In Exchange 2003 and Exchange 2007 to let a user manage distributions groups from Outlook  we only set him as the distribution group owner  and then he’ll be able to add and remove users from the D.G as needed.

Starting from Exchange 2010 we don’t leverage ACL anymore, we introduced RBAC (from more detail see my previous post)

Now, if we act as we used to do, meaning assign a user as a Distribution Group owner

And then try to modify the D.G membership from Outlook, this is the error you get

One more thing, by default in Exchange 2013, when you create a D.G it will be configured in a way that anyone can join it or leave it without approval

You need to change the default setting to make a Distribution Group closed or to require the owner approval.

For this blog, we’ll make the D.G closed

We need to use an existing RBAC user Role or create a new one if the build-in role has more permission than what we want to grant to the end users.

To understand what are the RBAC permissions granted to the end users by default, you need to look at the “Default Role Assignment Policy”

 As you can see, there is a RBAC role called “MyDistributionGroups” that is not added to the default policy.

To understand now what kind of things can be done with this Role, we need to run this PowerShell command

From the output we can understand that any user for which we grant this role will be able NOT ONLY to manage Distribution Groups, but also to create and remove D.Gs

In this blog we’ll focus on how to give the end users the same permissions they have when they were assigned as the D.G owner in Exchange 2003 and Exchange 2007.

For that, we need to create a custom RBAC Role that has “MyDistrbutionGroups” as parent by running this PowerShell command

We need now the customize this RBAC Role by removing the “Extra” permissions not required for the end users

1. We need to prevent them from modifying the D.Gs properties, from the PowerShell, run the Command below

1. We need to prevent them from creating new D.Gs by running the Command below

1. We need to prevent them from removing D.Gs by running the Command below

Now we need to check what are the permissions left for this RBAC custom Users Role

As you can see, when we going to add this Custom Role to the “Default Role Assignment Policy” the users that will be granted as a Distribution Group owners will only be able to manage the D.G membership.

Now we need to add this Role to the “Default Role Assignment Policy”

Doing the test again from Outlook, you see that now we can add and remove Distribution Groups members as required

Ghazi Boufaden from NEPA PFE team.

Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

In this Blog I’ll walk you through the creation of a custom Role Group “Admin1” that has to perform the tasks below

Procedure

1. Create 2 Management Roles for “Admin1” to make them:

• Mount/Dismount databases

• Update/Suspend/resume databases copies

• Check databases copies status

• Switchover/Failover databases

   

a. Create a Management Role that has the same permission as the “Database Copies” management Role with the following command

b. Remove the management Role entries that are not required for Admin1 Group with the commad below

c. Repeat STEP-B until you remove all the unnecessary commands

d. Check the entries that you left in the Management Role with the following command

Note: Make sure you left only the list shown below:

e. Create a Management Role that has the same permission as the “Databases” Management Role with the following command

f. Remove the management Role entries that are not required for Admin1 Group with the commad below 

g. Repeat Above until you remove all the unnecessary commands as shown below

2. Grant “Admin1” the "View-Only Configuration" role permissions with the command below

3. Create a management Role that has the same permission as the “Organization Configuration” Management Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. Repeat above until you remove all the unnecessary commands as shown below

c. To Grant the “Admin1” Group the management role "Admin1_Organization Configuration" run the command below

4. Create a management role that has the same permission as "Message Tracking" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. To Grant the “Admin1” Group the management role "Admin1_Message Tracking" run the command below

5. Create a management role that has the same permission as "Recipient Policies" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below:

b. Create a new RoleGroup "Admin1_Recipient Management", granted the permissions to create/manage recipients and  add “Admin1” Group as member "Admin1_Message Tracking" with the command below

6. Grant “Admin1” the ""Support Diagnostics" Role permissions with the command below

7. To Grant the “Admin1” Group the right to perform Mailbox Import Export run the command below

8. Create a management role that has the same permission as “Exchange Server Certificates" Role with the following command

a. Remove the management Role entries that are not required for Admin1 Group with the commad below

b. To Grant the “Admin1” Group the management role "Admin1_Exchange Server Certificates" run the command below

9. From the ECP, add the Management Roles “Admin1_Database_Copies” and “Admin1_Databases” to the Role Group “Admin1”

Ghazi Boufaden from NEPA PFE team.

Hello,

Fazal Muhammad Khan has made an excellent series of videos showing and explaining the different features and enhancements in Active Directory on Windows Server 2012!

