Migrating Radius from Windows Server 2003 to 2012 R2

To follow up on my previous blog post about migrating DHCP from Windows 2003 to Windows 2012 due to the End-of-life of Windows 2003 on July 14th 2015, I will continue down this track and provide you with a simple guide to migrate the Radius server from a source server running Windows 2003 to a target server running Windows 2012 R2.

Export Internet Authentication Service (Radius) from Windows 2003

  • Copy %windir%\syswow64\iasmigreader.exe from a server running Windows 2012
  • Copy iasmigreader.exe to the source server into C:\WINDOWS\system32
  • On the source server in command prompt, type iasmigreader.exe and then press ENTER. The migration tool will automatically export settings to a text file.
  • IAS settings are stored in the file ias.txt located in the %windir%\system32\ias directory on the source server.
  • Copy the ias.txt file to the target server (beware the file contains passwords)

On Target server Install NPS

  • In Server Manager, add new Role Services, select Network Policy Server, Install with default values

Import Settings to Target server Running NPS

  • Open a command prompt and type netsh nps import filename="<path>\ias.txt"

Register the NPS server in the default domain using the netsh command

  • At the command prompt, type netsh ras add registeredserver and then press ENTER. Remember that the account must, as a minimum, be a member of “Domain Admins”.

Verify that Radius is active and supporting clients.
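The target-side steps above as one elevated PowerShell session, with the ias.txt file locked down before the import and removed after it, since it carries the RADIUS passwords. This is an added example, not part of the original post; the staging path C:\Migration\ias.txt is an assumption.

```powershell
# Added example: run elevated on the Windows Server 2012 R2 target.
# $IasFile is a hypothetical staging path; use wherever you copied ias.txt.
$IasFile = 'C:\Migration\ias.txt'
if (-not (Test-Path -LiteralPath $IasFile)) { throw "Export file not found: $IasFile" }

# 1. The export contains passwords: strip inherited permissions and allow
#    only Administrators and SYSTEM to read the staging copy.
icacls $IasFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# 2. Install the Network Policy Server role service with default values.
Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

# 3. Import the IAS settings, then register NPS in the default domain
#    (the account needs Domain Admins membership, as noted above).
netsh nps import filename="$IasFile"
if ($LASTEXITCODE -ne 0) { throw "netsh nps import returned $LASTEXITCODE" }
netsh ras add registeredserver

# 4. Verify: the NPS service (service name IAS) is running and the RADIUS
#    clients were imported. SharedSecret is deliberately not selected.
Get-Service -Name IAS
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# 5. Remove the staging copy once the import is verified.
Remove-Item -LiteralPath $IasFile -Force
```

The same cleanup applies to the original ias.txt in %windir%\system32\ias on the source server and to any share or removable media used for the transfer.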


Mobile Device Management in Office 365

Since TechEd in Barcelona this fall, where Microsoft announced that they would include Mobile Device Management (MDM) capabilities in Office 365, beyond the existing features from Exchange server, I have tried to catch any information released about its feature set and how it would distinguish itself from Microsoft Intune.

Finally, at the end of March this year, some solid information was released in this article: Overview built-in Mobile Device Management for Office 365, with a more detailed description of the capabilities of the release here: Capabilities of built-in Mobile Device Management for Office 365

This information came out at about the same time as Microsoft announced the general availability of the new Office 365 features in this article: Built-in mobile device management now generally available for Office 365 commercial plans

As my company is enrolled for First Releases I eagerly awaited the features to pop in our Office 365 Admin Center, but apparently Microsoft takes their time (4-6 weeks) as stated in the blog post mentioned above.

So for now I am still waiting – with more information on its capabilities, I should say – but nevertheless still waiting.

I hope they have come round to upgrade our tenant in time for my next blog post where I will cover my experiences with the new features.


IAM vs. IDM vs. IAG vs…

For Identity and Access Management specialists like us, the case is the same, and it is becoming a struggle to communicate our message clearly and in a way that can be compared to what is already out there. So, here is a guide to the forest of terms related to Identity and Access Management.

Basically, the idea behind what is known as Identity and Access Management, among other names, is to club access rights from a number of systems and applications into logical and easily controlled “Identities”. In that way, we avoid the very common problem of lazily adding access rights based on other users, and start handling them based on the organization’s structure according to the actual job description, or job function of each user.

As an overview, here is a list of some of the most common terms and practices that all cover what are required, valuable components of a well-prepared and well-thought-out IAM project:

IAM – Identity and Access Management.
IDM – Identity Management.
IAG – Identity and Access Governance.
RBAC – Role Based Access Control.
ABAC – Attribute Based Access Control.
Perimeter Management.

No 2015 IAM solution falls under just one category. Some will argue that IAM is the umbrella term—the mother of all Identity and Access Management efforts, but it actually depends quite a lot on your need, or your primary “pain”.

Your need might very well be to get things under control. It can be to respond to an audit, or maybe you find that Governance and Auditing is, in general, a hassle that keeps getting worse. Perhaps your colleagues and yourself work in a very scattered environment, traveling a lot or having offices that are spread out, and still need to be in control of all the pieces. Perhaps your license management has gotten out of hand.

Maybe you need to comply with well-known international or local Compliance frameworks, or your major customers and shareholders demand that you do—how do you document that you are in fact compliant?!


Lync will become Skype for Business

Back in November 2014, Microsoft announced the rebrand of Lync to ‘Skype for Business’. Since then, a lot of speculation has occurred. When would this change happen, what was going to happen with all the Lync Servers, what new features will come out, etc…

Lync will become Skype for Business, with a new user interface in the Windows desktop application.

Skype for Business will roll out as an update to Lync on April 14th as part of the monthly Office updates for users with Office 365 ProPlus, Office 365 Business Premium or Office 2013.

The Skype for Business client will be the default user experience and will replace the Lync user experience.

Controlling the UI in Lync Online and Skype for Business Online

Disable Skype user interface (UI) for all users:

  • Grant-CsClientPolicy -PolicyName ClientPolicyDisableSkypeUI

Enable Skype UI for all users:

  • Grant-CsClientPolicy -PolicyName ClientPolicyEnableSkypeUI

Controlling the UI in Lync Server and Skype for Business Server

Enable Skype UI for all users:

  • Set-CsClientPolicy -Identity Global -EnableSkypeUI $true

Disable Skype user interface (UI) for all users:

  • Set-CsClientPolicy -Identity Global -EnableSkypeUI $false

You can also download the scripts from the Microsoft Download Center: Skype for Business Online – Switching the client user interface

For Lync Server, the experience will not change for now, but Microsoft announced that it will start the roll out of the Lync Online management portal on April 14th, and the Lync Server roll out on May 1st.

What is coming?


The Enterprise Voice in the Cloud will make a tech preview this summer in the US, and by the end of this year, we will get a general availability. But we still don’t know the features of the Enterprise Voice on the cloud, so let’s wait and see.

The good news is that Microsoft has released ways for Lync administrators to control the switchover of the client experience with some quite simple PowerShell commands.


SCCM 2012 Deployment starts out successful but turns bad in time

I recently made an SCCM application and deployed it for a customer. At first everything looked fine; the application was deployed successfully to 200 plus clients, with only 1 install failure. A couple of days later, I checked up on the deployment status in the Configuration Manager console and this is what I saw.


Somehow, a successful deployment had turned bad and the number of errors was rising! After wiping the sudden sweat from my forehead, I opened the deployment status to find a couple of workstations, where the application was now failing to check log files. However, in the deployment status on the “error” tab, there was nothing.


After doing several “run summarizations” hoping for some information to show up, I went to the SCCM reporting site, to see if there was something there. After looking at different reports without much luck, I found the following in the “Application Infrastructure Error” report.


CI Version Info timed out.

I found a client with the problem and went through the logs. According to AppEnforce.log, the software installation had been successful. When logging onto the computer, the software was working as well. The same was true for other computers I decided to inspect. Also, the service desk had not had any calls from users about the software. So it was looking a lot like some sort of false negative.

Then I went through the various CI logs. In CIAgent.log I found the following:


Notice that it says “version 10 not available”. So I went and checked the revision number of my application; it turned out it was revision 6. So no wonder revision 10 is not available: it hasn’t been created yet. I went on to check the logs of several other clients with the issue, and all of them reported the same in CIAgent.log. OK, so apparently it was not my application that was causing the false negatives. The ID of the faulting application was in the error from CIAgent.log, so I put that into an SQL query to get its friendly name.

select top 10 * from CI_ConfigurationItems where CI_UniqueID like '%/Application_faeb6a44-1457-42aa-af0c-ae42889012a1'

This led me to the offender: “Microsoft Office Professional Plus 2007 DADK 1”. OK, so somehow MS Office 2007 was making my deployment fail. I took a look at some other deployments and found that they also had the “CI Version Info timed out” error.

I took a look at the Office application; it was revision 12 and it was deployed as part of the OS install task sequence. The task sequence was referencing version 12, which would be the correct version. Nonetheless, I did the following to ensure it was referencing the newest version:

  • Opened the TS and removed Office 2007 from it.
  • Saved the TS.
  • Opened it again and re-added the Office application.
  • Saved it again.

After doing this, the deployment status started to go back to green, and not only for my application, but for all the others as well. Apparently, when the clients run the policy evaluation and get to an application which has been deployed by a TS and has had its revision updated since then, the evaluation stops and fails for all applications. Luckily this is a rare bug, and it was supposedly fixed with SP1; however, this happened on an SCCM 2012 R2, so you might still run into it. Three days later, the deployment looks almost all green. Only 10 clients still have the error, and that is just because they have not yet done another policy evaluation.


Using WMI filters for Group policy

This guide describes how to apply WMI filters to a Group Policy in order to target computers with a particular system configuration/information. WMI contains almost any information about the computers’ configuration, which gives us the opportunity to use this information to make sure that the Group Policy that we are using, only applies to the computers fulfilling the requirements specified in the WMI filter.  In this case we will use it to target only computers with Windows 8 and 8.1 installed.

  • Open the “Group Policy Management” console.


  • Right click the “WMI Filters” and click New.


  • Write a descriptive name and description and click the Add button.


  • In this case, keep the Namespace as it is and write the WMI query in the “Query” field.


This WMI query checks whether the OS version is either 6.2 (Windows 8 and Server 2012) or 6.3 (Windows 8.1 and Server 2012 R2) and the product type is 1 (desktop OS). This narrows the result so that it is only true on a Windows 8 or Windows 8.1 operating system.

  • Click OK. If presented with a warning regarding namespace, just click OK again.


  • Save the WMI filter and the filter is done. Now we just need to apply it to a Group Policy.


  • Select the Group Policy that you wish to apply the WMI filter to. Under the Scope, choose the WMI filter at the bottom of the console.


  • Click yes to the prompt and you are done.


This is just one out of thousands or millions of different WMI filters that could be made. This is to show how it is created and to give an idea of how to use it. WMI queries can easily be found with a little bit of searching the web, if you are not that familiar with WMI.
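The filter described in this guide, written out as WQL and tested from PowerShell before it is linked to a policy, so a mistyped filter does not silently leave machines outside the GPO. This is an added example, not from the original post: the query text is reconstructed from the description (version 6.2 or 6.3, product type 1), and the computer names are hypothetical.

```powershell
# Added example; WQL reconstructed from the post's description, not copied from its screenshot.
$Namespace = 'root\CIMv2'
$Query = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "6.2%" OR Version LIKE "6.3%") AND ProductType = "1"'

function Test-WmiFilter {
    param([string]$ComputerName)   # omit to test the local machine

    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }

    # Group Policy applies the GPO only if the query returns at least one instance.
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem @target
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query @target)

    [pscustomobject]@{
        Computer      = $os.CSName
        Caption       = $os.Caption
        Version       = $os.Version
        ProductType   = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = server
        FilterMatches = ($hits.Count -gt 0)
    }
}

# Local machine first, then a Windows 8.1 client (expect True) and a
# Server 2012 R2 machine (expect False). Both names are hypothetical.
Test-WmiFilter
'WS-WIN81-01', 'SRV-2012R2-01' | ForEach-Object { Test-WmiFilter -ComputerName $_ }

# After linking, list which GPOs carry a WMI filter (GroupPolicy module from GPMC/RSAT).
Get-GPO -All | Where-Object WmiFilter |
    Select-Object DisplayName, @{ n = 'WmiFilter'; e = { $_.WmiFilter.Name } }
```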


Incorrect holidays in Outlook 2007/2010

This step-by-step guide shows a workaround for the .HOL file Microsoft released on August 28 2012, in which the holiday is listed incorrectly. To correct this, you will have to locate the .HOL file and edit it with the corrected holidays. There are multiple options for how the changes can be made in the Calendar. The guide below is a “global” solution, intended for correcting the holidays if you have a lot of affected users, or if you do not want to do it manually on 5-10 PCs. I would not use this solution if it is only a problem on 1-3 computers. If that is the case, simply go to the Calendar and drag-and-drop the holiday from the wrong date to the correct one.

Method 1: Before importing the .HOL file for the first time

  1. Before starting this step-by-step guide, exit Outlook if it’s open on the PC you want to import from.
  2. In Microsoft Windows Explorer, you must locate the following file to edit changes for holidays:
  • drive letter:\Program Files\Microsoft Office\Office “xx”\LCID\outlook.hol -> I had to go to: C:\Program Files (x86)\Microsoft Office\Office14\1033 (because of version 2010)

>>Where “xx” is 12 for 2007 Microsoft Office and 14 for Office 2010<<

  3. Making a backup copy of the .HOL file is recommended, as you may need to start over.
  4. Right-click the Outlook.HOL file, then choose “Open With -> Choose Notepad” (or your preferred editor). After you have finished editing the file, you can do the same again, but instead choose “Open with -> Choose Outlook”. This is completely a matter of choice.
  5. Press Ctrl+F to search for “Whit Sunday” or find it manually (sometimes the search does not work).
  6. Change Whit Sunday, 2015/5/28 to Whit Sunday, 2015/5/24.
  7. Do this for every occurrence of Whit Sunday that you can find in the .HOL file.
  8. Press Ctrl+F to search for “Whit Monday” or find it manually (sometimes the search does not work).
  9. Change Whit Monday, 2015/5/29 to Whit Monday, 2015/5/25.
  10. Do this for every occurrence of Whit Monday that you can find in the .HOL file.
  11. Save and close the Outlook.HOL file. If that is not possible with Notepad, open it ‘as admin’, save to the desktop and copy it to the right folder.

Now you can import the corrected holidays into your calendar. Before this step the existing holidays must be deleted manually! (Press View, then List, then identify the category Holidays and delete them.) Import the file after you have deleted the old holidays.
