<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2titles.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemtitles.css"?><!--RSS generated by Windows SharePoint Services V3 RSS Generator on 7/20/2009 11:44:53 AM--><rss version="2.0">
  <channel>
    <title>Jeff Schertz: Posts</title>
    <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/AllPosts.aspx</link>
    <description>RSS feed for the Posts list.</description>
    <copyright>Jeff Schertz</copyright>
    <lastBuildDate>Mon, 20 Jul 2009 16:44:53 GMT</lastBuildDate>
    <generator>Windows SharePoint Services V3 RSS Generator</generator>
    <ttl>60</ttl>
    <image>
      <title>Jeff Schertz: Posts</title>
      <url>/Blogs/schertz_jeff/_layouts/images/homepage.gif</url>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/AllPosts.aspx</link>
    </image>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/JeffSchertz" type="application/rss+xml" />
    <item>
      <title>CSVDE.exe command annoyance</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=4</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass003B8DAB1FE745C5819E97FC244472BD&gt;
&lt;div&gt;
&lt;p&gt;&lt;font face=Verdana size=1&gt;I just spent entirely too much time searching for a resolution to an issue that, although quite simple to resolve, didn't seem to be that obvious to me.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=Verdana size=1&gt;When using the command &lt;strong&gt;&lt;u&gt;&lt;a href="http://support.microsoft.com/kb/327620/en-us"&gt;csvde.exe&lt;/a&gt;&lt;/u&gt;&lt;/strong&gt; to import data into Active Directory (i.e. creating 1600 new user accounts in an environment with thousands of existing accounts) it might be a good idea to log any errors reported during the process :) Which, I've found, is easier said than done.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face=Verdana size=1&gt;The command usage states there is a switch for logging:&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Courier New" size=1&gt;CSV Directory Exchange&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Courier New" size=1&gt;General Parameters&lt;br&gt;==================&lt;br&gt;-i              Turn on Import Mode (The default is Export)&lt;br&gt;-f filename     Input or Output filename&lt;br&gt;-s servername   The server to bind to (Default to DC of computer's domain)&lt;br&gt;-v              Turn on Verbose Mode&lt;br&gt;-c FromDN ToDN  Replace occurrences of FromDN to ToDN&lt;br&gt;&lt;font color="#0000ff"&gt;-j path         Log File Location&lt;/font&gt;&lt;br&gt;-t port         Port Number (default = 389)&lt;br&gt;-u              Use Unicode format&lt;br&gt;-?              Help&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;
&lt;p&gt;&lt;font face="Courier New" size=1&gt;&lt;/font&gt;&lt;/p&gt;&lt;font face="Courier New" size=1&gt;But this switch works in an odd way, the usage must be the &lt;strong&gt;PATH&lt;/strong&gt; only, not including the actual filename, which seems counterintuitive to me.&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" size=1&gt;&lt;strong&gt;   csvde -i -f importfile.csv &lt;font color="#ff0000"&gt;-j c:\project\&lt;/font&gt;&lt;/strong&gt;&lt;/font&gt;&lt;font color="#ff0000"&gt; &lt;/font&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Courier New" size=1&gt;Anything other than a 100% &lt;font style="background-color:#ffffff"&gt;correct entry and you'll be routinely rewarded with &lt;/font&gt;&lt;em&gt;&lt;font style="background-color:#ffffff"&gt;&amp;quot;unable to ope&lt;/font&gt;n log file&amp;quot;&lt;/em&gt; which isn't very helpful.&lt;br&gt;&lt;br&gt; &lt;em&gt;  &lt;/em&gt;&lt;/font&gt;&lt;font face="Courier New" size=1&gt;&lt;em&gt;examples of incorrect usage are:&lt;/em&gt;&lt;br&gt;      csvde -i -f importfile.csv &lt;font color="#ff0000"&gt;&lt;font color="#ff0000"&gt;-j c:\project\error.txt&lt;/font&gt;&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;font face="Courier New" size=1&gt;      csvde -i -f importfile.csv &lt;font color="#ff0000"&gt;-j error.txt&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#ff0000"&gt;&lt;font color="#ffffff"&gt;&lt;/font&gt;&lt;font face="Courier New" color="#000000" size=1&gt;&lt;font color="#000000"&gt;When the command is run correctly, 2 new files will be created at the specified path:&lt;/font&gt; &lt;font color="#0000ff"&gt;&lt;strong&gt;csv.err&lt;/strong&gt; &lt;/font&gt;&lt;font color="#000000"&gt;and&lt;/font&gt; &lt;strong&gt;&lt;font color="#0000ff"&gt;csv.log&lt;/font&gt;&lt;/strong&gt;.&lt;/font&gt;&lt;br&gt;&lt;/p&gt;&lt;/font&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 6/12/2006 2:34 PM&lt;/div&gt;</description>
      <author>Aaron Steele</author>
      <pubDate>Fri, 06 Oct 2006 19:35:14 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=4</guid>
    </item>
    <item>
      <title>Reading the sIDHistory attribute in AD</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=5</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassA23A536DA1C24FC1845E66392A7DE17E&gt;
&lt;div&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;In case you've noticed that the sIDHistory attribute isn't very user friendly when viewing it with ADSI Edit, here's a way to reverse-engineer the value to compare it with how we are normally used to seeing it displayed:&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;Find the SID for the source domain user or group by using the &lt;b&gt;getsid.exe&lt;/b&gt; command:&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:10pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt;tab-stops:.25in"&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;Command Usage:&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt;tab-stops:.25in"&gt;&lt;span style="font-size:10pt"&gt;&lt;font size=1&gt;getsid \\&lt;span style="color:maroon"&gt;&amp;lt;source_dc&amp;gt;&lt;/span&gt;&lt;span style="color:navy"&gt; &lt;/span&gt;&amp;quot;&lt;span style="color:maroon"&gt;&amp;lt;Source User/Group Name&amp;gt;&lt;/span&gt;&amp;quot; \\&lt;span style="color:green"&gt;&amp;lt;target_dc&amp;gt;&lt;/span&gt;&lt;span style="color:navy"&gt; &lt;/span&gt;&amp;quot;&lt;span style="color:green"&gt;&amp;lt;Target User/Group Name&amp;gt;&lt;/span&gt;&amp;quot;&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:10pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt;tab-stops:.25in"&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;Example:&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt;tab-stops:.25in"&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;&lt;/span&gt;&lt;span style="font-size:10pt;color:navy"&gt;&lt;font size=1&gt;getsid \\DA_PDC &amp;quot;Developers&amp;quot; \\CORPCU1DC001 &amp;quot;Corp-CU-Developers&amp;quot;&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:10pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;The results should display that the SIDs are not a match, which is expected since the migrated account has a new SID and the getsid command does not check the sIDHistory attribute.&lt;/span&gt;&lt;/p&gt;
&lt;blockquote dir=ltr style="margin-right:0px"&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="color:navy"&gt;&lt;font size=1&gt;The SID for account DomainA\Developers does not match account DomainB\Corp-CU-Developers&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="color:navy"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="color:navy"&gt;&lt;/span&gt;&lt;span style="color:navy"&gt;&lt;font size=1&gt;The SID for account DomainA\Developers is S-1-5-21-1620258971-428748344-1844936127-1370&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="color:navy"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="color:navy"&gt;&lt;/span&gt;&lt;span style="color:navy"&gt;&lt;font size=1&gt;The SID for account DomainB\Corp-CU-Developers is S-1-5-21-702074188-2833732907-241959117-38230&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;The final grouping in the SID is the RID (Relative ID) and is unique for each object created by that domain.&lt;span&gt;  &lt;/span&gt;In the example above the decimal value 1370 is the RID of the group in the source domain that is going to be verified.&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;Using the ADSIEdit tool, view the sIDHistory attribute on the migrated user or group in hexadecimal format.&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;Re-order the last 4 HEX groupings back to front, keeping the paired characters the same:&lt;/span&gt;&lt;/p&gt;
&lt;blockquote dir=ltr style="margin-right:0px"&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;font size=1&gt;&lt;span&gt;5A&lt;span style="color:navy"&gt; 05 &lt;/span&gt;&lt;span style="color:#993300"&gt;00&lt;/span&gt;&lt;span style="color:navy"&gt; &lt;/span&gt;&lt;span style="color:green"&gt;00&lt;/span&gt;&lt;span style="color:navy"&gt;&lt;span&gt;   &amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="color:navy"&gt;&lt;span&gt;  &lt;/span&gt;&lt;/span&gt;&lt;span style="color:green"&gt;00 &lt;/span&gt;&lt;span style="color:#993300"&gt;00&lt;/span&gt;&lt;span style="color:navy"&gt; 05 &lt;/span&gt;&lt;span&gt;5A&lt;span&gt;  &amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;  &lt;/span&gt;0000055A&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;Convert the re-ordered value from hexadecimal into decimal:&lt;/span&gt;&lt;/p&gt;
&lt;blockquote dir=ltr style="margin-right:0px"&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;font size=1&gt;&lt;span&gt;55A&lt;span&gt;  &lt;/span&gt;=&lt;span&gt;  &lt;/span&gt;&lt;b&gt;1370&lt;/b&gt;&lt;/span&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;The calculated decimal value 1370 is the same RID as shown by the getsid output against the source object.&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;The same procedure can be used to convert and verify the entire SID value, as outlined in this TechNet blog entry:&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:Verdana"&gt;&lt;span&gt;            &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;&lt;a href="http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx"&gt;http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 0pt"&gt;&lt;span style="font-size:8pt;font-family:'Comic Sans MS'"&gt;&lt;font face=Verdana&gt;And if you're already familiar with the Additional Account Info tab that can be added to Active Directory Users and Computers, then you can skip all this :)  But it's good to know how it works behind the scenes.&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Active Directory&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 7/14/2006 2:35 PM&lt;/div&gt;
</description>
      <author>Aaron Steele</author>
      <category>Active Directory</category>
      <pubDate>Fri, 06 Oct 2006 19:36:00 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=5</guid>
    </item>
    <item>
      <title>Deploying OCS 2007 in a Windows 2008 Domain</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=30</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass04C6C3873E224886A2C0B049A03C5C5F&gt;&lt;p&gt;Recently I've seen this topic popping up more often in the TechNet forums and decided to try it myself.  I ran through the install in a fresh lab with Windows 2008 Active Directory (2003 Forest functional level and 2008 Domain functional level) and a single Windows 2003 SP2 Member Server.&lt;/p&gt; &lt;p&gt;I had read some posts where people were running into problems performing the initial Schema/Forest/Domain prep steps, and they seemed to fall into two categories: executing the setup on the wrong computer or some type of port connectivity issues between servers.  First off, Windows Server 2008 is NOT a supported host operating system for Office Communications Server 2007, as outlined in the &lt;a href="http://technet.microsoft.com/en-us/library/bb963988(TechNet.10).aspx" target="_blank"&gt;OCS 2007 Supportability Guide&lt;/a&gt;.  Also notice that OCS 2007 is specifically listed in the &amp;quot;&lt;em&gt;Applications that are incompatible&lt;/em&gt;&amp;quot; section of knowledge base article &lt;a href="http://support.microsoft.com/kb/948680" target="_blank"&gt;KB948680&lt;/a&gt;.  So any attempt to run the setup wizard on a Windows 2008 server (as in the domain controller) will fail.  As long as there are no LDAP connectivity issues between servers, the setup wizard should be able to make all Active Directory changes when executed from a Windows 2003 server in the domain, assuming sufficient rights are granted.&lt;/p&gt; &lt;p&gt;To test this I simply added my domain administrator account to the root-level &lt;em&gt;Schema Admins &lt;/em&gt;group and successfully prepped the schema, forest, and root domain using the setup wizard on the Windows 2003 Member Server.  
But if for some reason this doesn't work or the steps need to be performed locally on a domain controller, then you can use the &lt;a href="http://technet.microsoft.com/en-us/library/bb905979(TechNet.10).aspx" target="_blank"&gt;LCSCmd.exe to Prepare Active Directory&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;LCSCmd.exe /Forest:&lt;em&gt;contoso.com&lt;/em&gt; /Action:&lt;strong&gt;SchemaPrep&lt;/strong&gt;&lt;br&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;LCSCmd.exe /Forest:&lt;em&gt;contoso.com&lt;/em&gt; /Action:&lt;strong&gt;ForestPrep&lt;/strong&gt;&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;LCSCmd.exe /Domain:&lt;em&gt;contoso.com&lt;/em&gt; /Action:&lt;strong&gt;DomainPrep&lt;/strong&gt;&lt;/font&gt;  &lt;p&gt;Take note that this applies to a fresh installation of Communications Server in an existing Windows 2008 domain.  When planning to upgrade a Windows 2003 Active Directory forest/domain which is already running OCS, be aware that upgrading any domain controllers to 2008 will &lt;a href="http://technet.microsoft.com/en-us/library/cc707718(TechNet.10).aspx" target="_blank"&gt;break OCS&lt;/a&gt;. The forest prep command will need to be reissued after the upgrade in order to re-establish the lost functionality.&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;LCSCmd.exe /Forest:&lt;em&gt;contoso.com&lt;/em&gt; /Action:&lt;strong&gt;ForestPrep&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;Obviously the Active Directory Users and Computers snap-in on the domain controllers will not contain the Communications Server tab or the tasks to enable users for OCS, so administration should be performed from the OCS server itself or another supported host.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 7/3/2008 9:27 AM&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Thu, 03 Jul 2008 14:27:26 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=30</guid>
    </item>
    <item>
      <title>Uninstalling OCS 2007</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=31</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassFEB09F48EBA94C8CB420D21ABA5DC4B5&gt;&lt;p&gt;The most common reasons I have seen for uninstalling Office Communications Server 2007 from an environment are typically to remove a pre-release beta version or test deployment, or to start from scratch after a botched deployment.  In either scenario it's often desired to completely remove all aspects of OCS and start fresh.  This approach is often started by simply uninstalling the OCS components from the Front-End server, and doing so will generate this alert:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=200 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_thumb_2.png" width=367 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;If 'Yes' is chosen and all other components removed, then the Active Directory forest and domain(s) will still contain remnants of OCS and promptly beginning a new installation in the same forest will probably lead to even more problems than before.  There is a little more to it than just running the Add/Remove Programs wizard.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Supported Uninstall Path&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The correct order of steps to completely uninstall OCS 2007 is:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Deactivate Servers  &lt;li&gt;Uninstall Software Components  &lt;li&gt;Unprep Domain and Forest&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;&lt;strong&gt;Deactivating Servers&lt;/strong&gt;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Each registered server component (e.g. 
Standard Edition Front-End, Edge, Web Components, Mediation) can be deactivated by using either the Management Console or the LCSCmd.exe command utility.&lt;/p&gt; &lt;p&gt;The simplest way is to use the console and navigate to the menu shown below:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_8.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=213 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_thumb.png" width=501 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But if the server components have already been uninstalled and the console is therefore also removed, then the command line must be used.  Since the server files have been removed then the LCSCmd.exe command must be run from the setup\i386 directory of the OCS installation files.  The &lt;a href="http://www.microsoft.com/downloadS/details.aspx?FamilyID=cb7dc2de-4504-484e-9229-bd8614be0633&amp;amp;displaylang=en" target="_blank"&gt;OCS 2007 Administration Guide&lt;/a&gt; contains all of the documented switches and examples required to deactivate and unprep components, but here are some examples for removing common components.&lt;/p&gt; &lt;table cellspacing=0 cellpadding=2 width=833 border=1&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Standard Edition Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server /Role:SE /Action:Deactivate /Force&lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Enterprise Edition Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server /Role:EE /Action:Deactivate /Force&lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Consolidated Edge Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server /Role:AP /Components:AP,DP,MR /Action:Deactivate &lt;font 
color="#3f72ae"&gt;/Force&lt;/font&gt; &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Proxy Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server /Role:Proxy /Action:Deactivate &lt;font color="#3f72ae"&gt;/Force&lt;/font&gt; &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate WorkGroupProxy Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server /Role:WorkGroupProxy /Action:Deactivate &lt;font color="#3f72ae"&gt;/Force&lt;/font&gt; &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Web Components Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Web /Action:Deactivate &lt;font color="#3f72ae"&gt;/Force&lt;/font&gt; &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=290&gt;Deactivate Mediation Server&lt;/td&gt; &lt;td valign=top width=541&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /MedServer /Action:Deactivate &lt;font color="#3f72ae"&gt;/Force&lt;/font&gt; &lt;/font&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;If the original server has been completely removed from the domain, then issuing the command from another server requires a slightly different format in order to specify the desired AD object:&lt;/p&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Server:&lt;em&gt;ocs1.schertz.lab&lt;/em&gt; /Action:Deactivate /Role:SE /Refdomain:&lt;em&gt;schertz.lab&lt;/em&gt;&lt;/font&gt; &lt;p&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;&lt;strong&gt;Removing Programs&lt;/strong&gt;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;After deactivating all components then uninstall each program on the server(s).&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_4.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=232 
alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/31/image_thumb_1.png" width=731 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;When removing the Standard Edition Server component, uncheck the option to &amp;quot;&lt;em&gt;Keep the user database&amp;quot;&lt;/em&gt; to have the local SQL database files deleted by the process.  The folders will still reside on the local disk (by default &lt;u&gt;&lt;em&gt;C:\LC Data&lt;/em&gt;&lt;/u&gt; and &lt;em&gt;&lt;u&gt;C:\LC Log&lt;/u&gt;&lt;/em&gt;) but will be empty.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;&lt;strong&gt;Unprepping the Forest&lt;/strong&gt;&lt;/font&gt;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;The final steps are to remove the related configuration information in Active Directory.  Note that the Schema extensions created by the original SchemaPrep step cannot be removed, but if the eventual goal is to reinstall OCS then this presents no problems.  The Schema extensions are generic and contain no instance-specific configuration information.  By unprepping the Domain and Forest, all configuration information will be removed. &lt;p&gt;&lt;font color="#3f72ae"&gt;lcscmd.exe /Domain:schertz.lab /Action:DomainUnPrep&lt;br&gt;&lt;br&gt;lcscmd.exe /Forest:schertz.lab /Action:ForestUnprep&lt;/font&gt;&lt;/p&gt; &lt;p&gt;After allowing for any AD replication to fully complete, a new installation of OCS can be started.  I'd recommend using a new, unique servername for the second go-around just to be on the safe side.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 7/8/2008 5:19 PM&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 08 Jul 2008 22:19:59 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=31</guid>
    </item>
    <item>
      <title>Activating IRM on Windows Mobile 6</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=32</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassB0B99D4984324066BA4D77BA8CB865C0&gt;&lt;p&gt;The other day I received an email from a coworker which was protected by &lt;a href="http://office.microsoft.com/en-us/help/HA101029181033.aspx" target="_blank"&gt;Information Rights Management&lt;/a&gt; and I realized I could not open it using my Windows Mobile device.  We are running Rights Management Server internally and with my laptop on Vista, the IRM components are built-in and all integrated seamlessly.  The first time I had to open an IRM-protected message or document at work I was prompted to add and configure an account in Outlook in order to access the protected content.  Since then, dealing with IRM-protected content is seamless whether online or offline thanks to the updated lockbox functionality of RMS SP1.&lt;/p&gt; &lt;p&gt;To test out the phone I sent myself a protected email, using the Permission drop-down under Options on the Message ribbon.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_26.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=162 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_12.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;When viewing the message on my Windows Mobile 6 Blackjack I see that the message icon denotes protected content, and I get the same message I saw originally telling me that the phone is not configured for IRM.&lt;/p&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_10.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_4.png" width=244 border=0&gt;&lt;/a&gt;     &lt;a 
href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_22.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_10.png" width=244 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Since ActiveSync is no longer in the picture, the phone's instructions no longer apply.  According to the Windows Mobile Device Center (WMDC) help documentation all I needed to do was connect my phone and then choose the option to activate IRM:&lt;/p&gt; &lt;p&gt;&lt;font size=1&gt;&lt;font face=Tahoma&gt;&lt;font color="#3f72ae"&gt;You can activate Information Rights Management (IRM) on your device to access IRM-protected e-mail and other content. &lt;em&gt;(IRM is only supported for Windows Mobile 6 devices.)&lt;/em&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;  &lt;p&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;To activate IRM on your device:&lt;/font&gt;  &lt;ul&gt; &lt;li&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;Connect your device to a PC with which a partnership has been set up using a cable, cradle, infrared connection, or Bluetooth connection.&lt;/font&gt;  &lt;li&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;Click &lt;b&gt;Mobile Device Settings&lt;/b&gt;.&lt;/font&gt;  &lt;li&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;Click &lt;b&gt;Activate Information Rights Management&lt;/b&gt;. &lt;/font&gt; &lt;li&gt; &lt;p&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;Enter your logon credentials and click &lt;b&gt;Activate&lt;/b&gt;. Most of the activation process happens behind the scenes and depends on server availability and network conditions.&lt;/font&gt;&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Well that sounds easy enough but WMDC did not display that option. I verified via the Help menu that WMDC was updated to the most current version (6.1.6965).  
The help file also lists some prerequisites for the activation to be possible:  &lt;p&gt;&lt;font face=tahom color="#3f72ae" size=1&gt;To activate IRM on your Windows Mobile powered device so that you can use IRM-protected documents: &lt;/font&gt; &lt;ul&gt; &lt;li&gt;&lt;font face=tahom color="#3f72ae" size=1&gt;IRM must be installed and activated on the PC. &lt;em&gt;(If your PC runs Windows Vista, the Windows Rights Management Services (RMS) Client is already installed. If your PC runs Windows XP, the Windows RMS Client Service Pack 1 (SP1) must be installed.)&lt;/em&gt;&lt;/font&gt;  &lt;li&gt;&lt;font face=tahom color="#3f72ae" size=1&gt;Your device must be connected to a PC with which a partnership has been set up. &lt;/font&gt; &lt;li&gt;&lt;font face=tahom color="#3f72ae" size=1&gt;Your device must require IRM activation (that is, IRM has never been activated or the IRM license needs to be renewed).&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;All of these requirements had been met, so I spent some time searching online for solutions to why the elusive &amp;quot;Activate Information Rights Management&amp;quot; option was just nowhere to be found.  I finally ran across an &lt;a href="http://www.eggheadcafe.com/software/aspnet/30393763/irm-activation-on-windows.aspx" target="_blank"&gt;archived discussion&lt;/a&gt; from last year by the Microsoft Development Lead for WMDC, Steve Spiller.  He basically reiterated the above requirements but added one key piece of information: &lt;/p&gt; &lt;p&gt;&lt;font face=Tahoma color="#3f72ae" size=1&gt;&amp;quot;So be sure that you've successfully opened an IRM protected email on your desktop and that &lt;strong&gt;&lt;u&gt;your desktop is connected to your corporate network &lt;/u&gt;&lt;/strong&gt;so it will have access [to Active Directory] in order to get the IRM server information required for activation.&amp;quot;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;Duh.  
I'm so used to working remotely that this didn't even occur to me, as I already have my 'lockbox' for RMS since I've previously connected to our RMS server and I can sign and decrypt content online or offline without issues.  But apparently WMDC needs to be able to connect to the RMS server in order to perform the IRM activation process on the phone.  So I disconnected the phone, connected to our corporate VPN, and reconnected the phone.  This time WMDC displayed what I was looking for:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_2.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=354 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb.png" width=533 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Clicking the new &amp;quot;Activate Information Rights Management&amp;quot; option prompts for AD credentials, and then activates the device.  Now when I go back to that email on my phone I can properly access the content:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_12.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_5.png" width=244 border=0&gt;&lt;/a&gt;     &lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_6.png" width=244 border=0&gt;     &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_20.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_9.png" width=244 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;And as a final test I 
sent myself a protected message from my phone by accessing the &lt;strong&gt;Message Options&lt;/strong&gt; and changing the &lt;strong&gt;Permission &lt;/strong&gt;setting.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_30.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=184 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_14.png" width=244 border=0&gt;&lt;/a&gt;     &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_28.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=185 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/32/image_thumb_13.png" width=505 border=0&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Vista&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 7/11/2008 9:06 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Windows Vista&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Windows Vista</category>
      <pubDate>Fri, 11 Jul 2008 14:06:21 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=32</guid>
    </item>
    <item>
      <title>Clarification on OCS Edge Interface Support</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=33</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassF438A0BF7057410F815053EB21B4F7A1&gt;
&lt;div class=ExternalClass549BC46F00134C43843A610F3C251A17&gt;
&lt;p&gt;A question that comes up almost weekly in the TechNet discussion forums is: &amp;quot;Can I use only one network card in my Edge server?&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Background&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;A definitive answer has always been difficult to nail down as my testing, other users' experiences, different Microsoft documents, and some other sources all seem to slightly contradict each other.  Let's start with the documentation; the &lt;a href="http://technet.microsoft.com/en-us/library/bb894627.aspx" target="_blank"&gt;OCS 2007 Supportability Guide&lt;/a&gt; states the following: 
&lt;blockquote&gt;
&lt;p&gt;&lt;font face=Tahoma size=1&gt;“Edge server roles can be collocated, but each server role must have a separate IP address. Each server role can use a separate physical network adapter, or all server roles &lt;strong&gt;can use&lt;/strong&gt; a &lt;em&gt;single multihomed network adapter&lt;/em&gt;.” &lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font face=Verdana size=1&gt;&lt;font face=Tahoma&gt;“Two network adapters, one for the internal interface of the Access Edge Server and one for the external interface, are supported and recommended. A &lt;em&gt;single multihomed network adapter &lt;/em&gt;for both the internal and external edge &lt;strong&gt;is also supported&lt;/strong&gt;.”&lt;/font&gt; &lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;So my first thought is: what exactly is a “&lt;em&gt;single multihomed network adapter&lt;/em&gt;” in those contexts?  That term can mean a couple of different things.  According to the Microsoft KB article &lt;a href="http://support.microsoft.com/kb/157025" target="_blank"&gt;157025&lt;/a&gt;, a multihomed computer is &amp;quot;one that has multiple network interfaces&amp;quot;, but another TechNet article for &lt;a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_hzfd.mspx?mfr=true" target="_blank"&gt;TCP/IP in Windows Professional 2000&lt;/a&gt; states that a multihomed computer is when &amp;quot;a computer can access multiple subnets that are logically separated, but bound to a single network adapter.&amp;quot; 
&lt;p&gt;To further complicate things, &lt;a href="http://en.wikipedia.org/wiki/Multi-homed#Multihoming_variants" target="_blank"&gt;Wikipedia&lt;/a&gt; defines four different variants for a multihomed computer as: 
&lt;ol&gt;
&lt;li&gt;Single interface connected to multiple IP subnetworks 
&lt;li&gt;Multiple interfaces with a single IP address per interface 
&lt;li&gt;Multiple interfaces connected to the same IP subnetwork 
&lt;li&gt;Multiple interfaces connected to separate IP subnetworks&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;Confused yet?  So basically, a single multihomed network interface could mean one of several different scenarios, and I did not believe that &lt;em&gt;all &lt;/em&gt;of these situations are supported or even possible based on network configuration limitations within OCS and Windows Server itself. 
&lt;p&gt;In the past I tried to deploy a simple Access Edge server with a single interface for the internal and external network, which were both in the same IP subnet (connected back to a switch routed to a single third-leg ISA server for the Perimeter Network) and it simply &lt;a href="/Blogs/schertz_jeff/Pages/Post.aspx?_ID=15" target="_blank"&gt;would not work&lt;/a&gt;.  SIP traffic wasn’t passing back to the Front-End server; it just would not leave the Edge server.  External connections authenticated, but traffic just died ‘inside’ the Edge server.  Once I installed a second NIC everything worked fine.   Yet I have heard about some people getting an Edge Server to operate correctly with a single interface, but I was unaware of exactly which configurations worked and which failed. 
&lt;p&gt;So thanks to input from Neil Deason at Microsoft, I was able to come up with what I hope to be a pretty clear definition to this common question. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Supported Configurations&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;The documented, recommended, and unquestionably supported configuration is simply to deploy &lt;strong&gt;separate physical network interface&lt;/strong&gt; cards which are &lt;strong&gt;connected to separate IP subnetworks&lt;/strong&gt;.  (This includes a single physical card with multiple ports; whatever physical configuration that allows you to plug two cables into the server and the host sees separate interfaces. Let's not get silly here.)  By definition this means that the internal and external subnetworks need to be uniquely different, which is typically found in a standard Perimeter Network located between separate firewalls. 
&lt;p&gt;A simple Access Edge deployment utilizing NAT: 
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_3.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=154 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_thumb.png" width=500 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;Or a consolidated Edge deployment with all three external roles assigned publicly routable IP addresses: 
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=154 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_thumb_1.png" width=500 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;The above configuration only works for a consolidated Edge Server when all external IP addresses are on a public IP subnetwork; otherwise separate adapters connected to separate IP subnetworks would need to be used.  The Access Edge and Web Conferencing roles can be co-located on the same external interface using the same private IP subnetwork. 
&lt;p&gt;Here's a consolidated Edge deployment using the least amount of public IP addresses: 
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=156 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_thumb_2.png" width=500 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This can be expanded up to separate physical adapters for each external role in a consolidated Edge server, as shown repeatedly in the documentation, for enhanced performance and security.  And if plenty of public IP addresses are available, then assigning each role a public address simplifies the configuration further: 
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_18.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=154 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/33/image_thumb_5.png" width=500 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Unsupported Configurations&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;A Consolidated Edge or dedicated A/V Authentication Edge server will clearly not operate on a single network interface due to the A/V role's requirement for a publicly routable IP address, which would conflict with the requirement of separate IP address spaces for the internal and external networks.  So, a single multihomed network adapter connected to the &lt;strong&gt;same &lt;/strong&gt;IP subnetwork for both internal and external routes is not supported for the A/V Edge role specifically. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The 'Fuzzy' Configurations&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;There are a few scenarios that fall into this category which technically 'can' function but it depends on the layout of the existing networks, the deployment of the OCS servers, and maybe what color shirt you are wearing that day.  Basically, it might work but it's not recommended and the supportability is not 100% clear.  Contacting PSS may result in a resolution or a request to reconfigure the server to match recommended guidelines. 
&lt;ol&gt;
&lt;li&gt;A &lt;strong&gt;single physical network interface&lt;/strong&gt; with multiple IP addresses in &lt;strong&gt;different subnetworks&lt;/strong&gt;, for a dedicated Access Edge server.  Technically this works, but the documentation states that it only applies to the Access Edge role, and probably is not supported for the Web Conferencing and A/V Authentication roles.&lt;br&gt;
&lt;li&gt;&lt;strong&gt;Multiple&lt;/strong&gt; &lt;strong&gt;physical network interfaces&lt;/strong&gt; with multiple IP addresses in the &lt;strong&gt;same subnetwork&lt;/strong&gt;. This configuration works and is supported, but is highly discouraged because, to accommodate the need for separate interfaces, you would have to configure gateways on both network adapters.  This is not recommended due to the &lt;a href="http://msdn.microsoft.com/en-us/library/aa505956.aspx" target="_blank"&gt;Dead Gateway Detection&lt;/a&gt; feature of Windows Server.  By design, only one of the two gateways can be used by default and there is no load balancing or logic used for routing; Windows simply becomes a non-opportunistic router and traffic flow could be very spotty.  Networks with a single firewall appliance (e.g. an ISA Server deployed in 3-leg Perimeter mode) fall into this category and the recommended configuration is discussed on page 18 of the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a8d703-e41a-47d9-b9dd-2799f894af92&amp;amp;DisplayLang=en" target="_blank"&gt;Designing Your Perimeter Network for Office Communications Server 2007 White Paper&lt;/a&gt; from Microsoft.&lt;br&gt;
&lt;li&gt;A &lt;strong&gt;single physical network interface&lt;/strong&gt; with multiple IP addresses in the &lt;strong&gt;same subnetwork&lt;/strong&gt;.  I've already stated this is an impossible configuration for the A/V Authentication role, but it &lt;em&gt;may &lt;/em&gt;work for the Access Edge and Web Conferencing roles.  I personally have not gotten this to work the one time I attempted it for the Access Edge role, but I have heard vague references of it working although I haven't seen any documented proof.  This is even less desirable than the configuration above.&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;So the moral of the story continues to be: use at least two NICs!  In a full-feature deployment OCS can get complicated quite quickly and I still don't understand the desire to cut corners in this area.  And if you are working in a Perimeter network with only a single IP subnetwork, then you're already twice-removed from the optimal configuration by attempting to use a single NIC in the Edge server.  But if you don't want to follow the deployment shown in the Perimeter Network white paper, at least use separate NICs in the Edge server to more closely match Microsoft's recommendations and hedge your bets towards a better level of supportability.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 8/12/2008 9:05 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 12 Aug 2008 14:05:59 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=33</guid>
    </item>
    <item>
      <title>Disabling Instant Messaging in OCS</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=34</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass9775D9096CC44473B145893397C98B47&gt;
&lt;p&gt;In the past I've heard at least a few discussions regarding administrators looking for a way to disable instant message functionality in Office Communications Server 2007.  Some may want to block IM from certain workstations, while others may be looking to deploy OCS as a Presence-only application. Or possibly even as a contact management solution for a Remote Call Control deployment, but actually want to prevent IM conversations for work-performance or compliance-related matters.&lt;/p&gt;
&lt;p&gt;Either way there must have been enough of a demand, as Microsoft has introduced that ability as part of the latest Communicator hotfix, which is actually not yet available for widespread download.  If your environment requires this ability then you'll need to contact MS Product Support to request the hotfix referenced in the KB article &lt;a href="http://support.microsoft.com/kb/954439/" target="_blank"&gt;954439&lt;/a&gt;. &lt;/p&gt;
&lt;p&gt;This hotfix applies to the Communicator client and once installed the client will recognize a new registry setting called &lt;strong&gt;DisableIM&lt;/strong&gt;.  The configuration details are covered in KB article &lt;a href="http://support.microsoft.com/kb/954648/" target="_blank"&gt;954648&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(&lt;strong&gt;Updated 1/10/09:&lt;/strong&gt; The July hotfix referenced above was removed a few months ago due to a bug in one of the patches, but the most recent Communicator hotfix package still includes this new functionality.  Currently the latest patch (12/19/2008) can be downloaded from KB article &lt;/em&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=1ad57f8f-78f7-45f6-a8c0-805936f46645&amp;amp;displaylang=en"&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;957465&lt;/font&gt;&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.)&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;I requested the hotfix and installed it on one host in my virtual lab:&lt;/p&gt;
&lt;p&gt;An attempt to send an instant message to any contact is blocked as the &amp;quot;Send an Instant Message&amp;quot; option is disabled:&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=214 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_thumb_2.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;And when someone else attempts to send an instant message to the user logged into a disabled client, the presence appears correctly but a message informs the sender that the recipient is unable to receive instant messages, which are then retroactively blocked if sent:&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_4.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=264 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_thumb_1.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt;Since this is a new registry setting, it cannot be configured in the current &lt;em&gt;communicator.adm &lt;/em&gt;Group Policy Template file.  There are many resources available that cover how to create custom templates; here is a &lt;a href="http://support.microsoft.com/kb/323639" target="_blank"&gt;good place to start&lt;/a&gt;.  So without going into too much detail, I created a separate custom template for this new value and added it into the Group Policy Object Editor.&lt;/p&gt;
&lt;p align=left&gt;&lt;font color="#3f72ae"&gt;&lt;strong&gt;This is a somewhat advanced step, so use this code sample at your own risk.&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p align=left&gt;On whatever server or management console you centrally manage Group Policies, create a new text file called &lt;strong&gt;%SYSTEMROOT%\inf\CommunicatorExtras.adm&lt;/strong&gt;. Copy/Paste the following text into this file:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;CLASS MACHINE &lt;/font&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;CATEGORY !!OCSPOLICY_EXTRAS&lt;br&gt;    POLICY !!PolicyDisableIM&lt;br&gt;    EXPLAIN !!ExplainText_DisableIM&lt;br&gt;    KEYNAME &amp;quot;Software\Policies\Microsoft\Communicator&amp;quot;&lt;br&gt;    VALUENAME &amp;quot;DisableIM&amp;quot;&lt;br&gt;        VALUEON   NUMERIC  1&lt;br&gt;        VALUEOFF  NUMERIC  0&lt;br&gt;    END POLICY&lt;br&gt;END CATEGORY &lt;/font&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;CLASS USER &lt;/font&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;CATEGORY !!OCSPOLICY_EXTRAS&lt;br&gt;    POLICY !!PolicyDisableIM&lt;br&gt;    EXPLAIN !!ExplainText_DisableIM&lt;br&gt;    KEYNAME &amp;quot;Software\Policies\Microsoft\Communicator&amp;quot;&lt;br&gt;    VALUENAME &amp;quot;DisableIM&amp;quot;&lt;br&gt;        VALUEON   NUMERIC  1&lt;br&gt;        VALUEOFF  NUMERIC  0&lt;br&gt;    END POLICY&lt;br&gt;END CATEGORY &lt;/font&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;[strings] &lt;/font&gt;
&lt;p&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;OCSPOLICY_EXTRAS=&amp;quot;Office Communicator Extra Settings&amp;quot;&lt;br&gt;PolicyDisableIM=&amp;quot;Disable Instant Messaging&amp;quot;&lt;br&gt;ExplainText_DisableIM=&amp;quot;Prevents user from sending or receiving instant messages.\n\nEnabling this policy will disable instant messaging, while disabling this policy will return Communicator to it's default behavior.\n\nNote: The July 30 hotfix for communicator must be installed on the workstation, older versions of the client will ignore this setting.\n\nSee KB article 954439 for more details: &lt;/font&gt;&lt;font face="Courier New" size=1&gt;http://support.microsoft.com/kb/954439&amp;quot;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Edit the desired existing group policy object (or create a new one), and right-click on the Administrative Templates folder under either the Computer or User Configuration and choose Add/Remove Templates.  Browse for and add the new template file. 
&lt;p align=left&gt;Once the &lt;em&gt;CommunicatorExtras.adm&lt;/em&gt; template is loaded into the Group Policy Object Editor, you should see a new template grouping named &amp;quot;Office Communicator Extra Settings&amp;quot; which will contain a single policy setting for Disabling IM.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_10.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=344 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/34/image_thumb_4.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 8/13/2008 3:47 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Wed, 13 Aug 2008 21:02:11 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=34</guid>
    </item>
    <item>
      <title>A Look at Forefront Security for OCS 2007</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=35</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass1F722EB4D25C40FAB7BDD17A71591CED&gt;&lt;p&gt;I finally had a chance to test drive the beta version of the upcoming Forefront Security release specifically for Office Communications Server 2007 (FSOCS).  I deployed this in my lab, co-locating it on an existing Standard Edition server in an internal network segment.&lt;/p&gt; &lt;p&gt;To download the public beta release:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Forefront Security for Office Communications Server 2007 Beta&lt;/strong&gt;&lt;br&gt;&lt;a title="http://www.microsoft.com/downloads/details.aspx?familyid=d128fd1a-42a2-47cb-9de8-e4ea8ba2382d&amp;amp;displaylang=en" href="http://www.microsoft.com/downloads/details.aspx?familyid=d128fd1a-42a2-47cb-9de8-e4ea8ba2382d&amp;amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?familyid=d128fd1a-42a2-47cb-9de8-e4ea8ba2382d&amp;amp;displaylang=en&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Before installing, I recommend reading through the TechNet documentation:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Microsoft Forefront Security for Office Communications Server&lt;/strong&gt;&lt;br&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc676967.aspx"&gt;http://technet.microsoft.com/en-us/library/cc676967.aspx&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Create a new domain account for the RTC Proxy service to run under, and as per the install instructions configure the following:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Grant the &lt;em&gt;Logon As Service &lt;/em&gt;right to the account on the server's Local Security Policy.  &lt;li&gt;Add the domain account to the server's local &lt;em&gt;RTC Server Applications&lt;/em&gt; group.  
&lt;li&gt;Add the domain account to the domain groups &lt;em&gt;RTCUniversalServerAdmins&lt;/em&gt; and &lt;em&gt;RTCProxyUniversalServices&lt;/em&gt;.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;After the installation completes, launch the &lt;strong&gt;Forefront Security Server Administrator&lt;/strong&gt; (FSSA) console from All Programs.  The console is unfortunately not an MMC snap-in but is fairly straightforward.  It's broken up into four main sections: Settings, Filtering, Operate, and Report.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Settings&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The documentation states that the scan engines should automatically begin to update 5 minutes after the service starts, but to avoid some potential errors in the &lt;em&gt;ProgramLog.txt&lt;/em&gt; file it is recommended to manually download at least one update.&lt;/p&gt; &lt;p&gt;I went ahead and manually updated all nine engines, just for good measure.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_2.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=484 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;I didn't mess around with many of the General Options, but I did later adjust one: the IM Process Count setting under the Scanning group.  By default it was set to 4 and I noticed that each instance was taking up about 150-170MB of RAM.  After dropping this value to 2 (valid choices are 1-10) FSOCS is using up half the memory it was before.  
In a production deployment a higher number of process engines would increase scanning performance, but only as far as the available RAM in the server allows.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Filtering&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Natively, OCS supports filtering IM conversations only for URLs and for file transfers by file extension.  Without third-party applications or some extensive custom coding, there was no way to filter or block messages by keyword matching.  FSOCS introduces keyword filtering, content filtering, and more granular control of file transfers.  It also supports defining safe sender lists by domain, which can be exempted from content filtering but will always still be subject to all virus scans.&lt;/p&gt; &lt;p&gt;FSOCS includes sample keyword lists for content filtering of profanity, which can be installed manually by executing the &lt;font color="#3f72ae"&gt;KeywordInstaller.msi&lt;/font&gt; package located in the program installation directory (the default is &lt;em&gt;C:\Program Files\Microsoft Forefront Security\Office Communications Server&lt;/em&gt;).  A number of languages are included.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_4.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=351 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_1.png" width=454 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;After installing the package, the files will be located in &lt;em&gt;Data\Example Keywords&lt;/em&gt; in the same parent directory as listed above. I highly recommend browsing the list for a good laugh; I bet that was an interesting day at work brainstorming that list.  I suppose one could pick up some [questionable] foreign language skills as well. :P  Anyway, this file can then be imported into a Filter List, which I labeled Profanity.  
I also created another filter list and added just the single keyword &lt;font color="#3f72ae"&gt;&amp;quot;chicken&amp;quot;&lt;/font&gt;, as I didn't see anything in the provided word list tame enough to take screen shots of.&lt;/p&gt; &lt;p&gt;From the Keyword section, I enabled both Filter Lists, set the Action to Identify: tag message/file, and checked Notify Admin/Sender.  You can choose which directions of communication the filter applies to: internal, inbound, or outbound.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_22.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=484 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_10.png" width=643 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;As you can see, the IM containing the filtered keyword (chicken) was blocked in the recipient's window:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_6.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=259 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_2.png" width=354 border=0&gt;&lt;/a&gt;  &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_14.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=259 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_6.png" width=354 border=0&gt;&lt;/a&gt;    &lt;/p&gt; &lt;p&gt;The offending sender also received an IM from the service account with a summary of the filtered message:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_8.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=256 alt=image 
src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_3.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Also, under Scan Job\Settings, there are buttons to change the Deletion and Tag text seen by intended recipients of infected files and blocked messages.  The default &amp;quot;Message has been blocked&amp;quot; entry can be customized:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_16.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=165 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_7.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;By enabling the native file extension filtering within OCS, an attempt to send a file with an .EXE extension is immediately blocked, and the sender never even sees the transfer attempt in their IM window.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_40.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=290 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_18.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;Although .EXE files are filtered by default in OCS (if Intelligent IM Filtering is enabled), there is a different set of file extensions in FSOCS.  From the interface alone it doesn't appear that you can customize the file types list, but I haven't dug into the documentation far enough to figure out if that is the case.  
To test it, I enabled a file extension that was not currently filtered by OCS:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=158 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_4.png" width=504 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;But when a file extension is blocked by FSOCS which is not already covered by the Intelligent IM Filter, the sender sees a different message when attempting to transfer that file type.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_24.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=289 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_9.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;I'm not too sure what the benefit would be to using file filtering in FSOCS over the native OCS filtering, as even the notifications are less informative to the end user; it's more clear that the content was blocked instead of it just looking like a general failure.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Operate&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The only component in this section simply shows the status of the built-in &amp;quot;IM Scan Job&amp;quot; and has options to bypass or enable the scan, as well as export or clear the incidences log.&lt;/p&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_18.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=484 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_5.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;As you can see from the most recent entry on the list, a virus was detected 
and removed.  Let's look at how that appears to the end users.  During a normal file transfer, the process looks identical as the virus scanning is performed on the back-end, transparent to the users:&lt;/p&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_20.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=280 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_8.png" width=354 border=0&gt;&lt;/a&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_30.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=300 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_12.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;This time when I send an &lt;a href="http://www.eicar.org/anti_virus_test_file.htm" target="_blank"&gt;infected file&lt;/a&gt; it appears to transfer correctly on the sender's side, but the recipient is presented with an error as the file has been blocked and was promptly quarantined or deleted by FSOCS.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_32.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=283 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_14.png" width=354 border=0&gt;&lt;/a&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_38.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=261 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_17.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Report&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;This section allows for notifications to be enabled/disabled and the message content 
customized. It also contains any quarantined messages or files and there are options to export or allow delayed delivery of the blocked messages.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_28.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=484 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/35/image_thumb_13.png" width=643 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 8/14/2008 4:16 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Thu, 14 Aug 2008 21:16:56 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=35</guid>
    </item>
    <item>
      <title>Using the Microsoft Notes Connector to Synchronize with Mail-Enabled Objects</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=36</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass2D357FC635C4437EA91630ED8A79E603&gt;&lt;p&gt;In a previous &lt;a href="/Blogs/schertz_jeff/Pages/Post.aspx?_ID=28" target="_blank"&gt;blog entry&lt;/a&gt; I covered how to use object filtering with the Microsoft Notes Connector.  There was a reason I ran into that situation in the first place, which was planning a migration from Notes to Exchange using the Notes Connector, but with a catch: I had already created new accounts in the target forest for the users in the migration scope.  These accounts needed to be pre-deployed before any directory synchronization was configured so that employees in the newly acquired company could authenticate to the parent company's AD forest and access the intranet site, among other resources.  This is why I needed to limit the migration scope to the &lt;em&gt;exact &lt;/em&gt;set of user accounts that had already been deployed in the target forest via a CSVDE import.&lt;/p&gt; &lt;p&gt;Normally this would not cause a problem as the directory synchronization portion of the Notes Connector can be configured to create new Contact objects instead of new User objects.  Then when the mail migration tasks are performed, native or third-party tools (like Quest's &lt;a href="http://www.quest.com/notes-migrator-for-exchange/" target="_blank"&gt;Notes Migrator&lt;/a&gt; or Binary Tree's &lt;a href="http://www.binarytree.com/website/msg/home.nsf/vContentW/CMT+For+Exchange--CMT+For+Exchange!Opendocument" target="_blank"&gt;CMT Universal&lt;/a&gt;) can identify matching user accounts and contact objects, merge the mail attributes into the user account, mailbox-enable it, and then delete the contact from AD.  Notice I said &lt;em&gt;normally&lt;/em&gt;. Sigh.&lt;/p&gt; &lt;p&gt;Introduce catch #2: The new user accounts I created in the target forest were mail-enabled.  
They needed to have their mail attribute (among a few others) populated with their legacy email address so that SharePoint services would import that attribute into their profile for use in the intranet site's company directory.  These items were also already acting as mail-forwarding objects, and messing with them can start to open a can of worms related to X.400 addresses.  When the accounts were imported in bulk, many of the legacy mail attributes were also brought in; mail-disabling them was simply not an option.  This obviously presents a problem to the Connector's directory synchronization, as it will not be able to use those in-use mail attributes since they are already entered in the user accounts, so new contacts would be created with incorrect SMTP addresses.  That could muck up a Global Address List in short order.&lt;/p&gt; &lt;p&gt;After researching the documentation and contacting Microsoft Product Support I learned that there was no native way to configure the Connector's directory synchronization to identify the existing user objects and 'merge' the imported information with them.  When researching a solution for this, &lt;a href="/Blogs/nielsen_travis" target="_blank"&gt;Travis Nielsen&lt;/a&gt; mentioned that he had run across something similar a few years prior and figured out a way to move some attributes off of the contacts created by the directory sync and stamp them onto the pre-existing objects, effectively fooling the Connector.&lt;/p&gt; &lt;p&gt;Knowing this, I set off to dissect how the Connector worked so that I could understand exactly what could be modified to get the end result I was looking for.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Under the Hood&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;In a test lab I have a target Windows 2003 forest with a separate Exchange 2003 server, and a source Windows 2003 forest with another member server running Notes/Domino 6.5.4.  
The Notes Connector is configured and I've already synchronized a handful of objects.  I also have the DirSync options on the Connector set to create new Contact objects.  So let's go ahead and create a brand new user in the Notes directory to watch how directory synchronization works.&lt;/p&gt; &lt;p&gt;I've created a new user (CRusso) in the Notes directory.  I'm currently filtering objects with the Connector by setting the field carLicense = 'Sync', so I then stamped that value on there; otherwise the directory sync would ignore the new user.&lt;br&gt;&lt;/p&gt; &lt;p&gt;From the &lt;strong&gt;DirSync Options&lt;/strong&gt; tab on the &lt;strong&gt;Connector for Lotus Notes &lt;/strong&gt;object in the ESM, I kicked off an &lt;strong&gt;Immediate update &lt;/strong&gt;from Notes to Exchange.&lt;/p&gt; &lt;p&gt;Checking the interactive service window on the Domino Server will show the creation of the new user, as well as the connection from the Exchange Connector:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_8.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=170 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_3.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Because an Immediate update was run, only new objects not yet identified by the Connector will be processed, hence the &lt;strong&gt;Documents read: 1&lt;/strong&gt; summary.  
If an Immediate Full Reload was run then all objects included in the filter scope would be read.&lt;/p&gt; &lt;p&gt;Flipping back to the Exchange server, the Application event log shows some recent events that tell us what the DirSync process did:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=148 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_2.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The most recent Notes Directory Synchronization event mirrors what we saw on the Domino server console:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeNOTES&lt;br&gt;Event Category:  Notes Directory Synchronization &lt;br&gt;Event ID:        60378&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;br&gt;Description:     &lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Directory Synchronization Export is complete. MS.DXANOTES successfully exported 1 entries, and had problems exporting 0 entries. &lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;In addition, the two Proxy Generation events describe the stamping of mail attributes on the new contact in AD. I've snipped down the description to just the important part: which proxies were applied to the object.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeSA&lt;br&gt;Event Category:  Proxy Generation &lt;br&gt;Event ID:        3006 &lt;/font&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Description: &lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Policy provider instance processing recipient. 
&lt;br&gt;Recipient DN: CN=Chris Russo,OU=Import,OU=DirSync,DC=contoso,DC=com &lt;br&gt;Proxies written to recipient: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Russo;g=Chris;&lt;br&gt;    SMTP:CRusso@contoso.com&lt;br&gt;    notes:UID=1913cc8-3c223412-862574a6-54b234&lt;br&gt;    NOTES:Chris Russo/nwtraders@nwtraders&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Now we have a new contact object in the defined Import OU in Active Directory.  A quick look at the E-mail Addresses tab in ADUC shows the typical X.400 and SMTP addresses created by the RUS, as well as two Notes proxy addresses.  The default (NOTES) is the address that will be used by Exchange to route email sent to this contact over the connector to the Notes directory for foreign delivery.  The secondary proxy (notes) is apparently some kind of unique identifier.  &lt;em&gt;This attribute value will play a key role later on ;)&lt;/em&gt;&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_10.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=211 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_4.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But if I run through the same exact process as above, only for a user who already has a user account in AD, then a couple of things can happen.  If the user object exists in the same OU that DirSync is configured to import to, then the Connector will notice the conflict.  But if the user object is in a different OU, outside what DirSync is configured to look at, then the conflict will be discovered when Exchange 2003 generates the proxy addresses on the object.  
Here we can see that the SMTP alias was automatically stamped with a '2' suffix since the intended address is not unique.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=207 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_5.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;This is exactly the behavior we want to avoid; ultimately we want only the single user account in AD. Let's turn our attention to the imported objects' AD attributes to see what we can find.  &lt;/p&gt; &lt;p&gt;After looking through the raw attributes of these contacts and comparing them to others, I noticed one attribute in particular that was stamped on only the contact objects created by the Connector: &lt;strong&gt;importedFrom&lt;/strong&gt;.  Every object had the exact same value, which is actually a unique identifier indicating what created these objects: the Connector for Lotus Notes.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_14.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=121 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_6.png" width=304 border=0&gt;&lt;/a&gt;    &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_16.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=122 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_7.png" width=314 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;That is one half of the puzzle, while the other half is that notes proxy address I mentioned earlier.  
Each AD object created by the Connector has its own unique value for that proxy address, and I discovered it's actually the Person Document's UNID in Notes.&lt;/p&gt; &lt;p&gt;This can be viewed in the Domino Administrator by looking at the Document Properties and clicking on the far-right tab.  The first two lines make up the UNID:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_18.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=150 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_8.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;When you look at the secondary notes proxy address in Active Directory on a contact object created by the Connector, you see the same UNID, but stored in a slightly different format than in Notes:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_20.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=137 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_9.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The 'OF' and 'ON' prefixes are omitted, as well as any preceding zeros, and the colons are replaced by hyphens.&lt;/p&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt; &lt;p&gt;UN&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;ID Notes Format:   &lt;font color="#808080"&gt;OF&lt;/font&gt;733DCF3E:D9716911:&lt;font color="#808080"&gt;ON&lt;/font&gt;862574A6:&lt;font color="#808080"&gt;00&lt;/font&gt;522990&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;UNID AD Format:        733DCF3E-D9716911-  862574A6-  522990&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p align=left&gt;Unfortunately that Notes document properties tab only displays the string; you cannot highlight and copy text from it.  
For a simpler way to get the UNID without typing it in manually, switch to the &lt;strong&gt;&amp;lt;+&amp;gt;&lt;/strong&gt; tab and look at the end of the &lt;em&gt;Identifier&lt;/em&gt; field, the UNID is also stored there as an alpha-numeric string:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_21.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=259 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;The portion after the last forward slash is the UNID:&lt;/p&gt; &lt;blockquote&gt; &lt;p align=left&gt;&lt;font size=1&gt;&lt;font face="Courier New"&gt;&lt;font color="#3f72ae"&gt;Notes://LAB3NOTES/86257420007522B9/77B3DCF1F48F935485256B49007DC700/&lt;/font&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;733DCF3ED9716911862574A600522990&lt;/strong&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Workaround&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;So to test the process I deleted the new contact object for CRusso and manually created a new user account in AD.  I mail-enabled the object and set a legacy SMTP address of &lt;a href="mailto:crusso@nwtraders.com"&gt;crusso@nwtraders.com&lt;/a&gt; to match the Notes account's SMTP address.  Then I manually set the &lt;em&gt;importedFrom &lt;/em&gt;attribute, as well as added the secondary Notes proxy address. (Note that the secondary proxy address for the UNID cannot be entered in ADUC as the format is deemed invalid by the tool, it must be entered in the attribute using a raw editor, like ADSIedit.) 
I also updated the value in the Company Name field on the Notes Person document to have another piece of information to verify directory synchronization.&lt;/p&gt; &lt;p&gt;After issuing a full immediate reload on the connector I found that the primary NOTES proxy address had been added to the mail-enabled user object and the company field was also updated to reflect the change in the Notes database.  Now any successive manual or scheduled directory synchronization processes will update this object as they have been associated together.&lt;/p&gt; &lt;p&gt;In order to complete this task at a larger scale, you would just need to export the UNID fields and NOTES mail addresses for all in-scope Notes accounts, and then use a CSV or LDIF import to create the new account in the target domain with the required information to set the foundation up for the Connector to link.&lt;/p&gt; &lt;p&gt;It's also important to note that the import Container scope on the Notes Connector is able to see and search the location of any proposed targets for object matching.  If you stamp the required attributes on an account stored in an OU that Connector is not configured to look at, then the matching will not work and the default action will be chosen (Create a Windows Contact object in the import container.)&lt;/p&gt; &lt;p&gt;Of course after I reverse engineered this process I eventually ran across a discussion online that confirmed the behavior I saw: Connector for Lotus Notes Directory Synchronization: &lt;a href="http://blogs.technet.com/collabtools/archive/2006/08/11/446024.aspx" target="_blank"&gt;Part 3 - Frequently Asked Questions&lt;/a&gt;.  
&lt;/p&gt; &lt;p&gt;Also, it's probably worth noting that both the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d9f3a35e-1046-47b5-b09b-bda9de60cd9d&amp;amp;DisplayLang=en" target="_blank"&gt;Notes Connector&lt;/a&gt; and the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=C14932A1-55F4-4256-AF7E-617639D46024&amp;amp;displaylang=en" target="_blank"&gt;Calendar Connector&lt;/a&gt; were just updated the other day.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Exchange Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 8/19/2008 4:37 PM&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Exchange Server</category>
      <pubDate>Tue, 19 Aug 2008 21:37:54 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=36</guid>
    </item>
    <item>
      <title>First Look at the Edge Planning Tool</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=37</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass271DC83209DC4B92A99E5377F921018E&gt;
&lt;p&gt;Microsoft has just released a really neat tool that threatens to make obsolete all of my OCS Edge-related blog material :)  Seriously, as complicated as it can be to design and configure an Edge deployment when reading through the deployment guides, the Perimeter Network white paper, blog articles, and any other resources, this tool can help clear things up ten-fold.  I think the very existence of this tool underscores just how complicated an Edge design and deployment can be when so many external parameters can affect the design.&lt;/p&gt;
&lt;p&gt;Tom Laciano's &lt;a href="http://blogs.technet.com/toml/archive/2008/08/20/edge-planning-tool-for-office-communications-server-2007.aspx" target="_blank"&gt;latest blog&lt;/a&gt; briefly covers the release of the Edge Planning Tool for Microsoft Office Communications Server 2007, and hints at a future OCS team blog covering the tool.  With that in mind I won't go into too much detail, in an effort to not be redundant.&lt;/p&gt;
&lt;p&gt;Simply put, the planning tool takes a lot of the guesswork out of the Edge configuration by asking straightforward questions about the design of the current network, the configuration of the Edge server, specific IP addresses, etc.  The process identifies where best practices are observed and where they are ignored, summarizing everything in separate reports upon completion.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Update&lt;/strong&gt;: The R2 version of the Edge Planning Tool can be downloaded here:&lt;br&gt;&lt;/em&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=ec4b960c-3fe2-41bd-abdf-ae89cfcb8c6c"&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=ec4b960c-3fe2-41bd-abdf-ae89cfcb8c6c&lt;/font&gt;&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You'll need to install .NET Framework 3.5 on the host before installing the tool, but it can be run on any workstation; it does not need to be installed on a server like the BPA tools typically are.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image11.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image11_thumb.png" width=504 height=337&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;Once launched, you'll be presented with a step-by-step questionnaire that  runs through the following topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Perimeter Network&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Internal and/or External firewalls?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Topology&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Consolidated, Single-Site, or Scaled Single-Site?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Operating System&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Using Windows 2003? 
&lt;li&gt;Using 32-bit platform?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Certificates&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;External certificates issued by Third Party CA or Windows Server 2003 CA? 
&lt;li&gt;Internal certificates issued by Windows Server 2003 CA or Third Party CA?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;SIP Domains&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Enter all defined SIP domains.&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Edge Server&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Deploy Web Conferencing? 
&lt;li&gt;Deploy A/V? 
&lt;li&gt;Two network adapters in the Edge Server? 
&lt;li&gt;Access Edge 
&lt;ul&gt;
&lt;li&gt;Provide FQDN, external firewall IP address, external interface IP address, and TLS port number.&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;Web Conferencing Edge 
&lt;ul&gt;
&lt;li&gt;Provide FQDN, external firewall IP address, external interface IP address, and TLS port number.&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;A/V Edge 
&lt;ul&gt;
&lt;li&gt;Provide FQDN, external IP address, TCP and UDP port numbers and ranges.&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;Consolidated Edge 
&lt;ul&gt;
&lt;li&gt;Provide internal FQDN, internal interface IP address, MTLS and TCP port numbers.&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Director&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Currently deployed? 