We continue with Part 3 : Group Managed Service Accounts

Enjoy!

All the videos:

http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx

http://blogs.technet.com/b/nepapfe/archive/2014/02/05/windows-2012-active-directory-domain-services-videos-2.aspx

Fazal Muhammad Khan from NEPA PFE team.

Operations Manager requires mutual authentication be performed between agents and management servers prior to the exchange of information between them. To secure the authentication process between the two, the process is encrypted. When the agent and the management server reside in the same Active Directory domain or in Active Directory domains that have established trust relationships, they make use of Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, other mechanisms must be used to satisfy the secure mutual authentication requirement.

In Operations Manager, this is accomplished through the use of certificates issued for each computer. If there are many agent-monitored computers, this results in high administrative overhead for managing all those certificates. To reduce this administrative overhead, Operations Manager has a server role called the gateway server. Gateway servers are located within the trust boundary of the agents and can participate in the mandatory mutual authentication.

To support the mandatory secure mutual authentication between the gateway servers and the management servers, certificates must be issued and installed, but only for the gateway and management servers. This reduces the number of certificates required, and in the case of an intervening firewall it also reduces the number of authorized endpoints to be defined in the firewall rules. The following illustration shows the authentication relationships in a management group using a gateway server.

In this blog section, we will see how to install a Certificate Authority Server and How to create a template to issue Operations Manager Certificates.

All you have to do is to Add Active Directory Certificate Services role and the Certification Authority Web Enrollment.

Open the Active Directory Certificate Services and Click on Certificate Template then Right click on IPSec (offline request) and choose Duplicate Template.

Once you click on Duplicate Template the following wizard will pop up

Name your certificate template 

Ensure that Allow Private Key to be exported is ticked.

 In the Security Tab Allow Authenticated users to Enroll Certificate.

In the Extensions Tab, double click on Application Policies and remove PKI and add Client Authentication and Server Authentication. 

Then right-click on Certificate Template > New > Certificate Template To Issue.

And Select the Template that you have just created.

Now we have our Certificate Authority ready to issue certificates that will be used for the mutual Authentication.

On all machines that are not joined to Domain including the Gateway server the Root CA Certificate must be installed and added to the Trusted root Citification Authorities because these machines don’t trust the Enterprise CA installed before.

To do that, Open MMC

Add you don’t trust the Enterprise CA, and choose Certificates Snap-in

Add both My user account and Computer account

The certificate from the Root CA needs to be added in this list.

Open the web browser on the gateway server, and go to the CA Web service: http://CAserver/certsrv

Add the certsrv website to the Trusted Sites.

Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.

Here we need to request the CA chain

Ensure that ActiveX is enabled.

The certificate is now in the list of Trusted Root Certifications Authorities, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA created before.

Now we need to request a certificate for our gateway server

Advanced request

Create and submit

Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.

Since mine is in a workgroup, the NetBIOS name is sufficient.

And now the certificate is generated and we can install it

Done

When you install the certificate, it will be installed in the User store.

But since we are authenticating computer the certificate must be imported in the computer store.

So open the Certificates MMC and export the certificate from the user store and import it to the local computer store.

The certificate is now installed and you can verify if everything is installed correctly by opening the certificate and checking if the certification path is ok.

On the Management Server, we also need to install a certificate. Since we have an Enterprise Root CA, integrated with AD, the root CA certificate is already trusted by our MS that is a domain member.

Now we can start installing the agent on the non-domain machine.

Give the management group name - this can be found in the title bar of the console on the management server - and the management server name; note that you must add in the hosts file the name of the management server and its corresponding IP.

The port number can be changed if desired. By default it is 5723.Only this port needs to be open on the firewall from the non-domain agent to the Management Server.

Then we have to Export the created certificate

And import it in the Personal Store of the Computer Account and User Account.

Then copy the MOMCertImport.exe tool to the non-domain agent.

MOMCertImport.exe can be found in the SupportTools Folder

Run MOMCertImport.exe and point to the Imported Certificate

You’ll get a message that the action succeeded, and you can check progress in the Operations Manager event log.

Troubleshooting:

If you get event 21006, make sure the firewalls on the gateway and/or on the management server are not blocking communication

Don‘t forget to enable Agent Proxy for the gateway, as this one will act as a proxy for other systems connecting through the gateway server!

To check if it’s working, go to the Operations Manager Console – you should see something similar to this

Dany Abboud from NEPA PFE team.

Hi there!

