Sunday, September 25, 2011

Enabling urgent Active Directory replication settings between sites

By default, urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site.

Events That Trigger Urgent Replication
1. Assigning an account lockout, which a domain controller performs to prohibit a user from logging on after a certain number of failed attempts.

Remark: An account unlock is not urgently replicated.

2. Changing the account lockout policy.
3. Changing the domain password policy.
4. Changing a Local Security Authority (LSA) secret, which is a secret in which the LSA stores private data (for example, the password for a trust relationship).
5. Changing the password of a domain controller computer account.
6. Changing the relative identifier (known as a "RID") master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.

Enabling urgent Active Directory replication settings between sites
To enable urgent Active Directory replication between sites, we have to modify the site link settings.

1. At a domain controller, log in as Enterprise Administrator.
2. Launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".
4. Next to "Select a well known Naming Context", select "Configuration".


5. Click "OK".
6. Expand "Configuration > CN=Configuration, DC=<Domain>, DC=com > CN=Sites > CN=Inter-Site Transports > CN=IP".

Remark: You cannot enable change notification for SMTP links.

7. Right-click the site link object, select "Properties".
8. At "Attribute Editor" tab, next to "options", click "Edit".
9. Type "1", click "OK".


Remark: If the Value(s) box already contains a value, derive the new value with a bitwise OR of the old value and 1 (old_value BITWISE-OR 1). For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 = 0011 and type the integer result in the Edit Attribute box; for this example, the value is 3.

10. Click "OK".

You can repeat the above steps for other site links.
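The same change, applied to every IP site link from PowerShell (an added example, not part of the original post). It computes options = old_value BITWISE-OR 1 exactly as the remark describes, so bits already set are preserved (for example 2 becomes 3), and it assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.

```powershell
# Added example (not from the original post): enable change notification (bit 0 of the
# siteLink 'options' attribute) on all IP site links, preserving any other bits already set.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$USE_NOTIFY = 1   # bit 0 of 'options' = change notification between sites

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"   # SMTP links are not supported, so only CN=IP

# Enumerate only the site links directly under CN=IP.
$siteLinks = Get-ADObject -SearchBase $ipTransport -SearchScope OneLevel `
                          -LDAPFilter '(objectClass=siteLink)' -Properties options

foreach ($link in $siteLinks) {
    # An empty Value(s) box in ADSI Edit means the attribute is not set; treat it as 0.
    $old = if ($null -eq $link.options) { 0 } else { [int]$link.options }
    $new = $old -bor $USE_NOTIFY            # e.g. 2 -bor 1 = 3, as in the remark above

    if ($new -eq $old) {
        Write-Host ("{0}: change notification already enabled (options={1})" -f $link.Name, $old)
        continue
    }

    Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $new }
    Write-Host ("{0}: options {1} -> {2}" -f $link.Name, $old, $new)
}
```

Add -WhatIf to the Set-ADObject call to preview the changes before committing them.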

Reference:
Advanced Replication Management
http://technet.microsoft.com/en-us/library/cc961787.aspx

How to enable change notification on all site links
http://www.expta.com/2009/03/how-to-enable-change-notification-on.html

Enable Change Notifications between Sites - How and Why?
http://blogs.technet.com/b/qzaidi/archive/2010/09/23/enable-change-notifications-between-sites-how-and-why.aspx

This posting is provided “AS IS” with no warranties, and confers no rights!

Tuesday, September 13, 2011

Configuring Remote Desktop Gateway option in Remote Desktop Web Connection

In "RD Web Access", there is no option to enable Remote Desktop Gateway. Therefore, an administrator can configure the default Remote Desktop Gateway for users in IIS.

Assuming Remote Desktop Gateway and Remote Desktop Web Access were installed on the same server named "rdg.contoso.com".

To configure Remote Desktop Gateway, please read "Deploying Remote Desktop Gateway in workgroup environment" for your reference.

1. At "rdg.contoso.com", log in as Administrator.
2. Launch "Internet Information Services (IIS) Manager".
3. Expand "RDG > Sites > Default Web Site > RDWeb > Pages".
4. In the detail pane, double-click "Application Settings".


By default, there is no Remote Desktop Gateway to be assigned.

5. Double-click "DefaultTSGateway".
6. Under "Value", type "rdg.contoso.com".
7. Click "OK".

Now all Remote Desktop connections launched from Remote Desktop Web Access go through the Remote Desktop Gateway, "rdg.contoso.com".

Remark: To configure the same setting for Terminal Services Gateway, the IIS path is "<Server Name> > Sites > Default Web Site > TS".
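The same setting applied and verified from PowerShell instead of the IIS Manager GUI (an added example, not part of the original post). It assumes the IIS WebAdministration module on rdg.contoso.com and the RD Web Access path used in the steps above.

```powershell
# Added example (not from the original post): set and read back the DefaultTSGateway
# application setting of RD Web Access. Assumes the WebAdministration module (Windows
# Server 2008 R2 or later) and that RD Web Access lives under the default site.
Import-Module WebAdministration

$gatewayFqdn = 'rdg.contoso.com'
$pagesPath   = 'IIS:\Sites\Default Web Site\RDWeb\Pages'   # use '...\Default Web Site\TS' for TS Web Access
$filter      = "appSettings/add[@key='DefaultTSGateway']"

$setting = Get-WebConfiguration -PSPath $pagesPath -Filter $filter
if ($null -eq $setting) { throw "DefaultTSGateway not found under $pagesPath; is RD Web Access installed?" }
Write-Host "Current DefaultTSGateway: '$($setting.value)'"   # empty until a gateway is assigned

if ($setting.value -ne $gatewayFqdn) {
    Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value -Value $gatewayFqdn
}

# Read back. Every RD Web connection is now directed through this gateway, so the name
# must match the subject of the gateway's SSL certificate or clients will refuse it.
(Get-WebConfiguration -PSPath $pagesPath -Filter $filter).value
```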


Reference:
Configure Remote Desktop Web Connection Behavior

Forcing the Remote Desktop option in TS Web Access to use TS Gateway

Saturday, September 10, 2011

Deploying Remote Desktop Gateway in workgroup environment

Installing and Configuring Remote Desktop Gateway or Terminal Services Gateway
Prerequisites
1. Operating Systems: Windows Server 2008 or Windows Server 2008 R2
2. The server can be accessed from the Internet
3. A domain name registered with a domain service provider

To deploy Remote Desktop Gateway in Windows Server 2012 or Windows Server 2012 R2, please read the following post.
Deploying Remote Desktop Gateway in Windows Server 2012 or Windows Server 2012 R2 workgroup environment

Renaming the server for Remote Desktop Gateway
I will install Remote Desktop Gateway on Windows Server 2008 R2, assuming I registered a domain name, contoso.com, on the Internet.
1. At a server, log in as Administrator.
2. Click "Start", enter "sysdm.cpl".
3. Select "Computer Name" tab, click "Change".
4. Under "Computer name", type "rdg".
5. Click "More".
6. Under "Primary DNS suffix of this computer", type "contoso.com".
7. Click "OK" three times.


You have to provide the FQDN for generating the certificate.
8. Click "Close".
9. Restart the computer.


Installing the Remote Desktop Gateway server role
1. At "rdg.contoso.com", log in as Administrator.
2. Click "Server Manager".
3. Right-click "Roles", select "Add Roles".
4. At "Before You Begin", click "Next".
5. Check "Remote Desktop Services".


6. Click "Next" twice.
7. Check "Remote Desktop Gateway", click "Add Required Role Services".


8. Click "Next".
9. Select "Choose a certificate for SSL encryption later".


10. Click "Next".
11. At "Authorization Policies", select "New".
12. Click "Next".
13. At "RD Gateway User Groups", you can add users or groups to use this Remote Desktop Gateway.


14. I would like to let the Administrators group use this Remote Desktop Gateway, so click "Next".
15. At "RD CAP", you can change the name and select the authentication method for Remote Desktop Gateway.


16. Click "Next".
17. At "RD RAP", you can control which computers can be remotely controlled through this Remote Desktop Gateway.
18. Select "Allow users to connect to any computer on the network".


Remark: You can change the settings of "RD CAP" and "RD RAP" after installing Remote Desktop Gateway.

19. Click "Next" twice.
20. Leave "Network Policy Server" checked, click "Next" twice.
21. Leave the default IIS settings, click "Next".
22. Click "Install".
23. When the installation has finished, click "Close".


Create a self-signed certificate for Remote Desktop Gateway
1. At "rdg.contoso.com", log in as Administrator.
2. Launch "Remote Desktop Gateway Manager".
3. Right-click "RDG", select "Properties".
4. Select "SSL Certificate" tab.


5. Click "Create and Import Certificate".
6. Next to "Certificate name", make sure the name is the same as your Internet domain name.
7. Check "Store the root certificate".


Remark: You can use a third-party certificate signed by a trusted root CA.

Remark: Remote Desktop Gateway supports wildcard certificates.

8. Click "OK" twice.


The certificate is now installed on the server.

9. Click "OK".


Configuring the remote desktop connection
To connect through Remote Desktop Gateway, the Remote Desktop Gateway version must be 6.0 or later.

Prerequisites
You have to install the certificate that was generated on "rdg.contoso.com".

1. Copy the RDG certificate to a workstation you want to use.
2. Right-click the certificate, "RDG", and click "Install Certificate".
3. At welcome screen, click "Next".
4. Select "Place all certificates in the following store", click "Browse".
5. Select "Trusted Root Certification Authorities", click "OK".


6. Click "Next".
7. Click "Finish".


8. Click "Yes" to accept installing the certificate.

Configure Remote Desktop Connection
1. At a workstation, launch "Remote Desktop Connection".
2. At "Remote Desktop Connection", click "Options".
3. Select "Advanced" tab.
4. Next to "Connect from anywhere", click "Settings".
5. Select "Use these RD Gateway server settings".
6. Next to "Server name", type "rdg.contoso.com".
7. Next to "Logon settings", un-check "Use my RD Gateway credentials for the remote computer".


8. Click "OK".
9. Select "General" tab.

Now you can connect to other computers through the Remote Desktop Gateway.

Remark: On a computer running Windows Vista or later, the RD Gateway server credentials must be entered as "Computer Name\User Name".
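An added example (not part of the original post) for the workstation side: it first checks that the self-signed RDG root certificate from the Prerequisites is actually in a Trusted Root store, then writes an .rdp file carrying the gateway settings from steps 1-9 so they can be handed to users instead of typed in. The target computer name 'fileserver01' is a constructed sample value.

```powershell
# Added example (not from the original post): verify the gateway's root certificate is
# trusted, then generate a Remote Desktop Connection file with the RD Gateway settings.
$gatewayFqdn = 'rdg.contoso.com'
$targetHost  = 'fileserver01'        # constructed sample value: the computer behind the gateway
$rdpPath     = Join-Path $env:USERPROFILE 'Desktop\fileserver01-via-rdg.rdp'

# The Certificate Import Wizard installs into the current-user store unless run elevated,
# so look in both Trusted Root stores for a certificate issued to the gateway name.
$trusted = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') |
    ForEach-Object { Get-ChildItem $_ } |
    Where-Object { $_.Subject -like "*CN=$gatewayFqdn*" }
if (-not $trusted) {
    Write-Warning "No trusted root certificate for $gatewayFqdn; Remote Desktop Connection will not trust the gateway."
}

# Remote Desktop Connection file settings, one 'name:type:value' per line:
#   gatewayusagemethod:i:1   -> "Use these RD Gateway server settings" (always use the gateway)
#   promptcredentialonce:i:0 -> "Use my RD Gateway credentials for the remote computer" un-checked
#   authentication level:i:2 -> warn if the remote computer's identity cannot be verified
$settings = @(
    "full address:s:$targetHost",
    "gatewayhostname:s:$gatewayFqdn",
    "gatewayusagemethod:i:1",
    "promptcredentialonce:i:0",
    "authentication level:i:2"
)
Set-Content -Path $rdpPath -Value $settings -Encoding Unicode   # mstsc.exe saves .rdp files as UTF-16
Write-Host "Wrote $rdpPath; open it with mstsc.exe or double-click it."
```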


Remark: For Windows XP, you have to modify the registry to support Network Level Authentication.

1. Launch "Registry Editor".
2. Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\Lsa".
3. In the detail pane, double-click "Security Packages".
4. Add "tspkg" at the bottom of the list.


5. Click "OK".
6. Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders".
7. In the detail pane, double-click "SecurityProviders".
8. Type "credssp.dll" at the end of the value.


9. Click "OK".
10. Close "Registry Editor".
11. Restart the computer.

References:
Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3

Building a Remote Desktop Gateway (RDG) / RD Gateway Server
http://www.rayheffer.com/953/building-a-remote-desktop-gateway-rdg-rd-gateway-server/

Additional info:
Deploying RD Gateway R2 server with NAP
http://blogs.msdn.com/b/rds/archive/2009/08/17/deploying-rd-gateway-r2-server-with-nap.aspx

Improving TS Gateway availability using NLB
http://blogs.msdn.com/b/rds/archive/2009/03/24/improving-ts-gateway-availability-using-nlb.aspx


Monday, September 5, 2011

(2148074274) The target principal name is incorrect.

When I perform "repadmin /replsum %computername%", I get the error from one of the domain controllers in my production environment.


DC04 can't replicate from DC02. To solve this problem, I have to run the following steps on DC02:

1. At the DC02, log in as Domain Administrator.
2. Launch "Services" console.
3. Right-click "Kerberos Key Distribution Center", select "Properties".
4. Next to "Startup type", select "Disabled".
5. Click "Stop".


6. Click "OK".
7. Launch "Command Prompt".
8. Enter "netdom resetpwd /server:<Server Name> /ud:<Domain Administrator> /pd:*".


9. Restart DC02.

After the computer was restarted, replication from DC02 resumed normally.

Reference:
Error Message "Target Principal Name is Incorrect" When manually replicating data between domain controllers
http://support.microsoft.com/kb/288167


Sunday, September 4, 2011

Speed up Exchange Management Shell and Exchange Management Console in lab environment

If there is no Internet connection in your lab environment, the "Exchange Management Shell" and "Exchange Management Console" of Exchange 2010 start up very slowly.

To solve this, we can change the following settings.

For Exchange 2010 (No-Internet access)
1. At the Exchange Server, launch "Internet Explorer".
2. On the menu, click "Tools > Internet Options".
3. Select "Advanced" tab.
4. Un-check "Check for publisher's certificate revocation".


5. Click "OK".
6. Close "Internet Explorer".
7. Right-click "Exchange Management Shell" in the "Start" menu, select "Properties".
8. Next to "Target".


9. Replace "-auto" by the CAS FQDN name.


10. Click "OK".
11. Launch "Exchange Management Console".
12. Right-click "Microsoft Exchange On-Premises (<Server Name>)", select "Properties".
13. Select "Specify a server to connect to", click "Browse" to select a CAS server.


14. Click "OK".


For Exchange 2007 (No-Internet access)
1. Just un-check "Check for publisher's certificate revocation" in Internet Explorer.


In an environment with Internet access, you can change the following settings to speed up "Exchange Management Shell" and "Exchange Management Console".

For Exchange 2010 (Internet access)
1. Launch "Registry Editor".
2. Navigate to "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config".
3. In the right pane, create the following REG_DWORD values.

ChainUrlRetrievalTimeoutMilliseconds
This registry setting defines the default timeout for a single CRL retrieval. If this value is set to 0 or if this value is undefined, the default value that is used is 15,000 milliseconds.

Decreasing the amount of time to allow CRL retrieval can significantly improve performance when internet access is poor or non-existent. Setting the value to 200 (milliseconds) may be a reasonable timeout.

ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
This registry setting defines the cumulative timeout for all CRL retrievals. If this value is set to 0 or if this value is undefined, the default value that is used is 20,000 milliseconds.

Decreasing the amount of time to allow all CRL retrievals can significantly improve performance when internet access is poor or non-existent. Setting the value to 500 (milliseconds) may be a reasonable timeout.

4. Modify the value of "ChainUrlRetrievalTimeoutMilliseconds" to 200 decimal.
5. Modify the value of "ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds" to 500 decimal.


6. Close "Registry Editor".
7. Right-click "Exchange Management Shell" in the "Start" menu, select "Properties".
8. Next to "Target".


9. Replace "-auto" by the CAS FQDN name.


10. Click "OK".
11. Launch "Exchange Management Console".
12. Right-click "Microsoft Exchange On-Premises (<Server Name>)", select "Properties".
13. Select "Specify a server to connect to", click "Browse" to select a CAS server.


14. Click "OK".
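Steps 1-6 of the registry part done from PowerShell (an added example, not part of the original post), using the value names, location and decimal values given above. Run it elevated on the Exchange server; note that shortening these timeouts also means a slow CRL download is abandoned sooner, so revocation checks give up earlier than the 15,000/20,000 ms defaults.

```powershell
# Added example (not from the original post): create the two CRL-retrieval timeout values
# under the chain engine Config key, creating the key first if it does not exist.
$configKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

$timeouts = @{
    'ChainUrlRetrievalTimeoutMilliseconds'                = 200   # default 15,000 ms per CRL retrieval
    'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds' = 500   # default 20,000 ms for all retrievals
}

# The Config subkey may not exist yet on a fresh server; create it on demand.
if (-not (Test-Path $configKey)) {
    New-Item -Path $configKey -Force | Out-Null
}

foreach ($name in $timeouts.Keys) {
    # -Force overwrites an existing value of the same name, so re-running is safe.
    New-ItemProperty -Path $configKey -Name $name -Value $timeouts[$name] -PropertyType DWord -Force | Out-Null
}

# Read back what the certificate chain engine will now use.
Get-ItemProperty -Path $configKey |
    Select-Object ChainUrlRetrievalTimeoutMilliseconds, ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds
```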


For Exchange 2007 (Internet access)

1. Repeat steps 1 - 6 in the Exchange 2007 environment.


Reference:
Speed up EMC and Powershell when working on a LAB

Configuring Exchange Servers without Internet Access
http://blogs.technet.com/b/exchange/archive/2010/05/14/3409948.aspx


Friday, September 2, 2011

Restoring Windows by Backup Exec 2010 R3 IDR


To use Backup Exec 2010 R3 IDR, you have to install the "Intelligent Disaster Recovery" option when installing Backup Exec 2010 R3.


After installing Backup Exec 2010 R3, you need to run the full backup of the servers in which you want to use IDR.

Prerequisites
Assuming that the server has already been backed up.


Creating IDR bootable image
1. At the backup server, launch "Backup Exec 2010 R3".
2. On the menu, click "Tools > Wizards > Intelligent Disaster Recovery Preparation Wizard".


3. At welcome screen, check "Choose a media server that has the IDR option installed", click "Next".
4. Enter the "User name", "Password" and "Domain" for the Media Server.


5. Click "Next".
6. Select "Bootable CD IMAGE for use with CD Writers (ISO 9660)".


7. Click "Next" twice.
8. Select the server you want to create the bootable image for.


Remark: You cannot mix different operating systems in "Selected Computers".

Example: WS1 runs Windows Server 2008 and WS2 runs Windows Server 2003. You cannot select both of them in "Selected Computers".

9. Click "Next".
10. Enter the path to store the CD image.


11. Click "Next".
12. Then you have to provide the Windows operating system installation files.


Remark: If you want to restore a Windows Server 2003 OS, you have to provide the Windows Server 2003 installation files when creating the CD image.

13. Click "Next".


The bootable CD image is being created.

14. When the CD image has been created, click "Next".
15. Click "Finish".


Restoring Windows operating system by IDR
Prerequisites
The bare-metal computer should have the same hard disk size as the backed-up server.

Lab
1. At the bare-metal computer, insert the IDR bootable media.
2. Boot up the computer.


3. Press [Enter].
4. At welcome screen, select "Automated Recovery".


5. Click "Next".
6. At "SCSI, RAID, and USB Controllers Discovery", you can update the driver.


7. I don't need to update the driver, click "Next".
8. At "Select Recovery File", you can select the "Recovery File".


Remark: By default, the latest DR file was copied to the bootable CD image.

9. Click "Next".


10. Click "OK" to format the hard disk.
11. Click "Next" twice.
12. At "Select Restore Method" screen, select "Install networking, and then restore from a remote media server".


13. Click "Next".
14. At "Network Configuration" screen, select "Local Area Connection".


15. Click "Configure".
16. Select "Internet Protocol (TCP/IP)", click "Properties".
17. You have to enter the same IP address settings the server had when it was backed up.


18. Click "OK".
19. Click "Close".
20. Click "Next".
21. At "Connect to Media Server" screen, enter the "Server name with domain name", "Domain Name", "User Name" and "Password".


Remark: If the server name is typed without the domain name, you may not be able to contact the media server.

22. Click "Next".
23. Check the options you want to select.


24. Click "Next".


The data is being restored.

25. When restoration finished, click "No".


26. After restoring the Windows Server 2003 operating system, you need to provide some hotfixes for the OS.


Remark: If you don't provide the Hotfixes for the OS, the operating system can't start.

27. Provide the Hotfixes for the OS, click "OK".


28. Click "Finish".

As a result, the full backup was restored to a bare-metal computer.
