Archive for the ‘Uncategorized’ Category

Cert Publisher’s

February 7th, 2012 richardk No comments

Recently I was implementing a new PKI on a customer’s site.

They had a single forest with 6 child domains. Some of the domains dated back to 2000, and so the “Cert Publisher’s” group was defined as a Global Group.
We need to add the computer accounts of the issuing CAs to the Cert Publisher’s group in each child domain, and so need the group to have the “domain local” group scope.
I used the following script to complete this, as it is not possible to change within the GUI of “Active Directory Users and Computers”:

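' Bind to the Cert Publishers group in the child domain
Set grp = GetObject("LDAP://CN=Cert Publishers,CN=Users,DC=sub,DC=example,DC=com")
' Global -> Universal security group (0x80000008)
grp.Put "groupType","-2147483640"
grp.SetInfo
' Universal -> Domain Local security group (0x80000004)
grp.Put "groupType","-2147483644"
grp.SetInfo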
Changing the DC=sub for each domain

Save the above in a .vbs file and run within an elevated command prompt.

Regards,
RichardK
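
The same two-step scope change, run across every domain in the forest with the ActiveDirectory PowerShell module. This is an added example, not the script from the post; it assumes the RSAT ActiveDirectory module is installed and that the account has rights to modify the group in each domain.

```powershell
# Added example (not the post's script). Assumes the RSAT ActiveDirectory
# module and rights to modify the group in every domain of the forest.
Import-Module ActiveDirectory

function Convert-CertPublishersScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Defaults to every domain in the current forest
        [string[]]$Domain = (Get-ADForest).Domains
    )
    foreach ($d in $Domain) {
        # Pin one DC per domain so the second change sees the first
        $dc    = (Get-ADDomain -Server $d).PDCEmulator
        $grp   = Get-ADGroup -Identity 'Cert Publishers' -Server $dc
        $scope = [string]$grp.GroupScope

        # AD refuses Global -> DomainLocal directly; go via Universal,
        # which is what the two groupType writes in the post do.
        if ($scope -eq 'Global' -and
            $PSCmdlet.ShouldProcess("$d\Cert Publishers", 'Global -> Universal')) {
            Set-ADGroup -Identity $grp -GroupScope Universal -Server $dc
            $scope = 'Universal'
        }
        if ($scope -eq 'Universal' -and
            $PSCmdlet.ShouldProcess("$d\Cert Publishers", 'Universal -> DomainLocal')) {
            Set-ADGroup -Identity $grp -GroupScope DomainLocal -Server $dc
        }

        # Report the resulting scope and member count for review
        $after = Get-ADGroup -Identity $grp.DistinguishedName -Server $dc -Properties member
        New-Object psobject -Property @{
            Domain  = $d
            Scope   = [string]$after.GroupScope
            Members = $after.member.Count
        }
    }
}

Convert-CertPublishersScope -WhatIf   # dry run; drop -WhatIf to apply
```

The Global to Universal step fails if the group is itself a member of another Global group, so check the reported error per domain rather than assuming all conversions succeeded.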

Hyper-V Toolkit

February 6th, 2012 steveh No comments

The following TechNet Wiki link contains a number of very useful tools for Hyper-V; some of my favourites:

  • Core Configurator 2.0 – makes configuring Server Core or Hyper-V Server much easier
  • Disk2VHD – for creating VHDs from physical disks – very useful for the new Host Profile feature in VMM 2012 :)
  • Wim2VHD – in a similar vein to the above, if you have already captured your Server image to a .WIM, this tool will convert it to a VHD
  • nvspcrub – useful tool to remove virtual network configuration from the management partition

Many more tools can be found at the following LINK

Cheers
SteveH

Categories: Uncategorized Tags:

System Center Advisor Released – Proactive Server Configuration Management

January 26th, 2012 steveh No comments

Today, Microsoft announced the general availability of System Center Advisor (formerly Microsoft codename ‘Atlanta’) enabling IT Professionals to proactively avoid server configuration problems by assessing static, runtime and operational data to identify potential issues that cause outages or poor performance.

System Center Operations Manager is great at alerting you to server issues as they happen, enabling you to quickly respond – but what if you could actually prevent server configuration problems before they ever impact your server’s performance or availability?

Read more HERE

Cheers
SteveH

Hyper-V 3.0 Evens the Odds with vSphere

January 22nd, 2012 steveh No comments

Re-post from; http://www.windowsitpro.com/content1/tabid/57/catpath/virtualization/topic/windows-server-8-hyperv-30-evens-odds-vsphere-140573

At the recent Windows Server Workshop at the Microsoft campus in Redmond, Washington, Jeff Woolsey, Principal Program Manager Lead for Windows Virtualization in the Windows Server and Cloud division, presented the new features in the next version of their Hyper-V virtualization platform. In the introduction to the workshop, Jeffrey Snover, Distinguished Engineer and the Lead Architect for the Windows Server Division, made the bold statement that with Microsoft it’s the third release where Microsoft really gets it right, and with regard to what Microsoft demonstrated in the next version of Hyper-V this is definitely true. The upcoming Hyper-V 3.0 release that’s included in the next version of Windows Server has closed the technology gap with VMware’s vSphere.

Hyper-V 3.0 Scalability

The days when Hyper-V lagged behind VMware in terms of scalability are a thing of the past. The new Hyper-V 3.0 meets or exceeds all of the scalability marks that were previously VMware-only territory. Hyper-V 3.0 hosts support up to 160 logical processors (where a logical processor is either a core or a hyperthread) and up to 2 TB RAM. On the VM guest side, Hyper-V 3.0 guests will support up to 32 virtual CPUs with up to 512 GB RAM per VM. More subtle changes include support for guest NUMA where the guest VM has processor and memory affinity with the Hyper-V host resources. NUMA support is important for ensuring scalability increases as the number of available host processors increase.

Multiple Concurrent Live Migration and Storage Live Migration

Perhaps more important than the sheer scalability enhancements are the changes in Live Migration and the introduction of Storage Live Migration. Live Migration was introduced in Hyper-V 2.0 which came out with Windows Server 2008 R2. While it filled an important hole in the Hyper-V feature set it wasn’t up to par with the VMotion capability provided in vSphere. Live Migration was limited to a single Live Migration at a time while ESX Server was capable of performing multiple simultaneous VMotions. In addition, vSphere supported a similar feature called Storage VMotion which allowed a VM’s storage to be moved to new locations without incurring any downtime. Hyper-V 3.0 erases both of these advantages. Hyper-V 3.0 supports multiple concurrent Live Migrations. There are no limits to the number of concurrent Live Migrations that can take place with Hyper-V 3.0. In addition, Hyper-V 3.0 also provides full support for Storage Live Migration where a virtual machine’s files (the configuration, virtual disk and snapshot files) can be moved to different storage locations without any interruption of end user connectivity to the guest VM.

Microsoft also threw in one additional twist that vSphere has never had. Hyper-V 3.0 has the ability to perform Live Migration and Storage Live Migration without the requirement of a shared storage on the backend. The removal of this requirement really helps bring the availability advantages of Live Migration to small and medium sized businesses that can’t afford a SAN or don’t want to deal with the complexities of a SAN. The ability to perform Live Migration without requiring shared storage really sets Hyper-V apart from vSphere and will definitely be a big draw – especially for SMBs that haven’t implemented virtualization yet.

VHDX, ODX, Virtual Fiber Channel & Boot from SAN

Another important enhancement with Hyper-V 3.0 was the introduction of a new virtual disk format called VHDX. The new VHDX format breaks the 2TB limit that was present in the older VHD format and pushes the maximum size of the virtual disk up to 16 TB per VHDX. The new format also provides improved performance, support for larger block sizes and is more resilient to corruption.

Hyper-V 3.0 also supports a feature called Offloaded Data Transfer (ODX). ODX enables Hyper-V to take advantage of the storage features of a backend shared storage subsystem. When performing file copies on an ODX enabled SAN the OS hands off all of the data transfer tasks to the SAN, providing much higher file copy performance with zero to minimal CPU utilization. There is no special ODX button. Instead ODX works in the backend. ODX requires the storage subsystem to support ODX.

Companies that use fiber channel SANs will appreciate the addition of the virtual Fiber Channel support in the Hyper-V guests. Hyper-V 3.0 guests can have up to four virtual fiber channel host bus adapters. The virtual HBAs appear in the VMs as devices very like virtual NICs and other virtual devices. Hyper-V VMs will also be able to boot from both fiber channel and iSCSI SANs.

Extensible Virtual Switch & NIC Teaming

In keeping par with the sweeping changes in Hyper-V’s compute capabilities and storage, Microsoft also made some significant enhancements to Hyper-V’s networking capabilities. First, they updated the virtual switch that’s built into the Hyper-V hypervisor. The new virtual switch has a number of new capabilities, including multi-tenant capability as well as the ability to provide minimum and maximum bandwidth guarantees. In addition to these features the new virtual switch is also extensible. Microsoft provides an API that allows capture, filter and forwarding extensions. To ensure the high quality of these virtual switch extensions Microsoft will be initiating a Hyper-V virtual switch logo program.

Another overdue feature that will be a part of Windows Server 8 is the built-in ability to provide NIC teaming natively in the operating system. VMware’s ESX Server has provided NIC teaming for some time. Prior to Windows Server 8 you could only get NIC teaming for Windows via specialized NICs from Broadcom and Intel. The new NIC teaming works across heterogeneous vendor NICs and can provide support for load balancing as well as failover.

The Magic Number 3

As Jeffrey Snover pointed out, three does seem to be the magic number – at least for Hyper-V. Hyper-V 3.0 brings Microsoft’s virtualization on par with VMware’s vSphere. Businesses that are just getting into virtualization or those businesses that may be balking at VMware’s latest price increases will find Hyper-V to be a very cost effective and highly competitive alternative.

Diskpart during an OSD Task Sequence

January 13th, 2012 steveh No comments

Whilst at a customer recently I had a requirement to run a ‘Diskpart /Clean’ at the start of a task sequence to remove any encryption on the drive, in this case McAfee. I have done this several times in the past however always hit a few niggles so thought I would blog to refer to in the future :)

The easiest way to do this is to perform the following;

  1. Mount your Windows PE image(s) to a directory
  2. Create a text file called ‘CleanPartitions.txt’ (for argument’s sake), with the following content;
    • Select Disk 0
    • Clean
  3. Copy this text file to ‘<Mounted Folder>\Windows\System32’ (again, for argument’s sake)
  4. Commit the mounted folder back to the .WIM

In your task sequence, before the standard ‘Format and Partition Disk’ phase, perform the following;

  1. Add a ‘Run Command Line’ task
  2. In the ‘Command Line:’ text area, type;
    • diskpart.exe /s "%windir%\system32\CleanPartitions.txt"
  3. Disable 64-bit file redirection
  4. Save the task sequence

This should now run successfully and remove any encryption on the drive :)

It is worth noting that this will only work in a Lite-touch situation as you will need to either PXE-boot or use bootable media. There is a solution that McAfee have released that allows you to perform this end-to-end in a Zero-Touch situation that I will blog about soon.

Cheers

SteveH
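
The four image-preparation steps above, scripted with DISM. This is an added example, not part of the original post; the `$Wim` and `$Mount` paths and the image index are hypothetical and need adjusting to your own boot image.

```powershell
# Added example. $Wim, $Mount and the index are hypothetical values.
$Wim   = 'C:\Images\boot.wim'
$Mount = 'C:\Mount\WinPE'

function Invoke-Dism {
    # Run dism.exe with the given arguments and stop on any failure
    & dism.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 1: mount the Windows PE image
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Invoke-Dism /Mount-Wim "/WimFile:$Wim" /Index:1 "/MountDir:$Mount"

try {
    # Steps 2 and 3: write the diskpart script into the image as plain ASCII text
    Set-Content -Path "$Mount\Windows\System32\CleanPartitions.txt" `
                -Encoding ASCII -Value 'Select Disk 0', 'Clean'

    # Step 4: commit the change back to the .WIM
    Invoke-Dism /Unmount-Wim "/MountDir:$Mount" /Commit
}
catch {
    # Leave the original image untouched if anything went wrong
    & dism.exe /Unmount-Wim "/MountDir:$Mount" /Discard
    throw
}
```

The script targets disk 0 unconditionally, so on hardware with more than one disk confirm the enumeration order before adding the step to a task sequence.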

Hyper-V 3.0 Feature Glossary

January 10th, 2012 steveh No comments

Excellent tabular list of new and upcoming features in Hyper-V 3.0 with Server 8

http://aidanfinn.com/?p=11979

Cheers,
SteveH

App-V 4.5 – “…unable to create the required IIS virtual directory”

January 8th, 2012 steveh No comments

Had an issue recently whilst trying to remediate an App-V 4.5 management server. Another website had been installed which had overwritten the Default Web Site that App-V was using for its management web service on the Management Server, thus the admin console would not connect. The management server was running on Server 2008 R2 and IIS 7.

After relocating the additional website, I removed and reinstalled IIS making sure I selected the following two additional features (which are required);

  • IIS6 Management Compatibility
  • IIS Management Scripts and Tools

I then attempted to run the installer again but got the same error. After checking IIS the Default Web Site had not been created after reinstalling. I re-created this website (making sure I used the exact name – ‘Default Web Site’) and re-ran the installer which succeeded.

It transpires that the 4.5 installer is hard coded to use the Default Web Site :)

Cheers,

SteveH

Ever wondered what risual support services do???

December 15th, 2011 alun No comments

I think this infographic really demonstrates what an amazing service they deliver…no wonder they get great feedback and customer loyalty…

AD RMS – Changing Certification Pipeline to use SSL after initial install

December 15th, 2011 Ashley Moore No comments

Just a quick post showing how to change the certification pipeline to use SSL after initial install not choosing to secure the URL. This may be the case if you need to request a certificate after initial set up or are waiting on a third party certificate, or just change your mind! The steps to do this are outlined below:

1. Open IIS on the AD RMS server and edit the bindings; add a binding for HTTPS, selecting the certificate to use and making sure the name matches your cluster URL.

2. Remove the HTTP binding from the list and do an IISRESET.

3. Close and reopen the AD RMS console and ensure in the centre console both URLs are using HTTPS.

4. If the SCP has already been published in Active Directory you will need to re-publish it so that clients discover the new HTTPS certification pipeline.

Good Luck!

Ash

Lync Mobile client for Windows Mobile 7

December 12th, 2011 neilc 2 comments

So, this week sees the release of the Lync mobile client for a number of different phone OS’ kicking off with the client for Windows Mobile 7.

We were keen to get going with this and as such had prepared our Lync environment on Friday so we could get the clients installed and working first thing this morning – and good news, it all works like a charm.

I have been through MS’ mobility document and this blog aims to give you the information you need to get this working, it doesn’t however, detail any of the sizing calculations you will need to think about when enabling Lync mobility services.

1.1 DNS

To facilitate the Lync 2010 mobility client both internal and external DNS records are required.

The following table details the records required:

Table 1 – Lync Mobility A record DNS requirements – Internal

| FQDN | IP Address / Details |
| --- | --- |
| LyncDiscoverInternal.internaldomain.com | FE Server / FE Pool / Director Pool (VIP of HLB if used) |

Table 2 – Lync Mobility A record DNS requirements – External

| FQDN | IP Address / Details |
| --- | --- |
| LyncDiscover.externaldomain.com | External IP of Reverse Proxy |

Note: These records are required for each SIP domain you use.

1.2 Certificates

The certificates bound to the internal Lync Server as well as the Reverse Proxy will need amending to accept connections on the names listed above. The following names need adding to the SAN field of the internal and external certificates.

 

Internal – Lyncdiscoverinternal.internaldomain.com

External – Lyncdiscover.externaldomain.com

Note: A wildcard certificate can be used on TMG (Reverse Proxy) in place of a SAN certificate

1.3 Lync Server Updates

A pre-requisite to the installation of the Lync 2010 Mobility pack is the installation of the Cumulative Update 4 (CU4) released in November 2011 which can be found here:

http://go.microsoft.com/fwlink/?LinkID=208564.

1.3.1 Set Mobility Service ports

Once the above update has been installed we need to set the firewall ports used by the mobility service for both the internal and external web services. The following commands detail how to complete this exercise.

 

Internal Web Services:

Set-CsWebServer -Identity "FESERVER01.internaldomain.com" -McxSipPrimaryListeningPort 5086

External Web Services:

Set-CsWebServer -Identity "FESERVER01.internaldomain.com" -McxSipExternalListeningPort 5087

To publish the changes:

Enable-CsTopology

Once the ports have been set and CU4 has been installed you can install the Lync Mobility pack, found here: http://www.microsoft.com/download/en/details.aspx?id=28356

1.4 Configure Reverse Proxy

To create a web publishing rule for the external Autodiscover URL on MS TMG use the following (taken directly from the MS guide)

1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.

2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.

3. On the Welcome to the New Web Publishing Rule page, type a display name for the new publishing rule (for example, LyncDiscoveryURL).

4. On the Select Rule Action page, select Allow.

5. On the Publishing Type page, select Publish a single Web site or load balancer.

6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.

7. On the Internal Publishing Details page, in Internal Site name, type the fully qualified domain name (FQDN) of your Director pool (for example, lyncdir01.contoso.local). If you are creating a rule for the external Web Services URL on the Front End pool, type the FQDN of the Front End pool (for example, lyncpool01.contoso.local).

8. On the Internal Publishing Details page, in Path (optional), type /* as the path of the folder to be published, and then select Forward the original host header.

9. On the Public Name Details page, do the following:

· Under Accept Requests for, select This domain name.

· In Public Name, type lyncdiscover.<sipdomain> (the external Autodiscover Service URL). If you are creating a rule for the external Web Services URL on the Front End pool, type the FQDN for the external Web Services on your Front End pool (for example, lyncwebextpool01.contoso.com).

· In Path, type /*.

10. On Select Web Listener page, in Web Listener, select your existing SSL Listener with the updated public certificate.

11. On the Authentication Delegation page, select No delegation, but client may authenticate directly.

12. On the User Set page, select All Users.

13. On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.

14. In the Forefront TMG list of web publishing rules, double-click the new rule you just added to open Properties.

15. On the To tab, do the following:

· Select Forward the original host header instead of the actual one.

· If your deployment has a Front End pool, select Requests appear to come from the original client. If your deployment has a single Front End Server or Standard Edition server, select Requests appear to come from the Forefront TMG computer.

16. On the Bridging tab, configure the following:

· Select Web server.

· Select Redirect requests to HTTP port, and type 8080 for the port number.

· Select Redirect requests to SSL port, and type 4443 for the port number.

17. Click OK.

18. Click Apply in the details pane to save the changes and update the configuration.

19. Click Test Rule to verify that your new rule is set up correctly.

 

1.5 Configure Push Notification

Microsoft phones and iPhones can make use of Push rather than Pull notification; push notifications enable events and messages to be delivered even when the device is inactive. Push notifications work via a cloud-based Lync Server and as such you need to create a federation relationship to facilitate the delivery of notifications etc.

To configure Push, run the following from the Lync Management Shell:

New-CsHostingProvider -Identity "LyncOnlineFederation" -Enabled $True -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification

New-CsAllowedDomain -Identity "push.lync.com"

To enable Push, run the following from the Lync Management Shell:

Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $True -EnableMicrosoftPushNotificationService $True

Set-CsAccessEdgeConfiguration -AllowFederatedUsers $True

Good luck and Merry Xmas

NeilC
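
A check for the DNS records (section 1.1) and certificate names (section 1.2) described in the post above: it resolves each discovery name, reads the certificate the endpoint presents and confirms the name is covered by a SAN entry or a wildcard. This is an added example, not part of the original post; the host names are the post's placeholders, and the SAN parsing assumes the English Windows text format returned by `X509Extension.Format()`.

```powershell
# Added example. Host names are the post's placeholders; SAN parsing assumes
# the English Windows format ("DNS Name=...") from X509Extension.Format().
function Test-LyncDiscoverEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 443
    )
    $r = New-Object psobject -Property @{
        Fqdn = $Fqdn; Addresses = ''; SanNames = @()
        NameCovered = $false; NotAfter = $null; Error = ''
    }
    $tcp = $null
    try {
        # 1. DNS: the A record from section 1.1 must resolve
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString }) -join ','

        # 2. TLS: accept any certificate here, the aim is to read it, not trust it
        $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.NotAfter = $cert.NotAfter

        # 3. SAN (OID 2.5.29.17): section 1.2 requires the discovery name here
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $r.SanNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        foreach ($n in $r.SanNames) {
            if ($n -eq $Fqdn) { $r.NameCovered = $true }
            # A wildcard entry covers exactly one left-most label
            elseif ($n.StartsWith('*.') -and $Fqdn.Contains('.') -and
                    $Fqdn.Substring($Fqdn.IndexOf('.')) -eq $n.Substring(1)) {
                $r.NameCovered = $true
            }
        }
    }
    catch   { $r.Error = $_.Exception.Message }
    finally { if ($tcp) { $tcp.Close() } }
    $r
}

'LyncDiscoverInternal.internaldomain.com', 'LyncDiscover.externaldomain.com' |
    ForEach-Object { Test-LyncDiscoverEndpoint -Fqdn $_ }
```

Run the internal name from inside the network and the external name from outside it, since each record only exists in its own DNS zone.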
