

19- After you restart your computer, Run setup again, then select Step 5: get Critical Updates for Exchange Server.  This will open internet explorer and connect to Microsoft Update site.

After Windows Update is completed, restart your server to make sure that everything is OK.

20- After you restart the server, open the Exchange Management Console. The first time you open it a pop-up window will remind you that your Exchange server is unlicensed and ask you to enter the product key.

After entering the product key, a warning message tells you that the change won’t take effect until the Information Store service has been restarted. I prefer to restart the whole server as it is a new installation and won’t affect users yet.

===========================

Now your Exchange server is installed and you can begin creating users and messaging between them. However, Exchange 2010 does not come enabled for internet messaging by default, which means you need two more steps to enable it to send and receive messages from the internet.

21- Open Exchange Management Console.  Go to Organization Configuration > Hub Transport.  then select ” New send connector ” from the Actions Pane.

22- On the newly opened screen, enter a name for the connector (I chose Default), then select Internet from the “Select intended use” list. Then click Next

23- On the Address Space screen, click Add (green plus sign), then enter “*” in the domain name to indicate that this connector will be used to send emails to all domains on the internet.

Click OK , and Next.

24- On the screen of Network Settings, select the option of ” Use domain name system (DNS) ” and click Next.

25- In the source server, click Next as we have only one server.

26- On the last screen click New then Finish to create the connector

27- You can find the created connector in the ” Send Connectors ” tab if you need to edit it later.

28- Next, you need to configure Exchange to receive emails from servers on the Internet. Go to Server Configuration > Hub Transport, right-click the Default connector as shown in the following screenshot, then select Properties.

29- Go to the Permission Groups tab, then check “Anonymous Users”. This lets unauthenticated internet mail servers deliver to your domains; it does not let them relay through you, so do not grant anonymous relay rights on this connector.
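Steps 21-29 from the Exchange Management Shell, as an added example that is not part of the original post, with one check the console does not offer: after Anonymous Users is enabled, confirm the connector still refuses to relay for anonymous senders. It assumes the single server EXCHANGE01 from the guide and its default receive connector, named “Default EXCHANGE01” by setup.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on EXCHANGE01 (the only server in this guide).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$server = 'EXCHANGE01'

# Steps 21-26: outbound connector for every internet domain ("*"), routed by
# DNS MX lookup, sourced from this one Hub Transport server.
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Default' })) {
    New-SendConnector -Name 'Default' -Usage Internet -AddressSpaces 'SMTP:*;1' `
        -DNSRoutingEnabled $true -SourceTransportServers $server | Out-Null
}

# Steps 28-29: allow unauthenticated internet MTAs to submit mail.
# -PermissionGroups replaces the whole set, so keep the groups already present.
$rc = Get-ReceiveConnector -Identity "$server\Default $server"
if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') {
    Set-ReceiveConnector -Identity $rc.Identity `
        -PermissionGroups ("$($rc.PermissionGroups), AnonymousUsers")
}

function Test-OpenRelay {
    # AnonymousUsers grants ms-Exch-SMTP-Submit and Accept-Any-Sender, which is
    # what inbound mail needs. It must NOT grant ms-Exch-SMTP-Accept-Any-Recipient:
    # that right on an anonymous connector is an open relay. Returns $true if set.
    param([string]$ConnectorIdentity)
    $relay = Get-ReceiveConnector -Identity $ConnectorIdentity |
             Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
             Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
    [bool]$relay
}

if (Test-OpenRelay -ConnectorIdentity $rc.Identity) {
    throw "Receive connector $($rc.Identity) relays for anonymous senders; remove ms-Exch-SMTP-Accept-Any-Recipient from ANONYMOUS LOGON"
}

Get-SendConnector | Format-Table Name, AddressSpaces, DNSRoutingEnabled -AutoSize
Get-ReceiveConnector -Identity $rc.Identity | Format-List Identity, PermissionGroups, Bindings
```

The final listing should show PermissionGroups containing AnonymousUsers alongside the original ExchangeUsers, ExchangeServers and ExchangeLegacyServers; if the earlier groups are missing, the -PermissionGroups value was set without them and internal clients and servers will be refused.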

I hope I could give you a quick and simple way to get Exchange 2010 up & running.

Administrator is denied from access backup folders (Win 2008)

In my previous post “Run scheduled tasks with highest privileges” I allowed a scheduled task with a specific account to use the wbadmin backup command; the same user is not able to view the backup folder or its properties (for example, it was a requirement that the backup operator view the backup folder size every day), even if that user is a domain administrator.

After a little searching and reading some articles, I found that the problem is in the new feature in Windows 2008 (User Account Control), and some suggest disabling it if it is not needed.

I found that we do not need it for our environment and specific setup, so I disabled it and restarted the server, and the problem was solved.

How to Disable the User Account Control:

1) Open The group policy Editor – simply type gpmc.msc in the search box then right click it and select Run As Administrator.

2) Right click the Default Domain Policy and select Edit.  Group Policy Management Editor opens.

3) Go to:  Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

4) Go to: User Account Control

5) Edit the User Account Control policies as shown in the image

6) Restart the server

Keep in mind that the Default Domain Policy applies to every computer in the domain, so editing it this way turns UAC off everywhere, not just on the backup server. If that is more than you want, link the policy to an OU containing only the backup server, or leave UAC on and instead grant the backup account an explicit entry in the backup folder’s ACL (the filtered token keeps the account’s own permissions, it only loses the administrative group memberships) or have the size report run from the elevated scheduled task.
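Because the screenshot of the policies is not reproduced here, the following PowerShell block, an added example that is not part of the original post, reads back the registry values the UAC policies write so you can see what is actually in effect on the server, and produces the daily backup-folder size report the post says the backup operator needs. The backup path D:\WindowsImageBackup is a placeholder.

```powershell
# Added example (not from the original post). Works on Windows 2008 PowerShell.
function Get-UacPolicy {
    # These values are what the "User Account Control: ..." group policies set.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on; 0 = off (after reboot)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently; 2 or 5 = prompt
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
        FilterAdministratorToken   = $p.FilterAdministratorToken    # 1 = built-in Administrator filtered too
    }
}

function Get-BackupFolderReport {
    # The report the backup operator needs. Run it from the elevated scheduled
    # task (see "Run with highest privileges") and UAC can stay switched on.
    param([string]$Path)
    $files = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    $sum = $files | Measure-Object -Property Length -Sum
    New-Object PSObject -Property @{
        Path   = $Path
        Files  = $files.Count
        SizeGB = [math]::Round(($sum.Sum / 1GB), 2)
        Newest = if ($files.Count -gt 0) {
                     ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
                 } else { $null }
    }
}

Get-UacPolicy | Format-List
Get-BackupFolderReport -Path 'D:\WindowsImageBackup' | Format-List   # placeholder path
```

A report of 0 files for a folder you know contains backups is the symptom from this post: Get-ChildItem was denied and the error suppressed, which means the process is running with a filtered token rather than an elevated one.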


Using FTPS (TLS) through TMG 2010

Some of my users used to download files through FTP from a partner company in Germany, and to be able to connect and download files they had to use an FTP client capable of using TLS (Transport Layer Security) as the encryption protocol. Things were fine until we implemented TMG 2010 and its predecessor ISA 2006. We tried everything to allow the communication, even allowing everything and denying nothing, but clients still would not connect to the FTP server. And if you monitor the TMG sessions, nothing is recorded as denied or accepted.

We searched a lot and found something on the Microsoft site and on other sites as well indicating that TLS is not supported by TMG and ISA!!! It was depressing until I found a post in a forum discussing the same issue and asking for help. One reply gave a simple solution and it worked for us as well.

It was simply to disable the FTP protocol filter and define a new protocol allowing ports 1024-65535. The FTP application filter works by reading the PORT/PASV exchange on the control connection and opening the data port on demand; once the control channel is encrypted with TLS it cannot see that exchange, so the data connection (a high port chosen by the server in passive mode) has to be allowed statically instead.

It was a solution, but I was worried about disabling the FTP filter. I decided to go for it because we generally do not allow FTP clients to the internet except for this connection specifically, and to that company only, and we do not allow FTP servers to be published to the internet. Since only IT are allowed to download FTP files and there is no need for normal users beyond this type of connection, I thought I would do it.

This is what I did:

  1. Created a protocol TCP Outbound  1024-65535 (No application filters) (Toolbox > Protocols > New Protocol)
  2. Edited the FTP protocol to remove the FTP application filter (Toolbox > Protocols > All Protocols > D.Click FTP)
  3. Created a computer object with the IP address of the remote FTP server in Germany (Toolbox > Network Objects > New Computer)
  4. Created a new access rule allowing internal computers to go to the computer created in step 3 with the protocols (FTP, and the protocol created in step 1)

Remark:  I had no other access rule allowing FTP except for IT staff.

And it worked.

Run scheduled tasks with highest privileges

In my previous posts on scheduling backup scripts for Windows 2008 (you can find them here & here) the scheduled task was created and executed by the Administrator account, which by default has the most privileges. But if you try to execute it with another account the task will be ignored due to a security restriction in Windows 2008.

Let’s say you have created an account for backup called “backupadmin”, created a scheduled task to execute the script, specified “backupadmin” as the account used to log in automatically and execute the task, and did not forget to add this account to the “Backup Operators” group. You will find that the task will not run and the log file will contain something similar to the following:

ERROR – Access denied. You must be a member of the Administrators group or Backup Operators group to use Windows Server Backup.  In addition, you must run WBADMIN from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)

And if you try to execute the “wbadmin” command from the command prompt you will get the same result.

Solution:

You can simply solve this issue by making the task execute with the highest privilege when you create it. Go to the General tab and select the checkbox “Run with highest privileges”. This works because UAC otherwise gives the task a filtered token in which the account’s Administrators and Backup Operators memberships are disabled and the backup privilege removed, which is exactly what wbadmin rejects; “Run with highest privileges” starts the task with the full, unfiltered token.

But if you need to run it from the command prompt, you will still need to run it elevated (Start button -> type cmd.exe -> right-click -> Run as administrator).
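The checkbox has a command-line equivalent, and the setting can be read back to verify it rather than waiting for the next failed run. The block below is an added example, not code from the original post: it creates the task with schtasks /RL HIGHEST (the “Run with highest privileges” option), checks the stored task definition, and provides an elevation test a backup script can run before calling wbadmin so the failure is reported clearly instead of as an access-denied line in the log. The account COMPANY\backupadmin, the script path C:\Scripts\backup.cmd and the task name are placeholders.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
$taskName = 'Nightly backup'   # placeholder

# /RL HIGHEST is the command-line form of "Run with highest privileges".
# /RP * prompts for the password so it does not end up in the shell history.
schtasks /Create /TN $taskName /TR 'C:\Scripts\backup.cmd' /SC DAILY /ST 02:00 `
         /RU 'COMPANY\backupadmin' /RP * /RL HIGHEST /F

function Test-TaskRunsElevated {
    # Reads the task back as XML; RunLevel is HighestAvailable only when the
    # checkbox (or /RL HIGHEST) was set, otherwise LeastPrivilege.
    param([string]$TaskName)
    [xml]$xml = schtasks /Query /TN $TaskName /XML
    $xml.Task.Principals.Principal.RunLevel -eq 'HighestAvailable'
}

function Test-Elevated {
    # For the start of any script that calls wbadmin: $true only when the
    # current token holds the Administrators SID enabled, i.e. it was not
    # filtered by UAC. Membership alone is not enough; the filtered token
    # carries the same group as deny-only, and IsInRole ignores deny-only SIDs.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-TaskRunsElevated -TaskName $taskName)) {
    throw "Task '$taskName' is not configured to run with highest privileges"
}
if (Test-Elevated) { 'This session is elevated; wbadmin will run here.' }
else               { 'This session has a filtered token; wbadmin will report access denied.' }
```

Put Test-Elevated at the top of the backup script itself: when the task is later edited and the checkbox lost, the log then says that the token was filtered rather than the generic “You must be a member of the Administrators group” message quoted above.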

ISA Logging only shows IP address for SecureNAT clients

I installed the TMG Client and configured it not to automatically configure the web browsers, so that users can move between networks easily. Then I realized that when monitoring the TMG real-time logs, the URL field only shows the IP address for entries created by those computers with the client installed; if the client is configured to configure the web browser, the log contains the URL domain name with no problem.

After searching on the internet I noticed that it is the normal behavior of TMG, and of ISA as well, that to log the hostname clients must be configured as web proxy clients (adding the proxy address in the browser settings).

While doing more searching I found that there is a fix from Microsoft for that specific issue, described in the KB article 980723:

http://support.microsoft.com/kb/980723

You can copy the script, save it as a .vbs file, then execute it from the command prompt with the cscript command.

Please note that if you copy the whole script and try to execute it, an error will appear; that is because the script you copy is actually two scripts, one for enabling the hotfix and one for disabling it. So before you execute it you should delete the lower part of the script, which begins with the text “Save the file as a Microsoft Visual Basic script …”.

Below is the specific part of the script that you can copy and execute it directly.

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "LogDomainNameForFWC"
Const SE_VPS_VALUE = true

Sub SetValue()
    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects that are needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameter sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            ' Save(False = do not reload from storage, True = apply to the array)
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetValue