Partner Technical Services Blog

A worldwide group of consultants who focus on helping Microsoft Partners succeed throughout the business cycle.

December, 2011

  • Monitoring machines using Certificates with System Center Operations Manager 2007 R2 - Part 1

    (Post courtesy Rohit Kochher)

    In this series of two blog posts, we will discuss monitoring machines in a non-trusted domain. In part one we will discuss the scenarios in which certificates are used and configure a certificate template for Operations Manager. In part two, we will cover installation and approval of gateway servers and configuring monitoring for workgroup machines.

    Kerberos or Certificates

    System Center Operations Manager 2007 R2 uses mutual authentication to communicate with agents. This can be done using Kerberos v5 or certificates. If the monitored computers are in the same domain as the Operations Manager server, or if the two domains have a two-way trust, we can use Kerberos. But if you want to monitor machines in a workgroup or in a non-trusted (or one-way trusted) domain, we need certificates, which provide the mutual authentication in that case.

    The following blog post from the Operations Manager support team has a nice diagram that shows where you would use Kerberos vs. certificates for authentication: Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server.

    Scenarios to use Certificates

    If my Operations Manager server is in domain A and I want to monitor machines which are in a workgroup, I need to use certificates. I will install certificates on my Operations Manager server and on each workgroup machine that I want to monitor.

    If my Operations Manager server is in domain A and I want to monitor machines in an untrusted domain B, I will use certificates along with a gateway server. This time I don’t need to install certificates on all machines in domain B. I can simply install the Gateway Server in domain B and have certificates installed on the Operations Manager server in domain A and the Gateway Server in domain B. Within domain B, Kerberos is the security mechanism between the agents and the Gateway Server. Between the Gateway and Operations Manager servers, certificates provide mutual authentication.

    Another benefit of gateway servers is that I need to open only one port, TCP 5723, between the Gateway and Operations Manager servers.

    We will also need name resolution between the Operations Manager server and the gateway server. This can be done using DNS, hosts files, etc.

    Let’s get it Started

    I have installed the Active Directory Certificate Services (AD CS) and Certificate Authority Web Enrollment roles on Windows Server 2008 R2. The Certificate Authority is of the Enterprise type. More on the 2008 R2 CA can be found here. Also, to configure the HTTPS binding for the CA, check this article.

    Configuring certificate template for SCOM

    1) On the 2008 R2 server, click Start, then Administrative Tools, and open the Certification Authority snap-in. Click Certificate Templates, then Manage.


    2) Right-click the IPSec (Offline request) template and select Duplicate Template.

    Select Windows Server 2003 Enterprise for the template version.

    3) In the Properties of the new template, on the General tab, give the template a name such as OpsMgr Certificate in Template Display Name.


    4) On the Request Handling tab, check Allow private key to be exported.

    5) Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.


    6) Click Add and then select Client Authentication and Server Authentication and click OK.


    7) On the Security tab, give Authenticated Users Read and Enroll permissions.

    8) Close the Certificate templates console.

    Add the configured template to the Certificate Templates folder

    Right-click Certificate Templates in the CA console. Click New, then Certificate Template to Issue. Select the certificate template we named in step 3.
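    The steps above are done in the console, so here is a way to read the result back and confirm it, as an added example that is not part of the original post. It reads the template object from the AD configuration partition and checks the Application Policies (Client and Server Authentication present, IKE intermediate removed), the exportable-key flag, and whether any enterprise CA publishes the template. The template's internal name is assumed to be OpsMgrCertificate (the console derives it from the display name OpsMgr Certificate by dropping the space); pass -TemplateName if yours differs.

```powershell
# Added example, not part of the original post: verify the duplicated
# template against the settings the console steps above changed.
# Assumption: the template's internal (CN) name is 'OpsMgrCertificate'.
param(
    [string]$TemplateName = 'OpsMgrCertificate'
)

# Well-known object identifiers used by the Application Policies extension.
$oidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$oidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$oidIkeInterm  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate (removed in step 5)
$CT_FLAG_EXPORTABLE_KEY = 0x10         # "Allow private key to be exported" bit of msPKI-Private-Key-Flag

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' not found under CN=Certificate Templates; check its internal (not display) name."
}
$template = [ADSI]$tplPath
$ekus     = @($template.pKIExtendedKeyUsage)                         # multi-valued OID strings
$keyFlags = [int]$template.Properties['msPKI-Private-Key-Flag'].Value

# Which enterprise CAs list the template (the final 'Certificate Template to Issue' step).
$publishedOn = @()
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    if (@($ca.certificateTemplates) -contains $TemplateName) {
        $publishedOn += [string]$ca.Properties['cn'].Value
    }
}

$checks = @(
    @{ Check = 'Client Authentication EKU present'; Passed = ($ekus -contains $oidClientAuth) },
    @{ Check = 'Server Authentication EKU present'; Passed = ($ekus -contains $oidServerAuth) },
    @{ Check = 'IKE intermediate EKU removed';      Passed = ($ekus -notcontains $oidIkeInterm) },
    @{ Check = 'Private key exportable';            Passed = (($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0) },
    @{ Check = 'Published on at least one CA';      Passed = ($publishedOn.Count -gt 0) }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Passed -AutoSize
if ($publishedOn.Count -gt 0) { "Published on: $($publishedOn -join ', ')" }
```

    Run it on any domain-joined machine with read access to the configuration partition. It does not inspect the template's security descriptor; step 7 grants Enroll to Authenticated Users, and in practice you can narrow that grant to the computer accounts of the Operations Manager and gateway servers, since they are the only machines that need certificates from this template.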


    This is how we configure our certificate template for SCOM. In part 2 we will discuss installation of certificates and deployment of the gateway server.

    Stay Tuned!!

    Additional Resources

  • Monitoring machines using Certificates with System Center Operations Manager 2007 R2 - Part 2

    (Post courtesy Rohit Kochher)

    In part 1, we discussed scenarios where Operations Manager uses certificates to monitor computers in a workgroup or non-trusted domain. We also configured the certificate template for Operations Manager. In this post we will use certificates for gateway servers and deploy them. At the end we will also have the steps to monitor machines in a workgroup.

    Download and Import trusted Root (CA) Certificate

    Open a browser to https://<servername>/certsrv, where <servername> is the name of the server running Active Directory Certificate Services. On the welcome page, click Download a CA certificate, certificate chain, or CRL.


    Save the certificate. To import it, open MMC. From File, select Add/Remove Snap-in. Add the Certificates snap-in and select Computer Account.

    Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates. Use All tasks to Import the trusted root (CA) certificate.

    We already covered configuring the template for SCOM in part 1.

    Request a certificate for SCOM/Gateway server

    1) Open a browser to https://<servername>/certsrv again. On the Select a task page, click Request a certificate.

    2) On the Request a Certificate page, select advanced certificate request.


    3) On the Advanced Certificate Request page, select Create and submit a request to this CA.


    4) In Certificate Template, select from the drop-down the certificate template that we configured in Part 1 of the series.


    5) At the bottom of the page, in Friendly Name, give the FQDN of the SCOM server or gateway server.

    We need to install a certificate on both the SCOM server and the gateway server.

    Installation of Gateway server

    On the gateway server, open the SCOM media. Click Install Operations Manager 2007 R2 Gateway. Enter the management group name and the management server.


    Select the Gateway Action Account; the two options are Local System or a domain account.


    Click Next and wait for the installation to complete.

    Registering Gateway server with Management group using gateway approval tool

    Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager 2007 installation directory.

    Open a Command Prompt window, and navigate to the \Program Files\System Center Operations Manager 2007 directory.

    The syntax of the command is Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create


    Importing Certificates with the MOMCertImport.exe Tool

    We need to import the certificate on both the management server and the gateway server.

    At a command prompt, navigate to \SupportTools\<platform> (i386 or ia64).

    Run momcertimport.exe /SubjectName <certificate subject name>.


    With this, I was able to monitor machines in a non-trusted domain using a gateway server and certificates. To confirm everything is good, you can check one thing.

    Open the certificate that you installed on the management/gateway server. Click the Details tab and note the Serial Number.

    Now navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and check the value of ChannelCertificateSerialNumber. The certificate's serial number should appear here in the registry with its bytes in reverse order.
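    The manual comparison above can be scripted, and a few other things are worth checking at the same time. The following is an added example (not from the original post): it finds the certificate in the local computer's Personal store by subject, confirms it has a private key, carries the Client and Server Authentication EKUs from the part 1 template, chains to a trusted root (the CA certificate imported earlier), and compares its serial number with ChannelCertificateSerialNumber after reversing the byte order. The registry key and value name are the ones given above; the subject name gw01.domainb.example is an assumed placeholder.

```powershell
# Added example, not part of the original post: verify the certificate that
# MOMCertImport registered on a management or gateway server.
# Assumption: the certificate subject contains CN=<server FQDN>.
param(
    [string]$SubjectFqdn = 'gw01.domainb.example'   # placeholder; use your server's FQDN
)

$regKey   = 'HKLM:\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$regValue = 'ChannelCertificateSerialNumber'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectFqdn*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectFqdn in Cert:\LocalMachine\My" }

# The registry value is REG_BINARY with the serial number's bytes reversed,
# so rebuild the byte array from the hex string shown on the Details tab
# and reverse it before comparing.
$regBytes    = (Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction Stop).$regValue
$hex         = $cert.SerialNumber
$serialBytes = @(0..([int]($hex.Length / 2) - 1) | ForEach-Object {
    [Convert]::ToByte($hex.Substring(2 * $_, 2), 16)
})
[array]::Reverse($serialBytes)

# Enhanced Key Usage OIDs present on the certificate.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

$checks = @(
    @{ Check = 'Private key present';                Passed = $cert.HasPrivateKey },
    @{ Check = 'Client Authentication EKU';          Passed = ($ekus -contains '1.3.6.1.5.5.7.3.2') },
    @{ Check = 'Server Authentication EKU';          Passed = ($ekus -contains '1.3.6.1.5.5.7.3.1') },
    @{ Check = 'Chains to a trusted root';           Passed = $cert.Verify() },
    @{ Check = 'Serial matches registry (reversed)'; Passed = ([BitConverter]::ToString($serialBytes) -eq
                                                               [BitConverter]::ToString([byte[]]$regBytes)) }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Passed -AutoSize
```

    A failed "Chains to a trusted root" check usually means the CA certificate was not imported into the local computer's Trusted Root Certification Authorities store; a serial mismatch means MOMCertImport was run against a different certificate than the one you expected.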

    Further, I can configure multiple gateway servers so that agents can fail over, and multiple SCOM servers for my gateways to fail over to. This can be done using PowerShell and is covered in the blog.

    Monitoring Workgroup machines using certificates

    Now we will discuss how to monitor machines that are in a workgroup. I have outlined this in a few steps:

    Name resolution between the SCOM server and the workgroup server can be done with the hosts file, located at C:\Windows\System32\drivers\etc.

    Make sure TCP port 5723 is open for communication. You can telnet to the port to confirm.
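    Both prerequisites can be checked from the workgroup machine in one script, as an added example that is not part of the original post. Name resolution goes through the hosts file automatically, and the TCP probe uses a timeout so that a filtered port fails quickly instead of hanging the way a telnet attempt does; Test-NetConnection is not available on the Windows Server 2008 R2 era PowerShell this post targets, so the probe uses the .NET TcpClient directly. The server name scom01.domaina.example is an assumed placeholder.

```powershell
# Added example, not part of the original post: confirm name resolution and
# TCP 5723 reachability to the management server from a workgroup machine.
function Test-OpsMgrReachability {
    param(
        [string]$ManagementServer = 'scom01.domaina.example',   # placeholder
        [int]$Port = 5723,
        [int]$TimeoutMs = 3000
    )

    # 1. Name resolution (DNS or C:\Windows\System32\drivers\etc\hosts)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ManagementServer) |
                     ForEach-Object { $_.ToString() }
    } catch {
        return New-Object PSObject -Property @{
            Server = $ManagementServer; Resolved = $false; Addresses = $null; PortOpen = $false
        }
    }

    # 2. TCP connect with a timeout so a firewall that silently drops the
    #    SYN is reported as closed rather than blocking the script.
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)      # throws if the connection was refused
            $open = $client.Connected
        }
    } catch {
        $open = $false                      # refused or reset
    } finally {
        $client.Close()
    }

    New-Object PSObject -Property @{
        Server    = $ManagementServer
        Resolved  = $true
        Addresses = ($addresses -join ', ')
        PortOpen  = $open
    }
}

Test-OpsMgrReachability | Format-List Server, Resolved, Addresses, PortOpen
```

    Resolved false points at the hosts file or DNS; Resolved true with PortOpen false points at the firewall between the two machines or at the management server not listening yet.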

    You can manually install the SCOM agent on the workgroup server and use certificates afterwards. Copy the AGENT folder from the SCOM media. Run the MSI for your 32- or 64-bit OS. Specify the management group and SCOM server name and complete the installation.

    See Download and Import trusted Root (CA) Certificate at the beginning of this post. Follow it to download and import the CA certificate on the local computer. The CA certificate should be imported into the Trusted Root Certification Authorities store. Here I am assuming you can reach https://<servername>/certsrv through your browser.

    The next step is to get a certificate for the workgroup server. We already discussed in part 1 how to configure the certificate template for SCOM. See the Request a certificate for SCOM/Gateway server section at the top of this post to request a certificate from the workgroup server. You need permissions in the SCOM server's domain for this. Also, while requesting the certificate, give the name of the workgroup server in Friendly Name.

    By default the certificate is installed in the Personal store of the current user. Open MMC and export that certificate from the current user store to a file. Then import it into the Personal store of the local computer.

    Importing Certificates with the MOMCertImport.exe Tool

    Copy MOMCertImport from the SCOM support tools to the workgroup server.

    At a command prompt, navigate to \SupportTools\<platform> (i386 or ia64).

    Run momcertimport.exe /SubjectName <certificate subject name>.

    Process Manual Agent Installations in Operations Manager 2007

    On your Operations Manager server, configure the security setting for manually installed agents. It should be Review new manual agent installations in pending management view, with or without Auto-approve new manually installed agents depending on your security requirements. Refer to the article for more details.

    Thanks for reading!!

  • Configuration Manager 2012 RC: Configure Software Catalogue portal and publish applications

    (Post courtesy Anil Malekani)

    The Software Catalogue portal is a cool new feature in System Center Configuration Manager 2012. Administrators can publish applications for end users, and optionally they can enforce authorization before actual deployment of the application. I tried to configure the feature in the release candidate of Configuration Manager 2012 and captured screenshots at each important step.

    Before you start to configure the Application Catalogue, look at the prerequisites at the following TechNet link:

    Prerequisites for Application Management in Configuration Manager

    Now, right-click one of the SCCM 2012 primary site systems to add a new role.


    Select Application Catalog Web Service Point and Application Catalog Website Point.


    You may specify a name for the web application.


    Provide Organization name and web theme.


    That done, you have the website ready but you still need to publish applications for users.

    1. Publish the application to the catalogue, from application properties > Application Catalog tab.

    2. Deploy the application to all users. Make it available and (optionally) set "approval required" so that a request from a user must be approved.


    Finally, define the Application Catalog synchronization frequency. Right-click the site server and go to the "Site Maintenance" option. Scroll to the bottom of the list and select Update Application Catalog Tables. In its properties, define an interval in minutes.

    Configure Application Catalogue update setting


    User Experience

    When a user opens the Application Catalog website, they can see a list of published applications and request an application.


    If an application requires approval before deployment, the administrator will see a pending approval request under Application Management. Administrators can either approve or deny the deployment request and also write comments.


    Once approved, the client will see the following on their workstation


    Additional Resources

  • Extending Remote Desktop Services using PowerShell

    (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

    What? Are you kidding me? I never knew we could automate Remote Desktop Services using PowerShell. But, yes we can. You can almost automate everything within your Remote Desktop Services Infrastructure using Windows PowerShell.

    So the burning question is, when should I use PowerShell and when should I prefer using a GUI?

    To explain this, let’s discuss a common scenario. You have about 10 Remote Desktop Session Host servers in your farm. You would like to do an inventory of the RemoteApps running on each of these servers. Now ideally, it is recommended to run the same RemoteApps on all RDSH servers in a farm. But let’s take an exception here. What would be your approach in this case?

    One way to tackle this is to use the RemoteApp Manager, connect to each RDS server and check the RemoteApps running on it. Well, nothing very complex about this approach. But imagine the amount of time you’d spend on doing this! Consider there are more than 10 servers participating in a farm. You’d be just:

    • clicking around,
    • connecting to remote servers,
    • taking a note of the RemoteApps and then
    • drafting a report from the data collected from it.

    The other way to deal with this scenario is, yes, you guessed it right, use PowerShell.

    Ask yourself a question: If you were in charge of a team of IT administrators, which ones would you want in your team?

    The ones who need several minutes to click their way through a GUI for each task?

    OR

    The ones who can perform tasks in a few seconds after automating them?

    It’s an obvious choice. PowerShell has given the term “administration” a new definition and very soon we will see the Microsoft IT administration world split into two camps:

    Those who continue to ignore PowerShell and use the GUI, even if it means skipping their meals to get the tasks done.

    Those who are already comfortable with the GUI, use it to perform one-time tasks, and harness PowerShell to automate bulk operations.

    Now that I have set the background on “Why use PowerShell?”, let me take you on a seven-part journey to automate your existing RDS environment using PowerShell.

    Milestone 1 – Installing Remote Desktop Role Services

    Milestone 2 – Configuring Remote Desktop Session Host using the RDS Provider for PowerShell

    Milestone 3 – Configuring Remote Desktop Connection Broker

    Milestone 4 – Configuring Remote Desktop Farms

    Milestone 5 – Configuring Remote Desktop Gateway

    Milestone 6 – Configuring Network Load Balancing for RD Gateway using PowerShell

    Milestone 7 – Using Best Practices Analyzer to review our RDS Infrastructure

    Milestone 8 – Using additional resources

    Alright, so let’s dive straight into the first part, i.e. Installing RDS Roles using PowerShell. Let’s be immediately effective.

    Milestone 1 – Installing Remote Desktop Role Services

    To install any role or feature on a Windows Server 2008 R2 server, we will leverage the Add-WindowsFeature command of the ServerManager module. This command is not available by default, but we can import the ServerManager module into the current PowerShell runspace.

    To import the ServerManager module, use the following command

    Import-Module ServerManager

    To see which commands are loaded as part of the import, use the -Verbose parameter:

    Import-Module ServerManager -Verbose


    Because the names of the roles, role services and features are case sensitive, we will first get the names of the role services the way PowerShell understands them, using the command below:

    Get-WindowsFeature -Name *RDS*


    The names are case-sensitive, so when using Add-WindowsFeature, ensure that you use the correct case as shown above.

    If you have used Server Manager to install a role, you will have noticed that if the role has any dependent features, Server Manager automatically prompts you to install them as well. In PowerShell, we achieve this with the -IncludeAllSubFeature parameter of Add-WindowsFeature.

    The best part about PowerShell is the -WhatIf parameter. When you use this parameter with any command that attempts to make changes to your system, PowerShell tells you what changes the command would make but does not actually make them. In this way, you can validate the changes before making them. Let’s see this in action by running the following command:

    Add-WindowsFeature -Name RDS-RD-Server -IncludeAllSubFeature -WhatIf


    Note that PowerShell tells you that performing this action would install the Remote Desktop Session Host role on the server and that a restart would be required.

    Let’s run the same command again, but this time omit the -WhatIf parameter so that the role is actually installed.

    To restart the server after the role is installed, append the -Restart parameter so the server restarts automatically once the role is installed.
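    The three commands above (check the name, preview with -WhatIf, install with or without -Restart) can be combined into one function that is safe to rerun, as an added example that is not part of the original post. It looks the feature up with Get-WindowsFeature first, skips it when the Installed property is already set, lets -WhatIf on the function flow through to Add-WindowsFeature, and inspects the Success and RestartNeeded properties of the result object Add-WindowsFeature returns so the reboot decision is explicit rather than buried in console output. The function name is my own.

```powershell
# Added example, not part of the original post: idempotent wrapper around
# Add-WindowsFeature for a single role service.
function Install-RoleServiceIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # exact name, e.g. RDS-RD-Server
        [switch]$Restart
    )
    Import-Module ServerManager -ErrorAction Stop

    $feature = Get-WindowsFeature -Name $Name
    if (-not $feature) {
        throw "No feature named '$Name'; list candidates with Get-WindowsFeature -Name *RDS*"
    }
    if ($feature.Installed) {
        Write-Verbose "$($feature.DisplayName) is already installed; nothing to do"
        return $feature
    }

    # When this function is called with -WhatIf, $WhatIfPreference is set in
    # its scope and Add-WindowsFeature honours it, printing what it would do
    # and returning nothing.
    $result = Add-WindowsFeature -Name $Name -IncludeAllSubFeature -Restart:$Restart
    if ($result -and -not $result.Success) {
        throw "Add-WindowsFeature failed for $Name (exit code: $($result.ExitCode))"
    }
    if ($result -and "$($result.RestartNeeded)" -ne 'No' -and -not $Restart) {
        Write-Warning "$Name installed; a restart is still required before it is usable"
    }
    return $result
}

# Preview first, then install (add -Restart to reboot automatically):
Install-RoleServiceIfMissing -Name RDS-RD-Server -WhatIf
Install-RoleServiceIfMissing -Name RDS-RD-Server -Verbose
```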


    Once the server has rebooted, run Get-Module -ListAvailable to see the RDS PowerShell module installed as part of the RD Session Host role installation.


    Let’s import the RDS PowerShell module and see what commands are available in it.

    Import-Module RemoteDesktopServices

    Get-Command -Module RemoteDesktopServices


    What!! Just 7 commands? How can you automate my RDS infrastructure using just seven commands? Also note that I am using Windows Server 2008 R2 SP1, so I get additional commands that work with virtual GPUs (RemoteFX is only available with Server 2008 R2 SP1).

    RDS PowerShell adds a PS provider (RDS:) that lets you access your Remote Desktop Services configuration like a file system. This is a known fact. To see the RDS provider, run the following command:

    Get-PSProvider


    Oops! The name got chopped off. Let’s pipe Get-PSProvider to Format-Table with its auto-size option so the contents fit within the PowerShell runspace.


    To access the RDS PS drive, we will change directory to it.

    cd RDS:


    To view the subdirectories in the RDS drive, run dir or Get-ChildItem (note that dir is an alias for Get-ChildItem).


    We will tackle the RDSConfiguration and RemoteApp containers one by one.

    RDSConfiguration

    To access the RDSConfiguration container, change directory to it. You just need to type the first few characters of the container name that make it unique and hit the Tab key; PowerShell auto-completes the name and supplies its absolute path.


    The common commands you would use with the RDS provider are as follows:

    Dir

    Get-ChildItem (the same as dir)

    Get-item

    Set-Item

    Remove-Item

    New-Item

    To access the sub-contents of RDSConfiguration, let’s do a dir on RDSConfiguration.


    Let’s analyze this content a bit.

    The first column displays the name of the container or setting. You can determine whether a particular item is a container or an individual setting by looking at the Type column (the second column). Containers have further subdirectories, whereas settings are leaf objects with no hierarchy below them.

    The third column is CurrentValue, which, as the name suggests, indicates the current value of the setting. As you can see in the screenshot above, UserLogonMode is currently set to 0. What does 0 mean? Park that question for a moment; we will figure it out once we get into configuring settings.

    The fourth column is GP, which stands for Group Policy. This indicates whether the current setting is configured via RDS Group Policies or not.

    The fifth column is PermissibleValues, which, as the name suggests, indicates the values that the configuration item can accept.

    The last column is PermissibleOperations, which indicates the PowerShell cmdlets that are permitted on the configuration item.

    Note that this information is similar to what you see in the Remote Desktop Session Host Configuration console under Edit settings.


    Let’s browse Connections and drill down further into RDP-Tcp.


    Now, it’s time to set a particular configuration item.

    To get more information about any leaf or configuration setting, use the following syntax:

    Dir <setting name> | Format-List *

    For example: dir .\ConnectionStatus | Format-List *


    From the screenshot above, we can see that ConnectionStatus defines the “status of the connection”, as given in the description. Setting it to 0 disables the connection and setting it to 1 enables it. By default, it is enabled.

    We will take a step further and access the contents of the LogonSettings directory. Here, we will set ClientLogonInfoPolicy to 0, which ensures that the server’s connection settings override the user’s connection settings.

    By default, it is set to 1, which means that the user’s connection settings override the server’s connection settings. We can verify this via the GUI as well.


    Let’s see the complete information for ClientLogonInfoPolicy by running the command below:

    dir .\ClientLogonInfoPolicy | fl *


    Now, let’s set the value to 0 by using the command below:

    Set-Item .\ClientLogonInfoPolicy 0

    Note that I am running this from the path RDS:\RDSConfiguration\Connections\RDP-Tcp\LogonSettings.

    If you are running this from any other drive, use the -Path parameter and provide the entire path explicitly. I have used this approach to revert the value back to 1.

    Set-Item -Path RDS:\RDSConfiguration\Connections\RDP-Tcp\LogonSettings\ClientLogonInfoPolicy 0


    To verify, let’s fire up the GUI for the same setting. Wow, we see that the configuration change has been made. Hurray!


    To revert it, we will set the value back to 1. This ensures that the client settings override the server’s settings.


    Do not forget to refresh the console. The change will be visible only after you refresh the console and explore the properties again.

    So let me reiterate: you should use the following commands to work with the RDS provider in PowerShell:

    Dir

    Get-item

    Set-item

    New-item

    Remove-item

    Use Dir <setting name> | Format-List * to get information about a particular setting.
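    The set-then-verify-then-revert sequence above is the pattern to keep for any RDS provider change, so here it is as one function, as an added example that is not part of the original post. It reads the item first, refuses a value that is not in PermissibleValues, records the previous CurrentValue so the change can be reverted, supports -WhatIf, and re-reads the item after Set-Item to confirm the write took. It assumes that the CurrentValue and PermissibleValues columns shown by dir are properties of the item object, as the Format-List * output above suggests; the function name is my own and the path is the one used in the post.

```powershell
# Added example, not part of the original post: guarded Set-Item for RDS
# provider settings with validation, verification and an easy revert.
function Set-RdsSettingChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # full RDS: path to a leaf setting
        [Parameter(Mandatory = $true)]$Value
    )
    Import-Module RemoteDesktopServices -ErrorAction Stop

    $item    = Get-Item -Path $Path -ErrorAction Stop
    $old     = $item.CurrentValue                 # assumed property, per the dir output
    $allowed = @($item.PermissibleValues)         # assumed property; may be empty for free-form settings

    if ($allowed.Count -gt 0 -and ($allowed -notcontains $Value)) {
        throw "'$Value' is not among PermissibleValues [$($allowed -join ', ')] for $Path"
    }

    if ("$old" -eq "$Value") {
        Write-Verbose "$Path is already $Value; nothing to do"
    }
    elseif ($PSCmdlet.ShouldProcess($Path, "Change CurrentValue $old -> $Value")) {
        Set-Item -Path $Path -Value $Value
        $new = (Get-Item -Path $Path).CurrentValue
        if ("$new" -ne "$Value") {
            throw "Verification failed: $Path reads $new after Set-Item"
        }
    }

    # Return the old value so the caller can revert without remembering it.
    New-Object PSObject -Property @{ Path = $Path; OldValue = $old; NewValue = $Value }
}

$setting = 'RDS:\RDSConfiguration\Connections\RDP-Tcp\LogonSettings\ClientLogonInfoPolicy'
$change  = Set-RdsSettingChecked -Path $setting -Value 0            # server settings override the client's
Set-RdsSettingChecked -Path $setting -Value $change.OldValue        # put it back (1 by default)
```

    Passing -Value 2 to the function throws before anything is written, which is the point of reading PermissibleValues first.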

    Installing Role Services Remotely:

    How do you install a role service, let’s say RD Web Access, remotely? Unfortunately, Add-WindowsFeature does not have a -ComputerName parameter in which we could specify the name of the remote computer.

    However, we do have a workaround in the form of PowerShell Remoting. To enable PowerShell Remoting, run the following command:

    Enable-PSRemoting

    I am going to run this command on a remote server named FUJI.


    This automatically configures the firewall exceptions and the WinRM (Windows Remote Management) service so that the server accepts remote commands. Server 2008 R2 has GPOs to configure PowerShell Remoting, which I will cover in a different blog post. You can use GPOs to automatically enable PS Remoting on all your servers so that they can be managed remotely.

    Now that I have enabled PS Remoting on FUJI, we will remotely install the RD Web Access Role Component on it.

    For the time being, I will use 1:1 Remoting.

    New-PSSession -Name FUJIRemote -ComputerName FUJI


    Next we will enter the session that was just opened:

    Enter-PSSession -Name FUJIRemote

    If you are able to connect to the session, PowerShell displays the name of the computer before the PS prompt:

    [fuji]: PS C:\Users\Administrator.POWERSHELL\Documents>

    This indicates that you are now connected to the remote session, and whatever you do at this prompt is performed on the remote server, which is FUJI in our case.

    The rest is simple. We will follow the same steps that we did to install the RD Session Host Role.


    As you can see, we were able to install the RD Web Access role on the remote server FUJI, and PowerShell tells you that the server does not require a reboot after installation of RD Web Access. I knew that beforehand and hence didn’t specify the -Restart parameter.


    We will verify the same by taking a look at Server Manager on the FUJI server.


    This is just one example of PowerShell Remoting. You can also do 1:Many remoting, where you specify a list of computer names in a text file or similar and then perform actions on each of those computers.
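    1:Many remoting is exactly what the RemoteApp inventory scenario from the start of this post calls for, so here it is as an added example that is not part of the original post. Server names come from a text file (one per line), each server needs PS Remoting enabled as shown above, and the script reads the RemoteApp names from the provider's RDS:\RemoteApp\RemoteAppPrograms container on each host. Because a farm is supposed to publish the same RemoteApps everywhere, it then reports any RemoteApp that is missing from some of the servers that answered, and warns about servers that did not answer at all. The file and report paths are assumptions.

```powershell
# Added example, not part of the original post: RemoteApp inventory across a
# farm using Invoke-Command (1:Many remoting) and the RDS provider.
param(
    [string]$ServerList = 'C:\Scripts\rdsh-servers.txt',        # assumed; one name per line
    [string]$Report     = 'C:\Scripts\remoteapp-inventory.csv'  # assumed
)

$servers = @(Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# The script block runs once per server; Invoke-Command tags every object
# it returns with PSComputerName, which is what the grouping below uses.
$inventory = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
                            -ErrorVariable remoteErrors -ScriptBlock {
    Import-Module RemoteDesktopServices -ErrorAction Stop
    Get-ChildItem -Path 'RDS:\RemoteApp\RemoteAppPrograms' | ForEach-Object {
        New-Object PSObject -Property @{ RemoteApp = $_.Name }
    }
}

# A server that did not answer is a finding in its own right.
foreach ($e in $remoteErrors) {
    Write-Warning ("No inventory from {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}

# Flag RemoteApps that are not published on every server that answered.
$answered = @($inventory | ForEach-Object { $_.PSComputerName } | Sort-Object -Unique)
$gaps = $inventory | Group-Object RemoteApp | ForEach-Object {
    $present = @($_.Group | ForEach-Object { $_.PSComputerName })
    $absent  = @($answered | Where-Object { $present -notcontains $_ })
    if ($absent.Count -gt 0) {
        New-Object PSObject -Property @{ RemoteApp = $_.Name; MissingOn = ($absent -join ', ') }
    }
}

$inventory | Select-Object PSComputerName, RemoteApp |
    Sort-Object PSComputerName, RemoteApp |
    Export-Csv -Path $Report -NoTypeInformation

"Inventory of $($answered.Count) of $($servers.Count) servers written to $Report"
$gaps | Format-Table RemoteApp, MissingOn -AutoSize
```

    To collect each RemoteApp's settings as well, dir the application's own container under RemoteAppPrograms inside the script block and include the Name and CurrentValue pairs in the returned object.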

    With this we conclude the first milestone of our project, i.e. installing role services using PowerShell. We also touched on some of the configuration settings.

    Next Post: Extending Remote Desktop Services via PowerShell – Part 2

  • Set Up a Shared Mailbox in Office 365

    (Post courtesy Himankini Shah)

    A shared mailbox is a mailbox that multiple users can open to read and send e-mail messages. Shared mailboxes allow a group of users to view and send e-mail from a common mailbox. They also allow users to share a common calendar, so they can schedule and view vacation time or work shifts.

    Shared mailboxes in Microsoft Office 365

    In Office 365, shared mailboxes don’t require a license. But each user who accesses a shared mailbox must have a user subscription license. Users with Exchange Online Kiosk subscriptions can’t access shared mailboxes. Also, shared mailboxes can’t be used to archive e-mail, except for the messages that are actually sent to or received from the shared mailbox.

    Create and configure a shared mailbox:

    After you create a shared mailbox, you have to assign permissions to all users who require access to the shared mailbox. Users can't sign in to the shared mailbox. They have to sign in to their own mailbox and then open the shared mailbox to which they've been assigned permissions.

    The steps for configuring shared mailboxes for Office 365 are as follows:

    Connect Windows PowerShell to the Online Services

    Once you have installed and configured Windows PowerShell v2 and Windows Remote Management (WinRM) on your computer (for more information, see Install and Configure Windows PowerShell), you have to connect the Windows PowerShell on your local computer to the cloud-based service to perform tasks in your cloud-based organization.

    When you open Windows PowerShell v2 on your computer, you're in the Windows PowerShell session of your local computer. A session is an instance of Windows PowerShell that contains all the commands that are available to you.

    The Windows PowerShell v2 session of your local computer, called the client-side session, only has the basic Windows PowerShell commands available to it. By connecting to the cloud-based service, you connect to the Microsoft datacenter's server environment, called the server-side session, which contains the commands used in the cloud-based service.

    Connect Windows PowerShell v2 on your local computer to the cloud-based service

    1. Click Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell.

    2. Run the following command:

    $LiveCred = Get-Credential


    In the Windows PowerShell Credential Request window that opens, type the credentials of an account in your cloud-based organization. When you are finished, click OK.

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

    The AllowRedirection parameter enables cloud-based organizations in datacenters all over the world to connect Windows PowerShell to the cloud-based service by using the same URL.


    Import-PSSession $Session

    A progress indicator appears that shows the importing of commands used in the cloud-based service into the client-side session of your local computer. When this process is complete, you can run these commands.

    After connecting to the online services, here's how you can create and configure a shared mailbox for the Printing Services department in the learningdesk domain.

    Create a shared mailbox: To create the shared mailbox for Printing Services and set its quotas, run the following commands:

    New-Mailbox -Name "Printing Services" -Alias print -Shared


    Set-Mailbox print -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB


    After we create a shared mailbox, we have to assign permissions to all the users who require access to it. Users can't sign in to the shared mailbox. They have to sign in to their own mailbox and then open the shared mailbox to which they have been assigned permissions.

    Create a security group for the users who need access to the shared mailbox

    In the Exchange Control Panel, create a security group for the staff who need access to the shared mailbox for Corporate Printing Services.

    1. Select My Organization > Users & Groups > Distribution Groups > New.

    2. Specify a display name, alias, and e-mail address. In this example, we'll use Printing Services Staff, printdg, and printdg@learningdesk.co.in.

    3. Select the Make this group a security group check box.

    4. In the Ownership section, click Add to add an owner, if necessary.

    5. In the Membership section, click Add.

    6. In the Select Members page, select the users you want to add. When you are finished, click OK.

    7. On the New Group page, click Save.

    After we create a security group, the membership is closed. When membership is closed, only group owners can add members to the security group, or owners have to approve requests to join the group. Additionally, only group owners can remove members from the security group.

    Assign the security group the FullAccess permission to access the shared mailbox

    To enable members of the Printing Services Staff security group to open the shared mailbox, read e-mail, and use the calendar, run the following command:

    Add-MailboxPermission "Printing Services" -User printdg -AccessRights FullAccess


    Assign the security group the SendAs permission to the shared mailbox

    To enable members of the Printing Services Staff security group to send e-mail from the shared mailbox, run the following command:

    Add-RecipientPermission "Printing Services" -Trustee printDG -AccessRights SendAs


    It may take up to an hour until users can access a new shared mailbox or until a new security group member can access a shared mailbox. Assign an Exchange Online (Plan 1) or Exchange Online (Plan 2) license to a shared mailbox if you need additional functionality.
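    The two grants and a follow-up audit as one script, an added example that is not from the original post: it applies FullAccess and SendAs to the group and then lists every explicit trustee on the shared mailbox so that access granted outside the group is visible. It assumes an imported remote PowerShell session to Exchange Online and the mailbox and group names used above; AutoMapping is an existing parameter of Add-MailboxPermission.

```powershell
# Added example, not from the original post. Assumes an imported remote PowerShell session to
# Exchange Online and the shared mailbox and security group created above.
param(
    [string]$SharedMailbox = "Printing Services",
    [string]$Group         = "printdg"
)

# FullAccess: members can open the mailbox, read mail and use the calendar. AutoMapping is
# turned off so Outlook does not silently attach the mailbox to every member's profile.
Add-MailboxPermission -Identity $SharedMailbox -User $Group -AccessRights FullAccess `
    -AutoMapping:$false -ErrorAction Stop | Out-Null

# SendAs: members can send mail that appears to come from the shared mailbox itself.
Add-RecipientPermission -Identity $SharedMailbox -Trustee $Group -AccessRights SendAs `
    -Confirm:$false -ErrorAction Stop | Out-Null

# Every identifier the group may be reported under, so the audit can recognise it.
$g = Get-Recipient -Identity $Group -ErrorAction Stop
$groupIds = @($g.Name, $g.DisplayName, $g.Alias, $g.PrimarySmtpAddress.ToString(), $g.Identity.ToString())

# Explicit (non-inherited) FullAccess entries; the mailbox's own SELF entry is noise.
$fullAccess = Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne "NT AUTHORITY\SELF" -and
                   ($_.AccessRights -contains "FullAccess") } |
    ForEach-Object { New-Object PSObject -Property @{ Trustee = $_.User.ToString(); Right = "FullAccess" } }

# SendAs entries come from a different cmdlet in Exchange Online.
$sendAs = Get-RecipientPermission -Identity $SharedMailbox -AccessRights SendAs |
    Where-Object { $_.Trustee.ToString() -ne "NT AUTHORITY\SELF" } |
    ForEach-Object { New-Object PSObject -Property @{ Trustee = $_.Trustee.ToString(); Right = "SendAs" } }

$report = @($fullAccess) + @($sendAs)
$report | Format-Table Trustee, Right -AutoSize

# Anything not attributable to the intended group is worth a second look, for example an
# individual user granted access directly, which bypasses the group owners' approval step.
$unexpected = $report | Where-Object { $groupIds -notcontains $_.Trustee }
if ($unexpected) {
    Write-Warning "Rights on '$SharedMailbox' held by principals other than '$Group':"
    $unexpected | Format-Table Trustee, Right -AutoSize
}
```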

    Thanks and Regards,

    Himankini


  • Troubleshooting Connectivity Issues with Lync 2010

    (Post courtesy Kapil Hudiya)

    To help make sure that your Lync server is running successfully with all the required features, I want to share my experience of troubleshooting Lync Server 2010 and client connectivity.

    If you have followed best practices and configured Lync 2010 according to Microsoft recommendations, it is less likely that you will run into errors. Common causes of the errors that I have encountered are network configuration steps (such as DNS and firewall rules) and other configuration steps such as certificates and integration with Exchange Servers.

    I would say 95% of the issues that I have encountered are due to improper configuration. For a quick resolution, the first and most important step is to identify the issue. So let's first see how we can identify and solve Lync client connectivity issues:

    Lync client connectivity issues, internally and externally

    If clients cannot connect to the Front End server internally, check the following:

    1) Check that the user trying to sign in is enabled in Lync Server.

    2) Go to Settings –> Tools –> Options


    Then select Advanced Connection Settings:


    • If automatic configuration is selected then we have to check DNS records.
    • If there is an IP address specified in Manual Configuration then you should check if you are able to ping.

    3) Now let’s Check DNS records:

    On the DNS server, go to Start -> Administrative Tools -> DNS -> Forward Lookup Zones -> contoso.com (your domain name) -> _tcp. See if the _sipinternaltls record has been created.

    If yes, check that it matches the following settings. If not, create a new record by right-clicking the zone -> Other New Records -> SRV.


    Domain will be Contoso.com

    The host offering this service should be pool name of Front End Server. If Director Servers are installed then the Director Server pool name should be entered.

    More details available at the following TechNet article: Determining DNS Requirements

    4) The last option you have to check is Certificates.

    Install the Root certificate of the internal CA in trusted root certificate of the computer.

    Open Internet Explorer -> in address bar enter Internal CA FQDN followed by /certsrv.

    Example: DC1.contoso.com/certsrv.

    a) Under select task: Download CA certificate, certificate chain, or CRL.

    b) Download CA certificate chain, save the file on desktop.

    c) Now go to Start -> Run, type MMC, and under File -> Add/Remove Snap-in select Certificates, click Add, choose Computer account, click Next and then Finish. Then click OK to close the window.

    d) Under Console 1 -> Expand Certificates ->Trusted root certificate -> certificate -> right click on certificate-> All Task and then click Import.

    e) On Certificate Import Wizard, select next, under File name select Browse and select the Root certificate, then next, In certificate store select next, then Finish.

    If clients cannot connect to the Lync Edge server externally (remote connectivity), check the following:

    1) Follow first and second steps mentioned above.

    2) Now let’s Check public DNS records and network configuration:

    a. _sip._tls.contoso.com

    b. A record for the Access Edge server.


    http://technet.microsoft.com/en-us/library/gg412787.aspx

    3) Let’s Check the topology Builder:


    4) Certificates:

    Check if the public Certificate common name is same as access edge server name published in Public DNS.

    Without Hardware Load balancer:

    http://technet.microsoft.com/en-us/library/gg398519.aspx

    5) Firewall ports: check that the required firewall ports are open using the Port Query tool (http://support.microsoft.com/kb/310099)


    6) A few more steps …..

    a. On Lync Front End, Check the SQL (CMS) replication status by using the following Lync PowerShell cmdlet:

    get-csmanagementstorereplicationstatus

    The UpToDate value should be True. If not, ports are blocked or there are other Lync Edge Server deployment issues.

    b. Make sure the user is allowed remote access by the remote access policy.

    7) Now check with the Remote Connectivity Analyzer at https://www.testocsconnectivity.com/ to verify if you get Green\
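    The DNS, port and certificate checks from steps 2 to 5 above as one script, added here and not part of the original post. It assumes Resolve-DnsName (Windows 8 / Windows Server 2012 or later) and uses contoso.com from the post plus a placeholder Access Edge name, sip.contoso.com, as the fallback when the SRV record is missing.

```powershell
# Added example, not from the original post. Requires the DnsClient module (Resolve-DnsName).
param(
    [string]$SipDomain  = "contoso.com",      # SIP domain used in the post
    [string]$AccessEdge = "sip.contoso.com"   # placeholder public name of the Access Edge server
)

# Resolve an SRV record and return only the SRV answers (Resolve-DnsName also returns glue A records).
function Get-SrvTargets {
    param([string]$Name)
    try { Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq "SRV" } }
    catch { Write-Warning "SRV lookup failed for ${Name}: $_" }
}

# TCP reachability with a timeout, the scripted equivalent of the Port Query step.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Fetch the server certificate over TLS. Chain validation is bypassed on purpose here so the
# certificate can be inspected even when it is wrong; its name is compared explicitly below.
function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Names a certificate is valid for: the subject CN plus every DNS entry of the SAN extension
# (OID 2.5.29.17). Wildcard names are not expanded; the comparison below is exact.
function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] }) }
    $names | Select-Object -Unique
}

# Internal (step 3): _sipinternaltls._tcp must point at the Front End or Director pool on 5061.
foreach ($r in @(Get-SrvTargets "_sipinternaltls._tcp.$SipDomain")) {
    "internal SRV -> {0}:{1}  port 5061 ok={2}" -f $r.NameTarget, $r.Port, ($r.Port -eq 5061)
}

# External (step 2): _sip._tls must point at the Access Edge service on 443.
$edge = @(Get-SrvTargets "_sip._tls.$SipDomain")
$edgeName = if ($edge) { $edge[0].NameTarget } else { $AccessEdge }
foreach ($r in $edge) { "external SRV -> {0}:{1}  port 443 ok={2}" -f $r.NameTarget, $r.Port, ($r.Port -eq 443) }

# Steps 4 and 5: the Access Edge name must resolve and answer on 443, and the certificate it
# presents must carry that same name, otherwise remote clients refuse the connection.
if (Test-TcpPort -HostName $edgeName -Port 443) {
    $cert  = Get-TlsCertificate -HostName $edgeName
    $names = Get-CertificateNames $cert
    "certificate names : {0}" -f ($names -join ", ")
    "matches {0} : {1}" -f $edgeName, ($names -contains $edgeName)
    "expires           : {0}" -f $cert.NotAfter
} else {
    Write-Warning "TCP 443 to $edgeName failed: check the public A record and the firewall rules."
}
```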

  • Extending Remote Desktop Services via PowerShell – Part 2

    (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

    Previous Post: Extending Remote Desktop Services via PowerShell – Part 1

    Configuring Remote Desktop Session Host Server using RDS Provider for PowerShell

    If you have installed the RD Session Host Role via PowerShell, the first thing you will note is that the RD Session Host Server is set to “Don’t allow connections to this computer” and the Remote Desktop Users Group is empty.


    To allow connections, we will browse to the SessionSettings Container and set the value of AllowConnections to 1.

    Dir .\AllowConnections | fl *

    Set-Item .\AllowConnections 1


    Having set the value of AllowConnections to 1, we can verify that the RDS server now accepts connections by going to the Remote properties of the RD Session Host server.


    Awesome, it worked. But it is using a less secure way to allow connections. In other words, it is not using Network Level Authentication.

    To enable the NLA, we will have to browse to the path RDS:\RDSConfiguration\Connections\RDP-Tcp\SecuritySettings and set the value of the UserAuthenticationRequired to 1 as shown in the screenshot below.

    Set-Item .\UserAuthenticationRequired 1

    If you are wondering where I got this path, it is all about browsing each directory and reading the help with dir <setting name> | format-list *

    There are so many settings in Remote Desktop Services that it made sense not to create a cmdlet for each one. Instead they are exposed via the RDS Provider, and you simply use Get-Item or Set-Item to retrieve and configure settings.


    When we open the Remote properties of the RD Session Host server, we see that it has now been configured to use NLA.


    So we set up the RD Session Host server to accept connections using NLA. Now, let’s populate our Remote Desktop Users Group.

    To add users to the Remote Desktop Users group, we will use the Microsoft.TerminalServices.PSEngine.UserGroupHelper type. To view a list of its static members, I piped the type to Get-Member (alias gm) and used the -Static parameter.

    [Microsoft.TerminalServices.PSEngine.UserGroupHelper] | gm -Static


    As verified earlier via the GUI and now with PowerShell below, the Remote Desktop Users group is empty.

    [Microsoft.TerminalServices.PSEngine.UserGroupHelper]::ListMembers("Remote Desktop Users")


    But if we use the same type to list the members of the Administrators group, which obviously contains Domain Admins and the Administrator account, we do get results, as shown below.


    Pay close attention to the syntax in which Administrator (a user account) and Domain Admins (a group) have been returned.

    So if we need to add a group, say Domain Users, to the Remote Desktop Users group, the input should be given as Domain Users@POWERSHELL.

    We will now use the AddMembers method to add Domain Users to the Remote Desktop Users group.

    [Microsoft.TerminalServices.PSEngine.UserGroupHelper]::AddMembers("Remote Desktop Users", "Domain Users@POWERSHELL")


    Configuring Certificates for our RD Session Host Server:

    To assign a SAN certificate to my RD Session Host Server, we will first need to obtain the thumbprint of the Certificate.


    You can get this information either by accessing the Details tab of the Certificate or via PowerShell itself. Browse to the Cert: PS Drive as shown below:

    Dir -Path Cert:\LocalMachine\My


    Copy the thumbprint and provide it as input to the command shown below.


    Let’s verify via the GUI.


    To digitally sign our RemoteApp Servers, we will assign the same SAN certificate to the RemoteApp Configuration.

    Browse to the DigitalSignatureSettings container and first set the value of HasCertificate to 1 and then it will prompt you for the certificate thumbprint as shown below:


    Check the RemoteApp Manager and refresh it if required. It should have the Digital Signature Settings use the SAN certificate we just assigned.


    While we are on RemoteApps, let's quickly populate our TS Web Access Computers group with the name of our FUJI server, which is playing the role of the RD Web Access server.

    To do that, we will connect to the WebAccessComputers container (RDS:\RemoteApp\WebAccessComputers) and use the New-Item command to add the computer FUJI, as given below.

    New-Item -Name FUJI@POWERSHELL

    The following command will work from any location within PowerShell.

    New-Item -Path RDS:\RemoteApp\WebAccessComputers -Name FUJI@POWERSHELL


    Configuring IP Virtualization:

    To configure IP virtualization, we will first set the value of VirtualIPActive to 1 and then set the value of VirtualIPMode to 1, which means Per Program.

    Set-Item .\VirtualIPActive 1

    Set-Item .\VirtualIPMode 1


    Again, remember the golden rule: to see what 1 or 0 means, refer to the help by using the dir <setting name> | format-list * command.


    To add a program to the list, we will use the New-Item command as shown below.

    New-Item -Name Notepad


    Installing RemoteApps:

    To add a program to the RemoteApp program list, use the following command. In the example below, we add the Notepad application and set it not to use any command-line arguments.

    New-Item -Path RDS:\RemoteApp\RemoteAppPrograms -Name "Notepad" -ApplicationPath "C:\Windows\System32\Notepad.exe" -CommandLineSetting 0


    You can further drill down into the Notepad container to assign users to the Notepad application.


    In this way, you configure every setting that is available on the RD Session Host Server by using the RDS Provider for PowerShell.
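    The provider operations above collected into one apply-and-verify script, an added example rather than the post's own code: it enables connections with NLA, reads the settings back, cross-checks NLA through WMI, audits the Remote Desktop Users group for broad principals such as the Domain Users example above, and picks a listener certificate from Cert:\LocalMachine\My. It assumes the RemoteDesktopServices module of Windows Server 2008 R2; the full path RDS:\RDSConfiguration\SessionSettings\AllowConnections (the post names only the container), the MinEncryptionLevel item and the CurrentValue property are assumptions.

```powershell
# Added example, not the post's own code. Assumes the RemoteDesktopServices module (Windows
# Server 2008 R2). Items marked "assumed" are not named in the post.
Import-Module RemoteDesktopServices

$allowPath = "RDS:\RDSConfiguration\SessionSettings\AllowConnections"          # full path assumed
$secPath   = "RDS:\RDSConfiguration\Connections\RDP-Tcp\SecuritySettings"    # path from the post

# 1. Allow connections, but only with Network Level Authentication (authenticate before a
#    session is created, which shrinks the attack surface exposed to unauthenticated clients).
Set-Item -Path $allowPath -Value 1
Set-Item -Path "$secPath\UserAuthenticationRequired" -Value 1

# 2. Read the values back. The provider reports each setting as an item whose current
#    value is in CurrentValue (assumed property name; see dir <setting> | format-list *).
$allow = (Get-Item $allowPath).CurrentValue
$nla   = (Get-Item "$secPath\UserAuthenticationRequired").CurrentValue
$enc   = (Get-Item "$secPath\MinEncryptionLevel").CurrentValue                 # item name assumed
"AllowConnections={0}  UserAuthenticationRequired={1}  MinEncryptionLevel={2}" -f $allow, $nla, $enc
if ($nla -ne 1) { Write-Warning "NLA is off: clients get a logon screen before they are authenticated." }

# 3. Cross-check NLA through WMI, independently of the provider.
$ts = Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
"WMI reports UserAuthenticationRequired={0}" -f $ts.UserAuthenticationRequired

# 4. Audit Remote Desktop Users. Entries come back as Name@DOMAIN, as the post shows;
#    broad groups hand RDP logon to every account in the domain.
$helper  = [Microsoft.TerminalServices.PSEngine.UserGroupHelper]
$members = @($helper::ListMembers("Remote Desktop Users"))
"Remote Desktop Users: " + ($members -join ", ")
$broad = $members | Where-Object { $_ -match '^(Domain Users|Everyone|Authenticated Users|Users)@' }
if ($broad) { Write-Warning ("Broad groups grant RDP logon: " + ($broad -join ", ") + ". Prefer a dedicated group.") }

# 5. Find a certificate suitable for the listener: private key present, not expired,
#    Server Authentication EKU. Its thumbprint is what the provider asks for.
$serverAuth = "1.3.6.1.5.5.7.3.1"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $serverAuth) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) { "Candidate listener certificate: {0} ({1}) expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter }
else { Write-Warning "No server-authentication certificate with a private key in Cert:\LocalMachine\My." }
```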

    Offline, I will install the RD Session Host Role on another server, FUJI, which also has the RD Web Access Role. Ideally we would separate out the workloads but since I have just a few VMs to play around with, we would use FUJI as our second RD Session Host Server.

    Also note that the RD Web Access Role does not install the PowerShell Module for Remote Desktop Services which is quite obvious because in a typical environment there are only few instances of the Web Access role and it has just one time configuration involved.

    Next Post: Extending Remote Desktop Services via PowerShell – Part 3

  • Integration of System Center Configuration Manager and App-V (part 1)

    (Post courtesy of Yashkumar Tolia. Steps below are from the Virtual Application Management with Microsoft Application Virtualization 4.5/4.6 and System Center Configuration Manager 2007 R2 White Paper)

    Application Virtualization is an important component of the virtualization stack. An important and vital ingredient in the Virtual Desktop Infrastructure cuisine, it separates the application from the Operating System. Configuration Manager, on the other hand, is widely used for patching, updating and managing an entire IT infrastructure. Integrating the two technologies lets you manage virtualized applications from Configuration Manager and rapidly deploy the App-V client with it.

    Overview of Configuration Manager and App-V Integration

    Configuration Manager includes capabilities to integrate with App-V out of the box. Configuration Manager uses only publicly documented interfaces to interact with the App-V Client software. All integration is implemented with the following methods:

    • Configuration Manager uses the App-V Client's enhanced SFTMIME command line interface to manage virtual application publishing and delivery to the App-V Client cache.
    • Configuration Manager uses the App-V Client’s new OverrideURL registry value to direct the App-V Client to retrieve application packages from a specific Distribution Point server.
    • Configuration Manager uses the App-V Client’s SFTTRAY command line interface to launch virtual applications.
    • Configuration Manager uses the App-V Client's Windows Management Instrumentation (WMI) provider to query and report on the status of virtual applications that reside in the App-V Client cache.
    • Standard Configuration Manager metering rules and reports must be manually configured in Configuration Manager to track virtual application usage.

    App-V integration with Configuration Manager is streamlined because Configuration Manager is simply automating tasks that can be done with App-V. Organizations with Configuration Manager already in place, or those in the process of implementing it, can run one infrastructure as a seamless, scalable solution to deliver, report on, and manage the application lifecycle from one console.

    Configuration Manager and App-V Infrastructure Overview

    Configuration Manager and App-V can be integrated to provide a comprehensive deployment and update service for virtual applications. With Configuration Manager, the typical App-V infrastructure is reduced to the App-V Sequencer and Client. Configuration Manager takes the place of the publishing and streaming components in a typical App-V full infrastructure. The following figure illustrates the minimal Configuration Manager and App-V processes and components required to manage virtual applications with Configuration Manager. The App-V Sequencer produces packages that can be distributed via a Configuration Manager infrastructure to the App-V Clients. This eliminates the need for two separate infrastructures to support application deployment. Configuration Manager can be used to deploy both traditional and virtual applications.


    Figure 1 – Configuration Manager and App-V Infrastructure

    Publishing virtual applications using Configuration Manager requires a simple process to be followed. The following section describes the virtualization (using App-V) and distribution (using Configuration Manager) process.

    Process

    At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published using Configuration Manager Advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure.

    Sequencing – The process of taking a physical application and turning it into a virtual application. Configuration Manager requires sequencing applications with an App-V 4.5 or newer Sequencer to create the necessary files for publishing and delivery (Manifest.xml file).

    Publishing – The process of provisioning virtual applications to users or computers in Configuration Manager. Configuration Manager utilizes the Site Server components for publishing applications. This process will present the application to the computer before the application assets have been delivered.

    Delivery – The process of moving the virtual application assets to the client computers. This is normally referred to as “streaming” in an App-V full infrastructure. Configuration Manager provides two options for delivery of virtual applications (“Streaming” and “Download and Execute”).

    Components

    Managing virtual applications with Configuration Manager requires an App-V Sequencer for creating packages, a Configuration Manager Site Server, Configuration Manager Distribution Point(s) for delivery of the packages, and Configuration Manager client computers with the App-V Client installed. The following minimum components are required to support App-V in a Configuration Manager infrastructure.

    Microsoft App-V Sequencer – The App-V Sequencer ‘program’ is used to package virtual applications for deployment with Configuration Manager.

    Configuration Manager Site Server – A part of the Configuration Manager Site hierarchy, the Configuration Manager Site Server manages virtual application distribution through Configuration Manager Distribution Points to target systems, either as a streaming service, or as a locally delivered package.

    Configuration Manager Distribution Point (Distribution Point) – Configuration Manager Distribution Point site roles provide management services such as hardware and software inventory, operating system deployment, and software updates, as well as software distribution of both physical and virtual applications, to Configuration Manager target systems (often referred to as ‘clients’).

    Configuration Manager / App-V Clients – Client devices include desktop/laptop PCs, terminal servers and Virtual Desktop Infrastructure (VDI) clients. Configuration Manager Clients that receive delivery of virtual applications from a Configuration Manager infrastructure require both the Configuration Manager Advanced Client and the App-V Client software to be installed and configured. The Configuration Manager and App-V Client software work together to deliver, interpret and launch virtual application packages. The Configuration Manager Client manages the delivery of virtual application packages to the App-V Client. The App-V Client executes the virtual application on the client PC.

    Next Post: Integration of System Center Configuration Manager and App-V (part 2)

  • How to Install the Configuration Manager 2012 Primary site

    (Post courtesy Anil Malekani)

    Previous Post: How to Install the Configuration Manager 2012 Central Administration Site

    On the primary site server, again make sure you have following components available.

    1. Make sure you have x64 Windows server 2008 Operating System

    2. Install supported version of SQL server 2008 (for Configuration Manager 2012 RC you must have SQL 2008 SP2 with CU6)

    3. Extend the Active Directory Schema with Schema Administrator's rights ( <CM2012RCMedia>\SMSSETUP\BIN\I386\extadsch.exe)

    4. Install .Net Framework 4.0

    5. Add IIS as a role, with WebDAV, Remote Differential Compression, ASP.Net, ASP

    6. Under Features, add BITS

    7. If you do not have an internet connection on the Configuration Manager server, make sure you have the Configuration Manager updates downloaded from the link highlighted below on the first screen of setup.

    Installing the Configuration Manager 2012 Primary site

    1. Double click on Splash.hta from the CM 2012 install media

    2. Click Install once you have all prerequisites in place.

    3. Select Install a Configuration Manager Primary Site and hit Next


    4. Point to the available updates for CM 2012 downloaded previously, or download them again.


    5. Provide Site Code, Site Name and Installation folder location on local disk.


    6. Select to join the site to an existing hierarchy. Provide the CAS site server name.


    7. Provide SQL database information


    8. Select the client communication settings. Go with the second option unless you have all certificate requirements in place.


    9. Select to install MP and DP in HTTP mode

    10. Follow the rest of the wizard and you are done :)


  • How to Install the Configuration Manager 2012 Central Administration Site

    (Post courtesy Anil Malekani)

    When I recently had to install Configuration Manager 2012 RC in my lab setup, I thought of capturing screenshots. I installed a Central Administration Site and a Primary site attached to it.

    To follow along, download the System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection Release Candidates

    Here is a high level overview of all steps involved:

    1. Make sure you have x64 Windows server 2008 Operating System

    2. Install supported version of SQL server 2008 (for Configuration Manager 2012 RC you must have SQL Server 2008 SP2 with CU6)

    3. Extend AD Schema with Schema Administrator's rights ( <CM2012RCMedia>\SMSSETUP\BIN\I386\extadsch.exe)

    4. Install .Net Framework 4.0

    5. Add IIS as a role, with WebDAV, Remote Differential Compression, ASP.Net, ASP

    6. Under Features, add BITS

    7. If you do not have an internet connection on the SCCM server, make sure you have the SCCM updates downloaded from the link highlighted below on the first screen of setup.

    8. Install Central Administration Site with steps listed below

    9. Install Primary site with Steps listed below
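    A prerequisite check for the list above (and for the identical list in the Primary site post), added here and not part of either post. It assumes the ServerManager module of Windows Server 2008 R2 and the documented location of the schema-extension log, ExtADSch.log in the root of the system drive; the success string searched for in that log is an assumption, and the SQL Server build is displayed rather than checked against the SP2 CU6 number.

```powershell
# Added example, not from the post: checks the Configuration Manager 2012 RC prerequisites
# listed above on Windows Server 2008 R2. Feature names follow the ServerManager module.
Import-Module ServerManager

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = "") {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Ok; Detail = $Detail }
}

# 1. x64 Windows Server 2008 (R2)
$os = Get-WmiObject Win32_OperatingSystem
Add-Check "x64 Windows Server 2008" (($os.OSArchitecture -like "64*") -and ($os.Caption -match "Server 2008")) $os.Caption

# 2. SQL Server 2008 present; the installed build is shown so SP2 CU6 can be confirmed by eye.
$sqlKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
$sqlDetail = ""
if (Test-Path $sqlKey) {
    $instances = (Get-ItemProperty $sqlKey).PSObject.Properties | Where-Object { $_.Name -notlike "PS*" }
    foreach ($i in $instances) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($i.Value)\Setup"
        $sqlDetail += "$($i.Name)=$($setup.Version) "
    }
}
Add-Check "SQL Server 2008 installed" ($sqlDetail -match "=10\.") $sqlDetail

# 3. Active Directory schema extended: extadsch.exe writes ExtADSch.log to the system drive root.
#    The success line searched for is assumed; read the log if the check fails.
$log = Join-Path $env:SystemDrive "ExtADSch.log"
$schemaOk = (Test-Path $log) -and [bool](Select-String -Path $log -Pattern "Successfully extended" -Quiet)
Add-Check "AD schema extended" $schemaOk $log

# 4. .NET Framework 4.0 (Full profile)
$net4 = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
Add-Check ".NET Framework 4.0" ((Test-Path $net4) -and ((Get-ItemProperty $net4).Install -eq 1))

# 5 and 6. IIS with WebDAV, Remote Differential Compression, ASP.NET and ASP; BITS feature.
foreach ($f in "Web-Server", "Web-DAV-Publishing", "RDC", "Web-Asp-Net", "Web-ASP", "BITS") {
    $feat = Get-WindowsFeature -Name $f
    Add-Check "Feature $f" ([bool]$feat.Installed)
}

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning "One or more prerequisites are missing; fix them before running Setup."
}
```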


    Installing Central Administration Site

    1. Double click on Splash.hta from the CM 2012 install media

    2. Click Install once you have all prerequisites in place.

    3. Select "Install a Configuration Manager Central Administration Site"


    4. Accept the terms and conditions (I hope you go through all the terms and conditions :) ...)

    5. Download Updates to a location or if you have already downloaded, point wizard to that location


    6. Select the language


    7. Select Client Language


    8. Provide Site Code, Site Name and Installation Folder location on local drive


    9. Provide SQL Database information (Make note of the SQL Server Service Broker at the bottom )

    10. Follow the rest of the wizard and Complete the installation

    11. If any prerequisite is missing, SCCM will inform you before it starts the installation. Fix all prerequisites and proceed.


    The next post will discuss how to install the Configuration Manager 2012 Primary Site.

  • Plan for your upgrade/migration to Office 365 with the Microsoft Assessment and Planning Toolkit 6.5

    As Steve Ballmer regularly reminds us, we are “all in” with the cloud here at Microsoft.  On the Partner Services team, we regularly assist our Partners with migrating their customers to the cloud, whether it is e-mail to Office 365, managing clients with Windows Intune, or moving applications to Windows Azure.

    In order to successfully plan for these transitions, it is important to assess your current environment. What software is currently in use? Is it compatible with Office 365? Do I have databases that could be consolidated or migrated? Can we upgrade to Windows 7 and Internet Explorer 9?

    Fortunately, the Solution Accelerators team has just released an update to their excellent Microsoft Assessment and Planning Toolkit.  MAP is an agentless inventory, assessment, and reporting tool that can securely assess IT environments for various platform migrations—including Windows 7, Office 2010 and 365, Windows Server 2008 R2, Hyper-V, Windows Azure, and Microsoft Private Cloud.  The announcement and features follow, but make sure to visit and bookmark the Microsoft Assessment and Planning (MAP) Toolkit page on TechNet.

    Download these resources to get you started with the MAP Toolkit:

    Simplify your cloud migration planning with MAP 6.5

    We are pleased to announce that the next version of the Microsoft Assessment and Planning (MAP) Toolkit—version 6.5—is now available for download.

    · Download MAP 6.5

    The journey to the cloud is now smoother than ever with the Microsoft Assessment and Planning (MAP) Toolkit 6.5. The MAP Toolkit’s new capabilities help users to securely assess heterogeneous IT environments while enabling the evaluation of workloads for migration to Microsoft’s private and public cloud platforms. Consolidate existing server workloads using the updated Microsoft Private Cloud Fast Track capacity planning feature. The Database Consolidation Appliance Assessment allows you to simplify SQL Server migration planning for the private cloud. The revamped Azure Migration capability in MAP 6.5 provides more in-depth analysis of the suitability of migrating on-premises applications to the Windows Azure™ platform. Other significant new features in MAP 6.5 include the discovery of active Windows® devices, Software Usage Tracking for Forefront® Endpoint Protection (FEP), and the discovery of Oracle instances on Itanium-based servers with HP-UX to assist in the planning of migration to SQL Server®.

    Key features and benefits of MAP 6.5 help you:

    • Accelerate private and public cloud planning with Microsoft Private Cloud Fast Track Onboarding
    • Simplify SQL Server migration planning for the private cloud through the Database Consolidation Appliance
    • Analyze your portfolio of applications for a move to the Windows Azure platform
    • Identify migration opportunities with enhanced heterogeneous server environment inventory
    • Assess your usage of Microsoft software with the Software Usage Tracking feature, now updated with Forefront Endpoint Protection (FEP)
    • Discover Oracle instances on Itanium-based servers for migration to SQL Server

    MAP works with the Microsoft Deployment Toolkit and Security Compliance Manager to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. Learn more.

    Next steps:

    Get the latest tips from Microsoft Solution Accelerators—in 140 characters or less! Follow us on Twitter: @MSSolutionAccel.

    MAP 6.5 - New Features & Benefits

    Accelerate planning for the private cloud with Microsoft Private Cloud Fast Track Onboarding.

    Planning your private cloud just got easier. Microsoft Private Cloud Fast Track Onboarding, an updated assessment available with MAP 6.5, provides consolidation guidance and validated configurations with preconfigured Microsoft Private Cloud Fast Track Infrastructures including computing power, network, and storage architectures. The updated feature provides more flexibility in planning private cloud migration by allowing users to customize computing power and shared resources to accommodate workloads. Get a quick analysis of server consolidation on Microsoft Private Cloud Fast Track Infrastructures to help accelerate your planning of P2V migration to Microsoft Private Cloud Fast Track.

    Identify migration opportunities with heterogeneous server environment inventory.

    MAP has expanded its heterogeneous server environment inventory to include VMware Server, VMware vSphere and VMware vCenter. Inventory and reporting on the number of servers and guests deployed and managed by VMware infrastructure helps you identify migration opportunities and accelerates the migration planning process. SQL Server, SharePoint Server and Exchange Server run better on Hyper-V, and MAP 6.5 has the capability of identifying Microsoft workloads deployed on VMware guests.

    Simplify consolidation of SQL Server to the Database Consolidation Appliance

    MAP 6.5 simplifies SQL Server consolidation planning and provides recommendations for migration to Database Consolidation Appliance. Using MAP, you can measure the current database workloads, estimate the capacity required for migrating to Database Consolidation Appliance, and take the next steps in the process. The Database Consolidation Appliance provides better agility through a fully elastic database infrastructure and allows you to consolidate thousands of SQL Server instances into a single appliance, resulting in exceptional operational cost savings.

    Discover Oracle instances on Itanium-based servers for migration to SQL Server.

    MAP 6.5 adds to the heterogeneous database inventory and reporting capability with the discovery of Oracle instances on Itanium-based servers with HP-UX. The MAP Toolkit can help determine total cost of ownership for maintaining Oracle and the potential return on investment (ROI) from switching to SQL Server. MAP also allows users to discover, plan, and migrate to SQL Server. Along with reporting of the size and use of each schema, MAP provides an estimate of the complexity of migration and suggests candidates for migration to SQL Server. This heterogeneous database inventory and reporting capability will help you accelerate migration to SQL Server from MySQL, Oracle, and Sybase databases.

    Assess your software usage and evaluate your licensing needs.

    The enhanced Software Usage Tracking feature in MAP 6.5 simplifies your software license management and compliance process in terms of product coverage and the ability to track devices. The Forefront Endpoint Protection (FEP) scenario measures server and client usage for the FEP product, a recent addition to the Microsoft Core Client Access License (CAL) Suite. Active Devices is a new inventory scenario that allows organizations to report Windows devices that are active on the network. This information is useful in Enterprise Agreement scenarios as well as for maintaining Active Directory information for the environment. This strengthened tracking feature provides consistent software usage reports for key Microsoft server products: Forefront Endpoint Protection, Windows Server, SharePoint Server, System Center Configuration Manager, Exchange Server, and SQL Server. Run updated reports whenever you need to accurately assess current software usage and client access history in your environment. This reduces time and administrative costs for managing your server and CALs and helps you to streamline the management of your software assets.

    Accelerate planning and migration with new UI and usability updates in MAP 6.5.

    MAP 6.5 offers an improved user interface (UI) and usability updates to accelerate your planning needs. The improved MAP scenario interface simplifies the assessment and planning process as users can clearly identify the sequence of next steps they must perform.

    Assess your client environment for Office 365 readiness.

    MAP 6.5 helps make your planning process easier and faster for business productivity solutions. MAP 6.5 includes an Office 365 client assessment that evaluates the compatibility of the Office suite software deployed in your environment. This assessment helps you quickly pinpoint the clients ready for upgrade to Office 365. The tool obtains machine-level details to determine the upgrade readiness and quickly identifies the compatibility of current Office suite software installed with Office 365.

    Determine readiness for migration to Windows 7 and Windows Internet Explorer 9.

    Simplify your organization's migration to Windows 7 and Windows Internet Explorer 9 with MAP 6.5. The MAP Internet Explorer migration assessment—now updated for Internet Explorer 9 migration—inventories your environment and reports on deployed web browsers, Microsoft ActiveX controls, and add-ons, and then generates a migration assessment report and proposal for easier migration to Windows 7 and Internet Explorer 9.

    Solution Accelerators background information

    The Microsoft Assessment and Planning Toolkit, Microsoft Deployment Toolkit, and Security Compliance Manager provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. All are freely available, and fully-supported by Microsoft.

    Planning your migration to new Microsoft technologies

    Use the Microsoft Assessment and Planning Toolkit to inventory your IT environment and assess your hardware readiness for migration to Windows 7, Windows Server 2008 R2, Hyper-V, Microsoft Private Cloud Fast Track, Windows Azure and Microsoft Office 2010 and 365—in just a few hours. MAP automatically generates detailed reports on hardware, device, and application compatibility—information you can immediately put to work in your migration plans.

    Securely Deploying and Managing new Microsoft technologies

    The Microsoft Deployment Toolkit and the Security Compliance Manager are the essential toolset to automate your desktop and server deployment of new Microsoft technologies. Using MDT and SCM, you can significantly reduce the costs and time to securely deploy and manage Windows 7, Windows Server 2008 R2, Hyper-V, and Microsoft Office 2010 across your organization.

    MAP 6.5 enhanced user interface (UI) (screenshots)

  • Configuration Manager 2012 RC: What's new in Software Update Management?

    (Post courtesy Anil Malekani)

    Configuration Manager 2012 introduces a lot of changes in update deployment procedures. Most of the changes are about the "how" of update deployment, but there are some new concepts too.

    In this post I'll talk about some of the changes in these areas:

    • Configuration of Software Updates components
    • Deployment of software updates to endpoints
    • Monitoring and tracking deployment status

    Configuration of Software Updates Components

    1. Software Update Point

    a. If you have a Central Administration site in your design, you'll first need to have the Software Updates Management Site role installed on your Central Administration Site (CAS) server before you install this role on any other primary site server. The CAS Software update point will work as the upstream server for all updates and all primary sites.

    b. If you have a single primary site server, you can install the software update point on that same server.

    2. The Software Update Point configuration option is now found under Sites: select Configure Site Components on the ribbon, or right-click the site server.

    3. Supersedence Rules - let you control when a superseded update is expired, so that the change is reflected in your SCCM compliance reports.

    a. You can now opt to immediately expire a superseded software update

    b. OR expire a superseded update after a specified time


    4. Under Client Settings, Software Updates, you'll now see an additional option to install all updates whose deadline falls within a specified future time period. This option saves you from multiple restarts on computers.

    Software Update Deployment

    1. Filter Updates - The same concept as search folders: you can easily add criteria from the drop-down list, save the search criteria under a name and reuse it next time. Very helpful for your monthly deployments to different categories of machines.

    2. Software Update Groups - The same concept as update lists, but a group also carries its deployments, which saves you from going to another folder to manage deployment.

    3. Automatic Deployment Rules - This is what most SMB customers were looking for. Now you can automate your monthly patch deployments for workstations (or even servers) as well as Forefront Endpoint Antivirus definition updates. You can also run a rule manually by right-clicking it and selecting "Run now".

    4. More controls for end users in Software Center.

    Monitoring and tracking deployment status

    Alerts and Deployment status summary - In-console alerts save you from switching between the console and SCCM reports to track compliance data.

    Click on the View Status hyperlink and you'll get a detailed status summary.

    Finally, you can also view and control alerts from the console.

  • Extending Remote Desktop Services using PowerShell – Part 5

    (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

    Previous Post: Extending Remote Desktop Services via PowerShell – Part 4

    Configuring Remote Desktop Gateway

    Now that we have our RDS Farm setup, let’s extend our RDS Farm over the internet by configuring the RD Gateway Role Service.

    We will use our PYRAMID Server as our RD Gateway Server.

    Using Add-WindowsFeature, we will install the RD-Gateway Role Service:

    Add-WindowsFeature -Name RDS-Gateway -IncludeAllSubFeature

    Now that we have the RD Gateway role installed, it's time to configure it using PowerShell. Start by importing the RemoteDesktopServices module and then navigating to the RDS: PS drive.

    As you can see in the screenshot above, there are many settings you can configure via the GatewayServer container. In this blog post, I am going to concentrate on a few important ones.

    Creating a Connection Authorization Policy (CAP)

    An RD CAP has the following configuration settings:

    Let’s take a quick look at two of the mandatory properties, AuthMethod and UserGroups.

    Alright, based on the description and information given above, let’s quickly create a CAP which uses password authentication and grants Domain Users access to connect to the RD Gateway server.

    You can then further drill down and configure additional settings by navigating to the TestCAP Container.

    Creating a RAP (Resource Authorization Policy)

    A RAP has the following configuration settings:

    We will take a closer look at the ComputerGroupType setting.

    Based on the above information, let’s create a RAP using PowerShell.

    You can further drill down on the DemoRAP container to configure additional settings.
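    The CAP and RAP steps above are shown only as screenshots. The script below is an added example and is not the post's own code: it creates the same two policies from the RDS: drive in one pass and adds a second, group-restricted RAP. The domain NetBIOS name POWERSHELL, the group and policy names are lab values from this series; the numeric AuthMethod and ComputerGroupType values follow the descriptions the provider prints for those settings (password = 1, any network resource = 2, Active Directory group = 1), and the -ComputerGroup parameter name is an assumption, so confirm both against Get-Item output on your own gateway before relying on them.

```powershell
# Added example (not from the original post): create an RD CAP and RD RAPs on the RDS: drive.
# POWERSHELL, the group names and the policy names are lab values; the numeric setting
# values and the -ComputerGroup parameter name are assumptions documented in the lead-in.
Import-Module RemoteDesktopServices
Set-Location RDS:\GatewayServer

$userGroup = 'Domain Users@POWERSHELL'

# Connection Authorization Policy: who may connect to the gateway and how they prove it.
# AuthMethod 1 = password only (assumed mapping; 2 = smart card, 3 = either).
New-Item -Path .\CAP -Name TestCAP -UserGroups $userGroup -AuthMethod 1

# Resource Authorization Policy: which internal computers those users may reach.
# ComputerGroupType 2 = any network resource, which is what the post's DemoRAP allows.
New-Item -Path .\RAP -Name DemoRAP -UserGroups $userGroup -ComputerGroupType 2

# Limiting the reachable hosts is the better default for a production gateway:
# type 1 restricts the RAP to members of an Active Directory group. The -ComputerGroup
# parameter name and the group 'RDS Servers@POWERSHELL' are assumptions for this example.
New-Item -Path .\RAP -Name SessionHostsRAP -UserGroups $userGroup -ComputerGroupType 1 `
    -ComputerGroup 'RDS Servers@POWERSHELL'

# Each policy is a container; its items are the settings you can drill into further.
Get-ChildItem .\CAP\TestCAP
Get-ChildItem .\RAP\DemoRAP, .\RAP\SessionHostsRAP
```

    Run it in an elevated PowerShell session on the RD Gateway server. Because both a CAP and at least one RAP must match before the gateway relays a connection, the order of creation does not matter, but keeping the "any resource" RAP for lab use only and relying on the group-restricted RAP in production keeps the set of reachable hosts explicit.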

    Next Post: Extending Remote Desktop Services using PowerShell – Part 6

  • Integration of System Center Configuration Manager and App-V (part 2)

    (Post courtesy of Yashkumar Tolia. Steps below are from the Virtual Application Management with Microsoft Application Virtualization 4.5/4.6 and System Center Configuration Manager 2007 R2 White Paper)

    Previous Post: Integration of System Center Configuration Manager and App-V (part 1)

    How to Perform Common Virtual Application Management Tasks with Configuration Manager

    App-V integrates seamlessly with System Center Configuration Manager workflows, enabling IT administrators to manage physical and virtual applications through a single management experience. IT administrators can follow known processes and workflow for delivering virtual applications to end users. This reduces the learning curve and enables IT to deliver applications more quickly. Using Configuration Manager, virtual applications can be delivered to either machines or users. Administrators can inventory virtual applications, meter the virtual application licenses, and deliver virtual applications as part of Operating System Deployment Task Sequences. Together, App-V and System Center Configuration Manager 2007 R2 provide a full PC lifecycle management solution for deploying and managing both physical and virtual applications for enterprise customers.

    Deploy the App-V Client Software to Configuration Manager Client PCs

    1. Obtain the App-V Client software from Microsoft (i.e., download the MDOP 2011 software from the Microsoft Volume Licensing Services Web site) and extract the App-V Client software into a source directory. This directory should include the following App-V Client assets:

      • AppVReadme.htm file
      • Setup.exe file
      • Setup.msi file
      • Support subdirectory containing the Dr Watson 2.0 redistributable (dw20shared.msi)

        2. Customize the AppVirtMgmtClient.sms package definition file to suit your App-V Client installation requirements.

        Before proceeding to the next step to create the software distribution package, edit the AppVirtMgmtClient.sms package definition file and add/change the command line options for the setup.exe program to customize the App-V Client installation options.

        The default command line provided in the AppVirtMgmtClient.sms file follows:

        COMMANDLINE=setup.exe /s /v"/quiet /norestart /qn"0\"\"

        The above command line performs a silent installation of the App-V Client software with all of the default values and suppresses the client PC reboot.

        Note: Because the App-V Client includes a virtual file system driver, it is necessary to reboot the client PC when upgrading the App-V Client. However, a reboot is not required for installation of the App-V Client on a client PC that does not already include the App-V Client software.

        3. Use the AppVirtMgmtClient.sms to create a Configuration Manager software distribution package for the App-V Client software as follows:

        1. In the Configuration Manager Admin Console, navigate to System Center Configuration Manager –> Site Database –> Computer Management –> Software Distribution.
        2. Right-click on Packages, point to New, and then click Package from Definition.


        Figure 1 – Configuration Manager Admin Console Distribution Point Properties

        The Create Package from Definition Wizard will appear. For Welcome, click Next.


        Figure 2 – Create Package from Definition Wizard

        For Package Definition, click Browse… and navigate to the AppVirtMgmtClient.sms package definition file.


        Figure 3 – Package Definition

        Note: The default location of the AppVirtMgmtClient.sms file is C:\Program Files\ Microsoft Configuration Manager\Tools\VirtualApp\AppVirtMgmtClient.sms.

        Click on the AppVirtMgmtClient.sms file and click Open.


        Figure 4 – Selection of the Package

          3. Application Virtualization Desktop Client should appear in the list of available package definitions.
          4. Click on Application Virtualization Desktop Client and click Next.
          5. Select Always obtain files from a source directory and click Next.

        Figure 5 – Configuration Manager Admin Console Distribution Point Properties

          6. Select Network path (UNC path) or Local drive on site server.
          7. Click Browse…, navigate to the source directory where you extracted the installation files for the App-V Client software, and click OK.
          8. Click Next and click Finish.

        4. Advertise the App-V Client package to one or more collections of client PCs.

          1. In the Configuration Manager console, navigate to System Center Configuration Manager/Site Database/Computer Management/Software Distribution.
          2. Right-click Advertisements, point to New, and then click Advertisement.
          3. Enter the name of the package and select the collections to deploy it to.

        Figure 6 – New Advertisement Wizard

          4. Click on Next.
          5. In Schedule, select the option to deploy it as soon as possible.

        Figure 7 – Providing appropriate schedule information

          6. Select appropriate distribution points.

        Figure 8 – Installing the program locally and running; or streaming delivery

          7. Select appropriate users to interact with.

        Figure 9 – User Interaction Page

          8. Select the users that should have permissions on this object.

        Figure 10 – Provision of appropriate permissions to access the package

          9. Click on Finish. You will find the advertisement in the console.

        Figure 11 – App-V Client is published

        Note: With App-V 4.6, there are both 32-bit and 64-bit versions of the client. Two separate packages, programs, and advertisements will need to be created in order to accommodate both platforms. The appropriate collections for 32-bit and 64-bit applications will need to be used to ensure delivery to the correct platform.

        Next post: Integration of System Center Configuration Manager and App-V (part 3)

  • Integration of System Center Configuration Manager and App-V (part 3)

        (Post courtesy of Yashkumar Tolia. Steps below are from the Virtual Application Management with Microsoft Application Virtualization 4.5/4.6 and System Center Configuration Manager 2007 R2 White Paper)

        Previous Post: Integration of System Center Configuration Manager and App-V (part 2)

        Configure Configuration Manager Distribution Point Servers and Client to Enable Virtual Application Deployment

        1. Enable Standard Distribution Point server(s) to Deliver Virtual Applications to Configuration Manager Clients

        a. Install the BITS and IIS Server software on all Configuration Manager standard Distribution Point servers that you plan to use for delivery of virtual applications.

        b. Configure the standard Distribution Point server(s) to enable virtual application delivery as follows:

        i. In the Configuration Manager Admin Console, open the properties of a specific standard Distribution Point server.

        ii. On the General tab, select “Communication Settings -> Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS.”

        Figure 12 – Configuration Manager Admin Console Distribution Point Properties

        iii. If streaming delivery will be used with this Distribution Point, on the Virtual Applications tab, select “Enable virtual application streaming.”

        Note: If you plan to only use local delivery for virtual applications (i.e., no streaming delivery), then do not select this option. If you plan to use a combination of local delivery and streaming delivery for virtual applications, then do select this option.

        The following screen shot highlights the setting described above:


        Figure 13 – Configuration Manager Admin Console Distribution Point Properties

        2. Enable Branch Distribution Point server(s) to Stream Virtual Applications to Configuration Manager Clients

        a. In the Configuration Manager Admin Console, edit the properties of a specific Branch Distribution Point.

        b. On the Virtual Applications tab, select “Enable virtual application streaming.”

        Note: If you plan to only use local delivery for virtual applications (i.e., no streaming delivery), then do not select this option. If you plan to use a combination of local delivery and streaming delivery for virtual applications, then do select this option.

        The following screen shot highlights the setting described above:


        Figure 14 – Configuration Manager Admin Console Distribution Point Properties

        3. Enable Configuration Manager Clients to Evaluate Advertisements for Virtual Application Delivery. To enable Configuration Manager Clients to evaluate advertisements for virtual application delivery, the Configuration Manager Advertised Programs Client Agent must be configured to allow clients to execute virtual application package advertisements as follows:

        a. In the Configuration Manager Admin Console, open the properties of the Advertised Programs Client Agent and select “Allow virtual application package advertisement.”

        The following screen shot highlights the setting described above:


        Figure 15 – Configuration Manager Admin Console Advertised Programs Client Agent Properties

        IMPORTANT: This action gives Configuration Manager control of the App-V Client on the Configuration Manager Client PC.

        This will cause the Configuration Manager Advanced clients to remove all previously deployed virtual application packages (published through an App-V Full Infrastructure or standalone MSI).

        Deploy a Virtual Application to Configuration Manager Clients

        1. Sequence an Application.

        A sequencing engineer uses the App-V Sequencer program to sequence an existing application and saves the new virtual application package to a specified content directory.

        2. Create a Configuration Manager Virtual Application Package.

        Use the New Virtual Application Package Wizard to specify the sequenced application source directory location and import the sequenced application into the Configuration Manager site.

        The New Virtual Application Package Wizard is launched as follows:

            1. Open the Configuration Manager Admin Console
            2. Expand Site Database -> Computer Management -> Software Distribution
            3. Right-click on Packages and select New -> Virtual Application Package
            4. The New Virtual Application Package Wizard will appear

        Figure 16 – Installing the program according to the distribution boundary

              • Package Source: %Drive%\location\Sequenced_application.xml
              • Name: Sequenced_Application
              • Version: Version Number
              • Manufacturer: Manufacturer Name
              • Remove this package from clients when it is no longer advertised: Enabled
              • Data Source: \\UNC_path\source
        3. Distribute Virtual Application Package to Specific Distribution Point/Branch Distribution Point Servers.

        After a virtual application package has been imported into Configuration Manager, the package must be replicated to the Distribution Points that will be used to deliver the virtual application package to clients. The Configuration Manager administrator chooses which Distribution Points the virtual application package will be sent to.

        4. Create Collection(s) that will be used to target virtual application delivery to clients (or users).

        Configuration Manager Advertisements are targeted at collections. These can be collections of computers or users. Both user- and machine-based targeting are fully supported.

        5. Advertise Virtual Application for Deployment to Configuration Manager Clients.

        After a virtual application package has been replicated to Distribution Points, it can be advertised to any Configuration Manager collection. This can be done according to the steps shown earlier. The New Advertisement Wizard can specify things such as:

        • The collection of client PCs (or users) to which the package should be delivered.
        • The time at which the application should be delivered.
        • Whether the application delivery should be mandatory or the user(s) should have an option to install or reject the package.
        • When delivered, whether the application should be added as a streaming virtual application or a locally available virtual application (“Stream from Distribution Point” or “Download and Run”).

        Verify Virtual Application Delivery to a Specific Client

        1. Log on to a client PC that is a member of a collection that you have targeted for delivery of a virtual application package.
        2. Wait for the application advertisement to run on the client.
        3. When the client PC evaluates the advertisement, it will create program shortcut(s) for the programs contained in the virtual application package on the Start Menu, Desktop and/or Quick Launch bar. If the virtual application package is advertised for local delivery, the SFT file will also be downloaded to the Configuration Manager and App-V Client caches.
        4. Locate one of the program shortcuts for the virtual application on the client and click on the shortcut to launch the application.
        5. Depending on the method used to deliver the application to the client, the application should immediately launch (local delivery), or stream and then launch (streaming delivery).
  • Extending Remote Desktop Services via PowerShell – Part 3

        (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

        Previous Post: Extending Remote Desktop Services via PowerShell – Part 2

        Configuring Remote Desktop Connection Broker

        Now that we have our two RD Session Host servers (COLFAX and FUJI) and our Web Access server (FUJI) up and running properly, let’s go ahead and install the RD Connection Broker role on the LIBERTY server:

        Add-WindowsFeature -Name RDS-Connection-Broker

        Upon importing the RemoteDesktopServices module, we see that there are two top-level containers:

        Import-Module RemoteDesktopServices

        CD RDS:

        dir

        We really don’t have to bother with the RDSFarms container. It will be populated automatically once we have configured the RDS farm using the ConnectionBroker container.

        Let’s take a peek at the contents of the ConnectionBroker.

        cd .\ConnectionBroker

        dir


        We will first configure certificates for digital signature settings. We will use the same SAN certificate we used for our RD Session Host and RD Web Access.

        cd cert:

        cd .\LocalMachine\My

        dir


        Once we have the Thumbprint available, let’s assign it to the Connection Broker server by navigating to the Digital Signature Settings as shown below:

        cd .\DigitalSignatureSettings

        dir


        Next, we will populate our TS Web Access Computers group by adding FUJI to it, and the Session Broker Computers group by adding FUJI and COLFAX (our Session Host servers) to it.

        cd .\WebAccessComputers

        New-Item -Name FUJI@POWERSHELL

        With Web Access Group Populated, let’s proceed with the population of the Session Broker Computers Group.

        Here, we will again use the Microsoft.TerminalServices.PSEngine.UserGroupHelper Runtime.


        Next, let’s populate the RemoteApp Sources by browsing to the RemoteAppSources Container and adding our session host computers there.

        Note that while adding the RemoteApp Sources we just gave the NetBIOS names of the Session Host computers (unlike the way we specified earlier with the @ symbol). I know it’s strange, and you might be tempted to use the FUJI@POWERSHELL way to add a computer account, but this might result in an error.

        So while adding RemoteApp Sources, just follow the syntax below:

        New-Item -Name <NetBIOS name of the Session Host Server>

        To give our RDS a more personal look, let’s change the display name by setting the string value of the DisplayName setting within the ConnectionBroker Container as shown below:


        In a similar way, we can configure the other settings like RD Virtualization Hosts etc. using the ConnectionBroker Container.
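        The broker configuration walked through above (certificate, Web Access computers, Session Broker Computers group, RemoteApp sources, display name) can be done in one script. The one below is an added example, not the post's own code. Server names and the POWERSHELL domain are the lab values from this series; the certificate subject, the item name under DigitalSignatureSettings and the display name are assumptions (run dir on the DigitalSignatureSettings container to confirm the item name). For the Session Broker Computers group it uses net localgroup instead of the UserGroupHelper runtime the post uses, because that local group is the one the broker reads.

```powershell
# Added example (not from the original post): configure the RD Connection Broker from the
# RDS: drive in one pass. Server names and the POWERSHELL domain are the lab values; the
# certificate subject, the DigitalSignatureSettings item name and the display name are assumed.
Import-Module RemoteDesktopServices

$domain       = 'POWERSHELL'
$webAccess    = 'FUJI'
$sessionHosts = 'COLFAX', 'FUJI'
$certSubject  = 'CN=rds.powershell.ms'   # assumed subject of the SAN certificate

# Pick the certificate deliberately rather than copying a thumbprint from a screenshot:
# it must still be valid, carry a private key and match the subject we expect.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject '$certSubject' in LocalMachine\My" }

# Digital signature settings: RDP files are signed with the broker's certificate.
# 'Thumbprint' is the assumed item name; check it with: dir RDS:\ConnectionBroker\DigitalSignatureSettings
Set-Item -Path 'RDS:\ConnectionBroker\DigitalSignatureSettings\Thumbprint' -Value $cert.Thumbprint

# TS Web Access Computers: computer accounts are given in NAME@DOMAIN form.
New-Item -Path 'RDS:\ConnectionBroker\WebAccessComputers' -Name "$webAccess@$domain"

# Session Broker Computers is a local group on the broker; the session hosts' computer
# accounts (NAME$) are added with net.exe (swapped in for the post's UserGroupHelper call).
foreach ($sh in $sessionHosts) {
    net localgroup "Session Broker Computers" "$domain\$sh`$" /add
}

# RemoteApp sources take the bare NetBIOS name, without the @DOMAIN suffix, as the post notes.
foreach ($sh in $sessionHosts) {
    New-Item -Path 'RDS:\ConnectionBroker\RemoteAppSources' -Name $sh
}

# Friendly name shown to users in RD Web Access (assumed value).
Set-Item -Path 'RDS:\ConnectionBroker\DisplayName' -Value 'PowerShell.ms RDS Farm'

# Review what the broker now holds.
Get-ChildItem 'RDS:\ConnectionBroker\WebAccessComputers', 'RDS:\ConnectionBroker\RemoteAppSources'
```

        The certificate filter is the part worth keeping even if you do the rest by hand: selecting by subject, private key and expiry avoids signing RDP files with a stale or wrong certificate, which clients would then reject or, worse, users would be trained to click through.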

        Next Post: Extending Remote Desktop Services via PowerShell – Part 4

  • Extending Remote Desktop Services via PowerShell – Part 4

        (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

        Previous Post: Extending Remote Desktop Services via PowerShell – Part 3

        Configuring a RDS Farm using PowerShell

        So far, we have installed two RD Session Host Servers, added some RemoteApps, configured the Session Host Servers, installed the Web Access Server, installed and configured the Connection Broker.

        We are all set to create an RDS Farm. I have already created the related DNS records (RDSFARM) as shown in the screenshot below.

        Let’s connect to our RD Session Host Server COLFAX and navigate to the ConnectionBrokerSettings container.

        Before we start creating a FARM, we need to figure out the corresponding value of the FARM membership as defined in the ServerPurpose Property.

        As you can see in the screenshot below, the value 3 corresponds to the Farm Membership.

        dir .\ServerPurpose | fl *


        We also need the IP address of the NIC attached to the Session Host Server (RedirectableAddresses).

        To create a FARM, we can run the following command:

        Set-Item ServerPurpose -value 3 -ConnectionBroker <FQDN-OF-RD-CONNECTIONBROKER-GOES-HERE> -FarmName <FQDN-FARM-NAME-GOES-HERE> -IPAddressRedirection 1 -CurrentRedirectableAddresses <IP-ADDRESS-YOU-WANT-TO-USE-GOES-HERE>

        Since we have only one NIC attached to each of the RD Session Host Servers, the value of CurrentRedirectableAddresses can be taken from the Name property of the RedirectableAddresses item, as shown in the figure below.

        In the above case, we are storing all the contents of the RedirectableAddresses container into a PowerShell variable called $currentaddress.

        Now, let’s take a look at the members of $currentaddress.

        Notice that $currentaddress is a custom TSObject and has Name as a property. To display just the contents of the Name property, run $currentaddress.Name as shown below.

        Now, let’s re-examine the original syntax for creating the FARM:

        Set-Item ServerPurpose -value 3 -ConnectionBroker <FQDN-OF-RD-CONNECTIONBROKER-GOES-HERE> -FarmName <FQDN-FARM-NAME-GOES-HERE> -IPAddressRedirection 1 -CurrentRedirectableAddresses <IP-ADDRESS-YOU-WANT-TO-USE-GOES-HERE>

        Based on our current environment, the values for the Parameters above would be as follows:

        -ConnectionBroker - Liberty.powershell.ms

        -FarmName – RDSFARM.powershell.ms

        -IPAddressRedirection – 1 {this implies that IP address redirection is enabled}

        -CurrentRedirectableAddresses - $currentaddress.Name {this implies that the value of the CurrentRedirectableAddresses can be obtained from the Name Property of the RedirectableAddresses Container}

        So here is the logic that we would apply:

        1) Connect to the RDS PowerShell Drive

        2) Store the value of the Name Property of the RedirectableAddresses in a PowerShell variable called $currentaddress

        3) Run the base script for creating a farm by substituting the values


        That’s all about it. Let’s check the properties of the RD Session Host Server.


        Now, you must be wondering why I took the trouble of storing the IP address in a variable instead of assigning it directly to CurrentRedirectableAddresses. Assigning the value directly works for one or two servers, but when you want to add, say, about 10 servers to the FARM, you would have to go to each server and run this script.

        Wouldn’t it be easier if we could get a list of computers and pass it as input to a script that connects to each computer in the list and configures the FARM settings?

        It is a pretty simple script, as given below. Here, I assume that you have saved the computer names, one per line, into a text file called Servers.txt in the C:\Scripts directory.

        Get-Content C:\Scripts\Servers.txt | ForEach-Object {

            # One remoting session per server in the list
            $session = New-PSSession -ComputerName $_

            Invoke-Command -Session $session -ScriptBlock {
                Import-Module RemoteDesktopServices
                # With a single NIC, the Name of the RedirectableAddresses item is the IP address to publish
                $currentaddress = Get-ChildItem -Path RDS:\RDSConfiguration\ConnectionBrokerSettings\RedirectableAddresses
                Set-Item -Path RDS:\RDSConfiguration\ConnectionBrokerSettings\ServerPurpose -Value 3 -ConnectionBroker 'Liberty.powershell.ms' -FarmName 'RDSFARM.powershell.ms' -IPAddressRedirection 1 -CurrentRedirectableAddresses $currentaddress.Name
            }

            # Close only the session opened for this server
            Remove-PSSession $session

        }
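        The loop above does the job, but it stops at the first server that cannot be reached and never confirms the change. The script below is an added example, not the post's own script: it passes the broker and farm names as arguments instead of hard-coding them in the script block, always closes the session even when the remote call fails, and reads ServerPurpose back so that the caller gets one row per server to check. The server list, broker and farm names are the lab values from this post; the CurrentValue property of the provider item is an assumption (the post shows the TSObject has a Name property; check the rest with Get-Member).

```powershell
# Added example (not from the original post): the farm-join loop with arguments, cleanup and
# verification. Liberty.powershell.ms, RDSFARM.powershell.ms and C:\Scripts\Servers.txt are the
# lab values from the post; the CurrentValue property name on the ServerPurpose item is assumed.
$broker   = 'Liberty.powershell.ms'
$farmName = 'RDSFARM.powershell.ms'
$servers  = Get-Content C:\Scripts\Servers.txt | Where-Object { $_.Trim() }

$joinFarm = {
    param($broker, $farmName)
    Import-Module RemoteDesktopServices
    $cfg = 'RDS:\RDSConfiguration\ConnectionBrokerSettings'
    # Single NIC: the Name of the RedirectableAddresses item is the IP address to publish.
    $currentaddress = Get-ChildItem "$cfg\RedirectableAddresses" | Select-Object -First 1
    Set-Item -Path "$cfg\ServerPurpose" -Value 3 -ConnectionBroker $broker -FarmName $farmName `
        -IPAddressRedirection 1 -CurrentRedirectableAddresses $currentaddress.Name
    # Return what the server reports now, so the caller can verify instead of trusting the call.
    New-Object PSObject -Property @{
        Server  = $env:COMPUTERNAME
        Purpose = (Get-Item "$cfg\ServerPurpose").CurrentValue   # property name assumed
        Address = $currentaddress.Name
    }
}

$results = foreach ($server in $servers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $server
        Invoke-Command -Session $session -ScriptBlock $joinFarm -ArgumentList $broker, $farmName
    } catch {
        Write-Warning "$server : $_"
    } finally {
        # Remove only this server's session; a global Get-PSSession | Remove-PSSession would also
        # tear down sessions that belong to other scripts in the same console.
        if ($session) { Remove-PSSession $session }
    }
}

$results | Format-Table Server, Purpose, Address -AutoSize

# Anything that did not come back with ServerPurpose = 3 still needs attention.
$notJoined = @($results | Where-Object { $_.Purpose -ne 3 })
if ($notJoined.Count -gt 0) {
    Write-Warning ('Not in farm: ' + (($notJoined | ForEach-Object { $_.Server }) -join ', '))
}
```

        The returned objects are also what you would feed into a scheduled check: run the same script block without the Set-Item line and alert when a session host has dropped out of the farm.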

        Now that we have our script ready, I just removed the Colfax server from the FARM Membership as shown below:


        In this way, I can test whether the script is working as expected. I also created a text file called Servers.txt which contains the names of our two RD Session Host Servers. PowerShell Remoting has been enabled on both the Session Host Servers.


        Now it’s time to run the script. I have changed the default script execution policy of PowerShell to Unrestricted.

        Okay, we have a good start. The Script ran without errors and returned the cursor back on the next prompt. But did it do what it was supposed to do?

        Let’s take a quick look at the RD Connection Broker properties of both COLFAX and FUJI.

        Yipeeeeeeee!!, it worked as expected. :) This is the ‘Power of PowerShell’. By just using some simple logic and a few lines of code, we were able to automate the creation of an RDS FARM.

        Next Post: Extending Remote Desktop Services using PowerShell – Part 5

  • Extending Remote Desktop Services using PowerShell – Part 6

        (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

        Previous Post: Extending Remote Desktop Services using PowerShell – Part 5

        Network Load Balancing Farm Members:

        To avoid problems with stale DNS entries, you might decide to implement NLB or Network Load Balancing.

        To configure an NLB cluster, we will install the NLB feature on each of the FARM members, then configure the cluster, and finally add a DNS entry mapping the FARM name to the cluster IP address.

        Starting with Windows Server 2008, NLB was re-engineered so that implementing NLB in the unicast mode on one network adapter now allows for host to host communication.

        To install NLB, yes, you guessed it right :), use the ServerManager module.

        So, we will install the NLB feature first on COLFAX:

        Add-WindowsFeature -Name NLB -IncludeAllSubFeature

        Next, we will install the NLB feature on the FUJI server. Note that here I use the 1:1 remoting feature of PowerShell, as shown below.

        Like RDS, NLB also installs a PowerShell module, so that we can use it to create NLB clusters via PowerShell.

        Next, let’s quickly examine the commands available in NLB Cluster Module. Note that we can use the wildcard characters to specify the name of the module. I am a bit too lazy to type the entire name again :).


        We will use the New-NlbCluster command to create an NLB cluster as shown in the screenshot below.

        You can get information about the NLBCluster just created using the Get-NLBCluster command.

        Now, let’s add the COLFAX server to the NLB Cluster.

        And that’s all about it.

        Let’s check the same in the NLB Manager.

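        The whole Part 6 procedure as one script, added here as an example and not taken from the post or the NLB module documentation: it installs the feature on each farm member, creates the cluster, joins the second node, and registers the farm name in DNS. It assumes farm members COLFAX (where the script runs) and FUJI, a NIC named "Local Area Connection", cluster IP 192.168.1.100/24, a constructed DNS zone contoso.local on server DC1, and goes one step beyond the post by adding an RDP-only port rule with single affinity so a client keeps hitting the same farm member.

```powershell
# Added example (not from the original post). Assumed names: farm members
# COLFAX and FUJI, NIC "Local Area Connection", cluster IP 192.168.1.100/24,
# farm name RDSFARM in the constructed zone contoso.local on DNS server DC1.
# Requires Windows Server 2008 R2 with PowerShell remoting enabled on FUJI.
$FarmMembers = 'COLFAX', 'FUJI'
$Interface   = 'Local Area Connection'
$ClusterIP   = '192.168.1.100'
$SubnetMask  = '255.255.255.0'
$FarmName    = 'RDSFARM'
$DnsZone     = 'contoso.local'
$DnsServer   = 'DC1'

# 1. Install the NLB feature on every farm member. COLFAX is the local box;
#    the others are reached with 1:1 remoting (Invoke-Command), as in Part 6.
Import-Module ServerManager
Add-WindowsFeature -Name NLB -IncludeAllSubFeature
foreach ($member in ($FarmMembers | Where-Object { $_ -ne $env:COMPUTERNAME })) {
    Invoke-Command -ComputerName $member -ScriptBlock {
        Import-Module ServerManager
        Add-WindowsFeature -Name NLB -IncludeAllSubFeature
    }
}

# 2. Create the cluster on the first member. Unicast on a single NIC works
#    on Server 2008 and later (host-to-host traffic still flows).
Import-Module NetworkLoadBalancingClusters
$cluster = New-NlbCluster -HostName $FarmMembers[0] -InterfaceName $Interface `
    -ClusterName $FarmName -ClusterPrimaryIP $ClusterIP -SubnetMask $SubnetMask `
    -OperationMode Unicast

# 3. Join the remaining members to the cluster.
foreach ($member in $FarmMembers[1..($FarmMembers.Count - 1)]) {
    $cluster | Add-NlbClusterNode -NewNodeName $member -NewNodeInterface $Interface
}

# 4. Balance only RDP (TCP 3389) and keep each client on the same host
#    (single affinity) so reconnects are not bounced between members.
$cluster | Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
$cluster | Add-NlbClusterPortRule -StartPort 3389 -EndPort 3389 -Protocol Tcp -Affinity Single

# 5. Map the farm name to the cluster IP (dnscmd ships with the DNS tools),
#    replacing the per-host round-robin records that go stale.
dnscmd $DnsServer /RecordAdd $DnsZone $FarmName A $ClusterIP

# 6. Verify every node has converged before pointing clients at the farm name.
$cluster | Get-NlbClusterNode | Format-Table Name, State, HostPriority -AutoSize
```

        Step 4 is optional; leaving the default port rule in place balances every port, which is what the post's screenshots show.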
      5. Extending Remote Desktop Services using PowerShell – Part 7

        (Post courtesy Manoj Ravikumar Nair, who you can follow on his excellent blog at http://www.powershell.ms)

        Previous Post: Extending Remote Desktop Services using PowerShell – Part 6

        Using Best Practice Analyzer for Remote Desktop Services

        To use the Best Practice Analyzer for Remote Desktop Services, we will import the Best Practices Module for PowerShell

        Get-BpaModel lists the scans available to run on the box. As shown in the screenshot below, we have access to the Microsoft/Windows/TerminalServices scan because the RDS Role has been installed on the server.

        To run the scan, we will pipe the output of Get-BpaModel to the Invoke-BpaModel cmdlet as shown below:

        The final step is to use the Get-BpaResult command to dump the results on the console. Note that we are in compliance with most of the rules.

        Next Steps

        Wow!! Now that was too much of a PowerShell dose. However, hopefully you will now start truly appreciating the “Power of PowerShell”.

        Having understood what you need to know about RDS PowerShell to automate it, you can start leveraging your newfound knowledge to script some advanced stuff.

        Here are some additional references.

        TechNet Script Center Repository

        http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=remotedesktopservices&f%5B0%5D.Text=Remote%20Desktop%20Services

        RDS RemoteApp PowerShell Module

        http://archive.msdn.microsoft.com/PSRDSRemoteApp

        If you recollect from the first part, you can use this Module to author a simple script that would pull the RemoteApps from Remote Servers.

        I hope you found the series informative. Please do let me know your valuable feedback by replying to this post.

        Go back to series beginning.

        Enjoy your quest to conquer PowerShell. Be what’s Automated…™