I have noticed the following at many customers who had upgraded their Active Directory from Windows 2000/2003 to 2008 and plus: they do not (or forget to) upgrade Sysvol from FRS to DFSR!

Several Technet articles covered the steps to do for Sysvol migration, so there is no need to go in details here…

“Upgrading to DFSR? What is DFSR? Besides, everything is working fine! Why should I upgrade?”

Those are –very often- the questions and feedbacks I get from customers :)

So here is the thing:

• Keep in mind that Sysvol is a shared folder (with DFS name space) that needs to be the same copy on each DC,
• Sysvol is replicated through DCs using File Replication Service (FRS) or Distributed File System Replication (DFS-R),
• This replication follows the Active Directory replication topology and paths,
• We have stopped any development on FRS since 2003, which means for example: no updates or hotfixes! On the other side, DFSR is here to stay for a long time (cross-fingers!)
• FRS is not a bandwidth optimization service, but DFSR is! For example, DFSR replicates partial file changes / efficient compression / self-healing mechanism for database corruption or journal wraps …etc (see the comparison here)
• DFSR requires Domain Functional Level –DFL for short- of minimum Windows 2008 (how to check and upgrade your DFL here), so you have to review the upgrade possibility in your environment,

All right! I’m planning to do it, what are the actions?

That’s good! Here are the summarized actions for upgrading your Sysvol to DFS-R:

1. Migrating to the “Prepared state” : FRS is still being used for replication, and DFS-R will hold a copy of your Sysvol data,
2. Migrating to the “Redirected state” : DFSR-R will be used for replication the ‘copy’ Sysvol, and answering new requests, but FRS is still replicating the ‘old’ Sysvol folder,
3. Migrating to the “Eliminated state” : no more FRS, only DFS-R is being used for Sysvol replication  

Side notes:

• Required firewall ports for DFS-R here
• Troubleshooting DFSR upgrades here
• More info on TechNet  

Hope it’s simple now!

Imed Boukhaf from NEPA team.

1. Remove the Mailbox database copy:

1.2 In the EAC, go to Servers > Databases.
1.2 Select the mailbox database whose copy you want to remove.
1.3 In the Details pane, locate the passive copy you want to remove and click Remove.
1.4 Confirm the removal on the warning dialog box by clicking yes.
1.5 Click ok to confirm the removal after reviewing any messages.
1.6 After all copies are removed, preserve the database and transaction log files from each server from which the database copy is being removed by moving them to another location. These files are being preserved so the database copies don't require re-seeding after they have been re-added.

2. Move the mailbox database path to the new location.

2.1 In the console tree, navigate to Organization Configuration > Mailbox.
2.2 In the result pane, on the Database Management tab, select the database you want to configure.
2.3 In the work pane, click Move Database Path

2.4 In the Move Database Path wizard, under Database paths, click Move to move the database path to the default location. You can change the location for the database file path by editing the Database file path field. You can change the location for the log folder path by editing the Log folder path text field.

2.5 View the status of the move operation. The wizard moves the database file path and the log folder path to the new location. Click Back to make configuration changes.
2.6 On the Completion page, confirm whether the move process completed successfully. A status of Completed indicates that the wizard completed the task successfully. A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
2.7 Click Finish to complete the Move Database Path wizard.
2.8 Create the necessary folder structure on each Mailbox server that previously contained a passive copy of the moved mailbox database. For example, if you moved the database to C:\mountpoints\DB1, you must create this same path on each Mailbox server that will host a mailbox database copy.
2.9 After creating the folder structure, move the passive copy of the mailbox database and its log stream to the new location. These are the files that were left from and preserved after Step 3. Repeat this process for each database copy that was removed in Step 1-6.

Othman Benkirane from NEPA PFE team.

Below is the easiest way to perform an "in place upgrade" of all SCOM 2012 SP1 Roles. Let us start and see Operations Manager 2012 R2 looks like.

First of all the System Requirements from the Supported Configurations page on Technet can be found here http://technet.microsoft.com/en-us/library/dn281925.aspx

My SCOM is running on the top of Windows 2008 R2 SP1 and SQL 2008 R2 SP2 and of course has SCOM 2012 SP1 with CU4 installed.
First reboot the machine to be sure that there is no issue. Once everything is up and running, we can proceed with the installation.
Download the SCOM 2012 R2 ISO file and mount it to the machine.

Prerequisites:

• Microsoft System CLR types for SQL Server 2012.
• Microsoft Report Viewer 2012 Runtime.

