Veeam Virtual Labs & SureBackup

KB ID 0001572

Problem

If you require a ‘Virtual Lab’ for testing patches or config changes, on copies of your live servers, or simply want to test the ‘integrity‘ of your backups, then this is the post for you!

Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.

Host Licences: Hosts that are only used for SureBackup  / On Demand Sandbox DO NOT NEED Licences, (in Veeam,) only hosts that you back up FROM need licences.

SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.

Three components make up a virtual lab;

1. Application Group: This is a group of VMs, and the ‘Order’ they need to be powered on, e.g. for Exchange server you would also need a DC (global catalog server,) and maybe your mail filter appliance to be in the same group.

2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.

3. SureBackup: This is the process that ‘Tests backups‘, it will bring your backed up machines online, and perform some tests on them, some are simple like ‘ping’ tests others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.

Solution

Veeam Backup and Recovery Download

Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.

Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.

These are presented though a ‘Veeam Proxy Appliance’, which presents them to the VEEAM server with a changed ‘octet’ in their IP address. (So by default any other machine needs a static mapping, {see below}).

Create a Veeam SureBackup Application Group

As mentioned above, make sure you have ‘Enterprise Plus‘ licences.

It should go without saying, but you will also need a ‘good’ backup of your servers.

Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.

Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add Next.

 

Put the server(s) in the correct order, i.e. the domain controllers at the top.

If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.

And here for Exchange.

Next > Finish.

Create a Veeam SureBackup Virtual Lab

Backup Infrastructure > SureBackup > Virtual Labs > Add Virtual Lab > VMware.

Give the lab a name > Next > Choose > Select the ‘Target’ ESX Server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, remember this needs to be about 10% of the size of the restored VMs. > OK > Next.

Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.

Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.

Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance, this MUST BE the same as the default gateway on the live network. Then select a sensible masquerade network address > OK > Next.

Veeam: What’s a Masquerade Address?

The proxy server basically will perform NAT from the test lab to the live network, (their actual IP addresses never change, that’s why the proxy appliance had the same IP as the default gateway on the live network. The Masquerade addresses simply change one ‘octet’ of the IP address so the Veeam server can speak directly to each sand-boxed, (Test lab) VM.

If required, Add a ‘Static Mapping‘ i.e if you want to be able to ‘speak’ to a test lab VM from the live network.

How Do Veeam Virtual Lab ‘Static Mappings’ Work?

Using the example, I used above, here if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.

Apply > Finish.

Create a Veeam SureBackup Job

There are two ways of doing this, if you want to create a SureBackup job that just checks your backups, then you would schedule the job, and connect it to your backups, or if you just wanted to do some lab testing, you would create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).

Home > SureBackup Job > VMware > Give the job a name > Next.

Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).

Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.

Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.

Next > Next.

Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish‘ for ‘one-off’ jobs > Finish.

If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and the job will stop at 99%. (You will need to manually stop the job to remove the test VMs). If you do continuous backups this will be a familiar sight anyway!

There’s my test VMs powered on, that I can interact with, update, patch, and change configurations, without it affecting my live servers.

Related Articles, References, Credits, or External Links

NA

Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Windows Server 2012 R2 – Deploying Remote Desktop Services

KB ID 0001136 

Problem

I’ve had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I’m a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run though and my notes on deploying RDS ONLY (I’ll put the links to other articles at the bottom of this post as I write them).

Solution

To save yourself some hassle, visit every server that will be in the Remote Desktop Server deployment, and add all the others into each others ‘server manager’ console.

Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.

Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server  > Next.

Session-based desktop deployment > Next.

Next.

Select the server that will host the Connection Broker Rule and add it  > Next.

Add the server that will host the Remote Desktop Web Access role > Next.

Add the server that will host the Remote Desktop Session Host role > Next.

Tick the ‘restart the destination server automatically if required’ > Deploy.

Finish. (Note: There will be a licensing error, we will address that in a minute).

In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.

Add in the server that will host the RD Gateway role > Next.

Add in the public name of the RD Gateway server, this will generate a self signed certificate, (you can replace this with a proper one later).

Add.

Close

Now Add RD Licensing.

Add in the server that will host the licensing role > Next.

Add

Close

All the nodes should now be displayed..

In production you would now add your Remote Desktop Licences, If you don’t,  the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.

Follow the instructions

Now you need to create a ‘Collection‘, this is a group of host servers that host applications you can publish. Server Manager > Remote Desktop Services > Collection > Task > Create Session Collection.

Next.

Give the collection a name  > Next.

Add in the server(s) running the RD Host role that will be included in this collection > Next.

Select the user groups that you want to grant access to. Here Im simply using the domain users group  > Next.

If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.

Create.

Close.

To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks  >Publish RemoteApp Programs.

Select the applications, (or add them in if they are not displayed)  > Next.

Publish.

Note: You can change certificates from within Server Manger, but I prefer the manual approach, on the RD Gateway Server > Launch the IIS Manager > Select the server > Server Certificates.

