Getting Lync PowerShell to use RBAC

You may find that some things work in the Lync Server Control Panel (the GUI) but fail in PowerShell with Access Denied. The reason is that RBAC applies only to remote PowerShell; a local Lync Server Management Shell is authorized by the account's Active Directory group memberships, not by its RBAC roles.

To resolve this, connect to the server's remote PowerShell endpoint (which does enforce RBAC) with the following script. Copy the contents to a file and name it Connect-Lync.ps1:

$usercredential = Get-Credential
# Skip the CA, name and revocation checks on the server certificate.
# Only defensible because the target is localhost; see note 1 below.
$pso = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# OcsPowerShell is the remote management endpoint that applies RBAC
$session = New-PSSession -ConnectionUri https://localhost/ocspowershell -Credential $usercredential -SessionOption $pso
# Bring the Lync cmdlets into the local session; they now run under RBAC
Import-PSSession $session

Note: 1. This script ignores the certificate (CA, name and revocation checks), so it will work if you're using a self-signed cert. Because the connection goes to localhost, nothing leaves the box; do not reuse these switches against a remote server, since they defeat the protection TLS gives your admin credentials.
          2. You may need to modify the execution policy to run this unsigned script in PowerShell: Set-ExecutionPolicy RemoteSigned (locally created scripts run, downloaded ones must be signed).

References:

http://technet.microsoft.com/en-us/library/gg399050.aspx
"Note that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins."
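As an added example (not part of the original post), the same connection made the way you would make it against a real Front End instead of localhost: no certificate checks are skipped, and once connected the script shows which RBAC roles the account actually holds and runs one read-only cmdlet under them. The pool FQDN lync-fe.contoso.com is a placeholder; it must be a subject or SAN name on the server certificate, and that certificate must be trusted by the client machine. It also assumes the account holds at least the CsViewOnlyAdministrator role and that Get-CsAdminRoleAssignment accepts the SAM account name as -Identity.

```powershell
# Added example; not from the original post. Connect to the RBAC-enforcing
# remote endpoint WITHOUT disabling certificate validation, list the RBAC roles
# of the connecting account, then run one cmdlet under those roles.
$poolFqdn = 'lync-fe.contoso.com'   # placeholder: your Front End / pool FQDN
$cred     = Get-Credential

# No New-PSSessionOption with -SkipCACheck/-SkipCNCheck/-SkipRevocationCheck here:
# the skip switches in the post are only acceptable when the target is localhost.
$session = New-PSSession -ConnectionUri "https://$poolFqdn/OcsPowerShell" -Credential $cred

try {
    Import-PSSession -Session $session | Out-Null

    # Roles RBAC assigned to this account (a local Management Shell ignores these).
    # GetNetworkCredential().UserName strips the DOMAIN\ prefix to the SAM account name.
    $sam = $cred.GetNetworkCredential().UserName
    Get-CsAdminRoleAssignment -Identity $sam

    # A read-only cmdlet: succeeds for CsViewOnlyAdministrator, whereas a write
    # cmdlet such as Set-CsUser would fail with Access Denied under that role.
    Get-CsUser -ResultSize 5 | Select-Object DisplayName, SipAddress
}
finally {
    # Always tear the remote session down; the imported cmdlets stop working after this.
    Remove-PSSession $session
}
```

If the New-PSSession call fails with a certificate error, fix the certificate (or the name you connect to) rather than adding the skip switches; a trusted, name-matching certificate is the only thing standing between your admin credentials and anyone who can answer for that FQDN on the network.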

The Problem with Hardware VSS Providers and Cluster Technologies like CSV and DAG

In solutions such as a DAG or a CSV you can have trouble getting VSS backups to complete if you are attached to a SAN and using a hardware VSS provider.
The reason is that a hardware provider snapshots an entire LUN, which requires pausing every process that writes to that LUN; when another server is the one controlling data on that LUN, the node running the backup cannot do that pause by itself from a single host.
Here are the details, as well as ways to resolve the issue.

Scenarios:

1. CSV Issue

  • Multiple servers share a CSV volume and the VMs are distributed across nodes. A backup with a hardware VSS provider may fail because the provider wants to snapshot the entire LUN, but the node you run the snapshot from does not own all of the VMs and so cannot pause them before the snapshot is committed.
  • You can resolve this in one of 2 ways:
    1. Move all the VMs to a single node or host until the backup has completed.
    2. Disable or remove your hardware-based VSS provider.
2. DAG Issue

This issue comes up not because you are sharing LUNs with active data on separate nodes (as above) but because different VSS writers handle active and passive copies: the Exchange (store) writer for active databases and the Exchange Replica writer for passive copies. When you back up a LUN that holds both active and passive databases, a hardware provider may try to use both writers to snapshot the same LUN. You can verify this is the cause by moving all active databases to one node and running the backup again.

  1. You can resolve this in one of 3 ways:
    1. Do not put multiple databases on a single LUN.
    2. Move all databases to one node before running the backup.
    3. Disable your hardware-based VSS provider.

 

NOTE: Disabling your hardware provider will likely make your backups take much longer, because the software provider does the copy-on-write on the host instead of letting the SAN take the snapshot.
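The checks and the two "consolidate onto one node" workarounds as runnable PowerShell, added here as an example and not taken from the original post. It does three things: lists the VSS providers registered on the host so you can see whether a hardware provider is in play (parsing vssadmin output), live-migrates every clustered VM to the node the backup will run from for the CSV case (FailoverClusters module on Windows Server 2008 R2), and for the DAG case shows which volumes hold more than one database and then activates every copy on one server. BACKUPNODE and EXMBX01 are placeholders; the moves need the corresponding cluster and Exchange admin rights and cause the usual live-migration and database switchover effects.

```powershell
# Added example; none of this is from the original post.

# --- (1) Which VSS providers are registered on this host? ---------------------
function Get-VssProviderSummary {
    $text = & vssadmin.exe list providers | Out-String
    foreach ($block in ($text -split 'Provider name:')) {
        if ($block -notmatch 'Provider type:') { continue }   # skips the banner text
        New-Object PSObject -Property @{
            Name = ($block -split "`r?`n")[0].Trim().Trim("'")
            Type = [regex]::Match($block, 'Provider type:\s*(\S+)').Groups[1].Value
            Id   = [regex]::Match($block, 'Provider Id:\s*(\{[^}]+\})').Groups[1].Value
        }
    }
}
# Any row with Type = Hardware is the provider the scenarios above are about.
Get-VssProviderSummary | Format-Table Name, Type, Id -AutoSize

# --- (2) CSV: put every VM on the node that will take the snapshot -------------
Import-Module FailoverClusters
$backupNode = 'BACKUPNODE'                                    # placeholder
Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Virtual Machine' -and $_.OwnerNode.Name -ne $backupNode } |
    ForEach-Object {
        # Live migration keeps the VM running; afterwards the Hyper-V writer on
        # $backupNode can pause every VM on the CSV before the LUN snapshot.
        Move-ClusterVirtualMachineRole -Name $_.OwnerGroup.Name -Node $backupNode
    }

# --- (3) DAG: find mixed LUNs, then make one server own every active copy ------
# Volumes that hold more than one database. Split-Path -Qualifier only returns
# the drive letter, so mount points under one letter are grouped together;
# adjust the grouping expression to your own LUN layout.
Get-MailboxDatabase |
    Group-Object { Split-Path $_.EdbFilePath.PathName -Qualifier } |
    Where-Object { $_.Count -gt 1 } |
    Select-Object @{n='Volume';e={$_.Name}}, Count,
                  @{n='Databases';e={($_.Group | ForEach-Object { $_.Name }) -join ','}}

$activeServer = 'EXMBX01'                                     # placeholder
Get-MailboxDatabase -Status |
    Where-Object {
        $_.ReplicationType -eq 'Remote' -and
        $_.MountedOnServer -notlike "$activeServer*" -and
        (($_.Servers | ForEach-Object { $_.Name }) -contains $activeServer)   # must host a copy
    } |
    ForEach-Object {
        Move-ActiveMailboxDatabase -Identity $_.Name -ActivateOnServer $activeServer -Confirm:$false
    }
```

Run part (1) on the node that performs the backup; parts (2) and (3) are meant to be run before the backup job starts and reverted afterwards with the same cmdlets in the other direction. If part (1) shows no hardware provider at all, the failures described above have a different cause.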

References

  • Disable the EqualLogic VSS hardware provider: run "C:\Program Files\EqualLogic\bin\eqlvss /unregserver"
  • Disable hardware VSS in DPM: create the DWORD value UseSystemSoftwareProvider with data 1 under HKLM\Software\Microsoft\Microsoft Data Protection Manager\Agent
  • How VSS Works
  • If you know how to disable other providers, please let me know and I will add it to this document!

Moderated Calendar in Exchange 2010 (Using a Resource Mailbox for calendars)

  • Room1 is the room that needs to be moderated
  • MailUser2010 and MailUser2007 are the users that need authorization to approve and view the meeting requests

Create a Moderated Resource Calendar mailbox in 3 easy steps

  1. Open Exchange Management Shell
  2. New-Mailbox -Name 'room1' -Alias 'room1' -UserPrincipalName 'room1@MyDomain.Com' -SamAccountName 'room1' -FirstName 'room1' -Room
  3. Set-CalendarProcessing -Identity "Room1" -AutomateProcessing AutoAccept -ResourceDelegates "MailUser2010","MailUser2007" -AllBookInPolicy $false -AllRequestInPolicy $true

You can make further adjustments with Set-CalendarProcessing -Identity "Room1", or use the Exchange Management Console (EMC) and modify the properties of the mailbox you just created (specifically the "Policy" tabs).
You can view the settings with Get-CalendarProcessing -Identity "Room1".

You can now add the calendar to view and approve in OWA and two users are now able to authorize room access.
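An added example, not from the original post, that audits every room mailbox and classifies how it handles bookings. It exists because a new room mailbox defaults to AllBookInPolicy $true, so unless someone ran the Set-CalendarProcessing step above the room accepts every in-policy request with no delegate ever seeing it; the report makes those rooms stand out from the moderated ones. Run it in the Exchange Management Shell; it only reads, and assumes nothing beyond what Get-Mailbox and Get-CalendarProcessing return.

```powershell
# Added example; not from the original post.
function Get-RoomModerationReport {
    Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
        $cp = Get-CalendarProcessing -Identity $_.Identity
        $delegates = ($cp.ResourceDelegates | ForEach-Object { $_.Name }) -join ';'

        # Order matters: AllBookInPolicy wins over AllRequestInPolicy in Exchange.
        if ($cp.AutomateProcessing -ne 'AutoAccept') {
            $mode = 'Not automated (AutoUpdate/None): requests stay tentative until someone accepts by hand'
        } elseif ($cp.AllBookInPolicy) {
            $mode = 'Open: every in-policy request is accepted automatically'
        } elseif ($cp.AllRequestInPolicy -and $cp.ResourceDelegates.Count -gt 0) {
            $mode = 'Moderated: requests wait for a delegate to approve'
        } elseif ($cp.AllRequestInPolicy) {
            $mode = 'Stuck: requests stay tentative and there are no delegates to approve them'
        } else {
            $mode = 'Restricted: only the BookInPolicy/RequestInPolicy lists may book'
        }

        New-Object PSObject -Property @{
            Room               = $_.Alias
            AutomateProcessing = $cp.AutomateProcessing
            AllBookInPolicy    = $cp.AllBookInPolicy
            AllRequestInPolicy = $cp.AllRequestInPolicy
            Delegates          = $delegates
            Mode               = $mode
        }
    }
}

Get-RoomModerationReport | Sort-Object Mode | Format-Table Room, Mode, Delegates -AutoSize
```

Rooms reported as "Open" are fixed with the same Set-CalendarProcessing line used in step 3 above; rooms reported as "Stuck" need at least one -ResourceDelegates entry or their requests will never be approved.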

To View the new Calendar

  1. Open OWA as a user that you have given delegate access
  2. Click on Calendar
  3. Click Share, then Add Calendar
  4. Type in or browse for your new room calendar
  5. You can now see both calendars

To Book a room

  1. Open OWA as a standard user
  2. Click on Calendar
  3. Click New (to create a new calendar entry)
  4. Click the Scheduling Assistant tab
  5. Either type in the room name under Select Rooms, or click Select Rooms to find the room you want to book
  6. Click the check box on the room to add it
  7. On the Appointment tab enter the subject, add other attendees and notes
  8. Click Send

To Accept \ reject a Meeting invite

  1. Open the calendar as a user that has access to moderate the room
  2. Find the request in your inbox
  3. Double click the invite and choose Accept or Decline (it is already set to Tentative by default)

Configure Split DNS for a specific Host

 

Say I have domain.com and it is hosted externally.
I add an Exchange server and an external record called mail.domain.com that points to my external IP.
I ALSO want to reach my server on its internal IP instead of going out through my firewall and back in. (This is called split DNS.)

Split DNS = I have 2 DNS zones, one external and one internal, for the same domain.
The issue is that you have to manage both zones individually (even if you only need one specific host record to differ).

An alternative is to create an internal zone JUST for that one host name, so the rest of domain.com keeps resolving through the external zone.

Here are the directions to create the zone and its "same as parent" A record (the original post showed each wizard page as a screenshot; those are not reproduced here):

  1. Open DNS on your DC, right click Forward Lookup Zones, and select New Zone.
  2. Create a Primary zone and give it the full host name as the zone name: mail.domain.com.
  3. Right click the new zone, select New Host (A or AAAA), leave the Name field blank (the record then shows as "(same as parent folder)") and enter the internal IP address.

Now you have split DNS for the single host name only.
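The same single-host zone built from the command line with dnscmd (present on a 2008 R2 DC), followed by a check that the name really resolves differently on the inside and the outside. This is an added example, not from the original post; mail.domain.com and 192.0.2.25 are placeholders for your host name and internal address, and 8.8.8.8 is only used as "some external resolver" to show the split.

```powershell
# Added example; not from the original post.
$hostName   = 'mail.domain.com'     # placeholder
$internalIp = '192.0.2.25'          # placeholder internal address
$dc         = $env:COMPUTERNAME     # run this on the DC that hosts DNS

# 1. A zone whose name IS the host name, stored in AD (/DsPrimary) so it
#    replicates to the other DCs like any other AD-integrated zone.
& dnscmd $dc /ZoneAdd $hostName /DsPrimary

# 2. The "same as parent" A record: '@' addresses the zone root.
& dnscmd $dc /RecordAdd $hostName '@' A $internalIp

# 3. Resolve the name against a given server and return the answer address.
function Resolve-Against([string]$name, [string]$server) {
    $out = & nslookup -type=A $name $server 2>$null | Out-String
    # nslookup prints the server's own "Address:" first and the answer last
    $line = $out -split "`r?`n" | Where-Object { $_ -match '^Address' } | Select-Object -Last 1
    ($line -replace '^Address(es)?:\s*', '').Trim()
}

$inside  = Resolve-Against $hostName $dc
$outside = Resolve-Against $hostName '8.8.8.8'
"Inside : $inside"
"Outside: $outside"
if ($inside -eq $internalIp -and $outside -ne $internalIp) {
    'Split DNS for the single host works: internal clients get the internal address, the public record is untouched.'
}
```

One caveat worth knowing before you rely on this: the DC is now authoritative for mail.domain.com and for anything beneath it, so if you ever publish a record such as something.mail.domain.com externally, internal clients will not see it unless you add it to this zone as well.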

Publish all exchange roles on one TMG listener

I have had a few requests for publishing everything on one listener, so here it is (this is an addendum to the rest of the articles, not a rewrite).

OA, EWS and OAB should be able to use the forms-based listener because TMG is supposed to switch to Basic authentication for them, based on information Outlook provides when it connects. (It doesn't always work, but here is how to make it work every time.)

The steps:

  1. Publish OWA using the following article.
    http://exchangemaster.wordpress.com/2010/04/09/publish-exchange-2010-with-tmg-forefront-threat-management-gateway/
  2. Publish OA\EWS\OAB using this article.

NOTE: This method moves authentication from TMG to the Exchange server, eliminating pre-authentication for Outlook Anywhere. In practice that means unauthenticated requests to the /rpc path reach the CAS and its IIS authentication directly: TMG still inspects the traffic, but it no longer rejects callers before they touch Exchange, so password guessing against Outlook Anywhere lands on the CAS rather than on the TMG listener. Keep "Require all users to authenticate" off on the listener (the method depends on it) and make sure the Outlook Anywhere authentication settings on the CAS are what you intend, since they are now the only gate.
This will also work for publishing ADFS 2.0 for Office 365 using a single listener (coming soon).

Configure Outlook anywhere rule on TMG

  1. Open Forefront TMG.
  2. Select the node shown in the original screenshot (image not reproduced here).
  3. In the Action pane, under Tasks, click the publishing task shown in the original screenshot.
  4. Give the rule a name; I'll name mine "2010 OA".
  5. Next, Next.
  6. Internal Site Name should be your CAS server FQDN (it needs to be on the certificate).
  7. The external name is what you use to access OA (it also needs to be on the certificate).
  8. Click Next, then Finish, then select the listener (choose the OWA listener you created before).
  9. This step moves the authentication from the TMG server to Exchange: modify the User set to include "All Users" and remove "All Authenticated Users".
  10. You may get an error at this point (shown as a screenshot in the original); you can click OK and ignore it. (Do not check the "Require all users to authenticate" box on the listener, or this method will not work.)
  11. Finish.
  12. Outlook Anywhere is now published using the same listener as OWA (albeit without pre-auth).

Configure your target URL for OWA redirect when migrating users to the cloud

 

When you migrate a user to Office 365 you want OWA users to get a simple redirect to Office 365 and not this error (screenshot in the original, not reproduced here).

You also want to give your users an easy OWA URL rather than http://outlook.com/owa/mysupercooldomain.com.

The solution takes 2 steps:

  1. Create a CNAME record that points to outlook.com (i.e. OWA.mysupercooldomain.com = outlook.com).
  2. Add that name to your organization relationship:
    Set-OrganizationRelationship -Identity "<your relationship name>" -TargetOwaURL http://owa.mysupercooldomain.com/owa
  3. Give OWA.mysupercooldomain.com to your users as their new OWA page.

Note: the domain you create the CNAME in must be one of your federated or accepted domains in Office 365 for realm discovery to work.

Installing Windows mobile into a VM (With Network Access)

 

I posted this ages ago and recently had reason to need it again, so here it is.

Requires:
Windows Hyper-V
(I have not been able to get networking to work without docking on any other VM software. Tried: ESX 3.5, VMware Workstation, VMware Server, MS Virtual Server.)
Guest OS: Windows XP with all the updates (might work with Vista, not tested)

1. Install Virtual PC 2007 SP1 in the guest (needed for network connectivity)
   a. Install Integration Components on the VM
   b. Use the Hyper-V synthetic NIC
2. Install the Windows Mobile Emulator
3. Install the Windows Mobile 6.1.4 images
4. Start WM 6.1.4 Professional
5. On the mobile emulator
   a. Click File
   b. Configure
   c. Network tab
   d. Enable NE2000 PCMCIA
   e. Select Microsoft Virtual Machine Bus Network Adapter
   f. Click OK
6. On the Windows Mobile device
   a. Click Start
   b. Settings
   c. Connections tab
   d. Connections
   e. Advanced tab
   f. Select Networks
   g. Set both networks to "My Work Network"
7. If you have DHCP available you now have network access from your emulator in the VM
8. If DHCP is not available, configure a static IP in the emulator
   a. On the Windows Mobile device
      i. Click Start
      ii. Settings
      iii. Connections tab
      iv. Network Cards
      v. Select NE2000 Compatible Ethernet Driver
      vi. Click Edit
      vii. Configure the IP address and gateway on the IP Address tab
      viii. Configure DNS on the Name Servers tab

If you do not have access to Hyper-V or just want to use a different virtualization method, you will need to use the "Dock Method".

Guest OS: Windows XP with all the updates (might work with Vista, not tested)

1. Replace step 5 with:
   a. Install ActiveSync 4.5 in the XP guest OS
      i. Run ActiveSync
      ii. Click File
      iii. Connection Settings
      iv. Allow connections to one of the following
      v. Click the drop-down button and change it to DMA
      vi. Click OK
   b. In the XP guest, navigate to C:\Program Files\Microsoft Device Emulator\1.0
   c. Run dvcemumanager.exe
   d. Right click the GUID of your device and select "Cradle"
   e. ActiveSync will now connect the device to the VM and you will have network connectivity that way

Exchange 2010 EMC cannot access AD configuration data after you demote a DC

Environment:

Exchange 2010/Domain Controller combo server running on Windows 2008 R2.

Problem:

Demoting the Domain Controller role causes the Exchange Management Console to fail to retrieve any Exchange information, with the error "Active directory response: The LDAP server is unavailable." It is still looking for the demoted DC even though the DC has been cleaned out of AD and DNS. All Exchange services start fine, and the Exchange Management Shell works fine.

Reason:

The obsolete information is cached in an Exchange Management Console settings file in the user's Windows profile. EMC keeps trying to connect to the original DC stored in that file.

Solution:

Close EMC, go to the following folder and delete the Exchange Management Console file, then reopen EMC.

C:\users\<specific user>\AppData\Roaming\Microsoft\MMC\Exchange Management Console

Reference: http://support.microsoft.com/kb/2019500

Retention Policy on Calendar Items in Exchange 2010

As we all know by now, you cannot use a Retention Policy and Retention Tags on Calendar items in Exchange 2010. So how would you clean up users' old Calendar items? Managed Folders save the day!

Here are the powershell commands to create ManagedFolder and policy:

New-ManagedFolder -Name 'DefaultCalendar' -DefaultFolderType Calendar -MustDisplayComment $false

New-ManagedContentSettings -FolderName DefaultCalendar -MessageClass IPM.Appointment -Name DefaultCalendarContentSettings -RetentionEnabled $true -RetentionAction MoveToDeletedItems -AgeLimitForRetention 1

New-ManagedFolderMailboxPolicy -Name "DefaultCalendarPolicy" -ManagedFolderLinks DefaultCalendar

Set-Mailbox -Identity johndoe -ManagedFolderMailboxPolicy "DefaultCalendarPolicy"

Start-ManagedFolderAssistant -Identity johndoe

The most important part is IPM.Appointment. I've tried other suggestions from TechNet such as "Calendar", but this is the only one that works.

Note: -AgeLimitForRetention 1 means one day, so the policy moves any Calendar item older than one day from the Calendar to the Deleted Items folder.
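An added example (not from the original post) that pilots the policy on one mailbox and shows what it actually did before you assign it to everyone: it prints the content settings so you can confirm the IPM.Appointment class, the one-day age limit and the MoveToDeletedItems action, then compares Calendar and Deleted Items counts before and after the Managed Folder Assistant runs. The mailbox johndoe is a placeholder; run it in the Exchange 2010 Management Shell after the five commands above have created the folder, settings and policy.

```powershell
# Added example; not from the original post.

# What the content settings will enforce: message class, age limit, action.
Get-ManagedContentSettings -FolderName 'DefaultCalendar' |
    Format-List Name, MessageClass, AgeLimitForRetention, RetentionAction, RetentionEnabled

function Get-CalendarFolderCounts([string]$mailbox) {
    # Item counts for Calendar and Deleted Items, taken before and after the
    # assistant runs so the number of moved appointments is visible.
    foreach ($scope in 'Calendar', 'DeletedItems') {
        Get-MailboxFolderStatistics -Identity $mailbox -FolderScope $scope |
            Select-Object @{n='Folder';e={$_.FolderPath}}, ItemsInFolder
    }
}

$pilot = 'johndoe'   # placeholder pilot mailbox
'--- before ---'
Get-CalendarFolderCounts $pilot

Set-Mailbox -Identity $pilot -ManagedFolderMailboxPolicy 'DefaultCalendarPolicy'
Start-ManagedFolderAssistant -Identity $pilot

# The assistant processes the mailbox asynchronously; give it time to finish.
Start-Sleep -Seconds 120
'--- after ---'
Get-CalendarFolderCounts $pilot
```

If the "after" Calendar count is unchanged, check the content settings output first: a MessageClass other than IPM.Appointment is the usual reason, as noted above.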

TMG NLB and F5 Publishing Problems

Environment:

TMG array –> F5 Load Balancer –> Published service

Problem:

When traffic comes in through TMG to the F5, the F5 does not respond correctly to the load-balanced request and TMG never sees a response.

Reason:

  1. The F5 takes the sender's MAC address from the Ethernet header of the incoming frame instead of learning it through ARP.
  2. In unicast mode MS NLB masks the source MAC address of outgoing frames (it rewrites it to a per-host variant derived from the cluster host number) so that the switch never learns the cluster MAC on a single port; that is what keeps the switch flooding cluster traffic to every node.
  3. Because the F5 does not go through ARP, the NLB driver never gets to hand it the real cluster MAC for the sending host; the F5 replies to the masked address, which no host accepts, and TMG sees nothing.

Solution:

  1. Set the MaskSourceMAC registry value to 0 on the NLB adapters of both TMG servers in the array that send to the F5. http://support.microsoft.com/?id=193602
  2. Because the switch will then learn the cluster MAC on a single port and deliver traffic to only one node, put a hub between the F5 and the TMG array so that every array member still sees the traffic.