&lt;li&gt;Standard or Enterprise? 
&lt;ul&gt;
&lt;li&gt;Provide FQDN and IP address of server or virtual pool. 
&lt;li&gt;Provide FQDN(s) of any Web Conferencing Pool servers.&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Remote Access&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Functionality desired? 
&lt;li&gt;Allow anonymous conference access?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Automatic Discovery&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Functionality desired?&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Federation&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Functionality desired? 
&lt;li&gt;Allow discovery of Federated Partners (Open Federation)? 
&lt;li&gt;Configure an Allow List? 
&lt;ul&gt;
&lt;li&gt;Provide SIP domains and Access Edge Server FQDN's for desired federations.&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Public IM Connectivity (PIC)&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Functionality desired? 
&lt;li&gt;Has PIC already been provisioned and licensed from the MVLS portal? 
&lt;li&gt;Was PIC previously in use with LCS 2005 SP1? 
&lt;ul&gt;
&lt;li&gt;Provide the FQDN of the LCS 2005 Access Proxy.&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;li&gt;&lt;strong&gt;Reverse Proxy&lt;/strong&gt; 
&lt;ul&gt;
&lt;li&gt;Provide FQDN, external firewall IP address, external interface IP address, and TLS port number. 
&lt;li&gt;Provide internal IP address of the Reverse Proxy.&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;After completing the entire questionnaire the planning tool will create a number of completely customized reports:&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;Best Practices Report &lt;/strong&gt;compares the settings to Microsoft best practices and outlines which components either meet or fail to meet those requirements.  A general list of common mistakes is also displayed for review.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_21.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_9.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;OCS Admin Report&lt;/strong&gt; contains all of the specific configuration information that an administrator would need to set up the Edge servers, divided into 5 sections:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Edge Report 
&lt;li&gt;Reverse Proxy Report 
&lt;li&gt;Next Hop Report 
&lt;li&gt;Edge Server Configuration Documentation 
&lt;li&gt;Internal Director / Pool Configuration Documentation&lt;/li&gt;&lt;/ul&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_5.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_1.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt; 
&lt;p&gt;The &lt;strong&gt;Certificate Report&lt;/strong&gt; lists the Subject Name and Subject Alternative Name values, as well as the type (public CA versus private CA) of certificate required for each component. 
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_11.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_4.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt; &lt;/p&gt;
&lt;p align=left&gt;The &lt;strong&gt;Firewall Report&lt;/strong&gt; details the rules, ports, traffic flow direction, and offers guidance on how to configure internal and external Perimeter firewalls to support the Edge server and Reverse Proxy rules.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_13.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_5.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt; &lt;/p&gt;
&lt;p align=left&gt;The &lt;strong&gt;DNS Report&lt;/strong&gt; lists all required name records with type, FQDN, and IP address as well as some optional recommendations for using additional SRV records.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_15.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_6.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt; &lt;/p&gt;
&lt;p align=left&gt;And finally the &lt;strong&gt;Custom Documentation&lt;/strong&gt; tab contains a step-by-step report complete with screen shots which walk through the process of configuring the Edge Server to communicate with the internal Front-End or Director servers.  It also includes the same level of detail for changes required on the Front-End or Director server in order to use the newly deployed Edge server.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_19.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/37/image_thumb_8.png" width=554 height=304&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt; &lt;/p&gt;
&lt;p align=left&gt;All of these reports can be exported to a web browser and then saved, which makes the task of documenting your working environment a snap.  Even if you've already deployed an Edge presence in OCS, I'd recommend walking through this tool simply to see where you stand on best practices and to create a customized configuration document to file away with your disaster recovery documentation.&lt;/p&gt;
&lt;p align=left&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 9/2/2008 6:49 AM&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 02 Sep 2008 11:49:26 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=37</guid>
    </item>
    <item>
      <title>Computers not showing in WSUS Management Console</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=38</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassB424720EF509450DA139AAB71B9E10D7&gt;&lt;p&gt;My home lab server is starting to get so many virtual servers to hold all the products I've been testing that I decided to deploy Windows Server Update Services 3.0 in order to help manage all the updates, as well as to learn yet another product.&lt;/p&gt; &lt;p&gt;The setup and configuration was pretty straightforward, but after configuring group policies and double and triple checking them, I was only getting a couple of servers to appear under All Computers in the Update Services management console.  I followed a handful of TechNet articles which had me checking the local &lt;em&gt;WindowsUpdate.log&lt;/em&gt; files and various registry settings, but everything appeared to be functioning correctly; the console was just not showing the 10+ servers in my domain.&lt;/p&gt; &lt;p&gt;While looking at the list I noticed a pattern among the only 4 computers listed.  Although they were seemingly unrelated, as I had a SharePoint server, Exchange server, XP workstation, and the WSUS server itself listed, I noticed the Operating Systems were all unique: Windows XP, Server 2003 Standard, Server 2003 Enterprise, and Server 2003 Standard x64.  There was only one server listed from each of the 4 base images I use to deploy additional virtual machines.&lt;/p&gt; &lt;p&gt;This realization led me to the answer on this blog post: &lt;a title="http://rialtus.livejournal.com/161268.html" href="http://rialtus.livejournal.com/161268.html"&gt;http://rialtus.livejournal.com/161268.html&lt;/a&gt;&lt;/p&gt; &lt;p&gt;I typically don't use Sysprep in my lab, but just 'walk' the computer SID with the Microsoft SysInternals utility &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx" target="_blank"&gt;NewSID&lt;/a&gt;.  
Although this works great for updating the workstation SID, it doesn't take into account the &lt;em&gt;SUSClientID&lt;/em&gt; registry value, which I verified to be identical on all deployed virtual guests duplicated from the same image, shown here by running the reg query command remotely against three Windows 2003 Standard servers:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;reg query &amp;quot;\\&lt;font color="#ff0000"&gt;SERVER1&lt;/font&gt;\HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate&amp;quot; /v SusClientID &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;em&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate SusClientID    REG_SZ    bddf68cb-a0fe-4cd2-8bcb-31bd4164037b&lt;/em&gt;&lt;/font&gt;  &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;reg query &amp;quot;\\&lt;font color="#ff0000"&gt;SERVER2&lt;/font&gt;\HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate&amp;quot; /v SusClientID &lt;/font&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;em&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate SusClientID    REG_SZ    bddf68cb-a0fe-4cd2-8bcb-31bd4164037b&lt;/em&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;reg query &amp;quot;\\&lt;font color="#ff0000"&gt;SERVER3&lt;/font&gt;\HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate&amp;quot; /v SusClientID &lt;/font&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;em&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate SusClientID    REG_SZ    bddf68cb-a0fe-4cd2-8bcb-31bd4164037b&lt;/em&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;Unlike the article's directions, I didn't reboot each guest.  
I simply stopped the Automatic Updates client, and then forced a reset which in turn started the service back up using these three commands:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;reg delete &amp;quot;HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate&amp;quot; /v&lt;br&gt;SusClientID /f&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;net stop wuauserv&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;wuauclt /resetauthorization /detectnow&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I refreshed the All Computers object in the Update Services manager and all of the missing servers immediately appeared.  I'll have to add this process to my guest deployment checklist from now on.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 9/15/2008 6:10 PM&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Windows Server</category>
      <pubDate>Mon, 15 Sep 2008 23:10:30 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=38</guid>
    </item>
    <item>
      <title>My Favorite OCS Telephony Devices</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=39</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass7992B835893845CDA32DA9E9A23571F7&gt;&lt;p&gt;At the moment I have a few too many OCS-specific telephony devices on my desk: a Polycom CX700 handset (aka the Tanjay), an LG-Nortel IP8540 handset (aka the Catalina), an LG-Nortel IP8502 Bluetooth headset, a couple of generic USB headsets, and the latest addition: the Polycom Communicator CX100 speakerphone.&lt;/p&gt; &lt;p&gt;On any given day I'm either working from my home office in the suburbs, my corporate office downtown, any number of possible client sites with a range of wired and wireless access for consultants and guests, or even a public hotspot like &lt;a href="http://www.panerabread.com/cafes/wifi.php" target="_blank"&gt;Panera Bread&lt;/a&gt;.  The only constant in my connectivity to the Internet is inconsistency.&lt;/p&gt; &lt;p&gt;Although I've tested a number of devices in the past, I have narrowed my selection down to a couple of devices that really suit my needs well: basically a handset in my home office and a headset to carry around with me.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Handset&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p align=left&gt;The full-featured, stand-alone Tanjay phone is a nice unit, but not only is it overkill for my purposes, I'd also have to remember to constantly sign out of the device when leaving home; otherwise I'd show up on OCS to others as signed-in to a device that does not accept instant messages.  
So for me the simple winner here is the Catalina handset, which is currently sold by Polycom as the &lt;a href="http://www.polycom.com/usa/en/products/voice/desktop/cx/communicator_cx200.html" target="_blank"&gt;CX200&lt;/a&gt; and LG-Nortel as the &lt;a href="http://www.lg-nortel.com/ucdevices/product02.html" target="_blank"&gt;USB Phone 8501&lt;/a&gt;.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=200 alt=Catalina src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_2.png" width=273 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;It's a USB device that doesn't require any alternative power source, so when I drop my laptop down on my home office desk it's a plug-and-play solution that OCS instantly recognizes.  The buttons make it very easy to answer and hang-up voice calls, and mute/un-mute while on calls.  The handset works as the default audio device whether I place a Communicator call, answer an incoming voice call, or join a Live Meeting.  I mainly use the speakerphone functionality but the built-in handset is convenient for times when background noise or privacy are an issue.  Live Meeting also uses it as the default device for a speakerphone, although I've noticed that the mute button on the phone doesn't coincide with the client's mute functionality.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Portable Speaker Phone&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;As convenient as the Catalina is it's obviously too large and clunky to travel around with, so I've found the next best thing, the &lt;a href="http://www.polycom.com/usa/en/products/voice/desktop/cx/communicator_cx100.html" target="_blank"&gt;Polycom Communicator CX100&lt;/a&gt;.  
It's also a USB speakerphone that OCS automatically detects as the default device when connected.  It comes with a zipper carrying pouch and is about the size of one of those large scientific calculators I used in high school.  The USB cable manually winds up in a rear compartment which is covered when the fold-up stand is closed.  There is also a standard mini (3.5mm) headphone jack included.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_4.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=201 alt="Communicator CX100" src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_1.png" width=200 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;When using my laptop's built-in speaker and microphone I've had complaints on more than one occasion that the caller was hearing an echo.  As network latency can inherently delay VoIP conversations, the close proximity of the speakers and microphone on my laptop would cause the caller to hear their own voice.  The design of the CX100 seems to prevent that situation well as I've had no complaints so far.&lt;/p&gt; &lt;p&gt;The center ring on the device has simple buttons for adjusting the volume, mute, and start/end calls.  I've noticed that depending on whether OCS is currently running or not when I connect the device the green off-hook button either maximizes the OC window on the computer just like the Catalina does, or sometimes incorrectly just goes off-hook and gives a dial tone sound.  No window is launched and without buttons on the device to dial a number I'm at a loss as to what functionality that provides.  But it does work correctly when answering inbound calls, so it's just a minor annoyance.  
My only real concern is that the light gauge USB cable must be very tightly wrapped in order for the stand to completely close, and I wonder if prolonged use might eventually wear down and break the USB cable.&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Wireless Headset&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p align=left&gt;A headset can sometimes be more cumbersome or complicated than it is worth.  Although wired USB headsets with inline DSP audio interfaces are typically the best quality, they are usually bulky and come with what seems like 30 feet of wire to tangle up in a laptop bag.  Last year LG-Nortel sent us some of their devices to test and I was eager to try the prototype version of their upcoming &lt;a href="http://www.lg-nortel.com/ucdevices/product03.html" target="_blank"&gt;8502 Bluetooth Wireless Headset&lt;/a&gt;.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=200 alt=IP8502 src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_5.png" width=207 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;This device comes with a USB dongle that contains the same OCS logo with integrated presence LED that the Catalina and Tanjay handsets have.  The earpiece can be charged via the supplied mini-USB cable or the mini-USB docking device.  There is a simple multi-function button on the headset that powers the device on/off and also answers/ends calls, and a pair of clearly marked volume buttons.  It supports full-duplex wideband audio and has by far the best audio quality of any other BT wireless devices I've tried.  The microphone does not seem quite powerful enough, as even with the input turned all the way up you have to speak louder than normal for callers to consistently hear you clearly.  
I should note that I'm using a pre-production beta device and this may have been addressed in the final design.&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Actually using all this Stuff&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The challenge here has been getting multiple devices to work with each other.  Although it can appear confusing, once you understand the default behavior of handling voice calls in Office Communicator, it's actually quite simple to juggle the devices.  So at the moment I'm away from my home office and have the CX100 speakerphone and IP8502 Bluetooth headset.  If I connect both USB devices (the CX100 and the 8502 dongle) and launch the &lt;strong&gt;Set Up Audio and Video&lt;/strong&gt; wizard in Office Communicator, the devices should be automatically configured as such:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_32.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=84 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_15.png" width=390 border=0&gt;&lt;/a&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_38.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=84 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_18.png" width=318 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;The behavior I have observed is that OC will default to the &lt;strong&gt;Speaker/Microphone or Speakerphone&lt;/strong&gt; device when making and answering voice calls.  
In order to switch over to the headset, an icon will appear on the toolbar of the Communicator window that toggles the speakerphone on/off:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_26.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=114 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_12.png" width=404 border=0&gt;&lt;/a&gt;  &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_24.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=114 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/39/image_thumb_11.png" width=404 border=0&gt;&lt;/a&gt;   &lt;/p&gt; &lt;p&gt;Alternatively, the button on the headset will switch from speakerphone to the headset if hit once. If the button is pushed again it will not switch back to the speakerphone, but instead simply end the call. The toolbar button in OC would need to be used to toggle back in that case.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;When receiving an incoming voice call, answering by clicking on the toast will default to the speakerphone device, but if the headset button is instead pressed then the call will be answered by the headset.  &lt;li&gt;When placing an outgoing call from Communicator, if the headset button is pushed immediately then you can switch to the headset while dialing, otherwise you'd have to wait until the connection was established in order to access the speakerphone toolbar button.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;So if I disconnect my USB speakerphone, then OC will default back to the laptop's internal speaker and microphone and calls would then start from the laptop until manually switched to the headset.  I have not yet found a way to force OC to use the headset, which is probably a good idea since the battery is often depleted and sending audio to an unconnected or dead device would be problematic.  
