How to change the Directory Restore Safe Mode (DSRM) administrator password on a Windows Server 2003 Domain Controller?

The Directory Restore Safe Mode (DSRM) administrator password is set during the promotion process for the domain controller. To change this password, you can use the Microsoft NTDSUTIL tool.

 

Steps to reset DSRM password

  • Click Start and Run.
  • Type ntdsutil and click OK.
  • Type the following command: set dsrm password.
  • Type one of the following commands:

    1. reset password on server null - to change password on the local server.

    2. reset password on server <servername> - to change the password for another server (<servername> is the DNS name of the server)

  • At the DSRM command prompt, type: q.
  • At the NTDSUTIL command prompt, type: q.

How to create custom reports in System Center Configuration Manager 2007?

Microsoft has published a new guide to custom reports in System Center Configuration Manager 2007. The documentation package “Creating Custom Reports By Using Configuration Manager 2007 SQL Views” is now available for download: http://www.microsoft.com/downloads/details.aspx?FamilyId=87BBE64E-5439-4FC8-BECC-DEB372A40F4A&displaylang=en

 

Package CreatingCustomReportsByUsingSQLViews.msi includes the following files:

  • Before You Use – Readme document (BeforeYouUse_Readme.doc)
  • Using Configuration Manager 2007 SQL Views to Create Custom Reports help file (CM2007CustomReports.chm)
  • Configuration Manager 2007 SQL View Schema Microsoft Visio document (CM2007SQLViewsSchema.vsd)
  • Configuration Manager 2007 SQL Views Excel spreadsheet (CM2007SQLViews.xls)

How to create a new SQL object (function, view) for custom reports in SCCM 2007?

When you want to create a custom report in System Center Configuration Manager 2007, you can use existing objects in the SCCM SQL database, or you can create new SQL objects using SQL Server Management Studio.

 

1. Create a new SQL object

  • Open SQL Server Management Studio
  • Use Object Explorer: [Server name] > Databases > [SCCM Database] > (click the right mouse button) New Query
  • Create your new object by using SQL query (for example view, function)

 

2. Add permission for created object

SQL Function:

  • Use Object Explorer: [Server name] > Databases > [SCCM Database] > Programmability > Functions > [Your function] > (click the right mouse button) > Properties
  • Select Permissions and click the Add… button
  • Add the smsschm_users role (Database role) with permissions: Execute (Grant)
  • Add the webreport_approle role (Application role) with permissions: Execute (Grant)

SQL View:

  • Use Object Explorer: [Server name] > Databases > [SCCM Database] > Programmability > Functions > [Your function] > (click the right mouse button) > Properties
  • Select Permissions and click the Add… button
  • Add the smsschm_users role (Database role) with permissions: Select (Grant)
  • Add the webreport_approle role (Application role) with permissions: Select (Grant)

  


How to generate a certificate request (CSR) using OpenSSL?


 

We want to get an official SSL certificate from a well-known public Certificate Authority (CA). To do so, we have to generate a certificate request, for example using OpenSSL.

 

Steps to request a certificate - generating a CSR file (Certificate Signing Request)

1. Creating a private key
You need to create a private key before you create a certificate or a certificate request.

  • Use command line
  • Navigate to folder with OpenSSL (default: “C:\Program Files\OpenSSL\bin”)
  • Do one of the following:
    - Generate a private key with password. Type the following command:
    openssl genrsa -des3 -out MyKey.key 1024
    - Generate a private key with no password (not recommended solution). Type the following command:
    openssl genrsa -out MyKey.key 1024

IMPORTANT: Keep the private key in a safe place and back up the file. Your certificate can only be used together with this private key.

 

2. Creating the CSR file

  • Use command line
  • Type the following command:
    openssl req -new -key MyKey.key -out YourCSR.csr

You have to enter the following information:

  • Country Name (C) - The two-letter ISO abbreviation for your country. [US],
  • State or Province Name (ST) - The state or province where your organization is located. [Arizona],
  • Locality Name (L) - The city where your organization is located. [Phoenix],
  • Organization Name (O) - The exact legal name of your organization. [My Company Inc.],
  • Organizational Unit Name (OU) - Optional for additional organization information. [IT Department],
  • Common Name (CN) - Since this is your root certificate. [mydomain.com],
  • Email Address - The email address for the CA (who to contact) [info@mydomain.com],
  • Additional attributes - [Enter],
  • A challenge password - [Enter],
  • An optional company name - [Enter]

 

3. Private key verification

  • Use command line
  • Type the following command:
    openssl rsa -noout -text -in MyKey.key

 

4. CSR-file verification

  • Use command line
  • Type the following command:
    openssl req -noout -text -in YourCSR.csr

 

5. Viewing CSR-file contents

The CSR file is a text file: Base64-encoded data enclosed between a -----BEGIN CERTIFICATE REQUEST----- line and an -----END CERTIFICATE REQUEST----- line.

 

6. Sending CSR-file to the official commercial CA.
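
Steps 1 to 4 can be run without prompts and turned into pass/fail checks before the CSR is sent to the CA. The script below is an added example, not part of the original post: it goes beyond the steps above by confirming that the CSR's self-signature verifies, that the CSR carries the public half of MyKey.key, and that the key meets a minimum size (2048 bits here rather than the 1024 used above, since public CAs no longer accept 1024-bit RSA keys). The function names, the KEY_PASS variable and the passphrase value are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page). File names follow the page;
# KEY_PASS, make_csr and check_csr are names assumed for this sketch.

# Steps 1-2 without prompts: encrypted private key, then the CSR.
# $1 = directory, $2 = RSA key size in bits, $3 = subject string
make_csr() {
    ( umask 077   # key file readable by its owner only
      openssl genrsa -aes256 -passout env:KEY_PASS \
          -out "$1/MyKey.key" "$2" 2>/dev/null ) || return 1
    openssl req -new -key "$1/MyKey.key" -passin env:KEY_PASS \
        -subj "$3" -out "$1/YourCSR.csr" 2>/dev/null
}

# Steps 3-4 as pass/fail checks.
# $1 = key file, $2 = CSR file, $3 = minimum acceptable key size in bits
check_csr() {
    # 1. The CSR's self-signature must verify.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The CSR must carry the public half of this private key.
    key_mod=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus 2>/dev/null) || return 1
    csr_mod=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ] || return 1
    # 3. The key must be at least the required size.
    bits=$(openssl req -in "$2" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$3" ]
}

# Demo run in a throwaway directory; passphrase and subject are constructed.
export KEY_PASS='constructed-demo-passphrase'
demo=$(mktemp -d)
make_csr "$demo" 2048 '/C=US/ST=Arizona/L=Phoenix/O=My Company Inc./CN=mydomain.com'
if check_csr "$demo/MyKey.key" "$demo/YourCSR.csr" 2048; then
    echo "CSR matches MyKey.key and meets the 2048-bit minimum"
fi
rm -rf "$demo"
```

Passing the passphrase through an environment variable keeps it out of the process argument list; in real use, set it from a prompt rather than in the script.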

Generating SSL Certificates for ISA Server 2006 - Microsoft Exchange Server 2007 services: OWA, ActiveSync, OutlookAnywhere


 

We need certificates to publish internal Exchange 2007 services (such as OWA, ActiveSync, OutlookAnywhere) using Microsoft ISA 2006. We want to get a private SSL certificate from an internal Certification Authority (CA). To do so, we have to generate a certificate request, for example using the Exchange Management Shell, an Exchange Server 2007 tool built on Microsoft Windows PowerShell technology.

 

1. Creating a certificate request (CSR) for ActiveSync service using Exchange Management Shell

- Logon to the Exchange Server 2007
- Start Exchange Management Shell
- Type the following cmdlet:
New-ExchangeCertificate -GenerateRequest -Path c:\activesync.mydomain.com.csr -KeySize 1024 -SubjectName "CN=activesync.mydomain.com, O=My Company Inc., L=Phoenix, S=Arizona, C=US" -PrivateKeyExportable $True

 

2. Viewing CSR-file contents

The CSR file is a text file with Base64-encoded content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.

 

3. Uploading the certificate request to local CA by using the Certificate Web Enrollment Services

- Start Internet Explorer
- Browse to: http://<server name>/certsrv
- Select “Request a Certificate”
- Next
- Select “Advanced Certificate Request”
- Next
- Select “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file…”
- Paste the contents of the CSR file “activesync.mydomain.com.csr” into the first field
- Select “Web Server” as “Certificate Template”
- Submit
- Select “Base 64 Encoded” and “Download certificate”
- Save the file with the “CER” extension on the local disk

 

4. Importing the certificate using Exchange Management Shell

- Start Exchange Management Shell
- Type the following cmdlet:
Import-ExchangeCertificate -Path "c:\activesync.mydomain.com.cer"

 

5. Certificate verification using Exchange Management Shell

- Start Exchange Management Shell
- Type the following cmdlet:
Get-ExchangeCertificate | fl

 

6. Exporting the certificate to PFX-file

- Start > Run… > mmc > Add Snap-in > Select Certificates
- Select “Computer Account”
- Select “Local Computer…”
- Select from certificates list “activesync.mydomain.com” and open
- Select “Details” tab and “Copy to file”
- Select “Yes, Export the Private Key”
- Select “Personal Information Exchange” with options: “Include all certificates in the certification path if possible”, “Enable strong password…”
- Enter password
- Save the SSL certificate with the “PFX” extension on the local disk

 

7. Importing the private SSL-certificate into ISA 2006 server

- Copy SSL-certificate “activesync.mydomain.pfx” to ISA 2006 server
- Logon to the ISA Server
- Import the certificate PFX-file using “Certificates” Snap-in

Deploying SCCM 2007 clients via GPO


1. Import the Configuration Manager 2007 Group Policy ADM template
Start Group Policy Management
Create a new Group Policy Object called SCCM Installation Policy
Edit SCCM Installation Policy and import ConfigMgr2007Installation.adm
(You can find the ConfigMgr2007Installation.adm template in the folder TOOLS\ConfigMgrADMTemplates\)

2. Configure Configuration Manager 2007 Group Policy
In the Group Policy Object Editor, browse to the Configuration Manager 2007 Client policy. Double-click to open the Configure Configuration Manager 2007 Client Deployment Settings policy.
Enable the policy and then in the CCMSetup field, enter SMSSITECODE= SMSSLP=SCCMserver FSP=SCCMserver
Add a new package in the Software Installation section of the Group Policy Object Editor.
Browse to \\SCCMserver\CCMSetup
Select ccmsetup.msi and verify that Assigned is selected.
In the Group Policy Management console, link the SCCM Installation Policy to the OU.
Open Active Directory Users and Computers and move the computers to the proper OU.

How to install new Exchange Server 2007 on Windows Server 2008

If you are deploying a new Exchange organization, and you are preparing your Active Directory schema and domain by using a computer running Windows Server 2008, you must first install the Active Directory Domain Services remote management tools on Windows Server 2008.
To install ADDS remote management tools run command:

ServerManagerCmd -i RSAT-ADDS

 
Next you must install Windows PowerShell.

To install Windows PowerShell run command:

ServerManagerCmd -i PowerShell

 
 Preparing Active Directory and Domains for Exchange 2007

setup /PrepareSchema

setup /PrepareAD /OrganizationName:contoso

 
To install the Windows Server 2008 operating system prerequisites for a computer that will host the Hub Transport, Client Access, and Mailbox server roles, you must run all of these commands:

ServerManagerCmd -i Web-Server

ServerManagerCmd -i Web-ISAPI-Ext

ServerManagerCmd -i Web-Metabase

ServerManagerCmd -i Web-Lgcy-Mgmt-Console

ServerManagerCmd -i Web-Basic-Auth

ServerManagerCmd -i Web-Digest-Auth

ServerManagerCmd -i Web-Windows-Auth

ServerManagerCmd -i Web-Dyn-Compression

ServerManagerCmd -i RPC-over-HTTP-proxy

Installation Exchange 2007 SP1 on Windows Server 2008

Remember: if you are deploying Exchange on Windows Server 2008, you must use Exchange Server with Service Pack 1.

Step 1. Run setup.exe file.

Step 2. On the Introduction page click Next.

Step 3. On the License Agreement page read the license agreement, select I ACCEPT the terms in License Agreement, and then click Next.

Step 4. On the Error Reporting page select YES, and then click Next.

Step 5. On the Installation Type page select Typical Exchange Server Installation, and then click Next.

Step 6. If you have any client computers running Outlook 2003 or earlier select YES, and then click Next.

Step 7. On the Readiness Checks page click Install.

Step 8. On the Completion page click Finish.

Error on Exchange 2007 when importing mailbox data from a .PST file to a mailbox

When you import mailbox data from a .PST file to a mailbox using the Exchange Management Shell console, you may see this error:

Import-Mailbox : Error occurred in the step: Moving messages. Failed to copy messages to the destination mailbox store with error: MAPI or an unspecified service provider. ID no: 00000000-0000-00000000

 

To fix this, grant the administrator permission on the user's mailbox:
 
Get-Mailbox -Identity albert.black@company.pl | Add-MailboxPermission -User Administrator -AccessRights FullAccess

 


Exchange 2007 – Opening the other mailbox via OWA

The methods described here concern access to a user mailbox on a Microsoft Exchange 2007 mail server. We assume that our user has the proper privileges to open the mailbox for this profile.

 

To open the mailbox of a certain user or joint users, you can use one of the following methods:

1. Login to your own account on OWA, for example:

https://owa.company.local/owa and open the other user mailbox with OWA menu. Your mailbox name will be displayed in the upper right-hand corner, with a drop-down menu. Click on your name and type the name of the other mailbox.

 

2. Login to your own account on OWA, for example:

https://owa.company.local/owa and after login use Web browser and type: https://<owa address>/<e-mail address>, for example: https://owa.company.local/owa/Albert.Black@company.local

 

3. In case of Microsoft Outlook 2003 - Run Outlook and choose from menu:
Tools -> E-mail accounts -> [Next] -> [Change…] -> [More options…] -> Tab – Advanced -> [Add…] -> <name of the other mailbox>

 

4. In case of Microsoft Outlook 2007 - Run Outlook and choose from menu:
Tools -> Accounts settings… -> Tab – E-mail -> Choose your account -> [Change…] -> [More settings...] -> Tab - Advanced -> [Add...] -> <name of the other mailbox>

Active Directory user logon script

You can assign a logon script to a particular user or configure it through Group Policy. To assign it to a user, use the “Profile” tab of the user's properties in the Active Directory console (ADUC). This applies to workstations running operating systems such as Windows 95, Windows 98, Windows ME and Windows NT. A Group Policy script allows a user logon script to be configured for operating systems from Windows 2000 upwards.

The following VBS user logon script allows you to:

1. Map network disks
2. Conditional mapping – it regards belonging to a certain Active Directory security group
3. Making shortcuts on the Desktop
4. Adding Network printers

 

'=============================
' Easy Active Directory user logon script (.vbs)
'=============================
Option Explicit
On Error Resume Next
Dim wshNetwork
Dim wshShell
Dim objShell
Dim userLink
Dim userDesktop
Dim userGroup
Set wshNetwork = CreateObject("Wscript.Network")
Set wshShell = CreateObject("Wscript.Shell")
Set objShell = CreateObject("Shell.Application")

'------------
' Disk mapping
'------------
' Map R: persistently and give the drive a friendly label
wshNetwork.MapNetworkDrive "R:", "\\Server1\CompanyDocuments", True
objShell.NameSpace("R:").Self.Name = "CompanyDocuments"

'------------------------------------------------------------
' Mapping only if User is a member of a certain security group
' (relies on an IsMember(groupName) function defined elsewhere in the script)
'------------------------------------------------------------
userGroup = "ProjectTeam"
If (IsMember(userGroup) = True) Then
 wshNetwork.MapNetworkDrive "P:", "\\Server1\Projects", True
 objShell.NameSpace("P:").Self.Name = "Projects"
End If

'-------------------------------
' Making shortcuts on the desktop
'-------------------------------
userDesktop = wshShell.SpecialFolders("Desktop")
Set userLink = wshShell.CreateShortcut(userDesktop & "\CompanyDocuments.lnk")
userLink.TargetPath = "R:"
userLink.Save
Set userLink = wshShell.CreateShortcut(userDesktop & "\Outlook.lnk")
userLink.TargetPath = "C:\Program Files\Microsoft Office\Office12\outlook.exe"
userLink.Save

'-----------------------------------
' Conditional add of network printers
'-----------------------------------
userGroup = "HP-Printer"
If (IsMember(userGroup) = True) Then
 wshNetwork.AddWindowsPrinterConnection "\\Server2\HP-Printer"
End If
userGroup = "EPSON-Printer"
If (IsMember(userGroup) = True) Then
 wshNetwork.AddWindowsPrinterConnection "\\Server2\EPSON-Printer"
End If