• Managing a Distribution Group membership from Outlook in Exchange 2010 and Exchange 2013

    In Exchange 2003 and Exchange 2007, to let a user manage distribution groups from Outlook we only had to set him as the distribution group owner, and he could then add and remove users from the D.G as needed.

    Starting with Exchange 2010 we no longer rely on ACLs for this; permissions are granted through RBAC (for more detail see my previous post).

    Now, if we do what we used to do, that is, assign a user as a Distribution Group owner

     

    and then try to modify the D.G membership from Outlook, this is the error you get

    One more thing: by default in Exchange 2013, a D.G created in the EAC is configured so that anyone can join or leave it without approval (its MemberJoinRestriction and MemberDepartRestriction properties are both Open; the New-DistributionGroup cmdlet, by contrast, defaults MemberJoinRestriction to Closed). While the group is Open, owner-controlled membership is meaningless, because every user can add or remove himself.

      

    You need to change this default to make a Distribution Group closed, or to require the owner's approval.

    For this blog, we’ll make the D.G closed.


    We either use an existing RBAC end-user role or, if the built-in role carries more permissions than we want to grant to end users, create a new one derived from it.

    To see which RBAC permissions end users are granted by default, look at the “Default Role Assignment Policy”

      

     As you can see, there is an RBAC role called “MyDistributionGroups” that is not included in the default policy.

    To see which cmdlets this role allows, run this PowerShell command

     Get-ManagementRoleEntry "MyDistributionGroups\*"

     

    From the output we can see that any user granted this role will be able NOT ONLY to manage Distribution Group membership, but also to change group properties and to create and remove D.Gs.

    In this blog we’ll focus on giving end users the same permissions they had when they were assigned as the D.G owner in Exchange 2003 and Exchange 2007: membership management only.

    For that, we create a custom RBAC role that has “MyDistributionGroups” as its parent by running this PowerShell command

    New-ManagementRole -Name "Enterprise Distribution Groups Management" -Parent "MyDistributionGroups"

     

    We now need to customize this RBAC role by removing the “extra” permissions that end users don't require.

    1. Prevent them from modifying the D.G properties. From PowerShell, run the command below

     Get-ManagementRoleEntry "Enterprise Distribution Groups Management\Set-*" | Remove-ManagementRoleEntry -Confirm:$false

     

    2. Prevent them from creating new D.Gs by running the command below

     Get-ManagementRoleEntry "Enterprise Distribution Groups Management\New-*" | Remove-ManagementRoleEntry -Confirm:$false

     

    3. Prevent them from removing D.Gs by running the command below. The entry is named explicitly rather than with a Remove-* wildcard, because the wildcard would also strip Remove-DistributionGroupMember, which is exactly the cmdlet Outlook needs to remove members

     Get-ManagementRoleEntry "Enterprise Distribution Groups Management\Remove-DistributionGroup" | Remove-ManagementRoleEntry -Confirm:$false

     

    Now check which permissions are left in this custom end-user role

     Get-ManagementRoleEntry "Enterprise Distribution Groups Management\*"

     

    As you can see, once this custom role is added to the “Default Role Assignment Policy”, users who are set as Distribution Group owners will only be able to manage the membership of their groups. The child role inherits the implicit scope of its parent, so it still applies only to groups the user owns.

    Now we need to add this role to the “Default Role Assignment Policy”

    Testing again from Outlook, you can now add and remove Distribution Group members as required
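    The whole procedure above collected into one Exchange Management Shell script, as an added example (this is not code from the original post): it closes the group, builds the trimmed role, refuses to publish it if anything other than membership management survived, assigns it to the default policy and lists what end users can now run. The group name Sales-DG is a placeholder; the role and policy names are the ones used above.

```powershell
# Added example, not from the original post. Assumes an existing distribution group
# (placeholder name below) and an Exchange 2010/2013 Management Shell session.
$ErrorActionPreference = 'Stop'
$GroupName = 'Sales-DG'                                        # placeholder
$RoleName  = 'Enterprise Distribution Groups Management'
$Policy    = 'Default Role Assignment Policy'

# 1. Close the group. An Open group lets any user join or leave on their own,
#    which makes owner-controlled membership meaningless.
Set-DistributionGroup $GroupName -MemberJoinRestriction Closed -MemberDepartRestriction Closed

# 2. Child role of MyDistributionGroups (inherits its implicit "groups I own" scope).
if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $RoleName -Parent 'MyDistributionGroups' | Out-Null
}

# 3. Strip property changes, group creation and group deletion. Remove-DistributionGroup
#    is named explicitly: a Remove-* wildcard would also take Remove-DistributionGroupMember.
foreach ($pattern in 'Set-*', 'New-*', 'Remove-DistributionGroup') {
    Get-ManagementRoleEntry "$RoleName\$pattern" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false
}

# 4. Do not publish the role if anything beyond membership management is left.
$left = Get-ManagementRoleEntry "$RoleName\*" | Select-Object -ExpandProperty Name
$unexpected = $left | Where-Object { $_ -match '^(New|Set|Remove)-' -and $_ -ne 'Remove-DistributionGroupMember' }
if ($unexpected) { throw "Role still contains: $($unexpected -join ', ')" }

# 5. Publish to every mailbox that uses the default policy.
if (-not (Get-ManagementRoleAssignment -Role $RoleName -RoleAssignee $Policy -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $RoleName -Policy $Policy | Out-Null
}

# 6. Review: every group-related cmdlet an end user on the default policy can now run.
Get-ManagementRoleAssignment -RoleAssignee $Policy |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Where-Object { $_.Name -like '*DistributionGroup*' } |
    Sort-Object Name -Unique | Format-Table Role, Name -AutoSize
```

    Step 4 is the check worth keeping: it turns a silent "I forgot one wildcard" into a hard stop before the role reaches every mailbox in the organization.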

    Ghazi Boufaden from NEPA PFE team.

     

  • Create a Custom Admin Role for Exchange using RBAC

    Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2010/2013. With RBAC, you don't need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

    RBAC enables you to control, at both broad and granular levels, what administrators and end-users can do. RBAC also enables you to more closely align the roles you assign users and administrators to the actual roles they hold within your organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. In Exchange 2010/2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

    In this Blog I’ll walk you through the creation of a custom Role Group “Admin1” that has to perform the tasks below

     

    Admin1

    Recipient management
    • Create mailboxes
    • Create distribution lists
    • Create contacts
    • Move mailboxes

    View-only access to the overall organization

    Message tracking

    Database switchover management
    • Mount/dismount databases
    • Update/suspend/resume database copies
    • Check database copy status
    • Switchover/failover databases

    Mailbox import/export

    Procedure

    1. Create two management roles for “Admin1” that allow its members to:

    • Mount/Dismount databases

    • Update/Suspend/resume databases copies

    • Check databases copies status

    • Switchover/Failover databases

       

    a. Create a management role with the same permissions as the built-in “Database Copies” role, using the following command

    New-ManagementRole -Name "Admin1_Database_Copies" -Parent "Database Copies"

    b. Remove the role entries that the Admin1 group does not need with the command below, replacing Cmdlet with the name of the cmdlet to remove

    Get-ManagementRoleEntry "Admin1_Database_Copies\Cmdlet" | Remove-ManagementRoleEntry

    c. Repeat step b until all the unnecessary cmdlets are removed

    d. Check the entries left in the management role with the following command

    Get-ManagementRole "Admin1_Database_Copies" | Get-ManagementRoleEntry

    Note: make sure only the entries shown below are left:

     

    e. Create a management role with the same permissions as the built-in “Databases” role, using the following command

    New-ManagementRole -Name "Admin1_Databases" -Parent "Databases"

    f. Remove the role entries that the Admin1 group does not need with the command below, replacing Cmdlet with the name of the cmdlet to remove

    Get-ManagementRoleEntry "Admin1_Databases\Cmdlet" | Remove-ManagementRoleEntry

    g. Repeat the above until all the unnecessary cmdlets are removed, as shown below

     

    2. Grant “Admin1” the "View-Only Configuration" role permissions with the command below

         

    New-ManagementRoleAssignment -Role "View-Only Configuration" -SecurityGroup Admin1

    3. Create a management Role that has the same permission as the “Organization Configuration” Management Role with the following command

    New-ManagementRole "Admin1_Organization Configuration" -Parent "Organization Configuration"

    a. Remove the role entries that the Admin1 group does not need with the command below, replacing Cmdlet with the name of the cmdlet to remove

    Get-ManagementRoleEntry "Admin1_Organization Configuration\Cmdlet" | Remove-ManagementRoleEntry

    b. Repeat above until you remove all the unnecessary commands as shown below


     

    c. To grant the “Admin1” group the management role "Admin1_Organization Configuration", run the command below

    New-ManagementRoleAssignment -Role "Admin1_Organization Configuration" -SecurityGroup "Admin1"

     

    4. Create a management role with the same permissions as the built-in "Message Tracking" role, using the following command

    New-ManagementRole "Admin1_Message Tracking" -Parent "Message Tracking"

    a. Remove the role entries that the Admin1 group does not need with the command below, replacing Cmdlet with the name of the cmdlet to remove

    Get-ManagementRoleEntry "Admin1_Message Tracking\Cmdlet" | Remove-ManagementRoleEntry

    b. To grant the “Admin1” group the management role "Admin1_Message Tracking", run the command below

    New-ManagementRoleAssignment -Role "Admin1_Message Tracking" -SecurityGroup "Admin1"

    5. Create a management role that has the same permission as "Recipient Policies" Role with the following command

         

    New-ManagementRole "Admin1_Recipient Policies" -Parent "Recipient Policies"

     

    a. Remove the role entries that the Admin1 group does not need; in this case the three Set-* cmdlets below:

    Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ThrottlingPolicy" | Remove-ManagementRoleEntry

    Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-ActiveSyncMailboxPolicy" | Remove-ManagementRoleEntry

    Get-ManagementRoleEntry "Admin1_Recipient Policies\Set-HybridConfiguration" | Remove-ManagementRoleEntry

     

    b. Create a new role group "Admin1_Recipient Management" that is granted the roles needed to create and manage recipients, including the trimmed "Admin1_Recipient Policies" role, and add the “Admin1” group as a member, with the command below

         
    New-RoleGroup "Admin1_Recipient Management" -Roles "Distribution Groups","Mail Enabled Public Folders","Mail Recipient Creation","Mail Recipients","Migration","Move Mailboxes","Admin1_Recipient Policies" -Members Admin1

    6. Grant “Admin1” the "Support Diagnostics" role with the command below. This role exists for advanced diagnostics performed under the direction of Microsoft support; only assign it if Admin1 genuinely needs it

         

    New-ManagementRoleAssignment -Role "Support Diagnostics" -SecurityGroup admin1

    7. To grant the “Admin1” group the right to import and export mailboxes, run the command below. The "Mailbox Import Export" role is deliberately not assigned to any role group by default, because it allows exporting the contents of any mailbox to a .pst file; treat it as a sensitive privilege

         
    New-managementRoleAssignment –Role “Mailbox Import Export” –SecurityGroup “Admin1”

    8. Create a management role that has the same permission as “Exchange Server Certificates" Role with the following command

         

    New-ManagementRole "Admin1_Exchange Server Certificates" -Parent "Exchange Server Certificates"

    a. Remove the role entries that the Admin1 group does not need with the command below, replacing Cmdlet with the name of the cmdlet to remove

    Get-ManagementRoleEntry "Admin1_Exchange Server Certificates\Cmdlet" | Remove-ManagementRoleEntry

     

    b. To Grant the “Admin1” Group the management role "Admin1_Exchange Server Certificates" run the command below

         

    New-ManagementRoleAssignment -Role "Admin1_Exchange Server Certificates" -SecurityGroup Admin1

    9. From the ECP, add the management roles “Admin1_Database_Copies” and “Admin1_Databases” to the role group Admin1 (or run New-ManagementRoleAssignment for each of them, as in the previous steps)
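    As an added example (not code from the original post), the same delegation built in one Exchange Management Shell script with an allow-list instead of removing cmdlets one at a time, plus an audit of what Admin1 can actually run at the end. It assumes a mail-enabled universal security group named Admin1 already exists. The Keep lists are our reading of the task list above (mount/dismount, update/suspend/resume copies, copy status, switchover); the post's own screenshots of the surviving entries are not reproduced here, so adjust them to your requirements.

```powershell
# Added example, not from the original post. Assumes an existing universal
# security group "Admin1" and an Exchange 2010/2013 Management Shell session.
$ErrorActionPreference = 'Stop'
$Group = 'Admin1'

# Parent role -> custom child role -> cmdlets the child is allowed to keep
# (assumed mapping of the requirements table; adjust to your own list).
# Everything else inherited from the parent is removed: allow-list, not deny-list.
$customRoles = @{
    'Databases'       = @{ Name = 'Admin1_Databases'
                           Keep = 'Mount-Database', 'Dismount-Database', 'Get-MailboxDatabase' }
    'Database Copies' = @{ Name = 'Admin1_Database_Copies'
                           Keep = 'Get-MailboxDatabaseCopyStatus', 'Suspend-MailboxDatabaseCopy',
                                  'Resume-MailboxDatabaseCopy', 'Update-MailboxDatabaseCopy',
                                  'Move-ActiveMailboxDatabase' }
    # Organization Configuration, Message Tracking and Exchange Server Certificates
    # are trimmed the same way: add a parent/Keep pair here for each.
}

foreach ($parent in $customRoles.Keys) {
    $child = $customRoles[$parent]
    if (-not (Get-ManagementRole $child.Name -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $child.Name -Parent $parent | Out-Null
    }
    # Drop every entry not on the keep-list. A name in Keep that the parent does
    # not have simply never matches, so a typo cannot widen the role.
    Get-ManagementRoleEntry "$($child.Name)\*" |
        Where-Object { $child.Keep -notcontains $_.Name } |
        Remove-ManagementRoleEntry -Confirm:$false
    New-ManagementRoleAssignment -Role $child.Name -SecurityGroup $Group | Out-Null
}

# Recipient Policies child role trimmed exactly as in step 5a, then the role group.
if (-not (Get-ManagementRole 'Admin1_Recipient Policies' -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name 'Admin1_Recipient Policies' -Parent 'Recipient Policies' | Out-Null
}
'Set-ThrottlingPolicy', 'Set-ActiveSyncMailboxPolicy', 'Set-HybridConfiguration' | ForEach-Object {
    Get-ManagementRoleEntry "Admin1_Recipient Policies\$_" -ErrorAction SilentlyContinue |
        Remove-ManagementRoleEntry -Confirm:$false
}
New-RoleGroup 'Admin1_Recipient Management' -Roles 'Distribution Groups', 'Mail Enabled Public Folders',
    'Mail Recipient Creation', 'Mail Recipients', 'Migration', 'Move Mailboxes', 'Admin1_Recipient Policies' `
    -Members $Group | Out-Null

# Built-in roles assigned unchanged. Mailbox Import Export (read any mailbox to PST)
# and Support Diagnostics are high privilege: grant them only because the
# requirements say so, and expect them to show up in the audit below.
foreach ($role in 'View-Only Configuration', 'Support Diagnostics', 'Mailbox Import Export') {
    New-ManagementRoleAssignment -Role $role -SecurityGroup $Group | Out-Null
}

# Audit: every cmdlet the assignee can run and the role it comes from, so the
# result can be reviewed against the requirements table. Roles that reach Admin1
# through its membership in Admin1_Recipient Management are listed by auditing
# that role group as a second assignee.
function Get-DelegatedCmdlets ([string]$Assignee) {
    Get-ManagementRoleAssignment -RoleAssignee $Assignee -Enabled $true |
        ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
        Select-Object @{ n = 'Role'; e = { $_.Role } }, Name |
        Sort-Object Role, Name -Unique
}
Get-DelegatedCmdlets -Assignee $Group | Format-Table -AutoSize
Get-DelegatedCmdlets -Assignee 'Admin1_Recipient Management' | Format-Table -AutoSize
```

    The allow-list form is what you want to keep under version control: re-running it against a drifted role removes anything that was added back by hand, whereas the remove-one-cmdlet-at-a-time procedure only ever takes away what you remember to name.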

     

    Ghazi Boufaden from NEPA PFE team.

     

  • Windows 2012 Active Directory Domain Services Videos (2)

    Hello,

    Fazal Muhammad Khan has made an excellent series of videos showing and explaining the different features and enhancements in Active Directory on Windows Server 2012!

    We continue with Part 3 : Group Managed Service Accounts

    Enjoy!

    All the videos:

    http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx

    http://blogs.technet.com/b/nepapfe/archive/2014/02/05/windows-2012-active-directory-domain-services-videos-2.aspx

    Fazal Muhammad Khan from NEPA PFE team.

  • Non-Domain Servers (DMZ servers) monitoring

    Operations Manager requires mutual authentication be performed between agents and management servers prior to the exchange of information between them. To secure the authentication process between the two, the process is encrypted. When the agent and the management server reside in the same Active Directory domain or in Active Directory domains that have established trust relationships, they make use of Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, other mechanisms must be used to satisfy the secure mutual authentication requirement.

    In Operations Manager, this is accomplished through the use of certificates issued for each computer. If there are many agent-monitored computers, this results in high administrative overhead for managing all those certificates. To reduce this administrative overhead, Operations Manager has a server role called the gateway server. Gateway servers are located within the trust boundary of the agents and can participate in the mandatory mutual authentication.

    To support the mandatory secure mutual authentication between the gateway servers and the management servers, certificates must be issued and installed, but only for the gateway and management servers. This reduces the number of certificates required, and in the case of an intervening firewall it also reduces the number of authorized endpoints to be defined in the firewall rules. The following illustration shows the authentication relationships in a management group using a gateway server.


     

    In this section, we will see how to install a Certification Authority and how to create a template that issues Operations Manager certificates.

    All you have to do is add the Active Directory Certificate Services role with the Certification Authority and Certification Authority Web Enrollment role services.


    Open the Certification Authority console, right-click Certificate Templates and choose Manage, then right-click the IPSec (Offline request) template and choose Duplicate Template.



    Once you click on Duplicate Template the following wizard will pop up


    Name your certificate template.


    On the Request Handling tab, ensure that Allow private key to be exported is ticked. This is only needed because, later in this procedure, the certificate is requested in a user context and then moved into the computer store; a key that is requested directly into the computer store does not need to be exportable.


    On the Security tab, allow Authenticated Users to Enroll. Be aware of what this means: the IPSec (Offline request) template takes the subject name from the request, so any domain account will be able to obtain a certificate with Client Authentication and Server Authentication usages for whatever name it supplies. In production, restrict Enroll to the account(s) that will request the gateway and management server certificates, or require CA certificate manager approval on the Issuance Requirements tab.


    On the Extensions tab, double-click Application Policies, remove IP security IKE intermediate and add Client Authentication and Server Authentication.


    Then right-click on Certificate Template > New > Certificate Template To Issue.

     

    And Select the Template that you have just created.


    Now we have our Certificate Authority ready to issue certificates that will be used for the mutual Authentication.

    On all machines that are not joined to the domain, including the gateway server, the root CA certificate must be added to the Trusted Root Certification Authorities store, because these machines do not trust the Enterprise CA installed before.

    To do that, open MMC,

    choose File > Add/Remove Snap-in and add the Certificates snap-in,

    for both My user account and Computer account.

    The certificate from the root CA needs to be added to this list.

    Open the web browser on the gateway server, and go to the CA Web service: http://CAserver/certsrv

    Add the certsrv website to the Trusted Sites.

    Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.

    Here we need to request the CA chain

    Ensure that ActiveX is enabled.

    The certificate is now in the list of Trusted Root Certifications Authorities, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA created before.

    Now we need to request a certificate for our gateway server

    Advanced request

    Create and submit

    Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.

    Since mine is in a workgroup, the NetBIOS name is sufficient.

    And now the certificate is generated and we can install it

    Done

    When you install the certificate, it will be installed in the User store.

     

    But since we are authenticating the computer, the certificate must be imported into the computer store.

    So open the Certificates MMC and export the certificate from the user store and import it to the local computer store.

    The certificate is now installed and you can verify if everything is installed correctly by opening the certificate and checking if the certification path is ok.
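    A scripted version of that check, as an added example (not part of the original post): run it on the gateway, an agent or the management server before MOMCertImport, and it reports whether the certificate found in the computer's Personal store has both usages, a private key, a valid period and a chain that builds to a trusted root. It assumes PowerShell 3 or later and that the certificate's CN is the machine's host name (pass -Subject if you typed something else into the request).

```powershell
# Added example, not from the original post. Verifies an Operations Manager
# certificate in Cert:\LocalMachine\My before MOMCertImport is run.
function Test-OpsMgrCertificate {
    param(
        # Defaults to this machine's FQDN; on a workgroup box without a DNS suffix
        # that is just the host name, as in the post.
        [string]$Subject = $(try { [System.Net.Dns]::GetHostEntry([string]$env:COMPUTERNAME).HostName }
                             catch { $env:COMPUTERNAME })
    )
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $kuType     = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Subject))(,|$)" }
    if (-not $candidates) {
        return [pscustomobject]@{ Subject = $Subject; Ok = $false
                                  Reason  = 'no certificate with this CN in LocalMachine\My (still in the user store?)' }
    }

    foreach ($cert in $candidates) {
        $problems = @()

        # Both EKUs are required: the agent/gateway side authenticates as a client,
        # the management server side as a server, and each host may play either role.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($ekus -notcontains $clientAuth) { $problems += 'missing Client Authentication EKU' }
        if ($ekus -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }

        # Key usage must allow Digital Signature and Key Encipherment (the IPSec
        # template does this already; a template built from scratch may not).
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        if ($ku -and (($ku.KeyUsages -band $kuType::DigitalSignature) -eq 0 -or
                      ($ku.KeyUsages -band $kuType::KeyEncipherment) -eq 0)) {
            $problems += 'key usage must include Digital Signature and Key Encipherment'
        }

        # A certificate copied without its key (or whose key stayed in the user
        # profile) is the most common reason the HealthService cannot use it.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in the computer store' }

        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }

        # The chain must build to a root in LocalMachine\Root; on a workgroup box
        # that is exactly the Enterprise Root CA certificate imported earlier.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # DMZ hosts often cannot reach the CRL
        if (-not $chain.Build($cert)) {
            $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Expires    = $cert.NotAfter
            Ok         = ($problems.Count -eq 0)
            Reason     = ($problems -join '; ')
        }
    }
}

Test-OpsMgrCertificate | Format-List
```

    Revocation checking is switched off on purpose here, because a DMZ host that cannot reach the CA's CRL distribution point would otherwise always report a broken chain; if your firewall rules do allow CRL retrieval, change RevocationMode to Online so that a revoked gateway certificate is caught as well.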

    On the management server, we also need to install a certificate. Since we have an Enterprise Root CA integrated with AD, its root certificate is already trusted by the management server, which is a domain member.

    Now we can start installing the agent on the non-domain machine.

    Enter the management group name (found in the title bar of the console on the management server) and the management server name. Note that, since the non-domain machine cannot resolve the management server through AD-integrated DNS, you must add the management server's name and IP address to its hosts file.

    The port number can be changed if desired; by default it is 5723. Only this port needs to be open on the firewall from the non-domain agent to the management server.

    Then we have to Export the created certificate

    And import it in the Personal Store of the Computer Account and User Account.

    Then copy the MOMCertImport.exe tool to the non-domain agent.

    MOMCertImport.exe can be found in the SupportTools Folder

    Run MOMCertImport.exe and point to the Imported Certificate

    You’ll get a message that the action succeeded, and you can check progress in the Operations Manager event log.

    Troubleshooting:

    If you get event 21006, make sure the firewalls on the gateway and/or on the management server are not blocking communication

    Don‘t forget to enable Agent Proxy for the gateway, as this one will act as a proxy for other systems connecting through the gateway server!

    To check if it’s working, go to the Operations Manager Console – you should see something similar to this

     

    Dany Abboud from NEPA PFE team.

  • “It’s Simple!” – Do the move! Go to DFSR!

    Hi there!

    I have noticed the following at many customers who have upgraded their Active Directory from Windows 2000/2003 to 2008 and later: they do not (or forget to) upgrade SYSVOL from FRS to DFSR!

    Several Technet articles covered the steps to do for Sysvol migration, so there is no need to go in details here…

    “Upgrading to DFSR? What is DFSR? Besides, everything is working fine! Why should I upgrade?”

    Those are –very often- the questions and feedbacks I get from customers :)

    So here is the thing:

    • Keep in mind that SYSVOL is a shared folder (published through a DFS namespace) that needs to be identical on each DC,
    • SYSVOL is replicated between DCs using either the File Replication Service (FRS) or Distributed File System Replication (DFS-R),
    • This replication follows the Active Directory replication topology and connections,
    • We have stopped any development on FRS since 2003, which means, for example, no updates or hotfixes! On the other side, DFSR is here to stay for a long time (cross-fingers!)
    • FRS is not a bandwidth optimization service, but DFSR is! For example, DFSR replicates only the changed parts of a file, compresses efficiently and has self-healing mechanisms for database corruption or journal wraps, etc. (see the comparison here)
    • DFSR requires a Domain Functional Level (DFL for short) of at least Windows Server 2008 (how to check and upgrade your DFL here), so you have to review the upgrade possibility in your environment,

     

    All right! I’m planning to do it, what are the actions?

    That’s good! Here are the summarized actions for upgrading your Sysvol to DFS-R:

    1. Migrating to the “Prepared” state: FRS is still used for replication, and DFS-R builds and holds its own copy of your SYSVOL data (the SYSVOL_DFSR folder),
    2. Migrating to the “Redirected” state: the SYSVOL share now points to the DFS-R copy, which answers new requests, while FRS still replicates the old SYSVOL folder,
    3. Migrating to the “Eliminated” state: no more FRS, only DFS-R is used for SYSVOL replication. The first two states can be rolled back to Start; this last one cannot.
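    The three steps driven by dfsrmig.exe from PowerShell, as an added example (not code from the original post): it checks the domain functional level first, advances one global state at a time and refuses to continue until every DC reports that it has reached the new state. It assumes you run it as a Domain Admin with the ActiveDirectory module available; the "migrated successfully" text it waits for is the wording of dfsrmig /GetMigrationState as we recall it and should be confirmed on your own output.

```powershell
# Added example, not from the original post. Walks SYSVOL through the
# Prepared -> Redirected -> Eliminated states with dfsrmig.exe.
Import-Module ActiveDirectory

$States = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Test-SysvolMigrationPrereqs {
    $domain = Get-ADDomain
    # DomainMode is an enum; Windows2008Domain and everything newer compare higher.
    $minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$domain.DomainMode -lt [int]$minimum) {
        throw "Domain functional level is $($domain.DomainMode); Windows Server 2008 or higher is required for DFS-R SYSVOL."
    }
    $domain
}

function Get-SysvolGlobalState {
    # Assumed output format: "Current DFSR global state: 'Prepared'"
    $out = dfsrmig /GetGlobalState 2>&1 | Out-String
    if ($out -match "'(Start|Prepared|Redirected|Eliminated)'") { return $Matches[1] }
    throw "Could not parse dfsrmig /GetGlobalState output: $out"
}

function Wait-SysvolMigrationState {
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Each DC polls the global state through AD replication, so this can take
        # a full replication cycle for remote sites.
        $out = dfsrmig /GetMigrationState 2>&1 | Out-String
        if ($out -match 'migrated successfully') { return $true }   # assumed wording
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    $false
}

function Step-SysvolMigration {
    param([Parameter(Mandatory)][ValidateRange(1, 3)][int]$TargetState)
    $current    = Get-SysvolGlobalState
    $currentIdx = ($States.GetEnumerator() | Where-Object Value -eq $current).Key
    if ($TargetState -ne $currentIdx + 1) {
        throw "Current state is '$current'; the only valid next step is '$($States[$currentIdx + 1])'."
    }
    if ($TargetState -eq 3) {
        Write-Warning "'Eliminated' cannot be rolled back. 'Prepared' and 'Redirected' can (dfsrmig /SetGlobalState 0)."
    }
    dfsrmig /SetGlobalState $TargetState
    if (-not (Wait-SysvolMigrationState)) {
        throw "Not all DCs reached '$($States[$TargetState])'; check 'dfsrmig /GetMigrationState' and AD replication before continuing."
    }
    "All DCs are in state '$($States[$TargetState])'."
}

# Typical run: verify the DFL, then take one step. Validate SYSVOL content on the
# DCs (policies, scripts) between steps rather than chaining 1 -> 2 -> 3 blindly.
Test-SysvolMigrationPrereqs | Select-Object DNSRoot, DomainMode
Step-SysvolMigration -TargetState 1
```

    The guard in Step-SysvolMigration is the point of the script: dfsrmig accepts a jump of more than one state, and it accepts state 3 while DCs are still catching up, so the function only ever moves one state forward and only after the previous state has been confirmed everywhere.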

     

    Side notes:

    • Required firewall ports for DFS-R here
    • Troubleshooting DFSR upgrades here
    • More info on TechNet  

     

    Hope it’s simple now!

     

    Imed Boukhaf from NEPA team.