An easy way to tell that the device has powered down is that the presence LED on the dongle will turn off, indicating that the headset is no longer on.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 10/5/2008 8:08 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/JeffSchertz/~4/YfoZpDmHrLM" height="1" width="1"/&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Sun, 05 Oct 2008 13:08:32 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=39</guid>
    </item>
    <item>
      <title>OCS 2007 Setup and Administration Delegation</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=40</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassBC2DB156804C4994988547EE86138C89&gt;&lt;p&gt;A little-used portion of the OCS installation wizard is the ability to delegate some access rights to specific user accounts so that remote or junior administrators can deploy OCS components on servers in an environment without actually needing to have full administrative rights.&lt;/p&gt; &lt;p&gt;Launch the OCS 2007 Deployment Wizard and (depending on if it's Standard or Enterprise Edition) select the &lt;strong&gt;Deploy Standard Edition Server&lt;/strong&gt; or either of the &lt;strong&gt;Deploy Pools &lt;/strong&gt;options.  Select &lt;strong&gt;Prepare Active Directory&lt;/strong&gt; and Step 7 will be &lt;strong&gt;Delegate Setup and Administration&lt;/strong&gt;.&lt;/p&gt; &lt;p&gt;From this wizard only the Delegate Setup Tasks can be performed, as illustrated by the screenshot below.  The other administrative tasks must all be performed manually and directions for each scenario are included, as well as links to the deployment guides.  
The &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=384793A6-D315-4217-B034-6D189EF6DF13&amp;amp;displaylang=en" target="_blank"&gt;OCS 2007 Active Directory Guide&lt;/a&gt; covers these steps starting on page 17.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/40/image_4.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=445 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/40/image_thumb_1.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Delegate Setup Tasks&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The wizard runs through the following screens and asks for a couple of pieces of information:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Authorize Group  &lt;ul&gt; &lt;li&gt;Select the domain in the forest to which rights will be delegated.  &lt;li&gt;Create a new Universal Security Group called &lt;strong&gt;RTCSetupDelegate&lt;/strong&gt; in the domain and enter the name here.&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Location of Computer Objects for Deployment  &lt;ul&gt; &lt;li&gt;Enter the fully distinguished name of the OU where the server's computer objects are stored (or will be stored) on which the OCS components will be deployed. I created a child-OU called &amp;quot;OCS Servers&amp;quot; in my normal &amp;quot;Servers&amp;quot; OU so as to limit the scope of objects that the delegated accounts could deploy OCS to.  
Ideally you would pre-deploy the computer objects in this location.&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Service Account  &lt;ul&gt; &lt;li&gt;Unless custom account names were chosen during installation, the SIP and Component Service accounts are &lt;em&gt;RTCService&lt;/em&gt; and &lt;em&gt;RTCComponentService.&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The deployment log details all of the checks and changes that are applied by the wizard.&lt;/p&gt; &lt;p&gt;The new &lt;strong&gt;RTCSetupDelegate&lt;/strong&gt; group is added as a member to the existing &lt;em&gt;RTCUniversalGlobalReadOnlyGroup &lt;/em&gt;and &lt;em&gt;RTCUniversalGlobalWriteGroup &lt;/em&gt;groups.&lt;/p&gt; &lt;p&gt;The following permissions were assigned to the &lt;strong&gt;RTCSetupDelegate &lt;/strong&gt;group on the OU specified in the wizard:&lt;/p&gt; &lt;table cellspacing=0 cellpadding=2 width=1015 border=1&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=173&gt;&lt;strong&gt;Permission&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=267&gt;&lt;strong&gt;Apply To&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=379&gt;&lt;strong&gt;Object Permission&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=193&gt;&lt;strong&gt;Properties Permissions&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=177&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;Special&lt;/td&gt; &lt;td valign=top width=379&gt;Allow List Contents, Read/Write All Properties&lt;br&gt;Delete Subtree, Read/Modify Permission&lt;br&gt;Create/Delete All Child Objects&lt;br&gt;Create/Delete All msRTCSIP-MCU Objects&lt;br&gt;Create/Delete All msRTCSIP-Mediation Objects&lt;br&gt;Create/Delete All msRTCSIP-Server Objects&lt;br&gt;Create/Delete All msRTCSIP-WebComponents Objects&lt;/td&gt; &lt;td valign=top width=193&gt;Read/Write All Properties&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=178&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;msRTCSIP-Server 
objects&lt;/td&gt; &lt;td valign=top width=379&gt;Read/Write All Properties, Delete Subtree&lt;/td&gt; &lt;td valign=top width=193&gt;Read/Write All Properties&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;msRTCSIP-MCU objects&lt;/td&gt; &lt;td valign=top width=379&gt;Read/Write All Properties, Delete Subtree&lt;/td&gt; &lt;td valign=top width=193&gt;Read/Write All Properties&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;msRTCSIP-WebComponents objects&lt;/td&gt; &lt;td valign=top width=379&gt;Read/Write All Properties, Delete Subtree&lt;/td&gt; &lt;td valign=top width=193&gt;Read/Write All Properties&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;msRTCSIP-Mediation Server objects&lt;/td&gt; &lt;td valign=top width=379&gt;Read/Write All Properties, Delete Subtree&lt;/td&gt; &lt;td valign=top width=193&gt;Read/Write All Properties&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Read Public Information&lt;/td&gt; &lt;td valign=top width=265&gt;Computer objects&lt;/td&gt; &lt;td valign=top width=379&gt; &lt;/td&gt; &lt;td valign=top width=193&gt;Read Public Information&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Read DNS Host Name Attributes&lt;/td&gt; &lt;td valign=top width=265&gt;Computer objects&lt;/td&gt; &lt;td valign=top width=379&gt; &lt;/td&gt; &lt;td valign=top width=193&gt;Read DNS Host Name Attributes&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=179&gt;Special&lt;/td&gt; &lt;td valign=top width=265&gt;This object only&lt;/td&gt; &lt;td valign=top width=379&gt;List Contents, Read All Properties, Read Permissions&lt;/td&gt; &lt;td valign=top width=193&gt;Read All Properties&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;The Deployment Log that is present after the process completes will outline every 
little detail of all checks performed and changes made. In fact, more than you probably ever need to know :)&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/40/image_9.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=345 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/40/image_thumb_3.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Delegate Administration&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The remaining scenarios allow administrators to grant access to other user and group objects so that these accounts or members can perform administrative tasks against OCS servers and users without simply being put into the &lt;em&gt;Domain Admins&lt;/em&gt; group.  Even Read-Only administrative rights can be delegated out quite simply.&lt;/p&gt; &lt;p&gt;Each of these tasks is completed by using the &lt;em&gt;lcscmd.exe &lt;/em&gt;command as documented in the AD Guide.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 10/9/2008 2:29 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/JeffSchertz/~4/37GYxFUJNyg" height="1" width="1"/&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Thu, 09 Oct 2008 19:29:15 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=40</guid>
    </item>
    <item>
      <title>OCS 2007 R2 Announcement, Finally!</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=41</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass302DC8AA4B6947CE946336E74F32026D&gt;&lt;p&gt;Jamie Stark, an OCS Product Manager at Microsoft, is blogging this week from &lt;a href="http://www.voicecon.eu/" target="_blank"&gt;VoiceCon&lt;/a&gt; in Amsterdam as he and his team officially announce and release details of the upcoming Office Communications Server 2007 R2 release.&lt;/p&gt; &lt;p align=left&gt;You can find his updates here:  &lt;a title="http://nomorephones.spaces.live.com/default.aspx" href="http://nomorephones.spaces.live.com/default.aspx"&gt;http://nomorephones.spaces.live.com/default.aspx&lt;/a&gt;&lt;/p&gt; &lt;p&gt;The scheduled keynote should have just wrapped up within the hour, so I’d expect to see an update on there sometime later today.&lt;/p&gt; &lt;p&gt;I’ve been biting my tongue for some time regarding all of the R2 enhancements and updates, so as soon as the Non-Disclosure Agreement covering these details lifts, expect a flood of blogs and articles from the community insiders.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 10/14/2008 9:33 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/JeffSchertz/~4/ujKp-Gos0ww" height="1" width="1"/&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 14 Oct 2008 14:33:05 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=41</guid>
    </item>
    <item>
      <title>OCS R2 Edge Bombshell</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=42</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass454AF9DE78F84CADAFD3D90ADCEAD73B&gt;&lt;p&gt;Yes, you read this correctly: &lt;em&gt;In a single-server Edge deployment a &lt;strong&gt;private IP address is now supported&lt;/strong&gt; on the A/V Edge Role&lt;/em&gt;.  A public IP address is still recommended, and a private address is still not supported for scaled Edge deployments, but through some magical alignment of the stars (or more likely some work by the product team) this requirement has changed for the better.&lt;/p&gt; &lt;p&gt;As minor as the point seems to be in the documentation, there must be at least 2 posts every week in the TechNet forums asking how and why the previous requirement for a public IP address was in place for OCS 2007 and stating what a problem it is for smaller shops to get a fully-functional deployment up and running.  It’s also a major stumbling block in proof-of-concept and sandbox labs.&lt;/p&gt; &lt;p&gt;Basically, the R2 documentation states it is supported if the external firewall can be configured to filter inbound traffic with DNAT and outbound traffic with SNAT.  There is also a note that if ISA Server 2006 is used as the external firewall then this scenario &lt;em&gt;may not &lt;/em&gt;work.  Another repeated statement is that in no scenario should the internal firewall perform Network Address Translation between the Edge Server’s internal IP address and the internal network hosting the Front-End and other OCS and Active Directory servers.  This appears to have been misunderstood previously and has been specifically reworded more clearly.&lt;/p&gt; &lt;p&gt;Another welcome change to the A/V Edge configuration requirements is that the RTP TCP/UDP inbound port range of 50000 to 59000 is no longer required with R2, but is optionally supported.  
The client A/V communications can be limited to just the STUN UDP 3478 and TCP 443 ports, greatly simplifying the external firewall configuration.  So if a current deployment already has the firewall configured for the previous 50000-59000 port range, then OCS R2 still supports using them, but new deployments can benefit from these changes off the bat.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 10/14/2008 11:54 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/JeffSchertz/~4/2byHw_Y6x9I" height="1" width="1"/&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 14 Oct 2008 16:54:25 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=42</guid>
    </item>
    <item>
      <title>New Server Roles and Client Features in OCS R2</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=43</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass302EF3A6E485435685785D536E5BBFA6&gt;&lt;p&gt;One of the biggest complaints I’ve seen with OCS was the large number of servers required when deploying all the components, even in consolidated scenarios.  And although with new features come yet even more server roles, one change was made that actually helps reduce server footprint in smaller deployments.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Monitoring Server&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;With OCS 2007, recording and reporting on Call Detail Records required that an Archiving Server also be used, as those two components were wrapped up in the same role.  And then adding the Quality of Experience server roles meant adding yet another server.  I think the more common scenario for many smaller clients not concerned with archiving or required to adhere to any compliance or legal stipulations would want to deploy CDR and QoE roles.  This deployment would require 3 servers: 2 OCS and 1 additional SQL backend server.&lt;/p&gt; &lt;p&gt;With R2 the CDR and QoE components are collocated on the same server and use the same SQL instance.  This allows for all real-time monitoring services to be used without having to deploy unwanted archiving services.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Application Sharing Server&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The new Application Sharing role is located on the Front-End server and handles data streams for application and desktop sharing between conferencing attendees.  This component is an additional front-end service that appears to better handle application sharing than the way it was dealt with in OCS 2007. It also allows for OC clients to initiate desktop sharing sessions. 
Although the standard OCS 2007 version certainly allows for desktop sharing through Live Meeting, it appears that this functionality works through the OC client and/or the CWA web-based interface, which doesn’t require a web conferencing session to be initiated between both end-points first.  I’m eager to check this feature out as this could be a wonderful way for desktop support personnel to assist remote end-users, assuming that the functionality doesn’t hinge on inherent firewall and NAT issues like the rarely-used file transfer features of the current version.&lt;/p&gt; &lt;p&gt;Additionally any remote users, even those on Macintosh or Linux clients can view shared desktops and take control of the sessions while using Communicator Web Access.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Group Chat Server&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Another common question in the forums was related to setting up persistent ‘chat rooms’ or having bot-like capabilities which other public services (like Skype, for example) currently contain.  Up until R2 there has been no native support for this feature, but now there are a host of new server roles designed to add this functionality.&lt;/p&gt; &lt;p&gt;A single dedicated server can host all three Group Chat Server roles: &lt;strong&gt;Lookup Server&lt;/strong&gt;, &lt;strong&gt;Channel Server&lt;/strong&gt;, and the &lt;strong&gt;Web Service&lt;/strong&gt;.  All three services are required for minimum functionality and are only supported on a 64-bit host (as all R2 roles are).  If archiving of group chat content is required then a second Compliance Server must be installed with a dedicated SQL database as well, the Standard Archiving server does not handle Group Chat content.  
There is also a stand-alone Group Chat administration tool which can be installed on the server itself and/or a remote console.&lt;/p&gt; &lt;p&gt;In addition there is a Group Chat application that must be installed on clients; I have not yet seen if it is a seamless plug-in to the current OC client or a separate application in and of itself.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Other New Features&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Although not defined as separate server roles, there are some new applications and functionality built into the existing OCS roles which add some eagerly awaited native features.&lt;/p&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Dial-In Conferencing&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Major complaint #2 was one of the most asked-for pieces of functionality that OC lacked natively: inbound PBX-calls into existing Conferences.  This one feature crippled OCS’s ability to act as a conferencing bridge, although I wonder how many of the companies that asked for this feature would have been able to support that many inbound PBX calls to their phone system.  A third-party conferencing service does more than just connect calls together, it handles multiple voice streams that some small businesses may not have the bandwidth to host internally.&lt;/p&gt; &lt;p&gt;But if you are sitting on a slew of voice T1s then (just like Live Meeting in OCS allows a company to save money on hosting their own web conferences) OCS R2 can give those adopters the same luxury of saving money on hosted phone conferencing solutions. &lt;/p&gt; &lt;p&gt;A Communicator Web Access server is required so that users can manage their PIN via a webpage.  
Both internal (authenticated users) and external (anonymous and federated contacts).&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Improvements in Media Handling&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Media quality and resiliency have been enhanced to offer an even better voice experience in R2. Improvements have been made in echo detection, volume level regulation, down-level codec selection, comfort-noise, and even suppression of typing noises.  I will definitely appreciate that last feature as it seems like there is always one person on a conference call unmuted and hammering away at the keyboard.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;New Certificate Wizard&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Second only to Edge configuration issues in the deployment complaints department are all things related to certificates.  Fortunately, with the recent release of the Edge deployment wizard and now R2’s improved Certificate Wizard, steps have been taken to demystify the process and make certificate requirements and deployment easier to deal with.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Communicator Mobile for Java&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;This new version allows certain non-Windows Mobile phones which support the Java platform to operate as UC endpoints just like the regular standard CoMo edition.  
The officially supported phones are limited to the Nokia S40 and Motorola RAZR V3xx devices, but it may work with many other phones.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Team Ring&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;OCS users can set up detailed call-forwarding scenarios where teams and members can be defined and specific rules set to forward calls to ring other contacts either simultaneously or one-at-a-time depending on states like presence and time of day.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Voice Mail Additions&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Just a couple of little time-saver features here: with the R2 client you can click an option to dial directly into your voicemail option in Exchange to change the greeting message.  Also you can click other Contacts and leave a message directly in their voice mail without calling them first.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;Dialing Easter Eggs&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;When in an IM conversation and an incoming call appears the client will now show the toast instead of simply flashing the window. I’ve missed a number of calls because it wasn’t clear a call was coming in during those times. &lt;/p&gt; &lt;p&gt;If prompted to press a key or enter a number (as in a conference bridge PIN) the keyboard can be used to immediately type in numbers without first clicking on the dial pad.&lt;/p&gt; &lt;p&gt;Hallelujah, pasting strings of numbers into the Dial Pad now works in R2.  I guess that was a pet peeve, but that is annoying.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;High-Definition Video&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Depending on the hardware and video capabilities of client’s workstations it will be possible to stream video in either VGA (640x480) or HD (1270x720) for peer-to-peer OC conversations.  
