Using Windows Server 2012 R2 Server Manager to manage 2008 R2 servers

A topic that some administrators have searched for without finding much information is how to configure a Windows Server 2008 R2 server to be managed from Server Manager on Windows Server 2012 (R2). This is fully possible, and fairly easy. This is a very quick guide.

Start by installing .NET 4.0, which you can find here. Then install Windows Remote Management 3.0 (KB 2506143) from here. After installing these two, configure Windows Remote Management 3.0 to listen for incoming connections with the following command. Remember to run it as administrator.


PS> winrm quickconfig

Answer yes to all questions. This will automatically configure a listener and firewall exceptions. After this command completes, you will be able to add the server to Server Manager.

If you also need to read performance counters in order to trigger performance alerts in Server Manager, you will also need to install KB 2682011.

Exchange – export eDiscovery search to a pst downloads an application file

You are using eDiscovery / multi-mailbox search in Exchange, you click “Export to a PST file”, and a strange application file is downloaded instead. You are also using Google Chrome or another non-IE browser.

The problem is that your browser does not support ClickOnce. For Google Chrome you can find a plugin here. Tested and works fine.

Outlook AutoDiscover redirect limit (0x800c8206)

Today I encountered something I’ve not seen before, and I am sure more people will encounter this. If a client is in an Active Directory site without an AutoDiscover serviceConnectionPoint (SCP), it will try to connect to all AutoDiscover instances in the organization simultaneously. If the user has been cross-forest migrated, a redirect response will come from each server, and if there are more than 8 of them, Outlook reaches a redirect limit and AutoDiscover fails.

After a cross-forest migration, the targetAddress of the source Active Directory object will be set to an address in the routing domain. For example, when you migrate to Office 365 / Exchange Online, your user will get a tenant.mail.onmicrosoft.com address, in my case mailNickname@gwrnd.mail.onmicrosoft.com. After the migration, when requesting details from the on-premises AutoDiscover, the response will be a redirect to the Exchange Online AutoDiscover. The problem is that when SCP lookup is enabled in Outlook, it will count each on-premises response as a redirect. This means that if it requests from all of your AutoDiscover instances, it will fail (the limit is 10).

If you believe this is your issue, you can look for error code 0x800c8206 in “Test E-mail Autoconfiguration” in Outlook. If you find this error code, here is your solution.

Disable SCP on the client

Instead of having Outlook look for SCPs in AD, you can disable this feature by adding the following to the registry on the client.


[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover]
"ExcludeScpLookup"=dword:00000001

With SCP lookup disabled, Outlook will behave as it does on the internet. It will look at the UserPrincipalName (UPN) and try autodiscover.goodworkaround.com if your UPN ends with @goodworkaround.com. The reason this helps is that it will only get one on-premises response, not one per AutoDiscover virtual directory.

Configure AutoDiscoverSiteScope

By default a CAS only serves its own site. You can use the cmdlet Set-ClientAccessServer -identity -AutodiscoverSiteScope Oslo,Beijing,Boston,Seattle to configure it to serve more sites. This can help if you, for example, have 4 datacenters with 3 AutoDiscover instances in each, and some sites in AD do not have an Exchange server. Clients in the sites without an Exchange server will try all 12 AutoDiscover instances and fail because they reach the limit. If you configure such a site to be served by only one of the datacenters, it will succeed because it will only try 3 servers.

Reduce the number of AutoDiscover instances

Do you really need 12? Remember that this is a lightweight service, and you can have a CAS without AutoDiscover. If you can manage with 8 or fewer AutoDiscover instances, you are safe.

Hope this helps someone.

ADFS authentication customization

Active Directory Federation Services (ADFS) offers a lot of room for customization. Because it is C# based and runs on IIS, you can do basically anything. However, most people want to add two-factor authentication or customize the look and feel. In this article we will first implement an additional shared password for all users, and then show how you can extend this functionality to implement a two-factor authentication mechanism.

When doing these customizations, you will need to use forms authentication. This means I assume that you know how to configure this (your ADFS proxy server(s) are already configured like this). The files we will be modifying are FormsSignIn.aspx and FormsSignIn.aspx.cs.

The first thing you would want, is to add the following to your FormsSignIn.aspx file. This just adds the PIN text box, nothing else.

<tr>
	<td>
		<span class="Label">PIN</span>
	</td>
	<td>
		<%-- PIN input; the ID must match the PINTextBox referenced from FormsSignIn.aspx.cs --%>
		<asp:TextBox runat="server" ID="PINTextBox" TextMode="Password" />
	</td>
	<td>&nbsp;</td>
</tr>

After modifying the file, your login page should look something like the following.

When you hit Enter or the Sign In button, the method SubmitButton_Click defined in FormsSignIn.aspx.cs is called. By default, this just calls SignIn( UsernameTextBox.Text, PasswordTextBox.Text ) and catches an exception if the authentication fails, but we want more. Continue editing FormsSignIn.aspx.cs, replacing SubmitButton_Click with the following modified version.

// Shared PIN for all users; this is the deliberately simple first step,
// replace the body with a real check (database, web service, RADIUS, OTP) later.
protected bool VerifyPIN(string username, string PIN)
{
	return PIN.Equals("12345");
}

protected void SubmitButton_Click( object sender, EventArgs e )
{
	try
	{
		// Check the PIN before the password is ever sent to SignIn
		if(!VerifyPIN(UsernameTextBox.Text, PINTextBox.Text)) {
			ErrorTextLabel.Visible = true;
			ErrorTextLabel.Text = "Wrong PIN";
			return;
		}

		// PIN was ok, let's continue with SignIn
		SignIn( UsernameTextBox.Text, PasswordTextBox.Text );
	}
	catch ( AuthenticationFailedException ex )
	{
		HandleError( ex.Message );
	}
}

After changing this, the PIN for all users must be 12345, or they will not be able to log on. This does not seem too handy, I understand, but at this point, instead of checking whether the PIN is 12345, you can check against a database, a web service, a RADIUS service or other One-Time Password services. Just put whatever you need in the VerifyPIN function. I’ll make an article on it some day.
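As an added example (not code from the article or from ADFS), here is a VerifyPIN with the same signature that replaces the shared 12345 test with a per-user time-based one-time password (RFC 6238 TOTP), using only .NET 4.0 APIs so it can sit in FormsSignIn.aspx.cs. The LookupSecret helper and the user "alice" are hypothetical; a real deployment reads the enrolled secret from a database or secret store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example (not from the article or ADFS): a VerifyPIN that replaces the
// shared "12345" test with a per-user TOTP (RFC 6238) check, .NET 4.0 APIs only.
public static class PinVerifier
{
    // Hypothetical secret lookup. A real deployment reads the user's enrolled
    // secret from a database or secret store; the constructed value here is the
    // RFC 6238 test key and exists only so the sample runs.
    private static byte[] LookupSecret(string username)
    {
        return username != null && username.Equals("alice", StringComparison.OrdinalIgnoreCase)
            ? Encoding.ASCII.GetBytes("12345678901234567890") : null;
    }
    // RFC 4226 HOTP for one counter: HMAC-SHA1, dynamic truncation, 6 digits.
    private static string Hotp(byte[] key, long counter)
    {
        byte[] msg = BitConverter.GetBytes(counter);
        if (BitConverter.IsLittleEndian) Array.Reverse(msg);   // counter is big-endian
        using (var hmac = new HMACSHA1(key))
        {
            byte[] h = hmac.ComputeHash(msg);
            int off = h[h.Length - 1] & 0x0F;
            int code = ((h[off] & 0x7F) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
            return (code % 1000000).ToString("D6");
        }
    }
    // Compare every character so a wrong PIN does not reveal which digit differs.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Same signature as the article's VerifyPIN. Accepts the current 30-second
    // step and one step either side for clock drift; unknown user or empty PIN fails.
    public static bool VerifyPIN(string username, string pin)
    {
        byte[] key = LookupSecret(username);
        if (key == null || string.IsNullOrEmpty(pin)) return false;
        DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long step = (long)(DateTime.UtcNow - epoch).TotalSeconds / 30;
        for (long i = -1; i <= 1; i++)
            if (FixedTimeEquals(Hotp(key, step + i), pin)) return true;
        return false;
    }
}
```

The block does not remember codes it has already accepted; a production version should also refuse reuse of a code within its window and rate-limit failed attempts per user.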

DirSync reports cd-error when litigation hold is enabled

Just experienced a problem in an Exchange 2010 SP3 hybrid environment with Office 365 wave 15. When In-Place Hold is activated (typically for eDiscovery), DirSync returns cd-error when exporting the user attributes to Active Directory. This does not affect functionality, but you will get events in the Event Viewer telling you the following.

Executing export run profile on source MA failed for System.ManagementPropertyData. Failed to export objects:
dn="CN=User account,OU=User accounts,DC=goodw,DC=goodworkaround,DC=com",error-type=cd-error,error-code=87

If you open miisclient.exe (please do not do this if you do not know FIM!), you will see the cd-error on the SourceAD Management Agent, on the Export run profile. Digging further shows “Parameter incorrect”, and digging even further shows that the attribute msExchUserHoldPolicies cannot be exported.

Some quick searching gives you this, telling you that this is a new attribute in Exchange 2013. Go ahead and extend the Active Directory schema to Exchange 2013, and the error should go away.

Eject DVD iso from Hyper-V 2012 using PowerShell

A very short article, this one. Ever tried googling/binging for how to eject the DVD drive in Hyper-V 2012 using PowerShell? It is actually very easy and logical, and also documented in the examples.

The following Get-Help cmdlet shows you how to do this.

Get-Help Set-VMDvdDrive -examples

Basically, use the first line to eject ALL your DVD drives, or the second line to eject all DVD drives that have mounted an ISO from the E:\Install directory. You can of course also use the third line to eject from a single VM.

Get-VM | Get-VMDvdDrive | Set-VMDvdDrive -path $null
Get-VM | Get-VMDvdDrive | where{if($_.Path) {$_.Path.ToLower().StartsWith("e:\install\")}} | Set-VMDvdDrive -path $null
Get-VM dc1.marius.local | Get-VMDvdDrive | Set-VMDvdDrive -path $null

Drupal 7 on Lighttpd with rewrite

Apache is a well-known web server that I have used quite a lot. It does however have its problems. First, Apache is a huge memory hog and does not work very well on low-memory servers such as Virtual Private Servers (VPS). Second, it is very mainstream, so security holes in it get discovered. And third, it is very big and therefore also very slow.

As I have recently been experimenting with a VPS, I have been working on getting Drupal 7 to work properly on Lighttpd with pretty URLs / mod_rewrite enabled, with quite good results. I have found no best practices for running Drupal on Lighttpd, so here is my configuration.

My setup

Operating system: Debian 6, 64-bit
Web server: Lighttpd 1.4.28
PHP version: 5.3
PHP modules: imagick, mysql, mysqli, cgi-fcgi, gd, curl, iconv, mcrypt, pdo, pdo_mysql

Configuring lighttpd with php and rewrite

server.modules = (
        "mod_access",
        "mod_alias",
        "mod_compress",
        "mod_redirect",
        "mod_rewrite",
        "mod_fastcgi"
)

server.document-root        = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                                "index.lighttpd.html" )

url.access-deny             = ( "~", ".inc" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

include_shell "/usr/share/lighttpd/use-ipv6.pl"

dir-listing.encoding        = "utf-8"
server.dir-listing          = "disable"

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/x-javascript", "text/css", "text/html", "text/plain" )

include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

fastcgi.server = ( ".php" => ((
                "bin-path" => "/usr/bin/php5-cgi",
                "socket" => "/tmp/php.socket"
        ))
)

There are some changes from the default configuration file. First, the modules mod_rewrite and mod_fastcgi are enabled. Then PHP is configured as a FastCGI server.

The site configuration

$HTTP["host"] =~ "^goodworkaround\.com$" {
        server.document-root = "/home/marius/websites/drupal7/"
        server.errorlog = "/var/log/lighttpd/goodworkaround.com.error.log"
        accesslog.filename = "/var/log/lighttpd/goodworkaround.com.access.log"
        server.error-handler-404 = "/e404.php"

        url.rewrite-if-not-file += (
                "^/([^.?]*)\?(.*)$" => "/index.php?q=$1&$2",
                "^/([^.?]*)$" => "/index.php?q=$1",
                "([a-zA-Z\-\.\/\?\=\&]*)" => "/index.php"
        )
}

The important part here is the set of rewrite rules you need to make pretty URLs work. This is my own creation, so please refer to this page if you copy it and post it somewhere. 😉

This rewrite rule will work with things like overlay, image styles etc, all with pretty URLs enabled.
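To see what the three rules above actually do to a request, here is an added example (not from the article or from lighttpd) that models the site block offline: lighttpd matches rewrite patterns against the URI including the query string, replaces the whole URI with the substituted right-hand side, and rewrite-if-not-file only fires when the path does not exist on disk. The document root contents are a constructed stand-in.

```csharp
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Added example (not from the article or lighttpd): offline model of the
// rewrite, access-deny and static/FastCGI decisions in the site block above.
public static class DrupalRewriteModel
{
    // The three url.rewrite-if-not-file rules, in the order the config lists them.
    private static readonly string[,] Rules =
    {
        { @"^/([^.?]*)\?(.*)$", "/index.php?q=$1&$2" },
        { @"^/([^.?]*)$",       "/index.php?q=$1" },
        { @"([a-zA-Z\-\.\/\?\=\&]*)", "/index.php" }
    };
    // Constructed stand-in for the document root: the paths that exist on disk.
    private static readonly HashSet<string> ExistingFiles = new HashSet<string>
    {
        "/index.php", "/update.php", "/misc/drupal.js",
        "/sites/default/files/logo.png", "/sites/default/files/notes.txt~"
    };
    private static string PathOnly(string uri)
    {
        int q = uri.IndexOf('?');
        return q < 0 ? uri : uri.Substring(0, q);
    }
    // URI after the rewrite stage. rewrite-if-not-file only fires when the
    // path (query string stripped) does not exist as a file.
    public static string Rewrite(string uri)
    {
        if (ExistingFiles.Contains(PathOnly(uri))) return uri;
        for (int i = 0; i < Rules.GetLength(0); i++)
        {
            Match m = Regex.Match(uri, Rules[i, 0]);
            if (m.Success) return m.Result(Rules[i, 1]);   // first matching rule wins
        }
        return uri;
    }
    // Handler the final URI reaches: url.access-deny is checked first, then
    // static-file.exclude-extensions decides between FastCGI (PHP) and static files.
    public static string Handler(string uri)
    {
        string path = PathOnly(Rewrite(uri));
        if (path.EndsWith("~") || path.EndsWith(".inc")) return "deny";
        if (path.EndsWith(".php") || path.EndsWith(".pl") || path.EndsWith(".fcgi")) return "fastcgi";
        return "static";
    }
}
```

Running Rewrite over /node/1, /node/1?page=2, /misc/drupal.js and /sites/default/files/notes.txt~ shows which requests reach index.php, which are served as files, and which the url.access-deny list stops; note that only the "~" and ".inc" suffixes are denied here, which is a shorter list than the one in Drupal's stock .htaccess.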

Have fun!