Import > Import your publicly signed certificate, (you can use a self signed certificate but DON’T FORGET your remote client needs to be able to check your CRL, and trust your issuing CA if you do).

Sites > Default Web Site > Edit Bindings.

Select ‘https’ > Edit > Add in your certificate > OK > Close.

Bounce the services with an ‘iisreset‘ command.

Update 070316 You also will need to restart the Remote Desktop Services Service!

Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.

You should now be able to log into Remote Desktop Services Web Access.

Related Articles, References, Credits, or External Links

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Publishing Remote Desktop Services With Web Application Gateway

SEM – SPAMfighter Exchange Module – Installation and Configuration with Exchange 2013

KB ID 0000824 

Problem

“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that, eats up users time and fills your mail stores with junk, and time/disk space costs money.

SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.

SEM Pre-Requisites

1. Exchange 2000, 2003, 2007, 2010, or 2013.

2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.

3. .Net framework version 2.0 (SP1).

4. MDAC (Microsoft Data Access Components) version 2.7.

5. Internet Information Services.

Solution

Before You Start

1. If you have already installed the Microsoft Anti Spam agents you might want to remove them, (not that you have to). If you don’t know you can run the following command;

[box]
Get-TransportAgent[/box]

If you just have the four below then you DO NOT have the extra agents installed.

2. If yours looks like the one below, then YOU DO have them installed.

3. As stated you don’t have to remove them but if you want to simply execute the following two commands;

[box]

cd "Program FilesMicrosoftExchange ServerV15Scripts"
./Uninstall-AmtispamAgents.ps1

[/box]

4. Answer each question, then run;

[box]
services.msc[/box]

5. Restart the Microsoft Exchange Transport service.

Install SPAMfighter

6. Download the installer, and run it.

7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.

8. The product will install.

9. At this point it’s downloading definitions form the internet, and it will take a while.

10. When complete it needs to setup a user that the services will run under. Just supply a password > Next.

Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.

11. Finish.

12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.

13. Toolbars Tab: From here, I’ll jump straight to the configuration section, this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and adding rights to users.

14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.

Note: The installer is a .exe file, I would have preferred a .msi file, so I could deploy this out (on mass), to domain clients via GPO.

15. Next > Accept the EULA > Next > Next.

16. Finish.

17. Now when you launch Outlook you can see the plugin loading.

18. You will now have an extra toolbar with the following options.

BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.

19. Toolbars > Outlook Web Application: Install OWA toolbar.

20. Yes.

21. Now when your clients access OWA, you have the toolbar.

22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.

23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes, by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add on license). you can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.

24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.

SEM – SPAMfighter – Configuring and Working with Policies

This is pretty intuitive, and the default policy comes preconfigured and already applied, though with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;

Filter Settings: What tools you are going to use to look for spam.
Accept Actions: What it will do if it finds nothing.
Block Actions: What it will do if it finds something.
User Filter settings: Exceptions to the filters for one or more users.
Mailboxes: Puts you straight back to the mailbox section you saw earlier.

25. Out of the box there are five filters enabled.

26. But there are four further filters that you can add to the policies.

SPAMfighter – Filters

27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.

28. SPAMfighter Sender Filter > Whitelist:Simply add either a particular email address you want to allow or add in an entire domain.

29. If your lists get a little unwieldy you can import or export them, and chose weather to overwrite them or append the imported list to your existing list.

30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.

31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses our users send to to the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.

Note: This will be enabled by default in the next release.

32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.

33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.

34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload an attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.

35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default, the list of file extensions is quite long, and contains some commonly used file extensions, You will need to do some planning and testing with this one if you want to enable it.

36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users, it uses a scoring/weighting system. You simply set a threshold the higher you set it the more mail will be stopped, this will require some fine tuning.

37. SPAMfighter Language Filter:This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.

SPAMfighter Filters that you can Manually Add to the Policy.

38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably when this is not on the default policy.

39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.

Setting up the Correct DNS Records for your Web or Mail Server

40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.

41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score, if the score is higher than a certain threshold this this filter will aggregate all those scores and block the mail.

SPAMfighter – Policies > Accept Actions

42. If the mail makes it through all the filters, then this section decides what happens with it.

43. And that is adding information to the mail header that says the mail was scanned and accepted.

SPAMfighter – Policies > Block Actions

44. If the mail gets blocked by any of the filters, this section decides how that is handled.

Note: You can add other actions from the drop-down list below if this does not do what you require.

45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.

46. SPAMfighter Move To Folder Policy Action > Mailboxes : The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the users mailbox.

Note: You can redirect that mail to another mailbox if that is your preference.

47. The system for Public Folders (if you use them) is identical.

48. Contacts: As is says contacts do not have a mailbox, but you can redirect filters contact mail to a specific mailbox should you wish.

49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.

50. You can create new policies and apply then to particular users or usergroups, and make the system as granular as you like.

51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.

52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.

53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.

Related Articles, References, Credits, or External Links

NA

Server 2008 – TS (Remote Desktop Services) Licensing

KB ID 0000523 Dtd 23/03/12

Problem

A couple of months back I put in a 2008 Terminal Services Server, or Remote Desktop Services as it’s now called. I installed the Licensing server and successfully added in the licences the client had purchased, but a while later he rang to say he was having licensing issues.

