September 21 2010

Virtualization support for Microsoft products including SCCM, OCS, Exchange, ISA



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

For many years I’ve had to scour the interwebs to find out if hardware virtualization is supported by Microsoft for a particular product.

I’m not sure how long it has been around but I’ve finally found the Windows Server Catalog site which will simply tell you if it is supported or not:

http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvpwizard.htm

For example, I can easily see that SCCM 2007 SP2 on VMware ESX 3.5 Update 5 with Windows Server 2008 R2 x64 as the guest OS is SUPPORTED!

So simple and so overdue!
 
 




August 5 2010

New Microsoft TS certifications

I’ve spent some time over the last few weeks catching up on my Microsoft certifications for some of the areas I focus on and passed the following exams:
 

70-401: TS: Microsoft System Center Configuration Manager 2007, Configuring
70-400: TS: Microsoft System Center Operations Manager 2007, Configuring
70-638: TS: Microsoft Office Communications Server 2007, Configuring

 
This has given me the following certifications:
 
Microsoft Certified Technology Specialist – System Center Configuration Manager (SCCM) 2007: Configuration
Microsoft Certified Technology Specialist – System Center Operations Manager (SCOM) 2007: Configuration
Microsoft Certified Technology Specialist – Office Communications Server 2007: Configuration
 

I found the 70-400 & 70-401 (SCOM & SCCM) exams cover a lot of material and knowledge that you would use in your day-to-day design and administration of these products. I would say that with a few years’ experience using these products frequently you should be ok to get a passing score. The 70-638 (OCS) exam material really went into a lot more depth around design concepts than day-to-day administration – even if you have used OCS for years I would suggest that you study hard for this one!

 
 

November 5 2009

Improving the SIDMap.wsf script for OCS attribute synchronization

Microsoft’s definition of SIDMap.wsf is: It uses the same disabled user account in the resource forest to enable users for Office Communications Server. To provide single sign-in, the primary user account must also be mapped to the disabled user account in the resource forest for Office Communications Server. This tool performs the mapping.

This script is part of the Office Communications Server 2007 Resource Kit and basically will synchronize the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute on the SIP-enabled disabled user account.

I’ve made some improvements to the script to add a log file and also provide some feedback to the user so they know it has worked. I’ve created a batch file that can be put on a server and run by the support team. This is outlined in attribute_sync.bat below, and then the modified SIDMap.wsf is included too.

attribute_sync.bat

REM **   This script copies the value in the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute
REM **   for every disabled user that is SIP enabled in the 'Testing' OU
REM **   www.danovich.com.au
REM **   Build a timestamp for the log file name. Assumes date /t prints dd/mm/yyyy with no day name;
REM **   adjust the token numbers if your locale prints the date differently.
for /f "tokens=1* delims= " %%a in ('date/t') do set dayname=%%a
for /f "tokens=1* delims= " %%a in ('date/t') do set mmddyyyy=%%a
for /f "tokens=1* delims=/" %%a in ('echo %mmddyyyy%') do set day=%%a
for /f "tokens=2* delims=/" %%a in ('echo %mmddyyyy%') do set month=%%a
for /f "tokens=3* delims=/" %%a in ('echo %mmddyyyy%') do set year=%%a
for /f "tokens=1* delims=:" %%a in ('echo %time%') do set hour=%%a
for /f "tokens=2* delims=:" %%a in ('echo %time%') do set mins=%%a
for /f "tokens=3* delims=:" %%a in ('echo %time%') do set sec=%%a
for /f "tokens=1* delims=." %%a in ('echo %sec%') do set secs=%%a
for /f "tokens=2* delims=." %%a in ('echo %sec%') do set mili=%%a
REM **   Before 10:00 %time% has a leading space in the hour; pad it with a zero so log names sort
set hour=%hour: =0%
REM **   Make cscript the default host so the .wsf runs from the console
wscript //h:cscript //B
if not exist C:\Logs mkdir C:\Logs
c:
cd "C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit\LcsSync"
SIDMap.wsf /OU:OU=Testing,DC=danovich,DC=com /logfile:C:\Logs\OCS-%username%-%day%-%month%-%year%-%hour%.%mins%.%secs%.log

SIDMap.wsf

<?xml version="1.0" ?>
<package>
<job id="Main" prompt="no">
<?job debug="true" error="true" ?>
<runtime>
<named
name="OU"
helpstring="The Active Directory DN of the organizational unit to search under"
many="false"
type="string"
required="false"
/>
<named
name="query"
helpstring="Generates a list of disabled users that are mailbox and SIP enabled and associated with an external account"
type="simple"
required="false"
/>
<named
name="logfile"
helpstring="Text file used to log the output."
type="string"
required="false"
/>
</runtime>
<script id="VBScript_Block" language="VBScript">
<![CDATA[
' Initialize variables
Set WshShell = CreateObject("WScript.Shell")
Const ForWriting = 2
intCount = 0        ' users returned by the query
intFailed = 0       ' users whose msRTCSIP-OriginatorSid could not be written
bQuery = False
strLogFile = "(none)"
On Error Resume Next 'Force continuation on errors when initializing globals

' Retrieve command-line arguments
' Check whether an OU is provided; otherwise search the whole domain.
If WScript.Arguments.Named.Exists("OU") Then
    strNamingContext = "LDAP://" & WScript.Arguments.Named("OU")
Else
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strNamingContext = "LDAP://" & objRootDSE.Get("defaultNamingContext")
End If

' Check whether the user only wants to query the AD (list matching users, change nothing).
If WScript.Arguments.Named.Exists("query") Then
    bQuery = True
End If

' Check whether logging to a file is required.
If WScript.Arguments.Named.Exists("logfile") Then
    strLogFile = WScript.Arguments.Named("logfile")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = fso.OpenTextFile(strLogFile, ForWriting, True)
    If Err.Number <> 0 Then
        WScript.Echo "Cannot open log file " & strLogFile & ": " & Err.Description
        WshShell.Popup "Cannot open log file " & strLogFile, , " Attribute sync failed ", 16
        WScript.Quit(Err.Number)
    End If
    objLogFile.WriteLine "List of disabled users associated with an external account and SIP enabled:"
End If

' Create connection to AD.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Define AD query.
' Search for disabled user accounts (userAccountControl bit 2) that are SIP enabled
' and linked to an account in another forest through msExchMasterAccountSid.
objCommand.CommandText = _
    "<" & strNamingContext & ">;" & _
    "(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2));" & _
    "ADsPath,cn,msRTCSIP-PrimaryUserAddress,msExchMasterAccountSid,msRTCSIP-OriginatorSid;subtree"
' Disable caching to reduce memory consumption for very large result sets.
objCommand.Properties("Cache Results") = False
' Define the maximum page size.
objCommand.Properties("Page Size") = 1000

' Execute query.
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo "Failed to query Active Directory " & strNamingContext & ": " & Err.Description
    WshShell.Popup "Failed to query Active Directory", , " Attribute sync failed ", 16
    WScript.Quit(Err.Number)
End If

While Not objRecordSet.EOF
    intCount = intCount + 1
    strCN = objRecordSet.Fields("cn").Value
    If IsObject(objLogFile) Then
        objLogFile.WriteLine strCN
    Else
        WScript.Echo strCN
    End If
    If bQuery = False Then
        ' Copy msExchMasterAccountSid into msRTCSIP-OriginatorSid.
        Err.Clear
        Set objContact = GetObject(objRecordSet.Fields("ADsPath").Value)
        strExchSid = objRecordSet.Fields("msExchMasterAccountSid").Value
        objContact.Put "msRTCSIP-OriginatorSid", strExchSid
        objContact.SetInfo
        If Err.Number <> 0 Then
            intFailed = intFailed + 1
            strMsg = "Failed to set msRTCSIP-OriginatorSid attribute on " & strCN & ": error " & Err.Number & " " & Err.Description
            If IsObject(objLogFile) Then
                objLogFile.WriteLine strMsg
            Else
                WScript.Echo strMsg
                WshShell.Popup strMsg, , " Attribute sync failed ", 16
            End If
            ' Clear the error so it is not reported again for the next user.
            Err.Clear
        End If
    End If
    WScript.Echo
    objRecordSet.MoveNext
Wend

If IsObject(objLogFile) Then
    objLogFile.WriteLine vbNewLine & intCount & " disabled users, " & intFailed & " failures."
    objLogFile.Close
End If
objConnection.Close

' Summarise to the console and, for the support team, in a dialog box.
If intFailed = 0 Then
    WScript.Echo "Attribute sync has been successful for " & intCount & " users in the " & strNamingContext & " OU "
    WshShell.Popup "Attribute sync has been successful for " & intCount & " users in the following OU:" & vbCrLf & vbCrLf & strNamingContext & vbCrLf & vbCrLf & "Log file is located at " & strLogFile, , " Attribute sync successful ", 64
Else
    WScript.Echo "Attribute sync failed for " & intFailed & " of " & intCount & " users in " & strNamingContext
    WshShell.Popup "Attribute sync failed for " & intFailed & " of " & intCount & " users in " & strNamingContext & vbCrLf & vbCrLf & "See log file " & strLogFile, , " Attribute sync failed ", 48
End If
]]>
</script>
</job>
</package>
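To confirm what the script left behind, here is an added PowerShell check (not part of the original post or the Resource Kit) that runs the same LDAP filter and compares the two SID attributes on every matching account. It assumes the OU from attribute_sync.bat and a machine that can reach the resource forest.

```powershell
# Added example, not part of the original post: confirm SIDMap.wsf left every
# matching account with msRTCSIP-OriginatorSid equal to msExchMasterAccountSid.
# $OuDn is assumed to be the OU used by attribute_sync.bat; adjust for your forest.
param([string]$OuDn = 'OU=Testing,DC=danovich,DC=com')

# Same LDAP filter SIDMap.wsf uses: disabled users (userAccountControl bit 2) that
# are SIP enabled and linked to an external account through msExchMasterAccountSid.
$filter = '(&(objectCategory=person)(objectClass=user)(msRTCSIP-UserEnabled=TRUE)' +
          '(msExchMasterAccountSid=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$OuDn"
$searcher.Filter      = $filter
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'msExchMasterAccountSid', 'msRTCSIP-OriginatorSid'))

# Both attributes are stored as binary SIDs; decode to S-1-5-... for comparison and reporting.
function ConvertTo-SidString($Props, $Name) {
    $values = $Props[$Name]
    if (-not $values -or $values.Count -eq 0) { return $null }
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]]$values[0]), 0
    return $sid.Value
}

$results = foreach ($entry in $searcher.FindAll()) {
    # DirectorySearcher exposes property names in lower case.
    $master = ConvertTo-SidString $entry.Properties 'msexchmasteraccountsid'
    $orig   = ConvertTo-SidString $entry.Properties 'msrtcsip-originatorsid'
    [pscustomobject]@{
        CN            = $entry.Properties['cn'][0]
        MasterSid     = $master
        OriginatorSid = $orig
        InSync        = ($null -ne $orig -and $orig -eq $master)
    }
}

$results | Format-Table -AutoSize
$outOfSync = @($results | Where-Object { -not $_.InSync })
"{0} of {1} accounts in sync; {2} still need SIDMap.wsf" -f (@($results).Count - $outOfSync.Count), @($results).Count, $outOfSync.Count
```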

November 4 2009

Office Communicator error – Cannot synchronize address book

We’d rolled out Office Communicator 2007 R2 across the environment, however a handful of machines were getting the ‘Cannot synchronize address book’ error and when expanded the entire error message was ‘Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book.’

So after doing some extensive Googling, I did some troubleshooting and found that the situation was:

– There was no issue with the proxy server. I could manually enter the name of one of the address book files (eg https://ocs.domain.com/Abs/Ext/F-0918.lsabs) and download it manually through the browser.

– There was no GalContacts.db file in the ‘C:\Documents and Settings\%UserName%\Local Settings\Application Data\Microsoft\Communicator’ folder, meaning that there was no locally cached copy of the address book.

– In the registry under ‘HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS’, if I set the CertificateRevocation DWORD to 0, I can successfully sign in and retrieve the address book (below). That value turns off revocation checking for WinINet clients (the IE ‘Check for server certificate revocation’ option), so it is only a diagnostic step that points at a revocation problem, not a setting to leave in place.

(Screenshot: Registry setting)

This pointed to an issue with the certificate we were using and specifically the Certificate Revocation List (CRL). From here we need to check the certificate we were using for OCS, look at the details tab and check the CRL Distribution Point (shown below)

(Screenshot: Check Certificate)

I then checked this distribution point (an HTTP location in our case) and found out that it was invalid. Right, so next it was off to reconfigure our internal Certificate Authority server with the correct CRL locations.

On the Certificate Authority, we open up the MMC snap-in, right click the server name and select properties. On the Extensions tab, select ‘CRL Distribution Point’. You then want to configure valid locations underneath here and tick the box to ensure these are being included in the issued certificates. For example, in my case I ensured that there were 3 additional entries (not including the C:\Windows one):

LDAP:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
[TICK] Publish CRLs to this location
[UNTICK] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[TICK] Publish Delta CRLs to this location

file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
[TICK] Publish CRLs to this location
[GREYED OUT] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[UNTICK] Publish Delta CRLs to this location

http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
[GREYED OUT] Publish CRLs to this location
[GREYED OUT] Include in all CRLs…….Active Directory…..
[UNTICK] Include in CRLs….Delta CRL Locations…..
[TICK] Include in the CDP extension of issued certificates
[GREYED OUT] Publish Delta CRLs to this location

Selecting OK will then restart the Certificate Services service. Then you need to recreate your OCS certificates via the OCS MMC certificate wizard. Once these have been applied to the OCS server (OCS services do NOT need to be restarted), your clients just need to sign out and back in and all of your address book issues are fixed!

If you look at your new certificate, the newly added CRL Distribution Points should be listed. You can also run ‘certutil.exe -v -verify -urlfetch c:\exported_certificate.cer’ against the exported certificate and check that every CRL location can be reached successfully. The ‘pkiview.msc’ tool from the Windows 2003 Resource Kit was also very useful in checking that the CRL locations could be reached.
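As an added check (not from the original post), the following PowerShell does per URL what certutil -urlfetch does in bulk: it pulls every CDP URL out of an exported certificate, fetches the HTTP ones and reads the CRL’s NextUpdate so an expired CRL is caught as well as an unreachable one. The .cer path is a placeholder, and the NextUpdate parsing assumes the text layout of certutil -dump.

```powershell
# Added example, not part of the original post: check every CRL Distribution Point in an
# exported certificate one URL at a time (certutil -urlfetch does the same in bulk).
# The .cer path is a placeholder; NextUpdate parsing assumes certutil -dump's text output.
param([string]$CertPath = 'C:\exported_certificate.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
# OID 2.5.29.31 is the CRL Distribution Points extension the CA's CDP settings populate.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CDP extension in certificate $($cert.Subject); nothing to check." }

# Format($true) renders the extension as text with one 'URL=...' line per distribution point.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(.+)') | ForEach-Object { $_.Groups[1].Value.Trim() }

function Test-HttpCrl([string]$Url) {
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    # An expired CRL fails revocation checking just like an unreachable one, so read NextUpdate.
    $m = certutil -dump $tmp | Select-String 'NextUpdate:\s*(.+)' | Select-Object -First 1
    if (-not $m) { return 'reachable, but NextUpdate not found in certutil output' }
    $next = $m.Matches[0].Groups[1].Value.Trim()
    $nextDate = $next -as [datetime]
    if ($nextDate -and $nextDate -lt (Get-Date)) { return "reachable but CRL EXPIRED (NextUpdate $next)" }
    return "OK (NextUpdate $next)"
}

foreach ($url in $urls) {
    $status = switch -Regex ($url) {
        '^https?://' { try { Test-HttpCrl $url } catch { "FAILED: $($_.Exception.Message)" } }
        '^ldap:'     { 'skipped: LDAP CDP, usable only by domain-joined clients' }
        '^file:'     { if (Test-Path ([uri]$url).LocalPath) { 'OK: share path exists' } else { 'FAILED: path not found' } }
        default      { 'skipped: unknown scheme' }
    }
    "{0}`n    -> {1}" -f $url, $status
}
```

Run it from a client that is not domain-joined as well as from one that is; the LDAP CDP will only ever work for the latter, which is why the HTTP location has to be right.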

October 6 2009

Office Communicator and Live Meeting Client Version Tool

The guys over at www.insideocs.com have released a simple little tool that retrieves the version numbers of Office Communicator and Live Meeting Client installed on your machine. A great time-saving little tool for troubleshooting.

The link is http://www.insideocs.com/Tools/ClientVersions.html

The HTA is also available here:

http://blog.danovich.com.au/wp-content/uploads/2009/10/ucclientversion.hta

September 7 2009

Office Communicator 2007 and Live Meeting ADM templates for Port Range

The default UDP/TCP port range used by the Office Communicator 2007 client is 1024-65535. The Real Time Media Communications stack in Office Communicator 2007 allocates the media port dynamically in this range.

To control the specific range of ports that need to be open on a firewall, a registry key setting is provided to force the media stack to reduce the range of port values that can be used for real time media communications. Microsoft documents these registry keys (http://technet.microsoft.com/en-us/library/bb964029.aspx); however, there is no ADM template provided to be able to control this via Group Policy.

See below for a custom ADM that has been created. Just copy these into a text editor and save them as an ADM file, then import them into your GPO. Remember to adjust the values to suit the port range required in your environment.

User Policy

CLASS USER

CATEGORY "OCS R2"
    KEYNAME "Software\Microsoft\Shared\UcClient"
    POLICY ServerAddressInternal
        PART ServerAddressInternal EDITTEXT
            VALUENAME "ServerAddressInternal"
        END PART
    END POLICY
END CATEGORY

CATEGORY "OCS R2"
    KEYNAME "Software\Microsoft\Live Meeting\Console\Version 8.0\Attendee"
    POLICY AttendeePortRangeMin
        EXPLAIN "Enabled = 48951"
        VALUENAME "MediaPortRangeMin"
        VALUEON NUMERIC 48951
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY AttendeePortRangeMax
        EXPLAIN "Enabled = 49050"
        VALUENAME "MediaPortRangeMax"
        VALUEON NUMERIC 49050
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

CATEGORY "OCS R2"
    KEYNAME "Software\Microsoft\Live Meeting\Console\Version 8.0\Presenter"
    POLICY PresenterPortRangeMin
        EXPLAIN "Enabled = 49051"
        VALUENAME "MediaPortRangeMin"
        VALUEON NUMERIC 49051
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY PresenterPortRangeMax
        EXPLAIN "Enabled = 49150"
        VALUENAME "MediaPortRangeMax"
        VALUEON NUMERIC 49150
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

Computer Policy

CLASS MACHINE

CATEGORY "OCS R2"
    KEYNAME "Software\Policies\Microsoft\Communicator\PortRange"
    POLICY "Enabled"
        VALUENAME "Enabled"
        VALUEON    NUMERIC 1
        VALUEOFF   NUMERIC 0
    END POLICY

    POLICY "MaxMediaPort"
        EXPLAIN "Enabled = 48950"
        VALUENAME "MaxMediaPort"
        VALUEON NUMERIC 48950
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "MinMediaPort"
        EXPLAIN "Enabled = 48851"
        VALUENAME "MinMediaPort"
        VALUEON NUMERIC 48851
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

I would recommend ensuring that you follow the guidelines on the minimum number of ports as outlined by Microsoft in this document: http://technet.microsoft.com/en-us/library/bb964029.aspx

——-

Update 27/10/2009

I noticed that there is a Technet post about this blog entry – http://social.microsoft.com/Forums/en-US/commmunicatorsetup/thread/4184b145-4f63-40bd-901a-26d90c35ab89. Jeff Schertz’s answer is correct – These registry keys and values do not exist by default since the normal behavior is for the client to assign dynamic ports in the entire 1024-65535 range.  You need to manually create these keys and values.