Category archive: Windows Server 2012

Certificate Authority – Certificate with Subject Alternative Name – Web Server Template STATUS Unavailable

If you are using a local Certificate Authority, more often than not there is a need to enroll a certificate with a Subject Alternative Name. But when we open the Certificates MMC snap-in, the only template we can use to request a certificate is Computer.


The workaround for this problem is quite simple: we just need to grant the server's computer account the right to enroll certificates using the Web Server template.

Assign Web Server Template to Computer Account

1. Log on to the Certificate Authority server and open Certificate Authority management.

2. Click on Certificate Templates and from the Action menu select Manage.

3. Next find Web Server and from the context menu select Properties.

4. In the Security tab add the computer account (remember to select the object type Computers) and assign Read and Enroll rights.


Now the assigned computer has the right to enroll a certificate using the Web Server template.
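The Web Server template takes the subject and the alternative names from the request, so every account with Enroll on it can obtain a certificate for any DNS name it chooses. The following added example (not part of the original post) reads the template object from Active Directory and lists who holds that right; it assumes a domain-joined machine and the default template name WebServer.

```powershell
# Added example: who can enroll in the Web Server template, and does the requester choose the names?
# Assumes an account that can read the AD Configuration partition.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$anyRight    = [guid]::Empty                                  # ACE not limited to one extended right

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit 0x1 of msPKI-Certificate-Name-Flag means subject and SAN are supplied in the request.
$nameFlag = [int]$template.psbase.Properties['msPKI-Certificate-Name-Flag'].Value
"Subject supplied in request: $(($nameFlag -band 1) -eq 1)"

$adRights = [System.DirectoryServices.ActiveDirectoryRights]
$rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Keep Allow ACEs that grant Enroll, all extended rights, or Full Control.
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        (($_.ActiveDirectoryRights -band $adRights::ExtendedRight) -and
         ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $anyRight)) -or
        (($_.ActiveDirectoryRights -band $adRights::GenericAll) -eq $adRights::GenericAll)
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference
```

The list should contain only the administrative groups and the individual computer accounts added in step 4, not broad groups such as Domain Computers or Authenticated Users.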

Generate Certificate for computer using Web Server Template with Subject Alternative Name

1. Now let’s get back to the computer that needs the certificate with a Subject Alternative Name and open the Certificates MMC snap-in for the computer account.


2. Let’s Request new Personal Certificate


3. Now we will be able to Select Web Server Template and configure its properties.


4. The bare minimum we need to fill is:

    Common name (CN=) – The default Name of Computer

    DNS (DNS Name=) – All the Subject Alternative Names You need.


And the last thing is to assign the certificate to the bindings and restart IIS.
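The same request can be made from PowerShell, which also makes it easy to check what the CA actually issued. This is an added example, not part of the original post; the extra host names are constructed placeholders, and the binding step assumes a site called Default Web Site that already has an https binding without a certificate.

```powershell
# Added example: request a Web Server certificate with SANs, then verify it before binding.
# Run elevated on the server that needs the certificate (Windows Server 2012 or later).
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dnsNames = @($fqdn, 'www.corp.example', 'intranet.corp.example')   # placeholders

$result = Get-Certificate -Template 'WebServer' -SubjectName "CN=$fqdn" `
    -DnsName $dnsNames -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Certificate was not issued (status: $($result.Status))" }
$cert = $result.Certificate

# The SAN extension (OID 2.5.29.17) must list every requested name.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Issued certificate has no Subject Alternative Name extension' }
$sanText = $sanExt.Format($false)
$missing = $dnsNames | Where-Object { $sanText -notmatch "=$([regex]::Escape($_))(,|$)" }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# The EKU must include Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if (-not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Issued certificate is not valid for Server Authentication'
}

"Issued $($cert.Thumbprint), valid until $($cert.NotAfter)"
$sanText

# Assign the certificate to the https binding and restart IIS.
Import-Module WebAdministration
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')
iisreset
```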

Cheers,

Maciej Jędryszek

Microsoft Windows Server – Certificate Authority – Install, Locate and Migrate

A properly configured and maintained Certificate Authority will help you a great deal with certificate management in your Active Directory environment. It can on many occasions save money on public certificates and provide security within AD.

!! If you are migrating a CA between servers, start with point 2 and then get back to point 1 🙂

1. Install Certificate Authority (CA)

1.1 Active Directory Certificate Authority is the first role on the list (impossible to miss). Just open Server Manager and add the role.

1.2 From my personal experience it is always good to install the Certificate Authority Web Enrollment feature. Of course you can use certutil and the Certificate Authority MMC, but sometimes it is easier and faster to use Web Enrollment to generate a certificate using the template you select. This feature requires IIS.

1.3 Go back to Server Manager and, from the information flag, start the post-deployment configuration.

1.4 Proceed with Configuration wizard.

1.4.1 Provide the CA role services account.

1.4.2 Select Certificate Authority for configuration and, if you installed it, Certificate Authority Web Enrollment.

1.4.3 Specify the CA type. In this example, since we are providing it within CA, we select Enterprise CA.

1.4.4 Specify the CA level, in this scenario Root CA.

1.4.5 This step is very important and depends on whether you are migrating a Certificate Authority or performing a fresh installation.

If this is a new CA, just select Create a new private key.

If you are migrating a CA and plan to restore a previously created backup, select Use existing private key and Select a certificate and use its previously issued certificates when reinstalling CA, and go to point 1.4.7.

New CA

1.4.6 Provide the cryptography options and certificate name (usually Hostname-CA), validity period and folder path, and skip to point 1.4.9.

Restore CA

1.4.7 Import Certificate Backup and provide certificate authentication

1.4.8 Select imported certificate and finish the configuration wizard.

1.4.9 Now your CA should be available. Check it by opening the Certificate Authority MMC and also see if Cert Web Enrollment is accessible: http://<server_fqdn>/certsrv (http://localhost/certsrv/)

2. Backup Certificate Authority for Migration

2.1 Open the Certificate Authority MMC

2.2 From the context menu select All Tasks -> Back up CA


2.3 Select Private key and CA certificates as well as Certificate database and certificate database log

2.4 Provide access password.

2.5 Export CA configuration – open regedit and export whole Configuration key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

2.6 Uninstall the Active Directory Certificate Authority role from the server
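The backup and registry export steps above can also be scripted, which helps when the result has to be checked before the role is uninstalled. This is an added example, not part of the original post; D:\CA-Backup is a hypothetical path. The backup contains the CA private key, so the folder is restricted before anything is written to it.

```powershell
# Added example: scripted CA backup and registry export, run elevated on the old CA.
$backupDir = 'D:\CA-Backup'   # hypothetical path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The backup holds the CA private key (.p12): allow only Administrators and SYSTEM.
icacls $backupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Private key, CA certificate, database and log. certutil prompts for the password,
# so it is not left in the command history.
certutil -backup $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# CA configuration from the registry.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' (Join-Path $backupDir 'CertSvc.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Do not uninstall the role unless both the key file and the database were written.
$p12 = Get-ChildItem $backupDir -Filter *.p12
$edb = Get-ChildItem (Join-Path $backupDir 'DataBase') -Filter *.edb
if (-not $p12 -or -not $edb) { throw 'Backup is incomplete: .p12 or .edb file is missing' }

# Record SHA-256 hashes so the copy on the new server can be compared after transfer.
$hashes = Get-ChildItem $backupDir -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $hash = (certutil -hashfile $_.FullName SHA256)[1] -replace ' ', ''
    '{0}  {1}' -f $hash, $_.FullName
}
$hashes | Set-Content (Join-Path $backupDir 'SHA256SUMS.txt')
```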

3. Locate Certificate Authority server

Open elevated command prompt and type (don’t miss double minus)

certutil -config - -ping

You will get a popup with the list of CAs in the domain and the corresponding host names.

Cheers

Maciek Jędryszek

Quick Guide – Migration Exchange 2007 on Windows 2003 to Exchange 2013 on Windows 2012 R2 – Part 2

This part covers how to migrate PF and remove the old Exchange from Active Directory. This can sometimes be tricky, so please pay attention to which server you should be on, as there is some juggling.

!!! Sometimes I will put variables in the Shell examples, e.g. <FQDN of source server>; remember to replace them according to your environment.

1.Migrate Public Folders

1.1 Take the time to check out the TechNet information about this part, which you can find HERE

1.2 Download the migration scripts from HERE:

1.3 Prepare the migration files

1.3.1 Copy all the scripts to C:\PFMigration on Exchange 2007

1.3.2 Open Management Shell on Exchange 2007

Create Folder Name to folder size Mapping.

– Export original Public Folder Structure

Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

– Export Public Folder item count size and owners

Get-PublicFolderStatistics | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

– Export Public Folder Permission

Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

– If the name of a public folder contains a backslash \, the public folders will be created in the parent public folder when migration occurs. Before you migrate, we recommend that you rename any public folders that have a backslash in the name.

Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like "*\*"}}

* If You are using this Guide for Exchange 2010 to Exchange 2013 Migration check appropriate script in Technet (Step2 Point 2a)

– If any public folders are returned, you can rename them by running the following command

Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

– Make sure there isn’t a previous record of a successful migration (Command Should Return False in both fields)

Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete

1.3.3 Still on Exchange 2007 machine

– Create the folder name-to-folder size mapping file.

.\Export-PublicFolderStatistics.ps1 PF_Statistic.csv <FQDN of source server>

1.3.4 Log on to the Exchange 2013 Management Console

– Copy PF_Statistic.csv from the Exchange 2007 machine to C:\PFMigration on Exchange 2013 and change to this folder in the Management Shell.

.\PublicFolderToMailboxMapGenerator.ps1 5GB PF_Statistic.csv PF_Folder2Mailbox.csv

*Max Size is 25GB

1.3.5 Create mailboxes to store Public Folders on Exchange 2013 Shell

TIP: I prefer to store Public Folders in a separate Mailbox Database and name the Public Folder Mailboxes according to their content. So if you would like to set it up like me, just create a new Mailbox Database (e.g. PF_Database) and rename the mailbox name in PF_Folder2Mailbox.csv and in the New-Mailbox command (e.g. PF_Mailbox1). For the purpose of this guide I will leave the names as created by the Microsoft-provided scripts.

New-Mailbox -PublicFolder Mailbox1 -HoldForMigration:$true

You can specify the name and mailbox database by adding -Database <Mailbox Database Name> and -Server <FQDN of source server>

1.3.5 Now start the migration. Remember to be aware of which server you are on, and also that Public Folders will now be unavailable for users.

Exchange 2013 Shell

Start Migration request

New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <FQDN of source server>) -CSVData (Get-Content PF_Folder2Mailbox.csv -Encoding Byte)

– Check Migration State

Full

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | fl

Brief

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics | Select Name,Status

If the state is AutoSuspended, do the following

Exchange 2007 Shell

Lock Folders for Migration

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

Exchange 2013 Shell

Resume Migration Task

Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false

Resume-PublicFolderMigrationRequest \PublicFolderMigration

– Check Migration State

Full

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | fl

Brief

Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics | Select Name,Status

Now be patient. The state should change to InProgress; wait until you see the state as Completed.

1.3.6 Test and Unlock the Public Folder

Assign new Public Folder Mailbox to test user

Set-Mailbox -Identity <Test User Mailbox> -DefaultPublicFolderMailbox mailbox1

Log on to the test user mailbox via OWA or Outlook and test the folders. See if you can manage them and create items.

If everything is OK proceed

Exchange 2013 Shell

Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false

Exchange 2007 Shell

Set-OrganizationConfig -PublicFolderMigrationComplete:$true

2. Remove Exchange 2007 – Everything is now done on Exchange 2007 Shell and UI

This task should be simple. Delete and uninstall everything 🙂

2.1 Check if all mailboxes are migrated to the new server and, if so, delete all the Mailbox Databases from Exchange 2007

Remove-MailboxDatabase -Identity <Mailbox Database Name>

2.2 Remove all OABs from Exchange 2007. Check that the OAB from the new server is assigned.

Remove-OfflineAddressBook -Identity <OAB Name>

2.3 Uninstall Exchange 2007 from the server. From an elevated Command Prompt run

Setup.com /mode:uninstall

Now it is done and you can remove the old server from the domain. I hope this was helpful for some of you.

Cheers.

Maciek Jędryszek

Quick Guide – Migration Exchange 2007 on Windows 2003 to Exchange 2013 on Windows 2012 R2 – Part 1

Scenario is simple. We have one server with Exchange 2007 installed on Windows Server 2003 Standard. We added new server to domain with Windows 2012 Standard R2 to be our new Exchange 2013 Server. The plan is to Install Exchange 2013 and migrate mailboxes from old server. New Server is installed and up to date.

1.Install Prerequisite

1.1 Update Exchange 2007 Server to latest Rollup. Rollup list you can find HERE

1.2 On New Exchange 2013 Server Install:

Unified Communications Managed API 4.0 Runtime

Microsoft Office 2010 Filter Packs

Service Pack 1 for Microsoft Office Filter Pack 2010 (KB2460041) 64-bit Edition

▪ Install required Windows Features and Roles

You can also download my simple PowerShell script that will install all required Roles and Features. Available HERE. It is just a simple example of PS>Install-WindowsFeature. You can read more about it on TechNet.

2.Prepare Domain

2.1 Now let’s prepare Active Directory. Just remember to check the Organization Name. You can do that by running the following command in the Exchange 2007 Server Management Shell.

Get-OrganizationConfig |select Name

2.2 Go to Exchange 2013 server and open command prompt. Insert or mount Exchange 2013 media and go to it.

Use this command to prepare AD; just remember to change the organization name to the appropriate one.

.\setup /PrepareAD /OrganizationName:consto /IAcceptExchangeServerLicenseTerms

3.Install Exchange 2013

3.1 Now it is time to install Exchange 2013. Run setup from the Exchange media and follow the wizard. I think it is good practice to store the Exchange installation and mailboxes on a 2nd partition and logs on a 3rd, just for a clear view.

▪ Accept the License

▪ Don’t use recommended settings

▪ Select Server Roles

▪ Specify the install directory

▪ Disable malware scanning – No

▪ And if no warnings or errors are displayed, install the server. (If you get warnings or errors, refer to the links in the prerequisite check.)

▪ You can now update the Exchange 2013 server, but just in case don’t go further than Exchange Server 2013 Service Pack 1 (SP1 aka CU4). This is quite important and often missed in other guides. CU5 changes IPv6 and may generate communication problems with the old server, especially if you are using Windows 2003 or the implementation takes place in a small environment where the DC is the same server as Exchange. The list of Cumulative Updates for Exchange 2013 can be found HERE.

4.Configure Exchange 2013

4.1 Create an Exchange 2013 admin account. If your current Exchange account has a mailbox on Exchange 2007, you will not be able to connect to ECP using these credentials. That is why you should create a new Exchange admin account, e.g. ExAdm, that will be a member of Exchange Admins and Exchange Organization Administrators.

4.2 Prepare Database Path and Log location – ref. to my previous post

4.3 Setup Virtual Directories External URL – go to ECP -> Servers -> Virtual Directories and setup external URL for each Virtual Directory

▪ Autodiscover

▪ ECP

▪ EWS

▪ Microsoft-Server-ActiveSync

▪ OAB

▪ OWA

4.4 Configure Outlook-Anywhere – go to ECP -> Servers ->Servers -> [Exchange2013ServerName] -> Outlook Anywhere

4.5 Configure Send and Receive Connectors (if there is no major change in your environment you can leave it as it is)

4.6 Configure certificates (if you are using another CA (local or public), replace the self-signed certificate with the appropriate one and assign it to the services)

New-ExchangeCertificate – generate request

▪ If You are using local CA generate certificate using request and Web Server template

Import-ExchangeCertificate – import new certificate

Enable-ExchangeCertificate – assign services

4.6 At this point we should have an environment with 2 Exchange servers within the same organization. This is the time to start thinking about migration. First let’s migrate the Administrator account to Exchange 2013 (if your admin already has a mailbox on Exchange 2007; otherwise use another account to test the environment). I’m choosing the admin account because I don’t want to test it on a new clean mailbox, and the admin account is one mailbox that usually contains just spam and some reports (nothing major, at least in my case).

4.7 Create a migration batch. Go to ECP -> Recipients -> Migration.

▪ Add user to Migration

▪ Name migration Batch

▪ Specify the destination mailbox database

▪ Specify who will receive the migration report

▪ Run the migration batch

And wait until it is finished. By default there is zero tolerance for bad items, but if your mailbox is corrupted, browse the corrupted items and either save them via Outlook or accept their loss and run the migration batch with an appropriate bad item limit.

4.8 Log in to OWA first and see if everything is OK. Then start Outlook and, if asked, reopen it.

4.9 If everything is OK, congratulations, you can now create a new batch with more users.

5.END of Part 1

Things that are still on the schedule are Public Folder migration (this can be tricky, since in Exchange 2013 Public Folders are way different and have evolved into Public Folder Mailboxes) and removing Exchange 2007 from the old server. I will cover this in Part 2.

If you encounter any problems, please let me know and I will try to help if I can.

Cheers,

Maciek