You must restart the system before proceeding with the report viewer installation 

Now we proceed with the Microsoft Report Viewer 2012 installation:

Ensure that your current Operating system is fully updated.
Let’s start with the in place upgrade.Please insert the System Center Operations Manager R2 Media.

Note that all roles are combined on one machine.

Click on Install

So as we can see, the wizard found the installed roles and will check the prerequisites for that upgrade.

Quick Tip:Before doing any upgrade , ensure that both databases are backed up (OperationsManager , and OperationsManagerDW).

Now it asks you to agree with the license terms.

Select installation location. In my case the default installation location is fine, so I will click Next.

A prerequisite checker starts running which verifies the hardware and software configuration.

Passed! Next!

As we can see, you have the choice of Local System or domain account. If the database is running locally as it’s the case you can leave it at Local System.

If the databases are on remote server it requires to use a domain account.

We are ready to upgrade Click  Button.

It will take a while for the upgrade to finalize, there is a progress bar for each role.

During the Operational Database Configuration phase it also imports a whole set of management packs that takes some time.

After upgrade finishes, just close the setup screen.

You will find a warning that indicates the current version of the product is not licensed, please start the Operations Manager Shell and use the Set-SCOMLicense cmdlet to license the product.

Start the SCOM console and go to Help -> About.

Next we have to update the SCOM agents.
Go to the Administration Pane of the SCOM console and open the Pending Management node, you will see all the agents that needs update, just approve them.

All the agents that are installed through the SCOM console are manageable and set to Pending Management with the note Agent Requires Update. Right-click on them and select Approve. Use the default action account or a domain account you provide and select Upgrade.

Next jump over to the Monitoring Pane, and on the left hand side go to Operations Manager -> Agent Details -> Agents by Version.

You will see that the agents are upgraded and its version is 7.1.10184.0 this value refer to 2012 R2.

In my Next Blog, I will demonstrate how to monitor non-domain servers.

Dany Abboud From NEPA PFE Team.

Exchange 2007 provides high availability through four models; Local continuous replication, Single copy cluster, cluster Continuous replication and Standby continuous replication.

Exchange 2007 single copy cluster provides high availability for the node failure scenarios and can be implemented with at least two nodes in Active/Passive model. This is very much similar to the Exchange 2003 cluster setup where shared storage is used between the nodes and storage group resides on that shared storage.

I have been to couple of customers where there were complains cluster of shifting and dismounting of the databases. I have started checking and found that resources dependency model on those Exchange 2007 clusters were not configured as per the recommendations.  Resource dependency model in Exchange 2007 Single copy clusters were implemented like exchange 2003 conventional cluster although it is changed in Exchange 2007 single copy clusters.

I have found that for both of the customers were not having physical disk resources in the dependency for the Exchange 2007 database instances. I have also found that for one of the customer “Affect the group” option for the Microsoft Exchange information store resource were not set to its default value and it was enabled.

Correcting and comparing the whole resource dependency model for Exchange 2007 Single copy cluster according to the best practices alleviated many pains to the customers and helped them to avoid critical situations.

Following articles could be used for further details and comparisons against the recommended configurations.

http://technet.microsoft.com/en-us/library/aa998607(v=exchg.80).aspx
http://technet.microsoft.com/en-us/library/aa997195(v=exchg.80).aspx

Configuring Disk Dependencies

http://technet.microsoft.com/en-us/library/bb691095(v=exchg.80).aspx

Farooq Ahmed from NEPA team.

Hello,

Fazal Muhammad Khan has made an excellent series of videos showing and explaining the different features and enhancements in Active Directory on Windows Server 2012!

We start with Part 1 and 2 

Enjoy!

Part 1 (direct link)

Part 2 (direct link)

All the videos:

http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx

http://blogs.technet.com/b/nepapfe/archive/2014/02/05/windows-2012-active-directory-domain-services-videos-2.aspx

Fazal Muhammad Khan from NEPA PFE team.

With the new concept “Managed Availability” in Exchange 2013 which runs on all Exchange servers for monitoring servers health, this process analyze  hundreds of health metrics when something wrong happened an action will be invoked to correct this problem .

In some cases when Managed Availability perform an action to recover from an error you may need to know which health metrics “Probe” Managed Availability used to decide that Exchange component or server needs a fix.

Why you need to know that? Because you may need to stop a behavior like “system reboot” when an error occurred, you may find in some situations that it’s better to know the root cause and fix this problem by yourself instead of automatically let Managed Availability fix it.

