Saturday, 31 December 2011

Exchange 2010 EMC and Certificates Management


Microsoft has moved to secure messaging and secure service access since Exchange Server 2007. The one troublesome task left to administrators was managing the certificates, and folks who prefer a GUI found it a little hectic. Good news for those who don't want to put in too much effort and would like a graphical interface that can manage certificates for Exchange!
Unlike Exchange 2007, Exchange 2010 Beta offers extended functionality for creating, removing and managing certificates from the GUI.
To create a new certificate, go through the following steps:

1. Select Server Configuration in the left-hand pane of the EMC and open the Exchange Certificates tab.

2. Right-click in the free space of the Exchange Certificates tab and select New Exchange Certificate.

3. Selecting New Exchange Certificate from the context menu brings up the introduction screen.
Here you are prompted to enter a friendly name for the certificate. It appears in the EMC as the primary reference for managing the certificate, which matters when you have multiple certificates for multiple websites.

4. Once you have specified a friendly name and clicked Next, the New Exchange Certificate screen gathers the actual required information: here you choose which services this certificate will be used for. These are IIS-based web services, including Autodiscover, OWA and EAS, and other services such as POP/IMAP, Outlook Anywhere and UM.
On this screen you can enter the URLs of the service locations for OWA, EAS, Federated Services, SMTP transport, etc. These URLs go into the certificate request and end up as the SAN entries of the certificate.

5. Here the wizard collects the organization-related information such as company name, department and location. At this stage the wizard has almost all the information it needs. Note that the path next to the Browse button is where the certificate request file will be written.

6. The next screen summarizes the information you entered.

7. The final screen of the wizard displays the PowerShell command it will run to generate the certificate request. Once you hit Finish, the wizard completes the certificate request.

8. One point to note: the wizard does not create an actual certificate. It only generates the request and keeps it accessible via the EMC, so when you are done with the wizard you have to submit this request manually to the online CA in your Exchange/AD environment.
Limitations of the New Exchange Certificate Wizard:
  1. The New Exchange Certificate Wizard does not send the request to the online CA directly; you have to complete the pending request manually.
  2. Expired certificates cannot be renewed with the Exchange Certificate Wizard. You still have to use the EMS for renewals.
  3. Certificates created with the New Exchange Certificate Wizard are not assigned to IIS automatically, even though you specify that the certificate will be used for Exchange Web Services and the other IIS-integrated Exchange services. (See How to renew a self signed certificate in Exchange Server 2007 for renewing certificates.)
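The cmdlet the wizard's final screen shows can be run directly in the Exchange Management Shell. The following is an added example, not the wizard's output or the post's own code; the host names, organization details and output path are placeholders you would replace with your own.

```powershell
# Added example: build the New-ExchangeCertificate request that the wizard runs,
# from a list of service host names. All names and paths below are placeholders.

$Names = @(
    'mail.example.com',          # OWA / EAS / EWS / Outlook Anywhere (placeholder)
    'autodiscover.example.com',  # Autodiscover (placeholder)
    'cas01.example.local'        # internal FQDN of the CAS server (placeholder)
)

# The first name becomes the subject (CN); every name goes into the SAN extension,
# so a client connecting with any of them receives a matching certificate.
$Subject = "CN=$($Names[0]), O=Example Ltd, OU=IT, L=City, S=State, C=US"

$Request = New-ExchangeCertificate `
    -GenerateRequest `
    -FriendlyName 'Exchange 2010 CAS (example)' `
    -SubjectName $Subject `
    -DomainName $Names `
    -PrivateKeyExportable $true `
    -KeySize 2048

# With -GenerateRequest the cmdlet returns the Base64 CSR as text. Write it to the
# .req file you will paste into the CA's web enrollment page (placeholder path).
Set-Content -Path 'C:\CertRequests\exchange2010.req' -Value $Request -Encoding Ascii

# The request now appears in the EMC (and here) with Status 'PendingRequest'.
# Leave it in place until the issued certificate has been imported: the pending
# request holds the private key that the issued certificate must be matched to.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```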
This is the second part of the blog entry Exchange 2010 EMC and Certificate Management. In the previous post I wrote about creating a certificate request and the limitations of the new certificate request wizard. In this part we will look at obtaining a new certificate and installing it on the server.
To install a new certificate on your Exchange Server 2010 server you first need to obtain one from a CA within your organization or from a third-party CA. As stated in the last post, the New Exchange Certificate wizard generates the request as a .req file.
1. To obtain a certificate from a third-party CA or your internal CA, first copy the contents of the .req file and paste them into the web console of your certification authority. For my internal Enterprise CA it looked like the screenshot below. Note carefully that the Certificate Template used for this request is Web Server.
2. Once you have pasted the contents of the .req file and chosen the correct template, your browser shows another page to download the certificate. This interface varies with the configuration of your CA, and you may need to wait until the certificate is approved and issued by the CA administrator if it is configured that way. Download the certificate in DER-encoded or Base64-encoded format and save it somewhere on your desktop or server. You also need to download the whole certificate chain if the issuing CA is not already trusted by your server.
3. Now that you have downloaded the certificate to the server, you need to complete the pending certificate request in the EMC. Right-click the pending request in the EMC and select Complete Pending Request.
4. A wizard pops up asking for the location of the newly downloaded certificate. Click Browse, select the new .cer file and click Complete.
5. You may recall that in Exchange 2007 an imported certificate had to be enabled before Exchange services could actually use it. E14 is no exception, but this time you don't need Enable-ExchangeCertificate; you can do it easily from the GUI. Now that the new certificate is imported correctly, you need to assign it to the services that will use it.
Locate the newly imported certificate in the EMC, right-click it and select Assign Services to Certificate… from the context menu.
One quick difference you may notice compared with step 3 is the certificate status: it changes from Pending to Valid, and the icon in front of the certificate gets a blue check mark.
6. Assign Services to Certificate… lists the services that can be assigned to this certificate. Select the services you want to use with it and click Assign. In my case the UM role was not installed on the server, so the Unified Messaging check box is grayed out.
7. If you selected Simple Mail Transport Protocol in step 6, a pop-up asks for your consent to assign this certificate to the SMTP service, because the default certificate will be replaced. Click Yes and the default self-signed certificate that was created and assigned to SMTP during server install is replaced with the new one.
Click Finish in the wizard and you are done.
In some cases you may end up with a warning that this certificate will not be used for TLS connections, something like the screenshot below.
Here you really need to understand the configuration you chose when creating the request. If you want to use this certificate for a connector that provides TLS connections, you have to say so during the New Exchange Certificate wizard.

A few things to note:
  • Make sure you chose the option to use the new certificate for TLS connections when generating the request.
  • If you use your internal CA, the root CA and the entire certificate chain must be installed on your Exchange Server as well as on the clients; otherwise Outlook, Outlook Anywhere and other web-based services may be affected.
  • Back up the certificate as soon as it is enabled on the server. I will write about this in Part 3 of this series.
  • I recommend backing up and removing any old certificate from the server as soon as the new certificate is active and fully functional.

How to renew a self signed certificate in Exchange Server 2007


When a new Exchange Server 2007 role is installed on a computer, the server automatically generates a self-signed certificate for services such as transport (SMTP), POP, IIS (OWA and Exchange Web Services) and IMAP. This certificate expires exactly one year after the server was installed or the certificate was reassigned manually. To check the status of the certificate, use the Exchange Management Shell: running Get-ExchangeCertificate | FL displays all relevant information about every certificate assigned to or enabled for Exchange services, whether in use or not.
You may see more than one certificate listed on your exchange server(s) and that may be simply because you or someone else from your team have already tried working with certificates on the server.
If you look at the picture above, you will notice that the certificate I have on my server is valid until 24 March 2010. NotAfter holds the value in mm/dd/yyyy h:mm:ss format and means this certificate will not be valid after the time stamp listed in this field. Conversely, NotBefore means the certificate will not be valid before the time stamp listed there.
So once you cross the date in NotAfter the certificate becomes invalid, which may open the door to many other troubles, such as connectivity to web services, SMTP transport, POP and IMAP retrieval, etc. To renew the certificate you can simply run a cmdlet and get a new self-signed certificate. But it is not quite as simple as running one cmdlet; there is a procedure to follow. Check the following steps:
1. Run Get-ExchangeCertificate | FL. This lists the details of all certificates you have assigned to Exchange services. Note that this cmdlet does not retrieve information about other certificates in the local certificate store that are not used by Exchange. Once the output is on the screen, note down the Thumbprint of the certificate in Notepad.
2. Run Get-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63" | New-ExchangeCertificate. This renews the certificate. The moment you press Enter you may be prompted to confirm whether you want to use the same certificate for the SMTP service.
3. Check that the certificate has been renewed. You can see this from the changed thumbprint of the certificate after running the cmdlet in step 2, as in the picture below.
4. Looking closely at the picture you will also notice that, although the NotAfter and NotBefore dates have changed, the certificate is no longer used to secure the IIS-based services. To enable the renewed certificate for IIS as well, run Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS
5. Verify that all services are working correctly after renewing and enabling the certificate.
6. Remove the old certificate by running Remove-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63"
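The six steps above can be carried out as one script that also checks the result before the old certificate is removed. This is an added example, not the post's own script; it assumes it runs in the Exchange Management Shell, defaults to a dry run, and only acts with -Apply.

```powershell
# Added example: renew every self-signed Exchange certificate expiring within $Days,
# re-enable the clone for the services the old one served, verify it, and only then
# remove the old one. Without -Apply it only reports what it would do.
param(
    [int]$Days = 30,
    [switch]$Apply
)

$Cutoff = (Get-Date).AddDays($Days)

# Step 1: only self-signed certificates that Exchange actually uses (Services != None).
$Expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $Cutoff -and $_.Services -ne 'None' }

foreach ($Old in $Expiring) {
    Write-Host ("{0}  expires {1:yyyy-MM-dd}  services: {2}" -f $Old.Thumbprint, $Old.NotAfter, $Old.Services)
    if (-not $Apply) { continue }

    # Step 2: piping the old certificate into New-ExchangeCertificate clones its subject
    # and SAN names into a fresh self-signed certificate. As the post notes, the cmdlet
    # may prompt before the new certificate takes over the SMTP service.
    $New = $Old | New-ExchangeCertificate

    # Step 3: a renewal yields a new thumbprint; the old certificate is untouched.
    if (-not $New -or $New.Thumbprint -eq $Old.Thumbprint) {
        throw "Renewal of $($Old.Thumbprint) did not produce a new certificate"
    }

    # Step 4: the clone is not bound to IIS automatically, so re-enable it for exactly
    # the services the old certificate had.
    Enable-ExchangeCertificate -Thumbprint $New.Thumbprint -Services $Old.Services

    # Step 5: verify before touching the old certificate. If anything is off, the old
    # one stays in place so no service is left without a certificate.
    $Check = Get-ExchangeCertificate -Thumbprint $New.Thumbprint
    if ($Check.Status -ne 'Valid' -or $Check.NotAfter -le (Get-Date) -or -not $Check.HasPrivateKey) {
        throw "New certificate $($New.Thumbprint) failed verification (status $($Check.Status)); old one kept"
    }

    # Step 6: remove the old certificate now that it serves nothing.
    Remove-ExchangeCertificate -Thumbprint $Old.Thumbprint -Confirm:$false
    Write-Host "Replaced $($Old.Thumbprint) with $($New.Thumbprint)"
}
```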

Friday, 30 December 2011

GMAIL - sending e-mails delayed (at a defined time)

Yes it does! It has been possible for a long time, though not through a function built directly into Google Mail, but via the browser extension "Boomerang", which so far exists for Firefox 3.6+ and Google Chrome 5.0+ (as well as for MS Outlook and in a mobile version).

Further information at
Link: www.boomeranggmail.com

Group Policy with WMI Filtering


Hello everyone,
Sometimes Group Policies need to be applied only when certain conditions are met, for example a specific piece of software is installed, a specific operating system, a specific computer model, etc.
This can be achieved with WMI filtering in Group Policy. In my example the Group Policy should only be applied when the computer name starts with VISTA*.
First we create a WMI filter.
The WMI filter has the following condition:
SELECT * FROM Win32_ComputerSystem WHERE Name like 'VISTA%'
Now we create a new GPO and apply the WMI filter we just created.
For easy testing I use Group Policy Preferences to create a link on the desktop.
In detail it looks like this:
Create a hyperlink with the URL www.blick.ch and the name blick.ch on the desktop.
Now the GPO still has to be linked to the correct OU.
Now on to testing... On a VM I run gpupdate; since the computer name does not start with VISTA, the GPO does not apply.
On the computer that matches the WMI filter, however, the link is created.
Further information
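Before linking the GPO you can evaluate the filter query on a target computer the same way the Group Policy client does: the filter applies when the WQL query returns at least one object. The function below is an added example, not part of the post; the first query is the post's own, the other two are constructed.

```powershell
# Added example: run WMI filter queries locally and report whether each would let a
# GPO apply on this computer (a filter passes when the query returns >= 1 object).
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory=$true)][string[]]$Query,
        [string]$Namespace = 'root\CIMV2'     # the namespace GPO WMI filters use by default
    )
    foreach ($Q in $Query) {
        $Result = New-Object PSObject -Property @{ Query = $Q; Matches = 0; Applies = $false; Error = '' }
        try {
            $Hits = @(Get-WmiObject -Namespace $Namespace -Query $Q -ErrorAction Stop)
            $Result.Matches = $Hits.Count
            $Result.Applies = ($Hits.Count -gt 0)
        } catch {
            # A query that fails to run is reported on its own line so a typo in the
            # filter is not mistaken for "this computer simply does not match".
            $Result.Error = $_.Exception.Message
        }
        $Result
    }
}

Test-WmiFilterQuery -Query @(
    "SELECT * FROM Win32_ComputerSystem WHERE Name like 'VISTA%'",     # the post's filter
    "SELECT * FROM Win32_OperatingSystem WHERE Version like '6.%'",     # constructed: Vista / 7 / 2008
    "SELECT * FROM Win32_ComputerSystem WHERE Model like '%VMware%'"    # constructed: VMware guests
) | Format-Table Query, Matches, Applies, Error -AutoSize
```

After gpupdate, gpresult /r /scope computer lists a GPO that the filter rejected under "filtering: Denied (WMI Filter)", which confirms the result from the other side.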

Where iOS Apps Are Stored Locally in Mac OS X and Windows


iOS apps are downloaded as bundles with a .ipa file extension, but they are stored in a different place than your default iOS backups. If you want to access iPhone and iPad apps manually, here is where to find them for Mac OS X Lion, Snow Leopard and Windows 7:
The easiest way to reach these directories on a Mac is Command+Shift+G (Go To Folder); note the path differs depending on the OS:
  • Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
  • Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
  • Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications\
As long as you downloaded and bought the apps with the same Apple ID and all hardware has been authorized in iTunes, you can move the .ipa bundles from one machine to another, place them in the appropriate folder, and they will continue to sync with the approved iOS hardware. (Don't do this with a new Mac until you have authorized it in iTunes.)
Most IPA files are pretty small, but if an app's file size seems too small, it is probably because the download from iTunes was paused part way through. That doesn't mean you don't own the app; it just means you have to download it again if you want to use and sync it. Generally the app sizes are reasonable enough that you won't need to move this directory to another drive, but for unusual scenarios, use the same approach as moving iOS backups to another drive and use symbolic links to keep everything working as intended.

How To Renew Exchange Server 2010 Certificates


I am sure a lot of you have found these posts helpful. None of them, however, covered certificates issued by public CAs. I thought it would be even more helpful to put up a separate post on the certificate renewal process in Exchange 2010, which also covers a few steps for Exchange 2007 certificate renewals.
If you have read the Exchange 2010 EMC and Certificate Management posts, you know how preparing, requesting and assigning a new certificate to your Exchange 2010 CAS and HT servers works, but those posts do not cover renewing the certificates once they are assigned and about to expire :-O
A little bit of background that you may or may not know:
Whenever you work with certificates on a server running an Exchange role, you are dealing with the local computer certificate store of that OS, which is easily reached via Start -> Run -> MMC -> Add/Remove Snap-in -> Certificates -> Local Computer. Take a look at the local computer's Personal certificate store and you won't be surprised to find these certificates there. The only reason I bring this up is that you may need to go through this store if you run into the problem described in the earlier post Missing Private Key on Exchange Certificate.
So let’s have a look at what is it and how to do it!
GUI:
Just like the two posts linked above on managing Exchange certificates from the GUI, you need to locate the certificate to renew in the EMC. Right-click the certificate and select Renew.
In the wizard that appears, provide the path where the .req file will be saved. Once you have completed the wizard, this .req file can be supplied to any certification authority that supports your request. I say 'any CA that supports your request' because some CAs do not support the SAN extensions in the request.
Once you supply the contents of the generated file, your CA will provide a certificate that can be imported here. To import a certificate using the GUI, follow the steps in Exchange 2010 EMC and Certificates Management Part 2.
Powershell:
We have a lot of PowerShell lovers by now, and they feel PowerShell is sometimes much easier than the GUI. For all of those:
Find the certificate you need to renew using Get-ExchangeCertificate.
Copy the certificate thumbprint and run the following command to generate the CSR:
Get-ExchangeCertificate -Thumbprint <Thumbprint> | Renew-ExchangeCertificate -GenerateRequest:$True -PrivateKeyExportable:$True
The above command displays the CSR that you need to supply to the CA. Copy the CSR and paste it into the CA interface.
Once you have downloaded the certificate issued by the CA, use the command below to import it. Make sure you have not removed the certificate request generated by the previous operation in the EMC or PowerShell; otherwise you end up in a situation where you cannot import the certificate.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.cer -Encoding Byte -ReadCount 0))
If you received your certificate in .pfx format, use
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Users\Milind\Documents\Certificate.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password
The final stage is to enable it for the services:
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,IMAP,POP
The same procedure applies to Hub Transport Server role certificate renewal, but not to the Edge Transport Server role. To manage certificates on an Edge Transport Server you must be logged on to the server and use PowerShell.
After you have renewed the certificate on an Edge Transport server, you need to resubscribe it to the site, since the subscription contains the certificate information too. Read more about Edge Transport here.
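The import and enable commands above, and the complete-and-assign steps of Part 2, do not check the two things that most often go wrong: the pending request being gone (so the imported certificate has no private key) and the chain not validating. The script below is an added example, not the post's commands; paths, thumbprint and services are placeholders, and it assumes the Exchange Management Shell.

```powershell
# Added example: complete a CA-issued renewal with the checks the bare commands skip.
# All parameter values are placeholders supplied by the caller.
param(
    [Parameter(Mandatory=$true)][string]$CerPath,        # certificate downloaded from the CA
    [Parameter(Mandatory=$true)][string]$OldThumbprint,  # certificate being renewed
    [string]$Services = 'IIS,IMAP,POP',                  # services to move to the new certificate
    [string]$BackupPfx                                   # optional .pfx backup path
)

# 1. The pending request created by Renew-ExchangeCertificate must still exist: it holds
#    the private key. If it was removed, the import may succeed but HasPrivateKey is False.
$Pending = @(Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' })
if ($Pending.Count -eq 0) { throw "No pending request found; generate the CSR again before importing" }

# 2. Import the issued certificate (same Get-Content -Encoding Byte form as the post).
$Imported = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
$New = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

# 3. Refuse to go further if the key is missing, the chain does not validate, or the
#    CA issued something that does not actually outlive the certificate being renewed.
if (-not $New.HasPrivateKey) { throw "Imported certificate has no private key (see the Missing Private Key post)" }
if ($New.Status -ne 'Valid') { throw "Certificate status is $($New.Status): install the CA chain first" }
$Old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if ($New.NotAfter -le $Old.NotAfter) { throw "Issued certificate does not expire later than the one being renewed" }

# 4. Optional backup including the private key, taken before the certificate serves anything.
if ($BackupPfx) {
    $PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    $Export = Export-ExchangeCertificate -Thumbprint $New.Thumbprint -BinaryEncoded -Password $PfxPassword
    Set-Content -Path $BackupPfx -Value $Export.FileData -Encoding Byte
}

# 5. Move the services over. SMTP stays on the old certificate unless it is listed in -Services.
Enable-ExchangeCertificate -Thumbprint $New.Thumbprint -Services $Services
Get-ExchangeCertificate -Thumbprint $New.Thumbprint | Format-List Thumbprint, Status, Services, NotAfter, HasPrivateKey
```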

Enable RAID 1 on the Mac Mini Snow Leopard Server


Apple ships the Mac Mini Server with two 500 GB hard disks, but they are not preconfigured as a RAID, and there is no DVD drive. After a little research, however, I found out how the RAID can be configured afterwards from the command line without going through the whole installation process.

I recommend creating the RAID right before the final configuration of the preinstalled system, because otherwise the server takes considerably longer to mirror the disks.

On a remote Mac (on the same network as the server), start "Remote Install Mac OS X" under "Applications" -> "Utilities". With this program the included Snow Leopard Server installation DVD can be mounted on the Mac Mini over the network.

On the Mac Mini you now have to hold the "Alt" key while starting up, and after a few seconds the server installation disk should appear for selection. It is then booted over the network.

The boot process can take a few minutes; afterwards a Terminal window can be opened. The following command lists all disks and volumes:

diskutil list

Our volume "Server HD" is listed here with the identifier "disk0s2" and the volume "Macintosh HD2" as "disk1s2". Since these values can vary and are not the same on every system, I recommend noting down the identifiers.

Now we convert our "Server HD" into a RAID 1 mirror:

diskutil appleRAID enable mirror disk0s2

With the command "diskutil list" you can now see the change:

At the end of the output a new "Server HD" "disk9" now appears.
Now we add the (previously noted) second volume to the RAID 1 set (disk9):

diskutil appleRAID add member disk1s2 disk9

Both hard disks are now in the RAID 1 set and the system begins replicating the data. The process can take some time. The rebuild status can be checked with the following command:

diskutil checkRAID

Caution: do not reboot the server under any circumstances before the rebuild process is complete.

Monday, 19 December 2011

Gmail IMAP – Solving the [Gmail] separation

When you are using a Gmail account over IMAP in Outlook, you’ll also automatically get an [Gmail] or [Google Mail] folder containing all the “system folders” of Gmail itself.
To break yourself out of this additional subfolder and have all these folders listed directly under your mailbox in Outlook, you can set a root folder for your Gmail IMAP account. However, this has an effect on any Labels that you might use in Gmail. Luckily, there is a workaround for this as well.


Setting a root folder for your Gmail account

To make the change, you’ll have to go to the “Advanced Settings” tab of your account configuration;
  1. Open your Account Settings dialog;
    • Outlook 2003
      Tools-> E-mail Accounts…-> option: View or change existing e-mail accounts-> button Next
    • Outlook 2007
      Tools-> Account Settings…-> tab E-mail
    • Outlook 2010
      File-> section Info-> button Account Settings-> Account Settings…-> tab E-mail
  2. Double click on your Gmail IMAP account to open the account settings.
  3. Click on the More Settings… button.
  4. Select the Advanced tab.
  5. At the bottom, set the "Root folder path" option to [Gmail].
    Setting the Root folder path in your IMAP account settings.
  6. After setting the option and confirming your way out of all the opened dialogs, you'll get a notification that your IMAP cache needs to be rebuilt.
  7. In some cases you'll need to set the Sent Items and Deleted Items folders for the Gmail IMAP account again.
Before / After: setting a root path for your Gmail account frees you from the [Gmail] folder structure.

Getting your Labels back in Outlook

Since you are now using [Gmail] as the mailbox root folder and Labels are created at a higher level, you won't be able to see your Gmail Label folders in Outlook.
A way around this is to prefix each of your Labels with [Gmail]/. So a label called My Label 1 should be renamed to [Gmail]/My Label 1 via the Gmail web interface.
Instead of prefixing your Labels, you can also create a Label called [Gmail] and configure My Label 1 as a nested Label of the [Gmail] Label.
Before (Gmail) / After (Outlook): prefixing your labels with [Gmail]/, or making them a nested label of the [Gmail] label in the web interface, makes them available in Outlook again.
Note: Any changes you make to the names and structure of your folders via the Gmail web interface won't be visible in Outlook until you restart Outlook.

Grouping your Labels together

As you are now working off the [Gmail] root folder in Outlook, you'll see all your Labels directly under your main mailbox. This might end up being a long list and make the Gmail "system folders" harder to recognize (now you know why they grouped them under a [Gmail] folder ;-) ).
To solve this, create another Label under the [Gmail] Label in the web interface and call it, for instance, "Labels". Now you can make all your own Labels a nested Label of the Labels folder.
As an alternative, you can also prefix your Labels with [Gmail]/Labels/, since the / character is used as a separator to indicate a subfolder.
Before (Gmail) / After (Outlook): prefixing your labels with [Gmail]/Labels/, or nesting them under Labels in the web interface, groups them together in Outlook.

Creating subfolders in Outlook and Labels in Gmail

Gmail itself doesn't really use or understand the concept of subfolders; everything is a Label. If you create a subfolder under the Inbox folder, you are actually creating the Label INBOX/My subfolder in the web interface of Gmail.
Once the mailbox is rooted at the [Gmail] folder, and since the Inbox folder lives outside it, it is unfortunately no longer possible to create or access subfolders directly under the Inbox folder as you could when it wasn't rooted. Trying to create a subfolder of the Inbox folder then results in the following error:
Cannot create the folder. Cannot create or navigate to the folder. You cannot create or navigate to subfolders of your Inbox when you have a non-empty Root Folder Path.
Setting a [Gmail] root folder prevents you from creating subfolders under the Inbox folder in Outlook.
To work around this, create a new label via the Gmail web interface called
[Gmail]/Inbox/My subfolder
Unlike INBOX/name subfolders, folders prefixed with [GMAIL]/Inbox/ show up in Outlook as subfolders of the Inbox folder even when the mailbox is rooted at [Gmail].
Before (Gmail) / After (Outlook): prefixing your labels with [Gmail]/Inbox/, or nesting them under the Inbox label in the web interface, lets you create subfolders under the Inbox folder.
Note:
This is only required for a folder which should be a direct subfolder of the Inbox folder. Any further subfolders below it can be created directly in Outlook without errors.

However, in the web interface of Gmail, this folder will be created with the name “INBOX” instead of “Inbox” which could separate the folders again in Outlook after a restart. In that case, you’ll have to rename the “INBOX” part of the label to “Inbox” in the Gmail web interface and restart Outlook.

Final thoughts

How useful is this change? Well, if you are also often using the web interface of Gmail and are a heavy user of Labels, I’d say it is not very useful at all. After all, instead of having the [Gmail] folder structure in Outlook, you’d then have it in the web interface. Combine that with the amount of work it is to set it up and the 40 character limit of Labels (including the characters of parent folders!), it’s probably not worth the trouble.
However, if you mainly use Outlook (or any another mail client for that matter), sort your mail into subfolders and don’t really care about the Gmail web interface and its Labels, setting a root folder would make sense. The result would be a flatter and more consistent folder structure in Outlook.

Friday, 16 December 2011

Disabling the Mobility Center

Anyone who wants to switch off the Mobility Center completely must create the key MobilityCenter under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies.
Then create a DWORD named NoMobilityCenter and assign it the value.
To undo the whole thing, change the value to 0 or delete the entry again.

Enable SNMP on vmware 5.5 ESXi

Trying to start snmpd on VMware, I get the following error: Call "HostServiceSystem.Start" for object "serviceSyste...