Archive for April, 2011



This continuation from the earlier post of the same name will take us through the second phase of the 2003 to 2010 Exchange migration I performed for a past student of mine.

Quick recap of what we’ve done up to now…

  • Prepared the environment for the new Exchange 2010 servers (PrepareAD for the schema and domain)
  • Installed two VMs, named Ex10 and Ex11.company.com, running Windows Server 2008 R2 and patched the OS. Installed all Exchange 2010 prerequisites, installed Exchange 2010 into the new VMs, and applied the latest Rollup.

So we have the platform ready, but all inbound and outbound mail is still routing through the old mailbox servers. Let’s start by getting all inbound mail into the new 2010 CAS role first. The company in question was using a “mail.company.com” hostname for the Exchange 2003 OWA environment, which they planned on retaining. This is fine, but the DNS configuration they were using would require us to get a new certificate for the new 2010 boxes (see Understanding Digital Certificates and SSL).

To cover all bases I recommended getting a new UCC / SAN certificate with the following names…

  • ex10.company.com
  • ex11.company.com
  • autodiscover.company.com
  • mail.company.com
  • ex10.company
  • ex11.company
  • autodiscover.company
  • mail.company

Why so many names? Well, again, this particular environment had an external namespace with a normal DNS namespace (company.com), but their internal AD domain was a single-label domain name (company). The certificate they purchased (Godaddy.com) was a “multiple domains – UCC” type with up to 10 domains. This allowed us the luxury of having any and every name (single label or not) resolvable internally or externally. Some may argue this is overkill. This admin inherited the environment and was in a position to make changes to get it into Microsoft-recommended shape prior to the upgrade, so this was the easiest solution for him.

Now that we have the new cert installed on both new boxes, as well as the old cert from the 2003 box imported into the new ex10 and ex11 machines, we are ready to start moving mail through the new machines.

He made changes to his SonicWall rules and had all port 25 SMTP, 80 HTTP and 443 HTTPS traffic redirected to the new ex10 CAS 2010 box. All client MAPI / RPC / OA / OWA and EAS connections will now hit this box first. He also created a new public autodiscover.company.com A record resolving to the old public IP he was using before. Last but not least, he created another new A record for legacy.company.com pointing to a NEW public IP he had available. This is for co-existence OWA purposes.

At this point all mailboxes are still on the 2k3 side. Before we even thought of moving a single mailbox, let’s test mail flow both in and out with the new 2010 HUB roles being the point of entry and exit. We did some quick tests from internal and external mailboxes, from and to internal and external mail organizations. Success. Next we created a new 2010 mailbox. We called it “Jay Cutler” since this admin was a Chicago Bears fan. Since we installed 2010 into the 2003 organization, it automatically created a connector between the 2003 routing group and the new 2010-based one. Let’s log in to this new mailbox (via MAPI and OWA) and send mail messages back and forth. Success. This also confirms 2010 CAS is functioning correctly. 2010 CAS servers automatically register an SCP (Service Connection Point) in AD for this!

So transport, internal and external, is confirmed, and even between 2003 and 2010. Let’s turn our focus to client access. We used the Microsoft Exchange Remote Connectivity Analyzer to aid us in this. Using some credentials from AD, we could simulate and tell which types of remote connectivity work! RPC over HTTPS (Outlook Anywhere), OWA and even Exchange ActiveSync are all testable here. After some tweaks to his SonicWall this worked great. This tool is IMMENSELY helpful since it not only tells you when something isn’t working, but gives suggestions on possible resolutions.

One of the big headaches many admins will have is the OWA co-existence. The new 2010 CAS cannot provide a 2003 OWA experience if the target mailbox is still on a 2003 back-end server. So during this phase it has to refer the OWA request back to the 2003 front-end “legacy” server. See what we did there? This is the legacy A DNS record we made earlier. This new public IP address goes directly to the internal IP address of the old 2003 Exchange server. So the process works like this. You hit the new OWA 2010 login page using the old URL (Http://mail.companyname.com/exchange) and are automatically redirected to the actual URL (Http://mail.company.com/OWA). The user enters their credentials. If the lookup shows the target mailbox is still on the 2003 box, it’s redirected to a URL we set earlier using the Exchange Management Shell (Http://legacy.company.com/exchange). To support this, some settings had to be modified on the front-end server and a patch had to be installed.
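The certificate request and the OWA legacy redirect from this phase, as an added example in Exchange 2010 Management Shell syntax (these are not the admin’s own commands from the post). It assumes the server name Ex10, the organisation “Company”, the request path C:\certreq\ex10.req, a <THUMBPRINT> placeholder for the issued cert, and that the legacy 2003 front end is published over HTTPS with its imported cert.

```powershell
# Added example, not from the original post. Run in the Exchange 2010
# Management Shell on Ex10. Assumed: server "Ex10", organisation "Company",
# request path C:\certreq\ex10.req, placeholder <THUMBPRINT>.

# 1. Generate one SAN certificate request covering every name the post lists.
#    mail.company.com is the CN; the others become subject alternative names.
#    The key is exportable so the same cert can be imported on Ex11 as well.
$sanNames = @(
    "mail.company.com", "ex10.company.com", "ex11.company.com", "autodiscover.company.com",
    "mail.company",     "ex10.company",     "ex11.company",     "autodiscover.company"
)
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.company.com, O=Company, C=US" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2010 SAN cert"
Set-Content -Path "C:\certreq\ex10.req" -Value $request

# 2. Once the CA returns the issued certificate, import it and bind it to IIS
#    (OWA, EAS, Outlook Anywhere, Autodiscover) and SMTP. Enable-ExchangeCertificate
#    warns before replacing the default SMTP cert; check which one it replaces.
# Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certreq\ex10.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint "<THUMBPRINT>" -Services "IIS,SMTP"

# 3. Co-existence: tell OWA on the 2010 CAS where the 2003 front end lives, so
#    a user whose mailbox is still on 2003 is redirected to the legacy URL.
Set-OwaVirtualDirectory -Identity "Ex10\owa (Default Web Site)" `
    -Exchange2003Url "https://legacy.company.com/exchange"

# 4. Check: every SAN name should appear in CertificateDomains of the enabled
#    cert, and the legacy URL should be set on the owa virtual directory.
Get-ExchangeCertificate -Thumbprint "<THUMBPRINT>" | Format-List CertificateDomains, Services
Get-OwaVirtualDirectory -Server Ex10 | Format-List Exchange2003Url
```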

Once this was working well and EAS was also hitting the 2003 server correctly, we moved a few mailboxes, both guinea-pig and fake dummy mailboxes.

In part 3 I’ll cover the mailbox moves, DAG configuration and how to handle failover if one of the servers becomes unavailable.

 


PowerShell, if you haven’t been exposed to it yet, is an Awesome tool. Now for someone who’s as infrastructure focused as I am to say a statement like that means a lot. I tried to teach myself VB 6 back in the day and almost put a gun in my mouth. I just don’t have the “Code Monkey” mentality. There are those of you out there who can just bang out lines of script or code and not even bat an eye over it. For me, it’s pulling teeth.

This is where PowerShell really stands out. It’s the best of both worlds. You have extreme reach into the OS and configuration via WMI and .NET extensions if you need it. YET it’s very straightforward and actually pretty easy to read once you’re used to it. I will be covering some basic nuggets of PowerShell components as this blog evolves to aid you in some common management tasks.

Let’s look at our first example.

I’m an AD administrator and would like to use PowerShell to create new user accounts.

Now this seems pretty basic, right? Heck, PowerShell 2.0 even gives you an entire module (built in on WS2008 once the role is installed, or as part of the RSAT suite; for Win7 SP1, HERE) focused just on AD administration through PowerShell. For a list of all the cmdlets available in the module, click on the TechNet logo to be brought to the page.


So given this scenario, the cmdlet you would need is the New-ADUser cmdlet. Now, almost every cmdlet you can run in the shell or the ISE accepts “parameters”. Think of parameters like the switches you pass to DOS commands. The one this nugget is concerned with is the -AccountPassword parameter. The interesting thing about this parameter is that it’s NOT required! “Well Chad, when I am in ADUC I HAVE to enter a password during the wizard.” With this method you don’t. If you omit this parameter, or mess it up, the account is still created; the exception is that the account cannot be enabled.

Enough about all of this, let’s get to the goods.

New-ADUser -Name "Chad Solarz" -AccountPassword "Pa$$w0rd"

Here we have added the ONLY required parameter, -Name, plus -AccountPassword. The syntax listed above will NOT work. Why? Well, the string of text we’ve used for the -AccountPassword parameter needs to be scrambled and not readable; the parameter only accepts a secure string, not plain text. It would be pretty insecure if we had passwords in clear text all over the code! There are many ways to do this. Let’s discuss two of the most likely.

First is using the Read-Host cmdlet embedded into the syntax. The Read-Host cmdlet prompts the person running the command for the string to use as the password. Let’s see how this is added in…

New-ADUser -Name "Chad Solarz" -AccountPassword (Read-Host -AsSecureString "AccountPassword")

Now you see the parentheses being used. Like in math, those are always evaluated first. So the user of the script is asked for the password that needs to be used, then it is stored as a secure string value which is then passed into the -AccountPassword parameter.

Another way is to “define” or assign the value of a variable and then pass that into the New-ADUser cmdlet.

$Password = Read-Host -AsSecureString

New-ADUser -Name "Chad Solarz" -AccountPassword $Password

The advantage of using the variable is that it’s reusable by any other cmdlet in the same script.
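Putting the variable approach to work, as an added example (not from the original post): a small function that takes the secure string from Read-Host, creates an enabled account with New-ADUser, and checks for the “created but disabled” case the post describes. The OU path and UPN suffix are assumed; the function name is hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed, and that the OU and UPN suffix below exist.
Import-Module ActiveDirectory

function New-UserWithPassword {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string]$Name,
        [Parameter(Mandatory = $true)] [string]$SamAccountName,
        # Typed as SecureString, so a plain-text literal is rejected at the call site.
        [Parameter(Mandatory = $true)] [System.Security.SecureString]$Password,
        [string]$Path = "OU=Staff,DC=company,DC=com"   # assumed OU
    )

    try {
        New-ADUser -Name $Name `
            -SamAccountName $SamAccountName `
            -UserPrincipalName "$SamAccountName@company.com" `
            -AccountPassword $Password `
            -Path $Path `
            -Enabled $true `
            -ChangePasswordAtLogon $true `
            -ErrorAction Stop
    } catch {
        # A password that fails domain policy (length, complexity, history) lands
        # here; as the post notes, the account may exist but cannot be enabled.
        Write-Warning "New-ADUser failed for ${SamAccountName}: $($_.Exception.Message)"
    }

    # Read the result back rather than trusting the call succeeded.
    $check = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties Enabled
    if ($null -eq $check) {
        Write-Warning "$SamAccountName was not created."
    } elseif (-not $check.Enabled) {
        Write-Warning "$SamAccountName exists but is disabled; check the password against policy."
    }
    return $check
}

# Prompt once and reuse the SecureString for as many cmdlets as the script needs.
$pw = Read-Host -AsSecureString "Password for the new account"
New-UserWithPassword -Name "Chad Solarz" -SamAccountName "csolarz" -Password $pw

# Avoid building the SecureString from a literal in the script, e.g.
#   ConvertTo-SecureString "<plain text>" -AsPlainText -Force
# That puts the password back on disk in clear text, which is what Read-Host avoids.
```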

Good luck and happy PowerShelling!


I had a few students in this week’s 50292 Windows 7 class ask if there’s a list of keyboard shortcuts in the book. I’ve put some on here that deal with the use of the Windows logo key. I decided to point them here and to the official MSFT site as well.

Windows 7 Keyboard Shortcuts

The following table contains keyboard shortcuts that use the Windows logo key.

Press this key: To do this

Windows logo key: Open or close the Start menu.
Windows logo key+Pause: Display the System Properties dialog box.
Windows logo key+D: Display the desktop.
Windows logo key+M: Minimize all windows.
Windows logo key+Shift+M: Restore minimized windows to the desktop.
Windows logo key+E: Open Computer.
Windows logo key+F: Search for a file or folder.
Ctrl+Windows logo key+F: Search for computers (if you’re on a network).
Windows logo key+L: Lock your computer or switch users.
Windows logo key+R: Open the Run dialog box.
Windows logo key+T: Cycle through programs on the taskbar.
Windows logo key+number: Start the program pinned to the taskbar in the position indicated by the number. If the program is already running, switch to that program.
Shift+Windows logo key+number: Start a new instance of the program pinned to the taskbar in the position indicated by the number.
Ctrl+Windows logo key+number: Switch to the last active window of the program pinned to the taskbar in the position indicated by the number.
Alt+Windows logo key+number: Open the Jump List for the program pinned to the taskbar in the position indicated by the number.
Windows logo key+Tab: Cycle through programs on the taskbar by using Aero Flip 3-D.
Ctrl+Windows logo key+Tab: Use the arrow keys to cycle through programs on the taskbar by using Aero Flip 3-D.
Ctrl+Windows logo key+B: Switch to the program that displayed a message in the notification area.
Windows logo key+Spacebar: Preview the desktop.
Windows logo key+Up Arrow: Maximize the window.
Windows logo key+Left Arrow: Maximize the window to the left side of the screen.
Windows logo key+Right Arrow: Maximize the window to the right side of the screen.
Windows logo key+Down Arrow: Minimize the window.
Windows logo key+Home: Minimize all but the active window.
Windows logo key+Shift+Up Arrow: Stretch the window to the top and bottom of the screen.
Windows logo key+Shift+Left Arrow or Right Arrow: Move a window from one monitor to another.
Windows logo key+P: Choose a presentation display mode.
Windows logo key+G: Cycle through gadgets.
Windows logo key+U: Open Ease of Access Center.
Windows logo key+X: Open Windows Mobility Center.

AD / Kerberos


Ever wonder how authentication works inside of Active Directory? I did, so I did some digging and searching. MOST of the time, “it just works”. This leads most admins to never really pull back the covers or pop the hood on how authentication really works. This is a shame, since there is a lot happening behind the curtains, and for good reasons.

Our friends over at the “Active Directory Services team blog” http://blogs.technet.com/b/askds/ wrote an incredible article titled “Kerberos for the busy admin”. This extremely well-written article gives you what you need to better understand Kerberos without melting your frontal lobe!

Please read it here…

http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx