Category Archives: Windows Server

Setup AD FS and Enable Single Sign On to Office 365


Microsoft Office 365 is a cloud suite that provides hosted Exchange mail, Lync and SharePoint together with the Office 2013 applications, and it can be used with a full or partial on-premises Active Directory.
The full Microsoft cloud platform is Azure, and Office 365 runs on top of it, but in this article we deal with setting up AD FS and enabling Single Sign On to Office 365: installing a local Active Directory, federating it with Office 365 and syncing its users to the Office 365 cloud mail solution. The main idea of Single Sign On is that users authenticate with their local Active Directory password through AD FS, so they do not have to maintain two separate passwords, one for AD and one for Office 365; the Directory Sync tool can additionally replicate password hashes so the same password also works when the login is not federated. The following process shows how to set up AD FS and enable Single Sign On to Office 365.

Setup AD FS
1. Install the AD FS server role on the Active Directory server (in larger deployments a dedicated member server is preferable).
2. Install IIS on the AD FS server.
3. Install the Active Directory Sync Tool on a separate domain member server (not on the Active Directory server).
4. If the internal domain name does not match the domain name that will be federated with Office 365, add a custom UPN suffix that matches the external name as follows:
a. Open Active Directory Domains and Trusts.
b. In the “Tree” pane, right-click “Active Directory Domains and Trusts” < click “Properties”.
c. Under the “UPN Suffixes” tab, type the new UPN suffix.
d. Click “Add” < click “OK”.
e. Set the new UPN on all users that will use Office 365 (you can select several users in an OU at once and change the “User logon name” suffix under the account properties).

Enable Single Sign On to Office 365.

5. Set up a third-party SSL certificate for AD FS as follows:
a. Open Server Manager < click “Tools” < choose “Internet Information Services (IIS) Manager”.
b. Go to “local server” < select “Server Certificates” < click “Open Feature” < click “Create Certificate Request”.
c. Fill in the certificate request using the name format “sts.domain.com”. For example, for the domain JangoNet.com the common name is “sts.jangonet.com”.
d. Fill in all other details < click “Next” < leave the “Cryptographic service provider” at its default < change the “Bit Length” to 2048 < select a file location for the request < click “Finish”.
e. Buy a standard (single-name) certificate for that name from a public certificate authority such as Go Daddy. Be sure to buy a standard certificate and not a wildcard certificate: the federation service name must match a subject name on the certificate, and a wildcard certificate did not complete the request in IIS on Windows 2012 servers.

6. Complete the certificate request in IIS as follows:
a. Go to “Internet Information Services (IIS) Manager” < select “local server” < select “Server Certificates” < click “Open Feature”.
b. Click “Complete Certificate Request” < select the path to the certificate downloaded from the provider in step 5e < enter a “friendly name” for the certificate < select “Personal” as the certificate store < confirm that the certificate now appears under “Server Certificates”.

7. Bind the Default Web Site to the server certificate as follows:
a. Go to IIS < expand “Sites” < select “Default Web Site” < click “Bindings” < click “Add” < change the type to HTTPS.
b. Select the site certificate from the list < click “OK”.

8. Configure the local AD FS federation server as follows:
a. Go to “Server Manager” < “Tools” < choose “AD FS Management” < click “AD FS Federation Server Configuration Wizard”.
b. Check “Create a new Federation Service”.
c. Check “New federation server farm” < click “Next”.
d. The “SSL Certificate” should already be selected (the one bound to the Default Web Site in step 7).
e. The “Federation Service name” is taken from the certificate subject; confirm it shows sts.domain.com.
f. Click “Next” < enter the AD FS service account name and password (use a dedicated domain account for the service, not a domain administrator).
g. Click “Next” < check that every step is marked with a green check mark < click “Close”.

9. Set the email addresses that users will have in Office 365 on their Active Directory accounts as follows:
a. Open Active Directory Users and Computers (enable “Advanced Features” in the View menu, otherwise the tab below is hidden).
b. Right-click the user < click “Properties”.
c. Click the “Attribute Editor” tab.
d. Look for the “proxyAddresses” attribute.
e. Add the requested mailbox addresses: for the default (primary) address enter the prefix SMTP: in capitals, for example SMTP:jonathan@jangonet.com.
f. Add as many aliases as you want with the prefix “smtp” in small letters, for example smtp:jona@jangonet.com.

10. Check that the federation works as follows:
a. Use the Active Directory Sync tool on the other server in the domain to sync local Active Directory users to the Office 365 cloud. The tool is simple: enter the Office 365 admin user and password and the local Active Directory credentials, mark “sync passwords” and run the sync. After the sync you should see the users in Office 365 marked as synced with Active Directory.
b. Change the password of one of the users in local Active Directory and, after about 10 minutes, log in to Office 365 with the new password. That shows the password change reached the cloud. (With a federated domain the sign-in itself is answered by AD FS against local AD, so this also proves AD FS works; the synced password hash matters when the domain is not federated or AD FS is unavailable.)
c. In the Office 365 cloud < under the Exchange settings < check that users got the correct default SMTP address and alternative smtp addresses, which confirms that the “proxyAddresses” attribute replicated to the cloud.
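The bulk part of the procedure above (the UPN change in step 4e, the proxyAddresses entries in step 9) and the checks a practitioner would want before running the sync (certificate key length and name in steps 5-7, the federation metadata endpoint in step 8) can be done from PowerShell. The script below is an added example and is not from the original post; the OU, the UPN suffix, the alias rule and the JangoNet host names are assumptions, and Invoke-WebRequest needs PowerShell 3.0 (Windows Server 2012).

```powershell
# Added example, not part of the original post: prepare users for federation in bulk
# and check the AD FS prerequisites from steps 4-9. The OU, UPN suffix and host
# name are placeholders for the JangoNet.com example; adjust them to your domain.
Import-Module ActiveDirectory

$SearchBase  = "OU=Office365Users,DC=jangonet,DC=local"   # assumed OU holding the users
$NewSuffix   = "jangonet.com"                              # public suffix verified in Office 365
$ServiceName = "sts.$NewSuffix"                            # federation service name on the certificate

# Step 4c/4d: the public suffix must be registered on the forest before users can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $NewSuffix}
}

# Steps 4e and 9: new UPN plus primary ("SMTP:") and alias ("smtp:") proxy addresses.
Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties proxyAddresses |
    ForEach-Object {
        $user    = $_
        $newUpn  = "$($user.SamAccountName)@$NewSuffix"
        $primary = "SMTP:$newUpn"

        # Keep existing aliases, drop any old primary (case-sensitive match on "SMTP:").
        $addresses = @($user.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' })
        if ($addresses -notcontains $primary) { $addresses += $primary }
        if ($user.GivenName) {                                       # constructed alias rule
            $alias = "smtp:$($user.GivenName.ToLower())@$NewSuffix"
            if ($addresses -notcontains $alias) { $addresses += $alias }
        }
        Set-ADUser -Identity $user -UserPrincipalName $newUpn -Replace @{proxyAddresses = $addresses}
    }

# Steps 5-7: the certificate in LocalMachine\My must carry the service name, a private key
# and a 2048-bit key; warn when it is about to expire.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServiceName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ServiceName in LocalMachine\My" }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "Key too short: $($cert.PublicKey.Key.KeySize) bits" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# Step 8: the federation metadata endpoint must answer over HTTPS with that certificate.
$metadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($response.StatusCode -ne 200) { throw "Federation metadata not served: HTTP $($response.StatusCode)" }
"Federation service entityID: " + ([xml]$response.Content).EntityDescriptor.entityID
```

Run it on the AD FS server as a domain administrator after step 8 and before the first Directory Sync. The entityID printed at the end is the value Office 365 will trust once the domain is converted to federated, so it must read https://sts.jangonet.com/adfs/services/trust for the example domain.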

Deploy windows and office with MDT 2010


Deploying Windows and Office with MDT 2010 is the quickest, easiest and most reliable way to run an automated installation of Windows 7 or Windows 8 workstations with Office 2003, Office 2007 or Office 2010 across an entire organization.
Microsoft Deployment Toolkit is a program that can be installed on a Windows workstation or server. At the time of writing the current version is Microsoft Deployment Toolkit 2010 Update 1. In order to deploy Windows and Office with MDT 2010 there are some prerequisites to install first, so that working with Microsoft Deployment Toolkit is clean and fast:

  1. .NET Framework version 2.0 Service Pack 2 or later (when installing Microsoft Deployment Toolkit on a server this is a feature that must be added to the server).
  2. Windows Automated Installation Kit (WAIK) for Windows 7.
  3. Windows 7 or Windows 8 operating system files (with a MAK or KMS key available for activation).
  4. Office 2003, Office 2007 or Office 2010 files (again with the appropriate product key).

Be sure to have a spare logical or physical drive to work in for that matter.

We’ll split the procedure to few sub procedures to make life easier.

Prepare MDT 2010 installation files and prerequisites:

  1. Install the software listed in items 1-4 above.
  2. On a spare drive with approximately 50GB free, create the folders “Windows OS” and “Office Application”.
  3. Copy the Windows 7 or Windows 8 files to the “Windows OS” folder.
  4. Copy the Office application files to the “Office Application” folder.
  5. Open the “Deployment Workbench” application < right-click “Deployment Shares” and choose “New Deployment Share”.
  6. Name the share, fill in the description, mark “Ask if an image should be captured” and walk through to the end of the process.
  7. Check that the share is reachable: Start < Run < \\ServerName\Sharename
  8. Under “Deployment Shares” < open the deployment share you created.

Create operation system files

  1. Right-click “Operating Systems” < choose the “Import Operating System” option.
  2. Choose “Full set of source files”.
  3. Browse to the Windows source folder that contains the source files prepared in item 3 above.
  4. Select “Move the files to the deployment share” to make the process faster.
  5. Finish the process < check the Windows OS folder to see that all files were transferred.

 Create application files

  1. Right-click “Applications” < choose the “New Application” option.
  2. Choose “Application with source files”.
  3. Fill in publisher, application name and version.
  4. Browse to the “Office Application” folder that contains the source files prepared in item 4 above.
  5. Set the command line to “setup.exe”.
  6. Finish the process < check the Office Application folder to see that all files were transferred.

 Create task sequence

  1. Right-click “Task Sequences” < choose the “New Task Sequence” option.
  2. Fill in the task sequence ID, name and comments if you have any.
  3. Leave the template as “Standard Client Task Sequence”.
  4. Select the OS < enter the product key (or choose not to specify one when activation is done by KMS) < set the local administrator password for the automated installation < finish the process. Note that this password is stored in clear text in the task sequence's Unattend.xml inside the deployment share, so restrict the share's permissions to the deployment account and change the local administrator password after deployment.

Update deployment share

  1. Go to the deployment share you created < right-click and choose “Update Deployment Share”.
  2. Finish the process and make sure the WIM and ISO boot files were created under the Boot folder of the deployment share on the spare logical or physical drive.
  3. Burn the (bootable) ISO file to a CD and use it to start workstations that will get the automated Windows and Office installation over the network.

Installation for workstations without network

For computers that are excluded from the network or have no network card or network port available, you should create separate media. It will be much larger than the network boot media because it contains the whole Windows and Office installation.

To deploy windows and office with MDT 2010 to computers with no network access:

  1. Create a folder on the logical drive (for example E:\WinLocal).
  2. Open the “Deployment Workbench” application < expand the deployment share < expand “Advanced Configuration” < right-click “Media” < choose “New Media” < name it “WinLocal”.
  3. Under “Media path” browse to the folder you created in item 1 < finish the process.
  4. Right-click “WinLocal” < click “Update Media Content” < the process copies all deployment content to the local media folder on the logical drive and creates an ISO file that can be burned and used for workstations without network.
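The same deployment-share build, from the import of the operating system to the offline media, can be scripted with the MDT 2010 PowerShell snap-in (the Deployment Workbench shows these cmdlets under “View Script” at the end of each wizard). The script below is an added example and is not from the original post or from Microsoft; drive letters, share names, product names, the task sequence ID and the assumption that only one operating system was imported are placeholders for this example.

```powershell
# Added example, not part of the original post: the whole build above driven from the
# MDT 2010 PowerShell snap-in. Drive letters, share names, product names and the
# task sequence ID are assumptions for this example.
Add-PSSnapIn Microsoft.BDD.PSSnapIn

$ShareRoot = "E:\DeploymentShare"              # spare drive with ~50 GB free
$ShareUNC  = "\\MDTSERVER\DeploymentShare$"    # what the boot media connects to
$OsSource  = "E:\Windows OS"                   # folders prepared earlier in the article
$AppSource = "E:\Office Application"

# Create the deployment share and remember it as drive DS001: for later sessions.
if (-not (Test-Path $ShareRoot)) { New-Item -ItemType Directory -Path $ShareRoot | Out-Null }
New-PSDrive -Name "DS001" -PSProvider "MDTProvider" -Root $ShareRoot `
    -Description "MDT Deployment Share" -NetworkPath $ShareUNC | Add-MDTPersistentDrive

# Operating system: full set of source files, moved rather than copied.
Import-MDTOperatingSystem -Path "DS001:\Operating Systems" -SourcePath $OsSource `
    -DestinationFolder "Windows 7 x64" -Move

# Application: Office setup.exe, run from the copy inside the share.
Import-MDTApplication -Path "DS001:\Applications" -Enable "True" -Name "Microsoft Office 2010" `
    -ShortName "Office 2010" -Version "14.0" -Publisher "Microsoft" -Language "" `
    -CommandLine "setup.exe" -WorkingDirectory ".\Applications\Office 2010" `
    -ApplicationSourcePath $AppSource -DestinationFolder "Office 2010"

# Task sequence from the Standard Client template. The administrator password ends up in
# clear text in the task sequence's Unattend.xml, so it is prompted for, not hard-coded,
# and the share's NTFS permissions must keep it away from ordinary users.
# No product key is passed here; activation is left to KMS.
$adminPassword = Read-Host -Prompt "Local administrator password for deployed machines"
$os = Get-ChildItem "DS001:\Operating Systems" | Select-Object -First 1   # assumes one OS imported
Import-MDTTaskSequence -Path "DS001:\Task Sequences" -Name "Windows 7 with Office 2010" `
    -Template "Client.xml" -Comments "Automated build" -ID "WIN7OFF" -Version "1.0" `
    -OperatingSystemPath "DS001:\Operating Systems\$($os.Name)" `
    -FullName "Windows User" -OrgName "JangoNet" -HomePage "about:blank" `
    -AdminPassword $adminPassword

# Build the LiteTouchPE boot images (.wim and .iso) under $ShareRoot\Boot for network installs.
Update-MDTDeploymentShare -Path "DS001:"

# Offline media for workstations without network: the "Everything" profile puts the OS and
# the application into the ISO, which is why it is much larger than the network boot media.
New-Item -Path "DS001:\Media" -Enable "True" -Name "MEDIA001" -Comments "WinLocal" `
    -Root "E:\WinLocal" -SelectionProfile "Everything" -SupportX86 "True" -SupportX64 "True" `
    -GenerateISO "True" -ISOName "WinLocal.iso" | Out-Null
Update-MDTMedia -Path "DS001:\Media\MEDIA001"
```

Run it in an elevated PowerShell on the MDT server. Because the share name, source folders and password are the only inputs, the same script rebuilds an identical deployment share on another server, which is also the easiest way to check that nothing in the share was changed by hand.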

Configuration

You can always change the configuration of a task sequence, application or operating system by right-clicking the item < choosing “Properties”, where you can change the platforms it runs on, enable or disable steps, and edit the XML configuration, depending on the item.

Windows 2008 server SMTP


The Windows 2008 Server SMTP service lets monitoring software and scripts on the server send mail, so that administrators are kept updated about service events or errors on the server.
The most important part of configuring the Windows 2008 Server SMTP service is relay control and the firewall: only the local server (or the specific hosts that need it) should be allowed to relay through it, and the appropriate firewall ports must be open. A server that relays for anyone (an open relay) will be found and abused for spam within hours.
Testing the Windows 2008 Server SMTP service can be done with the Windows telnet command to port 25.

In order to configure Windows 2008 server SMTP service:

  1. Add the SMTP Server feature under the “Add Features Wizard”.
  2. Add the IIS 6 Management Console and tools.
  3. Open “Internet Information Services (IIS) 6.0 Manager” under “Administrative Tools”.
  4. Browse to the SMTP virtual server node.
  5. Right-click the server name in IIS and choose “New” < “SMTP Virtual Server”.
  6. Name the new SMTP virtual server.
  7. Choose the IP address on which the virtual server listens for SMTP requests.
  8. Select the home directory.
  9. Fill in the domain name that this SMTP server will be responsible for.
  10. Click “Finish”.
  11. Go to the new SMTP server in the left pane < right-click < “Properties”.
  12. Check “Limit number of connections to” and choose a reasonable number of connections (30).
  13. Go to the “Access” tab < press “Authentication” < uncheck “Anonymous access” < check “Basic authentication” and “Requires TLS encryption” < fill in the default domain < press OK. Alternatively uncheck everything else and check “Integrated Windows Authentication”.
  14. Under “Connection control” < click the “Connection” button < grant access only to the local server IP.
  15. Click the “Relay” button < check “Only the list below” < add your own IP addresses (or your domain) that are allowed to relay through this virtual server. Never select “All except the list below”; that makes the server an open relay.
  16. Go to the “Delivery” tab < click the “Outbound Security” button < check “Integrated Windows Authentication” and fill in the user name and password used to deliver mail to the smart host (use a dedicated account with no other privileges rather than a domain administrator).

You may also limit outbound connections under the “Outbound connections” button on the same tab.
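The telnet test mentioned above only shows that port 25 answers; what a practitioner actually needs to know is whether steps 13 and 15 really stopped relaying. The following PowerShell function is an added example (not from the original post): it talks SMTP to the virtual server and tries to relay from an outside sender to an outside recipient. The server name and the two addresses are assumptions; example.net and example.org are used precisely because they are not local domains.

```powershell
# Added example, not part of the original post: a relay check for the SMTP virtual server
# configured above. It speaks SMTP to port 25 and asks the server to accept mail from an
# outside sender to an outside recipient; a 250 reply to RCPT TO means anyone can relay
# through the server. Host names and addresses are assumptions.
function Test-SmtpRelay {
    [CmdletBinding()]
    param(
        [string]$Server    = "smtp.jangonet.local",
        [int]   $Port      = 25,
        [string]$Sender    = "probe@example.net",    # neither address belongs to a local domain,
        [string]$Recipient = "victim@example.org"    # so accepting both is real relaying
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read one reply, skipping "250-..." continuation lines, and return its 3-digit code.
    function Read-Reply {
        do { $line = $reader.ReadLine(); Write-Verbose "S: $line" } while ($line -match '^\d{3}-')
        return [int]$line.Substring(0, 3)
    }
    function Send-Command([string]$Command) {
        Write-Verbose "C: $Command"
        $writer.WriteLine($Command)
        return Read-Reply
    }

    try {
        if ((Read-Reply) -ne 220) { throw "No SMTP banner from ${Server}:$Port" }
        [void](Send-Command "EHLO probe.example.net")
        $mail = Send-Command "MAIL FROM:<$Sender>"
        $rcpt = Send-Command "RCPT TO:<$Recipient>"
        [void](Send-Command "RSET")      # abandon the envelope; nothing is queued
        [void](Send-Command "QUIT")
        New-Object PSObject -Property @{
            Server    = $Server
            MailFrom  = $mail            # 530 when authentication is required (step 13)
            RcptTo    = $rcpt            # 550 when relay is restricted (step 15)
            OpenRelay = ($mail -eq 250 -and $rcpt -eq 250)
        }
    } finally {
        $client.Close()
    }
}

# Run from a host that is NOT in the relay list; OpenRelay must come back False.
Test-SmtpRelay -Server "smtp.jangonet.local" -Verbose
```

Run it from a machine that is not in the relay list of step 15 and not the server itself; a correctly configured virtual server answers MAIL FROM with 530 (authentication required) or RCPT TO with 550 (unable to relay), and OpenRelay is False. The -Verbose switch prints the whole exchange, which is the same conversation you would type by hand in telnet.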

Add active directory group to users


Adding Active Directory users to a group was, before the Windows shell options existed, something that required third-party modification tools.
With Windows PowerShell (Active Directory module), users are added to an Active Directory group with the Add-ADGroupMember cmdlet as follows:

Assuming we want to add Daniel, John and Goe to the group Finance Team, the PowerShell command is:
Add-ADGroupMember -Identity "Finance Team" -Members Daniel, John, Goe
-Identity holds the name of the group the users are added to (quote it when it contains spaces).
-Members holds the member names (SAM account names, distinguished names, GUIDs or SIDs).

You may also export users to CSV as described here. Then use this CSV file with the Add-ADGroupMember cmdlet as follows (assuming the export went to a file named MyUsers.csv with a column named UserName):
Import-Module ActiveDirectory
Import-Csv "C:\MyUsers.csv" | ForEach-Object {
    Add-ADGroupMember -Identity "Finance Team" -Members $_.UserName
}

Export active directory users to CSV


For many reasons, we sometimes need to export Active Directory users to CSV.
We can perform this operation in several ways; the two best are the dsquery command and the PowerShell cmdlet Get-ADUser.

To use the dsquery command, ask for sAMAccountName and name and adjust the filter to the information needed, as follows:
dsquery * -filter "(&(objectClass=user)(objectCategory=person))" -attr sAMAccountName name > MyUsers.csv
Note that dsquery separates the columns with spaces rather than commas, and that >> would append to an existing file; use > to start a fresh one.

To use the Get-ADUser command (select the attributes you actually need rather than -Properties *, which fetches every attribute of every user and is slow on large domains):
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "ou=OU,dc=Gmalaya,dc=Local" -Properties mail, DisplayName | Select-Object SamAccountName, Name, DisplayName, mail, Enabled | Export-Csv "D:\MyUsers.csv" -NoTypeInformation
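The two posts above, exporting users to CSV and adding users from a CSV to a group, are really one workflow, and the one-liner version silently does the wrong thing when a row names an account that does not exist or when the target group is a privileged one. The script below is an added example that serves both posts and is not from the original page; the OU, the file path and the group name are assumptions.

```powershell
# Added example, not part of the original posts: export the users of one OU to CSV,
# then feed that file back to Add-ADGroupMember with validation. OU, file path and
# group name are assumptions.
Import-Module ActiveDirectory

$SearchBase = "OU=Finance,DC=gmalaya,DC=local"
$CsvPath    = "D:\MyUsers.csv"
$Group      = "Finance Team"

# --- Export: ask only for the attributes you need instead of -Properties *, which pulls
#     every attribute of every user. -NoTypeInformation keeps the "#TYPE" header line
#     out of the file so it re-imports cleanly.
Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties mail, Department |
    Select-Object SamAccountName, Name, mail, Department, DistinguishedName |
    Export-Csv -Path $CsvPath -NoTypeInformation

# --- Import: resolve each row to an account, skip what does not exist, and refuse to
#     touch protected groups (Domain Admins and friends carry adminCount=1) from a bulk script.
$target = Get-ADGroup -Identity $Group -Properties adminCount
if ($target.adminCount -eq 1) { throw "$Group is a protected (AdminSDHolder) group; add members by hand." }

$current = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
$toAdd   = foreach ($row in Import-Csv $CsvPath) {
    if ($current -contains $row.SamAccountName) { continue }         # already a member
    $u = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'"
    if ($null -eq $u) { Write-Warning "Skipping unknown account $($row.SamAccountName)"; continue }
    $u
}

if ($toAdd) {
    # One call with the whole list is a single LDAP modify instead of one per user.
    Add-ADGroupMember -Identity $Group -Members $toAdd
}

# Verify: every account in the CSV that exists must now be a member.
$after = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName
Import-Csv $CsvPath | Where-Object { $after -notcontains $_.SamAccountName } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is still not in $Group" }
```

The export half writes a proper comma-separated file with a header, which is what Import-Csv expects; the dsquery output shown above is space-separated and would need reformatting first. The adminCount check is there because a CSV that is edited by hand is exactly how an extra name ends up in Domain Admins.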

Windows 2008 Display Data Prioritization


For those who remember the old Terminal Services versions: sometimes the remote session suddenly froze while copying files, printing or doing any other network-related operation. Windows Server 2008 includes a feature called “Display Data Prioritization” that gives system administrators control over the share of the session's bandwidth allocated to display, keyboard and mouse on one hand and to file transfers and other virtual channels on the other. By default Microsoft reserves 70% of the bandwidth for display, keyboard and mouse and 30% for other traffic over the session. If this ratio needs to be changed by the system administrator for some reason, the registry key that controls it is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD
with the following values (all REG_DWORD):
FlowControlDisable: enables (0) or disables (1) flow control altogether.
FlowControlDisplayBandwidth: the relative bandwidth allocated to display, keyboard and mouse (default 70).
FlowControlChannelBandwidth: the relative bandwidth allocated to the other virtual channels (default 30).
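Because the values are read by the TermDD driver at load time and do not exist in the registry until someone creates them, it is easy to type a wrong name or a string value and see no effect. The functions below are an added example (not from the original post) that read the effective settings, falling back to the Windows defaults when the values are absent, and change the ratio with a range check; the new 60/40 split is an assumption for the illustration.

```powershell
# Added example, not part of the original post: read and change Display Data
# Prioritization on the TermDD key with validation. The defaults are the Windows
# values described above; the 60/40 split at the bottom is an assumption.
$TermDD = "HKLM:\SYSTEM\CurrentControlSet\Services\TermDD"

function Get-DisplayDataPriority {
    $p = Get-ItemProperty -Path $TermDD
    # Absent values mean "default": flow control on, 70 display / 30 channel.
    New-Object PSObject -Property @{
        FlowControlDisable          = if ($p.FlowControlDisable -ne $null)          { $p.FlowControlDisable }          else { 0 }
        FlowControlDisplayBandwidth = if ($p.FlowControlDisplayBandwidth -ne $null) { $p.FlowControlDisplayBandwidth } else { 70 }
        FlowControlChannelBandwidth = if ($p.FlowControlChannelBandwidth -ne $null) { $p.FlowControlChannelBandwidth } else { 30 }
    }
}

function Set-DisplayDataPriority {
    param([int]$Display, [int]$Channel)
    # The two numbers are relative weights (70:30 by default); each fits in a byte and
    # at least one must be non-zero or the session gets no bandwidth at all.
    foreach ($v in $Display, $Channel) {
        if ($v -lt 0 -or $v -gt 255) { throw "Weights must be between 0 and 255 (got $v)." }
    }
    if ($Display -eq 0 -and $Channel -eq 0) { throw "Display and channel weights cannot both be 0." }
    # -Type DWord creates the values as REG_DWORD when they do not exist yet.
    Set-ItemProperty -Path $TermDD -Name FlowControlDisable          -Value 0        -Type DWord
    Set-ItemProperty -Path $TermDD -Name FlowControlDisplayBandwidth -Value $Display -Type DWord
    Set-ItemProperty -Path $TermDD -Name FlowControlChannelBandwidth -Value $Channel -Type DWord
    Write-Warning "TermDD reads these values when the driver loads; restart the server to apply them."
}

Get-DisplayDataPriority                          # before
Set-DisplayDataPriority -Display 60 -Channel 40  # give file transfers a larger share
Get-DisplayDataPriority                          # after (effective after restart)
```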

Adding windows 2008 server to domain with command line


Adding a Windows 2008 server to a domain with the command line can be done as follows:

1. Open the command line (Start < Run < type ‘cmd’ < press Enter).

2. In the command line type the following command:

netdom join <ServerName> /domain:<DomainName> /userd:<DomainName>\<UserName> /passwordd:*

Replace <ServerName> with the DNS name of the local server.

Replace <DomainName> with the domain name you want to add the server to.

Replace <UserName> with an administrator account that has the privilege to join servers to the domain.

The asterisk in /passwordd:* makes netdom prompt for the administrator password. Typing it on the command line instead (/passwordd:<Adminpassword>) leaves it in the command history and visible in process listings, so avoid that.

3. Restart the server (or add /reboot to the command to have netdom restart it).
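The same join from PowerShell 2.0 (built into Windows Server 2008 R2) uses Add-Computer, which takes a credential object and never puts the password on a command line. The script below is an added example, not from the original post; the domain, OU and account names are assumptions, and the DNS pre-check uses nslookup because Resolve-DnsName does not exist before Windows Server 2012.

```powershell
# Added example, not part of the original post: join the domain from PowerShell 2.0
# with the credential prompted for, plus a DNS pre-check and a post-join check.
# Domain, OU and account names are assumptions.
$Domain = "jangonet.local"
$OUPath = "OU=Servers,DC=jangonet,DC=local"   # omit -OUPath below to land in the Computers container

# Pre-check: the join can only work if a domain controller SRV record resolves from here.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null | Select-String 'svr hostname'
if (-not $srv) { throw "No DC SRV record for $Domain; fix this server's DNS settings first." }

# Prompt for the password instead of typing it into the command line.
$cred = Get-Credential -Credential "$Domain\Administrator"
Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -PassThru

# Confirm the join before rebooting (membership takes effect after the restart).
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $Domain) {
    Restart-Computer -Force
} else {
    throw "Join did not complete: PartOfDomain=$($cs.PartOfDomain) Domain=$($cs.Domain)"
}
```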

Assigning a Static IP Address with command line


Some group policies are designed to disable the “Network Connections” feature in Control Panel.
If such a policy is deployed to an OU in Active Directory, it prevents the administrator from opening that feature.
If for some reason the administrator needs to set a static IP anyway, the command line is a workaround:
1. To display a list of network interfaces, run the following command (Start < Run < type ‘cmd’ < press Enter):
netsh interface ipv4 show interfaces

2. Make a note or screen capture of the name and index (Idx) of the network interfaces listed.

3. To change the IP address to a static IP, use this command line (all on one line):
netsh interface ipv4 set address name="<ID\Name>" source=static address=<RequestedStaticIP> mask=<Subnetmask> gateway=<Defaultgateway>

Replace "<ID\Name>" with the network interface index or name from step 2.
Replace <RequestedStaticIP> with the new IP address.
Replace <Subnetmask> with the appropriate subnet mask for this IP.
Replace <Defaultgateway> with the default gateway.

When staying in the same network as the DHCP scope that was in use, just copy the <Subnetmask> and <Defaultgateway> addresses from the current DHCP lease (ipconfig /all shows them).
When using an IP address from the DHCP scope, make sure to exclude this IP address on the DHCP server first, otherwise DHCP will hand it to another client.

4. For each static DNS server entry, use this command line:
netsh interface ipv4 add dnsserver name="<ID\Name>" address=<DnsServerIP> index=1
Example (second DNS server 10.10.1.83 on the interface named Local Area Connection):
netsh interface ipv4 add dnsserver name="Local Area Connection" address=10.10.1.83 index=2

5. Check the configuration using the command:
ipconfig /all
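The same change can be made through WMI from PowerShell 2.0, which also makes it easy to add the one check the netsh procedure lacks: that nobody else is already answering on the address you are about to take (the DHCP-scope situation described above). The script below is an added example and is not from the original post; the interface name and all addresses are assumptions.

```powershell
# Added example, not part of the original post: set a static address through WMI from
# PowerShell 2.0, refusing an address that is already in use on the segment.
# Interface name and addresses are assumptions.
$AdapterName = "Local Area Connection"
$Ip          = "10.10.1.50"
$Mask        = "255.255.255.0"
$Gateway     = "10.10.1.1"
$Dns         = @("10.10.1.83", "10.10.1.84")

# Same information as "netsh interface ipv4 show interfaces", taken from WMI.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
if (-not $adapter) { throw "No adapter named '$AdapterName'" }
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
"Current: {0} -> {1} (DHCP enabled: {2})" -f $AdapterName, ($cfg.IPAddress -join ','), $cfg.DHCPEnabled

# Refuse to take an address another host already answers on (a live DHCP lease, for example).
if (Test-Connection -ComputerName $Ip -Count 1 -Quiet) {
    throw "$Ip already answers on the network; exclude it in DHCP or pick another address."
}

# EnableStatic / SetGateways / SetDNSServerSearchOrder return 0 on success and 1 when a
# reboot is required; any other value is a WMI error code worth looking up.
$results = @{
    EnableStatic         = $cfg.EnableStatic(@($Ip), @($Mask)).ReturnValue
    SetGateways          = $cfg.SetGateways(@($Gateway), @(1)).ReturnValue   # metric 1
    SetDNSServerSearchOrder = $cfg.SetDNSServerSearchOrder($Dns).ReturnValue
}
$results.GetEnumerator() | Where-Object { $_.Value -gt 1 } |
    ForEach-Object { Write-Warning "$($_.Key) failed with code $($_.Value)" }

# Equivalent of the final "ipconfig /all" check in the article.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
$cfg | Select-Object IPAddress, IPSubnet, DefaultIPGateway, DNSServerSearchOrder, DHCPEnabled
```

The ping check is a quick guard, not a guarantee: a host with a firewall that drops ICMP will not answer, so excluding the address in DHCP is still required when it comes from the scope.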