Managed Availability

First lets overview what are the main components of Managed Availably:

• Probe engine:  The Probe Engine takes measurements on the server.
• Monitoring probe engine:  The Monitoring Probe Engine stores the business logic about what constitutes a healthy state. It functions like a pattern recognition engine, looking for patterns and measurements that differ from a healthy state, and then evaluating whether a component or feature is unhealthy.
• Responder engine:  When the Responder Engine is alerted about an unhealthy component, its first action is to try to recover that component. Managed availability enables multi-stage recovery actions. The first attempt may be to restart the application pool, the second attempt may be to restart the corresponding service, and the third attempt may be to restart the server. And, the final attempt may be to put the server offline, so that it no longer accepts traffic. If all of these actions fail, an alert is sent to the help desk.

All above are controlled by the Exchange Health Manager Service (MSExchangeHMHost.exe) and the Exchange Health Manager Worker process (MSExchangeHMWorker.exe)

The relationship between these components is like

Probes (monitor and when fails occur) --> Monitor status change --> Responder takes action

So to find the root cause and why a responder invoked a specific actions we will go in the reverse way

Responder takes action --> which monitor? --> Find the failing probe.

For Example: Use the following command to get all windows events for responder that forced your server to reboot.

The output will be like this:

In this case, the bug check was initiated by the ActiveDirectoryConnectivityConfigDCServerReboot

Now let’s get more details about this Responder

The AlertMask show which Probe used by the ActiveDirectoryConnectivityConfigDCServerReboot Responder.

A repetitive failed probe causes a Monitor change and a recovery action is invoked.  The details of the failing Probe is going to provide information about the exact failure.

Now we need to dig inside the Windows Events to get a Failed probe and check the error message associated with.

The Result may show you an error like

<Error>Received a referral to contoso.com when requesting DC=contoso,DC=com from dc1.child.contoso.com.  You have specified the wrong server for this operation. Filter = (&amp;(objectClass=\2a)(!(msExchCU=*))).</Error> 

Now what! Now You know why this Probe failed and made a corresponding responder to restart your server .what you can do now is to stop this responder till you fix this issue if it going to take much time .

This Responder is temporary disabled by adding a GlobalMonitoringOverride

Important: The main focus should be to analyze and resolve the main issue that is causing the Probe failure.  If you decide to disable the responder, be aware that you are preventing Exchange from taking automated recovery actions for any monitors that call this responder.  The Responder should be disabled only if the Responder’s actions are causing serious outages and fixing the main issue is going to take a significant amount of time. 

Later you can enable this Responder by removing the GlobalMonitoringOverride

Mohamed Dawy from PFE Egypt team.

In this post we will discuss some of the new features in Group Policy in Windows Server 2012 / Windows 8.

Many changes and enhancements have been introduced in Group Policies such as, enhanced Group Policy Reporting, reducing service utilization, remote refresh of group policies, new starter GPOs and Infrastructure Status that contains important information about group policy infrastructure for a domain 

Group Policy Infrastructure Status

If you have worked in GPO troubleshooting before properly you know about gpotool.exe.

GPOtool.exe is a Windows 2000 resource kit tool used to verify the consistency between GPO parts Group Policy Template and Group Policy Container on only one DC or on all DCs in the domain.

Each GUID folder in SYSVOL contains many files critical to applying group policy, Gpotool only checks the Gpt.ini files in SYSVOL and doesn’t check any other critical files for group policy applying such as registry.pol

In GPMC, there is a new tab labeled ‘status’ at each domain and group policy object node (not link), through it you can see the current status of GPOs replication across all Domain Controllers and you can select a baseline DC for a comparison between GPO parts for the following: 

• ACL on each GPC
• VersionNumber attribute on each GPC
• Count of GPC objects
• ACL on each GPTCount of GPT folders and files

Ok, what are the requirements to use this feature? The answer is simply Windows Server 2012 member server with the GPMC feature installed or a Windows 8 machine with RSAT installed …. no schema extension no specific functional level no needs even for domain controller running Windows Server 2012 …….. WOOW !! That’s is great

To start the check just select a baseline DC (default is the PDCe)

Then click detect now

When GPMC cannot contact a domain controller or that server does not match the baseline, the server moves to the replication in progress section. GPMC displays further messaging to assist you troubleshooting the problem

Note: The Status tab will not appear if you click on any OU level, it appears only on domain level and on the GPO itself (not the link) 

Group Policy Reporting Enhancement

Group Policy Result in Windows Server 2012 / Windows 8 includes more information to help determine if a Group Policy setting was applied to a computer or user and assists in troubleshooting

You can generate RSOP report using either GPMC.msc or gpresult.exe.

