Can I ‘Shrink’ My Exchange Database?

KB ID 0001706

Problem

Saw this asked in a forum today, and my response was;

It never gets smaller: if you delete things out of it, that just creates more ‘whitespace’ within the database, unless you;

a) Take it offline, and defragment it using eseutil.
b) Move the mailboxes out of it, to another database and delete it.

Which is true, but even Microsoft say you should not need to defragment a database! Before you do anything make sure you have a good backup of Exchange and the mailbox databases!

Defragment an Exchange Database

Stop! Why are you doing this? If it’s because you are running out of room, then migrating mailboxes out of a database into another database on another piece of storage with more room is what you should be doing, and it does not involve long periods of downtime!

If you have just deleted hundreds of GB from a mailbox database, you simply want to compress the DB, and you have a BIG window for downtime (allow 1 hour for every 9GB of database size), then you are in about the only use case scenario I can think of for wanting to do this!

Before you start: this process creates a temporary mailbox database (you need to tell it where); if you are pressed for room, I suggest you add another volume/drive and put it there (though in my example I have room in the same folder). Allow for the entire database’s existing size plus ten percent to be on the safe side.

Let’s have a look, and see how much room we might be able to reclaim (whitespace);

[box]

Get-MailboxDatabase -Status | Select Name, DatabaseSize, AvailableNewMailboxSpace

[/box]
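The same query, expanded into a small report: this is an added example, not the article’s own command. It applies the article’s rule of thumb (1 hour per 9GB for eseutil) and its advice to allow the existing size plus ten percent for the temporary database, so you can see the cost of a defrag before deciding. It assumes an Exchange Management Shell session; the 10% “worth doing” threshold is an assumption of mine, not a figure from the article.

```powershell
# Added example (not the article's own command): report whitespace per mailbox
# database and estimate what an offline eseutil /d would need, using the
# article's rule of thumb (1 hour per 9 GB) and temp-space allowance (size + 10%).
# Assumes an Exchange Management Shell session. The 10% threshold is an assumption.
function Get-MailboxDatabaseWhitespaceReport {
    param(
        [double]$HoursPerGB      = 1 / 9,   # article: allow 1 hour per 9 GB of database
        [double]$TempSpaceFactor = 1.10,    # article: existing size plus ten percent
        [double]$WorthItPercent  = 10       # assumption: below this, leave the DB alone
    )
    Get-MailboxDatabase -Status | ForEach-Object {
        # DatabaseSize / AvailableNewMailboxSpace are ByteQuantifiedSize objects and
        # are empty when the database is dismounted, hence the null checks.
        $sizeGB = if ($_.DatabaseSize) { $_.DatabaseSize.ToBytes() / 1GB } else { 0 }
        $freeGB = if ($_.AvailableNewMailboxSpace) { $_.AvailableNewMailboxSpace.ToBytes() / 1GB } else { 0 }
        $pct    = if ($sizeGB -gt 0) { 100 * $freeGB / $sizeGB } else { 0 }
        [pscustomobject]@{
            Name              = $_.Name
            Mounted           = $_.Mounted
            DatabaseSizeGB    = [math]::Round($sizeGB, 2)
            WhitespaceGB      = [math]::Round($freeGB, 2)
            WhitespacePercent = [math]::Round($pct, 1)
            EstDefragHours    = [math]::Round($sizeGB * $HoursPerGB, 1)
            TempSpaceNeededGB = [math]::Round($sizeGB * $TempSpaceFactor, 1)
            Suggestion        = if ($pct -lt $WorthItPercent) { 'Little to reclaim' }
                                else { 'Move mailboxes to a new DB; defrag only with a downtime window' }
        }
    } | Sort-Object WhitespaceGB -Descending
}

Get-MailboxDatabaseWhitespaceReport | Format-Table -AutoSize
```

EstDefragHours is the downtime you are signing up for if you go the eseutil route; TempSpaceNeededGB is what the /t location must have free before you start.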

The database has to be dismounted before you can run Eseutil on it (downtime starts here).

[box]

Dismount-Database "Database Name"

Eseutil /d "C:\Folder\DatabaseName.edb" /t "T:\Folder\TempDB.edb"

[/box]

When complete, mount the datastore again, (downtime ends here).

[box]

Mount-Database "Database Name"

[/box]

Hopefully you should see the whitespace has decreased.

Don’t forget to set off a full backup of the store as soon as it’s back online.

Move Mailboxes To Another Exchange Database (To Reclaim Space)

This is the much more elegant solution: create a shiny new database, move everything from the old database into the new one, and delete the old database.

Will This Impact My Users? Any user using their mailbox while it is getting moved won’t be affected until the move is complete; then they will see a popup that looks like;

The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook.

Cool eh! So let’s start by creating a New Mailbox Database.

[box]

New-MailboxDatabase -Name "New Database Name" -EdbFilePath C:\Folder\DB-Name.edb -LogFolderPath C:\Folder\Folder\

[/box]

Make sure you follow the advice and restart the information store, (yes you can mount the new DB and proceed, but Exchange does not allocate the resources correctly if you do this).

[box]

Restart-Service MSExchangeIS

[/box]

Let’s move our ‘Normal’ mailboxes to the new DB.

[box]

Get-Mailbox -ResultSize Unlimited | New-MoveRequest -TargetDatabase "Target Database Name"

[/box]

Depending on how many (and how large) mailboxes there are this can take a while (days for large databases!). When they’ve all completed you need to remove the move requests, (if you have any failures, or speed issues, use the search box above; I’ve had to cope with thousands of these things not working correctly in my time!)

Let’s assume we are all moved, so we want to remove the move requests.

[box]

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

[/box]

Now let’s see if we have any Arbitration Mailboxes; we do, so let’s shift them;

[box]

Get-Mailbox -Database "Source Database Name" -Arbitration

Get-Mailbox -Database "Source Database Name" -Arbitration | New-MoveRequest -TargetDatabase "Target Database Name"

[/box]

Again, when complete, remove the move requests.

[box]

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

[/box]

Now let’s see if we have any AuditLog Mailboxes; we do, so let’s shift them;

[box]

Get-Mailbox -Database "Source Database Name" -AuditLog

Get-Mailbox -Database "Source Database Name" -AuditLog | New-MoveRequest -TargetDatabase "Target Database Name"

Get-MoveRequest | Get-MoveRequestStatistics

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

[/box]

Now let’s see if we have any Archive Mailboxes; we do NOT, so I will skip them. Let’s check for Monitoring Mailboxes; we have those, so let’s move them;

[box]

Get-Mailbox -Database "Source Database Name" -Archive

Get-Mailbox -Database "Source Database Name" -Monitoring

Get-Mailbox -Database "Source Database Name" -Monitoring | New-MoveRequest -TargetDatabase "Target Database Name"

[/box]

And clean those up as before.

[box]

Get-MoveRequest | Get-MoveRequestStatistics

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

[/box]

Finally let’s see if we have any Public Folder Mailboxes; we have one of those, so let’s move that;

[box]

Get-Mailbox -Database "Source Database Name" -PublicFolder

Get-Mailbox -Database "Source Database Name" -PublicFolder | New-MoveRequest -TargetDatabase "Target Database Name"

[/box]

We now need to remove the ‘Source’ Database, but first we need to dismount it.

[box]

Dismount-Database "OLD Database Name"

Remove-MailboxDatabase -Identity "OLD Database Name"

[/box]
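The whole move, from queuing the regular mailboxes through to the special mailbox types and the cleanup of move requests, as one script. This is an added example and not the article’s own commands: it assumes an Exchange Management Shell session, and OLD-DB and NEW-DB are placeholders for your source and target database names. Unlike the article’s steps it moves archive mailboxes with -ArchiveOnly, since a primary-mailbox move request does not relocate the archive.

```powershell
# Added example (not the article's own commands): move every mailbox type the
# article walks through (regular, arbitration, audit log, monitoring, public
# folder, plus archives) out of one database into another, wait for the moves,
# then clear only the completed move requests. Assumes an Exchange Management
# Shell session; "OLD-DB" and "NEW-DB" are placeholders for your database names.
function Move-AllMailboxesToDatabase {
    param(
        [Parameter(Mandatory)][string]$SourceDatabase,
        [Parameter(Mandatory)][string]$TargetDatabase,
        [int]$PollSeconds = 60
    )

    # Get-Mailbox hides the special mailbox types unless the matching switch is
    # given, which is why the article has to check for them one by one.
    $selectors = [ordered]@{
        Regular      = { Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited }
        Arbitration  = { Get-Mailbox -Database $SourceDatabase -Arbitration }
        AuditLog     = { Get-Mailbox -Database $SourceDatabase -AuditLog }
        Monitoring   = { Get-Mailbox -Database $SourceDatabase -Monitoring }
        PublicFolder = { Get-Mailbox -Database $SourceDatabase -PublicFolder }
    }
    foreach ($type in $selectors.Keys) {
        $mailboxes = @(& $selectors[$type])
        if ($mailboxes.Count -eq 0) { Write-Host "No $type mailboxes in $SourceDatabase"; continue }
        Write-Host "Queuing $($mailboxes.Count) $type mailbox move(s)"
        $mailboxes | New-MoveRequest -TargetDatabase $TargetDatabase | Out-Null
    }

    # Archives can sit in a different database from their primary mailbox, so
    # select on ArchiveDatabase and move only the archive part.
    $archives = @(Get-Mailbox -Archive -ResultSize Unlimited |
        Where-Object { $_.ArchiveDatabase -and $_.ArchiveDatabase.Name -eq $SourceDatabase })
    if ($archives.Count -gt 0) {
        Write-Host "Queuing $($archives.Count) archive move(s)"
        $archives | New-MoveRequest -ArchiveOnly -ArchiveTargetDatabase $TargetDatabase | Out-Null
    }

    # Poll until nothing is queued or in progress. Suspended or failed requests
    # drop out of the loop and get reported instead of being waited on forever.
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats  = @(Get-MoveRequest | Get-MoveRequestStatistics)
        $active = @($stats | Where-Object { $_.Status -in 'Queued', 'InProgress', 'CompletionInProgress' })
        Write-Host ("{0} of {1} move(s) still running" -f $active.Count, $stats.Count)
    } while ($active.Count -gt 0)

    # Failed requests keep their report for troubleshooting; only completed ones go.
    $stats | Where-Object { $_.Status -eq 'Failed' } |
        Select-Object DisplayName, Status, Message | Format-Table -AutoSize
    Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false

    # Anything still listed here will block Remove-MailboxDatabase on the source.
    Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited -ErrorAction SilentlyContinue |
        Select-Object DisplayName, RecipientTypeDetails
}

Move-AllMailboxesToDatabase -SourceDatabase 'OLD-DB' -TargetDatabase 'NEW-DB'
```

The final Get-Mailbox is the check to run before Dismount-Database and Remove-MailboxDatabase: if it prints anything, a mailbox is still homed in the source and the removal will be refused.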

I get an error message saying I can’t delete the database.

 

Related Articles, References, Credits, or External Links

NA

VMware vSphere – How to Import and Export OVF and OVA Files

KB ID 0000562

Problem

I prefer to think of OVF Templates as “Zip” files for Virtual Machines and Virtual Appliances, whereas the OVA file is the complete appliance pre-packaged. There are two things you will want to do with an OVF Template;

1. Export a VM to an OVF Template

2. Import an OVF Template (Note: VMware call this “Deploy an OVF Template”)

Note: There are tools for OVF templates for other VMware virtualisation products; this is just for vSphere / ESX.

Tech Note: I find it a lot simpler to do this from PowerCLI now, see the article below;

VMware: Export a VM to OVA With PowerCLI

Solution

Export a Virtual Machine to OVF (vSphere v6)

Note: Machine must be Powered Off and have No Snapshots!

Select the VM > Templates > Export OVF Template.

Change the name, annotation as required > OK.

Your files will be downloaded, (the location will depend on your browser settings!)

 

Export a Virtual Machine to OVF (vSphere v3, v4 and v5)

Note: Machine must be Powered Off and have No Snapshots!

1. Connect to your host with the VI client > With your virtual machine powered off > Select it > File > Export > Export to OVF Template.

2. Select a location to save the files to > OK.

3. Depending on the size of the VM this can take a while.

4. It will give you the following message when it’s finished.

5. Here are the files that it has created.

Import / Deploy an OVF Template to a Virtual Machine

HTML5 Web Client: You can select Deploy OVF Template from either the Cluster or Host Level.

Flash Web Client: If importing OVA or OVF files into vSphere via the vSphere Web client, you can import them at the vCenter, Host, or Cluster Level.

 

From this point forward: The procedure is the same for both Flash and HTML5 clients; I’ll show the process using the HTML5 client.

Choose Files > Navigate to and select ALL the applicable files > Next.

  

Give the new VM a name, and, (if applicable) select a folder to put it into > Next > Select a host to deploy to > Next.

Review details > Next > Choose the storage, (and optionally disk format) > Next.

Select the Port Group you want to connect the new VM to > Next > Again review the details > Finish.

 

Import / Deploy an OVF Template to a Virtual Machine (vSphere v3, v4 and v5)

1. To create a VM from an OVF template, connect to your host with the VI client > File > Deploy OVF Template.

2. Browse to the location that the .ovf file is stored > Next.

3. Read the details > Next.

4. Give the new VM a name > Next.

5. Select the disk format (Thick or Thin) you want the new VM to use.

What does Lazy Zeroed and Eager Zeroed Mean?

Data on disks is stored as a 1 (one) or a 0 (zero), so if all the blocks on the disk are set to zero, when you put data on the disk it only has half the work to do (i.e. write the ones). Eager Zeroed puts zeros on all the blocks on the disks straight away; Lazy Zeroed puts all zeroes in a block the first time the block is read.

6. Read the summary, and if you want to power on the VM on completion, tick the box > Finish.

7. Depending upon the amount of data this can take a while.

8. It will give you the following message when it’s finished.

9. And here is your VM, imported, powered up, and working.
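The export and import above, done from PowerCLI (the route the article’s Tech Note recommends). This is an added example, not the author’s script from the linked PowerCLI article: it enforces the two preconditions the article states (VM powered off, no snapshots) before exporting, and deploys with the disk format chosen in step 5. The vCenter name, VM names, host, datastore and paths are placeholders.

```powershell
# Added example (not from the original article): PowerCLI equivalents of the
# export and import steps above, with the article's preconditions enforced.
# Assumes the VMware.PowerCLI module is installed; names below are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local'   # placeholder vCenter

function Export-VMToOva {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Destination,   # folder to write the .ova into
        [ValidateSet('Ova', 'Ovf')][string]$Format = 'Ova'
    )
    $vm = Get-VM -Name $VMName
    # Article: machine must be powered off and have no snapshots
    if ($vm.PowerState -ne 'PoweredOff') { throw "$VMName must be powered off before export" }
    if (Get-Snapshot -VM $vm) { throw "$VMName has snapshots; remove them before export" }
    Export-VApp -VM $vm -Destination $Destination -Format $Format
}

function Import-OvaAsVM {
    param(
        [Parameter(Mandatory)][string]$Source,          # path to the .ova or .ovf
        [Parameter(Mandatory)][string]$Name,            # name for the new VM
        [Parameter(Mandatory)][string]$VMHostName,      # host to deploy to
        [Parameter(Mandatory)][string]$DatastoreName,   # storage to deploy onto
        # Thin = allocate on first write; EagerZeroedThick = zero every block up front
        [ValidateSet('Thin', 'Thick', 'EagerZeroedThick')][string]$DiskFormat = 'Thin'
    )
    $vmHost = Get-VMHost -Name $VMHostName
    $ds     = Get-Datastore -Name $DatastoreName
    Import-VApp -Source $Source -Name $Name -VMHost $vmHost -Datastore $ds -DiskStorageFormat $DiskFormat
}

# Usage (placeholders): export one VM, then redeploy it under a new name
Export-VMToOva -VMName 'TestVM' -Destination 'C:\Exports\'
Import-OvaAsVM -Source 'C:\Exports\TestVM\TestVM.ova' -Name 'TestVM-Copy' `
    -VMHostName 'esx01.example.local' -DatastoreName 'Datastore1' -DiskFormat Thin
```

Export-VApp writes a folder named after the VM under the destination, so the import path follows that layout; if the template needs its network mapped to a specific port group, Get-OvfConfiguration on the source file exposes the NetworkMapping section to set before calling Import-VApp.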

Related Articles, References, Credits, or External Links

Original Article Written 26/01/12

Using Azure Site Recovery for Migrations

KB ID 0001513

Requirement

ASR (Azure Site Recovery) is primarily used to provide a ‘failover’ environment to be used in a disaster or major outage scenario. Essentially you deploy an Azure Site Recovery Configuration Server in your environment, then in your Azure Portal you create and configure a failover vault.

OK, but we are talking about migrations; well, we can use exactly the same procedure to migrate from on-premises virtual machines (or physical machines). We set up replication, then fail over to Azure, then simply DON’T fail back 🙂

Networking Considerations

We are dealing with getting your machines replicated to Azure, and then failing over to them. You will also need to consider how you will connect to them ‘Post Migration’. This is usually via VPN from your location(s) into Azure. (If you have Cisco networking equipment you are in luck; see the links at the bottom of the page for further help). I’m making the assumption that you have already got this covered.

Solution


While the initial ‘work’ is carried out on your own site, there are a few things that will need to already exist in Azure before you start; you will need a ‘Resource Group’.

I’m creating a Virtual LAN for Failover only; there’s nothing to stop you using your existing Azure networking, but you will need a ‘Virtual Network’ and a ‘Subnet’. Here I’m using 192.168.0.0/16 and 192.168.100.0/24 respectively.

You will also need to create a ‘Recovery Services Vault’.
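The three Azure prerequisites just listed, created with the Az PowerShell module instead of the portal. This is an added example and not part of the original article; the address ranges are the article’s, while the region, resource group, network and vault names are placeholders. It assumes you have run Connect-AzAccount and selected the right subscription.

```powershell
# Added example (not from the original article): create the Azure prerequisites
# the article lists (resource group, virtual network + subnet, Recovery Services
# vault) with the Az module. Names and region are placeholders; run
# Connect-AzAccount and Set-AzContext for the target subscription first.
$location  = 'uksouth'              # placeholder region
$rgName    = 'RG-ASR-Migration'     # placeholder resource group
$vnetName  = 'VNET-Failover'        # placeholder failover-only network
$vaultName = 'RSV-ASR-Migration'    # placeholder Recovery Services vault

# 1. Resource Group
$rg = New-AzResourceGroup -Name $rgName -Location $location

# 2. Virtual Network 192.168.0.0/16 with a 192.168.100.0/24 subnet (article's ranges)
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'SN-Failover' -AddressPrefix '192.168.100.0/24'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '192.168.0.0/16' -Subnet $subnet

# 3. Recovery Services vault that the configuration server wizard will be pointed at
$vault = New-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $rgName -Location $location

# Summary to check everything landed where expected before moving on-site
[pscustomobject]@{
    ResourceGroup = $rg.ResourceGroupName
    VNet          = $vnet.Name
    VNetPrefix    = ($vnet.AddressSpace.AddressPrefixes -join ', ')
    Subnets       = ($vnet.Subnets | ForEach-Object { "$($_.Name) $($_.AddressPrefix)" }) -join ', '
    Vault         = $vault.Name
    VaultLocation = $vault.Location
}
```

Keep the vault and the network in the same region as the VMs you intend to fail over into; the configuration server wizard later asks you to pick this resource group and vault by name.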

Deploying Microsoft Azure Site Recovery Configuration Server

As you can see I’m running VMware vCenter (6.7); you can also download an image for Hyper-V. Download the ‘appliance’ as an OVA image and deploy it into your VMware infrastructure.

Download Microsoft Azure Site Recovery Configuration Server

What you will get is a Windows 2016 server (on a 180 day eval). As soon as it starts, it will ask you to set the LOCAL administrator password, then reboot; once rebooted, log in and this wizard will launch. Give the server a name, and let it connect to the internet.

Authenticate to your Azure Subscription.

Give the server a static IP (or it will complain later).

As usual, Microsoft assumes everyone’s American, change the Time Zone and ENSURE the time is set correctly.

Configure Microsoft Azure Site Recovery Configuration Server

Launch the desktop shortcut.

Select your subscription > Resource Group and Recovery Services Vault. Then proceed to installing MySQL. (How times have changed eh?)

Continue > It will perform some checks, if any of them fail, then rectify the problem, and re-run the tests.

Continue > Enter your vCenter (or ESXi, if you have stand-alone hosts) details.

Add > Ensure the correct details are listed, and any other vCenters/ESXi hosts as appropriate.

Add in some credentials, either local admin credentials for the servers or some domain admin credentials; (currently) it does not like the UPN username format, so use the DOMAIN\Username format > Add > Continue.

Don’t know if I hit a bug here, but selecting “No” didn’t do anything, i.e. I could not progress, so I clicked “Yes” and it let me “Finalize Configuration” (once you change your locale to non-American, I wish it would spell things correctly!)

That’s us done!

In PART TWO we will perform a ‘Test Failover’.

Related Articles, References, Credits, or External Links

Microsoft Azure To Cisco ASA Site to Site VPN

Microsoft Azure To Cisco ISR Router Site to Site VPN

Azure Migration Guides

Migrate a VM from vCenter to Azure

Veeam: Restore / Migrate a VM to Azure

Linux (CentOS 7) Generating CSR (Certificate Signing Requests)

KB ID 0001206 

Problem

If you want to use digital certificates on your CentOS server, then you will need to generate a CSR. It does not matter if you want to purchase a publicly signed certificate, or even if you are going to sign your own. Below is how to generate a CSR for a single web host.

Note: Most cert vendors now require a minimum key length of 2048, so that’s what I’m going to use. And I’m assuming you have OpenSSL installed (type ‘openssl version’ to find out).

Solution

Execute the following command

[box]

[root@WebHost ~]# openssl req -newkey rsa:2048 -nodes -keyout www.YourSite.com.key -out www.YourSite.com.csr

[/box]

The CSR Generation process will begin and you will have to answer some questions;

[box]

Generating a 2048 bit RSA private key
.........................................+++
........................+++
writing new private key to 'www.YourSite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Teesside
Locality Name (eg, city) [Default City]:Middlesbrough
Organization Name (eg, company) [Default Company Ltd]:YourSite
Organizational Unit Name (eg, section) []:YourSite
Common Name (eg, your name or your server's hostname) []:www.YourSite.com
Email Address []:administrator@YourSite.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:YourSite

[/box]

This will actually create the CSR; now you need to get the text from the CSR and send it to your certificate vendor, or sign it with your own CA.

[box]

[root@WebHost ~]# cat www.YourSite.com.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
[root@WebHost ~]#

[/box]
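The same request generated without the interactive prompts, plus the check a practitioner wants before sending the CSR off: that it verifies, that the Common Name is what you intended, that the name is also present as a Subject Alternative Name (most vendors now insist on it), and that the key really is 2048 bits. This is an added example, not part of the original article; it uses PowerShell (pwsh on the CentOS host, or any machine with openssl on the PATH) and the article’s placeholder DN values. It writes a small OpenSSL config file instead of using the newer -addext option, because the OpenSSL 1.0.2 that ships with CentOS 7 lacks it.

```powershell
# Added example (not from the original article): non-interactive CSR generation
# with a SAN, followed by verification of the result. Needs openssl on PATH;
# runs under pwsh on Linux or PowerShell on Windows. DN values are the
# article's placeholders. No challenge password is set (prompt = no skips it).
function New-WebHostCsr {
    param(
        [Parameter(Mandatory)][string]$HostName,        # e.g. www.YourSite.com
        [string]$Country = 'GB', [string]$State = 'Teesside',
        [string]$Locality = 'Middlesbrough', [string]$Org = 'YourSite',
        [int]$KeyBits = 2048                            # article: vendors require >= 2048
    )
    $keyFile = "$HostName.key"; $csrFile = "$HostName.csr"; $cfgFile = "$HostName.cnf"

    # req config with a req_extensions section carrying the SAN; works on
    # OpenSSL 1.0.2 (CentOS 7), which has no -addext option.
@"
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
C  = $Country
ST = $State
L  = $Locality
O  = $Org
CN = $HostName
[ v3_req ]
subjectAltName = DNS:$HostName
"@ | Set-Content -Path $cfgFile -Encoding ascii

    # -nodes leaves the private key unencrypted so the web server can load it unattended
    & openssl req -new -newkey "rsa:$KeyBits" -nodes -keyout $keyFile -out $csrFile -config $cfgFile
    if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

    # Decode the CSR and check its self-signature, subject, SAN and key size
    $text = (& openssl req -in $csrFile -noout -text -verify 2>&1) | Out-String
    [pscustomobject]@{
        CsrFile     = $csrFile
        KeyFile     = $keyFile
        SignatureOk = $text -match 'verify OK'
        CommonNameOk = $text -match "CN\s*=\s*$([regex]::Escape($HostName))"
        SanOk       = $text -match "DNS:$([regex]::Escape($HostName))"
        KeyBitsOk   = $text -match "\($KeyBits bit\)"
    }
}

New-WebHostCsr -HostName 'www.YourSite.com'
```

All four Ok fields should be True before you paste the CSR into the vendor’s portal; keep the .key file readable only by root (chmod 600) since it is not passphrase-protected.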

Related Articles, References, Credits, or External Links

NA

Using OSPF over DMVPN

KB ID 0001151 Dtd 03/02/16

Problem

This article is a supplement to the earlier one on Setting Up DMVPN. It covers how to use OSPF over the top of DMVPN.

This is the topology I’m going to use;

As I’ve said (above) this is not a run-through on setting up DMVPN, but if you want to spin it up in GNS3, or on the test bench, here’s the DMVPN config;

[box]

Hub Site

configure terminal
interface Tunnel10
ip address 192.168.254.1 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 10.10.10.10
tunnel mode gre multipoint
exit
!
crypto isakmp policy 10
authentication pre-share
encryption aes
group 2
crypto isakmp key DMVPNdf3fdc829fj2iw2ndh2ds82 address 0.0.0.0
crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
crypto ipsec profile PF-PNL
set transform-set TFS-PNL
interface Tunnel10
tunnel protection ipsec profile PF-PNL
exit

Spoke1

configure terminal
interface Tunnel10
ip address 192.168.254.2 255.255.255.0
ip nhrp map 192.168.254.1 10.10.10.10
ip nhrp map multicast 10.10.10.10
ip nhrp network-id 1
ip nhrp nhs 192.168.254.1
tunnel source 11.11.11.11
tunnel mode gre multipoint
exit
!
configure terminal
crypto isakmp policy 10
authentication pre-share
encryption aes
group 2
crypto isakmp key DMVPNdf3fdc829fj2iw2ndh2ds82 address 0.0.0.0
crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
crypto ipsec profile PF-PNL
set transform-set TFS-PNL
interface Tunnel10
tunnel protection ipsec profile PF-PNL
exit

Spoke2

configure terminal
interface Tunnel10
ip address 192.168.254.3 255.255.255.0
ip nhrp map 192.168.254.1 10.10.10.10
ip nhrp map multicast 10.10.10.10
ip nhrp network-id 1
ip nhrp nhs 192.168.254.1
tunnel source 21.21.21.21
tunnel mode gre multipoint
exit
!
configure terminal
crypto isakmp policy 10
authentication pre-share
encryption aes
group 2
crypto isakmp key DMVPNdf3fdc829fj2iw2ndh2ds82 address 0.0.0.0
crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
crypto ipsec profile PF-PNL
set transform-set TFS-PNL
interface Tunnel10
tunnel protection ipsec profile PF-PNL
exit

[/box]

Solution

To add OSPF over the top, here’s the additional config;

[box]

Hub Site

interface tunnel 10
ip mtu 1400
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 255
!
router ospf 1
router-id 192.168.254.1
network 192.168.254.0 0.0.0.255 area 52
network 192.168.0.0 0.0.0.255 area 52

Spoke 1

interface tunnel 10
ip mtu 1400
ip ospf network non-broadcast
ip ospf priority 0
!
router ospf 1
router-id 192.168.254.2
network 192.168.254.0 0.0.0.255 area 52
network 192.168.1.0 0.0.0.255 area 52

Spoke 2

interface tunnel 10
ip mtu 1400
ip ospf network non-broadcast
ip ospf priority 0
!
router ospf 1
router-id 192.168.254.3
network 192.168.254.0 0.0.0.255 area 52
network 192.168.2.0 0.0.0.255 area 52

[/box]

Related Articles, References, Credits, or External Links

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

Implementing GDOI into DMVPN

VMware View 5 – Configure and Deploy Clients in ‘Kiosk Mode’

KB ID 0000610 

Problem

Kiosk mode is quite useful if you have some machines that you want to put in a public area for visitors to use, or for machines that are used in displays etc., or if you have some older PCs that you just want to repurpose as internet terminals or ‘point of sale’ boxes.

Essentially it’s a system that delivers a virtual VMware View desktop to a PC or Thin client without the need to authenticate to the connection server. Kiosk authentication is disabled by default, so you need to run a few commands to get it enabled.

Solution

Before starting you will need a Virtual Machine ready to be used for the Kiosk machine. You might want to create this machine with a “nonpersistent” disk.

Configure Windows 7 to be a VMware View Desktop

Step 1: Prepare Active Directory

1. Set yourself up an OU to hold your kiosk machine, and a security group that will contain the user account you are going to create later.

Step 2: Configure the VMware Connection Server

2. Now log into your VMware Connection Server, open a command window with elevated privileges, then issue the following command;

[box]vdmadmin -Q -clientauth -setdefaults -ou "OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com" -noexpirepassword -group kioskusers[/box]

Note: where kioskusers is the name of the group you created.

3. Now I will create a user ‘custom-kiosk-user’ with a password of ‘Password123’, and put him in the OU and group we created earlier;

[box]vdmadmin -Q -clientauth -add -domain petenetlive -clientid custom-kiosk-user -password "Password123" -ou "OU=Kiosk,OU=ViewDesktops,DC=petenetlive,DC=com" -group kioskusers -description "Kiosk Terminal"[/box]

Note: Alternatively you can create a user that matches the MAC address of the client machine and auto-generate a password like so (this assumes the thin client or PC’s MAC address is 3C:4A:92:D3:12:1C).

4. Then allow this connection server to accept kiosk connections with the following command;

[box]vdmadmin -Q -enable -s PNL-CS[/box]

Note: Where PNL-CS is the name of my VMware Connection Server.

5. You can view the settings configured on this connection server with the following command;

[box]vdmadmin -Q -clientauth -list[/box]

6. While still on your connection server open VMware View Administrator, and create a ‘Pool’ for your Kiosk machine.

7. Manual Pool > Next.

8. Dedicated > Next.

9. vCenter virtual Machines > Next.

10. Next.

11. Give the pool an ID and Display name > Next.

12. Select the machine you are using as the source for the Kiosk machine > Next.

13. When the pool is created > Entitlements.

14. Add in the group that you created in step 1 > OK.

15. Just check on the ‘desktops’ tab and make sure the machine is listed as ‘available’.

Step 3: Connect to the Kiosk Machine

16. Now from your client machine or thin client, you can execute the following command to open the kiosk session.

[box]"c:\program files\vmware\vmware view\client\bin\wswc" -unattended -serverURL PNL-CS -userName custom-kiosk-user -password "Password123"[/box]

Note: In a live environment you may want to make the host machine or thin client automatically log on and put this command in the ‘startup’ folder, or call it from a startup/logon script so the machine will boot straight into the kiosk virtual machine.

17. All being well you should be presented with the kiosk VM; note you no longer get the normal VMware View toolbar etc., it will behave as if the machine is in front of you.

Related Articles, References, Credits, or External Links

Deploying VMware View 5

Draytek Router – Firmware Update

KB ID 0000568 

Problem

You have a Draytek router (In my case a 2800 ADSL 2/2+), and you want to update the firmware to the latest version.

Solution

1. Make sure you have EXACTLY the correct model number, this one’s a Draytek Vigor2800.

2. Go here and download the latest firmware for your model.

3. The firmware will be in a ZIP file; download and extract it to your machine.

4. Log into the web console of your Draytek > Navigate to > System Maintenance > Firmware Upgrade. (Note: Newer models will let you upload the firmware from here, ours sadly does not).

5. Download and run the Draytek Firmware Update Utility > Locate the IP address of your router (if you have multiple NICs select the one you will use) > Navigate to the firmware you extracted above > Enter the router’s password > Send > Have a Coffee > OK.

Note: Select the firmware that has an .all extension. WARNING: selecting the firmware that has an .rst extension will upgrade the router BUT it also removes all the settings.

6. If you now check your firmware version, it should be correct.

Related Articles, References, Credits, or External Links

DrayTek Vigor Router Port Forwarding

DrayTek Vigor – Reset To Factory Settings

Windows XP – Sysprep (for imaging)

KB ID 0000599 

Problem

A client who we recently did a WDS (Windows 7) install for needed to image a couple of Windows XP machines (they had some software that either would not run, or was not supported, on Windows 7).

They asked me for some documentation on how to do this; it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.

Solution

Before you begin, be aware you need to be building your reference machine with a Volume Licenced copy of Windows XP, NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturers’ rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.

Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.

Windows XP SP3 version of Deploy.cab

1. Build your reference machine, and configure it as you require.

2. Create a folder on the root of the C: Drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).

3. Double click the cab file, then copy over the sysprep.exe file, the setupcl.exe file and the setupmgr.exe file to your c:\sysprep folder.

4. You can now run sysprep.exe and skip to step 13. BUT if you require an answer file (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program; at the welcome screen click Next.

5. Create New > Sysprep Setup > Windows XP Professional.

6. Fully Automate > Enter Name and Organisation > Set the Display Properties.

7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.

8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.

9. Telephony (I just skip this) > Regional Settings > Languages.

10. Printers > Run Once commands > Additional Commands.

11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.

12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (if you don’t, it will run the Welcome to Windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.

Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.

The machine will then shut down and can be imaged.

Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!

Related Articles, References, Credits, or External Links

Windows Deployment Services (Server 2003)
Deploying Windows XP

Windows Deployment Services (On Server 2008 R2)
Deploying Windows 7

Windows Server 2012 ‘Direct Access with Windows 8’

KB ID 0000842

Problem

In the following procedure I’m using Windows Server 2012 and Windows 8 Enterprise. I am NOT configuring for Windows 7, so I don’t need to worry about PKI and certificates (other than the one the Direct Access server uses for https identification).

I’m not adding in any Application or Infrastructure servers, this is just a basic run through on setting up Direct Access to get you up and running.

Solution

Step 1 Create Direct Access Group

You can of course accept the default of allowing access to the domain computers group, but I would like to tie things down a little further.

1. Server Manager > Tools > Active Directory Administrative Center > Select the OU (or create one) where you want to create the group.

2. Give the group a sensible name like DirectAccessComputers.

3. Remember when you try and ‘add’ members it will by default NOT have computers listed you will need to add them in.

4. Add in your computer objects as required.

Step 2 Install Direct Access

5. You can simply execute the following command;

[box]
Install-WindowsFeature RemoteAccess -IncludeManagementTools[/box]

6. Or from Server Manager > Tools > Add Roles and Features.

7. Simply add in ‘Remote Access’ and accept all the defaults.

Step 3 Configure Remote Access

8. Once installed launch Remote Access Management.

9. Run the getting started wizard.

10. Deploy Remote Access Only (I’m not deploying VPNs).

11. Select how the server will be deployed; mine has a single NIC and I’m going to port forward TCP Port 443 (https) to it from the firewall. Enter its publicly addressable name > Next > Finish.

Note: If you get an error see here.

12. Configure Remote Clients > Edit.

13. I want both options > Next.

14. Remove the domain computers and add in the group we created above. Untick the ‘mobile only’ option.

Note: Force Tunnelling means that the remote clients will access the internet through YOUR corporate network. This is only a good idea if you have internet filtering, AV or NAP that you want to take advantage of. (It’s literally the exact opposite of split tunnelling).

15. Remote Access Server > Edit.

16. Select an existing Cert or create a new one > Next.

17. Remember I’m just using Windows 8, if you see the Windows 7 box and think “ooh I’ll tick that!” Then you need to start using certificates > Finish.

18. Finish.

19. Review the settings > Apply.

20. Operation Status.

21. Press Refresh until all the services are green.

Step 4 Configure Clients

The title is a misnomer, and to be honest there is no configuration to be done, but the clients have to get the settings through group policy, so log them onto the domain.

22. A quick simple check is to run the following command;

[box]
Get-DaConnectionStatus[/box]

Note: If you get an error message, make sure you are not using Windows 8 Pro; see here.

23. The client knows it’s ‘inside’ the LAN because it has a Name Resolution Policy Table and it can see your internal DNS; you can prove this with the following command;

[box]Get-DNSClientNrptPolicy[/box]

Step 5 Test Clients Externally

Note: Before you proceed your Direct access server needs to be publicly available via the name you specified on the certificate in step 11, and needs to have https open to it.

25. Whilst out on the internet you can test your remote client by first making sure it’s pointing to the correct place;

[box]netsh interface httpstunnel show interface[/box]

This should give the URL that is on the certificate you specified in step 11; when you ping it by name you should expect a reply (unless ICMP has been blocked by your edge device).

26. And to prove that the client knows it’s NOT on the corporate LAN execute the following;

[box]netsh dnsclient show state[/box]

27. So if I try to ping the internal FQDN of my Direct Access server it should respond (Note: its IPv6 address will respond; this is normal).

Note: Here I’ve only setup the one server, you can add more Infrastructure and Application servers in the Remote Access Management Console.

28. Because I can resolve that, I can access resources on that server like UNC paths.

29. To access shared resources.

Step 6 Monitoring Remote Access Clients

30. Back on the Direct Access server, you can see the remote clients under ‘Remote Client Status’.

31. Right click each one for a more detailed view.
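The client-side checks from steps 22 to 27, gathered into one function that returns a single status object, so you can tell at a glance whether the client believes it is inside or outside the corporate network, whether the NRPT has arrived via group policy, and where the IP-HTTPS tunnel is pointing. This is an added example, not part of the original article; run it on the Windows 8 Enterprise client. The internal FQDN is a placeholder, and the netsh query is the same one the article uses in step 25.

```powershell
# Added example (not from the original article): wraps the article's client-side
# checks (Get-DAConnectionStatus, Get-DnsClientNrptPolicy, netsh httpstunnel,
# name resolution of the DA server) into one status object. Run on the Windows 8
# Enterprise client; $InternalFqdn is a placeholder.
function Test-DirectAccessClient {
    param([string]$InternalFqdn = 'da-server.internal.example')   # placeholder

    # What the DirectAccess client thinks its state is (errors on Windows 8 Pro,
    # which is not supported, as the article's note says)
    $da = Get-DAConnectionStatus -ErrorAction Stop

    # NRPT rules arrive through group policy; zero rules usually means the
    # GPO has not applied yet
    $nrpt = @(Get-DnsClientNrptPolicy)

    # Same query as step 25; the Server URL must match the name on the certificate
    $tunnel    = (netsh interface httpstunnel show interfaces) -join "`n"
    $serverUrl = if ($tunnel -match 'Server URL\s*:\s*(\S+)') { $Matches[1] } else { $null }

    # Resolving the internal name from outside proves the NRPT is steering it
    # to the internal DNS over the tunnel (expect an IPv6 answer, as in step 27)
    $resolved = try { @([System.Net.Dns]::GetHostAddresses($InternalFqdn)) } catch { @() }
    $v6 = $resolved | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } |
          ForEach-Object { $_.IPAddressToString }

    [pscustomobject]@{
        Status               = $da.Status        # e.g. ConnectedLocally / ConnectedRemotely
        Substatus            = $da.Substatus
        NrptRuleCount        = $nrpt.Count
        NrptNamespaces       = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '
        IpHttpsServerUrl     = $serverUrl
        InternalFqdnResolves = $resolved.Count -gt 0
        InternalFqdnIPv6     = $v6 -join ', '
    }
}

Test-DirectAccessClient | Format-List
```

Inside the LAN you should see a ConnectedLocally status with the NRPT rules present; outside, ConnectedRemotely, the same NRPT rules, the certificate’s URL in IpHttpsServerUrl, and an IPv6 answer for the internal name. A client outside with rules but no tunnel URL is the usual sign that port 443 is not reaching the server.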

Related Articles, References, Credits, or External Links

NA