September 2011 - Posts - Yuval Sinay

Yuval Sinay

Yuval's blog.


Microsoft Security Advisory: Vulnerability in SSL/TLS could allow information disclosure

Published at Sep 30 2011, 10:08 AM by yuval14

Exchange 2010 SP1 ExFolders

Published at Sep 29 2011, 11:44 PM by yuval14

“Exchange 2010 SP1 ExFolders” – “This new tool is really just a port of PFDAVAdmin to Exchange 2010. We changed the name to ExFolders because it no longer relies on DAV, and it's not just for public folders (even PFDAVAdmin, in its public release, was not just for public folders). The name just didn't make sense anymore, so we changed it to the easier-to-pronounce ExFolders.” The tool can be downloaded from the following link.

How to install ADMT 3.2 on Windows 2008 R2 SP1 Domain Controller

Published at Sep 26 2011, 01:39 AM by yuval14

The following post covers the installation of Microsoft ADMT 3.2 on a Windows 2008 R2 SP1 domain controller.

Please note: Microsoft recommends installing the ADMT 3.2 tool on a computer that is not a domain controller. Using ADMT 3.2 on a domain controller may reduce the security level of every domain controller in the organization.

The installation process is divided into four sections:

1. SQL 2008 Express installation.

2. ADMT 3.2 installation.

3. ADMT 3.2 configuration.

4. Enabling password migration.

Note: Earlier ADMT versions used an Access database to store the migration configuration and data. ADMT 3.2 requires a SQL database.

 

1. SQL Express Installation

1.1 Download SQL 2008 Express x64.

Microsoft® SQL Server® 2008 Express Edition Service Pack 1

Note: ADMT 3.2 doesn’t support SQL 2008 R2.

1.2 Log on to the target domain controller.

1.3 Launch the "SQLEXPR_x64_ENU.exe" file.

1.4 Click the "Installation" link.

1.5 Click the link "New SQL Server stand-alone installation or add features to an existing installation".

1.6 Click "OK", then click "Next".

1.7 Mark the checkbox "I accept the license terms" and click "Next".

1.8 Click "Install".

1.9 Click "Next".

1.10 Mark the checkbox "Database Engine Services" and click "Next".

1.11 Click "Next".

1.12 Click "Next".

1.13 Set the database engine service to run as the "Administrator" account (or an equivalent domain account that is a member of the Domain Admins group) and click "Next".

1.14 Add the Domain Admins group and the Administrator account as "SQL Server Administrators" and click "Next".

1.15 Click "Next".

1.16 Click "Next".

1.17 Click "Install".

1.18 Click "Close".

 

2 ADMT 3.2 Installation

2.1 Download Microsoft ADMT 3.2.

2.2 Log on to the target domain controller.

2.3 Run the following commands:

NET LOCALGROUP SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS /ADD

* The SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group should be created as a domain local group (replace DomainControllerName with the name of the domain controller).

* The user that runs ADMT 3.2 should be added to the SQLServerMSSQLUser$DomainControllerName$SQLEXPRESS group.

SC SHOWSID MSSQL$SQLEXPRESS

MD %SystemRoot%\ADMT\Data

ICACLS %SystemRoot%\ADMT\Data /grant *S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143:F

S-1-5-80-3881436512-7290199661-1648723128-3569869737-3631323143 = the service SID obtained by using the SC SHOWSID MSSQL$SQLEXPRESS command.

Source:  ADMT 3.2 installation incomplete, MMC console error "cannot open database 'ADMT' requested by the login"

2.4 Launch the ADMT 3.2 setup.

2.5 Accept the EULA and click "Next".

2.6 Click "Next" (do not choose to participate in the CEIP program).

2.7 Point the ADMT 3.2 installation to the ".\SQLEXPRESS" instance.

2.8 Click "Next".

2.9 Click "Finish".

 

3. ADMT 3.2 Configurations

During the first run of ADMT 3.2, the following changes are made automatically on the domain controllers that handle the migration process (usually the source and target domain controllers hosting the PDC Emulator FSMO role).

I recommend allowing the ADMT 3.2 wizard to set the required settings automatically rather than making these changes manually.

3.1 On the target domain PDC Emulator FSMO, set the following registry key:

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AllowNT4Crypto

Type: REG_DWORD

Data: 1

3.2 On the PDC emulator of the old (source) domain, set the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Modify the registry entry TcpipClientSupport, of data type REG_DWORD, by setting the value to 1.

3.3 On the target domain PDC Emulator FSMO, set the following Group Policy:

3.3.1 Click Start, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

3.3.2 Navigate to the following node: Forest | Domains | Domain | Domain Controllers | Default Domain Controllers Policy. Right-click Default Domain Controllers Policy and click Edit.

3.3.3 In Group Policy Management Editor, in the console tree, navigate to the following node: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy

3.3.4 In the details pane, right-click Audit account management, and then click Properties.

3.3.5 Click Define these policy settings, and then click Success and Failure.

3.3.6 Click Apply, and then click OK.

3.3.7 In the details pane, right-click Audit directory service access, and then click Properties.

3.3.8 Click Define these policy settings, and then click Success.

3.3.9 Click Apply, and then click OK.

3.4 If the changes need to be reflected immediately on the domain controllers, open an elevated command prompt and type gpupdate /force.

3.5 Reboot the PDC emulator server in each domain.

 

4. Enable Password Migration

The PES service installation in the source domain requires an encryption key. However, you must create the encryption key on the computer running ADMT in the target domain.

This way, you can store the key in a secure location and reformat the key media after the migration is completed.

 

4.1 On the target domain controller, create a new encryption key:

admt key /option:create /sourcedomain:SourceDomainName.Local /keyfile:<KeyFilePath> /keypassword:{<password>|*}

Note: The source domain should be set to: SourceDomainName.Local

4.2 On the old domain, log on to the PDC emulator.

4.3 Run the Pwdmig.msi that was created in the previous steps.

Note: You may need to provide the encryption

4.4 Follow the instructions below:

To configure the PES service in the source domain

1. On the domain controller that runs the PES service in the source domain, insert the encryption key disk.

2. Run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, provide the password that was given when the key was created, and then click Next.

Wizard page: Welcome to the ADMT Password Migration DLL Installation Wizard

Action: Click Next.

Wizard page: Encryption File

Action: To install the ADMT Password Migration dynamic-link library (DLL), you must specify a file that contains a valid password encryption key for this source domain. The key file must be located on a local drive. You use the admt key command to generate the key files. For more information, see the previous procedure "To create an encryption key."

Wizard page: Run the service as

Action: Specify the account that you want the PES service to run under. You can specify either of the following accounts:

· The local System account

· A specified user account

Note: If you plan to run the PES service as an authenticated user account, specify the account in the format domain\user_name.

Wizard page: Summary

Action: Click Finish to complete the PES service installation.

Note: To use the password migration of ADMT, you must restart the server where you installed the PES service.

3. After installation completes, restart the domain controller.

4. After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services.

5. In the details pane, right-click Password Export Server Service, and then click Start.

Note

Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.

Source:  Enabling Migration of Passwords

4.5 On the source domain, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

4.6 Verify that "AllowPasswordExport" (REG_DWORD) was set to 1.

4.7 Add the target domain's Domain Admins group as a member of the "Administrators" group in the source domain.
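The following PowerShell script is an added example (not from this post or from ADMT) that audits, read-only, the settings sections 3 and 4 describe on the PDC emulator it runs on: AllowNT4Crypto on the target domain, TcpipClientSupport and AllowPasswordExport on the source domain, and the state of the Password Export Server Service. The -Role and -Phase parameters and the convention that a missing value counts as 0 are my assumptions; run it with -Phase Completed after the migration to confirm that the migration-only settings, which lower the domain controller's security baseline, were reverted.

```powershell
# Added example: read-only audit of the ADMT migration settings listed in sections 3 and 4.
# Run on the target PDC emulator with -Role Target and on the source PDC emulator with -Role Source.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Source', 'Target')]
    [string]$Role,
    # 'Migrating' expects the values the post lists; 'Completed' expects them reverted to 0.
    [ValidateSet('Migrating', 'Completed')]
    [string]$Phase = 'Migrating'
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Settings per role, taken from the post: 3.1 (target), 3.2 and 4.6 (source).
$checks = @{
    Target = @(@{ Path = $netlogon; Name = 'AllowNT4Crypto' })
    Source = @(@{ Path = $lsa; Name = 'TcpipClientSupport' },
               @{ Path = $lsa; Name = 'AllowPasswordExport' })
}

$expected = if ($Phase -eq 'Migrating') { 1 } else { 0 }

function Get-DwordOrZero([string]$Path, [string]$Name) {
    # Assumption: a missing value behaves like 0 (feature disabled) for all three settings.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

$findings = @(foreach ($c in $checks[$Role]) {
    $actual = Get-DwordOrZero -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $actual
        Expected = $expected
        Ok       = ($actual -eq $expected)
    }
})

if ($Role -eq 'Source') {
    # Section 4, step 5 and its closing note: run the PES service only while passwords migrate.
    $pes = Get-Service -DisplayName 'Password Export Server Service' -ErrorAction SilentlyContinue
    $state  = if ($null -eq $pes) { 'NotInstalled' } else { $pes.Status.ToString() }
    $wanted = if ($Phase -eq 'Migrating') { 'Running' } else { 'Stopped' }
    $findings += [pscustomobject]@{
        Setting  = 'PES service'
        Actual   = $state
        Expected = $wanted
        # Once the migration is complete, an uninstalled PES service is also acceptable.
        Ok       = ($state -eq $wanted) -or ($Phase -eq 'Completed' -and $state -eq 'NotInstalled')
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) {
    Write-Warning "One or more ADMT settings do not match the '$Phase' phase on this $Role PDC emulator."
    exit 1
}
```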

 

For further information, please review:

ADMT 3.2: Common Installation Issues

The advantages and disadvantages of using self-signed certificates

Published at Sep 23 2011, 11:22 PM by yuval14

The following post covers the advantages and disadvantages of using self-signed certificates.

Self-signed certificates are usually created automatically during the installation of server-side applications (e.g. Exchange 2010, SCOM 2007 R2 etc.).

By using self-signed certificates, no PKI (Public Key Infrastructure) needs to be deployed before or after the deployment of the server-side applications. However, using self-signed certificates has its advantages and disadvantages.

Advantages

1. No PKI (Public Key Infrastructure) is needed.

2. Automatic deployment (self-signed certificates are usually created automatically during the installation of the server-side application).

Disadvantages

1. The certificates aren't trusted by other applications/operating systems. This may lead to authentication errors etc.

Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certification Authorities store. However, this workaround adds management and troubleshooting overhead.

2. The lifetime of a self-signed certificate is usually 1 year. Before the year ends, the certificate may need to be renewed/replaced.

3. Self-signed certificates may use weak hash and cipher algorithms. Because of this, the security level provided by self-signed certificates may not satisfy the current security policy.

4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. online checking of the revocation list etc.).

5. Most of the advanced features of server-side applications require a PKI (Public Key Infrastructure) to be implemented. As a result, the advantages of self-signed certificates can't be used.
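The following PowerShell script is an added example (it is not from this post) that audits the certificates in the local computer's Personal store against disadvantages 2 to 4 above: it flags self-issued certificates, a weak signature hash, a short lifetime, and the absence of CRL Distribution Points / Authority Information Access extensions. The store path, the 30-day renewal threshold and the list of weak hashes are my assumptions.

```powershell
# Added example: report which certificates in LocalMachine\My are self-signed and which of the
# weaknesses discussed in the post (weak hash, short lifetime, no revocation information) apply.
function Test-SelfSignedCertificate {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $cdpOid     = '2.5.29.31'          # CRL Distribution Points extension
    $aiaOid     = '1.3.6.1.5.5.7.1.1'  # Authority Information Access (OCSP / CA issuers)
    $weakHashes = 'md5', 'sha1'        # assumption: hashes the security policy no longer accepts

    # A certificate whose issuer is its own subject was not issued by a CA.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    $sigAlg     = $Cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
    $weakHash   = $null -ne ($weakHashes | Where-Object { $sigAlg -like "$_*" })
    $hasCdp     = $null -ne ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid })
    $hasAia     = $null -ne ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid })
    $daysLeft     = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    $lifetimeDays = [int]($Cert.NotAfter - $Cert.NotBefore).TotalDays

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        SelfSigned     = $selfSigned
        SignatureAlg   = $sigAlg
        WeakHash       = $weakHash
        LifetimeDays   = $lifetimeDays
        DaysLeft       = $daysLeft
        RevocationInfo = ($hasCdp -or $hasAia)
        # Self-signed and at least one of: weak hash, no way to check revocation, expiring soon.
        Risky          = $selfSigned -and ($weakHash -or -not ($hasCdp -or $hasAia) -or $daysLeft -lt 30)
    }
}

# LocalMachine\My is where Exchange and similar server applications place their certificates.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-SelfSignedCertificate -Cert $_ } |
    Sort-Object -Property SelfSigned, DaysLeft -Descending |
    Format-Table -Property Subject, SelfSigned, SignatureAlg, WeakHash, LifetimeDays, DaysLeft, RevocationInfo, Risky -AutoSize
```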

Conclusions

From my point of view, a PKI (Public Key Infrastructure) must be deployed as a prerequisite to any installation of enterprise server-side applications. However, self-signed certificates can be used in limited scenarios (e.g. installation of a single Exchange 2010 server in the organization etc.).

Common methods of providing a high availability solution by using TMG 2010

Published at Sep 22 2011, 04:21 AM by yuval14

The following post describes the common methods of providing a high availability solution by using TMG 2010.

Note: This post doesn’t cover Internet service provider high availability solutions.

 

Option 1: Using TMG 2010 Enterprise and a Load Balancing Mechanism

Prerequisites:

1. At least two TMG 2010 Enterprise servers.

Source: About the Forefront TMG Editions

2. The TMG 2010 servers should be set up to use Windows NLB or a hardware load balancer (the load balancer should support IP affinity).

Note 1: Without a load balancing mechanism, no automatic failover / load balancing takes place. With a load balancing mechanism there is no need to deploy and manage a Windows cluster.

Note 2: Some load balancing mechanisms support an Active/Passive mode: one server is online, and only after the load balancing mechanism detects an issue with the first server does the passive server move itself to the Active state (e.g. serving users etc.).

Note 3: Although you can use the DNS Round Robin feature as a load balancing mechanism, I wouldn’t recommend using it.

3. TMG 2010 Enterprise license(s).

4. Optional: A third server - an EMS-managed server to support an Enterprise Array.

For further information please review: About enterprise storage

Advantages:

1. All the array members share the same configuration (e.g. firewall policy, publishing rules etc.).

Note: EMS-managed arrays provide additional management capabilities, such as the option to create a single policy and deploy it on multiple TMG arrays.

2. Support for intra-array communication - enables communication between array members on a dedicated network only.

Source: Enabling intra-array communication

3. Easy backup/restore of the array settings (Standalone/Enterprise).

4. Support for caching in Forefront TMG arrays:

“In arrays, Forefront TMG uses Cache Array Routing Protocol (CARP) to provide a single, logical cache, for all the servers in the array. CARP allows Forefront TMG array members to efficiently balance Web-based client load, and split cached content between them. On the client side, CARP provides client computers with the information and algorithms required to identify which is the best server in the array to serve their request, thus eliminating the need for array members to forward requests between the array members. CARP also supports array server selection by the servers themselves and chained proxies.”

Source: Planning to cache Web content

Disadvantages:

1. Cost.

2. Additional knowledge may be needed for deployment and troubleshooting.

Note: “NLB’s maximum total bandwidth was found to be about 500 Mbps”.

Source: Forefront TMG 2010 hardware recommendations

3. No connection state synchronization is done between the array members.

 

Option 2: Using TMG 2010 Standard and a Load Balancing Mechanism

Prerequisites:

1. At least two TMG 2010 servers.

2. The TMG 2010 servers should be set up to use Windows NLB or a hardware load balancer (the load balancer should support IP affinity).

Note 1: Without a load balancing mechanism, no automatic failover / load balancing takes place. With a load balancing mechanism there is no need to deploy and manage a Windows cluster.

Note 2: Some load balancing mechanisms support an Active/Passive mode: one server is online, and only after the load balancing mechanism detects an issue with the first server does the passive server move itself to the Active state (e.g. serving users etc.).

Note 3: Although you can use the DNS Round Robin feature as a load balancing mechanism, I wouldn’t recommend using it.

Advantages:

1. Low cost.

2. Higher bandwidth support than “Option 3”.

Disadvantages:

1. Additional management resources are required (e.g. changing firewall rules on one TMG 2010 server isn't copied automatically to the other TMG 2010 server; a manual change and/or a configuration synchronization script may need to be implemented).

2. No support for Cache Array Routing Protocol (CARP).

3. Additional management resources may be needed for troubleshooting issues.

Note: “NLB’s maximum total bandwidth was found to be about 500 Mbps”

Source: Forefront TMG 2010 hardware recommendations

4. No connection state synchronization is done between the TMG 2010 servers.

 

Option 3: Using TMG 2010 Standard and a Failover Mechanism

Prerequisites:

1. At least two TMG 2010 servers.

2. To provide a failover mechanism, you can use one of the following techniques:

2.1 Using a DNS “A record” for the proxy FQDN (e.g. Proxy.MyDomainName.local) that points to the IP of one of the TMG servers. In case of a problem, manually changing the IP in the A record provides a failover.

Note: It's recommended to change the cache time (TTL) of the A record in the DNS server to 1-3 minutes.

2.2 Using a hardware load balancer or NLB (only one server should be active at the same time).

Note: Only a single server should be active at a time.

2.3 Changing the proxy name/IP by using GPO.

2.4 Using Forefront TMG 2010 with the WPAD server mechanism (Auto Proxy Discovery).

Note: Mr. Raihan Al-Beruni wrote a nice article on this option: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step

2.5 Using a configuration file. This file contains the proxy settings and the client browser can query it. Updating the file content allows the clients to use several proxy servers and/or a new proxy server.

Advantages:

1. Low cost.

Disadvantages:

1. No support for Cache Array Routing Protocol (CARP).

2. Without a proper failover mechanism, manual changes may be required on “D-Day”.

3. No connection state synchronization is done between the TMG 2010 servers.

4. Low bandwidth support (compared to Options 1 and 2).

 

Appendix 1: How can the client browser find the correct proxy settings in the network?

Microsoft TechNet provides an excellent summary of the methods that can be used to update the proxy details on the client side.

You may find that some of these topics were covered in my post.

Planning automatic Web proxy detection

 

Appendix 2: Limitations of TMG 2010 server with a single network adapter

About single network adapter limitations

For Further information please review:

Planning for Forefront TMG server high availability and scalability

Troubleshooting NLB

Opening Lync 2010 client may produce the following error: "Please wait while windows configures Microsoft Lync 2010"

Published at Sep 21 2011, 08:21 PM by yuval14

Symptoms:

1. Opening Lync 2010 client may produce the following error: "Please wait while windows configures Microsoft Lync 2010".

2. MSI Installer errors may appear in the System Event Log:

 


 

Resolution:

Workaround: Create a new folder named “OCSetupDir” in the root of %SystemDrive% (usually the “C” drive).

Also, it's recommended to review the Microsoft release notes for new updates/service packs for the Lync 2010 client.

Please note that manually changing the value of the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C7376A18AE70EB645A6EA7E5F5CE44F9

-> “CBF94811614C24742897713C2A8CF527” may not resolve this issue.

These updates may resolve the issue described above without the need to use this workaround.

How to resolve Exchange 2010 error message: The Certificate Status could not be determined because the revocation check failed

Published at Sep 20 2011, 05:31 PM by yuval14

The following error(s) may appear in the Exchange 2010 Management Console:

“Exchange 2010 Certificate Revocation Checks and Proxy Settings” or “The Certificate Status could not be determined because the revocation check failed”

Cause:

1. You may be using a proxy server that blocks access to the CRL.

2. The CRL isn't available.

How to debug this issue:

Obtain any (current) certificate from the Certificate Authority and run the following command:

certutil -verify -urlfetch C:\CertificateName.cer > Log.txt

Usually you will find issues such as error messages about an expired CRL or an offline CA.
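As an added example (not part of the original post), the following PowerShell script performs the same online revocation check through .NET's X509Chain, maps the resulting status flags to the causes and resolutions in this post, and lists the CRL Distribution Point URLs in the chain so each one can be tested through the WinHTTP proxy configuration. The certificate file parameter and the 15-second URL retrieval timeout are assumptions.

```powershell
# Added example: reproduce the revocation check that fails behind the Exchange error and explain why.
param([Parameter(Mandatory = $true)][string]$CertPath)   # e.g. C:\CertificateName.cer (assumption)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Fetch CRLs/OCSP online for every certificate in the chain, the way the server-side check does.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$valid = $chain.Build($cert)

# Map the chain status flags to the causes and resolution steps listed in this post.
$explanations = @{
    'RevocationStatusUnknown' = 'CRL/OCSP could not be retrieved (proxy, firewall or blocked URL; resolutions 1 and 3).'
    'OfflineRevocation'       = 'Revocation server unreachable; only a cached, possibly stale, CRL was available (resolution 4).'
    'Revoked'                 = 'The certificate is actually revoked.'
    'UntrustedRoot'           = 'Root CA certificate is not in the Trusted Root store (resolution 8).'
    'PartialChain'            = 'Intermediate (SubCA) certificate is missing from the Intermediate CA store (resolution 8).'
    'NotTimeValid'            = 'Certificate or CRL is expired or not yet valid (resolution 2).'
}

"Chain valid: $valid"
foreach ($status in $chain.ChainStatus) {
    $name = $status.Status.ToString()
    $why  = if ($explanations.ContainsKey($name)) { $explanations[$name] } else { $status.StatusInformation.Trim() }
    "  [$name] $why"
}

# List every CRL Distribution Point URL in the chain; each should be reachable through the
# WinHTTP proxy settings shown by "netsh winhttp show proxy".
foreach ($element in $chain.ChainElements) {
    foreach ($ext in ($element.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        "CDP for $($element.Certificate.Subject):"
        # Format($true) renders the extension as multi-line text containing the URL= entries.
        $ext.Format($true) -split "`n" | Where-Object { $_ -match 'URL=' } | ForEach-Object { '    ' + $_.Trim() }
    }
}
```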

Resolutions:

1. Review the proxy settings by using “netsh winhttp show proxy”.

You can reset the proxy settings by using the commands:

netsh winhttp reset proxy
netsh winhttp reset tracing

Note: You can also add proxy exceptions (e.g. the CRL location) by using the following commands:

netsh winhttp import proxy ie

netsh winhttp set proxy proxy-server=http://192.168.1.1:80 bypass-list="crlserver.DomainName.local"

netsh winhttp set proxy proxy-server=http://192.168.1.1:443 bypass-list="crlserver.DomainName.local"

2. Review the current CRL settings in Active Directory by using:

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Usually, if you are using an offline CA (a Root CA, for example), you may find that the current CRL has expired.

Usually it's recommended to change the CRL expiration date in the relevant CA and then re-publish the CRL.

Then, import the CRL into Active Directory by using the command:

certutil -f -dspublish CRLFileName.crl

3. If the CRL is published to a file share and/or web server (HTTP/S), verify that the URL paths exist and aren't blocked by a third-party system (e.g. firewall, antivirus, IPS etc.). It's also recommended to verify that no NTFS/share permissions block access to the CRL.

4. Reset the URL cache by using the following commands:

certutil -urlcache ocsp delete
certutil -urlcache crl delete

5. Reset the Exchange Internet web proxy to null by using the following Exchange Management Shell command (replace ServerName with the Exchange server's name):

Set-ExchangeServer -Identity ServerName -InternetWebProxy $null

6. Delete the MMC cache files from:

C:\Users\%username%\AppData\Roaming\Microsoft\MMC

7. Verify that the CRL URLs/paths for the Root CA and SubCA are current. Also,

8. Verify that the Root CA certificate was added to the computer's Trusted Root CA store.

Also, verify that the SubCA certificate was added to the computer's Intermediate CA store.

9. As a temporary workaround, you can enable the required certificate by using the Exchange Management Shell command: Enable-ExchangeCertificate

However, this workaround won't resolve the error message, but it will let you assign the certificate to the Exchange services.

For further information, please review: Certificate Revocation and Status Checking

Useful SQL System Stored Procedures

Published at Sep 16 2011, 12:08 AM by yuval14

1. Finding the SQL Server version:

SELECT @@VERSION;

or

EXEC master..sp_MSgetversion;

2. Finding the SQL database names and sizes:

USE master;

EXEC sp_helpdb;

3. Finding the physical location of the SQL databases and logs:

SELECT name, physical_name AS current_file_location
FROM sys.master_files;

4. Finding the list of tables and views in a SQL database:

USE master;

EXEC sp_tables;

5. Finding which users are currently logged on to the SQL server:

EXEC sp_who;

6. Switching to advanced configuration mode (RECONFIGURE applies the change):

USE master;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

7. Reviewing the advanced configuration options:

EXEC sp_configure;

8. Finding SQL locks:

EXEC sp_lock;

How to troubleshoot slow logon or slow startup

Published at Sep 14 2011, 09:44 PM by yuval14

Mr. Ingolfur Arnar Stangeland (Microsoft) wrote a few excellent posts on the recommended strategy for resolving slow logon or slow startup.

Because most IT staff need to handle this issue from time to time, I have attached links to the official posts:

Troubleshooting the intermittent slow logon or slow startup

Time travel and factors that increase client startup or login time

How to Publish Root Certificate and Intermediate Root Certificate in Active Directory

Published at Sep 14 2011, 12:10 AM by yuval14

To Publish Root Certificate and Intermediate Root Certificate in Active Directory, please use the following commands:

Root certificate: certutil -dspublish -f RootCACertificate.crt RootCA


Intermediate certificate: certutil -dspublish -f SubCACertificate.crt SubCA

 

To publish the certificate/s to NTAuth store, please review the following knowledgebase: 

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

 

Note: The NTAuth store points to: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com

How to add Root Certificate and Intermediate Certificate to a Windows Operating System

Published at Sep 13 2011, 11:46 PM by yuval14

If you are using a PKI (Public Key Infrastructure), you may find that the Root Certificate and Intermediate Certificate need to be installed manually on workgroup computers.

Also, if you don’t use Active Directory (e.g. GPO etc.) to publish the Root Certificate and Intermediate Certificate details, you may need to add these certificates manually.

To accomplish this task, please use the following commands:

 

Installing the Root Certificate: certutil -addstore -f Root MyRootCACertificate.crt

Installing the Intermediate Certificate: certutil -addstore -f CA MySubCACertificate.crt

 

You can use the following commands to review the result of the previous commands:

certutil -v -store my > LocalCertStore.txt

or

certutil -verifystore root / certutil -verifystore CA
