How to Archive in Outlook 2010

Archiving is storing your email on your local hard drive. This keeps your mailbox within its size limits and keeps it organized.

There are two different types of archiving:

Manual Archiving: you do archiving manually for each specific folder.

Auto Archiving: Outlook automatically archives specific folders based on the time interval specified.

This article will show you how to archive manually in Microsoft Outlook 2010.

1) Click the File tab, then click ‘Cleanup Tools’

Image: Cleanup Tools in Outlook 2010. Click File, then Cleanup Tools.

2) Click Archive

Image: Archive under the Cleanup Tools drop-down menu.

3) Click the Archive this folder and all subfolders option, and then click the folder that you want to archive. Any subfolder of the folder you select is included in this manual archive.

Image: Archive settings pane. Check 'Archive this folder and all subfolders', then select the folder you would like to archive.

4) Under Archive items older than, enter a date.

5) If you do not want to use the default file or location, under Archive file, click Browse to specify a new file or location. Browse to find the file that you want, or enter the file name, then click OK. The destination file location appears in the Archive file box.

6) Select the Include items with ‘Do not Auto Archive’ checked check box to include any items that might be individually marked to be excluded from automatic archiving. This option does not remove that exclusion from these items, but instead ignores the Do not Auto Archive check box for this archive only. Should you want to archive manually only, follow the Turn off Auto Archive instructions below.

How to turn off Auto Archive:

If you want to archive manually only, you must turn off Auto Archive. Do the following:

1) Click the File tab, then click Options

Image: Outlook 2010 Options. Click File, then Options.

2) On the Advanced tab, under Auto Archive, click Auto Archive Settings.

Image: Outlook 2010 advanced options. Under Auto Archive, click Auto Archive Settings.

3) Clear the Run Auto Archive every n days check box, then click OK. Auto Archive is now disabled; you will need to archive manually to back up any of your e-mail after performing this step.

Image: Auto Archive settings pane. Clear the Run Auto Archive every n days check box.

How to Archive Email Messages in Outlook 2013

To begin archiving your email, click the “File” tab on the ribbon.

On the Account Information screen, click the “Cleanup Tool” button next to “Mailbox Cleanup.”

Select “Archive…” from the drop-down menu.

The Archive dialog box displays. Select “Archive this folder and all subfolders” and select a folder to archive. If you want to archive all your email, select the node with your email address at the top.

Click the “Archive items older than” drop-down list to select the latest date for items to be archived. A calendar pops up. Select a date in the current month by clicking on the date or scroll to a different month to select a date. All items older than the selected date will be archived.

Click the “Browse” button if you want to change the location where the archive file will be saved and the name of the archive file. Click OK when you have made your selections.

The archived .pst file is saved to the chosen location.

Notice that the email messages you chose to archive are no longer available in the main .pst file. The archived .pst file should become available automatically in Outlook. However, if it doesn’t, click the “File” tab.

In the blue panel on the left side of the “Account Information” screen, click on “Open & Export.”

On the “Open” screen, click “Open Outlook Data File.”

The “Open Outlook Data File” dialog box opens. Navigate to the location where you saved the archived .pst file, select it, and click OK.

In the left pane of the main Outlook Mail window, a section called “Archives” displays and the emails you archived are available.

Archiving email can help you keep your emails organized, making it easier to find older emails and to keep your inbox and folders uncluttered.

AD FS High Availability

Prepare the Server for AD FS

We are going to jump between a few of my other posts, to prepare the server. Sorry, but I am too lazy to re-write the content.

  1. Domain join the new AD FS server
  2. Use Prepare the Local AD FS Server and complete the following sections:
    1. Install AD FS Server Role
    2. Install Sign-in Assistant
    3. Install the Windows Azure Active Directory Module for Windows PowerShell
  3. Follow the instructions and import and assign the certificate on the new AD FS server

This will get us to the point where we can add the AD FS server to the existing AD FS farm.

Method 1 – Adding a Server to an AD FS farm with the AD FS Configuration Wizard

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Open Server Manager
  3. Click Tools
  4. Click AD FS Management
  5. Click AD FS Federation Server Configuration Wizard
  6. Walk through the wizard, and the second server is added.

Method 2 – Adding a Server to an AD FS Farm from the Command Prompt

  1. Login to the server that you just prepared for AD FS, with an administrative account
  2. Get the thumbprint of the certificate that you imported on the AD FS server; it is shown on the certificate itself.
  3. Open a Command Window as an Administrator
  4. Change the directory to the path where AD FS 2.0 was installed.
    1. Windows Server 2008: C:\Program Files\Active Directory Federation Services 2.0
    2. Windows Server 2012: C:\Windows\ADFS
  5. Add the server with FsConfig.exe, replacing the placeholders with your primary AD FS server, service account, password and certificate thumbprint:

    FsConfig.exe JoinFarm /PrimaryComputerName <PRIMARY AD FS SERVER> /ServiceAccount <DOMAIN\SERVICE ACCOUNT> /ServiceAccountPassword <PASSWORD> /CertThumbprint "ff eb 43 bb 8b f9 34 56 4b 45 ec 6f 53 bb 99 7f bf 48 7e"

Now we have the second AD FS server added to the AD FS farm.
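The following is an added example, not code from the original post: it looks up the thumbprint of the imported certificate in the local machine store and runs the same FsConfig.exe JoinFarm command as step 5, so the thumbprint is never retyped by hand. The farm name sts.office365supportlab.com is taken from the NLB section of the post; FS01 as the primary server and the account name OFFICE365SUPPORTLAB\svc_adfs are assumptions to replace with your own.

```powershell
# Added example (not from the original post): locate the farm certificate by subject and
# join this server to the farm with FsConfig.exe. Adjust the three values below.
$FarmName       = 'sts.office365supportlab.com'
$PrimaryServer  = 'FS01.office365supportlab.com'
$ServiceAccount = 'OFFICE365SUPPORTLAB\svc_adfs'   # assumed account name

# Newest unexpired certificate with a private key whose subject is the farm name or a
# wildcard for its domain. Subject match only; SAN-only certificates are not handled here.
$domain = $FarmName.Substring($FarmName.IndexOf('.') + 1)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -like "CN=$FarmName,*" -or $_.Subject -eq "CN=$FarmName" -or
         $_.Subject -like "CN=*.$domain*")
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $FarmName in Cert:\LocalMachine\My" }

# The store exposes a 40-hex-character thumbprint; the post passes it as space-separated
# byte pairs, so reproduce that format.
$thumbprint = ($cert.Thumbprint -split '(..)' | Where-Object { $_ }) -join ' '
Write-Host "Using certificate $($cert.Subject) with thumbprint $thumbprint"

# Prompt for the password instead of hard-coding it in the script. FsConfig.exe still
# receives it as a plain command-line argument, exactly as in the post's own command.
$secure = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# AD FS 2.0 is installed in different folders on 2008 and 2012 (step 4 above).
$fsconfig = @('C:\Windows\ADFS\FsConfig.exe',
              'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe') |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $fsconfig) { throw 'FsConfig.exe not found; is the AD FS role installed?' }

& $fsconfig JoinFarm `
    /PrimaryComputerName $PrimaryServer `
    /ServiceAccount $ServiceAccount `
    /ServiceAccountPassword $plain `
    /CertThumbprint $thumbprint
```

Because the password ends up on the FsConfig.exe command line either way, run this from an interactive elevated prompt on the server itself rather than saving it with a password filled in.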


Network Load Balance the AD FS Servers in the Farm

Now that we have two servers in the AD FS Farm, we still have to load balance them. In an Enterprise production environment, I always recommend that you use a hardware based load balancing solution. In non-production and small to medium organizations you can use Windows Network Load Balancing. Regardless of the load balancing solution, you need to make sure that you are load balancing TCP 443 to the AD FS Farm name.

NLB Cluster Name – sts.office365supportlab.com

Nodes –

FS01.office365supportlab.com

FS02.office365supportlab.com

If you need help configuring Windows NLB, please use Configuring Windows NLB for AD FS 2.0.

DNS Configuration

Since we are now using network load balancing, we need to make sure that the A record for sts.office365supportlab.com is updated with the IP address that you assigned as the VIP of the NLB cluster.

Type  Name                           IP
A     sts.office365supportlab.com    10.0.0.20
A     fs01.office365supportlab.com   10.0.0.14
A     fs02.office365supportlab.com   10.0.0.17
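The check below is an added example and not part of the original post. It verifies the two prerequisites just described: that the farm name and each node resolve to the addresses in the table, and that TCP 443 on the VIP and on every node answers a TLS handshake with a certificate valid for the farm name (each node must present the farm certificate, not one for its own host name, or clients will fail when the load balancer sends them to that node). The names and addresses are the lab's own values from the table; it uses only .NET classes and needs PowerShell 3.0 or later.

```powershell
# Added example (not part of the original post): DNS and TLS check for the NLB farm.
$FarmName    = 'sts.office365supportlab.com'
$ExpectedVip = '10.0.0.20'
$Nodes = @{
    'fs01.office365supportlab.com' = '10.0.0.14'
    'fs02.office365supportlab.com' = '10.0.0.17'
}

function Test-ARecord {
    # Resolves $Name and reports whether $ExpectedIp is among the answers.
    param([string]$Name, [string]$ExpectedIp)
    try   { $resolved = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { $resolved = @() }
    [pscustomobject]@{ Name = $Name; Expected = $ExpectedIp
                       Resolved = ($resolved -join ', '); Ok = [bool]($resolved -contains $ExpectedIp) }
}

function Get-CertificateNames {
    # Subject CN plus every DNS name in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names
}

function Test-FarmTls {
    # Connects to $Ip:443 using the farm name as the TLS host name and reports the certificate
    # the endpoint presents, whether its names cover the farm name (wildcards included) and
    # whether the chain is trusted by this machine.
    param([string]$Ip, [string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Ip, 443)
        # Accept any certificate in the callback; the checks are evaluated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = Get-CertificateNames $cert
        [pscustomobject]@{
            Target       = "${Ip}:443"
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            NameMatches  = [bool]($names | Where-Object { $HostName -like $_ })
            ChainTrusted = $cert.Verify()
        }
    } catch {
        [pscustomobject]@{ Target = "${Ip}:443"; Subject = $null; NotAfter = $null
                           NameMatches = $false; ChainTrusted = $false; Error = $_.Exception.Message }
    } finally { $client.Close() }
}

Test-ARecord -Name $FarmName -ExpectedIp $ExpectedVip
$Nodes.GetEnumerator() | ForEach-Object { Test-ARecord -Name $_.Key -ExpectedIp $_.Value }
@($ExpectedVip) + $Nodes.Values | ForEach-Object { Test-FarmTls -Ip $_ -HostName $FarmName }
```

A node that returns NameMatches = False is the one that will produce certificate warnings only some of the time, depending on which node NLB picks; fix its certificate binding before putting it in the cluster.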

Single Sign On with Office 365

Steps

1. Add your email domain name to the Office 365 portal

Start by signing in to your Office 365 portal account as an admin. Usually this is the assigned admin login in the format username@domainname.onmicrosoft.com. We are really just adding a UPN suffix to this existing domain name, so don’t overcomplicate it in your head. Find the Domains area and click Add Domain. Add your domain name (for this guide I will use domainname.com). Choose the domain registrar and add a registrant name. You will need to add a TXT record to your domain’s DNS to prove you own the domain; this does not have any effect on production services, so do it, wait about 15 minutes, then come back and have Office 365 verify that the record exists. Once this process is complete we can move on to the next steps. Hit Next and you will be given the choice to let the Office 365 portal log in to your registrar and configure the correct DNS records. DO NOT ALLOW THIS ON A PRODUCTION DOMAIN! Email will be redirected to the Office 365 Exchange service. If this is a new domain then by all means let the portal do the work, but I am usually working on production environments, so I need to do this manually.

2. Create a separate VM-ADFS server on your VM host

I like to host this service on its own dedicated server. You can co-locate these services on other servers, but it makes troubleshooting more complex when you cannot just reboot servers during the day. This also gives you the flexibility of moving this ADFS server into the perimeter if you have one. If you need help setting up a new Windows VM server and connecting it to your local AD domain, you can search Google, as there are numerous guides on the web to help you. Try not to co-locate this on your DC; although I have gotten it to work in a pinch, it is not “recommended”. I say whatever to that: if you need it, use whatever server you can get your hands on.

3. Install ADFS on the new server

Download ADFS plugin for 2008 or install the ADFS role in 2012

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en

On the server roles, when configuring the settings for ADFS, you need to choose Federation Server. The install should gather the required prerequisites and install them, which include: Windows PowerShell (2008), .NET 3.5.1 SP1, IIS and Windows Identity Foundation. Be sure these get installed correctly, otherwise you will have issues configuring the next steps. Once complete, choose the option to start ADFS Management (2008) or find ADFS in Administrative Tools on 2012.

4. GET A 3RD PARTY SSL CERT

I cannot stress this enough, if you had trouble in the past setting up ADFS most likely it was the SSL cert not being 3rd party. Don’t even attempt this if you cannot afford a simple 3rd party SSL. I usually use either the existing WildCard (*.domainname.com) or get a cheap one for (adfs.domainname.com).

5. Request or Assign SSL Cert

After you have gotten permission to get a new SSL cert, you need to request one or assign your existing wildcard cert to IIS on the new ADFS server. This is super easy to do. Open IIS on the ADFS server you created. Choose the server name in the upper left and then Server Certificates on the Home screen. Either create a new request to send to your 3rd party CA or import the PFX for your wildcard cert. Be sure the request bit length is 2048 or better; Office 365 will not work with lower SSL bit lengths.

6. Bind SSL To The Default Website

Now go to Default Website and, on the right, click Bindings. Add a binding with the following settings, then hit OK:

  • Type = HTTPS
  • IP Address = All Unassigned
  • Port = 443
  • Host Name = blank
  • SSL certificate = drop down and choose your new cert

7. Create an ADFS Login Service Account

Go to AD Users and Computers and create a new ADFS service account with Domain Admin and Enterprise Admin rights to AD. Don’t be silly and use an easy password; this server is exposed directly to the internet, so be smart.

8. Add adfs.domainname.com to DNS

You now need to add adfs.domainname.com to both internal and external DNS for resolution. Internal DNS should point to the LAN IP; external DNS should point to the public IP address assigned to port 443 on your firewall.

9. Configure ADFS

Once the SSL cert is installed and bound to the Default Website and all external and internal DNS is set up, we can move on to configuring ADFS. Go to Administrative Tools and choose ADFS Management. Once the management window opens, choose the ADFS Configuration Wizard link on the Home screen. Choose Create New Federation Service, then Next. Choose New Federation Server Farm, then Next. Under Federation Service Name, drop down and choose your SSL cert; in the service name box type adfs.domainname.com and hit Next. Specify the service account logon we created in the previous step, hit Next and let ADFS configure; remedy any errors that might show on the configuration report. Again, this is why I like to do this on a fresh box, so that the install goes clean and smooth.

10. Office 365 PowerShell Plugin

Install the Office 365 PowerShell plugin for your OS:

32-bit OS: http://g.microsoftonline.com/0BD00en-US/85
64-bit OS: http://g.microsoftonline.com/0BD00en-US/126

11. Install the Office 365 Sign-in Assistant (old; can be skipped, as it is now included with DirSync)

Download and install the correct Sign-in Assistant for your OS version:

32-bit: http://g.microsoftonline.com/0BX00en/500
64-bit: http://g.microsoftonline.com/0BX00en/501

12. Configure Trust With Office 365 to enable SSO

Open Programs and find the PowerShell icon for Microsoft Online Services Identity Federation. Right-click this icon and Run As Administrator. Type the following commands. For credentials, use the admin@domainname.onmicrosoft.com account created when you set up Office 365 the first time; change domainname.com in the Convert-MsolDomainToFederated command to your root email domain name.

    $cred = Get-Credential
    Connect-MsolService -Credential $cred
    Set-MsolAdfscontext -Computer adfs.domainname.com
    Convert-MsolDomainToFederated -DomainName domainname.com

If this works you should see: Successfully updated ‘domainname.com’ domain.

13. Enable Directory Sync

Now that AD FS is set up and configured, you can enable Directory Sync. Open your Office 365 portal and sign in as admin@domainname.onmicrosoft.com. Under Users, choose Set up next to Active Directory Synchronization. Steps one and two should already be complete. Choose Activate under step 3 and wait a second. Download the Directory Sync Tool from the same page and install the DirSync.exe tool: choose Next, accept the EULA, choose an install path, check the box to start the configuration wizard and hit Next. Enter your admin@domainname.onmicrosoft.com login, then enter your ADFS service account login. If you have an on-premises Exchange server and want hybrid connectivity with your Office 365 Exchange, choose the option Enable Rich Coexistence; otherwise leave it unchecked. Once complete, the initial sync should begin. I found a GUI (miisclient.exe) to administer DirSync, but it does not put an icon on the desktop. Copy a shortcut to the desktop so you can see all the sync results and specific user errors and initiate a new sync using the GUI:

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

14. SSO and UPN

In order to get SSO to work, you need to be sure you already have the email address UPN suffix on your local AD domain and that the users’ account login UPN suffix has been updated. Otherwise you will notice that the users that get synced to Office 365 get a username@domainname.onmicrosoft.com login.

Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties. On the UPN Suffixes tab, type the new UPN suffix (@domainname.com) that you would like to add to the forest. Click Add, and then click OK.

Update the users in your local AD that need SSO Office 365 accounts with the UPN suffix. Use the DirSync GUI to start a new sync and watch the progress; you can see any specific user errors here. One note: I had trouble with some users’ UPN suffix not updating to Office 365, and only after finding the specific errors in the DirSync GUI was I able to pin it down. The main rub is that if the users happened to already be on Office 365 from a previous attempt at ADFS, you need to ground the UPN suffix by updating the user login in your local AD to the other UPN suffix (domainname.local), sync the directory to Office 365 and wait for it to update the Office 365 login to username@domainname.onmicrosoft.com. Once it has grounded, you can change the UPN suffix back to user@domainname.com and start another DirSync.
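The two UPN tasks in this step, adding the suffix to the forest and rewriting user UPNs, are shown below as an added example with the ActiveDirectory module; this is not the author's script. It assumes RSAT is installed, that users keep the sAMAccountName@suffix form the post describes, and the OU path is a placeholder. The same function with the suffixes reversed is the "grounding" trick described above (switch to domainname.local, sync, then switch back).

```powershell
# Added example (not part of the original post): forest UPN suffix plus bulk UPN rewrite.
Import-Module ActiveDirectory

function Add-ForestUpnSuffix {
    # Adds $Suffix to the forest's UPN suffix list if it is not already there.
    param([Parameter(Mandatory)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    }
    (Get-ADForest).UPNSuffixes -contains $Suffix
}

function Set-UserUpnSuffix {
    # Rewrites user@<OldSuffix> to user@<NewSuffix> for every user under $SearchBase.
    # Supports -WhatIf so the change list can be reviewed before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$OldSuffix,
        [Parameter(Mandatory)][string]$NewSuffix
    )
    $users = @(Get-ADUser -SearchBase $SearchBase -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                          -Properties UserPrincipalName)
    foreach ($u in $users) {
        $newUpn = $u.UserPrincipalName -replace ("@" + [regex]::Escape($OldSuffix) + '$'), "@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "UPN $($u.UserPrincipalName) -> $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
    $users.Count   # number of accounts that matched the old suffix
}

# Usage: add the public suffix, preview the rewrite, then run it for real without -WhatIf.
Add-ForestUpnSuffix -Suffix 'domainname.com'
Set-UserUpnSuffix -SearchBase 'OU=Office365Users,DC=domainname,DC=local' `   # placeholder OU
                  -OldSuffix 'domainname.local' -NewSuffix 'domainname.com' -WhatIf
```

Run a DirSync after the rewrite and look for the per-user errors in the miisclient.exe GUI mentioned in step 13; accounts that were already provisioned under the onmicrosoft.com login are the ones that need the grounding round-trip.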

15. Add adfs.domainname.com to the Local Intranet Zone

Either manually add adfs.domainname.com to the Local Intranet Zone in IE or use GPO to push this out.

16. Test SSO

You should now be able to sign out and back on as any domain user assigned Office 365 licenses and get an SSO experience. Browse to https://portal.microsoftonline.com and key in a user email that has Office 365 licenses assigned and whose user name has been updated by DirSync; you should bypass the password screen and go directly into the Office 365 portal.

17. Add Scheduled Task To Update Metadata

Office 365 uses metadata tokens to work with ADFS, and those tokens expire from time to time. To automate the token update process, use a little PowerShell script to create a scheduled task that does it for you. Download the script here: http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc. Open PowerShell on the ADFS server as Administrator, CD to the path containing the .ps1 file, and run:

    Set-ExecutionPolicy Unrestricted
    .\O365-Fed-MetaData-Update-Task-Installation.ps1

Configure iSCSI connections with MPIO on Windows Server

I would like to install and test Multipath I/O (MPIO) for iSCSI connections. After enabling MPIO for iSCSI, we can use all or selected NICs to connect to the iSCSI target. MPIO can use all NICs to transfer data to the same destination, and it provides error handling, failover and recovery through Device-Specific Modules (DSMs). By default, the Microsoft DSM is available in Windows Server 2012 and Windows Server 2012 R2.

Microsoft provides more detailed information about MPIO; please read the following web site for your information.

Lab environment
  • One Windows Server 2012 R2 named DC01 is the domain controller of tls1.local
  • Two Windows Server 2012 R2 servers named MS01 and MS02 are joined to tls1.local
  • Four NICs are installed in each server except DC01
  • IP addresses on the domain network are 192.168.8.10 (DC01), 192.168.8.21 (MS01) and 192.168.8.22 (MS02)
  • IP addresses for MS01, the iSCSI target, are 192.168.9.11, 192.168.9.21 and 192.168.9.31
  • IP addresses for MS02, the iSCSI initiator, are 192.168.9.12, 192.168.9.22 and 192.168.9.32
  • Un-check the “Register this connection’s addresses in DNS” option on the iSCSI network adapters
Installing and configuring iSCSI target
1. On MS01, log in as Domain Administrator.
2. Launch “Server Manager“.
3. On “Server Manager“, click “Add roles and features“.
4. On “Before You Begin” window, click “Next“.
5. On “Installation Type” window, select “Role-based or feature-based installation“.
6. Click “Next“.
7. On “Server Selection” window, click “Next“.
8. On “Server Roles” window, check “iSCSI Target Server” and then click “Add Features“.
9. Click “Next” twice.
10. On “Confirmation” window, click “Install“.
11. On “Results” window, click “Close“.
12. On “Server Manager” window, select “File and Storage Services“.
13. Select “iSCSI“.
14. Click “To create an iSCSI virtual disk, start the New iSCSI Virtual Disk Wizard“.
15. On “iSCSI Virtual Disk Location” window, click “Next“.
16. On “iSCSI Virtual Disk Name” window, next to “Name“, enter “MS02-Lun-0“.
17. Click “Next“.
18. On “iSCSI Virtual Disk Size” window, next to “Size“, enter “30“.
19. Select “Dynamically expanding“.
20. Click “Next“.
Remark: In Windows Server 2012, there is no option to select the types of VHD. In Windows Server 2012 R2, the virtual hard disk format of iSCSI target is VHDX.
21. On “iSCSI Target” window, select “New iSCSI target“, click “Next“.
22. On “Target Name and Access” window, next to “Name“, enter “MS02.tls1.local“.
23. Click “Next“.
24. On “Access Servers” window, click “Add“.
25. On “Add initiator ID” window, select “Enter a value for the selected type“.
26. Next to “Type“, select “IQN“.
27. Next to “Value“, enter “iqn.1991-05.com.microsoft:ms02.tls1.local“, the IQN of the iSCSI initiator on MS02.
Remark: “iqn.1991-05.com.microsoft” is the default prefix of IQN of Microsoft iSCSI initiator. After entering the prefix, we need to enter the FQDN of the server.
28. Click “OK“.
29. On “Access Servers” window, click “Next“.
30. On “Enable Authentication” window, click “Next“.
31. On “Confirmation” window, click “Create“.
32. On “Results” window, click “Close“.
Next, install MPIO and configure the iSCSI initiator on MS02.

Installing MPIO
1. On MS02, log in as Domain Administrator.
2. Launch “Server Manager“.
3. On “Server Manager” window, click “Add roles and features“.
4. On “Before You Begin” window, click “Next“.
5. On “Installation Type” window, select “Role-based or feature-based installation“.
6. Click “Next“.
7. On “Server Selection” window, click “Next” twice.
8. On “Features” window, check “Multipath I/O“.
9. Click “Next“.
10. On “Confirmation” window, click “Install“.
11. On “Results” window, click “Close“.
12. Press “Start” button and then enter “MPIO“.
13. Click the “MPIO” icon.
14. On “MPIO Properties” window, select “Discover Multi-Paths” tab.
15. Check “Add support for iSCSI devices” and then click “Add“.
16. On “Reboot Required” window, click “Yes” to restart Windows.
17. After restarting the computer, log in as Domain Administrator and then launch “MPIO“.
Make sure “MSFT2005iSCSIBusType_0x9” was added after restarting the computer.
18. Click “OK“.
Enabling and configuring iSCSI initiator in MS02
After installing MPIO in MS02, we can configure the iSCSI connections.
1. On MS02, press start button and then enter “iSCSI Initiator“.
2. Click “iSCSI Initiator” icon.
3. On “Microsoft iSCSI” window, click “Yes” to enable iSCSI service.
4. On “iSCSI Initiator Properties” window, next to “Target“, enter “ms01.tls1.local“.
5. Click “Quick Connect“.
6. On “Quick Connect” window, click “Done“.
7. Select “Favorite Targets” tab.
8. Click “Remove“.
9. Select “Targets” tab.
10. Click “Properties“.
11. On “Properties” window, check the first “Identifier” and then click “Disconnect“.
12. Click “Add session“.
13. On “Connect To Target” window, check “Enable multi-path” and then click “Advanced“.
14. On “Advanced Settings” window, next to “Local adapter“, select “Microsoft iSCSI Initiator“.
15. Next to “Initiator IP“, select “192.168.9.12“.
16. Next to “Target portal IP“, select “192.168.9.11 / 3260“.
17. Click “OK” twice.
18. Repeat steps 12–17 to add the other connections (192.168.9.22 to 192.168.9.21 and 192.168.9.32 to 192.168.9.31).
19. Click “OK“.
20. Select “Favorite Targets” tab.
21. Select each target and then click “Details” to verify the connection.
Make sure all connections are correct.
22. Click “OK” to close “iSCSI Initiator Properties“.
23. Launch “Server Manager” and then select “File and Storage Services“.
24. Select “Disk“.
The disk is available. The connection was made.
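The same initiator-side configuration, done with the MPIO and iSCSI cmdlets that ship with Windows Server 2012/2012 R2, is shown below as an added example; it is not from the original post. The addresses are the lab values above. The target's IQN is discovered rather than assumed (Windows derives it from the target name MS02.tls1.local created on MS01, so it is matched on "ms02"), and the three sessions are created with multipath enabled and persistent, which is what the GUI's "Enable multi-path" and Favorite Targets settings do.

```powershell
# Added example (not part of the original post): MPIO install and multipath iSCSI sessions on MS02.
$Paths = @(
    @{ Initiator = '192.168.9.12'; Target = '192.168.9.11' },
    @{ Initiator = '192.168.9.22'; Target = '192.168.9.21' },
    @{ Initiator = '192.168.9.32'; Target = '192.168.9.31' }
)

# 1. Feature install and the "Add support for iSCSI devices" claim. The claim takes effect after
#    a reboot; MSFT2005iSCSIBusType_0x9 should then appear in Get-MPIOAvailableHW.
Install-WindowsFeature Multipath-IO | Out-Null
Set-Service MSiSCSI -StartupType Automatic
Start-Service MSiSCSI
Enable-MSDSMAutomaticClaim -BusType iSCSI | Out-Null

# 2. Register each target portal on the matching initiator NIC (one 192.168.9.x pair per path).
foreach ($p in $Paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Target -InitiatorPortalAddress $p.Initiator | Out-Null
}

# 3. Find the target MS01 exposes for this host.
$target = Get-IscsiTarget | Where-Object { $_.NodeAddress -like '*ms02*' } | Select-Object -First 1
if (-not $target) { throw 'iSCSI target for MS02 not discovered; check the access server IQN on MS01.' }

# 4. One session per NIC pair, multipath-enabled and persistent (the "Add session" dialog with
#    "Enable multi-path" checked; persistence is what lists it under Favorite Targets).
foreach ($p in $Paths) {
    Connect-IscsiTarget -NodeAddress $target.NodeAddress `
        -InitiatorPortalAddress $p.Initiator -TargetPortalAddress $p.Target `
        -IsMultipathEnabled $true -IsPersistent $true | Out-Null
}

# 5. Verify: three connections on three sessions, and the LUN appearing once because the
#    Microsoft DSM has merged the paths.
Get-IscsiConnection | Select-Object InitiatorAddress, TargetAddress
Get-IscsiSession    | Select-Object TargetNodeAddress, IsMultipathEnabled, IsPersistent
Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' } |
    Select-Object Number, FriendlyName, Size, OperationalStatus
Get-MPIOAvailableHW
```

If Get-Disk shows the same LUN three times instead of once, the DSM claim has not taken effect yet; reboot after step 1 and re-run the verification.
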
Testing MPIO
I limited the bandwidth of the NICs on MS02 to 20 Mbps for testing.

I also created a 20 GB file named test.txt on the C: drive of MS02 to copy to the iSCSI disk, drive E:.

1. On MS02, log in as Domain Administrator.
2. Press “Start” button and then launch “Task Manager“.

3. On “Task Manager” window, click “More details“.

4. Select “Performance” tab.
5. Those NICs are idle at this moment.

6. Launch “Windows Explorer“, copy “test.txt” to E:\.

7. Back to “Task Manager“.

All NICs were utilized because we configured “Enable multi-path” in the iSCSI initiator.

8. Disconnect one of the NICs on MS02.

One of the NICs was disconnected and the file copy stopped. However, the file transfer does not fail, because MPIO detects the failed path and tries to resubmit the I/O on the remaining paths.

After 30–60 seconds the file transfer recovered and is using the new paths to transfer the file.

9. Disconnect one of the NICs that is transferring data on MS01.

The file copy stopped again because MPIO is detecting the failed path and trying to resubmit the I/O on the remaining paths.

After 30–60 seconds the file transfer recovered and is using a new path to transfer the file.

As a result, MPIO with iSCSI connections is working.

How to Configure Exchange Server 2010 Outlook Anywhere

In this tutorial I will demonstrate how to enable and configure Exchange Server 2010 Outlook Anywhere to provide secure mailbox connectivity for remote Outlook users.

Outlook Anywhere is a much better solution for remote email access than POP or IMAP because the end user experience is the same when the user is using Outlook on the LAN or remotely. Thanks to SSL encryption Outlook Anywhere is also inherently more secure than other protocols that have non-encrypted options that companies often deploy.

What is Outlook Anywhere?

Outlook Anywhere is a service provided by the Client Access server role that allows Outlook clients to make a secure connection over SSL/HTTPS to the mailbox from remote locations.  Previously this was known as RPC-over-HTTPS but was renamed to Outlook Anywhere in Exchange 2007 and 2010.

By wrapping normal Outlook RPC requests in HTTPS the connections are able to traverse firewalls over the common SSL/HTTPS port without requiring the RPC ports to be opened.

There are three main tasks to deploy Outlook Anywhere in an Exchange environment:

  • Enable and configure Outlook Anywhere on the Client Access server
  • Configure the perimeter firewall to allow SSL/HTTPS connections from external networks to the Client Access server
  • Configure the Outlook clients to use Outlook Anywhere when connecting from remote networks

Enable Outlook Anywhere on Exchange Server 2010

In the Exchange Management Console navigate to Server Configuration -> Client Access, and select the Client Access server you want to enable for Outlook Anywhere.

If you have multiple Client Access servers in an Active Directory site then choose the one that is the internet-facing Client Access server.  Or if you have deployed a CAS array you will need to repeat this process on all members of the array.

Choose the Exchange Server 2010 Client Access Server to configure for Outlook Anywhere

With the server selected, in the action pane of the Exchange Management Console click on Enable Outlook Anywhere.

Enable Outlook Anywhere for Exchange Server 2010

The Enable Outlook Anywhere wizard launches.  Enter the external host name for Outlook Anywhere users to use when connecting remotely to Exchange, and choose an authentication method.

Configure Outlook Anywhere for Exchange Server 2010

The external host name you choose should ideally be one that is already included in the Exchange certificate configured on the Client Access server.  Otherwise you will need to create a new certificate for Exchange.

The Outlook Anywhere authentication method you choose will depend on a few factors in your environment.

  • Basic Authentication – this requires that Outlook users enter their username and password each time they connect to Outlook Anywhere.  The credentials are sent in clear text so therefore it is critical that Outlook Anywhere connections only occur over SSL/HTTPS.  You may need to choose Basic Authentication if the connecting computers are not members of the domain, if the ISA Server publishing rule and listener are shared with other Exchange services that require Basic Authentication, or if the firewall being used does not support NTLM authentication.
  • NTLM Authentication – this is ideal for connecting clients that are domain members because the username and password will not need to be entered by the user each time they connect.  However NTLM may not work with some firewalls or ISA Server publishing scenarios.

When you have configured the Outlook Anywhere settings click Enable to continue, and then click Finish to close the wizard.

The Outlook Anywhere configuration for Exchange 2010 will take effect within 15 minutes of completing the wizard.  The Application Event Log will record Event ID 3008 and a series of other events when the configuration has been applied to the server.
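The wizard steps above can also be run from the Exchange Management Shell. The script below is an added example, not code from the original article: it first performs the certificate check the text recommends (the external host name must be covered by the IIS-enabled Exchange certificate, with a wildcard entry accepted), then enables or updates Outlook Anywhere with the chosen authentication method, and finally reads the configuration back and looks for the Event ID 3008 confirmation. CAS01 and mail.example.com are placeholders for your server and external name.

```powershell
# Added example (not from the original article): Enable Outlook Anywhere from the shell.
$Server     = 'CAS01'              # placeholder Client Access server
$External   = 'mail.example.com'   # placeholder external host name
$AuthMethod = 'Ntlm'               # 'Basic' for non-domain clients or shared ISA listeners (see the list above)

# An IIS-enabled Exchange certificate on the CAS must cover the external name; -like lets a
# wildcard entry such as *.example.com satisfy the check.
$iisCert = Get-ExchangeCertificate -Server $Server | Where-Object {
    "$($_.Services)" -match 'IIS' -and
    ($_.CertificateDomains | ForEach-Object { $_.ToString() } | Where-Object { $External -like $_ })
}
if (-not $iisCert) {
    throw "No IIS-enabled certificate on $Server covers $External; request a new certificate first."
}

$existing = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($existing) {
    # Already enabled: adjust the settings in place.
    Set-OutlookAnywhere -Identity $existing.Identity -ExternalHostname $External `
        -ClientAuthenticationMethod $AuthMethod -SSLOffloading $false
} else {
    Enable-OutlookAnywhere -Server $Server -ExternalHostname $External `
        -ClientAuthenticationMethod $AuthMethod -SSLOffloading $false
}

# Read the result back. The change takes up to 15 minutes to apply; Event ID 3008 in the
# Application log on the server confirms it.
Get-OutlookAnywhere -Server $Server |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, SSLOffloading
Get-EventLog -LogName Application -ComputerName $Server -Newest 200 |
    Where-Object { $_.EventID -eq 3008 } | Select-Object -First 1 TimeGenerated, Source, Message
```

SSLOffloading is left at $false so the CAS itself terminates TLS; set it to $true only when a front-end device decrypts the traffic and the CAS is configured to accept that, otherwise Basic credentials would cross the last hop in clear text.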

Configure the Firewall for Exchange Server 2010 Outlook Anywhere

To enable remote Outlook users to connect to Outlook Anywhere the perimeter firewall for the network must be configured to allow the SSL/HTTPS connections to pass through to the Client Access server.

The precise steps for this will depend on which firewall you are using in your environment.  However the basic components of this configuration are:

  • A public DNS record for the external host name you are using for Outlook Anywhere
  • A public IP address on the firewall that the public DNS record resolves to
  • A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server

Exchange Server 2010 Outlook Anywhere Firewall Overview

If you are running an internet-facing Exchange Server 2010 CAS array then you would configure the firewall rule to direct traffic to the CAS array IP address.

Configure Outlook Clients for Exchange Server 2010 Outlook Anywhere

Before an Outlook client can connect to Outlook Anywhere it needs to be configured with the correct settings.  In Outlook 2010 open the Account Settings for the Outlook profile that is configured.

Outlook 2010 Account Settings for Exchange Server 2010 Outlook Anywhere

Double-click to open the properties of the Exchange Server profile that is configured.

Outlook 2010 Exchange Server Profile Settings

Click on More Settings, and then select the Connection tab of the settings dialog box that appears.

Outlook 2010 Connection Settings

Tick the box to Connect to Microsoft Exchange using HTTP, and then click the Exchange Proxy Settings button.

Enable Outlook Anywhere in Outlook 2010

Enter the External Host Name that was configured for Outlook Anywhere earlier on the Client Access server, and then configure the Proxy Authentication Settings to match the client authentication method chosen on the server.

Configure the Outlook Anywhere External Host Name and Authentication Settings in Outlook 2010

Click OK, OK, Next and then Finish to apply the change to Outlook 2010.  You must restart Outlook for the new settings to take effect.

Now that Outlook 2010 has been configured for Exchange Server 2010 Outlook Anywhere, any time the user launches Outlook from a remote connection and can reach the perimeter firewall over the internet they will be able to securely access their mailbox as though they were still on the corporate network.

Windows Dynamic Access Control (DAC)

  • Active Directory management enhancements
    • Active Directory Administrative Center
      • Active Directory Recycle Bin management
      • Fine-Grained Password Policy management
      • Windows PowerShell History Viewer
      • Dynamic Access Control
    • Group Policy enhancements
    • Kerberos constrained delegation changes
  • Active Directory deployment enhancements
    • Remote DCPromo and built-in troubleshooting
    • ADPrep integration
    • Improved virtualization support
      • Domain controller cloning
      • Active Directory snapshots
  • Active Directory-based activation
    • Active Directory Federation Services 2.1 built in

In this post we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, which can be managed through the AD Administrative Console to help organizations reach data compliance.

**NOTE: DAC is the amalgamation of different features working together. It leverages AD, GPO, file servers and more. It is one of the more involved labs we have tackled so far.

Microsoft has focused on the following areas:

  • Identify the information that needs to be managed to meet business and compliance requirements
  • Apply appropriate access policies to information
  • Audit access to information
  • Encrypt information

You can now create and manage Central Access and Audit Policies in Active Directory through the ADAC. These policies are based on conditional expressions that take into account the following, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control:

  • Who the user is
  • What device they are using, and
  • What data is being accessed

Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as: “User is from the Finance department” and “User’s security clearance is High”

Here are some sample usages of DAC, grouped by policy type:

Organization-wide authorization policy
  • Most commonly initiated from the information security office
  • Driven by compliance or high-level organizational requirements
  • Relevant across the organization
  • Example: HBI files are accessible to only full-time employees
Departmental authorization policy
  • Each department in an organization has some special data-handling requirements that they want to enforce
  • Example: the finance department might want to limit access to finance servers to the finance employees
Specific data-management policy
  • Usually relates to compliance and business requirements, and is targeted at protecting the correct access to the information that is being managed
  • Example: financial institutions might implement information walls so that analysts do not access brokerage information and brokers do not access analysis information
Need-to-know policy
  • Typically used in conjunction with the previous policy types
  • Example: vendors should be able to access and edit only files that pertain to a project they are working on

You can find different scenarios of DAC usage here.

What we will do in this post is setup DAC and create a rule to show the flexibility and the value you can get from this technology.

Step-by-Step: enabling and configuring DAC

DAC is a claim-based security feature.

Claims are Active Directory attributes defined to be used with Central Access Policies. The claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this new feature.

To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts.

  1. Claim Type
  2. Resource properties for files
  3. Resource property lists (add resource property to global list)
  4. Create new central access rule
  5. Create central access policy

First, we logged on to our domain controller ITCamp-DC1 and created some accounts for this lab.

  1. Create the following users with the attributes indicated:

     User               Username     Email address             Department   Country/Region
     Myriam Delesalle   MDelesalle   MDelesalle@ITCAMP.Local   Finance      Canada
     Miles Reid         MReid        MReid@ITCAMP.Local        Finance      United States
     Esther Valle       EValle       EValle@ITCAMP.Local       Operations   Canada
     Maira Wenzel       MWenzel      MWenzel@ITCAMP.Local      HR           Canada
     Jeff Low           JLow         JLow@ITCAMP.Local         HR           United States

It’s now time to enable Dynamic Access Control for ITCamp.Local

  1. Open the Group Policy Management Console, click ITCamp.Local, and then double-click Domain Controllers.
  2. Right-click Default Domain Controllers Policy, and select Edit.
  3. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.
  4. Double-click KDC support for claims, compound authentication, and Kerberos armoring and select the option next to Enabled. You need to enable this setting to use Central Access Policies.
  5. Open an elevated command prompt, and run the following command:

gpupdate /force

Configure Claim Type

In this step we will configure claim types for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating dynamic access control; in our case, the user’s department and country.

1- After logging on to the DC, open the Active Directory Administrative Center to start configuring Dynamic Access Control (DAC).

2- In the Claim Types section, click “New” and then “Claim Type” in the task pane.

3- Select the attribute you want to use, in our case “c”, and in the Suggested Values section define the countries you want to match. In our lab we will look for Canada and United States.

4- Repeat for the department attribute with the following suggested values: HR, Finance, Operations.

Configure Resource properties for files

1- In this step, we will configure the properties that will be downloaded by file servers and used to classify files, directories or shares. The DAC rules will compare user attribute values with resource properties. You can enable existing properties or create new ones.

2- Click on Resource Properties; here you can select existing resource properties or create new ones. I have selected Country and Department.

Resource property lists (add resource property to global)

1- Each resource property must be added to at least one resource property list. It is then downloaded by the file servers in your environment. The Global Resource Property List is downloaded by all file servers.

Our properties are already part of the global list.

Create new central access rule

This is when we create a Rule that uses the properties we have defined earlier. This describes which conditions must be met in order for file access to be granted.

1- In the Central Access Rules section, click “New” and then “Central Access Rule”.

2- Give it a name in the Create Central Access Rule form.

3- In the Permissions section, click “Use Following Permissions” and then click “Edit”.

4- Click “Add” and, in the “Permission Entry for Permissions” dialog, select “Authenticated Users” as the principal and set the conditions that compare the user claims with the resource properties defined earlier.

5- Click “OK”; you are back at the DAC configuration screen.

Create central access policy

This part is very straightforward.

1- In the Central Access Policies section, click “New” and then “Central Access Policy”, and give the new policy a name in the “Create Central Access Policy” form. We named ours CAP. You also need to add the Central Access Rule you created earlier to the policy.

2- Once that is created, we need to tell AD about the policy through Group Policy. In the “Group Policy Management Console” we edited the “Default Domain Policy”, but you can apply a different policy as you see fit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy, right-click the right pane and select Manage Central Access Policy.

3- Add the Policy you created to the Applicable Central Access Policies.
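Steps 1 to 5 above, scripted against the ActiveDirectory module as an added example (this is not code from the post): it creates the five lab users, the two claim types, enables the built-in resource properties, and builds the rule and the CAP. The claim IDs, the rule name, the SDDL strings and the password prompt are this example's own assumptions.

```powershell
# Added example (not from the original post): the DAC lab objects built with the
# ActiveDirectory module instead of the ADAC GUI. Run in an elevated PowerShell
# on the DC as a domain admin. Assumed by this example: the claim IDs
# ad://ext/Department and ad://ext/Country, the rule name, and the SDDL strings.
Import-Module ActiveDirectory

# Lab accounts from the post. New-ADUser's -Country writes the "c" attribute,
# which stores the ISO 3166 two-letter code (CA, US), not the country name.
$password = Read-Host -AsSecureString -Prompt 'Password for the five lab users'
$labUsers = @(
    @{ Name = 'Myriam Delesalle'; Sam = 'MDelesalle'; Department = 'Finance';    Country = 'CA' }
    @{ Name = 'Miles Reid';       Sam = 'MReid';      Department = 'Finance';    Country = 'US' }
    @{ Name = 'Esther Valle';     Sam = 'EValle';     Department = 'Operations'; Country = 'CA' }
    @{ Name = 'Maira Wenzel';     Sam = 'MWenzel';    Department = 'HR';         Country = 'CA' }
    @{ Name = 'Jeff Low';         Sam = 'JLow';       Department = 'HR';         Country = 'US' }
)
foreach ($u in $labUsers) {
    New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@ITCAMP.Local" -EmailAddress "$($u.Sam)@ITCAMP.Local" `
        -Department $u.Department -Country $u.Country `
        -AccountPassword $password -Enabled $true
}

# Step 1, claim types: expose "department" and "c" as Kerberos user claims.
# Suggested values only populate the drop-downs in the rule editor; they are not
# enforced, so the Country list uses the codes the attribute actually holds.
function New-SuggestedValues([string[]] $values) {
    foreach ($v in $values) {
        New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
            -ArgumentList $v, $v, ''
    }
}
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department' -SuggestedValues (New-SuggestedValues 'Finance', 'HR', 'Operations')
New-ADClaimType -DisplayName 'Country' -ID 'ad://ext/Country' `
    -SourceAttribute 'c' -SuggestedValues (New-SuggestedValues 'CA', 'US')

# Steps 2 and 3, resource properties: enable the built-in Department and Country
# properties (IDs Department_MS and Country_MS in a default forest). Built-in
# properties are already members of the Global Resource Property List, which
# every file server downloads, so no Add-ADResourcePropertyListMember is needed.
Get-ADResourceProperty -Filter "DisplayName -eq 'Department' -or DisplayName -eq 'Country'" |
    Set-ADResourceProperty -Enabled $true

# Step 4, central access rule: targets folders classified with a Department and
# grants Modify (0x1301bf) to Authenticated Users only when the user's Department
# claim equals the folder's Department property. Owner, Administrators and SYSTEM
# keep Full Control so a misclassified folder cannot lock operators out.
$resourceCondition = '(@RESOURCE.Department_MS Any_of {"Finance","HR","Operations"})'
$aces = @(
    '(A;;FA;;;OW)'
    '(A;;FA;;;BA)'
    '(A;;FA;;;SY)'
    '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
)
New-ADCentralAccessRule -Name 'Department match' `
    -ResourceCondition $resourceCondition -CurrentAcl ('O:SYG:SYD:AR' + ($aces -join ''))

# Step 5, central access policy named CAP (as in the post) holding that rule.
New-ADCentralAccessPolicy -Name 'CAP'
Add-ADCentralAccessPolicyMember -Identity 'CAP' -Members 'Department match'

# Check: CAP should list the rule. The GPO step (Computer Configuration > Policies
# > Windows Settings > Security Settings > File System > Central Access Policy)
# and the folder classification still have to be done as described in the post.
Get-ADCentralAccessPolicy -Identity 'CAP' | Select-Object Name, Members
```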


We are done configuring the DAC… well… not quite. We still need to configure our shares and share properties.

To configure the shares, File Server Resource Manager must be installed on the server that will be used as the file server. In our case the file server we are using is VMHost10B.itcamp.local.

  1. Log on to VMHost10B.itcamp.local as itcamp\administrator
  2. In Server Manager, click Add Roles and Features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Next.
  5. On the Select destination server page, click Next.
  6. On the Select Server Roles page, expand File and Storage Services, select the check-box next to File and iSCSI Services, expand, and select File Server Resource Manager.
  7. In the Add Roles and Features Wizard, click Add Features, and then click Next.
  8. On the Select features page, click Next.
  9. On the Confirm installation selections page, click Install.
  10. On the Installation progress page, click Close.

On the VMHost10B machine we created two shares (HR and Finance) using the SMB Share - Advanced profile, accepting all defaults to complete this part.

Once the shares have been created, we need to go to the location where the directories were created and modify the properties of each folder to include its classification.

In the Advanced Security Settings, on the Central Policy tab, change “No Central Access Policy” to “CAP”, the policy we defined.

You can test whether everything worked by using the Effective Access tab.

That is just the start of the value that DAC can bring.

Lock Down Remote Desktop Services Server 2012 / RDS 2012 R2

This article describes some basic Group Policies to get you started configuring an RDS server.

Preparation

Create OU for RDS Server in Active Directory. Create security group for users who will use Remote Desktop Host (i.e. RDS Users). Create GPO (i.e. RDS Server Lock Down). In Security Filtering delete Authenticated Users, add RDS Server Computer Account, and the security group created in previous step.

Configure users who can connect to the server remotely:

Log in to RDS Server >>> Run >>> control system >>> Remote Settings >>> Remote tab >>> Select users >>> Delete any groups/users >>> Add security group for RDS users

Disable Server Manager Pop Up at user log on:

On RDS Server open Task Scheduler. Navigate to Task Scheduler Library\Microsoft\Windows\Server Manager. Disable task “ServerManager” which triggers at log on of any user.

Some group policies might not be available in your group policy manager. You will need to add Administrative Templates for the Windows 8.1 and Windows Server 2012 R2: see Adding Windows 8.1 and Server 2012 R2 Administrative Templates. 

Configure Group Policy for RDS Server Lock Down

Loopback Processing

[Computer Configuration\Policies\Administrative Templates\System\Group Policy]

Configure user Group Policy loopback processing mode: Enable – Merge

This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
If you enable this setting, you can select one of the following modes from the Mode box:
“Replace” indicates that the user settings defined in the computer’s Group Policy Objects replace the user settings normally applied to the user.
“Merge” indicates that the user settings defined in the computer’s Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer’s Group Policy Objects take precedence over the user’s normal settings.

Disable Control Panel Items

[User Configuration\Policies\Administrative Templates\Control Panel]

Hide specified Control Panel items: Enable

This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item’s canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.

Add following items to the disallowed Control Panel items:
Microsoft.AdministrativeTools
Microsoft.AutoPlay
Microsoft.ActionCenter
Microsoft.ColorManagement
Microsoft.DefaultPrograms
Microsoft.DeviceManager
Microsoft.EaseOfAccessCenter
Microsoft.FolderOptions
Microsoft.iSCSIInitiator
Microsoft.NetworkAndSharingCenter
Microsoft.NotificationAreaIcons
Microsoft.PhoneAndModem
Microsoft.PowerOptions
Microsoft.ProgramsAndFeatures
Microsoft.System
Microsoft.TextToSpeech
Microsoft.UserAccounts
Microsoft.WindowsFirewall
Microsoft.WindowsUpdate
Microsoft.DateAndTime
Microsoft.RegionAndLanguage
Microsoft.RemoteAppAndDesktopConnections
Install Application On Remote Desktop Server
Java
Flash Player

Remove Administrative Tools and PowerShell

Restrict access to Administrative tools

  • Open RDS Lock Down Group Policy.
  • Navigate to Computer Configuration >>> Policies >>> Windows Settings >>> Security Settings
  • Right-click on File System, choose Add File…
  • In the Add a file or folder window, put %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools in the Folder field and click OK.

  • On the next window, Database Security for %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk, remove Users and check that Administrators have Full Access.

Database Security for Server Manager.lnk

  • On the Add Object window choose Configure this file or folder then Propagate inheritable permissions to all subfolders and files. Click OK.

Add Object

  • Do the same for PowerShell shortcut (+ delete Creator Owner in database security): %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk
  • Do the same for Server Manager shortcut: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

File Explorer Configuration

[User Configuration\Policies\Administrative Templates\Windows Components\File Explorer]

Enable – Restrict A, B, C and D drives only: Hide these specified drives in My Computer

This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. If you enable this policy setting, select a drive or combination of drives in the drop-down list.

Enable – Remove Hardware tab

This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device.

Enable – Hides the Manage item on the File Explorer context menu

Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer.

Enable – Remove Security tab

Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question.

Disable Registry Modification

[User Configuration\Policies\Administrative Templates\System]

Enable – Prevent access to registry editing tools

Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.

Configure Windows Installer and Windows Updates

[Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer]

Enable: Prevent users from using Windows Installer to install updates and upgrades

This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.

Enable Always: Turn off Windows Installer

This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.

[Computer Configuration\Administrative Templates\Windows Components\Windows Update]

Enable: Do not display ‘Install Updates and Shut Down’ option

This policy setting allows you to manage whether the ‘Install Updates and Shut Down’ option is displayed in the Shut Down Windows dialog box.

Disable: Allow non-administrators to receive update notifications

This policy setting allows you to control whether non-administrative users will receive update notifications based on the “Configure Automatic Updates” policy setting.

Additional Policies

[Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits]

Enable (e.g. 30 minutes): Set time limit for disconnected sessions

You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session.

When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.

If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.

[Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits]

Set time limit for logoff of RemoteApp sessions: Enable (e.g. logoff delay 1 hour)

This policy setting allows you to specify how long a user’s RemoteApp session will remain in a disconnected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server.

By default, if a user closes a RemoteApp program, the session is disconnected from the RD Session Host server, but it is not logged off.

If you enable this policy setting, when a user closes the last running RemoteApp program associated with a session, the RemoteApp session will remain in a disconnected state until the time limit that you specify is reached. When the time limit specified is reached, the RemoteApp session will be logged off from the RD Session Host server. If the user starts a RemoteApp program before the time limit is reached, the user will reconnect to the disconnected session on the RD Session Host server.

If you disable or do not configure this policy setting, when a user closes the last RemoteApp program, the session will be disconnected from the RD Session Host server but it is not logged off.

Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.

[Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits]

Set time limit for active but idle Remote Desktop Services sessions: Enable (e.g. 1 hour)

This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.

If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.

If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.

If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.

[User Configuration/Policies/Administrative Templates/Start Menu and Taskbar]

Go to the desktop instead of Start when signing in or when all the apps on a screen are closed: Enable

This policy setting allows users to go to the desktop instead of the Start screen when they sign in, or when all the apps on a screen are closed.  This policy setting applies to all versions of Windows, and versions of Windows Server with the Desktop Experience installed.

If you enable this policy setting, users will always go to the desktop when they sign in, or when all the apps on a screen are closed.

[User Configuration/Policies/Administrative Templates/Start Menu and Taskbar]

Remove the Action Center icon: Enable

This policy setting allows you to remove the Action Center from the system control area.

If you enable this policy setting, the Action Center icon is not displayed in the system notification area.

If you disable or do not configure this policy setting, the Action Center icon is displayed in the system notification area.

[User Configuration/Policies/Administrative Templates/Windows Components/Windows Update]

Remove access to use all Windows Update features: Enable (0 = Do not show any notifications)

This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.

If enabled you can configure one of the following notification options:

0 = Do not show any notifications

This setting will remove all access to Windows Update features and no notifications will be shown.

1 = Show restart required notifications

This setting will show notifications about restarts that are required to complete an installation.

[User Configuration/Policies/Administrative Templates/Windows Components/File Explorer]

Remove CD Burning features: Enable

This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC.

If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed.

If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features.

Note: This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer.

[User Configuration/Policies/Administrative Templates/Windows Components/File Explorer]

Prevent access to drives from My Computer: Enable (choose the drives)

Prevents users from using My Computer to gain access to the content of selected drives.

If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.

To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the “Do not restrict drives” option from the drop-down list.

Note: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action.

Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.

[User Configuration/Policies/Administrative Templates/Windows Components/Credentials User Interface]

Do not display the password reveal button: Enable

This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.

If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.

By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.

The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

[User Configuration/Policies/Administrative Templates/Windows Components/AutoPlay Policies]

Turn off Autoplay: Enable (CD-ROM and removable media drives)

This policy setting allows you to turn off the Autoplay feature.

Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.

If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.

This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.

If you disable or do not configure this policy setting, AutoPlay is enabled.

Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

[User Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Connection]

Do not allow passwords to be saved: Enable

Controls whether a user can save passwords using Remote Desktop Connection.

If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
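The preparation steps and the registry-backed policies from this article in one script, as an added example (not code from the article), using the GroupPolicy module's Set-GPRegistryValue in place of the GPMC editor; the OU, the server name RDS01, the domain name CORP and the group name are assumptions, and the file-system ACL and ADMX-download steps are left to the GUI.

```powershell
# Added example (not from the original article): the preparation steps and the
# registry-backed policies from the article applied with the GroupPolicy module
# instead of GPMC. Assumed by this example: the OU DN, the server name RDS01,
# the domain name CORP, and the group name "RDS Users". Run on a DC or an RSAT
# workstation as an account allowed to create and link GPOs.
Import-Module GroupPolicy

$gpoName = 'RDS Server Lock Down'
$rdsOu   = 'OU=RDS Servers,DC=corp,DC=example'

# Preparation: create the GPO, swap Authenticated Users for the RDS server's
# computer account and the RDS Users group in security filtering, link it.
# GpoApply includes Read, which the computer account needs for the user-side
# settings to be processed (required since MS16-072).
New-GPO -Name $gpoName | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'RDS01' -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'RDS Users' -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $gpoName -Target $rdsOu -LinkEnabled Yes | Out-Null

# Each setting below is written as the registry value its ADMX template maps to,
# so it shows as Configured in the GPMC editor. 1 = Enabled unless noted.
$hklm = 'HKLM\Software\Policies\Microsoft'
$hkcu = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
function Set-Policy($key, $name, $value, $type = 'DWord') {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type $type -Value $value | Out-Null
}

# Loopback processing: 1 = Merge (2 would be Replace).
Set-Policy "$hklm\Windows\System" 'UserPolicyMode' 1

# Hide specified Control Panel items: flag plus a numbered list of canonical names.
Set-Policy "$hkcu\Explorer" 'DisallowCpl' 1
$hiddenItems = 'Microsoft.AdministrativeTools', 'Microsoft.DeviceManager', 'Microsoft.NetworkAndSharingCenter',
               'Microsoft.ProgramsAndFeatures', 'Microsoft.System', 'Microsoft.UserAccounts', 'Microsoft.WindowsUpdate'
for ($i = 0; $i -lt $hiddenItems.Count; $i++) {
    Set-Policy "$hkcu\Explorer\DisallowCpl" "$($i + 1)" $hiddenItems[$i] 'String'
}

# File Explorer: hide and restrict drives A-D (bitmask A=1, B=2, C=4, D=8 = 15),
# remove the Hardware/Security tabs, the Manage verb, CD burning and Action Center.
Set-Policy "$hkcu\Explorer" 'NoDrives' 15
Set-Policy "$hkcu\Explorer" 'NoViewOnDrive' 15
Set-Policy "$hkcu\Explorer" 'NoHardwareTab' 1
Set-Policy "$hkcu\Explorer" 'NoManageMyComputerVerb' 1
Set-Policy "$hkcu\Explorer" 'NoSecurityTab' 1
Set-Policy "$hkcu\Explorer" 'NoCDBurning' 1
Set-Policy "$hkcu\Explorer" 'HideSCAHealth' 1
# Turn off Autoplay: 0xb5 = CD-ROM and removable media drives, 0xff = all drives.
Set-Policy "$hkcu\Explorer" 'NoDriveTypeAutoRun' 0xb5
# Prevent access to registry editing tools; remove access to Windows Update.
Set-Policy "$hkcu\System" 'DisableRegistryTools' 1
Set-Policy "$hkcu\WindowsUpdate" 'DisableWindowsUpdateAccess' 1

# Windows Installer and Windows Update, computer side.
Set-Policy "$hklm\Windows\Installer" 'DisableMSI' 2            # 2 = Always
Set-Policy "$hklm\Windows\Installer" 'DisablePatch' 1
Set-Policy "$hklm\Windows\WindowsUpdate\AU" 'NoAUShutdownOption' 1
Set-Policy "$hklm\Windows\WindowsUpdate" 'ElevateNonAdmins' 0  # 0 = Disabled

# Session time limits are stored in milliseconds.
$ts = "$hklm\Windows NT\Terminal Services"
Set-Policy $ts 'MaxDisconnectionTime' (30 * 60 * 1000)      # disconnected: 30 min
Set-Policy $ts 'MaxIdleTime' (60 * 60 * 1000)               # active but idle: 1 h
Set-Policy $ts 'RemoteAppLogoffTimeLimit' (60 * 60 * 1000)  # RemoteApp logoff: 1 h

# Credentials, user side: no password reveal button, no saved RDP passwords.
Set-Policy 'HKCU\Software\Policies\Microsoft\Windows\CredUI' 'DisablePasswordReveal' 1
Set-Policy 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services' 'DisablePasswordSaving' 1

# On the RDS server itself: only RDS Users may connect, and Server Manager must
# not launch at every logon. Existing members of Remote Desktop Users are
# removed by hand as the article describes.
Invoke-Command -ComputerName RDS01 -ScriptBlock {
    net localgroup 'Remote Desktop Users' 'CORP\RDS Users' /add
    Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' -TaskName 'ServerManager' | Out-Null
}

# Check what was written before running gpupdate /force on RDS01.
Get-GPRegistryValue -Name $gpoName -Key "$hkcu\Explorer"
```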

Upload VHD to Azure

This article shows you how to upload a virtual hard disk (VHD) with an operating system so you can use it as an image to create virtual machines based on that image. For more information about disks and images in Microsoft Azure, see About Disks and Images in Azure.

Prerequisites

This article assumes you have the following:

  1. An Azure subscription – If you don’t have one, you can open an Azure account for free: You get credits you can use to try out paid Azure services, and even after they’re used up you can keep the account and use free Azure services, such as Websites. Your credit card will never be charged, unless you explicitly change your settings and ask to be charged. You also can activate MSDN subscriber benefits: Your MSDN subscription gives you credits every month that you can use for paid Azure services.
  2. Microsoft Azure PowerShell – You have the Microsoft Azure PowerShell module installed and configured to use your subscription. To download the module, see Microsoft Azure Downloads. A tutorial to install and configure the module is available here. You’ll use the Add-AzureVHD cmdlet to upload the VHD.
  3. A supported Windows operating system stored in a .vhd file – You have installed a supported Windows Server operating system to a virtual hard disk. Multiple tools exist to create .vhd files. You can use a virtualization solution such as Hyper-V to create a virtual machine and install the operating system. For instructions, see Install the Hyper-V Role and Configure a Virtual Machine.

The following Windows Server versions are supported:

OS                       SKU            Service Pack   Architecture
Windows Server 2012 R2   All editions   N/A            x64
Windows Server 2012      All editions   N/A            x64
Windows Server 2008 R2   All editions   SP1            x64

This task includes the following steps:

Step 1: Prepare the image to be uploaded

Before you can upload the image to Azure, you need to generalize it by using the Sysprep command. For more information about Sysprep, see How to Use Sysprep: An Introduction.

From the virtual machine that the operating system was installed to, complete the following procedure:

  1. Log in to the operating system.
  2. Open a Command Prompt window as an administrator. Change the directory to %windir%\system32\sysprep, and then run sysprep.exe.

    Open Command Prompt window

  3. The System Preparation Tool dialog box appears.

    Start Sysprep

  4. In the System Preparation Tool, select Enter System Out of Box Experience (OOBE) and make sure that Generalize is checked.
  5. In Shutdown Options, select Shutdown.
  6. Click OK.

Step 2: Create a storage account in Azure

You need a storage account in Azure to upload a .vhd file so it can be used in Azure to create a virtual machine. You can use the Azure Management Portal to create a storage account.

  1. Sign in to the Azure Management Portal.
  2. On the command bar, click New.
  3. Click Data Services > Storage > Quick Create.

    Quick create a storage account

  4. Fill out the fields as follows:
    • Under URL, type a subdomain name to use in the URL for the storage account. The entry can contain from 3-24 lowercase letters and numbers. This name becomes the host name within the URL that is used to address Blob, Queue, or Table resources for the subscription.
    • Choose the location or affinity group for the storage account. An affinity group lets you place your cloud services and storage in the same data center.
    • Decide whether to use geo-replication for the storage account. Geo-replication is turned on by default. This option replicates your data to a secondary location, at no cost to you, so that your storage fails over to that location if a major failure occurs at the primary location. The secondary location is assigned automatically, and can’t be changed. If you need more control over the location of your cloud-based storage due to legal requirements or organizational policy, you can turn off geo-replication. However, be aware that if you later turn on geo-replication, you will be charged a one-time data transfer fee to replicate your existing data to the secondary location. Storage services without geo-replication are offered at a discount. More details on managing geo-replication of Storage accounts can be found here: Create, manage, or delete a storage account.

    Enter storage account details

  5. Click Create Storage Account. The account now appears under Storage.

    Storage account successfully created

  6. Next, create a container for your uploaded VHDs. Click the storage account name and then click Containers.

    Storage account detail

  7. Click Create a Container.

    Storage account detail

  8. Type a Name for your container and select the Access policy.

    Container name

Step 3: Prepare the connection to Microsoft Azure

Before you can upload a .vhd file, you need to establish a secure connection between your computer and your subscription in Azure. You can use the Microsoft Azure Active Directory method or the certificate method to do this.

Use the Microsoft Azure AD method

  1. Open the Azure PowerShell console.
  2. Type:
    Add-AzureAccount

    This command opens a sign-in window so you can sign in with your work or school account.

    PowerShell Window

  3. Azure authenticates and saves the credential information, and then closes the window.

Use the certificate method

  1. Open the Azure PowerShell console.
  2. Type: Get-AzurePublishSettingsFile.
  3. A browser window opens and prompts you to download a .publishsettings file. It contains information and a certificate for your Microsoft Azure subscription.

    Browser download page

  4. Save the .publishsettings file.
  5. Type: Import-AzurePublishSettingsFile <PathToFile>

    Where <PathToFile> is the full path to the .publishsettings file.

Step 4: Upload the .vhd file

When you upload the .vhd file, you can place it anywhere within your blob storage. In the following command examples, BlobStorageURL is the URL of the storage account that you created in Step 2, YourImagesFolder is the container within blob storage where you want to store your images, VHDName is the label that appears in the Management Portal to identify the virtual hard disk, and PathToVHDFile is the full path and name of the .vhd file.

  1. From the Azure PowerShell window you used in the previous step, type:

    Add-AzureVhd -Destination "<BlobStorageURL>/<YourImagesFolder>/<VHDName>.vhd" -LocalFilePath <PathToVHDFile>

    PowerShell Add-AzureVHD

    For more information about the Add-AzureVhd cmdlet, see Add-AzureVhd.

Step 5: Add the Image to Your List of Custom Images

After you upload the .vhd, you add it as an image to the list of custom images associated with your subscription.

  1. From the Management Portal, under All Items, click Virtual Machines.
  2. Under Virtual Machines, click Images.
  3. Then click Create an Image.


  4. In Create an image from a VHD, do the following:
    • Specify name
    • Specify description
    • To specify the URL of your VHD, click the folder button to open the following window:

    • Select VHD: select the storage account your VHD is in and click Open. This returns you to the Create an image from a VHD window.
    • After you return to the Create an image from a VHD window, select the Operating System Family.
    • Check I have run Sysprep on the virtual machine associated with this VHD to acknowledge that you generalized the operating system in Step 1, and then click OK.

    Add Image

  5. OPTIONAL: You can use the Add-AzureVMImage cmdlet instead of the Management Portal to add your VHD as an image. In the Azure PowerShell console, type:

    Add-AzureVMImage -ImageName <Your Image's Name> -MediaLocation <location of the VHD> -OS <Type of the OS on the VHD>

    PowerShell Add-AzureVMImage

  6. After you complete the previous steps, the new image is listed when you choose the Images tab.

    custom image

    This new image is now available under My Images when you create a virtual machine. For instructions, see How to Create a Custom Virtual Machine Running Windows.

    create VM from custom image
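The five steps above, carried out end to end in the classic Azure PowerShell module, as an added example that is not part of the original post or of Microsoft's documentation. Every value in the variable block is a placeholder you replace with your own; the subscription name, region, storage account and container names, local path and image name are assumptions. The cmdlet parameters are those of the classic "Azure" module from the period the post describes (Add-AzureAccount, New-AzureStorageAccount, Add-AzureVhd, Add-AzureVMImage); they do not apply to the later Az module.

```powershell
# Added example, not from the original post: upload a generalized .vhd to
# classic (ASM) Azure storage and register it as a custom image.
# All values below are placeholders / assumptions; replace them with your own.

$SubscriptionName   = "My Subscription"             # assumption: your subscription name
$StorageAccountName = "mystorage001"                # 3-24 lowercase letters and digits
$Location           = "West Europe"                 # assumption: any Azure region
$ContainerName      = "vhds"                        # container that holds the VHD blobs
$VhdName            = "ws2012r2-base.vhd"           # blob name in the container
$LocalVhdPath       = "D:\Images\ws2012r2-base.vhd" # fixed-size VHD, already sysprepped
$ImageName          = "ws2012r2-base-image"         # name shown under My Images

# Step 1 is run on the source VM, not on this workstation:
#   %windir%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown
# An image that was not generalized carries the build VM's SID, host name and
# any cached credentials into every VM later created from it.

# Step 3 (Azure AD method): interactive sign-in, tokens are short-lived.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName $SubscriptionName

# Step 3 (certificate method) instead: the .publishsettings file embeds a
# management certificate that grants full control of the subscription until
# it is revoked, so import it once and delete the file afterwards.
# Get-AzurePublishSettingsFile
# Import-AzurePublishSettingsFile "$env:USERPROFILE\Downloads\sub.publishsettings"
# Remove-Item "$env:USERPROFILE\Downloads\sub.publishsettings"

# Step 2: storage account (Standard_GRS = geo-replication on, as the post
# describes for the portal default; Standard_LRS turns it off) and a private
# container. -Permission Off means no anonymous read access to the VHD blobs.
if (-not (Get-AzureStorageAccount -StorageAccountName $StorageAccountName -ErrorAction SilentlyContinue)) {
    New-AzureStorageAccount -StorageAccountName $StorageAccountName -Location $Location -Type Standard_GRS
}
Set-AzureSubscription -SubscriptionName $SubscriptionName -CurrentStorageAccountName $StorageAccountName
if (-not (Get-AzureStorageContainer -Name $ContainerName -ErrorAction SilentlyContinue)) {
    New-AzureStorageContainer -Name $ContainerName -Permission Off
}

# Step 4: upload. The destination is <BlobStorageURL>/<container>/<VHDName>.vhd
# exactly as in the post; Add-AzureVhd stores the file as a page blob.
$Destination = "https://$StorageAccountName.blob.core.windows.net/$ContainerName/$VhdName"
Add-AzureVhd -Destination $Destination -LocalFilePath $LocalVhdPath -NumberOfUploaderThreads 8

# Step 5: register the uploaded blob as a custom image for this subscription.
Add-AzureVMImage -ImageName $ImageName -MediaLocation $Destination -OS Windows -Label "Windows Server 2012 R2 (sysprepped)"

# Verify that the image is now listed (it appears under My Images in the portal).
Get-AzureVMImage -ImageName $ImageName | Select-Object ImageName, OS, MediaLink
```

Keeping the container private and removing the .publishsettings file after import are the two points worth checking before handing the image to other users: a public container would expose the full disk image of a machine, and the management certificate in the .publishsettings file is a long-lived credential for the whole subscription.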

Azure Site Recovery

This post covers deploying Microsoft Azure Site Recovery Manager to replicate and fail over virtual machines on Hyper-V host servers that are located in System Center Virtual Machine Manager (VMM) clouds. It is no longer limited to protecting Hyper-V alone: Microsoft has also added protection for VMware and physical servers on primary sites.

SCVMM to Azure

SCVMM 2012 R2 to Azure


ASR Start Configs

Microsoft Azure Site Recovery Quick Start

As of April 30, 2015, you could choose the following configurations from the Quick Start page:

  • Between an On-Premises VMM Site and Azure
  • Between Two On-Premises VMM Sites
  • Between an On-Premises Hyper-V Site and Azure
  • Between Two On-Premises VMWare Sites
  • Between Two On-Premises VMM Sites with SAN Array Replication.

I chose the first one: Microsoft System Center 2012 R2 Virtual Machine Manager RU6 and Microsoft Azure.
Before we begin: information about Azure Site Recovery prerequisites and supported scenarios.

When your Microsoft Azure subscription is active and you have created a storage pool in Azure, you can follow the next step.


ASR1

Quick Create a Site Recovery vault by giving it a name and choosing a region.

ASR2

This is my Azure Site Recovery vault, called HybridCloud.

From here, open the Quick Start page of your Azure Site Recovery vault by clicking on

Quickstart


Choose option

I chose SCVMM to Azure.

Step1

Just click the links to download a registration key and the SCVMM provider software.

ASR3

ASR4

Click on Install

ASR5

Set the proxy settings when you are behind a proxy server.

ASR9

Browse to the registration key you downloaded from Azure Site Recovery.

ASR10

Give the directory path for the certificate.

ASR11

Registration of the provider software in SCVMM is complete.

ASR12

Here you see your SCVMM server in the Azure Site Recovery vault.

ASR13

ASR is now also active in System Center 2012 R2 Virtual Machine Manager RU6.

The next step is to install the ASR agent on Hyper-V:

ASR Agent 1a

Choose a cache location with enough storage.

ASR Agent 2

Set your Proxy Settings and Click Next

ASR Agent 3

Click Install

ASR Agent 4

Click on Proceed to Registration

ASR Agent 5

Next Step in Virtual Machine Manager

If your virtual machines are not in an SCVMM cloud, you have to create one or more clouds with Virtual Machine Manager.
The next step is to create a cloud if you don't have any.

Create Cloud

ASR14

Give your Private Cloud a Name and Mark the Checkbox for ASR Protection

ASR15

Select your Resources

ASR16

Choose the right network

ASR17

Click Next

ASR18

Choose the right Storage pool(s) for this Cloud

ASR19

Check the summary and create your private cloud with SCVMM.

ASR20

When you have a VM in your cloud, click Manage Protection.

ASR24

Select the Replication settings

ASR22

The SCVMM cloud now appears in Azure Site Recovery.

ASR23

Now configure the network mapping.

MAP Network

Map the Azure VNet to your local network.

When you protect the virtual machine, you will see this in Azure:

Saving 1

After this, Hyper-V Replica to Azure replicates the VM to the Microsoft cloud:

Saving 2

When the sync is complete, we can create an Azure recovery plan:

Recovery Plan