Session speaker at MCT Summit NA 2011

August 24th, 2011

Last June, I was very happy to be a speaker at the yearly MCT Summit Europe in Stockholm, Sweden (http://www.mctsummit.eu/Speakers.aspx?ID=41). As this was such a marvelous and enriching experience for me, I’m more than happy to announce I’ve been accepted as session speaker at MCT Summit USA in San Francisco – CA (http://www.mctsummit.org), taking place 18th-21st of October.

As the main theme is “Microsoft Cloud”, I’ll go and present a session on “Integrating your Exchange 2010 on-premise platform with Office365”.

As always, I’ll share my experiences of this event in a couple of daily update blog posts when I’m there.

So stay tuned for some news at the end of October.

See yah,

/Peter

Exchange 2010 SP1–Rollup Update 5 released

August 24th, 2011

The Microsoft Exchange Team just announced availability of RU5 this morning.

More details can be found at their website:

http://blogs.technet.com/b/exchange/archive/2011/08/23/released-update-rollup-5-for-exchange-2010-sp1.aspx

RU6 has also been announced, becoming available sometime around October.

Would this mean a monthly rollup update is coming our way as of now?

Cheers, Peter

How to deploy Forefront Endpoint Protection 2012 beta on SCCM 2012 beta

July 15th, 2011

This blog post is a full installation walkthrough and documentation guideline on how Forefront Endpoint Protection 2012 beta is installed (I did this today at one of our customers).

One of the main assumptions for the implementation of FEP 2012 beta is the availability of a fully operational System Center Configuration Manager 2012 platform, which was the case. (Thanks to my colleague Steve for this!)

The following topics are documented:

· Installation walkthrough of the FEP 2012 beta server components

· Overview of FEP components within SCCM 2012 console

· Update OSD Task Sequence for FEP 2012 client deployment

· Walkthrough of a manual deployment of the FEP 2012 client

· Monitoring FEP 2012

Installation walkthrough of the FEP 2012 beta server components

· Start the FEPInstall from the installation medium

· If you choose Basic Topology here, the FEP 2012 component will take all current settings from the running SCCM 2012 platform (file locations, SQL database, SQL reporting services, service account settings,…)

· Enter the Password for the SCCM 2012 service account

· Here we choose Use Microsoft Update…; this guarantees that the FEP 2012 client antivirus / antimalware signatures are automatically updated by using Microsoft Update. There is an automatic fallback scenario where the update engine can perform a direct update as well, if WSUS engine should be down.

· By selecting Basic SpyNet membership, the FEP 2012 application will send regular information to Microsoft regarding viruses and malware it detects on the network. The feature “Advanced SpyNet” has about the same functionality, but it also gives feedback to the end-users in the FEP client console, which is normally something we don’t want to bother our users with.

· Once the installation prerequisite check has finished successfully, we force the setup to automatically open the SCCM console

Overview of FEP components within SCCM 2012 console

After we installed the FEP 2012 server components in the previous step, this chapter gives a basic overview of the default FEP 2012 beta topics in the SCCM 2012 beta console.

The following SCCM options are available in Software Library console:

– Software Library / Overview / Application Management / Packages /

o FEP Deployment

o FEP Operations

o FEP Policies

The following SCCM options are available in Monitoring console:

– Monitoring / Overview / FEP Status

– Monitoring / Reportings / Reports

o FEP information for a specific computer

The following SCCM options are available in Assets & Compliance console:

– Overview / FEP Policies

o Default desktop policy

o Default server policy

– Overview / Compliance Settings / Configuration Items

o FEP … (several collections available)

– Overview / Device Collections / FEP Collections

o FEP … (several collections available)

Update OSD Task Sequence for FEP 2012 client deployment

As a lot of FEP specific parameters and settings have already been preconfigured within SCCM 2012 beta, we can immediately make use of those settings to start deployment of the FEP 2012 beta client to our environment.

In this first example, we update an existing OSD task sequence to install FEP 2012 beta client at the end of the OS deployment.

· Go to Software Library / Overview / Operating Systems / Task Sequence

· In our example, there was already a task sequence for deploying a Win7 client with some applications. For “safety reasons”, we first copy this task sequence to a new one, which will be updated afterwards with the FEP 2012 deployment.

· Select the new Task Sequence, right click / Edit

· Pick Add / General / Install Package

· Name : FEP 2012 beta client

· Description : This package installs the FEP 2012 beta client software

· Package : Click Browse / select “Microsoft Corporation FEP – Deployment 1.0” from the list of available packages

· Program: select “install” in the listbox

· Drag / Drop the new package at the end of the “install applications” list; this will install the package as the last component within the task sequence (just an example, not a requirement)

Walkthrough of a manual deployment of the FEP 2012 client

In the previous chapter, we explained how to update an OSD task sequence to install FEP 2012 beta as part of the overall OS deployment.

In this chapter, we talk about how to “manually” deploy the FEP 2012 beta client package to a set of computers.

· Go to the FEP 2012 beta deployment package (Software Library / Overview / Application Management / Packages / FEP – Deployment)

· Rightclick the package + choose Deploy from the context menu

· Software: Browse / Pick “Install”

· Collection : Browse / Any collection of machines to which you want to deploy FEP 2012; in this example, we pick the collection “All desktop and server clients”

· Distribution Point: <your SCCM distribution point>

· Purpose : Required – means the package needs to be installed automatically

· Priority : Normal / High

· If your clients, network and SCCM Site settings support wake-on-lan, mark the option “send wake-up packets” to make sure all active and standby clients receive the package

· Define an assignment schedule for when you want FEP to be deployed

· Choose “Download content…”; this will copy the installation files to the client machine first, and start deployment afterwards. This is the suggested setting for software deployment over LAN.

· Once this wizard is completed, a deployment task is scheduled for the specific collection. Once the SCCM Agent receives notification for installation, the FEP 2012 beta client will be installed on the clients.

· After a few minutes, by going to Monitoring / FEP Status, we can see 1 computer has FEP installed, and 2 other installations are pending

We are now at the status where FEP 2012 beta package can be deployed from within an OS Deployment task sequence, or by using a manual deployment to a specific computer collection.

Monitoring FEP 2012

On the last screen of the previous chapter, we get a graphical overview of FEP 2012 beta deployment Statistics. When clicking on the “1 computer has FEP deployed” link, it will bring you automatically to a newly created collection (automatically done by FEP) “Computers that succeeded FEP Deployment”.

This is a group of assets that have FEP client 2012 installed.

· Other Device viewing collections are also created automatically by FEP:

o Computers not targeted by FEP (will never get FEP client installed)

o Computers with out of date FEP Versions (have FEP installed, but is out of date)

o Computers Pending FEP Deployment (deploy is scheduled, but not started/finished yet)

· On any of the above mentioned FEP Device Collections, we have a new topic available “FEP OPERATIONS” (in the menu ribbon or by rightclicking on the collection / FEP Operations from the context menu)

· This has the following possibilities:

o Run Antimalware Definition updates (=update the virus engine)

o Run Quickscan

o Run Full scan

Configuring FEP Alerts

One could continuously check the different FEP monitoring components or collections within SCCM 2012 console. However, it is more efficient to configure alerts to warn the administrators / helpdesk users of any necessary information on FEP installations on our clients & servers.

· Go to Assets & Compliance

· From within the Ribbon, 2 additional FEP configurations are possible

o FEP email settings

o FEP Alerts

· FEP Email Settings:

o Allows configuring SMTP server settings + notification email address

· FEP Alerts:

o Configure to which email addresses FEP alerts should be sent on a specific malware detection occurrence

That’s it folks !

Cheers,

/Peter

ICTinus presentation at Techdays Belgium 2011

June 13th, 2011

ICTinus was a sponsor of the Belgian Techdays 2011; to create enough “animo”, we worked around the “Pirates of the Caribbean 4” theme, where visitors of the booth could win movie tickets or even a HP sponsored SmartTouch PC.

At the Student Day, I presented ICTinus in real Jack Sparrow style…, followed by a “company movie”, presenting some of our consultants.

Check out the introduction and full movie at the following link:

Techdays 2011 ICTinus presentation (Pirates in IT…)

 

AAAAAAAhhhrghhhhh

/Peter

Private Key Missing from Exchange SSL certificate

June 13th, 2011

Although the creation/import of Exchange SSL certificates is straightforward (check out one of my other blog posts on trycatch.be/blogs/pdtit if you need assistance with this), you sometimes receive an error within the Exchange console or PowerShell when manipulating SSL certificates:

Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)

Enable-ExchangeCertificate : The certificate with thumbprint “0000000000” was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:29
Enable-ExchangeCertificate -Thumbprint 00000000000 -Services "IIS"

Cause: the real cause behind this error is not always that easy to determine; the most common reasons could be classified as “corrupt”, “initial CSR request was created on another Exchange Server” or “CSR was not created by Exchange Server at all”.

Solution:

To resolve this issue during SSL certificate installation in Exchange 2007 or 2010 server, use the following procedure:
Method 1: Repair Damaged Certificate (Windows Server 2003/2008)
1. Start / Run / MMC / add the Certificate Snap-In for the Local Computer account.
2. Double-Click on the recently imported certificate.
3. Select the Details tab.
4. Click on the Serial Number field and copy that string.
Note: You may use CTRL+C, but not right-click and copy.
5. Open up a command prompt session. (cmd.exe aka DOS Prompt).
6. Type: certutil -repairstore my "SerialNumber" (which was copied in the previous step.).
7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."

It should now be possible to enable the Exchange certificate for IIS or other services (Enable-ExchangeCertificate…)
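The repair procedure above can also be scripted, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the affected Exchange server; the script and its `$Thumbprint` parameter are illustrative, and only `certutil -repairstore my` comes from the steps above.

```powershell
# Added example: scripted version of Method 1 (not the author's own script).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # thumbprint as shown in the Exchange error or the MMC
)

# Thumbprints pasted from the MMC often carry spaces or an invisible leading
# character; keep only the hex digits.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) {
    throw "No certificate with thumbprint $tp in the Local Computer 'Personal' store."
}

if ($cert.HasPrivateKey) {
    Write-Output "Certificate $tp already has a private key; nothing to repair."
    return
}

# Same command as step 6, with the serial number read from the certificate
# instead of being copied by hand from the Details tab.
Write-Output "Repairing key association for serial $($cert.SerialNumber) ..."
& certutil.exe -repairstore my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE."
}

# Re-read the certificate (step 8: confirm the private key is now linked).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
if ($cert.HasPrivateKey) {
    Write-Output "Private key is now associated; Enable-ExchangeCertificate can be retried."
} else {
    # certutil can only re-link a key that exists on this machine. If the CSR was
    # generated on another server, export the certificate together with its key
    # (PFX) from that server and import it here instead.
    Write-Warning "Still no private key on this server for $tp."
}
```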

Cheers, Peter

Allowing outgoing FTP behind Forefront TMG

March 16th, 2011

One of the issues I faced this week at one of my customers, was the configuration to allow outgoing FTP behind a Forefront TMG proxy.

Owkay, this one’s easy I thought… not so !!

At first, I started with the “well-known” parameters to configure, as it was the case for ISA 2006

a) create an Access Rule to allow FTP from internal to external, all users

b) right-click this rule, “configure FTP” and de-select “read only”

c) Go to the System topic in the left, Application Filters, FTP application filter, select “allow active FTP”

 

However, with these settings alone, it still did not work; not from the browser, an FTP client (e.g. Filezilla) or the command prompt.

Finally, Microsoft support forum guided me in the right direction : To allow this “complicated bi-directional traffic passing through the TMG firewall layer”, you should install the Forefront TMG Client, which can be downloaded from here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=53010a09-3c5c-4d5d-9ae1-692e7447c5bd

 

Next / Next / Finish + reboot PC (not required, though recommended by MS)

Enter the TMG server in the settings tab (I will post a new article on how to make the “automatically detect” work), restart the FTP client and see it all working :)

/Peter

Insufficient Access Rights when moving mailbox to EX2010

December 16th, 2010

During a move mailbox operation at one of my customers from Exchange 2003 to Exchange 2010, I received the following error:

Error:
Active Directory operation failed on <name of DC>. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.

When validating the AD security permissions against other mailbox users that are owkay, I noticed a difference in security permissions; more specifically, the permissions were not inherited. Must have been something wrong in the past with this user.

To make the move operation run smoothly, I activated the “include inheritable permissions…” option on this user’s security properties.
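To find such accounts before starting a batch of mailbox moves, the following added example (not part of the original post) lists user objects whose permission inheritance is switched off. It assumes the ActiveDirectory PowerShell module is available; the `$SearchBase` value is a placeholder, and the `-Fix` switch is a hypothetical parameter of this script.

```powershell
# Added example: report (and optionally repair) users with inheritance disabled.
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=local',  # placeholder, adjust
    [switch]$Fix                                           # without it: report only
)
Import-Module ActiveDirectory

$users = Get-ADUser -SearchBase $SearchBase -Filter * `
            -Properties nTSecurityDescriptor, adminCount

foreach ($u in $users) {
    # AreAccessRulesProtected = $true means "include inheritable permissions"
    # is unticked on the object's security properties.
    if (-not $u.nTSecurityDescriptor.AreAccessRulesProtected) { continue }

    # Accounts protected by AdminSDHolder (adminCount = 1) have inheritance
    # switched off on purpose and are reset periodically; report, never change.
    $protected = ($u.adminCount -eq 1)

    New-Object PSObject -Property @{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        AdminSDHolder     = $protected
    }

    if ($Fix -and -not $protected) {
        $path = "AD:\$($u.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)   # turn inheritance back on
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without `-Fix` first and review the list; an account flagged as AdminSDHolder-protected is a member of a privileged group, and its mailbox move is better handled with a separate, non-privileged account.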

 

/Cheers, Peter

Exchange backup failure after upgrading to Symantec Backup Exec 2010

December 8th, 2010

In a solid running environment with Symantec Backup Exec 12.5 and Exchange 2007, the daily backup job of Exchange started failing with following error, after upgrading to Backup Exec 2010 version:

 

Final error: 0xe000fed1 – A failure occurred querying the Writer status. Final error category: Resource Errors

 

Here are the steps I used to resolve the issue:

a) check event log on Exchange Server

– Event ID 9609 – Exchange VSS Writer (instance 904411c7-69b4-461b-9899-9e6dd5b07d52:135) failed with error code -2403 when preparing for Snapshot.

– Event ID 9840 – An attempt to prepare the storage group ‘First Storage Group’ for backup failed because the storage group is already in the process of being backed up. The error code is -2403. (Note that if a backup was recently aborted, then it may take several minutes for the system to detect the aborted backup and initiate backup cleanup procedures, so this message may be generated if an attempt was made to backup a storage group before a previous backup attempt had fully terminated.) 

Owkay, something is really going wrong :)

b) a first check on Symantec support and Microsoft Technet led to the following suggestions:

– install hotfixes on Windows 2003 box (not relevant as it was fully patched)

– verify AOFO (open file option from Symantec) was installed (you can check this from Backup Exec – Tools – install remote agents and select the Exchange server; it gave a message in this wizard that the open file option was installed and running successfully); that’s not it :)

 

c) Another Microsoft KB (http://support.microsoft.com/kb/930800) suggested to dismount / remount the Exchange database, as well as verifying if VSS engine was running owkay

– dismounting store was not possible, as it alerted me the backup process was running; I made this possible by stopping the information store service (as was suggested as 2nd option in the same article)

 

Solution: restarting the Information Store or reboot Exchange Server, simple as that

(some further background investigation taught me that the VSS engine somehow gets updated / replaced by the Backup Exec AOFO engine upgrade from 12.5 to 2010, which apparently requires a reboot. The only drawback is that this is not mentioned during the remote agent upgrade…)

 

/Cheers, Peter

Some handy Exchange tools

November 16th, 2010

Although you should be familiar with most of these tools already, lots of thanks go to Dan Erelis and Eight2One for making a handy overview of all of them, separated per version, in a clearly structured table:

 

http://eightwone.com/exchange-toolkit/

 

http://blogs.technet.com/b/danerelis/archive/2010/11/15/exchange-tools-find-what-your-eneed-in-a-easy-reference-guide.aspx

 

Thanks folks,

Peter

What’s new in Exchange 2010 SP1

November 15th, 2010

Dear readers,

I know, SP1 for Exchange 2010 was already released several weeks ago, but for those who are still wondering if the upgrade is worthwhile (for both EX2010 users and previous version users thinking about migration), I made up a list of “my personal SP1 features” that I use for convincing customers to make the switch:

 

(for a complete overview of Exchange 2010 SP1 features, check the following Microsoft website:)

http://technet.microsoft.com/en-us/library/ff459257.aspx

 

  • Setup from EX2010 SP1 integrated media now has a tick box to install required Windows Roles & Features
  • 27 new OWA themes + more customizable than ever
  • Change Password features in OWA, even when Password is expired
  • SMTP failover with load balancing, where “down transport servers” are being detected and excluded from sending mails
  • ISINTEG is back in the picture, although replaced by cmdlets (new-mailboxrepairrequest)
  • Public Folder Client permissions are viewable/editable through  EMC
  • Directly import PST’s to users archive mailbox using cmdlet (new-mailboximportrequest)
  • Delegate access rights to archive mailbox
  • Share your Outlook calendar with “everyone” on the internet (no federation needed)

That’s about it.

Stay tuned the next couple of weeks where I go through all details on some of above mentioned features and topics.

Grtz, Peter
