Tuesday, March 29, 2011

More Alphabet Soup - MCITP: Virtualization Administrator

Last Friday I passed the 70-669 TS: Windows Server 2008 R2, Desktop Virtualization exam with a score of 943.  I don't know why it took me so long to get around to this one, but with this exam I now hold the MCITP: Windows Server 2008 R2, Virtualization Administrator credential.


I add this to my other MCITP certifications - MCITP: Enterprise Administrator, MCITP: Enterprise Messaging Administrator, and MCITP: Enterprise Messaging Administrator 2010.  All this makes for a very busy looking business card, but it's worth the hard work!

I didn't do much studying for this exam.  I've done a number of POCs and demos of App-V, Med-V and Windows 7 XP mode, so I wasn't expecting much difficulty.  It helps to have written the Hyper-V Unleashed book, too.  :)

Wednesday, March 23, 2011

Protect Your Windows Computer from Fraudulent Certificates

Today it was revealed that a serious security breach occurred at Comodo, a trusted certificate provider.  The breach appears to have come from Iran and several "high value certificates" were obtained.

These X.509 certificates include:
  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • "Global Trustee"
To stop your Windows computers (PCs and servers) from trusting these certificates, download and install Microsoft Security Advisory 2524375 (KB2524375), Fraudulent Digital Certificates Could Allow Spoofing, as soon as possible.  The installation takes only a minute and does not require a restart.

KB2524375 updates both the Computer's and User's Untrusted Certificates list to include the compromised certificates.

Here's what the list looks like before the update:


And here's what it looks like after the update:


Please take a minute to update your computers now.  This update is also being pushed out through Windows Update as I write this.
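If you would rather confirm the result from a console than from the certificate MMC screenshots, here is an added check (my code, not part of the original post).  It assumes Windows PowerShell with the Cert: provider (Windows 7 / Server 2008 R2 and later) and looks for the host names from the advisory in both Untrusted Certificates stores that KB2524375 populates.  A certificate in the Untrusted store is rejected outright, so this block works even on machines that cannot reach Comodo's revocation servers; the thumbprints it prints are whatever is on the local machine, since the script does not carry them.

```powershell
# Added example, not from the original post: verify that the fraudulent Comodo
# certificates are present in the Untrusted Certificates stores after KB2524375.
# Assumes the Cert: PowerShell provider. Host names are the ones the advisory lists.
$fraudulentSubjects = @(
    'login.live.com', 'mail.google.com', 'www.google.com',
    'login.yahoo.com', 'login.skype.com', 'addons.mozilla.org', 'Global Trustee'
)

function Test-FraudulentCertBlocked {
    param(
        # Both stores the update touches: the computer's and the current user's.
        [string[]]$Stores = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')
    )
    foreach ($store in $Stores) {
        $untrusted = @(Get-ChildItem -Path $store)
        foreach ($name in $fraudulentSubjects) {
            # Match on the Subject; login.yahoo.com should produce three hits.
            $hits = @($untrusted | Where-Object { $_.Subject -match [regex]::Escape($name) })
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $name
                Count      = $hits.Count
                Blocked    = ($hits.Count -gt 0)
                Thumbprint = ($hits | ForEach-Object { $_.Thumbprint }) -join ','
            }
        }
    }
}

# Any row with Blocked = False means the update has not landed for that store yet.
$results = Test-FraudulentCertBlocked
$results | Format-Table Store, Subject, Count, Blocked -AutoSize
if ($results | Where-Object { -not $_.Blocked }) {
    Write-Warning 'One or more of the fraudulent certificates are missing from the Untrusted store. Install KB2524375.'
}
```

Run it once as a normal user (for the CurrentUser store) and once elevated (for LocalMachine); a server that has never had the update installed shows zero hits in both.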

The Teched 2011 Bag!

Here it is, folks!  The coveted Microsoft TechEd bag for 2011.  Finally we have an answer to that age old question: What if a backpack and a Shar-Pei had a baby?

Looks like it's soft and comfortable with LOTS of storage space.  But what will you do with all that space since your iPad takes so little of it?

Monday, March 21, 2011

A New Certified Master, I Will Be

I mentioned in an earlier article that I began the application process to enter the Microsoft Certified Master: Exchange Server 2010 program.  Well, I'm very happy to say that I was accepted to the program today!

With this acceptance, I've decided to blog the entire experience (or at least as much as my NDA and time will allow).  This will let folks who are interested know what to expect if they want to pursue the same prestigious certification.

Once I confirmed that I met all the prerequisites, I began the application process on March 7, 2011 by completing the online application, supplying my MCP transcript, and paying the non-refundable US $125 application fee.

On March 10th, I was confirmed by the MCM program that I met the prerequisites.  A Microsoft Partners ID and workspace was created for me to upload my resume, two sample project documents, and a single page document describing my experience and "deep technical understanding of Exchange".    The workspace was created, but I had to email the MCM team to let them know I had signed in before I could upload my content.  Once this was submitted to the MCM workspace and I marked the content as "Ready for review", I waited.

There are three other MCMs who I work with at ExtraTeam.  All three of them had grueling telephone interviews at this point, so this is what I was anxiously waiting for.  Today, March 21st, I received an ominous email saying, "Thank you for submitting your application. Please view the attachment for the final results of your application to the Microsoft Certified Master Program."  Uh-oh.  No phone interview and they already made their decision.  That's not good.  But opening the attached PDF file I was happy to see, "Congratulations! You have passed all the required pre-requisites and have been accepted into the program."

Here's a diagram that shows the MCM application process:


So that has you caught up to where I am today, aside from actually finalizing my registration (and paying the $18,500).  Now all that's left is the hard part -- going through the MCM program.  My rotation will run June 6 - 25, 2011.  Can't wait!

Disabling a User in AD Does Not Disable the User In Lync

It's quite common for companies to disable user accounts in Active Directory, rather than delete them, when a user leaves the company.  This allows other IT staff and managers to access that user's data and email after they are gone.

However, disabling a user account in Active Directory does not immediately disable the user from using Lync.  This is due to the way that Lync performs authentication and, depending on several factors, could result in a disabled user accessing Lync for up to nearly 6 months!  Obviously, this is important to understand since you don't want disabled users to access internal resources or make Enterprise Voice calls.

The purpose of this article is to explain how and why this happens and how to successfully disable a Lync user's account immediately without having to delete the user account from AD.

Lync Server 2010 uses several methods of authentication: Kerberos, NTLM, and certificate-based.  Kerberos is the default authentication method, and successful authentication results in the client receiving a Kerberos ticket that is good for 10 hours (the default domain ticket lifetime).  Kerberos is used when users access Lync Server from inside the domain.  NTLM is used from other locations, such as remote access from the Internet through the Lync Edge servers.


If the user authenticates using one of these two methods and selects the Save my password check box (shown above), the Lync server generates an X.509 certificate for the user.  Lync publishes the certificate to the Lync RTC database and distributes it, along with the private key, to the user's Personal certificate store on the local computer.  The certificate expires 180 days after it is issued and is used for subsequent authentication of that user from that computer.  An example of the OCS-signed certificate from the user's Personal certificate store is shown below:


Certificate authentication is convenient and speeds up the sign-in process significantly, but it means that Lync doesn't check the AD user account to see if it's disabled.  If a disabled user signs into Lync using certificate authentication, they will still have access to all Lync features including IM, web conferencing and Enterprise Voice until the certificate expires.

The certificate(s) used by a Lync user can be viewed from the Lync Management Shell using the Get-CsClientCertificate cmdlet.  For example,

Get-CsClientCertificate sip:username@domain.com
will display all the certificates stored in the RTC database for that user.  If the user has run Lync from three different computers, there will be three certificates listed for the user, as shown below:


Remote users with a valid client certificate can continue to sign in and access Lync until their certificate expires, regardless of whether their account is disabled or not.

You can revoke a certificate using the Revoke-CsClientCertificate cmdlet in the Lync Management Shell, but this will not affect users who are currently signed into Lync.  For domain computers, the user will be able to use Lync until their Kerberos ticket expires (up to 10 hours).  Remote users using certificate authentication will remain signed in until they sign out, the Lync server is restarted, or their certificate expires (up to 180 days).

To prevent a user (enabled or disabled) from using Lync, you must disable their Lync account using the Lync Control Panel or the Lync Management Shell, as shown below:


 


To disable the Lync user account using the Management Shell, run the following cmdlet:
Disable-CsUser sip:user@domain.com
Note that it may still take a few minutes for a signed-in user to become disconnected, however they will be unable to access any Lync features, such as new IM, web conferencing, or Enterprise Voice calls immediately.  If they happen to be in an IM session or web conference when their Lync account is disabled, they can continue until they disconnect.  Likewise, if they are in a voice call when their Lync account is disabled, the call will continue until the call ends.  The Lync client for the disabled user will display the following:

 


Thanks to Tom Pacyk for sharing this with me while he was at Microsoft Certified Master: Lync  Server training.
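The sequence the article describes (look at the client certificates, revoke them, then disable the Lync account so the Kerberos and certificate paths are both cut off) is easy to script so it runs as part of a leaver process rather than as an afterthought.  The block below is an added example, my code rather than anything from the original post, and it assumes the Lync Server 2010 Management Shell cmdlets named above plus the ActiveDirectory RSAT module; the SIP address is a placeholder.  One caveat worth knowing before you copy the Disable-CsUser line from the post into a script: Disable-CsUser removes all of the Lync attributes (SIP address, pool assignment, policies) from the AD account, which is what you want for a permanent removal but not for an account you may need to re-enable.  Set-CsUser -Enabled $false, which is what "Temporarily disable for Lync Server" in the Control Panel does, is the reversible form, so the example uses that.

```powershell
# Added example, not from the original post: offboard a Lync 2010 user immediately.
# Assumes the Lync Server Management Shell (Get-CsUser, Get-CsClientCertificate,
# Revoke-CsClientCertificate, Set-CsUser) and the ActiveDirectory module.
Import-Module ActiveDirectory

function Disable-LyncUserNow {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SipAddress,          # placeholder, e.g. sip:user@domain.com
        [switch]$DisableADAccount     # also disable the AD account
    )

    # Fail early if the address is not Lync-enabled.
    $user = Get-CsUser -Identity $SipAddress -ErrorAction Stop

    # 1. List every client certificate Lync has issued for this user (one per
    #    computer where "Save my password" was ticked): each is a 180-day bypass of AD.
    $certs = @(Get-CsClientCertificate -Identity $SipAddress)
    Write-Host ("{0}: {1} client certificate(s) in the RTC database" -f $user.DisplayName, $certs.Count)

    # 2. Revoke them. This blocks new certificate sign-ins from remote clients; a client
    #    that is already signed in keeps its session until it signs out.
    if ($certs.Count -gt 0 -and $PSCmdlet.ShouldProcess($SipAddress, 'Revoke-CsClientCertificate')) {
        Revoke-CsClientCertificate -Identity $SipAddress
    }

    # 3. Disable the Lync account. This is what actually cuts off signed-in clients within
    #    minutes, whether they authenticated with Kerberos, NTLM or a certificate.
    #    Set-CsUser -Enabled $false keeps the SIP attributes; Disable-CsUser strips them.
    if ($PSCmdlet.ShouldProcess($SipAddress, 'Set-CsUser -Enabled $false')) {
        Set-CsUser -Identity $SipAddress -Enabled $false
    }

    # 4. Optionally disable the AD account as well. On its own this does NOT stop Lync
    #    access (the point of the article), which is why steps 2 and 3 come first.
    if ($DisableADAccount -and $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user.DistinguishedName
    }

    # Return the post-change state for the ticket or audit trail.
    Get-CsUser -Identity $SipAddress | Select-Object DisplayName, SipAddress, Enabled
}

# Usage (placeholder address): preview with -WhatIf, then run for real.
# Disable-LyncUserNow -SipAddress 'sip:user@domain.com' -DisableADAccount -WhatIf
# Disable-LyncUserNow -SipAddress 'sip:user@domain.com' -DisableADAccount
```

Because every destructive step goes through ShouldProcess, the -WhatIf run shows exactly which certificates would be revoked and which account would be disabled before anything changes.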

Lync and Forefront Added to Microsoft Core CAL Suite!

Microsoft is updating the Core Client Access License Suite (Core CAL Suite) to include Lync Server 2010 and Forefront Endpoint Protection.


Beginning August 1, 2011 (the beginning of Microsoft's fiscal year),  Lync Standard CAL and Forefront Endpoint Protection will move to Core CAL Suite.  Previously these products lived on the Enterprise CAL “Step Up”, and made up part of the Enterprise Suite stack.  Organizations who have Software Assurance on their Core CAL as of August 1st, will have access to the new features.


You can expect to see moderate price increases to Core CAL, but Microsoft will not release final details until the August 1st price list is out.  It is anticipated that with discounts to the E-CAL Step Up, the full E-CAL Suite stack will be roughly the same cost as today.

Current Core CAL customers with Software Assurance (SA) as of August 1st can choose to sign an “Early Use Rights Amendment” that will allow them to utilize the new features today at no additional cost.  Contact your Microsoft licensing vendor for more details.

SoftChoice, a Microsoft Gold Licensing partner, put together a great document and FAQ about the new changes.  You can download it here.

Tuesday, March 15, 2011

Lync 2010 and Microsoft Office Compatibility

The following table describes the Lync 2010 features that are supported by various versions of Office.

Feature                                                               | Microsoft Office 2003 with SP3 | Microsoft Office 2007 | Microsoft Office 2010
--------------------------------------------------------------------- | ------------------------------ | --------------------- | ---------------------------
Presence status in the Microsoft Outlook To and Cc fields             | Appears on hover               | Always shown          | Always shown
Reply with conference call from the Presence menu                     | No                             | Yes                   | Yes (from the contact card)
Presence status in a Meeting Request on the Scheduling Assistant tab  | No                             | Yes                   | Yes
Reply with IM, or call from the toolbar or ribbon in a received email | No                             | Yes                   | Yes
Presence status in the Outlook From field                             | Yes                            | Yes                   | Yes
Reply with IM or voice from the Presence menu                         | Yes                            | Yes                   | Yes (from the contact card)
IM and presence in Microsoft Word and Excel files (smart tags enabled)| Yes                            | Yes                   | Microsoft Word only
IM and presence in Microsoft SharePoint sites (Outlook must be installed) | Yes                        | Yes                   | Yes

The following features are available only with Office 2010 and Lync:
  • New contact card with expanded options, such as video call and desktop sharing
  • Quick search from the Find a Contact field in Outlook
  • Reply with an IM or call from the Outlook Home ribbon in the Mail, Calendar, Contacts, and Tasks folders
  • Lync Contacts list in Outlook To-Do Bar
  • Office Backstage (File tab) presence status, application sharing, and file transfer
  • Presence menu in Microsoft Office SharePoint Workspace 2010 (formerly Microsoft Office Groove 2007)
  • Presence menu extensibility
Thanks to VoIPNorm for the link to Lync 2010 and Microsoft Office Compatibility.

Friday, March 11, 2011

Download These Lync Adoption and Training Materials


The Lync Adoption and Training Downloads contains a variety of user education and training resources for Microsoft Lync, including What's New articles and videos, Quick Start Guides, Work Smart Guides, Short Videos, and Training PowerPoint Presentations.

There's some really good content in here for end-users!  Download the training downloads from Microsoft here.

Thursday, March 10, 2011

How to manually move the ISTG role to another server

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. One domain controller per site holds the Inter-Site Topology Generator (ISTG) role, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.

If you have more than one site, the ISTG in each site is the DC responsible for creating the <automatically generated> inter-site connection objects on that site's bridgehead servers, which you can see in Active Directory Sites and Services, as shown below (connections between DCs within a single site are created by each DC's own KCC):


The ISTG role is fairly "sticky".  The first domain controller promoted in a site takes on the ISTG role, and the role does not change as additional domain controllers are added to the site.  If the current ISTG becomes unavailable for 60 minutes, an election is held by the other DCs in the site to appoint a new ISTG.  This can sometimes cause problems for Active Directory replication. 

Consider the following scenario. Your domain contains two sites, SiteA and SiteB.  Each site has two DCs for redundancy and high availability - DC1 and DC2 in SiteA, and DC3 and DC4 in SiteB.  If both sites are connected to each other using DC1 and DC3 and those servers happen to be the ISTG servers for the two sites, it will take over 60 minutes to create new automatic connections if either of those two servers becomes unavailable.  To overcome this, manually move the ISTG to another server.  Here's how to do it.
  1. Open ADSIEDIT.msc
  2. Expand Configuration [DomainController].
  3. Expand CN=Configuration,DC=<domain>,DC=<com>.
  4. Expand CN=Sites.
  5. Highlight CN=<sitename> for the site where you want to change the ISTG Server.
  6. In the details pane, right-click on CN=NTDS Site Settings and select Properties.
  7. Locate the interSiteTopologyGenerator attribute and you will see which Domain Controller is designated as the ISTG server.
  8. To change the server, click Edit and then change the server name, as shown below.
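The ADSI Edit steps above boil down to one attribute write, so here is the same change as an added PowerShell example (my code, not from the original post).  It assumes the ActiveDirectory RSAT module and an account that can write to the Configuration partition (Enterprise Admins by default); the site and DC names are placeholders.  The value of interSiteTopologyGenerator is the distinguished name of the new ISTG's NTDS Settings object, and the script refuses to write anything else, because pointing the attribute at a DC that does not exist in the site leaves the site without a working ISTG until the 60-minute failover described above kicks in.

```powershell
# Added example, not from the original post: read and move the ISTG role by editing the
# interSiteTopologyGenerator attribute on the site's "NTDS Site Settings" object.
# Assumes the ActiveDirectory module; SiteA / DC2 are placeholders.
Import-Module ActiveDirectory

function Get-Istg {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC" `
                                 -Properties interSiteTopologyGenerator
    # The value is the DN of the ISTG's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=domain,DC=com
    $siteSettings.interSiteTopologyGenerator
}

function Set-Istg {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$DCName   # short server name, e.g. DC2
    )
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $siteSettings = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $ntdsSettings = "CN=NTDS Settings,CN=$DCName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"

    # Sanity check: the target must be a DC that really lives in this site.
    $target = Get-ADObject -Identity $ntdsSettings -ErrorAction Stop
    if ($target.ObjectClass -ne 'nTDSDSA') { throw "$ntdsSettings is not an NTDS Settings object" }

    $current = Get-Istg -SiteName $SiteName
    if ($current -eq $ntdsSettings) {
        Write-Host "$DCName is already the ISTG for $SiteName"
        return
    }

    if ($PSCmdlet.ShouldProcess($siteSettings, "interSiteTopologyGenerator: $current -> $ntdsSettings")) {
        Set-ADObject -Identity $siteSettings -Replace @{ interSiteTopologyGenerator = $ntdsSettings }
    }
}

# Usage (placeholders): show, move, then confirm with repadmin, which reads the same attribute.
# Get-Istg -SiteName SiteA
# Set-Istg -SiteName SiteA -DCName DC2 -WhatIf
# Set-Istg -SiteName SiteA -DCName DC2
# repadmin /istg          # lists the ISTG for every site
# repadmin /kcc DC2       # run the new ISTG's KCC now rather than waiting for its 15-minute cycle
```

After the write, the new ISTG starts updating the attribute on its own schedule and the old one stops, so there is nothing to undo on DC1; re-running Get-Istg a few minutes later is the confirmation that the role has actually moved.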

I'm surrounded by really smart people

Here in ExtraTeam's Microsoft practice, I'm fortunate to work in a tight group of really smart people.  Our staff has credentials that rival only a very few very large consulting companies.  This makes our collaborative work environment über cool without any pretentiousness or rivalry.  In today's business climate, that's a real differentiator.

My manager, Mike Sneeringer, is one of those rare double Microsoft Certified Masters - He's an MCM in both Exchange and OCS.  Keif Machado is an Exchange MCM and Tom Pacyk just became a Lync Server MCM this morning!  Together, we're certified on nearly two dozen Microsoft technologies and have numerous professional certifications including MCITPs, TS's, MVP, MCSE, MCSA, and CISSP.  That doesn't even count all the smart folks on the Cisco side of the business.

I've entered into the Exchange MCM application process this week, myself, and plan to blog about the experience as it goes.  Wish me luck!

Tuesday, March 8, 2011

Multiple Email Disclaimers Based on Sent From Address

Using Exchange 2010 Hub Transport rules, you can configure multiple email disclaimers based on the sender's email address.  This is useful if you manage an Exchange organization comprised of two or more companies, say companyabc.com and companyxyz.com.  Here's how you configure it, step-by-step:
  • From the Exchange Management Console, expand Microsoft Exchange > Microsoft Exchange On-Premises > Organization Configuration
  • Click Hub Transport and then the Transport Rules tab.
  • Click New Transport Rule in the Actions pane and configure the new rule as follows.

Provide a name and description for the new companyabc.com rule.

Enable the condition, "when the sender's properties contain specific words" and then click the blue properties contain specific words hyperlink to configure them.

Choose email from the Property dropdown box and enter the company's email domain (i.e., companyabc.com) as the value.  Then click OK.

Click Next to configure the actions.

Select append disclaimer text and fallback to action if unable to apply.  Then click the blue disclaimer text hyperlink to edit the text.

Enter the disclaimer text for CompanyABC and click OK.  The rest of these procedures configure an optional exception.  The exception prevents the disclaimer from being appended on future replies so that the disclaimer is only added once.

Select except when the Subject field or message body contains specific words.  Then click the blue specific words hyperlink to edit the words.

Enter some unique words from a portion of the disclaimer, click Add and OK.

Click Next to complete the hub transport rule.
Click New to create the new companyabc.com disclaimer.
  • Repeat the steps above for companyxyz.com.
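If you have more than two companies, or want the rules in source control, the same configuration can be created from the Exchange Management Shell.  The block below is an added example (my code, not from the original post) for the Exchange 2010 SP1 shell.  It makes a few assumptions worth calling out: the domain names, disclaimer text and marker phrases are placeholders; the sender test uses -FromAddressMatchesPatterns, a regular expression on the From address, rather than the EMC "sender's properties contain specific words" condition used above; and -FromScope InOrganization restricts each rule to authenticated internal senders, so a message arriving from the Internet with a spoofed @companyabc.com From address does not get Company ABC's disclaimer stamped on it.  The exception on a unique phrase from the disclaimer mirrors the optional step above and keeps the text from piling up on every reply.

```powershell
# Added example, not from the original post: one disclaimer transport rule per company,
# created with New-TransportRule in the Exchange 2010 SP1 Management Shell.
# Domains, text and marker phrases are placeholders.
$disclaimers = @(
    @{ Domain = 'companyabc.com'
       Text   = 'This message is from Company ABC and may contain confidential information. ...'
       Marker = 'This message is from Company ABC' },   # unique phrase for the exception
    @{ Domain = 'companyxyz.com'
       Text   = 'This message is from Company XYZ and may contain confidential information. ...'
       Marker = 'This message is from Company XYZ' }
)

function New-CompanyDisclaimerRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][hashtable]$Rule,
        [int]$Priority = 0
    )
    $name = "Disclaimer - $($Rule.Domain)"
    if (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue) {
        Write-Warning "$name already exists; skipping"
        return
    }
    # Anchor the pattern so "user@companyabc.com.evil.example" cannot match.
    $pattern = '@' + [regex]::Escape($Rule.Domain) + '$'

    if ($PSCmdlet.ShouldProcess($name, 'New-TransportRule')) {
        New-TransportRule -Name $name `
            -Comments "Append the $($Rule.Domain) disclaimer once per thread" `
            -Priority $Priority `
            -FromScope InOrganization `
            -FromAddressMatchesPatterns $pattern `
            -ApplyHtmlDisclaimerLocation Append `
            -ApplyHtmlDisclaimerText $Rule.Text `
            -ApplyHtmlDisclaimerFallbackAction Wrap `
            -ExceptIfSubjectOrBodyContainsWords $Rule.Marker
    }
}

$priority = 0
foreach ($d in $disclaimers) {
    New-CompanyDisclaimerRule -Rule $d -Priority $priority
    $priority++
}
Get-TransportRule | Where-Object { $_.Name -like 'Disclaimer - *' } |
    Format-Table Name, Priority, State -AutoSize
```

Note that the regex matches the exact domain only; if a company also sends from sub-domains such as mail.companyabc.com, widen the pattern to '@(.+\.)?companyabc\.com$' for that entry.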


Monday, March 7, 2011

How to Remove Windows 7 / Server 2008 R2 Service Pack 1 Backup Files

So you've updated your Windows 7 and Windows Server 2008 R2 computers with Service Pack 1 (SP1), and everything is running great.  You've tested your applications and haven't run into any compatibility issues, so now you'd like to delete the Service Pack 1 backup files.  Here's how to do it.
Note: The Service Pack Backup Files allow you to uninstall SP1, rolling the operating system back to RTM.  Once the backup files are deleted, you can no longer roll the system back.  Make sure you have given enough time to ensure that the system is behaving properly with SP1 before deleting the backup files.
The process of deleting the Service Pack backup files is the same in both Windows 7 and Windows Server 2008 R2.  Deleting the SP1 backup files will reclaim about 540MB on the system drive for Windows 7, and about 1.3GB for Windows Server 2008 R2.
  • Click the Start button and type cleanup in the search bar to run the Disk Cleanup utility.
  • Scroll through the list of Files to Delete, and select Service Pack Backup Files, as shown below:

  • Click OK to delete the Service Pack 1 backup files.  This will take a few moments.
As noted in the comment below, you can also remove the Service Pack backup files using the following command from the command line:
DISM /Online /Cleanup-Image /SPSuperseded
I typically run a disk defragmentation cycle after the SP1 backup files have been removed, since this is a fairly large amount of data to remove.
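For anyone scripting this across a fleet, here is the DISM command wrapped with the two checks you want before throwing away the rollback data: that SP1 is actually installed and that the prompt is elevated, plus a before/after free-space measurement so the run log shows what was reclaimed.  This is an added example, my code rather than anything from the original post, and it assumes Windows 7 or Windows Server 2008 R2 with the Win32_OperatingSystem and Win32_LogicalDisk WMI classes those systems expose.

```powershell
# Added example, not from the original post: remove the SP1 backup files with DISM
# after confirming SP1 is present and the session is elevated, and report the space reclaimed.
function Remove-ServicePackBackup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Drive = $env:SystemDrive)   # e.g. C:

    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.ServicePackMajorVersion -lt 1) {
        throw "Service Pack 1 is not installed on $($os.Caption); nothing to remove."
    }
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'DISM needs an elevated prompt.'
    }

    $freeSpace = { (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'").FreeSpace }
    $before = & $freeSpace

    # After this runs, SP1 can no longer be uninstalled (see the note above).
    if ($PSCmdlet.ShouldProcess($Drive, 'DISM /Online /Cleanup-Image /SPSuperseded')) {
        & dism.exe /Online /Cleanup-Image /SPSuperseded
        if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
    }

    $after = & $freeSpace
    New-Object PSObject -Property @{
        Drive       = $Drive
        ReclaimedMB = [math]::Round(($after - $before) / 1MB)
        FreeAfterGB = [math]::Round($after / 1GB, 1)
    }
}

# Usage: preview, then run.
# Remove-ServicePackBackup -WhatIf
# Remove-ServicePackBackup
```

Expect ReclaimedMB in the region the post quotes (roughly 540 MB on Windows 7 and 1.3 GB on Server 2008 R2); a value near zero on a machine that does have SP1 usually means the backup files were already removed.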

Friday, March 4, 2011

Lync Tools: Stress and Performance Tool and Capacity Calculator

Microsoft released two new Lync Server 2010 tools to help you in your deployments.

The Microsoft Lync Server 2010 Capacity Calculator is a spreadsheet that estimates the server hardware required for a deployment based on information the admin supplies about the number of users, types of communication, and expected traffic.  It includes a Microsoft Word document explaining the tool and how to use it.



The Lync Server 2010 Stress and Performance Tool (LSS) can be used to prepare, define and validate performance targets for the user scenarios offered by an on-premises Lync Server 2010 deployment.  LSS includes multiple modules and can simulate simultaneous users on one or more Lync Servers.


Both of these tools will be instrumental in any successful Lync deployment.