Alex de Jong MCT, MCSE, MCITP...

Natural born geek: Speaker, Trainer, Consultant and Technical Writer

Fixing transport problems in the Exchange 2013 VM’s: 20341 and 20342

Teaching Exchange 2013 is fun.. but only when everything works :) . Unfortunately, the VMs we get from Microsoft do not always work as expected. On my own laptop everything is fine, but at several customers e-mail gets stuck in “Drafts” or “Outbox” when trying to send one.

After some investigation I found something that can fix this issue… (Update: tested and verified on all student computers.)

The issue seems to have something to do with IPv6 being used by the transport services. Both courses 20341 and 20342 have the following Exchange 2013 configuration:

1 domain controller for the Adatum.com domain: Lon-DC1.adatum.com – 172.16.0.10 /16

1 client: Lon-CL1.adatum.com – DHCP

2 CAS: Lon-CAS1.adatum.com – 172.16.0.21 & Lon-CAS2.adatum.com – 172.16.0.22

2 MBX: Lon-MBX1.adatum.com – 172.16.0.23 & Lon-MBX2.adatum.com – 172.16.0.24

1 TMG: Lon-TMG.adatum.com – 172.16.0.1

 

So, the first step is to make sure that both MBXs only use the fixed NIC to perform DNS lookups.

1. Log on to lon-cas1 as administrator.

2. Open IE and log in to the Exchange Admin Center.

3. Navigate to Servers –> Servers.

4. On both MBXs, change the DNS lookup setting to only use the fixed network card “Intel 21140…. “ for both External and Internal DNS Lookups.

 

Next, we need to disable IPv6 for the transport services on both of the MBXs.

1. Log on to lon-mbx1 as administrator.

2. Navigate to “c:\program files\microsoft\exchange server\v15\bin”.

3. Open the file EdgeTransport.exe.config with Notepad.

4. In the <appSettings> section, search for the line <add key="DnsIpv6Enabled" value="true" /> and replace true with false.

5. Select the entire line and press Ctrl+C, as we need to add this line to two other files, then save the changes.

6. Open the file MSExchangeDelivery.exe.config.

7. Create a new line in the <appSettings> section and press Ctrl+V to paste the line into this file, then save the changes.

8. Open the file MSExchangeSubmission.exe.config.

9. Create a new line in the <appSettings> section and press Ctrl+V to paste the line into this file, then save the changes.

10. Open Services.msc and restart the “Microsoft Exchange Active Directory Topology” service. Accept that it will restart all dependent services.
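The same edit can be scripted so it is applied identically on both MBXs. This is an added example, not part of the original post: it assumes the default V15 install path (or $env:ExchangeInstallPath set by Exchange setup), that the three config files are plain .NET configuration XML, and the Exchange 2013 service names MSExchangeADTopology, MSExchangeTransport, MSExchangeDelivery and MSExchangeSubmission.

```powershell
# Added example: sets DnsIpv6Enabled=false in the three transport config files
# (steps 2-9 above) and restarts the AD Topology service (step 10).
# Run from an elevated PowerShell prompt on each Mailbox server (lon-mbx1, lon-mbx2).
$binPath = if ($env:ExchangeInstallPath) {
    Join-Path $env:ExchangeInstallPath 'Bin'
} else {
    'C:\Program Files\Microsoft\Exchange Server\V15\Bin'   # default path from the post
}
$configFiles = 'EdgeTransport.exe.config',
               'MSExchangeDelivery.exe.config',
               'MSExchangeSubmission.exe.config'

foreach ($name in $configFiles) {
    $path = Join-Path $binPath $name
    if (-not (Test-Path $path)) { Write-Warning "Not found: $path"; continue }

    # Keep a backup before editing an Exchange config file
    Copy-Item -Path $path -Destination "$path.bak" -Force

    [xml]$xml = Get-Content -Path $path
    $appSettings = $xml.configuration.SelectSingleNode('appSettings')
    if (-not $appSettings) {
        # Create the section if a file does not have one yet
        $appSettings = $xml.configuration.AppendChild($xml.CreateElement('appSettings'))
    }

    # Reuse an existing <add key="DnsIpv6Enabled" .../> element, or add one
    $node = $appSettings.SelectSingleNode("add[@key='DnsIpv6Enabled']")
    if (-not $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', 'DnsIpv6Enabled')
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', 'false')
    $xml.Save($path)
    Write-Host "$name : DnsIpv6Enabled set to false"
}

# Restarting AD Topology stops the dependent transport services as well;
# start them again explicitly so mail flow resumes without a manual start.
Restart-Service -Name MSExchangeADTopology -Force
Start-Service -Name MSExchangeTransport, MSExchangeDelivery, MSExchangeSubmission
```

The .bak copies let you diff or roll back a file if a transport service refuses to start after the change.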

 

When the above is done on both MBXs, all mail flow should be working as expected again :) . Now is a good time to create a new snapshot of all the running VMs (yes!! while they are running).

Finally, to make sure that AutoConfig in Outlook 2013 will work on the client PC, assign a fixed IP address to Lon-CL1: 172.16.0.50 /16 – DNS 172.16.0.10.

 

Hope this helps my fellow Exchange Instructors.

 

Alex


Direct Access 2.0… Part 1

Hi,

Ever wanted to implement the ultimate remote access technology but didn’t do it because of the fear of IPv6, PKI and the Internet in general? Then here is your guide to Direct Access 2.0. The 2.0 part is because it is based on Windows Server 2012. In this part we will start with a Direct Access overview and how it works. In upcoming parts we will cover PKI, IPv6 and of course, the setup.

 

Direct Access Overview

So, what is Direct Access? Basically it is a VPN solution, but a different one. A VPN connects the user to the corporate network; Direct Access extends the corporate network to the user. What this means is that not only can the user access corporate resources like Exchange or SharePoint servers, corporate IT can also access the clients over this connection. And all it takes for the client is an internet connection. As soon as the DA client is connected to the internet, it will try to connect to the CorpNet, even before the user logs on. Setting up the connection this way allows Group Policies to run at user logon. The client only connects to the CorpNet for CorpNet resources; all other internet-related traffic is sent directly to the destination servers on the internet.

What’s new in Windows Server 2012

On the Microsoft website about DA it says:

Windows Server 2008 R2 introduced DirectAccess, a new remote access feature that allows connectivity to corporate network resources without the need for traditional Virtual Private Network (VPN) connections. DirectAccess provides support only for domain-joined Windows 7 Enterprise and Ultimate edition clients. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients, non-domain joined clients, and third party VPN clients. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess.

Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management.

The new unified server role for DirectAccess and RRAS provides a single point of configuration and management for remote access server deployment. Windows Server 2012 includes the following improvements over Windows 7 DirectAccess and RRAS.

  • DirectAccess and RRAS coexistence
  • Simplified DirectAccess Deployment
  • Removal of public key infrastructure (PKI) deployment as a DirectAccess prerequisite
  • Built-in NAT64 and DNS64 support for accessing IPv4-only resources
  • Support for DirectAccess server behind a NAT device
  • Simplified network security policy
  • Load balancing support
  • Support for multiple domains
  • NAP integration
  • Support for OTP (token based authentication)
  • Automated support for force tunneling
  • IP-HTTPS interoperability and performance improvements
  • DirectAccess manage-out to clients support
  • Multisite support
  • Support for Server Core
  • Windows PowerShell support
  • User monitoring
  • Server operations status
  • Diagnostics
  • Accounting and reporting
  • Site-to-site IKEv2 IPsec tunnel mode VPN

So there are a lot of changes. Maybe the most important update is that there is no longer a need for Forefront UAG to be able to do the cool stuff with DA. Actually, one of the design goals was to rule out UAG. If you are already using UAG and want to migrate from UAG to DA on Windows Server 2012, click here.

 

How does it work?

First of all, the client needs to determine if it is running on the CorpNet or outside of the safe boundaries, the internet. To determine that, it tries to connect to a Network Location Server (NLS). The NLS is a server that runs a website. DA configuration makes sure that the NLS is not reachable from the internet, so if a client is able to connect to the NLS, the client knows that it is located in the CorpNet. If the client is not able to connect to the NLS, it tries to connect to the CorpNet using DA.

The settings that the client needs to connect to the CorpNet using DA are configured using Group Policies in Active Directory. The GPOs are created by the DA installation wizard. There are several ways to access the CorpNet. Important to remember is that the client does not need an IPv6 address; it will get one in the DA tunnel.

1. If the client has a public IPv4 address, it will use 6to4.

2. If the client is behind a NAT device that allows the Teredo port, it will use Teredo.

3. If the client is behind a NAT device that does not allow the Teredo port, it will use IPHTTPS.

The initial connection is authenticated with digital certificates, as Active Directory is not good enough on the internet. The initial authentication only authenticates the client computer; the user is authenticated by Active Directory.

All traffic between the client computer and the CorpNet is encrypted by means of IPSec. IPSec is native in IPv6.

 

Speaking about IPv6: your applications need to support IPv6, as that is the only way they can connect to a server service through DA. Outlook, for example, works perfectly. The Lync 2010 client does not. This is fixed in Lync 2013, by the way.

That’s all for now… Part 2 covers deployment scenarios as well as the prerequisites for implementing DA.

What if Windows Update fails…

Hi,

Just this morning I tried to run Windows Update on a Windows Server 2008 R2 server. Got an error message that Windows didn’t even know itself :)

 

Re-registering the Windows Update components solved the problem.

Just create a little .CMD file using Notepad. Copy the next part into it.

 

=====

rem Remove the update client identity so it is regenerated on the next check-in
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f

rem Stop the Windows Update service before touching its files
net stop wuauserv

rem Keep the old log and download cache for troubleshooting instead of deleting them
move %windir%\windowsupdate.log %windir%\windowsupdate.old.log
move %windir%\SoftwareDistribution %windir%\SoftwareDistribution.old

rem Re-register the Windows Update and signature-checking DLLs (/s = silent)
regsvr32 /s atl.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuapi.dll
regsvr32 /s msxml3.dll
regsvr32 /s mssip32.dll
regsvr32 /s initpki.dll
regsvr32 /s softpub.dll
net start wuauserv

rem Request a new authorization cookie and start a detection cycle right away
wuauclt /resetauthorization /detectnow

=====

Open command prompt as an administrator and run the .CMD file. When it’s finished you should be able to run Windows Update again.


Course 10747 and 10748 (Bootcamp) Lab Guide

Hi, teaching is fun… especially when you get to do a bootcamp about one of the coolest MS products.. this week it’s SCCM 2012 time in Oslo Norway.

To keep track of the labs I made this little spreadsheet about the labs that are used during this course.

SCCM 2012 Bootcamp Lab Guide

10747 Administering SCCM 2012 (lab cells: start page, duration)

| Module | Content                             | Lab A   | Lab B   | Lab C   | VM Set | Total (min) |
|--------|-------------------------------------|---------|---------|---------|--------|-------------|
| 1      | Overview                            | 33, 30m | 46, 30m |         | A      | 60          |
| 2      | Discoveries, Collections, RBAC      | 26, 30m | 39, 30m | 52, 30m | A      | 90          |
| 3      | Client Management                   | 34, 30m | 47, 15m | 59, 30m | A      | 75          |
| 4      | Inventories, Metering, Asset Intel  | 28, 30m | 42, 15m | 56, 15m | B      | 60          |
| 5      | Queries and Reports                 | 19, 30m | 36, 30m |         | C      | 60          |
| 6      | Depl. Packages and Programs         | 43, 60m |         |         | B      | 60          |
| 7      | Depl. Applications                  | 43, 20m | 56, 30m |         | B      | 50          |
| 8      | Depl. Applications Advanced         | 20, 40m | 35, 20m |         | B      | 60          |
| 9      | Depl. Software Updates              | 25, 30m | 54, 30m |         | B      | 60          |
| 10     | Endpoint Protection                 | 24, 30m |         |         | B      | 30          |
| 11     | Depl. Operating Systems             | 30, 45m | 46, 15m | 63, 45m | B      | 105         |
| 12     | Compliance Management               | 30, 30m |         |         | B      | 30          |
| 13     | Mobile Device Management            | 22, 45m |         |         | B      | 45          |
| 14     | Power, WOL and Remote Tools         | 28, 15m | 41, 30m |         | B      | 45          |

10748 Deploying SCCM 2012 (lab cells: start page, duration)

| Module | Content                             | Lab A   | Lab B   | Lab C   | VM Set | Total (min) |
|--------|-------------------------------------|---------|---------|---------|--------|-------------|
| 1      | Overview                            |         |         |         |        |             |
| 2      | Depl. Stand Alone Site              | 36, 30m | 57, 15m | 69, 30m | A      | 75          |
| 3      | RBAC                                | 31, 20m |         |         | B      | 20          |
| 4      | Depl. Multi-site hierarchy          | 34, 15m | 53, 30m | 66, 30m | A      | 75          |
| 5      | Data Repl and Content Mgmt          | 23, 30m | 65, 30m |         | C      | 60          |
| 6      | Depl. Client Agents                 | 56, 45m |         |         | C      | 45          |
| 7      | Maintenance and Monitoring          | 36, 60m |         |         | C      | 60          |
| 8      | Migrating from SCCM 2007            | 37, 30m |         |         | B      | 30          |


Deploying Windows 8: Tools, tools, tools… Dutch

A couple of weeks ago Roel van Bueren and I delivered our famous Windows Deployment session at the NGN Windows Event. This was the last of the three times we delivered it: in Germany, Norway and, this time, the Netherlands.

The slides we used for this talk…

Deploying windows 8 from Alex de Jong
 
the video..
Windows 8 Deployment: Tools, tools, tools with Roel van Bueren
 
Hope you enjoy it.
 
Alex


to Go or not to Go… that is the question.

Hi,

Being a STEP member has its thunder. Last week I received a 32 GB USB 3.0 stick configured with Windows To Go.

This is what Wikipedia says about Windows to Go

Windows To Go is a feature in Windows 8 Enterprise that allows Windows 8 Enterprise to boot and run from mass storage devices such as USB flash drives and external hard disk drives.[1] It is a fully manageable corporate Windows 8 environment.

A good question at this point would be: What are the differences between Windows to Go and the normal version of Windows 8?

Microsoft Technet says this:

Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:

  • Internal disks are offline. To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system the Windows To Go drive will not be listed in Windows Explorer.

In disk management however, you can still assign a drive-letter to local disks. Maybe helpful when you want to perform offline Anti-malware checking.

  • Trusted Platform Module (TPM) isn’t used. When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
  • Hibernate is disabled by default. To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.

This is smart. My laptop, for example, has 24GB of memory, so Hiberfil.sys would fill up my USB drive instantly.

  • Windows Recovery Environment isn’t available. In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
  • Push Button Reset isn’t available. Resetting to the manufacturer’s standard for the computer doesn’t really apply when running a Windows To Go workspace, so the feature was disabled.
  • Store is disabled by default. Apps licensed through the store are linked to hardware for licensing. Since Windows To Go is designed to roam to different host PCs access to the store is disabled. You can enable the store if your Windows To Go workspaces won’t be roaming to multiple PC hosts.

 

So there are a couple of changes made to Windows To Go. Another question at this point would be: why is Windows To Go better than applying a .WIM file to a USB drive and booting Windows from that USB drive?

I asked this question of my friend Stephen Rose, Sr Product Marketing and Community Manager at Microsoft. He works very closely with the Windows Client product team. This was his answer:

 

“Yes there is an issue. If you just copy Win 8 onto a stick, the first time you boot that stick, the software will bond with the hardware. If you try to put the stick into another machine, it will void the license and not work properly. WTG is based on a one to one VL license that allows you to use the WTG stick in multiple machines while staying genuine and compliant.

So in short, if you were to put Windows 8 on a stick, you would need a 2nd device license and it will be bonded to the 1st hardware it sees.  You would need a new stick and license for every machine you plugged into. WTG is licensed for multiple pieces of hardware.

Stephen”

That explains everything. Windows To Go will not bind to the hardware, but, let’s say, to the USB stick.

 

If you want all the sweet info about Windows to Go.. go here

For all Windows 8 info on Technet, there is Springboard: http://technet.microsoft.com/en-us/windows/hh771457.aspx?ocid=wn-tn-sb

Alex


Now online… My Microsoft Techdays Session Videos

http://technet.microsoft.com/nl-nl/video/pki-for-dummies-digital-certificates-made-easy

 

http://technet.microsoft.com/nl-nl/video/direct-access-for-dummies


Behind the scenes at the NGN Windows 2012 / Windows 8 day #dutch

Hi,

Windows Server 2012 and Windows 8 are coming… in fact, at my place they have already arrived. That means the NGN cannot sit still, and naturally there will be a Windows Server 2012/8 day. Location: unknown, date: most likely 20 September… content: almost ready. Below is the list of speakers confirmed so far and their topics:

  • Erwin Derksen: Dynamic Access Control
  • Ruben Spruijt: to be determined
  • Erik den Braver: to be determined
  • Peter Noorderijk: Hyper-V 3.0
  • Raymond Comvalius: Windows 8 deep dive, UE-V, Restore Image
  • Jeff Wouters: PowerShell 3.0
  • Sander Berkhouwer: Group Policies
  • Roel van Bueren and myself: Windows Deployment

 

Sounds good, right??

 

Alex


Comic Sans day

Today is Comic Sans day in the Netherlands..

So what I hear you think…

And you are right…


Interviewing Mark Russinovich about Windows Azure, Sysinternals, Zero Day and Trojan Horse.

Hi,

Ladies and Gentlemen, we’ve got him: @markrussinovich, and we had a great time talking about his work for Microsoft, Sysinternals and, of course, his two novels Zero Day and Trojan Horse.

It is always great to have a chat with the man whose favorite tool is Zoomit, because you can make drawings with it in the airplane when you’re bored. :) But he is also the man responsible for Process Monitor, Process Explorer, Autoruns and all those other tools that sysadmins cannot live without.

During one of his sessions last week at TechEd Europe 2012, Mark showed this movie about his upcoming novel “Trojan Horse”.

More info on Trojan Horse is found here

And.. while you are here anyway.. why not watch the Case of the Unexplained session from Teched US right now?

oh.. and finally… “When in doubt, run Process Monitor”

Alex
