Anonymous Relay on Exchange 2010

To configure anonymous relay in Exchange 2010 I had to create a receive connector on the Hub Transport server and run a PowerShell command.
Anonymous relay is restricted to individual IP addresses in this scenario.
The process is described in the following article: http://technet.microsoft.com/en-us/library/bb232021.aspx
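As an added example (not the post's own commands), the following Exchange Management Shell script creates a receive connector whose RemoteIPRanges is limited to the named hosts, grants the relay right to anonymous sessions on that connector only, and then reads the connector back so you can confirm the source range is not 0.0.0.0-255.255.255.255. The connector name, server name and application-server addresses are assumed values.

```powershell
# Added example: anonymous relay restricted to specific source IPs (Exchange 2010 EMS).
$connectorName = "Anonymous Relay"                     # assumed connector name
$hubServer     = "HUB01"                               # assumed Hub Transport server
$allowedHosts  = @("192.168.10.25", "192.168.10.26")   # constructed: the only hosts allowed to relay

# Create the connector bound to port 25 but scoped to the listed source addresses.
# Exchange picks the connector with the most specific RemoteIPRanges match, so this
# does not conflict with the Default connector that also listens on 0.0.0.0:25.
New-ReceiveConnector -Name $connectorName -Server $hubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $allowedHosts `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# Allow anonymous senders on this connector to relay to non-accepted domains.
Get-ReceiveConnector "$hubServer\$connectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Check: the connector must list only the intended hosts, never the whole IPv4 range.
Get-ReceiveConnector "$hubServer\$connectorName" |
    Select-Object Name, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List
```

If the final listing shows a RemoteIPRanges entry covering all addresses, the server is an open relay for anyone who can reach port 25; tighten the range before leaving the connector enabled.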
Posted in Microsoft Server

Monitoring non-domain members with SCOM 2007 R2

To monitor non-domain members I had to do the following:
  1. Add the CA’s certificate to the Trusted Root Certification Authorities store on both the RMS and the Monitored server.
  2. Create a certificate for both the RMS and monitored server with OIDs of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication) and use the FQDN as the Name and Friendly Name for each certificate.
  3. Install the created certs on the RMS and monitored servers.
  4. Run MOMCertImport on the RMS to import the RMS server's certificate into SCOM, then restart the System Center Management service on the RMS.
  5. Do a manual SCOM agent install on the target monitored server and install any applicable CUs.
  6. Run MOMCertImport on the target server to import its certificate for SCOM use, then restart the System Center Management service.
  7. Approve the manual agent installation from the Pending Installations section of Administration in the SCOM console.
  8. Create a Run As account for an account which has administrative access on the target server. Specify servername\account as the account name to create it as a local account.
  9. Edit the profile for the Default Action Account to specify the created account as the Action Account for the target monitored server, which should now appear in the list of servers.
Some important notes:
  • The server must have an FQDN, so if it is in a workgroup add a domain suffix manually.
  • The server being monitored must be able to resolve the FQDN of the SCOM server. If no DNS servers are specified, add a HOSTS file entry for the SCOM server.
  • MomCertImport /remove can be used to remove installed SCOM certificates.
  • Syntax of MOMCertImport is as follows:
momcertimport /subjectname <fqdn of cert> OR
momcertimport <full path to pfx for cert>
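Before running MOMCertImport it is worth checking that the certificate you created actually satisfies steps 1 to 3 above. The script below is an added example, not part of the post: it looks up the machine's FQDN, finds the certificate in the local computer personal store whose subject is exactly that FQDN, and reports whether both required EKU OIDs are present, whether the private key is available, and whether the chain validates against the trusted roots (which is what step 1 provides). It assumes the certificate was installed into Cert:\LocalMachine\My.

```powershell
# Added example: verify a certificate meets the SCOM certificate-authentication requirements.
$fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$requiredEkus = @("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")   # Server Auth, Client Auth

# Pick the newest certificate whose subject is exactly CN=<fqdn>.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with subject CN=$fqdn found in Cert:\LocalMachine\My"
    return
}

# Extract the Enhanced Key Usage extension (OID 2.5.29.37) and list its OIDs.
$ekuExt      = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$presentEkus = @()
if ($ekuExt) { $presentEkus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
$missingEkus = $requiredEkus | Where-Object { $presentEkus -notcontains $_ }

# Summarise: every field should be "as expected" before MOMCertImport is run.
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey          # MOMCertImport needs the private key
    MissingEkus   = ($missingEkus -join ",")     # empty string means both OIDs present
    ChainTrusted  = $cert.Verify()               # false if the CA cert is not in Trusted Roots
}
```

A missing EKU or a false ChainTrusted value is the usual reason the agent shows up in the console but never reports a heartbeat, so it is cheaper to catch it here than in the Operations Manager event log.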
Posted in Microsoft Server

Error creating SCOM 2007 R2 SQL Report Model

I had an error when I tried to deploy a report model in Business Intelligence Studio. The error was as follows:
There was an exception running the extensions specified in the config file. ---> System.Web.HttpException: Maximum request length exceeded
The fix was to change <httpRuntime executionTimeout="9000" /> to <httpRuntime executionTimeout="9000" maxRequestLength="16384" /> in web.config under D:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer
The Default Web Site hosting the ReportServer and Reports virtual directories for Reporting Services must be restarted after the web.config change.
NOTE: After this I could deploy the model but could not generate a report based on that model in SCOM because of a datasource1 error. To fix this I had to:
2. Click on “Data Sources” -> “Operations Manager DW”
3. Select “Credentials stored securely in the report server” under “Connect Using:”.
4. Enter <domainname>\<username> as the user name and type the password.
5. Select “Use as Windows credentials when connecting to the data source”.
6. Click Apply.
Posted in Microsoft Server

Install HP ACU on ESX4

To install the HP Array Configuration Utility on ESX4 I did the following:
1. Install the latest HP ProLiant Support Pack for VMware ESX 4.
2. Install HP ACU Web Site (rpm -ivh cpqacuxe-8.50-5.0.noarch.rpm)
3. Install the HP ACU CLI for Linux (rpm -ivh hpacucli-8.50-6.0.noarch.rpm)
4. Start the HP ACU Web Site (cpqacuxe -R)
5. Add a firewall rule (esxcfg-firewall -o 2301,tcp,out,HPACU)
The HP ACU can now be accessed through the HP Systems management home page.
Posted in HP, VMware

Install SCOM 2007 R2 Agent on ESX4

On ESX host:
(Indented lines are optional)
rpm -e scx (To clean up a previous failed installation)
cat /proc/sys/kernel/random/entropy_avail (To view current settings)
dd if=/dev/urandom of=~/.rnd bs=1 count=1024
esxcfg-firewall -o 1270,tcp,in,SCOMAgent
esxcfg-firewall -q (To check rule is in place)
rpm -q scx (To check version of UNIX SCOM Agent)
less /var/opt/microsoft/scx/log/scxcimd.log (To view installation logs)
service scx-cimd status (To view SCOM UNIX Agent Status)
On SCOM RMS server:
Copy scx-host-<servername>.pem from /etc/opt/microsoft/scx/ssl to the RMS server (e.g. the D: drive)
From a command prompt, change directory to \program files\system center operations manager 2007\ on the RMS server
scxcertconfig -sign d:\scx-host-<hostname>.pem d:\scx-host-<hostname>-new.pem
Rename the original file to something else on the ESX host (to keep a backup)
Copy the file scx-host-<hostname>-new.pem to /etc/opt/microsoft/scx/ssl and rename to scx-host-<hostname>.pem
Run /opt/microsoft/scx/bin/tools/scxadmin -restart
Rediscover UNIX host in SCOM Console.
In SCOM Console:
Add UNIX Low Privilege and UNIX High Privilege accounts and add them to the appropriate Profiles (Basic Authentication Accounts). Assign the accounts for use only by particular server/s.
Posted in Microsoft Server, VMware

Enable Client Recovery in DPM 2010

To enable client recovery I had to allow port 6075 inbound on the DPM server's firewall (this should be done automatically when you set up a client protection group in DPM 2010 RTM).
You also have to apply the schema extensions under "End User Recovery" in Options on the DPM server.
See this article for a fix for implementing the schema updates on Windows 2008: http://scdpm.blogspot.com/2009/11/enable-end-user-recover-in-dpm-fails.html
Posted in Microsoft Server

Enable the Mark keys as exportable Option with Windows 2003 Certificate Services

Procedure

In order to allow the private key to be marked as exportable, follow these steps:

  1. Open the Certificate Templates mmc snap-in.
  2. Right-click on the Web Server template and choose Duplicate Template.
  3. Under the General tab, name the template.
  4. Under the Request Handling tab, select Allow private key to be exported and click OK. Close the mmc.
  5. Open the Certification Authority administrative tool (Administrative Tools > Certification Authority).
  6. Right-click the Certificate Templates node, click New > Certificate Template to Issue.
  7. Select the correct template to add (find the template name you created in step 3) and click OK.
  8. The template is now added and should be ready for use.
  9. Open your Web browser and point to the certificate authority server (http://<your-server-name>/certsrv).
  10. Select the correct template to issue (find the template name you added in step 7).
  11. You can see that the option to export the private key is now available.

Posted in Microsoft Server

Configure CA to Issue Certs with SAN (Subject Alternate Names)

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

How to create and submit a certificate request

When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service. The Version 1 Web Server template can be used to request a certificate that will support LDAP over the Secure Sockets Layer (SSL). Version 2 templates can be configured to retrieve the SAN either from the certificate request or from Active Directory. To issue certificates that are based on Version 2 templates, the enterprise CA must be running on a Windows Server 2003, Enterprise Edition-based computer.

When you submit a request to a stand-alone CA, certificate templates are not used. Therefore, the SAN must always be included in the certificate request. SAN attributes can be added to a request that is created by using the Certreq.exe program. Or, SAN attributes can be included in requests that are submitted by using the Web enrollment pages.

How to use Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer.
  2. In Internet Explorer, connect to http://servername/certsrv.

    Note: servername is the name of the Web server that is running Windows Server 2003 and that has the CA that you want to access.

  3. Click Request a Certificate.
  4. Click Advanced certificate request.
  5. Click Create and submit a request to this CA.
  6. In the Certificate Template list, click Web Server.

    Note: The CA must be configured to issue Web Server certificates. You may have to add the Web Server template to the Certificate Templates folder in the Certification Authority snap-in if the CA is not already configured to issue Web Server certificates.

  7. Provide identifying information as required.
  8. In the Name box, type the fully qualified domain name of the server.
  9. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store
  10. Under Advanced Options, set the request format to CMC.
  11. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
    san:dns=dns.name[&dns=dns.name]

    Multiple DNS names are separated by an ampersand (&). For example, if the name of the domain controller is corpdc1.fabrikam.com and the alias is ldap.fabrikam.com, both of these names must be included in the SAN attributes. The resulting attribute string appears as follows:

    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
  12. Click Submit.
  13. If you see the Certificate Issued Web page, click Install this Certificate.
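The text above mentions that SAN attributes can also be added to a request created with Certreq.exe. The script below is an added example, not taken from the article: it writes a certreq .inf that carries the two fabrikam.com names from the example as a SAN extension inside the request body, generates and submits the request, and then reads the CA's EditFlags. Carrying the SAN in the request extension (rather than as a request attribute) means the CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2; that flag makes the CA honour requester-supplied SAN attributes on every template, so any account that can enrol can ask for any name, which is why it is worth checking whether it is set. The Exportable line ties in with the previous post: leave it FALSE unless the key genuinely has to be exported. The CA config string (CA01.fabrikam.com\Fabrikam Issuing CA) and the C:\temp paths are assumed values.

```powershell
# Added example: request a certificate whose SAN is embedded in the request itself.
# Single-quoted here-string so that $Windows NT$ is not interpolated by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corpdc1.fabrikam.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=corpdc1.fabrikam.com&"
_continue_ = "dns=ldap.fabrikam.com"

[RequestAttributes]
CertificateTemplate = WebServer
'@

$caConfig = "CA01.fabrikam.com\Fabrikam Issuing CA"   # assumed CA config string
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Set-Content -Path C:\temp\ldaps.inf -Value $inf -Encoding ASCII

# Generate the request, submit it to the enterprise CA and install the issued certificate.
certreq -new    C:\temp\ldaps.inf C:\temp\ldaps.req
certreq -submit -config $caConfig C:\temp\ldaps.req C:\temp\ldaps.cer
certreq -accept C:\temp\ldaps.cer

# Check: inspect the CA's EditFlags. EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) shown
# here means the CA is accepting arbitrary requester-supplied SAN attributes.
certutil -config $caConfig -getreg policy\EditFlags
```

After `certreq -accept` the issued certificate can be inspected with `certutil -store my` to confirm that both DNS names appear in the Subject Alternative Name extension.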
Posted in Microsoft Server

DHCP Relay for Wireless network through TMG/ISA

For DHCP to work through TMG/ISA, the two DHCP firewall rules need to be configured and enabled, the DHCP Relay Agent in RRAS must point to the address of the internal DHCP server, and the wireless interface must be added to the DHCP Relay Agent so that it listens for requests.

Posted in Microsoft Server

Change Terminal Services Listening Port

Change the PortNumber value under:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
The same key applies on 2003/2008/2008 R2.
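As an added example (not from the post), the script below reads the current PortNumber value, writes the new one as a DWORD, restarts the Terminal Services service so the listener picks up the change, opens the matching inbound firewall rule, and then confirms that something is listening on the new port. The port 3390 and the rule name are constructed values; the netsh advfirewall step applies to 2008/2008 R2 only (Windows 2003 uses the older netsh firewall syntax), and the built-in "Remote Desktop" rule still only covers 3389, so a separate rule is needed.

```powershell
# Added example: change the RDP listener port and verify it.
$key     = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort = 3390   # constructed value for illustration

# Read the current value before changing anything.
$current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
"Current RDP listener port: $current"

# PortNumber is a REG_DWORD; write it as such.
Set-ItemProperty -Path $key -Name PortNumber -Value $newPort -Type DWord

# Allow the new port inbound (2008/2008 R2 syntax); do this BEFORE restarting the
# service on a remote box or you will lose your own session.
netsh advfirewall firewall add rule name="RDP on $newPort" dir=in action=allow protocol=TCP localport=$newPort

# The listener only rebinds after the service restarts (or a reboot).
Restart-Service -Name TermService -Force

# Check: a LISTENING socket on the new port should appear.
netstat -ano | Select-String ":$newPort\s+.*LISTENING"
```

Clients then connect with server:3390; if the netstat check shows nothing, confirm the value was written as a DWORD and that the service actually restarted.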
Posted in Microsoft Server