New information in “Summary” section: 

• If a slow link or fast link is detected
• If block inheritance is set
• If enforced is set
• If loopback is enabled
• Disabled User or Computer configurations  

New information in “Component Status”: 

• Displays the amount of time each client-side extension took to process and the last time each client-side extension processed.
• Provides a link in the Event Log column that displays the event log messages from the last Group Policy refresh. This functionality is equivalent to the information that is returned from the GPLogview.exe utility.

To use RSoP reporting for remotely targeted computers through the firewall, you must have firewall rules that allow inbound network traffic on the ports listed in the following table. This allows remote WMI and event log traffic to flow between the computer running the GPMC and the remotely targeted computer

To generate a report using gpresult.exe command line:

Gpresult.exe /h <report.htm>

To target a remote computer:

Gpresult.exe /s <computer name> /h <report.htm>

To target only the user or computer scope remotely, use:

Gpresult.exe /scope <user> OR <computer> /s <computer name> /h <report.htm>

Remote Group Policy Update

Another nice feature called Remote Group Policy Update: that has been requested from long time and is finally here, now you can refresh Group Policy settings by using this feature that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC).

This functionality schedules a task on all computers in a selected OU and child OUs to refresh policy (via gpupdate /force) for computer and currently logged on users. The refresh happens within 1-10 minutes, randomized on a per-computer basis.

If the computers are online, the user has permission, the firewall rules are correct, and the WMI and Scheduled Tasks services are running, the tasks are created without errors.

Otherwise, a Windows error returns (typically: The remote procedure call was cancelled).

Also this can be using Invoke-GPUpdate PowerShell cmdlet with different options

To schedule a remote Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table.

Notes: 

1. This option is not available on domain level and can’t not be used on OU without computer accounts to refresh Group Policies
2. All connections are direct for each remote client from the computer running the tool, not from Domain Controllers
3. Requires permissions sufficient to allow remote WMI and scheduled task creation (local administrator)
4. Creates a scheduled task to run in the context of that computer and in the context of each logged on user
5. You can remotely refresh Group Policies on the following operating systems:

• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows Server 2012

A complete list of new and enhanced functionality for Group Policy in Windows Server 2012 can be found here

http://technet.microsoft.com/en-us/library/jj574108.aspx

Thanks

Mahmoud Abdul Wahab from NEPA team.

Today we are going to show how can we migrate user profile settings, data & app settings from windows 7 to windows 8 using USMT V.5 (User State Migration Tool), using a Network Compressed Migration store, this type is used to be labeled as (PC Refresh, Using a Compressed Migration Store)

Download Assessment & deployment Kit, and run the installation:

• Run the installation file, then click Next
• Download link: http://www.microsoft.com/en-eg/download/details.aspx?id=30652#system-requirements

• Select No, then click Next

• In the License Agreement window click Accept

• Select (User State Migration Tool) and click Install

• Based on your OS architecture you have to choose either the 64bit or the 32bit version of the USMT tool, and for simplicity you may copy the installation folder to the root of the drive to reach it more quickly

• On that step, we are going to open and configure the outlook on the windows 7 PC and do some custom configuration inside as an example to test the application settings migration

• In this example, I have configured my Hotmail account and synchronized my e-mail
• Download and install the Outlook Hotmail Connector before you configure your Hotmail account
• Download link: http://www.microsoft.com/en-eg/download/details.aspx?id=24677

• Synchronization is now completed

• In this example we shall create an outlook rules as shown

• We shall also set an outlook signature for new e-mails as shown

• After that we shall open the IE and add some web pages in the favorites bar as shown

• Change the wallpaper to a specific one as shown

• Create a word document in the Documents folder , in this example the document name is "1.docx"

• On the windows 8 PC prepare a network share to place the migrated data on as shown

• Create a shared folder on the a network share "in this case it is the target Windows 8 PC itself" to place the migrated data on it
• Run the ScanState tool in an elevated CMD with the following syntax:
• Scanstate.exe \\win8-1\Migration /i:migapp.xml /i:migdocs.xml /v:5 /vsc /encrypt /key:KamalKey
• Note here that we are migrating User Application settings and Documents, we also used the following switches for:
• /v:5 to turn the verbose output mode
• /vsc to turn on the volume shadow copy during the migration phase
• /encrypt: to encrypt the data on the target network share for protection and privacy
• /key:keyname used to decrypt the data during the restoration on the new windows 8 PC