Policies can be configured to restrict these features if limited bandwidth is available on those networks.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae"&gt;New Group Policy Settings&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;OCS R2 includes a handful of new group policy settings for things like: disabling IM between clients (this one is already available for OCS 2007 with a client update), client software Automatic Updates, blocking HTML in instant messages, disabling voice memos, and some settings limiting video resolution and screen size.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;New Requirements&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The two biggest changes to the base requirements have already been talked about and unofficially mentioned in forums for the past six months: that (1) all OCS R2 server components are only supported on 64-bit architecture running a 64-bit host operating system, and (2) Windows 2008 is now supported as a host operating system of all server components. I imagine this will take the honors as the most complained-about ‘feature’ in R2, but as time goes on I expect to see the same shift in attitude that was seen from when Exchange 2007 was first launched and now.&lt;/p&gt; &lt;p&gt;The back-end database servers can obviously still be hosted on 32-bit operating systems and hardware, while SQL Server 2008 is now a supported platform for Enterprise Edition deployments.  The Administration Tools appear to still be supported on 32-bit platforms so they can be installed on management workstations.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 10/14/2008 3:11 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Tue, 14 Oct 2008 20:11:05 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=43</guid>
    </item>
    <item>
      <title>Office Communicator Sidebar Gadget</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=44</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass74586743CBD04BA0A4FB1A9630D8919E&gt;&lt;p&gt;Dmitry Polzin has created a Vista Sidebar Gadget for Office Communicator that helps better manage multiple conversation windows.&lt;/p&gt; &lt;p&gt;You can download it from the Windows Live Gallery here:&lt;br&gt;&lt;a title="http://gallery.live.com/liveItemDetail.aspx?li=2701d34d-ec6a-48ec-9ce2-a3932345f3a8" href="http://gallery.live.com/liveItemDetail.aspx?li=2701d34d-ec6a-48ec-9ce2-a3932345f3a8"&gt;http://gallery.live.com/liveItemDetail.aspx?li=2701d34d-ec6a-48ec-9ce2-a3932345f3a8&lt;/a&gt;&lt;/p&gt; &lt;p&gt;As with any gadget, the window can be either docked in the sidebar or dragged out onto the desktop.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_4_020742E0.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=221 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_thumb_1_020742E0.png" width=146 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The gadget’s title bar shows your current presence with the total number of active conversations (e.g. 6).&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_8_020742E0.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=87 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_thumb_3_020742E0.png" width=276 border=0&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;You can also &lt;strong&gt;Minimize All&lt;/strong&gt;, &lt;strong&gt;Maximize All&lt;/strong&gt;, and &lt;strong&gt;Close All &lt;/strong&gt;conversation windows using the buttons in the upper right.  
The small OC icon maximizes/minimizes the main OC application window as well.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_6_020742E0.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=345 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_thumb_2_020742E0.png" width=282 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;There are a couple of configurable Options as well, for suppressing new windows and alerts and tracking elapsed time in conversations.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_10_020742E0.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=306 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/44/image_thumb_4_020742E0.png" width=431 border=0&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 11/17/2008 1:49 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Mon, 17 Nov 2008 19:49:58 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=44</guid>
    </item>
    <item>
      <title>Deploying SCMDM 2008 Server Prerequisites</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=45</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass173CC96201A04B019446C47F3C363B91&gt;&lt;p&gt;The TechNet documentation for SCMDM 2008 contains detailed steps for deploying each role, but the server prerequisites are a bit scattered across the documentation and you really have to read through the entire document to understand how it all comes together.  Although I highly recommend reading through all of the documentation, I’ve decided to put together a detailed list covering the installation of each component, as there is a certain order that should be used.&lt;/p&gt; &lt;p&gt;Assuming that most first-time installations of SCMDM will be in a lab or small POC deployments, the &lt;strong&gt;Integrated Configuration&lt;/strong&gt; is the most likely scenario.  This calls for all internal MDM components (e.g. SQL, WSUS, MDM-DM, MDM-ES, etc) to be installed on a single host, with only a second additional host used for the MDM Gateway Server.&lt;/p&gt; &lt;p&gt; &lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Integrated Internal Server&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Deploy all components on the same physical host in the order shown, using only the x64 installation packages for each.&lt;/p&gt; &lt;p&gt;&lt;u&gt;Host Operating System&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Windows Server 2003 Standard or Enterprise Edition (x64)&lt;br&gt; &lt;li&gt;Windows Server 2003 Service Pack 2  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=08FEC2F5-6E3B-4E0D-9314-646414D0A421&amp;amp;displaylang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)&lt;br&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;.NET Framework Version 2.0  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00&amp;amp;displaylang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)&lt;br&gt;&lt;/li&gt;&lt;/ul&gt; 
&lt;li&gt;Windows PowerShell 1.0  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=8913EEC8-B8AD-4889-AD85-A113F13441C5&amp;amp;displaylang=en" target="_blank"&gt;English Language Package for Server 2003&lt;/a&gt; (x64)&lt;br&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Microsoft Management Console 3.0  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=B65B9B17-5C6D-427C-90AA-7F814E48373B&amp;amp;displaylang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)  &lt;li&gt;&lt;em&gt;Verify that the MMC current version is 3.0 (it should already be at this version on a 2003 SP2 Server)&lt;br&gt;&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Internet Information Server (IIS) 6.0  &lt;ul&gt; &lt;li&gt;Configure IIS for 64-bit application compatibility by executing the following command:  &lt;ul&gt; &lt;li&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;cscript C:\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Verify the results are:  &lt;ul&gt; &lt;li&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Enable32bitAppOnWin64 : (BOOLEAN) False&lt;br&gt;&lt;/font&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Microsoft Report Viewer 2005 (Optional)  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=E7D661BA-DC95-4EB3-8916-3E31340DDC2C&amp;amp;displaylang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)  &lt;li&gt;&lt;em&gt;Only needed if planning to run software update reports against WSUS database&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;SQL Database Services&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;SQL Server 2005 Standard or Enterprise (x64)  &lt;ul&gt; &lt;li&gt;Install only the Database Engine  &lt;ul&gt; &lt;li&gt;Optionally add the Management Tools if 
desired&lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;SQL Server 2005 Service Pack 2  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d07219b2-1e23-49c8-8f0c-63fa18f26d3a&amp;amp;DisplayLang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Software Update Services&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Windows Server Update Services 3.0 SP1  &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=f87b4c5e-4161-48af-9ff8-a96993c688df&amp;amp;DisplayLang=en" target="_blank"&gt;Redistributable Download Package&lt;/a&gt; (x64)  &lt;li&gt;Perform a Full Server installation (including the Administration Console)  &lt;ul&gt; &lt;li&gt;Database Options  &lt;ul&gt; &lt;li&gt;&lt;em&gt;Use the existing default database on this computer&lt;/em&gt;  &lt;ul&gt; &lt;li&gt;&lt;em&gt;&amp;lt;Default&amp;gt; Instance&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Web Site Selection  &lt;ul&gt; &lt;li&gt;&lt;em&gt;Create a Windows Server Update Services 3.0 SP1 Web Site&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;li&gt;Cancel the Configuration Wizard that appears after the installation completes&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Mobile Device Manager Services&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Configure Active Directory  &lt;li&gt;Install Enrollment Server  &lt;li&gt;Install Device Management Server&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Gateway Server&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Follow the same directions above for just the Host Operating System section, skipping the MS Report Viewer.  
The Gateway Server also does &lt;strong&gt;&lt;em&gt;not &lt;/em&gt;&lt;/strong&gt;require the SQL or WSUS components.&lt;/p&gt; &lt;p&gt;Note: If IIS is deployed as part of the base server build in your environment and the .NET framework installation cannot be performed before IIS is installed, then read the section entitled “WSUS Encounters Errors after reinstalling .NET Framework” in the MDM &lt;a href="http://technet.microsoft.com/en-us/library/cc135635.aspx" target="_blank"&gt;Troubleshooting&lt;/a&gt; guide.  Follow the detailed steps in order to reestablish the correct configuration.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Mobile&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 11/17/2008 1:50 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Windows Mobile&lt;/div&gt;</description>
      <author>Jeff Schertz</author>
      <category>Windows Mobile</category>
      <pubDate>Mon, 17 Nov 2008 19:50:52 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=45</guid>
    </item>
    <item>
      <title>OCS Public IM Emergency Maintenance</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=46</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass580F5EFE7F764110BBC379FB2F099556&gt;&lt;p&gt;By now most everyone should be aware that AOL made a certificate configuration change earlier this week that affected PIC communications between OCS users and AOL instant messaging users.  Here is the first released blog describing the fix: &lt;/p&gt; &lt;p&gt;&lt;a title="Office Communicator clients cannot communicate with contacts homed on AOL" href="http://blogs.msdn.com/scottos/archive/2008/12/02/office-communicator-clients-cannot-communicate-with-contacts-homed-on-aol.aspx"&gt;Office Communicator clients cannot communicate with contacts homed on AOL&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Well, I just found out that &lt;strong&gt;Yahoo &lt;/strong&gt;will be performing emergency maintenance between 4:30PM and 4:30AM EST.  The release I read didn’t specify if this was starting yesterday (Friday) or today (Saturday).  From the message’s urgency and the ‘emergency change’ description I’m assuming it already happened last night.&lt;/p&gt; &lt;p&gt;It is recommended to restart the Access Edge service if any communications problems are experienced:&lt;/p&gt; &lt;p&gt;&lt;a title=office-communicator-clients-cannot-communicate-with-contacts-homed-on-yahoo-messenger-network.as href="http://blogs.msdn.com/scottos/archive/2008/12/05/office-communicator-clients-cannot-communicate-with-contacts-homed-on-yahoo-messenger-network.aspx"&gt;Office Communicator clients cannot communicate with contacts homed on &lt;strong&gt;Yahoo! Messenger Network&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 12/6/2008 6:51 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Sat, 06 Dec 2008 12:51:01 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=46</guid>
    </item>
    <item>
      <title>Viewing the OCS Address Book (for Humans)</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=47</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass9D048D3148114A0482EF32A568A81AFD&gt;&lt;p&gt;Anyone who’s attempted to troubleshoot Address Book problems in OCS before has probably at least tried to open up the &lt;strong&gt;GalContacts.db &lt;/strong&gt;file on a workstation running Office Communicator.  Unfortunately it’s in some alien language with human strings dispersed among countless delimiters:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_3_335E0FCC.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:block;float:none;margin-left:auto;border-left:0px;margin-right:auto;border-bottom:0px" height=278 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_thumb_335E0FCC.png" width=549 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;This makes troubleshooting Address Book normalization operations kind of a pain.  But luckily there is a registry setting available that can be configured on the client’s HKCU or HKLM key which will create a &lt;em&gt;comma separated value &lt;/em&gt;(CSV) version of the client address book file.&lt;/p&gt; &lt;p&gt;Set the following &lt;strong&gt;DumpContactstoCSVFile&lt;/strong&gt; value to enable this behavior, then restart Office Communicator.&lt;/p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;[HKEY_CURRENT_USER\Software\Microsoft\Communicator]&lt;br&gt;&amp;quot;DumpContactstoCSVFile&amp;quot;=dword:00000001&lt;/font&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_7_335E0FCC.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=67 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_thumb_1_335E0FCC.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Then select the &lt;strong&gt;View Received Files &lt;/strong&gt;menu item from the client to open the local folder 
“%USERPROFILE%\My Documents\My Received Files”&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_9_335E0FCC.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=172 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/47/image_thumb_3_335E0FCC.png" width=300 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Then open up the Contacts.csv file in Notepad or Excel (if available).&lt;/p&gt; &lt;p&gt;Thanks to Tom Gamull for pointing this out in one of &lt;a href="/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=42"&gt;Matt McGillen’s blogs&lt;/a&gt;.  This has also been mentioned in a few other blogs but I wanted to add it to my collection of Address Book-related articles as ABS troubleshooting questions come up in the TechNet forums quite often.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 12/10/2008 8:11 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Wed, 10 Dec 2008 14:11:57 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=47</guid>
    </item>
    <item>
      <title>Rejoining a Domain in Less than Two Reboots</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=48</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass459F13030EE24B97A5432F09572EA52D&gt;&lt;p&gt;I feel a little silly just finding out this little tip recently as I can’t count how many times I’ve had to manually re-join a Windows workstation or member server to a domain in my life.  This is a pretty common procedure as various issues can sometimes cause problems with the secure channel communications between workstations and domain controllers in an Active Directory domain.  Rejoining the domain reestablishes the trusted partnership and in most cases resolves the issue.&lt;/p&gt; &lt;p&gt;The tried-and-true process has always been to remove the workstation from the domain by temporarily moving it into a workgroup and then moving it back into the domain.  This requires two reboots and if you’ve learned the hard way, a new local Administrator account with a known-password just in case ;)&lt;/p&gt; &lt;p&gt;In a recent training class we were using multiple Virtual PC images in the test labs and a few of the guests were having problems logging into the domain.  The instructors had a sidebar in the materials that mentioned if this happened to remove/rejoin the domain by using a process that I had never seen, but works in a single reboot!&lt;/p&gt; &lt;p&gt;It’s quite simple: basically just change the Domain name field to use the Active Directory’s other domain naming context.  Meaning if the DNS value is currently entered in the setting field, then change it to the NETBIOS value, or vice-versa.  This will force Windows to believe it is connecting to a &lt;em&gt;new &lt;/em&gt;domain and allow the process to happen in a single reboot.&lt;/p&gt; &lt;p&gt;So, in this example I have a workstation JDSPC02 that is a member of the &lt;em&gt;lab.schertz.local&lt;/em&gt; AD domain. 
