How to Easily Check for a Windows Enterprise CA

I work with a lot of different clients and often need to generate private certificates for applications, such as Exchange, Lync Server, and System Center.  I’m often surprised that clients aren’t aware if they even have a certificate authority server in their domain and, if so, what its name is.



Here’s a simple way to check for an enterprise CA in a Windows domain.  Run the following command from a CMD prompt:

certutil -config - -ping

Notice the extra dash “-” between the -config and -ping switches.  A lone dash in place of the usual host\CAName string tells certutil to look up the enterprise CAs published in Active Directory and prompt you to pick one.



If there is an enterprise CA published in Active Directory, you will see a pop-up box asking you to choose the CA to ping, as shown below:




Notice that both the CA name and the computer that hosts it are displayed.  Once you select the certification authority and click OK, certutil will ping the server to make sure that it’s online and functioning, as shown below:
 

Certutil successfully pinged the CA
If certutil is unable to locate an Enterprise CA in the domain, it will display an error message indicating that no active Certification Authorities were found:



Certutil was unable to locate an Enterprise CA in the domain
 

certutil -config - -ping
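If you would rather not click through the chooser, the same information is available directly from Active Directory.  The PowerShell script below is an added example, not part of the original post: it reads the pKIEnrollmentService objects that every enterprise CA publishes under CN=Enrollment Services,CN=Public Key Services,CN=Services in the Configuration partition (the same place certutil -config - looks), then pings each CA non-interactively with certutil -config host\CAName -ping.  It needs no RSAT modules, only a domain-joined machine; the warning text and output layout are my own.

```powershell
# Added example, not from the original post. Enumerates the enterprise CAs that
# "certutil -config - -ping" offers in its chooser by reading the same source:
# the pKIEnrollmentService objects each enterprise CA publishes in the
# Configuration partition. Works from any domain-joined machine without RSAT.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties["configurationNamingContext"].Value
$pkiPath  = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$pkiPath
$searcher.Filter     = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("cn", "dNSHostName", "certificateTemplates"))

$results = $searcher.FindAll()
if ($results.Count -eq 0) {
    # Same condition as certutil's "no active Certification Authorities" error.
    Write-Warning "No enterprise CA is published in Active Directory ($configNC)."
    return
}

foreach ($entry in $results) {
    $caName = $entry.Properties["cn"][0]
    $caHost = $entry.Properties["dnshostname"][0]
    $config = "$caHost\$caName"      # the host\CAName string certutil calls a "config"
    Write-Host "Enterprise CA: $config"

    # Non-interactive equivalent of picking the CA in the pop-up and clicking OK.
    $ping = & certutil.exe -config $config -ping 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "  ping: online"
    } else {
        Write-Warning "  ping failed: $($ping -join ' ')"
    }

    # Templates this CA will issue from. Worth a look while you are here: an
    # over-permissive template is how an enterprise CA becomes an escalation path.
    $templates = @($entry.Properties["certificatetemplates"]) | Sort-Object
    Write-Host ("  templates ({0}): {1}" -f $templates.Count, ($templates -join ", "))
}
```

Run it from an ordinary domain user session; reading these objects requires no special rights, which is also why anyone on the domain can find your CA and the templates it publishes.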

Issue with IE9 and the Exchange 2010 Management Console

I ran into this issue today at a customer.  With Internet Explorer 9 installed on the Exchange 2010 server, you cannot close the Exchange Management Console.  When you try to close it, you get the following message:


As of yet, this is unresolved.  See http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/ea4e1ffe-472e-4508-9a14-0735ac6322ca for other reports of the same problem. 

The workarounds are to end task mmc.exe every time or uninstall IE9.


You must close all dialog boxes before you can close Exchange Management Console

Are you an Exchange Maestro?

Register to become an Exchange 2010 Maestro!

Exchange superstars Tony Redmond and Paul Robichaux will focus on the key “gotchas” and hurdles experienced by IT professionals in the real world. The workshop will cover Exchange 2010 Service Pack 1 as well as the RTM version released by Microsoft in October 2009.


Paul writes,


The Exchange Maestro program is a 300/400-level blitz of all the major features of Exchange 2010. We assume good knowledge of Exchange 2003/2007, and we have enough new material so that even people with some 2010 experience will learn something useful.  In addition to the lecture material, attendees get a full set of Exchange 2010 lab VMs on a take-home disk drive. That frees attendees to focus on learning because they can work on the labs during scheduled lab times, in the evenings, or once they return home.

On the third day we have a sort of capstone exercise where the attendees form teams and design an Exchange 2010 organization, then present their design proposal to Tony, playing the role of a hard-nosed customer CIO.

I have a discount registration code for you to share with your readers: “PAUL” will net $250 off for the US events, and “PAUL100” will net 100 pounds off the London event.


If you administer Exchange 2010, this is a worthwhile opportunity to learn from some of the best! 



Use the discount codes above to save $250 in the US or £100 in Europe off regular registration.  Read more at the Become an Exchange 2010 Maestro website.

How to set the Default Domain for the Microsoft Lync Server 2010 Web Scheduler

As I posted earlier, Microsoft released the Lync Server 2010 Web Scheduler today.  It provides a Web-based online Lync meeting scheduling and management experience for Lync Server 2010.



By default, the Web Scheduler requires that users enter their domain and user name along with their password to login, as shown below:


To configure the Web Scheduler with a default domain, so that users can sign in with only their user name, you must update files in both the Internal (Int) and External (Ext) virtual directories.  Luckily the files are identical, so you usually only need to update the files in one directory and copy them to the other.

Here’s how to do it:
  • Install the Microsoft Lync Server 2010 Web Scheduler.
  • Navigate to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Int\Scripts folder.
  • Edit the WebTicketManager.js file with Notepad or your favorite editor.
  • Go to line 143 and insert the following line:
userName += "@domain.com";
              where domain.com is the FQDN for your internal domain.

  • Now prepend “//” to lines 144 and 145 to comment them out, as shown below:
  • Save the file.
  • If your internal domain name matches your external domain name, copy WebTicketManager.js to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\Scripts folder.  Otherwise, perform the same edit on the copy in the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\Scripts folder, using your external domain name.
These edits append @domain.com to the user name entered, unless the user entered a specific domain as either domain\username or username@domain.com on the logon page.

Now we need to edit the Web Scheduler logon page to reflect the change:
  • Navigate to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Int\UserControls folder.
  • Edit the LoginControl.ascx file with Notepad or your favorite editor.
  • Edit line 28 to read “User Name:“, rather than “Domain\user name:”, as shown below: 
  • Save the file.
  • Copy LoginControl.ascx to the C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler\Ext\UserControls folder.
Now all you need to do is try it out!
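Because this is a hand edit to a Microsoft-shipped file, it is easy to apply it to Int and forget Ext, and a later update to the Web Components will silently put the original file back.  The script below is an added example, not part of the original post or of the Web Scheduler: it applies the WebTicketManager.js change above to both virtual directories by the line numbers the post gives, skips a file that already contains the added line, refuses to edit a file that is shorter than expected (a sign the line numbers no longer match), and keeps a .bak copy.  The domain, base path and -Apply switch are my own parameters; without -Apply it only reports what it would change.

```powershell
# Added example, not from the original post. Applies the WebTicketManager.js edit
# to BOTH the Int and Ext copies so the two virtual directories cannot drift apart.
# Line numbers are the ones the post gives; verify them against your file first.
param(
    [string]$Domain   = "domain.com",   # assumption: replace with your UPN suffix
    [string]$Base     = "C:\Program Files\Microsoft Lync Server 2010\Web Components\Web Scheduler",
    [int]   $InsertAt = 143,            # from the post: insert here, comment out the next two lines
    [switch]$Apply                      # without -Apply the script only reports
)

$marker = 'userName += "@' + $Domain + '";'   # the line the post has you add

foreach ($dir in "Int", "Ext") {
    $path = Join-Path $Base "$dir\Scripts\WebTicketManager.js"
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }

    $lines = [System.IO.File]::ReadAllLines($path)
    if ($lines -contains $marker) {
        Write-Host "$dir : default domain already set, skipping"
        continue
    }
    if ($lines.Count -lt $InsertAt + 2) {
        # A newer or different build; do not trust the post's line numbers.
        Write-Warning "$dir : file has only $($lines.Count) lines; refusing to edit by line number"
        continue
    }

    # New file = lines 1..142 unchanged, the inserted line, the original lines
    # 143 and 144 commented out (they become 144 and 145), then the rest.
    $before = $lines[0..($InsertAt - 2)]
    $target = $lines[($InsertAt - 1)..$InsertAt] | ForEach-Object { "//" + $_ }
    $after  = $lines[($InsertAt + 1)..($lines.Count - 1)]
    $new    = @($before) + $marker + @($target) + @($after)

    Write-Host "$dir : would insert at line $InsertAt :"
    Write-Host "    $marker"
    Write-Host "  and comment out:"
    $target | ForEach-Object { Write-Host "    $_" }

    if ($Apply) {
        Copy-Item $path "$path.bak" -Force
        [System.IO.File]::WriteAllLines($path, [string[]]$new)
        Write-Host "$dir : written (backup at $path.bak)"
    }
}
```

Run it once without -Apply, confirm the two lines it reports are the ones you expect to comment out, then run it again with -Apply.  Re-run it after any Web Components update; if the line-count check trips, inspect the new file by hand before editing.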


Microsoft Lync Server 2010 Web Scheduler is now available

Lync Web Scheduler is a resource kit tool for Microsoft Lync Server 2010. It provides a Web-based alternative to the add-in for the Microsoft Office Outlook messaging and collaboration client for the purpose of scheduling a meeting using Lync Server 2010. It also provides a browser-based conference management experience that includes operations such as the following:
  • Scheduling a new online Lync meeting.
  • Listing all existing Lync Server 2010 meetings that the user has organized.
  • Viewing and modifying details of an existing meeting.
  • Deleting an existing meeting.
  • Sending an email invitation to meeting participants by using a configured SMTP mail server.
  • Joining an existing conference.
Compared to the Conferencing Add-In for Microsoft Outlook, Lync Web Scheduler has the following limitations:
  • Lync Web Scheduler does not support scheduling recurring meetings.
  • Lync Web Scheduler lists only meetings that were organized by the user. It does not list all meetings that the user is invited to. Further, meetings created using some other tool will not be editable using Lync Web Scheduler.
  • Lync Web Scheduler is available only in English.
  • Meeting invitations that are generated by Lync Web Scheduler do not look exactly the same as those that are generated by the Conferencing Add-In for Outlook.
  • Lync Web Scheduler doesn’t interact with the calendaring server. Calendar updates happen only via email invitations.
Lync Web Scheduler is an ASP.NET application, which must be installed on the same Internet Information Services (IIS) Web server on which Lync Server Web Components are installed.
Get it at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=b7d8f948-fa64-4c51-8b54-2223954d1fa4

One TechEd Story

One of the things I enjoy at Microsoft TechEd is talking with people to get their TechEd story.  I like to hear what they think of TechEd and about the value they get from the conference.
Claudia Perez works for Galveston County IT in Texas.  She’s worked in IT for over 16 years, 15 of them for this same organization.  She manages about 1,500 users across 20 departments.  Last year she went to New Orleans for her second TechEd.
As you can imagine with any small government these days, budget cuts and staff shortages take their toll and it’s much more difficult to make the commitment to a four day conference.  There’s travel and expenses, not to mention the registration costs to contend with.  Even though state and local government get a pretty good discount, it’s still hard to justify.
So why does Claudia do it?  And just as importantly, how does her boss justify the expense?  Here’s what Claudia says:
There is more than one reason why I attend TechEd. It is a combination of the sessions, the information, the convenience of having the technologies I use at a single event, and definitely the networking (and The Krewe has a lot to do with this part).
I have to admit that the first time I attended I was overwhelmed. In part because I was still in disbelief that I was approved to attend since I have been requesting the opportunity to go to TechEd for many years in a row with no results. Also, I didn’t know quite what to expect. I was very glad I came across the Krewe group during my first year.
I work for local government where I am not only the Exchange person; I am also the SQL person, the Windows Server person, etc. So TechEd makes it so convenient because I have the sessions, hands on labs, etc. that pertain to my main areas of responsibility all in one event. This way I choose what areas to focus more on depending on what projects I am working on that year. There are also the ‘after hours’ activities organized by other TechEd participants. The Exchange Roundtable is a great example.
I also like to be informed of what is coming up next or what is now available in the market that can help us. Having the ability to interact with so many different vendors in one place makes that also very convenient.
Another great reason is the networking. I have learned over the past few years how important it is as an IT pro to have a great network of IT professionals. The way we stay in touch and exchange information and even try to help each other has proven to be very valuable. More than once I have come across an issue that I’ve never seen before, I ask the question and I always get tips, ideas, or answers from the network of people I met at TechEd.
Our current boss (for over 2 years now) understands the importance of training and continuous education. He is even pushing now for certifications and more training.  That mentality helps a lot when I have to ask for approval for the conference. I also have discussed with him the importance of having a network of professionals and he has seen how valuable it has been when I needed answers. In addition, when I come back from TechEd, I come back with new ideas and information about how to do things more efficiently, how to address some issues we may be facing, information on better practices, etc. We cannot always put new ideas into place, sometimes because of budget restrictions, but at the same time, the information gathered helps us to plan for future projects.
I think Claudia perfectly sums up the value of TechEd.  And it’s really great that her boss understands this, as well.



I hope to see you all at TechEd in Atlanta in May!

Fourth Annual UC Roundtable at Microsoft TechEd!

I’m arranging the Fourth Annual UC Roundtable this year at Microsoft TechEd in Atlanta, GA.  The UC Roundtable (formerly the Exchange Roundtable) brings Exchange and Lync Server IT Pros together for an informal get together to discuss all things Exchange and Lync Server!



This year, we’ll gather at the atrium of the Embassy Suites Atlanta at Centennial Olympic Park (right next door to the Georgia World Congress Center) Wednesday, May 18, from 6:00-7:30pm.

Join me and other Exchange and Lync Server experts for a lively discussion.  Bring your Exchange or Lync questions, learn or teach others, and have fun!  I hope to see you there.

Please RSVP to jeff@expta.com with your contact info and the number of people attending, so I can make sure we have enough room.  I’ll send a reminder email to you when it gets closer.



Spread the word!

How to fix "550 5.1.1 User unknown" Error when Sending to a Distribution Group

You may find that after you create a new distribution group in Exchange 2010, you cannot send SMTP email to it from the Internet or from internal relay hosts.  When you do, you receive a “550 5.1.1 User unknown” error.  If you send email to the distribution group internally using Outlook or OWA, it works just fine.



This happens because Exchange 2010 enables Require that all senders are authenticated (the RequireSenderAuthenticationEnabled attribute) on every new distribution group by default, so mail arriving over an unauthenticated SMTP session, whether from the Internet or from an internal relay host, is rejected.



To clear this setting, view the properties of the distribution group and double-click Message Delivery Restrictions on the Mail Flow Settings tab:




Then clear the checkbox for Require that all senders are authenticated and click OK.




At first I thought this might be due to the fact that my client is using Edge Transport servers and that the Block messages sent to recipients that do not exist in the directory setting was enabled.  This is shown below from the Edge server’s Recipient Filtering properties:


I tested this by running the following cmdlet:
Test-EdgeSynchronization -VerifyRecipient zzz.domain.com
Sure enough, the result shows, NotSynchronized – Recipient doesn’t exist in source Active Directory, as shown below:



Somewhat surprisingly, this result does not change when Require that all senders are authenticated is disabled.



I can’t believe I’ve never run into this until now. 



Before you ask, there is no way to change the default behavior of Exchange 2010 so that new distribution groups are created with the authentication setting disabled (unchecked).  You must clear it on each group that needs to receive mail from unauthenticated senders.
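Since the setting has to be cleared per group, it is worth doing from the Exchange Management Shell, where you can also see which groups are still closed before you open any of them.  The script below is an added example, not part of the original post: it lists every distribution group that still requires authenticated senders and, with the -Fix switch, clears the flag on the groups you name.  The group name in the parameter default is a placeholder; the cmdlets and the RequireSenderAuthenticationEnabled parameter are the real Exchange 2010 ones.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Audits the Exchange 2010 default ("Require that all senders are authenticated")
# and, with -Fix, clears it on the named groups only.
param(
    [string[]]$Groups = @("Sales Inquiries"),   # placeholder: groups that must accept Internet mail
    [switch]$Fix                                 # without -Fix, only report
)

# 1. Audit: which groups would answer an unauthenticated sender with 550 5.1.1?
$all    = @(Get-DistributionGroup -ResultSize Unlimited)
$closed = @($all | Where-Object { $_.RequireSenderAuthenticationEnabled })
Write-Host ("{0} of {1} distribution groups require authenticated senders" -f $closed.Count, $all.Count)
$closed | Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled | Format-Table -AutoSize

# 2. Fix only the groups that genuinely need to be reachable from outside.
#    Clearing the flag lets anyone on the Internet mail every member of the group,
#    so keep this list short and deliberate.
foreach ($name in $Groups) {
    $dg = Get-DistributionGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $dg) { Write-Warning "no such group: $name"; continue }
    if (-not $dg.RequireSenderAuthenticationEnabled) {
        Write-Host "$name : already accepts unauthenticated senders"
        continue
    }
    if ($Fix) {
        Set-DistributionGroup -Identity $name -RequireSenderAuthenticationEnabled $false
        Write-Host "$name : cleared RequireSenderAuthenticationEnabled"
    } else {
        Write-Host "$name : would clear RequireSenderAuthenticationEnabled (re-run with -Fix)"
    }
}
```

If only a handful of known external senders need to reach a group, consider creating mail contacts for them and restricting the group with -AcceptMessagesOnlyFromSendersOrMembers instead of opening it to everyone; the 5.1.1 goes away for those senders while the group stays closed to the rest of the Internet.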

MVP Award Unboxing

I thought it might be fun to show what the MVP award package looks like, so I took a few pictures.




The box in the box



Opening the box reveals a very nice presentation of the award



The contents include:
A framed personalized certificate, an MVP lapel pin, the MVP rules of conduct, an MVP name badge, and a new 2011 year crystal disk to place on last year’s award.


The 2011 MVP Award

Good News, Bad News

First, the good news…  After a long wait, I finally learned that I’m able to go to Microsoft TechEd in Atlanta!  Better late than never.  I just hope there’s a hotel room left since TechEd North America 2011 is selling out fast.  Last I heard a few weeks ago, there were only about 600 discounted rooms left.  Since I’m joining the party so late, I will not be speaking this year.  It will be great to meet up with The Krewe again!



Now the bad news…  It turns out that I can’t make the Microsoft Certified Master: Exchange Server 2010 rotation in June due to issues beyond my control (mine, not theirs).  I’ll be doing the next rotation in September 2011.  It’s only three months later, but it’s still really disappointing.  :(  Oh well, feces occurs.



See you in Atlanta!