More Alphabet Soup – MCITP: Virtualization Administrator

Last Friday I passed the 70-699 TS: Windows Server 2008 R2, Desktop Virtualization exam.  I don’t know why it took me so long to get around to this one, but with this exam I now hold the MCITP: Windows Server 2008 R2, Virtualization Administrator credential.

I add this to my other MCITP certifications: MCITP: Enterprise Administrator, MCITP: Enterprise Messaging Administrator, and MCITP: Enterprise Messaging Administrator 2010.  All this makes for a very busy looking business card, but it’s worth the hard work!

Protect Your Windows Computer from Fraudulent Certificates

Today it was revealed that a serious security breach occurred at Comodo, a trusted certificate provider.  The breach appears to have come from Iran and several “high value certificates” were obtained.

These X.509 certificates include:

  • (3 certificates)
  • “Global Trustee”

To protect your Windows computer (PC or server) from trusting these high value certificates, download and install KB2524375 (Microsoft Security Advisory: Fraudulent Digital Certificates Could Allow Spoofing) from Microsoft as soon as possible.  The installation takes only a minute and does not require a restart.

KB2524375 updates both the Computer’s and User’s Untrusted Certificates list to include the compromised certificates.

Here’s what the list looks like before the update:

And here’s what it looks like after the update:

Please take a minute to update your computers now.  This update is also being pushed out through Windows Update as I write this.
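If you manage more than a handful of machines, it is worth confirming that the update actually landed rather than trusting the screenshots.  The following PowerShell script is an added example, not part of the original post: it checks whether KB2524375 is installed and then looks in both Untrusted Certificates stores (the Disallowed store in the Cert: drive, which is what certmgr.msc labels “Untrusted Certificates”) for the revoked subjects.  Only “Global Trustee” is named on this page; the other subject names must be filled in from the advisory, so the list is a placeholder.

```powershell
# Added example (not from the original post): verify KB2524375 and the Untrusted Certificates stores.
# Works on Windows 7 / Server 2008 R2 with PowerShell 2.0; no extra modules required.
$KbId = 'KB2524375'
# Only "Global Trustee" is named on this page; add the remaining subjects from the advisory.
$ExpectedSubjects = @('Global Trustee')

# 1. Is the hotfix installed?
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} installed on {1}" -f $KbId, $hotfix.InstalledOn
} else {
    "{0} is NOT installed (check Windows Update or install it manually)" -f $KbId
}

# 2. Did the update populate the Untrusted Certificates lists?
#    The Computer list is Cert:\LocalMachine\Disallowed, the User list is Cert:\CurrentUser\Disallowed.
foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
    $certs = @(Get-ChildItem $store)
    "{0}: {1} untrusted certificate(s)" -f $store, $certs.Count
    foreach ($subject in $ExpectedSubjects) {
        $match = $certs | Where-Object { $_.Subject -like "*$subject*" }
        if ($match) {
            "  found   : {0}" -f $subject
        } else {
            "  MISSING : {0}  <- update not applied or store not updated yet" -f $subject
        }
    }
}
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; a “MISSING” line for a subject that is in the advisory means that computer would still trust the fraudulent certificate.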

The Teched 2011 Bag

Here it is, folks!  The coveted TechEd bag for 2011.  Is it a backpack?  A parachute?  A shar-pei?  Looks like it’s soft and comfortable with LOTS of storage space.  But what will you do with all that space since your iPad takes so little of it?

A New Certified Master, I Will Be

I mentioned in an earlier article that I began the application process to enter the Microsoft Certified Master: Exchange Server 2010 program.  Well, I’m very happy to say that I was accepted to the program today!

With this acceptance, I’ve decided to blog the entire experience (or at least as much as my NDA and time will allow).  This will let folks who are interested know what to expect if they want to pursue the same prestigious certification.

Once I confirmed that I met all the prerequisites, I began the application process on March 7, 2011 by completing the online application, supplying my MCP transcript, and paying the non-refundable US $125 application fee.

On March 10th, I was confirmed by the MCM program that I met the prerequisites.  A Microsoft Partners ID and workspace was created for me to upload my resume, two sample project documents, and a single page document describing my experience and “deep technical understanding of Exchange”.    The workspace was created, but I had to email the MCM team to let them know I had signed in before I could upload my content.  Once this was submitted to the MCM workspace and I marked the content as “Ready for review”, I waited.

There are three other MCMs who I work with at ExtraTeam.  All three of them had grueling telephone interviews at this point, so this is what I was anxiously waiting for.  Today, March 21st, I received an ominous email saying, “Thank you for submitting your application. Please view the attachment for the final results of your application to the Microsoft Certified Master Program.”  Uh-oh.  No phone interview and they already made their decision.  That’s not good.  But opening the attached PDF file I was happy to see, “Congratulations! You have passed all the required pre-requisites and have been accepted into the program.”

Here’s a diagram that shows the MCM application process:

So that has you caught up to where I am today, aside from actually finalizing my registration (and paying the $18,500).  Now all that’s left is the hard part — going through the MCM program.  My rotation will run June 6 – 25, 2011.  Can’t wait!

Disabling a User in AD Does Not Disable the User In Lync

It’s quite common for companies to disable user accounts in Active Directory, rather than delete them, when a user leaves the company.  This allows other IT staff and managers to access that user’s data and email after they are gone.

However, disabling a user account in Active Directory does not immediately disable the user from using Lync.  This is due to the way that Lync performs authentication and, depending on several factors, could result in a disabled user accessing Lync for up to nearly 6 months!  Obviously, this is important to understand since you don’t want disabled users to access internal resources or make Enterprise Voice calls.

The purpose of this article is to explain how and why this happens and how to successfully disable a Lync user’s account immediately without having to delete the user account from AD.

Lync Server 2010 uses several methods of authentication: Kerberos, NTLM, and certificate-based.  Kerberos is the default authentication method, and successful authentication results in the client receiving a Kerberos ticket that’s good for 10 hours.  Kerberos is used when users access Lync Server while on the domain.  NTLM is used for authentication from other locations, such as remote access from the Internet through Lync Edge servers.

If the user authenticates using one of these two methods and selects the Save my password check box (shown above), the Lync server will generate an X.509 certificate for the user.  Lync publishes the certificate to the Lync RTC database and distributes it, along with the private key, to the user’s Personal certificate store on the local computer.  The certificate expires 180 days from the publication date and is used for further authentication for that user from that computer.  An example OCS-signed certificate from the user’s Personal certificate store is shown below:

Certificate authentication is convenient and speeds up the sign-in process significantly, but it means that Lync doesn’t check the AD user account to see if it’s disabled.  If a disabled user signs into Lync using certificate authentication, they will still have access to all Lync features including IM, web conferencing and Enterprise Voice until the certificate expires.

The certificate(s) used by a Lync user can be viewed from the Lync Management Shell using the Get-CsClientCertificate cmdlet.  For example,


will display all the certificates stored in the RTC database for that user.  If the user has signed in to Lync from three different computers, there will be three certificates listed for the user, as shown below:

Remote users with a valid client certificate can continue to sign in and access Lync until their certificate expires, regardless of whether their account is disabled or not.

You can revoke a certificate using the Revoke-CsClientCertificate cmdlet in the Lync Management Shell, but this will not affect users who are currently signed into Lync.  For domain computers, the user will be able to use Lync until their Kerberos ticket expires (up to 10 hours).  Remote users using certificate authentication will remain signed in until they sign out, the Lync server is restarted, or their certificate expires (up to 180 days).

To prevent a user (enabled or disabled) from using Lync, you must disable their Lync account using the Lync Control Panel or the Lync Management Shell, as shown below:


To disable the Lync user account using the Management Shell, run the following cmdlet:


Note that it may still take a few minutes for a signed-in user to be disconnected; however, they are immediately unable to start any new Lync activity, such as a new IM, web conference, or Enterprise Voice call.  If they happen to be in an IM session or web conference when their Lync account is disabled, they can continue until they disconnect.  Likewise, if they are in a voice call when their Lync account is disabled, the call will continue until the call ends.  The Lync client for the disabled user will display the following:


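Putting the three steps above (list the user’s client certificates, revoke them, then disable the Lync account) into one repeatable offboarding script makes it much less likely that a departed user is left with a valid 180-day certificate.  The script below is an added example and is not from the original post.  It assumes it is run from the Lync Server Management Shell with CsUserAdministrator (or higher) rights, and the SIP address is a constructed placeholder.  It uses Set-CsUser -Enabled $false, which is the same thing as “Temporarily disable for Lync Server” in the Lync Control Panel; Disable-CsUser would instead strip all Lync attributes from the AD account, which is usually not what you want when the account is only being disabled.

```powershell
# Added example (not from the original post): immediately block a user's Lync access
# without deleting or modifying their AD account beyond the Lync attributes.
param(
    [string]$SipAddress = 'sip:jdoe@contoso.com'   # placeholder, replace with the real user
)

# Get-CsUser throws if the user was never enabled for Lync, so stop early in that case.
$user = Get-CsUser -Identity $SipAddress -ErrorAction Stop
"Lync account {0}: Enabled={1}" -f $user.SipAddress, $user.Enabled

# 1. List the client certificates Lync issued to this user. There is one per computer the
#    user signed in from with "Save my password" checked, each valid for 180 days.
$certs = @(Get-CsClientCertificate -Identity $SipAddress)
"{0} client certificate(s) found in the RTC database" -f $certs.Count
$certs | Format-List

# 2. Revoke them so no further certificate-based sign-ins succeed.
#    This does NOT drop sessions that are already signed in (see the note above).
if ($certs.Count -gt 0) {
    $certs | Revoke-CsClientCertificate -Confirm:$false
}

# 3. Temporarily disable the Lync account. The SIP address and policies are kept, so the
#    account can be re-enabled with Set-CsUser -Enabled $true if needed.
Set-CsUser -Identity $SipAddress -Enabled $false

# 4. Verify the change took effect before closing the ticket.
$user = Get-CsUser -Identity $SipAddress
if ($user.Enabled) {
    throw "Lync account for $SipAddress is still enabled"
}
"Lync access for {0} is now disabled; {1} certificate(s) revoked" -f $SipAddress, $certs.Count
```

Because a domain-joined user keeps working until the 10-hour Kerberos ticket expires and a remote certificate user until they sign out, run this as part of the same change that disables the AD account, not as an afterthought days later.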
Thanks to Tom Pacyk for sharing this with me while he was at Microsoft Certified Master: Lync  Server training.

Lync and Forefront Added to Microsoft Core Cal Suite!

Microsoft is updating the Core Client Access License Suite (Core CAL Suite) to include Lync Server 2010 and Forefront Endpoint Protection.

Beginning August 1, 2011 (the beginning of Microsoft’s fiscal year),  Lync Standard CAL and Forefront Endpoint Protection will move to Core CAL Suite.  Previously these products lived on the Enterprise CAL “Step Up”, and made up part of the Enterprise Suite stack.  Organizations who have Software Assurance on their Core CAL as of August 1st, will have access to the new features.

You can expect to see moderate price increases to Core CAL, but Microsoft will not release final details until the August 1st price list is out.  It is anticipated that with discounts to the E-CAL Step Up, the full E-CAL Suite stack will be roughly the same cost as today.

Current Core CAL customers with Software Assurance (SA) as of August 1st can choose to sign an “Early Use Rights Amendment” that will allow them to utilize the new features today at no additional cost.  Contact your Microsoft licensing vendor for more details.

Lync 2010 and Microsoft Office Compatibility

The following table describes the Lync 2010 features that are supported by various versions of Office.
Feature | Microsoft Office 2003 with Service Pack 3 (SP3) | Microsoft Office 2007 | Microsoft Office 2010
--- | --- | --- | ---
Presence status in the Microsoft Outlook To and Cc fields | Presence status appears on hover | Presence status is always shown | Presence status is always shown
Reply with conference call from the Presence menu | No | Yes | Yes (from the contact card)
Presence status in a Meeting Request on the Scheduling Assistant tab | No | Yes | Yes
Reply with IM, or call from the toolbar or ribbon in a received email | No | Yes | Yes
Presence status in the Outlook From field | Yes | Yes | Yes
Reply with IM or voice from Presence menu | Yes | Yes | Yes (from the contact card)
IM and presence in Microsoft Word and Microsoft Excel files (smart tags enabled) | Yes | Yes | Microsoft Word only
IM and presence in Microsoft SharePoint sites (Outlook must be installed) | Yes | Yes | Yes
The following features are available only with Office 2010 and Lync:
  • New contact card with expanded options, such as video call and desktop sharing
  • Quick search from the Find a Contact field in Outlook
  • Reply with an IM or call from the Outlook Home ribbon in the Mail, Calendar, Contacts, and Tasks folders
  • Lync Contacts list in Outlook To-Do Bar
  • Office Backstage (File tab) presence status, application sharing, and file transfer
  • Presence menu in Microsoft Office SharePoint Workspace 2010 (formerly Microsoft Office Groove 2007)
  • Presence menu extensibility

Thanks to VoIPNorm for the link to Lync 2010 and Microsoft Office Compatibility.

How to manually move the ISTG role to another server

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. One domain controller per site holds the Inter-Site Topology Generator (ISTG) role, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.

If you have more than one domain controller in your organization, the ISTG is the DC responsible for creating the <automatically generated> connection objects that you see in Active Directory Sites and Services, as shown below:

The ISTG role is fairly “sticky”.  The first domain controller promoted in a site takes on the ISTG role, and the role does not change as additional domain controllers are added to the site.  If the current ISTG becomes unavailable for 60 minutes, an election is held by the other DCs in the site to appoint a new ISTG.  This delay can sometimes cause problems for Active Directory replication.

Consider the following scenario. Your domain contains two sites, SiteA and SiteB.  Each site has two DCs for redundancy and high availability – DC1 and DC2 in SiteA, and DC3 and DC4 in SiteB.  If both sites are connected to each other using DC1 and DC3 and those servers happen to be the ISTG servers for the two sites, it will take over 60 minutes to create new automatic connections if either of those two servers becomes unavailable.  To overcome this, manually move the ISTG to another server.  Here’s how to do it.

  1. Open ADSIEDIT.msc
  2. Expand Configuration [DomainController].
  3. Expand CN=Configuration,DC=<domain>,DC=<com>.
  4. Expand CN=Sites.
  5. Highlight CN=<sitename> for the site where you want to change the ISTG Server.
  6. In the details pane, right-click on CN=NTDS Site Settings and select Properties.
  7. Locate the interSiteTopologyGenerator attribute and you will see which Domain Controller is designated as the ISTG server.
  8. To change the server, click Edit and then change the server name, as shown below.
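The same change can be made from PowerShell, which is handy when you want to record the current ISTG for every site before touching anything.  The script below is an added example, not from the original post: it reads and (with -Commit) rewrites the interSiteTopologyGenerator attribute on the site’s NTDS Site Settings object, the attribute ADSIEDIT shows in step 7.  It uses the built-in [ADSI] type accelerator, so no AD module is needed, and the site and DC names are constructed placeholders taken from the SiteA/DC2 scenario above.  Note that the attribute value is the distinguished name of the new ISTG’s NTDS Settings object, not a bare server name, and that server must already be in the site.

```powershell
# Added example (not from the original post): report or move the ISTG for one site.
param(
    [string]$SiteName = 'SiteA',   # placeholder site name
    [string]$NewIstg  = 'DC2',     # placeholder: DC that should become ISTG (must be in $SiteName)
    [switch]$Commit                # without -Commit the script only reports what it would do
)

# Find the Configuration naming context from RootDSE rather than hard-coding DC=domain,DC=com.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitePath = "CN=$SiteName,CN=Sites,$configNC"
$settings = [ADSI]"LDAP://CN=NTDS Site Settings,$sitePath"

# The attribute holds the DN of the ISTG's "NTDS Settings" object.
$currentIstg = [string]$settings.interSiteTopologyGenerator
"Current ISTG for {0}: {1}" -f $SiteName, $currentIstg

# Build the DN for the requested DC and make sure it really exists in this site.
$newIstgDn = "CN=NTDS Settings,CN=$NewIstg,CN=Servers,$sitePath"
if (-not [ADSI]::Exists("LDAP://$newIstgDn")) {
    throw "No NTDS Settings object found for $NewIstg in site $SiteName"
}

if ($currentIstg -eq $newIstgDn) {
    "{0} is already the ISTG for {1}; nothing to do." -f $NewIstg, $SiteName
}
elseif ($Commit) {
    $settings.Put('interSiteTopologyGenerator', $newIstgDn)
    $settings.SetInfo()
    "ISTG for {0} changed to {1}." -f $SiteName, $NewIstg
}
else {
    "Would set ISTG for {0} to {1} (re-run with -Commit to apply)." -f $SiteName, $newIstgDn
}
```

Run it first without -Commit from a DC or management workstation in the site to confirm the current value matches what ADSIEDIT shows; the write itself requires rights to the Configuration partition (Enterprise Admins by default), and the change replicates like any other configuration attribute.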

I’m surrounded by really smart people

Here in ExtraTeam’s Microsoft practice, I’m fortunate to work in a tight group of really smart people.  Our staff has credentials that rival only a very few very large consulting companies.  This makes our collaborative work environment über cool without any pretentiousness or rivalry.  In today’s business climate, that’s a real differentiator.

My manager, Mike Sneeringer, is one of those rare double Microsoft Certified Masters – He’s an MCM in both Exchange and Lync Server.  Keif Machado is an Exchange MCM and Tom Pacyk just became a Lync Server MCM this morning!  Together, we’re certified on nearly two dozen Microsoft technologies and have numerous professional certifications including MCITPs, TS’s, MVP, MCSE, MCSA, and CISSP.  That doesn’t even count all the smart folks on the Cisco side of the business.

I’ve entered into the Exchange MCM application process this week, myself, and plan to blog about the experience as it goes.  Wish me luck!