The DNS name of ‘&lt;strong&gt;&lt;font color="#3f72ae"&gt;lab.schertz.local&lt;/font&gt;&lt;/strong&gt;’ is currently used as shown below in the Computer Name Changes window:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image19_0FE2B538.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:block;float:none;margin-left:auto;border-left:0px;margin-right:auto;border-bottom:0px" height=200 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image19_thumb_0FE2B538.png" width=317 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;I know that the NETBIOS domain name for the same AD domain is simply ‘LAB’ so I replaced the value to ‘&lt;strong&gt;&lt;font color="#3f72ae"&gt;LAB&lt;/font&gt;&lt;/strong&gt;’.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image16_0FE2B538.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:block;float:none;margin-left:auto;border-left:0px;margin-right:auto;border-bottom:0px" height=200 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image16_thumb_0FE2B538.png" width=317 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;All too easy:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image_4_0FE2B538.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=123 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/48/image_thumb_1_0FE2B538.png" width=215 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;Let it be said that I have no idea if this is a supported or even recommended action, but it’s worked fine each time I’ve tested it.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 12/17/2008 8:59 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Windows Server; Active Directory&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Windows Server</category>
      <pubDate>Wed, 17 Dec 2008 14:59:37 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=48</guid>
    </item>
    <item>
      <title>Publishing SCMDM Enrollment Server with ISA 2006 Array</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=49</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass1679BEE0A1754E8AAFBA63CCF145C4F7&gt;&lt;p&gt;During a recent deployment of SCMDM I ran into a little snag while publishing the internal IIS web site on the Enrollment Server.  Because my client was using an ISA Server 2006 Array I needed to get the exact same certificate on both array nodes in order to configure the Listener correctly.&lt;/p&gt; &lt;p&gt;If you follow the technical article &lt;a href="http://technet.microsoft.com/en-us/library/cc645153.aspx" target="_blank"&gt;Configuring External and Internal Firewalls in Mobile Device Manager&lt;/a&gt; then the requested certificate will not be configured to allow exporting the private key.  And because ISA Server requires all array nodes to have the exact same certificate, you can’t simply run through the certificate request and submission steps twice, once per server. The original certificate must be exported with the private key and installed on each ISA Server.&lt;/p&gt; &lt;p&gt;So, I used a slightly different process than the one documented in the section entitled “&lt;a href="http://technet.microsoft.com/en-us/library/cc645153.aspx#Guidance" target="_blank"&gt;Guidance for Publishing MDM Enrollment Server on ISA Server 2006&lt;/a&gt;” from the article linked in the previous paragraph.  I modified the content of the certificate request .INF (a required step) and also performed the request from an internal server to reduce the number of file copies between servers in the perimeter network and internal network (optional).&lt;/p&gt; &lt;p&gt;To start, I looked up how to allow the private key to be exported in the original certificate request when using the &lt;em&gt;certreq.exe&lt;/em&gt; command.  
I found the answer in &lt;a href="http://technet.microsoft.com/en-us/library/cc736326.aspx" target="_blank"&gt;Appendix 3&lt;/a&gt; of the Windows Server 2003 Operations Whitepapers, which shows that the line &lt;strong&gt;Exportable = TRUE&lt;/strong&gt; should be added to the request INF file. As previously mentioned, I created the original request from an internal server already on the domain, then exported the certificate and private key to a file.  At this time you can also choose to remove the private key from the local server, as I didn’t want to leave that key sitting on that server unnecessarily.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Process&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Request, issue and install a new certificate on an internal domain-connected server (in this case the SCMDM Enrollment Server).  &lt;ul&gt; &lt;li&gt;Create a new text file C:\&lt;strong&gt;NewCertReq.inf&lt;/strong&gt; and type the following text in (do not cut/paste from this article), replacing &lt;em&gt;domain.com&lt;/em&gt; with your public domain name:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;[NewRequest]&lt;br&gt;Subject = &amp;quot;CN=mobileenroll.&lt;em&gt;domain.com&lt;/em&gt;&amp;quot;&lt;br&gt;Exportable = TRUE&lt;br&gt;KeySpec = 1&lt;br&gt;MachineKeySet = TRUE&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Issue the following certificate request at the command prompt:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;certreq -new NewCertReq.inf NewCertReq.txt&lt;/font&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Submit the request using a domain account with sufficient rights to make requests and use the template:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;certreq -submit -attrib &amp;quot;CertificateTemplate:SCMDM2008WebServer&amp;quot; 
NewCertReq.txt NewCert.cer&lt;/font&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Accept the new request to import the certificate into the local Certificates store:&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;certreq -accept NewCert.cer&lt;/font&gt;&lt;/blockquote&gt; &lt;p&gt;Export the new certificate and private key into a Personal Information Exchange (.pfx) file.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Locate the new &lt;strong&gt;mobileenroll.domain.com&lt;/strong&gt; certificate using the Certificates console in the Local Computer\Personal store.  &lt;li&gt;Open the certificate and verify that the bottom of the General tab shows the certificate’s private key is stored locally.&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_2_19B9BEB1.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=58 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_thumb_19B9BEB1.png" width=293 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Click on the Details tab and then the “Copy to File…” button to start the Certificate Export Wizard.  
&lt;li&gt;Select “Yes, export the private key”&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_6_19B9BEB1.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=78 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_thumb_2_19B9BEB1.png" width=276 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Select Personal Information Exchange (.PFX)&lt;/li&gt;&lt;/ul&gt; &lt;blockquote&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_8_19B9BEB1.png"&gt;&lt;img title=image style="border-right:0px;border-top:0px;display:inline;border-left:0px;border-bottom:0px" height=95 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/49/image_thumb_3_19B9BEB1.png" width=320 border=0&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;ul&gt; &lt;li&gt;Choose a new password and save&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Import the new certificate into ISA Server&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Copy the .PFX file to each ISA Server array member.  &lt;li&gt;Open the Certificates console for Local Computer (not Current User) and import the certificate into Personal store.  &lt;ul&gt; &lt;li&gt;Mark Key as exportable&lt;/li&gt;&lt;/ul&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Now when the certificate is selected for the ISA listener it should be displayed as ‘Correctly Installed’ on all array nodes.&lt;/p&gt; &lt;p&gt;There is one important note regarding whether to retain or &lt;em&gt;delete the private key if the export is successful&lt;/em&gt; from the requesting server.  If any additional array nodes will be added in the future then it would be prudent to retain the private key here on this internal server so an identical certificate could later be issued.  But if leaving the key on this internal server will be against any security policies then it should be deleted now. 
 The addition of future ISA array nodes would require a fresh certificate to be installed on all members.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Mobile&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 12/18/2008 8:46 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Windows Mobile; Windows Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Windows Mobile</category>
      <pubDate>Thu, 18 Dec 2008 14:46:29 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=49</guid>
    </item>
    <item>
      <title>Expanding on SCMDM Certificate Requirements</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=51</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassB15ECC72D05C44E1AA0F7FFA7A2E2D19&gt;&lt;p&gt;There are a couple of issues related to System Center Mobile Device Manager 2008 that I’ve addressed in a recent deployment and have been meaning to blog about, but I was waiting on a couple of responses back from Microsoft for confirmation. One is related to the externally-published Enrollment Server certificate and the other issue tackles the problem of using a Windows 2008 Certificate Authority.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Enrollment Server Certificate&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The SCMDM deployment documentation states that all certificates should be deployed from the same certificate chain, meaning that all issuing servers chain up to the same root Certificate Authority.&lt;/p&gt; &lt;p&gt;This diagram from the Architecture documentation illustrates how the initial device enrollment process does not happen through an MDM Gateway server, but in fact through the Enrollment Server’s IIS website, which must be externally published to public hosts.  
This is typically performed through ISA Server, but any device or solution which supports configuration of a reverse HTTPS proxy can be used.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_2_47BB2A59.png"&gt;&lt;img style="display:inline" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_thumb_47BB2A59.png" width=437 height=305&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Upon first glance it may be assumed that a trusted third-party Certificate Authority will need to be used to issue an SSL certificate to that proxy (in this example an ISA Server 2006 Web Publishing Listener), as conventional wisdom leads us to believe that the site would need to be inherently-trusted by any connecting devices (by validating against any pre-installed trusted root certificates).&lt;/p&gt; &lt;p&gt;Well, that assumption is incorrect in the case of SCMDM 2008.  The typical deployment would leverage an internal Windows Server 2003 Enterprise Certificate Authority to issue all certificates for SCMDM, including server, website, and device certificates.  The requirement here, which I don’t find to be definitively clear in the documentation, is that the certificate used on the externally published proxy for the Enrollment Server must also be issued by the same chain of authority as all the other certificates used in SCMDM.  Meaning that a separate public certificate cannot be used on the external proxy or the device enrollment will fail, as it compares that certificate to the one that is issued to the device during the enrollment process.  
If they are not issued from the same root server (or issuing servers chaining up to the same root CA) it will not complete.&lt;/p&gt; &lt;p&gt;Browsing to the site URL from a device (&lt;a title="https://mobileenroll.contoso.com/enrollmentserver/service.asmx" href="https://mobileenroll.contoso.com/enrollmentserver/service.asmx"&gt;https://mobileenroll.&lt;em&gt;contoso.com&lt;/em&gt;/enrollmentserver/service.asmx&lt;/a&gt;) will show the expected certificate trust security warning in the browser, but proceeding will still allow the page to be accessed:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_8_47BB2A59.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_thumb_3_47BB2A59.png" width=196 height=148&gt;&lt;/a&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_6_47BB2A59.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/51/image_thumb_2_47BB2A59.png" width=196 height=148&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The Windows Mobile 6.1 &lt;em&gt;Domain Enroll &lt;/em&gt;function automatically suppresses any trust error as it expects to see an untrusted certificate, since the device has not yet been enrolled and added to the internal Active Directory.  
The process retroactively checks the certificate on the IIS site and compares it to the device certificate that is handed down to it by MDM and makes sure they are from the same authority.&lt;/p&gt; &lt;p&gt;Here is a recent discussion in the TechNet Forums with some more details and history on the topic:&lt;/p&gt; &lt;p&gt;&lt;a title="http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/198a5667-570b-4bbb-8646-2f87d78fb1d0/" href="http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/198a5667-570b-4bbb-8646-2f87d78fb1d0/"&gt;http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/198a5667-570b-4bbb-8646-2f87d78fb1d0/&lt;/a&gt;&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Windows 2008 Certificate Authority&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;The SCMDM deployment documentation specifically states that only Windows Server 2003 is supported for the enterprise certificate authority.  The recently released Service Pack 1 adds support for Windows Server 2008 forest/domain configurations but still doesn’t list Server 2008 as a supported CA.&lt;/p&gt; &lt;p&gt;Well, after working with some members of the Premier Field Engineering Team they were able to test and validate a working scenario for environments with Server 2008 Enterprise CAs by deploying a 2003 Issuing subordinate CA to a 2008 root CA:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Windows &lt;strong&gt;2008 &lt;/strong&gt;Enterprise Edition &lt;strong&gt;Root &lt;/strong&gt;Certificate Authority&lt;/li&gt; &lt;li&gt;Windows &lt;strong&gt;2003 &lt;/strong&gt;Enterprise Edition &lt;strong&gt;Issuing &lt;/strong&gt;Certificate Authority&lt;/li&gt; &lt;li&gt;Hotfix &lt;a href="http://support.microsoft.com/default.aspx/kb/951840"&gt;951840&lt;/a&gt; applied to the SCMDM Gateway Server&lt;/li&gt; &lt;ul&gt; &lt;li&gt;The Windows Mobile 6.1 (Ipsecvpnpm.exe) hotfix is NOT required to be applied to the devices.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt; 
&lt;p&gt;The 2003 server was used throughout the MDM deployment configuration to ensure that all issued certificates for server components will match the device certificates.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Windows Mobile&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 1/28/2009 11:42 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Windows Mobile&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Windows Mobile</category>
      <pubDate>Thu, 29 Jan 2009 05:42:05 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=51</guid>
    </item>
    <item>
      <title>Converting Recorded Live Meetings into Portable Media Files</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=52</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClassE6F9CFFD352045F7926AA10B18D1254F&gt;&lt;p&gt;Live Meeting 2007 has the ability to record meetings, capturing audio, video, and other shared content for archival and later viewing.  When in a meeting the presenter can begin recording content and select where they want to save the output to.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_12_502611A9.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_thumb_5_502611A9.png" width=304 height=196&gt;&lt;/a&gt;  &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_2_502611A9.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_thumb_502611A9.png" width=304 height=92&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The main disadvantage with the recorded content has been the portability (or lack thereof) of the captured content.  Live Meeting will save the recording across literally hundreds of files scattered through multiple folders.  The &lt;em&gt;Live Meeting Recording Manager&lt;/em&gt; can then be used to view recent recordings, which are played back in Internet Explorer.&lt;/p&gt; &lt;p&gt;Well now there is a new tool called the &lt;a href="http://office.microsoft.com/en-us/help/HA101215971033.aspx"&gt;Recording Converter&lt;/a&gt; which was just released by Microsoft that will take the saved content and convert it into a single .WMV file.&lt;/p&gt; &lt;p&gt;Using the converter is as simple as pointing the source folder location to the My Meeting subfolder containing the recording you want to convert, and then selecting the resolution and what type of video is used, if applicable.  
Converting a 3 minute presentation containing video, audio and a shared slide deck took only about 30 seconds to process. I did notice the total recording size did grow from 3.3MB for all folder contents to 8MB for the individual Windows media file. &lt;/p&gt; &lt;p align=center&gt; &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_6_502611A9.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_thumb_2_502611A9.png" width=304 height=371&gt;&lt;/a&gt;  &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_14_502611A9.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/52/image_thumb_6_502611A9.png" width=476 height=372&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 1/28/2009 11:44 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;
</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Thu, 29 Jan 2009 05:44:27 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=52</guid>
    </item>
    <item>
      <title>OCS 2007 Server R2 Launch</title>
      <link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=53</link>
      <description>&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass53F14E77C6D54886823C21A859C4EC49&gt;&lt;p&gt;Just a quick note here from Microsoft about the upcoming public launch of OCS R2:&lt;/p&gt; &lt;p&gt;(There’s a link on the site right now that will conveniently add a calendar item and reminder to Outlook. )&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font color="#3f72ae" size=2 face=Tahoma&gt;The virtual event experience will be available at &lt;/font&gt;&lt;a href="http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11254500&amp;amp;s1=8f77c818-b628-317f-e21f-6d542f5c348b"&gt;&lt;font size=2 face=Tahoma&gt;&lt;strong&gt;www.OCSR2LAUNCH.com&lt;/strong&gt;&lt;/font&gt;&lt;/a&gt;&lt;font color="#3f72ae" size=2 face=Tahoma&gt; on Tuesday February 3rd 2009. &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;br&gt;&lt;font color="#3f72ae" size=2 face=Tahoma&gt;The event will open with a LIVE keynote hosted by Stephen Elop, President Microsoft Business Division, with customer stories and product demonstrations on February 3rd 2009, 09:30 -10:30 AM Pacific Time. Please reserve this time in your calendars as it will be a showpiece of the event. &lt;br&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font color="#3f72ae" size=2 face=Tahoma&gt;The virtual site will also contain breakout sessions showcasing Office Communications Server user experience, business value, deployment guidance and customer momentum news. We have over 150 stands in the Partner Pavilion, where you can explore our partner capabilities and connect with them. 
Registered participants will also be able to sign up for a free trial of Office Communications Server 2007 R2 where you can explore the user experience within a hosted environment.&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;The really nice part about this is that after February 3rd I’ll be able to blog on absolutely everything related to R2 including screenshots of content and anything else that might skirt the line between what is currently public and what is still covered under NDA.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Office Communications Server&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 1/29/2009 8:42 AM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Categories:&lt;/b&gt; Office Communications Server&lt;/div&gt;</description>
      <author>Jeff Schertz</author>
      <category>Office Communications Server</category>
      <pubDate>Thu, 29 Jan 2009 14:42:17 GMT</pubDate>
      <guid isPermaLink="true">http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=53</guid>
    </item>
  </channel>
</rss>
