
Sunday, September 20, 2015

Configuring Exchange 2013 Activesync in a Lab Environment

Introduction


When we install Exchange Server 2013, Exchange ActiveSync is installed automatically as part of the deployment. To learn more about the prerequisites and installation of Exchange 2013, see Installing Exchange Server 2013.

Microsoft Exchange Server 2013 ActiveSync lets users access mail, contacts, tasks and calendar information directly from their mobile devices. The mobile device must be configured for ActiveSync, and the ActiveSync feature must be enabled for the Exchange 2013 users. Users should also consider a service provider that supports Direct Push for their mobile clients, because ActiveSync works on both HTTPS and Direct Push.

In this article, we will configure a simple Windows Mobile 6.1 emulator for Exchange ActiveSync for an Exchange Server 2013 mailbox user.

There are two parts to this configuration:
  1. Exchange server 2013 configuration
  2. Windows Mobile 6.1 configuration
Before we proceed, you must configure the Exchange Server 2013 Client Access role for external access. You need a certificate from a known trusted certificate authority or a Windows Enterprise Certificate Authority to secure communication between Exchange Server 2013 and Windows Mobile 6.1. This configuration also works with other versions of the Windows Mobile emulators.

Exchange Server 2013 Activesync Configuration Steps

If you have already deployed Exchange Server 2013, open the Exchange Admin Center. You can access it from the following URL.

https://<server_name>/ecp/?ExchClientver=15

Click recipients and, right above the recipient's display name, click + to open the new user mailbox wizard.

Exchange Admin Center

Type in the user name, display name and log on name of the user.


Create a new user

Click Save to save the user information.

Verify Activesync feature for new user

Select the new user and view its properties on the right side of the window. You should see ActiveSync enabled for the user by default. Click Server on the left to view server-related configuration.


ActiveSync virtual directory

Under Server, click Virtual Directories and select the Microsoft-Server-ActiveSync (Default Web Site) virtual directory. This virtual directory must be configured with an internal and an external URL. The internal URL for ActiveSync is for devices that connect through the corporate network. For example,

https://exch2013.wt.com/Microsoft-Server-ActiveSync (Default Web Site)/

It points to the Exchange Server 2013 Client Access host name for name resolution. Note that all ActiveSync requests from mobile clients are sent to the ActiveSync virtual directory. The external URL is no different; the only difference is the host name, which should be published with an external DNS server. For example,

https://mail.wt.com/Microsoft-Server-ActiveSync (Default Web Site)/

The above is true for other virtual directories if you have not configured the Exchange Server 2013 Client Access role.

ActiveSync virtual directory settings

Type the appropriate internal and external URLs as discussed previously. There are some other important settings under Authentication. SSL must be enabled for this virtual directory because we are going to use an SSL certificate for ActiveSync.

Since most mobile users are external to the domain and connect from the Internet, we will make sure that the authentication method is Basic. With Basic authentication the password is sent in clear text, which is why it is necessary to secure the communication between Exchange Server 2013 and the mobile device with a certificate.

Do not select any other setting, and click Save to save the information.


Authentication settings for ActiveSync virtual directory


Configuring Certificate for Exchange Server 2013 Client Access Server for ActiveSync

Next, we will configure a certificate for the Exchange Server 2013 Client Access server. Click the Certificates tab under Server.


Certificates Configuration

This part requires that we already have access to a certificate authority or a Windows Enterprise Root CA in the domain. We have an Enterprise Root CA for the purposes of this lab. Select the Client Access server that you want to configure and click + to open New Exchange Certificate. Note that you can also create a certificate request through the Exchange 2013 Management Shell using the New-ExchangeCertificate cmdlet.



Create a new Certificate Request

There are two options to create a certificate request.
  1. Create a certificate request from a Certificate Authority.
  2. Create a self-signed certificate.
The difference between a self-signed certificate and a certificate from a CA is the root certificate that validates the certificate. In the case of a self-signed certificate there is no root certificate, because there is no CA. That is why you need to click the Create a certificate request from a CA option.


Friendly name for Certificate

Type a friendly name for the certificate and click next to continue. The next page is for enabling a wildcard for the certificate. A wildcard certificate has a *.domain entry, which makes sure that the host name is resolved dynamically.
Skip this option, as we do not want a wildcard certificate. Instead we will create a SAN certificate that supports multiple URL names, meaning the certificate will honor multiple DNS names for the various Client Access services such as Autodiscover, ActiveSync, OWA, ECP, etc.

Do not choose wildcard options

On the next screen, you get the option to change the domain name of all the Client Access services.
Select ActiveSync and click the Edit option to change its URL so that it matches the URL on the ActiveSync virtual directory.


Change the domain URL to match the virtual directory settings

A summary of all the URLs for the certificate is displayed, and the one highlighted at the top will be the common name of the certificate. The common name is the one shown at the top when you view the certificate information; the other URLs will be under the Subject Alternative Names field.


Summary of the URLs

Now provide other information about the certificate such as Company name, Country, Department, City, etc. Click on Next to continue.


Save your request as .REQ file

The certificate request is almost complete, and the only thing remaining is to save the request as a .REQ file in a safe location. The request must be generated on the server where we plan to install the certificate later.


View the Certificate request status

When you review the Certificates section, the status of your certificate request is Pending. That is because we still need to submit the certificate request, get a valid certificate and import it on the server.


Certificate Request information

Go to the location where you saved the .REQ file and open it; you should see information similar to the above screenshot. Copy the information to the clipboard. Open the CA Web Enrollment page as follows:

Type http://<server name or IP address>/Certsrv and enter domain administrator credentials to log on.
You should see the page for Certificate Server Web Enrollment.


Web Enrollment


Click the Request a Certificate option, then click Advanced Certificate Request, and then click Submit a certificate request by using base64......


Submit your request to base64 encoded...

Now it is time to submit your request information. Paste the certificate request information you copied earlier and select Web Server as the certificate template. Click Submit to submit your request.

Submit your request and click Submit


Once you have received a certificate from your CA, you can save it to disk. Open the Exchange Admin Center > Server > Certificates.

Import the certificate

Now click the three dots just above the server name, and the Import/Export Exchange Certificate options will appear. Select the Import Exchange Certificate option.

Alternatively, you can import using Exchange Management Shell cmdlets.


Import certificate using Exchange Management Shell.

Verify the status of the certificate under Exchange Admin Center and you will find that it shows Valid.



Exchange Certificate Status is Valid

It is not enough to create a certificate; you must also assign the certificate to the Client Access services.


Assign Exchange Certificate to Services.

We will assign this certificate to the IIS service only; click Save to save the settings. There are other ActiveSync settings, but we can set those after proper communication between the device and the server is established.
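
The request, import and assignment steps above can also be run from the Exchange Management Shell. This is an added example, not code from the original article: the host names are the two lab names used above, while the folder C:\certs, the file names and the friendly name are assumptions, and certreq.exe stands in for the web enrollment page.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access
# server that will hold the certificate. C:\certs, the file names and the
# friendly name are assumptions; the host names are the lab names used above.
$certDir = 'C:\certs'
$reqFile = Join-Path $certDir 'activesync.req'
$cerFile = Join-Path $certDir 'activesync.cer'
$names   = 'mail.wt.com', 'exch2013.wt.com'   # external and internal host names

if (-not (Test-Path $certDir)) {
    New-Item -ItemType Directory -Path $certDir | Out-Null
}

# 1. Generate the request on this server. The private key is created here and
#    is not exportable, so the issued certificate has to be imported on the
#    same server. The first name becomes the common name, both go into the SAN.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'ActiveSync SAN certificate' `
    -SubjectName  "CN=$($names[0])" `
    -DomainName   $names `
    -PrivateKeyExportable $false
Set-Content -Path $reqFile -Value $request

# 2. Submit the request to the Enterprise CA using the Web Server template.
#    Without -config, certreq asks which CA to use.
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile
if ($LASTEXITCODE -ne 0) {
    throw "certreq failed with exit code $LASTEXITCODE"
}

# 3. Import the issued certificate; this completes the pending request.
$bytes = [byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Assign the certificate to the IIS service only, as in the article.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Confirm the names, expiry date, status and assigned services.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, NotAfter, Status, Services
```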

Summary

In this first part of the article, we have configured Exchange Server 2013 for ActiveSync. Though the configuration is straightforward, we must be careful about a few things, such as:

  1. Do not choose the wrong authentication settings for the ActiveSync virtual directory.
  2. Configure proper certificates for the Client Access server; the certificate must not be an expired one.
  3. The external and internal URLs for the ActiveSync virtual directory must be included in the certificate properly.
We now come to the end of our first part. These configurations are only for a test lab setup; to implement the same in production you must plan the deployment thoroughly. We recommend testing it in a lab first and understanding the deployment completely.
In the next part we will configure a Windows Mobile 6.1 client, test our server configuration and discuss a few troubleshooting steps to resolve ActiveSync issues.
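
The three points in the summary can be checked from the Exchange Management Shell before any device is connected. This is an added example, not code from the original article; the function name and the 30-day expiry window are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. The function name and the 30-day window are assumptions.
function Test-ActiveSyncCertificate {
    param(
        [string]$Server   = $env:COMPUTERNAME,
        [int]   $WarnDays = 30
    )
    $findings = @()

    # Certificates assigned to IIS. Self-signed ones are left out because a
    # mobile device has no root certificate to validate them against.
    $certs = @(Get-ExchangeCertificate -Server $Server | Where-Object {
        "$($_.Services)" -match '\bIIS\b' -and -not $_.IsSelfSigned })
    if ($certs.Count -eq 0) {
        $findings += "No CA-issued certificate is assigned to IIS on $Server."
    }

    # Summary point 2: the certificate must be valid and not expired.
    foreach ($cert in $certs) {
        if ("$($cert.Status)" -ne 'Valid') {
            $findings += "Certificate $($cert.Thumbprint) has status '$($cert.Status)'."
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            $findings += "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
        }
    }

    # Names listed in the certificate(s). Names are compared exactly; wildcard
    # entries are not expanded because the article builds a SAN certificate.
    $covered = @($certs | ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" })

    foreach ($vdir in @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
        # Summary point 1: the authentication method chosen in the article.
        if (-not $vdir.BasicAuthEnabled) {
            $findings += "Basic authentication is disabled on '$($vdir.Identity)'."
        }
        # Summary point 3: both URLs must use HTTPS and a host name that the
        # certificate lists.
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = "$($vdir.$prop)"
            if (-not $url) {
                $findings += "$prop is not set on '$($vdir.Identity)'."
                continue
            }
            $uri = [Uri]$url
            if ($uri.Scheme -ne 'https') {
                $findings += "$prop '$url' is not HTTPS, so Basic credentials are exposed."
            }
            if ($covered -notcontains $uri.Host) {
                $findings += "$prop host '$($uri.Host)' is not in the certificate names."
            }
        }
    }
    $findings
}

# No output means all three checks passed.
Test-ActiveSyncCertificate
```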



Wednesday, September 16, 2015

Agentless monitoring in System Center 2012 Operations Manager

Introduction


In System Center 2012 Operations Manager, an Operations Manager agent monitors the managed computer. A managed computer is any computer that has an Operations Manager agent installed on it. It is not always possible to install an agent; for some monitored objects you cannot install one. For example, you cannot install an agent for an NLB VIP or a server cluster VIP because they are not physical or virtual servers.

In this article, we are going to monitor the virtual IP of Windows NLB. For more information on installing System Center 2012 Operations Manager, see:

Installing System Center 2012 Operations Manager Part-I
Installing SQL 2008 R2 for System Center 2012 Operations Manager Part-II
Installing System Center 2012 Operations Manager Part-III


Configuring SCOM 2012 Proxy Agent


Open the System Center 2012 Operations console and click the Administration workspace. Right-click anywhere under Administration > Device Management and select Discovery Wizard.


Discovery Wizard

The Discovery Wizard gives you three options under "Choose the type of computers or devices to discover and manage":
  1. Windows computers
  2. UNIX/Linux computers
  3. Network devices
Select Windows computers and click next to continue. In this article, we are monitoring a server that has the Windows 2008 R2 operating system installed.


Choose computer or device type

On the next page, select Advanced discovery under "Choose automatic or advanced discovery". The first option, automatic discovery, searches the entire directory "WT" and returns a list of computers available in the domain for monitoring. If you want to monitor specific computers, select the advanced discovery option. There is also an option to choose the type of object to discover.
  1. Servers and Clients - returns both server and client objects.
  2. Servers only - returns only server objects.
  3. Clients only - returns only client objects.
You can also select a specific management server, if you have more than one installed in the management group, to monitor the discovered servers or clients or both.


Select advanced discovery option

There are two methods to discover the computers: use an Active Directory query, or browse for or type in the computer names.
We want to discover a specific server, so select "Browse for or type-in computer names". Then type in the computer names and click next to continue.




Type-in the computer names

Once the computer is discovered, System Center 2012 Operations Manager will install the agent on the target computer object. The discovery process is done using the management server action account. However, installing the agent requires local administrator privileges. Under Administrator Account, select the Other user account option, type in the credentials for the built-in domain administrator account and click Discover.


Type in credential for built-in administrator

After a few minutes, SCOM 2012 discovers the computer object and shows it under "Discovery Results".
We do not want to install an agent on this server; we want to monitor this server object using a proxy agent. In other words, we will monitor this server using an agent that is installed on a different computer. Under Management Mode, select Agentless and notice that the management server option changes to Proxy Agent. Select the server that will act as the proxy agent by clicking Change. Click next to continue.


Select management mode as Agentless


To start installing agent and managing computers, click Finish.


Click Finish to complete the discovery


Note: There is no agent installation in this type of discovery.

Make another managed computer a proxy agent


To configure a managed computer as a proxy agent, so that you can select it later in the Discovery Wizard, click Managed computer under the Administration workspace and select the specific managed computer object.

Right click the computer object and click Properties.


Enable Agent proxy option under Security tab

Select the Security tab and check the option "Allow this server to act as a proxy and discover managed objects on other computers", then click Apply and OK.

Summary


Managing a computer using a proxy agent is similar to installing an agent and monitoring the managed computer. In the case of a proxy agent, the agent is installed on a different computer, which means there must be a good network link between the proxy agent and the agentless managed computer.

Since the agent on the proxy agent computer has the additional task of monitoring another computer, make sure that it has enough resources, such as memory, for good performance.

Saturday, September 12, 2015

Installing System Center 2012 Operations Manager Part-III

In the previous two parts, we installed the software prerequisites and SQL Server 2008 R2 for SCOM 2012. In this third part of the series, we are installing System Center 2012 Operations Manager. Before reading this article, read the previous two parts in the series.

Installing System Center 2012 Operations Manager Part-I
Installing SQL 2008 R2 for Operations Manager Part-II

Click Install on the SCOM 2012 setup screen. Also note the other options available on the page.

Setup Page

On the next screen, select the features to install. You have the following choices:
  1. Management server
  2. Operations console
  3. Web console
  4. Reporting server
The operational database and other databases get installed automatically. If a feature is not supported by the operating system, you cannot install it, so do not select that feature.

Select features to install

Select the installation location. If you want to change the default installation path to some other directory, click Browse. Otherwise, click next to continue with the installation.


Installation location

The setup will run a hardware and software prerequisite check and then give a report. If any issue is found, it will be reported immediately.
In our example, we found a few memory issues with the virtual machine.


Setup detected memory issues

After resolving the issue, click Verify Prerequisites Again and make sure that the error or warnings are gone. Click next to continue with the installation.

We have two options under Specify an installation option.
  • Create the first Management server in a new management group.
  • Add a Management server to an existing management group.
The first option creates a new management group and adds a single management server to it. This management server will be the first one in the management group. Type the name of the management group if this option is selected. The management group name must be unique.

Installation Options


Select an Installation option

If we select the second option, we must already have an existing management group with at least one management server in it. This server will then be an additional management server in the group.


License Agreement

Read the license terms, select "I have read, understood and agree with the license terms", and click next to continue with the setup.



Specify database and SQL instance name

To configure the operational database, type the name of the server and instance name. You can see various database information, port and database size and even the path is mentioned. Click next to continue.

Specify data warehouse database settings and click next.

Data warehouse database settings

Configure instance name for the SQL reporting services and click next to continue with the setup. You can check the SQL instance name under SQL reporting service configuration page and make sure that the instance is running.

SQL Reporting services instance

It is very important that the SQL Agent service is running on the server when you select the instance name. If the Agent service is not running, we get an error as shown in the screenshot below.

SQL agent service not running hence not able to select instance for reporting services.

Open the Services console on the SQL server, which is also the SCOM 2012 server, and start the SQL Agent service.


Start the SQL Agent service

On the next page, we configure the Web console settings. If you need to secure the access, select the Enable SSL option and click Next.


Select Enable SSL to get secure web console access

You may experience a problem enabling SSL because that requires an HTTPS binding under IIS 7.5 on the local server.
Go to IIS 7.5 Manager on the SCOM 2012 server and select the Default Web Site, because that is the website for the Web console. If you have selected any other website, go to that site under IIS 7.5 Manager.

Select the Default Web Site and click Bindings


Click on Bindings under Action pane. The Site Binding window will open and if you do not see 443 then SSL is not configured on this server. Click on Add on this window.

In Site Binding click Add

Then, under Add Site Bindings, click the Type drop-down and select the HTTPS binding. The IP address must be All Unassigned because it allows multiple IPs for the website, including the loopback IP 127.0.0.1. This simply means the website will run on different IPs at different times for the same port 443. The HTTPS binding needs a certificate, so click SSL Certificate and select an available certificate. If we do not see any certificate, generate a new certificate request and then submit it to a CA.
There is also an option to generate a certificate from IIS 7.5. Click the web server name on the right-hand side, then click Server Certificate and select the Create a self-signed certificate option in IIS 7.5. Click Close and then click next in the Operations Manager setup.


Select Authentication Mode


Select the Use Mixed Authentication and click next.


Specify appropriate service accounts

The SCOM 2012 deployment document and the SCOM 2012 operations document have information about the service accounts required for SCOM 2012 and the rights required to run these services.
The Management server action account and the Configuration Service and Data Access Service account always use the Local System account, which has full rights on the local server.
Remember that we created two service accounts in Part-I of the series. Specify the account details under Data Reader account and Data Writer account. These are the accounts required to read and write information to the SQL database. Click next to continue.

You can skip the Customer Experience Improvement Program (CEIP) by selecting No for all options, unless you really want to take part in the program. Click next to continue the setup.

Similarly, turn off the security updates by selecting the Off option under Microsoft Update if you have other means to update the servers. Windows Automatic Updates will also update the server. Otherwise, click On and click next to continue the SCOM 2012 setup.

Installation Summary


Take a look at the Installation Summary

We have reached the final step of the installation wizard. Click Install to start the installation if you are satisfied with the installation summary.


The installation completed successfully

The Operations Manager setup will take a few minutes to complete. Select the option 'Start the Operations console when the wizard closes'.

Finally, you will see the Operations console with the different workspaces in the bottom left corner.


Operations console

Summary

 

SCOM 2012 installation is very simple and straightforward. However, there are a few things we need to be careful about. First, the prerequisites must be installed correctly, including SQL Server. Second, we must verify that the SQL server is accessible and that port 1433 is not blocked.
The SQL services should be running and the service accounts must be configured properly for the SCOM 2012 installation. You may also install SCOM 2012 on Windows 2012 server, but .NET Framework 4.5 or 4.5 SP1, which is a native feature of Windows 2012 server, is not supported.
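
The checks named in this summary and in the setup steps above (SQL Agent service running, port 1433 reachable, an HTTPS binding with a certificate on the Web console site) can be run before starting the wizard. This is an added example, not code from the original article; the function name and the timeout are assumptions, and the defaults match this series: SQL Server on the same machine, default instance, Default Web Site.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the SCOM 2012 server. Function name and timeout are assumptions.
Import-Module WebAdministration

function Test-ScomSetupPrerequisite {
    param(
        [string]$SqlServer    = 'localhost',
        [int]   $SqlPort      = 1433,
        [string]$AgentService = 'SQLSERVERAGENT',   # SQL Agent of the default instance
        [string]$WebSite      = 'Default Web Site',
        [int]   $TimeoutMs    = 3000
    )
    # Helper that builds one result row.
    function New-Check($Name, $Passed, $Detail) {
        New-Object PSObject -Property @{
            Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
    }

    # 1. The SQL Agent service must be running (checked locally, because SQL
    #    Server and SCOM share one server in this series).
    $svc   = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    New-Check 'SQL Agent service running' ($svc -and $svc.Status -eq 'Running') `
        "$AgentService is $state"

    # 2. The SQL port must accept TCP connections.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($SqlServer, $SqlPort, $null, $null)
        $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
    } finally {
        $client.Close()
    }
    New-Check 'SQL port reachable' $open "${SqlServer}:$SqlPort"

    # 3. The Web console site needs an HTTPS binding on port 443.
    $binding = Get-WebBinding -Name $WebSite -Protocol https |
        Where-Object { $_.bindingInformation -like '*:443:*' }
    New-Check 'HTTPS binding on 443' $binding "site '$WebSite'"

    # 4. A certificate must be attached to port 443 and must not be expired.
    $ssl = Get-ChildItem IIS:\SslBindings |
        Where-Object { $_.Port -eq 443 } | Select-Object -First 1
    $cert = $null
    if ($ssl) {
        $cert = Get-Item "Cert:\LocalMachine\$($ssl.Store)\$($ssl.Thumbprint)" `
            -ErrorAction SilentlyContinue
    }
    if ($cert) {
        $kind = if ($cert.Subject -eq $cert.Issuer) { 'self-signed' } else { 'CA-issued' }
        New-Check 'Certificate on 443 not expired' ($cert.NotAfter -gt (Get-Date)) `
            "$kind, expires $($cert.NotAfter)"
    } else {
        New-Check 'Certificate on 443 not expired' $false 'no certificate bound'
    }
}

Test-ScomSetupPrerequisite | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```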

For more information visit technet.microsoft.com.




Friday, September 11, 2015

Installing SQL 2008 R2 for System Center 2012 Operations Manager

Introduction

 

In the first part of the series, we installed the software prerequisites for System Center 2012 Operations Manager. This is a three-part series about the installation of SCOM 2012 on a Windows 2008 R2 SP1 server. We recommend that you read the first part before you go through this article.


SCOM 2012 supports all SQL Server versions that support the 64-bit architecture. Here is a list of SQL Server versions supported by the SCOM 2012 operations database.



  1. SQL Server 2008 SP1
  2. SQL Server 2008 SP2
  3. SQL Server 2008 SP3
  4. SQL Server 2008 R2
  5. SQL Server 2008 R2 SP1
  6. SQL Server 2008 R2 SP2
  7. SQL Server 2012 or SQL Server 2012 SP1.
For the purpose of this second part of the article, we are installing SQL 2008 R2 on a Windows 2008 R2 SP1 server.
Once you run the setup for SQL 2008 R2, the SQL Installation Center opens with a lot of options. Click Installation on the left and select New installation or add features to an existing installation.



SQL Installation Center

The Setup Support Rules will find initial problems related to the installation and report them.


Setup Support Rules


You can view detailed report of setup support rules. Problems must be corrected before we proceed with the installation.
Then click on OK.




Select SQL Edition


Next, we need to enter a product key to install. If you do not have a product key, specify a free edition, which is Evaluation.




SQL License Agreement


Then select I accept the license terms and click next. In the next screen, click Install.




Under Setup Support File > Click Install


Once again we have a report from setup support rules in which all rules have passed except the .Net Application Security. Click on the warning to check the warning message.


Setup support rules with list of rules that have passed or not passed




.Net Application Security warning details




The warning is about access to http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl. When we tested the URL in a browser, it was found to be working and prompted with a download, as shown in the screenshot below.


MicrosoftRootAuthority.crl file

MicrosoftRootAuthority.crl is accessible and available for download, but downloading it is not necessary. So safely ignore the warning in the setup support rules and click next.



Choose a setup role to install

We need to decide which components or SQL features to install on the Setup Role page. There are three choices.

  1. SQL Server Feature Installation
  2. SQL Server Power Pivot for SharePoint
  3. All Features with Defaults
The SQL Server Feature Installation allows you to select the features that you want to install. You can choose to install Database Engine Services, Analysis Services, Reporting Services, Integration Services and other features.

The second option, SQL Server Power Pivot for SharePoint, requires a SharePoint server for Power Pivot data.
The third option will install all the features available for this installation. Select All Features with Defaults.


Unselect the options you do not want

The All Features with Defaults option also allows you to remove some of the features that you do not want. Otherwise, click next to complete the installation.

Installation Rules


The setup runs Installation Rules to determine if there is any issue. All the issues must be fixed before continuing installation. If you want to see the default reports then click the link View detailed report.

Instance Configuration

We have to configure the instance or select the Default instance. The default instance is called MSSQLSERVER. Click next to continue with the installation.


Disk summary page

The next page is Disk Space Requirements, which shows a summary of available disk space and allotted disk space. Click next to continue.

Configure Service Accounts

On the Server Configuration page, we define the service accounts to be used for the different SQL services. You must specify the account for services which are not defined. Select different accounts for different services; there is no need to enter the password.
Click next to continue with the installation.

Database Engine Configuration

Configure the database engine. To select the account for Windows Authentication mode, click Add Current User. Then click next.


Analysis Service Configuration

Configure Analysis Service Configuration and click Add Current User to specify administrator account. This account will have unrestricted access to analysis service.


Reporting Service Configuration

For the Reporting Services configuration, select Install the native mode default configuration. This option will make sure that Reporting Services is ready as soon as we finish the setup.

Skip the Error Reporting screen. If you want to report errors to Microsoft, select the error reporting option; otherwise click next.

View detailed reports of installation rules


The installation configuration rules will check for possible problems and we must resolve any issues that might block the SQL setup.

Now we are ready to install SQL

Finally, we are ready to complete the installation. View the configuration summary and click INSTALL to start the installation.


Installation Completed successfully

The installation will take several minutes depending on features selected and system resources. Click Close to finish the installation.

Summary


In this second part of the series on installing System Center 2012 Operations Manager, we have selected and installed SQL 2008 R2 with all required features. Microsoft recommends enough system resources for SQL Server for better performance. SCOM 2012 configuration and reports are stored in SQL databases, so we must ensure effortless communication with the SQL server.