Exchange 2000 / 2003 – Exporting Mail to .pst files with ExMerge

KB ID 0000091

Problem

ExMerge has been around for a long time; it's used (as the name implies) to merge .pst files into existing mailboxes. However it's also a great tool to export/backup users' mailboxes if you're doing a migration, or if you have got your "Disaster Recovery" hat on.

The following is a run through of how to export from a mail store to .pst files. Note: on a live system this can take some time; the example below was done in VMware on a test Exchange box that had 1000 users (as it was a test server the mailboxes were tiny). If you need to do this on a production server, plan in a LOT of time if you're moving a large amount of data.

Solution

 

Note: I've mentioned it in the video, but just to reiterate, your mailboxes need to be smaller than 2GB (ExMerge writes ANSI format .pst files, and those have a hard 2GB limit). If that cannot be achieved, you can either;

1. Use ExMerge and export particular “date ranges” and produce multiple .pst files for the same mailbox (hopefully less than 2GB).

2. Use Outlook 2007 (or greater) to export the mailbox to .pst files individually.
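Before you kick off a long export it is worth knowing which mailboxes will trip the 2GB limit. The following is an added example, not part of the original article: it reads the Exchange 2003 WMI provider (the Exchange_Mailbox class reports Size in KB) and lists anything at or over 2GB. The server name EX2003 is an assumption; the account running it needs Exchange View-Only Administrator rights.

```powershell
# Added example (not from the original article): list Exchange 2000/2003 mailboxes
# that exceed the 2 GB ANSI .pst limit before running ExMerge.
# Assumes the Exchange 2003 WMI provider (root\MicrosoftExchangeV2) on a server
# called 'EX2003' (hypothetical name) and an account with Exchange View-Only rights.
$Server  = 'EX2003'
$LimitKB = 2GB / 1KB          # Exchange_Mailbox.Size is reported in KB, so compare in KB

$Mailboxes = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftExchangeV2' -Class Exchange_Mailbox

$TooBig = $Mailboxes | Where-Object { $_.Size -ge $LimitKB } |
    Select-Object MailboxDisplayName, StoreName, TotalItems,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1MB, 2) } } |   # KB -> GB is divide by 1024*1024
    Sort-Object SizeGB -Descending

if (@($TooBig).Count -gt 0) {
    Write-Warning "$(@($TooBig).Count) mailbox(es) exceed 2 GB; export those by date range, or with Outlook 2007+:"
    $TooBig | Format-Table -AutoSize
} else {
    Write-Host 'All mailboxes are under 2 GB; ExMerge can export each one to a single .pst.'
}
```

Run it from any machine with the Exchange 2003 System Manager tools installed; the query is read-only, so it is safe on a production store, although on a large store it will take a little while to enumerate.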

Related Articles, References, Credits, or External Links

Download ExMerge 

Exchange 2010 Bulk Import .pst Files

Exchange 2007 – Export Mailbox’s to PST files

Gpupdate: Windows Could Not Locate the Directory Object

KB ID 0001625

Problem

Saw this on a Windows client on my test network;

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Note: You may also see Event ID 1101

Event ID 1101

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Solution

Strangely, the OU that this computer was in needed to have the 'Read' right granted to the 'Authenticated Users' group; not sure how that got removed! (Computer accounts are members of Authenticated Users, and the Group Policy client has to read each OU in the chain to find the GPOs linked to it, which is why the error names the OU.) Note: Remember to start at the OU that's directly under the root of the domain and work down, if you have nested OUs.
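Rather than clicking through the Security tab of every OU, the check (and the fix) can be scripted. This is an added example, not from the original article: it walks from the OU nearest the domain root down to the computer's OU, tests whether Authenticated Users (well-known SID S-1-5-11) has an Allow ACE covering Generic Read, and grants it with dsacls where it is missing. It assumes the ActiveDirectory module (for the AD: drive) and Domain Admin rights; the OU path is the one from the event text above.

```powershell
# Added example (not from the original article): make sure 'Authenticated Users' can
# read the computer's OU and every parent OU, which Group Policy processing needs.
# Assumes the ActiveDirectory PowerShell module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$ComputerOU = 'OU=PNL,DC=pnl,DC=com'                       # OU from the Event ID 1101 text
$AuthUsers  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$ReadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead'

function Get-OUChain([string]$DN) {
    # Returns the OU and each parent OU, nearest to the domain root first
    $chain = @()
    while ($DN -match '^OU=') {
        $chain += $DN
        $DN = ($DN -split ',(?=(?:OU|DC)=)', 2)[1]          # strip the leading RDN
    }
    [array]::Reverse($chain)
    $chain
}

function Test-AuthUsersRead([string]$DN) {
    $acl = Get-Acl -Path "AD:\$DN"
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $AuthUsers -and
        ($_.ActiveDirectoryRights -band $ReadRights) -eq $ReadRights
    }
    [bool]$hit
}

foreach ($ou in Get-OUChain $ComputerOU) {
    if (Test-AuthUsersRead $ou) {
        Write-Host "OK      $ou"
    } else {
        Write-Warning "MISSING Authenticated Users:Read on $ou - granting it"
        # GR = Generic Read (list contents, read all properties, read permissions)
        dsacls $ou /G 'Authenticated Users:GR' | Out-Null
    }
}
```

Afterwards run gpupdate /force on the client and confirm the 1101 events stop; the script only adds an ACE, so if the OU was already correct it changes nothing.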

After that everything was peachy!

Related Articles, References, Credits, or External Links

NA

Convert MBR Partitioned Drives to GPT

KB ID 0001407

Problem

I got asked if I’d ever had to do this today, I vaguely remember having this problem in the past, but I can’t remember how I solved it. You set the ‘Partition Table Type‘ on a  disk in Windows, when the drive is first initialised, like so;

And the default is MBR, so that usually gets ticked. The problem is MBR only supports disks up to 2TB in size. Now if it's just a new disk, with no partitions on it, you can simply change it;

But if it's got a partition on it (and probably some live data) you can't!

Previously (before Windows 10 and Server 2016) the Microsoft solution was to delete the partitions and create new ones, which can be a little time consuming, especially if you have live data on it! So can you convert it to GPT live with no data loss?

Solution

Yes! As usual, make sure you have a decent backup first, and if you are using a virtual environment, you can snapshot the virtual machine beforehand, (I tested this in the lab, by taking a snapshot, converting a drive from MBR to GPT, then reverting to the snapshot, and it flipped back to MBR with no loss of data).

You need to know what disk number Windows has assigned to the drive, in disk management right click the drive, and select properties.

Windows 10 and Windows Server 2016

Using this method on the disk Windows boots from requires that (after you have finished) your machine is set to UEFI boot, otherwise it will work fine until you try to reboot, then the machine won't boot! So if you are doing this on a Virtual Machine in Hyper-V MAKE SURE it's a Generation 2 VM!

You will find MBR2GPT.exe in C:\Windows\System32 (it first shipped with Windows 10 version 1703); if it's not there do a full round of Windows updates! Simply open an Administrative command window and run the following commands;

[box]

cd c:\windows\system32
mbr2gpt /convert /disk:1 /allowFullOS

[/box]

Take note of the warning: the machine should now be set to UEFI boot mode, so if it's a VMware VM, then change this value;

For Older Versions of Windows
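MBR2GPT has a dry-run mode, and it is worth using before you touch a disk with live data on it. The block below is an added example, not from the original article: it confirms the disk number and current partition style with Get-Disk, runs mbr2gpt /validate, and only converts if validation passes, then rescans so Disk Management shows the change. It assumes Windows 10 / Server 2016 or later, an elevated session, and disk 1 as in the article.

```powershell
# Added example (not from the original article): validate before converting, and
# confirm the result. Assumes Windows 10 / Server 2016+, an elevated PowerShell
# session, and that disk 1 is the disk you identified in Disk Management.
$DiskNumber = 1
$Mbr2Gpt    = "$env:SystemRoot\System32\mbr2gpt.exe"

$Disk = Get-Disk -Number $DiskNumber
"Disk $DiskNumber '$($Disk.FriendlyName)': $($Disk.PartitionStyle), $([math]::Round($Disk.Size / 1GB)) GB, boot disk: $($Disk.IsBoot)"

if ($Disk.PartitionStyle -ne 'MBR') { throw "Disk $DiskNumber is already $($Disk.PartitionStyle); nothing to convert." }

# Dry run: checks the partition layout and free space for the EFI partition without writing anything.
# Details land in %SystemRoot%\setupact.log and setuperr.log.
& $Mbr2Gpt /validate /disk:$DiskNumber /allowFullOS
if ($LASTEXITCODE -ne 0) { throw "Validation failed (exit code $LASTEXITCODE); do NOT convert. Check $env:SystemRoot\setuperr.log" }

if ($Disk.IsBoot) {
    Write-Warning 'This is the boot disk: switch the VM/firmware to UEFI (Hyper-V Gen 2, VMware EFI) BEFORE the next reboot.'
}

& $Mbr2Gpt /convert /disk:$DiskNumber /allowFullOS
if ($LASTEXITCODE -ne 0) { throw "Conversion failed (exit code $LASTEXITCODE); roll back to your snapshot/backup." }

Update-HostStorageCache                                  # same as 'Rescan Disks' in Disk Management
"Disk $DiskNumber is now $((Get-Disk -Number $DiskNumber).PartitionStyle)"
```

If /validate fails, the tool will not convert that disk however many times you re-run it, so treat the exit code as the answer rather than retrying; fix the layout problem it logs (or use a backup/restore) instead.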

Download and extract gptgen-1.1 then run the following command;

[box]gptgen.exe -w \\.\physicaldrive1[/box]

Note: Where ‘1‘ is the disk number you took note of above.

Note: If you see “Block read failed, check permissions!” Then you might want to use MBR2GPT {above} instead.

That’s it done! In ‘disk management’ you will need to ‘Rescan Disks’ to see the change.

In the unlikely event that something exploded, you can ‘roll-back‘ to your snapshot.

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center will give you a wealth of information on traffic/threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look through logs to see who had what IP, at what time etc.

So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

You will need to create a user in your domain to query AD with, (just a member of Domain Users is fine; the WMI, DCOM and audit-log rights it needs are granted individually below, so don't make it a Domain Admin). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!

In the FMC > System > Integration  >Identity Sources > User Agent  > New Agent > Supply the IP of the server that you are going to install the agent on > OK  > Save.

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is allowed through the Windows Firewall (the 'Windows Management Instrumentation (WMI)' rule group covers DCOM on TCP 135 plus the WMI service).

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Grant your firepower user Remote Enable > Apply > OK.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

On the Default Domain Controllers Group Policy  > Computer configuration >Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and security log  >Add in your FirePOWER user.

Note: Allow time for the policy to apply, (or run 'gpupdate /force', or simply force the policy from the GPMC.msc console, (if your domain is 2012)).

On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2) then only the agent is installed and it will error if you try to launch it.
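Before installing the agent, it saves a lot of head scratching to prove the domain controller side is right from the machine that will run it. The script below is an added example, not part of the original article: run as the service account, it tests each of the prerequisites above in turn (firewall, Remote Enable on root\cimv2 with DCOM remote launch/activation, and 'Manage auditing and security log' by reading logon events from the Security log, which is what the agent maps users to IPs with). The DC name PNL-DC01 and account PNL\svc_firepower are assumptions.

```powershell
# Added example (not from the original article): from the future User Agent host,
# verify the DC prerequisites as the FirePOWER service account.
# Assumes DC 'PNL-DC01' and account 'PNL\svc_firepower' (both illustrative).
$DC   = 'PNL-DC01'
$Cred = Get-Credential -UserName 'PNL\svc_firepower' -Message 'FirePOWER service account'

# 1. Firewall: DCOM endpoint mapper (TCP 135). On the DC the fix is:
#    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
if (-not (Test-NetConnection -ComputerName $DC -Port 135 -InformationLevel Quiet)) {
    throw "TCP 135 to $DC is blocked; enable the WMI firewall rule group on the DC"
}

# 2. WMI namespace 'Remote Enable' on root\cimv2 + DCOM 'Remote Launch/Activation'
try {
    $os = Get-WmiObject -ComputerName $DC -Credential $Cred -Namespace 'root\cimv2' `
                        -Class Win32_OperatingSystem -ErrorAction Stop
    "WMI OK: $DC runs $($os.Caption)"
} catch {
    throw "WMI connection failed (check wmimgmt.msc Remote Enable and comexp.msc Remote Launch/Activation): $_"
}

# 3. 'Manage auditing and security log': without it the Security log query returns access denied
$Since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddMinutes(-10))
$Logons = Get-WmiObject -ComputerName $DC -Credential $Cred -Class Win32_NTLogEvent -ErrorAction Stop `
            -Filter "LogFile='Security' AND EventCode=4624 AND TimeGenerated>='$Since'"
"Security log OK: $(@($Logons).Count) logon events (4624) on $DC in the last 10 minutes"
```

All three steps use DCOM rather than WinRM on purpose, because that is what the User Agent itself uses; a green Test-WSMan would tell you nothing about whether the agent will work.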

Open the agent and add in your domain controllers.

Note: Sometimes, you may have the following problem;

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’, (i.e. though the ASDM.) Enter the IP address of the SFR module instead!)

Finally ensure in the FirePOWER Management Center > Policies > Network Discovery > Users  > Ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.

Related Articles, References, Credits, or External Links

Original article written  27/04/16

Windows Folder Redirection

KB ID 0000467 

Problem

Q: What is Folder Redirection?

A: Essentially you can take folders that hold things like your "My Documents" or your "Favorites" folder, and put them out on a network server, which is great if you want to back that sort of information up for disaster recovery.

Q: What’s the difference between this and a roaming / roving profile?

A: Folder redirection keeps information on a server and you access it remotely, Roaming profiles are designed to sync that information (and your WHOLE user profile) backwards and forwards to a network share as your users logon and log off.

Q: What folders can be redirected?

A: From Server 2008 onwards, and with Windows 7 clients and above, the following can be redirected.

  • AppData(Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

1. On a server create a folder to hold the redirected data. In this case you will notice I've called my share Redir$ (the dollar sign just means it's a hidden share, so it isn't listed when people browse the network; it is not a security control on its own).

Folder Redirection: Permissions for the Root Folder

2. Set the share permissions to Everyone: Full Control (Don’t worry we will secure it with NTFS permissions).

3. On the security tab of the folder click advanced.

4. For Server 2012 / 2016 you should see something like this;

For Server 2008 and older it should look more like this;

5. For server 2012 / 2016 Disable Inheritance and select ‘Convert’.

For 2008 and older, untick “Include Inheritable permissions from this objects parent” > At the warning click “Add”.

6. Select each User in turn (You will need to add the Everyone group) > Then Edit the permissions so that they are as follows.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only).
  • System – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only).
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only).
  • Everyone – Read Attributes (Apply onto: This Folder Only).
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only).

2012 / 2016

‘Show Advanced Permissions’

2008 and older.

Now REMOVE BOTH the entries for USERS > Apply > OK.

7. On your domain controller open the Group Policy Management Console, (under Administrative Tools) and either create a new USER policy or edit one that is already linked to the users you want to enforce this policy upon.
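If you have more than one file server to set up, or want the permissions to be repeatable, the same root-folder ACL can be applied with PowerShell. This is an added example, not from the original article: it creates the hidden share with Everyone: Full Control at the share level, breaks inheritance on the folder, strips the inherited Users entries, and adds exactly the seven permissions listed in step 6 (the four Everyone entries become one ACE with the combined rights, scoped to this folder only). The path D:\Redir and the domain name PNL are assumptions; it needs Server 2012 or later for the SMB cmdlets.

```powershell
# Added example (not from the original article): create Redir$ and apply the
# Folder Redirection root-folder NTFS permissions from step 6.
# Assumes D:\Redir on a Server 2012+ file server and the domain 'PNL' (illustrative).
$Path   = 'D:\Redir'
$Domain = 'PNL'

New-Item -Path $Path -ItemType Directory -Force | Out-Null
# Share permissions stay wide open; the NTFS ACL below does the real restriction
if (-not (Get-SmbShare -Name 'Redir$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Redir$' -Path $Path -FullAccess 'Everyone' | Out-Null
}

$Acl = Get-Acl -Path $Path
$Acl.SetAccessRuleProtection($true, $false)                  # disable inheritance, drop inherited ACEs
foreach ($ace in @($Acl.Access)) { $Acl.RemoveAccessRule($ace) | Out-Null }   # clears BUILTIN\Users etc.

$SubAndFiles = 'ContainerInherit, ObjectInherit'
$Rules = @(
    # identity,                 rights,       inheritance,   propagation
    @('CREATOR OWNER',          'FullControl', $SubAndFiles, 'InheritOnly'),   # subfolders and files only
    @('NT AUTHORITY\SYSTEM',    'FullControl', $SubAndFiles, 'None'),          # this folder, subfolders and files
    @("$Domain\Domain Admins",  'FullControl', $SubAndFiles, 'None'),
    # Everyone: Traverse, List, Read Attributes, Create Folders on THIS FOLDER ONLY, so a user can
    # create their own folder at the root but cannot look inside anyone else's
    @('Everyone', 'Traverse, ListDirectory, ReadAttributes, CreateDirectories', 'None', 'None')
)
foreach ($r in $Rules) {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $r[2], $r[3], 'Allow')))
}
Set-Acl -Path $Path -AclObject $Acl

(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The last line is the check: you should see four entries and nothing for Users. CREATOR OWNER is what turns into the user's own Full Control on the folder Windows creates for them at first logon, which is why Everyone only needs Create Folder at the root.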

8. I prefer to create a new policy and call it something sensible so if there’s a problem it’s easy to find in the future.

9. Navigate to:

[box]User Configuration > Policies > Windows Settings > Folder Redirection[/box]

Locate the folder you want to redirect (In this case its just the documents folder) > Right click > Properties.

10. I’m going to redirect all my users documents to the one folder I created earlier, so I will choose basic.

Note: You can choose “Advanced” and redirect different groups folders to different locations.

Enter the path to the root folder AS A UNC PATH; DON'T click the browse button and browse to it.

11. I'm going to accept the defaults on the settings tab. The option I've highlighted creates the folders with exclusive rights for the user in question and SYSTEM, so the domain admin has no access (this is OK, it's the same way user profiles work, you can still back them up).

12. Now as your users log on their folders will be redirected to the share you setup.

Backing up Redirected Folders

13. Even with exclusive rights you can still back this data up:

Related Articles, References, Credits, or External Links

Original Article written 22/06/11

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

KB ID 0001305

Problem

I’ve not used ADMT for ages, I’ve got a domain migration to do soon, so I thought I’d get on the bench and have a reminder. Although ADMT 3.2 was ‘re-jigged’ to support Server 2012 R2, I’m still going to install it on Server 2008 R2. I’ve got a test domain built to migrate from, and a new domain setup ready to migrate into.

  • Old/Source Domain: olddomain.com
  • Old/Source Domain Controller: Source-DC.olddomain.com
  • New/Target Domain: newdomain.com
  • New/Target Domain Controller: Target-DC.newdomain.com

 

Solution

ADMT – DNS Setup

The old domain needs to be able to resolve names in the new domain, and the new domain needs to be able to resolve names in the old domain. To achieve this you need to setup ‘Conditional Forwarding’ in each domain for the other one.

Don't worry if it looks like there's a problem; as long as the DNS servers can see each other (and there's no firewall in between blocking TCP and UDP port 53), just add in the DNS server, give it a while, then re-open the forwarder settings and it should have 'gone green'.

You can test it’s working by pinging BOTH the old and new domain names, in BOTH domains.

In addition, we want all machines (in both domains) to set their primary DNS Suffix, to their own domain, and their DNS suffix search list to look for their own domain first, then the other domain. The easiest way to do that is via group policy.  On a domain controller > Administrative Tools > Group Policy Management Console.

It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

 

Edit the policy you have just created.

Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > Network > DNS Client > [/box]

Setting: Primary DNS Suffix: Set to current domain.

Setting: DNS Suffix Search List: Set to current domain ‘comma‘ other domain.

Then wait or Force a Group Policy Update, to test visit a machine and issue an ‘ipconfig /all‘ command;

Above: you can see both the policies have taken effect.

Repeat the procedure in the new domain, (but the domain names will be the opposite way round) like so;

ADMT – Creating Domain Trust

Both domains need to trust each other for the migration to take place. If you have two simple domains like I do, a "two-way external trust" is fine. You would only need a 'forest trust' if you were migrating from/to a forest with root and sub domains, for example.

As the name implies Trusts are setup from Administrative tools > Active Directory Domains and Trusts. You can setup the whole thing from one domain, below I’m creating it in the old domain.

Welcome Screen  = Next > Provide the name to the ‘other’ domain > Next > External Trust > Next.

Two Way > Next > Both this domain and the specified domain > Next > Provide administrative credentials for the ‘other’ domain > Next.

Domain wide authentication > Next > Domain wide authentication > Next > Next.

Next > Yes. Confirm outgoing trust > Next > Yes. Confirm incoming trust > Next.

Finish > READ the warning about SID history, we will have to mess about with SID History filtering a bit further on > OK.

This step is not really necessary, (it’s just for peace of mind). I do this in BOTH domains and validate each trust, (so you will do this four times).

Select the trust > Properties > Validate > Type in credentials > OK > Type in Credentials > OK > OK.

ADMT – Users / Admins and Rights Assignment

 Create the user that will do all the hard work in the NEW domain. Then add that user to the domain admins group (again in the NEW domain).

Username: ADMTAdmin (Can be anything you want, but I’ll refer to this username throughout).

Over in the OLD domain, you won’t be able to add your ADMT user into the domain admins group, you need to add the ADMTAdmin account from the NEW domain into the Builtin\Administrators group on the OLD domain.

Additionally: the ADMTAdmin user needs to have local administrative rights to all the machines in the OLD domain. The easiest way to do that is again with a group policy.

In the OLD domain create a group, (Type: Domain Local)

Group Name: GP-ADMT-Admins, (again you can call it something else if you want).

Add your ADMTAdmin account to this group, (Note: I like to add the domain admin account for the NEW domain as well, though that’s not necessary).

On a domain controller > Administrative Tools > Group Policy Management Console.

Once Again: It’s better practice to ‘link’ your policy to the actual OU that your computers are in, to keep things simple, (and because I’m lazy) I’m going to link my policy to the root of the domain.

Edit the policy you have just created;

Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups[/box]

Add Group > Select GP-ADMT-Admins > OK > Add (bottom option) > Administrators > OK.

Setup correctly it should look like this;

To Test: On a client open an administrative command window > and run 'gpresult /R'.

Or the best test is, make sure that the GP-ADMT-Admins group is actually in the local admins group.
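Since the DNS, trust and rights steps above all have to be right before ADMT will do anything useful, here is one script that checks them together. It is an added example, not part of the original article, and uses the names from this page (olddomain.com, newdomain.com, Target-DC, GP-ADMT-Admins). Steps 1 to 3 are meant to run on a domain controller in the OLD domain (they need the ActiveDirectory module from 2012/RSAT; netdom is built in); step 4 should be run on an ordinary member machine, because on a DC 'Administrators' is the domain's Builtin group rather than a local one.

```powershell
# Added example (not from the original article): verify the ADMT prerequisites
# configured above. Names are the ones used on this page.
$Old = 'olddomain.com'
$New = 'newdomain.com'

# 1. Conditional forwarding: both domain names, and the other side's DC, must resolve from here
foreach ($name in $Old, $New, "Target-DC.$New") {
    $a = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if ($a) { "DNS OK    $name -> $($a.IPAddress -join ', ')" } else { Write-Warning "DNS FAIL  $name" }
}

# 2. DNS Client GPO: own domain first in the suffix search list, then the other domain
$Suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
if ($Suffixes[0] -ne $Old -or $Suffixes -notcontains $New) {
    Write-Warning "Suffix search list is '$($Suffixes -join ',')'; expected '$Old,$New' (check the GPO has applied)"
}

# 3. The two-way external trust. SIDFilteringQuarantined is the SID history filtering the wizard warned about
Import-Module ActiveDirectory
Get-ADTrust -Filter "Target -eq '$New'" |
    Format-Table Name, Direction, TrustType, SIDFilteringQuarantined, ForestTransitive -AutoSize
# Full verification of both directions (prompts for / uses admin credentials in the other domain)
netdom trust $Old /Domain:$New /Verify /TwoWay

# 4. Restricted Groups GPO - run this part on a MEMBER machine in the old domain, not on a DC
$Members = net localgroup Administrators
if ($Members -match 'GP-ADMT-Admins') {
    'Restricted Groups OK: GP-ADMT-Admins is a local Administrator'
} else {
    Write-Warning 'GP-ADMT-Admins is not in local Administrators yet; run gpupdate /force and check gpresult /R'
}
```

If step 3 shows the trust but netdom fails to verify it, go back to DNS: nine times out of ten it is the SRV records for the other domain not resolving, not the trust itself.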

ADMT – Database Requirements

OK, a lot of posts say don't install ADMT/SQL on a domain controller. That's not strictly true, you can install ADMT and SQL on a domain controller, in fact that's what I'm going to do (there are a few commands and extra steps that I will point out below).

You can use full blown SQL if you like, but it's just as easy to use SQL Express 2008 SP1 > Download and run > Installation > New SQL Server stand-alone installation or add features to an existing installation.

Accept the defaults > In feature Installation select ‘Database Engine Services’.

Accept the named instance ‘SQLExpress’.

Keep accepting defaults until you get to ‘Server configuration‘ page, add in the ADMTAdmin account.

Then add in your ADMTAdmin account again. (Once again theres nothing wrong with adding the domain admin account as well).

ADMT – Additional SQL Steps For Domain Controllers

Open an administrative command window > and run the following commands;

[box]

NET LOCALGROUP SQLServerMSSQLUser$Target-DC$SQLEXPRESS /ADD
SC SHOWSID MSSQL$SQLEXPRESS
{Copy the SID to the clipboard you will need it in a minute}
MD %SystemRoot%\ADMT\Data
ICACLS %Systemroot%\ADMT\Data /grant *{Paste the SID from above}:F
i.e.
ICACLS %systemroot%\ADMT\Data /grant *S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:F

[/box]

ADMT – Downloading and Installing ADMT

Download the ADMT software, if that link ever dies use this one. Download ADMT 3.2. Launch the installer and accept all the defaults until you get to database selection, use .\SQLEXPRESS

No, we don't want to import any data from an existing database > Next > Finish.

We can now open the ‘Active Directory Migration Tool’ management console.

 In Part Two we will look at SID filtering, setup a password export server, and do some group policy work.

Related Articles, References, Credits, or External Links

NA

Can A Domain Trust Another Domain With The Same ‘Root Domain’ Name?

KB ID 0001288 

Problem

About a month ago I was with a client to do some investigation/consultancy, they were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.

Well that’s all OK, but the UK company has been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.

So what was the problem? Well the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com 

Me: Thats OK once newuscomp.com is built, we will make ukcomp a child domain of that, that’s not a problem.

Client: Well that might not be built for quite some time, the guys in the states have problems of their own.

Me: OK we will build it here, then build our child domain, then we can then give them the root domain?

Client: That probably wont fly either, can we just build ukcomp.newuscomp.com here, them make it a child domain later?

Me: No, (the first DC in a child domain needs to be a member of the parent domain).

Client: OK can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?

Me: I don't think so, (they have a similar namespace), I don't think that will work? I would need to test it to see if it was possible.

The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time, I thought I would investigate if it was possible.

Solution

Well I built both the domains. My usual procedure for creating a domain trust is;

  1. Create a conditional DNS forwarder in domain A for domain B
  2. Create a conditional DNS forwarder in domain B for domain A
  3. Go to Active Directory Domains and Trusts and setup the trust

As you can see from the diagram above I used subdomain.domain.com for the first domain, and I used domain.com for the second domain. So when I started, the only thing these domains shared is some namespace.

Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.

However when I tried to create a conditional forwarder in domain.com for subdomain.domain.com this happened;

A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.

Oh dear, some investigation explained why;

Above from: Technet: Using Forwarders

However it does say I can delegate the namespace to another DNS server. Would that work? If you don't know what a delegation is read this article.
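For reference, this is what the delegation looks like done from PowerShell on the domain.com DNS server. It is an added example, not part of the original article: a delegation is just an NS record for the child name inside the parent zone plus a glue A record for the child's name server, and the check afterwards is whether the other domain's AD SRV records resolve through the referral (the trust wizard relies on those). The name server DC1.subdomain.domain.com and its address 10.20.0.10 are assumptions; it needs the DnsServer module (Server 2012+).

```powershell
# Added example (not from the original article): delegate 'subdomain' out of the
# domain.com zone instead of the conditional forwarder that DNS refused to create.
# Run on the DC hosting domain.com. Names and IPs are illustrative.
$ParentZone = 'domain.com'
$Child      = 'subdomain'
$ChildNS    = 'DC1.subdomain.domain.com'
$ChildNSIP  = '10.20.0.10'

# NS record for the child in the parent zone + glue A record for the child's name server
Add-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $Child `
    -NameServer $ChildNS -IPAddress $ChildNSIP -PassThru

# What the parent zone now holds for the child
Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $Child |
    Select-Object ChildZoneName, @{n='NameServers'; e={ $_.NameServer.RecordData.NameServer -join ', ' }}

# The check that matters for the trust: AD's DC locator records for the other domain must resolve from here
$DcLocator = "_ldap._tcp.dc._msdcs.$Child.$ParentZone"
$Srv = Resolve-DnsName -Name $DcLocator -Type SRV -ErrorAction SilentlyContinue
if ($Srv) { "Delegation works: $DcLocator -> $($Srv.NameTarget -join ', ')" }
else      { Write-Warning "$DcLocator did not resolve; check the glue address and UDP/TCP 53 to $ChildNSIP" }

# The other direction is the ordinary conditional forwarder, run on the subdomain.domain.com DNS server:
#   Add-DnsServerConditionalForwarderZone -Name 'domain.com' -MasterServers <IP of the domain.com DNS server>
```

Note the asymmetry: the parent can only delegate, because it is authoritative for everything under domain.com, whereas the child has no such conflict and can forward normally.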

Then I setup the trust, and validated it.

So yes it does work, but you need to remember that these are two different domains that trust each other they just share a common piece of namespace. If it was a parent and child domain then when you were assigning permissions you would see something like this;

But instead, in our case when assigning permissions  you will see;

So yes it works and it looks like a sub domain, you can even call it a subdomain, but it isn't; it's just another domain that you can trust.

Related Articles, References, Credits, or External Links

NA

Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250

Problem

A client had moved a domain joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server which had expired, and could not be renewed. 

Some research pointed me towards Certificate Enrolment Web Service. Its job is to let clients enrol for and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. This was just what I needed; I just needed to test the concept. So I built a domain, set up a CA, and a DMZ (with the same firewall as my client, a Cisco ASA). Then moved a domain client into the DMZ; domain authentication was set up as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

 

Solution

Before starting I would suggest creating a 'service account' to run the enrolment service; you need to be an admin to install the services but this account does not need to be. (It does need to be in the LOCAL IIS_IUSRS group on your CES/CEP server(s)). Below you will see I've named my user svc_ca.

You need to already have a PKI/CA setup. You can split the CES ‘Web Service’ and CEP ‘Policy Web Service’ across different hosts if you want, but for this example I’m simply putting both roles on the same server.

Then you need to run the post deployment configuration.

Again I’m configuring both roles at the same time.

I’ve only got one, but choose the CA server on which to house the CES role.

As I mentioned above, I’m using Windows authentication, if you are deploying certs to a DMZ, yours may be better set to username/password.

Specify your service account, you created earlier.

Again choose your authentication method.

Now you need to create a 'Service Principal Name' (SPN) for your service account, tied to your Certificate Enrolment Web Services server. Open an Administrative Command Window on the CES server and issue the following command (note it is http/ with a single slash, and http even though clients will connect over https);

[box]setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}[/box]

Now your user has an SPN, they will get another 'Tab' on their user object called 'Delegation'. Add in the CES server for the following service types.

  • HOST
  • rpcss

On your certificate enrolment policy server, open the Internet Information Servers (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Locate the Friendly Name section > Locate the ‘Value‘ > Change its last hexadecimal character (0 to 9 or A to F) from what it is currently > OK.

Open an Administrative Command Window > Issue an IISRESET command.
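Kerberos problems with CES/CEP nearly always come down to the SPN, the delegation, or the certificate the client validates the URI against, so it is worth checking all three before testing from a client. The block below is an added example, not from the original article: it registers the SPN (refusing a duplicate), shows which account holds it, prints the delegation the 'Delegation' tab wrote, and pulls the TLS certificate off port 443 to confirm its subject and chain. The server CES01.pnl.com, domain PNL and account svc_ca are assumptions, and it needs the ActiveDirectory module.

```powershell
# Added example (not from the original article): verify SPN, delegation and the
# server certificate for the enrolment service account.
# Assumes CES/CEP server 'CES01.pnl.com', domain 'PNL', account 'svc_ca' (illustrative).
$Ces  = 'CES01.pnl.com'
$Acct = 'PNL\svc_ca'

# IIS Kerberos needs http/<fqdn> on the account the app pool runs as. -S checks the forest for a
# duplicate first, because a duplicated SPN silently breaks Kerberos for BOTH accounts.
setspn -S "http/$Ces" $Acct
setspn -Q "http/$Ces"          # which account(s) hold this SPN now
setspn -L $Acct                # everything registered on the service account

# What the 'Delegation' tab set: constrained delegation to HOST and rpcss on the CES server
Import-Module ActiveDirectory
Get-ADUser -Identity $Acct.Split('\')[1] -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Clients validate https://<CES>/...: the certificate subject/SAN must match $Ces and chain to a CA they trust.
# Record the policy errors instead of failing so we can see what a client would object to.
$script:TlsErrors = $null
$Tcp = New-Object System.Net.Sockets.TcpClient($Ces, 443)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $script:TlsErrors = $errors; $true })
$Ssl.AuthenticateAsClient($Ces)
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
"Cert: $($Cert.Subject) | issuer: $($Cert.Issuer) | expires: $($Cert.NotAfter) | policy errors: $TlsErrors"
$Ssl.Dispose(); $Tcp.Close()
```

'policy errors: None' is what you want; RemoteCertificateNameMismatch means the certificate does not match the FQDN in the CEP URI, and RemoteCertificateChainErrors means the DMZ client does not trust the issuing CA (see the IIS certificate article linked below).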

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is, there are TWO methods of letting them know, you can either use the certificate snap-in, or use a ‘Local Group Policy’ on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Note: To access via https, you may need to manually add a Web Server certificate for the URL/Common name of the CEP server. See the following article;

IIS: How to Create a Certificate Request

Validate Server > Add.

Managing Enrolment Policies With Certificates Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client – Certificate Enrolment Policy.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Validate Server > Add.

If you already have an Active Directory Enrolment Policy listed, make sure it’s NOT selected, and your newly created CES policy is set as default > Apply.

Enrol Or Renew Certificates From CES

Now if you attempt to enrol for a certificate, your machine will use the CES policy.

 

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID

Exchange – ‘Not all the required authentication methods were found’

KB ID 0001180 

Problem

I had to visit a client who had recently gone through an Exchange migration, now his external mail clients were having a nightmare staying connected to Outlook Anywhere. I ran the Exchange connectivity tester and got this;

Additional details
Not all the required authentication methods were  found
Methods Found: Basic
Methods Required: NTLM

 

Solution

Looks like an open and shut case: someone forgot to enable Windows Authentication on the 'Rpc' virtual directory in IIS, and when I looked, it wasn't enabled, so I enabled it, like so;

Now I was feeling smug, and enjoying a coffee before I left site, when it went off again. As it happens, not only do you need to set it correctly in IIS, but if it's set incorrectly in Exchange, then Exchange wins (it re-stamps the IIS virtual directory from its own configuration, so the IIS Manager change is undone). As you can see from my query below;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic} << OOPS! :(
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:26
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 01/10/2015 12:34:26
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 01/10/2015 13:34:37
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 01/10/2015 12:34:37
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]

Well that explains the error! To fix that;

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic, Ntlm

[/box]
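The lesson here is that the IIS setting and the Exchange setting have to agree, and Exchange's is the one that counts. The block below is an added example, not from the original article: run in the Exchange Management Shell on a Client Access Server, it flags every Outlook Anywhere directory whose ClientAuthenticationMethod is not in its IISAuthenticationMethods (the exact mismatch above), fixes the ones it finds, and then reads back what IIS on the local box actually has for /Rpc via the WebAdministration module. Nothing here is assumed beyond Exchange 2010 and IIS 7 or later.

```powershell
# Added example (not from the original article): audit Outlook Anywhere for the
# "client method not offered by IIS" mismatch, fix it, and compare with IIS itself.
# Run in the Exchange Management Shell (Exchange 2010+) on a CAS.
Import-Module WebAdministration

# A server is wrong when the method Outlook is told to use is not one IIS will accept
$Bad = Get-OutlookAnywhere | Where-Object {
    $_.IISAuthenticationMethods -notcontains $_.ClientAuthenticationMethod
}

if ($Bad) {
    $Bad | Format-Table ServerName, ClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
    # Correct it in Exchange, not in IIS Manager: Exchange re-stamps IIS from these values
    $Bad | Set-OutlookAnywhere -IISAuthenticationMethods Basic, Ntlm
} else {
    'All Outlook Anywhere directories offer their ClientAuthenticationMethod in IIS'
}

# What IIS on THIS server has for the Rpc virtual directory (should match Exchange once it has re-stamped)
$RpcVdir = 'IIS:\Sites\Default Web Site\Rpc'
$AuthBase = 'system.webServer/security/authentication'
New-Object PSObject -Property @{
    Server  = $env:COMPUTERNAME
    Basic   = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter "$AuthBase/basicAuthentication"   -Name enabled).Value
    Windows = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
} | Format-List
```

Basic authentication is acceptable on Outlook Anywhere only because the virtual directory requires SSL; if you ever turn that off, the Basic credentials cross the wire in base64 only, so keep that in mind when changing this setting.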

Now let’s check again.

[box]

[PS] C:\Windows\system32>Get-OutlookAnywhere


RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL03
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm} << BOOM :)
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL03.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL03
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL03
DistinguishedName               : CN=PNLMAIL03,CN=HTTP,CN=Protocols,CN=PNLMAIL03,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL03\PNLMAIL03
Guid                            : 3403795b-af71-4687-ba81-da4c876ed7bc
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:55
WhenCreated                     : 14/06/2013 09:27:03
WhenChangedUTC                  : 02/10/2015 12:13:55
WhenCreatedUTC                  : 14/06/2013 08:27:03
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

RunspaceId                      : a268959b-a2c9-435a-883e-97acef3ec828
ServerName                      : PNLMAIL02
SSLOffloading                   : False
ExternalHostname                : webmail.petenetlive.co.uk
ClientAuthenticationMethod      : Ntlm
IISAuthenticationMethods        : {Basic, Ntlm}
XropUrl                         :
MetabasePath                    : IIS://PNLMAIL02.PNL.local/W3SVC/1/ROOT/Rpc
Path                            : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : PNLMAIL02
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : PNLMAIL02
DistinguishedName               : CN=PNLMAIL02,CN=HTTP,CN=Protocols,CN=PNLMAIL02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=PeteNetLive,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=PNL,DC=local
Identity                        : PNLMAIL02\PNLMAIL02
Guid                            : 40ea303b-9c68-47ab-84fd-362c07f0a2db
ObjectCategory                  : PNL.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                     : 02/10/2015 13:13:58
WhenCreated                     : 14/06/2013 09:26:49
WhenChangedUTC                  : 02/10/2015 12:13:58
WhenCreatedUTC                  : 14/06/2013 08:26:49
OrganizationId                  :
OriginatingServer               : PNLDC01.PNL.local
IsValid                         : True

[/box]
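The same check and fix as one script, added here as an example that is not part of the original article: it reports, for every Outlook Anywhere virtual directory, whether the IIS authentication methods include the method the client is told to use (the mismatch shown above, client NTLM against IIS Basic only) and the methods the article sets, and then applies the article's Set-OutlookAnywhere change only to the servers that need it. Run it from the Exchange Management Shell; the $RequiredMethods list is an assumption you can change.

```powershell
# Added example (not from the original article): audit Outlook Anywhere IIS
# authentication on every server and fix only the ones that are missing a method.
$RequiredMethods = @('Basic', 'Ntlm')   # assumed: the set the article configures

function Get-OutlookAnywhereAuthReport {
    foreach ($oa in Get-OutlookAnywhere) {
        # Stringify the MultiValuedProperty so plain string comparison works
        $current  = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
        $client   = "$($oa.ClientAuthenticationMethod)"
        $missing  = @($RequiredMethods | Where-Object { $current -notcontains $_ })
        # The error on this page: the client is told NTLM but IIS only offers Basic
        $clientOk = ($current -contains $client)
        New-Object PSObject -Property @{
            Server                   = $oa.ServerName
            ClientAuthentication     = $client
            IISAuthenticationMethods = ($current -join ', ')
            ClientMethodOffered      = $clientOk
            Missing                  = ($missing -join ', ')
            NeedsFix                 = (($missing.Count -gt 0) -or (-not $clientOk))
        }
    }
}

$report = Get-OutlookAnywhereAuthReport
$report | Format-Table Server, ClientAuthentication, IISAuthenticationMethods, ClientMethodOffered, Missing, NeedsFix -AutoSize

# Same change as the article's one-liner, scoped to the servers flagged above.
# -Confirm prompts per server; remove it once you are happy with the report.
foreach ($entry in ($report | Where-Object { $_.NeedsFix })) {
    Get-OutlookAnywhere -Server $entry.Server |
        Set-OutlookAnywhere -IISAuthenticationMethods $RequiredMethods -Confirm
}
```

Running the report first, and re-running it after the change, gives you the before and after view the article shows with two Get-OutlookAnywhere calls, without having to read through the full property dump for each server.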
Related Articles, References, Credits, or External Links

NA

VMware View – Using Persona Management

KB ID 0000615 

Problem

Persona Management is the VMware equivalent of “Roaming Profiles” and “Redirected Folders” rolled into one, though the redirected-folders part is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.

It’s handy if you’re using floating pools but still want your users to have a persistent user interface. Keeping these files centrally makes them easier to back up, and the more your users can customise their desktops and settings, the better their level of equipment husbandry.

Solution

Create a “Roaming Profile” Network share with the correct permissions

1. On a network accessible server, create a folder and set the SHARE permissions as follows;

Share Permissions

Everyone = Read. Domain Users = Full Control.

Note: You may also want to DISABLE Caching on this folder.

2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;

Security / NTFS Permissions

Creator Owner (Subfolders and Files Only) = Full Control.
Domain Users (This Folder Only) = List Folder/Read Data and Create Folders/Append Data.
System (This Folder, Subfolders and Files) = Full Control.
Everyone = No Permissions.

Note: I’m using Domain Users; you might have a different security group that you want to substitute.
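Steps 1 and 2 as a script, added here as an example that is not part of the original article. It creates the folder, shares it with Everyone = Read and Domain Users = Full Control with caching disabled, stops inheritance, and then adds exactly the NTFS entries listed above, using the inheritance and propagation flags that give “Subfolders and Files Only” and “This Folder Only”. The path D:\Profiles, the share name Profiles$ and the group PNL\Domain Users are assumptions; New-SmbShare needs Windows Server 2012 or later (on older servers create the share with net share instead).

```powershell
# Added example, not from the original article: build the profile share
# with the share and NTFS permissions from steps 1 and 2.
$Path      = 'D:\Profiles'         # assumed location for the profile store
$ShareName = 'Profiles$'           # assumed share name (hidden share)
$UserGroup = 'PNL\Domain Users'    # assumed group; substitute your own (see the note above)

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Step 1: share permissions. Everyone = Read, Domain Users = Full Control, caching disabled.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' -FullAccess $UserGroup -CachingMode None | Out-Null

# Step 2: NTFS permissions. Stop inheritance without copying the inherited entries,
# then remove any explicit entries so only the ones below remain (Everyone gets nothing).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none = [System.Security.AccessControl.InheritanceFlags]::None
$rules = @(
    # Creator Owner (Subfolders and Files Only) = Full Control; InheritOnly keeps it off the root folder
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CREATOR OWNER', 'FullControl', $both, 'InheritOnly', 'Allow'
    # Domain Users (This Folder Only) = List Folder/Read Data + Create Folders/Append Data
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $UserGroup, 'ListDirectory, CreateDirectories', $none, 'None', 'Allow'
    # System (This Folder, Subfolders and Files) = Full Control
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'NT AUTHORITY\SYSTEM', 'FullControl', $both, 'None', 'Allow'
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Show the resulting entries so they can be checked against the list in step 2
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The point of the “This Folder Only” entry for Domain Users is that a user can list the share and create their own profile folder but cannot read into anyone else’s; Creator Owner then gives each user full control of the folder they created, and nothing else.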

3. Make sure that the machines you will be using as View targets have the View Persona Management option selected (this is selected by default).

Configure Windows 7 to be a VMware View Desktop

4. You need to get the administrative template for Persona Management. You will find it on your VMware Connection Server in the following location;

[box] C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles [/box]

Locate the ViewPM.adm file and copy it to a domain controller.

5. Create a new group policy that is linked to the OU containing your View machines.

6. Edit the policy > Expand Computer Configuration > Policies > Administrative Templates > Right Click > Add/Remove Administrative Templates > Add in the ViewPM.adm template.

7. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management [/box]

8. In the Roaming and Synchronisation section > Manage user persona > Set to Enabled > Next Setting.

9. Enable > Enter the shared folder you created earlier > Next Setting.

10. Enabled (to remove local cached copies of the profile).

11. Enabled to roam the local folder > That’s all I’m going to configure in this branch of the policy.

Persona Management Folder Redirection

12. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management > Folder Redirection [/box]

Here you will find the folders that can be redirected to a central location.

13. For example, here I’m redirecting the users “My Documents” folder.

14. And their “My Pictures” folder.

15. Make sure you have a pool created and your users have an ‘entitlement’ to it. These machines will also HAVE TO be in the OU your policy is applying to.

Creating a ‘Manual Pool’ and Connecting a View Client

Deploying Linked Clone View Desktops

16. Now when your users connect to their View Desktops.

17. Their user profile will be persistent.

18. Because their settings are stored in your profile shared folder.

Note: Persona Management stores the profile in username.domainname format. The V2 on the end denotes that the profile is for Windows 7 or Vista. If users swap between these OSes and any older Windows OS, they will get a separate profile for those as well. If this is the case, rely on the folder redirection rather than the profile.

Related Articles, References, Credits, or External Links

NA