Thursday, 18 November 2010

Powershell script to change Exchange mailbox alias

Hi all...

During a migration project I ended up with Exchange mailbox aliases that looked like this: Lechner?Christian.
This happened because a mailbox alias cannot contain spaces or commas. The aliases were generated by our migration tool from the users' display names.

I wrote a small script to change the mailbox alias to the samAccountName of the user.

# Sets every mailbox alias to the user's samAccountName.
# -ResultSize Unlimited is needed because Get-Mailbox returns only the first 1000 mailboxes by default.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -Filter {Alias -Like '*'})) { Set-Mailbox $mbx -Alias $mbx.SamAccountName }

You can save the script as changeAlias.ps1 and run it directly from the Exchange Powershell.
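The same rename with the checks a production run needs, as an added example that is not the script from this post (Get-Mailbox and Set-Mailbox are the real Exchange cmdlets; the alias pattern, the collision table and the -Commit switch are this example's own):

```powershell
# Added example (not the post's script): report first, rename only what is safe.
param([switch]$Commit)   # without -Commit, Set-Mailbox runs with -WhatIf only

# Characters Exchange accepts in an alias: letters, digits and the listed symbols,
# never a space or a comma. A samAccountName MAY contain a space, so it is not
# automatically a legal alias; check it before assigning it.
$aliasPattern = '^[A-Za-z0-9!#$%&''*+\-/=?^_`{|}~.]+$'

# Get-Mailbox returns only the first 1000 objects by default; fetch everything once.
$all = Get-Mailbox -ResultSize Unlimited

# Aliases are unique per organisation and compared case-insensitively.
$takenBy = @{}
foreach ($m in $all) { $takenBy[$m.Alias.ToLowerInvariant()] = $m.DistinguishedName }

foreach ($mbx in $all) {
    $newAlias = $mbx.SamAccountName
    if ($mbx.Alias -eq $newAlias) { continue }     # -eq on strings ignores case

    if ($newAlias -notmatch $aliasPattern) {
        Write-Warning "$($mbx.Name): samAccountName '$newAlias' is not a legal alias, skipped"
        continue
    }
    $owner = $takenBy[$newAlias.ToLowerInvariant()]
    if ($owner -and $owner -ne $mbx.DistinguishedName) {
        Write-Warning "$($mbx.Name): alias '$newAlias' is already used by $owner, skipped"
        continue
    }

    Write-Host "$($mbx.Name): '$($mbx.Alias)' -> '$newAlias'"
    if ($Commit) {
        Set-Mailbox -Identity $mbx.DistinguishedName -Alias $newAlias
        # keep the collision table current for the rest of the run
        $takenBy.Remove($mbx.Alias.ToLowerInvariant())
        $takenBy[$newAlias.ToLowerInvariant()] = $mbx.DistinguishedName
    } else {
        Set-Mailbox -Identity $mbx.DistinguishedName -Alias $newAlias -WhatIf
    }
}
```

Run it once without -Commit to review the warnings, then with -Commit to apply the renames.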

This is nothing special, but I hope it can help...
Chris

Friday, 5 November 2010

How to enable SAN certificate issuing on a Windows CA

The following post is more for me than for public. :-)

Exchange Server 2007 and Exchange Server 2010 heavily rely on certificates for the secure communications between servers and clients.

If you go with a third-party CA for your certificate needs, you pay their fees, typically every year or for the length of your subscription.

To avoid paying for third-party CAs while still keeping communications secure, most companies prefer to deploy their own internal CA. Once the internal CA is deployed, one of the problems you normally face is issuing certificates that contain multiple subject names (Subject Alternative Name). Neither Windows Server 2003 nor Windows Server 2008/R2 is configured to issue SAN certificates by default: the default policy module configured during the CA installation keeps this disabled.

To allow the Windows CA to issue certificates for requests that carry a Subject Alternative Name extension, you must enable it with the CERTUTIL.EXE tool on the CA.

To enable SAN certificate issuance on the CA, follow these steps:

1. Open a command prompt with elevated privileges, or with user credentials that have permission to manage CAs.

2. Run the command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command changes the EditFlags value of the default policy module in the registry, located at SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy, adding the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. The output looks like this (note that the values on your CA may differ from the following example):

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.

The CertSvc service may need to be restarted for changes to take effect.

4. Restart Certificate Services using the Services snap-in or from the command prompt: net stop certsvc && net start certsvc

5. Once the service is restarted you can request a certificate with a SAN extension through the web enrollment application.

Warning! You should not enable SAN extension support on your Enterprise Root CA. If you must enable it, do so on one of the standalone CAs dedicated to issuing SAN certificates.
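To audit what step 2 changed, as an added example that is not from the post: it decodes EditFlags the way certutil prints them (flag names and values taken from the output above) and, run on a CA host, reports per CA whether the SAN flag is set. The CAType registry value (0 and 1 meaning enterprise root and enterprise subordinate CA) is an assumption of this example, not something the post states.

```powershell
# Added example, not from the original post. Flag names/values are those certutil
# printed above; the registry path is the one from step 3. Assumption: the CAType
# value under Configuration\<CA> is 0/1 for enterprise CAs, 3/4 for standalone CAs.
$EditFlagNames = [ordered]@{
    EDITF_REQUESTEXTENSIONLIST     = 0x2
    EDITF_DISABLEEXTENSIONLIST     = 0x4
    EDITF_ADDOLDKEYUSAGE           = 0x8
    EDITF_BASICCONSTRAINTSCRITICAL = 0x40
    EDITF_ENABLEAKIKEYID           = 0x100
    EDITF_ENABLEDEFAULTSMIME       = 0x10000
    EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    EDITF_ENABLECHASECLIENTDC      = 0x100000
}

function Expand-EditFlags([uint32]$Value) {
    # Names of every bit set in $Value, in the same "NAME -- hex" form certutil uses.
    $EditFlagNames.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { '{0} -- {1:x}' -f $_.Key, $_.Value }
}

function Test-SanFlagOnLocalCA {
    # Scan every CA configured on this host and report whether step 2 was applied.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    foreach ($ca in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $policy = Join-Path $ca.PSPath 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
        $flags  = (Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
        $caType = (Get-ItemProperty -Path $ca.PSPath -Name CAType -ErrorAction SilentlyContinue).CAType
        $sanOn  = ($flags -band $EditFlagNames.EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
        $isEnterprise = ($caType -eq 0 -or $caType -eq 1)
        [pscustomobject]@{
            CA           = $ca.PSChildName
            EditFlags    = '{0:x} ({0})' -f $flags
            SanEnabled   = $sanOn
            EnterpriseCA = $isEnterprise
            # the combination the warning above tells you to avoid
            Review       = ($sanOn -and $isEnterprise)
        }
    }
}

# Offline check against the two values printed in the post:
Expand-EditFlags 0x11014e    # old value: the SAN flag is absent
Expand-EditFlags 0x15014e    # new value: EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 appears
Test-SanFlagOnLocalCA | Format-Table -AutoSize
```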


Office 2010 activation process in a terminal server environment

This week I was working with a customer on his Lotus Notes to Exchange migration project. Almost all of his users work with thin clients on Citrix XenApp 5.0 terminal servers. All Citrix servers were deployed using Citrix Provisioning Services, with XenServer as the hypervisor.

He was going to install Outlook 2010 on his master image. The installation ran fine and he went on to change the product key for the Office 2010 activation. He typed in his product key, which wasn't a very good one. From that point on every user was asked to activate Outlook or change the product key, and this happened every time a user logged in after the terminal server had been rebooted. We figured out that he had typed in his MAK key. When using a MAK key it is necessary to activate Outlook for every user "manually" via the internet or by telephone.


After that I installed the Office 2010 Key Management Host Service on a Windows Server 2008 R2 machine. The Key Management Host for Office has nothing to do with the Windows KMS service, but it can be installed on the same machine. You can download the program directly from the Microsoft website: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=97b7b710-6831-4ce5-9ff5-fdc21fe8d965


If you do as I did and try to install the program on a Windows Server 2008 machine (the customer wanted me to use Windows Server 2008 because he had no virtual template of a Windows Server 2008 R2 machine :-( ), you'll get the following error message.

Office 2010 Key Management Host Service can only be installed on Windows Server 2003, Windows Server 2008 R2 and Windows 7. Windows KMS isn't that particular.



After you've started the installation of KeyManagementServiceHost.exe you need to accept the usual Microsoft license agreement, and the Office license files are installed automatically. You'll be prompted to enter your Office 2010 KMS Host Key, which can be found in the Microsoft Volume Licensing (VL) portal; which key you get depends on your Microsoft contract. The Host Key is activated automatically if the machine has internet access.

There is no need to type in something like -ipk and -ato, as you have to do with the Windows Host Key and the slmgr.vbs script.



Once the installation is done and the key is activated you can check the service status for Office with the following command:

cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864

If you want to see the status information for both Windows and Office you can use:

cscript slmgr.vbs /dlv all


Since the introduction of KMS with Windows Vista and Windows Server 2008 there is a minimum activation threshold: the number of clients that must contact the KMS host before the activation process starts.

The minimum activation threshold for Office 2010 clients is 5. If you have fewer than 5 Office 2010 clients you need to use the MAK key for activation. You can find more information here: http://technet.microsoft.com/en-gb/library/ff603508(office.14).aspx



The initial grace period for Office 2010 is 25 days. If Office 2010 is not activated after those 25 days you can still use your Office products without any limitation; all you see is a red bar at the top of the product and a message box telling you to activate the product or change the product key.

The Office KMS client key is integrated in the Office 2010 installation, so there is no need to enter a KMS client key. But as I mentioned earlier in this post, my customer accidentally entered his MAK key on his terminal server master image. It was necessary to change the product key back to the KMS client key to activate Office against our Key Management Service Host. We didn't want to install Office again!


How can we do that?


First of all we need the Office 2010 KMS client key. These keys are public and can be found here: http://technet.microsoft.com/en-gb/library/ee624350.aspx



I DON'T POST ANY CUSTOMERS PRODUCT KEYS HERE! :-)



Now we need to change the product key back to the KMS client key. This is done with the command below on my terminal server.



cscript ospp.vbs /inpkey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx



Next I pointed Office at the Key Management Service Host by setting the FQDN of my server.



cscript ospp.vbs /sethst:KMShost.domain.int



And last but not least I activated Office with the following command.



cscript ospp.vbs /act


ospp.vbs can be found in the Office installation directory, normally something like %ProgramFiles%\Microsoft Office\Office14


Now you can check the activation request on the KMS server with cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864.
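The three ospp.vbs steps above as one script that first checks which kind of key the image currently has, as an added example that is not from this post. It assumes that ospp.vbs /dstatus prints a LICENSE NAME line containing "KMS_Client" for the KMS client key and "MAK" for a MAK key, and that the ospp.vbs success messages contain the word "successful" (both from observed output, not documented here); the KMS host name is the one used in the post and the product key stays a placeholder.

```powershell
# Added example, not from the post: switch a terminal server image from a MAK key
# back to the KMS client key and activate it, with a check up front.
# Assumptions: /dstatus output contains "KMS_Client" or "MAK" in the LICENSE NAME
# line, and ospp.vbs success messages contain "successful".
param(
    [string]$KmsHost      = 'KMShost.domain.int',             # host name used in the post
    [string]$KmsClientKey = 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'   # placeholder: public KMS client key from TechNet
)

# 32-bit Office 14 on 64-bit Windows lives under Program Files (x86).
$ospp = @("$env:ProgramFiles\Microsoft Office\Office14\ospp.vbs",
          "${env:ProgramFiles(x86)}\Microsoft Office\Office14\ospp.vbs") |
        Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $ospp) { throw 'ospp.vbs not found, is Office 2010 installed?' }

function Invoke-Ospp([string]$Argument) {
    # //nologo suppresses the cscript banner; output is echoed and returned as one string
    $out = & cscript.exe //nologo $ospp $Argument 2>&1
    $out | ForEach-Object { Write-Host "  $_" }
    return ($out -join "`n")
}

$status = Invoke-Ospp '/dstatus'
if ($status -match 'KMS_Client') {
    Write-Host 'KMS client key already installed, skipping /inpkey'
} elseif ($status -match 'MAK') {
    Write-Host 'MAK key found on this image, switching back to the KMS client key'
    if ((Invoke-Ospp "/inpkey:$KmsClientKey") -notmatch 'successful') { throw '/inpkey failed' }
} else {
    throw 'Could not tell the installed key type from the /dstatus output'
}

if ((Invoke-Ospp "/sethst:$KmsHost") -notmatch 'successful') { throw '/sethst failed' }
if ((Invoke-Ospp '/act') -notmatch 'successful') {
    # Below the activation threshold (5 Office clients) the KMS host will not activate
    throw 'Activation failed, check slmgr.vbs /dlv on the KMS host and the client count'
}
```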


That should be it.


Have a nice weekend.



Chris

Friday, 29 October 2010

Exchange 2010 Setup fails when trying to install additional Exchange role


Hi there…

My name is Christian Lechner. I'm a consultant at Cellent AG (http://www.cellent.de), a German IT service provider.

The main part of my work is messaging with Microsoft Exchange and identity management with Microsoft ILM 2007 or FIM 2010, along with the necessary IT infrastructure products around them (Active Directory, DNS, DHCP and so on…).

My first post is about a problem I had with a customer of mine when trying to install an additional Exchange role on an existing Exchange 2010 server. I started by installing a clean Windows Server 2008 R2 Enterprise server with all available Windows Updates. After that I installed Exchange 2010 (without any Service Pack) with the Mailbox, Hub Transport and Client Access roles. Everything was working well and the server was serving clients and users as expected. At the end of August, with the RTM of Exchange 2010 SP1, we updated the server from an installation source downloaded directly from the Microsoft website (http://www.microsoft.com/downloads/en/details.aspx?familyid=50B32685-4356-49CC-8B37-D9C9D4EA3F5B&displaylang=en) without any problems.

A few weeks later the customer decided to try Exchange 2010 Unified Messaging. No problem, I thought. I took the SP1 installation source downloaded from Microsoft (extracted to C:\Users\Administrator\Downloads) and started the setup. I ended up with a very strange error.


The Exchange 2010 DVD (without SP1) was still in the DVD drive of the server.

I couldn't get rid of this error until I started the setup from an SP1 DVD. The Exchange 2010 SP1 setup always looks for the same source drive and folder the original installation came from.

You can find a video of my installation on YouTube. Don't worry, it's from my lab and not from the customer's installation. :-)

Happy weekend

Chris