At first I thought it might have “dropped” it’s licences so I checked Remote Desktop Licensing Manager, and they were still there:

Note: The Windows 2000 Server Built in TS Per Device unlimited licences are a throwback from earlier versions of windows that had a CAL on the client. (Primarily Windows 2000, but some XP clients purchased in a particular time range slipped under the bar as well).

Solution

As it turns out there’s one more step to carry out on Server 2008.

1. Launch the “Remote Desktop Services Host Configuration” console, and check the licensing section, it should give the licensing mode as “Per User” or “Per Device“. In my case it said “Not Specified”. It should also say a licensing server has been specified. (If it does not double click the incorrect entry).

2. Change the licensing mode and/or add a licensing server as required.

Per User or Per Device?

Per Device: CALs for the device get stored in the registry of the machine/device that access’s the TS/RDS server. When issued it expires after a number of days (a random number between 52 and 89 days) at this point it’s freed up to be issued again.

Per User: In this mode the CAL is issued to the user, if one user logs onto multiple devices you only use 1 licence.

Note: As a rule of thumb if you have more devices than users, choose per user. If you have more users than devices then choose per device.

Adding TS or RDS ‘Select’ Licences

You will need your select agreement number, and the amount of CALs you have purchased.

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 Deploying Applications with RemoteApp

KB ID 0000528

Problem

RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.

Why would you want to do this? Imagine you only had one copy of office to update in your entire organisation when a new service pack or security update is released., or Adobe bring out a new version of Dreamweaver that’s on all your machines – you simply update the master copy on the RDS server, or redeploy new RemoteApps.

In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.

Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Note: For XP and Server 2003 clients you need to have installed Remote Desktop Connection (Terminal Services Client 6.0).

Solution

1. On a 2008 R2 Server (That’s a domain member), Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > Add the following “Role Services” > Remote Desktop Session Host > Remote Desktop Web Access > (If you do not have a RDS Licensing services Licencing server add that also).

2. Select “Network Level Authentication” >Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.

3. If you do not already have a RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).

4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licencing server you just activated.

5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > Install and configure the desired application.

6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.

8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.

9. Send out the .msi file generated to your clients by group policy.

10. By default your deployed RemoteApps will be listed on the clients start menu under “Remote Programs”.

Related Articles, References, Credits, or External Links

Server 2008 – Terminal Server (Remote Desktop Services) Licensing

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Error Adding Office KMS Keys “0x80072F8F”

KB ID 0000584 

Problem

Seen when adding an Office 2010 KMS key on a Windows 2008 R2 KMS Server.

Note: Using the Microsoft Office 2010 KMS Host License pack as per this article.

An error occurred: 0x80072F8F
To display the error text run the following:
slui.exe 0x2a 0x80072F8F

Solution

1. If you do run the command that they have asked you to, all you get is;

Code:
0x80072F8F
Description:
A Security error occurred

2. Not very helpful, however some Google searching turned up the solution. Check the time on the KMS server is correct, mine was way out.

Note: This had happened because the domain controller was on an ESXi host with the incorrect time, the KMS server took its time from the domain controller when it booted. (Domain clients typically take their time from the DC holding the PDC emulator role).

Locate your FSMO Role Servers

3. With the time fixed, try once again, and you should be successful.

Related Articles, References, Credits, or External Links

Using KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

Office 2010 – Find your Version and Licensing Information

Activation Error: Code 0x8007232b DNS Name does not exist

 

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.

When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*, with a ‘Premium License’ you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSL facilities via the web portal.

*As pointed out by @nhomsany “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).

Additionally you can use this license’ model with the Advanced Endpoint Assessment License’, this is the license’ you require for Cisco Secure Desktop. You can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, (both these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses. are available as 10 session and 25 session licenses. the 5510 are in 10, 25, 50, 100 and 250 Sessions. (Note: These are correct for version 8.4 and are subject to change, check with your re seller).

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license’ model, this lets you purchase a bundle of Premium licenses. and share them across multiple pieces of hardware, This requires an ASA to be setup as the license’ server’. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses. to be replicated between firewalls in a failover pair. The exception is Active/Active where the amount of licenses. is aggregated together from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable ‘Essential Licensing’, your firewall changes it’s licensing model and the two Premium licenses. you get with it are disabled*. The Firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.

Note: Remember these are “Peer VPN Sessions”. If you have a bunch of other VPN’s (including IPSEC ones), then these are taken from the ‘pot’.

Additionally, you can also use this license’ with the AnyConnect Mobile license’ for access from mobile devices like phones or tablets, this license’ is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license’ for BOTH firewalls. After version 8.3 Cisco allowed the licenses. to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000

*To re-enable the built in Premium Licenses. you need to disable Essentials licensing by using the ‘no anyconnect-essentials” command or in the ASDM> Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License’

Cisco ASA 5500 – Adding Licenses