• On the target machine (Win8-1):
• Copy the installation folder from the source PC (Win7-1) "c:\User State Migration Tool\amd64\" to the target pc (Win8-1)
• Open the CMD on "Win8-1" and type the following:
• Loadstate.exe \\win8-1\Migration /i:migdocs.xml /i:migapp.xml /i:miguser.xml /v:5 /decrypt /key:KamalKey

• After the migration is done, note the wallpaper you configured on the windows 7 workstation is now set to the new windows 8 machine

• Open MS outlook and notice the same configuration is now migrated and your Hotmail account in that example if working fine

• Open to check for your configured signature, you shall find it as it was in the Win7 PC

• Open your "Documents" and note the sample document you created "1.docx" is found!

• And finally open the Internet Explorer and note you Favorite bar, contains your Favorite Sites

I hope you find this Blog post Helpful.

Thank You for your time

Mohamed Kamal from NEPA team.

First, let me say that I am really pleased to start this series which I wanted to call "It's Simple!" aiming to simplify things a little bit and make them easier to assimilate.

Now back to our topic, shall we?

So you said Time Configuration right? Why should we care at the first place?

It's simple! Active Directory can't work correctly (or at all) if the clock is not synchronized around domain controllers/member machines.

For example, in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate (which is configurable by GPO: Maximum tolerance for computer clock synchronization in Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy).

Another example is replication, Active Directory uses time stamps to resolve replication conflicts.

Now, let's see how time should be configured in Active Directory:

1. In Active Directory, we use the Windows Time service for clock synchronization: W32Time,
2. All member machines synchronizes with any domain controller,
3. In a domain, all domain controllers synchronize from the PDC Emulator of that domain: using NT5DS (which simply means: follow the domain hierarchy and get me my PDC emulator)
4. The PDC Emulator of a domain should synchronize with any domain controller of the parent domain: using NTP,
5. The PDC Emulator of the root domain in a forest should synchronize with an external time server (could be clock device, a router, another standalone server, an internet time server…)

But how do I configure time in my Active Directory?

Well, it's simple! Normally it should be set correctly if we don't modify it in purpose,

Otherwise, we do provide some tools for that: w32tm.exe command-line utility and GPO

• Using w32tm.exe

   

  • Run the following command on the PDC emulator:  

    w32tm /config /manualpeerlist:timeserver /syncfromflags:manual /reliable:yes /update

    (where timeserver is a –space delimited– list of your time source servers)

    Once done, restart W32Time service.

     

  • Run the following command on all other DCs (that are not PDC):  

    w32tm /config /syncfromflags:domhier /update

    Once done, restart W32Time service.

     

• Using GPO with WMI filter

   

  Using a GPO is always better to automate as much as possible (and of course in case we had to transfer the PDC role to another DC): 

  • Create a GPO and link it to the Domain Controllers container
  • Set a WMI filter to target the PDC emulator, using the following syntax:

     Select * from Win32_ComputerSystem where DomainRole = 5

     

  • Open the GPO for edition and go to: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Configure Windows NTP Client + Enable Windows NTP Client

     

     

    
    Quick note: NtpServer contains a space-delimited time source servers with the format: Name-or-IP,server-flag

     

  • All non-PDC domain controllers should be set to NT5DS (domain hierarchy).

     

• Creating a global settings GPO

   

  • Create a GPO and link it to Domain Controllers organizational unit,
  • Edit the settings under: Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers then Global Configuration Settings
  • Depending on the use, you may leave the default values.

   

• Checking 
• • You can check the registry entries if the domain controller is using NTP (should be on PDC) or NT5DS (on non-PDC):

    Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

  • You can also check for time advertisement on the PDC by running this command w32tm.exe /resync /rediscover /no_wait, then check for Event ID 139
  • To check the source time server: w32tm /query /status

Side notes:

• Please note that we recommend using w32tm command-line utility instead of "net time" command (why?),
• We recommend using w32tm or GPO tools to configure time services instead of registry tool,
• The PDC should not synchronize with itself (RFC 1305),
• More details on the WMI filter here and GPO time settings here.
• About NtpServer value syntax and server flags here and here.

Hope its simple now!

Imed Boukhaf from NEPA team.

