Thursday, June 23, 2011

Enabling redundant cluster networks for log shipping and seeding of Cluster Continuous Replication in Windows Server 2008 R2

Lab environment
Cluster FQDN: cs01.contoso.com
Computer FQDN: Ex02.contoso.com
Redundant Computer FQDN: Ex02rep.contoso.com
Roles: CCR Active Mailbox Server
Operating System: Windows Server 2008 R2 Enterprise
Network: 172.16.2.2 (Public), 172.16.2.12 (Redundant)

Computer FQDN: Ex03.contoso.com
Redundant Computer FQDN: Ex03rep.contoso.com
Roles: CCR Passive Mailbox Server
Operating System: Windows Server 2008 R2 Enterprise
Network: 172.16.2.3 (Public), 172.16.2.13 (Redundant)

When I tried to enable the redundant cluster network of Cluster Continuous Replication in Windows Server 2008 R2, I found the following error:



The additional host names cannot work. However, the resource groups were added in Failover Cluster Manager.


I read the article from the following link to solve my problem:

When the replication service first starts up <or> the configuration time expires the replication service enumerates all network names on the cluster to determine which are valid endpoints for log shipping.  This is initially based on two cluster private properties stamped on each name, MSExchange_NetName and MSExchange_UseNetworkForLogCopying. Each of these should have a value of 1 on a network name utilized as a continuous replication host name.




On the surface it would appear that there is nothing preventing this name from operating correctly as a continuous replication host name.  After performing some internal tracing it was determined that the replication service is also implementing another check on a network name resource to ensure that it can be satisfactorily utilized for replication – is Kerberos enabled for the network name.  The replication service performs this check by reviewing a private property of a network name resource – requirekerberos and ensuring it has a value of 1.

In Windows 2003 network name resources could be enabled for Kerberos at the administrator's discretion.  In Windows 2008 and Windows 2008 R2 all network names must be Kerberos enabled.  In Windows 2008 requireKerberos is a valid private property and can be programmatically set.  In Windows 2008 R2 the requireKerberos property has been deprecated and can no longer be programmatically set.  Without the requireKerberos property in Windows 2008 R2 the enable-continuousreplicationhostname commandlet fails with the previously documented error.

To work around this issue and allow the replication host names created with the enable-continuousreplicationhostname command to function the following steps can be performed:

1. Using the Exchange Management Shell, invoke the enable-continuousreplicationhostname cmdlet. Allow the command to create the resource group, network name and IPv4 resource.
2. Verify with Failover Cluster Manager that the resource group, network name and IPv4 resource were created and are online.
3. Manually set requireKerberos utilizing either cluster.exe or Failover Cluster PowerShell extensions (preferred)

Cluster.exe
1. At EX02, log in as Domain Administrator.
2. Launch "Command Prompt", enter the following commands to add "requirekerberos" parameter:

cluster cs01 res "Network Name (Ex02rep)" /priv requirekerberos=1:DWORD
cluster cs01 res "Network Name (Ex03rep)" /priv requirekerberos=1:DWORD



Remark: "requirekerberos" is all lowercase.

3. Enter the following commands to take the continuous replication hostname groups offline:

cluster cs01 group "Ex02rep_group" /offline
cluster cs01 group "Ex03rep_group" /offline


4. Enter the following commands to take the continuous replication hostname groups  online:

cluster cs01 group "Ex02rep_group" /online
cluster cs01 group "Ex03rep_group" /online

5. Enter the following commands to restart the Microsoft Exchange replication service:

net stop msexchangerepl
net start msexchangerepl


Remark: You have to restart the Microsoft Exchange replication service in both servers.

PowerShell
1. At EX02, log in as Domain Administrator.
2. Launch "PowerShell", enter the following cmdlet to import failover cluster powershell extension:

Import-Module FailoverClusters


3. Enter the following cmdlets to add "requirekerberos" parameter:

Get-ClusterResource "Network Name (Ex02rep)" | Set-ClusterParameter -Create requirekerberos 1
Get-ClusterResource "Network Name (Ex03rep)" | Set-ClusterParameter -Create requirekerberos 1


Remark: "requirekerberos" is all lowercase.

4. Enter the following cmdlets to take the continuous replication hostname groups  offline:


Stop-ClusterGroup -Cluster cs01 -Name Ex02rep_group
Stop-ClusterGroup -Cluster cs01 -Name Ex03rep_group


5. Enter the following cmdlets to take the continuous replication hostname groups  online:

Start-ClusterGroup -Cluster cs01 -Name Ex02rep_group
Start-ClusterGroup -Cluster cs01 -Name Ex03rep_group


6. Enter the following cmdlet to restart the Microsoft Exchange replication service:

Restart-Service msexchangerepl


Remark: You have to restart the Microsoft Exchange replication service in both servers.

At this point you can use either cluster.exe or PowerShell to verify that the requirekerberos key has been created with a value of 1.

Command
Cluster cs01 res "Network Name (Ex02rep)" /priv


Cmdlet
Get-ClusterResource "Network Name (Ex02rep)" | Get-ClusterParameter


As a result, the redundant host names of CCR were added.
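
The check below is an added example, not part of the original post or the referenced article. It reads the three private properties named above from both replication network names and reports any that are missing or not set to 1; the cluster and resource names are the lab values from this post.

```powershell
# Added example (not from the original post): check the private properties
# that the replication service inspects on each replication network name.
Import-Module FailoverClusters

$cluster   = 'cs01'     # lab cluster name used in this post
$resources = 'Network Name (Ex02rep)', 'Network Name (Ex03rep)'
$required  = 'MSExchange_NetName', 'MSExchange_UseNetworkForLogCopying', 'requirekerberos'

$report = foreach ($resName in $resources) {
    $res = Get-ClusterResource -Cluster $cluster -Name $resName
    # Read all private properties once; a property that was never created
    # is simply absent from this list.
    $params = @($res | Get-ClusterParameter)

    foreach ($propName in $required) {
        $p     = $params | Where-Object { $_.Name -eq $propName } | Select-Object -First 1
        $value = if ($p) { $p.Value } else { '<missing>' }

        New-Object PSObject -Property @{
            Resource = $resName
            State    = $res.State
            Property = $propName
            Value    = $value
            Ok       = [bool]($p -and ($p.Value -eq 1))
        }
    }
}

$report | Format-Table Resource, State, Property, Value, Ok -AutoSize

# A row with Ok = False fails one of the checks described above.
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} property check(s) failed." -f $failed.Count)
}
```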


RequireKerberos Reference:
http://technet.microsoft.com/en-us/library/cc772544(WS.10).aspx

This posting is provided “AS IS” with no warranties, and confers no rights!

Monday, June 20, 2011

Remote Desktop Connection Manager

Microsoft provides a tool, Remote Desktop Connection Manager, for administrators to manage multiple remote desktop connections.


It supports the following operating systems:

Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows XP and Windows Vista

Remark: On Windows XP and Windows Server 2003, the Remote Desktop Connection client software has to be upgraded to version 6 or newer.

Download link:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4603c621-6de7-4ccb-9f51-d53dc7e48047&displaylang=en


Removing Desktop Icons

1. On a workstation, log in as Administrator.
2. Click "Start > Run", enter "regedit" to launch "Registry Editor".
3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\".


4. Below "NameSpace", you'll see long CLSID strings like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
5. Select one of the items; its name is shown in the right pane.


6. Select the CLSID string which you want to delete, press "Delete".
7. Close the registry editor window.
8. Refresh the desktop.


Tuesday, June 14, 2011

Limit the event log size and automatically back up the event log by Group Policy

On Windows Vista or later operating systems, we can apply a group policy to limit the event log size and automatically back up the event log.

This assumes the domain controller is running Windows Server 2008 R2.

1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Right-click a group policy which is assigned to the workstations, select "Edit".
4. Expand "Computer Configuration > Policies > Windows Settings > Security Settings > Event Log".


You can control the size of the application, security and system logs. These settings can apply to Windows XP or later operating systems. However, for Windows Vista or later operating systems, there is a new group policy to control the log settings.



5. Expand "Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service".

Assume I want to change the System log settings.

6. Select "System".
7. At right pane, double-click "Maximum Log Size (KB)".
8. Select "Enabled".
9. Next to "Maximum Log Size (KB)", type "2048".


10. Click "OK".

Remark: The "Event Log Service" settings override the above group policy settings.

11. Double-click "Backup log automatically when full".
12. Select "Enabled".


13. Click "OK".
14. Close "Group Policy Management Editor".
15. Go to a workstation to which the group policy applies, log in as Domain Administrator.
16. Click "Start", enter "gpupdate /force".
17. Launch "Event Viewer".
18. Expand "Windows Logs", right-click "System", select "Properties".


The settings are applied.

19. Launch "Command Prompt", enter the following command to create a lot of events in the System log:

for /L %i in (1,1,10000) do eventcreate /id 999 /t error /l system /d "log test"

20. After the command finished, launch "Windows Explorer".
21. Navigate to "%SystemRoot%\System32\Winevt\Logs".


The event log of System is automatically backed up.
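
The script below is an added example, not part of the original post. It reports the effective size and mode of the System log on the workstation and lists the automatic backup files, so the result can be compared with the 2048 KB and automatic backup values set above. The archive file name pattern is an assumption.

```powershell
# Added example (not from the original post): report the effective settings of
# the System log and list its automatic backup files. Run from an elevated prompt.
$logName    = 'System'
$expectedKB = 2048      # "Maximum Log Size (KB)" typed in step 9

$cfg    = Get-WinEvent -ListLog $logName
$sizeKB = [int]($cfg.MaximumSizeInBytes / 1KB)

# LogFilePath is stored with %SystemRoot% unexpanded.
$logFile = [Environment]::ExpandEnvironmentVariables($cfg.LogFilePath)
$logDir  = Split-Path -Parent $logFile

# Assumption: backups sit beside the live log as Archive-<log>-<timestamp>.evtx.
$archives  = @(Get-ChildItem -Path $logDir -Filter "Archive-$logName-*.evtx" -ErrorAction SilentlyContinue)
$archiveMB = 0
foreach ($f in $archives) { $archiveMB += $f.Length / 1MB }

New-Object PSObject -Property @{
    Log          = $logName
    MaxSizeKB    = $sizeKB
    LogMode      = $cfg.LogMode
    LogFile      = $logFile
    ArchiveCount = $archives.Count
    ArchiveMB    = [math]::Round($archiveMB, 1)
    NewestBackup = ($archives | Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty Name)
} | Format-List Log, MaxSizeKB, LogMode, LogFile, ArchiveCount, ArchiveMB, NewestBackup

if ($sizeKB -ne $expectedKB) {
    Write-Warning "Maximum size is $sizeKB KB, expected $expectedKB KB."
}
if ($cfg.LogMode -ne 'AutoBackup') {
    Write-Warning "Log mode is $($cfg.LogMode); automatic backup is not in effect."
}
```

Backup files are not removed automatically, so the ArchiveMB figure is worth watching on machines with small system drives.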


Monday, June 13, 2011

Remove the license key of vCenter Server 4.1

1. At vCenter Server, log in as Administrator.
2. Launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".
4. Select "Select or type a Distinguished Name or Name Context", type "dc=virtualcenter, dc=vmware, dc=int".
5. Select "Select or type a domain or server", type "localhost".


6. Expand "DC=virtualcenter, dc=vmware, dc=int > OU=Licensing > OU=Licenses".


7. At right pane, you can see the "CN=License key" containers.
8. Right-click the container which you want to delete, select "Delete".

Reference:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015268


Saturday, June 11, 2011

Updating the GPO with "Apply once and do not reapply" option

By default, when the content of a group policy preference which has "Apply once and do not reapply" checked is modified, it will be applied to the computers again. However, if it is not applied to the computers, you have to delete the registry key of the group policy preference to make it reapply to the computers.

The "Apply once and do not reapply" settings are stored at the following registry key.

Computer Configuration:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Group Policy\Client\RunOnce


User Configuration:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Group Policy\Client\RunOnce


If you want to reapply the Group Policy Preference to a computer, delete the GUID.

Tracing the GUID
You may have assigned a lot of Group Policy Preference items with "Apply once and do not reapply" without knowing their GUIDs. I'm going to show you how to find the GUID of a Group Policy Preference item.

Assume I have some Services items in Group Policy Preferences with "Apply once and do not reapply".



1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Right-click a group policy which you will modify, select "Edit".
4. Expand "Computer Configuration > Preferences > Control Panel Settings > Services".
5. At right pane, right-click the name of the service, select "All Tasks > Display Xml".


The GUID of this group policy preference is shown in Internet Explorer. Then, I can delete the GUID in the registry.
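
The script below is an added example, not part of the original post. It pulls the run-once GUIDs out of preference XML and checks each against the RunOnce key on the local computer. The XML is a constructed sample with placeholder names and GUIDs, and it assumes the GUID appears as the id attribute of a FilterRunOnce element and is recorded in the registry as a value name.

```powershell
# Added example (not from the original post): match the run-once GUIDs in a
# preference item's XML against the RunOnce registry key on this computer.

# Constructed sample; paste the XML shown by "All Tasks > Display Xml" here.
# The names and GUIDs below are placeholders, not values from a real GPO.
$itemXml = @'
<NTServices>
  <NTService name="ExampleServiceA">
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND" id="{11111111-1111-1111-1111-111111111111}"/>
    </Filters>
  </NTService>
  <NTService name="ExampleServiceB">
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND" id="{22222222-2222-2222-2222-222222222222}"/>
    </Filters>
  </NTService>
</NTServices>
'@

# Computer Configuration key from this post; use the HKCU: path for User Configuration.
$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Group Policy\Client\RunOnce'

# Assumption: each applied item is recorded as a value whose name is its GUID.
$applied = @()
if (Test-Path $runOnceKey) {
    $applied = @((Get-Item $runOnceKey).GetValueNames())
}

$doc = [xml]$itemXml
$report = foreach ($filter in $doc.SelectNodes('//FilterRunOnce')) {
    $item = $filter.ParentNode.ParentNode      # <Filters> -> preference item
    $id   = $filter.GetAttribute('id')
    New-Object PSObject -Property @{
        Item      = $item.GetAttribute('name')
        RunOnceId = $id
        Applied   = ($applied -contains $id)
    }
}
$report | Format-Table Item, RunOnceId, Applied -AutoSize

# To make one item apply again on the next policy refresh, delete its value:
# Remove-ItemProperty -Path $runOnceKey -Name '<GUID from the table>'
```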

Reference:
http://support.microsoft.com/kb/2284538


Thursday, June 9, 2011

Restrict the members of local administrator group by Group Policy Preference

In a Windows Server 2008 or above environment, there are 2 methods to control the members of user groups: Group Policy Restricted Groups and Group Policy Preferences.

Both settings in a Group Policy could remove unauthorized members from a security group.

Using Group Policy Preference
1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Right-click a group policy which is assigned to the computers, select "Edit".
4. Expand "Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups".
5. Right-click "Local Users and Groups", select "New > Local Group".
6. Next to "Action", select "Update".
7. Next to "Group name", select "Administrators (built-in)".
8. Check "Delete all member users" and "Delete all member groups".
9. Click "Add".
10. Press [F3].


You can select a variable which is suitable for your environment.

11. Select "DomainName", click "Select".
12. At "Name", type "\Domain Admins".


13. Click "OK".
14. Click "Add".
15. At "Name", type "BuiltIn\Administrator".
16. Click "OK".


Remark: Make sure that you add the domain groups or users before adding "BuiltIn\Administrator".

Remark: You might need to copy the description of local administrator and paste it in Description field.

17. Click "OK".
18. Close "Group Policy Management Editor".

After the policy is applied, the members of local administrator group are restricted.
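
The audit below is an added example, not part of the original post. Run on a targeted computer, it lists the members of the local Administrators group and flags anything outside the two entries configured above. It assumes an English group name, a built-in account that still has its default name, and a logon with a domain account.

```powershell
# Added example (not from the original post): list the members of the local
# Administrators group and flag any that are outside the expected set.
$computer = $env:COMPUTERNAME
$domain   = $env:USERDOMAIN     # assumption: logged on with a domain account

# Expected members after the preference item applies (steps 11-15).
# Assumes the built-in account still has its default name.
$allowed = "$domain\Domain Admins", "$computer\Administrator"

$group = [ADSI]"WinNT://$computer/Administrators,group"
$members = foreach ($m in @($group.psbase.Invoke('Members'))) {
    # ADsPath is WinNT://DOMAIN/Name for domain principals and
    # WinNT://DOMAIN/COMPUTER/Name for local accounts.
    $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    $parts = $path.Substring('WinNT://'.Length).Split('/')
    if ($parts.Length -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[0] }
}

$report = foreach ($name in $members) {
    New-Object PSObject -Property @{
        Member   = $name
        Expected = ($allowed -contains $name)
    }
}
$report | Format-Table Member, Expected -AutoSize

$unexpected = @($report | Where-Object { -not $_.Expected })
$missing    = @($allowed | Where-Object { $members -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected members: " + (($unexpected | ForEach-Object { $_.Member }) -join ', '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("Missing members: " + ($missing -join ', '))
}
```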


Wednesday, June 8, 2011

Disable system protection and system restore in Windows 7 by Group Policy

This assumes the domain controller is running Windows Server 2008 R2.

1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Right-click a group policy which is assigned to the workstations, select "Edit".
4. Expand "Computer Configuration > Policies > Administrative Templates > System > System Restore".
5. At right pane, double-click "Turn off Configuration".
6. Select "Enabled".


7. Click "OK".
8. Double-click "Turn off System Restore".
9. Select "Enabled".


10. Click "OK".
11. At a workstation which updated the Group Policy, log in as administrator.
12. Launch "System Properties", select "System Protection" tab.


Because system protection was turned on, the protection status under "Protection Settings" is still "On". This setting can be modified through the registry.



13. Back to Group Policy Management Editor of Domain Controller, expand "Preferences > Windows Settings > Registry".
14. Right-click "Registry", select "Registry Item".
15. Next to "Action", select "Delete".
16. Next to "Hive", select "HKEY_LOCAL_MACHINE".
17. Next to "Key Path", type "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients".
18. Under "Value name", type "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}".


19. Select "Common" tab, check "Apply once and do not reapply".
20. Check "Item-level targeting", click "Targeting".
21. Click "New Item > Operating System".
22. Leave the default settings.


23. Click "OK".


24. Click "OK".
25. Right-click "Registry", select "Registry Item".
26. Next to "Action", select "Delete".
27. Next to "Hive", select "HKEY_LOCAL_MACHINE".
28. Next to "Key Path", type "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients".
29. Under "Value name", type "{3E7F07C9-6BC3-11DC-A033-0019B92BB8B1}".
30. Select "Common" tab, check "Apply once and do not reapply".
31. Check "Item-level targeting", click "Targeting".
32. Click "New Item > Operating System".
33. Leave the default settings.
34. Click "OK".


35. Close "Group Policy Management Editor".

As a result, the protection status under "Protection Settings" is "Off".



Tuesday, June 7, 2011

Configuring performance options of Windows 7 by Group Policy

By default, the performance options of Windows 7 are set to best appearance.


However, domain users cannot modify the performance settings. I should assign a Group Policy to modify the performance options for all users.


1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management".
3. Right-click a group policy which is assigned to the users, select "Edit".
4. Expand "User Configuration > Policies > Administrative Templates > Control Panel > Personalization".
5. At right pane, double-click "Load a specific theme".
6. Select "Enabled".
7. Under "Path to theme file", type "%Systemroot%\Resources\Ease of Access Themes\basic.theme".


8. Click "OK".
9. At left pane, expand "Preferences > Windows Settings > Registry".
10. Right-click "Registry", select "Registry Item".
11. Next to "Action", select "Update".
12. Next to "Hive", select "HKEY_CURRENT_USER".
13. Next to "Key Path", type "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects".
14. Under "Value name", type "VisualFXSetting".
15. Next to "Value type", select "REG_DWORD".
16. Next to "Value data", type "2".


17. Click "OK".
18. Close "Group Policy Management Editor".

As a result, when a domain user logs in to Windows, the best performance setting of the performance options is applied to the user.

Remark: "Windows 7 basic theme" will be applied to a domain user who first logs in.

Remark: If the "Load a specific theme" setting is not applied correctly on a computer, please read the following web site and install the Hotfix.

The "Load a specific theme" Group Policy setting is not applied correctly on a computer that is running Windows or Windows Server 2008 R2
