At this point I’m going to assume you know that there are Standard Exchange CALs/SALs and Enterprise Exchange CALs/SALs, and that you know the difference! If you’re unsure, see my comments here.
With older versions of Exchange (2010/2007 etc.) you could get this information from the GUI. Now you need to use some PowerShell.
Solution
The two commands you want to use are;
Find Out How Many Exchange Standard CALs / SALs Are Required
On a Domain Controller you will get Group Policy Management listed (by default) under Administrative Tools. But if you have a ‘Management Server’ or a ‘Jump Box’ that you want to install the tool onto (without making it a domain controller!) then do the following;
Option 1: Install GPMC with PowerShell
This is the quickest and simplest option! Open a PowerShell window and execute the following command;
[box]
Install-WindowsFeature -Name GPMC
[/box]
Note: For older servers (Windows Server 2012 and older) use the following commands instead.
I like to learn the keyboard shortcuts for this sort of thing (because developers will change the way things are done in the GUI). So in the good old days I simply ran msconfig, located the offending software on the startup list and disabled it. Then that got removed and put in ‘Task Manager’, then that got removed. So I’m pulling a frowny face at Microsoft developers for their lack of continuity 🙁 (It’s not just them, Cisco and VMware are just as bad!)
I’ve got an administration server I use (Server 2016), and it’s got a load of software on there that usually would not be on a server: Skype client, Citrix client etc. So how do I stop them autoloading?
Solution
Well, I could start digging around in the registry manually, but a much simpler option is to download and run Autoruns;
Either untick the offender, or right click and go to the source and manually disable it yourself.
Related Articles, References, Credits, or External Links
Massive thanks to Sysinternals and Mark Russinovich, who has been bailing me out of the mire for many years!
Life was simpler when we had DVD drives and a wallet full of CDs/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with UNetbootin and selected a Windows Server ISO; it wouldn’t boot. So I thought ‘Fine, I’ll play the game’ and pressed F10 for Intelligent Provisioning.
After selecting USB media, the system could not see my USB drive?
After a couple of seconds of head scratching the penny dropped: it wants the ISO, not a bootable drive (doofus!). So I used a FAT formatted USB and that didn’t work either?
Option 1: Use iLO
Before you all start emailing me: you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop to the iLO with a crossover cable, but here’s me proving it works.
Option 2: Use exFAT
Format your USB drive using exFAT; luckily I use macOS and Disk Utility will format a drive as exFAT for me.
Note: Windows will also format as exFAT 🙂
Then simply put your install .ISO file(s) on the media.
Now you can see your install media.
Option 3: Use the HP Media Creator
I didn’t try this option, but feel free to download it and give it a try; comment below to let me know how you get on.
The actual configuration of ADFS depends largely on what you intend to do with it. Here I’m using it to broker connections from my Microsoft Web Application Proxy. This article is just to ‘join the dots’ and covers just the installation of the role itself.
Solution
Before you start: make sure you have a certificate ready to use for ADFS. I typically use a wildcard cert for this; it’s better if you have purchased one, or if you use Certificate Services, here’s how to create a wildcard certificate.
Note: You can add adfs.{your-domain} to your wildcard as a SAN (Subject Alternative Name). Also add certauth.adfs.{your-domain}. Yes, even on a wildcard certificate!
For example: adfs.petenetlive.com and certauth.adfs.petenetlive.com.
You can either create a service account for ADFS to run under, or use a GROUP MANAGED SERVICE ACCOUNT.
What’s a Group Managed Service Account?
It’s an AD object that acts as a service account, and you don’t need to worry about entering a password for it.
Create a Group Managed Service Account
Before you can have a gMSA account you need a KDS Root Key in Active Directory; to set that up, execute the following command;
[box]
If you have only one domain controller;
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
If you have more than one domain controller;
Add-KdsRootKey -EffectiveImmediately
If you use the second option you must then WAIT 10 HOURS!
[/box]
Then go to a Domain Controller, and issue the following command;
In case you are interested, you will then see it appear in Active Directory.
Then ON the ADFS Server, run the following command;
[box]
setspn -a host/localhost {gMSA-Account-Name}
[/box]
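The whole gMSA procedure above (KDS root key, account creation, installing it on the ADFS box) as one script. This is an added example, not the article’s own commands; the account name svc-adfs, the host ADFS01 and the domain corp.example.com are assumptions, and the last step assumes WinRM and the AD PowerShell module are available on the ADFS server.

```powershell
# Added example (not the article's own commands): create a gMSA for ADFS end to end.
# Assumed names: gMSA 'svc-adfs', ADFS host 'ADFS01', domain 'corp.example.com'.
Import-Module ActiveDirectory

$GmsaName = 'svc-adfs'
$AdfsHost = 'ADFS01'
$DnsName  = 'adfs.corp.example.com'

# 1. A KDS root key must exist and be effective before any gMSA can be created.
$KeyId = (Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1).KeyId
if (-not $KeyId) {
    # Single-DC lab shortcut from the article; with several DCs use -EffectiveImmediately and wait 10 hours.
    $KeyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}
if (-not (Test-KdsRootKey -KeyId $KeyId)) {
    throw 'KDS root key is not effective yet; wait for replication before creating the gMSA.'
}

# 2. Create the gMSA. Only the ADFS server's computer account may retrieve the password:
#    keep this list tight, because any principal on it can obtain the account's credentials.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword "${AdfsHost}$" `
    -ServicePrincipalNames "host/$DnsName", "host/$GmsaName"

# 3. On the ADFS server: install the account locally and confirm it can fetch its password.
#    (Assumes WinRM and RSAT-AD-PowerShell on ADFS01.)
Invoke-Command -ComputerName $AdfsHost -ScriptBlock {
    param($Name)
    Install-ADServiceAccount -Identity $Name
    Test-ADServiceAccount -Identity $Name   # $true means the password was retrieved OK
} -ArgumentList $GmsaName
```

If Test-ADServiceAccount returns $false, the usual cause is that the computer account is not in the PrincipalsAllowedToRetrieveManagedPassword list or the server has not rebooted since being added to a group used there.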
Deploying Active Directory Federation Services
Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Active Directory Federation Services > Accept all the defaults and install the role.
Launch the configuration wizard > Create the first federation server in a federation farm > Next.
I’m setting this up while logged on as the domain administrator, so I’ll use that account to connect to AD > Next.
WARNING: If you use a wildcard cert like me it will choose the name *.{domain-name}. THIS IS BAD! Change the federation service name to something sensible, like adfs.domain.com. The ‘Federation Service Display Name’ is what will be shown to the users as they authenticate. > Next.
Make sure the federation server DNS name can be resolved in DNS! Remember, if your Web Application Proxy server is in your DMZ, or outside the firewall, it will also need to be able to resolve this name (I put them in the ‘hosts’ file on my DMZ servers for this reason).
Enter your Group Managed Service Account (created above) > Next.
Create a database. (Note: if you are reinstalling it will discover any existing databases and ask if you want to overwrite them) > Next.
Next
Configure.
Close. (Note: I’ve got some warnings but all is well, trust me!)
To test, open a web browser and go to https://{FQDN-Of-FS-Service}/adfs/ls/idpinitiatedsignon and log in.
Note: If using Server 2016 or Server 2019 you have to enable this, or it will error! See the link below.
At this point, how you proceed depends on what you are using Active Directory Federation Services for. You would set up either a relying or a claims provider trust next.
As said above I’m using this for Web Application Proxy. When that article is complete, I’ll put the link at the bottom of this article.
Related Articles, References, Credits, or External Links
I was setting up ADFS in Server 2019 today, and once I have all the basics set up I like to go to https://{server-fqdn}/adfs/ls/IdpInitiatedSignon to test, but this happened;
The resource you are trying to access is not available. Contact your administrator for more information.
Error details
Activity ID: 3c53140c-cff3-4b59-0900-0080010000d4
Error details: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
Node name: 8d53ee58-2a75-42c1-ac37-88c7bc00ce97
Error time: Thu, 02 May 2019 12:35:56 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
Solution
At first I thought I’d broken something or forgotten to tick a tick box! But it seems this was turned off in Server 2016. You need to enable it on the ADFS server.
I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.
Disable Domain Users in Bulk from CSV
Well, firstly you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here, for testing, I just loaded a few in manually;
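A bulk-disable script of the kind described above, added here as an example (it is not the article’s own script). It assumes a CSV with a SamAccountName header column; the sample rows it writes to C:\Temp are constructed for a dry run, and it stays in WhatIf mode until you flip $DryRun.

```powershell
# Added example, not the article's own script: disable every AD user listed in a CSV.
# Assumes a CSV with a 'SamAccountName' header column; the sample rows below are constructed.
Import-Module ActiveDirectory

$CsvPath = 'C:\Temp\DisableUsers.csv'
$LogPath = 'C:\Temp\DisableUsers.log'

# Constructed sample input so the script can be dry-run in a lab domain.
@'
SamAccountName
jbloggs
asmith
nobody-here
'@ | Set-Content -Path $CsvPath

# Leave $DryRun as $true for the first pass and read the log; flip it once the CSV is right.
$DryRun = $true

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogPath -Append
}

foreach ($Row in Import-Csv -Path $CsvPath) {
    $Sam = ($Row.SamAccountName).Trim()
    if (-not $Sam) { continue }

    # -Identity throws on an unknown account, so catch it rather than building a filter string.
    try   { $User = Get-ADUser -Identity $Sam -Properties Enabled }
    catch { Write-Log "SKIP  $Sam not found in AD"; continue }

    if (-not $User.Enabled) { Write-Log "SKIP  $Sam already disabled"; continue }

    # Disable the account and stamp the description so the change is traceable afterwards.
    Disable-ADAccount -Identity $User -WhatIf:$DryRun
    Set-ADUser -Identity $User -Description "Disabled $(Get-Date -Format d) by bulk script" -WhatIf:$DryRun
    Write-Log "DONE  $Sam disabled (DryRun=$DryRun)"
}
```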
While replacing a server, I copied over some scripts (batch files) the client was using to back up some data. I scheduled them on the new server, but noticed they were finishing with a status of 0x1 (and not actually backing anything up!)
Solution
Edit the properties of the job > General Tab > Tick “Run with the highest privileges”.
Note: You can also tick “Do not store password. This task will only have access to local computer resources” if the process is only running on this machine.
Actions > Select the Action and edit it > Change the ‘Start In’ section so that it points to the folder the script is in > OK > Apply > OK.
Rerun the job and it should complete with a 0x0 status (successful).
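The same two fixes (highest privileges and a ‘Start In’ folder) applied from PowerShell instead of the GUI, as an added example rather than the article’s own task. The task name, script path and 02:00 trigger are assumptions; the script is registered under the current user.

```powershell
# Added example (not the article's task): register a batch backup job with both fixes applied.
# Task name, script path and schedule are assumptions.
$TaskName   = 'Nightly Backup'
$ScriptDir  = 'C:\Scripts\Backup'
$ScriptFile = 'backup.cmd'

# 'Start In' equivalent: relative paths inside the batch file now resolve against $ScriptDir.
$Action = New-ScheduledTaskAction -Execute "$ScriptDir\$ScriptFile" -WorkingDirectory $ScriptDir

$Trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# RunLevel Highest = 'Run with the highest privileges'.
# LogonType S4U    = 'Do not store password'; fine while the script only touches local resources.
#                    Use -LogonType Password (and supply credentials) if it writes to a network share.
$Principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType S4U -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Force | Out-Null

# Run it once and read the last result: 0 is success, 1 (0x1) is the failure from the article.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
(Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
```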
Related Articles, References, Credits, or External Links
This might seem like an odd title for an article here at PNL, but I’m going to use this page as a place to put all the commands I’m sick of Googling for and/or working out every time I do an Exchange job.
So as with all the posts here, it’s here for my benefit, and if anyone else gets something from it, great!
I’m without access to all my test equipment at the moment, so when I needed to do some testing I thought I’d use Hyper-V on my new work laptop. I needed to ‘knock up’ a quick vSwitch that would NAT my test machines to my laptop’s connected NIC.
Solution
Open an administrative PowerShell window and execute the following three commands. Note: You can change the values in RED to suit your own requirements, or leave them as they are to copy my network setup.
As far as Hyper-V is concerned that’s it! Now simply connect your virtual machines to the new switch.
Remember you have a NAT switch; it’s not doing DHCP, so you will need to assign your virtual machines static IP addresses, though you can of course configure a DHCP server on one of your virtual machines.
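The NAT vSwitch setup described above as a re-runnable script. This is an added example and not the article’s own three commands; the switch name, the NAT name and the 192.168.200.0/24 range are assumptions, and it checks for existing objects first because Windows allows only one NetNat per host.

```powershell
# Added example (not the article's commands): internal vSwitch that NATs guest traffic out
# through the laptop's NIC. Switch name, NAT name and 192.168.200.0/24 are assumptions.
$SwitchName = 'NATSwitch'
$GatewayIp  = '192.168.200.1'
$Prefix     = '192.168.200.0/24'
$NatName    = 'NATNetwork'

# 1. Internal switch: guests and the host can see it, but it has no uplink of its own.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}

# 2. The host-side vNIC gets the gateway address the guests will point at.
$IfIndex = (Get-NetAdapter -Name "vEthernet ($SwitchName)").ifIndex
if (-not (Get-NetIPAddress -InterfaceIndex $IfIndex -IPAddress $GatewayIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -IPAddress $GatewayIp -PrefixLength 24 -InterfaceIndex $IfIndex | Out-Null
}

# 3. WinNAT translates the whole prefix. Only one NetNat is supported per host, so check first.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# Verify. Guests need a static IP inside $Prefix with $GatewayIp as their default gateway (no DHCP).
Get-VMSwitch -Name $SwitchName | Format-List Name, SwitchType
Get-NetNat -Name $NatName | Format-List Name, InternalIPInterfaceAddressPrefix, Active
```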
Related Articles, References, Credits, or External Links