Migrating DFS from 2000 Mode to 2008 step by step

The Story

A few months ago I got a request from one of my clients about migrating DFS from 2012 R2 to 2016.

The 2012 R2 deployment had been migrated from 2008 R2 and was still based on 2000 mode. A namespace in that mode can be migrated as it is, but there is a list of requirements to meet, and certain features won’t be supported if you continue to use 2000 mode in DFS on Windows Server 2016.

How to Start

In this tutorial I will walk through the migration step by step in a demo, with screenshots and the required commands.

I have also added a small comparison to make it clear why we are going to use this particular method of migrating the DFS mode and server.

To migrate a domain-based namespace to Windows Server 2008 mode

  1. On the source DC/DFS server, open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and C:\filename.xml stands for the path and file name of the export file:

    Dfsutil root export \\domain\namespace C:\filename.xml

  2. Write down the path (\\server\share) for each namespace server. You must manually add namespace servers to the recreated namespace because Dfsutil cannot import namespace servers.

  3. In DFS Management, right-click the namespace and then click Delete, or type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace:
    Dfsutil root remove \\domain\namespace

Let’s refresh the console and see if it’s deleted there.

Next remove

I will remove the rest of the namespaces.

All have been removed. Now let’s remove the namespaces from the display and observe what happens to the replication groups.

NOTE:

The replication groups didn’t get affected.

  4. In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\server\namespace is the name of the appropriate server and share for the namespace root:
    Dfsutil root adddom \\server\namespace v2
I will use the UI instead of the command.

Although we raised the forest and domain functional levels, the 2008 option is still greyed out. Let’s try restarting the DFS services on the FSMO server.

After restarting

Next, I will copy all the XML files to the new server and import them there.

My new server is 2016.

  5. To import the namespace from the export file, type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:
    Dfsutil root import merge path\filename.xml \\domain\namespace

After the import

I will continue to import the rest of the namespaces.

First we need to create the matching namespaces from the GUI.

Now I will import and merge the XML file.

After adding the NewFolder folder, which already had a replication group from the previous mode, the group didn’t show up at first,

but after navigating to NewFolder, clicking the Replication tab and then Navigate to the replication group, the replication group showed up underneath Replication.

What has changed?

The only noticeable change is the namespace servers. Everything else is as before: the folder targets are still the same and replication is identical to the previous settings.

See this screenshot

Let’s check the access to the new namespace

Finally, let’s import the last namespace and its configuration (PublicFolder).

Let’s check the result in the GUI.

Notice that the replication group for the PF didn’t appear, so let’s do what we explained before to show the replication group.

Here we go.

Right after this process finishes, the command produces a report with the time, the import status and other related settings such as site cost and timeout.

Note

To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.

  6. Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server, or by typing the following command at a command prompt, where \\server\share is the name of the appropriate server and share for the namespace root:
    Dfsutil target add \\server\share

Note

You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the metadata for the namespace instead of immediately downloading the entire namespace after being added as a namespace server.
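
Because step 3 deletes the namespace and the export file does not carry the namespace servers, it helps to verify the export and record the current state first, then compare once the namespace has been rebuilt. The script below is an added example, not part of the original walkthrough: the function names and the C:\DfsMigration folder are hypothetical, \\domain\namespace is the placeholder used above, and it assumes the DFSN PowerShell module is installed next to dfsutil.

```powershell
# Added example, not part of the original walkthrough. Function names and the
# C:\DfsMigration folder are hypothetical; \\domain\namespace is the page's
# placeholder. Needs dfsutil.exe and the DFSN module (DFS management tools).
Import-Module DFSN

function Get-DfsNamespaceState {
    param([Parameter(Mandatory)] [string] $Namespace)
    [pscustomobject]@{
        Namespace     = $Namespace
        # Namespace servers: the part Dfsutil cannot import (step 2).
        RootTargets   = @(Get-DfsnRootTarget -Path $Namespace |
                            Select-Object -ExpandProperty TargetPath)
        # One "folder -> target" string per folder target.
        FolderTargets = @(Get-DfsnFolder -Path "$Namespace\*" |
                            ForEach-Object { Get-DfsnFolderTarget -Path $_.Path } |
                            ForEach-Object { "$($_.Path) -> $($_.TargetPath)" })
    }
}

function Save-DfsNamespaceSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Namespace,
        [Parameter(Mandatory)] [string] $OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $leaf   = ($Namespace -split '\\')[-1]
    $export = Join-Path $OutDir "$leaf.xml"

    # Step 1: export, then prove the file exists and parses as XML
    # before anything is removed.
    & dfsutil.exe root export $Namespace $export | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $export)) {
        throw "Export of $Namespace failed; do not remove the namespace."
    }
    $null = [xml](Get-Content -Path $export -Raw)   # throws on malformed XML

    $state = Get-DfsNamespaceState -Namespace $Namespace
    $state | Export-Clixml -Path (Join-Path $OutDir "$leaf.snapshot.xml")
    $state
}

function Compare-DfsNamespaceSnapshot {
    param([Parameter(Mandatory)] [string] $SnapshotFile)
    $before = Import-Clixml -Path $SnapshotFile
    $after  = Get-DfsNamespaceState -Namespace $before.Namespace
    [pscustomobject]@{
        Namespace            = $before.Namespace
        # Expected to be empty: folder targets should survive the import.
        MissingFolderTargets = @($before.FolderTargets |
                                  Where-Object { $_ -notin $after.FolderTargets })
        UnexpectedTargets    = @($after.FolderTargets |
                                  Where-Object { $_ -notin $before.FolderTargets })
        # Old namespace servers that were not added back with "Dfsutil target add".
        ServersNotReAdded    = @($before.RootTargets |
                                  Where-Object { $_ -notin $after.RootTargets })
    }
}

# On the source server, before "Dfsutil root remove":
#   Save-DfsNamespaceSnapshot -Namespace '\\domain\namespace' -OutDir 'C:\DfsMigration'
# On the new server, after "Dfsutil root import merge":
#   Compare-DfsNamespaceSnapshot -SnapshotFile 'C:\DfsMigration\namespace.snapshot.xml'
```

In the migration shown above, the folder-target lists should come back empty, while ServersNotReAdded lists the old namespace servers until they are added back or retired.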

Ref:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753875(v=ws.11)

LYNC 2013 TO SKYPE FOR BUSINESS IN-PLACE UPGRADE WITH MONITORING DATABASE

This article guides you through the steps of an in-place upgrade from Lync 2013 to Skype for Business. I am copying the article as is from my lab, with all the errors that I have been through, to give you real feedback on what this is like.

You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.

Prerequisites

Extensible Chat Communication Over SIP protocol (XCCOS)

From <https://technet.microsoft.com/en-us/library/dn951390.aspx>

References:

https://technet.microsoft.com/en-us/library/dn951371.aspx?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/library/dn933900.aspx

Lync CU 5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

Kb2533623 Windows Server 2008 R2

http://support.microsoft.com/kb/2533623

Kb2858668 Windows Server 2012

http://support.microsoft.com/kb/2858668

KB2982006 Windows Server 2012 R2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

SQL 2012 SP2 for Express version

https://www.microsoft.com/en-us/download/details.aspx?id=43351

First Issue:

Upon running the setup I have got the following error:

Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.

http://go.microsoft.com/fwlink/?LinkId=519376

Powershell

$PSVersionTable

I will re-run prerequisites to make sure that all are satisfied before running setup again.

STEP 1 : Installing Prerequisites for this In-Place Upgrade

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/server-requirements

Updated aug-2018

STEP 2: Installing CU5

Download and install CU5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

After the restart we will apply the database update. In my case the SQL Server FQDN is going to be that of the FE server, since it’s Standard Edition and there is no separate back-end server.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose

Time to upgrade the Archiving/Monitoring databases.

To upgrade, we’ll use the same command but change the SQL Server FQDN to that of the server where the Monitoring and Archiving databases are.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose

Applying CMS upgrade

Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -Verbose

Then run Enable-CsTopology

The last thing in the CU5 update is to run

"%ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe"

https://support.microsoft.com/en-us/kb/2809243

Step 3 : Installing Windows OS hotfix.

KB2982006 Windows Server 2012 R2

Since the FE is on Windows Server 2012 R2, we’ll need to download the hotfix from this link

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

RESTART is Required

STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

First, download the SQL Express SP2 setup.

You can patch the server by opening a Lync Management Shell window and entering the following commands:

Stop-CsWindowsService

.\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms

Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)

https://support.microsoft.com/en-us/kb/321185

My SQL Server version is SP1 so I don’t need to upgrade it to SP2

Step 6- In-place Upgrade for Skype For Business

In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

On a different machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. Then I’ll load the Skype for Business ISO and install.

D:\Setup\amd64\Setup.exe

We’ll now click Installing Administrative tools.

Now, in order to continue, we’ll have to open the Topology Builder and upgrade our Lync 2013 topology.

I’ll open the Topology Builder and save the topology file somewhere.

Once the topology is open, I’ll navigate to the Standard FE servers and right-click my main server to upgrade it.

I’ll click on Upgrade to Skype for Business Server 2015…

As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.

Since I have two FE servers (FE and SBS), I will be upgrading them both, but not at the same time, so as not to run into any errors. I will publish the topology and see what happens.

Let’s check what we need to do now in order to upgrade the servers. Here is what we’ll do.

Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

(1) Stop the Skype for Business services on all of the servers that you are upgrading;

(2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;

(3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

On Lync FE 01 I’ll stop all the services using Stop-CsWindowsService

Now on the same server I’ll load the Skype4B ISO and start the setup

D:\Setup\amd64\Setup.exe

Started at 1:40pm

NOTE:

The time required for the upgrade process is estimated at around 75-90 minutes for each FE server.

Starting ‘Verifying upgrade readiness…’

‘Verifying upgrade readiness…’ completed successfully

Starting ‘Installing missing prerequisites…’

‘Installing missing prerequisites…’ completed successfully

Starting ‘Uninstalling roles…’

‘Uninstalling roles…’ completed successfully

Starting ‘Detaching database…’

‘Detaching database…’ completed successfully

Starting ‘Uninstalling local management services…’

‘Uninstalling local management services…’ completed successfully

Starting ‘Installing and configuring core components…’

‘Installing and configuring core components…’ completed successfully

Starting ‘Installing administrative tools…’

‘Installing administrative tools…’ completed successfully

Starting ‘Installing local management services…’

‘Installing local management services…’ completed successfully

Starting ‘Attaching database…’

‘Attaching database…’ completed successfully

Starting ‘Upgrading database…’

‘Upgrading database…’ completed successfully

Starting ‘Enabling replica…’

‘Enabling replica…’ completed successfully

Starting ‘Installing roles…’

‘Installing roles…’ completed successfully

Starting ‘Verifying installation…’

‘Verifying installation…’ completed successfully

Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B

Publish the topology

I’ll stop the service before I start the upgrade process.

I’ll load the ISO on the second server and start the upgrade.

D:\Setup\amd64\Setup.exe

Apparently I forgot to update Lync to the latest CU

Exchange RPC over HTTP problem with TMG

Issue:

When you try to set up Outlook with an Exchange account, you get the issue below.

Note:

  • In this scenario I’m using a Windows-signed certificate for Exchange, but I have the CA installed on the client side.
  • Client is not joined to the domain.
  • Client is not on VPN.

Symptoms:

Outlook 2010/2013 keeps prompting you for credentials even though you entered them correctly several times.

When you cancel, you receive the message “The action couldn’t be completed. The connection to Exchange is unavailable”.

Investigation:

Let’s test our autodiscover and see what’s wrong.

I will first go to www.testexchangeconnectivity.com and test the autodiscover.

The Autodiscover test came back positive.

There’s no need to test RPC over HTTP when using a Windows/self-signed certificate, as that test won’t come back positive anyway.

Next let’s check TMG’s configuration.

Every rule that involves RPC should be checked in order to make sure that your Publishing configuration is correct.

RPC Server should be pointing internally to your Exchange server and externally to your mail.domain.com External IP Address.

Although TMG’s wizard does everything for you when you use it to publish Exchange, you still need to check that the configuration is right.

These are the paths in my autodiscover rule’s configuration; RPC is also included there.

Testing the rule gives a positive result for all the published paths.

Let’s try the following link and see if it authenticates. The RPC proxy is required for Outlook clients to be configured properly.

Outlook client tries to connect to the below link after finding the autodiscover settings

https://autodiscover.demotesas.com/rpc/rpcproxy.dll

If you type your credentials, it most likely won’t connect and will keep prompting or will probably say that request is invalid!

Resolution:

What if we changed the RPC path from autodiscover to mail.demotesas.com? The authentication method might be the problem in this case, as I am using totally different authentication methods for the mail and autodiscover rules.

Once we publish the rule, we will have to check the result of the following link

https://mail.demotesas.com/rpc/rpcproxy.dll

The site will most likely be accessed without any issues.

Now we can test our Outlook client setup and see if it will go well without any issues!

The problem was that RPCproxy.dll was not set on the right rule and on the appropriate domain.

It should be on mail.domain.com, with the same authentication delegation.

Pfsense and Active Directory Integration

In this tutorial I will integrate my Active Directory with pfSense in order to authenticate users from Active Directory instead of using pfSense’s User Manager.

The process will give you more options and will make managing users much easier. To do that, follow these steps.

First open your pfSense web UI and click on System -> User Manager.

Next go to the Servers tab.

Click + in the right corner.

After you click on the + icon you will get the following page.

Fill in these details accordingly. For help on how to fill them in, check the snapshot below.

Note: Make sure that your password is simple and contains only letters, no numbers or special characters, e.g. Pfsense

When done, click on Select and you will be able to view the following OU/CN.

Now create a group in AD, e.g. “PF”, and create a group with the identical name on pfSense. In AD, add any user to this group.

Then go back to pfSense -> System -> User Manager -> Settings tab, select your AD from Authentication server, and save.

Now click on Diagnostics -> Authentication and select your AD server.

Type in the username and password of the user you added to the group pf in AD and click Test; you will then see the result on top: “User: Pfsense authenticated successfully. this user is a member of these groups: pf”

Hope this will help you find your way through Pfsense. 🙂

Upgrading Exchange 2013 RTM to Latest SP and CU

To check the current version, use the following command:

Get-ExchangeServer | ft Name,Admin* -AutoSize

Version 15.0 (Build 516.32)

How to upgrade your existing Exchange Server 2013 to CU7 using command-line

You will have to download CU7 pack, extract it and run the command line from CMD with administrative privileges.

http://www.microsoft.com/en-us/download/details.aspx?id=45221

Here we run the CMD as admin

Drag and drop the folder you extracted into the CMD window to enter its path, so that you can run the setup file.

Run the following command to upgrade the existing server

Setup /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

Below you can see the upgrade process to install the Cumulative Update 3.

Once the upgrade process is finished, you will be able to see the new version by running the cmdlet again

Get-ExchangeServer | ft Name,Admin* -AutoSize

The version must show 15.00.1044.025

Testing Exchange ActiveSync

If you have an issue with ActiveSync on Exchange 2010/2013 and you want to troubleshoot it, you will have to first test ActiveSync from Microsoft Exchange Management shell for any failing user

You can use the following cmdlet to start

Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential domain\user) -UseAutodiscoverForClientAccessServer

As you can see in the previous snapshot, the test failed in the folder syncing part. To get the full report on the failure, add | fl to the command; if you want to export the report to a text file, append >c:\1.txt, which writes the command output to a file called 1.txt in the root of the C drive.

Resolution:

As you can see, the error says “Internal server error”, and if you read on, the middle of the error says “Active Directory operation failed on DC.server.local. This error is not retriable. Additional information: Access is denied. Active Directory response: 000000005” up to <INSUFF_ACCESS_RIGHTS>. Searching for this error a little bit, I found that it’s related to Inheritance under the user’s advanced security settings.

Once this was applied the user was able to log in from mobile without an issue.

Owa Redirection results in 401 Unauthorized access message

One of my clients asked me to set up a redirection so that their mail.domain.com goes directly to the OWA page, but after applying the redirection configuration I faced an issue.

Whenever I try to go to the OWA page using only the FQDN mail.domain.com I get a 401 unauthorized access page.

Resolution:

The solution was to add Authenticated Users to wwwroot with full permission and restart IIS with the noforce parameter.

OWA an unexpected error occurred and your request couldn’t be handled

Resolution 1:

The error happens because a redirection of OWA has been configured. To fix the issue simply remove the redirect option.

Resolution 2:

Another resolution that works without turning Redirection off for default site is to turn off redirection from the Public folder.

Outlook 2007 keeps prompting users for password

After migration from Exchange 2003 to Exchange 2010, Outlook 2007 keeps prompting users for their password:

Symptoms

After migration from Exchange 2003 to Exchange 2010, some Outlook 2007 client users keep getting prompted to enter their credentials again.

Cause

The problem might be related to the authentication method used on Outlook Anywhere (Basic Authentication), because the password is not saved in Windows authentication mode.

Resolution:

Changing the authentication method of Outlook anywhere to NTLM will resolve the issue.

Offline Address book Issue after migration from Exchange 2003 to Exchange 2010

Error: event ID: 9360

OABGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list

RESOLUTION 1

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To resolve this issue, follow these steps on the server that is running Exchange Server 2003:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type OAL post full if diff fails to name the new value.
  5. Right-click OAL post full if diff fails, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
  8. Dismount and then mount the Public Folder Store again. To dismount and then mount the public folder store, follow these steps:
    1. Start Exchange System Manager.
    2. Expand Servers, expand the server that you want, expand Storage_Group_Name, and then right-click Public Folder Store.
       Note If administrative groups are defined, follow these steps:
      • Expand Administrative Groups.
      • Expand Administrative_Group_Name.
      • Expand Servers.
      • Expand the server that you want.
      • Expand Storage_Group_Name.
      • Right-click Public Folder Store.
    3. Click Dismount Store, and then click Yes to continue.
    4. Right-click Public Folder Store, click Mount Store, and then click OK.

A new parent Legacy Exchange DN container value ‘/o=HEMA/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients’ was found during generation of the differential update file for offline address list ‘\Global Address List’. This will force clients using this offline address list to do a full download of the offline address list.

– \Default Offline Address List

Resolution 2:

If the first resolution didn’t work, try to disable version 2 and 3 OAB, then update again and see if you get any errors.

Note that this may take some time to take effect.