There are two different models for completing volume activation:
1. Multiple Activation Key (MAK) - MAK activates systems on a one-time basis, using Microsoft's hosted activation services.
2. Key Management Service (KMS) – KMS allows organizations to activate systems within their own network. This is a new model designed for Windows 7, Windows 2008, Office 2010 and above.
* Volume activation landing page (http://technet.microsoft.com/en-us/windows/dd197314.aspx)
* Guide to use KMS host on Windows 2008 R2
The guide is based on this video guide (http://technet.microsoft.com/en-us/windows/ff716620.aspx?ITPID=flpbook). If you use Windows 2008 for KMS, you need to install this KMS patch (http://support.microsoft.com/kb/968912). If you use Windows 2003 for KMS, you need to install this KMS patch (http://support.microsoft.com/kb/968915).
Part 1. Do these steps on the KMS Host
* Open an elevated Command Prompt (right click, Run As Administrator)
* cscript slmgr.vbs /dlv
* cscript slmgr.vbs /ipk <KmsKey> (to provide the KMS key found in your licensing paper)
* cscript slmgr.vbs /ato (Internet connection via the default gateway is recommended)
* cscript slmgr.vbs /dlv (the 'Current count' field should be zero)
* Control Panel/Windows Firewall, and allow "Key Management Service" requests from DOMAIN clients (through the port 1688)
* DNS server: Forward Lookup Zones, your_domain_name, _tcp, and check properties of the _VLMCS SRV record
Part 2. Do these steps on the KMS Clients (Win 7, Win 2008, Office 2010)
* Open an elevated Command Prompt (right click, Run As Administrator)
* cscript slmgr.vbs /dlv
* cscript slmgr.vbs /ato (No need to provide the product key, no Internet connection is required). You may get this error "Code: 0xC004F038, ... the computer could not be activated. The count reported by your Key Management Service (KMS) is insufficient." This is expected because you do not have the required number of activations at the moment; that is why we need Part 4 below.
Part 3. Do these steps on the KMS Host
* cscript slmgr.vbs /dlv (the 'Current count' field should be one)
Part 4. Repeat steps in Part 2 on the additional KMS Clients (totalling 25 Win 7 machines or 5 Win 2008 machines or 5 Office 2010 machines)
Part 5. Do these steps on the KMS Host
* cscript slmgr.vbs /dlv and check for the 'Current count' value to see if that is 25 or 5 respectively.
Part 6. Do these steps on all KMS clients to see if they are successfully activated (the 'License Status' value is Licensed)
* cscript slmgr.vbs /dlv
Publication of the KMS Service
The KMS service uses service (SRV) resource records (RR) in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS SRV RRs. If dynamic update is not available or the KMS host does not have rights to publish the RRs, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
Client Discovery of the KMS Service
By default, KMS clients query DNS for KMS service information. The first time a KMS client queries DNS for KMS service information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.
The address of a DNS server containing the SRV RRs can be listed as a suffixed entry on KMS clients, which allows advertisement of SRV RRs for KMS in one DNS server and KMS clients with other primary DNS servers to find it.
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688.
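Because clients pick a KMS host from whatever the _VLMCS SRV records advertise and then connect anonymously on TCP 1688, it is worth checking what DNS actually publishes. The script below is an added example, not part of the original guide; it assumes Windows 8 / Server 2012 or later (for Resolve-DnsName), and the domain name, the approved-host list and the function names are placeholder assumptions.

```powershell
# Added example: list the KMS hosts that DNS advertises, flag any that are not
# on an approved list, and test whether each one answers on its published port.
param(
    [string]   $Domain        = 'mycompany.com.vn',            # assumed DNS domain
    [string[]] $ApprovedHosts = @('kms01.mycompany.com.vn'),   # hypothetical approved KMS host
    [int]      $TimeoutMs     = 3000
)

function Test-TcpPort {
    # Returns $true if a TCP connection to HostName:Port succeeds within TimeoutMs.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-KmsSrvAudit {
    # Queries _vlmcs._tcp.<domain> and returns one object per SRV record.
    param([string]$Domain, [string[]]$ApprovedHosts, [int]$TimeoutMs)
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }   # drop A records from the additional section
    foreach ($r in $records) {
        [pscustomobject]@{
            Target    = $r.NameTarget
            Port      = $r.Port          # 1688 unless the host was reconfigured
            Priority  = $r.Priority
            Weight    = $r.Weight
            Approved  = $ApprovedHosts -contains $r.NameTarget
            Reachable = Test-TcpPort -HostName $r.NameTarget -Port $r.Port -TimeoutMs $TimeoutMs
        }
    }
}

$audit = @(Get-KmsSrvAudit -Domain $Domain -ApprovedHosts $ApprovedHosts -TimeoutMs $TimeoutMs)
$audit | Format-Table -AutoSize

# A record that is not on the approved list means some machine published itself
# as a KMS host (for example through dynamic update) and clients may select it.
$unexpected = @($audit | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unapproved KMS SRV targets: " + (($unexpected | ForEach-Object { $_.Target }) -join ', '))
}
```

Run it from a domain member that uses the same DNS servers as the KMS clients, so the result reflects what those clients would see.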
* Guide for Co-hosting Office KMS host with a Windows KMS host, activating over telephone http://technet.microsoft.com/en-us/library/ee624357.aspx
If currently you have a Windows KMS host running on an operating system that supports an Office KMS host, we recommend that you use the same computer as your Office KMS host.
* Volume Activation Management Tool (VAMT) 2.0 http://www.microsoft.com/downloads/details.aspx?FamilyID=ec7156d2-2864-49ee-bfcb-777b898ad582&displaylang=en
* Plan MAK proxy activation of Office 2010 http://technet.microsoft.com/en-us/library/ff603512.aspx
- PowerPoint slide presentation (1.6M) download (courtesy: Phung Phuoc Linh, Microsoft Vietnam)
- Volume Activation Deployment Guide - http://technet.microsoft.com/en-us/library/dd772269.aspx
By default, Windows 7 and Windows Server 2008 R2 operating systems use KMS for activation. To change existing KMS clients to MAK clients, simply install a MAK key. Similarly, to change MAK clients to KMS clients, run slmgr.vbs /ipk <KmsSetupKey>
- VA 2.0 Poster http://download.microsoft.com/download/4/5/f/45fb677a-c215-442e-afd0-419e08b6c5d1/VA%202.0%20Vertical%20Wall%20Poster%20RTM.pdf
- KMS setup demo video: http://www.microsoft.com/downloads/details.aspx?FamilyID=bbf2eb61-2b30-4f2d-bccd-df53e220b8e9&displaylang=en
* Quote from KMS FAQ (source: http://www.microsoft.com/licensing/existing-customers/product-activation-faq.aspx)
What is Key Management Service (KMS) and how does it work?
KMS is a lightweight service that does not require a dedicated system and can easily be co-hosted on a system that provides other services. With KMS, you can complete activations on your local network, eliminating the need for individual computers to connect to Microsoft for product activation.
A KMS host key is used only to activate the KMS host with a Microsoft activation server. A KMS host key can activate 6 KMS hosts with 10 activations per host. Each host can activate an unlimited number of computers. If you have an existing machine configured as Windows KMS* host, you will need to enter and activate the Office 2010 KMS host key before the KMS host can activate Office 2010, Project 2010, and Visio 2010. If you need additional KMS activations so you may activate more than 6 KMS hosts, find the telephone number for your Microsoft Activation Center to activate your KMS host.
KMS requires a minimum number of either physical or virtual computers in a network environment. These minimums, called activation thresholds, are set so that they are easily met by enterprise customers. For computers running:
Windows Server 2008 and Windows Server 2008 R2 you must have at least five (5) computers to activate.
Windows Vista or Windows 7 you must have at least twenty-five (25) computers to activate. These thresholds can be a mix of server and client machines to make up the threshold number.
For Office 2010, Project 2010 and Visio 2010 you must have at least five (5) computers to activate. If you have deployed Microsoft Office 2010 products, including Project 2010 and Visio 2010, you must have at least five (5) computers running Office 2010, Project 2010 or Visio 2010.
Here are some more reference materials to assist you:
For Activation thresholds, please see the Volume Activation Planning Guide.
For Office 2010, Project 2010, and Visio 2010 please see Volume Activation Quick Start Guide for Office 2010, and Overview of Volume Activation for Office 2010.
Read more details about the product activation process and the specific products that use Volume Activation.
*Only Windows Server 2003, Windows 7 volume editions, and Windows Server 2008 R2 are supported as Office KMS hosts
If a “child” company (owned by a “parent” company) has an individual agreement, can the parent company use the same key (such as a Windows Server 2008 Standard/Enterprise R2 KMS key) to deploy Windows 7 and Windows Server 2008 R2 across both companies?
Although they may choose to do so, customers do not have to use keys provided under a specific Licensing ID (agreement, enrollment, affiliate, or license) to use the licenses specified under that Licensing ID. They can choose to use keys specific to agreements/licenses, or one set of keys for all. Customers have this flexibility so they can centrally manage their deployment/image.
PUBLIC VOLUME LICENSE KEYS (http://technet.microsoft.com/en-us/library/ff793421.aspx )
Windows 7 Professional - FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
Windows 7 Enterprise - 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH (convert 90-day eval to KMS)
Windows Server 2008 R2 Standard - YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Windows Server 2008 R2 Enterprise - 489J6-VHDMP-X63PK-3K798-CPX3Y
Windows Server 2008 R2 Datacenter - 74YFP-3QFB3-KQT8W-PMXWJ-7M648 (convert 180-day eval to KMS)
Windows Server 2008 Standard - TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Windows Server 2008 Enterprise - YQGMW-MPWTJ-34KDK-48M3W-X4Q6V
Question: Can you convert the evaluation version to a full version?
Answer: Although it is not blocked, it is unsupported to upgrade to a full version or to change the product key to a full version. To upgrade to a full version, you must use non-evaluation media to do a new install. If you change the product key to Full Version, the visual evaluation references in Winver and in the Slmgr /DLV output are removed; however, the WLMS service is still on the system and this is still evaluation media.
Source: Windows Server 2008 R2 evaluation version - http://support.microsoft.com/default.aspx?scid=kb;en-US;2021579
The below article is obtained from: http://pkjayan.wordpress.com/2010/05/17/agent-managed-non-trusted-servers-without-gateway/. The text in green color is my own comment. The scenario is not using any gateway server.
- Make sure the wkg-srv has the domain suffix, that is, its FQDN is wkg-srv.mycompany.com.vn. A DNS entry for wkg-srv is also needed.
Monitoring non-trusted servers using SCOM-Step by step
In this scenario, monitoring of a remote, untrusted workgroup or environment isolated from any Active Directory domain is desired. Certificate authentication will be required between the management server and agent-managed workgroup servers, which will authenticate and communicate directly to the management server.
Five steps to complete
To test if the required ports are open:
Do the same from the management server back to the non-trusted server
Certificates need to be installed
Retrieve and install the Root CA certificate
Download root certificate from the Root Certificate Authority server:
Import root certificate to Management Server certificate store
Expand certificates and right click on “Trusted Root Certification
Click on all tasks, Import
When the wizard opens, navigate to the downloaded cert file, certnew.p7b (change the file type to PKCS #7 to select the cert file)
Accept the defaults and finish
Perform the above steps on all Management Servers.
Copy the downloaded root certificate to non-trusted servers and import the same using above steps.
Create and Export Custom OpsMgr Certificate
Do this on the certificate server (at least on Windows Server 2008 Enterprise, or Windows 2008 R2 Standard)
Create certificate template for custom OpsMgr Certificate:
In my case, the certificate server is running Windows Server 2008 Enterprise (not R2!)
In the Certification Authority snap-in, select the Local computer (the computer this console is running on) option.
Click Close, and then click OK.
In the Certification Authority snap-in, verify that the Certificate Templates snap-in and the Certification Authority snap-in appear.
Click Certificate Templates.
In the details pane, right-click Computer, and then click Duplicate Template. You will be presented with 2 options, just choose Windows 2003 Server, Enterprise Edition
On the General tab, change the template name to OpsMgr2007.
Verify that the validity period meets your organization’s requirements.
Click the Request Handling tab, and then click Allow private key to be exported.
Click the Subject name tab, and then click Supply in the Request option.
Click the Security tab.
Grant Enroll and Auto enroll permissions for the following groups in all domains:
Click Apply, and then click OK.
To verify the settings, expand Certificate Templates.
In the details pane, right-click the template that you configured, click Properties, verify your settings, and then click OK.
Expand Certification Authority (local), and then expand your certification authority.
In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
Select the new template, and then click OK.
Verify that the new template appears in the details pane, and then verify that the Server Authentication entry and the Client Authentication entry appear under Intended Purpose.
Close the snap-in.
Click Start, click Run, type gpupdate /force and then press Enter.
Click Start, click Run, type http://<certificateserver>/certsrv in the Open field, and then press ENTER.
If you are prompted, enter the domain administrator account name and the password.
On the Certificate Services Web page, click Request a certificate under Select a task.
Click Advanced certificate request.
Click Create and submit a request to this CA.
In the Certificate template list, verify that your new certificate template appears. In my case, I have to restart the certificate server for that new template to appear.
On the management server, use the Certificates MMC (not the web UI) to request two certificates from the newly duplicated template, one for the FQDN of the management server and one for the non-domain server, then export them to 2 files named RMS.pfx and WKG-SRV.pfx to be used with the MOMCertImport utility later.
Submit the certificate request to the certification authority server:
In the Name field, type the FQDN of the Root Management Server
Select the Mark key as exportable check box. When you are using the Web certificate request UI, you must also check the Store the certificate in the local computer certificate store box (In my Web certificate enrollment UI, there is no such checkbox, so I have to use Certificate MMC: navigate to Local Computer/Personal and choose to Request a Certificate, then fill the FQDN in the Common Name and Display Name fields, that means the Web UI cannot be used)
Click Submit to submit your request to the certification authority server, and then follow the instructions that appear on the screen
Depending on the security configuration on the CA, you have to wait for an administrator to manually approve the request. It is not guaranteed that the CA can be downloaded immediately
Once the certificate is issued, Export the certificate for further configuration
Click Start, click Run, type mmc, and then press Enter
On the File menu, click Add/Remove Snap-in
Click Certificates, and then click Add
Select Computer account, and then click Finish
Select Local computer, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window
Expand Certificates (local computer), expand Personal, expand Certificates, and then select a suitable certificate
Right-click the certificate, point to All tasks, and then click Export
Select Yes, export private key, and then click Next
Use the default setting for the file format
Type a password for the file
Type a file name, and then click Next. For example, type C:\RMS.pfx
Also on the management server, export the certificate of the non-domain server to a file named WKG-SRV.pfx then copy to the non-domain server.
Repeat the above step on all the non-trusted servers. Since the non-trusted servers are not part of the same domain as the CA, create the certificate on a different server and export it to a USB drive or other storage device. Then manually copy it to the gateway server and import it.
The below import step on the management server may not be needed since we are using two separate certificates for the management server and non-domain server???.
Install and configure the Custom OpsMgr Certificate on Management server
Import the custom certificate to local store:
Expand Certificates (local computer), expand Personal, expand Certificates
Right-click the certificate, point to All tasks, and then click Import
Browse and Select the copied certificate, and then click Next
Check off Mark this key as exportable
Click next, make sure the certificate store is personal, click next and finish
On the management server, use the MOMCertImport utility to import the RMS.pfx (a password is needed)
Import the custom certificate to Operations Manager on Management server:
Do this on all SCOM management servers. Root Management Server, Management Servers.
Repeat the following step on the workgroup (non-trusted) computers
Install and configure the Custom OpsMgr Certificate issued by CA for non-trusted server
Install the agent on the workgroup computer:
Verify that all information that you have entered is correct, and then click Install to start the installation.
When the installation is complete, click Finish.
On the non-domain server, use the MOMCertImport utility to import the WKG-SRV.pfx (a password is needed)
After agent installation, Import the custom certificate to Operations Manager:
Run the momcertimport utility
Use the same pfx certificate (the custom OpsMgr certificate) that was created in the previous step. This tool writes the certificate serial number to the registry. This also helps OpsMgr components find the proper certificate for authenticating easily.
The momcertimport utility is on the install CD under SupportTools\i386
Copy momcertimport.exe and the pfx certificate into the same folder
Open a command prompt, navigate to the folder with both files and type the following command
C:\>MOMCertImport.exe certfilename.pfx (Custom OpsMgr Certificate issued by CA for non-trusted server)
Restart the OpsMgr Health service. On SCOM 2007 R2, the new names are "System Center Data Access/Management and Management Configuration"
Wait for the management server to see the manual installation and to request approval. This should take some time (five to ten minutes).
When you are prompted, approve the agent. The non-trusted server agent can now communicate with the Management server.
The high-level process to obtain a certificate from a stand-alone certification authority (CA) is as follows:
1. Download the Trusted Root (CA) certificate – do this from a machine that has access to the certificate server and then copy to the workgroup machine.
2. Import the Trusted Root (CA) certificate to the workgroup machine.
3. Create a setup information file to use with the CertReq command-line utility – do this on the workgroup machine.
4. Create a request file – do this on the workgroup machine and then copy file to a server that has access to the certificate server
5. Submit a request to the CA using the request file from a server that has access to the certificate server
6. Approve the pending certificate request – from the certificate server
7. Retrieve the certificate from the CA – from a machine that has access to the certificate server and then copy certificate to workgroup computer
8. Import the certificate into the certificate store on the workgroup computer
9. Import the certificate into Operations Manager using MOMCertImport – on workgroup computer.
10. And then install the agent and approve install from opsmgr console
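Steps 3, 4 and 8 of the list above, followed by a check of the installed certificate before it is handed to MOMCertImport, as an added PowerShell example that is not taken from the original article. The working folder, file names, function names and the 2048-bit key length are assumptions; the two EKU OIDs are Server Authentication and Client Authentication, the intended purposes this page lists for the OpsMgr template.

```powershell
# Added example; run elevated on the workgroup computer.
#   -Stage Request : write the CertReq .inf file and create the request (steps 3-4)
#   -Stage Verify  : after step 8, check the certificate installed in LocalMachine\My
param(
    [ValidateSet('Request', 'Verify')]
    [string] $Stage   = 'Request',
    [string] $Fqdn    = 'wkg-srv.mycompany.com.vn',   # workgroup server name used on this page
    [string] $WorkDir = 'C:\OpsMgrCert'               # hypothetical working folder
)

function New-OpsMgrCertRequest {
    param([string]$Fqdn, [string]$WorkDir)
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $infPath = Join-Path $WorkDir 'RequestConfig.inf'
    $reqPath = Join-Path $WorkDir 'CertRequest.req'
    # Step 3: the subject must be the FQDN the management server uses for this agent.
    # Exportable = TRUE mirrors the page's "Mark key as exportable"; KeyLength is an assumption.
    $inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    # Step 4: the private key is generated here and stays in the machine store.
    & certreq.exe -new $infPath $reqPath | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $reqPath
}

function Test-OpsMgrCertificate {
    param([string]$Fqdn)
    $required = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # server auth, client auth
    $certs = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn }
    foreach ($cert in $certs) {
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        # Build the chain without revocation checks: a workgroup machine often
        # cannot reach the CA's CRL, but the root must still be trusted (step 2).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            HasBothEkus   = -not ($required | Where-Object { $ekus -notcontains $_ })
            NotExpired    = (Get-Date) -lt $cert.NotAfter
            ChainTrusted  = $chain.Build($cert)
        }
    }
}

switch ($Stage) {
    'Request' {
        $req = New-OpsMgrCertRequest -Fqdn $Fqdn -WorkDir $WorkDir
        Write-Host "Request written to $req"
        # Steps 5-7, on a machine that can reach the CA (placeholders in angle brackets):
        #   certreq -submit -config "<CAHost>\<CAName>" CertRequest.req
        #   certreq -retrieve <RequestId> wkg-srv.cer     (after the CA admin approves it)
        # Step 8, back on the workgroup computer:
        #   certreq -accept wkg-srv.cer
    }
    'Verify' { Test-OpsMgrCertificate -Fqdn $Fqdn | Format-List }
}
```

Every property in the Verify output should be True before continuing with step 9; if the stage prints nothing, no certificate with that subject name is in the local computer's Personal store.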
I found the steps from the below article:
Make sure your USB stick is big enough to accommodate the Windows 7 installation bits. And here below is the summary of steps and output on my own machine:
Microsoft DiskPart version 6.1.7054
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: MY-PC
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 37 GB 0 B
Disk 1 Online 189 GB 5120 KB
Disk 2 Online 15320 MB 0 B
DISKPART> select disk 2
Disk 2 is now the selected disk.
DISKPART> clean
DiskPart succeeded in cleaning the disk.
DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
DISKPART> select partition 1
Partition 1 is now the selected partition.
DISKPART> active
DiskPart marked the current partition as active.
DISKPART> format fs=ntfs
100 percent completed
DiskPart successfully formatted the volume.
DISKPART> assign
DiskPart successfully assigned the drive letter or mount point.
C:\Windows\system32>e: (E: drive is where the Windows 7 installation bits are located)
Volume in drive E is GRC1CULFRER_EN_DVD
Volume Serial Number is F0D7-C053
Directory of E:\boot
03/22/2009 08:37 PM <DIR> .
03/22/2009 08:37 PM <DIR> ..
03/22/2009 08:37 PM 262,144 bcd
03/22/2009 08:37 PM 3,170,304 boot.sdi
03/22/2009 08:37 PM 1,024 bootfix.bin
03/22/2009 08:37 PM 97,280 bootsect.exe
03/22/2009 08:37 PM <DIR> en-us
03/22/2009 08:37 PM 4,096 etfsboot.com
03/22/2009 08:37 PM <DIR> fonts
03/22/2009 08:37 PM 484,928 memtest.exe
6 File(s) 4,021,240 bytes
4 Dir(s) 0 bytes free
E:\boot>bootsect.exe /NT60 G:
Target volumes will be updated with BOOTMGR compatible bootcode.
Successfully updated NTFS filesystem bootcode.
Bootcode was successfully updated on all targeted volumes.
If "could not be locked" & “Access denied” error happens, try this command: bootsect.exe /NT60 G: /force
Then copy all files from DVD to USB, and there you go!
* OpsMgr 2007 R2 on Windows 2003 setup steps guide download (6.7 M)
* Use Server Manager, Add Features, and under ".NET Framework 3.5.1 Features" select ".NET Framework 3.5.1"
* Install SQL 2008 Std x64, select Database Engine Services & Reporting Services (no SQL Server Replication, no Full-Text Search, no Analysis Services), then update to SP1. Use a domain account (such as MYCOMPANY\svcacct) for running SQL services. If you get this error "No mapping between account names and security IDs was done" then you might not have selected the "Generalize" checkbox when running Sysprep.
* Use Server Manager, add "Web Server" role. The following Web Server Role Services should automatically be selected: Static Content, Default Document, Directory Browsing, HTTP Errors, Request Filtering. Click to select additional Role Services: ASP.NET, .NET extensibility, ISAPI Extensions, ISAPI Filters, Windows Authentication, IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility.
* Install AJAX Extension 1.0 for ASP.NET 2.0 (for WebConsole Health Explorer)
* NOTE: If SQL 2008 R2 is used, please use this setup guide http://support.microsoft.com/kb/2425714. Make sure to read this section first: "High level steps for a new installation". The tool DBCreateWizard.exe can be found in the <SCOM Installation Media>\SupportTools\AMD64 folder.
* Install Operations Manager 2007 R2 - Management Server Action Account: MYCOMPANY\svcacct (the account used for agent push installation)
* Install Operations Manager 2007 R2 Reporting - Start SQL Reporting service - Data Warehouse Write Account & Data Reader Account: MYCOMPANY\svcacct
* Manual agent installation on managed servers:
- Servers to be managed often have a personal firewall, so manual agent installation is the easiest way.
- To allow agent manual install, in OpsMgr console, click the Administration tab, Settings node, then Security item, Properties, and choose "Review new manual agent installation in pending management view" if it has not been selected.
- Copy the Agent folder (found in the OpsMgr installation media) to the servers to be managed, and launch "MOMAgentInstaller.exe"
- In OpsMgr console, Admin tab, Pending Management node, approve the manual agent installation requests.
============= Exchange Servers monitoring
- By default, after the agents are installed on Exchange servers, these servers are still not discovered and displayed in the SCOM console until we do some Override.
* Enable Proxy for Agents on Exchange servers
* Download and install some typical Management Packs:
- Windows Server Base OS System Center Operations Manager 2007 MP.msi
- Active Directory Operations Manager 2007 MP.msi
- Exchange Server 2007 Operations Manager 2007 R2 MP.msi
* In Authoring/Management Pack Objects/Object Discoveries, override the following (change the Disabled to Enabled, change the discovery frequency to 120 sec):
- Exchange 2007 CAS Role Discovery
- Exchange 2007 CCR Clustered Mailbox Server Role Discovery?
- Exchange 2007 CCR Node Role Discovery?
- See also: this article for Exchange 2010.
* To enable External OWA synthetic transaction monitoring:
- On DNS, create CNAME mail.mycompany.com.vn pointing to the Exchange CAS server.
- On Exchange CAS: Open IIS MMC, select Server node, create Domain Certificate, set common name and friendly name to mail.mycompany.com.vn; select "Default Web Site" node, Binding, delete existing SSL binding, create a new one, and associate the newly created SSL certificate with it.
- On Exchange CAS MMC, set both internal and external OWA virtual directories to https://mail.mycompany.com.vn/owa, run New-TestCasConnectivityUser.ps1, then Test-OwaConnectivity.ps1
* To see incoming emails with a specific subject from a Management Server:
- Authoring tab, create a "command line" task for Exchange Hub Transport servers, Full Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Parameters: -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command "Get-MessageTrackingLog -EventID 'RECEIVE' -MessageSubject 'test email' | fl Timestamp, Sender, Recipients, MessageSubject"
- Monitoring tab, Exchange group, Hub Transport node, Hub Servers State, click the newly created task on Action pane
* OpsMgr 2007 R2 overview slide download
* OpsMgr 2007 R2 introduction labs video download (12M)
01.Importing Mgmt Pack .e.3m.avi
02.Creating n using Views.e.4m.avi
03.Creating n using Tasks.e.6m.avi
04.Monitor_Override_Simple_Event.e.6m.avi
05.Monitor_Override_IIS_Performance.e.7m.avi
06.Creating_IIS_Perf_Rule.e.6m.avi
07.Web_Console.e.4m.avi
08.Role-based Security.e.7m.avi
+++++++++++++++++++++++++++++++ External links ++++++++++++++++++++++++++++++++++++++++++++++++++
* Monitoring Exchange 2010. Part 2
* How to test notification settings after you configure e-mail notifications for a recipient or for a subscription in Operations Manager 2007
* How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
* How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
* Creating Graphical Reports for Exchange 2007 (Part 1)
* Configuring the Native Exchange 2007 MP for OpsMgr 2007 R2 (Part 1)
* Why do my group memberships for Windows Computers have machines that don't belong there? There is a relationship in this MP that we need to disable.
* Logical disk space monitoring
* 2006.03 Exchange 2003 DR with NtBackup step by step demo (PowerPoint format) download (17M)
This was done on a single server with AD, DNS and Exchange 2003 installed
================ Demo 1: Backup best practices
- Important: System State backup first, then "First Storage Group" data (separately)
- IIS, local computer, "Backup/Restore config" --> system32\inetsrv\MetaBack folder
- First Storage Group, deselect "circular logging"
- Mailbox store, Limits tab, Deletion settings, "Keep deleted items" from 7 to 30, "Keep deleted mailboxes" unchanged, and select "Do not permanently delete mailboxes and items until the store has been backed up"
================ Demo 2
2a. Recover a mistakenly deleted mailbox
+ Mailboxes, Run Clean Up Agent
+ Mailbox Recovery Center, Add Mailbox Store, select the deleted mailbox, Find Match, Reconnect
Note: if mailbox is deleted & purged --> unavailable in "Mailbox Recovery Center" & "Recovery Storage Group" cannot connect to the original DB --> alternate server is needed to restore
2b. Recover mistakenly deleted email messages
+ Create Recovery Storage Group
+ Recovery Storage Group/ Add database to Recover/This DB can be overwritten by a restore
+ Restore Exchange mailbox data using ntbackup, enter temp folder, and check "Last Restore Set", Mount, Refresh
+ Select the mailbox, Recover Mailbox Data option, Merge, Outlook will auto sync
============== Demo 3: Recovering a corrupted Mailbox Store (using DIAL TONE databases)
+ in First Storage Group, dismount Mailbox store
+ rename priv1.edb & stm to Corrupted.edb & stm
+ remount Mailbox store, a new & empty priv1.edb & stm (dial tone databases) will be created and linked with "Recovery Storage Group"
+ in Outlook, old messages can still be seen (due to Cached mode)
+ close and reopen Outlook, "Recovery Mode" message appears, Outlook is now empty, send a new message
+ Recovery Storage Group, dismount Mailbox store, set "overwritten" flag
+ use NtBackup to restore. Note that with "Recovery Storage Group", only Mailbox store can be recovered, not the Storage Group
3a. Option 1: use "Recover Mailbox Data" or EXMERGE (will take hours with large DBs)
3b. Option 2: Swap databases (to move small dial tone data to the recovered DBs)
+ dismount Mailbox store in both "First Storage Group" and "Recovery Storage Group"
+ use "Windows Explorer" to swap edb & stm files between "MDBDATA" & "Recovery Storage Group" folders, Remount
+ Outlook will auto display message asking to restart Outlook, old messages reappear, new (dial tone) message cannot be seen
+ continue with Option 1, and use EXMERGE to merge dial tone messages on all mailboxes
============= Demo 4: Replacing an Exchange server
+ Basic installation of Windows with same version, edition, patch level on same volume & path & identical hardware
+ Restore System State (AD database will also be restored, if Exchange shares same server with DC, but SHORTCUTS to AD tools not restored)
+ restart, System Log will display some errors relating to Exchange services
+ run dsa.msc to open "AD Users & Computers", all users (without Mailbox properties) will be shown
+ Exchange setup /DisasterRecovery switch
+ NtBackup to restore Mailbox data
============= Demo 5: Alternate server recovery
+ Relatively identical hardware, different AD forest, AD+DNS+Exchange can be on a single server
+ Same settings required: Org, Admin group, Storage group, DB name, LegacyExchangeDN (AD setting)
+ Alternate server: ldifde -f recovery.ldf, open, search legacyExchangeDN text (should be the same as existing server)
++ do not create & use "Recovery Storage Group"
++ dismount Mailbox store, set "overwritten" flag
++ use Ntbackup to restore mailbox & log data (NOTE: AD info not selected), remount store
++ ADUC, no users are shown
++ Mailbox store, refresh. Mailboxes will be shown (but still orphan, because no associated AD users), "Run Cleanup Agent"
++ "Mailbox Recovery Center", add "Mailbox Store", select mailbox, "Find Match" --> no result, Export, deselect "userAccountControl", user will be shown in ADUC, "Find Match" again successfully, Reconnect
++ use EXMERGE (make sure the running account has Domain Admin, Send As & RunAs permission), Extract/Import option, step 1 (Extract) to export data of that user to a PST file, copy that PST back to the production server, and use EXMERGE again to import
Recently I noticed the following error in the Application Event log:
Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58
Description: The operation timed out.
Followed immediately by:
Event Type: Information
Event Source: GetEngineFiles
Event Category: General
Event ID: 2017
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Description:
Forefront Server Security has rolled back a scan engine.
Scan Engine: Kaspersky5
This was happening every 5 minutes after Event ID 2034, which reports that Microsoft Forefront Server Security is attempting a scan engine update of the Kaspersky5 scan engine.
To solve this error make the following change to the registry on the server running Forefront:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
(Note for 32bit Exchange: the path is HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server)
Note: You do not have to restart Forefront Server services or Exchange Server services after you change this registry entry.
Now perform a manual scanner update in Forefront:
Check the Application event log to ensure that the scan engine has updated properly (Event ID 2012).
Source: http://social.technet.microsoft.com/Forums/en-US/sharepointgeneral/thread/09d6222b-1106-4a92-8516-0660e698a4db/ Courtesy: Jimmy Patel
* Exchange 2010 tech overview slide download (6M)
* UPDATE: Exchange 2010 SP1 typical installation on a single Windows Server 2008 R2 Std SP1 domain controller
The prerequisites can be installed using the following PowerShell commands:
Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
Then install Microsoft Office 2010 Filter Packs from http://go.microsoft.com/fwlink/?LinkID=191548
Outlook 2010 60-day evaluation can be downloaded from here (and can be used for 30 days without having to activate).
Typical deployment steps (in PowerPoint format) can be downloaded here (8 MB).
* Exchange 2010 RTM typical installation on a single Windows Server 2008 R2 Std domain controller:
NOTE: If you use the WS08R2 Server Manager GUI to install IIS and W3SVC... you may still receive errors saying that the metabase database cannot be accessed. The solution is to use PowerShell scripts to install those prerequisites as described in http://technet.microsoft.com/en-us/library/bb691354(EXCHG.140).aspx
Summary of the steps:
- Download and install Office 2007 System Converter: Microsoft Filter Pack from http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC&displaylang=en
- Right click Start/Accessories/Windows PowerShell/PowerShell, Run As Admin, and execute the following 3 commands:
+ Import-Module ServerManager
+ Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
+ Set-Service NetTcpPortSharing -StartupType Automatic
and then you can run setup. It took me 20min on my laptop.
Keep in mind that "setup /prepareAD" will be performed automatically and then no Exchange 2007 can be added.
* Exchange 2010 Editions and Product Keys (source: http://technet.microsoft.com/en-us/library/bb232170.aspx)
Enterprise Edition can scale to 100 databases per server; Standard Edition is limited to 5 databases per server. These are licensing editions that are defined by a product key. When you enter a valid license product key, the supported edition for the server is established.
Product keys can be used for the same edition key swaps and upgrades only; they can't be used for downgrades. You can use a valid product key to move from the evaluation version (Trial Edition) of Exchange Server 2010 to either Standard Edition or Enterprise Edition. You can also use a valid product key to move from Standard Edition to Enterprise Edition
* Exchange 2007 typical pre-setup steps
- Raise Domain to Native mode (in AD Domains and Trusts)
- Install DotNet framework 2.0 SP1 (Dot.NET Framework 2.0 SP1 -32b- NetFx20SP1_x86.exe)
- Install the TimeZone fix (TimeZone fix - 32b - WindowsServer2003-KB933360-x86-ENU.exe)
- Install PowerShell (for example PowerShell WindowsServer2003.WindowsXP-KB926139-v2-x64-ENU.exe for the 64 bit environment)
- Run Ex 2007 SP1 setup, Typical; Org Name: My Company; remember to choose to support Outlook 2003, and ignore the SMTP/Send Connector warning
- Restart
* Exchange 2007 Edge pre-setup steps
- Install DotNet framework 2.0 SP1 (Dot.NET Framework 2.0 SP1 -32b- NetFx20SP1_x86.exe)
- Install the TimeZone fix (TimeZone fix - 32b - WindowsServer2003-KB933360-x86-ENU.exe)
- install ADAM SP1 (ADAMSP1_x86_English.exe)
- enter DNS suffix for computer name (My Computer Properties) --> for example, HN-EDGE-01.mycompany.com.vn
* To register Exchange 2007 roles with Security Configuration Wizard (SCW)
CD C:\WINDOWS\security\msscw\kbs
copy "c:\program files\microsoft\exchange server\scripts\*.xml" (to copy Exchange2007.xml, Exchange2007Edge.xml, Exchange2007Edge_WinSrv2008.xml, Exchange2007_WinSrv2008.xml)
scwcmd register /kbname:MSExchange2007 /kbfile:exchange2007.xml
scwcmd register /kbname:Ex2007EdgeKB /kbfile:Exchange2007Edge.xml
* Start Outlook 2003
* Clicking Send/Receive in Outlook --> 8004010F Exchange object not found
- Exch 2003: Exchange System Mgr, Recipients, Offline Address Lists, right click Default Offline Address List, Rebuild
- Exch 2007: Org Config/Mailbox/Offline Address Book, Update (watch the Status bar for task completion). Then go to Server Config/Mailbox/First Storage Group/Mailbox DB/Properties/Client Settings: browse to enter 'Default Offline Address List'
- Close, and reopen Outlook
* Create mailboxes for director1, manager1, staff1, staff2; send a welcome message
* OWA publishing:
- hn-srv-01, IIS Mgr, Default WebSite, Directory Prop, View Cert, Copy To, Export private key+Cert chain
- ISA-Server: MMC, Computer Cert, Import cert to Personal folder
- ISA-Server: Publish Exchange Web rule, Exchange 2007, SSL, internal name: www.mycompany.com.vn
- Internet: MMC, Computer Cert, Import hn-srv-01 root cert to Trusted Root folder
* IMPORTANT: OWA from Internet requires logging on 2 times --> Server Config/Client Access/OWA/Authentication tab: change from "Use form-based" to "Use one or more", Basic, then iisreset /noforce
* OWA from Internet machine: Revocation information for the security certificate for this site is not available
--> Resolution 1: Uninstall the "IE Advanced Security"
--> Resolution 2: http://support.microsoft.com/kb/308087 - Wrong Message Appears When You Visit a Secure Web Site Whose CDP Is Unavailable
IE/Tools/Options/Advanced, Security: uncheck "Check for server certificate revocation (requires restart)"
* Outlook Anywhere:
- ISA-Server: add one path to the OWA rule: /rpc/*
- hn-srv-01: Server Config/ Client Access/ right click hn-srv-01 /Enable Outlook Anywhere (external host: www.mycompany.com.vn)
- hn-srv-01: need to wait 15min (check in app event log)
  Event Source: MSExchange RPC Over HTTP Autoconfig, EventID: 3006,
  The Outlook Anywhere feature has been enabled. The ValidPorts registry setting has been modified to reflect this change.
  New value: HN-SRV-01:6001-6002;HN-SRV-01:6004;hn-srv-01.mycompany.com.vn:6001-6002;hn-srv-01.mycompany.com.vn:6004
- Test for all users
* Disable Screen Saver for all users on Client02
* Client02: Display\Themes\Browse to use the built-in Luna.theme at C:\WINDOWS\Resources\Themes, background: Azul(need to start the Theme service first)
* Install ForeFront for Exchange SP1, run SCW
* To configure AntiSpam agent (Content Filtering) on the Hub Transport
SOURCE: Book Online: mk:@MSITStore:C:\Program%20Files\Microsoft\Exchange%20Server\bin\exchhelp.chm::/html/5683549a-4f48-429d-b353-cc2b7c784e29.htm
- close Exchange Mgmt Console
- Open "Exchange Management Shell", change to "C:\Program Files\Microsoft\Exchange Server\Scripts" and type ".\install-AntispamAgents.ps1", then restart "Exchange Transport" service
- Set-OrganizationConfig -SCLJunkThreshold:9
- launch Exchange Mgmt Console
- For demo purpose: Org Config/Hub Transport/AntiSpam: turn off 'Content Filtering'
* Room Mailbox Auto Accept setting: Set-MailboxCalendarSettings MeetingRoom2 -AutomateProcessing:AutoAccept
* To receive mails from Internet, on Exchange 2007 MMC:
. Server Config/Hub Transport/Manage Hub Transport/Receive Connectors/<Default SERVERNAME>/Props, Permission Groups and select "Anonymous users" (Note: do not select <Client SERVERNAME> receive connector)
- Publish SMTP Server thru ISA (Publish Mail Servers command, server to server comm)
* To send mails to Internet:
. Org Config/Hub Transport/Send Connectors/Create New Send Connector. Name: 'My SMTP Send Connector to Internet', Intended use: Internet. Add Address Space: Address: *, 'Use DNS MX...', no need to select 'Use external DNS on Transport server' (whose settings can be configured in Server Config/Hub Transport/hn-srv-01/Prop/External DNS lookups)
- In ISA, 'Create Access Rule' command to allow outgoing SMTP, DNS
* To allow OWA users to open File Shares:. Server Config/Client Access/owa/Prop/Remote File Servers/Allow: enter 'hn-srv-01'
* /AccountingWeb/*, /hrWeb/*, /ResetPwdWeb/* --> in HN-SRV-01/IIS Mgr, folder prop, DirSec, Auth: change to Basic
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
. Enroll RMS
. Activate RMS (MS Word, Restricted Permission As...) for all users in HN-SRV-01 & CLIENT02
. Create test RMS-protected doc on \\hn-srv-01\shared\reports
- Copy sample virus files to all machines
- ForeFront set to 2 engines (Kaspersky & Sophos) for (Transport/Realtime/Manual scan)
- create ISA rule for EAS
- Ex 2007 console: modify device policy to enforce device password
- server config/client access/EAS: add hn-srv-01 to Allow List
- create shared doc for accessing from within OWA and Windows Mobile
************************ OTHER INFO *************************************
* Group Policy not processed at Client01: Source: Userenv Event ID: 1053, test using netdiag and dcdiag, then restart hn-srv-01
* Error Code: 404 Not Found. The requested item could not be located. (12028) --> Resolution: run SCW on hn-srv-01 again
* Security Configuration Wizard (SCW) Update for Internet Security and Acceleration (ISA) Server 2006 Standard Edition and Enterprise Edition
http://www.microsoft.com/downloads/details.aspx?familyid=2748A927-BD3C-4D87-80FA-8687D5E2AB35&displaylang=en
************** RPC/HTTP EXCHANGE 2003 + DC CO-LOCATED SETUP BEGIN **************
* hn-srv-01, Exch System Mgr, RPC/HTTP tab, back end server, OK, OK, do not reboot
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
  "Enabled"=dword:00000001
  "ValidPorts"="hn-srv-01:6001-6002;hn-srv-01.mycompany.com.vn:6001-6002;hn-srv-01:6004;hn-srv-01.mycompany.com.vn:6004;"
* configure RPC folder in IIS, basic auth, SSL required
* ISA-Server: create RPC path in OWA publishing rule
* Outlook RPC/HTTP on client (on public Internet) will virtually work immediately.
* Restart hn-srv-01 to make sure the changes are in effect
* user staff1 initially cannot be used with RPC/HTTP. Reason: Outlook Profile/Connection Tab/Use HTTP... check box is not selected. Resolution: Delete Windows profile for staff1
************** RPC/HTTP EXCHANGE 2003 + DC CO-LOCATED SETUP END **************
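The ValidPorts value shown in this section (and the one Exchange 2007 writes when Outlook Anywhere is enabled, per Event ID 3006 above) defines which server:port pairs the RPC proxy may reach, so it is worth checking that it lists only the intended hosts and ports. The script below is an added example, not part of the original notes; the function names are hypothetical and the extra `hn-srv-01:100-5000` entry in the sample is constructed to show what an overly broad range looks like.

```powershell
# Added example (not from the original page): check an RpcProxy ValidPorts string
# against the back-end servers and ports the RPC proxy is expected to reach.
function ConvertFrom-ValidPorts {
    param([Parameter(Mandatory = $true)][string]$Value)
    foreach ($entry in ($Value -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }          # trailing ';' yields an empty item
        if ($entry -match '^(?<server>[^:]+):(?<first>\d+)(-(?<last>\d+))?$') {
            $first = [int]$Matches['first']
            $last  = if ($Matches['last']) { [int]$Matches['last'] } else { $first }
            New-Object PSObject -Property @{
                Entry = $entry; Server = $Matches['server']
                First = $first; Last = $last; Parsed = $true
            }
        } else {
            New-Object PSObject -Property @{
                Entry = $entry; Server = $null; First = $null; Last = $null; Parsed = $false
            }
        }
    }
}

function Test-ValidPorts {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [Parameter(Mandatory = $true)][string[]]$AllowedServers,
        [int[]]$AllowedPorts = @(6001, 6002, 6004)   # the ports listed on this page
    )
    foreach ($e in (ConvertFrom-ValidPorts -Value $Value)) {
        $issues = @()
        if (-not $e.Parsed) {
            $issues += 'cannot parse entry'
        } else {
            # -notcontains compares strings case-insensitively (HN-SRV-01 = hn-srv-01)
            if ($AllowedServers -notcontains $e.Server) { $issues += 'unexpected server name' }
            if ($e.Last -lt $e.First) {
                $issues += 'reversed port range'
            } else {
                $extra = @(($e.First)..($e.Last) | Where-Object { $AllowedPorts -notcontains $_ })
                if ($extra.Count -gt 0) {
                    $issues += "$($extra.Count) port(s) outside the expected set"
                }
            }
        }
        New-Object PSObject -Property @{
            Entry = $e.Entry; Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ')
        }
    }
}

# ValidPorts value from this page plus one constructed entry (hn-srv-01:100-5000).
$sample  = 'hn-srv-01:6001-6002;hn-srv-01.mycompany.com.vn:6001-6002;' +
           'hn-srv-01:6004;hn-srv-01.mycompany.com.vn:6004;hn-srv-01:100-5000;'
$servers = 'hn-srv-01', 'hn-srv-01.mycompany.com.vn'

Test-ValidPorts -Value $sample -AllowedServers $servers |
    Format-Table Entry, Ok, Issues -AutoSize

# On the RPC proxy server itself, read the live value instead of the sample:
# $live = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts
# Test-ValidPorts -Value $live -AllowedServers $servers
```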
* publish hrweb, accountingweb, pwdresetweb: Basic auth, require SSL in IIS, Form Based auth in ISA
Error Code: 500 Internal Server Error. The target principal name is incorrect. (-2146893022) --> Resolution: rule prop, To tab, This rule applies to this published site: enter 'www.mycompany.com.vn', Path tab, change from "/hrWeb" to "/hrWeb/*"
* disable: System Event Notification (sens) on hn-srv-01
* Edge Subscription
- IP: 220.127.116.11, DNS: 18.104.22.168
- ISA 2006 Std between Hub and Edge servers
- In the Edge server: configure FQDN name
- Install the pre-requisites, then Ex 2007 Edge role
- CD C:\WINDOWS\security\msscw\kbs; copy "c:\program files\microsoft\exchange server\scripts\*.xml"; scwcmd register /kbname:Ex2007EdgeKB /kbfile:Exchange2007Edge.xml; Run Security Configuration Wizard
- Create a record in HOSTS file, pointing to the external NIC of ISA server: 22.214.171.124 hn-srv-01.mycompany.com.vn
- In HN-SRV-01, DNS, create a record for Edge: 126.96.36.199 hn-edge-01.mycompany.com.vn
- In ISA: allow outgoing DNS/SMTP and a custom protocol 50636 (Edge Sync) TCP only from Internal to External
- From Hub, telnet hn-edge-01.mycompany.com.vn 25
- From Hub, telnet hn-edge-01.mycompany.com.vn 50636
- In ISA: publish SMTP server of the Hub
- From Edge: telnet hn-srv-01.mycompany.com.vn 25
- In Edge, Exchange Shell: New-EdgeSubscription -filename c:\edgesub.xml
- In Hub, New Edge Subscription
- No need to modify the Hub, including Anonymous user support in Default Receive connector, and Smart Host (--) in the "Edge Sync - Inbound to Default-First-Site-Name"
- From ISP, email to email@example.com, in Edge Queue Viewer, error: 500 5.5.1 Unrecognized command. Solution: disable SMTP filter (Configuration/Add-in) in ISA. More info: Message Queue on an Edge Transport Server with 500 5.1.1 Unrecognized Command Error, and How to Add SMTP Verb Commands to ISA Server 2006
* ForeFront Protection 2010 for Exchange
- Prerequisites: MSXML 6.0, dotnet framework 3.0, dotnet framework 3.0 SP1
- Sample EICAR virus string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Sample GTUBE string for spam email testing (from http://spamassassin.apache.org/gtube/):
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
* 03 physical machines:
Note: the guide is to illustrate the concepts only so it may not follow the best practices & guidance.
Part 1. DC-SC domain promotion, VMM and SSP installation steps
1. Win 2008 R2 with SP1
 - Activate
 - Rename to DC-SC
 - Set ip (192.168.1.1) and time zone
 - Promote to DC
 - install SQL 2008 DB, update to SP1
2. Install SCVMM 2008 R2 and console, choose to use a supported version of SQL, and choose to create a new database (ports 8100, 80, 443)
3. To install SSP 2.0 portal on the DC-SC
3.a. Prerequisites installation:
3.a.1. MSMQ server installation on the DC
 AD Users & Computers, View/Advanced Features, select Domain Controller server, prop, Security, Advanced, Add, (type) NETWORK SERVICE (Check Names), and tick Allow box for "Create MSMQ Configuration object", then in Server Manager, Features, install MSMQ server & MSMQ directory svc integration
3.a.2. Install IIS 7 role, check ASP.NET, Win Auth and IIS 6 MetaCompat
3.b. SSP installation:
 - Database server: DC-SC
 - account for server component: svcacct (needed to be a member of local admins, or username/pwd incorrect err msg will appear)
 - list of data center admins: mycompany\administrator
 - application pool's identity: svcacct
3.c. To open SSP portal: http://DC-SC, and add this site to Trusted Zone
3.d. SSP initial config:
 - Settings/DataCenter mgmt, Configure Data Center resources, VMMServer: DC-SC.mycompany.com.vn; click Add Network, enter ProdLAN in both "Network Name" and "Hyper-V Network Name" boxes, click Submit; AD domain: mycompany.com.vn; Env: My Demo Environment
 - Settings/VM Templates, Import templates, will not see any VMM server to search. Remedy: in VMM 2008 R2 console, Administration tab, User Roles, Administrator, properties, Members: add svcacct to that role
4. Virtual storage on the DC-SC
 - install MS iSCSI Software Target 3.3.16554
 - right click iSCSI Targets, Create iSCSI Target, name PRIVATE-CLOUD. In iSCSI Initiators Identifiers screen, click Advanced, Add, choose IP Address, enter 192.168.1.11 then 192.168.1.12 and say Yes when asked to allow multiple initiators.
 - right click Devices, Create Virtual Disk, File: c:\VHD\quorum.vhd, size 1000 MB (1G), desc: Quorum, Access: PRIVATE-CLOUD.
 - repeat for storage01.vhd and storage02.vhd, size 45000 MB (45G) each
Part 2. Node1 & Node2 installation
1. WS08R2 wSP1
 - activate
 - rename to NODE1, NODE2
 - Rename network card name to NIC, set IP (192.168.1.11 & 12) and Time Zone
 - install HyperV role
 - create a Virtual Network named "ProdLAN", connect to External (a physical NIC), and remember to check "Allow management OS to share this NIC" (On real servers with multiple NICs, this box does not need to be checked)
 - In "Network Connections", switch to Detailed View, and rename the newly-created connection to ProdLAN. Check the NIC properties (only Microsoft Virtual Network Switch is checked, and IPv4 is not checked). Check the ProdLAN properties (now IPv4 is 192.168.1.11 & 12)
2. Connect to the shared storage
 - In NODE1, Control Panel/iSCSI initiator, choose service auto start, Target: 192.168.1.1, click Quick Connect, status should be Connected. Click "Volume and Devices" tab, click "Auto Configure", there should be 3 volumes listed.
 - In NODE1, Server Manager, Storage, Disk Mgmt: bring online and initialize 03 new disks. Create and format volume named Quorum for the quorum disk and assign Q: drive letter. Create and format Storage01 and Storage02 but choose "Do not assign a drive letter…" option (new support in WS08R2)
 - In NODE2, iSCSI initiator as above, bring Online, and Change to Q: drive letter for quorum device
3. Cluster installation
 - NODE1: add Failover Clustering feature
 - NODE2: add Failover Clustering feature
 - NODE1: in Failover Cluster Manager, Validate a Configuration, Browse, select NODE1;NODE2, then choose Run All Tests, takes 5 min, click View Report. There is a Warning sign in Network (IPConfig warning: no Default gateway info & Network Comm: Nodes are reached by only one pair of interfaces because only a single network card is used)
 - NODE1: Create a Cluster, Name: PRIVATE-CLOUD, IP: 192.168.1.51, takes 1 min, View Report, should be no warning/error. Quorum type should be: Node and Disk Majority (Cluster Disk 1). (The Quorum device is auto selected as Cluster Disk 1)
 - NODE1: Enable Cluster Shared Volumes, the c:\ClusterStorage will be auto created on both nodes. Click CSV node, Add storage, add Storage01 & 02. The Volume1 and Volume2 subfolders will be auto created in c:\ClusterStorage
Part 3. Live Migration testing - Using SCVMM to manage and deploy VMs
1. Create a VM template in SCVMM library
 - DC-SC, in SCVMM console: Add Host
 - NODE1: create or import a reference VM (the VM should be copied to C:\ClusterStorage\Volume1), 512 MB in memory, set Processor compatibility, networking, etc. You can test the Live Migration if needed.
   IMPORTANT: the reference VM (WS08R2) should use a fixed virtual disk of 15 GB. If the default dynamically expanding virtual disk (default size is 127 GB) is used, the portal will not be able to Create the VM due to insufficient storage.
 - DC-SC: in SCVMM console: Virtual Machines tab, right click ref VM, choose "New template" command (the source VM will be generalized (sysprep'ed) and deleted), Browse to select "\\dc-sc.mycompany.com.vn\MSSCVMMLibrary" as the Path
 - DC-SC: in SSP portal, Settings, Configure VM templates, Import templates, select DC-SC as Library server, MSSCVMMLibrary, then click Search, select the listed VM template, "Add Selected", Next and click "Submit Request"
2. Create infrastructure in SSP portal
 - Requests/Register business unit (sample data: CoreBankingUnit, CBU01, firstname.lastname@example.org, Administrators: mycompany\administrator, mycompany\staff1). Make sure to create staff1 and allow Domain Users to log on locally to DC-SC using the Default Domain Controllers Policy Group Policy. Click Requests again, and Approve.
 - Requests/Create Infrastructure Request: CoreBankingInfra, Expected Decommission Date, Memory: 1G, Storage: 45G, Next to "Service and Service Roles" page, CoreBankingService, My Demo Environment, Memory: 1G, Storage 45G, click "Request for Network", select ProdLAN and click Add, click "Add Service Roles", CoreBankingServiceRole, add ProdLAN, Save and Close, Next to "VM template" tab, select available VM template, Save and Close
 - Requests, select the Infra Request, click CoreBankingService, in Template Library section, click "Assign Library", select DC-SC as Library Server and MSSCVMMLibrary as Share, Submit, enter the same info for "Stored Virtual Machine Location" section, click Save and Close. Click CoreBankingService, click Save and Close. Click the selected VM template, click Save and Close, then click Approve.
3. Create BusinessUnitUser:
 - DC-SC, in SSP portal, click User Roles tab, select BUITAdmin, click View/Edit Member (both administrator and staff1 are included); Select BusinessUnitUser, View/Edit Members, select Business Unit, Infra, Service…, click Add Members, enter mycompany\staff2 (previously created), Save and Close
4. VM Provisioning: Request and Approve
 - Close the SSP portal
 - Shift + Right click IE, Run as different user, mycompany\staff1 (as BUIT admin), add http://DC-SC to Favorite Bar. Notice that the Settings tab is missing. Another way to change the user is to do it over Remote Desktop (need to Enable Remote Desktop in Computer Properties as well as to add Domain Users to the "Allow log on through Remote Desktop Services" Group Policy item and run gpupdate /force)
 - Click Virtual Machines tab, click Create virtual machine, enter 2 as the number of VM, enter "CloudDemo" as Computer Name and 001 as Index suffix, then Under Template, choose the desired template, click "View Properties" to make sure the Storage is under the 45G limit, then click Create
 - In Node1 HyperV Manager, CloudDemo001 will be created. In Node 2 HyperV Manager, CloudDemo002 will be created, and in Failover Cluster Manager/PRIVATE-CLOUD/Services and Apps node: SCVMM CloudDemo001 Resources and SCVMM CloudDemo002 Resources will be created.
Part 4. PRO Tips implementation
- Install SCOM 2007 R2 with default options (SQL 2008 Std wSP1 with just Database & Analysis engines)
- IMPORTANT: Install the SCOM Agent on NODE1, and NODE2 (note: add mycompany\svcacct to Domain Admins for Agent Push Installation to work)
- Import the required MPs for SCVMM integration
 + Windows Server Internet Information Services 2003
 + Windows Server Internet Information Services 2008
 + Windows Server Internet Information Services Library
 + SQL Server Core Library
To do that, download, install these files "Windows Server Base OS System Center Operations Manager 2007 MP.msi", "Internet Information Services MP.msi" & "SQL Server Operations Manager 2007 MP.msi" then import the above MPs.
- Insert SCVMM 2008 R2 media, select "Configure Operations Manager" option. This will ask to remove the SC VMM console. Once that is completed, select "Configure Operations Manager" option again. This will install the SC VMM console again and configure SCOM (add SCVMM MP to SCOM).
- Relaunch the SC VMM console, Administration tab, System Center, Operations Manager Server, and type SCOM server name
- In SC VMM console, click Diagram (2nd line from the top, right below the Menu bar) --> the respective SCOM Diagram View of the whole Private Cloud will be shown (Node1, Node2, VM1, VM2, etc...)
- In SC VMM console, right click Private-Cloud host, click PRO tab, deselect Inherit PRO settings... box, select "Enable PRO..." and "Automatically implement PRO tips"
- Open Admin Tools/Performance Monitor, delete all existing counters. Click Add, browse to select NODE1, then choose "Hyper-V Hypervisor Logical Processor - % Guest Run Time", click OK. Do the same for NODE2. Make the line bigger and of different colors.
- In VM1 and VM2, create and run cpubusy.vbs (Remember to right click, Open with Command Prompt). In HyperV Manager, CPU Usage will be around 48%, but in Task Manager of the host, it is still 0%. In performance monitor, the Guest Run Time lines will be around 50%
- Use SC VMM console Live Migration to move all VMs to NODE2 --> NODE2 HyperV will show 2 VMs, with the CPU usage of each VM at 48% (Task Manager: still 0%), and Performance Monitor counter for NODE2 will be around 99%, and counter for NODE1 will be around 1%.
- Wait a little and a PRO Tip will be displayed in SC VMM console as well as SCOM alert view. The PRO Tip will be also executed to automatically balance the VM load.
Appendix. cpubusy.vbs file content:
Dim goal
Dim before
Dim x
Dim y
Dim i
goal = 2181818
Do While True
  before = Timer
  For i = 0 to goal
    x = 0.000001
    y = sin(x)
    y = y + 0.00001
  Next
  y = y + 0.01
  WScript.Echo "I did three million sines in " & Int(Timer - before + 0.5) & " seconds!"
Loop
Part 5. SCVMM SSP Dashboard installation
- server name: DASHBOARD
- install ms.com Windows SharePoint Services 3.0 x64 wSP2, using the Advanced option, then Stand-alone,
- setup sql 2008 w sp1
- dashboard setup process
+ VMM SSP Dashboard screen. app pool identity mycompany\svcacct. DB server name: DC-SC (which is SSP server name). VMM SSP dbname: DITSC (fixed)
+ WSS 30 info screen. site owner: mycompany\administrator. SharePoint DB server name: DASHBOARD ("Session Database Name" will be auto created). accept the default URL which is http://dashboard:12345/
- How to Integrate Operations Manager with VMM 2008 R2 http://technet.microsoft.com/en-us/library/ee236428.aspx
-------------- to be continued