A database availability group (DAG), together with mailbox database copies, can provide automatic recovery from a variety of server, storage, network, and other hardware failures. A DAG can also provide a site resilience solution so that you can perform a datacenter switchover in the event of a site-level disaster. But even a comprehensive, intelligent, and robust solution such as a DAG can't protect you from all possible disasters, including disasters that affect an entire DAG.

Example of Exchange Environment

We'll work with a two-member DAG named DAG1 that contains 2 HUB/CAS/Mailbox servers named HCM1 and HCM2. HCM1 hosts the active copy of a database named DAG1-DB1, which is replicated to HCM2. In addition to hosting the passive copy of DAG1-DB1, HCM2 also hosts the active copy of DAG1-DB2, which is replicated to HCM1.

We also have an Edge server in the DMZ.

In this article we'll only focus on the required steps to rebuild an entire DAG, it will not covers the recovery of the Edge server.

To be able to perform successfully the recovery you should have documented the following information:

• IP Addresses
• Hostname
• LUNs configuration
• Database copies that the server hosted
• The installation and databases / logfiles path. This is necessary because after adding the server back into the DAG, the databases and logfiles will be created on the previous location. The database and log location can be retrieved by looking at other servers in the DAG.
• The Exchange installation path : can be obtained by looking at the "MsExchInstallPath" attribute in the following key: CN=ExServerName,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ExOrg Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,CN=Com

Prepare the DAG for Recovery

• Using Active Directory Users and Computers, locate the CNO for the DAG. In our example, the name of the CNO is DAG1.
• Right-click the computer account for DAG1, point to All Tasks, and then select Reset Account.
• Right-click the computer account for DAG1, point to All Tasks, and then select Disable Account. When the prompt appears, click Yes, and then click OK.

• Right-click the computer account for HCM1, point to All Tasks, and then select Reset Account.
• Right-click the computer account for HCM2, point to All Tasks, and then select Disable Account. When the prompt appears, click Yes, and then click OK
• Repeat Step 4 and 5 to HCM2
• Open ADSIEDIT, connect to Configuration partition
• From ADSIEDIT browse to Services -> Microsoft Exchange –> Org Name –> Administrative Groups –> Exchange Administrative Group (FYDIBOHF23SPDLT) –> Servers –> HCM1

   

• Right click the server and select properties

  

• Double click the attribute msExchEdgeSyncCredential and then remove all the values

• Double click the attribute msExchMDBAvailabilityGroupLink and then remove the value

Build Replacement Mailbox Servers

• Install and configure Windows Server.
• Rename the computer with the appropriate name.
• Configure the server as the one you lost (same IP addresses, LUNs, OS, etc…)
• Join the computer to the appropriate Active Directory domain.
• Install the prerequisites for running installed Exchange server roles. For details, see Exchange 2010 System Requirements
• Insert the Exchange Media
• From the first node you're going to restore

  Run Setup /preparead

   

   

Run the following Command

Setup /m:recoverserver /DoNotStartTransport

•  Restart the server

Perform the Cleanup Operation to Prepare for DAG Recovery

• Form the first server you restored run the following Exchange Management Shell commands to remove the databases copies

• Form the first server you restored run the following Exchange Management Shell command to remove the remaining node from the DAG

• Run the following Exchange Management Shell command to verify that the remaining node was successfully removed from the DAG

Add back the servers to the DAG

• Run the following Exchange Management Shell command to Add back the HCM1 to the DAG

• If you received an error related to a lack of permission to update the CNO proceed with Step 3 to 5

• From "Active Directory Users and Computers", right click the Cluster Name Object (DAG1) and go to the security tab to affect full control to the "Exchange Trusted Subsystem" Security Group

   

• Run again the command described in Step1

   

• Set back the default permissions of the "Exchange Trusted Subsystem" Security Group as described below

   

• Run the following Exchange Management Shell command to Add back the second server HCM2 to the DAG

 Add Mailbox Database Copies to the DAG

The final step is to add mailbox database copies back to the appropriate DAG member. Depending on the nature of the failure, the previously passive copies of the databases hosted on these servers may not be available. If the files on disk are preserved and in their original location or copied to the original location, the Microsoft Exchange Replication service may be able to perform an incremental resynchronization of the passive copies, thereby eliminating the need for a full reseed. However, if the original passive copies aren't available, you'll need to perform a full reseed.

• To add the mailbox database copies back to the DAG, run the following commands.

• Verify the health and status of all mailbox database copies with the following commands

Ghazi Boufaden from NEPA team.