Zedan IT Blog

IT definitions, discussions and more

Certificates for Exchange 2010 using internal CA

If you install an internal certificate server (CA) to issue certificates for Exchange 2010, remember to enable Subject Alternative Name (SAN) support on the CA. Exchange needs it, and it solves the problem of certificates disappearing after you import them into Exchange 2010.

Install the Certificate Server. In Windows 2008, go to Server Manager > Roles > Add New Role.

On the next Screen (Before you begin) click Next, then on the (Server Roles) screen, select “Active Directory Certificate Services”

Click Next, Next.   On the “Select Role Services Screen”, Select “Certificate Authority” and “Certification Authority Web Enrollment”.

If your server doesn’t have IIS installed, it will tell you that it will install it for you.  Click “Add Required Role Services”,  Then click Next

On the Setup Type, select “Enterprise”, click Next

On the “Specify CA Type”, select “Root CA”, Click Next

On “Setup Private Key”,  Select “Create a new private key”, Click Next

On “Configure Cryptography for CA”, leave the default options, Click Next

On “Configure CA Name”,  Leave the defaults, Click Next

On the “Validity Period” screen, select how many years before the CA certificate expires, or leave the default of 5 years, then click Next.

On the Certificate Database Location,  leave the defaults, then click Next.

On IIS installation, Click Next

On the Roles screen, you can add more services in IIS or leave the defaults and click Next

On the “Confirmation Page”, Setup will warn you that the domain name and settings cannot be changed after you install the Certificate Authority. If you do not intend to change your domain or settings later, click Install.

Setup will begin installation

When installation is completed,  Click Close

Then you will need to add SAN certificate support to your Certificate Authority. SAN stands for Subject Alternative Name: it lets one certificate be valid for more than one server name, e.g. mail.company.com, exch.company.com, Exchange01, and so on.

To ADD SAN support, Open the Command Prompt, then paste the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then Restart the Certificate Service by issuing the following two commands in the command prompt:

net stop certsvc
net start certsvc
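The following PowerShell script is an added example (it is not part of the original post) that does the same thing as the two commands above but first checks the CA's current EditFlags value in the registry, so you can see whether SAN support is already on before changing anything. It assumes it runs in an elevated PowerShell session on the CA itself; the registry path and the bit value of the flag are from Microsoft's documentation. Keep in mind that once this flag is set, any account allowed to enroll can put whatever names it likes into the SAN through request attributes, so limit who has Enroll permission on the Web Server template to the people who issue the Exchange certificate.

```powershell
# Added example, not from the original post.
# Reads the CA's EditFlags, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set,
# and sets it (with a certsvc restart) only if it is missing.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # documented bit value of the flag

function Get-CAEditFlags {
    # The 'Active' value under Configuration holds the CA's common name; the
    # policy module's EditFlags live one level below it.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    return [long](Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
}

function Test-SanFlag ([long]$EditFlags) {
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Enable-SanFlag {
    if (Test-SanFlag (Get-CAEditFlags)) {
        Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is already set; nothing to do.'
        return $true
    }
    # Same command as in the post: '+' adds the flag, '-' would remove it.
    certutil -setreg policy\EditFlags '+EDITF_ATTRIBUTESUBJECTALTNAME2' | Out-Null
    # The policy module reads EditFlags at service start, hence the restart.
    Restart-Service -Name certsvc
    if (-not (Test-SanFlag (Get-CAEditFlags))) { throw 'EditFlags change was not applied' }
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 set and certsvc restarted.'
    return $true
}

Enable-SanFlag
```

Running `Test-SanFlag (Get-CAEditFlags)` on its own is a quick audit you can repeat later to confirm the CA is still configured the way you expect.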

==========================

Now go to your Exchange Server, Open the Management Console then from Server Configuration, Click on “New Exchange Certificate”

Enter A name for your Certificate, then click Next

Leave the “Enable Wildcard Certificate” box unchecked, then click Next.

Select the services that Exchange will handle. This determines the names that will be added to the certificate.

Then it will display the domain names that will be added to the certificate. In this example I assume the following names for the Exchange server:

Server Name: EXCHANGE01

Internet name:  mail.company.com

Intranet name: Exchange01.company.com

You can add additional domain names as well by clicking on the green Plus sign (Add…).  When finished, click Next.

Enter Organization and Location Data.  Also Specify where the Certificate Request will be saved (Here in C:\)

Click Next,  Then Click New

Exchange will start creating the Certificate Request

When Completed , Click Finish

Open the CA web page in a browser, for example http://Localhost/CertSrv if you are opening it from the CA itself, then click the “Request a Certificate” link.

Then click “Advanced Certificate Request”.

Then click “Submit a Certificate Request”.

Open the Certificate Request file you created in Exchange with Notepad (in our example it was C:\Cert1.req) and select all the text.

Paste the text into the web page, select “Web Server” from the Certificate Template list, then click Submit.

Select “Base 64 Encoded”, then click “Download Certificate Chain”. Save the certificate to your local disk.

On The Exchange Server:

Click Start, type: MMC, Then press Enter

An Empty Console opens,  From File Menu select: Add – Remove Snap-in

Add the Certificates snap-in, select Computer Account, select Local Computer, then click Finish, then click OK.

Right-click Certificates under Trusted Root Certification Authorities, then import the certificate we downloaded from the CA.

From the Exchange Management Console, click Server Configuration, select the Exchange certificate we requested, then click Complete Pending Request.

Select the certificate we downloaded from the CA, then click Complete.

Right-click the certificate and select Assign Services to Certificate.
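The same request, submit, complete and assign sequence can be done from the Exchange Management Shell instead of the console and the CertSrv web page. The script below is an added example (not code from the original post) and assumes the names used in this post (EXCHANGE01, mail.company.com, C:\Cert1.req); the CA config string CA01.company.com\Company-CA, the subject organization and the C:\Cert1.cer path are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on EXCHANGE01.
$caConfig = 'CA01.company.com\Company-CA'   # assumption: <CA host>\<CA common name>
$reqFile  = 'C:\Cert1.req'
$cerFile  = 'C:\Cert1.cer'                  # assumption: where the issued certificate is written
$names    = 'mail.company.com', 'exchange01.company.com', 'EXCHANGE01'

# 1. Generate the request. -DomainName puts every name into the SAN extension; the CN is the
#    internet name users type, which is the one most clients check first.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US, O=Company, L=City, CN=mail.company.com' `
    -DomainName $names -PrivateKeyExportable $true -FriendlyName 'Exchange 2010 mail'
Set-Content -Path $reqFile -Value $request

# 2. Submit to the enterprise CA with the Web Server template (replaces the CertSrv web page).
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile

# 3. Complete the pending request (the CA response is paired with the stored private key)
#    and assign the web and SMTP services to it.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Confirm:$false

# 4. Verify that every expected name made it into the installed certificate's SAN list.
function Test-ExchangeCertificateNames ([string]$Thumbprint, [string[]]$Expected) {
    $installed = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $domains   = @($installed.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing   = @($Expected | Where-Object { $domains -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Missing SAN entries: $($missing -join ', ')"
        return $false
    }
    return $true
}

Test-ExchangeCertificateNames -Thumbprint $cert.Thumbprint -Expected $names
```

If the check returns False, the CA ignored the SAN attributes, which is exactly the symptom the EDITF_ATTRIBUTESUBJECTALTNAME2 step at the start of this post is meant to prevent.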

================================

Importing Certificates into Computers,   For computers in your domain, follow these steps:

On your domain controller, start Group Policy Management Console (Start menu, type ” gpmc.msc “, Press Enter).

Either create a new group policy or use the Default Domain Policy to deploy it to every system.

Right-click the policy of your choice and select Edit… go to Computer Configuration > Policies  > Windows Settings > Security Settings > Public Key Policies

Right-click Trusted Root Certification Authorities, and choose Import…

Use the import wizard to browse to the root certificate we created earlier.

==================================

If you have computers that are not members of the domain, you can import the certificate manually. For Windows 7:

Open Certificate Manager by clicking the Start button , type ” certmgr.msc ” into the Search box, and then pressing ENTER.

Trusted Root Certification Authorities > Right Click Certificates Folder,  Select Import.

Import the Certificate we have created earlier.
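For a handful of non-domain machines, the import can be scripted. The script below is an added example (not part of the original post): it imports the CA's root certificate into the computer's Trusted Root store and then checks that the Exchange certificate chains up to it. It assumes the root was exported as a .cer file (DER or Base64; X509Certificate2 does not read the .p7b chain file from CertSrv directly), and the file paths and the thumbprint you compare against are placeholders. The thumbprint check matters: anything you put into Trusted Root is trusted by every application on the machine, so verify it against the value the CA administrator gives you before importing.

```powershell
# Added example, not from the original post. Run as Administrator on the client.

function Import-RootCertificate ([string]$Path, [string]$ExpectedThumbprint) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Normalise the expected value (no spaces, upper case) to how .NET reports thumbprints.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }   # no-op if the certificate is already in the store
    finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-CertificateChain ([string]$Path) {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Clients outside the domain may not reach the CA's CRL; this check is about trust only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($leaf)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    }
    return $ok
}

# Usage with placeholder values:
Import-RootCertificate -Path 'C:\Company-Root-CA.cer' -ExpectedThumbprint '<root thumbprint from the CA admin>'
Test-CertificateChain -Path 'C:\Cert1.cer'   # True once the root is trusted
```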

=======================================

I hope this gave you a brief idea of setting up an internal CA to issue certificates for your Exchange server.


Exchange 2010 Quick Installation & Configuration

In this post I will explain the simplest way to install Exchange 2010 and get it up and ready for email quickly. Exchange 2010 introduced new concepts and has changed since Exchange 2003 and 2007, so if you were using Exchange 2003 before and now need to install Exchange 2010, you will have to read up and build labs to cover the changes in 2010.

In this quick guide, I assume that you have a new Active Directory environment and need a new installation of the email service, both for local use and through the internet. I also assume that we will have a single Exchange server (no sites or distributed infrastructure) that hosts the Client Access, Hub Transport and Mailbox roles.

>> Remember that you must be a member of the Enterprise Admins & Schema Admins Groups. <<

1- On the computer to be used as the Exchange server, install Windows 2008, join it to your Active Directory domain and check for the latest Windows updates.

2- Open Windows PowerShell, paste the following command and press Enter: Import-Module ServerManager

3- In PowerShell, paste the following command (copy and paste into PowerShell):

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy,Desktop-Experience -Restart

Then press Enter. This will install the prerequisites for Exchange and then restart your server.

PowerShell Command for Exchange 2010 Preparation

4- From Elevated Command Prompt (Right Click the Command Prompt icon, select Run as Administrator),  configure the service  NetTcpPortSharing to startup automatically by entering the following command:

sc config NetTcpPortSharing start= auto

5- Download and install ” Microsoft Office 2010 Filter Packs ”  http://www.microsoft.com/en-us/download/details.aspx?id=17062

6- Run Exchange 2010 setup program, select Step 3: Choose Exchange Language Option, then select Install only languages from the DVD:

7- Select Step 4:  Install Microsoft Exchange

8- At the Introduction Screen , Click Next

9- Select I accept the License agreement, then click Next

10- On the next screen (Error Reporting), select Yes or No depending on whether you prefer to send error reports to Microsoft, then click Next

11- On the next screen (Installation Type), select “Typical Exchange Server Installation”, and specify the path for the installation files if you want to install it in a different location. For example, I chose to install it in “D:\ExchangeServer2010”

Then select the checkbox “Automatically install Windows Server roles and features required for Exchange Server”, then click Next

12- On the next screen, enter your organization name, or you may leave it as “First Organization”. Do not select Apply Active Directory Split Permissions. Click Next

13- On the next screen (Client Settings), if your users use Outlook 2010 or 2007, select No. If you still have users with Outlook 2003, select Yes.

14- If your server will be connected to the internet, enter the name that users will use to connect to it. Select the checkbox “The Client Access server role will be Internet-facing” and enter the name of the server, for example mail.company.com. Click Next

15- On the next screen, select whether you want to join the Customer Experience Improvement Program. Click Next.

16- Setup will run the Readiness Check to verify that the prerequisites are OK.

If everything is OK, you will get a screen similar to the following:

Note the warning under Organization Prerequisites. It appears because we did not prepare the Active Directory schema before running setup, and it tells you that setup will prepare the schema for you. Remember that at the beginning of this guide we assumed a single Exchange 2010 server, so we will not be using Exchange 2003 or 2007. If your case is different, you should prepare the domain and the schema from the command prompt before you run Exchange 2010 setup (not explained in this guide).

If all other items are marked green (Completed), click Install to begin the installation.

17- The next screen shows the installation progress, which will take some time to complete.

If everything went OK without errors, you will get a screen similar to the following; check that all items have a green icon (Completed).

18- Click Finish and Restart your computer

19- After you restart your computer, Run setup again, then select Step 5: get Critical Updates for Exchange Server.  This will open internet explorer and connect to Microsoft Update site.

After Windows Update is completed, restart your server to make sure that everything is OK.

20- After you restart the server, open the Exchange Management Console. The first time you open it, a pop-up window will remind you that your Exchange server is unlicensed and ask you to enter the product key.

After entering the product key, a warning message tells you that the change won’t take effect until the Information Store service has been restarted. For me, I prefer to restart the whole server, as it is a new installation and won’t affect users yet.

===========================

Now your Exchange server is installed and you can begin creating users and start messaging between them. However, Exchange 2010 does not come enabled for internet messaging by default, which means you need two more steps to enable it to send and receive messages from the internet.

21- Open the Exchange Management Console. Go to Organization Configuration > Hub Transport, then select “New Send Connector” from the Actions pane.

22- On the newly opened screen, enter a name for the connector (I chose Default), then select Internet from the “Select intended use” list. Then click Next

23- On the Address Space screen, click Add (green plus sign), then enter “*” in the domain name to indicate that this connector will be used to send emails to all domains on the internet.

Click OK, and Next.

24- On the Network Settings screen, select the option “Use domain name system (DNS)” and click Next.

25- On the Source Server screen, click Next, as we have only one server.

26- On the last screen click New, then Finish to create the connector.

27- You can find the created connector in the “Send Connectors” tab if you need to edit it later.

28- Next, you need to configure Exchange to receive emails from servers on the internet. Go to Server Configuration > Hub Transport, right-click the Default connector as shown in the following screenshot, then select Properties.

29- Go to the Permission Groups tab, then check “Anonymous Users”.
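Steps 21 to 29 can also be done from the Exchange Management Shell, and doing so makes it easy to add one check that the console does not show you. The script below is an added example (not from the original post); it assumes the server name EXCHANGE01 and the connector name Default used above. Checking Anonymous Users on the Default receive connector grants anonymous senders the right to submit mail for your own recipients only. The last part of the script confirms that anonymous logon does not also hold ms-Exch-SMTP-Accept-Any-Recipient, which is the permission that would turn the server into an open relay.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$server = 'EXCHANGE01'   # assumption: the single Exchange server from this guide

# Steps 21-27: send connector for every external domain ("*"), routed by DNS MX lookup.
New-SendConnector -Name 'Default' -Usage Internet -AddressSpaces 'SMTP:*;1' `
    -DNSRoutingEnabled $true -SourceTransportServers $server

# Steps 28-29: let anonymous internet servers deliver to the default receive connector.
$rc = Get-ReceiveConnector -Server $server | Where-Object { $_.Name -like 'Default *' }
Set-ReceiveConnector -Identity $rc.Identity `
    -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Check: AnonymousUsers must not carry the "accept any recipient" extended right.
function Test-AnonymousRelay ([string]$ConnectorIdentity) {
    $perm = Get-ADPermission -Identity $ConnectorIdentity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and (-not $_.Deny) }
    return [bool]$perm   # $true means anonymous senders can relay through this server
}

if (Test-AnonymousRelay $rc.Identity) {
    Write-Warning "$($rc.Identity) relays mail for anonymous senders; remove that right"
} else {
    Write-Host "$($rc.Identity): anonymous submission allowed, relaying denied"
}
```

The relay check is worth rerunning after any later change to the connector, because the right is sometimes added by hand for an application server and then forgotten.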

I hope I could give you a quick and simple way to get Exchange 2010 up & running.

Administrator is denied access to backup folders (Win 2008)

In my previous post, “Run scheduled tasks with highest privileges”, to allow a scheduled task with a specific account to use the wbadmin backup command: the same user is not able to view the backup folder or its properties (for example, it was a requirement that the backup operator view the backup folder size every day), even if that user is a domain administrator.

After a little search and reading some articles, I found that the problem is in the new feature in Windows 2008, User Account Control. Some suggest disabling it if it is not needed.

I found that we do not need it for our environment and specific setup, so I disabled it and restarted the server, and the problem was solved.

How to Disable the User Account Control:

1) Open the Group Policy Editor: simply type gpmc.msc in the search box, then right-click it and select Run as Administrator.

2) Right click the Default Domain Policy and select Edit.  Group Policy Management Editor opens.

3) Go to:  Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

4) Go to: User Account Control

5) Edit the policies  – as shown in the image

6) Restart the server

 

 

Using FTPS (TLS) through TMG 2010

Some of my users used to download files through FTP from a partner company in Germany, and to be able to connect and download files they had to use an FTP client capable of using TLS (Transport Layer Security) as an encryption protocol. Things were fine until we implemented TMG 2010 and its predecessor ISA 2006. We tried everything to allow the communication; we even tried allowing everything and denying nothing, but still clients would not connect to the FTP server. And if you monitor the TMG sessions, nothing is recorded as denied or accepted.

We searched a lot and found something on the Microsoft site, and on other sites as well, indicating that TLS is not supported by TMG and ISA!!! It was depressing until I found a post in a forum discussing the same issue and requesting help. One reply gave a simple solution, and it worked for us as well.

It was simply to disable the FTP protocol filter and define a new protocol allowing ports 1024-65535.

It was a solution, but I was worried about disabling the FTP filter. I decided to go for it, as we generally do not allow FTP clients to the internet except for this connection specifically and to that company only, and we do not allow FTP servers to be published to the internet. Since only IT staff are allowed to download FTP files and normal users will have no need for anything except this type of connection, I thought I would do it.

This is what I did:

  1. Created a protocol, TCP Outbound 1024-65535, with no application filters (Toolbox > Protocols > New Protocol)
  2. Edited the FTP protocol to remove the FTP application filter (Toolbox > Protocols > All Protocols > double-click FTP)
  3. Created a computer object with the IP address of the remote FTP server in Germany (Toolbox > Network Objects > New Computer)
  4. Created a new access rule allowing internal computers to reach the computer created in step 3 with the protocols FTP and the protocol created in step 1

Remark:  I had no other access rule allowing FTP except for IT staff.

And it worked.

Run scheduled tasks with highest privileges

In my previous posts on scheduling backup scripts for Windows 2008 (you can find them here & here), the scheduled task was created and executed by the Administrator account, which by default has the most privileges. But if you try to execute it with another account, the task will be ignored due to a security restriction in Windows 2008.

Let’s say you have created an account for backup called “backupadmin”, created a scheduled task to execute the script, specified “backupadmin” as the account used to log in automatically and execute the task, and did not forget to add this account to the “Backup Operators” group. You will find that the task will not run, and the log file will look similar to the following:

ERROR – Access denied. You must be a member of the Administrators group or Backup Operators group to use Windows Server Backup.  In addition, you must run WBADMIN from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)

And if you try to execute the “wbadmin” command from the command prompt you will get the same result.

Solution:

You can simply solve this issue by making the task execute with the highest privileges when you create it. Go to the General tab and select the checkbox “Run with highest privileges”. This will solve the issue.

But if you need to run it from the command prompt, you will still need to run it in an elevated mode, ( start button-> type cmd.exe -> right click -> run as administrator).
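If you create backup tasks on several servers, the checkbox has a command-line equivalent: the /RL HIGHEST switch of schtasks. The script below is an added example (not from the original post) that creates the task that way and then reads it back to confirm the run level. The task name DailyBackup, the script path C:\scripts\backup.bat and the account COMPANY\backupadmin are assumptions; the password is prompted for (/RP *) rather than typed on the command line, so it does not end up in the console history.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

function New-ElevatedBackupTask ([string]$Name, [string]$Script, [string]$Account) {
    # /RL HIGHEST is the same setting as "Run with highest privileges" on the General tab.
    # /RP * makes schtasks prompt for the account password instead of taking it as an argument.
    schtasks /Create /TN $Name /TR "`"$Script`"" /SC DAILY /ST 02:00 /RU $Account /RP * /RL HIGHEST /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }
}

function Test-TaskRunsElevated ([string]$Name) {
    # /V /FO LIST prints one "Field: value" line per property, including the run level.
    foreach ($line in (schtasks /Query /TN $Name /V /FO LIST)) {
        if ($line -match '^Run Level:\s*Highest') { return $true }
    }
    return $false   # "Limited"/least privilege: the task would get the filtered, non-admin token
}

New-ElevatedBackupTask -Name 'DailyBackup' -Script 'C:\scripts\backup.bat' -Account 'COMPANY\backupadmin'
Test-TaskRunsElevated -Name 'DailyBackup'   # should print True
```

Without the highest run level, a member of Backup Operators still gets the filtered token under UAC, which is exactly why wbadmin reports the “Access denied” message shown above.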

ISA Logging only shows IP address for SecureNAT clients

I have installed the TMG Client and configured it not to automatically configure the web browsers, so that users can move between networks easily. Then I realized that when monitoring TMG real-time logs, the URL field only shows the IP address for entries created by those computers with the client installed; if the client is configured to configure the web browser, the log contains the URL domain name with no problem.

After searching on the internet I noticed that this is the normal behavior of TMG, and of ISA as well: to log the hostname, clients must be configured as web proxy clients (adding the proxy address in the browser settings).

While doing more searching I found that there is a fix from Microsoft for that specific issue, described in KB article 980723:

http://support.microsoft.com/kb/980723

You can copy the script, save it as a .vbs file, then execute it in the command prompt with the cscript command.

Please note that if you copy the whole script and try to execute it, an error will appear. That is because the script you copy is actually two scripts, one for enabling the hotfix and one for disabling it. So before you execute it you should delete the lower part of the script, which begins with the text “Save the file as a Microsoft Visual Basic script …”.

Below is the specific part of the script that you can copy and execute it directly.

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "LogDomainNameForFWC"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects that are needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
 

Data Centers Part 1

This is one of the Data Centers I have designed and constructed back in 2008.  This is completely designed by me, and I have purchased every single devices and equipment in it and made the contracts for construction and managed its operation on a daily basis.

 


Migrate windows users profiles from a workgroup to a domain

I had to create an Active Directory domain for a company which had already been in business for years with about 200 desktop/laptop computers. All of them were standalone computers, with not even a specific workgroup. We had to implement special services which require a domain, to have a repository for accounts and to be able to manage user settings. It seemed easy at the beginning, as there were no special considerations such as migrating, upgrading or moving from an old domain.

The standard practice for situations like this, when you need to join these computers to the newly constructed domain, is to simply join the machine to the domain, then log in to the domain with the new user account to create the new profile, then manually move all files from My Documents, Desktop, email settings, PST files, and so on. This is a very time-consuming task and will make IT support staff hate the idea of having a domain, especially when they lived for years without knowing what a domain is.

I had to find a simple way to do that. I thought that if the files are stored on the hard disk and the profile-specific configuration is stored in the registry, then by making a change in the registry the mission would be accomplished.

I started to search for topics on this issue, and found a lot of discussions on the internet by several IT professionals facing the same issue and explaining how to make the registry change, log in/log off/log in/log off, then copy, move, and so on. It seemed very difficult and risky, as we cannot afford to lose (or forget to move) a file from users’ profiles. If we wanted to be wise, we should do it the classical way. Until I found a post in a forum from a user simply advising to use a tool designed for that.

I decided to give it a try, and it was amazing to see how it did it in minutes without errors.

The tool is “User Profile Wizard – profwiz.exe” and you can download it from http://www.forensit.com, and the great thing is that it is FREE.

If you download its manual, you will find that it has a lot of options and a configuration that can be saved and used later, and many more things. Honestly, if you read it and try all the features you will waste a lot of time, while it can simply do the task in minutes. You can simply do the following.

Copy the tool to the computer you want to join to the domain and double-click it. The User Account Information window will ask you for the domain you want to join and the domain user name. For example, if the computer has the local user profile “User”, the domain name is “CompanyDomain” and the created domain username is “DomainUser”, then you enter “CompanyDomain” in the “Enter the Domain” field and “DomainUser” in the “Enter the Account name” field. Check the “Join Domain” box to let Profile Wizard join the computer to the domain in addition to creating the new profile.

Click Next to open the “Select User Profile” window. In this window you choose the local user profile that you want to migrate to the domain. The window lists all local profiles; you can select only one at a time (if you have more than one profile, you can run Profwiz.exe again without checking the Join Domain box and select another local profile to migrate). Then click Next.

The next window will ask you for the domain user account, which is the account with permission to join the domain. It could be a domain administrator account or an IT user with the privilege to join the computer to the domain.

Normally the above procedure will not take more than a few minutes, depending on the size of the local profile files. When finished you will need to restart the computer, and then the user can log in to the domain with all their old profile settings.

Simple Windows Server Backup Script – Part 3 2008 R2

In my previous post on backing up and restoring Windows 2008, I gave some examples of using the wbadmin command for backup and restore, and also some ideas on scheduling it and keeping an archive of old backups.

In Windows 2008, the -include option of the wbadmin command lets you restore specific files or folders from a backup archive, but when backing up it only lets you specify whole volumes (taking an image of them). You cannot select specific files or folders to back up.

However, in Windows 2008 R2 this ability is available: you can select specific files or folders with the -include option.

Another ability in the 2008 R2 backup is that you can select the system state as an item to back up. It creates a backup that includes the system state in addition to any other items that you specified with the -include parameter. The system state contains the boot files (Boot.ini, NTLDR, NTDetect.com), the Windows Registry including COM settings, the SYSVOL (Group Policies and logon scripts), the Active Directory and NTDS.DIT on domain controllers and, if the certificate service is installed, the certificate store. If your server has the Web Server role installed, the IIS Metadirectory will be included. If the server is part of a cluster, Cluster Service information will also be included.

These two options were not available in wbadmin that comes with windows 2008.

Example:

wbadmin start backup -backupTarget:d: -include:g:\folder1,h:\folder2 -systemState

The restore operation is the same as explained for Windows 2008. Please review the previous post “Simple Windows Server Backup Script – Part 2 2008”.

Things to remember when restoring backup:

  1. If your backuptarget is a volume (not a shared folder), e.g. ( -backuptarget:F: ) the folder named “WindowsImageBackup” should be on the root of that volume.
  2. If you are restoring registry on a Domain Controller server, you must perform the restoration in the Directory Services Recovery Mode (DSRM)
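Both points above are easy to forget at 2 a.m. during a restore, so here is a small pre-flight script as an added example (not from the original post). It checks that the backup target volume has WindowsImageBackup at its root, lists the version identifiers wbadmin can restore from (the value you pass to -version: in wbadmin start recovery), and warns when the machine is a domain controller so you remember DSRM before touching the registry or Active Directory. The target F: is an assumption from the list above.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

function Test-BackupTargetLayout ([string]$Target) {
    # wbadmin only finds backups on a volume target when WindowsImageBackup sits at its root.
    $path = Join-Path ($Target.TrimEnd('\') + '\') 'WindowsImageBackup'
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path not found; wbadmin will not list any backup on $Target"
        return $false
    }
    return $true
}

function Get-BackupVersionIds ([string]$Target) {
    # Parses the "Version identifier:" lines of 'wbadmin get versions'.
    $ids = @()
    foreach ($line in (wbadmin get versions "-backupTarget:$Target")) {
        if ($line -match '^Version identifier:\s*(\S+)') { $ids += $Matches[1] }
    }
    return $ids
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

$target = 'F:'   # assumption: the volume used as -backuptarget
if (Test-BackupTargetLayout $target) {
    Get-BackupVersionIds $target | ForEach-Object { Write-Host "Restorable version: $_" }
}
if (Test-IsDomainController) {
    Write-Warning 'This is a domain controller: restore registry/Active Directory from Directory Services Restore Mode.'
}
```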

I hope this gives you a quick approach to scheduling Windows 2008 and 2008 R2 backups. Other parameters were not discussed, as I focused on the most important ones.

Daily backup script for MDaemon (or other servers)

Here I will present a simple, fast and efficient backup script for the MDaemon mail server on Windows 2003.

The good thing about the MDaemon server is that you can simply back up the configuration and mail folders, then put them back on a freshly installed server and you get the same mail server you had before, so why not make a script to back up these folders automatically?

Please note that to use this script you must configure MDaemon to start as a Windows service.

Below is a simple batch file containing commands to stop MDaemon, back up the files and folders, then start MDaemon again. In this batch file I use NTBackup, but of course you can replace this with a simple xcopy batch file. I always prefer NTBackup for its compression and verification.

Suppose you have a disk E: that you will take the backup to; the following script will create a folder for the backup every day.

Create a folder in C:\ and name it C:\scripts, then open Notepad, place the following commands in it and save them as backup.bat:

rem Stop MDaemon so the mail files are not in use during the backup
D:\MDaemon\app\MDLaunch.exe /stop

rem Build the folder name from today's date. %date% contains "/" and spaces in many locales,
rem which are not valid in a folder name, so replace them before using it.
set TODAY=%date:/=-%
set TODAY=%TODAY: =_%

E:
cd \
md "%TODAY%"
cd "%TODAY%"

echo Mail Server Windows Backup Started at: %date%_%time% >>BackupLog.txt

rem @C:\scripts\WinBackup.bks lists the folders to back up; /v:yes verifies the backup set
C:\Windows\system32\NTBACKUP.EXE backup "@C:\scripts\WinBackup.bks" /n "MAILBACKUP" /d "MAILBACKUP %date% %time%" /v:yes /r:no /rs:no /hc:off /m normal /j "Mail Server Daily Backup" /l:s /f "E:\%TODAY%\MAILBACKUP.bkf"

echo Mail server Windows Backup Completed at:  %date%_%time% >>BackupLog.txt

rem Start MDaemon again
D:\MDaemon\app\MDLaunch.exe

This will create a new folder named with today’s date and place the backup “MAILBACKUP.bkf” inside it. Remember to create the BKS file for the NTBackup program (e.g. WinBackup.bks) in the scripts folder; it lists the MDaemon folders to back up. For more information refer to my post on Windows 2003 backup.

The first command stops the MDaemon service and the last command starts it again.

I use the echo commands to create a log file of the backup.

I hope this gave you an idea of automating backup scripts. You can use it for other servers, for example SQL Server, by stopping the service, copying the database files, then starting the SQL service again.
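One weakness of the batch version is that if NTBackup fails, the script still falls through to the last line and restarts the service, but nothing tells you the backup is bad; and if the script itself is interrupted, the mail server stays stopped. The PowerShell script below is an added example (not from the original post) of the same stop, back up, start pattern for Windows Server 2008 and later, where robocopy is built in: the service restart is in a finally block so it always happens, the copy result is checked and logged, and the date folder name is locale-safe. The service name MDaemon, the source folder D:\MDaemon and the target E:\ are assumptions; for a SQL Server box you would change the service name and the data folder.

```powershell
# Added example, not from the original post. Run as Administrator on the server being backed up.
param(
    [string]$ServiceName = 'MDaemon',          # assumption: the Windows service to stop
    [string[]]$Sources   = @('D:\MDaemon'),    # assumption: folders whose files must be consistent
    [string]$TargetRoot  = 'E:\'               # backup disk, as in the batch version
)

function Invoke-ServiceBackup ([string]$ServiceName, [string[]]$Sources, [string]$TargetRoot) {
    # yyyy-MM-dd never contains "/" or spaces, unlike %date% in cmd.
    $dest = Join-Path $TargetRoot (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $log = Join-Path $dest 'BackupLog.txt'

    "Backup of $ServiceName started at $(Get-Date -Format s)" | Out-File -FilePath $log -Append
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    try {
        foreach ($src in $Sources) {
            $sub = Join-Path $dest (Split-Path -Path $src -Leaf)
            # /MIR mirrors the tree; /R:2 /W:5 bounds retries on locked files; /LOG+ appends to our log.
            robocopy $src $sub /MIR /R:2 /W:5 /NP "/LOG+:$log" | Out-Null
            # robocopy exit codes 0-7 are success (files copied, extras, mismatches); 8 and up mean failures.
            if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
        }
        "Backup completed at $(Get-Date -Format s)" | Out-File -FilePath $log -Append
        return $true
    } catch {
        "Backup FAILED: $_" | Out-File -FilePath $log -Append
        return $false
    } finally {
        # Runs whether the copy succeeded, failed or threw, so the mail server never stays down.
        Start-Service -Name $ServiceName
    }
}

Invoke-ServiceBackup -ServiceName $ServiceName -Sources $Sources -TargetRoot $TargetRoot
```

Schedule it with the highest run level, as described in the “Run scheduled tasks with highest privileges” post, and check the return value or the log line in your monitoring rather than assuming the nightly task succeeded.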

If you like this article the please leave a comment and if you would like to share with an article or a tip please send it to  ” mohamed@mzedan.com “