Window Server 2012 New Features – DHCP failover

While replacing my two domain controllers today I also took the opportunity to clean up DHCP and DNS, which led me to one of my favorite new features in Windows Server 2012: DHCP failover. My only question is whether there was any reason, beyond the lawsuits over giving away free software to end users, that we didn't have this years ago. If you haven't used Windows Server 2012 with DHCP failover, you are missing out. I know we had split-scope DHCP and DHCP clusters with Windows Server 2008 R2, but this is much cooler.

DHCP failover: This feature provides the ability to have two DHCP servers serve IP addresses and option configuration to the same subnet or scope, providing for continuous availability of DHCP service to clients. The two DHCP servers replicate lease information between them, allowing one server to assume responsibility for servicing of clients for the entire subnet when the other server is unavailable. It is also possible to configure failover in a load-balancing configuration with client requests distributed between the two servers in a failover relationship. For more information about DHCP failover, see Step-by-Step: Configure DHCP for Failover

In Windows Server 2008 R2, there are two high availability options available for DHCP Server deployment. Each of these options is associated with some challenges.

1. DHCP in a Windows failover cluster. This option places the DHCP server in a cluster with an additional server configured with the DHCP service that assumes the load if the primary DHCP server fails. The clustering deployment option uses a single shared storage. This makes the storage a single point of failure, and requires additional investment in redundancy for storage. In addition, clustering involves relatively complex setup and maintenance.

2. Split scope DHCP. Split scope DHCP uses two independent DHCP servers that share responsibility for a scope. Typically 70% of the addresses in the scope are assigned to the primary server and the remaining 30% are assigned to the backup server. If clients cannot reach the primary server then they can get an IP configuration from the secondary server. Split scope deployment does not provide IP address continuity and is unusable in scenarios where the scope is already running at high utilization of address space, which is very common with Internet Protocol version 4 (IPv4).

DHCP failover in Windows Server 2012 enables administrators to deploy a highly resilient DHCP service to support a large enterprise without the challenges of the options discussed earlier. The main goals of the feature are the following:

Provide DHCP service availability at all times on the enterprise network.

  • If a DHCP server is no longer reachable, the DHCP client is able to extend the lease on its current IP address by contacting another DHCP server on the enterprise network.

image

1. Right-Click on the Scope you want to enable failover from, Choose Configure Failover

2. Choose the Network that you want to provide Failover for or Select All, Click Next

image

3. Either enter the name of your Partner server or Click on Add Server to choose from other DHCP Servers on you network, Click OK, then Click Next

image

4. You can choose from two options in the Mode drop-down. We left the default, "Load balance", but you can also choose the alternative, "Hot standby".

image

5. On the same page you can set the Maximum Client Lead Time (how far one server may extend a client's lease beyond what its partner knows about; one hour by default) and the State Switchover Interval (how long a server waits after losing contact with its partner before it treats the partner as down and serves the whole scope itself). Also enable message authentication and set a shared secret, so that only the intended partner can take part in the relationship. Last, as mentioned earlier, review the options in the drop-down menu next to Mode: Load balance (the default) or Hot standby. Click Next, verify your settings, and click Finish.

image

6. Once Completed Verify Success, and Click Close.

image

Note: When you choose the DHCP failover partner, the partner must not already have the scope you are going to fail over configured. The wizard copies the scope (with its options) from the server you started on to the partner, and fails if a scope with that range already exists there.
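The same relationship built from PowerShell instead of the wizard, as an added example that is not part of the original post. The cmdlets are from the DhcpServer module that ships with Windows Server 2012; the server names, scope ID and relationship name are assumptions for illustration. It performs the check from the note above (the scope must not already exist on the partner) before creating the relationship, and then reads it back from both servers.

```powershell
# Added example, not from the original post. Builds the failover relationship
# the wizard creates above, then verifies it. Server names, ScopeId and the
# relationship name are assumptions; change them to match your environment.
Import-Module DhcpServer

$primary = 'DSI-DHCP1'              # server you right-clicked the scope on (assumed)
$partner = 'DSI-DHCP2'              # failover partner (assumed)
$scope   = [ipaddress]'10.10.10.0'  # ScopeId of the scope to protect (assumed)
$relName = "$primary-$partner"      # relationship name shown in the DHCP console

# The note above: the partner must not already hold this scope, because the
# wizard (and this cmdlet) copies it over from the primary.
if (Get-DhcpServerv4Scope -ComputerName $partner -ScopeId $scope -ErrorAction SilentlyContinue) {
    throw "$partner already has scope $scope; remove it there before configuring failover."
}

# Shared secret for message authentication between the two servers. Prompt for
# it rather than hard-coding it in the script.
$secureSecret = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureSecret)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Load balance mode (the wizard default): 50/50 split, one hour maximum client
# lead time, automatic switch to partner-down after 60 minutes without contact.
Add-DhcpServerv4Failover -ComputerName $primary -Name $relName -PartnerServer $partner `
    -ScopeId $scope -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Hours 1) `
    -SharedSecret $secret

# Hot standby alternative: the primary is Active and the partner keeps 5% of the
# scope in reserve for new clients while the primary is down.
# Add-DhcpServerv4Failover -ComputerName $primary -Name $relName -PartnerServer $partner `
#     -ScopeId $scope -ServerRole Active -ReservePercent 5 `
#     -MaxClientLeadTime (New-TimeSpan -Hours 1) -SharedSecret $secret

# Verify on both sides: State should be Normal, and the scope now exists on the partner.
Get-DhcpServerv4Failover -ComputerName $primary -Name $relName |
    Format-List Name, PartnerServer, Mode, State, LoadBalancePercent, MaxClientLeadTime, StateSwitchInterval
Get-DhcpServerv4Scope -ComputerName $partner -ScopeId $scope | Format-Table ScopeId, Name, State
```

The secret is read interactively because the cmdlet only accepts a plain string; if you script this across many scopes, pass the same relationship name and the cmdlet adds the scopes to the existing relationship instead of creating a second one.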

 

-Ivan

MSDN Forum Jam 2012 Updates Cross Post Original by Chris Givens

Chris Givens put together a contest for fun and a couple of beers. But there are so many MVPs that are more active in the forums than I am, I don't think I stand a chance.

I have included the results from 01/23/2013, but you will need to visit Chris’s Blog in order to be kept up to date… http://blogs.architectingconnectedsystems.com/blogs/cjg/archive/2012/12/07/MSDN-Forum-Jam-2013-Updates.aspx

MSDN Forum Jam 2012 Updates – Latest Results – 1/23/2013

Name                 Points   Posts   Answers
MaartenSundman         2140      59       126
Amit V                 1170      28        62
Chris Givens            815      17        60
Ivan Sanders            725      20        46
Marc D Anderson         690      30        43
CoreyRoth               420      10        17
Doug Hemminger          135       6         8
Fabian G Williams       130       7         8
Gavin Barron            125       3         8
Nicholas Holloway        90       1         8
EricaToelle              60       1         5
Xenox                    35       3         2
cimares                  25       1         1

In other news, I have created two new sites on CodePlex.

The first, SharePoint Demo Builds (http://sharepointdemobuilds.codeplex.com/), is where I have created content packs for populating Active Directory; installing and configuring SQL Server 2012 SP1 with Analysis Services in Tabular, Multidimensional and PowerPivot modes and, of course, SharePoint integrated mode; Self-Service BI, with documentation and walkthroughs of the labs and demos; ECM, primarily focused on Search and Social features; and Big Data, which is all about data mining and displaying the results in SharePoint 2013.

The second site is SharePoint 2013 Databases Documented (http://sharepoint2013dbdocs.codeplex.com/). I used ApexSQL Doc to list all of the stored procedures, tables, dependencies, functions and much more for every SharePoint 2013 database.

Anyway, to all my fellow MVPs: I can't wait to hang out with everyone in three weeks in Redmond. As always it will be a blast… Have fun…

 

-Ivan

The really cool thing about this latest….

The really cool thing about this latest OS release from Microsoft isn't how cool the Windows OS is by itself, though I admit it's a lot faster and easier to use. It's the power of the seamless integration and coexistence with the server products. But it doesn't stop there.

image

The Microsoft product line (Applications, Servers, Operating Systems, Tools) have all matured. Though I dream of the days when Microsoft would just listen to the market and include all of the widgets everyone wanted into the next OS. I remember all too well when several governments considered Microsoft a monopoly and I would like to avoid at all costs what that misled finding did to the products and company I love and perhaps took for granted. If you still need your start menu, I am sure one will be available via the app store in the near future…

 

 

-Ivan

 

I’m presenting at the SharePoint Conference 2012 in Las Vegas–November 12-15, 2012

We received the Official announcement on Thursday that Norm Warren and I will be presenting on: 

Practical Deployment Aspects of Business Intelligence

Please join Ivan Sanders and Norm Warren as they walk you through best practices for the design, development and deployment of Business Intelligence objects with SQL Server 2012 and SharePoint 2013 on Windows Server 2012, using Visual Studio 2012.

 

 

Don’t forget to register, this event will sell out http://www.mssharepointconference.com/Pages/register.aspx

 

-Ivan

 

Best Practices and Practical Deployment Aspects of Business Intelligence with SharePoint 2013, SQL Server 2012 on Windows Server 2012

I am very lucky in that I have been accepted to present on Business Intelligence Best Practices at a few upcoming SharePoint Saturdays which I hope all of you will attend.

This session is primarily a walk through demos of the design, development and deployment of Business Intelligence objects following SharePoint best practices, from design to deployment methodologies, in SharePoint 2013. It starts with a very quick walk through the foundational aspects of Business Intelligence when integrated with SharePoint, along with best practices in the design, development and deployment of Business Intelligence solutions in SharePoint Server 2013 with SQL Server 2012 on Windows Server 2012, including Analysis Services solutions with PowerPivot, Power View and Reporting Services, Excel Services and Visio Services.

Also, Norm and Ivan will walk through the governance issues surrounding the deployment of SharePoint 2013 in general and the Business Intelligence aspects in particular. In addition, Norm will quickly explain practical paths for designing tabular models in PowerPivot and the SQL Server Data Tools environment. He will explain decision points such as hybrid approaches with DirectQuery, and include best practices for automating data refresh in SharePoint and scheduling processing in Analysis Services.

The session includes a thorough demo of creating an OData feed from SharePoint lists and SQL Azure to relate a date table, for quickly showing aspects of time intelligence. The demo continues by showing how to create partitions in SQL Server 2012 and schedule data refresh (at a 15-minute interval) using XMLA. Lastly, the team will discuss how to choose the right Business Intelligence tools to start using now so you can show immediate results while planning for the future evolution of your SharePoint Business Intelligence dashboards. All demos are built on Windows Server 2012, SQL Server 2012 and SharePoint Server 2013.

I have been very blessed this year to be working on the second edition, Business Intelligence in Microsoft SharePoint 2013, with the illustrious group of Norman P. Warren, Mariano Teixeira Neto, John Campbell and Stacia Misner, the authors of the first edition, Business Intelligence in Microsoft SharePoint 2010.

Norm currently works for Ancestry.com to help people discover, preserve and share their family history. Norm was previously a writer for PerformancePoint Server 2007 and SharePoint Server 2010 at Microsoft, and has written articles on PerformancePoint Server for the information worker, IT Pro, and SQL Server BI developer audiences. Norm has his Master's degree in computer information technology and is currently earning his MBA with an emphasis in financial accounting.

Norm is an active member of the community, providing the right content about Microsoft business intelligence such as the SharePoint BI poster (Visio: http://go.microsoft.com/fwlink/p/?LinkId=167409). His pastimes are his family, mountain biking, and sharing his passion for BI in SharePoint.

Norm will be joining me for the first two in an upcoming series of SharePoint Saturdays during the next few months. The first of this series is coming up on September 22nd 2012 in Redmond, WA at the Microsoft Conference Center. If you are like me and have a passion for all things Microsoft, then you know it's one of the best cities in the world, and I hope you will join us for this event. The place to register is http://spsred.eventbrite.com/

The second in the series will be held in Bend, OR on October 6th 2012 at Central Oregon Community College. If you were unable to join us in Redmond then this is the event we hope you can attend, due to the numerous seasoned experts, MVPs and MCMs alike. Please don't forget to register: http://spsbend2012.eventbrite.com/

The last in the series leading up to the SharePoint Conference in Las Vegas, Nevada will be held in Sacramento, California on October 13th 2012 at the Woodlake Hotel near the Cal Expo in downtown Sacramento. I was fortunate enough to be the keynote speaker last year, and the number of people attending and the excellent venue made this one of the highlights of my year of presenting at many SharePoint Saturdays. Registration is open: http://spssacramento.eventbrite.com/

Last I would like to thank the many sponsors that make all of the free SharePoint Saturday events possible:


If you have been in the SharePoint industry for any length of time you may be able to tell, from the number of sponsors with SharePoint products and services, that the SharePoint community is getting better every year and becoming more vibrant every day.

Thank You to ALL our SPONSORS and VOLUNTEERS for making SharePoint Saturdays possible…

 

-Ivan

 

Administration Toolkit for RMS, SP2 – IRM Check – Configuration Test

The Administration Toolkit contains additional programs that Microsoft developers created while working on Windows Rights Management Services (RMS). We found them useful for troubleshooting: they expose the registry overrides in use, let us make configuration changes, and report information about the environment.

We have taken great care to ensure that the tools operate as they should, but they are not part of Windows RMS and are not supported by Microsoft. For this reason, Microsoft technical support is unable to answer questions about this toolkit.

Note: The administration toolkit is designed for use on servers with US-English regional options.

The following tools are included in the toolkit. To learn more about a tool, open the Readme file for the tool:

  • AD SCP Register
    Use this tool to register or unregister a service connection point in Active Directory.

  • Get RMS SCP
    Use this tool to validate the current service connection point registered in Active Directory
  • IRM Check
    For enterprises that are using RMS with Office System 2003. Use this tool to create an html-based report of the client configuration, Office version, registry keys, and other settings that impact the RMS system.
  • RMS Cert Analyzer
    Use this tool to check the certificate chain on a given rights account certificate, view rights data and certificate information.
  • RMS Config Editor
    Use this tool to easily view and edit data in the RMS configuration database.
  • RMS Event Viewer
    Use this tool to map RMS log entries to events, enabling the logs to be viewed using the Event Viewer.
  • RMS Log Analyzer
    Use this tool to analyze the log file of your RMS server to track server errors, query for specific users, and other logged events.
  • RMS Queue Recovery
    Use this tool to recover logged events from the MSMQ dead letter queue.
  • RMS Service Locator
    Use this tool to provide a report of all the URLs that RMS uses.

Note: For information about implementing, deploying, and administering RMS, see the RMS TechCenter http://go.microsoft.com/fwlink/?LinkID=42498

IRM Check – Configuration Test

image

image

 

As time permits I will continue this series and write about the additional tools. Most, if not all, of the additional tools require the .NET Framework 3.5.

image

Also, the only tool I found that did not work was the RMS Log Analyzer as can be seen from the screenshot below. I haven’t had the chance to debug but it looks like a table wasn’t created when you create the DRMS_Log_Admin Db

image

Additional Reference

SharePoint Information Rights Management (health model): http://technet.microsoft.com/en-us/library/cc560952(v=office.12). Pretty much every Event ID associated with SharePoint IRM is covered there; this link is invaluable.

image

 

-Ivan

Windows Server 2012 AD RMS with SharePoint IRM a Step by Step Guide

I have included below for your review and use a copy of a document that I recently created for a 3 Server DEV environment for SharePoint IRM

Create Service Accounts

Account Name   User Logon Name   Group
ADRMSSRVC      ADRMS
ADRMSADMIN     ADRMSADMIN        Enterprise Admins

Server Names, Operating System and Roles / Applications

Server Name   OS                    Roles / Applications
DSI-DC1       Windows Server 2012   AD DS, AD RMS, DNS
DSI-SQL       Windows Server 2012   SQL Server 2012
DSI-SP2010    Windows Server 2012   SharePoint 2010

AD RMS Installation

1. Log on to Domain Controller DSI-DC1 as administrator.

2. Click Desktop, then Server Manager, then Manage, and then Add Roles and Features.

3. Read the Before You Begin section, and then click Next.

Add Role AD RMS

On the Select Server Roles page, select the Active Directory Rights Management Services check box.

img2A

Add Required Features

The Add Required Features page appears informing you of the AD RMS required role services and features. Click Next.

img2C

Select Additional Features

The Add Additional Features page appears, Click Next

img2D

Active Directory Rights Management Services Introduction

Read the AD RMS introduction page, and then click Next.

img2E

Select Role Services

On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.

img2F

Web Server Role (IIS)

Read the Web Server Role (IIS) introduction page, and then click Next.

img32

Select Role Services

On the Select Role Services page, verify that the Web Server role services AD RMS requires are selected, and then click Next.

img34

Confirm Installation Selections

Confirm the AD RMS Installation selections, and then click Next.

img35

Installation Progress

img36

Active Directory Rights Management Configuration

img37

Create a new AD RMS Cluster

Click the Create a new AD RMS root cluster option, and then click Next.

img38

Select Configuration Database Server

Click the Specify a database server and an instance option, type DSI-SQL, choose Default Instance, and then click Next. If you have any issues connecting to the instance you may have to enable the SQL Server Browser service on DSI-SQL. This is especially the case when configuring AD RMS on a Windows Server 2012 machine that also holds the AD DS role.

img39

Specify Service Account (Requires Domain Admin User Rights on a Domain Controller)

Click Specify, type DIMENSION-SI\ADRMSSVC, and then click Next. The service account must be a domain user account and must not be the account you are installing AD RMS with. Because this guide installs AD RMS on the domain controller DSI-DC1, that account additionally has to be a member of Domain Admins, which is why the heading calls for Domain Admin rights. On a member server a plain domain user with no extra privileges is all AD RMS needs, and is the better choice.

img3A

Specify Cryptographic Mode

img3B

Specify Key Storage Mode

Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.

img3C

Specify Cluster Key Password

Type a strong password in the Password box and in the Confirm password box, and then click Next.

img41

Specify The AD RMS Web Site

Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be DEFAULT Web Site.

img42

Specify Cluster FQDN

For Connection Type, click Use an SSL-encrypted connection (https://). In the Fully-Qualified Domain Name box, type adrms.dimension-si.com (the wizard adds the https:// prefix, giving the cluster address https://adrms.dimension-si.com), and then click Next. Using a name distinct from the server's own host name, as done here, lets the cluster be moved to another server later without changing the address embedded in published licenses; make sure DNS resolves that name to DSI-DC1 before clients try to use it.

img43

Choose SSL Certificate

Click the Create a self-signed certificate for SSL encryption option, and then click Next. A self-signed certificate is acceptable for this DEV environment only: clients, and later DSI-SP2010, will reject the HTTPS connection unless they trust that certificate, so for anything beyond a lab use a certificate issued by a CA your clients already trust.

img4B

Name the Server Licensor Certificate

Type a name that will help you identify DSI-DC1-ADRMS in the Friendly name box, and then click Next.

img4C

Register Service Connection Point

Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.

img4D

Confirm Installation Selections

Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete; when it finishes, click Close.

img4E

Confirm Installation Results

img4F

Sign Out

Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS

img50
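The role installation and a check of what the configuration wizard produced, as an added example that is not part of the original guide. It runs in an elevated PowerShell session on DSI-DC1; the forest's configuration naming context is read from the DC, the cluster FQDN is the one chosen above, and everything else is an assumption. The SCP location and attribute are the standard ones AD RMS registers.

```powershell
# Added example, not from the original guide. Installs the AD RMS role from
# PowerShell (replacing the Server Manager clicks above) and, once the wizard
# has provisioned the cluster, verifies the service connection point (SCP)
# and the HTTPS listener. Run elevated on DSI-DC1 as DIMENSION-SI\Administrator.
Import-Module ServerManager

$result = Install-WindowsFeature -Name ADRMS, ADRMS-Server -IncludeManagementTools
if (-not $result.Success) { throw "AD RMS role install failed with exit code $($result.ExitCode)" }

# AD RMS pulls in IIS and Message Queuing; confirm all of them are present.
Get-WindowsFeature -Name ADRMS, ADRMS-Server, Web-Server, MSMQ-Server |
    Format-Table Name, InstallState -AutoSize

# --- Run the rest after the configuration wizard (from "Create a new AD RMS
# --- Cluster" through "Confirm Installation Results") has completed.

Import-Module ActiveDirectory
$clusterFqdn = 'adrms.dimension-si.com'   # cluster FQDN chosen in the wizard
$configNC    = (Get-ADRootDSE).configurationNamingContext
$scpDN       = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"

# The SCP's serviceBindingInformation attribute carries the cluster URL that
# RMS-aware clients and SharePoint discover without manual configuration.
$scp = Get-ADObject -Identity $scpDN -Properties serviceBindingInformation -ErrorAction Stop
$url = @($scp.serviceBindingInformation)[0]
"SCP registered at $scpDN -> $url"
if ($url -notlike "https://$clusterFqdn*") {
    Write-Warning "SCP URL does not match the cluster FQDN $clusterFqdn chosen in the wizard"
}

# Confirm something answers on 443 for that name. A plain TCP connect is used
# so the self-signed certificate does not get in the way of this check.
$tcp = New-Object Net.Sockets.TcpClient
try     { $tcp.Connect($clusterFqdn, 443); "HTTPS listener on ${clusterFqdn}:443 is reachable" }
catch   { Write-Warning "Nothing answered on ${clusterFqdn}:443; check DNS and the AD RMS web site binding" }
finally { $tcp.Close() }

# The installing user is added to this group; sign out and back in, as the
# guide says, before the new membership shows up in your token.
net localgroup "AD RMS Enterprise Administrators"
```

If the SCP lookup fails with an object-not-found error, the "Register the AD RMS service connection point now" step above was skipped; the AD SCP Register tool from the Administration Toolkit, or the AD RMS console, can register it afterwards.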

By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must add the permissions in order for Office SharePoint Server 2010 to integrate with AD RMS.

Add DSI-SP2010 to the AD RMS Certification Pipeline

1. Log on to DSI-DC1 as DIMENSION-SI\Administrator.

2. Click Start, and then click Computer.

3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.

5. Click Advanced, click Enable Inheritance, select the Include inheritable permissions from this object’s parent check box, and then click OK two times.

6. Click Edit, and then click Add.

7. Click Object Types, select the Computers check box, and then click OK.

8. Type DSI-SP2010, and then click OK.

9. Click OK to close the ServerCertification.asmx Properties sheet.

By default the Read & execute and the Read permissions are configured for the DSI-DC1 computer account object and all other accounts inherited from the parent folder.

10. Click Start, and then click Command Prompt.

11. Type iisreset, and then press ENTER.
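Steps 3 through 11 done with icacls, as an added example that is not part of the original guide. The path is the AD RMS default and the domain and server names are the ones used in this guide. The point of scripting it is the read-back: you see the computer account's entry on the ACL before IIS is restarted, rather than discovering a missing permission from a SharePoint error later.

```powershell
# Added example, not from the original guide: the ServerCertification.asmx ACL
# change from steps 3-11 above, with verification before IIS is restarted.
$asmx      = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$spAccount = 'DIMENSION-SI\DSI-SP2010$'   # computer account, hence the trailing $

if (-not (Test-Path -LiteralPath $asmx)) { throw "Certification pipeline not found at $asmx" }

# Step 5: re-enable inheritance so the entries from the parent folder apply again.
icacls $asmx /inheritance:e | Out-Null

# Steps 6-9: grant the SharePoint server's computer account Read & execute.
# (RX) is read and execute; nothing more is needed to call the pipeline.
icacls $asmx /grant "${spAccount}:(RX)" | Out-Null

# Verify before restarting IIS. icacls prints one line per ACE; an explicit
# (non-inherited) grant shows up as   DIMENSION-SI\DSI-SP2010$:(RX)
$acl = icacls $asmx
$acl
if (-not ($acl | Select-String -SimpleMatch "${spAccount}:(RX)")) {
    throw "$spAccount did not receive Read & execute on $asmx"
}

# Step 11.
iisreset
```

Grant only the computer account of the SharePoint server; granting Domain Computers or Everyone would let any domain machine request server licensor certificates from the pipeline.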

Once the AD RMS cluster certification pipeline is inheriting and you have added DSI-SP2010, you must configure Office SharePoint Server 2010 to use the AD RMS cluster:

SharePoint 2010 Information Rights Management Configuration Guidance

Before using IRM, you must have a Windows Rights Management Services (RMS) server to connect to. In addition, you must have installed the Windows Rights Management Services Client Service Pack 2 on every front-end Web server in the farm running SharePoint Server 2010.

SharePoint IRM Configuration Step by Step

1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.

2. On the Security page, in the Information Policy section, click Configure information rights management.

Central Administration > Security > Information Rights Management

Select Use the default RMS server specified in Active Directory if your organization has registered an RMS service connection point in Active Directory Domain Services (AD DS), as was done in the Register Service Connection Point step above, and then click OK.

 

img53

 

Event Log Errors and Reference

If you are unable to open a document from an IRM protected library you may receive two similar events

Event ID 5085 (Windows SharePoint Services health model)

img55

Reference: http://technet.microsoft.com/en-us/library/cc561091(v=office.12)

Event ID 5065 (Windows SharePoint Services health model)

img54

‘Reference: http://technet.microsoft.com/en-us/library/cc561018(v=office.12)

As the event states, the most likely cause is that the user's e-mail address has not been configured. However, the documentation has not been updated for SharePoint 2010. The SharePoint 2010 architecture has changed, and you now must ensure that the User Profile Service has synced.

If users attempt to open IRM Protected documents prior to the sync, they will NOT open and you will receive the two errors 5065, 5085 listed above  in the event log. Unfortunately, the two references I list above do not allow for comment or I would have added the comment to the technet library
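A way to check for this condition from the farm rather than waiting for a user to report it, as an added example that is not part of the original post. It runs in the SharePoint 2010 Management Shell on a front-end server, lists recent 5065/5085 events from the Application log, and then reports the user profiles that have no work e-mail, which is what those events point at. The site URL is an assumption; any site in the farm served by the User Profile service application will do.

```powershell
# Added example, not from the original post. Lists the two IRM events and the
# user profiles that are missing the WorkEmail property. Run on a SharePoint
# 2010 front end; the site URL below is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 5065, 5085 } `
              -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
} else {
    'No IRM events (5065/5085) in the Application log'
}

# Profiles without a WorkEmail value cannot open IRM-protected documents until
# the User Profile Synchronization job has run and populated the property.
$site = Get-SPSite 'http://dsi-sp2010' -ErrorAction Stop    # assumed site URL
$ctx  = Get-SPServiceContext $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$missing = foreach ($p in $upm.GetEnumerator()) {
    if ([string]::IsNullOrEmpty($p['WorkEmail'].Value)) { $p.AccountName }
}
"$($upm.Count) profiles, $(@($missing).Count) without a work e-mail:"
$missing
```

If the list of profiles without an e-mail address is long right after a new farm is built, the synchronization has simply not run yet; if it stays long, the mail attribute mapping in the User Profile Service application is what to look at next.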

 

Cheers,

 

-Ivan

Microsoft Windows Unauthorized Digital Certificates

Original release date: June 04, 2012 Source: US-CERT Alert TA12-156A

Systems Affected

  • All supported versions of Microsoft Windows, including:
    • Windows XP and Server 2003
    • Windows Vista and Server 2008
    • Windows 7 and Server 2008 R2
    • Windows 8 Consumer Preview
    • Windows Mobile and Phone

Overview

  • X.509 digital certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.

Description

  • Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates issued by the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration. From an MSRC blog post:

We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

Security Advisory 2718704: Update to Phased Mitigation Strategy What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):

Certificate: Microsoft Enforced Licensing Intermediate PCA

  • Issued by: Microsoft Root Authority
  • Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70

Certificate: Microsoft Enforced Licensing Intermediate PCA

  • Issued by: Microsoft Root Authority
  • Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08

Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)

  • Issued by: Microsoft Root Certificate Authority
  • Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

Impact

  • An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows. An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain. As noted in an MSRC blog post, “…some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”

Solution

  • It is important to act quickly to revoke trust in the affected certificates. Any certificates issued by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.

Apply updates

  • Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).

Revoke trust in affected certificates

  • Manually add the affected certificates to the Untrusted Certificate Store. The Certificates MMC snap-in and Certutil command can be used on Windows systems.
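A check that the three certificates the advisory lists are actually in the machine's Untrusted Certificates store, as an added example that is not part of the advisory. The thumbprints are copied from the advisory text above with the spaces removed; everything the script does beyond reading the store is clearly marked.

```powershell
# Added example, not from the advisory. Verifies that the certificates from
# Security Advisory 2718704 are present in the local machine's Untrusted
# Certificates (Disallowed) store, which is what KB2718704 puts there.
$bad = @{
    '2A83E9020591A55FC6DDAD3FB102794C52B24E70' = 'Microsoft Enforced Licensing Intermediate PCA'
    '3A850044D8A195CD401A680C012CB0A3B5F8DC08' = 'Microsoft Enforced Licensing Intermediate PCA'
    'FA6660A94AB45F6A88C0D7874D89A863D74DEE97' = 'Microsoft Enforced Licensing Registration Authority CA (SHA1)'
}

$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed
$missing = @()
foreach ($thumb in $bad.Keys) {
    if ($disallowed | Where-Object { $_.Thumbprint -eq $thumb }) {
        "OK      $thumb  $($bad[$thumb])"
    } else {
        "MISSING $thumb  $($bad[$thumb])"
        $missing += $thumb
    }
}

if ($missing) {
    # The update should have added them; see whether it is installed at all.
    if (Get-HotFix -Id KB2718704 -ErrorAction SilentlyContinue) {
        Write-Warning 'KB2718704 is installed but the store is incomplete; add the certificates by hand.'
    } else {
        Write-Warning 'KB2718704 is not installed; install it, or add the certificates by hand.'
    }
    # Manual route the advisory mentions: export each certificate to a .cer
    # file (from the Certificates MMC snap-in or another patched machine) and
    #   certutil -addstore Disallowed <exported-cert.cer>
}

# Where else these issuers still appear; the Disallowed entry overrides them,
# but it shows which machines received Terminal Services licensing chains.
Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { $bad.ContainsKey($_.Thumbprint) } |
    ForEach-Object { "Also present in $($_.PSParentPath.Split('\')[-1]): $($_.Subject)" }
```

Run it under an account that can read the machine store; the Disallowed store is checked by CryptoAPI before the rest of the chain, so a certificate listed there is rejected even if the same certificate is also in the intermediate store.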


-Ivan
