Archive for October, 2010

Configure the Forefront TMG 2010 to allow DPM 2010 communication

Wednesday, October 20th, 2010

    The DPM agent uses various ports and protocols to connect with the DPM server. Forefront TMG needs to be configured to allow the DPM server to communicate through those ports. The complete list of ports used by DPM is documented at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=118620).

    Use the following procedures to configure the Forefront TMG to work with DPM:

  • Define protocols for DPM in Forefront TMG

  • Add a computer rule for the DPM server

  • Create an access rule for DPM traffic

  • Configure registry settings on the Forefront TMG server and the DPM server

    To define protocols for DPM in Forefront TMG

  1. Open the Forefront Threat Management Gateway console.

  2. In the console tree, expand the node for the TMG server, and then click Firewall Policy.

  3. In the right pane, click Toolbox, expand Protocols, click New, and then click Protocol.

      The New Protocol Definition Wizard appears, and you can define a new DPM Agent Coordinator protocol (TCP, outbound, port range 5718) as follows:

    1. In the New Protocol Definition Wizard, type DPM Agent Coordinator, and then click Next.

    2. On the Primary Connection Information page, click New.

    3. In the New/Edit Protocol Connection dialog box, choose a Protocol type of TCP, a Direction of Outbound, and a Port Range (both From and To) of 5718. Click OK.

    4. Click Next twice, and then click Finish to close the New Protocol Definition Wizard.

  4. In the right pane, click New, and then click Protocol.

    The New Protocol Definition Wizard appears, and you can define a new DPM Protection Agent protocol (TCP, outbound, port range 5719) in the same way.

  5. In the right pane, click New, and then click Protocol.

    In the New Protocol Definition Wizard, define a new DPM Dynamic Ports protocol (TCP, outbound, port range 50000-50050).

    Note

    You need approximately 50 ports in the unreserved dynamic port range between 49152 and 65535. The range you choose here must match the Ports value you configure in the registry later in this post. For more information about this range, see the Internet Assigned Numbers Authority Web site (http://go.microsoft.com/fwlink?LinkId=22654).

  6. In the right pane, click New, and then click RPC Protocol.

      The New RPC Protocol Definition Wizard appears, and you can define a new RPC-compliant DPM protocol as follows:

    1. In the New RPC Protocol Definition Wizard, type DPM RPC, and then click Next.

    2. On the Select Server page, click Add interfaces manually.

    3. On the Adding Interfaces to the Protocol Definition page, click Add.

    4. In the Add/Edit Interfaces dialog box, under Interface UUID, type {12345778-1234-abcd-ef00-0123456789ac}. Under Interface Name, type RPC for DPM, click OK, and then click Next.

    5. Click Finish to close the New RPC Protocol Definition Wizard.

  7. In the top pane, click Apply to save changes and update the configuration.

    To add a computer rule element for the DPM server

  1. In the right pane of the Forefront TMG console, click Toolbox, expand Network Objects, click New, and then click Computer.

  2. In the New Computer Rule Element dialog box, type a Name for the DPM server, and then under Computer IP Address, type the server's IP address. Click OK.

  3. In the top pane, click Apply to save changes and update the configuration.

    To create an access rule for DPM traffic

  1. In the right pane of the Forefront TMG console, click Tasks, and then under Firewall Policy Tasks, click Create Access Rule.

  2. The New Access Rule Wizard appears. Type a name for the access rule (such as Allow DPM Traffic), and then click Next.

  3. On the Rule Action page, click Allow, and then click Next.

  4. On the Protocols page, under This rule applies to, choose Selected protocols, and then click Add.

    In the Add Protocols dialog box, expand All Protocols. Select each of the following protocols and click Add:

    • DPM Agent Coordinator

    • DPM Dynamic Ports

    • DPM Protection Agent

    • NetBIOS Datagram

    • NetBIOS Name Service

    • NetBIOS Session

    • Ping

    • RPC (all interfaces)

    • DPM RPC

      When you have finished adding the protocols, click Close.

      Turn off RPC filtering for RPC (all interfaces). Under Protocols, click RPC (all interfaces), and then click Edit. Click the Parameters tab, under Application Filters clear the check box for RPC Filter, click OK, and then click Next. With the RPC filter cleared, TMG passes this RPC traffic without inspecting it, so keep the rule's sources and destinations limited to Local Host and the DPM server computer object, as in the next two steps, rather than opening it to a whole network.

  5. On the Access Rule Sources page, click Add.

    In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

      When you have finished adding network entities, click Close. Then click Next.

  6. On the Access Rule Destinations page, click Add.

    In the Add Network Entities dialog box, do the following:

    • Expand the Networks node, click Local Host, and then click Add.

    • Expand the Computers node, click the name of your DPM server, and then click Add.

      When you have finished adding network entities, click Close. Then click Next.

  7. On the User Sets page, accept the default (All Users). Click Next, and then click Finish.

  8. Under All Firewall Policy, right-click the DPM access rule, and then click Properties.

  9. In the Properties dialog box, click Protocols, click RPC (all interfaces), click Filtering, and then click Configure RPC protocol.

  10. In the Configure RPC protocol policy dialog box, clear the Enforce strict RPC compliance check box. Then click OK twice.

  11. Under All Firewall Policy, if the DPM access rule is not the first listed, right-click the DPM access rule, and then click Move Up. Repeat until the rule is the first listed.

  12. In the top pane, click Apply to save your changes and update the configuration.
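    Once the rule is applied, the quickest way to tell a firewall drop from a missing agent is to probe the fixed ports from the other side. The following is an added example, not code from the original post: a PowerShell function that checks ICMP (the Ping protocol in the rule) and then attempts a TCP connect to 135 (the RPC endpoint mapper that the RPC protocol element relies on) and to the DPM agent ports 5718 and 5719 defined above. A connect that times out points at the rule (or a rule ordered above it); an active refusal means TMG passed the packet and nothing is listening yet. The host name tmg01.contoso.local and the timeout are assumptions; run it from the DPM server towards the TMG host, or the other way round.

```powershell
# Added example (not from the original post). Probes the ports the DPM access
# rule must pass and distinguishes "dropped" from "refused". Works on PowerShell 2.0.
function Test-DpmPorts {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int[]]$Ports = @(135, 5718, 5719),   # RPC endpoint mapper, Agent Coordinator, Protection Agent
        [int]$TimeoutMs = 3000
    )

    # ICMP first: the rule includes the Ping protocol, so an echo failure usually
    # means the rule is not applied yet or sits below a deny rule.
    $ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue
    $icmp = 'Filtered'; if ($ping) { $icmp = 'Open' }
    New-Object PSObject -Property @{ Computer = $ComputerName; Port = 'ICMP'; State = $icmp }

    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'Filtered'            # no SYN/ACK and no RST within the timeout: typical firewall drop
        try {
            $ar = $client.BeginConnect($ComputerName, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar) # throws on an active refusal (RST)
                $state = 'Open'
            }
        } catch {
            $state = 'Refused'          # packet reached the host, but nothing listens on that port
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{ Computer = $ComputerName; Port = $port; State = $state }
    }
}

# assumption: replace with the host behind the rule you want to verify
Test-DpmPorts -ComputerName 'tmg01.contoso.local' | Format-Table Computer, Port, State -AutoSize
```

    A "Refused" result on 5718 or 5719 before the protection agent is installed is expected and still proves that TMG let the packet through; "Filtered" on 135 while ICMP is "Open" usually means the RPC (all interfaces) protocol was not added to the rule or its filter settings were not changed as described above.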

    Warning

    Use the following procedure to modify registry settings on the Forefront TMG server and on the DPM server. Modify the registry with care. Serious system-wide problems might occur if you modify the registry incorrectly. To correct such problems, you may need to reinstall the operating system on these servers.

    To configure registry settings on the TMG server and the DPM server

  1. Log on to the server with an account that has administrative rights on it (local administrator rights are sufficient to edit HKEY_LOCAL_MACHINE; a domain administrator account is not needed for this step).

  2. Click Start, click Run, type regedit, and then click OK.

  3. In the left pane of Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.

  4. Right-click the Rpc node, click New, and then click Key. Type Internet as the name of the key.

  5. Configure the following values for the Internet key (the Ports range must match the DPM Dynamic Ports protocol defined earlier):

    Ports                    REG_MULTI_SZ   50000-50050

    PortsInternetAvailable   REG_SZ         Y

    UseInternetPorts         REG_SZ         Y

  6. To apply the registry settings, close Registry Editor and then restart the server.
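    The same registry change scripted, as an added example that is not part of the original post: it writes the three values from an elevated PowerShell prompt, checks the range against the note earlier in the post (about 50 ports inside 49152-65535), and reads the key back so a typo in the MULTI_SZ does not go unnoticed until the agent fails to attach. Path, value names and the 50000-50050 range are exactly those given above; nothing else is assumed.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the Forefront TMG server and on the DPM server, then restart each.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$portRange   = '50000-50050'   # must match the DPM Dynamic Ports protocol in TMG

# Sanity check against the note earlier in the post: roughly 50 ports, all
# inside the IANA dynamic range 49152-65535.
$lo, $hi = ($portRange -split '-') | ForEach-Object { [int]$_ }
if ($lo -lt 49152 -or $hi -gt 65535 -or $hi -lt $lo -or ($hi - $lo + 1) -lt 50) {
    throw "Port range $portRange is outside 49152-65535 or narrower than 50 ports"
}

if (-not (Test-Path $rpcInternet)) {
    New-Item -Path $rpcInternet -Force | Out-Null
}

# Ports is REG_MULTI_SZ, so pass an array and use the MultiString type;
# -Force overwrites an existing value instead of failing on it.
New-ItemProperty -Path $rpcInternet -Name 'Ports' -PropertyType MultiString `
    -Value @($portRange) -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read back and fail loudly if anything differs from what was requested.
$cfg = Get-ItemProperty -Path $rpcInternet
$problems = @()
if (($cfg.Ports -join ',') -ne $portRange) { $problems += "Ports is '$($cfg.Ports -join ',')', expected '$portRange'" }
if ($cfg.PortsInternetAvailable -ne 'Y')  { $problems += 'PortsInternetAvailable is not Y' }
if ($cfg.UseInternetPorts -ne 'Y')        { $problems += 'UseInternetPorts is not Y' }
if ($problems.Count -gt 0) { throw ($problems -join "`n") }

Write-Host "RPC\Internet configured for $portRange; restart the server so RPC picks it up."
```

    RPC reads the Ports value as one range per MULTI_SZ entry, which is why a single "50000-50050" string is written as a one-element array; the restart at the end of the procedure is still required, the script does not replace it.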

Apply missing Exchange 2010 RBAC Management Roles and Policies

Thursday, October 14th, 2010

If, after installing Exchange Server 2010 SP1, some RBAC management roles and policies are missing and you cannot even open the Exchange Management Console or the Exchange Management Shell, and running setup with /PrepareAD and /PrepareDomain does not fix the issue, follow these steps:

1. Open Windows PowerShell (not the Exchange Management Shell).

Note: If UAC is enabled, right-click Windows PowerShell and click Run as administrator.

2. Run Start-Transcript c:\RBAC.txt and press Enter.

Note: This starts logging every command you type, and its output, to a text file.

3. Run Add-PSSnapin *setup and press Enter.

Note: This adds the setup snap-in, which contains the setup cmdlets Exchange uses during installation. You may see errors about loading a format data file; you can ignore those. DO NOT run any other cmdlets from this snap-in without direction from Microsoft. Doing so could irreparably damage your Exchange installation.

4. Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press Enter.

Note: This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup. Be sure to run it with the -Verbose switch so the transcript captures what the cmdlet does.

5. Run Remove-PSSnapin *setup and press Enter.

6. Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos and press Enter, then run Import-PSSession $Session to load the Exchange cmdlets into this session.

Then check whether the EMC and EMS work again and whether the issue still persists.
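To turn "check the EMC and EMS" into something that can be put in the transcript, here is an added example (not part of the original post) that uses the remote session from step 6 to list role groups and role assignment policies that still carry no assignments after the repair. It uses only standard Exchange 2010 cmdlets (Get-RoleGroup, Get-ManagementRoleAssignment, Get-RoleAssignmentPolicy); the server name exch01.contoso.local is a placeholder you must replace.

```powershell
# Added example (not from the original post). Run from Windows PowerShell on the
# Exchange 2010 server after step 6. $ServerFqdn is an assumption: replace it.
$ServerFqdn = 'exch01.contoso.local'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ServerFqdn/PowerShell/" -Authentication Kerberos
Import-PSSession $Session -DisableNameChecking | Out-Null

try {
    # Every built-in role group should hold at least one management role assignment;
    # Install-CannedRbacRoleAssignments is what is supposed to have created them.
    $groups = @(Get-RoleGroup)
    $emptyGroups = @()
    foreach ($group in $groups) {
        $count = @(Get-ManagementRoleAssignment -RoleAssignee $group.Name -ErrorAction SilentlyContinue).Count
        if ($count -eq 0) { $emptyGroups += $group.Name }
    }

    # End users get their rights through a role assignment policy; the default one
    # must exist and have roles, or mailbox self-service (ECP options) breaks too.
    $policies = @(Get-RoleAssignmentPolicy)
    $emptyPolicies = @($policies | Where-Object { @($_.AssignedRoles).Count -eq 0 } | ForEach-Object { $_.Name })

    if ($emptyGroups.Count -eq 0 -and $policies.Count -gt 0 -and $emptyPolicies.Count -eq 0) {
        Write-Host "RBAC looks complete: $($groups.Count) role groups, $($policies.Count) assignment policies."
    } else {
        if ($emptyGroups.Count -gt 0)   { Write-Warning ('Role groups without assignments: ' + ($emptyGroups -join ', ')) }
        if ($policies.Count -eq 0)      { Write-Warning 'No role assignment policy exists at all.' }
        if ($emptyPolicies.Count -gt 0) { Write-Warning ('Assignment policies without roles: ' + ($emptyPolicies -join ', ')) }
    }
}
finally {
    Remove-PSSession $Session
}
```

If New-PSSession itself is rejected with an access error, that is already the answer: the repair did not restore an assignment covering the account you are logged on with, and the output of step 4 in c:\RBAC.txt is the place to look.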

 

Windows Server 2008 R2 Domain Controller on iSCSI boot server not supported

Friday, October 8th, 2010

When you installed a Windows Server 2003 domain controller and used iSCSI-mounted drives for SYSVOL and the Active Directory database, you found that this does not work, because the iSCSI LUNs are not yet mounted at the point where Active Directory services expect them.

So you decide to use an iSCSI volume for the system volume and additional iSCSI volumes for SYSVOL and the Active Directory database as well.

If you think this works for a Windows Server 2008 R2 domain controller, you will fail. The Active Directory Installation Wizard does not support saving the Active Directory database and the SYSVOL folder on an iSCSI volume. Microsoft released Knowledge Base article 977184 about this issue.

The article also describes an alternative and the steps necessary to enable the Active Directory Installation Wizard to save the Active Directory database and the SYSVOL folder on an iSCSI volume.

But this is only possible if that iSCSI volume is the system volume.

The operating system cannot start if you save the Active Directory database to a non-system volume that is not available during the startup process. Therefore, do not put the Active Directory database on an iSCSI volume that may not be available during startup.

 

Windows Server 2008 R2 refuses to resolve external FQDNs

Friday, October 8th, 2010

No, this time it is not the "." (root) zone on the DNS server, the one that turns it into a root server.

That is the obvious thing to look for. But what if you find that the root hints are present and the forwarders answer a ping, yet recursive name resolution still does not work?

When you look at the new features and changes in Windows Server 2008 R2, you will find something about EDNS. What is this?

It is an additional OPT record in DNS packets and is mandatory for DNSSEC. Windows Server 2008 R2 is the first version to enable it by default; it was already available in Windows Server 2003, but not enabled by default.

So you may be surprised that, after executing the following from a command prompt:

dnscmd /config /EnableEDNSProbes 0

your DNS server is once again able to resolve external Internet names. Keep in mind what the command does: it only stops the server from probing upstream servers with EDNS. The usual underlying cause is a firewall between the server and its forwarders or the root servers that drops DNS packets carrying an OPT record or UDP DNS packets larger than 512 bytes, and allowing those through is the cleaner fix, especially if you intend to use DNSSEC.

Read Scott Forsyth’s Blog for more details

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx
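To see the behaviour described above instead of only toggling it, here is an added example that is not part of the original post: it sends the same A query to an upstream server twice from PowerShell, once plain and once with an EDNS0 OPT pseudo-record advertising a 4096-byte UDP payload, and reports whether each one got a response. The upstream address 192.0.2.53, the query name and the 4096 size are assumptions; run it from the Windows Server 2008 R2 DNS server against one of its forwarders.

```powershell
# Added example (not from the original post). Builds a minimal DNS query by hand
# (RFC 1035 header + question, optional RFC 2671 OPT record) and sends it over
# UDP, so the only difference between the two probes is the EDNS record.
function New-DnsQuery {
    param([string]$Name, [bool]$Edns)
    $id   = Get-Random -Minimum 1 -Maximum 65535
    $idHi = [byte][math]::Floor($id / 256)
    $idLo = [byte]($id % 256)
    $arcount = 0; if ($Edns) { $arcount = 1 }
    $b = New-Object 'System.Collections.Generic.List[byte]'
    # Header: ID, flags 0x0100 (RD set), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 0 or 1
    $b.AddRange([byte[]]@($idHi, $idLo, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, $arcount))
    # Question: length-prefixed labels, terminating 0, QTYPE A (1), QCLASS IN (1)
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length)
        $b.AddRange($lb)
    }
    $b.Add(0)
    $b.AddRange([byte[]]@(0, 1, 0, 1))
    if ($Edns) {
        # OPT pseudo-RR: root name (0), TYPE 41, CLASS = UDP payload size 4096 (0x1000),
        # TTL = extended RCODE / version / flags all zero, RDLENGTH 0
        $b.AddRange([byte[]]@(0, 0, 41, 0x10, 0x00, 0, 0, 0, 0, 0, 0))
    }
    return @{ Id = $id; Bytes = $b.ToArray() }
}

function Test-DnsEdns {
    param([string]$Server, [string]$Name = 'www.microsoft.com', [int]$TimeoutMs = 3000)
    foreach ($edns in @($false, $true)) {
        $q = New-DnsQuery -Name $Name -Edns $edns
        $udp = New-Object System.Net.Sockets.UdpClient
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $answered = $false
        try {
            [void]$udp.Send($q.Bytes, $q.Bytes.Length, $Server, 53)
            $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
            $r = $udp.Receive([ref]$from)
            # A real answer echoes our transaction ID and has the QR bit (0x80 of byte 2) set.
            $answered = ($r.Length -ge 12) -and
                        ($r[0] -eq $q.Bytes[0]) -and ($r[1] -eq $q.Bytes[1]) -and
                        (($r[2] -band 0x80) -ne 0)
        } catch {
            $answered = $false   # receive timed out: the query or its reply was dropped
        } finally {
            $udp.Close()
        }
        New-Object PSObject -Property @{ Server = $Server; Edns = $edns; Answered = $answered }
    }
}

# assumption: replace 192.0.2.53 with one of the forwarders configured on the DNS server
Test-DnsEdns -Server '192.0.2.53' | Format-Table Server, Edns, Answered -AutoSize
```

If the plain query is answered and the EDNS query is not, something between the DNS server and that upstream is dropping packets with an OPT record, which is exactly the case the dnscmd workaround above papers over; if both are answered, EDNS is not your problem and the probe setting can stay enabled.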

 

Windows Live Essentials 2011 Worldwide Language Downloads

Thursday, October 7th, 2010

… you find it for any language here.

 

Exchange Team released Update Rollup 1 for Exchange Server 2010 SP1

Thursday, October 7th, 2010

It includes several fixes for nearly all server roles. More details and download option here.

The next Update Rollup is scheduled for December 2010.

 

Microsoft SQL Server 2008 SP2 Upgrade Advisor

Thursday, October 7th, 2010

Download the Microsoft SQL Server 2008 Upgrade Advisor. Upgrade Advisor analyzes instances of SQL Server 2000 and SQL Server 2005 to help you prepare for upgrades to SQL Server 2008.

http://www.microsoft.com/downloads/details.aspx?FamilyID=bdd888fa-779f-480c-a85f-7d70b179e3b9

Roundtable Forefront and System Center on Tech-Ed Europe

Monday, October 4th, 2010

Reservation will be made for Tuesday November 9 at 1900 at following location for Forefront and System Center Roundtable:
http://www.ypsilonberlin.de
YPSILON
Hauptstrasse 163
10827 Berlin
Phone +49 30 7824539
U-Bhf Kleistpark, U 7
Bus M48, 106, 187, 204, N7

Hope we will have a good time chatting about all the interesting things around the Forefront and System Center products and exchanging some experiences. We will also meet other Tech-Ed attendees there. Go tell your peers, or feel free to post the event on your blog.
Catering is at your own expense. The restaurant has nice Greek food ;-)

RSVP